Replies: 1 comment
-
If you compile nfdump with As of the display option - the nsel compile option changes the default format to display event records, which makes sense. There is always a tradeoff between convenience and required information. If you have multiple and mixed sources, such as plain netflow/ipfix as well as nsel exporters, you have to carefully select what output you need from which sources. You won't be able to simply select It's a nightmare about all the different and buggy and/or poor implementations of NSEL, as flexible netflow (fnf) is too flexible and it is almost impossible to fulfil all auto requirements. Although flow start/end and event time are not the same, they are mostly expected to be the same. If you have special cases in your environment, I would highly recommend customising your own output formats of choice. To do so you can modify |
-
Understood, so there are two separate issues here!
First: Is it correct that nfdump compiled with NSEL options requires all the sources to support NSEL? In my test bed example I have sFlow sources for which NSEL doesn't make sense at all and a couple of routers (Mikrotik) that export flows with the NSEL option.
I think the most sensible approach for the automatic format would be to display the flow timestamps in case the event timestamps were not available.
The second is trickier, dealing with buggy/poor implementations of NSEL like Mikrotik's. They are using the X- IP address fields but they are not including any event-related fields.
Anyway, given that it is an "auto" format, don't you think it would be a lesser evil to display the flow start timestamp in both cases when the event timestamp is not available?
Originally posted by @borjam in #409 (comment)