jow- / nlbwmon

Simple conntrack based traffic accounting
ISC License

Layer7 application using multiple protocols creates multiple records #12

Closed cbz closed 7 years ago

cbz commented 7 years ago

As per the title. If an application (say DNS or in this case Mumble) uses multiple protocols (both TCP and UDP), then this will result in multiple records in the output.

Intuitively - and based on the contents of protocols.txt - I would have expected traffic for port/protocol pairs that had the same application name to be aggregated together.

jow- commented 7 years ago

Cannot reproduce it. Can you please give an example?

jow- commented 7 years ago

I think I understand what you mean. Yes, this is intentional - in the collection phase the protocol mapping merely decides whether the protocol info (proto, dst_port) is zeroed or not. To coalesce multiple layer7 records into one, use the grouping flag, e.g. nlbw -c show -g mac,layer7

cbz commented 7 years ago

As an example, this entry:

6 64738 Mumble
17 64738 Mumble

Will create two records for Mumble in the nlbw output - as I get two records when I dump out the database using '-c json' I assume this is also the case internally/in the database.

nlbw -c show -g mac,layer7 doesn't appear to coalesce the two records.

jow- commented 7 years ago

Can you attach the database file /tmp/0.db here or send it to me by mail?

cbz commented 7 years ago

Sent it to you via email.

cbz commented 7 years ago

I think two records are always being created in the database (one for each proto/protocol pair). The issue comes around displaying it.

Using "nlbw -c show -g layer7" will aggregate things up by layer7 and sum the two records together; using multiple fields for the sort won't do this.

jow- commented 7 years ago

It is working as intended then. Records sharing a protocol are not coalesced in the database but aggregated when grouped in the output.
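The two phases jow- describes, as an added illustration that is not nlbwmon's own code: a simplified Python model in which the collection phase keeps one record per (mac, proto, dst_port) and only zeroes proto/port for flows that match no protocols.txt entry, while the output phase sums records that share the selected grouping columns. The protocols.txt lines, MAC address and byte counters are constructed sample data.

```python
from collections import defaultdict

# Constructed protocols.txt-style mapping: "proto dst_port name" (6 = TCP, 17 = UDP).
PROTOCOLS_TXT = """\
6 53 DNS
17 53 DNS
6 64738 Mumble
17 64738 Mumble
"""

def parse_protocols(text):
    """Map (proto, dst_port) -> application name, skipping blank and comment lines."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        mapping[(int(parts[0]), int(parts[1]))] = parts[2]
    return mapping

MAPPING = parse_protocols(PROTOCOLS_TXT)

# Constructed sample flows: (mac, proto, dst_port, rx_bytes, tx_bytes).
SAMPLE_FLOWS = [
    ("aa:bb:cc:00:00:01", 6, 64738, 1000, 200),      # Mumble control channel (TCP)
    ("aa:bb:cc:00:00:01", 17, 64738, 50000, 30000),  # Mumble voice (UDP)
    ("aa:bb:cc:00:00:01", 17, 53, 300, 100),         # DNS
    ("aa:bb:cc:00:00:01", 6, 8080, 700, 50),         # unmapped: proto/port zeroed
]

def collect(flows, mapping):
    """Collection phase: one record per (mac, proto, dst_port); the mapping only
    decides whether proto/dst_port are kept or zeroed, so TCP and UDP Mumble
    flows land in two separate records."""
    db = defaultdict(lambda: {"rx": 0, "tx": 0})
    for mac, proto, dst_port, rx, tx in flows:
        if (proto, dst_port) not in mapping:
            proto, dst_port = 0, 0
        db[(mac, proto, dst_port)]["rx"] += rx
        db[(mac, proto, dst_port)]["tx"] += tx
    return dict(db)

def show(db, mapping, group_by):
    """Output phase: sum records whose values for the group_by columns match,
    e.g. group_by=("mac", "layer7") merges the two Mumble records into one row."""
    out = defaultdict(lambda: {"rx": 0, "tx": 0})
    for (mac, proto, dst_port), counters in db.items():
        row = {"mac": mac, "proto": proto, "dst_port": dst_port,
               "layer7": mapping.get((proto, dst_port), "other")}
        key = tuple(row[col] for col in group_by)
        out[key]["rx"] += counters["rx"]
        out[key]["tx"] += counters["tx"]
    return dict(out)
```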