phaag / nfdump

Netflow processing tools

filter by asn - now requires geo db? #412

Closed thezoggy closed 1 year ago

thezoggy commented 1 year ago

When testing newer nfsen/nfdump I noticed that we can no longer filter by asn:

nfdump -V
nfdump: Version: 1.7.1-d46474b, Date: 2023-02-11 15:25:24 +0100

nfdump -M /data/nfsen/profiles-data/live/dummy_router -T -r 2023/02/13/nfcapd.202302132225 -n 10 -s ip/flows 'dst as 16509'
Can not filter according geo elements without a geo location DB

nfdump was built with (both our older instance and this new one are built using same flags, however we can filter by asn just fine on 1.6.x):

./configure --enable-nfprofile --enable-nftrack --enable-readpcap --enable-nfpcapd --enable-sflow

phaag commented 1 year ago

Ohh - I see. Fixed.

thezoggy commented 1 year ago

Can confirm it works now! Thanks.

wallacemariadeandrade commented 1 year ago

Hi dear, I'm having this same problem:

root@nfsen:/var/nfsen/maxmind# nfdump -M /var/nfsen/profiles-data/live/RT_NE40_BGP -T  -R 2023/04/06/nfcapd.202304061055:2023/04/06/nfcapd.202304061125 -n 10 -s ip/flows 'dst as 16509'
Can not filter according geo elements without a geo location DB

I can confirm that my routers are exporting AS numbers within flow data, so do I still need to use geolookup?

It was built this way, may --enable-maxmind be the problem?

./configure --enable-nsel --enable-nfprofile --enable-sflow --enable-readpcap --enable-nfpcapd --enable-nftrack --enable-maxmind

Thanks!

phaag commented 1 year ago

Make sure you run the code from the latest master repo. The bug has been fixed. A next release will be due by the end of April.

You don't need geo lookup for ASN filtering. If you don't need the country codes, you don't need maxmind at all, if you have ASN numbers in your flows.

wallacemariadeandrade commented 1 year ago

> Make sure you run the code from the latest master repo. The bug has been fixed. A next release will be due by the end of April.
>
> You don't need geo lookup for ASN filtering. If you don't need the country codes, you don't need maxmind at all, if you have ASN numbers in your flows.

I have used the latest release, not the master repo, so I think that's the problem. Is there a way to upgrade it? Or do I have to recompile everything?

phaag commented 1 year ago

Just get the code from the master repo and compile it the same way as you did for the release. If you install the new binaries, you are fine. There is no change for the data.

wallacemariadeandrade commented 1 year ago

Pretty good! Really thanks, bro. You've done a very good job.