NAME

Net::NfDump - Perl API for manipulating nfdump files

SYNOPSIS

use Net::NfDump;
TODO

DESCRIPTION

METHODS

new

The constructor. Options can be specified as parameters. These options are used as the default option set in the particular methods.

file_info

Reads information from the nfdump file header. It provides various attributes related to the file, such as the number of blocks, version, flags, statistics, etc. Returns a hash reference with items

info

Returns information about the current state of processing of the input files. It reports the files, blocks and records that have already been processed. This information can be useful for estimating the time needed to process the whole dataset.

query

The query method can be used in two ways. If the argument is a string, it is handled as a flow query. See the section FLOW QUERY for how to create flow queries.

fetchrow_hashref

Has to be used after the query method. If query was not called beforehand, the method is called as $obj->query() before the first record is returned.

The method returns a hash reference with the record and skips to the next record. Returns true if there are more records to read or false if all records from all files have been read.

create

Creates a new nfdump file.

storerow_hashref

Inserts the data defined in the hashref into the file opened by create.

finish

Closes all opened file handles. It is necessary to call this method, especially when a new file is created. The method flushes to the file the records that remain in the memory buffer and updates the file statistics in the header. Without calling this method the output file might be corrupted.

FLOW QUERY - NOT IMPLEMENTED YET

The flow query is a language very similar to SQL, used to query data in nfdump files. However, the flow query has nothing to do with SQL; it only uses a similar command syntax. Example of a flow query:

SELECT * FROM data/nfdump1.nfcap, data2/nfdump2.nfcap WHERE src host 147.229.3.10 TIME WINDOW BETWEEN '2012-06-03' AND '202-06-04' ORDER BY bytes LIMIT 100

NOTE ABOUT 32BIT PLATFORMS

Nfdump primarily uses 64-bit counters and other items to store single integer values. However, native 64-bit support is not compiled into every perl. For those cases where only 32-bit integer values are supported, Net::NfDump uses the Math::Int64 module.

The build scripts automatically detect the platform, and the Math::Int64 module is required only on platforms where perl does not support 64-bit integer values.

EXTRA CONVERSION FUNCTIONS

The module also provides extra conversion functions that convert the binary format of IP addresses, MAC addresses and MPLS label tags into text format and back.

These functions are not exported by default.

ip2txt

Converts both IPv4 and IPv6 addresses into text form. The standard inet_ntop function can be used instead to provide the same results.

txt2ip

Inverse function of ip2txt. Returns the binary format of the IP address or undef if the conversion is impossible.

mac2txt

Converts a MAC address to xx:yy:xx:yy:xx:yy format.

txt2mac

Inverse function of mac2txt. Accepts the address in any of the following formats:

aabbccddeeff
aa:bb:cc:dd:ee:ff
aa-bb-cc-dd-ee-ff
aabb-ccdd-eeff

Returns the binary format of the address or undef if the conversion is impossible.
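The text forms described for ip2txt/txt2ip and mac2txt/txt2mac can be reproduced with core Perl only, which is handy for validating values before they go into a record. This is an added example, not code from Net::NfDump; the my_* function names and the sample strings are hypothetical.

```perl
use 5.014;
use strict;
use warnings;
use Socket qw(inet_pton inet_ntop AF_INET AF_INET6);

# Hypothetical stand-ins for ip2txt/txt2ip, built on the standard Socket module.
sub my_ip2txt {
    my ($bin) = @_;
    return undef unless defined $bin;
    return inet_ntop(AF_INET,  $bin) if length($bin) == 4;     # IPv4
    return inet_ntop(AF_INET6, $bin) if length($bin) == 16;    # IPv6
    return undef;                                              # wrong length
}

sub my_txt2ip {
    my ($txt) = @_;
    return undef unless defined $txt;
    return inet_pton(AF_INET, $txt) // inet_pton(AF_INET6, $txt);
}

# The four MAC notations listed for txt2mac, anchored with \A and \z so that
# mixed separators or a trailing newline are rejected.
my $H      = '[0-9A-Fa-f]';
my $MAC_RE = qr/\A(?: (?:$H){12}
                   |  (?:$H){2} (?: : (?:$H){2} ){5}
                   |  (?:$H){2} (?: - (?:$H){2} ){5}
                   |  (?:$H){4} (?: - (?:$H){4} ){2} )\z/x;

sub my_txt2mac {
    my ($txt) = @_;
    return undef unless defined $txt && $txt =~ $MAC_RE;
    (my $hex = $txt) =~ tr/:-//d;          # strip separators
    return pack 'H12', $hex;               # 12 hex digits -> 6 bytes
}

sub my_mac2txt {
    my ($bin) = @_;
    return undef unless defined $bin && length($bin) == 6;
    return join ':', unpack '(H2)6', $bin;
}

# Constructed sample input: accepted forms first, then strings that must fail.
for my $t ('aabb-ccdd-eeff', 'AA-BB-CC-DD-EE-FF', 'aa:bb-cc:dd:ee:ff', "aabbccddeeff\n") {
    my $bin = my_txt2mac($t);
    printf "%-18s => %s\n", $t =~ s/\n/\\n/r, defined $bin ? my_mac2txt($bin) : 'undef';
}
for my $t ('147.229.3.10', '2001:db8::1', '147.229.3.256') {
    my $bin = my_txt2ip($t);
    printf "%-18s => %s\n", $t, defined $bin ? my_ip2txt($bin) : 'undef';
}
```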

mpls2txt

Converts label information to the format Lbl-Exp-S, where:

Lbl - Value given to the MPLS label by the router.
Exp - Value of experimental bit.
S - Value of the end-of-stack bit: Set to 1 for the oldest entry in the stack and to zero for all other entries.

txt2mpls

Inverse function of mpls2txt. As its argument it expects the text representation of the MPLS labels as described in the previous function (Lbl-Exp-S).
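The Lbl-Exp-S notation can be illustrated with a stand-alone round trip that also range-checks each field. This is an added example, not code from Net::NfDump: the my_* and stack_is_consistent names are hypothetical, and the integer layout (20-bit label, 3-bit Exp, 1-bit S, one entry per integer, top of stack listed first) is an assumption that the page does not state.

```perl
use strict;
use warnings;

# Assumed layout (not stated on the page): each stack entry is one integer
# holding Lbl in 20 bits, Exp in 3 bits and S in 1 bit: Lbl << 4 | Exp << 1 | S.
sub my_mpls2txt {
    my ($entry) = @_;
    return sprintf '%d-%d-%d', $entry >> 4, ($entry >> 1) & 0x7, $entry & 0x1;
}

sub my_txt2mpls {
    my ($txt) = @_;
    return undef unless defined $txt;
    my ($lbl, $exp, $s) = $txt =~ /\A([0-9]{1,7})-([0-7])-([01])\z/
        or return undef;                 # wrong shape, or Exp/S out of range
    return undef if $lbl > 0xFFFFF;      # the label field is only 20 bits wide
    return $lbl << 4 | $exp << 1 | $s;
}

# Following the description of S above: only the last (oldest) entry of a
# stack carries S = 1. Assumes entries are listed top of stack first.
sub stack_is_consistent {
    my (@entries) = @_;
    return 0 unless @entries;
    my $last = pop @entries;
    return 0 unless $last & 1;
    return (grep { $_ & 1 } @entries) ? 0 : 1;
}

# Constructed sample values: three valid entries, then three that must fail.
for my $t ('1001-0-0', '16-5-1', '1048575-7-1', '1048576-0-1', '16-8-1', '16-0') {
    my $v = my_txt2mpls($t);
    printf "%-12s => %s\n", $t,
        defined $v ? sprintf('0x%06x => %s', $v, my_mpls2txt($v)) : 'undef';
}
my @stack = (my_txt2mpls('1001-0-0'), my_txt2mpls('16-5-1'));
print 'stack consistent: ', stack_is_consistent(@stack), "\n";
print 'reversed stack:   ', stack_is_consistent(reverse @stack), "\n";
```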

flow2txt

Takes a hash reference to the items returned by fetchrow_hashref and converts all items into human-readable text format. Applies the functions ip2txt, mac2txt and mpls2txt to the items where it makes sense.

txt2flow

Inverse function of flow2txt. It is useful before calling storerow_hashref.

SUPPORTED ITEMS

Time items

first - Timestamp of first seen packet
msecfirst - Number of milliseconds of first seen packet since first
last - Timestamp of last seen packet
mseclast - Number of milliseconds of last seen packet since last
received - Timestamp when the packet was received by collector

Statistical items

bytes - The number of bytes
pkts - The number of packets
outbytes - The number of output bytes
outpkts - The number of output packets
flows - The number of flows (aggregated)

Layer 4 information

srcport - Source port
dstport - Destination port
tcpflags - TCP flags

Layer 3 information

srcip - Source IP address
dstip - Destination IP address
nexthop - IP next hop
srcmask - Source mask
dstmask - Destination mask
tos - Source type of service
dsttos - Destination type of service
srcas - Source AS number
dstas - Destination AS number
nextas - BGP Next AS
prevas - BGP Previous AS
bgpnexthop - BGP next hop
proto - IP protocol

Layer 2 information

srcvlan - Source vlan label
dstvlan - Destination vlan label
insrcmac - In source MAC address
outsrcmac - Out destination MAC address
indstmac - In destination MAC address
outdstmac - Out source MAC address

MPLS information

mpls - MPLS labels

Layer 1 information

inif - SNMP input interface number
outif - SNMP output interface number
dir - Flow directions ingress/egress
fwd - Forwarding status

Exporter information

router - Exporting router IP
systype - Type of exporter
sysid - Internal SysID of exporter

Extra/special fields

clientdelay - nprobe latency client_nw_delay_usec
serverdelay - nprobe latency server_nw_delay_usec
appllatency - nprobe latency appl_latency_usec

SEE ALSO

http://nfdump.sourceforge.net/

AUTHOR

Tomas Podermanski, <tpoder@cis.vutbr.cz>, Brno University of Technology

COPYRIGHT AND LICENSE

Copyright (C) 2012 by Brno University of Technology

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.