26 December 2015

nfdump syntax notes

[root@mail ~]# cd /usr/local/nfsen/profiles-data/live/device1/2015/12/26/
[root@mail 26]# ls
nfcapd.201512261440  nfcapd.201512261445  nfcapd.201512261450  nfcapd.201512261455
List Flows:
nfdump -r nfcapd.201512261440 -c 10


Create TopN Statistics Packets/Bytes:
nfdump -r nfcapd.201512261440 -n 10 -s record/bytes
nfdump -r nfcapd.201512261440 -n 10 -s record/packets

Create TopN statistics IP addresses, Ports:
nfdump -r nfcapd.201512261440 -n 10 -s dstport
nfdump -r nfcapd.201512261440 -n 10 -s srcip

List the first 20 tcp flows:

nfdump -r nfcapd.201512261440 -c 20 'proto tcp'

Show the top 15 IP addresses consuming most bandwidth
nfdump -r nfcapd.201512261440 -n 15 -s ip/bps

Show port scanning candidates:
nfdump -r nfcapd.201512261440 -A srcip,dstport -s record/packets \
  'not proto icmp and bytes < 100 and bpp < 100 and packets < 5 and not port 80 and not port 53 and not port 110 and not port 123'
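The same heuristic, reimplemented in Python as an added example (not part of the original post) so the filter can be applied to exported flows and sources fanning out across many destination ports can be flagged; the CSV column subset used here is a constructed, simplified layout, not nfdump's actual `-o csv` header.

```python
"""Reimplementation of the nfdump 'port scanning candidates' filter.
Columns below (srcip,srcport,dstip,dstport,proto,packets,bytes) are a
constructed, simplified layout for this example only."""
import csv
from collections import defaultdict
from io import StringIO

EXCLUDED_PORTS = {80, 53, 110, 123}   # same exclusions as the nfdump filter

# Constructed sample flows: 10.0.0.5 probes several ports with tiny flows.
SAMPLE_CSV = """\
srcip,srcport,dstip,dstport,proto,packets,bytes
10.0.0.5,40001,10.0.1.9,22,TCP,1,60
10.0.0.5,40002,10.0.1.9,23,TCP,1,60
10.0.0.5,40003,10.0.1.9,445,TCP,1,60
10.0.0.5,40004,10.0.1.9,3389,TCP,2,90
10.0.0.5,40005,10.0.1.9,8080,TCP,1,60
10.0.0.5,40006,10.0.1.9,80,TCP,1,60
10.0.0.7,51000,10.0.1.9,25,TCP,3,180
10.0.0.7,51001,10.0.1.9,443,TCP,20,9000
10.0.0.8,51002,10.0.1.9,161,ICMP,1,60
"""

def matches_filter(row):
    """not proto icmp and bytes < 100 and bpp < 100 and packets < 5 and
    not port 80/53/110/123 (nfdump 'port' matches src OR dst port)."""
    packets, nbytes = int(row["packets"]), int(row["bytes"])
    if row["proto"].upper() == "ICMP" or packets == 0:
        return False
    if nbytes >= 100 or nbytes / packets >= 100 or packets >= 5:
        return False
    return not ({int(row["srcport"]), int(row["dstport"])} & EXCLUDED_PORTS)

def aggregate(csv_text):
    """Equivalent of -A srcip,dstport: sum packets per (srcip, dstport)."""
    agg = defaultdict(int)
    for row in csv.DictReader(StringIO(csv_text)):
        if matches_filter(row):
            agg[(row["srcip"], int(row["dstport"]))] += int(row["packets"])
    return dict(agg)

def scan_candidates(csv_text, min_ports=3):
    """Sources whose filtered flows touch at least min_ports distinct ports."""
    ports = defaultdict(set)
    for src, dport in aggregate(csv_text):
        ports[src].add(dport)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)
```

The distinct-port threshold (`min_ports`) is the added step the nfdump one-liner leaves to the analyst's eye; tune it to the size of the monitored network.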

Show the top 15 /24 subnets exchanging most traffic: