
I want to split files produced by nfcapd (a netflow-producing daemon) into multiple files, because the file initially produced by nfcapd might be too big.

My problem is that I have no idea what the structure of the produced files is. I suppose there is a header and then a list of netflows, but I can't figure out at which byte the header ends, at which bytes a netflow begins and ends, and whether there is a footer.

I tried to understand it by reading the C source code on GitHub, but as I am not really a beast in C, it is quite hard for me to comprehend.

At first, I thought nfdump could solve my problem by reading a number of netflows at a time from the initial file, but there is no built-in way to do this: you can use nfdump to read the first N netflows, but you can't go from 1 to N and then from N to N+N; you can only read from 1 to N.

If anyone knows a way to split those binary files into multiple files that can be used by nfdump, I would really like to know it.

Robin Louis

1 Answer

You can set the time interval to less than 5 minutes (which is the default) using the -t parameter. That is the way to create smaller files in advance. For example: nfcapd -w 1 -l -p -t 60

Please note that -w should be set accordingly: if -t is 60 (seconds), -w should be 1 (minute).

There is more here: https://manpages.debian.org/testing/nfdump/nfcapd.1.en.html
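As an added example (not part of the answer above, and not nfdump's own tooling), the following shell script splits an existing nfcapd file that was already captured too large, instead of re-capturing with a shorter rotation interval: it cuts the file into fixed time windows using nfdump's -t time-window filter and -w binary output, so each part is itself a valid nfcapd-format file. It assumes nfdump is on PATH, GNU date (for -d @epoch), and that you pass the epoch seconds of the earliest and latest flow in the file (the "First:" and "Last:" lines of nfdump -I -r file are the assumed source).

```shell
#!/bin/sh
# Split an existing nfcapd file into fixed time windows readable by nfdump.
# Assumptions: nfdump on PATH, GNU date. Added example, not from the thread.
set -eu

# nfdump -t wants YYYY/MM/DD.hh:mm:ss; format an epoch second in UTC.
nf_time() {
    date -u -d "@$1" +%Y/%m/%d.%H:%M:%S
}

# Print one "start-end" window per line covering [first, last] in steps of
# $3 seconds. Pure function, so it can be checked without nfdump installed.
time_windows() {
    first=$1; last=$2; step=$3
    [ "$step" -gt 0 ] || { echo "step must be > 0" >&2; return 1; }
    start=$first
    while [ "$start" -le "$last" ]; do
        end=$((start + step - 1))
        [ "$end" -le "$last" ] || end=$last
        echo "$(nf_time "$start")-$(nf_time "$end")"
        start=$((start + step))
    done
}

# Split $1 into files under $2, one per window. $3/$4 are the epoch seconds
# of the earliest/latest flow in the file; $5 is the window length (default 60s).
split_nfcapd() {
    infile=$1; outdir=$2; first=$3; last=$4; step=${5:-60}
    mkdir -p "$outdir"
    n=0
    time_windows "$first" "$last" "$step" | while IFS= read -r win; do
        n=$((n + 1))
        out=$(printf '%s/nfcapd.part%04d' "$outdir" "$n")
        # nfdump: -r read file, -t keep only flows inside the window,
        # -w write the matching records as a binary nfcapd-format file.
        # (This -w is nfdump's output file, unlike nfcapd's rotation -w.)
        nfdump -r "$infile" -t "$win" -w "$out" >/dev/null
        echo "$out $win"
    done
}

# usage: ./split.sh nfcapd.201801290900 parts 1517216400 1517217300 300
[ "$#" -ge 4 ] && split_nfcapd "$@"
```

Each part can then be read on its own with nfdump -r parts/nfcapd.part0001, or all together with nfdump -R parts.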