nfdump-1.7.1

This release fixes mostly bugs from 1.7.0 and is now the recommended version for production. It works together with well advanced in years NfSen 1.3.9 https://github.com/phaag/nfsen.

Changelog:

• Fix #394. Event labeling
• Implement #393 consistent logging
• Remove extra ':' in getopt of nfcapd
• Add feature #391. Add country code aggregation
• Fix #392. Fix format options with IPv6
• Implement #390. Aggregation for GeoDB's enriched AS data
• Add OpenBSD pflog decoding in nfpcapd and nfdump
• Fix Ident change
• Sync nfcapd, sfcapd code
• Fix #389 receiving IPv4 on IPv6 socket in sfcapd
• Fix #385 bug when compiled on i386 arch - 32bit alignment
• Fix #384 bug when compile with --enable-nsel
• Implement #366 Linux NFLOG link layer protocol in nfpcapd
• Fix #381 pcap overwrite in nfpcapd fixed
• Fix #380 nbar string validation
• Implement #377. Rework sampling code in general. Switch to packet interval/space notation. Map older sampling to new notation.
• Fix #375 relative timestamps with sysUptime id 160
• Rework nbar code. Use new array records and fix nbar bug in older versions.
• Fix #370. Help shows correct option -A
• Fix #369. Legacy -M for NfSen works again
• Improve nbar handling. Add private enterprise number decoding
• Merge pull request #357

nfdump-1.7.0

NFDUMP switches to new release 1.7.0

A lot of old code has beed remove, and was rewritten. nfdump-1.7.0 replaces nfdump-1.6.x. A lot of code has been improved and new features have been added. The nfpcapd collector has been reworked completely. It allows to merge pcap and flow data.

• nfdump is now a multi-threaded program and uses parallel threads mainly for reading, writing and processing flows as well as for sorting. This may result in a 2 to 3 times faster flow processing, depending on the tasks. The speed improvement also heavily depends on the hardware (SSD/HD) and flow compression option.
• For netflow v9 and IPFIX, nfdump now supports flexible length fields. This improves compatibility with some exporters such as yaf and others. The netflow v9 decoder is more flexible in decoding.
• Support for Cisco Network Based Application Recognition (NBAR).
• Supports Maxmind geo location information to tag/geolocate IP addresses and AS numbers.
• nfpcapd automatically uses TPACKET_V3 for Linux or direct BPF sockets for *BSD. This improves packet processing. It adds new options to collect MAC and VLAN information as well as the first packet of the payload.
• Metric exports: By default, every 60s a flow summary statistics can be sent to a UNIX socket. The corresponding program may be nfinflux to insert these metrics into an influxDB or nfexporter for Prometheus monitoring.