nfdump -B, sort mixed up.

[servidge]

Hi,
tested with Version: 1.6.16 from 11.01.2018 12:00 after fixing the build (deleting else before line ~13616 in configure).

I stumbled upon a sorting problem with the -B option. Mainly sorted by bytes (ibyte/obyte) and the sorting is partially mixed up.

command: nfdump -r nfcapd.201801041430 -B  -O obyte -n10
output:

Duration Proto      Src IP Addr:Port           Dst IP Addr:Port   Out Pkt   In Pkt Out Byte  In Byte Flows
 315.752 TCP                   :62266 <->                 :53418   213120   107309  317.3 M    4.9 M    20
 153.067 TCP                   :57965 <->                 :20931    97274   198324    4.5 M  295.2 M    10   <
 317.643 TCP                   :57965 <->                 :48960    85212   174619    3.9 M  259.9 M    20   <
 302.624 TCP                   :49157 <->                 :445     136176    61916  199.2 M    4.5 M    20
 315.812 TCP                   :49311 <->                 :445     231216   263489   87.5 M   38.6 M    20
 318.778 TCP                   :49170 <->                 :445      91434    71628   71.9 M   14.2 M    20
 314.612 UDP                   :20167 <->                 :20167    74810    73613   70.6 M   25.8 M    20
 313.640 TCP                   :53246 <->                 :445      57252    35606   55.8 M    5.6 M    19
 289.879 TCP                   :59704 <->                 :5200     35954    22421   46.5 M    1.6 M    17
 321.773 TCP                   :49173 <->                 :445      75275    65170   44.6 M   14.0 M    20


command: nfdump -r nfcapd.201801041430 -B  -O ibyte -n10
output:
Duration Proto      Src IP Addr:Port           Dst IP Addr:Port   Out Pkt   In Pkt Out Byte  In Byte Flows
 306.299 TCP                   :53418 <->                 :21425    62378   126387    2.9 M  188.0 M    20
 308.402 TCP                   :55173 <->                 :445      88645    17589  129.5 M    1.2 M     9   <
 312.003 TCP                   :49301 <->                 :445      63776    84267   33.4 M  119.3 M    20
 306.391 TCP                   :49229 <->                 :445      50049    81553   13.0 M  117.4 M    19
 124.595 TCP                   :57965 <->                 :16143    32791    69558    1.5 M  103.5 M     9
 243.926 TCP                   :53180 <->                 :443      56847    26200   84.3 M    1.9 M    12   <
 182.739 TCP                   :49268 <->                 :445      79107    45803   72.2 M    6.0 M    13   <
 304.505 TCP                   :50108 <->                 :15042    22715    46205    1.1 M   68.6 M    20
 232.733 TCP                   :53178 <->                 :5200     45929     9076   67.3 M   566656    16
  62.840 TCP                   :56650 <->                 :5200     37067     4932   44.2 M   420088     6

The sorting source and destination Ports is OK. SrcPort is always larger than DstPort.
My guess is that the sorting takes place before the flow swap. Maybe somewhere in the "PrintFlowTable" Part?.

[phaag]

Swapping takes place after filtering but before sorting. I will check that.

[phaag]

I can confirm this bug. It affects sorting by bytes in or out, if the flow is swapped. The fix is not that easy and requires more changes to the code. I work on it

[phaag]

Fixed in latest master