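!++
! NetFlow v5 per-service byte totals.
!
! Reads NETFLOW_DATA through the NF_RECV5_RECORD layout and prints the TOTAL
! of NF_REC_L_DOCTETS for a handful of well-known ports, then the ICMP total.
!
! Classification is transport protocol number plus well-known port, so it is
! a heuristic: a flow on 443 is counted as HTTPS whatever it carries, and a
! service on a non-standard port is not counted at all. Either SRCPORT or
! DSTPORT may match, so both directions of a session contribute.
!--
SET DICTIONARY []
REDEFINE DOMAIN NFD USING NF_RECV5_RECORD ON NETFLOW_DATA;
! READ only: nothing in this script modifies the flow data.
READY NFD AS A READ
!++
! Some TCP statistic
!
! Protocol 6 is TCP (IANA). The protocol restriction is kept in the named
! collection TCP_FLOWS and every port FIND below reads from it, rather than
! from the domain alias A, so the restriction is applied explicitly and does
! not depend on the unnamed CURRENT collection.
!--
FIND TCP_FLOWS IN A WITH NF_REC_B_PROT = 6
FIND T IN TCP_FLOWS WITH NF_REC_W_SRCPORT = 25 OR NF_REC_W_DSTPORT = 25
! The per-flow octet count is summed over every matching flow, so the total
! can exceed the nine digits that ZZZ,ZZZ,ZZZ displays; allow twelve.
PRINT "Total SMTP traffic (bytes) :", TOTAL (NF_REC_L_DOCTETS) (-) USING ZZZ,ZZZ,ZZZ,ZZZ
FIND T IN TCP_FLOWS WITH NF_REC_W_SRCPORT = 80 OR NF_REC_W_DSTPORT = 80
PRINT "Total HTTP traffic (bytes) :", TOTAL (NF_REC_L_DOCTETS) (-) USING ZZZ,ZZZ,ZZZ,ZZZ
FIND T IN TCP_FLOWS WITH NF_REC_W_SRCPORT = 110 OR NF_REC_W_DSTPORT = 110
PRINT "Total POP3 traffic (bytes) :", TOTAL (NF_REC_L_DOCTETS) (-) USING ZZZ,ZZZ,ZZZ,ZZZ
FIND T IN TCP_FLOWS WITH NF_REC_W_SRCPORT = 443 OR NF_REC_W_DSTPORT = 443
PRINT "Total HTTPS traffic (bytes) :", TOTAL (NF_REC_L_DOCTETS) (-) USING ZZZ,ZZZ,ZZZ,ZZZ
!++
! Some UDP statistic
!
! Protocol 17 is UDP (IANA). Only UDP DNS is counted here; DNS over TCP
! (large responses, zone transfers) is deliberately outside this figure.
!--
FIND UDP_FLOWS IN A WITH NF_REC_B_PROT = 17
FIND T IN UDP_FLOWS WITH NF_REC_W_SRCPORT = 53 OR NF_REC_W_DSTPORT = 53
PRINT "Total DNS traffic (bytes) :", TOTAL (NF_REC_L_DOCTETS) (-) USING ZZZ,ZZZ,ZZZ,ZZZ
!++
! ICMP-ed traffic
!
! Protocol 1 is ICMP; ports are meaningless here, so the whole domain is
! restricted on protocol alone.
!--
FIND T IN A WITH NF_REC_B_PROT = 1
PRINT "Total ICMP traffic (bytes) :", TOTAL (NF_REC_L_DOCTETS) (-) USING ZZZ,ZZZ,ZZZ,ZZZ
! Optional per-source-address breakdown of the last collection (T); left
! disabled because it can be very long on a busy collector.
!REPORT T SORTED BY NF_REC_T_SRCADDR
! AT TOP OF NF_REC_T_SRCADDR -
! PRINT COL 1, NF_REC_T_SRCADDR
! AT BOTTOM OF NF_REC_T_SRCADDR -
! PRINT COL 20, NF_REC_T_DSTADDR, COL 40, TOTAL (NF_REC_L_DOCTETS), TOTAL (NF_REC_L_DPKTS)
!END_REPORT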