From gijs at looze.net Wed Oct 5 00:16:15 2005
From: gijs at looze.net (Gijs Molenaar)
Date: Tue, 04 Oct 2005 16:16:15 +0200
Subject: [netflow-tools] python FlowLog.start_time
Message-ID: <43428EAF.3090102@looze.net>

Hi,

I'm trying to port my python software to the new flowd SNAP-20051003.

In the 0.8.5 release, the python module had a class log, now renamed to
FlowLog. The log class had a start_time function, that would give me the
start time (surprise) when the flowfile was created.

Is it possible to get this function back, or should the starttime be
determined in another way?

thanks,

gijs


From gijs at looze.net Wed Oct 5 00:29:28 2005
From: gijs at looze.net (Gijs Molenaar)
Date: Tue, 04 Oct 2005 16:29:28 +0200
Subject: [netflow-tools] what happens with lost flows?
In-Reply-To: <432B61EA.1080102@mindrot.org>
References: <432AB015.5050606@looze.net> <432B61EA.1080102@mindrot.org>
Message-ID: <434291C8.1020604@looze.net>

Damien Miller wrote:

> There is a small kernel-maintained input queue where some will be stored
> if flowd can't keep up, after that they are dropped, but if the system
> load is too high for something light like flowd then this will fill up
> pretty quickly.
>
> You can figure out if there have been drops by looking at
> "flow_sequence" in the FLOW_ENGINE_INFO section (obviously
> you have to direct flowd to store it).

Sorry for the late reply, I was busy with a lot of other projects.

Wouldn't it be a nice feature to be built into flowd? For example ipflow
and flow-tools will log how many flows are dropped to syslog. I don't
exactly know how they determine this. I understand and totally respect
the minimalistic approach of the flowd philosophy (only dump logs fast),
but isn't this something that flowd should do?

regards,

gijs


From djm at mindrot.org Wed Oct 5 07:58:16 2005
From: djm at mindrot.org (Damien Miller)
Date: Wed, 5 Oct 2005 07:58:16 +1000
Subject: [netflow-tools] python FlowLog.start_time
In-Reply-To: <43428EAF.3090102@looze.net>
References: <43428EAF.3090102@looze.net>
Message-ID: <20051005075816.23b73aef.djm@mindrot.org>

On Tue, 04 Oct 2005 16:16:15 +0200
Gijs Molenaar wrote:

> Hi,
>
> I'm trying to port my python software to the new flowd SNAP-20051003.
>
> In the 0.8.5 release, the python module had a class log, now renamed to
> FlowLog. The log class had a start_time function, that would give me the
> start time (surprise) when the flowfile was created.
>
> Is it possible to get this function back, or should the starttime be
> determined in another way?

I removed this because it is almost redundant: the start time is roughly
equal to the recv_time of the first flow in the file. Not having a start
of file header makes quite a few other things simpler, e.g. you can now
join flow logs with "cat".

-d


From gijs at looze.net Thu Oct 13 18:28:29 2005
From: gijs at looze.net (Gijs Molenaar)
Date: Thu, 13 Oct 2005 10:28:29 +0200
Subject: [netflow-tools] ipv6 filter problem
Message-ID: <434E1AAD.3030601@looze.net>

Hello again,

Somehow I have the idea I don't receive any IPv6 flows (flows with
src/dst IPv6 address records). I'm using the latest snapshot (20051001,
in changelog there is no change since this release). I tried with
another capture daemon, and I really receive IPv6 stuff, so it is not a
router misconfiguration.

I created a rule in my flowd.conf:

    discard all
    accept inet6

This doesn't work. I still see ipv4 stuff. So I tried:

    discard inet

This doesn't work. I still see ipv4 stuff. So I tried:

    discard ! inet

This does something. Now I don't see _any_ flows.

After a couple of hours trying different combinations and checking, I
really have no ideas left anymore.

Can anyone give me a hint?

Thanks,

gijs


From djm at mindrot.org Thu Oct 13 19:43:37 2005
From: djm at mindrot.org (Damien Miller)
Date: Thu, 13 Oct 2005 19:43:37 +1000
Subject: [netflow-tools] ipv6 filter problem
In-Reply-To: <434E1AAD.3030601@looze.net>
References: <434E1AAD.3030601@looze.net>
Message-ID: <20051013194337.0bf2c771.djm@mindrot.org>

On Thu, 13 Oct 2005 10:28:29 +0200
Gijs Molenaar wrote:

> After a couple of hours trying different combinations and checking, I
> really have no ideas left anymore.
>
> Can anyone give me a hint?

My bad, please try the attached fix.

-d

-------------- next part --------------
A non-text attachment was scrubbed...
Name: filterfix.diff
Type: application/octet-stream
Size: 620 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/netflow-tools/attachments/20051013/070483b2/attachment.obj


From gijs at looze.net Thu Oct 13 23:21:25 2005
From: gijs at looze.net (Gijs Molenaar)
Date: Thu, 13 Oct 2005 15:21:25 +0200
Subject: [netflow-tools] ipv6 filter problem
In-Reply-To: <20051013230954.51a2c1e7.djm@mindrot.org>
References: <434E1AAD.3030601@looze.net> <20051013194337.0bf2c771.djm@mindrot.org> <434E59CD.6050503@looze.net> <20051013230954.51a2c1e7.djm@mindrot.org>
Message-ID: <434E5F55.2050702@looze.net>

Damien Miller wrote:

> This still looks like a filter problem. Could you try uncommenting the
> "#define FILTER_DEBUG" in filter.c and sending the output?

I did. But where should I look for the output? When I run with -g or -d
I don't see any change.

Something I don't really understand completely: do you want this
discussion to take place on the mailing list or in private? Sometimes I
forget this and press 'reply', but I'm not the only one :)

Thanks for the fast replies and actions! Really, the fastest bug fixes
ever. Not working yet, but still, fast. ;)
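Added example, not flowd's own code or any script posted in this thread: it implements the workaround Damien describes for the removed FlowLog.start_time (take the recv_time of the first flow) and, because logs can now be joined with "cat", also recovers the start time of each joined file. It assumes flow records expose a recv_time attribute (the name used in the reply) and that flowd writes flows in receive order; the sample records are constructed, not read from a real log.

```python
# Added example, not part of flowd or of any post in this thread.
# Assumption: each flow record has a recv_time attribute (seconds since
# the epoch) and flowd appends flows in receive order within one file.
from collections import namedtuple
from typing import Iterable, List, Optional

# Minimal stand-in for a flowd flow record (field names are assumptions).
Flow = namedtuple("Flow", "recv_time src_addr dst_addr octets")


def log_start_time(flows: Iterable[Flow]) -> Optional[int]:
    """Replacement for the old FlowLog.start_time: the start of a log is
    approximated by the recv_time of its first flow. None for an empty log."""
    for flow in flows:
        return flow.recv_time
    return None


def segment_start_times(flows: Iterable[Flow]) -> List[int]:
    """Start times of each original file in a log built by joining several
    flowd logs with cat. Within one file recv_time never decreases, so a
    step backwards in recv_time marks the boundary of the next file."""
    starts: List[int] = []
    prev: Optional[int] = None
    for flow in flows:
        if prev is None or flow.recv_time < prev:
            starts.append(flow.recv_time)
        prev = flow.recv_time
    return starts


# Constructed sample: two logs written in order, then concatenated with cat.
# The second file begins with a recv_time earlier than the end of the first.
SAMPLE_LOG = [
    Flow(1128428175, "10.0.0.1", "10.0.0.2", 1500),
    Flow(1128428180, "10.0.0.3", "10.0.0.2", 640),
    Flow(1128428190, "10.0.0.1", "10.0.0.4", 80),
    Flow(1128427000, "10.0.0.5", "10.0.0.2", 4000),  # second file starts here
    Flow(1128427030, "10.0.0.5", "10.0.0.6", 200),
]

if __name__ == "__main__":
    print("start of log:", log_start_time(SAMPLE_LOG))
    print("per-file starts:", segment_start_times(SAMPLE_LOG))
```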