[netflow-tools] Flow time query

Robin Breathe rbreathe at brookes.ac.uk
Mon Sep 26 17:57:30 EST 2005


I'm trying to work out whether flow-tools will allow me to retrieve (or
calculate) a second-accurate flow start-time in seconds since the UNIX

If my understanding is correct, and referring to the NetFlow v9
specification along with store.h, AGENT_INFO contains time_sec &
time_nanosec, but these appear to always take the same value as
RECV_TIME.recv_sec. I want to calculate a flow's start and stop times
relative to the UNIX epoch rather than the device's uptime.

Would the following give me what I'm looking for?

actual_flows_start =
  (AGENT_INFO.time_sec - 100*AGENT_INFO.sys_uptime_ms)
  + FLOW_TIMES.flows_start

Is there a more sane/sensible way?

On a semi-related note, I've locally patched flowd-reader to support
export to SQLite to facilitate further analysis. Would anyone else be
interested in my cleaning up my patches and submitting them?

Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073
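
The uptime-to-epoch conversion asked about above, as an added example that is not part of the original post or of flowd. The function and parameter names are hypothetical; it assumes the export time is the exporter's own UNIX timestamp from the NetFlow v9 packet header and that flow times are exporter uptime in milliseconds.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Convert a flow timestamp expressed as exporter uptime (ms) into
 * milliseconds since the UNIX epoch.
 *
 * export_sec/export_nsec: exporter wall clock when the packet was sent
 * sys_uptime_ms:          exporter uptime when the packet was sent
 * flow_uptime_ms:         flow start (or finish) as exporter uptime
 *
 * Uptime is a 32-bit millisecond counter that wraps after about 49.7
 * days, so the flow's age is computed with unsigned 32-bit arithmetic,
 * which stays correct when the export happens after a wrap and the
 * flow started before it.
 */
static int64_t flow_epoch_ms(uint32_t export_sec, uint32_t export_nsec,
                             uint32_t sys_uptime_ms, uint32_t flow_uptime_ms)
{
    int64_t export_ms = (int64_t)export_sec * 1000 + export_nsec / 1000000;
    uint32_t age_ms = sys_uptime_ms - flow_uptime_ms; /* modulo 2^32 */

    return export_ms - (int64_t)age_ms;
}

int main(void)
{
    /* Constructed sample: export at 1127692800 (2005-09-26 00:00:00 UTC),
     * exporter up for one hour, flow ran from 60 s to 4.5 s before export. */
    uint32_t export_sec = 1127692800u, uptime = 3600000u;
    int64_t start = flow_epoch_ms(export_sec, 0, uptime, 3540000u);
    int64_t finish = flow_epoch_ms(export_sec, 0, uptime, 3595500u);

    printf("start:  %lld.%03lld\n", (long long)(start / 1000),
           (long long)(start % 1000));
    printf("finish: %lld.%03lld\n", (long long)(finish / 1000),
           (long long)(finish % 1000));

    /* Constructed wrap case: uptime wrapped 1 s before export and the
     * flow started 1 s before the wrap, so it is 2 s old. */
    int64_t wrapped = flow_epoch_ms(export_sec, 0, 1000u, 4294966296u);
    printf("wrapped start: %lld\n", (long long)(wrapped / 1000));
    return 0;
}
```

If the collector stores its own receive time in place of the exporter's header timestamp, the result is offset by the network and queueing delay between exporter and collector.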
