[netflow-tools] Flow time query
Robin Breathe
rbreathe at brookes.ac.uk
Mon Sep 26 19:41:10 EST 2005
Damien Miller wrote:
> ...snip...
> Shouldn't this be:
>
> time_sec - (sys_uptime_ms / 1000) + flow_start
>
> ?
Pretty much (see my other post).
>> Is there a more sane/sensible way?
>
> I don't think so.
>
> BTW this is already in the TODO list, so it would be a welcome addition
> even if it is just a helper macro or two in store.h.
I'll have a look.
>> On a semi-related note, I've locally patched flowd-reader to support
>> export to SQLite to facilitate further analysis. Would anyone else be
>> interested in my cleaning up my patches and submitting them?
>
> Probably not as part of flowd-reader, but a separate tool (to live in
> the tools/ subdirectory) would be most welcome. There is already a
> Perl script to do just this there.
Yup, I had trouble getting the Perl module to work under solaris9/sparc,
so decided to patch it into flowd-reader (since I could then also
exploit its existing filter code).
A feature of my SQLite exporter is that it will merge both multiple
instances of a flow and the two sides of a bidirectional dataflow into a
single row (by grouping on the src_addr:src_port/dst_addr:dst_port/proto
tuple). I have another utility to merge flows in adjacent exports into a
single table. However, at present both of these utilities only work on a
fixed set of columns:
start_time, duration,
{src,dst}_{addr,port}, proto,
{in,out}_{octets,packets}
Robin
--
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk Tel: +44 1865 483685 Fax: +44 1865 483073
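
The conversion discussed in this thread, written out as an added example (not code from flowd or from either poster). The struct and function names are hypothetical; it assumes flow_start and flow_finish are exporter-uptime values in milliseconds, and it goes beyond the quoted formula by keeping millisecond precision and handling wrap of the 32-bit uptime counter.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical struct for this example: export-header clock fields plus
 * per-flow times. Uptime-relative values are assumed to be milliseconds. */
struct flow_times {
	uint32_t time_sec;      /* exporter wall clock at export (s) */
	uint32_t time_nanosec;  /* residual nanoseconds of that clock */
	uint32_t sys_uptime_ms; /* exporter uptime at export (ms) */
	uint32_t flow_start;    /* uptime at first packet of flow (ms) */
	uint32_t flow_finish;   /* uptime at last packet of flow (ms) */
};

/* Constructed samples: an ordinary export, and one sent 5 s after the
 * 32-bit uptime counter wrapped (it wraps roughly every 49.7 days). */
static const struct flow_times sample_normal =
    { 1127756470u, 500000000u, 100000u, 40000u, 95000u };
static const struct flow_times sample_wrapped =
    { 1127756470u, 500000000u, 5000u, 4294966296u, 2000u };

/* Epoch milliseconds at which the exporter's uptime read uptime_ms. */
static int64_t
uptime_to_epoch_ms(const struct flow_times *ft, uint32_t uptime_ms)
{
	int64_t export_ms = (int64_t)ft->time_sec * 1000 +
	    ft->time_nanosec / 1000000;
	/* Modulo-2^32 subtraction gives the event's age even across a
	 * counter wrap, provided the event precedes the export. */
	uint32_t age_ms = ft->sys_uptime_ms - uptime_ms;

	return export_ms - (int64_t)age_ms;
}

int64_t flow_start_epoch_ms(const struct flow_times *ft)
{ return uptime_to_epoch_ms(ft, ft->flow_start); }

int64_t flow_finish_epoch_ms(const struct flow_times *ft)
{ return uptime_to_epoch_ms(ft, ft->flow_finish); }

uint32_t flow_duration_ms(const struct flow_times *ft)
{ return ft->flow_finish - ft->flow_start; }

int main(void)
{
	printf("start=%" PRId64 " ms, duration=%" PRIu32 " ms\n",
	    flow_start_epoch_ms(&sample_wrapped), flow_duration_ms(&sample_wrapped));
	return 0;
}
```

The resulting timestamps are on the exporter's clock, so correlating them with logs from other hosts still depends on that clock being synchronised.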