[netflow-tools] softflowctl expire-all
Robin Breathe
rbreathe at brookes.ac.uk
Mon Sep 26 22:41:50 EST 2005
I use softflowd and flowd together on a Solaris 9 host talking NetFlow v5.

I seem to be seeing an inconsistency between the output of `softflowctl
statistics` and the results of issuing a `softflowctl expire-all`.

I expect that issuing an `expire-all` would force softflowd to export
all of its current flow data to flowd and restart monitoring. However,
running a `flowd-reader -v flows.db | wc -l` before and after indicates
that this is not the case.

Example output:
##### BEGIN
# softflowctl statistics; \
> echo "%%%flows: `flowd-reader -v flows.raw | wc -l`"; \
> softflowctl expire-all; \
> echo "%%%flows: `flowd-reader -v flows.raw | wc -l`"; \
> softflowctl statistics
statistics
softflowd[11574]: Accumulated statistics:
Number of active flows: 4176
Packets processed: 9372374
Fragments: 2
Ignored packets: 1405 (1405 non-IP, 0 too short)
Flows expired: 119941 (0 forced)
Flows exported: 239882 in 7569 packets (0 failures)
Expired flow statistics: minimum average maximum
Flow bytes: 46 51562 79795808
Flow packets: 1 76 109762
Duration: 0.00s 18.83s 299.70s
Expired flow reasons:
tcp = 0 tcp.rst = 5895 tcp.fin = 0
udp = 0 icmp = 0 general = 0
maxlife = 0
over 2Gb = 0
maxflows = 0
flushed = 114046
Per-protocol statistics: Octets Packets Avg Life Max Life
Unknown (1): 162797 2397 19.20s 298.84s
Unknown (6): 5939745100 8157978 18.67s 299.70s
Unknown (17): 244516151 895628 19.53s 299.69s
Unknown (41): 1088 16 2.93s 6.06s
%%%flows 354
expire-all
softflowd[11574]: Expired 4181 flows.
%%%flows 531
statistics
softflowd[11574]: Accumulated statistics:
Number of active flows: 0
Packets processed: 9372970
Fragments: 2
Ignored packets: 1405 (1405 non-IP, 0 too short)
Flows expired: 124122 (0 forced)
Flows exported: 248244 in 7833 packets (0 failures)
Expired flow statistics: minimum average maximum
Flow bytes: 46 51506 79795808
Flow packets: 1 76 109762
Duration: 0.00s 18.54s 299.70s
Expired flow reasons:
tcp = 0 tcp.rst = 5895 tcp.fin = 0
udp = 0 icmp = 0 general = 0
maxlife = 0
over 2Gb = 0
maxflows = 0
flushed = 118227
Per-protocol statistics: Octets Packets Avg Life Max Life
Unknown (1): 167651 2469 19.32s 298.84s
Unknown (6): 6134757449 8419521 18.33s 299.70s
Unknown (17): 258098658 950964 19.46s 299.69s
Unknown (41): 1088 16 2.93s 6.06s
##### END
It seems as though "flows expired" is increasing by about the right
amount, "flows exported" is going up by a factor of two over the number
of active flows, and the flowd datafile is barely going up at all!

# cat flowd.conf
listen on 127.0.0.1:4432
flow source 127.0.0.1
store ALL
logfile "/data/netflow/flows.raw"

Is my understanding of the way netflow, and in particular netflow-tools,
works flawed? Any ideas on how to proceed in working out what's going wrong?

Regards,
Robin
--
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk Tel: +44 1865 483685 Fax: +44 1865 483073
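
The comparison described in the message can be done mechanically. The following is an added example, not part of the original post or of netflow-tools: it parses two `softflowctl statistics` snapshots (counter lines copied from the output above) and reports the change in each counter across the `expire-all`, next to the growth in `flowd-reader` line count. The function names `parse_stats` and `reconcile` are hypothetical.

```python
import re

# Counter lines copied from the two statistics snapshots in the post;
# 354 and 531 (used at the bottom) are its flowd-reader line counts.
BEFORE = """\
Number of active flows: 4176
Flows expired: 119941 (0 forced)
Flows exported: 239882 in 7569 packets (0 failures)
flushed = 114046
"""
AFTER = """\
Number of active flows: 0
Flows expired: 124122 (0 forced)
Flows exported: 248244 in 7833 packets (0 failures)
flushed = 118227
"""

# One pattern per counter; the labels are the ones shown in the post's output.
PATTERNS = {
    "active": r"Number of active flows:\s*(\d+)",
    "expired": r"Flows expired:\s*(\d+)",
    "exported": r"Flows exported:\s*(\d+)",
    "export_packets": r"Flows exported:\s*\d+ in (\d+) packets",
    "failures": r"\((\d+) failures\)",
    "flushed": r"flushed\s*=\s*(\d+)",
}

def parse_stats(text):
    """Extract the integer counters from one `softflowctl statistics` dump."""
    stats = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter {name!r} not found")
        stats[name] = int(m.group(1))
    return stats

def reconcile(before, after, stored_before, stored_after):
    """Counter deltas across an expire-all, plus records exported per expired
    flow and the fraction of exported records that appeared in the flowd log."""
    b, a = parse_stats(before), parse_stats(after)
    delta = {k: a[k] - b[k] for k in b if k != "active"}
    delta["stored"] = stored_after - stored_before
    exp, out = delta["expired"], delta["exported"]
    delta["exported_per_expired"] = out / exp if exp else None
    delta["stored_fraction"] = delta["stored"] / out if out else None
    return delta

if __name__ == "__main__":
    for key, value in reconcile(BEFORE, AFTER, 354, 531).items():
        print(f"{key}: {value}")
```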