[netflow-tools] softflowd statistics bug

Robin Breathe rbreathe at brookes.ac.uk
Wed Sep 28 19:59:54 EST 2005


Damien Miller wrote:
> On Tue, 27 Sep 2005, Robin Breathe wrote:
>> In softflowd.c, it is falsely assumed that every expired flow will lead
>> to 2 exports.
>> This has made testing of the other bug (in flowd) a little harder as
>> softflowd reports that it has exported more flows than it really has.
>>
>> Line 782: ft->flows_exported += num_expired * 2;
>> Line 786: ft->flows_dropped += num_expired * 2;
>>
>> In the case of a unidirectional flow, this is not the case.
> 
> I think this is fixed in the development version, of which I have just
> set up public snapshot releases. Have a look at:
> 
> http://www2.mindrot.org/softflowd_snap/

This provides better statistics, but still not what I'd expect.
Softflowd exports two records per bi-directional flow, but only one
record for a unidirectional flow.

What `softflowctl statistics` displays as an "active flow" will actually
equate to either one or two flow records being exported to the netflow
collector depending upon whether it is uni- or bi-directional (e.g.
blackholed probe versus normal tcp conversation).

The old statistics assumed that every flow was bidirectional ("Flows
exported" --> 2 * "Flows expired"), while the new ones record one expiry
per flow independent of whether it is bidirectional or not ("Flows
exported" --> 1 * "Flows expired").

Old:
Number of active flows: 0
Packets processed: 101136
Fragments: 0
Ignored packets: 21 (21 non-IP, 0 too short)
Flows expired: 1570 (0 forced)
Flows exported: 3140 in 98 packets (0 failures)

New:
Number of active flows: 0
Packets processed: 78026
Fragments: 0
Ignored packets: 23 (23 non-IP, 0 too short)
Flows expired: 2770 (0 forced)
Flows exported: 2770 in 371 packets (0 failures)
Packets received by libpcap: 78049
Packets dropped by libpacp: 0
Packets dropped by interface: 0

What I was suggesting was that it would be extremely useful to actually
record the number of uni-directional flows (i.e. the items recorded by
the collector) in the statistics. Something like the following:

Flows exported: 2770 in 371 packets (0 failures, 5531 records)

Regards,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.mindrot.org/pipermail/netflow-tools/attachments/20050928/0fa18509/attachment.bin 


More information about the netflow-tools mailing list