From mwlucas at blackhelicopters.org Mon Dec 8 04:52:44 2008
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Sun, 7 Dec 2008 12:52:44 -0500
Subject: [netflow-tools] softflowctl statistics
Message-ID: <20081207175244.GA85769@bewilderbeast.blackhelicopters.org>

Hi,

(Please pardon the nitpicking questions. My new book includes a
section on softflowd. While I've used softflowd happily for years,
this means that I'm now poking into corners that I've never looked at
before.)

I'm taking a close look at "softflowctl statistics," and something
doesn't seem quite right to me. Here's output from 0.9.8 on a FreeBSD
6.4 test box:

softflowd[61946]: Accumulated statistics:
Number of active flows: 16
Packets processed: 11898
Fragments: 0
Ignored packets: 46 (46 non-IP, 0 too short)
Flows expired: 759 (0 forced)
Flows exported: 784 in 67 packets (0 failures)
Packets received by libpcap: 12156
Packets dropped by libpcap: 0
Packets dropped by interface: 3217012028

I would expect "packets processed" + "ignored packets" = "packets
received by libpcap". This rarely seems to be the case. Does
softflowd lose packets?

Also, we've expired 759 flows, but exported 784. Where did the extra
25 flows come from?

What makes softflowd "force" expiration of a flow? "softflowctl
expire-all" doesn't seem to increment this counter.

Last, why would an interface on a machine with very little traffic
show 3217012028 packets dropped by the interface?

Thanks,
==ml

==ml

-- 
Michael W. Lucas
mwlucas at BlackHelicopters.org, mwlucas at FreeBSD.org
http://www.BlackHelicopters.org/~mwlucas/

"My pessimism extends to the point of even suspecting the sincerity of the pessimists."
   -- Jean Rostand, French biologist and philosopher

From jaime.blasco at alienvault.com Wed Dec 24 07:13:53 2008
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Tue, 23 Dec 2008 21:13:53 +0100
Subject: [netflow-tools] netflow problem
Message-ID: <53834cf20812231213k6910297bq73d874b68301bb39@mail.gmail.com>

Hi,

I have installed flowd-0.9.1 and I have some problems running flowd.
When I run flowd with the -d option, this is the output:

read_config: entering
child_get_config: entering
drop_privs: dropping privs without chroot
send_config: entering fd = 4
send_config: done
child_get_config: child config done
recv_config: entering fd = 3
recv_config: ready to receive config
Listener for [127.0.0.1]:12345 fd = 3
Adjusted socket receive buffer from 112640 to 524288
Setting socket send buf to 1024
Listener for [::1]:12345 fd = 4
Adjusted socket receive buffer from 112640 to 524288
Setting socket send buf to 1024
privsep_init: entering
fopen(/usr/local/var/run/flowd.pid): No such file or directorydrop_privs: dropping privs with chroot
init_pfd: entering (num_fds = 0)
init_pfd: done (num_fds = 3)
client_open_log: entering
receive_fd: recvmsg: Connection reset by peer

Can anyone help me?

Regards

-- 
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com