[netflow-tools] Flow time query

Robin Breathe rbreathe at brookes.ac.uk
Mon Sep 26 17:57:30 EST 2005


Greetings,

I'm trying to work out whether flow-tools will allow me to retrieve (or
calculate) a second-accurate flow start-time in seconds since the UNIX
epoch.

If my understanding is correct, and referring to the NetFlow v9
specification along with store.h, AGENT_INFO contains time_sec &
time_nanosec, but these appear to always take the same value as
RECV_TIME.recv_sec. I want to calculate a flow's start and stop times
relative to the UNIX epoch rather than the device's uptime.

Would the following give me what I'm looking for?

actual_flows_start =
  (AGENT_INFO.time_sec - 100*AGENT_INFO.sys_uptime_ms)
  + FLOW_TIMES.flows_start

Is there a more sane/sensible way?

On a semi-related note, I've locally patched flowd-reader to support
export to SQLite to facilitate further analysis. Would anyone else be
interested in my cleaning up my patches and submitting them?

Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073
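
An added example, not part of the original post and not flowd's own code: converting uptime-relative flow timestamps to UNIX epoch time, including the case where the exporter's 32-bit uptime counter wraps between flow start and export. It assumes time_sec/time_nanosec give the exporter's wall-clock time for the export packet, and that sys_uptime_ms and the flow start/finish values are 32-bit millisecond uptime counters as in NetFlow v9; the function and parameter names are hypothetical.

```python
U32 = 1 << 32  # uptime counters are 32-bit milliseconds (wrap after ~49.7 days)


def export_epoch_ms(time_sec, time_nanosec):
    """Exporter wall-clock time of the export packet, in ms since the epoch."""
    return time_sec * 1000 + time_nanosec // 1_000_000


def flow_epoch_ms(time_sec, time_nanosec, sys_uptime_ms, flow_uptime_ms):
    """Convert one uptime-relative flow timestamp to ms since the UNIX epoch.

    All terms are brought to milliseconds before subtracting. The flow's age
    at export time is taken modulo 2**32, so a counter wrap between the flow
    timestamp and the export still yields a time in the past, not the future.
    """
    age_ms = (sys_uptime_ms - flow_uptime_ms) % U32
    return export_epoch_ms(time_sec, time_nanosec) - age_ms


def flow_window_sec(time_sec, time_nanosec, sys_uptime_ms,
                    flow_start_ms, flow_finish_ms):
    """Return (start, finish) as whole seconds since the UNIX epoch."""
    start = flow_epoch_ms(time_sec, time_nanosec, sys_uptime_ms, flow_start_ms)
    finish = flow_epoch_ms(time_sec, time_nanosec, sys_uptime_ms, flow_finish_ms)
    return start // 1000, finish // 1000


# Constructed sample values, not taken from a real exporter.
NORMAL = dict(time_sec=1127750000, time_nanosec=250_000_000,
              sys_uptime_ms=86_400_000,        # exporter up for one day
              flow_start_ms=86_395_500, flow_finish_ms=86_399_000)

WRAPPED = dict(time_sec=1127750000, time_nanosec=250_000_000,
               sys_uptime_ms=2_000,            # counter wrapped 2 s ago
               flow_start_ms=U32 - 3_000,      # flow began 3 s before the wrap
               flow_finish_ms=1_000)

if __name__ == "__main__":
    for name, rec in (("normal", NORMAL), ("wrapped", WRAPPED)):
        print(name, flow_window_sec(**rec))
```
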
