[netflow-tools] Flow time query

Damien Miller djm at mindrot.org
Mon Sep 26 18:55:04 EST 2005


Robin Breathe wrote:
> Greetings,
> 
> I'm trying to work out whether flow-tools will allow me to retrieve (or
> calculate) a second-accurate flow start-time in seconds since the UNIX
> epoch.
> 
> If my understanding is correct, and referring to the NetFlow v9
> specification along with store.h, AGENT_INFO contains time_sec &
> time_nanosec, but these appear to always take the same value as
> RECV_TIME.recv_sec. 

They are in fact different: recv_sec is set by flowd, but time_sec is
set by the flow exporter. If they are the same, then it is because your
clocks are in sync and there was no lag between flow expiry and export.

On a Cisco, for example, the first flows in an export packet usually
have the largest delta between recv_sec, as they were expired and
subsequently queued first. On a busy router, there may not be much of a
lag though.

On the other hand, if you are using something like softflowd that
exports flows as soon as they expire, then the only difference that you
will see is the difference between the exporter and the collector's
clock, or zero if they are on the same host.

> I want to calculate a flow's start and stop times
> relative to the UNIX epoch rather than the device's uptime.
> 
> Would the following give me what I'm looking for?
> 
> actual_flows_start =
>   (AGENT_INFO.time_sec - 100*AGENT_INFO.sys_uptime_ms)
>   + FLOW_TIMES.flows_start

Shouldn't this be:

time_sec - (sys_uptime_ms / 1000) + flow_start

?

> Is there a more sane/sensible way?

I don't think so.

BTW this is already in the TODO list, so it would be a welcome addition
even if it is just a helper macro or two in store.h.

> On a semi-related note, I've locally patched flowd-reader to support
> export to SQLite to facilitate further analysis. Would anyone else be
> interested in my cleaning up my patches and submitting them?

Probably not as part of flowd-reader, but a separate tool (to live in
the tools/ subdirectory) would be most welcome. There is already a
Perl script to do just this there.

-d
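The uptime-to-epoch conversion discussed above, worked through as an added example (this is not code from the thread or from flowd, and the field names are only borrowed from the store.h records the thread mentions). It assumes that sys_uptime_ms, flow_start and flow_finish are all 32-bit millisecond counters since the exporter booted, as NetFlow's SysUptime/First/Last are, so flow_start is divided by 1000 just like sys_uptime_ms. Because a 32-bit millisecond counter wraps every ~49.7 days, a flow that started just before a wrap shows a flow_start larger than the packet's sys_uptime_ms; the example unwraps that case with modulo arithmetic rather than producing a start time in the future.

```python
# Added example, not part of the original thread or of flowd.
# Assumption: all three uptime fields are 32-bit millisecond counters since
# boot (NetFlow SysUptime/First/Last); time_sec/time_nanosec is the exporter's
# wall clock when the export packet was built.

UPTIME_WRAP_MS = 1 << 32  # 32-bit ms counter wraps every ~49.7 days


def ms_before_export(sys_uptime_ms, event_ms):
    """Milliseconds between an uptime-stamped event and the export packet.

    If event_ms is numerically ahead of sys_uptime_ms, the counter wrapped
    between the event and the export, so the modulo unwraps it.
    """
    return (sys_uptime_ms - event_ms) % UPTIME_WRAP_MS


def flow_epoch_times(agent, times):
    """Return (start, finish) in seconds since the UNIX epoch as floats.

    agent: dict with time_sec, time_nanosec, sys_uptime_ms (AGENT_INFO-like)
    times: dict with flow_start, flow_finish (FLOW_TIMES-like, milliseconds)
    """
    export_epoch = agent["time_sec"] + agent["time_nanosec"] / 1e9
    uptime = agent["sys_uptime_ms"]
    start = export_epoch - ms_before_export(uptime, times["flow_start"]) / 1000.0
    finish = export_epoch - ms_before_export(uptime, times["flow_finish"]) / 1000.0
    if finish < start:
        # A flow cannot finish before it starts; treat as a corrupt record
        # rather than silently emitting a negative duration.
        raise ValueError("flow_finish precedes flow_start after unwrapping")
    return start, finish


def exporter_clock_skew(recv_sec, time_sec):
    """Seconds the collector's clock is ahead of the exporter's at receipt.

    This is the recv_sec vs. time_sec difference the reply describes: zero on
    the same host, otherwise clock offset plus the exporter's queueing lag.
    """
    return recv_sec - time_sec


if __name__ == "__main__":
    # Constructed sample: exported one hour after boot, flow lasted 9 s and
    # ended 1 s before the packet was built.
    agent = {"time_sec": 1127717704, "time_nanosec": 0, "sys_uptime_ms": 3_600_000}
    times = {"flow_start": 3_590_000, "flow_finish": 3_599_000}
    print(flow_epoch_times(agent, times))
    # Constructed sample crossing a counter wrap: started 1.5 s before export,
    # the wrap happened 1 s before export.
    agent_wrap = {"time_sec": 1127717704, "time_nanosec": 0, "sys_uptime_ms": 1000}
    times_wrap = {"flow_start": UPTIME_WRAP_MS - 500, "flow_finish": 500}
    print(flow_epoch_times(agent_wrap, times_wrap))
```

The same arithmetic would go into a helper macro in store.h; the only parts worth keeping in C are the modulo unwrap on a u_int32_t difference (which unsigned subtraction gives for free) and the finish-before-start check.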
