[netflow-tools] softflowctl expire-all

Robin Breathe rbreathe at brookes.ac.uk
Wed Sep 28 18:17:55 EST 2005 

Damien Miller wrote:
> On Wed, 28 Sep 2005, Damien Miller wrote:
>> Robin Breathe wrote:
>>> I'm beginning to test the 20050927 snapshot (which looks to have the
>>> queue patch), but needed to apply the attached patch in order for it to
>>> compile in Solaris 9.
>>
>> No, the queue patch has not been committed.
> 
> You will have to apply it yourself. Please let me know how it goes and
> I'll commit it if it is stable and improves your situation.

The patch didn't apply cleanly as given (it didn't like the
process_netflow_v7 function), but I munged it in.

However, I still seem to be getting forgotten flows:

## logged        1 lines
# sleep 30
# softflowctl stop-gather
stop-gather
softflowd[3271]: Data collection stopped.
## logged        1 lines
# softflowctl statistics
statistics
softflowd[3271]: Accumulated statistics:
Number of active flows: 1570
Packets processed: 101136
Fragments: 0
Ignored packets: 21 (21 non-IP, 0 too short)
Flows expired: 0 (0 forced)
Flows exported: 0 in 0 packets (0 failures)

# softflowctl expire-all
expire-all
softflowd[3271]: Expired 1570 flows.
# softflowctl statistics
statistics
softflowd[3271]: Accumulated statistics:
Number of active flows: 0
Packets processed: 101136
Fragments: 0
Ignored packets: 21 (21 non-IP, 0 too short)
Flows expired: 1570 (0 forced)
Flows exported: 3140 in 98 packets (0 failures)

Expired flow statistics:  minimum       average       maximum
  Flow bytes:                  46         48461      34269298
  Flow packets:                 1            64         34677
  Duration:                  0.00s         4.88s        31.27s

Expired flow reasons:
       tcp =         0   tcp.rst =         0   tcp.fin =         0
       udp =         0      icmp =         0   general =         0
   maxlife =         0
  over 2Gb =         0
  maxflows =         0
   flushed =      1570

Per-protocol statistics:     Octets      Packets   Avg Life    Max Life
        Unknown (1):            545            5       0.51s       2.05s
        Unknown (6):       73832643        92504       4.89s      31.26s
       Unknown (17):        2250079         8617       4.92s      31.27s
       Unknown (41):            680           10       4.40s       6.00s
## logged      176 lines


In fact, if anything it seems to be worse?
Should I try increasing INPUT_MAX_PACKET_PER_FD?

> Note that the snapshot releases change the log format a bit from the
> last stable release. You can convert your logs using flowd-reader's -L
> option.

Yup, this will force me to update my flowdb->sqlite conversion program,
which is probably not a bad thing (I'll dis-entangle it from flowd-reader).

>>> It also fails to configure if bison is present, is this intentional?
>>
>> configure should use Berkeley yacc in favour of bison.
> 
> GNU Bison is known to miscompile parse.y and I haven't bothered to spend
> the time to figure out why. On Solaris, /usr/ccs/bin/yacc is known to do
> the right thing (on Linux, use byacc).

Fair enough, just unexpected :)

Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
Url : http://lists.mindrot.org/pipermail/netflow-tools/attachments/20050928/4aabdd73/attachment.bin

More information about the netflow-tools mailing list