From h4w301 at gmail.com Fri Aug 4 02:23:45 2006
From: h4w301 at gmail.com (Humphrey Widjaja)
Date: Fri, 4 Aug 2006 00:23:45 +0800
Subject: [netflow-tools] any missing records when rotating?
Message-ID: <1052a31a0608030923i54d8dc4j211aaea6267c994b@mail.gmail.com>

Hi ...

I want to rotate flow records.

Is there any missing flow records between process of renaming flow data file
(e.g. to flowd.yymmdd) and sending a SIGUSR1 to flowd?

Regards,
Humphrey

From djm at mindrot.org Fri Aug 4 08:01:47 2006
From: djm at mindrot.org (Damien Miller)
Date: Fri, 4 Aug 2006 08:01:47 +1000 (EST)
Subject: [netflow-tools] any missing records when rotating?
In-Reply-To: <1052a31a0608030923i54d8dc4j211aaea6267c994b@mail.gmail.com>
References: <1052a31a0608030923i54d8dc4j211aaea6267c994b@mail.gmail.com>
Message-ID:

On Fri, 4 Aug 2006, Humphrey Widjaja wrote:

> Hi ...
>
> I want to rotate flow records.
>
> Is there any missing flow records between process of renaming flow data file
> (e.g. to flowd.yymmdd) and sending a SIGUSR1 to flowd?

No records will be lost so long as the operation to move the flowd log
to its new name (e.g. flowd.yymmdd) is a simple rename() and not a move
between filesystems.

Flow records will be sent to the existing (renamed) file for the period
after the file has been renamed but before the SIGUSR1 is received.

-d

From mwlucas at blackhelicopters.org Sat Aug 5 00:44:00 2006
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Fri, 4 Aug 2006 10:44:00 -0400
Subject: [netflow-tools] Dropped flows?
Message-ID: <20060804144400.GA55880@bewilderbeast.blackhelicopters.org>

Hi,

I'm running a box with four instances of softflowd, on four different
interfaces, pointing at four different networks.

syslog is reporting lots of these errors:

Aug 3 12:09:48 ns1 flow-capture[705]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=1465693 received=1465702 lost=9
Aug 3 12:09:48 ns1 flow-capture[705]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=1465731 received=1465702 lost=4294967266
Aug 3 12:09:48 ns1 flow-capture[709]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=2620523 received=2620524 lost=1
Aug 3 12:09:48 ns1 flow-capture[709]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=2620526 received=2620528 lost=2

We got 34 of them in one arbitrary second.

Am I really losing 4294967266 flows, as that one message states, or
are the instances overlapping in some way?

Thanks,
==ml

PS: I leave for vacation today at 3PM, but decided I better get this
message out before I forget about it... as I'm getting lots of data, I
expect that this is either a bug or I'm using softflowd in an
unexpected way.

--
Michael W. Lucas mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com

"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur

From phatbuckett at gmail.com Thu Aug 24 13:11:21 2006
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 23 Aug 2006 20:11:21 -0700
Subject: [netflow-tools] pfflowd doesn't run except under debug
Message-ID: <839aec700608232011g2a7dbd8eg4e49de4d67155229@mail.gmail.com>

pfflowd will not stay running on my system unless it is started using
the '-D' switch. Using '-d' it exits immediately with a return code of
1, and with no switches it silently exits immediately with a code of
0. Have tried on two different systems, GENERIC and a custom kernel.

pfflowd-0.7

OpenBSD 3.9-stable (GENERIC) #1: Tue Aug 8 23:01:29 MST 2006
root at molodetz.sancho2k.net:/usr/src/sys/arch/i386/compile/GENERIC
OpenBSD 3.9-stable (NET45xx) #0: Sun Jun 4 15:00:47 MST 2006
root at molodetz.sancho2k.net:/usr/src/sys/arch/i386/compile/NET45xx

Invocation:
/usr/local/sbin/pfflowd -n molodetz.sancho2k.net:3366 -D

$ ldd /usr/local/sbin/pfflowd
/usr/local/sbin/pfflowd:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/local/sbin/pfflowd
        052e8000 252f5000 rlib 0    1   0      /usr/lib/libpcap.so.4.0
        0e6d4000 2e6d8000 rlib 0    1   0      /usr/lib/libutil.so.11.0
        0a3cd000 2a3fe000 rlib 0    1   0      /usr/lib/libc.so.39.0
        00945000 00945000 rtld 0    1   0      /usr/libexec/ld.so

DS

From djm at mindrot.org Thu Aug 24 13:21:50 2006
From: djm at mindrot.org (Damien Miller)
Date: Thu, 24 Aug 2006 13:21:50 +1000 (EST)
Subject: [netflow-tools] pfflowd doesn't run except under debug
In-Reply-To: <839aec700608232011g2a7dbd8eg4e49de4d67155229@mail.gmail.com>
References: <839aec700608232011g2a7dbd8eg4e49de4d67155229@mail.gmail.com>
Message-ID:

Are you sure that you don't have an error message like:

Unable to find unprivileged user "_pfflowd"

In your logs?

-d

On Wed, 23 Aug 2006, Darren Spruell wrote:

> pfflowd will not stay running on my system unless it is started using
> the '-D' switch. Using '-d' it exits immediately with a return code of
> 1, and with no switches it silently exits immediately with a code of
> 0. Have tried on two different systems, GENERIC and a custom kernel.
>
> pfflowd-0.7
>
> OpenBSD 3.9-stable (GENERIC) #1: Tue Aug 8 23:01:29 MST 2006
> root at molodetz.sancho2k.net:/usr/src/sys/arch/i386/compile/GENERIC
> OpenBSD 3.9-stable (NET45xx) #0: Sun Jun 4 15:00:47 MST 2006
> root at molodetz.sancho2k.net:/usr/src/sys/arch/i386/compile/NET45xx
>
> Invocation:
> /usr/local/sbin/pfflowd -n molodetz.sancho2k.net:3366 -D
>
> $ ldd /usr/local/sbin/pfflowd
> /usr/local/sbin/pfflowd:
>         Start    End      Type Open Ref GrpRef Name
>         00000000 00000000 exe  1    0   0      /usr/local/sbin/pfflowd
>         052e8000 252f5000 rlib 0    1   0      /usr/lib/libpcap.so.4.0
>         0e6d4000 2e6d8000 rlib 0    1   0      /usr/lib/libutil.so.11.0
>         0a3cd000 2a3fe000 rlib 0    1   0      /usr/lib/libc.so.39.0
>         00945000 00945000 rtld 0    1   0      /usr/libexec/ld.so
>
> DS
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> http://lists.mindrot.org/mailman/listinfo/netflow-tools
>
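
Added example (not part of any message in this archive, and not flowd's own code): a rotation helper for the "any missing records when rotating?" thread above, which renames with rename(2), refuses a cross-filesystem move, and only then sends SIGUSR1. The function name, the paths, the pidfile and the `dest_dir`/`kill` parameters are assumptions made for the example.

```python
import errno
import os
import signal
import time


def rotate_flowd_log(log_path, pid_file, dest_dir=None, suffix=None, kill=os.kill):
    """Rename the live flowd log, then signal flowd to reopen it.

    Returns the rotated file's path. The paths, the pidfile and this helper's
    name are assumptions for the example; `kill` is injectable for testing.
    """
    suffix = suffix or time.strftime("%y%m%d")  # flowd.yymmdd, as in the thread
    dest_dir = dest_dir or os.path.dirname(os.path.abspath(log_path))
    rotated = os.path.join(dest_dir, f"{os.path.basename(log_path)}.{suffix}")

    # Do not overwrite an earlier rotation that used the same suffix.
    if os.path.exists(rotated):
        raise FileExistsError(rotated)

    # Resolve the daemon first so a stale pidfile aborts before any rename.
    with open(pid_file) as fh:
        pid = int(fh.read().strip())
    kill(pid, 0)  # signal 0 only checks that the process exists

    try:
        # os.rename() is rename(2): atomic inside one filesystem, and the
        # daemon's open descriptor follows the file, so records written
        # before the signal arrives land in the renamed file.
        os.rename(log_path, rotated)
    except OSError as exc:
        if exc.errno == errno.EXDEV:
            # A cross-filesystem move needs copy+delete, which can miss
            # records written during the copy. Refuse instead.
            raise RuntimeError(f"{dest_dir} is on another filesystem") from exc
        raise

    # The thread's second step: SIGUSR1 after the rename.
    kill(pid, signal.SIGUSR1)
    return rotated
```

A shell `mv` to another filesystem silently falls back to copy-and-delete, which is the case the reply warns about; calling rename(2) directly turns that into a hard error.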