Once per hour, I'm getting a large volume of syslogs that look
thusly (it's a lot more readable if you can stretch your window
out to about 200 columns):

May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170665 flows=92089508 lost=3947 reset=12 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.2.5 dst_ip=128.114.1.91 d_ver=5 pkts=2891 flows=11884 lost=10 reset=0 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.92 dst_ip=128.114.1.91 d_ver=5 pkts=658462 flows=19095398 lost=1769 reset=6 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170666 flows=92089537 lost=3947 reset=12 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.2.5 dst_ip=128.114.1.91 d_ver=5 pkts=2891 flows=11884 lost=10 reset=0 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.92 dst_ip=128.114.1.91 d_ver=5 pkts=658462 flows=19095398 lost=1769 reset=6 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170667 flows=92089566 lost=3947 reset=12 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.2.5 dst_ip=128.114.1.91 d_ver=5 pkts=2891 flows=11884 lost=10 reset=0 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.92 dst_ip=128.114.1.91 d_ver=5 pkts=658462 flows=19095398 lost=1769 reset=6 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170668 flows=92089595 lost=3947 reset=12 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.2.5 dst_ip=128.114.1.91 d_ver=5 pkts=2891 flows=11884 lost=10 reset=0 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.92 dst_ip=128.114.1.91 d_ver=5 pkts=658462 flows=19095398 lost=1769 reset=6 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170669 flows=92089624 lost=3947 reset=12 filter_drops=0
May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 startup=1084835987 src_ip=128.114.2.5 dst_ip=128.114.1.91 d_ver=5 pkts=2891 flows=11884 lost=10 reset=0 filter_drops=0

A given exporter seems to repeatedly report the same count of lost flows
over and over for about a minute. These entries show up en masse when
the log file is turned, then there's complete silence for an hour. There's
an interesting comment in flow-capture.c:
/*
 * note there is an obscure race condition here if this
 * code is not reached at least every stat_interval*60 seconds
 * where up to 1 hour of STAT lines would not show up.
 * This is highly unlikely and not handled.
 */
Any clues out there?
mb
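
An added example, not part of the original post and not flow-tools code: a small Python parser that groups flow-capture STAT lines by exporter and `now=` value to quantify the repetition described above. The sample lines are copied from the log excerpt in the post with the wrapped lines rejoined; the function names `parse_stat` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: five STAT lines taken from the post's excerpt (rejoined).
PREFIX = ("May 18 06:00:00 netflow flow-capture[436]: STAT: now=1084885200 "
          "startup=1084835987 ")
SAMPLE = [
    PREFIX + "src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170665 flows=92089508 lost=3947 reset=12 filter_drops=0",
    PREFIX + "src_ip=128.114.2.5 dst_ip=128.114.1.91 d_ver=5 pkts=2891 flows=11884 lost=10 reset=0 filter_drops=0",
    PREFIX + "src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170666 flows=92089537 lost=3947 reset=12 filter_drops=0",
    PREFIX + "src_ip=128.114.2.5 dst_ip=128.114.1.91 d_ver=5 pkts=2891 flows=11884 lost=10 reset=0 filter_drops=0",
    PREFIX + "src_ip=128.114.0.90 dst_ip=128.114.1.91 d_ver=5 pkts=3170667 flows=92089566 lost=3947 reset=12 filter_drops=0",
]

STAT_RE = re.compile(r"flow-capture\[\d+\]: STAT: (?P<kv>.*)$")
INT_FIELDS = ("now", "startup", "pkts", "flows", "lost", "reset", "filter_drops")

def parse_stat(line):
    """Return the key=value fields of one STAT line as a dict, or None."""
    m = STAT_RE.search(line.strip())
    if not m:
        return None
    rec = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    if "src_ip" not in rec or any(k not in rec for k in INT_FIELDS):
        return None  # truncated or malformed line
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec

def summarize(lines):
    """Group STAT lines by (exporter, now=) and report how they repeat."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_stat(line)
        if rec:
            groups[(rec["src_ip"], rec["now"])].append(rec)
    return {
        key: {
            "lines": len(recs),  # STAT lines sharing one now= value
            "lost_values": sorted({r["lost"] for r in recs}),
            "flows_delta": recs[-1]["flows"] - recs[0]["flows"],
            "repeated": len(recs) > 1,  # same exporter, same now=, several lines
        }
        for key, recs in groups.items()
    }

if __name__ == "__main__":
    for (src, now), info in sorted(summarize(SAMPLE).items()):
        print(src, now, info)
```
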