Hey everybody,

The other thing I'm working on with Juniper flows is "long flows". We have various flow timeouts set to sane values, but keep seeing really long flows arrive at our collection station, which is messing with certain analysis programs.

I wrote a little script that shows us how many flows and bytes from a given flow file are going into what time buckets, where I've set the buckets to be 0-900 seconds, 900-1800, etc. In my dream world no flow would be reported to last over 900 seconds (and there would be free It's It Ice Cream Sandwiches).

Here is a "random" sample (inr-001 and inr-002 are m40e's, inr-003 and inr-004 are m7i's):

netflow.inr-001/ft-v05.2006-08-11.040000-0700:
        0  111140   6006217920

netflow.inr-002/ft-v05.2006-08-11.040000-0700:
        0  164664  17977073440

netflow.inr-003/ft-v05.2006-08-11.040000-0700:
        0  711499   3435343092
      900    2615    872297513
     1800     881    261323019
     2700     263     44570234
     3600      79     30430681
     4500      51      4852349
     5400      21      3418594
     6300      11      7041484
     7200       4        84925
     8100       2         7429

netflow.inr-004/ft-v05.2006-08-11.040000-0700:
        0  412570   1263148945
      900     592    759589358
     1800     213    101194786
     2700      89     66340933
     3600      47     40617598
     4500      31      1575887
     5400      12      1558969
     6300       7      2189981
     7200       5        42184
     8100       4       141120
     9000       1      5639631
    11700       1        38076
    16200       1        24810

I've seen much longer, including **54 hours** :)

We got a "promising" response recently from their TAC, which hinted at the idea that the beginning time of a flow is *not* reset even when it gets "flushed" and set off in a PDU: Instead, the counters are reset to zero (and presumably the end time changes) but the flow remains in some sense. We're not completely sure that we are interpreting their comments right, so we're following up.

Mike
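The duration bucketing described in the message above can be sketched as follows. This is an added example, not the script from the post; the CSV column names (`first_ms`, `last_ms`, `doctets`) and the sample records are assumptions constructed for illustration, with start and end times taken as NetFlow v5 sysUpTime values in milliseconds.

```python
import csv
import io
from collections import defaultdict

BUCKET_SECONDS = 900  # bucket width used in the post

# Constructed sample records (not real data). Column names are hypothetical.
SAMPLE_CSV = """first_ms,last_ms,doctets
1000,61000,4000
5000,899000,1200
10000,910000,52000
20000,1900000,700
0,8105000,7429
"""

def load(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def bucket_flows(rows, width=BUCKET_SECONDS):
    """Return {bucket_start_seconds: [flow_count, byte_count]}."""
    buckets = defaultdict(lambda: [0, 0])
    for row in rows:
        first, last = int(row["first_ms"]), int(row["last_ms"])
        # sysUpTime is a 32-bit millisecond counter, so allow for one wrap
        # between the first and last packet of a flow.
        duration_ms = (last - first) % 2**32
        start = (duration_ms // 1000) // width * width
        buckets[start][0] += 1
        buckets[start][1] += int(row["doctets"])
    return dict(buckets)

def format_report(buckets):
    """One 'bucket flows bytes' line per bucket, shortest durations first."""
    return [f"{s} {n} {b}" for s, (n, b) in sorted(buckets.items())]

def over_limit(buckets, limit=BUCKET_SECONDS):
    """Total (flows, bytes) reported with a duration of `limit` s or more."""
    hits = [v for s, v in buckets.items() if s >= limit]
    return sum(v[0] for v in hits), sum(v[1] for v in hits)

if __name__ == "__main__":
    result = bucket_flows(load(SAMPLE_CSV))
    print("\n".join(format_report(result)))
    print("flows/bytes at or over %d s: %d %d"
          % ((BUCKET_SECONDS,) + over_limit(result)))
```
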
