Hi, I've a question regarding the use of time window (-t switch) in nfdump:
Why are only the flows that fit completely into the specified window included?

A little background - we are using softflowd with maxlife set to 60secs and nfcapd -t is set to 60 as well (-w is also used). In a single nfcapd file there are flows which start a few seconds before or end after the given minute.

So the problem we are having is that the total bytes from the statistics summary (nfdump -I -r) don't match the sum of bytes from all flows from that file if the -t flag matching the given minute is specified. It also means that browsing the directory (using -M/-R) and specifying the -t time window to move around would skip the flows that start or end outside it.

One of the ideas we have is to make a change to include flows that start or end within the specified time window with the following change[1]. Would you be able to validate this approach as we are not sure if that's the correct way of solving this problem?

Cheers,
Alex

PS. I work for Opsview and nfdump is included in the opsview-base package. It also contains some patches we have added to nfdump - available at https://secure.opsview.com/svn/opsview-base/trunk/patches/ (prefixed with nfdump_)

[1] - include flows that start or end within specified time window

diff -ur nfdump-1.6.10.orig/bin/nfdump.c nfdump-1.6.10/bin/nfdump.c --- nfdump-1.6.10.orig/bin/nfdump.c 2013-05-06 15:43:59.000000000 +0100 +++ nfdump-1.6.10/bin/nfdump.c 2013-09-09 17:13:43.705258861 +0100 @@ -555,7 +555,7 @@ switch ( flow_record->type ) { case CommonRecordType: { - int match; + int match = twin_start ? 0 : 1; uint32_t map_id = flow_record->ext_map; generic_exporter_t *exp_info = exporter_list[flow_record->exporter_sysid]; if ( map_id >= MAX_EXTENSION_MAPS ) { 
@@ -576,7 +576,7 @@ // Time based filter // if no time filter is given, the result is always true - match = twin_start && (master_record->first < twin_start || master_record->last > twin_end) ? 0 : 1; + match = (master_record->first >= twin_start || master_record->last <= twin_end) ? 1 : 0; match &= limitflows ? stat_record.numflows < limitflows : 1; // filter netflow record with user supplied filter

--
Alex Burzynski

Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
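Review bot: in the first hunk (@@ -555), the initialiser `int match = twin_start ? 0 : 1;` has no visible effect, because the second hunk assigns `match` with a plain `=` before the `match &= limitflows ...` line. Keep `int match;` as it was, or, if some path between the two hunks reads `match` before that assignment, name that path in the patch description so the initial value can be reviewed against it.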
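Review bot: in the second hunk (@@ -576), the added test `master_record->first >= twin_start || master_record->last <= twin_end` joins two one-sided comparisons with `||`, so it does not express "starts or ends within the window". A flow that starts after twin_end passes the first comparison and a flow that ends before twin_start passes the second, while a flow that starts before twin_start and ends after twin_end, covering the whole window, is the only kind rejected. Each endpoint needs both bounds, `(first >= twin_start && first <= twin_end) || (last >= twin_start && last <= twin_end)`, or, to also keep flows that span the window, the overlap test `first <= twin_end && last >= twin_start`. The removed `twin_start &&` guard should also stay explicit: the comment "if no time filter is given, the result is always true" now holds only because `first >= twin_start` happens to be true when twin_start is zero.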
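The time-window behaviour asked about in this message, as an added example that is not part of the original post or of nfdump: it sums bytes over constructed flows under the fully-contained rule the message describes, the predicate from the proposed patch, and an interval-overlap rule. The struct, function names and sample flows are assumptions made for illustration; `overlaps` is an assumed alternative, not nfdump's own code.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed flow record: only the fields a time filter and byte sum need. */
struct flow { uint32_t first, last; uint64_t bytes; };
typedef int (*pred_t)(const struct flow *, uint32_t ws, uint32_t we);

/* Rule described in the message: flow must fit completely inside the window. */
static int contained(const struct flow *f, uint32_t ws, uint32_t we) {
    return f->first >= ws && f->last <= we;
}
/* Predicate as written in the proposed patch. */
static int patched(const struct flow *f, uint32_t ws, uint32_t we) {
    return f->first >= ws || f->last <= we;
}
/* Assumed alternative: flow shares at least one second with the window. */
static int overlaps(const struct flow *f, uint32_t ws, uint32_t we) {
    return f->first <= we && f->last >= ws;
}

/* Total bytes of the flows a predicate accepts for window [ws, we]. */
static uint64_t sum_bytes(const struct flow *fl, size_t n, pred_t p,
                          uint32_t ws, uint32_t we) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (p(&fl[i], ws, we))
            total += fl[i].bytes;
    return total;
}

/* Constructed sample for the one-minute window 1000..1059. */
static const struct flow sample[] = {
    { 1005, 1040,  100 },  /* entirely inside the window      */
    {  990, 1010,  200 },  /* starts before, ends inside      */
    { 1050, 1070,  400 },  /* starts inside, ends after       */
    {  980, 1080,  800 },  /* spans the whole window          */
    {  900,  950, 1600 },  /* ends before the window starts   */
    { 1100, 1150, 3200 },  /* starts after the window ends    */
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

int main(void) {
    pred_t preds[] = { contained, patched, overlaps };
    const char *names[] = { "contained", "patched", "overlaps" };
    for (int i = 0; i < 3; i++)
        printf("%-9s %llu bytes\n", names[i], (unsigned long long)
               sum_bytes(sample, NSAMPLE, preds[i], 1000, 1059));
    return 0;
}
```

Flows far outside the minute being counted, or a long-lived flow being dropped, both distort per-window byte totals used when reconstructing a timeline from flow data.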
