Hi Tore,

On 7/5/10 15:49, Tore Anderson wrote:
> Hi list,
> 
> I'm a new Nfsen user trying to import a few years worth of flow-capture
> data, running all the flow-tools files through a "flow-cat | flow-filter
> | ft2nfdump | nfdump" pipeline.  It appears to do the trick just fine,
> except that the flow-tools data have an incorrect sampling rate recorded
> (apparently 1:1), an error that makes its way over to the converted
> files.  My routers use a 1:1000 sampling rate (nfcapd, unlike
> flow-capture, correctly detects and compensates for that).
> 
> Is there a way to correct the sampling rate of the flow-tools data when
> importing it into Nfsen?

There is no direct switch for applying a sampling rate. However, the quickest
way is a local hack of ft2nfdump.c for the sake of converting:

In ft2nfdump.c, multiply the packets/bytes by your sampling rate:
make line 287/287 look like:

        record.dOctets      = *((uint32_t*)(rec+fo.dOctets)) * 1000;
        record.dPkts        = *((uint32_t*)(rec+fo.dPkts)) * 1000;

and add after line 257:

        SetFlag(record.flags, FLAG_SAMPLED);

Recompile and convert your files.

Done.

        - Peter

> 
> Best regards,

-- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
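
The counter scaling from the reply above, as an added example that is not part of the original message or of nfdump's code, showing the wrap that occurs when a `uint32_t` flow counter is multiplied by the sampling rate before being widened. `struct ex_record`, `EX_FLAG_SAMPLED`, the byte offsets and the sample counters are hypothetical and constructed for illustration, and the example assumes the destination counters are 64 bits wide.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_FLAG_SAMPLED 0x10u  /* hypothetical bit value, this example only */

/* Hypothetical stand-in for the converter's output record. */
struct ex_record {
    uint64_t dOctets;
    uint64_t dPkts;
    uint32_t flags;
};

/* Read a 32-bit counter at a byte offset; memcpy avoids unaligned access. */
static uint32_t read_u32(const unsigned char *rec, size_t off) {
    uint32_t v;
    memcpy(&v, rec + off, sizeof v);
    return v;
}

/* Scale sampled counters: widen to 64 bits BEFORE multiplying. */
void scale_sampled(struct ex_record *out, const unsigned char *rec,
                   size_t off_octets, size_t off_pkts, uint32_t rate) {
    out->dOctets = (uint64_t)read_u32(rec, off_octets) * rate;
    out->dPkts   = (uint64_t)read_u32(rec, off_pkts) * rate;
    if (rate > 1)
        out->flags |= EX_FLAG_SAMPLED;  /* mark the record as scaled */
}

/* The same multiplication carried out in 32 bits, to show the wrap. */
uint32_t scale_32bit(uint32_t counter, uint32_t rate) {
    return counter * rate;
}

/* Build a constructed raw record (5 MB, 4000 packets) and scale it 1:1000. */
struct ex_record demo(void) {
    unsigned char rec[8];
    uint32_t octets = 5000000u, pkts = 4000u;  /* constructed sample values */
    struct ex_record out = {0, 0, 0};
    memcpy(rec, &octets, sizeof octets);
    memcpy(rec + 4, &pkts, sizeof pkts);
    scale_sampled(&out, rec, 0, 4, 1000);
    return out;
}

int main(void) {
    struct ex_record r = demo();
    printf("64-bit: %llu bytes, %llu packets, flags=0x%x\n",
           (unsigned long long)r.dOctets, (unsigned long long)r.dPkts, r.flags);
    printf("32-bit: %u bytes\n", scale_32bit(5000000u, 1000u));
    return 0;
}
```

At a 1:1000 rate, any flow whose recorded byte counter exceeds about 4.29 million wraps in the 32-bit form, so large transfers would be under-reported in the converted files.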