Re: pflow packets before state expires
* Matt Hamilton [2013-09-10 12:30]:
> sven falempin gmail.com> writes:

[nonsense deleted]

> The problem is that (I believe) that the pflow packet is not generated until
> the state expires from pf. In the case of the scp transfer I saw that was not
> for several days. Meaning I had no accounting/reporting of this data
> transfer until it ended and the state expired.

correct.

> At which point the entire
> data transferred during that state's life was counted as if it happened now.

This I'd call a visualization bug; but that doesn't change too much here.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
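The spike discussed in this thread comes from charging a flow's whole byte count to the moment its record arrives. The following is an added example, not part of the thread and not OpenBSD or pflow code: a collector-side apportionment that spreads each flow's bytes over its lifetime, assuming every record carries a start time, an end time and a byte count. The function names, the hourly bucket and the sample flow are constructed.

```python
from collections import defaultdict

BUCKET = 3600  # seconds per accounting bucket (assumption: hourly billing)

def apportion(start, end, nbytes, bucket=BUCKET):
    """Spread nbytes over [start, end) in proportion to the time spent in
    each bucket. Returns {bucket_start: bytes}; the values sum to nbytes."""
    if end <= start:                      # zero-length flow: one bucket
        return {start - start % bucket: nbytes}
    duration = end - start
    out, assigned, t = {}, 0, start
    while t < end:
        b0 = t - t % bucket               # bucket this slice falls in
        nxt = min(b0 + bucket, end)       # end of slice
        share = nbytes * (nxt - t) // duration
        out[b0] = share
        assigned += share
        t = nxt
    out[b0] += nbytes - assigned          # rounding remainder to last bucket
    return out

def account_spread(flows, bucket=BUCKET):
    """Per-bucket totals with each flow spread over its lifetime."""
    totals = defaultdict(int)
    for start, end, nbytes in flows:
        for b, n in apportion(start, end, nbytes, bucket).items():
            totals[b] += n
    return dict(totals)

def account_at_export(flows, bucket=BUCKET):
    """Per-bucket totals with everything charged at flow end, which is
    the behaviour that produces the spike described in the thread."""
    totals = defaultdict(int)
    for start, end, nbytes in flows:
        totals[end - end % bucket] += nbytes
    return dict(totals)

# Constructed sample: one long transfer, 3 days, 10**12 bytes,
# given as (start_epoch, end_epoch, bytes).
SAMPLE = [(1800, 1800 + 3 * 86400, 10**12)]

if __name__ == "__main__":
    spread = account_spread(SAMPLE)
    print("buckets touched:", len(spread), "peak:", max(spread.values()))
    print("charged at export:", account_at_export(SAMPLE))
```

This only corrects where the bytes are charged once the record exists; the record itself still arrives when the state expires, as confirmed in the reply above.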
Re: pflow packets before state expires
sven falempin gmail.com> writes:
>
> The manual says the information is extracted from the state table.
> So you should have seen the info.
>
> First: are you sure the information wasn't in the udp pflow packets? maybe
> the collector was wrong.
> Second: man says < controlled by the mtu.>>

The problem is that (I believe) that the pflow packet is not generated until
the state expires from pf. In the case of the scp transfer I saw that was not
for several days. Meaning I had no accounting/reporting of this data
transfer until it ended and the state expired. At which point the entire
data transferred during that state's life was counted as if it happened now.

-Matt
Re: pflow packets before state expires
The manual says the information is extracted from the state table.
So you should have seen the info.

First: are you sure the information wasn't in the udp pflow packets? maybe
the collector was wrong.
Second: man says <> +

On Mon, Sep 9, 2013 at 11:55 AM, Matt Hamilton wrote:
> Hi All,
> We use pflow with pf to export packets to a collector for
> billing/monitoring
> purposes. The problem we have is that someone at the weekend had a very
> long running scp connection over several days that transferred a TB
> of data. The data was not logged via pflow until the state expired, so
> then showed a massive spike when the state expired.
>
> Anyone know any way around this? Is it possible to get pf/pflow to
> export more regularly? Or set some timeout? I'm guessing not due
> to the architecture, and unless I force pf states to timeout then I'm
> stuck? But thought I'd ask in case anyone knew of a way.
>
> Thanks
> -Matt
>
>

--
- () ascii ribbon campaign - against html e-mail
/\
pflow packets before state expires
Hi All,

We use pflow with pf to export packets to a collector for billing/monitoring
purposes. The problem we have is that someone at the weekend had a very
long running scp connection over several days that transferred a TB
of data. The data was not logged via pflow until the state expired, so
then showed a massive spike when the state expired.

Anyone know any way around this? Is it possible to get pf/pflow to
export more regularly? Or set some timeout? I'm guessing not due
to the architecture, and unless I force pf states to timeout then I'm
stuck? But thought I'd ask in case anyone knew of a way.

Thanks
-Matt