Re: pflow packets before state expires

2013-09-17 Thread Henning Brauer
* Matt Hamilton ma...@netsight.co.uk [2013-09-10 12:30]:
> sven falempin sven.falempin at gmail.com writes:
[nonsense deleted]

> The problem is that (I believe) the pflow packet is not generated until
> the state expires from pf. In the case of the scp transfer I saw that was not
> for several days. Meaning I had no accounting/reporting of this data
> transfer until it ended and the state expired.

correct.

> At which point the entire
> data transferred during that state's life was counted as if it happened now.

This I'd call a visualization bug; but that doesn't change too much
here.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
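
The difference between counting a late record at export time and spreading it over the state's lifetime, as an added collector-side example that is not part of the original thread or of any collector's code. It assumes the collector has already decoded each pflow record into start/end timestamps and a byte count (the dict keys and the sample flows are constructed), and that traffic was uniform over the life of the flow.

```python
from collections import defaultdict

DAY = 86400  # reporting bucket in seconds (assumed daily billing graph)

def spread_flow(start, end, nbytes, bucket=DAY):
    """Apportion nbytes uniformly over [start, end); returns {bucket_start: bytes}."""
    if end <= start:  # zero-length flow: everything lands in one bucket
        return {start - start % bucket: nbytes}
    duration = end - start
    shares, t, done = {}, start, 0
    while t < end:
        b = t - t % bucket                 # bucket containing t
        nxt = min(b + bucket, end)         # end of this slice of the flow
        cum = nbytes * (nxt - start) // duration  # bytes attributed up to nxt
        shares[b] = cum - done             # cumulative split keeps the total exact
        t, done = nxt, cum
    return shares

def bin_by_export_time(flows, bucket=DAY):
    """Naive accounting: all bytes are counted when the record arrives."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["exported"] - f["exported"] % bucket] += f["bytes"]
    return dict(totals)

def bin_by_flow_lifetime(flows, bucket=DAY):
    """Accounting that spreads each record over the state's lifetime."""
    totals = defaultdict(int)
    for f in flows:
        for b, n in spread_flow(f["start"], f["end"], f["bytes"], bucket).items():
            totals[b] += n
    return dict(totals)

# Constructed sample: a three-day transfer of 1 TB exported only after the
# state expired, plus one short flow on the first day.
SAMPLE_FLOWS = [
    {"start": 0, "end": 3 * DAY, "exported": 3 * DAY + 30, "bytes": 10**12},
    {"start": 1000, "end": 1060, "exported": 1090, "bytes": 5000},
]

if __name__ == "__main__":
    print("by export time  :", bin_by_export_time(SAMPLE_FLOWS))
    print("by flow lifetime:", bin_by_flow_lifetime(SAMPLE_FLOWS))
```

This only corrects where the bytes are attributed once the record arrives; the record itself is still not exported until the state expires.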



Re: pflow packets before state expires

2013-09-10 Thread Matt Hamilton
sven falempin sven.falempin at gmail.com writes:

 
> The manual says the information is extracted from the state table.
> So you should have seen the info.
>
> First: are you sure the information wasn't in the udp pflow packets? maybe
> the collector was wrong.
> Second: man says The packet size and thus the maximum number of flows is
> controlled by the mtu.

The problem is that (I believe) the pflow packet is not generated until
the state expires from pf. In the case of the scp transfer I saw that was not
for several days. Meaning I had no accounting/reporting of this data
transfer until it ended and the state expired. At which point the entire
data transferred during that state's life was counted as if it happened now.

-Matt



pflow packets before state expires

2013-09-09 Thread Matt Hamilton
Hi All,
  We use pflow with pf to export packets to a collector for billing/monitoring
purposes. The problem we have is that someone at the weekend had a very
long running scp connection over several days that transferred a TB
of data.  The data was not logged via pflow until the state expired, so
then showed a massive spike when the state expired.

Anyone know any way around this? Is it possible to get pf/pflow to 
export more regularly? Or set some timeout? I'm guessing not due
to the architecture, and unless I force pf states to timeout then I'm
stuck? But thought I'd ask in case anyone knew of a way.

Thanks
-Matt



Re: pflow packets before state expires

2013-09-09 Thread sven falempin
The manual says the information is extracted from the state table.
So you should have seen the info.

First: are you sure the information wasn't in the udp pflow packets? maybe
the collector was wrong.
Second: man says The packet size and thus the maximum number of flows is
controlled by the mtu.

+



On Mon, Sep 9, 2013 at 11:55 AM, Matt Hamilton ma...@netsight.co.uk wrote:

> Hi All,
>   We use pflow with pf to export packets to a collector for billing/monitoring
> purposes. The problem we have is that someone at the weekend had a very
> long running scp connection over several days that transferred a TB
> of data.  The data was not logged via pflow until the state expired, so
> then showed a massive spike when the state expired.
>
> Anyone know any way around this? Is it possible to get pf/pflow to
> export more regularly? Or set some timeout? I'm guessing not due
> to the architecture, and unless I force pf states to timeout then I'm
> stuck? But thought I'd ask in case anyone knew of a way.
>
> Thanks
> -Matt




-- 
-
() ascii ribbon campaign - against html e-mail
/\