Paolo Lucente
Fri, 18 Apr 2008 07:06:21 -0700
Hi Denis, you're correct, these are long-lived flows; while keeping original NetFlow timestamps (no 'nfacctd_time_new' directive in place) this is perfectly legal. Cheers, Paolo On Fri, Apr 18, 2008 at 03:50:42PM +0200, Denis Cavrois wrote: > alex a ??crit : > >>> Hello Paolo! > >>> Sorry again but i found something strange in 'pmacct' behaviour. > >>> I have follow setting for history saving on my 'nfacctd': > >>> > >>> ! nfacctd_time_secs: true > >>> ! nfacctd_time_new: true > >>> sql_refresh_time: 120 > >>> sql_history: 1d > >>> sql_history_roundoff: h > >>> > >>> But i see next records in my database: > >>> > >>> bytes stamp_inserted stamp_updated > >>> > >>> 2188048 2008-04-17 00:00:00 2008-04-18 11:28:01 > >>> 538793 2008-04-17 00:00:00 2008-04-18 09:56:01 > >>> 64680 2008-04-17 00:00:00 2008-04-18 09:56:01 > >>> 286440 2008-04-17 00:00:00 2008-04-18 09:00:01 > >>> ... > >>> > >>> I found that i have overlap records every day: > >>> > >>> date(stamp_inserted) date(stamp_updated) count(*) > >>> > >>> 2008-04-17 2008-04-18 310 > >>> 2008-04-16 2008-04-17 195 > >>> 2008-04-15 2008-04-16 223 > >>> 2008-04-14 2008-04-15 205 > >>> 2008-04-13 2008-04-14 171 > >>> ... > >>> > >>> Of course i haven't exact statistic by days. > >>> What is the matter? > >>> > >>> > >> You seems to have a problem with GMT and local time. Do you have now > >> insert stamp with this day (18/04/2008) ? What is the last stamp_updated > >> (date and time) which has 17/04/2008 as stamp inserted ? > >> > > > > > > No Denis. > > I have identical time on both machines (with 'pmacctd-nfprobe' and > > with 'nfacctd'). You can see last five records with > > stamp_inserted=17/04/2008 > > and stamp_updated=18/04/2008. Totally them 310. But this is very little > > part of all records of this day (22 249). > > > > Ok, if I understand, you have more than 20k of records per day. > Some of these records ( around 300 ) have the stamp inserted of the day > before. > > I think that's because you have some very long connections, like backup > flows. > If you start a backup at 17/04/2008 at 20:00 between IP1:PORT1 and > IP2:PORT2 and this back finish at 18/04/2008 8:00, the stamp inserted > calculated from the start time (ie 17/04/2008 at 20:00 -> see > sql_cache_insert function in sql_common.c ) even if it is exported at > the end of the flow (ie 18/04/2008 8:00 ) > > In this case, the stamp_inserted is 17/04/2008, but it is effectively > updated at 18/04/2008 8:00. > > I hope i'm right this time. > > > > > > > > > >>> And yet one question. As i understand if connection was created at > >>> one day and closed at next we should have two records for it with > >>> somewhat inaccurate (several minutes/Kbytes - 'sql_refresh_time' and > >>> may be something else) around 00:00. > >>> Am i correct? > >>> > >>> Thank you very much, > >>> Alex > >>> > > > > > > ------- > > ???????????????? ???? ?????? ?? ?? ???????? ??????????, ????????, > > ??????????????, ???????????????? ??????????????????????????. > > ???????????? ????????????! http://www.pizza.by > > (017) 290-93-93, (029) 690-93-93, 555-93-93 > > > > > > _______________________________________________ > > pmacct-discussion mailing list > > http://www.pmacct.net/#mailinglists > > > -- > > <http://www.acipia.fr/> > > > > *Denis Cavrois* > [EMAIL PROTECTED] <[EMAIL PROTECTED]> > Tel: (0)320 28 61 67 > Tel: (0)320 28 61 62 > Fax: (0)320 70 57 11 > > Acipia > 50 av. Jean-Baptiste Lebas > 59100 Roubaix > > Visitez notre site Web > http://www.acipia.fr <http://www.acipia.fr/> _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists