Thanks for your kindly help.
I tried flow-merge, but found all time stamp is removed after file merging. How could I merge those files while keeping time stamp? thanks a lot! Regards Joe Shen -----Original Message----- From: Mike Hunter [mailto:[EMAIL PROTECTED] Sent: Saturday, April 24, 2004 12:09 AM To: Joe Shen Cc: [EMAIL PROTECTED] Subject: Re: [Flow-tools] Need help with flowscan On Apr 23, "Joe Shen" wrote: If I understand the problem correctly, using flow-merge instead of flow-cat could help. > Yes, that's just the problem I'm facing. In fact, I run 3 > flow-capture daemon on three UDP port, each port accpets netflow data > from one router, and store those data to one dirctory. The directories > is located on two hard disk. > > I do not run flowscan continuously, but after collecting netflow data > for one week, I want to run flowscan for analysis. In deed, we could > run flowscan seperately with each directory, but we also want to > combine those statistics to form a summary report. So, when we set > up flowscan to process those directories sequently, "illegal time > stamp" error comes up. > > Is there any method to overcome it? or is there tools to combine rrd > contents ? > > thanks. > > Regards > > Joe Shen > > > -----Original Message----- > From: Leigh Sharpe [mailto:[EMAIL PROTECTED] > Sent: Friday, April 23, 2004 8:30 AM > To: Joe Shen; [EMAIL PROTECTED] > Subject: Re: [Flow-tools] Need help with flowscan > > > I suggest you just wait a little while. > The error message you have copied here indicates that flowscan is > trying to update an RRD with a timestamp which is 66000 seconds ( > about 18 hours or so > ) older than the last update. You may find it comes good in about 18 hours > (or less, I expect.). If not, you may need to look at where the incorrect > timestamp has come from. Flowscan uses the timestamp in the filename of the > flow file. If you are renaming these files, you may not have the correct > timestamp in the filename. > > ----- Original Message ----- > From: "Joe Shen" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Thursday, April 22, 2004 8:40 PM > Subject: [Flow-tools] Need help with flowscan > > > > Hi, > > > > I run 3 flow-capture daemon which listen on different ports and save > netflow > > files to different directories(/netflow/router1, netflow/router2, > > netflow/catalyst1 etc.). > > > > I've set up flow-capture with -R, which renames original > > flow-capture file name to some other name and link to a central > > directory > > (/users/flowscan) for flowscan . > > > > Now the first period ends and we want to process those files in > > /users/flowscan. The result we expects should include: > > > > - sum and protocol analysis of trafic from all routers, > > - sum and protocol analysis of trafic from first router, > > - sum and protocol analysis of trafic from second router ....... > > etc. > > > > We install CUFlow and set up flowscan with central data directory, > > but when processing those files flowscan reports message like: > > > > " ERROR updating > > /usr/local/flowscan/rrds/router1/ip_address.rrd:illegal > > attempt to update using time 1082010600 when last update time is > 1082076600 > > (minimum one second step) " > > > > and, those rrd files created have no record in it. > > > > How could I do with such problems? Can I process those directoies > > seperately and flowscan will sum up those result automatically? > > > > thanks in advance. > > > > Regards > > > > Joe Shen > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Rasmus > > Hansen > > Sent: Thursday, April 22, 2004 4:46 PM > > To: Anukool Lakhina > > Cc: [EMAIL PROTECTED] > > Subject: Re: [Flow-tools] 2 questions on flow-export output > > > > > > Anukool Lakhina wrote: > > > 1) When flow-export reports the *next-hop* IP as 0.0.0.0 and/or > > > the output interface as 0, what does this mean? > > > > Which type of device is the export coming from? I get this from my > > Junipers, but that is excusable as the documentation (JunOS Feature > > Guide v6.1 - page 115) states that the next hop IP address is not > > filled > in. > > > > > 2) And, what does a flow *destination* IP of 0.0.0.0 imply? > > > > Not sure about this one - possibly spoofed traffic? Although I can't > > think why it would get forwarded unless it's sampling on ingress and > > then discarding the packet. Again, I'd check the device > > documentation. _______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
