Hi all, I just needed some clarification on whether this is normal. We run flowscan with flow-tools then extract the data from rrd into a mysql DB for usage figures.
One thing I’m noticing though is it’s very CPU intensive. This box is a dual 2.8ghz cpu. 2GB Ram. 15k SCSI Raid 5 config. I’m using the Debian packages on this, although on other collectors I have compiled them myself, using Robert Galloways tutorial. Linux d3-syd-equinix02 2.6.18-6-686 #1 SMP Sun Feb 10 22:11:31 UTC 2008 i686 GNU/Linux # flowscan Configuration Directives ############################################ # FlowFileGlob (REQUIRED) # use this glob (file pattern match) when looking for raw flow files to be # processed, e.g.: # FlowFileGlob /var/local/flows/flows.*:*[0-9] ##FlowFileGlob flows.*:*[0-9] FlowFileGlob /var/netflow/ft-v05.* # ReportClasses (REQUIRED) # a comma-seperated list of FlowScan report classes, e.g.: # ReportClasses CampusIO # ReportClasses SubNetIO ReportClasses CUFlow # WaitSeconds (OPTIONAL) # This should be <= the "-s" value passed on the command-line to cflowd, e.g.: # WaitSeconds 300 WaitSeconds 30 # Verbose (OPTIONAL, non-zero = true) Verbose 5 ~ Flowscan runs every 5 minutes, using the CUFlow class. 2008/02/21 07:20:07 working on file /var/netflow/ft-v05.2008-02-21.071500+1100... 2008/02/21 07:20:10 flowscan-1.020 CUFlow: Cflow::find took 3 wallclock secs ( 3.36 usr + 0.00 sys = 3.36 CPU) for 585896 flow file bytes, flow hit ratio: 32073/32970 2008/02/21 07:20:11 flowscan-1.020 CUFlow: report took 1 wallclock secs ( 0.00 usr 0.00 sys + 0.11 cusr 0.04 csys = 0.15 CPU) The CUFlow.cf has approx 31 Class C’s in it. I am analysing every IP, eg, every IP in those Class Cs has it’s own RRD. Not sure if this is too much for it to do. 2336 ? Ss 0:37 /usr/bin/flow-capture -w /var/netflow/ft 0/0/2055 -S5 -V5 -E1G -n 287 -N 0 -R /usr/local/netflow/bin/linkme 3099 ? S 4:20 /usr/bin/perl /usr/bin/flowscan 4941 ? R 1:31 /usr/bin/perl /usr/bin/flowscan As you can see it’s running 2 sometimes 3 processes of flowscan. Is this normal ? Am I doing this right ? ☺ PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 4941 root 25 0 21708 18m 1700 R 100 0.9 3:19.58 flowscan 2336 root 15 0 2896 1244 504 S 1 0.1 0:37.41 flow-capture I missed the 2nd flowscan in top while writing this email, but it basically flatlines the cpu 24/7 doing this. Can someone point out anything that I am doing wrong ? Appreciate any advice, thanks ☺ Regards, Ross. DISCLAIMER: This e-mail and any files transmitted with it may be privileged and confidential, and are intended only for the use of the intended recipient. If you are not the intended recipient or responsible for delivering this e-mail to the intended recipient, any use, dissemination, forwarding, printing or copying of this e-mail and any attachments is strictly prohibited. If you have received this e-mail in error, please REPLY TO the SENDER to advise the error AND then DELETE the e-mail from your system. Any views expressed in this e-mail and any files transmitted with it are those of the individual sender, except where the sender specifically states them to be the views of our organisation. Our organisation does not represent or warrant that the attached files are free from computer viruses or other defects. 21/2/2008 The user assumes all responsibility for any loss or damage resulting directly or indirectly from the use of the attached files. In any event, the liability to our organisation is limited to either the resupply of the attached files or the cost of having the attached files resupplied. _______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
