Hi, I am currently running a CentOS 5.7 server with flow-tools-0.68.5.1,
FlowViewer 3.3.1, and JKFlow 3.5.2 with FlowScan 1.006. This is kind of an
odd server as it receives all the NetFlow data via scp from 2 other servers
also running flow-tools. Every 5 minutes when these other servers process
their newly captured files, the files are copied to this server and a shell
script with the following lines in it is triggered:
$flowpath/flow-cat $flowdir/rmtserv1/$infiles > /tmp/flowfile1
$flowpath/flow-cat $flowdir/rmtserv2/$infiles > /tmp/flowfile2
$flowpath/flow-merge -z2 /tmp/flowfile1 /tmp/flowfile2 > $flowdir/$infile
The first 2 lines combine any unprocessed files from each of the remote
collector servers to temporary files,
then the 3rd line uses flow-merge to properly combine those temporary
files.
The problem is that somewhere in this process the file header timestamps
are lost so that
flow-cat -t "strtime" -T "endtime" $flowdir
doesn't work. This was working fine with the original uncombined flow
files.
Doing this command (note the debug level > 5):
flow-cat -t "03/13/2012 08:58:59" -T "03/13/2012 12:00:01" -d 9 2>&1 $PREFIX/saved | more
gives a bunch of lines like this:
flow-cat: i=0
flow-cat: name=/var/local/flows/saved/ft-v05.2012-02-29.231500-0500 size=4971055 time=0
flow-cat: name=/var/local/flows/saved/ft-v05.2012-03-02.095500-0500 size=7335032 time=0
...
where the times at the end are all zeros.
Although the doc for flow-merge has a line in it that describes the "-p"
switch to preload headers, the command does not actually support this.
So the question is - how can I combine flow files from 2 different capture
servers with the proper header timestamps?
Thanks for any help.
Cheers,
Dave
_______________________________________________
Flow-tools mailing list
http://mailman.splintered.net/mailman/listinfo/flow-tools
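The merge step from the post above, wrapped so that the result is checked for the zero header timestamps Dave describes before a bad file is left in place. This is an added example, not code from the post or from flow-tools; `$flowpath`, `$flowdir`, `$infiles` and `$infile` are the post's variables, and the time window handed to `flow-cat -d 9` for the check is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: wrap the merge step
# and verify afterwards that the merged file still carries header
# timestamps. $flowpath, $flowdir, $infiles and $infile are the post's
# variables; the start/end window passed to flow-cat is an assumption.

# Read "flow-cat -d 9" debug output on stdin, print the name of every
# file reported with time=0, and return 1 if any such file was seen.
# The name= and time= fields are accepted on one line or split across
# two, as in a mail-wrapped listing.
check_header_times() {
    awk '
        { for (i = 1; i <= NF; i++) {
              if ($i ~ /^name=/) name = substr($i, 6)
              if ($i ~ /^time=/ && name != "") {
                  if (substr($i, 6) == "0") { print name; bad = 1 }
                  name = ""
              }
          } }
        END { exit bad ? 1 : 0 }'
}

# Merge the two collectors' files and fail if the result has no header
# timestamps, so a bad file is not silently accepted into $flowdir.
merge_and_verify() {
    start="$1"; end="$2"
    # mktemp instead of the fixed /tmp/flowfile1 and /tmp/flowfile2 names:
    # avoids clobbering or symlink tricks on a shared /tmp
    f1=$(mktemp /tmp/flowfile1.XXXXXX) || return 1
    f2=$(mktemp /tmp/flowfile2.XXXXXX) || return 1
    # $infiles is left unquoted, as in the post, in case it is a glob
    "$flowpath/flow-cat" $flowdir/rmtserv1/$infiles > "$f1"
    "$flowpath/flow-cat" $flowdir/rmtserv2/$infiles > "$f2"
    "$flowpath/flow-merge" -z2 "$f1" "$f2" > "$flowdir/$infile"
    rm -f "$f1" "$f2"
    # -d 9 writes the per-file listing to stderr; the flow data on stdout
    # is discarded and only the listing reaches the check
    "$flowpath/flow-cat" -t "$start" -T "$end" -d 9 "$flowdir" 2>&1 >/dev/null \
        | check_header_times
}
```

Run `merge_and_verify "03/13/2012 08:58:59" "03/13/2012 12:00:01"` from the post's trigger script; a non-zero exit means at least one file in `$flowdir` was reported with `time=0`.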