Hi Alex,

Here's what I think is happening. Softflowd is basically a sniffer, meaning it monitors traffic for your interface and uses that to build flow records. In order to know when a flow "ends" it needs to look for a FIN-ACK to signal that the connection has finished, at which time softflowd builds the flow record and sends it to the netflow collector (nfcapd). If it's a very long session or if it misses the FIN-ACK packet then potentially softflowd could wait forever before sending the flow record. That's what the timeout is for; it tells softflowd how long to wait before assuming the flow is complete and sending out the flow record.

If you look at the flows in the sample you sent out, all the records from hour 17 have '....S.' for TCP flags, meaning all softflowd saw was the initial outbound SYN. The records for hour 18 have '.APRS.' or '.A..SF' so softflowd saw the connection establish and terminate.

So I think what's happening is that your server is sending a bunch of outbound HTTP requests that are never getting answered, and softflowd is waiting 3600 seconds before generating flow records for these connections. Depending on what you want to do you might want to decrease the timeout to something like 5 minutes (-t tcp=300) so that any unanswered SYN flows get reported quicker.

In any case I don't think this is an nfcapd/nfdump issue. You could try running nfcapd with the -E option to see exactly what flow records it's receiving. That should confirm whether or not the issue is with nfcapd or with softflowd.

Hope this helps. Have a good weekend.

--
Dave Deitrich
deitr...@cymru.com

On 1/4/13 4:48 PM, alex adamos wrote:
> But I don't get it. Yes, the TCP timeout is at 3600s, but why is it showing
> flows that have expired 1 hour ago!! Shouldn't it be something like this: if a
> flow has not expired after 3600s, export-show that flow??? I don't get what
> the timeout is for, so I don't really know how to configure it!!
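A simplified model of the export rule described in the reply above, as an added example that is not part of the original message and is not softflowd's code: a flow is exported when a FIN is seen or once it has been idle for the TCP timeout. The packet list, addresses and function names are constructed for illustration, and the model ignores softflowd's other timers and its periodic expiry check.

```python
# Added example: simplified model of the expiry rule described in the reply.
# Not softflowd's code; packets, addresses and names are constructed.

def export_records(packets, tcp_timeout):
    """Return sorted (export_time, first_seen, key, flags) records.

    A flow is exported when a FIN is seen, or once it has been idle for
    tcp_timeout seconds. Both directions share one key (simplification).
    """
    flows = {}    # key -> [first_seen, last_seen, flags_seen]
    records = []
    for t, key, flags in sorted(packets):
        f = flows.get(key)
        if f and t - f[1] >= tcp_timeout:      # idle timer fired before this packet
            records.append((f[1] + tcp_timeout, f[0], key, f[2]))
            f = None
        if f is None:
            f = flows[key] = [t, t, ""]
        f[1] = t
        f[2] = "".join(sorted(set(f[2] + flags)))
        if "F" in flags:                        # connection closed: export now
            records.append((t, f[0], key, f[2]))
            del flows[key]
    for key, f in flows.items():                # never closed: export at timeout
        records.append((f[1] + tcp_timeout, f[0], key, f[2]))
    return sorted(records)

def syn_only_delays(records):
    """Seconds between first packet and export for flows that only saw a SYN."""
    return [(key, exp - first) for exp, first, key, flags in records if flags == "S"]

# Constructed packets: seconds since 17:00:00, flow key, TCP flags on the packet.
UNANSWERED = ("192.0.2.10", 40001, "198.51.100.7", 80)
ANSWERED = ("192.0.2.10", 40002, "198.51.100.8", 80)
SAMPLE = [
    (120, UNANSWERED, "S"),                     # 17:02:00, SYN never answered
    (3700, ANSWERED, "S"), (3701, ANSWERED, "AS"), (3702, ANSWERED, "A"),
    (3703, ANSWERED, "AP"), (3705, ANSWERED, "AF"),   # 18:01:40 to 18:01:45
]

if __name__ == "__main__":
    for timeout in (3600, 300):
        print(f"tcp timeout {timeout}s")
        for exp, first, key, flags in export_records(SAMPLE, timeout):
            print(f"  first seen +{first}s, exported +{exp}s, flags {flags}, dst {key[2]}")
```

With the 3600-second timeout the SYN-only flow first seen at 17:02 is exported at 18:02, next to the flows that completed in hour 18; with 300 seconds it is exported at 17:07.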