Hi Alfredo,
On Fri, Mar 30, 2018 at 7:20 PM, Alfredo Cardigliano <[email protected]> wrote: > > > * I read in release notes that it was possible to us " kill -USR1 to > close and flush the current pcap in order to make live traffic immediately > available" which works but I notice every time I call it it generates a > new index file. Which then leads me to the question of: how do I know > which index file to run npcapextract against? e.g. if the latest index > was 1.idx and I do a kill -USR do I have to guess that my application > events would be found in 1.idx / 1.pcap or is there a another way to do > this? > > > I recommend you to enable the timeline, and just specify the time interval > in npcapextract, using the timeline as data source instead of the specific > pcap/index. > Thanks for this useful info. I will experiment with timeline. > > * looking at all this another way. I'd be happy to defer the npcapextract > until the data is naturally flushed to disk. but this leads me to 2 > questions: > - how can I know when all the relevant data is flushed to disk so I can > take action on the npcapextract? e.g. is there some concept of a > hook/trigger I can call when pcap / index data is flushed to disk? > > > You probably need to know what is the timestamp of the last packet dumped > to disk, maybe we can write it under /proc/net/pf_ring/stats/<n2disk > stats>. If this works for you we can add it to the features list. > this seems like a good feature to have in the general case could be potentially used in my case. another idea I had was: is there an option to control the flush frequency? e.g. lets say I captured 100 packets but they have not yet flushed to disk and no traffic happens for (say) 10 more minutes. would there still be no flush to disk during that 10 minutes? i.e. would the flush only happen when sufficient traffic has occured to fill up the memory buffer or is there a way to say "always flush to disk every X seconds". in that way I could defer the npcapextract for X seconds after I know the application session has ended and could guarantee the packets would be flushed to disk by then. Thanks so much for such a quick and helpful response. RD
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
