What you need is [--max-file-duration|-t] <seconds>; however, please note that this is automatically set to 10 minutes when enabling the timeline (-A).

Alfredo

> On 30 Mar 2018, at 23:59, Raoul Duke <[email protected]> wrote:
>
> Hi Alfredo,
>
> On Fri, Mar 30, 2018 at 7:20 PM, Alfredo Cardigliano <[email protected] <mailto:[email protected]>> wrote:
>
>> * I read in release notes that it was possible to use "kill -USR1 to close
>> and flush the current pcap in order to make live traffic immediately
>> available" which works but I notice every time I call it it generates a new
>> index file. Which then leads me to the question of: how do I know which
>> index file to run npcapextract against? e.g. if the latest index was 1.idx
>> and I do a kill -USR do I have to guess that my application events would be
>> found in 1.idx / 1.pcap or is there another way to do this?
>
> I recommend that you enable the timeline, and just specify the time interval in
> npcapextract, using the timeline as data source instead of the specific
> pcap/index.
>
> Thanks for this useful info. I will experiment with timeline.
>
>> * looking at all this another way. I'd be happy to defer the npcapextract
>> until the data is naturally flushed to disk. but this leads me to 2
>> questions:
>> - how can I know when all the relevant data is flushed to disk so I can
>> take action on the npcapextract? e.g. is there some concept of a
>> hook/trigger I can call when pcap / index data is flushed to disk?
>
> You probably need to know what is the timestamp of the last packet dumped to
> disk, maybe we can write it under /proc/net/pf_ring/stats/<n2disk stats>. If
> this works for you we can add it to the features list.
>
> this seems like a good feature to have in the general case and could be
> potentially used in my case.
>
> another idea I had was: is there an option to control the flush frequency?
> e.g. let's say I captured 100 packets but they have not yet flushed to disk
> and no traffic happens for (say) 10 more minutes. would there still be no
> flush to disk during that 10 minutes? i.e. would the flush only happen when
> sufficient traffic has occurred to fill up the memory buffer or is there a way
> to say "always flush to disk every X seconds". in that way I could defer the
> npcapextract for X seconds after I know the application session has ended and
> could guarantee the packets would be flushed to disk by then.
>
> Thanks so much for such a quick and helpful response.
>
> RD
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
