On 2009-06-09, fROLOW kONSTANTIN <f-k...@yandex.ru> wrote:
> Hi all.
>
> In fields FIRST and LAST in a stream should be system uptime during reception
> of the first package
> and during reception of the last
>
> When I use 'softflowd' software sensor - all OK (see below), but when I use
> pflow interface
> then in fields FIRST and LAST I see huge values.
> Maybe somebody knows, what mean these values?

flow_start is specified as system uptime (in ms) at the start of flow, to calculate the actual time you must look at uptime_ms and time_sec / time_nanosec from the flow header. This is done so that millisecond timestamp resolution is available without using more than 32 bits in the wire format (reduces overhead). The fix might be as simple as this, but it's totally untested, not even compiled. Index: if_pflow.c =================================================================== RCS file: /cvs/src/sys/net/if_pflow.c,v retrieving revision 1.10 diff -u -p -r1.10 if_pflow.c --- if_pflow.c 27 Feb 2009 11:09:36 -0000 1.10 +++ if_pflow.c 9 Jun 2009 14:01:43 -0000 @@ -356,8 +356,8 @@ copy_flow_data(struct pflow_flow *flow1, flow1->flow_octets = htonl(st->bytes[0]); flow2->flow_octets = htonl(st->bytes[1]); - flow1->flow_start = flow2->flow_start = htonl(st->creation * 1000); - flow1->flow_finish = flow2->flow_finish = htonl(time_second * 1000); + flow1->flow_start = flow2->flow_start = htonl((st->creation-time_uptime) * 1000); + flow1->flow_finish = flow2->flow_finish = htonl((time_second-time_uptime) * 1000); flow1->tcp_flags = flow2->tcp_flags = 0; flow1->protocol = flow2->protocol = sk->proto; flow1->tos = flow2->tos = st->rule.ptr->tos; > 2:56 PM, up 3 mins - flow collection begin with softflowd > --------------------- > UNIX_SECS=1244458921 # 2009-06-08 15:02:01 +04 > SYSUPTIME=363460 # 363460/1000/60 = 6 mins > FIRST=60073 # > LAST=60090 # > --------------------- > > 9:17 AM, up 18 mins - flow collection begin with pflow > --------------------- > UNIX_SECS=1244351870 # 2009-06-07 09:17:50 +04 > SYSUPTIME=1119000 # 1119000/60/1000=18.6 MIN > FIRST=3106274456 # ???? > LAST=3106291456 # ???? > ---------------------
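
Review bot: In the two added lines, subtracting time_uptime from a wall-clock value does not yield an uptime. The removed lines treat st->creation and time_second as epoch seconds (which matches the huge FIRST/LAST values in the pflow dump), so, assuming time_uptime is seconds since boot, time_second - time_uptime is the boot time in epoch seconds: flow_finish becomes a constant near 1.24e9 that still overflows 32 bits once multiplied by 1000, and flow_start becomes boot time minus the flow's age. To match the stated definition (uptime in ms at the start and end of the flow), the offset should be applied the other way round, e.g. flow_finish = htonl(time_uptime * 1000) and flow_start = htonl((st->creation - (time_second - time_uptime)) * 1000). It would also help to say in a comment that these fields are uptime-relative milliseconds, since the header fields are needed to interpret them.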
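
The collector-side calculation described in the reply (uptime_ms plus time_sec / time_nanosec from the header), as an added example that is not code from the thread or from OpenBSD. The struct, the function names and the "suspect" heuristic are assumptions made for illustration; the header values come from the two dumps quoted above, with nanoseconds assumed to be 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Export header fields, named as in the reply above (hypothetical struct). */
struct flow_hdr {
    uint32_t uptime_ms;    /* exporter uptime when the packet was sent, ms */
    uint32_t time_sec;     /* wall clock when the packet was sent, seconds */
    uint32_t time_nanosec; /* residual nanoseconds */
};

/* Header values from the two quoted dumps; nanoseconds are not shown
 * there, so 0 is assumed. WRAPPED_HDR is constructed for the wrap case. */
static const struct flow_hdr SOFTFLOWD_HDR = { 363460u, 1244458921u, 0u };
static const struct flow_hdr PFLOW_HDR = { 1119000u, 1244351870u, 0u };
static const struct flow_hdr WRAPPED_HDR = { 1000u, 1244458921u, 0u };

/* Age of a flow timestamp at export time, in ms. Unsigned subtraction is
 * modulo 2^32, so it stays correct across the ~49.7 day uptime wrap. */
static uint32_t flow_age_ms(const struct flow_hdr *h, uint32_t ts_ms)
{
    return h->uptime_ms - ts_ms;
}

/* Absolute time of a flow timestamp, in ms since the Unix epoch. */
static int64_t flow_abs_ms(const struct flow_hdr *h, uint32_t ts_ms)
{
    int64_t export_ms = (int64_t)h->time_sec * 1000
        + h->time_nanosec / 1000000u;
    return export_ms - (int64_t)flow_age_ms(h, ts_ms);
}

/* Heuristic: a timestamp later than the exporter's current uptime was
 * either taken before a 32-bit wrap or is not an uptime value at all
 * (the pflow dump above). Treat a hit as a hint, not as proof. */
static int flow_ts_suspect(const struct flow_hdr *h, uint32_t ts_ms)
{
    return ts_ms > h->uptime_ms;
}

int main(void)
{
    printf("softflowd FIRST: %lld ms since epoch, suspect=%d\n",
        (long long)flow_abs_ms(&SOFTFLOWD_HDR, 60073u),
        flow_ts_suspect(&SOFTFLOWD_HDR, 60073u));
    printf("pflow FIRST: suspect=%d\n",
        flow_ts_suspect(&PFLOW_HDR, 3106274456u));
    return 0;
}
```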