Re: pflow question - incorrect FIRST and LAST values ?

[Joerg Goltermann]

Hello,

P$QP>P;P>P2 PP>P=Q
QP0P=QP8P= wrote:
> patch works, but i note some differences in same traffic
> (see attached files in my previous message)
> 
> 1. softflowd captured 7 records, pflowd at the same time captured 8

pflow(4) captured one additional flow (line #9) from xxx
Port 137 to yyy Port 137.
                                        
> 2. different quantity of octets in reply from openbsd.org webserver:
> pflow.csv, line #6: 7107 octets
> softflowd.csv, line #5: 7121 octet

are you sure both versions are captured at the same time?
pflow(4) uses the counters from pf. Can you reproduce the
difference of 14?


The attached diff should make better results for the "last"
values:

Index: if_pflow.c
===================================================================
RCS file: /cvs/src/sys/net/if_pflow.c,v
retrieving revision 1.10
diff -u -p -r1.10 if_pflow.c
--- if_pflow.c  27 Feb 2009 11:09:36 -0000      1.10
+++ if_pflow.c  13 Jun 2009 06:43:48 -0000
@@ -356,8 +356,10 @@ copy_flow_data(struct pflow_flow *flow1,
        flow1->flow_octets = htonl(st->bytes[0]);
        flow2->flow_octets = htonl(st->bytes[1]);
 
-       flow1->flow_start = flow2->flow_start = htonl(st->creation * 1000);
-       flow1->flow_finish = flow2->flow_finish = htonl(time_second * 1000);
+       flow1->flow_start = flow2->flow_start =
+           htonl((st->creation - (time_second - time_uptime)) * 1000);
+       flow1->flow_finish = flow2->flow_finish =
+           htonl((time_uptime - st->rule.ptr->timeout[st->timeout]) * 1000);
        flow1->tcp_flags = flow2->tcp_flags = 0;
        flow1->protocol = flow2->protocol = sk->proto;
        flow1->tos = flow2->tos = st->rule.ptr->tos;


 - Joerg