Hi Borys, NetFlow builds uni-directional flows. Such flows are cached on the router until they can be expired basing on a few age-out mechanisms. Flows that account for multiple packets can't be represented by an instantaneous time reference, this is why NetFlow has the concept of flow start and end time.
pmacct uses by default as key to populate the stamp_inserted field the flow start time. This is why you can have a flow expired shortly after midnight by the router but being still accounted to the previous day. You can twist such mechanism by defining nfacctd_time_new to true. This takes as reference time of arrival to the collector (typically a few seconds, ie. 1-2, displaced by the flow end time in non-lab environments). Hope this helps. Cheers, Paolo On Thu, Oct 21, 2010 at 09:15:51AM +0200, Borys Owczarzak wrote: > Hi all, > > My situation: > > I collect inbound traffic per destination IP (my hosts) per day. I use > netflow protocol. Configuration is in nfacct.conf, table template is in > ipinI.txt. > > My problem: > > Some records in table has at "stamp_inserted" in previous day. Please > look in queries.txt. In table for today (21.10.2010) I have 1564 records > with correct date (today) and 484 records with yesterday date. In this > situation, if records has got yesterday date in stamp_inserted they are > not updated. > > I cannot find reason of this problem. Could you check it? > > Kind regards > > -- > Borys Owczarzak > > Wachowiak&Syn s.c. > ul. Grunwaldzka 165D/43 > 60-322 Pozna?? > Poland > e-mail: [email protected] > mobile: +48 609 795 920 > > daemonize: true > pidfile: /var/run/pmacctd.pid > syslog: daemon > !promisc: true > !interface: eth1 > nfacctd_port: 2055 > nfacctd_ip: 172.20.7.246 > > aggregate[ipinI]: dst_host > aggregate_filter[ipinI]: dst net 113.15.208.0/21 > > plugins: mysql[ipinI] > sql_db: nfacct > sql_optimize_clauses: true > sql_table[ipinI]: ipinI%Y%m%d > sql_table_schema[ipinI]: /etc/nfacct/ipinI.txt > sql_user: root > sql_dont_try_update[ipinI]: false > sql_refresh_time: 10 > sql_history: 1d > sql_history_roundoff: d > !sql_cache_entries: 1 > mysql> select * from ipinI20101021 where ip_dst='113.15.208.62'; > +---------------+---------+--------+---------------------+---------------------+ > | ip_dst | packets | bytes | stamp_inserted | stamp_updated > | > +---------------+---------+--------+---------------------+---------------------+ > | 113.15.208.62 | 213 | 308934 | 2010-10-20 00:00:00 | 2010-10-21 > 00:00:31 | > +---------------+---------+--------+---------------------+---------------------+ > 1 row in set (0.00 sec) > > mysql> select count(*) from ipinI20101021 where stamp_inserted = '2010-10-21 > 00:00:00'; > +----------+ > | count(*) | > +----------+ > | 1564 | > +----------+ > 1 row in set (0.00 sec) > > mysql> select count(*) from ipinI20101021 where stamp_inserted = '2010-10-20 > 00:00:00'; > +----------+ > | count(*) | > +----------+ > | 484 | > +----------+ > 1 row in set (0.00 sec) > > > mysql> select * from ipinI20101021 where stamp_inserted = '2010-10-20 > 00:00:00' limit 10; > +---------------+---------+-----------+---------------------+---------------------+ > | ip_dst | packets | bytes | stamp_inserted | stamp_updated > | > +---------------+---------+-----------+---------------------+---------------------+ > | 113.15.212.4 | 610 | 450146 | 2010-10-20 00:00:00 | 2010-10-21 > 00:19:51 | > | 113.15.211.48 | 20771 | 21272799 | 2010-10-20 00:00:00 | 2010-10-21 > 00:02:31 | > | 113.15.215.11 | 356093 | 468051412 | 2010-10-20 00:00:00 | 2010-10-21 > 00:20:01 | > | 113.15.215.5 | 100339 | 56338054 | 2010-10-20 00:00:00 | 2010-10-21 > 00:30:11 | > | 113.15.214.9 | 2027 | 641524 | 2010-10-20 00:00:00 | 2010-10-21 > 00:00:51 | > | 113.15.215.10 | 34 | 2857 | 2010-10-20 00:00:00 | 2010-10-21 > 00:00:41 | > | 113.15.214.42 | 540 | 75617 | 2010-10-20 00:00:00 | 2010-10-21 > 00:01:01 | > | 113.15.208.14 | 51 | 3443 | 2010-10-20 00:00:00 | 2010-10-21 > 00:00:41 | > | 113.15.215.49 | 57283 | 49940708 | 2010-10-20 00:00:00 | 2010-10-21 > 00:26:02 | > | 113.15.214.38 | 1046 | 1034087 | 2010-10-20 00:00:00 | 2010-10-21 > 00:00:41 | > +---------------+---------+-----------+---------------------+---------------------+ > 10 rows in set (0.00 sec) > > mysql> select * from ipinI20101021 where stamp_inserted = '2010-10-21 > 00:00:00' limit 10; > +---------------+---------+---------+---------------------+---------------------+ > | ip_dst | packets | bytes | stamp_inserted | stamp_updated > | > +---------------+---------+---------+---------------------+---------------------+ > | 113.15.213.1 | 136 | 7546 | 2010-10-21 00:00:00 | 2010-10-21 > 08:47:12 | > | 113.15.214.16 | 167 | 10589 | 2010-10-21 00:00:00 | 2010-10-21 > 09:06:21 | > | 113.15.209.1 | 163 | 9556 | 2010-10-21 00:00:00 | 2010-10-21 > 09:05:31 | > | 113.15.210.22 | 163 | 9593 | 2010-10-21 00:00:00 | 2010-10-21 > 09:08:11 | > | 113.15.208.7 | 241 | 12661 | 2010-10-21 00:00:00 | 2010-10-21 > 09:02:51 | > | 113.15.214.18 | 180 | 9366 | 2010-10-21 00:00:00 | 2010-10-21 > 09:08:52 | > | 113.15.211.4 | 5263 | 6145676 | 2010-10-21 00:00:00 | 2010-10-21 > 09:09:12 | > | 113.15.210.19 | 272 | 14878 | 2010-10-21 00:00:00 | 2010-10-21 > 09:07:31 | > | 113.15.209.8 | 202 | 11946 | 2010-10-21 00:00:00 | 2010-10-21 > 09:05:51 | > | 113.15.213.20 | 46 | 3522 | 2010-10-21 00:00:00 | 2010-10-21 > 08:55:51 | > +---------------+---------+---------+---------------------+---------------------+ > 10 rows in set (0.00 sec) > create table nfacct.ipinI%Y%m%d ( > ip_dst CHAR(15) NOT NULL, > packets INT UNSIGNED NOT NULL, > bytes BIGINT UNSIGNED NOT NULL, > stamp_inserted DATETIME NOT NULL, > stamp_updated DATETIME, > PRIMARY KEY (ip_dst) > ) ENGINE=MyISAM; > _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
