Hi Paolo, 

The "timestamp_start" primitive solved my problem.  Thank you.
----------------------------------------------------------------------------------------------------
mysql> select * from acct_v9 limit 3;
+-----+-------+----------+----------+-----+----------+-------------------+-------------------+------+--------+--------+-------------+--------------+----------+----------+-----------+----------+-----+---------+-------+-------+---------------------+---------------------+---------------------+--------------------------+---------------------+------------------------+
| cos | etype | mask_src | mask_dst | tag | class_id | mac_src           | mac_dst           | vlan | as_src | as_dst | ip_src      | ip_dst       | port_src | port_dst | tcp_flags | ip_proto | tos | packets | bytes | flows | stamp_inserted      | stamp_updated       | timestamp_start     | timestamp_start_residual | timestamp_end       | timestamp_end_residual |
+-----+-------+----------+----------+-----+----------+-------------------+-------------------+------+--------+--------+-------------+--------------+----------+----------+-----------+----------+-----+---------+-------+-------+---------------------+---------------------+---------------------+--------------------------+---------------------+------------------------+
|   0 | 800   |        0 |        0 |   0 | unknown  | 90:e2:ba:2b:b9:e1 | 00:04:96:51:97:aa |  213 |      0 |      0 | 10.213.58.1 | 10.209.9.4   |    20100 |    42354 |        16 | tcp      |   0 |       1 |    74 |     0 | 2014-09-10 11:24:00 | 2014-09-10 11:25:01 | 2014-09-10 11:24:01 |                   764676 | 0000-00-00 00:00:00 |                      0 |
|   0 | 800   |        0 |        0 |   0 | unknown  | 00:a0:d1:cf:2d:e9 | 00:04:96:51:97:aa |  213 |      0 |      0 | 10.213.3.5  | 10.213.0.254 |        0 |        0 |         0 | icmp     |   0 |       1 |   126 |     0 | 2014-09-10 11:24:00 | 2014-09-10 11:25:01 | 2014-09-10 11:24:01 |                   764705 | 0000-00-00 00:00:00 |                      0 |
|   0 | 800   |        0 |        0 |   0 | unknown  | 70:72:cf:2b:90:74 | 00:04:96:51:97:aa |  214 |      0 |      0 | 10.214.0.21 | 10.11.4.1    |      161 |    44626 |         0 | udp      |   0 |       1 |   149 |     0 | 2014-09-10 11:24:00 | 2014-09-10 11:25:01 | 2014-09-10 11:24:01 |                   764713 | 0000-00-00 00:00:00 |                      0 |
+-----+-------+----------+----------+-----+----------+-------------------+-------------------+------+--------+--------+-------------+--------------+----------+----------+-----------+----------+-----+---------+-------+-------+---------------------+---------------------+---------------------+--------------------------+---------------------+------------------------+
3 rows in set (0.00 sec)
----------------------------------------------------------------------------------------------------

-----Original Message-----
From: pmacct-discussion [mailto:[email protected]] On Behalf 
Of Paolo Lucente
Sent: Wednesday, September 10, 2014 9:14 AM
To: [email protected]
Subject: Re: [pmacct-discussion] More precise flow timestamp

Hi,

Yes, with the "timestamp_start" primitive you can get a timestamp per sFlow 
packet. If the timestamps_secs config directive is set to false (which is the 
default), then you also get the residual time after secs populated (which is 
what you want).

sql_history does not clash with the timestamp_start primitive; you can use 
both.

Cheers,
Paolo

On Tue, Sep 09, 2014 at 12:14:12PM +0000, [email protected] wrote:
> Hi Paolo and all,
>   Hope this is the right place to post my question.
>   For recording a flow’s corresponding timestamp I use the sql_history 
> primitive and my sfacctd.conf looks like:
> ………………
> sql_dont_try_update: true
> sql_history: 1m
> !ql_history_roundoff: mh
> ……………..
> 
>   The sql data I got
> mysql> select * from acct_v9 limit 3;
> +-----+-------+----------+----------+-----+----------+-------------------+-------------------+------+--------+--------+-------------+---------------+----------+----------+-----------+----------+-----+---------+-------+-------+---------------------+---------------------+
> | cos | etype | mask_src | mask_dst | tag | class_id | mac_src           | mac_dst           | vlan | as_src | as_dst | ip_src      | ip_dst        | port_src | port_dst | tcp_flags | ip_proto | tos | packets | bytes | flows | stamp_inserted      | stamp_updated       |
> +-----+-------+----------+----------+-----+----------+-------------------+-------------------+------+--------+--------+-------------+---------------+----------+----------+-----------+----------+-----+---------+-------+-------+---------------------+---------------------+
> |   0 | 800   |        0 |        0 |   0 | unknown  | 00:26:55:55:e0:06 | 80:71:1f:4c:be:01 |  100 |      0 |      0 | 10.100.1.2  | 140.96.27.220 |       53 |    34504 |         0 | udp      |   0 |       1 |   428 |     0 | 2014-09-09 19:39:00 | 2014-09-09 19:40:01 |
> |   0 | 800   |        0 |        0 |   0 | unknown  | 00:26:55:55:82:84 | 02:a0:98:28:51:d9 |   98 |      0 |      0 | 10.98.1.32  | 10.98.1.22    |      678 |     2049 |        16 | tcp      |   0 |       1 |  1522 |     0 | 2014-09-09 19:39:00 | 2014-09-09 19:40:01 |
> |   0 | 800   |        0 |        0 |   0 | unknown  | 00:e0:81:ce:9b:10 | 80:71:1f:4c:be:01 |  236 |      0 |      0 | 10.236.39.1 | 140.96.27.144 |       22 |    52098 |        16 | tcp      |  16 |       3 |  4566 |     0 | 2014-09-09 19:39:00 | 2014-09-09 19:40:01 |
> +-----+-------+----------+----------+-----+----------+-------------------+-------------------+------+--------+--------+-------------+---------------+----------+----------+-----------+----------+-----+---------+-------+-------+---------------------+---------------------+
> 3 rows in set (0.00 sec)
> 
> 
>   Flows are written into mysql every 1 second.  (It’s nice to have such a 
> timestamp for each flow.)
>   And is there any more precise primitive or mechanism to use, for example, 
> some timing information in the packet header in millisecond precision?
> 
>   Thanks in advance.  And good day :)
> 
> TC Wu
> 
> 
> 
> 
> ====================================================================
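> This email may contain confidential ITRI information. If you are not the 
> intended recipient, do not use or disclose its contents, and destroy it.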
> This email may contain confidential information. Please do not use or 
> disclose it in any way and delete it if you are not the intended recipient.

> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
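
Added example (not part of the original thread and not pmacct code): one way to turn timestamp_start plus timestamp_start_residual into a single sub-second timestamp and order the three rows from the reply above, all of which fall into the same sql_history bucket. It assumes the residual column holds the sub-second part in microseconds; the names precise_ts and timeline are hypothetical.

```python
from datetime import datetime, timedelta

ZERO_DATE = "0000-00-00 00:00:00"  # MySQL zero date: column not populated

# Columns taken from the three acct_v9 rows shown in this thread, listed out
# of order on purpose: (stamp_inserted, timestamp_start,
# timestamp_start_residual, timestamp_end, timestamp_end_residual,
# ip_src, ip_dst, ip_proto)
ROWS = [
    ("2014-09-10 11:24:00", "2014-09-10 11:24:01", 764713, ZERO_DATE, 0,
     "10.214.0.21", "10.11.4.1", "udp"),
    ("2014-09-10 11:24:00", "2014-09-10 11:24:01", 764676, ZERO_DATE, 0,
     "10.213.58.1", "10.209.9.4", "tcp"),
    ("2014-09-10 11:24:00", "2014-09-10 11:24:01", 764705, ZERO_DATE, 0,
     "10.213.3.5", "10.213.0.254", "icmp"),
]

def precise_ts(secs, residual):
    """Merge a seconds column with its *_residual column.

    Assumes the residual is the sub-second part in microseconds. Returns
    None for the MySQL zero date, which Python's datetime cannot represent.
    """
    if secs == ZERO_DATE:
        return None
    residual = int(residual)
    if not 0 <= residual < 1_000_000:
        raise ValueError(f"residual out of range: {residual}")
    base = datetime.strptime(secs, "%Y-%m-%d %H:%M:%S")
    return base + timedelta(microseconds=residual)

def timeline(rows):
    """Order samples by precise start; add the gap to the previous sample."""
    events = []
    for bucket, ts, ts_res, te, te_res, src, dst, proto in rows:
        start = precise_ts(ts, ts_res)
        if start is None:  # no per-sample timestamp recorded
            continue
        events.append({"start": start, "end": precise_ts(te, te_res),
                       "bucket": bucket, "flow": f"{src} -> {dst} ({proto})"})
    events.sort(key=lambda e: e["start"])
    prev = None
    for e in events:
        e["gap_us"] = (None if prev is None
                       else (e["start"] - prev) // timedelta(microseconds=1))
        prev = e["start"]
    return events

if __name__ == "__main__":
    for e in timeline(ROWS):
        print(e["bucket"], e["start"].isoformat(sep=" "), e["gap_us"], e["flow"])
```

With only stamp_inserted the three samples are indistinguishable in time; the merged value orders them and gives the spacing between them.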

