[flow-tools] Start time and end time of the processed raw data
Annie Tong
annie.tong@wcom.com
Mon, 22 Apr 2002 13:20:25 -0700
Thanks Mark! You mentioned that the header info will be gone if the
flows have been processed. Is there any way that I can preserve the
header info in the processed flow? I passed the -p flag to flow-stat to
generate a report on data that has been processed by flow-filter, and it
prints "note, incomplete flow file" in the report. From ftio.c, it
seems the flag FT_HEADER_FLAG_PRELOADED is reset to 0 after the data has
been processed. How can I set the flag back to 1?
Thank you.
Regards,
Annie Tong
MAE Engineering
MCI WorldCom
Mark Fullmer wrote:
>Passing the -p flag to flow-stat will print additional header information, i.e.
>
># mode: normal
># capture hostname: XXXX
># exporter IP address: X.X.X.X
># capture start: Sat Apr 20 12:45:00 2002
># capture end: Sat Apr 20 12:50:00 2002
># capture period: 300 seconds
># compress: on
># byte order: little
># stream version: 3
># export version: 5
># lost flows: 0
># corrupt packets: 0
># sequencer resets: 0
># capture flows: 123244
>
>Unfortunately if the flows have been processed the headers from flow-capture are
>usually gone, in which case you would need to compute them on the fly.
>
>See ftio_header_print() in ftio.c and flow-print.c for more details.
>
>mark
>
>On Fri, Apr 19, 2002 at 01:47:52PM -0700, Annie Tong wrote:
>
>>Hi Mark,
>>
>>I'm trying to add the duration of the processed raw data in the header
>>of the report that is generated by flow-stat in the following format,
>>
>>"Processed <number of flows> flows between <Day> <Month> <Date> <Year>
>><Time> and <Day> <Month> <Date> <Year> <Time>"
>>
>>e.g.
>>"Processed 20000 flows between Fri Apr 12 2002 00:00:00 and Fri Apr 12
>>2002 09:59:59"
>>
>>I'm looking at your code flow-stat.c and found 2 variables,
>>fs0.time_start and fs0.time_end, which store the start_time and the
>>end_time of the processed raw data, and they're unsigned integers.
>>Can I use the function localtime() to convert them in the format I
>>want? Also where did you get the start_time and end_time of the
>>processed data? Are they stored in the packet as $startime and $endtime
>>(found the reference from Cflow.pm)?
>>
>>Thank you!
>>
>>Regards,
>>
>>Annie Tong
>>MAE Engineering
>>MCI WorldCom
>>
>>
>>_______________________________________________
>>flow-tools@splintered.net
>>http://www.splintered.net/sw/flow-tools
>>
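Added example, not part of the original messages and not flow-tools code: one way to compute the capture start and end "on the fly" from the flow records themselves and print them in the requested report format. The names struct flow_rec, flow_epoch() and summarize() are hypothetical; the fields are assumed to carry the NetFlow v5 timing values (export wall clock, exporter uptime, first/last packet uptime), and gmtime() is used so the output is repeatable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical record holding only the NetFlow v5 timing fields. */
struct flow_rec {
    uint32_t unix_secs;   /* exporter wall clock at export (epoch seconds) */
    uint32_t sys_uptime;  /* exporter uptime at export, in ms */
    uint32_t first, last; /* uptime (ms) at first and last packet of the flow */
};

/* Constructed sample records; the last one straddles a 32-bit uptime wrap. */
static const struct flow_rec sample[] = {
    {1018569660u, 600000u, 540000u, 590000u},
    {1018605600u, 36540000u, 36510000u, 36539000u},
    {1018580000u, 5000u, 4294962296u, 2000u},
};

/* Map an uptime stamp to epoch seconds (whole seconds, wrap-safe). */
static time_t flow_epoch(const struct flow_rec *r, uint32_t uptime_ms)
{
    int32_t delta_ms = (int32_t)(uptime_ms - r->sys_uptime);
    return (time_t)((int64_t)r->unix_secs + delta_ms / 1000);
}

/* Writes the report line to out; returns 0, or -1 on no data/short buffer. */
int summarize(const struct flow_rec *recs, size_t n, char *out, size_t outlen)
{
    const char *fmt = "%a %b %d %Y %H:%M:%S";
    char sa[64], sb[64];
    struct tm a, b;
    if (n == 0) return -1;
    time_t start = flow_epoch(&recs[0], recs[0].first);
    time_t end = flow_epoch(&recs[0], recs[0].last);
    for (size_t i = 1; i < n; i++) {
        time_t s = flow_epoch(&recs[i], recs[i].first);
        time_t e = flow_epoch(&recs[i], recs[i].last);
        if (s < start) start = s;   /* earliest first-packet time */
        if (e > end) end = e;       /* latest last-packet time */
    }
    a = *gmtime(&start);  /* copy: gmtime() reuses one static struct tm */
    b = *gmtime(&end);    /* use localtime() here for local-time output */
    strftime(sa, sizeof sa, fmt, &a);
    strftime(sb, sizeof sb, fmt, &b);
    int w = snprintf(out, outlen, "Processed %zu flows between %s and %s", n, sa, sb);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void) { char l[160]; if (!summarize(sample, 3, l, sizeof l)) puts(l); return 0; }
```

Because the start and end are taken from the records that survive filtering, the line describes the processed data rather than the original capture window.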