[flow-tools] Start time and end time of the processed raw data
Mark Fullmer
maf@eng.oar.net
Thu, 25 Apr 2002 02:01:06 -0400
The problem is that some of the information flow-capture emits in the header
cannot be known until after processing the entire stream. For example,
the number of flows may change after filtering. When the output is
a pipe there's no way to rewind and fix the header.
flow-cat has a -p flag which will preload all the headers and compute
start/end, nflows, etc. I guess flow-filter and friends could at least
preserve the time...
It's not that difficult to fix. All that needs to be done is something
like:
time_start = ftio_get_cap_start(&ftio_in);
time_end = ftio_get_cap_end(&ftio_in);
ftio_set_cap_time(&ftio_out, time_start, time_end);
This will be the header time, not the time of the first non-filtered
flow though.
mark
On Mon, Apr 22, 2002 at 01:20:25PM -0700, Annie Tong wrote:
> Thanks Mark! You mentioned that the headers info will be gone if the
> flows have been processed, is there any way that I can preserve the
> header info in the processed flow? I passed the -p flag to flow-stat to
> generate report on data that has been processed by flow-filter, it
> prints "note, incomplete flow file" in the report. From ftio.c, it
> seems the flag FT_HEADER_FLAG_PRELOADED is reset to 0 after the data has
> been processed, how can I set the flag back to 1?
>
> Thank you.
>
> Regards,
>
> Annie Tong
> MAE Engineering
> MCI WorldCom
>
>
>
> Mark Fullmer wrote:
>
> >Passing the -p flag to flow-stat will print additional header information, i.e.
> >
> ># mode: normal
> ># capture hostname: XXXX
> ># exporter IP address: X.X.X.X
> ># capture start: Sat Apr 20 12:45:00 2002
> ># capture end: Sat Apr 20 12:50:00 2002
> ># capture period: 300 seconds
> ># compress: on
> ># byte order: little
> ># stream version: 3
> ># export version: 5
> ># lost flows: 0
> ># corrupt packets: 0
> ># sequencer resets: 0
> ># capture flows: 123244
> >
> >Unfortunately if the flows have been processed the headers from flow-capture are
> >usually gone, in which case you would need to compute them on the fly.
> >
> >See ftio_header_print() in ftio.c and flow-print.c for more details.
> >
> >mark
> >
> >On Fri, Apr 19, 2002 at 01:47:52PM -0700, Annie Tong wrote:
> >
> >>Hi Mark,
> >>
> >>I'm trying to add the duration of the processed raw data in the header
> >>of the report that is generated by flow-stat in the following format,
> >>
> >>"Processed <number of flows> flows between <Day> <Month> <Date> <Year>
> >><Time> and <Day> <Month> <Date> <Year> <Time>"
> >>
> >>e.g.
> >>"Processed 20000 flows between Fri Apr 12 2002 00:00:00 and Fri Apr 12
> >>2002 09:59:59"
> >>
> >>I'm looking at your code flow-stat.c and found 2 variables,
> >>fs0.time_start and fs0.time_end, which store the start_time and the
> >>end_time of the processed raw data, and they're unsigned integers.
> >>Can I use the function localtime() to convert them to the format I
> >>want? Also where did you get the start_time and end_time of the
> >>processed data? Are they stored in the packet as $startime and $endtime
> >>(found the reference from Cflow.pm)?
> >>
> >>Thank you!
> >>
> >>Regards,
> >>
> >>Annie Tong
> >>MAE Engineering
> >>MCI WorldCom
> >>
> >>
> >>_______________________________________________
> >>flow-tools@splintered.net
> >>http://www.splintered.net/sw/flow-tools
> >>
> >
> >
>
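Added example, not part of this thread or of flow-tools itself: a small C program that models the situation Mark and Annie are discussing. It carries the input header's capture window across to the output header before any flow is written (the equivalent of the ftio_get_cap_start/ftio_get_cap_end/ftio_set_cap_time sequence above, since a pipe cannot be rewound to patch the header later), counts the flows that survive a filter, and prints the "Processed N flows between ... and ..." line Annie asked about, both from the preserved header window and from the first/last non-filtered flow, which is the distinction Mark points out. The header and flow structs, the port-80 filter, the sample flows and the use of gmtime_r (localtime_r would give local time in the same layout) are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <assert.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified stand-in for the flow-tools stream header (assumption: this is
 * not flow-tools' own header structure, just the fields the thread discusses). */
struct hdr {
    uint32_t cap_start;  /* capture start, seconds since the epoch */
    uint32_t cap_end;    /* capture end */
    uint32_t flows;      /* flow count; 0 means not known yet */
    int preloaded;       /* 1 when start/end/flows are trustworthy */
};

/* Minimal flow record (assumption: only the fields this example needs). */
struct flow {
    uint32_t unix_secs;  /* time the flow was exported */
    uint16_t dstport;
};

#define MAX_FLOWS 16

/* Constructed sample input: a capture window of Fri Apr 12 2002 00:00:00 to
 * 09:59:59 UTC and five flows inside it. */
static const struct hdr sample_hdr = { 1018569600u, 1018605599u, 5, 1 };
static const struct flow sample_flows[5] = {
    { 1018569605u, 22 },
    { 1018570000u, 80 },
    { 1018580000u, 53 },
    { 1018590000u, 80 },
    { 1018600000u, 80 },
};

/* Filter criterion for the example: keep flows to dstport 80. */
static int keep(const struct flow *f) { return f->dstport == 80; }

/* Copy the capture window from the input header to the output header before
 * any flow is emitted. The flow count is unknown at this point, so it and the
 * preloaded flag are cleared rather than carrying over a value that may be wrong. */
static void propagate_header_time(const struct hdr *in, struct hdr *out)
{
    out->cap_start = in->cap_start;
    out->cap_end   = in->cap_end;
    out->flows     = 0;
    out->preloaded = 0;
}

/* Filter the stream, counting flows that pass and recording the time of the
 * first and last flow actually written. Returns the number written. */
static size_t filter_stream(const struct hdr *hin, const struct flow *in, size_t n,
                            struct hdr *hout, struct flow *out,
                            uint32_t *first, uint32_t *last)
{
    size_t kept = 0;
    propagate_header_time(hin, hout);
    *first = *last = 0;
    for (size_t i = 0; i < n; i++) {
        if (!keep(&in[i]))
            continue;
        if (kept == 0)
            *first = in[i].unix_secs;
        *last = in[i].unix_secs;
        out[kept++] = in[i];
    }
    /* Only now is the count known. A seekable file could have its header
     * patched here; a pipe cannot, which is the limitation in the thread. */
    hout->flows = (uint32_t)kept;
    return kept;
}

/* Format "Processed N flows between <Day> <Month> <Date> <Year> <Time> and ...".
 * gmtime_r keeps the result independent of the local time zone. */
static int format_summary(char *buf, size_t len, uint32_t nflows, uint32_t t0, uint32_t t1)
{
    char a[32], b[32];
    time_t ts0 = (time_t)t0, ts1 = (time_t)t1;
    struct tm tm0, tm1;
    if (!gmtime_r(&ts0, &tm0) || !gmtime_r(&ts1, &tm1))
        return -1;
    strftime(a, sizeof a, "%a %b %d %Y %H:%M:%S", &tm0);
    strftime(b, sizeof b, "%a %b %d %Y %H:%M:%S", &tm1);
    return snprintf(buf, len, "Processed %" PRIu32 " flows between %s and %s", nflows, a, b);
}

/* Run the filter over the constructed sample. */
static size_t run_sample(struct hdr *hout, uint32_t *first, uint32_t *last)
{
    struct flow out[MAX_FLOWS];
    return filter_stream(&sample_hdr, sample_flows, 5, hout, out, first, last);
}

/* Summary built from the preserved header window (what the header fix keeps). */
static const char *example_summary(void)
{
    static char line[128];
    struct hdr hout; uint32_t first, last;
    run_sample(&hout, &first, &last);
    format_summary(line, sizeof line, hout.flows, hout.cap_start, hout.cap_end);
    return line;
}

/* Summary built from the first and last non-filtered flow instead. */
static const char *example_filtered_summary(void)
{
    static char line[128];
    struct hdr hout; uint32_t first, last;
    size_t kept = run_sample(&hout, &first, &last);
    format_summary(line, sizeof line, (uint32_t)kept, first, last);
    return line;
}

int main(void)
{
    puts(example_summary());
    puts(example_filtered_summary());
    return 0;
}
```

Both lines report three flows, but the first covers the full 10-hour capture window from the header while the second spans only 00:06:40 to 08:26:40, the times of the first and last flow that passed the filter; a report should say which of the two it is printing.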