[flow-tools] Start time and end time of the processed raw data
Annie Tong
annie.tong@wcom.com
Thu, 25 Apr 2002 11:44:31 -0700
Thanks Mark! Do I have to call ftio_write_header() to write the time
info to the stream header?
Regards,
Annie Tong
MAE Engineering
MCI WorldCom
Mark Fullmer wrote:
>The problem is some of the information flow-capture emits in the header can
>not be known until after processing the entire stream. For example
>the number of flows may change after filtering. When the output is
>pipe there's no way to rewind and fix the header.
>
>flow-cat has a -p flag which will preload all the headers and compute
>start/end, nflows, etc. I guess flow-filter and friends could at least
>preserve the time...
>
>It's not that difficult to fix. All that needs to be done is something
>like:
>
>time_start = ftio_get_cap_start(&ftio_in);
>time_end = ftio_get_cap_end(&ftio_in);
>ftio_set_cap_time(&ftio_out, time_start, time_end);
>
>This will be the header time, not the time of the first non filtered
>flow though.
>
>mark
>
>On Mon, Apr 22, 2002 at 01:20:25PM -0700, Annie Tong wrote:
>
>>Thanks Mark! You mentioned that the headers info will be gone if the
>>flows have been processed, is there any way that I can preserve the
>>header info in the processed flow? I passed the -p flag to flow-stat to
>>generate report on data that has been processed by flow-filter, it
>>prints "note, incomplete flow file" in the report. From ftio.c, it
>>seems the flag FT_HEADER_FLAG_PRELOADED is reset to 0 after the data has
>>been processed, how can I set the flag back to 1?
>>
>>Thank you.
>>
>>Regards,
>>
>>Annie Tong
>>MAE Engineering
>>MCI WorldCom
>>
>>
>>
>>Mark Fullmer wrote:
>>
>>>Passing the -p flag to flow-stat will print additional header information, ie
>>>
>>># mode: normal
>>># capture hostname: XXXX
>>># exporter IP address: X.X.X.X
>>># capture start: Sat Apr 20 12:45:00 2002
>>># capture end: Sat Apr 20 12:50:00 2002
>>># capture period: 300 seconds
>>># compress: on
>>># byte order: little
>>># stream version: 3
>>># export version: 5
>>># lost flows: 0
>>># corrupt packets: 0
>>># sequencer resets: 0
>>># capture flows: 123244
>>>
>>>Unfortunately if the flows have been processed the headers from flow-capture are
>>>usually gone, in which case you would need to compute them on the fly.
>>>
>>>See ftio_header_print() in ftio.c and flow-print.c for more details.
>>>
>>>mark
>>>
>>>On Fri, Apr 19, 2002 at 01:47:52PM -0700, Annie Tong wrote:
>>>
>>>>Hi Mark,
>>>>
>>>>I'm trying to add the duration of the processed raw data in the header
>>>>of the report that is generated by flow-stat in the following format,
>>>>
>>>>"Processed <number of flows> flows between <Day> <Month> <Date> <Year>
>>>><Time> and <Day> <Month> <Date> <Year> <Time>"
>>>>
>>>>e.g.
>>>>"Processed 20000 flows between Fri Apr 12 2002 00:00:00 and Fri Apr 12
>>>>2002 09:59:59"
>>>>
>>>>I'm looking at your code flow-stat.c and found 2 variables,
>>>>fs0.time_start and fs0.time_end, which store the start_time and the
>>>>end_time of the processed raw data, and they're unsigned integers.
>>>>Can I use the function localtime() to convert them to the format I
>>>>want? Also where did you get the start_time and end_time of the
>>>>processed data? Are they stored in the packet as $startime and $endtime
>>>>(found the reference from Cflow.pm)?
>>>>
>>>>Thank you!
>>>>
>>>>Regards,
>>>>
>>>>Annie Tong
>>>>MAE Engineering
>>>>MCI WorldCom
>>>>
>>>>
>>>>_______________________________________________
>>>>flow-tools@splintered.net
>>>>http://www.splintered.net/sw/flow-tools
>>>>
>
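As an added example that is not part of this thread or of flow-tools itself: when the flow-capture headers are gone after filtering, the start/end pair has to be computed on the fly from the flows, and the result can then be rendered in the "Processed N flows between ... and ..." format discussed above with strftime(). The record layout, the fs0-style summary struct and the two sample flows are constructed here; the real flow-tools API is not used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed record holding only the NetFlow v5 time fields used here (not
 * flow-tools' own fts3rec_v5): export time of the packet (epoch seconds),
 * router uptime at export, and uptime at flow start / end (milliseconds). */
struct flow_rec { uint32_t unix_secs, sysUpTime, First, Last; };
/* Running totals like the fs0.time_start / fs0.time_end pair in the thread;
 * time_start begins at UINT32_MAX, meaning "no flow seen yet". */
struct flow_summary { uint64_t nflows; uint32_t time_start, time_end; };
/* Standard NetFlow v5 relation: epoch time of an event = export time minus
 * the uptime that elapsed between that event and the export. */
static uint32_t abs_time(const struct flow_rec *r, uint32_t uptime_ms)
{
    return r->unix_secs - (r->sysUpTime - uptime_ms) / 1000;
}
/* Fold one post-filter flow into the running count and time span. */
void summary_add(struct flow_summary *s, const struct flow_rec *r)
{
    uint32_t st = abs_time(r, r->First), en = abs_time(r, r->Last);
    s->nflows++;
    if (st < s->time_start) s->time_start = st;
    if (en > s->time_end)   s->time_end = en;
}
/* "Processed N flows between <Day> <Month> <Date> <Year> <Time> and ...";
 * gmtime() keeps the output reproducible, localtime() would give local zone. */
void summary_format(const struct flow_summary *s, char *out, size_t len)
{
    char when[2][32];
    time_t t[2] = { s->time_start, s->time_end };
    if (s->nflows == 0) { snprintf(out, len, "Processed 0 flows"); return; }
    for (int i = 0; i < 2; i++)
        strftime(when[i], 32, "%a %b %d %Y %H:%M:%S", gmtime(&t[i]));
    snprintf(out, len, "Processed %llu flows between %s and %s",
             (unsigned long long)s->nflows, when[0], when[1]);
}
/* Constructed sample: two flows exported on Fri Apr 12 2002 (UTC). */
const char *sample_report(void)
{
    static const struct flow_rec sample[] = {
        { 1018569700u,   500000u,   400000u,   450000u },   /* 00:00:00 - 00:00:50 */
        { 1018605599u, 36000000u, 35000000u, 36000000u } }; /* 09:43:19 - 09:59:59 */
    static char report[128];
    struct flow_summary s = { 0, UINT32_MAX, 0 };
    for (size_t i = 0; i < 2; i++) summary_add(&s, &sample[i]);
    summary_format(&s, report, sizeof report);
    return report;
}
```

Note that this span is the earliest flow start and latest flow end actually seen, which is what Mark contrasts with the header time copied over by ftio_set_cap_time().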