[flow-tools] problems with expire
Mark Fullmer
maf@eng.oar.net
Sun, 15 Dec 2002 12:04:02 -0500
The default behavior of flow-capture is to compress the flow files. On
the other hand flow-tag and the other programs that are used in a pipeline
have compression off by default. Flow-capture is remembering the
compressed file size, flow-tag is inflating them.
Use -z0 with flow-capture, or use the inline tagging feature and what
you're doing should work. The only downside of inline tagging right
now is that flow-capture needs to be restarted to read new tags. This
will probably be fixed in 0.64.
mark
On Sun, Dec 15, 2002 at 03:39:59PM +0100, Michael Redinger wrote:
>
> I found that flow-capture correctly cleans up its directory on startup.
> But then it somehow stops.
>
> Below you find how I run flow-capture. Maybe there's a problem with the
> rotate script and flow-capture doesn't like it that I tag the flow files
> in the directory they were created in?
>
>
> /usr/local/bin/flow-capture -S 5 -V 5 -E 8G -N 0 -n 95 -p \
> /var/run/flow-capture.pid -w /var/local/netflow/flow-capture/ \
> -R /usr/local/sbin/capture-post 127.0.0.1/127.0.0.1/9801
>
>
> rotate script:
> /usr/local/bin/flow-tag -t /usr/local/netflow/var/cfg/xlates -TUIBK \
> < $1 > ${1}.tmp && mv ${1}.tmp ${1}
> /usr/local/bin/flow-report -s /usr/local/netflow/var/cfg/reports -Sall < $1
>
>
>
> Michael
>
>
>
> On Wed, 11 Dec 2002, Michael Redinger wrote:
>
> > On Sun, 8 Dec 2002, Mark Fullmer wrote:
> >
> > > Flow-capture needs to "own" its work directory. Running flow-expire
> > > in the same dir will cause the type of problem you ran into.
> > >
> > > I'm not aware of any problems with flow-capture expiring files.
> > >
> > > What does du -s -k /var/local/netflow/flow-capture show?
> >
> > Currently it's 10794608 (so approx. 10G). (One flow file is about 20 MB
> > here).
> >
> > Michael
> >
> > > On Sat, Dec 07, 2002 at 07:05:16PM +0100, Michael Redinger wrote:
> > > >
> > > > Hello,
> > > >
> > > > is there a bug in flow-capture that prevents it from expiring old flow
> > > > files? This doesn't work for me.
> > > >
> > > > I also tried to run flow-expire directly, but that's even worse: it
> > > > deletes the temporary flow file (tmp-...). This even kills flow-capture then.
> > > >
> > > > Here's how I run the two programs:
> > > >
> > > > /usr/local/bin/flow-capture -S 5 -V 5 -E 8G -N 0 -n 95 -p \
> > > > /var/run/flow-capture.pid -w /var/local/netflow/flow-capture/ \
> > > > -R /usr/local/sbin/capture-post 127.0.0.1/127.0.0.1/9801
> > > >
> > > > /usr/local/bin/flow-expire -E 8G -w /var/local/netflow/flow-capture/
> > > >
> > > >
> > > > Thanks,
> > > >
> > > > Michael
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > flow-tools@splintered.net
> > > > http://www.splintered.net/sw/flow-tools
> > >
> > >
> > >
> >
> >
> >
> >
> >
>
>
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools
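
The size mismatch described in the reply above, as an added example that is not part of the original thread and is not flow-tools code. It is a simplified model that assumes the collector records each file's size once at rotation and expires oldest-first against that recorded total, that "8G" means 8 GiB, and that tagging inflates files by a made-up 130%.

```python
from collections import deque

GIB = 1024 ** 3
MIB = 1024 ** 2


def simulate(cap_bytes, file_bytes, inflate_pct, rotations):
    """Return (accounted_bytes, on_disk_bytes) after `rotations` rotations.

    Model (assumption, not flow-capture's real code): the collector remembers
    file_bytes for every rotated file and deletes the oldest files while the
    remembered total exceeds cap_bytes. The rotate hook then rewrites each
    file at inflate_pct percent of its size without the collector noticing.
    """
    files = deque()  # (remembered_size, actual_size), oldest first
    accounted = on_disk = 0
    for _ in range(rotations):
        actual = file_bytes * inflate_pct // 100  # size after the rotate hook
        files.append((file_bytes, actual))
        accounted += file_bytes
        on_disk += actual
        # Expiry only ever looks at the remembered sizes.
        while accounted > cap_bytes:
            remembered, real = files.popleft()
            accounted -= remembered
            on_disk -= real
    return accounted, on_disk


def implied_ratio(du_kbytes, cap_bytes):
    """Inflation factor implied by a `du -s -k` reading versus the cap."""
    return du_kbytes * 1024 / cap_bytes


if __name__ == "__main__":
    cap, size = 8 * GIB, 20 * MIB  # -E 8G and ~20 MB files, from the thread
    for pct in (100, 130):         # 100 = sizes match, 130 = constructed
        acc, disk = simulate(cap, size, pct, rotations=1000)
        print(f"inflate={pct}%  accounted={acc / GIB:.2f} GiB  "
              f"on disk={disk / GIB:.2f} GiB")
    # du -s -k value quoted in the thread
    print(f"implied ratio: {implied_ratio(10794608, cap):.2f}")
```

In this model the directory settles at roughly the cap multiplied by the inflation factor, which is why expiry appears not to work even though the remembered total never exceeds the limit.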