[netsa-tools-discuss] Flows per second in SiLK

Mark Thomas mthomas at cert.org
Mon Aug 10 13:26:37 EDT 2015


There are two answers to the question regarding the number of flow
records being received by SiLK.

1. If you are talking about how many flow records are being received
and processed by the rwflowpack or flowcap tools, the answer is
currently No, there is nothing that directly reports the number of
flow records received per second.

Every so often (described below), the rwflowpack and flowcap tools
report to the log file the number of flow records processed, for
example

  Mar 16 16:21:48 host flowcap[99294]: 'S9': forward 14, reverse 0, ignored 0, nf9: missing-pkts 0

If you divide the number that appears after "forward" with the time
period, you can get an average flow rate for the time period.

The time period is determined by the --timeout switch in flowcap and
the --flush-timeout switch in rwflowpack.  The daemons do a lot of
work when the timeout occurs, so I would suggest you not make
timeout smaller than 15 seconds.


2. Since the flow record is sent when the flow ends, you could get
an estimate of the number of flow records received per second by
using the rwcount tool.  Set the --bin-size to 1 and choose the
end-spike --load-scheme.

  $ rwcount --bin-size=1 --load-scheme=end --start-time=2009/02/13
                 Date|  Records|   Bytes|  Packets|
  2009/02/12T00:00:02|     2.00|  259.00|     2.00|
  2009/02/12T00:00:03|     1.00|  504.00|     9.00|
  2009/02/12T00:00:04|     0.00|    0.00|     0.00|
  2009/02/12T00:00:05|     0.00|    0.00|     0.00|

I hope that helps,

-Mark


-----Original Message-----
From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Date: Mon, 10 Aug 2015 15:22:10 +0400
To: <netsa-tools-discuss at cert.org>, 'Ron Bandes' <rbandes at cert.org>,
	<netsa-help at cert.org>
Cc: 'Majid Qureshi' <mmajid at ies.etisalat.ae>
Subject: [netsa-tools-discuss] Flows per second in SiLK

Hi,

 

I was wondering if there's a way to get the number of flows per
second being received at SiLK

We have version 3.8.0

Thanks in advance

 



 


More information about the netsa-tools-discuss mailing list