[netsa-tools-discuss] Flows per second in SiLK

Hosam Hittini hosam.hittini at ies.etisalat.ae
Tue Aug 11 01:14:28 EDT 2015


Dear Mark,

I believe the first answer better suits what I'm looking for.
When I tried this command:

  rwflowpack --sensor-configuration=/usr/local/etc/silk/sensor.conf --sensor-name=S1 --log-directory=`pwd` --root-directory=/silk_data_repository

I got the following errors:

  's1_probe': couldn't create socket listening to *:9996: Address already in use

Is it possible to get a log without interrupting the operation?
Thanks in advance.

Regards,
Hosam Hittini
System Security, Security Operations Center
E: 84/5733
M: +971 555 655 878

-----Original Message-----
From: Mark Thomas [mailto:mthomas at cert.org] 
Sent: Monday, August 10, 2015 9:27 PM
To: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Cc: netsa-tools-discuss at cert.org; 'Ron Bandes' <rbandes at cert.org>;
netsa-help at cert.org; 'Majid Qureshi' <mmajid at ies.etisalat.ae>
Subject: Re: [netsa-tools-discuss] Flows per second in SiLK

There are two answers to the question regarding the number of flow records
being received by SiLK.

1. If you are talking about how many flow records are being received and
processed by the rwflowpack or flowcap tools, the answer is currently No,
there is nothing that directly reports the number of flow records received
per second.

Every so often (described below), the rwflowpack and flowcap tools report to
the log file the number of flow records processed, for example

  Mar 16 16:21:48 host flowcap[99294]: 'S9': forward 14, reverse 0, ignored 0, nf9: missing-pkts 0

If you divide the number that appears after "forward" with the time period,
you can get an average flow rate for the time period.

The time period is determined by the --timeout switch in flowcap and the
--flush-timeout switch in rwflowpack.  The daemons do a lot of work when the
timeout occurs, so I would suggest you not make timeout smaller than 15
seconds.


2. Since the flow record is sent when the flow ends, you could get an
estimate of the number of flow records received per second by using the
rwcount tool.  Set the --bin-size to 1 and choose the end-spike
--load-scheme.

  $ rwcount --bin-size=1 --load-scheme=end --start-time=2009/02/13
                 Date|  Records|   Bytes|  Packets|
  2009/02/12T00:00:02|     2.00|  259.00|     2.00|
  2009/02/12T00:00:03|     1.00|  504.00|     9.00|
  2009/02/12T00:00:04|     0.00|    0.00|     0.00|
  2009/02/12T00:00:05|     0.00|    0.00|     0.00|

I hope that helps,

-Mark
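Answer 1 above boils down to reading consecutive flowcap/rwflowpack log lines and dividing each "forward" count by the seconds elapsed since the previous report for the same probe. The following script is an added example, not code from the thread or from the SiLK project; the log lines are constructed (a 15-second --timeout, two probes, one unrelated line), and the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Matches the periodic line flowcap/rwflowpack write at each timeout, e.g.
#   Mar 16 16:21:48 host flowcap[99294]: 'S9': forward 14, reverse 0, ignored 0, nf9: missing-pkts 0
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?:flowcap|rwflowpack)\[\d+\]: '(?P<probe>[^']+)': "
    r"forward (?P<fwd>\d+), reverse (?P<rev>\d+), ignored (?P<ign>\d+)"
)

def parse_line(line, year):
    """Return (probe, timestamp, forward_count) or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["probe"], ts, int(m["fwd"])

def flow_rates(lines, year=2015):
    """Return {probe: [(timestamp, flows_per_second), ...]}.

    Each report covers the flows received since that probe's previous report,
    so the average rate for the interval is forward / elapsed seconds.
    """
    last = {}    # probe -> timestamp of its previous report
    rates = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        probe, ts, fwd = parsed
        if probe in last:
            elapsed = (ts - last[probe]).total_seconds()
            if elapsed > 0:
                rates.setdefault(probe, []).append((ts, fwd / elapsed))
        last[probe] = ts
    return rates

# Constructed sample log (assumed --timeout=15); the last line is not a report.
SAMPLE_LOG = """\
Mar 16 16:21:48 host flowcap[99294]: 'S9': forward 14, reverse 0, ignored 0, nf9: missing-pkts 0
Mar 16 16:22:03 host flowcap[99294]: 'S9': forward 45, reverse 0, ignored 0, nf9: missing-pkts 0
Mar 16 16:22:05 host flowcap[99294]: 'S10': forward 600, reverse 0, ignored 0, nf9: missing-pkts 0
Mar 16 16:22:18 host flowcap[99294]: 'S9': forward 30, reverse 1, ignored 0, nf9: missing-pkts 0
Mar 16 16:22:20 host flowcap[99294]: 'S10': forward 900, reverse 0, ignored 0, nf9: missing-pkts 0
Mar 16 16:22:21 host flowcap[99294]: 'S10': started processing
"""

if __name__ == "__main__":
    for probe, series in flow_rates(SAMPLE_LOG.splitlines()).items():
        for ts, rate in series:
            print(f"{probe} {ts:%H:%M:%S} {rate:.2f} flows/s")
```

The first report for each probe yields no rate because there is no earlier timestamp to measure against, which is why the sample produces two values for S9 and one for S10.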


-----Original Message-----
From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Date: Mon, 10 Aug 2015 15:22:10 +0400
To: <netsa-tools-discuss at cert.org>, 'Ron Bandes' <rbandes at cert.org>,
	<netsa-help at cert.org>
Cc: 'Majid Qureshi' <mmajid at ies.etisalat.ae>
Subject: [netsa-tools-discuss] Flows per second in SiLK

Hi,


I was wondering if there's a way to get the number of flows per second being
received at SiLK.

We have version 3.8.0.

Thanks in advance.
