[netsa-tools-discuss] Flows per second in SiLK

Mark Thomas mthomas at cert.org
Tue Aug 11 12:13:56 EDT 2015

You need to restart rwflowpack to change its settings.

However, your current rwflowpack invocation should be writing its
log messages somewhere.  If it is not writing to a file, the messages
should be going into syslog (e.g., /var/log/messages on RedHat


-----Original Message-----
From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Date: Tue, 11 Aug 2015 09:14:28 +0400
To: 'Mark Thomas' <mthomas at cert.org>
Cc: <netsa-tools-discuss at cert.org>, <netsa-help at cert.org>, 'Majid Qureshi'
	<mmajid at ies.etisalat.ae>
Subject: RE: [netsa-tools-discuss] Flows per second in SiLK

Dear Mark,

I believe the first answer better suits what I'm looking for.
When I tried this command:

  rwflowpack --sensor-configuration=/usr/local/etc/silk/sensor.conf --sensor-name=S1 --log-directory=`pwd` --root-directory=/silk_data_repository

I got the following errors:

  's1_probe': couldn't create socket listening to *:9996: Address already in

Is it possible to get a log without interrupting the operation?
Thanks in advance

Hosam Hittini
System Security, Security Operations Center
E: 84/5733
M: +971 555 655 878

-----Original Message-----
From: Mark Thomas [mailto:mthomas at cert.org] 
Sent: Monday, August 10, 2015 9:27 PM
To: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Cc: netsa-tools-discuss at cert.org; 'Ron Bandes' <rbandes at cert.org>;
netsa-help at cert.org; 'Majid Qureshi' <mmajid at ies.etisalat.ae>
Subject: Re: [netsa-tools-discuss] Flows per second in SiLK

There are two answers to the question regarding the number of flow records
being received by SiLK.

1. If you are talking about how many flow records are being received and
processed by the rwflowpack or flowcap tools, the answer is currently No,
there is nothing that directly reports the number of flow records received
per second.

Every so often (described below), the rwflowpack and flowcap tools report to
the log file the number of flow records processed, for example

  Mar 16 16:21:48 host flowcap[99294]: 'S9': forward 14, reverse 0, ignored 0, nf9: missing-pkts 0

If you divide the number that appears after "forward" by the time period,
you can get an average flow rate for the time period.

The time period is determined by the --timeout switch in flowcap and the
--flush-timeout switch in rwflowpack.  The daemons do a lot of work when the
timeout occurs, so I would suggest you not make timeout smaller than 15

2. Since the flow record is sent when the flow ends, you could get an
estimate of the number of flow records received per second by using the
rwcount tool.  Set the --bin-size to 1 and choose the end-spike

  $ rwcount --bin-size=1 --load-scheme=end --start-time=2009/02/13
                 Date|  Records|   Bytes|  Packets|
  2009/02/12T00:00:02|     2.00|  259.00|     2.00|
  2009/02/12T00:00:03|     1.00|  504.00|     9.00|
  2009/02/12T00:00:04|     0.00|    0.00|     0.00|
  2009/02/12T00:00:05|     0.00|    0.00|     0.00|

I hope that helps,
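
The calculation described in answer 1 above, as an added example that is not part of the original thread or of SiLK: it reads the periodic statistics lines from a log and divides each "forward" count by the reporting period. The function names, the 60-second period and all sample lines except the first are constructed, and it assumes rwflowpack writes its statistics line in the same shape as the flowcap line quoted above.

```python
import re
from collections import defaultdict

# Shape of the periodic statistics line quoted in the message above.
# Assumption: rwflowpack writes the same "forward N, reverse N, ignored N" line.
STATS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?:flowcap|rwflowpack)\[\d+\]:\s+'(?P<probe>[^']+)':\s+"
    r"forward\s+(?P<forward>\d+),\s+reverse\s+(?P<reverse>\d+),"
    r"\s+ignored\s+(?P<ignored>\d+)"
)

def flow_rates(lines, period_seconds):
    """Return {probe: [(timestamp, forward_count, flows_per_second), ...]}.

    period_seconds is the operator's --timeout (flowcap) or
    --flush-timeout (rwflowpack) value; it is not present in the log line.
    """
    if period_seconds <= 0:
        raise ValueError("period_seconds must be positive")
    rates = defaultdict(list)
    for line in lines:
        m = STATS_RE.match(line.strip())
        if m is None:  # startup, error and other messages are skipped
            continue
        forward = int(m["forward"])
        rates[m["probe"]].append((m["ts"], forward, forward / period_seconds))
    return dict(rates)

def summarize(rates):
    """Return {probe: (mean_rate, peak_rate)} over all reporting periods."""
    return {
        probe: (sum(r for _, _, r in rows) / len(rows), max(r for _, _, r in rows))
        for probe, rows in rates.items()
    }

# Constructed sample log; only the first line is taken from the message above.
SAMPLE_LOG = """\
Mar 16 16:21:48 host flowcap[99294]: 'S9': forward 14, reverse 0, ignored 0, nf9: missing-pkts 0
Mar 16 16:22:48 host flowcap[99294]: 'S9': forward 1800, reverse 0, ignored 2, nf9: missing-pkts 0
Mar 16 16:22:50 host flowcap[99294]: some unrelated message
Mar 16 16:23:48 host flowcap[99294]: 'S9': forward 600, reverse 0, ignored 0, nf9: missing-pkts 0
""".splitlines()

if __name__ == "__main__":
    # 60 is a constructed period; use the value the daemon was started with.
    for probe, (mean, peak) in summarize(flow_rates(SAMPLE_LOG, 60)).items():
        print(f"{probe}: mean {mean:.2f} flows/s, peak {peak:.2f} flows/s")
```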


-----Original Message-----
From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Date: Mon, 10 Aug 2015 15:22:10 +0400
To: <netsa-tools-discuss at cert.org>, 'Ron Bandes' <rbandes at cert.org>,
	<netsa-help at cert.org>
Cc: 'Majid Qureshi' <mmajid at ies.etisalat.ae>
Subject: [netsa-tools-discuss] Flows per second in SiLK



I was wondering if there's a way to get the number of flows per second being
received at SiLK

We have version 3.8.0

Thanks in advance


