Re: [ipt-netflow] FIRST_SWITCHED being reset after export of active flow
NetFlow iptables module for Linux kernel
From: Michael K. <mic...@pl...> - 2015-08-15 14:28:39
If you are looking for UDP as well, it becomes a bit harder because there is nothing that can guarantee the flow is new. If you query the data from a database and group by IPs, ports and protocols, then select the minimum start time stamp for the flows, you should get a relatively accurate count of flows. You can use a modulus to normalize the timestamps into 1 minute buckets as a second step.

Pseudo-SQL:

    SELECT srcIP, dstIP, srcPort, dstPort, protocol, MIN(flowstart)
    FROM database.flowsTable
    GROUP BY srcIP, dstIP, srcPort, dstPort, protocol

This will give you the unique TCP, UDP (and ICMP, sort of) conversations and their start times. Adding a modulo function to the flow start timestamp will allow you to convert it to 1 minute resolution. Once you have done that, you will be able to count the flows in each bucket. You may have to do some work to figure out the "real" minutes of the flow because they generally are milliseconds since the system started, not absolute.

-Mike Krygeris

> On Aug 15, 2015, at 6:45 AM, ABC <ab...@te...> wrote:
>
> Phillip,
>
>> On Fri, Aug 14, 2015 at 09:07:48PM +0000, Phillip Rzewski wrote:
>> Before I get into my question, what I'm ultimately trying to do is
>> find the best way to count new flows started per minute. [...] But I'm
>> open to other suggestions.
>
> If you are interested only in TCP flows, you can analyse the TCP_FLAGS(6)
> Element for presence of the SYN flag. As you should know, the first packet of a
> TCP stream is marked with the SYN bit. So you need only change your approach
> to counting only flows that are SYN marked.
>
> -abc
>
> _______________________________________________
> ipt-netflow-users mailing list
> ipt...@li...
> https://lists.sourceforge.net/lists/listinfo/ipt-netflow-users
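Both approaches from the thread, worked through on constructed data (this is an added example, not code from the original posts or from ipt-netflow): Mike's "group by 5-tuple, take MIN(flowstart), bucket by minute" query runs against an in-memory SQLite table, and abc's "count only SYN-marked records" filter runs beside it over the same rows. The record layout (5-tuple, TCP_FLAGS, sysUpTime-relative FIRST_SWITCHED in ms) and the sample flows are assumptions made for the example; the helper that turns FIRST_SWITCHED into an absolute time uses the exporting packet's header fields (unixSecs, sysUpTime) as the NetFlow v9 header defines them.

```python
"""Count new flows per minute from NetFlow-style records (added example).

Two strategies from the ipt-netflow-users thread:
  1. any protocol: group by 5-tuple, MIN(flowstart), then 1-minute buckets
  2. TCP only: count records whose TCP_FLAGS (element 6) carry SYN
"""
import sqlite3

SYN = 0x02          # SYN bit as carried in TCP_FLAGS
MINUTE_MS = 60_000  # bucket width; timestamps are in milliseconds

# Constructed sample records (not real exporter output):
# (src, dst, sport, dport, proto, tcp_flags, first_switched_ms)
# first_switched_ms is sysUpTime-relative, like FIRST_SWITCHED (element 22).
SAMPLE_FLOWS = [
    # one long TCP session exported three times (active timeout);
    # SYN is only present in the first record
    ("10.0.0.5", "10.0.0.9", 51000, 443, 6, 0x02, 5_000),
    ("10.0.0.5", "10.0.0.9", 51000, 443, 6, 0x10, 65_000),
    ("10.0.0.5", "10.0.0.9", 51000, 443, 6, 0x10, 125_000),
    # a second TCP session starting in the next minute
    ("10.0.0.6", "10.0.0.9", 51001, 443, 6, 0x02, 70_000),
    # a UDP "conversation" exported twice: no SYN to lean on
    ("10.0.0.7", "10.0.0.53", 40000, 53, 17, 0, 61_000),
    ("10.0.0.7", "10.0.0.53", 40000, 53, 17, 0, 121_000),
]


def new_flows_per_minute(flows):
    """Strategy 1: unique 5-tuple with its earliest start, bucketed per minute.

    Returns {bucket_start_ms: count}. Works for UDP/ICMP too, at the cost
    of merging genuine 5-tuple reuse (e.g. ephemeral port reuse) into one flow.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE flows(src TEXT, dst TEXT, sport INT, dport INT, "
        "proto INT, tcp_flags INT, flowstart INT)"
    )
    con.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)", flows)
    rows = con.execute(
        """
        SELECT flowstart - flowstart % ? AS minute, COUNT(*)
        FROM (
            SELECT src, dst, sport, dport, proto, MIN(flowstart) AS flowstart
            FROM flows
            GROUP BY src, dst, sport, dport, proto
        )
        GROUP BY minute
        ORDER BY minute
        """,
        (MINUTE_MS,),
    ).fetchall()
    con.close()
    return {minute: count for minute, count in rows}


def syn_flows_per_minute(flows):
    """Strategy 2: TCP records with SYN set, bucketed per minute.

    Exact for TCP because only the record holding the first packet carries
    SYN; UDP/ICMP records never match and are simply not counted.
    """
    counts = {}
    for _src, _dst, _sp, _dp, proto, tcp_flags, start in flows:
        if proto == 6 and tcp_flags & SYN:
            bucket = start - start % MINUTE_MS
            counts[bucket] = counts.get(bucket, 0) + 1
    return dict(sorted(counts.items()))


def sysuptime_to_unix_ms(first_switched_ms, hdr_unix_secs, hdr_sysuptime_ms):
    """Turn a sysUpTime-relative FIRST_SWITCHED into absolute epoch ms.

    The v9 packet header carries sysUpTime (ms) and unixSecs at export time,
    so the flow started (sysUpTime - FIRST_SWITCHED) ms before unixSecs.
    """
    return hdr_unix_secs * 1000 - (hdr_sysuptime_ms - first_switched_ms)


if __name__ == "__main__":
    print("5-tuple/MIN :", new_flows_per_minute(SAMPLE_FLOWS))
    print("SYN only    :", syn_flows_per_minute(SAMPLE_FLOWS))
```

On the sample, the 5-tuple method reports one new flow in the first minute and two in the second (the second TCP session plus the UDP conversation), while the SYN method reports one and one, ignoring UDP. Bucket the absolute time rather than the raw FIRST_SWITCHED when records come from more than one exporter, since each exporter's sysUpTime starts from its own boot.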