rasqlinsert data sometimes show negatives values with the flow duration field

Carter Bullard carter at qosient.com
Wed Oct 13 16:42:39 EDT 2010 

Hey Javier,
Check the description of the schema that is created.  Here is an example
of one of my tables;

% mysql
mysql> desc inode;
+--------+-----------------------+------+-----+---------+-------+
| Field  | Type                  | Null | Key | Default | Extra |
+--------+-----------------------+------+-----+---------+-------+
| ltime  | double(18,6) unsigned | NO   |     | NULL    |       | 
| dur    | double(18,6)          | NO   |     | NULL    |       | 
| srcid  | varchar(64)           | NO   | PRI |         |       | 
| mean   | double                | YES  |     | NULL    |       | 
| inode  | varchar(64)           | NO   | PRI |         |       | 
| sttl   | tinyint(3) unsigned   | NO   | PRI | 0       |       | 
| pkts   | bigint(20)            | YES  |     | NULL    |       | 
| record | blob                  | YES  |     | NULL    |       | 
+--------+-----------------------+------+-----+---------+-------+
8 rows in set (0.04 sec)

The dur is a signed double, which is pretty big.  Can't imagine that your dur is rolling over.
The dur is a calculated value (ltime - stime).  What is the stime and ltime when 
you see the dur go negative?

Carter

On Oct 13, 2010, at 4:19 PM, Javier Almillategui wrote:

> Hi all,
> 
> is there a possibility that argus will select the a limited value for the duration field? I'm seeing that the duration data sometimes is a negative value for long lasting flows.
> 
> I have inserted the data with the following syntax:
> 
> rasqlinsert -w mysql://argus:123456@localhost/anondb/masontap_test_%Y_%m_%d -r mason_tap_20100521_prepared.argus -s +2seq -s +3ltime -s +4dur -s +loss -s +1srcid -s -record -m none -M time 1d




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101013/d1007ccb/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101013/d1007ccb/attachment.bin>

More information about the argus mailing list