[flow-tools] performance question [resend]
Craig A. Finseth
fin@finseth.com
Tue, 28 Jan 2003 15:42:14 -0600 (CST)
On Fri, Jan 24, 2003 at 10:14:36AM -0600, Craig A. Finseth wrote:
> As I mentioned in an earlier message (which may have yet to wend its way
> through the queues...), this problem has been fixed by writing tailored
> code for flow-tag.
What did you do to flow-tag? Is this something that would be of general
use? Is it faster / more functional than the suggestion I made earlier
about reformatting the config file? Your original post effectively
boiled down to
foreach customer # 500 customers
patricia_trie_lookup()
done
Where all that was necessary is
patricial_trie_lookup()
You are correct.
You can send any fixes to the list, I'll try to get them integrated into
the next snapshot.
As I mentioned in my reply, I don't understand how to restructure the
filter to be able to get the same effect but using your structure. The
supplied documentation does not imply that it is possible. (It doesn't
say that it isn't, just doesn't say anything much.)
While it is of general use, I suspect that the community would be better
served by putting energy into improving the documentation to the point
where it is moot.
That said, I'll be happy to send you the changes. Be warned that
they're fairly large and raw.
On the split timing problem...I need to think about this a little more, but
I think it's a bug. flow-split is probably assuming the clock doesn't
go away for more than a split period. The time-series option in flow-report
probably behaves the same way.
Probably. My customers often go large amounts of time (e.g., overnight)
with no data being sent, so many of the 15-minute periods are completely
empty of flows.
Craig