Data every 60 seconds
I've been using nfcapd and nfdump to check my flows and data. I would like to generate data in real time to take DDoS attacks as soon as possible, but I can only view data after 60 seconds.
My goal is to receive flows and detect DDoS attacks, to automate sending a BGP blackhole route.
I would like to know if it is possible to show data in less time.
I'm using nfcapd with these parameters: /usr/bin/nfcapd -B 128000 -e -s 1 -w -D -T all -p 2055 -n made4flow,10.1.1.1,/netflow/demo/RT-DEMO/ -S 1 -t 300 -x '/opt/script.pl'
I'm reading the current file to get information in as little time as possible. I'm reading this file because I have a script that, when the file cycles (300 seconds), runs analyses for many IP addresses in my internal network, so I need to read data every 20 seconds, and after 5 minutes I need to run my script to collect data about many IPs.
Is it possible to read the current file in less than 60 seconds?
I tried putting a smaller buffer size, with parameter -B set to a lower number, but all of my tests had the same result: it just reads current data after 60 seconds.
Regards
I don't know if I understand you correctly. The -t parameter allows you to set the cycle time. This can be as low as 2s. If your cycle time is less than 60s, nfcapd automatically appends the seconds to the file name. However, this filename change may break other scripts you may have. The -B buffer size applies to the socket and has nothing to do with the cycle time. There is only 1 cycle time per nfcapd process, which applies to all sources. If you have multiple tasks, one in 20s and one in 300s, you may start 2 nfcapd processes in a daisy chain (-R) with different cycle times to process the files differently (-x). Does that help?
No new input. @gganascim - I close this issue. If you have some more questions, feel free to open a new ticket.