Will you accept a patch to allow ignoring pdu duplicates?

[GoogleCodeExporter]

Currently I maintain a small patch to flow tools at my site to silence the 
ftpdu_seq_check() message, which freaks out if you have multiple flow sources 
feeding into a single capture.

Currently we just hard compile it out, but if I clean this up to make it an cmd 
line option, would you integrate it? We'd much rather stop hanging onto the 
local patch.  

Without it our logs get FLOODED with the messages due to the level of traffic 
and duplicate sequence numbers. 

         fterr_warnx(
           "ftpdu_seq_check(): src_ip=%s dst_ip=%s d_version=%d expecting=%lu received=%lu lost=%lu",
           fmt_src_ip, fmt_dst_ip, (int)ftpdu.ftv.d_version,
           (u_long)ftch_recexpp->ftseq.seq_exp,
           (u_long)ftch_recexpp->ftseq.seq_rcv,
           (u_long)ftch_recexpp->ftseq.seq_lost);


Alternatively, can you suggest any alternative means with flow-fanout to get 
rid of the warnings? (If it really is an issue, I'd rather fix it properly if 
possible.)

Original issue reported on code.google.com by [email protected] on 28 Sep 2012 at 4:38

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Use samplicator instead of flow-fanout. Samplicator makes exact UDP copies 
without corrupting the sequence numbers.

Also, instead of flow-capture, consider using flowd 
(http://www.mindrot.org/projects/flowd/). I've submitted a flowd patch that 
handles out-of-order and duplicate export packets that are common on large 
networks (http://code.google.com/r/cweinhold-flowd-sequence). 

As your flows are captured by flowd, you can use the included flowd-reader 
program to move them into flow-tools format (a script for this is at 
http://mailman.splintered.net/pipermail/flow-tools/2010-May/003861.html). After 
that, normal flow-tools commands work fine.

Original comment by [email protected] on 26 Feb 2013 at 6:08