Very big traffic_tmp (UTM4)

Questions about UTM 3.0 and UTM 4.0 (support discontinued)
Closed
BobiTo
Posts: 4
Joined: Mon Nov 07, 2005 15:38

Post by BobiTo »

Hi
I have used UTM4 + netflow for 2 years now and everything was OK. For the last 2 weeks I have had this problem:
when UTM collects traffic in traffic_netflow everything is OK, but when tsave starts and sends from traffic_netflow to traffic_tmp, the second file becomes twice as big!

Example:
traffic_netflow: 14MB
traffic_tmp: 26MB

mysql> show columns from traffic_netflow;
+-----------+----------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+----------------------+------+-----+---------+----------------+
| id | int(10) unsigned | | PRI | NULL | auto_increment |
| srcaddr | int(10) unsigned | | | 0 | |
| dstaddr | int(10) unsigned | | | 0 | |
| nexthop | int(10) unsigned | | | 0 | |
| input | smallint(5) unsigned | | | 0 | |
| output | smallint(5) unsigned | | | 0 | |
| dPkts | int(10) unsigned | | | 0 | |
| dOctets | int(10) unsigned | | | 0 | |
| First | int(10) unsigned | | | 0 | |
| Last | int(10) unsigned | | | 0 | |
| srcport | smallint(5) unsigned | | | 0 | |
| dstport | smallint(5) unsigned | | | 0 | |
| pad | tinyint(3) unsigned | | | 0 | |
| tcp_flags | tinyint(3) unsigned | | | 0 | |
| prot | tinyint(3) unsigned | | | 0 | |
| tos | tinyint(3) unsigned | | | 0 | |
| src_as | smallint(5) unsigned | | | 0 | |
| dst_as | smallint(5) unsigned | | | 0 | |
| src_mask | tinyint(3) unsigned | | | 0 | |
| dst_mask | tinyint(3) unsigned | | | 0 | |
| t_class | int(10) unsigned | | | 0 | |
| uid | int(10) unsigned | | | 0 | |
+-----------+----------------------+------+-----+---------+----------------+
22 rows in set (0.00 sec)


mysql> show columns from traffic_tmp;
+------------+----------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+------------+----------------------+------+-----+---------+-------+
| ip_from | char(20) | | | | |
| ip_to | char(20) | | | | |
| bytes_data | int(11) | | | 0 | |
| bytes_all | int(11) | | | 0 | |
| ftime | int(11) | | | 0 | |
| ltime | int(11) | | | 0 | |
| t_class | int(10) unsigned | | | 0 | |
| uid | int(10) unsigned | | MUL | 0 | |
| nexthop | int(10) unsigned | | | 0 | |
| input | smallint(5) unsigned | | | 0 | |
| output | smallint(5) unsigned | | | 0 | |
| packets | int(10) unsigned | | | 0 | |
| First | int(10) unsigned | | | 0 | |
| Last | int(10) unsigned | | | 0 | |
| srcport | smallint(5) unsigned | | | 0 | |
| dstport | smallint(5) unsigned | | | 0 | |
| pad | tinyint(3) unsigned | | | 0 | |
| tcp_flags | tinyint(3) unsigned | | | 0 | |
| prot | tinyint(3) unsigned | | | 0 | |
| tos | tinyint(3) unsigned | | | 0 | |
| src_as | smallint(5) unsigned | | | 0 | |
| dst_as | smallint(5) unsigned | | | 0 | |
| src_mask | tinyint(3) unsigned | | | 0 | |
| dst_mask | tinyint(3) unsigned | | | 0 | |
+------------+----------------------+------+-----+---------+-------+
24 rows in set (0.00 sec)


Why is that?

UncleDen
Posts: 128
Joined: Tue Feb 01, 2005 09:04
Location: Europe-Asia

Post by UncleDen »

Do you have doubled records in traffic_tmp or what?
When tsave ends, is the table traffic_tmp empty or not?
Run tsave manually and look at the log on screen.

BobiTo
Posts: 4
Joined: Mon Nov 07, 2005 15:38

Post by BobiTo »

10x
but I decided to update to UTM5. And actually right now I am converting the database.
10x anyway
and by the way traffic_tmp is empty when tsave finishes. I checked traffic_tmp and there are not 2 records per flow. There are exactly the same number of lines.
