[netflow-tools] Weird duplicate netflow records
Damien Miller
djm at mindrot.org
Mon Jan 5 18:29:20 EST 2009
On Mon, 5 Jan 2009, Franz Böhm wrote:
> Please have a look at the following netflow records. Sometimes I get
> double records like the samples below.
> They were generated with pfflowd, collected with nfcapd and viewed with
> nfdump.
I'm not sure what could be causing this - pfflowd should only send
duplicate-looking flows when it encounters expired pf states that
have recorded more traffic than will fit in a 32-bit integer.
Can you correlate the records with a tcpdump on the pfsync interface
that pfflowd is listening to? That will tell you whether the duplicate
flows are coming from pfflowd or pfsync.
-d
> 2009-01-04 11:00:26.556 5167.000 TCP 10.0.3.34:4147 ->
> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:26.556 5167.000 TCP 80.140.195.57:30730 ->
> 10.0.3.34:4147 4583 188560 1
> 2009-01-04 11:00:25.990 5178.000 TCP 10.0.3.34:4147 ->
> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:25.990 5178.000 TCP 80.140.195.57:30730 ->
> 10.0.3.34:4147 4583 188560 1
>
> 2009-01-04 14:25:26.720 800.000 TCP 10.0.3.50:1942 ->
> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:26.720 800.000 TCP 87.248.217.89:80 ->
> 10.0.3.50:1942 38147 53.9 M 1
> 2009-01-04 14:25:25.720 801.000 TCP 10.0.3.50:1942 ->
> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:25.720 801.000 TCP 87.248.217.89:80 ->
> 10.0.3.50:1942 38147 53.9 M 1
>
> I would be very thankful if someone has a hint for me.
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools
>
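An added example, not part of the original message and not code from pfflowd or nfdump: a Python check that pairs the quoted nfdump records sharing endpoints and counters with start times close together, and notes whether their counters fit in 32 bits (the case the reply describes). The function names, the `fits_32bit` field, the 2-second window and the decimal scaling of the `M`/`G` suffixes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The eight records quoted in the message, unwrapped to one line each.
SAMPLE = """\
2009-01-04 11:00:26.556 5167.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
2009-01-04 11:00:26.556 5167.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
2009-01-04 11:00:25.990 5178.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
2009-01-04 11:00:25.990 5178.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
2009-01-04 14:25:26.720 800.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
2009-01-04 14:25:26.720 800.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
2009-01-04 14:25:25.720 801.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
2009-01-04 14:25:25.720 801.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
"""

# start, duration, proto, src, dst, packets, bytes (optionally scaled), flows
LINE = re.compile(r"(\S+ \S+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)"
                  r"\s+(\d+)\s+([\d.]+)(?: ([MG]))?\s+(\d+)$")
SCALE = {None: 1, "M": 1e6, "G": 1e9}  # assumption: decimal multiples

def parse(text):
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and summary lines
        ts, _dur, proto, src, dst, pkts, num, unit, _flows = m.groups()
        yield {"start": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
               "key": (proto, src, dst, int(pkts), num, unit),
               "bytes": float(num) * SCALE[unit], "packets": int(pkts)}

def find_duplicates(text, window=2.0):
    """Pair records with equal endpoints and counters starting within `window` seconds."""
    groups = defaultdict(list)
    for rec in parse(text):
        groups[rec["key"]].append(rec)
    pairs = []
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["start"])
        for a, b in zip(recs, recs[1:]):
            delta = (b["start"] - a["start"]).total_seconds()
            if delta <= window:
                # fits_32bit: both counters are below 2**32 (approximate for scaled values)
                pairs.append({"src": key[1], "dst": key[2], "delta": delta,
                              "fits_32bit": a["bytes"] < 2**32 and a["packets"] < 2**32})
    return pairs

if __name__ == "__main__":
    for pair in find_duplicates(SAMPLE):
        print(pair)
```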