From vsdssd at gmail.com Thu Aug 28 15:22:03 2014
From: vsdssd at gmail.com (Varun Sharma)
Date: Thu, 28 Aug 2014 10:52:03 +0530
Subject: [netflow-tools] Softflowd IPFIX date and time problem.
Message-ID:

Hi,

I am using the Softflowd IPFIX-supported version (Revision: 80aac3b2fec3) downloaded from google code. I export flows in IPFIX format to a collector server (NFDUMP 1.6.10). I am seeing an issue with the date and time fields when I am reading the nfdump logs.

Whereas in the case of NetFlow v5 and v9 it is working fine, meaning the proper date and time come in the nfdump logs.

Command run:

softflowd -i eth3 -n 192.168.50.2:9995 -v 10 -d -t maxlife=30 -D -A milli

nfdump log:

$ nfdump -r nfcapd.201408280909
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.1:43241 -> 192.168.50.2:5001 .AP.SF 0 17405 823.5 M 1
2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.2:5001 -> 192.168.50.1:43241 .A..SF 0 15470 711626 1
2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.1:43242 -> 192.168.50.2:5001 .AP.SF 0 20138 928.1 M 1
2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.2:5001 -> 192.168.50.1:43242 .A..SF 0 20814 957450 1
2005-04-02 04:35:37.967 1970-01-01 05:30:00.000 3182570558.033 TCP 192.168.50.1:43243 -> 192.168.50.2:5001 .AP.SF 0 20031 925.8 M 1
.......
2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP 192.168.50.1:43257 -> 192.168.50.2:5001 .AP.SF 0 7235 348.3 M 1
2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP 192.168.50.2:5001 -> 192.168.50.1:43257 .A..SF 0 10138 466354 1
2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP 192.168.50.1:43258 -> 192.168.50.2:5001 .AP.SF 0 13164 610.1 M 1
2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP 192.168.50.2:5001 -> 192.168.50.1:43258 .A..SF 0 15663 720504 1
.......
2016-01-02 07:16:04.432 1970-01-01 05:30:00.000 2843268131.568 TCP 192.168.50.2:5001 -> 192.168.50.1:43268 .A..SF 0 18639 857400 1
2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP 192.168.50.1:43269 -> 192.168.50.2:5001 .AP.SF 0 28301 1.3 G 1
2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP 192.168.50.2:5001 -> 192.168.50.1:43269 .A..SF 0 34656 1.6 M 1
2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP 192.168.50.1:43270 -> 192.168.50.2:5001 .AP.SF 0 29209 1.3 G 1
....
Summary: total flows: 162, total bytes: 59.4 G, total packets: 2.6 M, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2014-08-28 09:09:31 - 2014-08-28 09:14:31
Total flows processed: 162, Blocks skipped: 0, Bytes read: 9832
Sys: 0.005s flows/second: 27009.0 Wall: 0.005s flows/second: 30291.7

I also used sec with the -A option, but in that case the same problem persists. I attached a tcpdump pcap file also. Please find the attachment.

Does anybody know why it's happening?

Regards
Varun

-------------- next part --------------
A non-text attachment was scrubbed...
Name: softflowd IPIX.pcap
Type: application/octet-stream
Size: 2278 bytes
Desc: not available
URL:

From irino at sfc.wide.ad.jp Thu Aug 28 22:55:57 2014
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Thu, 28 Aug 2014 21:55:57 +0900
Subject: [netflow-tools] Softflowd IPFIX date and time problem.
In-Reply-To:
References:
Message-ID: <53FF26DD.3020106@sfc.wide.ad.jp>

Hello Varun,

I tested on Ubuntu Linux 14.04.1 64bit version. In my test environment, softflowd observed packets sent by nmap -sU (UDP port scan). It works well. Exported IPFIX flow records include accurate flow end time.

Could you tell me about your environment?

Regards,
Hitoshi

On 2014/08/28 14:22, Varun Sharma wrote:
> Hi,
>
> I am using the Softflowd IPFIX-supported version (Revision: 80aac3b2fec3)
> downloaded from google code. I export flows in IPFIX format to a
> collector server (NFDUMP 1.6.10). I am seeing an issue with the date and
> time fields when I am reading the nfdump logs.
>
> Whereas in the case of NetFlow v5 and v9 it is working fine, meaning the
> proper date and time come in the nfdump logs.
>
> Command run:
>
> softflowd -i eth3 -n 192.168.50.2:9995 -v 10 -d -t maxlife=30 -D -A milli
>
> nfdump log:
>
> $ nfdump -r nfcapd.201408280909
>
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.1:43241 -> 192.168.50.2:5001 .AP.SF 0 17405 823.5 M 1
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.2:5001 -> 192.168.50.1:43241 .A..SF 0 15470 711626 1
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.1:43242 -> 192.168.50.2:5001 .AP.SF 0 20138 928.1 M 1
>
> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.2:5001 -> 192.168.50.1:43242 .A..SF 0 20814 957450 1
>
> 2005-04-02 04:35:37.967 1970-01-01 05:30:00.000 3182570558.033 TCP 192.168.50.1:43243 -> 192.168.50.2:5001 .AP.SF 0 20031 925.8 M 1
>
> .......
>
> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP 192.168.50.1:43257 -> 192.168.50.2:5001 .AP.SF 0 7235 348.3 M 1
>
> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP 192.168.50.2:5001 -> 192.168.50.1:43257 .A..SF 0 10138 466354 1
>
> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP 192.168.50.1:43258 -> 192.168.50.2:5001 .AP.SF 0 13164 610.1 M 1
>
> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP 192.168.50.2:5001 -> 192.168.50.1:43258 .A..SF 0 15663 720504 1
> .......
>
> 2016-01-02 07:16:04.432 1970-01-01 05:30:00.000 2843268131.568 TCP 192.168.50.2:5001 -> 192.168.50.1:43268 .A..SF 0 18639 857400 1
>
> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP 192.168.50.1:43269 -> 192.168.50.2:5001 .AP.SF 0 28301 1.3 G 1
>
> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP 192.168.50.2:5001 -> 192.168.50.1:43269 .A..SF 0 34656 1.6 M 1
>
> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP 192.168.50.1:43270 -> 192.168.50.2:5001 .AP.SF 0 29209 1.3 G 1
>
> ....
>
> Summary: total flows: 162, total bytes: 59.4 G, total packets: 2.6 M,
> avg bps: 0, avg pps: 0, avg bpp: 0
> Time window: 2014-08-28 09:09:31 - 2014-08-28 09:14:31
> Total flows processed: 162, Blocks skipped: 0, Bytes read: 9832
> Sys: 0.005s flows/second: 27009.0 Wall: 0.005s flows/second: 30291.7
>
> I also used sec with the -A option, but in that case the same problem
> persists. I attached a tcpdump pcap file also. Please find the attachment.
>
> Does anybody know why it's happening?
>
> Regards
> Varun
>
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools
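As an added check (not part of the thread, and not softflowd or nfdump code), the Python below parses three of the nfdump records from Varun's post and tests what its numbers alone support: the "last seen" column is Unix epoch 0 rendered in the collector's UTC+05:30 zone (assumed from the +0530 Date header), the huge "Duration" column is exactly the negative interval (last minus first) printed as unsigned 32-bit seconds, and none of the "first seen" values fall inside the 5-minute time window nfdump itself reports. Any record that passes all three checks carries no usable start or end timestamp and should be dropped from time-based analysis rather than trusted.

```python
# Added diagnostic for the nfdump output quoted in the thread; not softflowd
# or nfdump code. Assumes the collector ran in UTC+05:30 (from the +0530 header).
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Three records copied from the post (constructed sample input for this check).
SAMPLE = """\
2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP 192.168.50.1:43241 -> 192.168.50.2:5001 .AP.SF 0 17405 823.5 M 1
2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP 192.168.50.1:43257 -> 192.168.50.2:5001 .AP.SF 0 7235 348.3 M 1
2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP 192.168.50.1:43269 -> 192.168.50.2:5001 .AP.SF 0 28301 1.3 G 1
"""
# nfdump's own "Time window" line from the same output.
WINDOW = (datetime(2014, 8, 28, 9, 9, 31, tzinfo=IST),
          datetime(2014, 8, 28, 9, 14, 31, tzinfo=IST))


def parse_record(line, tz=IST):
    """Split one nfdump line into (first_seen, last_seen, duration_seconds)."""
    cols = line.split()
    first = datetime.strptime(f"{cols[0]} {cols[1]}", TS_FMT).replace(tzinfo=tz)
    last = datetime.strptime(f"{cols[2]} {cols[3]}", TS_FMT).replace(tzinfo=tz)
    return first, last, float(cols[4])


def diagnose(line, tz=IST, window=WINDOW):
    """Report why the three time columns of a record cannot be trusted."""
    first, last, duration = parse_record(line, tz)
    # A zero end timestamp prints as 1970-01-01 05:30:00 in UTC+05:30.
    end_is_epoch0 = last.timestamp() == 0.0
    # last - first is then negative; shown as unsigned 32-bit seconds it
    # becomes 2**32 - first, which is the enormous "Duration" value.
    wrapped = (last - first).total_seconds() % 2 ** 32
    duration_is_wrapped = abs(wrapped - duration) < 1e-3
    start_in_window = window[0] <= first <= window[1]
    return {
        "end_is_epoch0": end_is_epoch0,
        "duration_is_wrapped": duration_is_wrapped,
        "start_in_window": start_in_window,
    }


def diagnose_all(text=SAMPLE):
    """Run the checks over every non-empty line of an nfdump listing."""
    return [diagnose(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in diagnose_all():
        print(result)
```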