[netflow-tools] Softflowd IPFIX date and time problem.

Hitoshi Irino irino at sfc.wide.ad.jp
Fri Sep 5 11:09:04 EST 2014


Hello Varun,

Could you show me the result of this command:

grep ^# config.h

Regards,
Hitoshi

On 2014/09/01 13:14, Varun Sharma wrote:
> Hi Hitoshi,
>
> Test environment :
>
> Two 16 core machines are connected back to back using dual port 10G
> card. CentOS release 6.2 (Final) 64bit version install on both
> machines.
> $ uname -a
> Linux hwcentos 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT
> 2011 x86_64 x86_64 x86_64 GNU/Linux
>
> On one of machine I install Softflowd(Revision:80aac3b2fec3).
> Softflowd observed packet sent by iperf client.
>
>
> I go through the ipfix.c code. If I comment line number 409 and 426 in
> ipfix.c file.
>
> 409 : //#if defined (_BSD_SOURCE) && defined (HAVE_ENDIAN_H) ||
> defined (HAVE_HTOBE64) || defined (HAVE_HTONLL)
>
> 426 : //#endif
>
> Now Exported IPFIX flow records include accurate flow end time in
> milliseconds format and also read properly on collector(nfdump) side.
> I think  (HAVE_ENDIAN_H) is not defined  that’s why problem persist.
>
> How to resolve this problem ?
>
> Thanks in advance .
>
> Regards,
> Varun
>
> On Thu, Aug 28, 2014 at 6:25 PM, Hitoshi Irino <irino at sfc.wide.ad.jp> wrote:
>> Hello Varun,
>>
>> I tested on Ubuntu Linux 14.04.1 64bit version.
>> In my test environment, softflowd observed packets sent by nmap -sU(UDP port
>> scan). It works well. Exported IPFIX flow records include accurate flow end
>> time.
>>
>> Could you teach me your environment?
>>
>> Regards,
>> Hitoshi
>>
>>
>> On 2014/08/28 14:22, Varun Sharma wrote:
>>>
>>> Hi ,
>>>
>>> I am using Softflowd IPFIX supported version ( Revision : 80aac3b2fec3
>>> ) downloaded from google code. I export flows in IPFIX format to
>>> collector server ( NFDUMP 1.6.10 ) . I am seeing  issue  with date and
>>> time field when I am reading nfdump logs .
>>>
>>> Whereas In case of Netflow v5 and v9 it is working fine means proper
>>> date and time comes in nfdump logs.
>>>
>>> Command run :
>>>
>>> softflowd  -i eth3 -n 192.168.50.2:9995 -v 10 -d -t maxlife=30  -D -A
>>> milli
>>>
>>> nfdump log :
>>>
>>> $ nfdump -r nfcapd.201408280909
>>>
>>> Date first seen          Duration Proto      Src IP Addr:Port
>>> Dst IP Addr:Port   Packets    Bytes Flows
>>>
>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>     192.168.50.1:43241 ->     192.168.50.2:5001  .AP.SF   0    17405
>>> 823.5 M     1
>>>
>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>     192.168.50.2:5001  ->     192.168.50.1:43241 .A..SF   0    15470
>>> 711626     1
>>>
>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>     192.168.50.1:43242 ->     192.168.50.2:5001  .AP.SF   0    20138
>>> 928.1 M     1
>>>
>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>     192.168.50.2:5001  ->     192.168.50.1:43242 .A..SF   0    20814
>>> 957450     1
>>>
>>> 2005-04-02 04:35:37.967 1970-01-01 05:30:00.000 3182570558.033 TCP
>>>     192.168.50.1:43243 ->     192.168.50.2:5001  .AP.SF   0    20031
>>> 925.8 M     1
>>>
>>> .......
>>>
>>> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
>>>     192.168.50.1:43257 ->     192.168.50.2:5001  .AP.SF   0     7235
>>> 348.3 M     1
>>>
>>> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
>>>     192.168.50.2:5001  ->     192.168.50.1:43257 .A..SF   0    10138
>>> 466354     1
>>>
>>> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
>>>     192.168.50.1:43258 ->     192.168.50.2:5001  .AP.SF   0    13164
>>> 610.1 M     1
>>>
>>> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
>>>     192.168.50.2:5001  ->     192.168.50.1:43258 .A..SF   0    15663
>>> 720504     1
>>> .......
>>>
>>> 2016-01-02 07:16:04.432 1970-01-01 05:30:00.000 2843268131.568 TCP
>>>     192.168.50.2:5001  ->     192.168.50.1:43268 .A..SF   0    18639
>>> 857400     1
>>>
>>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>>     192.168.50.1:43269 ->     192.168.50.2:5001  .AP.SF   0    28301
>>> 1.3 G     1
>>>
>>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>>     192.168.50.2:5001  ->     192.168.50.1:43269 .A..SF   0    34656
>>> 1.6 M     1
>>>
>>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>>     192.168.50.1:43270 ->     192.168.50.2:5001  .AP.SF   0    29209
>>> 1.3 G     1
>>>
>>>
>>> ....
>>>
>>> Summary: total flows: 162, total bytes: 59.4 G, total packets: 2.6 M,
>>> avg bps: 0, avg pps: 0, avg bpp: 0
>>> Time window: 2014-08-28 09:09:31 - 2014-08-28 09:14:31
>>> Total flows processed: 162, Blocks skipped: 0, Bytes read: 9832
>>> Sys: 0.005s flows/second: 27009.0    Wall: 0.005s flows/second: 30291.7
>>>
>>>
>>> I also used sec with –A option but in that case also same problem
>>> persist.  I attached tcpdump pcap file also. Pls find attachment.
>>>
>>> Can anybody know why it’s happening ?
>>>
>>>
>>> Regards
>>> Varun
>>>
>>>
>>>
>>>
>>
>
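
Added example, not softflowd's code and not part of the original thread: a 64-bit big-endian encoder for millisecond flow timestamps that uses only shifts, so it needs no configure-time byte-order macro, plus a collector-side plausibility check for the symptom in the nfdump output quoted above (an epoch-zero timestamp, a first-seen date outside the capture window). The function names, the 16-byte record layout and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <sys/time.h>

/* Store v most-significant byte first using shifts only: same bytes on any host. */
static void put_be64(uint8_t *out, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (56 - 8 * i));
}

/* Collector-side inverse of put_be64(). */
static uint64_t get_be64(const uint8_t *in)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | in[i];
    return v;
}

/* struct timeval -> milliseconds since the Unix epoch. */
static uint64_t timeval_to_ms(const struct timeval *tv)
{
    return (uint64_t)tv->tv_sec * 1000u + (uint64_t)tv->tv_usec / 1000u;
}

/* Hypothetical 16-byte layout: start ms, then end ms, both big-endian. */
static void encode_flow_times(uint8_t out[16], const struct timeval *s, const struct timeval *e)
{
    put_be64(out, timeval_to_ms(s));
    put_be64(out + 8, timeval_to_ms(e));
}

/* 0 = plausible, -1 = end time is zero (field never filled in),
 * -2 = end before start, -3 = start outside the capture window. */
static int check_flow_times(const uint8_t rec[16], uint64_t lo_ms, uint64_t hi_ms)
{
    uint64_t start = get_be64(rec), end = get_be64(rec + 8);
    if (end == 0) return -1;
    if (end < start) return -2;
    if (start < lo_ms || start > hi_ms) return -3;
    return 0;
}

int main(void)
{
    struct timeval s = { 1409217000, 250000 }, e = { 1409217030, 500000 }; /* constructed */
    uint8_t rec[16];
    encode_flow_times(rec, &s, &e);
    return check_flow_times(rec, 1409216970000ULL, 1409217270000ULL); /* constructed window */
}
```
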

