[netflow-tools] Softflowd IPFIX date and time problem.

Varun Sharma vsdssd at gmail.com
Wed Sep 17 16:03:56 EST 2014


Hi Hitoshi ,

I found that HAVE_ENDIAN_H not defined in configure script that’s why
problem persist. After define HAVE_ENDIAN_H problem is solved.

$ grep ^# config.h

#define HAVE_DAEMON 1

#define HAVE_INT16_T 1

#define HAVE_INT32_T 1

#define HAVE_INT64_T 1

#define HAVE_INT8_T 1

#define HAVE_INTTYPES_H 1

#define HAVE_LIBPCAP 1

#define HAVE_MEMORY_H 1

#define HAVE_PCAP_BPF_H 1

#define HAVE_PCAP_H 1

#define HAVE_SETGID 1

#define HAVE_SETRESGID 1

#define HAVE_SETRESUID 1

#define HAVE_SETREUID 1

#define HAVE_STDINT_H 1

#define HAVE_STDLIB_H 1

#define HAVE_STRINGS_H 1

#define HAVE_STRING_H 1

#define HAVE_STRUCT_IP6_EXT 1

#define HAVE_SYS_STAT_H 1

#define HAVE_SYS_TYPES_H 1

#define HAVE_UINT16_T 1

#define HAVE_UINT32_T 1

#define HAVE_UINT64_T 1

#define HAVE_UINT8_T 1

#define HAVE_UNISTD_H 1

#define HAVE_U_INT16_T 1

#define HAVE_U_INT32_T 1

#define HAVE_U_INT64_T 1

#define HAVE_U_INT8_T 1

#define OUR_CFG_INT16_T short int

#define OUR_CFG_INT32_T int

#define OUR_CFG_INT64_T long int

#define OUR_CFG_INT8_T signed char

#define OUR_CFG_U_INT16_T uint16_t

#define OUR_CFG_U_INT32_T uint32_t

#define OUR_CFG_U_INT64_T uint64_t

#define OUR_CFG_U_INT8_T uint8_t

#define PACKAGE_BUGREPORT ""

#define PACKAGE_NAME ""

#define PACKAGE_STRING ""

#define PACKAGE_TARNAME ""

#define PACKAGE_URL ""

#define PACKAGE_VERSION ""

#define SIZEOF_CHAR 1

#define SIZEOF_INT 4

#define SIZEOF_LONG_INT 8

#define SIZEOF_LONG_LONG_INT 8

#define SIZEOF_SHORT_INT 2

#define STDC_HEADERS 1



There is need to update configure script and config.h.in file. In
configure script add check for endian.h file.



for ac_header in endian.h

do :

  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`

ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header"
"$ac_includes_default"

if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :

  cat >>confdefs.h <<_ACEOF

#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF

fi
done


In config.h.in add  #undef HAVE_ENDIAN_H line.


Regards,
Varun


On Fri, Sep 5, 2014 at 6:39 AM, Hitoshi Irino <irino at sfc.wide.ad.jp> wrote:
> Hello Varun,
>
> Could you show me reuslt of this command:
>
> grep ^# config.h
>
> Regards,
> Hitoshi
>
>
> On 2014/09/01 13:14, Varun Sharma wrote:
>>
>> Hi Hitoshi,
>>
>> Test environment :
>>
>> Two 16 core machines are connected back to back using dual port 10G
>> card. CentOS release 6.2 (Final) 64bit version install on both
>> machines.
>> $ uname -a
>> Linux hwcentos 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT
>> 2011 x86_64 x86_64 x86_64 GNU/Linux
>>
>> On one of machine I install Softflowd(Revision:80aac3b2fec3).
>> Softflowd observed packet sent by iperf client.
>>
>>
>> I go through the ipfix.c code. If I comment line number 409 and 426 in
>> ipfix.c file.
>>
>> 409 : //#if defined (_BSD_SOURCE) && defined (HAVE_ENDIAN_H) ||
>> defined (HAVE_HTOBE64) || defined (HAVE_HTONLL)
>>
>> 426 : //#endif
>>
>> Now Exported IPFIX flow records include accurate flow end time in
>> milliseconds format and also read properly on collector(nfdump) side.
>> I think  (HAVE_ENDIAN_H) is not defined  that’s why problem persist.
>>
>> How to resolve this problem ?
>>
>> Thanks in advance .
>>
>> Regards,
>> Varun
>>
>> On Thu, Aug 28, 2014 at 6:25 PM, Hitoshi Irino <irino at sfc.wide.ad.jp>
>> wrote:
>>>
>>> Hello Varun,
>>>
>>> I tested on Ubuntu Linux 14.04.1 64bit version.
>>> In my test environment, softflowd observed packets sent by nmap -sU(UDP
>>> port
>>> scan). It works well. Exported IPFIX flow records include accurate flow
>>> end
>>> time.
>>>
>>> Could you teach me your environment?
>>>
>>> Regards,
>>> Hitoshi
>>>
>>>
>>> On 2014/08/28 14:22, Varun Sharma wrote:
>>>>
>>>>
>>>> Hi ,
>>>>
>>>> I am using Softflowd IPFIX supported version ( Revision : 80aac3b2fec3
>>>> ) downloaded from google code. I export flows in IPFIX format to
>>>> collector server ( NFDUMP 1.6.10 ) . I am seeing  issue  with date and
>>>> time field when I am reading nfdump logs .
>>>>
>>>> Whereas In case of Netflow v5 and v9 it is working fine means proper
>>>> date and time comes in nfdump logs.
>>>>
>>>> Command run :
>>>>
>>>> softflowd  -i eth3 -n 192.168.50.2:9995 -v 10 -d -t maxlife=30  -D -A
>>>> milli
>>>>
>>>> nfdump log :
>>>>
>>>> $ nfdump -r nfcapd.201408280909
>>>>
>>>> Date first seen          Duration Proto      Src IP Addr:Port
>>>> Dst IP Addr:Port   Packets    Bytes Flows
>>>>
>>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>>     192.168.50.1:43241 ->     192.168.50.2:5001  .AP.SF   0    17405
>>>> 823.5 M     1
>>>>
>>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>>     192.168.50.2:5001  ->     192.168.50.1:43241 .A..SF   0    15470
>>>> 711626     1
>>>>
>>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>>     192.168.50.1:43242 ->     192.168.50.2:5001  .AP.SF   0    20138
>>>> 928.1 M     1
>>>>
>>>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>>>     192.168.50.2:5001  ->     192.168.50.1:43242 .A..SF   0    20814
>>>> 957450     1
>>>>
>>>> 2005-04-02 04:35:37.967 1970-01-01 05:30:00.000 3182570558.033 TCP
>>>>     192.168.50.1:43243 ->     192.168.50.2:5001  .AP.SF   0    20031
>>>> 925.8 M     1
>>>>
>>>> .......
>>>>
>>>> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
>>>>     192.168.50.1:43257 ->     192.168.50.2:5001  .AP.SF   0     7235
>>>> 348.3 M     1
>>>>
>>>> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
>>>>     192.168.50.2:5001  ->     192.168.50.1:43257 .A..SF   0    10138
>>>> 466354     1
>>>>
>>>> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
>>>>     192.168.50.1:43258 ->     192.168.50.2:5001  .AP.SF   0    13164
>>>> 610.1 M     1
>>>>
>>>> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
>>>>     192.168.50.2:5001  ->     192.168.50.1:43258 .A..SF   0    15663
>>>> 720504     1
>>>> .......
>>>>
>>>> 2016-01-02 07:16:04.432 1970-01-01 05:30:00.000 2843268131.568 TCP
>>>>     192.168.50.2:5001  ->     192.168.50.1:43268 .A..SF   0    18639
>>>> 857400     1
>>>>
>>>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>>>     192.168.50.1:43269 ->     192.168.50.2:5001  .AP.SF   0    28301
>>>> 1.3 G     1
>>>>
>>>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>>>     192.168.50.2:5001  ->     192.168.50.1:43269 .A..SF   0    34656
>>>> 1.6 M     1
>>>>
>>>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>>>     192.168.50.1:43270 ->     192.168.50.2:5001  .AP.SF   0    29209
>>>> 1.3 G     1
>>>>
>>>>
>>>> ....
>>>>
>>>> Summary: total flows: 162, total bytes: 59.4 G, total packets: 2.6 M,
>>>> avg bps: 0, avg pps: 0, avg bpp: 0
>>>> Time window: 2014-08-28 09:09:31 - 2014-08-28 09:14:31
>>>> Total flows processed: 162, Blocks skipped: 0, Bytes read: 9832
>>>> Sys: 0.005s flows/second: 27009.0    Wall: 0.005s flows/second: 30291.7
>>>>
>>>>
>>>> I also used sec with –A option but in that case also same problem
>>>> persist.  I attached tcpdump pcap file also. Pls find attachment.
>>>>
>>>> Can anybody know why it’s happening ?
>>>>
>>>>
>>>> Regards
>>>> Varun
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> netflow-tools mailing list
>>>> netflow-tools at mindrot.org
>>>> https://lists.mindrot.org/mailman/listinfo/netflow-tools
>>>>
>>>
>>
>


More information about the netflow-tools mailing list