From thealy at bnl.gov Wed Dec 2 03:56:29 2009
From: thealy at bnl.gov (thealy)
Date: Tue, 01 Dec 2009 11:56:29 -0500
Subject: [netflow-tools] PCAP file -> NetFlow v5
Message-ID: <4B154ABD.2030102@bnl.gov>

Hello-

I'm using softflowd to read in PCAP files and generate NetFlow packets.
Unfortunately it does not appear to retain the original timestamps, but
rather inserts the time that the program is run. I'm running it with these
options:

softflowd -r filtered-23nov09.pcap -n 1.2.34:1111

Is there a way to preserve the original timestamp, or another tool that
will achieve the same goal?

Thanks,

Terry


From sokvantha at gmail.com Wed Dec 2 14:37:18 2009
From: sokvantha at gmail.com (Sokvantha YOUK)
Date: Wed, 2 Dec 2009 10:37:18 +0700
Subject: [netflow-tools] cisco asr 1006 netflowtool
Message-ID: 

Dear All,

I am having trouble with the timestamps sent from a Cisco ASR Router 1006 to
my flow-tools capture. The problem is that the timestamps are 5 hours late
compared with the file name.

Could you please advise me what I should do to get this problem solved?
/usr/local/flowtool/bin/flow-print -f5 < ft-v05.2009-12-01.141500+0700 > /home/sokvantha/flow-timestamp-debug.txt

Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1201.09:22:16.372 1201.09:43:16.705 27 119.82.250.11 16752 4 194.183.68.237 20458 17 0 42588 2422926
1201.09:22:26.056 1201.09:43:16.716 27 119.82.250.11 16753 4 194.183.68.237 20459 17 0 249 39780
1201.09:38:58.420 1201.09:43:16.348 4 93.182.188.39 11710 27 119.82.252.133 64319 6 0 448 248826
1201.09:39:30.323 1201.09:43:16.561 4 66.96.134.10 80 28 110.74.223.13 54438 6 0 2606 3770046
1201.09:41:04.423 1201.09:43:16.967 34 118.67.204.20 49652 4 122.224.114.157 35883 6 0 581 325600
1201.09:41:04.503 1201.09:43:16.959 4 122.224.114.157 35883 34 118.67.204.20 49652 6 0 325 15402
1201.09:41:14.343 1201.09:43:16.882 4 76.117.146.191 29559 28 110.74.223.142 4544 6 0 228 215922
1201.09:41:14.726 1201.09:43:16.386 28 110.74.223.142 4544 4 76.117.146.191 29559 6 0 275 196013
1201.09:41:25.958 1201.09:43:16.226 2 218.253.64.60 10154 27 110.74.196.36 4619 6 0 68 3142
1201.09:41:59.233 1201.09:43:16.575 27 119.82.252.41 29797 4 58.61.165.218 8000 17 0 12 952
1201.09:41:59.743 1201.09:43:16.669 2 221.7.93.225 18218 28 110.74.197.34 7078 17 0 107 6984
1201.09:42:15.183 1201.09:43:16.416 4 96.49.82.47 11246 34 118.67.204.20 15000 17 0 17 1150
1201.09:42:15.187 1201.09:43:16.420 4 96.49.82.47 11246 34 118.67.204.20 56937 17 0 15 1024
1201.09:42:16.356 1201.09:43:16.009 27 119.82.253.149 37327 4 203.218.92.44 55561 6 0 17 926
1201.09:42:18.533 1201.09:43:16.230 28 119.82.253.53 1605 4 79.141.174.36 80 6 1 88 4518
1201.09:42:18.879 1201.09:43:16.217 2 79.141.174.36 80 28 119.82.253.53 1605 6 1 124 175648
1201.09:42:25.333 1201.09:43:16.281 34 118.67.204.55 57617 4 217.22.246.78 25 6 0 54 7124
1201.09:42:25.699 1201.09:43:16.645 4 217.22.246.78 25 34 118.67.204.55 57617 6 0 29 2339
1201.09:42:27.228 1201.09:43:16.830 2 114.249.128.159 63672 28 119.82.255.11 1517 6 0 28 22072
1201.09:42:27.234 1201.09:43:16.851 28 119.82.255.11 1517 4 114.249.128.159 63672 6 0 18 1118
1201.09:42:32.081 1201.09:43:16.737 27 110.74.196.133 65303 4 75.64.54.46 6244 6 0 22 1409
1201.09:42:32.408 1201.09:43:16.243 27 119.82.252.17 16291 4 208.94.234.75 80 6 1 1092 46996
1201.09:42:32.647 1201.09:43:16.237 4 208.94.234.75 80 28 119.82.252.17 16291 6 1 1781 2058359

-- 
Best Regards,
YOUK Sokvantha
Tel: (855) 89896589
email: sokvantha at gmail.com


From mwlucas at blackhelicopters.org Wed Dec 2 15:18:20 2009
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Tue, 1 Dec 2009 23:18:20 -0500
Subject: [netflow-tools] cisco asr 1006 netflowtool
In-Reply-To: 
References: 
Message-ID: <20091202041820.GA49491@bewilderbeast.blackhelicopters.org>

Common issue. Check the time and time zone on your router with "sho clock".
I suggest using NTP if possible; my Ciscos clock-skew pretty easily.

On Wed, Dec 02, 2009 at 10:37:18AM +0700, Sokvantha YOUK wrote:
> Dear All,
>
> I am having trouble with the timestamps sent from a Cisco ASR Router 1006
> to my flow-tools capture. The problem is that the timestamps are 5 hours
> late compared with the file name.
>
> Could you please advise me what I should do to get this problem solved?
> [...]
>
> --
> Best Regards,
> YOUK Sokvantha
> Tel: (855) 89896589
> email: sokvantha at gmail.com
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools

-- 
Michael W. Lucas  mwlucas at BlackHelicopters.org  http://www.MichaelWLucas.com/
Latest book: Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/


From sokvantha at gmail.com Wed Dec 2 18:53:01 2009
From: sokvantha at gmail.com (Sokvantha YOUK)
Date: Wed, 2 Dec 2009 14:53:01 +0700
Subject: [netflow-tools] cisco asr 1006 netflowtool
In-Reply-To: 
References: 
Message-ID: 

Dear Michael,

My time in Linux and on the router is the same. We are using NTP. Please
find the result below:

Time in Router ASR 1006
14:49:08.926 GMT+7 Wed Dec 2 2009

Time in Linux x64
Wed Dec 2 14:49:31 ICT 2009

Are there any other things I should check?

Thank you so much for your response.

On Wed, Dec 2, 2009 at 10:37 AM, Sokvantha YOUK wrote:
> Dear All,
>
> I am having trouble with the timestamps sent from a Cisco ASR Router 1006
> to my flow-tools capture. The problem is that the timestamps are 5 hours
> late compared with the file name.
>
> Could you please advise me what I should do to get this problem solved?
> [...]
>
> --
> Best Regards,
> YOUK Sokvantha
> Tel: (855) 89896589
> email: sokvantha at gmail.com

-- 
YOUK Sokvantha
Tel: (855) 89896589
email: sokvantha at gmail.com


From jloiacon at csc.com Thu Dec 3 00:33:50 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Wed, 2 Dec 2009 08:33:50 -0500
Subject: [netflow-tools] cisco asr 1006 netflowtool
In-Reply-To: 
References: 
Message-ID: 

Sokvantha,

Can you show us your flow-capture statement?

Joe

From: Sokvantha YOUK
To: netflow-tools at mindrot.org
Date: 12/02/2009 02:53 AM
Subject: Re: [netflow-tools] cisco asr 1006 netflowtool

Dear Michael,

My time in Linux and on the router is the same. We are using NTP. Please
find the result below:

Time in Router ASR 1006
14:49:08.926 GMT+7 Wed Dec 2 2009

Time in Linux x64
Wed Dec 2 14:49:31 ICT 2009

Are there any other things I should check?

Thank you so much for your response.

On Wed, Dec 2, 2009 at 10:37 AM, Sokvantha YOUK wrote:

Dear All,

I am having trouble with the timestamps sent from a Cisco ASR Router 1006 to
my flow-tools capture. The problem is that the timestamps are 5 hours late
compared with the file name.

Could you please advise me what I should do to get this problem solved?
[...]

--
Best Regards,
YOUK Sokvantha
Tel: (855) 89896589
email: sokvantha at gmail.com


From JCasale at activenetwerx.com Sat Dec 12 01:43:47 2009
From: JCasale at activenetwerx.com (Joseph L. Casale)
Date: Fri, 11 Dec 2009 14:43:47 +0000
Subject: [netflow-tools] pfflowd issue
Message-ID: 

I am attempting to monitor traffic through a tun interface on a pfSense
appliance using pfflowd, which seems to work OK only during small or short
transfers. If I transfer any sizable amount of data through the VPN it gets
missed by the monitoring apps (ManageEngine NetFlow, Orion, etc.). Is this to
be expected, or is there something I can do about this?

Thanks!
jlc


From Jeffrey.Isherwood at itt.com Tue Dec 29 05:37:59 2009
From: Jeffrey.Isherwood at itt.com (Isherwood, Jeffrey - AES)
Date: Mon, 28 Dec 2009 13:37:59 -0500
Subject: [netflow-tools] Netflow aggregation and redirection...
Message-ID: <241B25198E2A5F44A5FE4FDAA37790F40148A1415D@01AESMX09-1.aes.de.ittind.com>

Hi,

I'm working on a research project that requires NetFlow data. I've got a
small problem: all of our network equipment will do NetFlow, but only to two
destinations, and both of them are being used right now, so I can't get the
data. I'd like to "split the stream" and get that NetFlow to more servers...
Here's what I have in mind:

- Allow all the devices to continue to send feed #1 to the "authorized
  corporate Netflow analyzer".
- Stand up a new server, and send feed #2 from all the devices to the new
  server, which receives all inbound flows, stores a copy locally (for
  integrity) and then redirects the flows outbound to multiple analyzers
  (managed services providers, R&D folks, etc.).

I thought that I'd use NFDUMP/NFCAPD to do it, but I seem to be having
problems pulling this off. It could be operator error, but if it is, I
cannot see where I am going wrong.

Both nfdump & nfcapd are installed, and they run, but nfcapd does not seem
to be collecting anything. I was originally trying to run it with the
following flags:

nfcapd -D -p 9996 -l /var/local/nfdump/flows -R 10.17.142.56/9996

I tried using nfdump and nfreplay to see the contents of the stored flow
files and they all appear to be empty except for headers.

At the suggestion of the nfdump mailing list I tried running this:

nfcapd -E -l /var/local/nfdump/flows -p 9996

This is supposed to give me stdout for the flow data but it just sits there
and I see nothing... which I believe means that it is not seeing any flow
data. I do however have 12 routers currently pointing to this server, all on
port 9996, so it should be seeing something. When I run "tcpdump port 9996"
I see a lot of the following:

09:06:33.163439 IP 10.17.29.22.64629 > 10.17.142.42.palace-5: UDP, length 696

So I know that the routers are sending stuff, but apparently nfcapd is not
seeing it.

Is anybody else doing this sort of thing? If so, how are you doing it? If
these ARE the right tools to use, does anybody have a clue as to where I'm
going wrong?

All help greatly appreciated.

________________________________
This e-mail and any files transmitted with it may be proprietary and are
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this e-mail in error please notify the
sender. Please note that any views or opinions presented in this e-mail are
solely those of the author and do not necessarily represent those of ITT
Corporation. The recipient should check this e-mail and any attachments for
the presence of viruses. ITT accepts no liability for any damage caused by
any virus transmitted by this e-mail.
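Added worked example for the three threads above; this is not code from softflowd, flow-tools, nfcapd or any of the posters. Terry's lost PCAP timestamps and Sokvantha's five-hour offset both come down to the same part of the NetFlow v5 format: a flow record carries only First/Last values in milliseconds since the exporter booted, and the header's unix_secs/SysUptime pair is what anchors them to wall-clock time. A PCAP converter that wants to keep capture times therefore has to set unix_secs from the capture rather than the current clock, and an exporter whose clock or time zone disagrees with the collector's shows up as a constant offset in every datagram. Jeffrey's "store a copy locally, then redirect to several analyzers" relay is the replicate()/serve() pair at the end. The flow, addresses and clock values are constructed; serve(), udp_sink() and the other names are hypothetical, not options of nfcapd.

```python
# NetFlow v5 helpers (added example; not softflowd, flow-tools or nfdump code).
import socket
import struct
import time

# v5 header (24 bytes) and flow record (48 bytes), network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_packet(flows, unix_secs, sys_uptime_ms, unix_nsecs=0, seq=0):
    """Encode flow dicts into one v5 datagram. first_ms/last_ms are offsets
    from exporter boot; only the header's unix_secs/SysUptime pair ties them
    to wall-clock time, so a PCAP converter that wants to keep capture times
    must set unix_secs from the capture, not from the current clock."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs,
                            unix_nsecs, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                       b"\x00" * 4, 0, 0, f["pkts"], f["octets"],
                       f["first_ms"], f["last_ms"], f["sport"], f["dport"],
                       0, f.get("tcp_flags", 0), f["proto"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body

def parse_v5(data):
    """Validate and decode a v5 datagram; ValueError on anything malformed,
    so a relay never stores or forwards bytes it cannot read."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq = V5_HEADER.unpack_from(data)[:6]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count %d" % count)
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "unix_nsecs": nsecs, "flow_sequence": seq}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "pkts": f[5], "octets": f[6], "first_ms": f[7],
                        "last_ms": f[8], "sport": f[9], "dport": f[10],
                        "tcp_flags": f[12], "proto": f[13]})
    return header, records

def absolute_times(header, record):
    """Flow start/end as Unix epoch seconds: boot time is the header clock
    minus SysUptime, and First/Last are offsets from boot."""
    boot = (header["unix_secs"] + header["unix_nsecs"] / 1e9
            - header["sys_uptime_ms"] / 1000.0)
    return boot + record["first_ms"] / 1000.0, boot + record["last_ms"] / 1000.0

def exporter_clock_offset(header, received_at=None):
    """Exporter clock minus collector clock at receipt, in seconds. A value near
    a whole number of hours suggests a time-zone mismatch; slow growth suggests
    an exporter without working NTP."""
    if received_at is None:
        received_at = time.time()
    return header["unix_secs"] + header["unix_nsecs"] / 1e9 - received_at

def replicate(data, store, sinks):
    """Validate one datagram, append it to the local store (file-like), then
    hand the unchanged bytes to every sink callable. Returns the flow count."""
    header, _ = parse_v5(data)
    store.write(data)
    for sink in sinks:
        sink(data)
    return header["count"]

def udp_sink(host, port):
    """Sink forwarding each datagram unchanged to host:port (hypothetical)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda data: sock.sendto(data, (host, port))

def serve(listen_port, store_path, sinks):
    """Blocking receive loop: store a raw copy of every valid datagram and fan
    it out to the sinks (hypothetical relay, not an nfcapd feature)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", listen_port))
    with open(store_path, "ab") as store:
        while True:
            data, peer = sock.recvfrom(65535)
            try:
                replicate(data, store, sinks)
            except ValueError as err:
                print("dropped datagram from %s: %s" % (peer[0], err))

if __name__ == "__main__":
    # Constructed sample: one flow exported 90 s after boot, exporter clock at
    # 2009-12-01 07:15:00 UTC, collector clock 5 h ahead to show the offset.
    pkt = build_v5_packet(
        [{"src": "192.0.2.10", "dst": "198.51.100.7", "sport": 49152, "dport": 80,
          "proto": 6, "pkts": 12, "octets": 952, "first_ms": 30000, "last_ms": 60000}],
        unix_secs=1259651700, sys_uptime_ms=90000)
    hdr, recs = parse_v5(pkt)
    print(absolute_times(hdr, recs[0]), exporter_clock_offset(hdr, 1259651700 + 5 * 3600))
```

For a live relay, call serve(9996, "/var/local/raw-v5.bin", [udp_sink("analyzer-a", 9996), udp_sink("analyzer-b", 9996)]) with your own store path and analyzer addresses (placeholders here). Because replicate() rejects anything that is not a well-formed v5 datagram, an exporter that is actually sending v9 or IPFIX shows up as dropped datagrams rather than as silently empty files; and if the store file stays empty while tcpdump still shows traffic on the port, compare the destination address in the tcpdump output against the address the relay bound before looking any further at the parser. exporter_clock_offset() logged per exporter is the collector-side version of Michael's "sho clock" check: a steady offset close to a whole number of hours is a time-zone setting, a drifting one is a clock.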