[netflow-tools] Softflowd IPFIX date and time problem.

Varun Sharma vsdssd at gmail.com
Mon Sep 1 14:14:54 EST 2014 

Hi Hitoshi,

Test environment :

Two 16 core machines are connected back to back using dual port 10G
card. CentOS release 6.2 (Final) 64bit version install on both
machines.
$ uname -a
Linux hwcentos 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT
2011 x86_64 x86_64 x86_64 GNU/Linux

On one of machine I install Softflowd(Revision:80aac3b2fec3).
Softflowd observed packet sent by iperf client.


I go through the ipfix.c code. If I comment line number 409 and 426 in
ipfix.c file.

409 : //#if defined (_BSD_SOURCE) && defined (HAVE_ENDIAN_H) ||
defined (HAVE_HTOBE64) || defined (HAVE_HTONLL)

426 : //#endif

Now Exported IPFIX flow records include accurate flow end time in
milliseconds format and also read properly on collector(nfdump) side.
I think  (HAVE_ENDIAN_H) is not defined  that’s why problem persist.

How to resolve this problem ?

Thanks in advance .

Regards,
Varun

On Thu, Aug 28, 2014 at 6:25 PM, Hitoshi Irino <irino at sfc.wide.ad.jp> wrote:
> Hello Varun,
>
> I tested on Ubuntu Linux 14.04.1 64bit version.
> In my test environment, softflowd observed packets sent by nmap -sU(UDP port
> scan). It works well. Exported IPFIX flow records include accurate flow end
> time.
>
> Could you teach me your environment?
>
> Regards,
> Hitoshi
>
>
> On 2014/08/28 14:22, Varun Sharma wrote:
>>
>> Hi ,
>>
>> I am using Softflowd IPFIX supported version ( Revision : 80aac3b2fec3
>> ) downloaded from google code. I export flows in IPFIX format to
>> collector server ( NFDUMP 1.6.10 ) . I am seeing  issue  with date and
>> time field when I am reading nfdump logs .
>>
>> Whereas In case of Netflow v5 and v9 it is working fine means proper
>> date and time comes in nfdump logs.
>>
>> Command run :
>>
>> softflowd  -i eth3 -n 192.168.50.2:9995 -v 10 -d -t maxlife=30  -D -A
>> milli
>>
>> nfdump log :
>>
>> $ nfdump -r nfcapd.201408280909
>>
>> Date first seen          Duration Proto      Src IP Addr:Port
>> Dst IP Addr:Port   Packets    Bytes Flows
>>
>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>    192.168.50.1:43241 ->     192.168.50.2:5001  .AP.SF   0    17405
>> 823.5 M     1
>>
>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>    192.168.50.2:5001  ->     192.168.50.1:43241 .A..SF   0    15470
>> 711626     1
>>
>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>    192.168.50.1:43242 ->     192.168.50.2:5001  .AP.SF   0    20138
>> 928.1 M     1
>>
>> 2005-04-02 04:35:37.968 1970-01-01 05:30:00.000 3182570558.032 TCP
>>    192.168.50.2:5001  ->     192.168.50.1:43242 .A..SF   0    20814
>> 957450     1
>>
>> 2005-04-02 04:35:37.967 1970-01-01 05:30:00.000 3182570558.033 TCP
>>    192.168.50.1:43243 ->     192.168.50.2:5001  .AP.SF   0    20031
>> 925.8 M     1
>>
>> .......
>>
>> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
>>    192.168.50.1:43257 ->     192.168.50.2:5001  .AP.SF   0     7235
>> 348.3 M     1
>>
>> 2015-06-17 11:04:55.259 1970-01-01 05:30:00.000 2860448000.741 TCP
>>    192.168.50.2:5001  ->     192.168.50.1:43257 .A..SF   0    10138
>> 466354     1
>>
>> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
>>    192.168.50.1:43258 ->     192.168.50.2:5001  .AP.SF   0    13164
>> 610.1 M     1
>>
>> 2015-06-17 11:04:55.248 1970-01-01 05:30:00.000 2860448000.752 TCP
>>    192.168.50.2:5001  ->     192.168.50.1:43258 .A..SF   0    15663
>> 720504     1
>> .......
>>
>> 2016-01-02 07:16:04.432 1970-01-01 05:30:00.000 2843268131.568 TCP
>>    192.168.50.2:5001  ->     192.168.50.1:43268 .A..SF   0    18639
>> 857400     1
>>
>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>    192.168.50.1:43269 ->     192.168.50.2:5001  .AP.SF   0    28301
>> 1.3 G     1
>>
>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>    192.168.50.2:5001  ->     192.168.50.1:43269 .A..SF   0    34656
>> 1.6 M     1
>>
>> 2016-01-02 07:16:04.421 1970-01-01 05:30:00.000 2843268131.579 TCP
>>    192.168.50.1:43270 ->     192.168.50.2:5001  .AP.SF   0    29209
>> 1.3 G     1
>>
>>
>> ....
>>
>> Summary: total flows: 162, total bytes: 59.4 G, total packets: 2.6 M,
>> avg bps: 0, avg pps: 0, avg bpp: 0
>> Time window: 2014-08-28 09:09:31 - 2014-08-28 09:14:31
>> Total flows processed: 162, Blocks skipped: 0, Bytes read: 9832
>> Sys: 0.005s flows/second: 27009.0    Wall: 0.005s flows/second: 30291.7
>>
>>
>> I also used sec with –A option but in that case also same problem
>> persist.  I attached tcpdump pcap file also. Pls find attachment.
>>
>> Can anybody know why it’s happening ?
>>
>>
>> Regards
>> Varun
>>
>>
>>
>> _______________________________________________
>> netflow-tools mailing list
>> netflow-tools at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/netflow-tools
>>
>

More information about the netflow-tools mailing list