Hi all,

One small question before holidays. As we know, flow expiration on the exporter runs if no packet comes in a flow or if an "end of session" TCP flag is detected. Then the exporter will inform nfcapd in a UDP packet.

What happens if this packet is lost on the network? Will nfsen never see that this flow has expired? I found flows with duration up to 4 000 000 000 ms and only 1 flow. Here is an example, anonymized:

Date flow start          Duration     Proto  Src IP Addr:Port          Dst IP Addr:Port        Packets  Bytes  Flows
2012-07-24 10:59:54.007  2.000        UDP    113.107.214.100:61918 ->  216.67.102.45:2122      1        131    1
2012-07-24 10:59:54.007  2.000        UDP    216.67.102.45:2122    ->  113.107.214.100:61918   1        305    1
2012-07-24 10:59:59.007  3.000        UDP    62.252.190.196:123    ->  61.192.94.167:123       4        304    1
2012-07-24 10:59:59.007  3.000        UDP    61.192.94.167:123     ->  62.252.190.196:123      4        304    1
2012-06-04 17:59:57.711  4294966.296  UDP    113.107.184.123:27057 ->  216.67.102.45:2122      1        126    1
2012-06-04 17:59:57.711  4294966.296  UDP    216.67.102.45:2122    ->  113.107.184.123:27057   1        309    1
2012-07-24 11:32:08.008  116.000      TCP    113.107.219.116:36157 ->  218.185.100.221:80      7        730    1
2012-07-24 11:32:08.008  116.000      TCP    218.185.100.221:80    ->  113.107.219.116:36157   5        1764   1
2012-07-24 11:54:54.008  9.000        TCP    113.107.79.246:38264  ->  242.194.34.210:25       3        156    1
2012-07-24 11:59:59.008  1.000        UDP    62.252.190.196:123    ->  61.192.94.167:123       4        304    1
2012-07-24 11:59:59.008  1.000        UDP    61.192.94.167:123     ->  62.252.190.196:123      4        304    1
IP addresses anonymized
Summary: total flows: 11, total bytes: 4737, total packets: 35, avg bps: 0, avg pps: 0, avg bpp: 135
Time window: 2012-06-04 17:59:57 - 2012-07-24 12:00:00
Total flows processed: 3783450, Blocks skipped: 0, Bytes read: 196757126
Sys: 1.618s flows/second: 2337262.1 Wall: 1.612s flows/second: 2345863.0

All flows with duration > 4000000000 started the same day: 2012-04-06

Am I wrong if I think this should not happen? Could a packet loss be the reason for my problem? What else if not? Is there a way to force nfcapd to expire flows for which it receives no more information?

The exporter is a Packetfilter firewall running on OpenBSD with pflow enabled.

Thanks
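
Added example, not part of the original post: a small Python filter that picks flow records with implausible durations out of nfdump-style text output like the listing above and reinterprets each duration as a signed 32-bit millisecond value. That 4294966.296 s equals 2^32 ms minus 1000 ms is arithmetic; reading it as a wrapped negative end-minus-start difference is an assumption, as are the one-day threshold and the name `suspicious_flows`.

```python
import re
from decimal import Decimal

WRAP = 2 ** 32                       # assumption: duration kept as unsigned 32-bit milliseconds
MAX_PLAUSIBLE_MS = 24 * 3600 * 1000  # assumption: no single flow record spans more than a day

# Sample lines taken from the listing in the post (addresses already anonymized there).
SAMPLE = """\
2012-07-24 10:59:54.007 2.000 UDP 113.107.214.100:61918 -> 216.67.102.45:2122 1 131 1
2012-06-04 17:59:57.711 4294966.296 UDP 113.107.184.123:27057 -> 216.67.102.45:2122 1 126 1
2012-06-04 17:59:57.711 4294966.296 UDP 216.67.102.45:2122 -> 113.107.184.123:27057 1 309 1
2012-07-24 11:32:08.008 116.000 TCP 113.107.219.116:36157 -> 218.185.100.221:80 7 730 1
"""

LINE = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<dur>\d+\.\d{3})\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)

def suspicious_flows(text):
    """Return records whose duration exceeds MAX_PLAUSIBLE_MS, together with
    the signed delta obtained by treating the duration as a wrapped 32-bit value."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header, summary or blank line
        dur_ms = int(Decimal(m["dur"]) * 1000)  # Decimal avoids float rounding
        if dur_ms <= MAX_PLAUSIBLE_MS:
            continue
        # Values in the upper half of the 32-bit range map to negative deltas.
        signed_ms = dur_ms - WRAP if dur_ms >= WRAP // 2 else dur_ms
        hits.append({"start": m["start"], "src": m["src"], "dst": m["dst"],
                     "duration_ms": dur_ms, "signed_delta_ms": signed_ms})
    return hits

if __name__ == "__main__":
    for hit in suspicious_flows(SAMPLE):
        print(hit)
```

A signed delta of -1000 ms for both flagged records would mean an end timestamp one second before the start timestamp, which points at the exported timestamps rather than at a lost expiration packet; confirming that requires looking at the raw pflow records.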