In the case of softflowd, I looked at this a few months ago; it appears that 
it's "doing it wrong" with the "microseconds since boot" timestamps in the v9 
packets, which results in the length of a flow's life being negative. 

I didn't log it with the softflowd devs at the time as we were working to 
replace it with an in-house app that consumed data from a Juniper SRX syslog 
output and produced v9 NetFlow. 

As a side note, v9 has issues with flows which are over 49ish days old as well, 
or if you're trying to export two flows in the same packet with start and stop 
dates which end up being longer than this period. In my project I end up 
manipulating the system boot time of the collector in the packet header 
depending on the content of the records being exported to make sure they always 
fall in a valid range.

The issue is fairly easy to spot if you open up a pcap capture of it with 
Wireshark and decode the stream as cFlow.

Peter.
-- 
Peter Wood
Network Security Specialist
Information Systems Services
Lancaster University

Tel: (01524 5)10153
Email: p.w...@lancaster.ac.uk

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
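
An added example, not part of the original message and not code from softflowd or the in-house exporter it mentions: a collector-side check for the negative flow lifetimes described above, plus one way an exporter could rebase its boot time so every record fits the header's uptime window. It assumes the RFC 3954 layout, where sysUptime, FIRST_SWITCHED and LAST_SWITCHED are 32-bit millisecond counters; `check_flow`, `pick_uptime` and the sample header are hypothetical and constructed for illustration.

```python
import struct

WRAP = 1 << 32  # uptime fields are uint32 milliseconds: they wrap after ~49.7 days

# Constructed sample header: version 9, 1 record, sysUptime 60000 ms,
# unix_secs 1380000000, sequence 1, source id 0.
SAMPLE_HEADER = struct.pack("!HHIIII", 9, 1, 60000, 1380000000, 1, 0)

def parse_v9_header(data):
    """Return (sys_uptime_ms, unix_secs) from the 20-byte NetFlow v9 header."""
    if len(data) < 20:
        raise ValueError("short header")
    version, _count, sys_uptime, unix_secs, _seq, _src = struct.unpack(
        "!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not NetFlow v9")
    return sys_uptime, unix_secs

def check_flow(sys_uptime, unix_secs, first, last):
    """Collector side: return (verdict, start_epoch_ms, duration_ms) for a record."""
    duration = last - first
    if duration < 0:
        # Exporter bug, or the counter wrapped between flow start and flow end.
        return ("negative-duration", None, duration)
    if last > sys_uptime:
        # The flow claims to end after the packet was exported.
        return ("ends-after-export", None, duration)
    boot_ms = unix_secs * 1000 - sys_uptime
    return ("ok", boot_ms + first, duration)

def pick_uptime(export_ms, flows):
    """Exporter side (assumed approach): treat the oldest flow start as boot time.

    flows is a list of (start, end) pairs in epoch milliseconds. Returns the
    sysUptime to put in the header and the rebased (first, last) pairs.
    """
    boot_ms = min(start for start, _ in flows)
    uptime = export_ms - boot_ms
    if uptime >= WRAP:
        raise OverflowError("flows span 2**32 ms or more; split across packets")
    return uptime, [(s - boot_ms, e - boot_ms) for s, e in flows]

if __name__ == "__main__":
    up, secs = parse_v9_header(SAMPLE_HEADER)
    print(check_flow(up, secs, 10000, 5000))   # last before first
    print(check_flow(up, secs, 10000, 50000))  # well-formed record
```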
