Re: [Nfsen-discuss] incorrect timestamps in v0.9.8 with v9 exports

2013-10-31 Thread Peter Haag
Hi Greg,
I also had issues every now and then with softflowd. Furthermore, softflowd can become quite resource intensive on busy interfaces. In order to overcome these issues, there is nfpcapd. It's still considered to be experimental but already included in nfdump-1.6.10. It's basically a melt between softflowd and nfcapd. It either listens on an interface or reads from a pcap file and directly creates nfcapd files without any netflow protocol overhead.

Maybe this does not help you directly with pfsense.

- Peter

On 23/10/13 21:22, greg whynott wrote:
 Just as an FYI in case someone else is searching the webs for this.
 
 I'm using a current release of pfsense and exporting netflow data via softflowd v0.9.8.
 
 We analyse the exports with nfdump and noticed if you are exporting v9 the time stamps will be very wrong (by weeks/months). Using v5 exports provides correct time stamps.
 
 I'm not sure why pfsense is still using what seems to be a very old version (0.9.8 vs 1.6.9) but there it is...
 
 thanks,
 greg
 
 
 
 ___
 Nfsen-discuss mailing list
 Nfsen-discuss@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)



Re: [Nfsen-discuss] incorrect timestamps in v0.9.8 with v9 exports

2013-10-24 Thread Wood, Peter (ISS)
In the case of softflowd I looked at this a few months ago. It appears that it's doing it wrong with the microseconds-since-boot timestamps in the v9 packets, and it results in the length of a flow's life being negative.

I didn't log it with the softflowd devs at the time as we were working to replace it with an in-house app that consumed data from a Juniper SRX syslog output and produced v9 NetFlow.

As a side note, v9 has issues with flows which are over 49ish days old as well, or if you're trying to export two flows in the same packet with start and stop dates which end up being longer than this period. In my project I end up manipulating the system boot time of the collector in the packet header depending on the content of the records being exported to make sure they always fall in a valid range.

The issue is fairly easy to spot if you open up a pcap capture of it with Wireshark and decode the stream as cFlow.

Peter.
-- 
Peter Wood
Network Security Specialist
Information Systems Services
Lancaster University

Tel: (01524 5)10153
Email: p.w...@lancaster.ac.uk
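The two symptoms discussed in this thread (timestamps off by weeks or months, and flows with a negative lifetime) both come from how NetFlow v9 expresses time: the packet header carries `sysUpTime` (milliseconds since the exporter booted) and `UNIX Secs`, while each record carries FIRST_SWITCHED and LAST_SWITCHED as milliseconds since boot, and the collector reconstructs absolute time as `UNIX Secs - (sysUpTime - FIELD_SWITCHED)`. All of these are 32-bit counters, which is where the roughly 49.7-day (2^32 ms) limit comes from. The following Python is an added example, not code from the thread, softflowd or nfdump: it parses the RFC 3954 v9 header layout, applies that conversion, and runs the sanity checks a collector operator would want (field later than the header uptime, end before start) over constructed sample records. The header bytes and record values are constructed for illustration; the "bad" record mimics an exporter writing microseconds into a millisecond field.

```python
import struct
from collections import namedtuple
from datetime import datetime, timezone

# 32-bit millisecond counters (sysUpTime, FIRST/LAST_SWITCHED) wrap after
# 2**32 ms, roughly 49.7 days: the "49ish days" limit mentioned in the thread.
UPTIME_WRAP_MS = 2 ** 32

# RFC 3954 v9 packet header: Version, Count, sysUpTime, UNIX Secs, Sequence, Source ID
V9Header = namedtuple("V9Header", "version count sysuptime_ms unix_secs sequence source_id")
# Only the two time fields of a data record matter for this check (field types 22 and 21).
V9Record = namedtuple("V9Record", "first_switched_ms last_switched_ms")


def parse_v9_header(data):
    """Parse the 20-byte big-endian NetFlow v9 packet header."""
    if len(data) < 20:
        raise ValueError("short v9 header")
    hdr = V9Header(*struct.unpack("!HHIIII", data[:20]))
    if hdr.version != 9:
        raise ValueError(f"not a v9 packet (version {hdr.version})")
    return hdr


def v9_absolute_time(hdr, switched_ms):
    """RFC 3954 conversion: absolute = UNIX Secs - (sysUpTime - FIELD_SWITCHED).

    Returns a float UNIX timestamp. No wrap correction is applied, so a field
    that is mis-scaled or has wrapped lands weeks or months away, which is
    exactly the symptom reported for the v9 exports."""
    return hdr.unix_secs - (hdr.sysuptime_ms - switched_ms) / 1000.0


def check_record(hdr, rec):
    """Return a list of human-readable problems with a record's time fields."""
    issues = []
    if rec.last_switched_ms < rec.first_switched_ms:
        issues.append("negative flow lifetime: LAST_SWITCHED precedes FIRST_SWITCHED")
    for name, value in (("FIRST_SWITCHED", rec.first_switched_ms),
                        ("LAST_SWITCHED", rec.last_switched_ms)):
        # A flow cannot have been switched after the packet carrying it was built.
        # This trips either on a mis-scaled field or on a counter that wrapped
        # past 49.7 days; both need the collector to correct for them.
        if value > hdr.sysuptime_ms:
            issues.append(f"{name}={value} ms is later than header sysUpTime="
                          f"{hdr.sysuptime_ms} ms (mis-scaled field or wrapped counter)")
    return issues


def describe(hdr, rec):
    """Absolute start/end (UNIX seconds) plus the list of detected issues."""
    start = v9_absolute_time(hdr, rec.first_switched_ms)
    end = v9_absolute_time(hdr, rec.last_switched_ms)
    return start, end, check_record(hdr, rec)


# Constructed sample header: exporter up for 5,000 s, exported at a fixed UNIX time.
SAMPLE_HEADER = struct.pack("!HHIIII", 9, 1, 5_000_000, 1382560920, 1, 0)

# Constructed records (milliseconds since boot):
GOOD_RECORD = V9Record(4_000_000, 4_900_000)            # 1000 s ago -> 100 s ago
MICROSECOND_RECORD = V9Record(4_000_000_000, 4_000_900_000)  # same flow written in us
NEGATIVE_RECORD = V9Record(4_900_000, 4_000_000)        # end before start


def main():
    hdr = parse_v9_header(SAMPLE_HEADER)
    for label, rec in (("good", GOOD_RECORD), ("microseconds", MICROSECOND_RECORD),
                       ("negative", NEGATIVE_RECORD)):
        start, end, issues = describe(hdr, rec)
        fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(f"{label:13s} start={fmt(start)} end={fmt(end)} duration={end - start:.1f}s")
        for issue in issues:
            print(f"{'':13s}   ! {issue}")


if __name__ == "__main__":
    main()
```

The microsecond record decodes to a start time about 46 days in the future of the export, which is the "weeks/months" error Greg saw; the checks flag it because both fields exceed the header uptime. The same check fires on a legitimately wrapped counter, so a collector that wants to accept flows older than 49.7 days has to decide which case it is seeing, which is the ambiguity Peter describes working around by adjusting the boot time in the header.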
