Hi Peter,

From some devices I've been seeing flows with start and end times in
the past - exactly 2^32 ms old (which is around 49 days).
Although I compiled nfcapd with the -DFIXTIMEBUG option, the same
thing still kept repeating.

What is weird is that only some flows from certain devices had such
incorrect timestamps set.

Anyway, after quite some time debugging all this, I managed to find
out that this was caused by a Cisco IOS bug CSCei12353 (or
CSCsk67578).

The bug says: Flow End sysUpTime higher value than the Router
sysUpTime. And indeed, some flows have end sysUpTime higher than the
router sysUpTime.

This causes nfcapd to incorrectly subtract 0x100000000LL from
start_time and end_time.

Now this is done to catch the case where the overflow happened after the flow
ended but before it was exported. If this happened, there has to be a huge
difference between Last and the SysUptime in the header, so the following
patch should help:


diff netflow_v5_v7.c nfdump-1.6.6/bin/netflow_v5_v7.c
517c517
<                               if ( Last > v5_header->SysUptime && (
( Last - v5_header->SysUptime) > 100000) ) {
---
>                               if ( Last > v5_header->SysUptime ) {
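Review bot: the slack in the `<` line, `( Last - v5_header->SysUptime) > 100000`, is a bare magic number (NetFlow v5 carries these fields in milliseconds, so this is 100 s); name it with a `#define` and comment that it exists so a Last only a few seconds past the header's SysUptime, as exported by routers hit by CSCei12353/CSCsk67578, is not mistaken for a 2^32 ms wrap that happened between flow end and export. The unsigned subtraction is safe because it is guarded by `Last > v5_header->SysUptime`. Also note the hunk is `diff <modified> <original>` in normal format, so `<` is the proposed code and `>` the 1.6.6 original, the reverse of the usual reading; a `diff -u` with the original file first would make the direction obvious.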


Indeed, after this all flows are processed correctly. This might help
other people who are seeing flows with incorrect timestamps.

Cheers,

Bojan
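The timestamp reconstruction and the wrap heuristic described in the mail, as an added C model (not nfdump's code and not the poster's; field and function names are this example's own), run on a constructed header/record pair that mimics the Cisco bug:

```c
#include <stdint.h>
#include <stdio.h>

#define MSEC_WRAP       0x100000000ULL  /* 2^32 ms: the sysUpTime wrap (~49.7 days) */
#define WRAP_SLACK_MSEC 100000ULL       /* 100 s: the slack proposed in the mail */

/* Minimal model of the NetFlow v5 fields involved (host byte order; names are this example's own). */
struct v5_header { uint32_t sys_uptime; uint32_t unix_secs; };
struct v5_record { uint32_t first; uint32_t last; };
struct abs_times { uint64_t start_ms; uint64_t end_ms; int wrap_applied; };

/* Router boot time in ms since the epoch, derived from the export header. */
static uint64_t boot_time_msec(const struct v5_header *h)
{
    return (uint64_t)h->unix_secs * 1000ULL - h->sys_uptime;
}

/* Convert First/Last sysUpTime offsets to absolute times. With use_slack == 0 any
 * Last > SysUptime counts as a wrap (mis-dates flows hit by the Cisco bug); with
 * use_slack != 0 the gap must also exceed WRAP_SLACK_MSEC, as in the mail's patch. */
static struct abs_times flow_times(const struct v5_header *h,
                                   const struct v5_record *r, int use_slack)
{
    uint64_t boot = boot_time_msec(h);
    struct abs_times t;
    /* First > Last: the counter wrapped between start and end of the flow. */
    t.start_ms = (r->first > r->last) ? boot - MSEC_WRAP + r->first : boot + r->first;
    t.end_ms = boot + r->last;

    /* Wrap between flow end and export: Last far above the header's SysUptime. The
     * bugged routers export Last only slightly above it; the slack spares those. */
    t.wrap_applied = r->last > h->sys_uptime &&
                     (!use_slack || (r->last - h->sys_uptime) > WRAP_SLACK_MSEC);
    if (t.wrap_applied) {
        t.start_ms -= MSEC_WRAP;
        t.end_ms -= MSEC_WRAP;
    }
    return t;
}

int main(void)
{
    /* Constructed sample: router up 5000 s, record whose Last is 500 ms "ahead". */
    struct v5_header h = { 5000000u, 1700000000u };
    struct v5_record r = { 4999000u, 5000500u };
    struct abs_times old = flow_times(&h, &r, 0), fixed = flow_times(&h, &r, 1);
    printf("unpatched end: %llu ms  patched end: %llu ms\n",
           (unsigned long long)old.end_ms, (unsigned long long)fixed.end_ms);
    return 0;
}
```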

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss