Hi all,
Same problem here with our new pair of L2 4500-X switches (VSS, no routing).
When I download an ISO file across two NetFlow-equipped devices, I get a regular duration on our OpenBSD/pf router but not on the L2 Cisco 4500-X:
it looks like the last two flows don't have a good start time value.
No sampling; NTP is configured on each device and on the collector.
I'm not sure which values to configure for:
cache timeout active (currently 60s)
cache timeout inactive (currently 15s = default)
cache timeout update (currently 1800s = default)
I'm also not sure what they are used for.
Does anybody use 4500-X machines with nfsen?
What configuration did you deploy?
Any idea what I could have a look at?
Thanks very much,
Cédric
Attached: a file with the nfdump queries for the pf router, the cs4500 and the cs4500 in raw mode.
My current Cisco configuration is:
flow exporter NETFLOW_EXPORTER-2
destination Nfsen.Server.IP.Address
source Vlan1
transport udp 9998
template data timeout 300
flow record NETFLOW_RECORD-1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport tcp flags
collect interface output
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
flow monitor FLOW-MONITOR-1
description Used for monitoring IPv4 traffic
record NETFLOW_RECORD-1
exporter NETFLOW_EXPORTER-2
cache timeout active 60
interface TenGigabitEthernet1/1/29
description vers router eth3-02
switchport trunk native vlan 4094
switchport trunk allowed vlan 8
switchport mode trunk
ip flow monitor FLOW-MONITOR-1 input
end
Flow Monitor FLOW-MONITOR-1:
Description: Used for monitoring IPv4 traffic
Flow Record: NETFLOW_RECORD-1
Flow Exporter: NETFLOW_EXPORTER-2
Cache:
Type: normal
Status: allocated
Size: 4096 entries / 311316 bytes
Inactive Timeout: 15 secs
Active Timeout: 60 secs
Update Timeout: 1800 secs
On 09/06/2016 at 20:26, Brian Candler wrote:
On 05/06/2016 15:06, Peter Haag wrote:
This time-wrap has always been a kind of hassle. It has actually been tested on
many exporters - ok, mainly on Cisco's, as it seemed to be used widely.
<sorry was busy...>
I ran a tcpdump, I will send you a pcap file off-list shortly.
I haven't looked into softflowd overruns, as I expected them to behave the
same.
I am open to help debugging the stuff, if you have a pcap with an overflow,
which could be rather difficult to produce.
Alternatively, you could add some LogInfo() messages in case of a wrap-around
to log the original values, to see how compensation needs to be done correctly,
or even better to fix softflowd.
How do I generate LogInfo() messages?
Anyway, looking at my netflow, I picked a host which had a relatively
small number of flows/packets in the 5 minute window, but also a silly
duration, and then restricted my query just to that host:
nfdump -M /var/nfsen/profiles-data/live/lch-fw1 -T -r 2016/06/09/nfcapd.201606091700 -n 500 -s ip/bytes
nfdump filter:
host 74.125.206.156
Top 500 IP Addr ordered by bytes:
Date first seen            Duration Proto         IP Addr  Flows(%)  Packets(%)     Bytes(%)  pps  bps  bpp
2016-04-20 23:52:34.099 4294727.209   any     10.26.1.189  2(100.0)   44(100.0)  7967(100.0)    0    0  181
2016-04-20 23:52:34.099 4294727.209   any  74.125.206.156  2(100.0)   44(100.0)  7967(100.0)    0    0  181
Summary: total flows: 2, total bytes: 7967, total packets: 44, avg bps: 0, avg pps: 0, avg bpp: 181
Time window: 2016-04-20 23:39:14 - 2016-06-09 17:02:35
Total flows processed: 18130, Blocks skipped: 0, Bytes read: 1169124
Sys: 0.008s flows/second: 2266250.0 Wall: 0.008s flows/second: 2044429.4
Looking at the individual flows I can see only "date first seen":
nfdump -M /var/nfsen/profiles-data/live/lch-fw1 -T -r 2016/06/09/nfcapd.201606091700 -c 20
nfdump filter:
host 74.125.206.156
Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port  X-Src IP Addr:Port  X-Dst IP Addr:Port  In Byte  Out Byte
2016-06-09 15:45:27.091  INVALID Ignore  TCP      10.26.1.189:62498 ->    74.125.206.156:443           0.0.0.0:0 ->         0.0.0.0:0     1984         0
2016-04-20 23:52:34.099  INVALID Ignore  TCP   74.125.206.156:443   ->       10.26.1.189:62498         0.0.0.0:0 ->         0.0.0.0:0     5983         0
Summary: total flows: 2, total bytes: 7967, total packets: 44, avg bps: 0, avg pps: 0, avg bpp: 181
Time window: 2016-04-20 23:39:14 - 2016-06-09 17:02:35
Total flows processed: 18130, Blocks skipped: 0, Bytes read: 1169124
Sys: 0.008s flows/second: 2266250.0 Wall: 0.009s flows/second: 1945696.5
Doing this again at the CLI with -o raw, I can see "first" and "last":
$ nfdump -M /var/nfsen/profiles-data/live/lch-fw1 -T -r 2016/06/09/nfcapd.201606091700 -c 20 -o raw 'host 74.125.206.156'
Flow Record:
  Flags        = 0x06 FLOW, Unsampled
  export sysid = 1
  size         = 56
  first        = 1465483527 [2016-06-09 15:45:27]
  last         = 1465487481 [2016-06-09 16:51:21]
  msec_first   = 91
  msec_last    = 308
  src addr     = 10.26.1.189
  dst addr     = 74.125.206.156
  src port     = 62498
  dst port     = 443
  fwd status   = 0
  tcp flags    = 0x1b .AP.SF
  proto        = 6 TCP
  (src)tos     = 0
  (in)packets  = 21
  (in)bytes    = 1984

Flow Record:
  Flags        = 0x06 FLOW, Unsampled
  export sysid = 1
  size         = 56
  first        = 1461192754 [2016-04-20 23:52:34]
  last         = 1465487481 [2016-06-09 16:51:21]
  msec_first   = 99
  msec_last    = 308
  src addr     = 74.125.206.156
  dst addr     = 10.26.1.189
  src port     = 443
  dst port     = 62498
  fwd status   = 0
  tcp flags    = 0x1b .AP.SF
  proto        = 6 TCP
  (src)tos     = 0
  (in)packets  = 23
  (in)bytes    = 5983

Summary: total flows: 2, total bytes: 7967, total packets: 44, avg bps: 0, avg pps: 0, avg bpp: 181
Time window: 2016-04-20 23:39:14 - 2016-06-09 17:02:35
Total flows processed: 18130, Blocks skipped: 0, Bytes read: 1169124
Sys: 0.012s flows/second: 1510833.3 Wall: 0.010s flows/second: 1730457.2

Now, looking at my pcap file: the first packet after the Template has
Arrival Time: Jun 9, 2016 16:42:51.064505000 BST
Epoch Time: 1465486971.064505000 seconds

If I now decode this with tshark:
$ sudo tshark -r fw1.pcap -nnV -d udp.port==9995,cflow | less
... search for 74.125.206.156
Frame 21073: 534 bytes on wire (4272 bits), 534 bytes captured (4272 bits)
    Arrival Time: Jun 9, 2016 17:37:09.499219000 BST
    Epoch Time: 1465490229.499219000 seconds
...
Cisco NetFlow/IPFIX
    Version: 9
    Count: 15
    SysUptime: 273579393
    Timestamp: Jun 9, 2016 17:37:09.000000000 BST
        CurrentSecs: 1465490229
    FlowSequence: 4885983
    SourceId: 0
    FlowSet 1
        FlowSet Id: (Data) (1024)
        FlowSet Length: 472
        Flow 1
            SrcAddr: 10.26.1.189 (10.26.1.189)
            DstAddr: 74.125.206.156 (74.125.206.156)
            [Duration: -240.057000000 seconds]
                StartTime: 273335.501000000 seconds
                EndTime: 273095.444000000 seconds
            Octets: 2223
            Packets: 20
            SrcPort: 63141
            DstPort: 443
            Protocol: 6
            TCP Flags: 0x1b
            IPVersion: 04
        Flow 2
            SrcAddr: 74.125.206.156 (74.125.206.156)
            DstAddr: 10.26.1.189 (10.26.1.189)
            [Duration: -240.057000000 seconds]
                StartTime: 273335.501000000 seconds
                EndTime: 273095.444000000 seconds
            Octets: 2031
            Packets: 20
            SrcPort: 443
            DstPort: 63141
            Protocol: 6
            TCP Flags: 0x1b
            IPVersion: 04

This is not exactly the same flow. However, you can see that according to tshark, StartTime is after
EndTime; this seems to be true for other flows too. This might just be
a bug in softflowd (although strange if no one has noticed it before).
I'll send you the pcap file.
Cheers, Brian.
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
NetFlow from OpenBSD/pf
nfdump -M /data/nfsen/profiles-data/live/PF -T -R 2016-06-16/nfcapd.201606161045:2016-06-16/nfcapd.201606161055 -o "fmt:%ts %td %pr %sap -> %dap %dir %in -> %out %flg %pkt %ibyt %obyt %fl %bps %pps %bpp" 'ip 129.20.185.195 and ip 91.189.88.160'
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port  Dir Input Output Flags  Packets  In Byte Out Byte Flows     bps   pps  Bpp
2016-06-16 10:48:56.937    89.000 TCP       my.host.195:48356 ->    91.189.88.160:80     I     0 ->   0  ......  226439   11.9 M        0     1   1.1 M  2544   52
2016-06-16 10:48:56.937    89.000 TCP      91.189.88.160:80   ->      my.host.195:48356  I     0 ->   0  ......  474431  711.6 M        0     1  64.0 M  5330 1499
Summary: total flows: 2, total bytes: 723513226, total packets: 700870, avg bps: 65034896, avg pps: 7874, avg bpp: 1032
Time window: 2016-06-06 17:12:26 - 2016-06-16 10:59:59
Total flows processed: 1566300, Blocks skipped: 0, Bytes read: 81448884
Sys: 0.314s flows/second: 4973154.6 Wall: 0.312s flows/second: 5004777.0
Same from the c4500x (filtered with "if 5" because the traffic crosses the 4500 twice):
nfdump -M /data/nfsen/profiles-data/live/cs4500x32 -T -R 2016-06-16/nfcapd.201606161045:2016-06-16/nfcapd.201606161055 -o "fmt:%ts %td %pr %sap -> %dap %dir %in -> %out %flg %pkt %ibyt %obyt %fl %bps %pps %bpp" 'ip 129.20.185.195 and ip 91.189.88.160 and if 5'
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port  Dir Input Output Flags  Packets  In Byte Out Byte Flows     bps   pps  Bpp
2016-06-16 10:48:56.952     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 ....S.      1      82 0 1      0    0   82
2016-06-16 10:48:57.944     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .A....    550  837100 0 1      0    0 1522
2016-06-16 10:48:56.956     3.996 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .AP.S.  15419   1.2 M 0 1  2.3 M 3858   75
2016-06-16 10:49:01.948     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.   3956  297400 0 1      0    0   75
2016-06-16 10:48:57.936     4.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  31879  48.5 M 0 1 97.0 M 7969 1522
2016-06-16 10:49:02.912     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...   8104  12.3 M 0 1      0    0 1522
2016-06-16 10:49:06.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  19678   1.5 M 0 1      0    0   74
2016-06-16 10:49:07.944     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  32542  49.5 M 0 1      0    0 1522
2016-06-16 10:49:11.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  15970   1.2 M 0 1      0    0   75
2016-06-16 10:49:12.952     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  39851  60.7 M 0 1      0    0 1522
2016-06-16 10:49:16.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  19902   1.5 M 0 1      0    0   74
2016-06-16 10:49:17.920     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  40270  61.3 M 0 1      0    0 1522
2016-06-16 10:49:21.960     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  11587  880462 0 1      0    0   75
2016-06-16 10:49:22.948     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  18043  27.5 M 0 1      0    0 1522
2016-06-16 10:49:26.944     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.   7548  559644 0 1      0    0   74
2016-06-16 10:49:27.956     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  19078  29.0 M 0 1      0    0 1522
2016-06-16 10:49:31.960     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  13757   1.0 M 0 1      0    0   74
2016-06-16 10:49:32.896     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  30097  45.8 M 0 1      0    0 1522
2016-06-16 10:49:36.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  15770   1.2 M 0 1      0    0   74
2016-06-16 10:49:37.948     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  32909  50.1 M 0 1      0    0 1522
2016-06-16 10:49:41.948     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  11608  861704 0 1      0    0   74
2016-06-16 10:49:42.952     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  24945  38.0 M 0 1      0    0 1522
2016-06-16 10:49:46.944     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  13422  997800 0 1      0    0   74
2016-06-16 10:49:47.892     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  27225  41.4 M 0 1      0    0 1522
2016-06-16 10:49:51.948     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  10477  780046 0 1      0    0   74
2016-06-16 10:49:52.932     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  21037  32.0 M 0 1      0    0 1522
2016-06-16 10:49:56.952     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.   9887  731638 0 1      0    0   74
2016-06-16 10:49:57.944     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  23807  36.2 M 0 1      0    0 1522
2016-06-16 10:50:01.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  10201  760538 0 1      0    0   74
2016-06-16 10:50:02.900     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  19205  29.2 M 0 1      0    0 1522
2016-06-16 10:50:06.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.   9298  688052 0 1      0    0   74
2016-06-16 10:50:07.948     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  22688  34.5 M 0 1      0    0 1522
2016-06-16 10:50:11.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.  12359  918354 0 1      0    0   74
2016-06-16 10:50:12.948     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  25185  38.3 M 0 1      0    0 1522
2016-06-16 10:50:16.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.   8002  596844 0 1      0    0   74
2016-06-16 10:50:17.892     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  15099  23.0 M 0 1      0    0 1522
2016-06-16 10:50:21.956     0.000 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..S.   8354  618196 0 1      0    0   74
2016-06-16 10:50:22.948     0.000 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  20959  31.9 M 0 1      0    0 1522
2016-04-27 17:47:39.660 4294966.296 TCP 129.20.185.195:48356 -> 91.189.88.160:80    I 77 -> 5 .A..SF   9243  683982 0 1      1    0   74
2016-04-27 17:47:40.652 4294965.296 TCP 91.189.88.160:80    -> 129.20.185.195:48356 I 5 -> 77 .AP...  14079  21.4 M 0 1     39    0 1522
Summary: total flows: 40, total bytes: 728470422, total packets: 693991, avg bps: 1356, avg pps: 0, avg bpp: 1049
Time window: 2016-04-27 17:42:10 - 2016-06-16 10:59:58
Total flows processed: 4601155, Blocks skipped: 0, Bytes read: 276073128
Sys: 1.197s flows/second: 3841283.8 Wall: 1.195s flows/second: 3849279.2
In raw mode:
nfdump -M /data/nfsen/profiles-data/live/cs4500x32 -T -R 2016-06-16/nfcapd.201606161045:2016-06-16/nfcapd.201606161055 -o "fmt:%ts %td %pr %sap -> %dap %dir %in -> %out %flg %pkt %ibyt %obyt %fl %bps %pps %bpp" 'ip 129.20.185.195 and ip 91.189.88.160 and if 77' -o raw -O tstart | head -80
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1461772059 [2016-04-27 17:47:39]
last = 1466067025 [2016-06-16 10:50:25]
msec_first = 660
msec_last = 956
src addr = 129.20.185.195
dst addr = 91.189.88.160
src port = 48356
dst port = 80
fwd status = 0
tcp flags = 0x13 .A..SF
proto = 6 TCP
(src)tos = 0
(in)packets = 9243
(in)bytes = 683982
input = 77
output = 5
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1461772060 [2016-04-27 17:47:40]
last = 1466067025 [2016-06-16 10:50:25]
msec_first = 652
msec_last = 948
src addr = 91.189.88.160
dst addr = 129.20.185.195
src port = 80
dst port = 48356
fwd status = 0
tcp flags = 0x18 .AP...
proto = 6 TCP
(src)tos = 0
(in)packets = 14079
(in)bytes = 21428238
input = 5
output = 77
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1466066936 [2016-06-16 10:48:56]
last = 1466066936 [2016-06-16 10:48:56]
msec_first = 952
msec_last = 952
src addr = 129.20.185.195
dst addr = 91.189.88.160
src port = 48356
dst port = 80
fwd status = 0
tcp flags = 0x02 ....S.
proto = 6 TCP
(src)tos = 0
(in)packets = 1
(in)bytes = 82
input = 77
output = 5
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1466066936 [2016-06-16 10:48:56]
last = 1466066940 [2016-06-16 10:49:00]
msec_first = 956
msec_last = 952
src addr = 129.20.185.195
dst addr = 91.189.88.160
src port = 48356
dst port = 80
fwd status = 0
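Brian's tshark decode above shows a v9 record whose StartTime lies after its EndTime, and Cédric's raw output shows what a collector makes of such a record: a "first" timestamp pushed back by 2^32 ms (about 49.7 days) and a duration of 4294966 s. The Python below is an added illustration, not code from nfdump or softflowd, of how uptime-relative v9 timestamps are turned into absolute times, how a genuine counter wrap is compensated, and how an inverted record (start shortly after end) can be told apart from that wrap instead of being silently stretched; the 1 h plausibility bound is an assumption.

```python
"""Decode NetFlow v9 uptime-relative flow timestamps and flag inverted
records. Added illustration, not code from nfdump or softflowd."""

UINT32_MS = 1 << 32           # sysUptime and flow timestamps are 32-bit ms counters
MAX_PLAUSIBLE_MS = 3_600_000  # assumption: no single record spans more than 1 h


def decode_times(sys_uptime_ms, unix_secs, start_ms, end_ms):
    """Return (first_epoch_s, last_epoch_s, duration_s, status) for one record.

    sys_uptime_ms and unix_secs come from the v9 packet header; start_ms and
    end_ms are the record's flowStartSysUpTime / flowEndSysUpTime. A flow
    timestamp larger than the header's uptime cannot lie in the future, so it
    is placed in the previous counter epoch: that is the genuine 2^32 ms
    (~49.7 day) wrap a collector must compensate.
    """
    boot_ms = unix_secs * 1000 - sys_uptime_ms  # absolute time of uptime 0

    def to_epoch_ms(t):
        return boot_ms + t - (UINT32_MS if t > sys_uptime_ms else 0)

    first, last = to_epoch_ms(start_ms), to_epoch_ms(end_ms)
    span = last - first
    if 0 <= span <= MAX_PLAUSIBLE_MS:
        status = "ok"
    elif -MAX_PLAUSIBLE_MS <= span < 0:
        # start shortly after end: an exporter bug, not a wrap; do not add 2^32
        status = "inverted"
    else:
        status = "implausible"
    return first / 1000, last / 1000, span / 1000, status


def naive_wrap_duration_s(start_ms, end_ms):
    """Duration a collector reports if it treats every start > end as a wrap."""
    return ((end_ms - start_ms) % UINT32_MS) / 1000


if __name__ == "__main__":
    # Values from Brian's tshark decode: header SysUptime 273579393 ms,
    # CurrentSecs 1465490229, StartTime 273335.501 s, EndTime 273095.444 s.
    rec = decode_times(273579393, 1465490229, 273335501, 273095444)
    print("decoded:", rec)                                            # status 'inverted'
    print("naive:", naive_wrap_duration_s(273335501, 273095444), "s")  # ~4294727 s
```

The naive figure for Brian's record is 4294727.239 s, the same order as the 4294727.209 s nfdump shows for the neighbouring flow, and a 1 s inversion gives exactly the 4294966.296 s seen in the 4500-X output.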