Usually the network device which sends flows (the router) will expire flows
based on flow termination or on a specific timeout value. For Cisco you can
set timeouts for active flows to force them to expire even if there is
still traffic (useful in case of a DoS attack).
I don't remember the commands but I can look them up if you need them.

I don't think nfcapd can do anything about this - the timestamps you are
getting look like a bug - it looks awfully close to 4294967296  - which is
2^32. So I would suspect a variable overflow somewhere. Negative time
perhaps, with a positive int?

On Tue, Jul 24, 2012 at 5:02 PM, cedric.delaunay
<cedric.delau...@gmail.com> wrote:

> Hi all,
> One small question before holidays.
>
> As we know, flow expiration on the exporter runs if no packet comes in a
> flow or if an "end of session" TCP flag is detected.
> Then the exporter will inform nfcapd in a UDP packet.
>
> What happens if this packet is lost on the network? Will nfsen never
> see that this flow has expired?
> I found flows with a duration up to 4 000 000 000 ms and only 1 flow.
> Here is an anonymized example:
>
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> 2012-07-24 10:59:54.007     2.000 UDP    113.107.214.100:61918 -> 216.67.102.45:2122         1      131     1
> 2012-07-24 10:59:54.007     2.000 UDP      216.67.102.45:2122  -> 113.107.214.100:61918        1      305     1
> 2012-07-24 10:59:59.007     3.000 UDP     62.252.190.196:123   -> 61.192.94.167:123          4      304     1
> 2012-07-24 10:59:59.007     3.000 UDP      61.192.94.167:123   -> 62.252.190.196:123          4      304     1
> 2012-06-04 17:59:57.711 4294966.296 UDP    113.107.184.123:27057 -> 216.67.102.45:2122         1      126     1
> 2012-06-04 17:59:57.711 4294966.296 UDP      216.67.102.45:2122  -> 113.107.184.123:27057        1      309     1
> 2012-07-24 11:32:08.008   116.000 TCP    113.107.219.116:36157 -> 218.185.100.221:80           7      730     1
> 2012-07-24 11:32:08.008   116.000 TCP    218.185.100.221:80    -> 113.107.219.116:36157        5     1764     1
> 2012-07-24 11:54:54.008     9.000 TCP     113.107.79.246:38264 -> 242.194.34.210:25           3      156     1
> 2012-07-24 11:59:59.008     1.000 UDP     62.252.190.196:123   -> 61.192.94.167:123          4      304     1
> 2012-07-24 11:59:59.008     1.000 UDP      61.192.94.167:123   -> 62.252.190.196:123          4      304     1
> IP addresses anonymized
> Summary: total flows: 11, total bytes: 4737, total packets: 35, avg bps:
> 0, avg pps: 0, avg bpp: 135
> Time window: 2012-06-04 17:59:57 - 2012-07-24 12:00:00
> Total flows processed: 3783450, Blocks skipped: 0, Bytes read: 196757126
> Sys: 1.618s flows/second: 2337262.1  Wall: 1.612s flows/second: 2345863.0
>
>
> All flows with duration > 4000000000 started the same day: 2012-04-06
>
> Am I wrong if I think this should not happen?
> Could packet loss be the reason for my problem? What else, if not?
> Is there a way to force nfcapd to expire flows for which it receives no
> more information?
>
> The exporter is a Packet Filter firewall running on OpenBSD with pflow
> enabled.
> Thanks
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
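A quick way to test the overflow hypothesis from the reply above, added here as an example and not code from nfdump or nfsen: 4294966.296 s is 4294966296 ms, which is exactly 2^32 - 1000. That is what you get if the flow's end timestamp is one second earlier than its start and the subtraction is done in an unsigned 32-bit variable. The script below emulates that wrap, parses nfdump-style listing lines (the sample is constructed to match the anonymized output quoted in the thread, column layout assumed from that output), reinterprets any duration at or above 2^31 ms as a wrapped negative value, and reports the end time that the record actually implies.

```python
"""Sanity-check nfdump 'Duration' values against 32-bit wrap-around.

Added example for this thread, not code from nfdump/nfsen. It tests the
hypothesis that a flow whose end timestamp precedes its start by N ms,
subtracted in an unsigned 32-bit variable, shows up as 2^32 - N ms.
The sample lines below are constructed to match the anonymized listing
quoted in the thread (column layout assumed from that listing).
"""
import re
from datetime import datetime, timedelta

UINT32_MOD = 1 << 32   # 4294967296 ms, about 49.7 days
INT32_HALF = 1 << 31   # durations at or above this read as negative int32

# One record per line, same columns as the quoted nfdump listing.
RECORD_RE = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<duration>\d+\.\d{3})\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)

# Constructed sample: two healthy flows and the two 4294966.296 s ones.
SAMPLE = """\
2012-07-24 10:59:54.007     2.000 UDP    113.107.214.100:61918 -> 216.67.102.45:2122         1      131     1
2012-07-24 10:59:59.007     3.000 UDP     62.252.190.196:123   -> 61.192.94.167:123          4      304     1
2012-06-04 17:59:57.711 4294966.296 UDP    113.107.184.123:27057 -> 216.67.102.45:2122         1      126     1
2012-06-04 17:59:57.711 4294966.296 UDP      216.67.102.45:2122  -> 113.107.184.123:27057        1      309     1
"""


def wrapped_duration_ms(start_ms, end_ms):
    """Emulate 'end - start' evaluated in a uint32_t: negatives wrap."""
    return (end_ms - start_ms) % UINT32_MOD


def unwrap_duration_ms(duration_ms):
    """Reinterpret a uint32 duration as a signed int32 value, recovering
    the negative offset if the producer really did wrap."""
    if duration_ms >= INT32_HALF:
        return duration_ms - UINT32_MOD
    return duration_ms


def parse_record(line):
    """Parse one listing line into a dict, or return None for non-records
    (header, summary, blank lines)."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    secs, frac = rec["duration"].split(".")
    rec["duration_ms"] = int(secs) * 1000 + int(frac)   # exact, no float rounding
    rec["start"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S.%f")
    for key in ("packets", "bytes", "flows"):
        rec[key] = int(rec[key])
    return rec


def find_wrapped_flows(listing):
    """Return (record, signed_ms, implied_end) for every flow whose duration
    only makes sense as a wrapped negative 32-bit value."""
    hits = []
    for line in listing.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        signed = unwrap_duration_ms(rec["duration_ms"])
        if signed < 0:
            implied_end = rec["start"] + timedelta(milliseconds=signed)
            hits.append((rec, signed, implied_end))
    return hits


if __name__ == "__main__":
    for rec, signed, end in find_wrapped_flows(SAMPLE):
        print(f"{rec['src']} -> {rec['dst']}: duration {rec['duration_ms']} ms "
              f"= 2^32 {signed:+d} ms, implied end {end}")
```

Run it against `nfdump -r <file>` output piped to stdin, or drop the listing into SAMPLE. The fingerprint is a duration just below 2^32 ms (about 49.7 days); the record alone cannot distinguish that from a genuine seven-week flow, so compare the implied end against the file's time window and check whether the same start timestamp appears in both directions of the pair, as it does in the quoted output.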