Hi,
Thanks for your answers.

I'll try to upgrade nfsen and nfdump to the latest versions (currently 1.3.5 and 1.6.1p1).

I can't see how to capture the flows, as a tcpdump on the collector's machine won't give me the packet contents. Am I wrong? Any idea how to? Maybe with the "-E" option on nfcapd, but the data is already interpreted... I'm unable to read data like 00:05:00:1e:06:32:4d:c0:50:0e:c8:44:00:9e:61:4e:03:22:64:3a:2a:2a:00:00:26:71:a5:50:81:14:5e:1b:00:00:00:00:00:00:00:00:00:00:00:04:00:00:00:ae:06:30:e2:78:06:30
;)

I will see when I'm back on Thursday.
Bye


On 24/07/2012 17:22, Jan Pazdera wrote:
Hi,

This can sometimes happen if the exporter shifts its system time, for example during an NTP time correction. Try to check whether the exporter does this or not and, if so, turn it off to see if this is the reason.

The problem is connected with nfcapd > v1.6. When it detects a time shift, it performs a time correction, which sometimes leads to an overflow.

Regards,
    Jan
Jan Pazdera <pazdera at invea.cz>
INVEA-TECH a.s.
U Vodarny 2965/2, 61600 Brno, Czech Republic
Tel: +420 511 205 251
www.invea-tech.com
Key 0x89F62F78: 41A7 28C2 C624 FBD1 E236  6827 42EB 3694 89F6 2F78


On 24.7.2012 17:05, Adrian Popa wrote:
I guess a packet capture of those flows might help determine if they are sent with this duration timestamp incorrectly set, or if nfcapd interprets them incorrectly.
Peter will be able to tell you more.

On Tue, Jul 24, 2012 at 6:00 PM, Adrian Popa <adrian.popa...@gmail.com> wrote:

    Usually the network device which sends flows (the router) will
    expire flows based on flow termination or on a specific timeout
    value. For Cisco you can set timeouts for active flows to force
    them to expire even if there is still traffic (useful in case of
    a DoS attack).
    I don't remember the commands but I can look them up if you need
    them.

    I don't think nfcapd can do anything about this - the timestamps
    you are getting look like a bug - it looks awfully close to
    4294967296 - which is 2^32. So I would suspect a variable
    overflow somewhere. Negative time perhaps, with a positive int?


    On Tue, Jul 24, 2012 at 5:02 PM, cedric.delaunay
    <cedric.delau...@gmail.com> wrote:

        Hi all,
        One small question before holidays.

        As we know, flow expiration on the exporter runs if no packet
        comes in a flow or if an "end of session" TCP flag is detected.
        Then the exporter will inform nfcapd in a UDP packet.

        What happens if this packet is lost on the network? Will nfsen
        never see that this flow has expired?
        I found flows with duration up to 4 000 000 000 ms and only 1
        flow.
        Here is an anonymized example:

        Date flow start            Duration Proto       Src IP Addr:Port     Dst IP Addr:Port       Packets    Bytes Flows
        2012-07-24 10:59:54.007       2.000 UDP    113.107.214.100:61918 -> 216.67.102.45:2122           1      131     1
        2012-07-24 10:59:54.007       2.000 UDP       216.67.102.45:2122 -> 113.107.214.100:61918        1      305     1
        2012-07-24 10:59:59.007       3.000 UDP       62.252.190.196:123 -> 61.192.94.167:123            4      304     1
        2012-07-24 10:59:59.007       3.000 UDP        61.192.94.167:123 -> 62.252.190.196:123           4      304     1
        2012-06-04 17:59:57.711 4294966.296 UDP    113.107.184.123:27057 -> 216.67.102.45:2122           1      126     1
        2012-06-04 17:59:57.711 4294966.296 UDP       216.67.102.45:2122 -> 113.107.184.123:27057        1      309     1
        2012-07-24 11:32:08.008     116.000 TCP    113.107.219.116:36157 -> 218.185.100.221:80           7      730     1
        2012-07-24 11:32:08.008     116.000 TCP       218.185.100.221:80 -> 113.107.219.116:36157        5     1764     1
        2012-07-24 11:54:54.008       9.000 TCP     113.107.79.246:38264 -> 242.194.34.210:25            3      156     1
        2012-07-24 11:59:59.008       1.000 UDP       62.252.190.196:123 -> 61.192.94.167:123            4      304     1
        2012-07-24 11:59:59.008       1.000 UDP        61.192.94.167:123 -> 62.252.190.196:123           4      304     1
        IP addresses anonymized
        Summary: total flows: 11, total bytes: 4737, total packets: 35, avg bps: 0, avg pps: 0, avg bpp: 135
        Time window: 2012-06-04 17:59:57 - 2012-07-24 12:00:00
        Total flows processed: 3783450, Blocks skipped: 0, Bytes read: 196757126
        Sys: 1.618s flows/second: 2337262.1  Wall: 1.612s flows/second: 2345863.0


        All flows with duration > 4000000000 started the same day:
        2012-04-06

        Am I wrong if I think this should not happen?
        Could packet loss be the reason for my problem? What else
        if not?
        Is there a way to force nfcapd to expire flows for which it
        receives no more information?

        The exporter is a Packet Filter firewall running on OpenBSD
        with pflow enabled.
        Thanks

        
------------------------------------------------------------------------------
        Live Security Virtual Conference
        Exclusive live event will cover all the ways today's security and
        threat landscape has changed and how IT managers can respond.
        Discussions
        will include endpoint security, mobile security and the
        latest in malware
        threats.
        http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
        _______________________________________________
        Nfsen-discuss mailing list
        Nfsen-discuss@lists.sourceforge.net
        <mailto:Nfsen-discuss@lists.sourceforge.net>
        https://lists.sourceforge.net/lists/listinfo/nfsen-discuss





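As an added example (not code from nfdump, nfcapd or any poster in this thread) of the 2^32 wrap Adrian suspects above: a flow whose last-seen time is one second before its first-seen time, stored in an unsigned 32-bit millisecond field, comes out as 2^32 - 1000 = 4294966296 ms, exactly the 4294966.296 s shown in Cedric's listing. The timestamp, the 1800 s active timeout and the helper names are constructed for the illustration.

```c
/* Added example: negative flow duration wrapping in a 32-bit ms field. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MS_MOD 4294967296ULL   /* 2^32: range of an unsigned 32-bit ms counter */

/* Duration as an unsigned 32-bit field computes it: if the exporter's clock
 * stepped backwards so that last < first, the subtraction wraps modulo 2^32
 * instead of going negative. */
uint32_t duration_ms_u32(uint64_t first_ms, uint64_t last_ms)
{
    return (uint32_t)(last_ms - first_ms);
}

/* Recover the signed value a wrapped field most likely came from:
 * anything above INT32_MAX is read as a small negative number. */
int64_t unwrap_duration_ms(uint32_t d_ms)
{
    return d_ms > INT32_MAX ? (int64_t)d_ms - (int64_t)MS_MOD : (int64_t)d_ms;
}

/* Collector-side sanity check: a duration that is really a wrapped negative,
 * or longer than the exporter's active timeout (max_active_ms) allows, is flagged. */
int duration_is_implausible(uint32_t d_ms, uint32_t max_active_ms)
{
    return unwrap_duration_ms(d_ms) < 0 || d_ms > max_active_ms;
}

/* Render milliseconds the way nfdump prints the Duration column. */
void format_duration(uint32_t d_ms, char *buf, size_t len)
{
    snprintf(buf, len, "%" PRIu32 ".%03" PRIu32, d_ms / 1000, d_ms % 1000);
}

int main(void)
{
    /* Constructed scenario: flow first seen at t0 (2012-06-04 17:59:57.711 UTC),
     * the exporter's clock is corrected back by one second, last seen at t0 - 1 s. */
    uint64_t t0_ms = 1338832797711ULL;
    uint32_t d = duration_ms_u32(t0_ms, t0_ms - 1000);
    char buf[32];

    format_duration(d, buf, sizeof buf);
    printf("duration %s s (raw %" PRIu32 " ms, really %" PRId64 " ms)\n",
           buf, d, unwrap_duration_ms(d));
    printf("implausible with a 1800 s active timeout: %s\n",
           duration_is_implausible(d, 1800 * 1000) ? "yes" : "no");
    return 0;
}
```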