Hello NFSEN-DISCUSS,
I am using nfcapd with a couple of devices, among them an OpenBSD "pflow"
device, which purports to be IPFIX (NetFlow 10) compatible, and a
Sophos UTM 9.4-08 Software Appliance, which makes the same claim to
support IPFIX.
Nfcapd supports the OpenBSD "pflow" device just fine and captures all
the data as expected according to the templates, but Nfcapd does not
interpret the flow record times from the Sophos UTM appliance. It
displays them as "12-31-69".
Upon request, I will furnish anyone interested with some sample captures
showing the main observation I see that may be relevant and that is the
difference in length of the flow record timestamps:
1. rex.lab.9995.pcap - shows IPFIX from an OpenBSD "pflow" device,
which, from what I can tell, is RFC7011-compliant; it displays flow
records as 64-bit dateTimeMilliseconds.
2. utm08-2.pcap - from a Sophos UTM 9.4-08 Software Appliance, which,
from what I can tell, is RFC7011-compliant; it displays flow records as
32-bit dateTimeSeconds.
Both captures have 32-bit IPFIX Message Header Export Timestamps.
Please note the template packets for each capture describe the
timestamps with accurate lengths (8-byte and 4-byte, respectively).
Am I reading the spec correctly? I am referring to RFC7011, sections
5.1-6.1.8. It seems to leave open using either absolute or relative
times, as well as dateTimeSeconds, dateTimeMilliseconds or
dateTimeMicroseconds. If the RFC allows for all of those types of
timestamps, I am wondering which are supported by nfcapd? I can't find
any reference in the docs or on this list to show me which of those are
supported by nfcapd. Is RFC7011 the correct reference I should be using
here?
What RFCs and/or other documents are recommended as a guide to debugging
NetFlow data, specifically in reference to nfcapd and nfsen? I have seen a
wide range of implementations of NetFlow among various NetFlow-enabled
devices. It would be great to know where the "keys" are, in order to
make a good analysis.
Many thanks for reading and for any information you can provide!
CP
--
Chris Paul
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: chris.p...@rexconsulting.net
web: http://www.rexconsulting.net
phone, toll-free: +1 (888) 403-8996 ext 1
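An added example, not code from nfcapd or from anyone on this list: a minimal template-driven IPFIX decoder that accepts both encodings described in the captures above (64-bit dateTimeMilliseconds and 32-bit dateTimeSeconds) and rejects a timestamp field whose template length contradicts its type. The message bytes, template ids 256-258 and the export time are constructed here for the demonstration; the element numbers 150-153 are the IANA IPFIX assignments.

```python
import struct
from datetime import datetime, timedelta, timezone
# IANA IPFIX timestamp elements and the encodings RFC 7011 sect. 6.1.8/6.1.9 mandate:
# dateTimeSeconds is 4 bytes, dateTimeMilliseconds is 8 bytes, both counted from the UNIX epoch.
TIME_IES = {150: ("flowStartSeconds", 4), 151: ("flowEndSeconds", 4),
            152: ("flowStartMilliseconds", 8), 153: ("flowEndMilliseconds", 8)}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_time(ie, raw):
    """Turn a timestamp field into a UTC datetime, refusing a length the RFC forbids."""
    name, want = TIME_IES[ie]
    if len(raw) != want:
        raise ValueError(f"{name}: template length {len(raw)}, RFC 7011 requires {want}")
    value = int.from_bytes(raw, "big")
    return EPOCH + (timedelta(seconds=value) if want == 4 else timedelta(milliseconds=value))

def parse_ipfix(msg):
    """Return [(template_id, {ie: value})] for every data record in one IPFIX message."""
    version, length, _export, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    assert version == 10 and length == len(msg), "not a well-formed IPFIX message"
    templates, records, pos = {}, [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        body, pos = msg[pos + 4:pos + set_len], pos + set_len
        if set_id == 2:                                   # template set: (ie, length) pairs
            off = 0
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4])
                templates[tid] = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(count)]
                off += 4 + 4 * count
        elif set_id >= 256 and set_id in templates:      # data set: sliced by its template's lengths
            fields, rec_len = templates[set_id], sum(n for _, n in templates[set_id])
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec, fo = {}, off
                for ie, n in fields:
                    raw, fo = body[fo:fo + n], fo + n
                    rec[ie] = decode_time(ie, raw) if ie in TIME_IES else raw
                records.append((set_id, rec))
    return records

def build_sample(tid, ies, size, start, end):
    """Constructed sample: one template set plus one data set holding a single record."""
    tmpl = struct.pack("!HH", tid, len(ies)) + b"".join(struct.pack("!HH", ie, size) for ie in ies)
    data = start.to_bytes(size, "big") + end.to_bytes(size, "big")
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", tid, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 1480000000, 1, 1) + sets

PFLOW_MSG = build_sample(256, (152, 153), 8, 1480000000123, 1480000001456)  # 64-bit milliseconds
UTM_MSG = build_sample(257, (150, 151), 4, 1480000000, 1480000001)          # 32-bit seconds
BAD_MSG = build_sample(258, (152, 153), 4, 1480000000, 1480000001)          # ms element, 4-byte length
```

An epoch value of 0 displays as 12-31-69 in US local time zones, so that is what a timestamp field a collector never filled in looks like once it is printed.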