Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-18 Thread Octavio Alfageme
Gaspard, Matěj, Peter, Ivan, thanks a lot for your help once again,
guys. It's working as expected. I noticed that I had installed
neither the nel nor the nsel extension, so I reinstalled nfdump the
following way:

"./configure --enable-nel --enable-nsel --enable-nfprofile
--enable-nftrack --enable-sflow --enable-readpcap --enable-nfpcapd"

Now, with "-T nel" I get what I wanted.

Thank you very much indeed for your help

Octavio

On Wed, Oct 12, 2016 at 1:31 PM, Octavio Alfageme
 wrote:
> Gaspard, Matěj, Peter, Ivan, thanks a lot for your help, guys. I'm a
> newbie with nfdump and I overlooked that option in the man page. Sorry
> about that. Tomorrow I'll be back in my lab and I'll try -T option
> once I carefully review the man page. As soon as it works I'll be back
> to you.
>
> One again, thank you for your so valuable assist.
>
> Regards
>
> Octavio
>

Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-12 Thread Octavio Alfageme
Gaspard, Matěj, Peter, Ivan, thanks a lot for your help, guys. I'm a
newbie with nfdump and I overlooked that option in the man page. Sorry
about that. Tomorrow I'll be back in my lab and I'll try the -T option
once I carefully review the man page. As soon as it works I'll be back
to you.

Once again, thank you for your valuable assistance.

Regards

Octavio

On Wed, Oct 12, 2016 at 12:40 PM, Gaspard Laurent  wrote:
> Try to launch it with -Tall or select the extensions you want (-T NEL for
> sure).
>
> G.
>

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.

Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-12 Thread Matěj Grégr
Hi,
  add -T all or select only the extensions you want to store. It's
documented in the nfcapd man page.

M.

On 10/12/2016 12:19 PM, Octavio Alfageme wrote:
> Great, Gaspard!!! That's what I'm looking for. Thanks a lot for your help.
> 
> I launch it this way.
> 
> nfcapd -w -D -l /netflow/spool/allflows -p 9996
> 
> If you see my output I don't get the "create" and "delete" events
> either, so there's something I'm doing wrong.
> 
> Thanks a lot for your help
> 
> Kind regards
> 
> Octavio
> 






Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-12 Thread Gaspard Laurent
Try to launch it with -Tall or select the extensions you want (-T NEL for
sure).

G.

On 12 October 2016 at 07:19, Octavio Alfageme 
wrote:

> Great, Gaspard!!! That's what I'm looking for. Thanks a lot for your help.
>
> I launch it this way.
>
> nfcapd -w -D -l /netflow/spool/allflows -p 9996
>
> If you see my output I don't get the "create" and "delete" events
> either, so there's something I'm doing wrong.
>
> Thanks a lot for your help
>
> Kind regards
>
> Octavio
>


Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-12 Thread Octavio Alfageme
Great, Gaspard!!! That's what I'm looking for. Thanks a lot for your help.

I launch it this way.

nfcapd -w -D -l /netflow/spool/allflows -p 9996

If you look at my output, I don't get the "create" and "delete" events
either, so there's something I'm doing wrong.

Thanks a lot for your help

Kind regards

Octavio

On Wed, Oct 12, 2016 at 11:57 AM, Gaspard Laurent  wrote:
> Hello Octavio,
>
> Thanks to the great set of tools provided by NFDump, I am succesfuly logging
> ASR 1000 NEL records with nfcapd 1.6.13, see attached.
>
> Which arguments do you use to launch your nfcapd daemon?
>
> Best
> Gaspard
>



Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-12 Thread Gaspard Laurent
Hello Octavio,

Thanks to the great set of tools provided by NFDump, I am successfully
logging ASR 1000 NEL records with nfcapd 1.6.13, see attached.

Which arguments do you use to launch your nfcapd daemon?

Best
Gaspard

On 12 October 2016 at 05:56, Octavio Alfageme 
wrote:

> Sorry, by mistake, I sent the previous message as html.
>
> Thanks a lot, Peter. Unfortunately, I think that's not the case. Here you
> have a snapshot of a packet capture at the collector. As you can see there
> is a 'Timestamp' Jun 30, 2016 13:16:43.0 CEST. It's as if nfdump had
> problems storing that information.
>
> Thank you
>
> Octavio
>


Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-12 Thread Ivan Strelnikov

Hello everyone.

I recommend:

1. Wireshark the packet to know whether there is any date or not.
2. Stop the collector, stop the sender (ASR). Then start the collector
   and after that start the netflow exporting.


12.10.2016 10:16, Peter Haag wrote:

So it seems your device does not export any timestamps at all.

1970-01-01 means timestamp '0'

- Peter





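Ivan's first step (look at the packet itself for a date) can be scripted. The 20-byte NetFlow v9 export header carries the exporter's clock in its unixSecs field, which is the 'Timestamp' value Octavio quotes from his capture. What follows is an added example, not code from the nfdump project or from anyone in this thread: it parses that header (layout per RFC 3954) and reports whether the exporter sent a usable timestamp. The packet bytes, the sample export time and the `max_skew_s` tolerance are constructed for the example.

```python
"""
Added example (not code from the nfdump project or from this thread's authors):
parse the NetFlow v9 export-packet header and check the exporter's clock.
The 'Timestamp' field Wireshark shows for a v9 packet is the header's unixSecs.
Packet bytes below are constructed for the example.
"""
import struct
from datetime import datetime, timezone

# NetFlow v9 packet header (RFC 3954, section 5.1), big-endian:
#   version(2) count(2) sysUptime(4) unixSecs(4) sequenceNumber(4) sourceId(4)
V9_HEADER = struct.Struct("!HHIIII")


def parse_v9_header(packet: bytes) -> dict:
    """Return the six header fields of a NetFlow v9 export packet."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header (20 bytes)")
    version, count, uptime_ms, unix_secs, sequence, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version field = {version})")
    return {"version": version, "count": count, "sys_uptime_ms": uptime_ms,
            "unix_secs": unix_secs, "sequence": sequence, "source_id": source_id}


def export_time_iso(header: dict) -> str:
    """The exporter's clock at export time, as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(header["unix_secs"], tz=timezone.utc).isoformat()


def check_exporter_clock(header: dict, now_unix: int, max_skew_s: int = 300) -> list:
    """Problems with the exporter's timestamp; an empty list means it looks usable.
    now_unix is the collector's own clock (Unix seconds) when the packet arrived."""
    problems = []
    if header["unix_secs"] == 0:
        problems.append("exporter sent unixSecs=0: no usable export timestamp")
    else:
        skew = abs(now_unix - header["unix_secs"])
        if skew > max_skew_s:
            problems.append(f"exporter clock differs from collector by {skew}s")
    return problems


def build_v9_header(count: int, uptime_ms: int, unix_secs: int, sequence: int, source_id: int) -> bytes:
    """Constructed test input: a v9 header with no FlowSets behind it."""
    return V9_HEADER.pack(9, count, uptime_ms, unix_secs, sequence, source_id)


# Constructed samples. SAMPLE_TS is 2016-06-30 13:16:43 CEST (11:16:43 UTC), the
# 'Timestamp' value Octavio quotes from his capture; the other fields are arbitrary.
SAMPLE_TS = int(datetime(2016, 6, 30, 11, 16, 43, tzinfo=timezone.utc).timestamp())
GOOD_PACKET = build_v9_header(count=1, uptime_ms=123456, unix_secs=SAMPLE_TS, sequence=42, source_id=0)
ZERO_TS_PACKET = build_v9_header(count=1, uptime_ms=123456, unix_secs=0, sequence=43, source_id=0)

if __name__ == "__main__":
    for pkt in (GOOD_PACKET, ZERO_TS_PACKET):
        hdr = parse_v9_header(pkt)
        # Collector clock assumed to read 17 seconds after the sample export time.
        print(export_time_iso(hdr), check_exporter_clock(hdr, now_unix=SAMPLE_TS + 17))
```

Feed it the first 20 bytes of a UDP payload captured on the collector port (9996 in this thread). A unixSecs of 0, or a large skew against the collector's own clock, points at the exporter; a sane header with zero timestamps in the stored records points at what nfcapd keeps, which is what the -T extension setting controls.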


Re: [Nfdump-discuss] Fwd: nfdump not showing the right timestamps

2016-10-12 Thread Peter Haag
So it seems your device does not export any timestamps at all.

1970-01-01 means timestamp '0'

- Peter

On 12/10/16 09:09, Octavio Alfageme wrote:
> Dear all,
> 
> I'm working with nfcapd version 1.6.13 and collecting Netflowv9 based CGNAT
> logs from a Cisco ASR1000. My Linux machine, running as a virtual machine on
> VMware, is properly synchronized by NTP. The ASR1000 is synchronized to the
> same reference and the sent Netflowv9 records have the right timestamps. I
> properly collect the Netflowv9 traffic coming from the router, but, when I
> review the records, the date first seen and the duration are all "0s" and
> don't represent the timestamp of the received Netflowv9 based CGNAT records.
> 
> [root@GRA-VS01 allflows]# nfdump -r nfcapd.201610031240
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> 1970-01-01 01:00:00.000     0.000 TCP      100.64.32.46:62651 ->     17.146.1.72:443          0        0     1
> 1970-01-01 01:00:00.000     0.000 UDP      100.64.48.86:36702 ->    172.31.205.3:123          0        0     1
> 1970-01-01 01:00:00.000     0.000 UDP       172.30.41.5:62848 ->          4.2.2.3:53          0        0     1
> 1970-01-01 01:00:00.000     0.000 UDP       172.30.41.4:58216 ->          8.8.4.4:53          0        0     1
> 
> I would be grateful if anyone could give me a hint about what is happening.
> 
> Thanks in advance
> 
> Kind regards
> 
> Octavio
> 

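Peter's diagnosis (a first-seen time of 1970-01-01 01:00:00 is timestamp 0 displayed in the collector's local zone, CET in this thread) can be turned into a check that runs over nfdump's default line output. This is an added example, not code from the nfdump project or from the thread's participants: it parses the records, renders epoch 0 with the collector's UTC offset (the `utc_offset_hours` parameter is an assumption; +1 reproduces the 01:00:00 Peter explains) and counts the records that carry no timestamp. The sample lines are constructed from the output quoted above plus one healthy record.

```python
"""
Added example (not code from the nfdump project or from this thread's authors):
parse nfdump's default line output and flag records whose "Date first seen" is
the Unix epoch, i.e. a stored timestamp of 0, the symptom in this thread.
Sample lines are constructed from the thread's output plus one healthy record.
"""
import re
from datetime import datetime, timedelta, timezone

# One record of nfdump's default "line" output. Packets/Bytes may carry a unit
# suffix such as "1.4 K", so those fields allow an optional " K/M/G/T".
RECORD_RE = re.compile(
    r"^(?P<first_seen>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<duration>\d+\.\d{3})\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+"
    r"(?P<packets>\d+(?:\.\d+)?(?: [KMGT])?)\s+"
    r"(?P<bytes>\d+(?:\.\d+)?(?: [KMGT])?)\s+"
    r"(?P<flows>\d+)\s*$"
)


def epoch_zero_as_displayed(utc_offset_hours: int) -> str:
    """How timestamp 0 renders in a local zone with the given UTC offset.
    Peter's point: '1970-01-01 01:00:00' is epoch 0 seen from CET (UTC+1)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(0, tz=tz).strftime("%Y-%m-%d %H:%M:%S")


def parse_records(lines):
    """Yield one dict per record line; header, summary and blank lines are skipped."""
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.groupdict()


def records_without_timestamps(lines, utc_offset_hours: int) -> list:
    """Records whose first-seen time is epoch 0 in the collector's display zone."""
    zero = epoch_zero_as_displayed(utc_offset_hours)
    return [r for r in parse_records(lines) if r["first_seen"].startswith(zero)]


def timestamp_health(lines, utc_offset_hours: int) -> dict:
    """Summarise how many records carry no timestamp. A non-zero count means the
    exporter's timestamps are not reaching the stored records (in this thread,
    because nfcapd was not started with the needed -T extensions)."""
    records = list(parse_records(lines))
    bad = records_without_timestamps(lines, utc_offset_hours)
    return {"records": len(records), "without_timestamp": len(bad),
            "ok": len(records) > 0 and not bad}


# Constructed sample: the four records quoted in the thread (collector on CET)
# plus one healthy record and a summary line as nfdump prints it.
SAMPLE_OUTPUT = """\
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
1970-01-01 01:00:00.000     0.000 TCP      100.64.32.46:62651 ->     17.146.1.72:443          0        0     1
1970-01-01 01:00:00.000     0.000 UDP      100.64.48.86:36702 ->    172.31.205.3:123          0        0     1
1970-01-01 01:00:00.000     0.000 UDP       172.30.41.5:62848 ->          4.2.2.3:53          0        0     1
1970-01-01 01:00:00.000     0.000 UDP       172.30.41.4:58216 ->          8.8.4.4:53          0        0     1
2016-10-03 12:40:05.123     0.512 TCP      100.64.32.46:62652 ->     17.146.1.72:443         12     1.4 K     1
Summary: total flows: 5, total bytes: 1456, total packets: 12, avg bps: 0, avg pps: 0, avg bpp: 0
""".splitlines()

if __name__ == "__main__":
    print(timestamp_health(SAMPLE_OUTPUT, utc_offset_hours=1))
```

Pipe `nfdump -r <file>` into it on a schedule and alert when `without_timestamp` is non-zero: zero-timestamp records also have zero duration, so any rate or time-window query built on them (including the CGNAT create/delete correlation Octavio is after) silently returns nothing useful.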