Please have a look at the following netflow records. Sometimes I get double records like the samples below. They were generated with pfflowd, collected with nfcapd and viewed with nfdump.

2009-01-04 11:00:26.556 5167.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
2009-01-04 11:00:26.556 5167.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
2009-01-04 11:00:25.990 5178.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
2009-01-04 11:00:25.990 5178.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1

2009-01-04 14:25:26.720 800.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
2009-01-04 14:25:26.720 800.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
2009-01-04 14:25:25.720 801.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
2009-01-04 14:25:25.720 801.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1

I would be very thankful if someone has a hint for me.
On Mon, Jan 05, 2009 at 12:14:58AM +0100, Franz Böhm wrote:
> Please have a look at the following netflow records. Sometimes I get
> double records like the samples below.
> They were generated with pfflowd, collected with nfcapd and viewed with
> nfdump.
>
> 2009-01-04 11:00:26.556 5167.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:26.556 5167.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
> 2009-01-04 11:00:25.990 5178.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:25.990 5178.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
>
> 2009-01-04 14:25:26.720 800.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:26.720 800.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
> 2009-01-04 14:25:25.720 801.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:25.720 801.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
>
> I would be very thankful if someone has a hint for me.

Just guessing: Are the states bound to one interface or two interfaces?

Regards,
cstamas
--
CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas
The present need for security products far exceeds the number of
individuals capable of designing secure systems. Consequently, industry
has resorted to employing folks and purchasing "solutions" from vendors
that shouldn't be let near a project involving securing a system.
-- Lucky Green
On Mon, 5 Jan 2009, Franz Böhm wrote:
> Please have a look at the following netflow records. Sometimes I get
> double records like the samples below.
> They were generated with pfflowd, collected with nfcapd and viewed with
> nfdump.

I'm not sure what could be causing this - pfflowd should only send
duplicate-looking flows when it encounters expired pf states that have
recorded more traffic than will fit in a 32-bit integer.

Can you correlate the records with a tcpdump on the pfsync interface that
pfflowd is listening to? That will tell you whether the duplicate flows are
coming from pfflowd or pfsync.

-d

> 2009-01-04 11:00:26.556 5167.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:26.556 5167.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
> 2009-01-04 11:00:25.990 5178.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
> 2009-01-04 11:00:25.990 5178.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
>
> 2009-01-04 14:25:26.720 800.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:26.720 800.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
> 2009-01-04 14:25:25.720 801.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
> 2009-01-04 14:25:25.720 801.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
>
> I would be very thankful if someone has a hint for me.
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools
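As an added example (not code from the thread, and not part of pfflowd, nfcapd or nfdump), the script below does the first half of the triage the reply signed "-d" asks for: it parses nfdump's default line output, pairs records that share a 5-tuple and identical packet/byte counters but start within a few seconds of each other, and checks whether either member carries a counter anywhere near the 32-bit ceiling. The eight records are the ones from the thread, embedded as constructed input. The 32-bit check is a heuristic assumption drawn from the reply, not pfflowd's own splitting logic; its point is that if neither counter is near 2^32 the overflow explanation cannot account for the pair, and the pfsync tcpdump is the next step.

```python
"""Find near-duplicate nfdump records and test the 32-bit-overflow explanation."""
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample: the eight records quoted in the thread, one per line,
# in nfdump's default line format (start, duration, proto, src -> dst,
# packets, bytes, flows).
SAMPLE = """\
2009-01-04 11:00:26.556 5167.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
2009-01-04 11:00:26.556 5167.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
2009-01-04 11:00:25.990 5178.000 TCP 10.0.3.34:4147 -> 80.140.195.57:30730 8118 9.4 M 1
2009-01-04 11:00:25.990 5178.000 TCP 80.140.195.57:30730 -> 10.0.3.34:4147 4583 188560 1
2009-01-04 14:25:26.720 800.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
2009-01-04 14:25:26.720 800.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
2009-01-04 14:25:25.720 801.000 TCP 10.0.3.50:1942 -> 87.248.217.89:80 19858 802352 1
2009-01-04 14:25:25.720 801.000 TCP 87.248.217.89:80 -> 10.0.3.50:1942 38147 53.9 M 1
"""

# nfdump abbreviates large counters ("9.4 M"); the suffixed value is only
# approximate, which is fine for matching records against each other.
SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}
UINT32_MAX = 2**32 - 1


def parse_counter(tokens):
    """Turn ['188560'] or ['9.4', 'M'] into an integer count."""
    if len(tokens) == 1:
        return int(tokens[0])
    value, suffix = tokens
    return int(Decimal(value) * SCALE[suffix])


def parse_record(line):
    """Parse one nfdump default-format line into a dict."""
    f = line.split()
    if len(f) < 10 or f[5] != "->":
        raise ValueError("not an nfdump flow line: %r" % line)
    start = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S.%f")
    duration = timedelta(seconds=float(f[2]))
    return {
        "start": start,
        "end": start + duration,
        "key": (f[3], f[4], f[6]),       # proto, src:port, dst:port
        "packets": int(f[7]),
        "bytes": parse_counter(f[8:-1]),  # one or two tokens before 'flows'
        "flows": int(f[-1]),
        "line": line,
    }


def parse_nfdump(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def find_duplicates(records, window=timedelta(seconds=5)):
    """Pair records with the same 5-tuple and identical counters whose start
    times differ by at most `window`.  A state exported twice looks exactly
    like this; a genuinely reused port normally shows different counters."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r["key"]].append(r)
    pairs = []
    for group in by_key.values():
        group.sort(key=lambda r: r["start"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["start"] - a["start"] > window:
                    break  # sorted, so later records are further away
                if (a["packets"], a["bytes"]) == (b["packets"], b["bytes"]):
                    pairs.append((a, b))
    return pairs


def counters_near_32bit(record):
    """Heuristic assumption, not pfflowd's logic: a record that could be one
    piece of a counter split because of 32-bit overflow would carry a
    counter at or near 2^32-1.  Far below that, the explanation does not
    fit."""
    return record["packets"] >= UINT32_MAX or record["bytes"] >= UINT32_MAX


def dedupe(records, window=timedelta(seconds=5)):
    """Drop the later member of each duplicate pair.  Use this for reporting
    only; keep the raw nfcapd files until the source of the duplicates
    (pfflowd or pfsync) has been identified."""
    later = {id(b) for _, b in find_duplicates(records, window)}
    return [r for r in records if id(r) not in later]


if __name__ == "__main__":
    recs = parse_nfdump(SAMPLE)
    for a, b in find_duplicates(recs):
        print("duplicate pair for %s %s -> %s" % a["key"])
        print("  start delta %.3fs, end delta %.3fs, 32-bit split possible: %s"
              % ((b["start"] - a["start"]).total_seconds(),
                 abs((b["end"] - a["end"]).total_seconds()),
                 counters_near_32bit(a) or counters_near_32bit(b)))
    print("%d records, %d after dedupe" % (len(recs), len(dedupe(recs))))
```

Run against real data with `nfdump -r <file> | python3 this_script.py` after changing `SAMPLE` to read stdin; the window and the equal-counters rule are deliberately strict so that only exported-twice states match, not the same client port being reused minutes later. Note that for the first connection the two records end about ten seconds apart while for the second they end at the same instant; that difference is worth carrying into the tcpdump comparison on the pfsync interface.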