openssh bugs - Apr 2010 - [Bug 1760] New: Timestamp offset using softflowd with nfdump

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

           Summary: Timestamp offset using softflowd with nfdump
           Product: softflowd
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: softflowd
        AssignedTo: djm at mindrot.org
        ReportedBy: stephen at sfnelson.org


Using softflowd with nfdump on ubuntu. All tcp flows are off by about
4294717.379 seconds. This is suspiciously similar to the size of an
unsigned integer in milliseconds. Several google hits of people
reporting this to the nfdump mailing lists and others, discussion there
indicated that it wasn't a nfdump problem.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

--- Comment #1 from Stephen Nelson <stephen at sfnelson.org>  ---
Turns out that this is because softflow is still mixing the
first_switched and last_switched fields in netflow9 output. These have
been corrected in the header, but the struct which they are actually
written to is wrong. Patch attached.

Confirmation of this bug can be obtained by examining a softflowd
packet using wireshark's "CFLOW" decoder. If the packet includes
the
template then wireshark will show that the last_switched field is
greater than the first_swtiched field. After applying the submitted
patch, the fields are in the correct order.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

--- Comment #2 from Stephen Nelson <stephen at sfnelson.org>  ---
Created attachment 1845
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1845
Fixes bug by switching the order of first and last switched fields in
the NF9_SOFTFLOWD_DATA_COMMON struct

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

Stephen Nelson <stephen at sfnelson.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stephen at sfnelson.org

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org>  ---
nice work - thanks. I have applied the patch and it will be in
softflowd-0.9.9.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

screw <screw.you at seznam.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |screw.you at seznam.cz
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #4 from screw <screw.you at seznam.cz>  ---
using last build from http://www.mindrot.org/softflowd_snap/ (with
applied bugfix) on ubuntu with nfcapd (1.6.1) and still getting bad
timestamps with -v 5 and completely wrong result(wrong/no IP, wrong/no
port,...) with -v 9.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Damien Miller <djm at mindrot.org>  ---
I think nfdump on Ubuntu is broken. It seems to decode the first flow
in a softflowd netflow 9 export packet correctly (and has correct
timers), but subsequent ones are corrupt. It is probably failing to
calculate an increment length correctly when skipping to the end of a
flow.

nfdump seems to decode v.5 flows correctly in all cases and has correct
timestamps.

Wireshark decodes the flows correctly and gives correct times for both
v5 and v9 flows.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1760

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:32
EST ---
Move resolved bugs to CLOSED after 5.7 release

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.