bugzilla-daemon at bugzilla.mindrot.org
2011-Oct-19 06:00 UTC
[Bug 1944] New: Wrong "Date flow start" and "Duration Proto" in version 9 with nfcapd
https://bugzilla.mindrot.org/show_bug.cgi?id=1944

Bug #: 1944
Summary: Wrong "Date flow start" and "Duration Proto" in version 9 with nfcapd
Classification: Unclassified
Product: softflowd
Version: -current
Platform: amd64
OS/Version: FreeBSD
Status: NEW
Severity: critical
Priority: P2
Component: softflowd
AssignedTo: djm at mindrot.org
ReportedBy: 8509985 at gmail.com

Hello, I'm from Russia, so sorry for my English, please.

We have:

1. Sensor:

    # uname -a
    FreeBSD HOST 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Sat Oct 8 16:37:12 MSD 2011 root at HOST:/usr/obj/usr/src/sys/MYKERNEL amd64
    # date
    Wed Oct 19 09:50:03 MSD 2011
    # pkg_info | grep softflowd
    softflowd-0.9.8_2 Softflowd is flow-based network traffic analyser with expor

Start softflowd daemon like:

    /usr/local/sbin/softflowd -v 9 -i lan -n COLLECTOR:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -m 819200 -t maxlife=20m -t general=20m -t tcp=20m

2. Collector:

    # uname -a
    Linux COLLECTOR 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
    # date
    ??? ??? 19 09:49:48 MSD 2011
    # nfcapd -V
    nfcapd: Version: 1.6.1 $LastChangedDate: 2010-03-05 07:50:35 +0100 (Fri, 05 Mar 2010) $
    $Id: nfcapd.c 51 2010-01-29 09:01:54Z haag $

Start collector nfcapd like:

    /usr/local/bin/nfcapd -w -D -z -n SENSOR sensor_ip /tmp/netflowv9 -p 9998 -t 300 -u username -g usergroup -P /tmp/netflowv9/9998.pid -x /tmp/netflowv9/nfcapdmv -B 200000

So, we have this:

    # nfdump -r nfcapd.201110190940
    Date flow start          Duration     Proto  Src IP Addr:Port         Dst IP Addr:Port       Packets  Bytes  Flows
    ...
    ...
    2011-08-30 16:16:29.631  4294958.395  TCP    10.7.8.51:3032      ->   194.186.138.86:55571         3    144      1
    2011-08-30 16:16:29.631  4294958.395  TCP    10.7.8.51:3033      ->   85.234.28.15:40435           3    144      1
    2011-08-30 16:16:29.631  4294958.395  TCP    10.7.8.51:3034      ->   85.143.60.93:37867           3    144      1
    2011-08-30 16:31:20.713  4294591.301  UDP    10.7.8.51:39759     ->   213.142.50.205:28909         6    348      1
    2011-08-30 16:31:22.295  4294965.814  TCP    10.7.8.223:59668    ->   83.149.29.243:8888           4    216      1
    2011-08-30 16:31:22.295  4294965.814  TCP    83.149.29.243:8888  ->   10.7.8.223:59668             3    164      1
    2011-08-30 16:16:31.643  4294958.359  TCP    10.7.8.51:3038      ->   82.151.198.182:49674         3    144      1
    2011-08-30 16:31:22.728  4294419.301  UDP    10.7.8.51:39759     ->   178.70.190.49:47659          6    348      1
    2011-10-19 09:34:09.998        0.000  UDP    10.7.8.51:39759     ->   95.32.209.62:10951           1     95      1
    2011-10-19 09:34:09.998        0.000  UDP    10.7.8.51:39759     ->   94.45.20.135:35691           1     95      1
    2011-10-19 09:34:09.998        0.000  UDP    10.7.8.51:39759     ->   95.31.31.38:42219            1     95      1
    2011-10-19 09:34:09.998        0.000  UDP    10.7.8.51:39759     ->   95.134.28.165:49557          1     95      1
    2011-08-30 16:31:23.415  4294966.609  TCP    10.7.8.51:4677      ->   95.72.152.15:59368           5    294      1
    2011-08-30 16:31:23.415  4294966.609  TCP    95.72.152.15:59368  ->   10.7.8.51:4677               3    128      1
    ...
    ...

Wrong "Date flow start" and "Duration Proto" ...

PS: On the page http://www.freebsd.org/ru/ports/net-mgmt.html for port softflowd-0.9.8_2 we need packages: gettext-0.18.1.1, gmake-3.82, libiconv-1.13.1_1, but we haven't installed gmake-3.82 before ... Can it be a reason?

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Oct-19 07:40 UTC
[Bug 1944] Wrong "Date flow start" and "Duration Proto" in version 9 with nfcapd
https://bugzilla.mindrot.org/show_bug.cgi?id=1944

--- Comment #1 from a-zazell <8509985 at gmail.com> 2011-10-19 18:40:14 EST ---

Now we have installed nfdump on the Sensor machine:

    # pkg_info | grep nfdump
    nfdump-1.6.4 Command-line tools to collect and process NetFlow data

Same problem ...
bugzilla-daemon at bugzilla.mindrot.org
2011-Oct-19 19:30 UTC
[Bug 1944] Wrong "Date flow start" and "Duration Proto" in version 9 with nfcapd
https://bugzilla.mindrot.org/show_bug.cgi?id=1944

--- Comment #2 from a-zazell <8509985 at gmail.com> 2011-10-20 06:30:17 EST ---

Now I try this:

    # softflowd -i lan -n 127.0.0.1:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -t maxlife=300
    # nfcapd -w -D -z -n local,127.0.0.1,/tmp/netflowv9 -p 9998 -t 300 -P /tmp/netflowv9/9998.pid -B 200000

And we have normal output:

    # nfdump -r nfcapd.201110192310
    Date flow start          Duration  Proto  Src IP Addr:Port        Dst IP Addr:Port     Packets  Bytes  Flows
    2011-10-19 23:09:20.381     0.000  TCP    64.4.62.124:81     ->   10.7.8.230:1825            1     40      1
    2011-10-19 23:11:47.595    12.775  TCP    10.7.8.230:1847    ->   74.125.79.104:80          17   4589      1
    2011-10-19 23:11:47.595    12.775  TCP    74.125.79.104:80   ->   10.7.8.230:1847           31  28173      1
    2011-10-19 23:11:56.585     3.477  TCP    10.7.8.230:1862    ->   74.125.79.104:80          22   4825      1
    2011-10-19 23:11:56.585     3.477  TCP    74.125.79.104:80   ->   10.7.8.230:1862           46  49094      1
    2011-10-19 23:09:17.224   317.015  ICMP   10.7.8.20:0        ->   8.8.8.8:8.0              309  18540      1
    2011-10-19 23:09:17.314   316.015  ICMP   8.8.8.8:0          ->   10.7.8.20:0.0            306  18360      1
    2011-10-19 23:09:18.014   320.709  ICMP   10.7.8.230:0       ->   8.8.8.8:8.0              189  11340      1
    ...
    ...
    Summary: total flows: 55, total bytes: 483200, total packets: 3268, avg bps: 11975, avg pps: 10, avg bpp: 147
    Time window: 2011-10-19 23:09:16 - 2011-10-19 23:14:39
    Total flows processed: 55, Blocks skipped: 0, Bytes read: 2912
    Sys: 0.002s flows/second: 24336.3 Wall: 0.000s flows/second: 77355.8
bugzilla-daemon at bugzilla.mindrot.org
2011-Oct-19 19:34 UTC
[Bug 1944] Wrong "Date flow start" and "Duration Proto" in version 9 with nfcapd
https://bugzilla.mindrot.org/show_bug.cgi?id=1944

a-zazell <8509985 at gmail.com> changed:

    What    |Removed    |Added
    ----------------------------------------------------------------------------
    CC      |           |8509985 at gmail.com
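
A collector-side sanity check for the symptom reported in this thread, as an added example that is not part of the bug report, softflowd or nfdump: it flags nfdump records whose duration exceeds the exporter's configured maxlife, whose duration sits just under 2^32 ms (4294967.296 s, the span of a 32-bit millisecond counter, which is where the reported durations fall), or whose start time lies outside the capture file's rotation window. The function names and the `slack_s` tolerance are assumptions; the sample records are copied from the report.

```python
import re
from datetime import datetime, timedelta

WRAP_S = 2**32 / 1000.0  # 4294967.296 s: span of a 32-bit millisecond counter

# Sample input: records copied from the nfdump output quoted in the report.
SAMPLE = """\
2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3032 -> 194.186.138.86:55571 3 144 1
2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.32.209.62:10951 1 95 1
2011-08-30 16:31:22.295 4294965.814 TCP 10.7.8.223:59668 -> 83.149.29.243:8888 4 216 1
"""

REC = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+\.\d+)\s+\S+\s+\S+\s+->\s+\S+")


def capture_window(filename, interval_s):
    """Map nfcapd.YYYYmmddHHMM to the (start, end) of its rotation interval."""
    start = datetime.strptime(filename.rsplit(".", 1)[1], "%Y%m%d%H%M")
    return start, start + timedelta(seconds=interval_s)


def check_flows(text, filename, interval_s=300, maxlife_s=1200, slack_s=60):
    """Return [(record_no, [reasons])] for records with implausible timing.

    interval_s is nfcapd's -t, maxlife_s is softflowd's -t maxlife;
    slack_s is an assumed tolerance for the exporter's expiry delay.
    """
    w_start, w_end = capture_window(filename, interval_s)
    limit = maxlife_s + slack_s
    earliest = w_start - timedelta(seconds=limit)
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REC.match(line.strip())
        if not m:
            continue  # header, "..." or summary line
        start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        dur = float(m.group(2))
        reasons = []
        if dur > limit:
            reasons.append("duration_exceeds_maxlife")
        if 0 <= WRAP_S - dur < limit:
            reasons.append("duration_just_under_2^32_ms")
        if start < earliest or start > w_end:
            reasons.append("start_outside_capture_window")
        if reasons:
            findings.append((no, reasons))
    return findings
```
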