[netsa-tools-discuss] incorrect flow times in silk 3.16
Mark Thomas
mthomas at cert.org
Mon Aug 14 11:06:46 EDT 2017
Tim-
To debug the issue, I suggest modifying the sensor.conf file used by
rwflowpack to add 'record-timestamps' to the 'log-flags' setting for
the probe(s) that collect the NetFlow v9 data from Cisco NX-OS:

    probe P1 netflow-v9
        log-flags default record-timestamps
        ...
    end probe

After you restart rwflowpack, for every NetFlow v9 record,
rwflowpack writes to the log file the values it read from the
incoming NetFlow v9 data. Knowing those values will help in
debugging the issue.
That log-flags setting generates a lot of output. Once you have
collected some timestamp information I suggest you disable the flag.
I can assist in debugging the issue further once I know which
information elements SiLK is using and the values of those elements.
Cheers,
-Mark
-----Original Message-----
From: Tim Stevenson <tstevens at cisco.com>
Date: Fri, 11 Aug 2017 10:22:58 -0700
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] incorrect flow times in silk 3.16
Hi,
I'm having an odd problem with silk flow times in the data files
being created from NFv9 exports. The dates/times reported via
rwfilter are all ~10 days in the past.
The server where silk is running (ubuntu 16.04.2 x64) is sync'd via
NTP, date output on the server is correct. The switch exporting the
data is also NTP sync'd to the same source and the date is correct
there as well.
I've also captured the NDE packets coming from the switch and decoded
them via the CFLOW dissector in wireshark, all the times/dates in
those packets are correct as well.
I tried recompiling with and without the localtime option, the
relative time/date changes but both are still resulting in dates in the past.
Any suggestions on how to further debug this problem?
Thanks,
Tim
Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Distinguished Engineer, Technical Marketing
Data Center Switching
Cisco - http://www.cisco.com
+1(408)526-6759