[netsa-tools-discuss] Help with RWMatch

Tue Mar 24 15:57:44 EDT 2015

Hello,

I'm hoping someone can help me with a problem I am experiencing when using RWMatch to marry up unidirectional Netflow v5 records. For the most part RWMatch works great, I give it the 2 time sorted input files (query and response), and it produces a nice output with the direction of the communication (when using rwcut with the cumatch.so plugin). The problem I am having is with one particular communication that doesn't have a port number <=1024 and the start times of each record are exactly the same down to the millisecond.

I have seen some other Netflow records where the start times are exactly the same down to the millisecond, and neither port is <=1024. However, with the other Netflow records, the end time of the response is greater than the end time of the query. In my example, it appears that the end time of the response is actually smaller than the end time of the query, and that's what I believe could be the issue for why RWMatch is not correctly marrying up these particular flows.

Has anyone experienced anything similar?
Is there an RWMatch master on this email distro?
Are there any workarounds?

sIP

            dIP

sPort

dPort

pro

   packets

     bytes

   flags

                  sTime

duration

                  eTime

sen

     10.10.10.10

  10.20.20.20

49143

1302

6

9

877

FS PA

2015/01/01T00:00:15.442

15.396

2015/01/01T00:00:30.838

S0

  10.20.20.20

     10.10.10.10

1302

49143

6

6

624

FS PA

2015/01/01T00:00:15.442

15.296

2015/01/01T00:00:30.738

S0

Thanks,
Adam Robertson

NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.
-------------- next part --------------
HTML attachment scrubbed and removed