[netsa-tools-discuss] rwflowpack bug?

Vincent Ragosta ragosta at plummerslade.com
Fri Nov 20 11:54:59 EST 2015


Hello,

On my system rwflowpack is saving some of the SiLK records with an incorrect sTime value of 10/01/2015:

Nov 19 19:28:07 silk-01 rwflowpack[7606]: Flushing files after 120 seconds.
Nov 19 19:28:07 silk-01 rwflowpack[7606]: /data/pfSense/inweb/2015/10/01/iw-pfSense_20151001.07: 42 recs
Nov 19 19:28:07 silk-01 rwflowpack[7606]: /data/pfSense/outweb/2015/10/01/ow-pfSense_20151001.07: 42 recs
Nov 19 19:28:07 silk-01 rwflowpack[7606]: /data/pfSense/int2int/2015/11/20/int2int-pfSense_20151120.00: 48 recs
Nov 19 19:28:07 silk-01 rwflowpack[7606]: /data/pfSense/int2int/2015/10/01/int2int-pfSense_20151001.07: 88 recs
Nov 19 19:28:07 silk-01 rwflowpack[7606]: /data/pfSense/in/2015/10/01/in-pfSense_20151001.07: 4 recs
Nov 19 19:28:07 silk-01 rwflowpack[7606]: /data/pfSense/out/2015/10/01/out-pfSense_20151001.07: 4 recs
Nov 19 19:28:07 silk-01 rwflowpack[7606]: 'pfSense': forward 228, reverse 0, ignored 0, nf9: missing-pkts 108

This is similar behavior to that previously reported on the listserv -- https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2014-October/000032.html.

I performed a packet capture of the netflow data coming off of my router and could not detect any invalid time stamps.

Here is some supplemental data that may be of use:

psi at silk-01:/data$ rwcut /data/pfSense/out/2015/10/01/out-pfSense_20151001.07 | tail
                           192.168.1.97|                            224.0.0.252|61130| 5355| 17|         2|       100|        |2015/10/01T07:31:14.121|4294966.879|2015/11/20T00:34:01.000|pfSense|
                           192.168.1.97|                            224.0.0.252|51671| 5355| 17|         2|       100|        |2015/10/01T07:31:14.121|4294966.879|2015/11/20T00:34:01.000|pfSense|
                           192.168.1.97|                            224.0.0.252|61130| 5355| 17|         2|       100|        |2015/10/01T07:31:14.121|4294966.879|2015/11/20T00:34:01.000|pfSense|
                           192.168.1.97|                            224.0.0.252|51671| 5355| 17|         2|       100|        |2015/10/01T07:31:14.121|4294966.879|2015/11/20T00:34:01.000|pfSense|
                           192.168.1.11|                          74.125.21.125|56701| 5222|  6|         9|      1836|   PA   |2015/10/01T07:45:55.584|4294145.416|2015/11/20T00:35:01.000|pfSense|
                           192.168.1.11|                          74.125.21.125|56701| 5222|  6|         9|      1836|   PA   |2015/10/01T07:45:55.584|4294145.416|2015/11/20T00:35:01.000|pfSense|
                           192.168.1.79|                                8.8.8.8| 3530|   53| 17|         1|        58|        |2015/10/01T07:33:13.732|4294967.268|2015/11/20T00:36:01.000|pfSense|
                           192.168.1.79|                         128.182.58.100| 3528|  123| 17|         1|        76|        |2015/10/01T07:33:13.727|4294967.273|2015/11/20T00:36:01.000|pfSense|
                           192.168.1.79|                                8.8.8.8| 3530|   53| 17|         1|        58|        |2015/10/01T07:33:13.732|4294967.268|2015/11/20T00:36:01.000|pfSense|
                           192.168.1.79|                         128.182.58.100| 3528|  123| 17|         1|        76|        |2015/10/01T07:33:13.727|4294967.273|2015/11/20T00:36:01.000|pfSense|


psi at silk-01:/data$ cat sensors.conf
probe pfSense netflow-v9
    listen-on-port 9900
    protocol udp
    accept-from-host 192.168.10.250
end probe

group my-network
    ipblocks 192.168.10.0/24
    ipblocks 192.168.1.0/24
    ipblocks 192.168.5.0/24
end group

sensor pfSense
    netflow-v9-probes pfSense
    internal-ipblocks @my-network
    external-ipblocks remainder
end sensor


psi at silk-01:/data$ rwflowpack --version
rwflowpack: part of SiLK 3.11.0.1; configuration settings:
    * Root of packed data tree:         /data
    * Packing logic:                    Run-time plug-in
    * Timezone support:                 UTC
    * Available compression methods:    none [default], zlib
    * IPv6 network connections:         yes
    * IPv6 flow record support:         yes
    * IPFIX/NetFlow9/sFlow collection:  ipfix,netflow9,sflow
    * Transport encryption:             no
    * PySiLK support:                   /usr/lib/python2.7/dist-packages
    * Enable assert():                  no


psi at silk-01:/data$ cat /etc/issue
Ubuntu 14.04.3 LTS \n \l

Please let me know if any additional data is required.


Thanks,

Vincent