[netsa-tools-discuss] Validating flow export time

Mark Thomas mthomas at cert.org
Mon Apr 3 14:38:43 EDT 2017


asad-

The CFLOW filter in Wireshark understands NetFlow and IPFIX
packets.

To compare that information with the data in SiLK, modify the
sensor.conf file by adding a log-flags statement to the probe
block(s) that looks like:

  log-flags default record-timestamps

Save the sensor.conf file and then restart rwflowpack or flowcap.
The change to the sensor.conf file causes rwflowpack to write the
timestamps of every flow record to the log file.  (This produces a
lot of output.)

You may then compare the values that rwflowpack is reporting with
the values shown in Wireshark.

I hope that answers your question.

-Mark


-----Original Message-----
From: asad <a.alii85 at gmail.com>
Date: Wed, 29 Mar 2017 22:07:46 +0500
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Validating flow export time

Hi

Is there a non-trivial way of knowing flow export time? The problem is that
I have configured netflows on PaloAlto firewalls. Timeout is set for 60
seconds. By using e.g. Wireshark or some other tools, can I see or
validate it through some fields in the protocol?

Thanks
regards
asad
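
The export time discussed in this thread is carried in the export message header. As an added example (not part of the original thread and not SiLK or Wireshark code), this Python code decodes that header from a NetFlow v9 or IPFIX UDP payload and converts v9 FIRST_SWITCHED/LAST_SWITCHED uptime values to epoch time, so a flow's age at export can be compared with the configured timeout. The function names and the sample header bytes are constructed for illustration, and it assumes the exporter sends NetFlow v9 or IPFIX.

```python
import struct

def parse_export_header(payload: bytes) -> dict:
    """Decode the message header of a NetFlow v9 or IPFIX export packet."""
    if len(payload) < 2:
        raise ValueError("payload too short for a version field")
    (version,) = struct.unpack_from("!H", payload, 0)
    if version == 9:
        # RFC 3954: version, count, sysUpTime (ms), unix_secs, sequence, source_id
        if len(payload) < 20:
            raise ValueError("truncated NetFlow v9 header")
        _, count, uptime_ms, secs, seq, _src = struct.unpack_from("!HHIIII", payload, 0)
        return {"version": 9, "count": count, "sys_uptime_ms": uptime_ms,
                "export_secs": secs, "sequence": seq}
    if version == 10:
        # RFC 7011: version, length, export time, sequence, observation domain id
        if len(payload) < 16:
            raise ValueError("truncated IPFIX header")
        _, length, secs, seq, _dom = struct.unpack_from("!HHIII", payload, 0)
        return {"version": 10, "length": length, "export_secs": secs, "sequence": seq}
    raise ValueError(f"unsupported export version {version}")

def v9_uptime_to_epoch(hdr: dict, switched_ms: int) -> float:
    """Convert a v9 FIRST_SWITCHED/LAST_SWITCHED value (sysUpTime ms) to epoch seconds."""
    # Both values are 32-bit millisecond counters, so subtract modulo 2**32.
    delta_ms = (hdr["sys_uptime_ms"] - switched_ms) & 0xFFFFFFFF
    return hdr["export_secs"] - delta_ms / 1000.0

def export_timing(hdr: dict, first_ms: int, last_ms: int) -> dict:
    """Report how old and how idle a v9 flow was when the exporter sent it."""
    start = v9_uptime_to_epoch(hdr, first_ms)
    end = v9_uptime_to_epoch(hdr, last_ms)
    return {"start": start, "end": end,
            "age_at_export": hdr["export_secs"] - start,
            "idle_before_export": hdr["export_secs"] - end}

# Constructed sample: v9 header with a record count of 1, exporter up for one hour.
SAMPLE_V9 = struct.pack("!HHIIII", 9, 1, 3_600_000, 1_491_244_723, 42, 0)

if __name__ == "__main__":
    hdr = parse_export_header(SAMPLE_V9)
    print(hdr)
    # Constructed FIRST_SWITCHED / LAST_SWITCHED values for one flow record.
    print(export_timing(hdr, first_ms=3_540_000, last_ms=3_599_500))
```

The payload passed to `parse_export_header` is the UDP data of one export packet, for instance copied out of a capture as raw bytes.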

