[netsa-tools-discuss] incorrect flow times in silk 3.16
Tim Stevenson
tstevens at cisco.com
Tue Aug 15 21:22:36 EDT 2017
Hi Mark,
Thank you for the reply & sorry for the delay, I am not subscribed to
the list so had to remember to come back & check for a response. If
you wouldn't mind cc'ing me directly on any response I'd appreciate it...
This is what I see in the logs with record-timestamps enabled for an
NXOS v9 exporter:
Aug 15 12:17:54 tstevens-silk-sandbox rwflowpack[2071]:
'tstevens-93180yc-fx-1': Set sTime=2017/08/10T21:16:28.474Z,
dur=4294967.173s from incoming record flowStartSysUpTime=3881082770,
flowEndSysUpTime=3881082647,
systemInitTimeMilliseconds=1502813673000,
exportTimeSeconds=1502824674, calculated sysUpTime=11001000, assume
sysUpTime rollover, assume flowEndSysUpTime rollover
Aug 15 12:18:04 tstevens-silk-sandbox rwflowpack[2071]:
'tstevens-93180yc-fx-1': Set sTime=2017/08/10T21:16:34.368Z,
dur=4294967.173s from incoming record flowStartSysUpTime=3881088664,
flowEndSysUpTime=3881088541,
systemInitTimeMilliseconds=1502813673000,
exportTimeSeconds=1502824684, calculated sysUpTime=11011000, assume
sysUpTime rollover, assume flowEndSysUpTime rollover
Aug 15 12:18:04 tstevens-silk-sandbox rwflowpack[2071]:
'tstevens-93180yc-fx-1': Set sTime=2017/08/10T21:16:35.848Z,
dur=4294967.173s from incoming record flowStartSysUpTime=3881090144,
flowEndSysUpTime=3881090021,
systemInitTimeMilliseconds=1502813673000,
exportTimeSeconds=1502824684, calculated sysUpTime=11011000, assume
sysUpTime rollover, assume flowEndSysUpTime rollover
I guess this is the problem: "assume sysUpTime rollover, assume
flowEndSysUpTime rollover"... Looks like flowStartSysUpTime
(3881090144) is bigger than flowEndSysUpTime (3881090021).
But when I capture these NDE packets in wireshark and decode with the
CFLOW dissector, it's interpreting them in the opposite way - ie,
start time is always smaller than end time, ie as expected. So
wireshark is parsing them correctly.
I did find an IOS box (6500 sup720) and enabled v9 export there and
all the timestamps are handled correctly by rwflowpack, the date/time
is correct for that. I did notice that the actual order of fields in
the templates/packets are different between NXOS & IOS packet
captures when viewed in wireshark. I can provide the two pcap files
(as well as switch configs) if you like.
Let me know, thanks,
Tim
>Tim-
>
>To debug the issue, I suggest modifying the sensor.conf file used by
>rwflowpack to add 'record-timestamps' to the 'log-flags' setting for
>the probe(s) that collect the NetFlow v9 data from from Cisco NX-OS:
>
> probe P1 netflow-v9
> log-flags default record-timestamps
> ...
> end probe
>
>After you restart rwflowpack, for every NetFlow v9 record,
>rwflowpack writes to the log file the values it read from the
>incoming NetFlow v9 data. Knowing those values will help in
>debugging the issue.
>
>That log-flags setting generates a lot of output. Once you have
>collected some timestamp information I suggest you disable the flag.
>
>I can assist in debugging in the issue further once I know which
>information elements SiLK is using and the values of those elements.
>
>Cheers,
>
>-Mark
Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Distinguished Engineer, Technical Marketing
Data Center Switching
Cisco - http://www.cisco.com
+1(408)526-6759
More information about the netsa-tools-discuss
mailing list