[netsa-tools-discuss] Problems with duration and flow start times in Juniper

Bartosz Iwanski biwanski at gmail.com
Thu Aug 29 06:30:50 EDT 2019


Hello,
I have encountered an interesting and problematic quirk in Juniper's way of
handling long-running flows.
There exists an option - active-flow-timeout - that makes the device
export data about active flows - similar to
ip flow-cache timeout active
in Cisco devices.
There is, however, an issue with what Juniper actually exports - the start of
the flow does not change in the updates as it does in Cisco - Cisco exports
a series of flows where, when one ends, the next one starts, until the device
sees the end of traffic.
Juniper exports a series of flows that have the same start time, but
different end times, like this:
         sIP|        dIP| packets|     bytes|                  sTime| duration|                  eTime|
 192.168.1.1|   10.1.1.1|     927|    138680|2019/08/28T21:49:20.917|35704.926|2019/08/29T07:44:25.843|
 192.168.1.1|   10.1.1.1|     953|    149352|2019/08/28T21:49:20.917|36004.401|2019/08/29T07:49:25.318|
 192.168.1.1|   10.1.1.1|     998|    192608|2019/08/28T21:49:20.917|36304.894|2019/08/29T07:54:25.811|
 192.168.1.1|   10.1.1.1|     979|    181192|2019/08/28T21:49:20.917|36604.890|2019/08/29T07:59:25.807|
 192.168.1.1|   10.1.1.1|     949|    149784|2019/08/28T21:49:20.917|36904.572|2019/08/29T08:04:25.489|
 192.168.1.1|   10.1.1.1|     733|    107448|2019/08/28T21:49:20.917|37167.538|2019/08/29T08:08:48.455|
 192.168.1.1|   10.1.1.1|     700|    116048|2019/08/28T21:49:20.917|37504.815|2019/08/29T08:14:25.732|
 192.168.1.1|   10.1.1.1|     926|    138432|2019/08/28T21:49:20.917|37804.504|2019/08/29T08:19:25.421|
 192.168.1.1|   10.1.1.1|     931|    140568|2019/08/28T21:49:20.917|38104.520|2019/08/29T08:24:25.437|

What is interesting is that the bytes and packets fields are not added to
the previous values but are generated per time interval.

My question is - is there a way to make SiLK handle this weird behavior -
and maybe modify the start times of received flows to, let's say, 'end-time -
active-flow-timeout', to store them as it would Cisco-generated flows?
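
The start-time rewrite asked about above, as an added example (not part of the original post and not a SiLK feature): it parses rwcut-style output and sets each record's start to the previous record's end for the same flow, a generalization of 'end-time - active-flow-timeout' that also copes with uneven export intervals. The 300-second timeout and the function names are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y/%m/%dT%H:%M:%S.%f"
ACTIVE_TIMEOUT = timedelta(seconds=300)  # assumed; use the exporter's configured value

# Three consecutive rows taken from the rwcut output in the post
SAMPLE = """\
sIP|dIP|packets|bytes|sTime|duration|eTime|
192.168.1.1|10.1.1.1|949|149784|2019/08/28T21:49:20.917|36904.572|2019/08/29T08:04:25.489|
192.168.1.1|10.1.1.1|733|107448|2019/08/28T21:49:20.917|37167.538|2019/08/29T08:08:48.455|
192.168.1.1|10.1.1.1|700|116048|2019/08/28T21:49:20.917|37504.815|2019/08/29T08:14:25.732|
"""

def parse_rwcut(text):
    """Parse pipe-delimited rwcut output (with title row) into dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    names = [f.strip() for f in lines[0].rstrip("|").split("|")]
    rows = []
    for line in lines[1:]:
        row = dict(zip(names, (f.strip() for f in line.rstrip("|").split("|"))))
        for field in ("sTime", "eTime"):
            row[field] = datetime.strptime(row[field], FMT)
        rows.append(row)
    return rows

def rewrite_start_times(rows, timeout=ACTIVE_TIMEOUT):
    """Turn same-start interim records into back-to-back segments."""
    last_end = {}  # (sIP, dIP, exported sTime) -> eTime of the previous segment
    out = []
    for row in sorted(rows, key=lambda r: r["eTime"]):
        key = (row["sIP"], row["dIP"], row["sTime"])
        start = last_end.get(key)
        if start is None:
            # First record seen for this flow: fall back to eTime - timeout,
            # but never move the start earlier than the exported one.
            start = max(row["sTime"], row["eTime"] - timeout)
        last_end[key] = row["eTime"]
        duration = round((row["eTime"] - start).total_seconds(), 3)
        # packets/bytes are already per-interval, so they are left untouched
        out.append({**row, "sTime": start, "duration": duration})
    return out

if __name__ == "__main__":
    for r in rewrite_start_times(parse_rwcut(SAMPLE)):
        print(r["sTime"].strftime(FMT)[:-3], r["duration"], r["packets"], r["bytes"])
```

The second and third sample rows end 262.966 s and 337.277 s after their predecessors, so a fixed subtraction of the timeout would produce overlapping or gapped segments where the chained version does not.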