Old 26th October 2009

Sorry to drag up a semi-dead thread, but I'm having timestamp issues with NetFlow using the supported OpenBSD flow-tools package.

The "capture start" and "capture end" times in the NetFlow header are fine. However, the per-flow StartTime and EndTime values in the output seem to be _way_ off — or perhaps I am reading them wrong.

Code:
root@magellan # flow-cat -p * | flow-print -l -f 1 -p -w | head -n 40 
#
# mode:                 streaming
# capture start:        Mon Oct 26 14:10:43 2009
# capture end:          Mon Oct 26 15:15:00 2009
# capture period:       3857 seconds
# compress:             off
# byte order:           little
# stream version:       3
# export version:       5
# lost flows:           0
# corrupt packets:      0
# capture flows:        2797
#
Sif  SrcIPaddress     DIf  DstIPaddress      Pr SrcP DstP  Pkts  Octets
 StartTime          EndTime             Active   B/Pk Ts Fl

0000 89.100.77.184    0000 89.101.160.5      11 2914 35    1          73        
 1106.01:37:52.721  1106.01:38:30.721     38.000 73  00 00

0000 89.101.160.5     0000 89.100.77.184     11 35   2914  1          89        
 1106.01:37:52.721  1106.01:38:30.721     38.000 89  00 00

0000 10.51.3.35       0000 199.7.59.72       06 e8b5 50    5          853       
 1106.01:37:52.721  1106.01:38:30.721     38.000 170 00 00

0000 199.7.59.72      0000 10.51.3.35        06 50   e8b5  5          1682      
 1106.01:37:52.721  1106.01:38:30.721     38.000 336 00 00

0000 89.100.77.184    0000 199.7.59.72       06 faf1 50    5          853       
 1106.01:37:52.721  1106.01:38:30.721     38.000 170 00 00

0000 199.7.59.72      0000 89.100.77.184     06 50   faf1  5          1682      
 1106.01:37:52.721  1106.01:38:30.721     38.000 336 00 00

0000 10.51.3.35       0000 74.125.39.103     06 a4f1 1bb   15         2192      
 1106.01:37:53.721  1106.01:38:31.721     38.000 146 00 00

0000 74.125.39.103    0000 10.51.3.35        06 1bb  a4f1  17         14682     
 1106.01:37:53.721  1106.01:38:31.721     38.000 863 00 00
Code:
root@magellan # pkg_info | grep flow                                                                                      
flow-tools-0.68p0   cisco NetFlow utilities
flowd-0.9.1         NetFlow collector
p5-flowd-0.9.1      Perl API to flowd binary logfiles
root@magellan # ps -awux | grep flow
root     19939  0.0  1.2  1544  1528 ??  Ss     2:10PM    0:00.63 flow-capture -w /var/spool/netflow -N 0 0/0/12345
root     27843  0.0  0.6   280   792 p2  S+     3:14PM    0:00.02 grep flow
root@magellan # ls /var/spool/netflow/                                                                                    
ft-v05.2009-10-26.141043+0000  ft-v05.2009-10-26.143001+0000  tmp-v05.2009-10-26.150001+0000
ft-v05.2009-10-26.141501+0000  ft-v05.2009-10-26.144501+0000
root@magellan # flow-cat -p * | flow-print -l -f 1 -p -w | less                                                           
root@magellan # pwd
/var/spool/netflow
root@magellan #
The netflow data is being exported from my primary firewall, defiant.

Code:
root@defiant # fgrep pflow /etc/pf.defiant                                                                                
set state-defaults pflow
root@defiant # ifconfig pflow0                                                                                            
pflow0: flags=41<UP,RUNNING> mtu 1492
        priority: 0
        pflow: sender: 10.51.2.129 receiver: 10.51.2.130:12345
        groups: pflow
root@defiant # pfctl -ss -vv | grep pflow 
   age 425:31:50, expires in 03:28:40, 17622:19975 pkts, 963961:3156789 bytes, pflow
   age 191:05:23, expires in 04:23:49, 17754:19187 pkts, 1331997:2717397 bytes, pflow
   age 67:52:19, expires in 04:59:32, 8475:5515 pkts, 714935:665149 bytes, rule 108, pflow
   age 67:52:19, expires in 04:59:32, 8475:5515 pkts, 714935:665149 bytes, rule 46, pflow
   age 67:52:19, expires in 00:00:38, 21784:15014 pkts, 2440747:2606829 bytes, rule 41, pflow
   age 67:51:50, expires in 04:59:38, 10607:6699 pkts, 1010806:1235487 bytes, rule 108, pflow
   age 67:51:50, expires in 04:59:38, 10607:6699 pkts, 1010806:1235487 bytes, rule 46, pflow
   age 21:16:05, expires in 03:28:39, 13831:13812 pkts, 736397:2481648 bytes, rule 101, pflow
   age 21:16:05, expires in 03:28:39, 13831:13812 pkts, 736397:2481648 bytes, rule 70, pflow
   age 02:25:17, expires in 02:55:01, 183:362 pkts, 10845:41603 bytes, rule 103, pflow
   age 02:25:17, expires in 02:55:01, 183:362 pkts, 10845:41603 bytes, rule 43, pflow
   age 02:25:12, expires in 04:59:48, 395:379 pkts, 19469:30832 bytes, rule 103, pflow
   age 02:25:12, expires in 04:59:48, 395:379 pkts, 19469:30832 bytes, rule 43, pflow
   age 02:25:11, expires in 04:57:53, 42:38 pkts, 2116:3748 bytes, rule 103, pflow
   age 02:25:11, expires in 04:57:53, 42:38 pkts, 2116:3748 bytes, rule 43, pflow
   age 02:02:26, expires in 03:55:12, 342:456 pkts, 18930:62673 bytes, rule 103, pflow
   age 02:02:26, expires in 03:55:12, 342:456 pkts, 18930:62673 bytes, rule 43, pflow
   age 01:02:44, expires in 04:56:16, 366:455 pkts, 20424:53851 bytes, rule 103, pflow
   age 01:02:44, expires in 04:56:16, 366:455 pkts, 20424:53851 bytes, rule 43, pflow
   age 00:04:48, expires in 04:55:13, 10:8 pkts, 859:1416 bytes, rule 103, pflow
   age 00:04:48, expires in 04:55:13, 10:8 pkts, 859:1416 bytes, rule 43, pflow
   age 00:02:11, expires in 00:00:02, 5:0 pkts, 3284:0 bytes, rule 84, pflow
   age 00:02:10, expires in 05:00:00, 451:316 pkts, 33628:45625 bytes, rule 103, pflow
   age 00:01:33, expires in 04:59:16, 176:354 pkts, 9932:40696 bytes, rule 103, pflow
   age 00:01:33, expires in 04:59:16, 176:354 pkts, 9932:40696 bytes, rule 43, pflow
   age 00:01:23, expires in 04:59:19, 18:15 pkts, 1966:6317 bytes, rule 103, pflow
   age 00:01:23, expires in 04:59:19, 18:15 pkts, 1966:6317 bytes, rule 43, pflow
   age 00:00:23, expires in 00:00:00, 1:0 pkts, 64:0 bytes, rule 48, pflow
   age 00:00:23, expires in 00:00:00, 1:0 pkts, 64:0 bytes, rule 48, pflow
   age 00:00:12, expires in 00:00:48, 1:0 pkts, 114:0 bytes, rule 44, pflow
   age 00:00:10, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 104, pflow
   age 00:00:07, expires in 00:00:23, 1:1 pkts, 59:203 bytes, rule 103, pflow
   age 00:00:07, expires in 00:00:23, 1:1 pkts, 73:169 bytes, rule 44, pflow
   age 00:00:07, expires in 00:00:23, 10:8 pkts, 2122:3882 bytes, rule 103, pflow
   age 00:00:07, expires in 00:00:23, 10:8 pkts, 2122:3882 bytes, rule 43, pflow
   age 00:00:07, expires in 00:00:23, 1:1 pkts, 64:194 bytes, rule 103, pflow
   age 00:00:07, expires in 00:00:23, 1:1 pkts, 77:173 bytes, rule 44, pflow
   age 00:00:07, expires in 00:00:23, 6:4 pkts, 1088:362 bytes, rule 103, pflow
   age 00:00:07, expires in 00:00:23, 6:4 pkts, 1088:362 bytes, rule 43, pflow
defiant:
Code:
OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA C7-D Processor 1500MHz ("CentaurHauls" 686-class) 1.50 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,xTPR
real mem  = 1006137344 (959MB)
avail mem = 964476928 (919MB)
magellan:
Code:
OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
real mem  = 133787648 (127MB)
avail mem = 121090048 (115MB)