Re: [Nfdump-discuss] nfdump-1.5.8-NSEL and first_time value
netflow collecting and processing tools
Brought to you by:
phaag
From: <ko...@in...> - 2014-10-30 14:49:50
Hi again. I need to return to this question. We've got new Cisco hardware, so I've installed the latest version of nfdump for tests (1.6.12).

The problem is the same. The NetFlow traffic is generated by a simple network device, which cannot calculate flows or do any intelligent job. So it sends all information about the traffic, but in a simple way (this is done to improve the bandwidth, as I understand).
So, each flow contains (picture attached):
Ingress VRFID (cflow.ingress_vrfid)
Egress VRFID (cflow.egress_vrfid)
SrcAddr (cflow.srcaddr)
Post NAT Source IPv4 Address (cflow.post_natsource_ipv4_address)
SrcPort (cflow.srcport)
Post NAPT Source Transport Port (cflow.post_naptsource_transport_port)
DstAddr (cflow.dstaddr)
DstPort (cflow.dstport)
Protocol (cflow.protocol)

No info about time in each flow. So the only way we can get it is to take the Cisco NetFlow/IPFIX timestamp... The main question: is it possible without writing my own hacks? I cannot leave this field empty, because it is a very important key for the future analytic job.
Thanks in advance.

Quoting Peter Haag <ph...@us...>:
> Hi,
> nfdump-1.5.8-NSEL was a release for CISCO ASA in the early ASA days. This version is way back in time and does not
> support newer ASA/NSEL models. It's recommended to migrate to nfdump-1.6.12, although the painful part is that 1.5.8-NSEL
> files cannot be read by 1.6.12.
>
> btw. time stamps are always a matter of difficulty. What do you define as "current timestamp"?
>
> Cheers
>
> - Peter
>
> On 29.07.14 15:58, ko...@in... wrote:
> > Hi all. I'm using nfdump-1.5.8-NSEL to catch and process our traffic (CFLOW).
> > But our new firewall configuration cannot provide basic time values - duration,
> > first_seen, last_seen. :(
> > I'm not a C guru, so could you advise me how I can substitute first_seen,
> > last_seen with the current timestamp. This is definitely not the best solution, but
> > it is suitable for my purposes...
> >
> > Thanks!
> >
> > _______________________________________________
> > Nfdump-discuss mailing list
> > Nfd...@li...
> > https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> >
>
> --
> Be nice to your netflow data. Use NfSen and nfdump :)
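The situation described in the thread, a NetFlow v9 template that carries the NAT fields but no FIRST_SWITCHED/LAST_SWITCHED elements, can be illustrated with a small collector-side parser. The following is an added example and is not code from the thread or from nfdump itself: it decodes one v9 export packet, and when a record has no time elements it falls back to the `unix_secs` export time from the packet header and marks the record so that later analysis knows the timestamp is the export time, not the flow's real start. The element numbers are the IANA IPFIX/NetFlow v9 IDs for the fields listed in the post; the packet built by `build_sample_packet` is constructed for the example, and the function names are mine.

```python
import struct
from ipaddress import IPv4Address

# IANA IPFIX / NetFlow v9 information element IDs for the fields named in the post
IE_PROTOCOL = 4
IE_SRC_PORT = 7
IE_SRC_ADDR = 8
IE_DST_PORT = 11
IE_DST_ADDR = 12
IE_FLOW_END_SYSUPTIME = 21      # LAST_SWITCHED (ms of sysUpTime)
IE_FLOW_START_SYSUPTIME = 22    # FIRST_SWITCHED (ms of sysUpTime)
IE_POST_NAT_SRC_ADDR = 225
IE_POST_NAPT_SRC_PORT = 227
IE_INGRESS_VRFID = 234
IE_EGRESS_VRFID = 235

ADDR_FIELDS = {IE_SRC_ADDR, IE_DST_ADDR, IE_POST_NAT_SRC_ADDR}


def _with_timestamps(rec, sys_uptime, unix_secs):
    """Derive first/last unix timestamps. With FIRST/LAST_SWITCHED present the usual
    v9 arithmetic applies; without them fall back to the export time in the header."""
    if IE_FLOW_START_SYSUPTIME in rec and IE_FLOW_END_SYSUPTIME in rec:
        rec["first"] = unix_secs - (sys_uptime - rec[IE_FLOW_START_SYSUPTIME]) // 1000
        rec["last"] = unix_secs - (sys_uptime - rec[IE_FLOW_END_SYSUPTIME]) // 1000
        rec["time_source"] = "record"
    else:
        # Export time only: the flow may have started long before this packet was sent.
        rec["first"] = rec["last"] = unix_secs
        rec["time_source"] = "export_header"
    return rec


def parse_v9(packet: bytes) -> list:
    """Parse one NetFlow v9 export packet (template + data flowsets) into record dicts."""
    version, count, sys_uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        set_id, length = struct.unpack("!HH", packet[off:off + 4])
        if length < 4:
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + length]
        if set_id == 0:  # template flowset: one or more (template id, field count, fields...)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif set_id >= 256:  # data flowset, decoded with the matching template
            fields = templates.get(set_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            p = 0
            while rec_len and p + rec_len <= len(body):  # trailing padding is skipped
                rec = {}
                for ie, flen in fields:
                    raw = body[p:p + flen]
                    rec[ie] = str(IPv4Address(raw)) if ie in ADDR_FIELDS else int.from_bytes(raw, "big")
                    p += flen
                records.append(_with_timestamps(rec, sys_uptime, unix_secs))
        off += length
    return records


def build_sample_packet(unix_secs=1414680590, sys_uptime=123456, with_time=False) -> bytes:
    """Constructed v9 packet: template 256 with the NAT-style fields from the post
    (no time elements unless with_time=True) and one data record."""
    fields = [(IE_INGRESS_VRFID, 4), (IE_EGRESS_VRFID, 4), (IE_SRC_ADDR, 4),
              (IE_POST_NAT_SRC_ADDR, 4), (IE_SRC_PORT, 2), (IE_POST_NAPT_SRC_PORT, 2),
              (IE_DST_ADDR, 4), (IE_DST_PORT, 2), (IE_PROTOCOL, 1)]
    values = [1, 2, IPv4Address("10.0.0.5").packed, IPv4Address("198.51.100.7").packed,
              40000, 50123, IPv4Address("203.0.113.9").packed, 443, 6]
    if with_time:
        fields += [(IE_FLOW_START_SYSUPTIME, 4), (IE_FLOW_END_SYSUPTIME, 4)]
        values += [sys_uptime - 30000, sys_uptime - 1000]  # started 30 s ago, ended 1 s ago
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    data_body = b"".join(v if isinstance(v, bytes) else v.to_bytes(flen, "big")
                         for (_, flen), v in zip(fields, values))
    data_set = struct.pack("!HH", 256, 4 + len(data_body)) + data_body
    header = struct.pack("!HHIIII", 9, 2, sys_uptime, unix_secs, 1, 0)
    return header + tmpl_set + data_set


if __name__ == "__main__":
    for rec in parse_v9(build_sample_packet()):
        print(rec["first"], rec["last"], rec["time_source"], rec[IE_SRC_ADDR], "->", rec[IE_POST_NAT_SRC_ADDR])
```

The `time_source` marker is the part worth keeping in any real collector: once export time is substituted for first/last, duration collapses to zero and the flow appears to start at export, so downstream queries (and any correlation with firewall or IDS logs) need to know which records carry genuine flow timing and which carry only the exporter's clock.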