Re: [Nfdump-discuss] Cisco 4500x netflow v9 and IPFIX gives bad timestamps in nfcapd
From: Peter H. <ph...@us...> - 2015-08-09 11:16:57
Hi Brian,

Cisco changes every now and then a bit their way of sending/coding data .... It's not always easy to follow the trail. If you have 1.6.13 in use and still trouble, please send me a long enough pcap (including template as well as data records) for checking. All data is treated confidentially of course. Please send it to me directly, not to the list.

Thanks - Peter

On 04.08.15 15:15, Brian Epstein wrote:
> Robert, Peter,
>
> Thanks for your help on this. My main problem is that the Date/Timestamp is wrong. They are all showing up as 1969-12-31 19:00:00.000. Any idea on how to fix that?
>
> Thanks,
> ep
>
> On 07/10/2015 09:57 AM, Brian Epstein wrote:
>> Hi,
>>
>> We've been using nfdump with nfsen for years. Thanks for supporting such a great product.
>>
>> Recently, we've been trying to implement IPFIX with a couple of Cisco 4500X's and have been seeing an odd problem. The dumps come out with the wrong timestamp and INVALID as the event.
>>
>> $ nfdump -r nfcapd.201507081630-sample
>> Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port     X-Dst IP Addr:Port   In Byte Out Byte
>> 1969-12-31 19:00:00.000 INVALID Ignore TCP     157.55.39.187:32086 ->     172.16.52.154:80       0.0.0.0:0 ->       0.0.0.0:0       70        0
>> 1969-12-31 19:00:00.000 INVALID Ignore TCP      172.16.48.51:62584 ->      172.16.19.20:443      0.0.0.0:0 ->       0.0.0.0:0     3168        0
>> 1969-12-31 19:00:00.000 INVALID Ignore TCP     157.55.39.187:32086 ->     172.16.52.154:80       0.0.0.0:0 ->       0.0.0.0:0     5552        0
>> Summary: total flows: 3, total bytes: 8790, total packets: 106, avg bps: 0, avg pps: 0, avg bpp: 0
>> Time window: <unknown>
>> Total flows processed: 3, Blocks skipped: 0, Bytes read: 312
>> Sys: 0.003s flows/second: 961.8  Wall: 0.000s flows/second: 5639.1
>>
>> I thought this might be due to the template not being sent enough, so I manually added the "template data timeout 30" to the flow exporter. This does show the template being sent every 30 seconds now in the packet captures, but the date/time and event are still incorrect.
>>
>> Originally I was running 1.6.11 that comes with EL6, but then I compiled and installed 1.6.13 to see if it was fixed there. I'm still seeing the same behavior.
>>
>> Attached is a packet capture with three packets. Two have a template, and one does not. Also attached is an nfcapd file that shows some of those flows that were included in the packet capture.
>>
>> Let me know if there is anything else I can do to help troubleshoot.
>>
>> Thanks,
>> Brian
>>
>> _______________________________________________
>> Nfdump-discuss mailing list
>> Nfd...@li...
>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
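A first check on a capture like the one Peter asks for is which timestamp elements the exporter's template actually carries: 1969-12-31 19:00:00 is Unix epoch 0 rendered in a UTC-5 timezone, i.e. a start time the collector never filled in. The script below is an added example, not code from this thread or from nfdump; it parses the IPFIX template set (RFC 7011, set ID 2) and lists the IANA timing elements per template, run over a constructed message in which template 256 carries millisecond timestamps and template 257 carries none.

```python
import struct
# IANA IPFIX information element IDs that carry flow timing (subset).
TIME_IES = {21: "flowEndSysUpTime", 22: "flowStartSysUpTime",
            150: "flowStartSeconds", 151: "flowEndSeconds",
            152: "flowStartMilliseconds", 153: "flowEndMilliseconds",
            154: "flowStartMicroseconds", 155: "flowEndMicroseconds",
            322: "observationTimeSeconds", 323: "observationTimeMilliseconds"}

def parse_templates(msg):
    """Template ID -> [(ie_id, enterprise_no, length)] from every RFC 7011 template set."""
    version, msg_len = struct.unpack("!HH", msg[:4])
    if version != 10:
        raise ValueError("not an IPFIX message (version %d)" % version)
    templates, off = {}, 16                 # skip the 16-byte message header
    while off + 4 <= msg_len:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        end, pos = off + set_len, off + 4
        while set_id == 2 and pos + 4 <= end:   # set ID 2 = template set
            tid, count = struct.unpack("!HH", msg[pos:pos + 4])
            if tid < 256:                   # trailing set padding, not a template
                break
            pos, fields = pos + 4, []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", msg[pos:pos + 4])
                pos, pen = pos + 4, 0
                if ie & 0x8000:             # enterprise-specific element
                    ie &= 0x7FFF
                    pen = struct.unpack("!I", msg[pos:pos + 4])[0]
                    pos += 4
                fields.append((ie, pen, ln))
            templates[tid] = fields
        off = end
    return templates

def timing_fields(fields):
    """Names of the IANA timestamp IEs in a template ([] => no source for 'Date first seen')."""
    return [TIME_IES[ie] for ie, pen, _ in fields if pen == 0 and ie in TIME_IES]

def build_message(templates, export_time=1436354760):
    """Constructed IPFIX message with one template set (sample input, not the thread's capture)."""
    body = b"".join(struct.pack("!HH", tid, len(f)) +
                    b"".join(struct.pack("!HH", ie, ln) for ie, ln in f)
                    for tid, f in templates.items())
    return (struct.pack("!HHIII", 10, 20 + len(body), export_time, 1, 1)
            + struct.pack("!HH", 2, 4 + len(body)) + body)
# Template 256 carries millisecond timestamps; constructed 257 carries none.
SAMPLE = build_message({
    256: [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (152, 8), (153, 8)],
    257: [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]})
```

To run it on a real capture, feed each UDP payload from the pcap to parse_templates; a template that yields an empty timing_fields list, or only elements the collector version does not understand, is where the epoch-0 dates come from.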