Bug 1944

Summary: Wrong "Date flow start" and "Duration Proto" in version 9 with nfcapd
Product: softflowd Reporter: a-zazell <8509985>
Component: softflowdAssignee: Damien Miller <djm>
Status: CLOSED INVALID    
Severity: critical CC: 8509985
Priority: P2    
Version: -current   
Hardware: amd64   
OS: FreeBSD   

Description a-zazell 2011-10-19 17:00:05 AEDT 
Hello, i'm from Russia, so sorry my english please.
We have:
1. Sensor:
# uname -a
FreeBSD HOST 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Sat Oct  8 16:37:12 MSD 2011     root@HOST:/usr/obj/usr/src/sys/MYKERNEL  amd64

# date
Wed Oct 19 09:50:03 MSD 2011

# pkg_info | grep softflowd
softflowd-0.9.8_2   Softflowd is flow-based network traffic analyser with expor

Start softflowd daemon like:
/usr/local/sbin/softflowd -v 9 -i lan -n COLLECTOR:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -m 819200 -t maxlife=20m -t general=20m -t tcp=20m

2. Collector
# uname -a
Linux COLLECTOR 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

# date
Срд Окт 19 09:49:48 MSD 2011

# nfcapd -V
nfcapd: Version: 1.6.1 $LastChangedDate: 2010-03-05 07:50:35 +0100 (Fri, 05 Mar 2010) $
$Id: nfcapd.c 51 2010-01-29 09:01:54Z haag $

Start collector nfcapd like:
/usr/local/bin/nfcapd -w -D -z -n SENSOR sensor_ip /tmp/netflowv9 -p 9998 -t 300 -u username -g usergroup -P /tmp/netflowv9/9998.pid -x /tmp/netflowv9/nfcapdmv -B 200000


So, we have this:

# nfdump -r nfcapd.201110190940
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
...
...
2011-08-30 16:16:29.631 4294958.395 TCP          10.7.8.51:3032  ->   194.186.138.86:55571        3      144     1
2011-08-30 16:16:29.631 4294958.395 TCP          10.7.8.51:3033  ->     85.234.28.15:40435        3      144     1
2011-08-30 16:16:29.631 4294958.395 TCP          10.7.8.51:3034  ->     85.143.60.93:37867        3      144     1
2011-08-30 16:31:20.713 4294591.301 UDP          10.7.8.51:39759 ->   213.142.50.205:28909        6      348     1
2011-08-30 16:31:22.295 4294965.814 TCP         10.7.8.223:59668 ->    83.149.29.243:8888         4      216     1
2011-08-30 16:31:22.295 4294965.814 TCP      83.149.29.243:8888  ->       10.7.8.223:59668        3      164     1
2011-08-30 16:16:31.643 4294958.359 TCP          10.7.8.51:3038  ->   82.151.198.182:49674        3      144     1
2011-08-30 16:31:22.728 4294419.301 UDP          10.7.8.51:39759 ->    178.70.190.49:47659        6      348     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->     95.32.209.62:10951        1       95     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->     94.45.20.135:35691        1       95     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->      95.31.31.38:42219        1       95     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->    95.134.28.165:49557        1       95     1
2011-08-30 16:31:23.415 4294966.609 TCP          10.7.8.51:4677  ->     95.72.152.15:59368        5      294     1
2011-08-30 16:31:23.415 4294966.609 TCP       95.72.152.15:59368 ->        10.7.8.51:4677         3      128     1
...
...

Wrong "Date flow start" and "Duration Proto" ...

PS: On the page http://www.freebsd.org/ru/ports/net-mgmt.html for port softflowd-0.9.8_2 we need packages: gettext-0.18.1.1, gmake-3.82, libiconv-1.13.1_1, but we haven't install gmake-3.82 before ... It can be a reason?
Comment 1 a-zazell 2011-10-19 18:40:14 AEDT 
Now we install nfdump on Sensor machine:

# pkg_info | grep nfdump
nfdump-1.6.4        Command-line tools to collect and process NetFlow data

Same problem ...
Comment 2 a-zazell 2011-10-20 06:30:17 AEDT 
Now i try this:

#softflowd -i lan -n 127.0.0.1:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -t maxlife=300
#nfcapd -w -D -z -n local,127.0.0.1,/tmp/netflowv9 -p 9998 -t 300 -P /tmp/netflowv9/9998.pid -B 200000

And we have norm output:

# nfdump -r nfcapd.201110192310
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2011-10-19 23:09:20.381     0.000 TCP        64.4.62.124:81    ->       10.7.8.230:1825         1       40     1
2011-10-19 23:11:47.595    12.775 TCP         10.7.8.230:1847  ->    74.125.79.104:80          17     4589     1
2011-10-19 23:11:47.595    12.775 TCP      74.125.79.104:80    ->       10.7.8.230:1847        31    28173     1
2011-10-19 23:11:56.585     3.477 TCP         10.7.8.230:1862  ->    74.125.79.104:80          22     4825     1
2011-10-19 23:11:56.585     3.477 TCP      74.125.79.104:80    ->       10.7.8.230:1862        46    49094     1
2011-10-19 23:09:17.224   317.015 ICMP         10.7.8.20:0     ->          8.8.8.8:8.0        309    18540     1
2011-10-19 23:09:17.314   316.015 ICMP           8.8.8.8:0     ->        10.7.8.20:0.0        306    18360     1
2011-10-19 23:09:18.014   320.709 ICMP        10.7.8.230:0     ->          8.8.8.8:8.0        189    11340     1
...
...
Summary: total flows: 55, total bytes: 483200, total packets: 3268, avg bps: 11975, avg pps: 10, avg bpp: 147
Time window: 2011-10-19 23:09:16 - 2011-10-19 23:14:39
Total flows processed: 55, Blocks skipped: 0, Bytes read: 2912
Sys: 0.002s flows/second: 24336.3    Wall: 0.000s flows/second: 77355.8
Comment 3 Damien Miller 2019-01-23 20:05:01 AEDT 
softflowd is not longer in this bugtracker
Comment 4 Damien Miller 2019-01-23 20:06:01 AEDT 
softflowd is not longer in this bugtracker
Comment 5 Damien Miller 2022-02-25 13:56:10 AEDT 
closing bugs resolved before openssh-8.9