Adjust date first seen in netflow data
Hi all,
I have a question about netflow data. A network device of one of our customers is not able to provide the current date and time to the netflow data and the information within the Network Analyzer for this source is incomplete. The nfcapd files show a date of 1970-01-01.
I have configured a Linux server which sends netflows according to the Knowledge Base article "Configuring a Linux Server To Send Netflow Data" and it works as it should, so we know what these nfcapd files should look like.
Is there a way to add a current timestamp which replaces the timestamps of 1970-01-01 on the Linux server which is running the Network Analyzer? It doesn't have to be the exact timestamp; if it has a timestamp which differs several minutes from it, that's acceptable. The main goal is to see the traffic from the source.
Regards,
Fred
Re: Adjust date first seen in netflow data
Hello support@nagios.nl
Thanks for reaching out, we see that this issue pops up and found a similar issue. First thing is to make sure that the system date/time/timezone is synced across OS/Apache/etc...
Let's find out what version and compare to sourceforge.
    nfdump -V
To upgrade: (Please note that you may lose previous flow information by performing this procedure)
    cd /tmp
    wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-thelatestversionhere/nfdump-x.xx.xx.tar.gz/download
    tar xzf download
    cd nfdump-x.xx.xx/
    ./configure --enable-sflow --enable-nsel
    make
    make install
To verify nfdump and whether NSEL support is on, run the following command:
    nfdump -V
Thanks,
Perry
Re: Adjust date first seen in netflow data
Hi Perry,
The Linux server, which sends netflows as a test, is showing the correct time first seen field, so all time related settings are correct.
The latest version I am seeing at sourceforge.net is nfdump-1.6.3
When I look at the version of nfdump and related commands on the server they are from a newer version.
    [root@nna flows]# for PROG in {s,n}fcapd nfdump; do $PROG -V;done
    sfcapd: Version: 1.6.22
    nfcapd: Version: 1.6.22
    nfdump: Version: NSEL-NEL1.6.22
Thereby it is visible that NSEL is enabled, I presume.
Is it perhaps possible to use the nfcapd command to provide the netflow data from a current timestamp?
    nna 49106 1 0 Nov25 ? 00:00:01 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/<site1>/flows -p 9202 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/<site1>/9202.pid -D -e -w -z -T all
    nna 49107 49106 0 Nov25 ? 00:00:02 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/<site1>/flows -p 9202 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/<site1>/9202.pid -D -e -w -z -T all
I have to examine the specific parameters and what they do exactly, but if you have some experience with using it, please let us know!
Kind regards,
Fred
Re: Adjust date first seen in netflow data
Hello @support.nagios.nl
Thanks for following up, I brought this topic to our team meeting this morning to bounce ideas and options.
We wonder what the name, make, and model of the device is that you are receiving NetFlow data from? We want to find out if it is possible to put the time/date from it. But, it sounds like you have already determined that it is not able to. To answer your question, there is not a way to "pipe" the date/time into the flow data; it has to be included at the source. I understand that downgrading to Netflow version 5 can provide a workaround, but that would need to be tested and verified as a possible workaround.
Thanks,
Perry
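Perry's point above is that the collector cannot inject a clock into the flow records, so the exporter itself has to be fixed. Until that happens, the 1970 records are still usable for Fred's stated goal of seeing the traffic, provided they are flagged and given an approximate time at the reporting stage rather than silently. The following is an added example written for this thread, not code from the forum, from Nagios Network Analyzer or from the nfdump project. It reads nfdump CSV output (as produced by `nfdump -r <nfcapd file> -o csv`, assuming the leading `ts,te,td` columns of nfdump 1.6), treats any first-seen time before 2000-01-01 as a clock fault (a threshold chosen for this example), substitutes the start of the capture window taken from the nfcapd file name, and records what it did in two extra columns (`ts_orig`, `ts_source`) so the approximation stays auditable. The sample flows and the file path are constructed.

```python
"""Detect and mark epoch-zero first-seen times in nfdump CSV output.

Added example for the Nagios forum thread; not code from Nagios, Network
Analyzer or the nfdump project. Assumptions: flows were dumped with
`nfdump -r nfcapd.YYYYMMDDHHMM -o csv`, the leading CSV columns are
ts,te,td (first seen, last seen, duration) as nfdump 1.6 prints them, and
the nfcapd file name encodes the start of the capture window. The
2000-01-01 floor and the ts_orig/ts_source columns are this example's own.
"""
import csv
import io
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
CLOCK_FLOOR = datetime(2000, 1, 1)   # assumption: anything earlier is a clock fault
NFCAPD_PREFIX = "nfcapd."

# Constructed sample: two flows from an exporter that never got a clock and
# one from a healthy exporter. Only the leading nfdump CSV columns are kept.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt
1970-01-01 00:00:00,1970-01-01 00:00:03,3.000,10.0.0.5,10.0.0.9,51234,443,TCP,12,4560
1970-01-01 00:00:07,1970-01-01 00:00:07,0.000,10.0.0.5,10.0.0.53,40000,53,UDP,1,76
2019-11-25 10:07:12,2019-11-25 10:07:15,3.000,192.0.2.8,198.51.100.20,33000,22,TCP,40,9000
"""
SAMPLE_FILE = "/usr/local/nagiosna/var/site1/flows/nfcapd.201911251005"  # constructed path


def window_start(nfcapd_path):
    """Capture window start parsed from an nfcapd file name (nfcapd.YYYYMMDDHHMM)."""
    name = nfcapd_path.rsplit("/", 1)[-1]
    if not name.startswith(NFCAPD_PREFIX):
        raise ValueError("not an nfcapd file name: %r" % nfcapd_path)
    stamp = name[len(NFCAPD_PREFIX):len(NFCAPD_PREFIX) + 12]
    return datetime.strptime(stamp, "%Y%m%d%H%M")


def repair_flows(csv_text, nfcapd_path):
    """Return (rows, stats).

    Rows whose ts is older than CLOCK_FLOOR get ts/te rewritten to the
    capture window start (keeping the flow's own duration) and are marked
    ts_source='capture-window'; healthy rows are marked 'exporter'. The
    original ts is kept in ts_orig so the substitution can be audited.
    """
    start = window_start(nfcapd_path)
    rows, stats = [], {"total": 0, "repaired": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        stats["total"] += 1
        ts = datetime.strptime(row["ts"], TS_FORMAT)
        te = datetime.strptime(row["te"], TS_FORMAT)
        row["ts_orig"] = row["ts"]
        if ts < CLOCK_FLOOR:
            row["ts"] = start.strftime(TS_FORMAT)
            row["te"] = (start + (te - ts)).strftime(TS_FORMAT)  # preserve duration
            row["ts_source"] = "capture-window"
            stats["repaired"] += 1
        else:
            row["ts_source"] = "exporter"
        rows.append(row)
    return rows, stats


def to_csv(rows):
    """Serialise rows back to CSV text with the two added columns appended."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    fixed, stats = repair_flows(SAMPLE_CSV, SAMPLE_FILE)
    print("%(repaired)d of %(total)d flows carried a pre-2000 first-seen time" % stats)
    print(to_csv(fixed))
```

Because nfcapd rotates files every five minutes by default, the substituted time is off by at most that interval, which is within the tolerance Fred gave. The rewritten CSV is for reporting only: the nfcapd files stay untouched, and the `ts_source` column lets anyone reading the report tell exporter time from collector-assigned time.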
Re: Adjust date first seen in netflow data
Hello Perry,
pbroste wrote: We wonder what the name, make, and model of the device is that you are receiving NetFlow data from? We want to find out if it is possible to put the time/date from it. But, it sounds like you have already determined that it is not able to. To answer your question, there is not a way to "pipe" the date/time into the flow data; it has to be included at the source. I understand that downgrading to Netflow version 5 can provide a workaround, but that would need to be tested and verified as a possible workaround.
This device is (most probably) a Cisco 920 ASR. As Fred explained, the time/date that is stored using nfcapd reads '1970-01-01 ..'.
Thank you in advance for your advice.
Best regards, Jørgen van der Meulen
Re: Adjust date first seen in netflow data
Hello support@nagios.nl
Thanks for following up, not sure equivalent options are found in the Cisco model that you are working with but we did find this:
https://www.cisco.com/c/en/us/td/docs/r ... asr920.pdf
An example: Configuring Network Time Protocol including other options:
In the following example, a device with a hardware clock that has server associations with two other systems sends broadcast NTP packets, periodically updates the hardware clock, and redistributes time into VINES:
    clock timezone PST -8
    clock summer-time PDT recurring
    ntp server 192.168.13.57
    ntp server 192.168.11.58
    interface GigabitEthernet 0/0
Thanks,
Perry