Adjust date first seen in netflow data

This support forum board is for support questions relating to Nagios Network Analyzer, our network traffic and bandwidth analysis solution.
support@nagios.nl
Posts: 66
Joined: Wed Dec 27, 2017 2:20 pm
Location: Nieuwegein, The Netherlands

Adjust date first seen in netflow data

Post by support@nagios.nl »

Hi all,

I have a question about netflow data. A network device of one of our customers is not able to provide the current date and time in the netflow data, and the information within the Network Analyzer for this source is incomplete. The nfcapd files show a date of 1970-01-01.
I have configured a Linux server which sends netflows according to the Knowledge Base article "Configuring a Linux Server To Send Netflow Data" and it works as it should, so we know what these nfcapd files should look like.
Is there a way to add a current timestamp which replaces the timestamps of 1970-01-01 on the Linux server which is running the Network Analyzer? It doesn't have to be the exact timestamp; if it has a timestamp which differs several minutes from it, that's acceptable. The main goal is to see the traffic from the source.


Regards,
Fred
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Adjust date first seen in netflow data

Post by pbroste »

Hello support@nagios.nl

Thanks for reaching out. We see that this issue pops up and found a similar issue. The first thing is to make sure that the system date/time/timezone is synced across OS/Apache/etc.

Let's find out what version you have and compare it to SourceForge.

Code:

nfdump -V
To upgrade: (Please note that you may lose previous flow information by performing this procedure)

Code:

cd /tmp
wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-thelatestversionhere/nfdump-x.xx.xx.tar.gz/download
tar xzf download
cd nfdump-x.xx.xx/
./configure --enable-sflow --enable-nsel
make
make install
To verify nfdump and whether NSEL support is on, run the following command:

Code:

nfdump -V
Thanks,
Perry
support@nagios.nl
Posts: 66
Joined: Wed Dec 27, 2017 2:20 pm
Location: Nieuwegein, The Netherlands

Re: Adjust date first seen in netflow data

Post by support@nagios.nl »

Hi Perry,

The Linux server, which sends netflows as a test, is showing the correct "time first seen" field, so all time-related settings are correct.
The latest version I am seeing at sourceforge.net is nfdump-1.6.3.
When I look at the version of nfdump and related commands on the server, they are from a newer version.

Code:

[root@nna flows]# for PROG in {s,n}fcapd nfdump; do $PROG -V;done
sfcapd: Version: 1.6.22
nfcapd: Version: 1.6.22
nfdump: Version: NSEL-NEL1.6.22
From this it is visible that NSEL is enabled, I presume.

Is it perhaps possible to use the nfcapd command to provide the netflow data with a current timestamp?

Code:

nna        49106       1  0 Nov25 ?        00:00:01 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/<site1>/flows -p 9202 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/<site1>/9202.pid -D -e -w -z -T all
nna        49107   49106  0 Nov25 ?        00:00:02 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/<site1>/flows -p 9202 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/<site1>/9202.pid -D -e -w -z -T all
I have to examine the specific parameters and what they do exactly, but if you have some experience with using it, please let us know!

Kind regards,
Fred
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Adjust date first seen in netflow data

Post by pbroste »

Hello @support.nagios.nl

Thanks for following up. I brought this topic to our team meeting this morning to bounce ideas and options.

We wonder what the name, make, and model of the device that you are receiving NetFlow data from is. We want to find out whether it is possible to include the time/date from it, but it sounds like you have already determined that it is not able to. To answer your question, there is not a way to "pipe" the date/time into the flow data; it has to be included at the source. I understand that downgrading to NetFlow version 5 can provide a workaround, but that would need to be tested and verified as a possible workaround.

Thanks,
Perry
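Since the timestamp cannot be corrected at the collector, the practical defender's step is to measure how much of the collected data is affected and which exporters are responsible, so the gap in visibility is known rather than silent. The script below is an added example and not part of the original thread or of Nagios Network Analyzer; it audits a constructed sample of nfdump CSV-style output (the column layout ts,te,td,sa,da,sp,dp,pr,ibyt is an assumption about `nfdump -o csv`) and flags flows whose start time is the 1970 epoch or is skewed more than a tolerance from the collection time. The sanity floor of the year 2000 and the 15-minute skew tolerance are illustrative choices.

```python
from datetime import datetime, timedelta

# Constructed sample in an assumed nfdump CSV layout (ts,te,td,sa,da,sp,dp,pr,ibyt).
# Two records come from an exporter whose clock reads the 1970 epoch, as in the thread.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,ibyt
2021-11-25 10:00:01.120,2021-11-25 10:00:03.500,2.380,10.0.0.5,10.0.0.9,51234,443,TCP,8120
1970-01-01 00:00:00.000,1970-01-01 00:00:01.000,1.000,10.1.1.2,10.1.1.3,40000,53,UDP,120
1970-01-01 00:00:05.000,1970-01-01 00:00:07.000,2.000,10.1.1.2,10.1.1.7,40001,80,TCP,3000
2021-11-25 10:00:02.000,2021-11-25 10:00:02.900,0.900,10.0.0.6,10.0.0.9,51235,443,TCP,990
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
SANITY_FLOOR = datetime(2000, 1, 1)          # anything earlier is treated as an unset clock
DEFAULT_MAX_SKEW = timedelta(minutes=15)     # tolerance between flow start and collection time


def parse_rows(text):
    """Parse CSV text with a header line into a list of dicts; skips blank lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        fields = line.split(",")
        row = dict(zip(header, fields))
        row["ts"] = datetime.strptime(row["ts"], TS_FORMAT)
        row["te"] = datetime.strptime(row["te"], TS_FORMAT)
        rows.append(row)
    return rows


def classify(row, reference, max_skew=DEFAULT_MAX_SKEW):
    """Label a flow 'epoch' (clock never set), 'skew' (clock drifted) or 'ok'."""
    if row["ts"] < SANITY_FLOOR:
        return "epoch"
    if abs(row["ts"] - reference) > max_skew:
        return "skew"
    return "ok"


def audit(text, reference_str, max_skew=DEFAULT_MAX_SKEW):
    """Count flows per class and collect source addresses whose clock looks wrong.

    reference_str is the collection time in the same format as the flow timestamps.
    """
    reference = datetime.strptime(reference_str, TS_FORMAT)
    counts = {"ok": 0, "epoch": 0, "skew": 0}
    bad_exporters = set()
    flagged = []
    for row in parse_rows(text):
        label = classify(row, reference, max_skew)
        counts[label] += 1
        if label != "ok":
            bad_exporters.add(row["sa"])
            flagged.append((label, row["sa"], row["da"], row["ts"].isoformat()))
    return {"counts": counts, "exporters_with_bad_clock": bad_exporters, "flagged": flagged}


if __name__ == "__main__":
    result = audit(SAMPLE_CSV, "2021-11-25 10:05:00.000")
    print("counts:", result["counts"])
    print("sources with a bad clock:", sorted(result["exporters_with_bad_clock"]))
    for label, sa, da, ts in result["flagged"]:
        print(f"  {label:5s} {sa} -> {da} at {ts}")
```

Run against real data by feeding `nfdump -r <file> -o csv` output into `audit` with the file's capture time as the reference; the `epoch` bucket identifies exporters that need NTP configured, while the `skew` bucket catches clocks that are set but drifting, which time-bucketed reports would otherwise misplace quietly.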
support@nagios.nl
Posts: 66
Joined: Wed Dec 27, 2017 2:20 pm
Location: Nieuwegein, The Netherlands

Re: Adjust date first seen in netflow data

Post by support@nagios.nl »

Hello Perry,
pbroste wrote: We wonder what the name, make, and model of the device that you are receiving NetFlow data from is. We want to find out whether it is possible to include the time/date from it, but it sounds like you have already determined that it is not able to. To answer your question, there is not a way to "pipe" the date/time into the flow data; it has to be included at the source. I understand that downgrading to NetFlow version 5 can provide a workaround, but that would need to be tested and verified as a possible workaround.
This device is (most probably) a Cisco ASR 920. As Fred explained, the time/date stored by nfcapd reads '1970-01-01 ..'.
Thank you in advance for your advice.

Best regards, Jørgen van der Meulen
pbroste
Posts: 1288
Joined: Tue Jun 01, 2021 1:27 pm

Re: Adjust date first seen in netflow data

Post by pbroste »

Hello support@nagios.nl

Thanks for following up. I am not sure equivalent options are found in the Cisco model that you are working with, but we did find this:

https://www.cisco.com/c/en/us/td/docs/r ... asr920.pdf

An example: Configuring Network Time Protocol, including other options.
In the following example, a device with a hardware clock that has server associations with two other systems sends broadcast NTP packets, periodically updates the hardware clock, and redistributes time into VINES:

Code:

clock timezone PST -8
clock summer-time PDT recurring
ntp server 192.168.13.57
ntp server 192.168.11.58
interface GigabitEthernet 0/0
Thanks,
Perry