No Data Found - nfdump incorrect timestamp

Posted: Tue Mar 15, 2016 4:26 pm
by cpspain
I have been having this issue for some time now. I had posted it to the other support forums, before we had purchased nagiosna. Now that we have purchased, I figured I might try here for some help.

I am collecting NetFlow data from Fortigate firewalls. The date and time are set correctly on the firewalls and also on the nagiosna server. I have done packet captures on both the firewall and the nagiosna server, and the timestamps on the packets are correct. However, upon running nfdump on the flows, the date and time are off significantly; I am talking anywhere from a few days to a month.

Here is a bit of a dump that I am getting.

nfdump -R ./nfcapd.201603151555
Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2016-04-30 21:25:20.156 INVALID  Ignore TCP       10.10.63.152:58234 ->   66.119.144.157:443      50.248.107.49:58234 ->          0.0.0.0:0       72.0 M    3.7 M
2016-04-30 21:25:42.536 INVALID  Ignore TCP       10.10.63.145:51613 ->      10.10.10.24:63618          0.0.0.0:0     ->          0.0.0.0:0      248.5 M    7.6 M
2016-04-30 21:27:06.116 INVALID  Ignore TCP       10.10.63.145:51659 ->      10.10.10.24:63618          0.0.0.0:0     ->          0.0.0.0:0        6.6 M    4.2 M
2016-04-30 21:27:58.556 INVALID  Ignore TCP       10.10.63.113:60936 ->   199.193.102.49:8443     50.248.107.49:60936 ->          0.0.0.0:0       191672   303563
2016-04-30 21:25:03.326 INVALID  Ignore UDP       10.10.63.145:55012 ->    10.128.247.20:53             0.0.0.0:0     ->          0.0.0.0:0        18031    39026
2016-04-30 21:27:57.546 INVALID  Ignore TCP       10.10.63.130:57619 ->   199.193.102.49:8443     50.248.107.49:57619 ->          0.0.0.0:0       222547   523393
2016-04-30 21:25:01.776 INVALID  Ignore UDP       10.10.63.131:57198 ->    10.128.247.20:53             0.0.0.0:0     ->          0.0.0.0:0        18525    50635
Summary: total flows: 3249, total bytes: 137294870219, total packets: 131622842, avg bps: 1671231, avg pps: 200, avg bpp: 1043
Time window: 2016-04-23 07:09:17 - 2016-04-30 21:42:53
Total flows processed: 3249, Blocks skipped: 0, Bytes read: 240440
Sys: 0.113s flows/second: 28504.8    Wall: 0.171s flows/second: 18907.9

What could be the problem? If you notice the timestamp on the file and the time window being searched, they are way off. I would assume that the timestamp on the flow data is off, but according to the captures, it is correct.

Cisco NetFlow/IPFIX
    Version: 9
    Count: 18
    SysUptime: -6863.1726850592 seconds
    Timestamp: Mar 15, 2016 15:53:00.000000000 Central Daylight Time
        CurrentSecs: 1458075180
    FlowSequence: 1406643
    SourceId: 1

Any help is much appreciated.

Re: No Data Found - nfdump incorrect timestamp

Posted: Wed Mar 16, 2016 10:35 am
by bwallace
Thanks for the details, cpspain.

Since the timestamp written to the file is wrong, the issue is likely at the source, Fortigate (or possibly nfcapd) - NNA simply reads these files. We've had other users post about wrong timestamps and Fortigate before and I've directed them to this thread at Fortinet, perhaps you've already seen it though:
https://forum.fortinet.com/tm.aspx?m=127604

Here is another post where neither NNA nor Fortigate was involved, yet the scenario is the same (while using NetFlow v9). Interestingly, the OP concluded that nfcapd was the culprit:
https://github.com/phaag/nfdump/issues/14

The only thing I could suggest trying is to switch netflow versions (if possible) and see if there are any differences then.

- Hope this helps -
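One way to decide between "exporter" and "collector" from the packet capture alone is to recompute the flow times the way a v9 collector has to: the header carries SysUptime (ms since the exporter booted) and UnixSecs, each record carries FIRST/LAST_SWITCHED as uptime ms, and the record's wall-clock time is UnixSecs minus the distance between the two uptime values. The script below is an added example, not code from this thread, from nfdump/nfcapd or from Nagios Network Analyzer. It assumes the header layout from RFC 3954, uses the header values from the capture posted above, and treats the negative SysUptime that Wireshark printed as an unsigned 32-bit counter sitting just below its wrap point (an assumption, since the raw bytes were not posted); the record uptime values and the receive time are constructed. It also shows how much a wrap-unaware subtraction shifts a flow once the counter rolls over.

```python
"""Sanity-check NetFlow v9 flow timestamps against the packet header.

Added example; not code from this thread, from nfdump/nfcapd or from Nagios
Network Analyzer. It assumes the v9 header layout from RFC 3954 and that the
FIRST_SWITCHED/LAST_SWITCHED fields carry exporter uptime in milliseconds.
"""
import struct
from datetime import datetime, timedelta, timezone

# NetFlow v9 packet header (RFC 3954 section 5.1), all fields big-endian:
# Version(2) Count(2) SysUptime(4, ms since boot) UnixSecs(4) SequenceNumber(4) SourceId(4)
V9_HEADER = struct.Struct("!HHIIII")
COUNTER_WRAP_MS = 1 << 32  # a 32-bit ms uptime counter wraps every ~49.7 days


def parse_v9_header(packet: bytes) -> dict:
    """Unpack the 20-byte v9 header into named fields."""
    fields = V9_HEADER.unpack_from(packet, 0)
    version, count, sys_uptime_ms, unix_secs, sequence, source_id = fields
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    return {"version": version, "count": count, "sys_uptime_ms": sys_uptime_ms,
            "unix_secs": unix_secs, "sequence": sequence, "source_id": source_id}


def switched_to_unix_ms(header: dict, switched_ms: int, wrap_aware: bool = True) -> int:
    """Turn a FIRST/LAST_SWITCHED uptime value into Unix time in ms.

    Both the header's SysUptime and the record's value count ms since exporter
    boot modulo 2^32, so their distance must be taken modulo 2^32 too. With
    wrap_aware=False the plain subtraction is used, which is off by ~49.7 days
    whenever the counter wrapped between the record and the header.
    """
    if wrap_aware:
        age_ms = (header["sys_uptime_ms"] - switched_ms) % COUNTER_WRAP_MS
        if age_ms > COUNTER_WRAP_MS // 2:
            age_ms -= COUNTER_WRAP_MS  # record is slightly newer than the header
    else:
        age_ms = header["sys_uptime_ms"] - switched_ms
    return header["unix_secs"] * 1000 - age_ms


def unix_ms_to_iso(unix_ms: int) -> str:
    """Render Unix ms as an ISO-8601 UTC string with ms precision (integer math, no float drift)."""
    base = datetime.fromtimestamp(unix_ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=unix_ms % 1000)).isoformat(timespec="milliseconds")


def check_record(header: dict, switched_ms: int, received_at_secs: int,
                 tolerance_secs: int = 600) -> tuple:
    """Compare a record's computed time with the collector's receive time.

    Returns (iso_time, skew_secs, ok). A record whose time lands far from when
    the packet arrived points at a clock or uptime fault on the exporter (or a
    wrap bug in the collector), not at the tool that reads the nfcapd files.
    """
    unix_ms = switched_to_unix_ms(header, switched_ms)
    skew = unix_ms / 1000.0 - received_at_secs
    return unix_ms_to_iso(unix_ms), skew, abs(skew) <= tolerance_secs


# Constructed sample header using the field values from the capture in the
# thread. Wireshark rendered SysUptime as -6863.17 s; the wire field is an
# unsigned 32-bit ms counter, so that display is assumed here to mean a value
# just below the wrap point: 2^32 - 6863173 ms.
SAMPLE_SYS_UPTIME_MS = COUNTER_WRAP_MS - 6863173
SAMPLE_UNIX_SECS = 1458075180  # Mar 15, 2016 15:53:00 CDT (20:53:00 UTC)
SAMPLE_PACKET = V9_HEADER.pack(9, 18, SAMPLE_SYS_UPTIME_MS, SAMPLE_UNIX_SECS, 1406643, 1)


if __name__ == "__main__":
    hdr = parse_v9_header(SAMPLE_PACKET)
    # Constructed record switched 4123 ms before the header was stamped; collector
    # received the packet one second after UnixSecs.
    print("healthy    :", check_record(hdr, SAMPLE_SYS_UPTIME_MS - 4123, SAMPLE_UNIX_SECS + 1))
    # Header stamped just after the counter wrapped, record switched just before it.
    wrapped = dict(hdr, sys_uptime_ms=1200)
    old_record = COUNTER_WRAP_MS - 7296
    print("wrap-aware :", unix_ms_to_iso(switched_to_unix_ms(wrapped, old_record)))
    print("naive      :", unix_ms_to_iso(switched_to_unix_ms(wrapped, old_record, wrap_aware=False)))
```

Run against a real capture, feed parse_v9_header the first 20 bytes of each UDP payload and check_record each record's LAST_SWITCHED with the pcap frame time as received_at_secs: if the computed times are already weeks off the frame time, the fault is in the exporter's header (clock or uptime), whereas if they are sane here but wrong in the nfcapd files, the collector's handling of the uptime arithmetic is the place to look.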