
Adjust date first seen in netflow data

Posted: Tue Nov 30, 2021 10:41 am
by support@nagios.nl
Hi all,

I have a question about netflow data. A network device of one of our customers is not able to provide the current date and time in the netflow data, and the information within the Network Analyzer for this source is incomplete. The nfcapd files show a date of 1970-01-01.
I have configured a Linux server which sends netflows according to the Knowledge Base article "Configuring a Linux Server To Send Netflow Data", and it works as it should, so we know what these nfcapd files should look like.
Is there a way to add a current timestamp which replaces the timestamps of 1970-01-01 on the Linux server which is running the Network Analyzer? It doesn't have to be the exact timestamp; if it has a timestamp which differs several minutes from it, that's acceptable. The main goal is to see the traffic from the source.


Regards,
Fred

Re: Adjust date first seen in netflow data

Posted: Tue Nov 30, 2021 4:54 pm
by pbroste
Hello support@nagios.nl

Thanks for reaching out. We have seen this issue pop up before and found a similar issue. The first thing is to make sure that the system date/time/timezone is synced across the OS/Apache/etc.

Let's find out what version you have and compare it to SourceForge.

Code:

nfdump -V
To upgrade (please note that you may lose previous flow information by performing this procedure):

Code:

cd /tmp
# Replace "thelatestversionhere" and "x.xx.xx" with the release you picked on SourceForge.
# Prefer https:// for the download and check the tarball against the checksum published there.
wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-thelatestversionhere/nfdump-x.xx.xx.tar.gz/download
tar xzf download          # SourceForge saves the tarball under the name "download"
cd nfdump-x.xx.xx/
./configure --enable-sflow --enable-nsel   # builds sfcapd and the NSEL/NEL (Cisco ASA/NAT) decoders
make
make install              # needs root; installs under /usr/local by default
To verify nfdump and whether NSEL support is on, run the following command:

Code:

nfdump -V
Thanks,
Perry

Re: Adjust date first seen in netflow data

Posted: Wed Dec 01, 2021 8:03 am
by support@nagios.nl
Hi Perry,

The Linux server, which sends netflows as a test, is showing the correct "time first seen" field, so all time-related settings are correct.
The latest version I am seeing at sourceforge.net is nfdump-1.6.3.
When I look at the version of nfdump and related commands on the server, they are from a newer version.

Code:

[root@nna flows]# for PROG in {s,n}fcapd nfdump; do $PROG -V;done
sfcapd: Version: 1.6.22
nfcapd: Version: 1.6.22
nfdump: Version: NSEL-NEL1.6.22
From that it is visible that NSEL is enabled, I presume.

Is it perhaps possible to use the nfcapd command to provide the netflow data with a current timestamp?

Code:

nna        49106       1  0 Nov25 ?        00:00:01 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/<site1>/flows -p 9202 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/<site1>/9202.pid -D -e -w -z -T all
nna        49107   49106  0 Nov25 ?        00:00:02 /usr/local/bin/nfcapd -I 5 -l /usr/local/nagiosna/var/<site1>/flows -p 9202 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/<site1>/9202.pid -D -e -w -z -T all
I have to examine the specific parameters and what they do exactly, but if you have some experience with using it, please let us know!

Kind regards,
Fred

Re: Adjust date first seen in netflow data

Posted: Thu Dec 02, 2021 10:44 am
by pbroste
Hello @support.nagios.nl

Thanks for following up, I brought this topic to our team meeting this morning to bounce ideas and options.

We wonder what the name, make, and model are of the device that you are receiving NetFlow data from. We want to find out if it is possible to get the time/date from it. But it sounds like you have already determined that it is not able to. To answer your question, there is not a way to "pipe" the date/time into the flow data; it has to be included at the source. I understand that downgrading to NetFlow version 5 can provide a workaround, but that would need to be tested and verified as a possible workaround.

Thanks,
Perry
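Since the collector cannot supply the missing timestamp and it has to come from the exporter, the practical check is to find out which exporter is the one sending epoch-zero flows. The script below is an added example, not part of this thread and not Nagios or nfdump code: it parses the CSV that `nfdump -r <nfcapd file> -o csv` prints (the column names `ts` for "first seen" and `ra` for the exporting router address are assumed from nfdump's CSV header; the sample rows and the trailing "Summary" lines are constructed) and counts, per router, how many flows carry a first-seen time within a day of 1970-01-01. The one-day slack matters because an unset clock rendered in a +0100 zone shows up as 1970-01-01 01:00:00, not 00:00:00.

```python
"""Find exporters whose NetFlow records carry an epoch-zero 'first seen' time.

Added example for the nfdump/Nagios Network Analyzer thread above; not project code.
Input is the CSV produced by `nfdump -r <nfcapd file> -o csv` (column layout assumed).
"""
import csv
import io
import sys
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: only the nfdump CSV columns used here are kept, plus the
# "Summary" block nfdump appends, which the parser must skip.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt,ra
2021-11-25 10:41:03.112,2021-11-25 10:41:07.880,4.768,10.1.1.5,10.2.2.9,51234,443,TCP,12,3344,192.0.2.10
2021-11-25 10:41:05.000,2021-11-25 10:41:05.010,0.010,10.1.1.6,10.2.2.9,53,53,UDP,1,80,192.0.2.10
1970-01-01 00:00:00.000,1970-01-01 00:00:03.500,3.500,10.9.0.2,10.2.2.9,40001,443,TCP,8,1200,192.0.2.20
1970-01-01 01:00:00.000,1970-01-01 01:00:00.000,0.000,10.9.0.3,10.2.2.9,40002,80,TCP,2,120,192.0.2.20
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
4,4744,23,0,0,206
"""

NFDUMP_TS = "%Y-%m-%d %H:%M:%S.%f"   # nfdump's CSV timestamp format (assumed)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_SLACK = timedelta(days=1)     # covers timezone offsets applied to an unset clock


def parse_ts(text):
    """Parse an nfdump CSV timestamp; raises ValueError for non-timestamp rows."""
    return datetime.strptime(text, NFDUMP_TS).replace(tzinfo=timezone.utc)


def is_epoch_zero(ts):
    """True if the exporter's clock was evidently never set."""
    return ts - EPOCH < EPOCH_SLACK


def scan(csv_text):
    """Return {router_address: {"total": n, "epoch": m}} over the data rows."""
    stats = defaultdict(lambda: {"total": 0, "epoch": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            first_seen = parse_ts(row.get("ts") or "")
        except ValueError:
            continue                      # "Summary" block and other non-flow lines
        router = row.get("ra") or "?"
        stats[router]["total"] += 1
        if is_epoch_zero(first_seen):
            stats[router]["epoch"] += 1
    return dict(stats)


def broken_exporters(stats):
    """Routers for which every observed flow has an epoch-zero first-seen time."""
    return sorted(r for r, s in stats.items() if s["total"] and s["epoch"] == s["total"])


if __name__ == "__main__":
    # Usage: nfdump -r nfcapd.202111251040 -o csv | python3 epoch_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    result = scan(text)
    for router, s in sorted(result.items()):
        print(f"{router}: {s['epoch']}/{s['total']} flows with epoch-zero first-seen")
    print("exporters with unset clocks:", ", ".join(broken_exporters(result)) or "none")
```

Run it against the real nfcapd files from the affected site directory; a router that shows up in `broken_exporters` is the one whose clock (or NTP configuration) needs fixing, which is where Perry's advice points.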

Re: Adjust date first seen in netflow data

Posted: Mon Dec 06, 2021 10:06 am
by support@nagios.nl
Hello Perry,
pbroste wrote: We wonder what the name, make, and model are of the device that you are receiving NetFlow data from. We want to find out if it is possible to get the time/date from it. But it sounds like you have already determined that it is not able to. To answer your question, there is not a way to "pipe" the date/time into the flow data; it has to be included at the source. I understand that downgrading to NetFlow version 5 can provide a workaround, but that would need to be tested and verified as a possible workaround.
This device is (most probably) a Cisco ASR 920. As Fred explained, the time/date that is stored by nfcapd reads '1970-01-01 ..'.
Thank you in advance for your advice.

Best regards, Jørgen van der Meulen

Re: Adjust date first seen in netflow data

Posted: Mon Dec 06, 2021 2:49 pm
by pbroste
Hello support@nagios.nl

Thanks for following up. I'm not sure equivalent options are found in the Cisco model that you are working with, but we did find this:

https://www.cisco.com/c/en/us/td/docs/r ... asr920.pdf

An example, "Configuring Network Time Protocol", including other options:
In the following example, a device with a hardware clock that has server associations with two other systems
sends broadcast NTP packets, periodically updates the hardware clock, and redistributes time into VINES:
clock timezone PST -8
clock summer-time PDT recurring
ntp server 192.168.13.57
ntp server 192.168.11.58
interface GigabitEthernet 0/0
Thanks,
Perry