[5.1] pflow(4) flow with starttime *after* endtime

Patrick Lamaiziere
Hello,

We have just noticed that pflow (v5) sometimes (but often) uses a
StartTime value which is later than the EndTime.
So the duration is interpreted as 4294966.296000000 seconds.
This confuses our collector (nfsen).

(wireshark)
   pdu 19/30
        SrcAddr: 194.57.169.116 (194.57.169.116)
        DstAddr: 129.20.254.1 (129.20.254.1)
        NextHop: 0.0.0.0 (0.0.0.0)
        InputInt: 0
        OutputInt: 0
        Packets: 3
        Octets: 164
        [Duration: 4294966.296000000 seconds]
            StartTime: 251367.000000000 seconds
            EndTime: 251366.000000000 seconds
        SrcPort: 55680
        DstPort: 53
        padding
        TCP Flags: 0x00
        Protocol: 6
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 194.57.169.116/32)
        DstMask: 0 (prefix: 129.20.254.1/32)
        padding

Any clue?
Thanks, regards.


Re: [5.1] pflow(4) flow with starttime *after* endtime

Hrvoje Popovski
On 26.7.2012. 18:31, Patrick Lamaiziere wrote:

> Hello,
>
> We have just noticed that pflow (v5) sometimes (but often) uses a
> StartTime value which is later than the EndTime.
> So the duration is interpreted as 4294966.296000000 seconds.
> This confuses our collector (nfsen).
>
> (wireshark)
>    pdu 19/30
>         SrcAddr: 194.57.169.116 (194.57.169.116)
>         DstAddr: 129.20.254.1 (129.20.254.1)
>         NextHop: 0.0.0.0 (0.0.0.0)
>         InputInt: 0
>         OutputInt: 0
>         Packets: 3
>         Octets: 164
>         [Duration: 4294966.296000000 seconds]
>             StartTime: 251367.000000000 seconds
>             EndTime: 251366.000000000 seconds
>         SrcPort: 55680
>         DstPort: 53
>         padding
>         TCP Flags: 0x00
>         Protocol: 6
>         IP ToS: 0x00
>         SrcAS: 0
>         DstAS: 0
>         SrcMask: 0 (prefix: 194.57.169.116/32)
>         DstMask: 0 (prefix: 129.20.254.1/32)
>         padding
>
> Any clue?
> Thanks, regards.
>

I have the same problem, 4294906.296 is the most common flow duration in
nfsen :)


Re: [5.1] pflow(4) flow with starttime *after* endtime

Patrick Lamaiziere
On Fri, 27 Jul 2012 11:13:21 +0200,
Hrvoje Popovski <[hidden email]> wrote:

> On 26.7.2012. 18:31, Patrick Lamaiziere wrote:
> > Hello,
> >
> > We have just noticed that pflow (v5) sometimes (but often) uses a
> > StartTime value which is later than the EndTime.
> > So the duration is interpreted as 4294966.296000000 seconds.
> > This confuses our collector (nfsen).

For the record, that should be fixed in current (r1.21).
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c

Thanks, regards.
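
An added illustration, not part of the original thread and not OpenBSD or nfsen code: NetFlow v5 carries First and Last as 32-bit millisecond uptime values, so a start one second after the end becomes the 4294966.296 s duration in the capture when subtracted as unsigned. The sketch packs a constructed record with the capture's values and flags the inversion on the collector side; the function names and the half-range rule for telling an inversion from a genuine uptime wrap are assumptions.

```python
import socket
import struct

# NetFlow v5 flow record: 48 bytes, network byte order.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
U32 = 1 << 32


def build_record(src, dst, pkts, octets, first_ms, last_ms, sport, dport, proto):
    """Pack a constructed v5 record (sample input for this example only)."""
    return V5_RECORD.pack(
        socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
        0, 0, pkts, octets, first_ms, last_ms, sport, dport,
        0, proto, 0, 0, 0, 0, 0)


def check_record(raw):
    """Return (naive_duration_s, signed_delta_ms, inverted) for one record."""
    fields = V5_RECORD.unpack(raw)
    first_ms, last_ms = fields[7], fields[8]
    # Plain unsigned 32-bit subtraction, as a collector would do it.
    naive_ms = (last_ms - first_ms) % U32
    # Assumed rule: a wrapped difference in the upper half of the range
    # means Last precedes First, not a flow lasting more than 24 days.
    signed_ms = naive_ms - U32 if naive_ms >= U32 // 2 else naive_ms
    return naive_ms / 1000.0, signed_ms, signed_ms < 0


if __name__ == "__main__":
    # Values from the capture: StartTime 251367 s, EndTime 251366 s.
    bad = build_record("194.57.169.116", "129.20.254.1", 3, 164,
                       251367000, 251366000, 55680, 53, 6)
    # Constructed: the uptime counter wraps during a 2-second flow.
    wrapped = build_record("194.57.169.116", "129.20.254.1", 3, 164,
                           U32 - 500, 1500, 55680, 53, 6)
    for name, rec in (("capture", bad), ("uptime wrap", wrapped)):
        naive_s, signed_ms, inverted = check_record(rec)
        print(f"{name}: naive={naive_s:.3f}s signed={signed_ms}ms "
              f"inverted={inverted}")
```

A collector can drop or clamp records flagged as inverted instead of charting them as multi-week flows.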