[c-nsp] Sup2T / EARL8 Netflow oddities

Simon Leinen simon.leinen at switch.ch
Sun May 5 16:03:58 EDT 2013


Jeroen van Ingen writes:
> Our university upgraded from Cat6k/Sup720-3B to Cat6k/Sup2TXL a while
> ago. Recently a few researchers who use our NetFlow data noticed that
> the NetFlow exports sometimes contain strange values: there are flow
> records with a negative duration (flow end before flow start time) and
> some exported flows are far (>1 month) in the past or future.

> We're currently running IOS 15.1(1)SY. Has anyone else noticed
> something similar?

Yes, in all releases since we got our first Sup 2Ts.  Quite annoying.
No idea whether this was already reported to Cisco as a bug.

If this happens, the start time looks reasonable, but the end time is
typically around 4194 seconds *lower* than the start time.  In my own
code, I "fix" this by increasing the end time by 4194 seconds (maybe
4195 would be better).

> If anyone wants to check their NetFlow v9 exports: Wireshark will show
> flowsets containing flow records with negative duration when using the
> display filter 'cflow.timedelta < 0'.

Great tip, thanks! As an illustration, here's an extract of a decoded
trace of Netflow v9 packets from one of our Sup 2T routers.  It shows
the range of the time differences:

$ tshark -V -d udp.port==9910,cflow -r ce3-flows.pcap 'cflow.timedelta < 0' | grep 'Duration: -'
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.100000000 seconds]
            [Duration: -4194.100000000 seconds]
            [Duration: -4194.100000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
            [Duration: -4194.050000000 seconds]
[...]
-- 
Simon.
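Added example (not code from Simon, Jeroen or any collector mentioned in the thread): a small Python check that reproduces, on decoded fields, what the 'cflow.timedelta < 0' filter does on a pcap, and also flags the second symptom Jeroen describes (flow timestamps far from the export time). It assumes NetFlow v9 records carrying FIRST_SWITCHED/LAST_SWITCHED as sysUptime milliseconds, computes absolute times from the export header's unixSecs/sysUptime anchor, and applies the 4194 s workaround exactly as stated in the post; the offset, the one-month window and the sample header/records are constructed for the example, and the 32-bit sysUptime wrap is not handled.

```python
import struct
from dataclasses import dataclass

# NetFlow v9 export header (RFC 3954 section 5.1): version, count,
# sysUptime (ms), unixSecs, sequence number, source ID.
V9_HEADER = struct.Struct("!HHIIII")

# Workaround value from the post above; an observed offset, not a documented constant.
OFFSET_MS = 4194 * 1000
# Flag flows whose absolute start/end is more than ~1 month away from the export time.
MAX_SKEW_S = 30 * 24 * 3600


@dataclass
class FlowTimes:
    first_ms: int  # FIRST_SWITCHED (field 22), router sysUptime in ms
    last_ms: int   # LAST_SWITCHED (field 21), router sysUptime in ms


def parse_v9_header(pkt: bytes) -> dict:
    """Decode the 20-byte v9 header; raises if the packet is not v9."""
    version, count, sys_uptime, unix_secs, seq, source_id = V9_HEADER.unpack_from(pkt, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    return {"count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
            "sequence": seq, "source_id": source_id}


def absolute_time(hdr: dict, uptime_ms: int) -> float:
    """Map a sysUptime value to wall-clock seconds using the header anchor.
    (32-bit sysUptime wrap-around is ignored here.)"""
    return hdr["unix_secs"] - (hdr["sys_uptime"] - uptime_ms) / 1000


def check_record(hdr: dict, rec: FlowTimes) -> dict:
    """Detect negative duration and far-off timestamps; apply the +4194 s fix."""
    duration_s = (rec.last_ms - rec.first_ms) / 1000
    issues = []
    fixed_last_ms = rec.last_ms
    if duration_s < 0:
        issues.append("negative_duration")
        fixed_last_ms = rec.last_ms + OFFSET_MS  # heuristic from the post
    first_abs = absolute_time(hdr, rec.first_ms)
    last_abs = absolute_time(hdr, fixed_last_ms)
    for label, t in (("start", first_abs), ("end", last_abs)):
        if abs(t - hdr["unix_secs"]) > MAX_SKEW_S:
            issues.append(f"{label}_far_from_export")
    return {"duration_s": duration_s,
            "fixed_duration_s": (fixed_last_ms - rec.first_ms) / 1000,
            "first_abs": first_abs, "last_abs": last_abs, "issues": issues}


def scan(hdr: dict, records: list) -> list:
    """Run check_record over a batch and return only the records with issues."""
    return [r for r in (check_record(hdr, rec) for rec in records) if r["issues"]]


# Constructed sample: one export header and three records.
SAMPLE_HEADER_BYTES = V9_HEADER.pack(9, 3, 100_000_000, 1367784238, 42, 0)
SAMPLE_HDR = parse_v9_header(SAMPLE_HEADER_BYTES)
SAMPLE_RECORDS = [
    FlowTimes(99_990_000, 99_995_000),          # sane 5 s flow
    FlowTimes(99_990_000, 95_795_950),          # end 4194.05 s before start, as in the trace
    FlowTimes(3_556_000_000, 3_556_005_000),    # timestamps ~40 days after export time
]

if __name__ == "__main__":
    for r in scan(SAMPLE_HDR, SAMPLE_RECORDS):
        print(f"duration={r['duration_s']:.3f}s fixed={r['fixed_duration_s']:.3f}s "
              f"issues={r['issues']}")
```

Note that with the 4194 s correction the sample record still comes out at -0.05 s, which is the residual the post alludes to when suggesting 4195 might fit better; a collector that drops or clamps such records should do so after the correction, not before.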

