Your exporter does not send any event time per record.
What you see in Wireshark is the timestamp of the netflow packet header, which is
not necessarily the correct event time of your events. You can also take the time
received timestamp in order to get a rough estimation. It means you have the
received time per record instead of the event time.

Regards

        - Peter


On 30.10.14 15:30, k...@inbox.lv wrote:
> Hi again. Need to return to this question. We've got new Cisco hardware, so I've
> installed the latest version of nfdump for tests. (1.6.12)
> 
> The problem is the same. Netflow traffic was generated by a simple network device,
> which cannot calculate flows or do some intellectual job. So, it sends all
> information about traffic, but in a simple way (this is done to improve the
> bandwidth, as I understand).
> So, each flow contains (picture attached):
> Ingress VRFID (cflow.ingress_vrfid)
> Egress VRFID (cflow.egress_vrfid)
> SrcAddr (cflow.srcaddr)
> Post NAT Source IPv4 Address (cflow.post_natsource_ipv4_address)
> SrcPort (cflow.srcport)
> Post NAPT Source Transport Port (cflow.post_naptsource_transport_port)
> DstAddr (cflow.dstaddr)
> DstPort (cflow.dstport)
> Protocol (cflow.protocol)
> 
> No info about a time in each flow. So, the only way how we can get it - we need
> to take Cisco Netflow/IPFIX timestamp... The main question - is it possible
> without writing my own hacks? I cannot leave this field empty, because this is
> a very important key for future analytic job.
> Thanks in advance.
> Quoting *Peter Haag <ph...@users.sourceforge.net> <mailto:ph...@users.sourceforge.net>*:
> 
>     Hi,
>     nfdump-1.5.8-NSEL was a release for CISCO ASA in the early ASA days. This
>     version is way back in time and does not support newer ASA/NSEL models.
>     It's recommended to migrate to nfdump-1.6.12, although the painful part
>     is - 1.5.8-NSEL files can not be read by 1.6.12.
> 
>     btw. time stamps are always a matter of difficulty. What do you define as
>     "current timestamp" ?
> 
>     Cheers
> 
>     - Peter
> 
>     On 29.07.14 15:58, k...@inbox.lv wrote:
>     > Hi all. I'm using nfdump-1.5.8-NSEL to catch and process our traffic (CFLOW).
>     > But our new firewall configuration cannot provide basic time values -
>     > duration, first_seen, last_seen. :(
>     > I'm not C guru, so could you advise me, how can I substitute first_seen,
>     > last_seen with current timestamp. This is definitely not the best solution,
>     > but it is suitable for my purposes...
>     >
>     > Thanks!
>     >
>     > _______________________________________________
>     > Nfdump-discuss mailing list
>     > Nfdump-discuss@lists.sourceforge.net
>     >https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>     >
> 
>     --
>     Be nice to your netflow data. Use NfSen and nfdump :)
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
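
The fallback discussed in this thread, as an added example that is not part of the original messages and is not nfdump code: a minimal NetFlow v9 decoder in Python that uses a record's own FIRST_SWITCHED field when the template carries it and otherwise stamps the record with the collector's receive time, keeping the export header time alongside. The function names, the sample packet and all its values are constructed for illustration, and the sample template uses only a subset of the fields listed in the quoted message.

```python
import struct

FIRST_SWITCHED = 22  # NetFlow v9 field type (RFC 3954); value is sysUptime-relative ms

def stamp_records(packet, recv_time):
    """Decode NetFlow v9 data records and attach the best available time to each."""
    version, _count, uptime_ms, export_secs, _seq, _src_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:  # template flowset: template id, field count, then (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                # struct.error is raised here if the template is truncated
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a known template
            tmpl = templates[fs_id]
            rec_len = sum(flen for _, flen in tmpl)
            if rec_len == 0:
                continue
            for start in range(0, len(body) - rec_len + 1, rec_len):  # trailing padding is skipped
                fields, p = {}, start
                for ftype, flen in tmpl:
                    fields[ftype] = int.from_bytes(body[p:p + flen], "big")
                    p += flen
                if FIRST_SWITCHED in fields:  # exporter sent a per-record event time
                    first, source = export_secs - (uptime_ms - fields[FIRST_SWITCHED]) / 1000.0, "record"
                else:  # no event time in the record: rough estimate from the receive time
                    first, source = recv_time, "received"
                records.append({"fields": fields, "first": first,
                                "export_time": export_secs, "time_source": source})
    return records

def sample_packet():
    """Constructed v9 packet: one template without time fields, two data records."""
    tmpl_fields = [(8, 4), (7, 2), (12, 4), (11, 2), (4, 1)]  # srcaddr, srcport, dstaddr, dstport, protocol
    tmpl = struct.pack("!HH", 256, len(tmpl_fields)) + b"".join(struct.pack("!HH", t, l) for t, l in tmpl_fields)
    rows = [(0x0A000001, 40000, 0xC0000201, 443, 6), (0x0A000002, 40001, 0xC0000201, 53, 17)]
    data = b"".join(struct.pack("!IHIHB", *r) for r in rows)
    data += b"\x00" * (-(len(data) + 4) % 4)  # pad the flowset to a 32-bit boundary
    header = struct.pack("!HHIIII", 9, 3, 3600000, 1414675800, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
```

Keeping `time_source` with each record lets later analysis tell exporter-supplied event times from receive-time estimates.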
