Hi there,
we use nProbe Pro to provide customers with flow data filtered to only their ASN flows.
Customer uses Andrisoft Wansight for visualization and Wansight complains about flows coming from the future.
After capturing flows via nfcapd from before and after nProbe processing and dumping them with nfdump I noticed the following:
- Before Flows contain timestamp.microseconds
- After Flows contain timestamp.000
- nProbe seems to be rounding up to the next full second
- nProbe is adding 60 seconds to the timestamp as well
I filtered out one IP and used Excel to sort the output by DstPort to make it easier to compare. It was totally consistent with always 1 minute added + rounded to next full second.
This correlates with our customer reporting that flows are between 1 and 55 seconds from the future.
These are our nProbe parameters:
nprobe --sender-address <ip>:2055 --collector-port 2056 --collector <ip>:10000 --flow-version 9 --sample-rate @5000:1:1 --interface none --verbose 1 --in-iface-idx 910 --out-iface-idx 917 -min-num-flows 1 --flows-intra-templ=1
Default --timestamp-format seems to be 1. When changing it to 0, nfdump only gets 1st Jan 1970 as timestamp.
I tested this on v.8.5.180523, but it also seems to occur with v.8.3.180327.
I guess this is a bug, or are there any options I am missing that would be causing this?
Best regards,
Benjamin Weik
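
An added example, not part of the original message: a Python script for the before/after comparison described above (done there in Excel), checking whether each exported flow timestamp equals the original rounded up to the next full second plus a constant whole-second shift. The row layout (timestamp followed by the flow key) and all sample values are constructed assumptions, not nfdump output.

```python
from collections import Counter
from datetime import datetime, timedelta

US = timedelta(microseconds=1)
EPOCH = datetime(1970, 1, 1)

# Constructed sample rows (not from the post): first-seen time and flow key,
# one row per flow, as reduced from a dump of each capture.
BEFORE = """\
2018-05-23 10:15:02.123456,TCP,192.0.2.10,443,198.51.100.7,51234
2018-05-23 10:15:07.900001,TCP,192.0.2.10,443,198.51.100.7,51240
2018-05-23 10:15:59.000500,UDP,192.0.2.10,53,198.51.100.9,40000
2018-05-23 10:16:10.250000,TCP,192.0.2.10,22,198.51.100.7,51300
"""
AFTER = """\
2018-05-23 10:16:03.000000,TCP,192.0.2.10,443,198.51.100.7,51234
2018-05-23 10:16:08.000000,TCP,192.0.2.10,443,198.51.100.7,51240
2018-05-23 10:17:00.000000,UDP,192.0.2.10,53,198.51.100.9,40000
"""

def parse(text):
    """Map flow key -> first-seen time in integer microseconds since epoch."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *key = line.strip().split(",")
        seen = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
        flows[tuple(key)] = (seen - EPOCH) // US
    return flows

def compare(before_text, after_text):
    """Summarise the timestamp shift for flows present in both captures."""
    before, after = parse(before_text), parse(after_text)
    offsets, subsecond_kept = Counter(), 0
    for key in before.keys() & after.keys():
        ceil_s = -(-before[key] // 1_000_000)   # round up to next full second
        whole_s, frac_us = divmod(after[key], 1_000_000)
        offsets[whole_s - ceil_s] += 1           # whole-second shift after rounding
        subsecond_kept += frac_us != 0           # flows that kept a sub-second part
    return {"offsets": dict(offsets), "subsecond_kept": subsecond_kept,
            "unmatched": len(before.keys() ^ after.keys())}

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

A single offset bucket with `subsecond_kept` at 0 means every matched flow was shifted by the same amount after rounding; several buckets would point to something other than a fixed offset.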