Hi List,
I just installed nfsen yesterday and it seems to work nicely, though I have lots
of bogus data from 2012-03-13. All bogus data starts at this date; all data
from the 14th on seems to be OK.
Example of 20 lines of this bogus data:
root@netflow:/usr/local/nfsen/profiles-data# nfdump -M /usr/local/nfsen/profiles-data/live/fw_02 -T -r 2012/03/14/nfcapd.201203141225 -n 20 -s record/bytes -A proto,srcip,srcport,dstip,dstport
Aggregated flows 4526
Top 20 flows ordered by bytes:
Date flow start Duration Proto Src IP Addr Src Pt Dst IP Addr Dst Pt Packets Bytes bps Bpp Flows
2012-03-13 22:59:50.874 4283826.177 0 120.111.192.168 15866 2.206.80.58 60149 16044.1 T 17071457.3 T 1.7 T 1064 1
2012-03-13 22:59:51.024 1617494.016 0 240.242.10.100 718 202.173.192.168 57829 24488.3 T 16589290.7 T 2.2 T 677 2
2012-03-13 22:59:51.138 1968177.152 0 234.129.10.100 718 202.173.192.168 58687 19421.8 T 11895976.9 T 1.5 T 612 1
2012-03-13 22:59:51.749 2714566.657 0 22.254.192.168 15866 2.206.80.58 63190 17451.4 T 11895976.9 T 1.1 T 681 1
2012-03-13 22:59:51.154 1508376.576 0 234.113.192.168 33433 3.44.157.55 38384 16888.5 T 11895976.9 T 1.9 T 704 1
2012-03-13 22:59:50.866 2510290.945 0 22.137.192.168 15866 2.206.80.58 63058 16888.5 T 11895976.9 T 1.2 T 704 1
2012-03-13 22:59:51.077 1679556.608 0 244.165.192.168 15866 2.206.80.58 54038 19140.3 T 9983917.4 T 3.6 T 521 1
2012-03-13 22:59:51.138 1968177.152 0 234.129.192.168 15866 2.206.80.58 49908 19140.3 T 7118220.7 T 815.7 G 371 2
2012-03-13 22:59:51.154 1442840.576 0 234.113.192.168 15866 2.206.80.58 58369 18014.4 T 7118220.7 T 1.1 T 395 2
2012-03-13 22:59:51.077 1679556.608 0 244.165.192.168 15866 2.206.80.58 63330 18295.9 T 7098798.9 T 863.4 G 387 2
2012-03-13 23:02:02.163 433324.032 0 240.175.10.100 355 202.5.192.168 64287 89509.0 T 7019985.9 T 1.9 T 78 1
2012-03-13 22:58:45.263 48476.737 0 2.228.62.226 20538 192.168.2.206 15866 274.9 G 1225160.6 T 202.2 T 4457108 1
2012-03-13 22:58:45.082 48340.918 0 2.228.94.247 55682 192.168.3.140 7502 39.2 T 1225160.6 T 202.8 T 31274 1
2012-03-13 22:58:45.318 48342.682 0 2.226.35.156 57344 10.100.202.187 252 446.7 G 1225141.6 T 202.7 T 2742793 1
2012-03-13 22:58:45.455 48438.545 0 2.227.154.18 40248 192.168.3.67 13349 253.4 G 1225039.2 T 202.3 T 4834350 1
2012-03-13 22:58:45.319 48372.681 0 2.226.160.154 44638 10.100.202.111 22303 197.6 G 1224981.0 T 202.6 T 6200285 1
2012-03-13 22:58:44.592 48469.408 0 2.228.22.137 20538 192.168.2.206 15866 292.1 G 1224979.7 T 202.2 T 4194306 1
2012-03-13 22:58:45.168 48407.832 0 2.227.69.67 615 192.168.3.65 20699 1.8 T 1224979.2 T 202.4 T 688919 1
2012-03-13 22:58:45.538 48403.462 0 2.227.149.215 61439 192.168.3.67 65530 691.5 G 1224979.2 T 202.5 T 1771507 1
2012-03-13 22:58:45.320 48341.680 0 2.226.35.153 20538 192.168.2.206 15866 566.9 G 1224979.2 T 202.7 T 2160702 1
Summary: total flows: 8176, total bytes: 1295767.7 T, total packets: 6760279.0 T, avg bps: 2.4 T, avg pps: 1.6 T, avg bpp: 0
Time window: 2012-03-13 22:58:44 - 2012-05-02 13:38:28
Total flows processed: 8176, Blocks skipped: 0, Bytes read: 393228
Sys: 0.020s flows/second: 408800.0 Wall: 0.017s flows/second: 471810.3
I therefore tried to delete this data:
* deleted the files on the day 13 in the profiles-data directory
* tried to rebuild the profiles with different strategies
* tried to use the nfexpire script with the output below
root@netflow:/usr/local/nfsen/profiles-stat/live# nfexpire -l /usr/local/nfsen/profiles-data/live/fw_02
Include nfcapd bookeeping record in /usr/local/nfsen/profiles-data/live/fw_02
First: 2012-03-14 01:20:00
Last: 2012-03-14 14:10:00
Lifetime: 46200 = 12.8 hours
Numfiles: 154
Filesize: 17350656 = 16.5 MB
Max Size: <none>
Max Life: 46800 = 13.0 hours
Watermark: 95%
Status: OK
After the expire (as you can see above) it says it has only data from the 14th,
but it still shows the bogus data and I can't get rid of these values. How can I
weed this out?
thanks, best regards
Raimund
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
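
A sanity check for listings like the one in this post, as an added example that is not part of the original message and not nfdump or nfsen code: it flags records whose flow start lies far before the capture file's time slot, or whose end lies after it. The 5-minute rotation, both thresholds and the function names are assumptions; the first two sample records are copied from the listing above and the third is constructed.

```python
import re
from datetime import datetime, timedelta

ROTATION = timedelta(minutes=5)     # assumption: nfcapd rotates files every 300 s
MAX_FLOW_AGE = timedelta(hours=1)   # assumption: longest flow this site expects
CLOCK_SKEW = timedelta(minutes=5)   # assumption: tolerated exporter clock drift

# A record line starts with "YYYY-MM-DD hh:mm:ss.mmm <duration in seconds>".
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(\d+\.\d+)\s")

# Two records from the post plus one constructed, plausible record (the last).
SAMPLE = """\
Date flow start Duration Proto Src IP Addr Src Pt Dst IP Addr Dst Pt Packets Bytes bps Bpp Flows
2012-03-13 22:59:50.874 4283826.177 0 120.111.192.168 15866 2.206.80.58 60149 16044.1 T 17071457.3 T 1.7 T 1064 1
2012-03-13 22:58:45.263 48476.737 0 2.228.62.226 20538 192.168.2.206 15866 274.9 G 1225160.6 T 202.2 T 4457108 1
2012-03-14 12:24:58.120 12.480 TCP 192.0.2.10 51514 198.51.100.7 443 18 9520 6102 528 1
"""

def slot_start(capture_file):
    """Start of the time slot encoded in an nfcapd.YYYYMMDDhhmm file name."""
    m = re.search(r"nfcapd\.(\d{12})$", capture_file)
    if not m:
        raise ValueError("not an nfcapd.YYYYMMDDhhmm name: %r" % capture_file)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M")

def suspicious_records(nfdump_text, capture_file):
    """Return (flow start, reasons) for records that do not fit the file's slot.

    Assumes the listing and the file name use the same time zone.
    """
    slot = slot_start(capture_file)
    slot_end = slot + ROTATION
    flagged = []
    for line in nfdump_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # header, summary or other non-record line
        start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        end = start + timedelta(seconds=float(m.group(2)))
        reasons = []
        if start < slot - MAX_FLOW_AGE:
            reasons.append("start_too_old")
        if end > slot_end + CLOCK_SKEW:
            reasons.append("end_after_slot")
        if reasons:
            flagged.append((m.group(1), reasons))
    return flagged

if __name__ == "__main__":
    for start, reasons in suspicious_records(SAMPLE, "2012/03/14/nfcapd.201203141225"):
        print(start, ",".join(reasons))
```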