On 3/15/12 9:53, Raimund Sacherer wrote:
> Hi List,
> 
> I just installed nfsen yesterday and it seems to work nicely, though I have lots of bogus data from 2012-03-13; all bogus
> data starts at this date, all data from 14. on seems to be OK.
> 
> Example of 20 lines of this bogus data:
> root@netflow:/usr/local/nfsen/profiles-data# nfdump -M /usr/local/nfsen/profiles-data/live/fw_02  -T  -r 2012/03/14/nfcapd.201203141225 -n 20 -s record/bytes -A proto,srcip,srcport,dstip,dstport
> Aggregated flows 4526
> Top 20 flows ordered by bytes:
> Date flow start          Duration  Proto      Src IP Addr Src Pt      Dst IP Addr Dst Pt   Packets    Bytes      bps   Bpp Flows
> 2012-03-13 22:59:50.874 4283826.177      0 120.111.192.168  15866      2.206.80.58  60149  16044.1 T 17071457.3 T    1.7 T   1064     1
> 2012-03-13 22:59:51.024 1617494.016      0   240.242.10.100    718 202.173.192.168  57829  24488.3 T 16589290.7 T    2.2 T    677     2
> 2012-03-13 22:59:51.138 1968177.152      0   234.129.10.100    718 202.173.192.168  58687  19421.8 T 11895976.9 T    1.5 T    612     1
> 2012-03-13 22:59:51.749 2714566.657      0   22.254.192.168  15866      2.206.80.58  63190  17451.4 T 11895976.9 T    1.1 T    681     1
> 2012-03-13 22:59:51.154 1508376.576      0 234.113.192.168  33433      3.44.157.55  38384  16888.5 T 11895976.9 T    1.9 T    704     1
> 2012-03-13 22:59:50.866 2510290.945      0   22.137.192.168  15866      2.206.80.58  63058  16888.5 T 11895976.9 T    1.2 T    704     1
> 2012-03-13 22:59:51.077 1679556.608      0 244.165.192.168  15866      2.206.80.58  54038  19140.3 T 9983917.4 T    3.6 T    521     1
> 2012-03-13 22:59:51.138 1968177.152      0 234.129.192.168  15866      2.206.80.58  49908  19140.3 T 7118220.7 T  815.7 G    371     2
> 2012-03-13 22:59:51.154 1442840.576      0 234.113.192.168  15866      2.206.80.58  58369  18014.4 T 7118220.7 T    1.1 T    395     2
> 2012-03-13 22:59:51.077 1679556.608      0 244.165.192.168  15866      2.206.80.58  63330  18295.9 T 7098798.9 T  863.4 G    387     2
> 2012-03-13 23:02:02.163 433324.032      0   240.175.10.100    355    202.5.192.168  64287  89509.0 T 7019985.9 T    1.9 T     78     1
> 2012-03-13 22:58:45.263 48476.737      0     2.228.62.226  20538    192.168.2.206  15866   274.9 G 1225160.6 T  202.2 T 4457108     1
> 2012-03-13 22:58:45.082 48340.918      0     2.228.94.247  55682    192.168.3.140   7502    39.2 T 1225160.6 T  202.8 T 31274     1
> 2012-03-13 22:58:45.318 48342.682      0     2.226.35.156  57344   10.100.202.187    252   446.7 G 1225141.6 T  202.7 T 2742793     1
> 2012-03-13 22:58:45.455 48438.545      0     2.227.154.18  40248     192.168.3.67  13349   253.4 G 1225039.2 T  202.3 T 4834350     1
> 2012-03-13 22:58:45.319 48372.681      0    2.226.160.154  44638   10.100.202.111  22303   197.6 G 1224981.0 T  202.6 T 6200285     1
> 2012-03-13 22:58:44.592 48469.408      0     2.228.22.137  20538    192.168.2.206  15866   292.1 G 1224979.7 T  202.2 T 4194306     1
> 2012-03-13 22:58:45.168 48407.832      0      2.227.69.67    615     192.168.3.65  20699     1.8 T 1224979.2 T  202.4 T 688919     1
> 2012-03-13 22:58:45.538 48403.462      0    2.227.149.215  61439     192.168.3.67  65530   691.5 G 1224979.2 T  202.5 T 1771507     1
> 2012-03-13 22:58:45.320 48341.680      0     2.226.35.153  20538    192.168.2.206  15866   566.9 G 1224979.2 T  202.7 T 2160702     1
> 
> Summary: total flows: 8176, total bytes: 1295767.7 T, total packets: 6760279.0 T, avg bps: 2.4 T, avg pps: 1.6 T, avg bpp: 0
> Time window: 2012-03-13 22:58:44 - 2012-05-02 13:38:28
> Total flows processed: 8176, Blocks skipped: 0, Bytes read: 393228
> Sys: 0.020s flows/second: 408800.0   Wall: 0.017s flows/second: 471810.3 
> 
> 
> I therefore tried to delete this data:
> 
> * deleted the files on the day 13 in the profiles-data directory
> * tried to rebuild the profiles with different strategies
> * tried to use the nfexpire script with the output below
> 
> root@netflow:/usr/local/nfsen/profiles-stat/live# nfexpire -l /usr/local/nfsen/profiles-data/live/fw_02
> Include nfcapd bookeeping record in /usr/local/nfsen/profiles-data/live/fw_02
> First:     2012-03-14 01:20:00
> Last:      2012-03-14 14:10:00
> Lifetime:  46200 = 12.8 hours
> Numfiles:  154
> Filesize:  17350656 = 16.5 MB
> Max Size:  <none>
> Max Life:  46800 = 13.0 hours
> Watermark: 95%
> Status:    OK
> 
> 
> After the expire (as you can see above) it says it has only data from the
> 14th, but it still shows the bogus data and I
> can't get rid of these values. How can I weed this out?

Do not mistake the date in the flows for the dates of your profile! Above you
will find the time slot when you
collected the netflow data.
Within those files you will find the timestamps related to the flow. Therefore,
you need to find the file(s) where those
bogus flows are and delete them or filter them out, then rebuild the profile.

        - Peter
> 
> thanks, best regards
> Raimund

-- 
--
Be nice to your netflow data

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
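
The check Peter describes, comparing the timestamps inside the flows with the time slot of the nfcapd file that holds them, as an added example that is not part of the original thread or of the nfdump/NfSen code. The one-hour duration limit, the five-minute rotation interval and the third sample line are assumptions; the first two sample lines are copied from the output quoted above.

```python
from datetime import datetime, timedelta

SCALE = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}  # nfdump number suffixes

SAMPLE = [  # lines 1-2 from the quoted nfdump output, line 3 constructed
    "2012-03-13 22:59:50.874 4283826.177 0 120.111.192.168 15866 "
    "2.206.80.58 60149 16044.1 T 17071457.3 T 1.7 T 1064 1",
    "2012-03-13 22:58:45.263 48476.737 0 2.228.62.226 20538 "
    "192.168.2.206 15866 274.9 G 1225160.6 T 202.2 T 4457108 1",
    "2012-03-14 12:26:10.100 12.500 6 192.0.2.10 51514 "
    "198.51.100.7 443 25 18200 11648 728 1",
]

def slot_start(filename):
    """Capture slot encoded in an nfcapd file name: nfcapd.YYYYMMDDhhmm."""
    return datetime.strptime(filename.rsplit(".", 1)[1], "%Y%m%d%H%M")

def _number(tokens):
    """Pop one possibly scaled number ('16044.1 T' or '1064') from tokens."""
    value = float(tokens.pop(0))
    if tokens and tokens[0] in SCALE:
        value *= SCALE[tokens.pop(0)]
    return value

def parse_record(line):
    """Parse one aggregated record line in the layout shown in the post."""
    t = line.split()
    start = datetime.strptime(t[0] + " " + t[1], "%Y-%m-%d %H:%M:%S.%f")
    rest = t[8:]  # packets, bytes, bps, bpp, flows
    packets, nbytes = _number(rest), _number(rest)
    return {"start": start, "duration": timedelta(seconds=float(t[2])),
            "src": t[4], "dst": t[6], "packets": packets, "bytes": nbytes}

def bogus_reasons(rec, slot, rotation=timedelta(minutes=5),
                  max_duration=timedelta(hours=1)):  # assumed thresholds
    """Why a record does not fit its capture slot (empty list = it fits)."""
    reasons = []
    if rec["duration"] > max_duration:
        reasons.append("duration")
    if rec["start"] + rec["duration"] > slot + 2 * rotation:
        reasons.append("ends-after-slot")
    return reasons

def scan(filename, lines):
    """Return (flow start, reasons) for every record line of one file."""
    slot = slot_start(filename)
    return [(r["start"], bogus_reasons(r, slot))
            for r in map(parse_record, lines)]

if __name__ == "__main__":
    for start, reasons in scan("nfcapd.201203141225", SAMPLE):
        print(start, "BOGUS " + ",".join(reasons) if reasons else "ok")
```

Files whose records come back flagged are the candidates to delete or filter before rebuilding the profile.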
