Radium/ra client tools flow timestamps oddities with direct Netflow

Drew Dixon dwdixon at umich.edu
Fri Dec 1 16:41:15 EST 2017


Hi all,

Currently as an interim solution we are reading an older Netflow v5
conversion we had already available to us due to radium not supporting
IPFIX/v10 flow data.

Netflow v5 --> radium --> racluster --> xz archives <-- ra client tool <-- user

The flow data we are getting is great and useful but I'm seeing some very
strange issues with timestamps using just the default options...the
timestamps appear to be about ~8 hours in the future (from current EST) for
some reason...NTP is fine, everything is set up properly with the time on
everything upstream of the box running radium/racluster and on that box as
well.

Is there not support for properly calculating timestamps when using radium
for reading Netflow data directly from network devices (without generating
our own off the wire using an argus server)?  I know radium/ra prints the
start time of the flow by default from what I can tell reading the docs.

Still not fully certain on all this but I took some pcaps before the data
we are reading with radium gets processed by radium and from what I
understand it's something like this in order to get the actual timestamp of
the flow:

In the pcap, the timestamp (listed above the individual flows, once per
netflow packet) is set to ~49 days ago (49 days, 17 hours, 2 minutes and 47
seconds, exactly) to allow for the maximum possible values (up to overflow
per flow).  So I believe you need to add the StartTime seconds (per flow)
to the TimeStamp (per packet) to get the actual real/current start time
timestamp of the flow.

I'm not sure if I'm on the right track with figuring this all out, I dug
into all the time stamp and time sync options available in radium/ra and
nothing really seems to fit/be an appropriate solution or really do
anything for me.

Does any of this sound familiar to anyone?

For example, flows coming in off the wire right now (~16:30) after being
read/parsed by radium are showing a timestamp of (~00:30).

Am I missing something obvious here or maybe not so obvious?  How can I get
radium to calculate the timestamps properly or adjust properly and display
them accurately in the radium parsed flow data?

Thank you much in advance,

-Drew
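
For reference alongside the question above, an added example (not part of the original post and not code from the argus project) of how absolute flow times are derived under the standard NetFlow v5 export layout. It assumes the standard semantics: the header's unix_secs/unix_nsecs give the wall clock at export, and SysUptime, First and Last are 32-bit millisecond uptime counters. The function names and the sample packet are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
WRAP_MS = 1 << 32   # SysUptime/First/Last are 32-bit millisecond counters
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def flow_times(packet):
    """Return [(start, end)] in UTC for every record in one v5 export packet."""
    version, count, uptime_ms, secs, nsecs, *_ = HDR.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet")
    if len(packet) < HDR.size + count * REC.size:
        raise ValueError("packet shorter than its record count implies")
    export_ms = secs * 1000 + nsecs // 1_000_000   # wall clock at export
    times = []
    for i in range(count):
        rec = REC.unpack_from(packet, HDR.size + i * REC.size)
        first_ms, last_ms = rec[7], rec[8]         # SysUptime at first/last packet
        # Age relative to export; the modulo keeps it correct across a wrap.
        ages = ((uptime_ms - first_ms) % WRAP_MS, (uptime_ms - last_ms) % WRAP_MS)
        times.append(tuple(EPOCH + timedelta(milliseconds=export_ms - a) for a in ages))
    return times

def sample_packet():
    """Constructed packet: exported 2017-12-01 21:30:00 UTC, 1 s after a wrap."""
    export = int(datetime(2017, 12, 1, 21, 30, tzinfo=timezone.utc).timestamp())
    header = HDR.pack(5, 1, 1000, export, 0, 0, 0, 0, 0)
    record = REC.pack(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), bytes(4),
                      1, 2, 10, 840, WRAP_MS - 4000, 500,   # First before the wrap
                      49152, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record

if __name__ == "__main__":
    for start, end in flow_times(sample_packet()):
        print(start.isoformat(), end.isoformat())
    print("counter wraps every", timedelta(milliseconds=WRAP_MS))
```

The 32-bit millisecond counter wraps every 49 days, 17 hours, 2 minutes and 47.296 seconds, which is the interval mentioned in the post. Results are returned in UTC, so any local-time rendering is a separate step.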