Wrong timestamp of the flow

 

Information

 

Summary:

Timestamp of the flow is in the past or the future.

Environment:

Product: Flowmon

Version: any

Platform: any

Question/Problem Description: Advanced analysis shows flows that do not match the selected time interval.
Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:

Incorrect timestamps usually occur if the flow source is a third-party device. NetFlow v9 and IPFIX send relative timestamps, which are calculated incorrectly if the SysUptime information is missing or its value is incorrect.

For verification:

1. Create a packet capture with tcpdump, e.g.:
tcpdump -i eth0 -w /tmp/flows.pcap 'host <flow_source_IP>'

2. Calculate the timestamp of the flow and compare this value with the one shown in the advanced analysis.

SysUptime -> time in seconds since the device boot/flow export initialization.
CurrentSecs -> absolute timestamp of packet export with flow data (time in seconds from 1.1.1970).
The relative timestamp calculation is for each flow:
CurrentSecs - SysUptime + StartTime/EndTime (start/end time in seconds).
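
The calculation above applied to a NetFlow v9 export header, as an added example (not Flowmon code). It assumes the RFC 3954 header layout, where SysUptime and a record's FIRST_SWITCHED/LAST_SWITCHED values are carried in milliseconds and are converted to seconds before the formula is applied; the function names, the one-hour max_age_secs threshold and the sample headers are constructed for illustration.

```python
import struct

# NetFlow v9 export header (RFC 3954): version, count, sysUptime (ms),
# unix_secs, sequence number, source id; 20 bytes, network byte order.
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9_header(payload):
    """Return (SysUptime in ms, CurrentSecs) from a NetFlow v9 UDP payload."""
    if len(payload) < V9_HEADER.size:
        raise ValueError("payload shorter than a NetFlow v9 header")
    version, _count, uptime_ms, unix_secs, _seq, _src = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version=%d)" % version)
    return uptime_ms, unix_secs

def absolute_secs(current_secs, uptime_ms, switched_ms):
    """CurrentSecs - SysUptime + StartTime/EndTime, all in seconds."""
    return current_secs - uptime_ms / 1000 + switched_ms / 1000

def check_flow(payload, first_ms, last_ms, max_age_secs=3600):
    """Compute absolute start/end and list reasons the result is implausible.

    first_ms/last_ms are the record's FIRST_SWITCHED/LAST_SWITCHED values.
    max_age_secs is a hypothetical threshold; set it above the exporter's
    active timeout so long-lived flows are not flagged.
    """
    uptime_ms, current_secs = parse_v9_header(payload)
    start = absolute_secs(current_secs, uptime_ms, first_ms)
    end = absolute_secs(current_secs, uptime_ms, last_ms)
    problems = []
    if end > current_secs:
        # A flow cannot end after the packet that reports it was exported.
        problems.append("flow in the future: end time is after export time")
    if current_secs - start > max_age_secs:
        problems.append("flow in the past: start time older than max_age_secs")
    return start, end, problems

# Constructed sample headers (not captured traffic), all exported at 1700000000.
GOOD = V9_HEADER.pack(9, 1, 600_000, 1_700_000_000, 1, 0)            # uptime 10 min
ZERO_UPTIME = V9_HEADER.pack(9, 1, 0, 1_700_000_000, 2, 0)           # uptime missing
HUGE_UPTIME = V9_HEADER.pack(9, 1, 90_000_000, 1_700_000_000, 3, 0)  # uptime 25 h

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("zero", ZERO_UPTIME), ("huge", HUGE_UPTIME)):
        print(name, check_flow(pkt, 590_000, 595_000))
```

The header bytes come from the UDP payload of a packet in the capture taken in step 1; the first/last values come from the flow record as decoded by a protocol analyzer.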

Resolution:
  1. Ask the flow source manufacturer's support whether the device can send absolute timestamps.
  2. In FOS 12.2, the timestamps can be fixed on the listening port (Configuration Center - FMC Configuration - Listening ports - Edit - Adjust flow timestamps to the flow receive time). This feature uses the receive time of the collector as the end time and "receive time of the collector - duration" as the start time.
    This avoids a wrong timestamp calculation based on an incorrect SysUptime value.
Workaround:  
Notes:
