Wrong timestamp of the flow

 

Information

 

Summary:

Timestamp of the flow is in the past or the future.

Environment:

Product: Flowmon

Version: any

Platform: any

Question/Problem Description: Advanced analysis shows flows whose timestamps do not match the selected time interval.
Cause:

Incorrect timestamps usually occur if the flow source is a third-party device. Relative timestamps are sent in IPFIX, but the SysUptime information is missing or its value is incorrect.

For verification:

1. Create a packet capture with tcpdump, e.g.:
tcpdump -i eth0 -w /tmp/flows.pcap 'host <flow_source_IP>'

2. Calculate the timestamp of the flow and compare it with the value shown in advanced analysis.

SysUptime -> time in seconds since the device boot/flow export initialization.
CurrentSecs -> absolute timestamp of packet export with flow data (time in seconds from 1.1.1970).
The relative timestamp calculation is for each flow:
CurrentSecs - SysUptime + StartTime/EndTime (start/end time in seconds).

Resolution:
  1. Ask the support of the flow source manufacturer whether the device can send absolute timestamps.
  2. In FOS 12.2, the timestamps will be calculated differently (end time = receive time of the collector;
    start time = receive time of the collector - duration). This avoids a wrong timestamp calculation based on incorrect values.
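
The verification calculation and the receive-time method from Resolution item 2, as an added Python example (not Flowmon code). The sample values are constructed and assumed to be already read from the capture in seconds; `receive_secs` (capture time of the export packet) and the 300-second tolerance are assumptions.

```python
# Added example, not Flowmon code. All values are in seconds, as on this page.
TOLERANCE = 300  # assumed; set it above the exporter's active timeout


def relative_to_absolute(current_secs, sys_uptime, start_time, end_time):
    """CurrentSecs - SysUptime + StartTime/EndTime."""
    boot = current_secs - sys_uptime
    return boot + start_time, boot + end_time


def receive_time_based(receive_secs, start_time, end_time):
    """End time = collector receive time, start time = receive time - duration."""
    return receive_secs - (end_time - start_time), receive_secs


def check_flow(current_secs, sys_uptime, start_time, end_time, receive_secs):
    """Return the problems found in one flow's computed timestamps."""
    start_abs, end_abs = relative_to_absolute(
        current_secs, sys_uptime, start_time, end_time)
    problems = []
    if sys_uptime == 0:
        problems.append("SysUptime missing or zero")
    if end_abs > receive_secs + TOLERANCE:
        problems.append(f"end time {end_abs - receive_secs} s in the future")
    elif end_abs < receive_secs - TOLERANCE:
        problems.append(f"end time {receive_secs - end_abs} s in the past")
    if start_abs > end_abs:
        problems.append("start time after end time")
    return problems


# Constructed samples: (label, CurrentSecs, SysUptime, StartTime, EndTime, receive time)
SAMPLES = [
    ("healthy exporter", 1700000000, 86400, 86350, 86395, 1700000001),
    ("SysUptime missing", 1700000000, 0, 86350, 86395, 1700000001),
    ("SysUptime too large", 1700000000, 172800, 86350, 86395, 1700000001),
]

if __name__ == "__main__":
    for label, cur, up, start, end, rx in SAMPLES:
        print(label, relative_to_absolute(cur, up, start, end),
              check_flow(cur, up, start, end, rx) or "ok",
              "receive-time based:", receive_time_based(rx, start, end))
```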