firestarter4711
New Member
September 2, 2015
Question

Mixed up Timestamps in Netflow

  • September 2, 2015
  • 3 replies
  • 9899 views

Hi everybody,

I've got a strange issue regarding the timestamp when displaying exported netflow data from several fortigates with nfdump.

The issue's as follows:

I set up netflow in my main FGT90D running 5.2.3 and exported these data into a nfdump/nfsen collector/analyzer. Here I got flows which seemed to be first seen in the future. First there'd been flows with a timestamp from September 13. Today in the morning the timestamps matched my time, but up to now they're some 24 hours ahead.

So I set up another FGT100D with 5.2.3 and its timestamps are around 5 hours and ten minutes ahead.

So I set up a third fortigate, another 100D with 5.2.4, and finally its timestamps seem to match my actual time.

I'm researching this issue for several days now - meanwhile implementing a Cisco 3620 Router - netflow enabled - and two distributed switches from my ESX farm sending their data into the collector - just to be sure that it's no general issue. Countless times I set up ntp configurations and configured timezones just to be sure.

But whatever I tried up to now, these timing offsets are only to be seen from the fortigates, especially from the two boxes running 5.2.3. What's a little bit worse is that the timeshift seems to vary - as written above for my FGT90D - so that you can't even just calculate with a fixed time offset to get it right.

One strange thing I discovered - but I don't know if it's by design or not because I'm no netflow-packet specialist. I captured those netflow packets from all three boxes and discovered the FGT100D running 5.2.3 is sending packets with a negative sysuptime value. The other two have positive ones. Don't know if it's just a byte-overflow issue or something like that.

Has anyone playing around with netflow seen anything like that and could give me a hint where to look next?

If it's important, my collector/analyzer is running nfdump/nfsen on Debian 8 - if it's got something to do with it.
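The following is an added illustration, not code from this thread, from Fortinet or from nfdump: it decodes a NetFlow v9 export header (the RFC 3954 layout) and applies the standard collector-side reconstruction of a flow's wall-clock start from unix_secs, sysUptime and the record's FIRST_SWITCHED value. It then shows what happens when a sysUptime whose top bit is set (the kind of value a dissector prints as "negative") is fed into that arithmetic as a signed number: the reconstructed start lands weeks in the future. The packet bytes and the FIRST_SWITCHED value are constructed for the example; nothing here asserts what FortiOS actually does.

```python
"""Added example: NetFlow v9 header decoding and flow-start reconstruction.
All packet bytes below are constructed for illustration."""
import struct
from datetime import datetime, timedelta, timezone

# NetFlow v9 export packet header (RFC 3954 section 5.1), big-endian:
#   version(2) count(2) sysUptime_ms(4) unix_secs(4) sequence(4) source_id(4)
V9_HEADER = struct.Struct("!HHIIII")


def parse_v9_header(pkt: bytes) -> dict:
    """Decode the 20-byte v9 header; raise on anything that is not v9."""
    if len(pkt) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, sys_uptime_ms, unix_secs, seq, source_id = V9_HEADER.unpack_from(pkt, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    return {"count": count, "sys_uptime_ms": sys_uptime_ms, "unix_secs": unix_secs,
            "sequence": seq, "source_id": source_id}


def as_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit field as int32 (how a 'negative sysuptime' appears)."""
    return value - (1 << 32) if value & 0x80000000 else value


def flow_start(unix_secs: int, sys_uptime_ms: int, first_switched_ms: int) -> datetime:
    """Standard collector reconstruction: the exporter's clock read unix_secs when its
    uptime was sys_uptime_ms, and the flow began at uptime first_switched_ms, i.e.
    (sys_uptime_ms - first_switched_ms) milliseconds before the export."""
    age_ms = sys_uptime_ms - first_switched_ms
    export_time = datetime.fromtimestamp(unix_secs, tz=timezone.utc)
    return export_time - timedelta(milliseconds=age_ms)


def check_flow(unix_secs: int, sys_uptime_ms: int, first_switched_ms: int) -> dict:
    """Return the reconstructed start and flag it if it lies after the export time.
    That can only happen when FIRST_SWITCHED is ahead of the sysUptime used in the
    arithmetic, which is the signature a collector can alert on."""
    start = flow_start(unix_secs, sys_uptime_ms, first_switched_ms)
    export_time = datetime.fromtimestamp(unix_secs, tz=timezone.utc)
    return {"start": start, "in_future": start > export_time, "offset": start - export_time}


# Constructed sample: exported 2015-09-02 10:00:00 UTC (unix_secs 1441188000) with
# sysUptime = 0x80001000 ms, a value whose top bit is set.
SAMPLE_HEADER = V9_HEADER.pack(9, 1, 0x80001000, 1441188000, 42, 0)
SAMPLE_FIRST_SWITCHED = 0x80001000 - 5000   # the flow started 5 s before the export

if __name__ == "__main__":
    hdr = parse_v9_header(SAMPLE_HEADER)
    print("sysUptime unsigned:", hdr["sys_uptime_ms"], "as int32:", as_signed32(hdr["sys_uptime_ms"]))
    ok = check_flow(hdr["unix_secs"], hdr["sys_uptime_ms"], SAMPLE_FIRST_SWITCHED)
    print("unsigned arithmetic:", ok["start"].isoformat(), "in future:", ok["in_future"])
    bad = check_flow(hdr["unix_secs"], as_signed32(hdr["sys_uptime_ms"]), SAMPLE_FIRST_SWITCHED)
    print("signed arithmetic:  ", bad["start"].isoformat(), "in future:", bad["in_future"],
          "offset:", bad["offset"])
```

With the unsigned value the flow is correctly placed 5 seconds before the export; with the same field read as a signed integer the age becomes negative and the start is pushed roughly 49.7 days ahead (the 2^32 ms wrap period). Comparing the reconstructed start against the header's own unix_secs, as check_flow does, is a cheap sanity check a collector can apply per record, and capturing the raw export packets (as the original poster did) lets you see which of the three fields is actually off.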

3 replies

emnoc
New Member
September 2, 2015

Dumb Qs: do you have ntp set up and the time validated? A lot of devices (i.e. Juniper) require NTP to be enabled first & before you run netflow or ipfix.

koelschman
New Member
September 30, 2015

hello,

we have the same issue with a fg 1500d running 5.2.2, timeshifts of 1 or 2 days into the future.

both systems, fg and server, are managed by ntp. So time should be correct.

Does anybody know about the reason?

Regards

emnoc
New Member
October 2, 2015

How far is the time off? A day, a few mins or hours?

koelschman
New Member
October 2, 2015

It's not days, the time difference is days, approx. 10 days.

dspelfrey
New Member
October 13, 2015

Hello,

I am seeing a similar issue with 5.2.4.

-bash-4.1$ nfdump -V
nfdump: Version: NSEL-NEL1.6.11 $Date: 2013-11-16 09:04:43 +0100 (Sat, 16 Nov 2013) $

When I do "execute time", I see the correct time/date stamp and that it is NTP synched. When I grab a PCAP from my Fortinet to the nfdump server and view it in Wireshark (click Analyze, Decode As, Transport, select destination 9985 and port as CFLOW), I see the correct time stamps in the packet, so I am not sure if this is a Fortinet problem or an nfdump problem.

Today at ~10:30:
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2015-10-21 00:44:19.184 ....

Has anyone opened a ticket with Fortinet yet or posted anything here? http://sourceforge.net/projects/nfdump/

What version of nfdump are you running?