3.1 netflow bad sequence calculating

Note “FlowSequence: 442468” on frame 39 and then “FlowSequence: 442470” on frames 40 and 41 (completely different, they’re not dupes). Then it’s

39 442468
40 442470
41 442470
42 442470
43 442470
44 442470
45 442470
46 442474
47 442475
48 442475
49 442475
50 442476
51 442477
52 442481
53 442482

and so on.

MT ROS 3.1; I have not found this glitch in the 3.1-3.10 changelog. Can it be fixed?


Frame 39 (162 bytes on wire, 162 bytes captured)
    Arrival Time: Jul  3, 2008 15:41:33.850790000
    [Time delta from previous captured frame: 1.999973000 seconds]
    [Time delta from previous displayed frame: 1.999973000 seconds]
    [Time since reference or first frame: 383.991018000 seconds]
    Frame Number: 39
    Frame Length: 162 bytes
    Capture Length: 162 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:cflow]
Ethernet II, Src: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b), Dst: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
    Destination: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        Address: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        Address: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.87.244.21 (10.87.244.21), Dst: 10.87.244.23 (10.87.244.23)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 148
    Identification: 0xa2a7 (41639)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x689d [correct]
        [Good: True]
        [Bad : False]
    Source: 10.87.244.21 (10.87.244.21)
    Destination: 10.87.244.23 (10.87.244.23)
User Datagram Protocol, Src Port: 9998 (9998), Dst Port: 9998 (9998)
    Source port: 9998 (9998)
    Destination port: 9998 (9998)
    Length: 128
    Checksum: 0x0000 (none)
        Good Checksum: False
        Bad Checksum: False
Cisco NetFlow/IPFIX
    Version: 5
    Count: 2
    SysUptime: 4168613180
    Timestamp: Jul  3, 2008 15:40:43.806375000
        CurrentSecs: 1215085243
        CurrentNSecs: 806375000
    FlowSequence: 442468
    EngineType: 0
    EngineId: 0
    00.. .... .... .... = SamplingMode: No sampling mode configured (0)
    ..00 0000 0000 0000 = SampleRate: 0
    pdu 1/2
        SrcAddr: 69.228.42.238 (69.228.42.238)
        DstAddr: 10.217.170.2 (10.217.170.2)
        NextHop: 10.217.170.2 (10.217.170.2)
        InputInt: 67
        OutputInt: 0
        Packets: 3
        Octets: 192
        [Duration: 1.380000000 seconds]
            StartTime: 4168594.800000000 seconds
            EndTime: 4168596.180000000 seconds
        SrcPort: 31827
        DstPort: 139
        padding
        TCP Flags: 0x02
        Protocol: 6
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 69.228.42.238/32)
        DstMask: 0 (prefix: 10.217.170.2/32)
        padding
    pdu 2/2
        SrcAddr: 10.217.170.2 (10.217.170.2)
        DstAddr: 69.228.42.238 (69.228.42.238)
        NextHop: 10.217.170.1 (10.217.170.1)
        InputInt: 0
        OutputInt: 67
        Packets: 3
        Octets: 120
        [Duration: 1.380000000 seconds]
            StartTime: 4168594.800000000 seconds
            EndTime: 4168596.180000000 seconds
        SrcPort: 139
        DstPort: 31827
        padding
        TCP Flags: 0x14
        Protocol: 6
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 10.217.170.2/32)
        DstMask: 0 (prefix: 69.228.42.238/32)
        padding

Frame 40 (162 bytes on wire, 162 bytes captured)
    Arrival Time: Jul  3, 2008 15:41:39.850660000
    [Time delta from previous captured frame: 5.999870000 seconds]
    [Time delta from previous displayed frame: 5.999870000 seconds]
    [Time since reference or first frame: 389.990888000 seconds]
    Frame Number: 40
    Frame Length: 162 bytes
    Capture Length: 162 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:cflow]
Ethernet II, Src: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b), Dst: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
    Destination: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        Address: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        Address: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.87.244.21 (10.87.244.21), Dst: 10.87.244.23 (10.87.244.23)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 148
    Identification: 0xa2a8 (41640)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x689c [correct]
        [Good: True]
        [Bad : False]
    Source: 10.87.244.21 (10.87.244.21)
    Destination: 10.87.244.23 (10.87.244.23)
User Datagram Protocol, Src Port: 9998 (9998), Dst Port: 9998 (9998)
    Source port: 9998 (9998)
    Destination port: 9998 (9998)
    Length: 128
    Checksum: 0x0000 (none)
        Good Checksum: False
        Bad Checksum: False
Cisco NetFlow/IPFIX
    Version: 5
    Count: 2
    SysUptime: 4168619180
    Timestamp: Jul  3, 2008 15:40:49.806204000
        CurrentSecs: 1215085249
        CurrentNSecs: 806204000
    FlowSequence: 442470
    EngineType: 0
    EngineId: 0
    00.. .... .... .... = SamplingMode: No sampling mode configured (0)
    ..00 0000 0000 0000 = SampleRate: 0
    pdu 1/2
        SrcAddr: 69.228.42.238 (69.228.42.238)
        DstAddr: 10.217.170.2 (10.217.170.2)
        NextHop: 10.217.170.2 (10.217.170.2)
        InputInt: 67
        OutputInt: 0
        Packets: 3
        Octets: 192
        [Duration: 1.410000000 seconds]
            StartTime: 4168600.800000000 seconds
            EndTime: 4168602.210000000 seconds
        SrcPort: 32093
        DstPort: 445
        padding
        TCP Flags: 0x02
        Protocol: 6
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 69.228.42.238/32)
        DstMask: 0 (prefix: 10.217.170.2/32)
        padding
    pdu 2/2
        SrcAddr: 10.217.170.2 (10.217.170.2)
        DstAddr: 69.228.42.238 (69.228.42.238)
        NextHop: 10.217.170.1 (10.217.170.1)
        InputInt: 0
        OutputInt: 67
        Packets: 3
        Octets: 120
        [Duration: 1.410000000 seconds]
            StartTime: 4168600.800000000 seconds
            EndTime: 4168602.210000000 seconds
        SrcPort: 445
        DstPort: 32093
        padding
        TCP Flags: 0x14
        Protocol: 6
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 10.217.170.2/32)
        DstMask: 0 (prefix: 69.228.42.238/32)
        padding

Frame 41 (114 bytes on wire, 114 bytes captured)
    Arrival Time: Jul  3, 2008 15:41:43.850554000
    [Time delta from previous captured frame: 3.999894000 seconds]
    [Time delta from previous displayed frame: 3.999894000 seconds]
    [Time since reference or first frame: 393.990782000 seconds]
    Frame Number: 41
    Frame Length: 114 bytes
    Capture Length: 114 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:cflow]
Ethernet II, Src: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b), Dst: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
    Destination: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        Address: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        Address: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.87.244.21 (10.87.244.21), Dst: 10.87.244.23 (10.87.244.23)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 100
    Identification: 0xa2a9 (41641)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x68cb [correct]
        [Good: True]
        [Bad : False]
    Source: 10.87.244.21 (10.87.244.21)
    Destination: 10.87.244.23 (10.87.244.23)
User Datagram Protocol, Src Port: 9998 (9998), Dst Port: 9998 (9998)
    Source port: 9998 (9998)
    Destination port: 9998 (9998)
    Length: 80
    Checksum: 0x0000 (none)
        Good Checksum: False
        Bad Checksum: False
Cisco NetFlow/IPFIX
    Version: 5
    Count: 1
    SysUptime: 4168623180
    Timestamp: Jul  3, 2008 15:40:53.806090000
        CurrentSecs: 1215085253
        CurrentNSecs: 806090000
    FlowSequence: 442470
    EngineType: 0
    EngineId: 0
    00.. .... .... .... = SamplingMode: No sampling mode configured (0)
    ..00 0000 0000 0000 = SampleRate: 0
    pdu 1/1
        SrcAddr: 172.20.64.2 (172.20.64.2)
        DstAddr: 172.20.64.31 (172.20.64.31)
        NextHop: 172.20.64.31 (172.20.64.31)
        InputInt: 65
        OutputInt: 0
        Packets: 1
        Octets: 229
        [Duration: 0.000000000 seconds]
            StartTime: 4168606.730000000 seconds
            EndTime: 4168606.730000000 seconds
        SrcPort: 138
        DstPort: 138
        padding
        TCP Flags: 0x00
        Protocol: 17
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 172.20.64.2/32)
        DstMask: 0 (prefix: 172.20.64.31/32)
        padding

Frame 42 (114 bytes on wire, 114 bytes captured)
    Arrival Time: Jul  3, 2008 15:41:49.850422000
    [Time delta from previous captured frame: 5.999868000 seconds]
    [Time delta from previous displayed frame: 5.999868000 seconds]
    [Time since reference or first frame: 399.990650000 seconds]
    Frame Number: 42
    Frame Length: 114 bytes
    Capture Length: 114 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:cflow]
Ethernet II, Src: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b), Dst: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
    Destination: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        Address: 00:04:23:df:34:f8 (00:04:23:df:34:f8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        Address: 00:0d:61:70:7d:8b (00:0d:61:70:7d:8b)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.87.244.21 (10.87.244.21), Dst: 10.87.244.23 (10.87.244.23)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 100
    Identification: 0xa2aa (41642)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x68ca [correct]
        [Good: True]
        [Bad : False]
    Source: 10.87.244.21 (10.87.244.21)
    Destination: 10.87.244.23 (10.87.244.23)
User Datagram Protocol, Src Port: 9998 (9998), Dst Port: 9998 (9998)
    Source port: 9998 (9998)
    Destination port: 9998 (9998)
    Length: 80
    Checksum: 0x0000 (none)
        Good Checksum: False
        Bad Checksum: False
Cisco NetFlow/IPFIX
    Version: 5
    Count: 1
    SysUptime: 4168629180
    Timestamp: Jul  3, 2008 15:40:59.805919000
        CurrentSecs: 1215085259
        CurrentNSecs: 805919000
    FlowSequence: 442470
    EngineType: 0
    EngineId: 0
    00.. .... .... .... = SamplingMode: No sampling mode configured (0)
    ..00 0000 0000 0000 = SampleRate: 0
    pdu 1/1
        SrcAddr: 172.20.64.1 (172.20.64.1)
        DstAddr: 255.255.255.255 (255.255.255.255)
        NextHop: 255.255.255.255 (255.255.255.255)
        InputInt: 65
        OutputInt: 0
        Packets: 1
        Octets: 76
        [Duration: 0.000000000 seconds]
            StartTime: 4168612.800000000 seconds
            EndTime: 4168612.800000000 seconds
        SrcPort: 5678
        DstPort: 5678
        padding
        TCP Flags: 0x00
        Protocol: 17
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: 172.20.64.1/32)
        DstMask: 0 (prefix: 255.255.255.255/32)
        padding

I have the same problem on RB/750G RouterOS 4.7 fw2.26 from master ethernet port - wrong netflow5 sequence numbers. Any solutions?

Would this affect NTop? I’m using RouterOS v4.7 x86 IP → Traffic Flow v5 to an NTop machine, and it seems to collect data fine.

What would the symptoms of an invalid sequence number be?

Don’t remember clearly from 2008, but I think I got duplicate-numbered flows dropped on some collectors.

For traffic-flow v5, the flow sequence number shows sent flows + active flows. As you do not know the active flow number at the current time, the sequence looks correct.
However, the question is open for traffic-flow v9.

I still don’t understand how to use it with flow-tools. flow-capture floods my syslog, it’s unacceptable. Using the first version of netflow is not a good idea either.

“+ active flows” is an error. This field is only for checking whether some packets are missing.
Sergejs, could you please ask that developer to comment on how it is possible to check for lost packets if you have a pseudo-random addition to the sent flows?..

In v9, packets with templates have the same number as packets with data ← should be fixed. Also, I don’t understand why ROS sends separate packets for each FlowSet =) It’s useless and just increases the number of packets :)
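
The lost-packet check this field exists for, as an added example (not part of the thread and not any collector's own code): each v5 datagram's flow_sequence should equal the previous datagram's flow_sequence plus its count. The helper names are illustrative, and the sample datagrams are constructed from the header values of frames 39 to 42 above with zero-filled flow records.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte NetFlow v5 export header
V5_RECORD_LEN = 48                       # every v5 flow record is 48 bytes

def parse_v5_header(datagram):
    """Validate a v5 datagram and return (count, flow_sequence, engine)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("count field does not match payload length")
    return count, seq, (etype, eid)

def audit_sequence(datagrams):
    """Flag datagrams whose flow_sequence != previous flow_sequence + count."""
    expected, findings = {}, []
    for index, datagram in enumerate(datagrams):
        count, seq, engine = parse_v5_header(datagram)
        if engine in expected:
            # Signed 32-bit difference, so counter wraparound is not a gap.
            delta = (seq - expected[engine]) & 0xFFFFFFFF
            if delta >= 0x80000000:
                delta -= 0x100000000
            if delta > 0:
                findings.append((index, "gap", delta))      # flows missing
            elif delta < 0:
                findings.append((index, "behind", -delta))  # numbers reused
        expected[engine] = (seq + count) & 0xFFFFFFFF
    return findings

def build_v5(count, uptime, secs, nsecs, seq):
    """Constructed datagram: given header values, zero-filled flow records."""
    header = V5_HEADER.pack(5, count, uptime, secs, nsecs, seq, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)

# Header values copied from frames 39-42 above; record bodies are constructed.
SAMPLE = [
    build_v5(2, 4168613180, 1215085243, 806375000, 442468),  # frame 39
    build_v5(2, 4168619180, 1215085249, 806204000, 442470),  # frame 40
    build_v5(1, 4168623180, 1215085253, 806090000, 442470),  # frame 41
    build_v5(1, 4168629180, 1215085259, 805919000, 442470),  # frame 42
]
```

On these values `audit_sequence(SAMPLE)` accepts frame 40 and reports frames 41 and 42 as behind the expected counter by 2 and 1 flows.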

The Traffic Flow v5 Flow_Sequence counting algorithm will be improved in the next MikroTik RouterOS version.
Thank you very much for the report and for your help in solving the problem.

Thanks, Sergejs!

Now it’s time to play with ICMP rejects in NetFlow :D