Netflow durations

sully0182 · January 28, 2013, 3:58pm

Hi,

I’m using nfdump to capture netflow off of my mikrotik routerboard but I’m getting some weird results!
As you can see from the results below I’m getting a lot of flows where the duration is equal to 0, can this be right?
Is there something I’ve done wrong with my config?

Sample (duration is second column, after date & time):

1970-01-02 07:41:13.100 1970-01-02 07:41:13.100 1970-01-02 07:41:13.100 1970-01-02 07:41:13.470 1970-01-02 07:41:13.660 1970-01-02 07:41:12.500 1970-01-02 07:41:13.690 1970-01-02 07:41:13.450 1970-01-02 07:41:12.290 1970-01-02 07:41:18.120 1970-01-02 07:41:18.120 1970-01-02 07:41:18.120 1970-01-02 07:41:18.120 1970-01-02 07:41:18.130 1970-01-02 07:41:18.130 1970-01-02 07:41:18.130 1970-01-02 07:41:18.140 1970-01-02 07:40:49.250 1970-01-02 07:40:49.350 1970-01-02 07:40:49.350 1970-01-02 07:40:49.570 1970-01-02 07:41:04.640 1970-01-02 07:41:04.640 1970-01-02 07:41:04.650 1970-01-02 07:41:04.650 1970-01-02 07:40:55.880 1970-01-02 07:40:55.890 0.000 TCP 74.125.24.94:80 → 192.168.88.200:39864 2 80 1
0.000 TCP 74.125.24.94:80 → 192.168.88.200:39865 2 80 1
0.000 TCP 74.125.24.94:80 → 192.168.88.200:39861 2 80 1
0.000 TCP 192.168.88.200:53572 → 69.171.235.16:80 2 104 1
0.000 TCP 50.18.120.15:80 → 192.168.88.200:59169 2 120 1
1.160 TCP 192.168.88.200:59169 → 50.18.120.15:80 4 232 1
0.000 TCP 69.171.235.16:80 → 192.168.88.200:53572 2 104 1
4.230 TCP 50.18.120.15:80 → 192.168.88.200:59151 12 12958 1
5.390 TCP 192.168.88.200:59151 → 50.18.120.15:80 15 1939 1
0.000 UDP 192.168.88.200:52036 → 192.168.88.1:53 2 150 1
0.000 UDP 192.168.88.200:26309 → 192.168.88.1:53 2 148 1
0.000 UDP 192.168.5.201:47986 → 192.168.20.11:53 2 150 1
0.000 UDP 192.168.5.201:44674 → 192.168.20.11:53 2 148 1
0.000 UDP 192.168.20.11:53 → 192.168.5.201:47986 2 550 1
0.000 UDP 192.168.88.1:53 → 192.168.88.200:52036 2 550 1
0.000 UDP 192.168.88.200:57286 → 192.168.88.1:53 2 150 1
0.000 UDP 192.168.88.1:53 → 192.168.88.200:57286 2 550 1
13.880 TCP 2.22.48.147:80 → 192.168.88.200:55970 3 172 1
13.930 TCP 69.171.235.16:80 → 192.168.88.200:53542 3 172 1
13.930 TCP 69.171.235.16:80 → 192.168.88.200:53541 4 224 1
13.710 TCP 69.171.229.25:80 → 192.168.88.200:59531 4 224 1
0.000 TCP 192.168.88.200:59065 → 193.1.253.139:80 2 104 1
0.000 TCP 192.168.88.200:59067 → 193.1.253.139:80 2 104 1
0.000 TCP 193.1.253.139:80 → 192.168.88.200:59065 2 104 1
0.000 TCP 193.1.253.139:80 → 192.168.88.200:59067 2 104 1
9.630 TCP 192.168.88.200:39862 → 74.125.24.94:80 18 5404 1
9.660 TCP 74.125.24.94:80 → 192.168.88.200:39862 14 5162 1

Any help would be appreciated!

Thanks,
Shane

sully0182 · January 28, 2013, 4:59pm

I think I figured out my problem. The durations are probably correct but are all given in milliseconds.
Is there any way to get flow durations in micro or nano seconds using nfdump?
Or is there other netflow software that does this maybe?

Thanks,
Shane