Don't seem to receive timestamps in nprobe from Cisco ASA 5510 netflow

[johanteekens]

• My setup: Cisco ASA 5510 sending netflow to a Centos Linux machine according to https://supportforums.cisco.com/document/30476/configuring-netflow-asa-asdm
• Setup ntopng according to http://packages.ntop.org/centos/
• I’ve set my Cisco asa to send a template every 5 minutes.
• I’m running nprobe and ntopng on the Centos Linux machine
• I’ve setup ntp to make sure both systems have the same time.
• Probe line: nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055
• cat /etc/ntopng/ntopng.conf 
 -G=/var/tmp/ntopng.pid
 --community
 --local-networks=“x.y.z.n/24,a.b.c.d/24,q.w.e.r/28" 
-i=tcp://127.0.0.1:5556 
 -d=/var/tmp 

-w=3000 


* During the capture I’ve shutdown nprobe to make sure nothing interferes.
* For debugging I ran for 12 minutes: tcpdump -i eth0 -s 65535 port 2055 -w cap1.pcap (send as private message) Because the ASA sends a template every 5 minutes, the template is in the pcap file. 

Ntopng does receive packets from nprobe and is fully operational but has no time scale. 
In the interface statistics I only see spikes, sometimes up to 10Gbit while my internet connection is 50Mbit.
So all flow data seems to be processed without timestamps and ntopng thinks the flow happens the same second the netflow packet arrives. 
To me it looks like the timestamps are not picked up but I’m definitely not an expert.

[lucaderi]

@johanteekens please send deri@ntop.org and mainardi@ntop.org the pcap for debugging.

[lucaderi]

@johanteekens I have looked at your problem. The flows ASA generate do not have both the start and the end time (they look like flows but are not properly exported)

This means that the only thing nprobe can do is to assume that the flow has lasted just the time specified. As exports happen periodically, you see a period of nothing and a short export period where all traffic is packet in a couple of seconds. This causes the spikes that you have reported. So the issue is definitively on the ASA side, but I don't think you can do much as ASA is not a real netflow probe but a firewall that exports flows when the communication has been processed.

Bottom line, feel free to suggest us a way to circumvent the issue (the only think that comes to my mind is to compute flow throughput every min instead of every sec, but this is not a solution but rather a sort of workaround). Beside these peaks I believe that all the rest works as expected and so you can probably survive with these limitations.

[tttyu]

Pls someone help me. How to calculate throughput of a flow using nprobe?