pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

PPS and the Mbps are not being calculated correctly on Mikrotik boxes - vendor's issue #620

Closed ateixeirag closed 5 years ago

ateixeirag commented 7 years ago

Hello,

I have been testing the fastnetmon service and it is working, but the PPS and the Mbps are not being calculated correctly.

I read many posts and adjusted the average_calculation_time, setting it equal to and greater than the active/inactive timeouts. But in all cases the PPS and Mbps are not accurate.

The real rate is around 90 Mbps and fastnetmon shows over 300 Mbps. The real PPS is 10.000 and fastnetmon shows over 15.000.000 for one host in some cases.

I tested several combinations:

  • NetFlow v5

  • NetFlow v9

  • IPFIX

In all cases the same happens.

We are using a MikroTik CCR with the latest RouterOS: 6.37.3

Any advice?

Configuration, screenshots and logs are here: https://dl.dropboxusercontent.com/u/3817372/share-public_v3/fastnetmon-actual.zip

Best regards.

pavel-odintsov commented 7 years ago

Hello

Thank you for detailed report!

Netflow accuracy is tightly tied to the vendor's implementation of this protocol.

A lot of vendors just ignore the active/inactive timeout values specified in the configuration and send packets at a much larger interval.

If you could share netflow data in pcap format for ~10 minutes, I could check it.

You could share this data privately with me via email pavel.odintsov@gmail.com

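The accuracy problem described above (an exporter that reports flows at a much larger interval than the configured active/inactive timeout) can be checked from the exporter's own records, without waiting for a pcap. The script below is an added example and not FastNetMon's code: it parses the flow-dump line format that FastNetMon prints in attack reports (the lines quoted later in this thread), credits each record to the second it was exported in, measures how far apart successive records of the same 5-tuple really are, and derives the factor by which a rate computed over the configured timeout overstates the true rate. It assumes that `size` is the byte total of the whole record rather than a per-packet size (the "Average packet size" figures in the report are consistent with that); the sample lines, the host 192.0.2.10, the 60-second export interval and the 1-second configured timeout are all constructed for the example.

```python
"""Check exported flow records against the configured active timeout.

Added example (not FastNetMon's own code). Parses the flow-dump format
FastNetMon prints in attack reports and answers two questions a defender
asks when the reported pps/Mbps look wrong:
  * what rate do the records themselves imply for the host?
  * how far apart does the exporter really emit records for one flow,
    compared with the active timeout it was configured with?
Assumption: `size` is the byte total of the whole record (the report's
"Average packet size" figures are consistent with that), scaled by
`sample ratio` like the packet count.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"protocol: (?P<proto>\w+) frag: \d+ packets: (?P<packets>\d+) "
    r"size: (?P<size>\d+) bytes ttl: \d+ sample ratio: (?P<ratio>\d+)$"
)

# Constructed sample: DNS exchanges like the ones in this thread (x.x.x.x
# replaced by the documentation address 192.0.2.10) plus one long-lived TCP
# flow that the exporter reports every 60 s although its active timeout was
# configured to 1 s.
SAMPLE_DUMP = """\
2016-12-24 12:18:47.000000 192.0.2.10:16890 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.4.4:53 > 192.0.2.10:16890 protocol: udp frag: 0 packets: 2 size: 198 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 198.51.100.7:4000 > 192.0.2.10:443 protocol: tcp frag: 0 packets: 600 size: 900000 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 192.0.2.10:40314 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 114 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > 192.0.2.10:40314 protocol: udp frag: 0 packets: 2 size: 210 bytes ttl: 0 sample ratio: 1
2016-12-24 12:19:47.000000 198.51.100.7:4000 > 192.0.2.10:443 protocol: tcp frag: 0 packets: 600 size: 900000 bytes ttl: 0 sample ratio: 1
2016-12-24 12:20:47.000000 198.51.100.7:4000 > 192.0.2.10:443 protocol: tcp frag: 0 packets: 600 size: 900000 bytes ttl: 0 sample ratio: 1
"""
HOST = "192.0.2.10"
CONFIGURED_ACTIVE_TIMEOUT_S = 1  # what the exporter was told to use (assumed)


def parse_line(line):
    """One dump line -> dict, or None if the line is not a flow record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ratio = int(d["ratio"])
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "proto": d["proto"],
        "packets": int(d["packets"]) * ratio,
        "bytes": int(d["size"]) * ratio,
    }


def parse_dump(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def per_second_totals(records, host):
    """Packets/bytes to and from `host`, credited to the export second."""
    totals = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0})
    for r in records:
        if r["dst"] == host:
            totals[r["ts"]]["in_pkts"] += r["packets"]
            totals[r["ts"]]["in_bytes"] += r["bytes"]
        elif r["src"] == host:
            totals[r["ts"]]["out_pkts"] += r["packets"]
            totals[r["ts"]]["out_bytes"] += r["bytes"]
    return dict(totals)


def peak_in_pps_naive(records, host):
    """Peak incoming pps when every record is assumed to cover one second:
    this is what turns a 600-packet record exported every 60 s into 600 pps."""
    return max(t["in_pkts"] for t in per_second_totals(records, host).values())


def average_in_pps(records, host):
    """Incoming pps over the whole sample span; independent of export batching."""
    stamps = [r["ts"] for r in records]
    span = max(1.0, (max(stamps) - min(stamps)).total_seconds())
    return sum(r["packets"] for r in records if r["dst"] == host) / span


def observed_export_interval(records):
    """Median seconds between successive records of the same 5-tuple,
    or None when no flow appears twice."""
    last, gaps = {}, []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        if key in last:
            gaps.append((r["ts"] - last[key]).total_seconds())
        last[key] = r["ts"]
    return sorted(gaps)[len(gaps) // 2] if gaps else None


def inflation_factor(records, active_timeout_s):
    """How much a rate computed as packets / active_timeout overstates the
    true rate when the exporter really reports every observed interval."""
    interval = observed_export_interval(records)
    return None if interval is None else interval / active_timeout_s


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("records:", len(recs))
    print("naive peak incoming pps:", peak_in_pps_naive(recs, HOST))
    print("average incoming pps over span:", round(average_in_pps(recs, HOST), 2))
    print("observed export interval (s):", observed_export_interval(recs))
    print("rate inflation vs configured timeout:",
          inflation_factor(recs, CONFIGURED_ACTIVE_TIMEOUT_S))
```

Run against a real dump, an inflation factor well above 1 means the exporter is not honouring the configured active timeout, and raising average_calculation_time alone will not fix the reported rates; the observed interval is what the averaging window has to match.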

ateixeirag commented 7 years ago

Hello,

Thank you for your answer.

I just sent the email.

Best regards.

ateixeirag commented 7 years ago

I am using Ubuntu Server 14.04.5

Best regards.

ateixeirag commented 7 years ago

Here is an example:

IP: x.x.x.x
Attack type: udp_flood
Initial attack power: 6082462 packets per second
Peak attack power: 6082462 packets per second
Attack direction: incoming
Attack protocol: udp
Total incoming traffic: 0 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 6082462 packets per second
Total outgoing pps: 92 packets per second
Total incoming flows: 0 flows per second
Total outgoing flows: 0 flows per second
Average incoming traffic: 0 mbps
Average outgoing traffic: 0 mbps
Average incoming pps: 6082462 packets per second
Average outgoing pps: 92 packets per second
Average incoming flows: 0 flows per second
Average outgoing flows: 0 flows per second
Incoming ip fragmented traffic: 0 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 0 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming tcp traffic: 0 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 0 packets per second
Outgoing tcp pps: 0 packets per second
Incoming syn tcp traffic: 0 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 0 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 0 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 6082462 packets per second
Outgoing udp pps: 92 packets per second
Incoming icmp traffic: 0 mbps
Outgoing icmp traffic: 0 mbps
Incoming icmp pps: 0 packets per second
Outgoing icmp pps: 0 packets per second

Average packet size for incoming traffic: 0.0 bytes
Average packet size for outgoing traffic: 77.0 bytes

2016-12-24 12:18:47.000000 8.8.4.4:53 > x.x.x.x:16945 protocol: udp frag: 0 packets: 2 size: 232 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:16890 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:11061 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.4.4:53 > x.x.x.x:11061 protocol: udp frag: 0 packets: 2 size: 246 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.4.4:53 > x.x.x.x:16890 protocol: udp frag: 0 packets: 2 size: 198 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.4.4:53 > x.x.x.x:59148 protocol: udp frag: 0 packets: 2 size: 256 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:2294 > 199.19.54.1:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:60322 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 160 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:14712 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 126 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:14712 protocol: udp frag: 0 packets: 2 size: 300 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:56518 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 122 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:20834 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:56518 protocol: udp frag: 0 packets: 2 size: 266 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:53952 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:20834 protocol: udp frag: 0 packets: 2 size: 242 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.4.4:53 > x.x.x.x:51643 protocol: udp frag: 0 packets: 2 size: 194 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:53952 protocol: udp frag: 0 packets: 2 size: 282 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 58.242.4.202:53 > x.x.x.x:58579 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 199.19.54.1:53 > x.x.x.x:2294 protocol: udp frag: 0 packets: 2 size: 1258 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 200.54.101.82:27880 > x.x.x.x:53 protocol: udp frag: 0 packets: 2 size: 132 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:18675 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:18675 protocol: udp frag: 0 packets: 2 size: 180 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:23136 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:42527 > 69.28.95.170:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:53 > 200.54.101.82:27880 protocol: udp frag: 0 packets: 2 size: 132 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:16288 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:6480 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:8823 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:6480 protocol: udp frag: 0 packets: 2 size: 390 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:8823 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:16288 protocol: udp frag: 0 packets: 2 size: 238 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:28455 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:34825 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:29041 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 114 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:26854 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 114 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:43582 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:29041 protocol: udp frag: 0 packets: 2 size: 178 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:26854 protocol: udp frag: 0 packets: 2 size: 226 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:33423 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:33423 protocol: udp frag: 0 packets: 2 size: 242 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:28455 protocol: udp frag: 0 packets: 2 size: 292 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:23136 protocol: udp frag: 0 packets: 2 size: 254 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 8.8.8.8:53 > x.x.x.x:43582 protocol: udp frag: 0 packets: 2 size: 238 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:61934 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:21269 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:6636 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:63304 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:47.000000 x.x.x.x:11851 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:21464 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 130 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:58373 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 130 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:21464 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:58373 protocol: udp frag: 0 packets: 2 size: 236 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:21269 protocol: udp frag: 0 packets: 2 size: 212 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:54753 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:57293 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:57293 protocol: udp frag: 0 packets: 2 size: 242 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:63304 protocol: udp frag: 0 packets: 2 size: 256 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:11698 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:61934 protocol: udp frag: 0 packets: 2 size: 280 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:12711 > 210.245.0.10:53 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:9622 > 210.245.0.131:53 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:40314 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 114 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:40314 protocol: udp frag: 0 packets: 2 size: 210 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:16920 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:16920 protocol: udp frag: 0 packets: 2 size: 236 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:44685 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:4014 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 136 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:11851 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:4014 protocol: udp frag: 0 packets: 2 size: 168 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:24922 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:24922 protocol: udp frag: 0 packets: 2 size: 238 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:54753 protocol: udp frag: 0 packets: 2 size: 272 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:35889 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:35889 protocol: udp frag: 0 packets: 2 size: 242 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:38696 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:38696 protocol: udp frag: 0 packets: 2 size: 250 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:32348 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:44685 protocol: udp frag: 0 packets: 2 size: 282 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:47995 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:32348 protocol: udp frag: 0 packets: 2 size: 256 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:47995 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:32619 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 172 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:55942 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:57450 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 156 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:11571 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 140 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:57450 protocol: udp frag: 0 packets: 2 size: 156 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:11571 protocol: udp frag: 0 packets: 2 size: 234 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:28290 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 178 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:51937 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 138 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:51937 protocol: udp frag: 0 packets: 2 size: 200 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:35908 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:61196 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 176 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:1735 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 176 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 210.245.0.131:53 > x.x.x.x:9622 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:55198 > 210.245.0.10:53 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 210.245.0.10:53 > x.x.x.x:12711 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:12711 > 210.245.0.10:53 protocol: udp frag: 0 packets: 2 size: 220 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:14293 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:14293 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:10022 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 184 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:18549 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.4.4:53 > x.x.x.x:35908 protocol: udp frag: 0 packets: 2 size: 242 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:47769 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 130 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:19844 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 130 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:47769 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:19844 protocol: udp frag: 0 packets: 2 size: 304 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:28789 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:21340 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:51803 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 118 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:51803 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:57664 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 124 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:57664 protocol: udp frag: 0 packets: 2 size: 256 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 210.245.0.10:53 > x.x.x.x:55198 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:61895 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 x.x.x.x:4081 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:48.000000 8.8.8.8:53 > x.x.x.x:4081 protocol: udp frag: 0 packets: 2 size: 292 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:18869 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 120 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:18869 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:31751 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 126 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:53585 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 126 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:31751 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:53585 protocol: udp frag: 0 packets: 2 size: 300 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:47916 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:44714 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:29792 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:47916 protocol: udp frag: 0 packets: 2 size: 198 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:25253 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:25253 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 206 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:1408 protocol: udp frag: 0 packets: 2 size: 156 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:1408 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 212 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:62846 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 140 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:62846 protocol: udp frag: 0 packets: 2 size: 140 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:4030 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 140 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:4030 protocol: udp frag: 0 packets: 2 size: 140 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:28123 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:25481 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:25481 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 210 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:60583 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:60583 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 218 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:21340 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:62871 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:28789 protocol: udp frag: 0 packets: 2 size: 238 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:1517 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:1517 protocol: udp frag: 0 packets: 2 size: 242 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:35755 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:35755 protocol: udp frag: 0 packets: 2 size: 214 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.8.8:53 > x.x.x.x:61895 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:20353 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:47754 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 138 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:3245 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 160 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:3245 protocol: udp frag: 0 packets: 2 size: 224 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:45151 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 x.x.x.x:49396 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 192 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:47754 protocol: udp frag: 0 packets: 2 size: 258 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:45151 protocol: udp frag: 0 packets: 2 size: 254 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:49.000000 8.8.4.4:53 > x.x.x.x:49396 protocol: udp frag: 0 packets: 2 size: 310 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:20272 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 120 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:20272 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:40785 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:38639 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:20353 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:33796 > 210.245.31.10:53 protocol: udp frag: 0 packets: 2 size: 168 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:63753 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 116 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:63753 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:36325 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 126 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:36325 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:62871 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:22471 > 202.97.230.4:53 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:15361 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:15361 protocol: udp frag: 0 packets: 2 size: 214 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:6120 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:43312 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 180 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 210.245.31.10:53 > x.x.x.x:33796 protocol: udp frag: 0 packets: 2 size: 1414 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:36966 > 210.245.31.130:53 protocol: udp frag: 0 packets: 2 size: 168 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:54485 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:54485 protocol: udp frag: 0 packets: 2 size: 276 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:9303 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 8.8.4.4:53 > x.x.x.x:9303 protocol: udp frag: 0 packets: 2 size: 236 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:27739 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:9522 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 202.97.230.4:53 > x.x.x.x:22471 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:50.000000 x.x.x.x:44830 > 202.97.224.80:53 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:60958 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:19386 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:13642 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 210.245.31.130:53 > x.x.x.x:36966 protocol: udp frag: 0 packets: 2 size: 1414 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:25008 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:24592 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 172 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.8.8:53 > x.x.x.x:25008 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:24795 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 170 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:14641 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:10783 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:60158 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:26570 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 140 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:55344 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:23345 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 180 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.4.4:53 > x.x.x.x:10783 protocol: udp frag: 0 packets: 2 size: 276 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:58444 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.4.4:53 > x.x.x.x:58444 protocol: udp frag: 0 packets: 2 size: 246 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.4.4:53 > x.x.x.x:27739 protocol: udp frag: 0 packets: 2 size: 190 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.4.4:53 > x.x.x.x:55344 protocol: udp frag: 0 packets: 2 size: 246 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:58619 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:10432 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 140 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:15500 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 136 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 202.97.224.80:53 > x.x.x.x:44830 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:56242 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 156 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:15557 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 158 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.8.8:53 > x.x.x.x:10432 protocol: udp frag: 0 packets: 2 size: 246 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:2343 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 170 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.8.8:53 > x.x.x.x:56242 protocol: udp frag: 0 packets: 2 size: 278 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:17937 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 170 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:47092 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 118 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.8.8:53 > x.x.x.x:47092 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:64518 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:45755 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 112 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.8.8:53 > x.x.x.x:45755 protocol: udp frag: 0 packets: 2 size: 294 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:31164 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 168 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 8.8.8.8:53 > x.x.x.x:64518 protocol: udp frag: 0 packets: 2 size: 254 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:51.000000 x.x.x.x:16303 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:25616 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:17121 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:20226 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.4.4:53 > x.x.x.x:6120 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:5560 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:16303 protocol: udp frag: 0 packets: 2 size: 280 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:15037 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:52464 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 174 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:4971 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:9270 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:34316 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:58455 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:52793 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:41022 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 114 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:60616 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 114 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:41022 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:60616 protocol: udp frag: 0 packets: 2 size: 224 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:58455 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:33005 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:52464 protocol: udp frag: 0 packets: 2 size: 174 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:34316 protocol: udp frag: 0 packets: 2 size: 278 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:9270 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:52793 protocol: udp frag: 0 packets: 2 size: 252 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:53756 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:15037 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:4971 protocol: udp frag: 0 packets: 2 size: 152 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:24363 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:42361 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 150 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:39525 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 180 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:53756 protocol: udp frag: 0 packets: 2 size: 210 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:45304 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 128 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:42361 protocol: udp frag: 0 packets: 2 size: 256 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:59635 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 112 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:12537 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:56357 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.8.8:53 > x.x.x.x:12537 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:30356 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 8.8.4.4:53 > x.x.x.x:30356 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:52.000000 x.x.x.x:26809 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 172 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:59635 protocol: udp frag: 0 packets: 2 size: 232 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:13552 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:45304 protocol: udp frag: 0 packets: 2 size: 160 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 200.54.101.82:32574 > x.x.x.x:53 protocol: udp frag: 0 packets: 2 size: 132 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:53 > 200.54.101.82:32574 protocol: udp frag: 0 packets: 2 size: 132 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:45333 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:59260 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 130 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:45333 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:16688 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 176 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:43315 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:43315 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:51792 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:51792 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:59260 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:2799 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:23027 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:2799 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:25095 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:23027 protocol: udp frag: 0 packets: 2 size: 220 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:25095 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:14152 > 8.8.8.8:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:14152 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:13858 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:13858 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:26809 protocol: udp frag: 0 packets: 2 size: 268 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.8.8:53 > x.x.x.x:5560 protocol: udp frag: 0 packets: 2 size: 144 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 200.54.101.82:59714 > x.x.x.x:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:53 > 200.54.101.82:59714 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:41671 > 58.242.4.206:53 protocol: udp frag: 0 packets: 2 size: 166 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:34313 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:21753 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 148 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:21753 protocol: udp frag: 0 packets: 2 size: 292 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:56578 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 154 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:49141 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 146 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:64540 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 142 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:63732 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 178 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:63245 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 156 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:13438 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 118 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:13438 protocol: udp frag: 0 packets: 2 size: 362 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:49141 protocol: udp frag: 0 packets: 2 size: 252 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:48319 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 160 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:22527 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 164 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:29152 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 134 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:35883 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 170 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:43397 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 132 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:55801 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 136 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:29152 protocol: udp frag: 0 packets: 2 size: 232 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 8.8.4.4:53 > x.x.x.x:43397 protocol: udp frag: 0 packets: 2 size: 132 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:19932 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 136 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:18584 > 8.8.4.4:53 protocol: udp frag: 0 packets: 2 size: 162 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:18546 > 71.163.15.130:53 protocol: udp frag: 0 packets: 2 size: 178 bytes ttl: 0 sample ratio: 1
2016-12-24 12:18:53.000000 x.x.x.x:19940 > 8.8.4.4:53 protocol:

pavel-odintsov commented 7 years ago

Hello!

Thank you for your pcap dumps!

I just processed it and found very-very-very interesting things inside it. As you know, NetFlow 5 PDUs have special fields for tracking the time when a flow was started and when it was finished.

They are very useful for very long-lasting downloads/uploads.

I just extracted the duration (start and finish time difference) with tshark this way: tshark -r netflow.pcap -V|grep Duration|sort | uniq -c | sort -g

And got the following output:

   1         [Duration: 0.004000000 seconds]
   1         [Duration: 0.008000000 seconds]
   1         [Duration: 0.016000000 seconds]
   1         [Duration: 0.064000000 seconds]
   1         [Duration: 0.116000000 seconds]
   1         [Duration: 0.127000000 seconds]
   1         [Duration: 0.144000000 seconds]
   1         [Duration: 0.168000000 seconds]
   1         [Duration: 0.191000000 seconds]
   1         [Duration: 0.213000000 seconds]
   1         [Duration: 0.266000000 seconds]
   1         [Duration: 0.376000000 seconds]
   1         [Duration: 0.445000000 seconds]
   1         [Duration: 0.456000000 seconds]
   1         [Duration: 0.462000000 seconds]
   1         [Duration: 0.513000000 seconds]
   1         [Duration: 0.550000000 seconds]
   1         [Duration: 0.624000000 seconds]
   1         [Duration: 0.642000000 seconds]
   1         [Duration: 0.698000000 seconds]
   1         [Duration: 0.728000000 seconds]
   1         [Duration: 0.749000000 seconds]
   1         [Duration: 0.919000000 seconds]
   1         [Duration: 1.026000000 seconds]
   1         [Duration: 1.066000000 seconds]
   1         [Duration: 1.152000000 seconds]
   1         [Duration: 1.203000000 seconds]
   1         [Duration: 1.236000000 seconds]
   1         [Duration: 1.274000000 seconds]
   1         [Duration: 1.570000000 seconds]
   1         [Duration: 103.431000000 seconds]
   1         [Duration: 1048.448000000 seconds]
   1         [Duration: 1073739.776000000 seconds]
   1         [Duration: 1073741.826000000 seconds]
   1         [Duration: 1073743.872000000 seconds]
   1         [Duration: 130.816000000 seconds]
   1         [Duration: 131.056000000 seconds]
   1         [Duration: 131.072000000 seconds]
   1         [Duration: 131.328000000 seconds]
   1         [Duration: 134201.344000000 seconds]
   1         [Duration: 134234.112000000 seconds]
   1         [Duration: 16.416000000 seconds]
   1         [Duration: 16.431000000 seconds]
   1         [Duration: 16775.168000000 seconds]
   1         [Duration: 2097.148000000 seconds]
   1         [Duration: 2147483.652000000 seconds]
   1         [Duration: 2147487.744000000 seconds]
   1         [Duration: 2164260.868000000 seconds]
   1         [Duration: 262.112000000 seconds]
   1         [Duration: 262.176000000 seconds]
   1         [Duration: 262.656000000 seconds]
   1         [Duration: 268468.224000000 seconds]
   1         [Duration: 32.704000000 seconds]
   1         [Duration: 32.832000000 seconds]
   1         [Duration: 3221225.472000000 seconds]
   1         [Duration: 3221225.474000000 seconds]
   1         [Duration: 33488.888000000 seconds]
   1         [Duration: 33488.904000000 seconds]
   1         [Duration: 33558.528000000 seconds]
   1         [Duration: 3758096.385000000 seconds]
   1         [Duration: 4.197000000 seconds]
   1         [Duration: 4160487.456000000 seconds]
   1         [Duration: 4219469.824000000 seconds]
   1         [Duration: 4257218.560000000 seconds]
   1         [Duration: 4261408.768000000 seconds]
   1         [Duration: 4276092.928000000 seconds]
   1         [Duration: 4278190.080000000 seconds]
   1         [Duration: 4286578.688000000 seconds]
   1         [Duration: 4290764.800000000 seconds]
   1         [Duration: 4292870.144000000 seconds]
   1         [Duration: 4293916.672000000 seconds]
   1         [Duration: 4294441.984000000 seconds]
   1         [Duration: 4294442.944000000 seconds]
   1         [Duration: 4294443.007000000 seconds]
   1         [Duration: 4294444.032000000 seconds]
   1         [Duration: 4294852.608000000 seconds]
   1         [Duration: 4294893.568000000 seconds]
   1         [Duration: 4294934.464000000 seconds]
   1         [Duration: 4294934.784000000 seconds]
   1         [Duration: 4294950.944000000 seconds]
   1         [Duration: 4294959.120000000 seconds]
   1         [Duration: 4294965.252000000 seconds]
   1         [Duration: 4294966.400000000 seconds]
   1         [Duration: 4294967.040000000 seconds]
   1         [Duration: 4294967.280000000 seconds]
   1         [Duration: 4294967.294000000 seconds]
   1         [Duration: 5.916000000 seconds]
   1         [Duration: 5.990000000 seconds]
   1         [Duration: 52.936000000 seconds]
   1         [Duration: 524.224000000 seconds]
   1         [Duration: 535822.208000000 seconds]
   1         [Duration: 57.344000000 seconds]
   1         [Duration: 65.536000000 seconds]
   1         [Duration: 73.711000000 seconds]
   1         [Duration: 8.214000000 seconds]
   2         [Duration: 0.001000000 seconds]
   2         [Duration: 0.002000000 seconds]
   2         [Duration: 0.080000000 seconds]
   2         [Duration: 0.117000000 seconds]
   2         [Duration: 0.126000000 seconds]
   2         [Duration: 0.128000000 seconds]
   2         [Duration: 0.169000000 seconds]
   2         [Duration: 0.256000000 seconds]
   2         [Duration: 0.280000000 seconds]
   2         [Duration: 0.282000000 seconds]
   2         [Duration: 0.512000000 seconds]
   2         [Duration: 1073741.822000000 seconds]
   2         [Duration: 1073741.824000000 seconds]
   2         [Duration: 134217.728000000 seconds]
   2         [Duration: 16777.216000000 seconds]
   2         [Duration: 2.052000000 seconds]
   2         [Duration: 2097.152000000 seconds]
   2         [Duration: 2097.156000000 seconds]
   2         [Duration: 2147479.552000000 seconds]
   2         [Duration: 2147483.644000000 seconds]
   2         [Duration: 262.144000000 seconds]
   2         [Duration: 268402.688000000 seconds]
   2         [Duration: 32.768000000 seconds]
   2         [Duration: 3221225.470000000 seconds]
   2         [Duration: 3758097.408000000 seconds]
   2         [Duration: 4026007.488000000 seconds]
   2         [Duration: 4026007.616000000 seconds]
   2         [Duration: 4027056.064000000 seconds]
   2         [Duration: 4161011.680000000 seconds]
   2         [Duration: 4194.304000000 seconds]
   2         [Duration: 4292866.048000000 seconds]
   2         [Duration: 4293918.722000000 seconds]
   2         [Duration: 4293920.768000000 seconds]
   2         [Duration: 4294705.184000000 seconds]
   2         [Duration: 4294819.840000000 seconds]
   2         [Duration: 4294963.192000000 seconds]
   2         [Duration: 4294966.272000000 seconds]
   2         [Duration: 4294966.784000000 seconds]
   2         [Duration: 4294967.167000000 seconds]
   2         [Duration: 4294967.264000000 seconds]
   2         [Duration: 4294967.288000000 seconds]
   2         [Duration: 524.288000000 seconds]
   2         [Duration: 67108.864000000 seconds]
   2         [Duration: 67117.056000000 seconds]
   2         [Duration: 8388.592000000 seconds]
   2         [Duration: 8388.608000000 seconds]
   2         [Duration: 8388.624000000 seconds]
   3         [Duration: 0.032000000 seconds]
   3         [Duration: 0.118000000 seconds]
   3         [Duration: 0.278000000 seconds]
   3         [Duration: 4227866.624000000 seconds]
   3         [Duration: 4261416.960000000 seconds]
   3         [Duration: 4278188.032000000 seconds]
   3         [Duration: 4286562.304000000 seconds]
   3         [Duration: 4293918.720000000 seconds]
   3         [Duration: 4294959.104000000 seconds]
   3         [Duration: 4294966.785000000 seconds]
   3         [Duration: 8.192000000 seconds]
   4         [Duration: 134217.984000000 seconds]
   4         [Duration: 4026531.840000000 seconds]
   4         [Duration: 4227858.432000000 seconds]
   4         [Duration: 4292874.240000000 seconds]
   4         [Duration: 4294443.008000000 seconds]
   4         [Duration: 4294934.528000000 seconds]
   4         [Duration: 4294967.168000000 seconds]
   5         [Duration: 0.078000000 seconds]
   5         [Duration: 2151677.952000000 seconds]
   5         [Duration: 33554.432000000 seconds]
   5         [Duration: 4294836.224000000 seconds]
   6         [Duration: 0.102000000 seconds]
   6         [Duration: 2147483.648000000 seconds]
3060             [Duration: 0.000000000 seconds]
2014398         [Duration: 0.000000000 seconds]

As you can see, almost all your flows have zero difference, which is FINE.

But I see about ~100 packets with a HUGE duration: [Duration: 4294836.224000000 seconds]

It's definitely a misbehaviour / bug / ugly feature (select whichever term you like more) of Mikrotik's NetFlow implementation. 4294836 seconds is about 49 days, and it's definitely impossible to have such huge / long-lasting downloads.

Out of curiosity I tried to extract the PDU with this long-living session and GOT amazing results:

    pdu 26/30
        SrcAddr: xxxx
        DstAddr: xxx
        NextHop: xxxxx
        InputInt: 8
        OutputInt: 1
        Packets: 8388612
        Octets: 17070
        [Duration: 4294836.224000000 seconds]
            StartTime: 655309.442000000 seconds
            EndTime: 655178.370000000 seconds
        SrcPort: 80
        DstPort: 49655
        Padding: 00
        TCP Flags: 0x10
        Protocol: TCP (6)
        IP ToS: 0x00
        SrcAS: 0
        DstAS: 0
        SrcMask: 0 (prefix: xxxx)
        DstMask: 0 (prefix: xxx)
        Padding: 0000

You can see that this flow has "8 388 612" packets (yes, 8 million packets per second!). That's the reason why FastNetMon triggered an attack notification for this flow.

This one flow is enough to break the whole smart processing logic of FastNetMon.

pavel-odintsov commented 7 years ago

Haha, it's more fun than I expected!

Look on this please:

StartTime: 655309.442000000 seconds
EndTime: 655178.370000000 seconds

EndTime is smaller than StartTime :) Time travelling is possible! :)

But the real time over which your flow was "collected" is about 130 seconds. So your Mikrotik device for some reason collected 8 million packets over 130 seconds. And with the 200 kpps of data you reported on average... it's about 65k packets per second!

So finally, Mikrotik's implementation has the following bugs:

Finally, I could partially fix this issue in FNM and add a special flag in FastNetMon to DROP such packets (if a packet's duration is bigger than average_calculation_time).

But I'm not sure it would help a lot because the NetFlow data is really corrupted, and it's very complicated to produce reliable results with such unreliable input data.

ateixeirag commented 7 years ago

Hello,

Thank you for your detailed answer. I understand and I will contact MikroTik support.

Best regards.

elmaxid commented 7 years ago

Hi

I wrote to MikroTik support with this issue. We have to wait.

M.

henry-spanka commented 7 years ago

I can confirm this. Had no luck with Mikrotik's implementation of NetFlow either and therefore switched to Port mirroring as it's the best and most accurate collector. Mikrotik's RouterOS software has a lot of bugs not only related to NetFlow. Can't even handle a full IPv4 BGP table :)

alfredosola commented 7 years ago

I beg to differ. I have many Mikrotik CCRs with full IPv4 tables, with different transit providers. Yes, they do have bugs, but overall they have been working well for us, including NetFlow export to fastnetmon.

henry-spanka commented 7 years ago

Have you tried searching for a specific route in the table? It takes several minutes to complete. Other vendors do this kind of stuff in less than a second.

pavel-odintsov commented 7 years ago

@elmaxid thanks for escalating this! :)

ateixeirag commented 7 years ago

Thank you for writing to MikroTik support. Please let us know any news about it.

Regards.

elmaxid commented 7 years ago

@ateixeirag I need to contact you because MikroTik's support needs some info about your config. Please contact me at elmaxi[at]gmail.com

pavel-odintsov commented 7 years ago

@elmaxid thank you so much for great attention to this issue! :)

ateixeirag commented 7 years ago

Hello.

We are already in contact. So we will let you know about any news.

Best Regards.

AndrewThrift commented 7 years ago

Hi guys, we too are having this problem.

I noticed a fix in the RouterOS 6.38 changelog: *) traffic-flow - fixed flow sequence counter and length;

Is this by any chance a fix for the above issue?

Also, what is the Mikrotik ticket number? I will file some more information with them.

ateixeirag commented 7 years ago

Hello,

We will test it today and we will let you know.

Regards.

ateixeirag commented 7 years ago

Hello,

I made some tests with the latest RouterOS version, 6.38.

fastnetmon configuration:

ban_time = 30
unban_only_if_attack_finished = off
threshold_pps = 4000
threshold_mbps = 20
average_calculation_time = 60

MikroTik configuration:

/ip traffic-flow
set active-flow-timeout=1m cache-entries=8k enabled=yes inactive-flow-timeout=1m interfaces=sfp-sfpplus1-in
/ip traffic-flow target
add dst-address=34.195.51.66 src-address=10.77.77.193 v9-template-refresh=60 v9-template-timeout=1m version=5

Here is the CAP file: https://dl.dropboxusercontent.com/u/3817372/share-public_v3/v5-test.zip

Using tshark: tshark -r v5-test.cap -V|grep Duration|sort | uniq -c | sort -g

   1         [Duration: 10.190000000 seconds]
   1         [Duration: 17.860000000 seconds]
   1         [Duration: 3.080000000 seconds]
   1         [Duration: 43.280000000 seconds]
   1         [Duration: 5.220000000 seconds]
   1         [Duration: 59.120000000 seconds]
   1         [Duration: 7.000000000 seconds]
   1         [Duration: 9.240000000 seconds]
1920301         [Duration: 0.000000000 seconds]

Is that OK? I am not an expert in using NetFlow. I am using version 5.

The attack detection was (fastnetmon sends to SQL): https://dl.dropboxusercontent.com/u/3817372/share-public_v3/Screenshot_17.png

Regards

ateixeirag commented 7 years ago

Hello,

Here is another example: https://dl.dropboxusercontent.com/u/3817372/share-public_v3/v5-test3.zip

Attack reports: https://dl.dropboxusercontent.com/u/3817372/share-public_v3/Screenshot_18.png

Is this helpful?

Regards.

pavel-odintsov commented 7 years ago

Hello!

I think the duration "bug" was fixed.

   1         [Duration: 10.190000000 seconds]
   1         [Duration: 17.860000000 seconds]
   1         [Duration: 3.080000000 seconds]
   1         [Duration: 43.280000000 seconds]
   1         [Duration: 5.220000000 seconds]
   1         [Duration: 59.120000000 seconds]
   1         [Duration: 7.000000000 seconds]
   1         [Duration: 9.240000000 seconds]
1920301         [Duration: 0.000000000 seconds]

Same for v5-test3.pcap:

1         [Duration: 12.300000000 seconds]
4557397         [Duration: 0.000000000 seconds]

But I still see insane "millionaire flows" in v5-test3.pcap:

tshark -n  -r v5-test3.pcap -V|grep 'Packets: 1482184792' -C 10 --color
        DstAS: 0
        SrcMask: 0 (prefix: 44.58.228.53/32)
        DstMask: 0 (prefix: 30.30.30.99/32)
        Padding: 0000
    pdu 6/30
        SrcAddr: 19.102.168.101
        DstAddr: 30.30.30.99
        NextHop: 10.25.25.2
        InputInt: 22616
        OutputInt: 22616
        Packets: 1482184792
        Octets: 1482184792
        [Duration: 0.000000000 seconds]
            StartTime: 1482184.792000000 seconds
            EndTime: 1482184.792000000 seconds
        SrcPort: 22616
        DstPort: 22616
        Padding: 58
        TCP Flags: 0x58
        Protocol: EIGRP (88)
        IP ToS: 0x58
--
--
        DstAS: 22616
        SrcMask: 88 (prefix: 19.102.168.0/88)
        DstMask: 88 (prefix: 30.30.30.0/88)
        Padding: 5858
    pdu 7/30
        SrcAddr: 88.88.88.88
        DstAddr: 88.88.88.88
        NextHop: 88.88.88.88
        InputInt: 22616
        OutputInt: 22616
        Packets: 1482184792
        Octets: 1482184792
        [Duration: 0.000000000 seconds]
            StartTime: 1482184.792000000 seconds
            EndTime: 1482184.792000000 seconds
        SrcPort: 22616
        DstPort: 22616
        Padding: 58
        TCP Flags: 0x58
        Protocol: EIGRP (88)
        IP ToS: 0x58
--

So this part of the bug still exists.
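The two broken record shapes discussed in this thread (the "time travelling" flow with EndTime earlier than StartTime, and the "millionaire" flows whose every field echoes the same value) can be caught by plausibility checks on each NetFlow v5 record before it reaches any rate calculation. The following is an added example, not FastNetMon code: it unpacks a v5 export packet with struct, computes the duration both as tshark does (unsigned subtraction, which wraps at 2^32 and yields the 4294836.224 s seen above) and as an absolute span, and flags records whose end precedes their start, whose span exceeds the collection window, or whose octet count is smaller than 20 bytes per packet, which no IPv4 packet can satisfy. The sample records are constructed from the numbers quoted in this issue; the header fields, the 60 s window and the 192.0.2.x / 198.51.100.x placeholder addresses are assumptions.

```python
"""Plausibility checks for NetFlow v5 records before they reach a rate calculator.

Added example, not FastNetMon code. Thresholds, the export header and the
documentation-range addresses are assumptions; the record values come from
the flows quoted in this issue.
"""
import struct
from dataclasses import dataclass, field

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
U32 = 0xFFFFFFFF
MIN_IPV4_BYTES = 20   # an IPv4 packet is never shorter than its minimum header


@dataclass
class FlowCheck:
    src: str
    dst: str
    proto: int
    packets: int
    octets: int
    duration_raw_ms: int   # (last - first) mod 2^32: what tshark's Duration shows
    duration_abs_ms: int   # |last - first|: the wall-clock span of the flow
    flags: list = field(default_factory=list)


def ip_str(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def ip_int(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def check_record(raw, window_s=60.0):
    """Unpack one 48-byte v5 record and return a FlowCheck with its problem flags."""
    (src, dst, _nh, _in, _out, pkts, octs, first, last, _sp, _dp, _pad1,
     _tcpf, proto, _tos, _sas, _das, _sm, _dm, _pad2) = V5_RECORD.unpack(raw)
    raw_ms = (last - first) & U32        # unsigned subtraction wraps at 2^32
    abs_ms = abs(last - first)
    fc = FlowCheck(ip_str(src), ip_str(dst), proto, pkts, octs, raw_ms, abs_ms)
    if last < first:
        fc.flags.append("end_before_start")
    if abs_ms > window_s * 1000:
        fc.flags.append("duration_exceeds_window")
    if pkts and octs < pkts * MIN_IPV4_BYTES:
        fc.flags.append("octets_below_ip_minimum")
    return fc


def check_packet(data, window_s=60.0):
    """Check every record of a v5 export packet; returns (header, [FlowCheck, ...])."""
    hdr = V5_HEADER.unpack_from(data, 0)
    version, count = hdr[0], hdr[1]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    need = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < need:
        raise ValueError(f"truncated export: {len(data)} < {need} bytes")
    out = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        out.append(check_record(data[off:off + V5_RECORD.size], window_s))
    return hdr, out


def build_record(src, dst, pkts, octs, first, last, sport, dport, proto):
    """Pack a v5 record with the remaining fields zeroed (used to construct samples)."""
    return V5_RECORD.pack(ip_int(src), ip_int(dst), 0, 0, 0, pkts, octs, first, last,
                          sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)


# Constructed export: assumed header (version 5, 3 records, sampling 1) plus
# three records built from numbers quoted in this issue.
SAMPLE_EXPORT = V5_HEADER.pack(5, 3, 1_000_000, 1482584331, 0, 1, 0, 0, 1) + (
    # an ordinary DNS exchange: 2 packets, 152 bytes, zero duration
    build_record("192.0.2.10", "8.8.8.8", 2, 152, 1000, 1000, 58619, 53, 17)
    # the "time travelling" flow: EndTime < StartTime, 8388612 packets in 17070 bytes
    + build_record("198.51.100.7", "192.0.2.10", 8388612, 17070,
                   655309442, 655178370, 80, 49655, 6)
    # the "millionaire" flow: the same value echoed in every field, Packets == Octets
    + build_record("19.102.168.101", "30.30.30.99", 1482184792, 1482184792,
                   1482184792, 1482184792, 22616, 22616, 88)
)


def sample_results(window_s=60.0):
    return check_packet(SAMPLE_EXPORT, window_s)[1]


if __name__ == "__main__":
    for fc in sample_results():
        print(f"{fc.src} -> {fc.dst} proto {fc.proto}: {fc.packets} pkts / "
              f"{fc.octets} bytes, duration raw {fc.duration_raw_ms / 1000:.3f}s "
              f"abs {fc.duration_abs_ms / 1000:.3f}s, flags={fc.flags or 'ok'}")
```

Running it shows the DNS record clean, the second record flagged three times (its raw duration is 4294836224 ms, its absolute span 131072 ms, i.e. the ~130 seconds noted above), and the third flagged only for the impossible bytes-per-packet ratio; a collector can drop or quarantine flagged records before they feed an average, which is the effect the proposed "drop if duration exceeds average_calculation_time" flag aims for.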

pavel-odintsov commented 7 years ago

I think it's worth mentioning that the flow with the issue belongs to protocol EIGRP (88). It could be useful to report this to Mikrotik.

ateixeirag commented 7 years ago

Hello,

Here is an example of CAP file related with the "simulated attack": https://dl.dropboxusercontent.com/u/3817372/share-public_v3/attack.zip

There is NO "Protocol: EIGRP (88)". The attack is this (raw IP mode): hping3 30.30.30.99 -0 -d 10 -p 80 -i u100 --rand-source

There is something wrong with the way MikroTik reports the protocol in NetFlow.

Regards.

pavel-odintsov commented 7 years ago

Yep, right. Very-very strange way :)

elico commented 7 years ago

@pavel-odintsov I followed the thread and am unable to understand whether the issue was resolved or not. Also, if it was not fixed and there is no bug, what is causing the issue?

pavel-odintsov commented 7 years ago

Now it's blocked on Mikrotik support. They fixed the issue with negative duration, but they could not reproduce the issue where Mikrotik generates millions of packets per second with a strange protocol number.

But I think at this moment they should work well enough. If you have issues, please describe them here.

elico commented 7 years ago

@pavel-odintsov Thanks! I didn't try it so I cannot say, but I was wondering about the options since I have a bunch of Mikrotik devices which I am considering using NetFlow with.

pavel-odintsov commented 7 years ago

@elico you definitely should try FastNetMon! :) I would recommend enabling Graphite and checking the accuracy of your traffic speed calculation.

And if you hit some issues, feel free to open an issue and we will investigate it and report it to Mikrotik's support team :)

prtomasi commented 7 years ago

Hi,

We are using Mikrotik 6.38.7 to send flow to FastNetMon. Alerts are going to Slack perfectly.

The problem with false positives still occurs: we are receiving alerts of > 50,000,000 PPS.

Is there a way to tune Mikrotik and FastNetMon to work together? We're using: Cache entries = 4M, Active Flow Timeout = 00:01:00, Inactive Flow Timeout = 00:01:00

Is there a way to filter alerts in the notify_with_slack.sh script? Maybe send alerts only if ban = yes && threshold < 10,000,000 PPS?

Thanks!

pavel-odintsov commented 7 years ago

@prtomasi I'm so sorry, but there is no way to fix this issue from the FNM side without changing the code.

But if you could collect pcap dumps with all NetFlow packets at the time when the issue happens, it could help a lot.

I could check them and help to isolate the bug. You could share the pcap with me privately at pavel@fastnetmon.com

alfredosola commented 7 years ago

@prtomasi NetFlow works well for us with fastnetmon and some other stuff. But we use NetFlow v9. Unless anything blocks you from doing so, I would check switching to v9. The only sorely missed feature in v9 is ASN export, but I have seen it hinted in the forum that it could come with RouterOS 7.

elico commented 6 years ago

Mikrotik's current firmware is at 6.40.4 but I haven't had the time to check it. I hope I will have time to check it in the next 4 weeks.

pavel-odintsov commented 6 years ago

It would be nice to check it! Thanks!

elico commented 6 years ago

@pavel-odintsov I want to test some of this with my latest RouterOS device but I'm not sure how to put all this setup together. Is there a recommended OS or any recommended settings to test my setup?

pavel-odintsov commented 6 years ago

Hello!

You could use this guide https://forum.mikrotik.com/viewtopic.php?t=124958


blue-yu commented 6 years ago

Hello,

I don't want to open a new ticket, so I will ask here: the Mikrotik plugin is only for local blackhole. Is there a script for RTBH that relies on BGP network advertising and BGP filtering to the upstream provider? I know how to do that manually, but I have 0 experience with MikroTik API scripts...

pavel-odintsov commented 6 years ago

Hello!

This ticket is already very large. Please keep off-topic questions out of the issue. You could use the official Mikrotik forum for such questions: https://forum.mikrotik.com/viewtopic.php?t=124958

connectivityengineer commented 6 years ago

Is this still an issue? Any particular TIK version we should use when testing FastNetMon?

pavel-odintsov commented 6 years ago

Hello!

Please use the latest recommended version and everything should be fine. Otherwise, please collect a pcap and share it with us for debugging.

elmaxid commented 5 years ago

Hello

In the latest v6.44 [testing] the new timeout is:

  • traffic-flow - reduced minimal value of "active-flow-timeout" parameter to 1s;

via: https://forum.mikrotik.com/viewtopic.php?f=21&t=139057&start=150#p700201

Excellent news.

M.

pavel-odintsov commented 5 years ago

Awesome! Thank you so much for sharing it!

pavel-odintsov commented 5 years ago

I think we can close this long thread because Mikrotik fixed their original issue many months ago.