topic Netflow ED missing more real-life examples? in Network Management

Netflow ED missing more real-life examples?

mpetcu — Fri, 26 Apr 2013 14:29:54 GMT

Hello All,

EEM v3.0 introduced a very powerful event detector in my opinion: Netflow Event Detector.

However, I wasn’t able to find too many EEM applets/TCL scripts taking advantage of this Netflow ED or even tutorials that explains how to use it appropriately (especially how to use it with TCL scripts).

I was able to find only one TCL script on many forums/blogs: yes, you may know it; it’s how to identify the “TTL low than 5” flows.

I’m asking the community whether you have more useful real-life examples of applets/scripts that use it.

For example, I was thinking of using it to detect packet retransmissions (using the “TCP sequence number” field values) or to find if certain packets that should come at predefined intervals (like SCCP keepalives or EIGRP hellos) are missing (using the “timestamp sysuptime last” field value).

I was able to “read” the sysuptime last timestamp, but I haven’t found out a way to compare two timestamps to see if there’s a missed packet inside the interval. Do you know what format has “timestamp” field?

Thank you,

Mihai

Netflow ED missing more real-life examples?

Joe Clarke — Fri, 26 Apr 2013 14:45:59 GMT

I don't have any other NF ED examples, but the sysUpTime timestamp is the value of sysUpTime when the flow was matched. SysUpTime is tracked in hundredths of a second. It counts up monotonically until it hits 2^32-1 (just over a year), then it will reset to zero. Assuming a wrap did not occur, you can simply subtract the later from the earlier then multiply by 100 to get a diff in seconds.

Netflow ED missing more real-life examples?

mpetcu — Fri, 26 Apr 2013 15:38:13 GMT

Hello Joe,

Thank you for your quick reply!

Please find below the configuration I have tested:

flow record FNF

match ipv4 source address

match ipv4 destination address

collect timestamp sys-uptime first

collect timestamp sys-uptime last

flow monitor FNF

record FNF

cache timeout inactive 300

cache timeout active 604800

cache timeout update 604800

cache entries 9000

event manager applet fnf

event nf monitor-name "FNF" event-type update event1 entry-value "224.0.0.10" field ipv4 destination address entry-op eq event2 field timestamp sys-uptime last entry-op wc maxrun 60

action 010 puts "$_nf_monitor_name"

action 020 puts "$_nf_dest_address"

action 030 puts "$_nf_event2_field"

action 040 puts "$_nf_event2_value"

action 041 puts "$_event_pub_time"

action 050 wait 16

action 060 set x $_event_pub_time

action 070 puts "x = $x"

action 080 wait 16

action 090 set y $_event_pub_time

action 100 puts "y = $y"

action 110 subtract $x $y

action 120 puts "$_result"

And I had the following results:

R1#

Apr 26 18:30:11.591: %HA_EM-6-LOG: fnf: x = Apr 26 18:29:55.511

R1#

Apr 26 18:30:14.179: %HA_EM-6-LOG: fnf: y = Apr 26 18:29:42.047

Apr 26 18:30:14.179: %HA_EM-6-FMPD_OPERAND_INVALID: Invalid operand in action, expected value within range -2147483648 to 2147483647, received: Apr 26 18:29:42.047

Apr 26 18:30:14.179: %HA_EM-3-FMPD_ERROR: Error executing applet fnf statement 110

R1#

I was able to obtain variables “x” and “y” as timestamps but somehow I wasn’t able to subtract.

Am I missing something obvious?

Thank you,

Mihai

Netflow ED missing more real-life examples?

Joe Clarke — Fri, 26 Apr 2013 16:57:06 GMT

You're not using the NetFlow timestamp, you're using the EEM event timestamp. These are very different. If you want to use the event time, then use _event_pub_sec.

Netflow ED missing more real-life examples?

mpetcu — Fri, 26 Apr 2013 17:10:39 GMT

Sorry I have pasted another applet version - I have plenty of variants but none was working, inclusing the below version which uses Netflow timestamp:

event manager applet fnf

event nf monitor-name "FNF" event-type update event1 entry-value "224.0.0.10" field ipv4 destination address entry-op eq event2 field timestamp sys-uptime last entry-op wc maxrun 60

action 010 puts "$_nf_monitor_name"

action 020 puts "$_nf_dest_address"

action 030 puts "$_nf_event2_field"

action 040 puts "$_nf_event2_value"

action 050 wait 16

action 060 set x $_nf_event2_value

action 070 puts "x = $x"

action 080 wait 16

action 090 set y $_nf_event2_value

action 100 puts "y = $y"

action 110 subtract $x $y

action 120 puts "$_result"

Apr 26 18:43:22.871: %HA_EM-6-LOG: fnf: timestamp sys-uptime last

Apr 26 18:43:22.871: %HA_EM-6-LOG: fnf: 18:43:23.767

R1#

Apr 26 18:43:25.119: %HA_EM-6-LOG: fnf: x = 18:43:08.019

R1#

Apr 26 18:43:26.739: %HA_EM-6-LOG: fnf: y = 18:42:55.627

Apr 26 18:43:26.743: %HA_EM-6-FMPD_OPERAND_INVALID: Invalid operand in action, expected value within range -2147483648 to 2147483647, received: 18:42:55.627

R1#

Apr 26 18:43:26.747: %HA_EM-3-FMPD_ERROR: Error executing applet fnf statement 110

R1#

Thank you for your feedback!

Netflow ED missing more real-life examples?

Joe Clarke — Fri, 26 Apr 2013 17:16:11 GMT

Looks like sysUpTime is being translated to actual time automatically. That won't work for you. What if you try the absolute time instead?

Netflow ED missing more real-life examples?

mpetcu — Fri, 26 Apr 2013 17:39:46 GMT

By "absolute time" do you mean _event_pub_sec?

Netflow ED missing more real-life examples?

Joe Clarke — Fri, 26 Apr 2013 18:03:25 GMT

No. There is an absolute parameter to timestamp in the flow record. Can you tap into that metric instead? It should give you epoch time.