How you could investigate issues with Netflow


Recently I discovered a pretty ugly bug in Mikrotik devices:

It was caused by a software error: for some reason Mikrotik produced flows with a negative length.

It’s pretty tricky to find this sort of bug because only a small number of Netflow collectors will notify you about incorrectly crafted Netflow packets.

I also found that quite a few devices from well-known vendors ignore the configured active and inactive timeouts for Netflow and produce significantly longer durations for Netflow records.

If you see significant bursts or high inaccuracy in the graphs of your Netflow collector software, it’s time to check your Netflow implementation.

I’m working on Mac OS and will try to execute all operations from my laptop. First of all, you need a pcap dump of the Netflow traffic from your device. Then you need a fresh version of Wireshark (which ships tshark).

It’s pretty complicated to process a big amount of numbers manually, so I prefer histograms for data visualisation. You can grab a tool for this with the command:

pip install hist

The full command for preparing a histogram of Netflow flow durations is:

tshark -r netflow.pcap -V -T fields -e cflow.timedelta|perl -e 'do{print join "\n", split ","}for<>'|hist

When a Netflow packet carries several flow records, tshark joins the values of one field with commas; the perl one-liner splits them so that hist receives one duration per line.


You can also install matplotlib to generate nicer images:

brew install matplotlib

You can also use the results of this small investigation to pick a suitable value for FastNetMon’s average_calculation_time. For the histogram in this article, 30-45 seconds would cover almost all traffic in your network. But please be careful.

It’s also useful to check cflow.packets and cflow.octets for bursts. Some devices report a long-living connection or a big file download in a single flow record, which shows up as a burst.
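The checks described above (negative durations, durations longer than the configured timeouts, a coverage figure for choosing average_calculation_time, and oversized single flow records), carried out in one script. This is an added example and not code from the original post or from FastNetMon. It assumes tshark was run with three fields (-e cflow.timedelta -e cflow.packets -e cflow.octets), so each line is one Netflow packet with tab-separated fields and the values of a field joined by commas when the packet carries several flow records; the sample output and the 60 second active timeout are constructed assumptions.

```python
"""Check NetFlow exports for negative durations, durations longer than the
configured active timeout, and single flow records that show up as bursts.

Added example, not code from the original post. The input format is assumed
to be the output of
    tshark -r netflow.pcap -T fields -e cflow.timedelta -e cflow.packets -e cflow.octets
i.e. one line per NetFlow packet with tab-separated fields, where a packet
that carries several flow records has the values of each field joined by ','.
"""
import math
from collections import Counter
from statistics import median

# Constructed sample output (not a real capture): four NetFlow packets.
# Packet 2 carries a negative duration (the corrupt-export case); packet 3
# carries a 600 s, 1.35 GB flow although the agent is assumed to use a 60 s
# active timeout, so it will show up as a burst in a collector.
SAMPLE_TSHARK_OUTPUT = (
    "12.000000000,3.500000000,45.000000000\t10,2,800\t1500,120,120000\n"
    "-0.500000000,30.000000000\t1,40\t60,60000\n"
    "600.000000000\t900000\t1350000000\n"
    "5.000000000,8.000000000,2.000000000,59.000000000\t4,6,1,7\t600,900,150,1050\n"
)

ACTIVE_TIMEOUT_S = 60.0  # assumed active timeout configured on the exporting device


def parse_tshark_fields(text):
    """Return one (duration_s, packets, octets) tuple per flow record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 3:
            raise ValueError("expected 3 tab-separated fields, got: %r" % line)
        durations = [float(v) for v in cols[0].split(",") if v]
        packets = [int(v) for v in cols[1].split(",") if v]
        octets = [int(v) for v in cols[2].split(",") if v]
        if not (len(durations) == len(packets) == len(octets)):
            raise ValueError("field occurrence counts differ in line: %r" % line)
        records.extend(zip(durations, packets, octets))
    return records


def find_bad_durations(records, active_timeout_s=ACTIVE_TIMEOUT_S):
    """Split out flows with a negative duration (a broken exporter) and flows
    that last longer than the active timeout (the exporter ignores it)."""
    negative = [r for r in records if r[0] < 0]
    too_long = [r for r in records if r[0] > active_timeout_s]
    return negative, too_long


def duration_covering(records, fraction=0.8):
    """Smallest duration d such that at least `fraction` of the valid flows
    last d seconds or less; a starting point for an averaging window such as
    FastNetMon's average_calculation_time. Negative durations are ignored."""
    durations = sorted(r[0] for r in records if r[0] >= 0)
    if not durations:
        raise ValueError("no valid durations")
    idx = max(0, math.ceil(fraction * len(durations)) - 1)
    return durations[idx]


def find_bursts(records, factor=1000):
    """Flow records whose octet count exceeds `factor` times the median octet
    count: a long-living connection or big download reported in one record."""
    threshold = factor * median(r[2] for r in records)
    return [r for r in records if r[2] > threshold]


def duration_histogram(records, bucket_s=10.0):
    """Counter mapping bucket start (seconds) -> number of flows in that bucket."""
    hist = Counter()
    for duration, _, _ in records:
        hist[int(math.floor(duration / bucket_s) * bucket_s)] += 1
    return hist


if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    neg, long_ = find_bad_durations(recs)
    print("flows: %d, negative durations: %d, longer than active timeout: %d"
          % (len(recs), len(neg), len(long_)))
    print("80%% of valid flows last <= %.1f s" % duration_covering(recs))
    print("burst-like records:", find_bursts(recs))
    for start, count in sorted(duration_histogram(recs).items()):
        print("%6d s | %s" % (start, "#" * count))
```

To run it against a real capture, replace SAMPLE_TSHARK_OUTPUT with the text produced by the tshark command in the docstring and set ACTIVE_TIMEOUT_S to the value configured on the device; any flow in the "too long" list means the exporter is not honouring that timeout, and a negative entry means the export itself is corrupt.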

For my test dataset you can find the following distribution of octet lengths:


And for packets:


Finally, tshark with a bit of perl and python scripting gives you a really nice opportunity to learn more about your Netflow agent and report a few nice bugs to its developers.