All NetFlow time stamp information displayed on the AlienVault USM Appliance Server is based on data inserted into the incoming FLOW packet.
The template for NetFlow Version 9 Flow-Record Format packet can be found here: http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
In Table 6, NetFlow Version 9 Field Type Definitions, for time stamp data, the affected field types are Type 21 (LAST_SWITCHED) and Type 22 (FIRST_SWITCHED). The displayed time stamp information is generated from the data in these two fields.
To verify the validity of the time stamp information in the inbound packet, perform these steps. You will need a CLI instance on the USM Appliance Server.
- The USM Server uses the nfcapd process for the packet capture and collection. This displays all running nfcapd processes and their collection options.
- Change directory to the given capture directory:
cd /var/cache/nfdump/flows//live/<capture-directory-name>/<date_directory> (typical format is YYYY-MM-DD)
The files in the directory are in raw format, captured every 5 minutes (default).
The file extension is the date/timestamp of the data collection window. (format is YYYYMMDDhhmm).
- Display data packets, using the nfdump command.
ps aux | grep nfcapd
Determine which is the process for the Fortigate device. The
-l option displays the data capture directory. The
-p option shows the reporting port number.
This is an example invocation:
nfdump -r nfcapd.201609191510 -o raw -c 1
This will display the first record in the file (-c 1 option), in text format.
Flags = 0x06 FLOW, Unsampled
export sysid = 1
size = 60
first = 1463259223 [2016-09-14 16:53:43] <-- time stamp data
last = 1463259223 [2016-09-14 16:53:43] <-- time stamp data
msec_first = 604
msec_last = 714
src addr = 192.168.104.8
dst addr = 188.8.131.52
src port = 42073
dst port = 53
Note the information in the fields first = and last = .
In the example above, the date is five days earlier (09/14) than the capture date window (09/19). If the time stamp data is invalid, the error is coming from the reporting Fortigate firewall device.
Update the Fortigate firmware to version 5.2.5/5.4 or later.