Support #3211

closed

negative flow age

Added by Peter Pan over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

Hi,

Did anyone encounter negative flow age before?

Suricata is used to process some old pcaps spanning several months using the -r command line option. From eve.json, there were some event_type=flow entries where the end date (eg: 1 Jul 2019) is a few months before the start date (eg: 30 Sep 2019) and therefore, age is a very big negative number.

In addition, some of the related timestamps for individual traffic (eg: under DNS) were recorded as 30 Sep 2019 instead of the actual timestamp of the DNS traffic recorded in the pcap (eg: 1 Jul, 8 Jul, 15 Jul, etc). This occurred when some of the pcaps were processed more than once. So the first timestamp for a unique traffic would be recorded with the correct timestamp from the pcap, but the subsequent duplicated traffic was tagged with a timestamp suspected to be the time when the duplicated pcap was being processed again.

I thought this might be due to processing of duplicate pcaps but could not replicate the problem even when the same pcaps were re-processed.

Thank you.
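A quick way to confirm the symptom described above in your own output is to recompute each flow's age from its `flow.start` and `flow.end` fields and compare it with the reported `flow.age`, and to check whether per-protocol events (dns, http, ...) carry a `timestamp` outside the window of the flow they reference via `flow_id`. The script below is an added example for this ticket, not code from the reporter or from the Suricata project; the embedded eve.json lines are constructed to mirror the report (a healthy flow, a flow whose end precedes its start, and a dns event stamped months after its flow), and the field layout assumed is the standard eve `flow` record (`flow.start`, `flow.end`, `flow.age`, `flow_id`).

```python
#!/usr/bin/env python3
"""Sanity-check a Suricata eve.json for inverted flow windows and events
stamped outside their flow's window. Added example, not project code."""
import json
import sys
from datetime import datetime

# Suricata eve timestamps look like 2019-07-01T08:00:00.000000+0000
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample: flow 1 is healthy; flow 2 ends before it starts
# (end 1 Jul, start 30 Sep, as in the report); the dns event on flow 1 is
# stamped 30 Sep although the flow lived on 1 Jul.
SAMPLE_EVE = [
    '{"timestamp":"2019-07-01T08:00:05.000000+0000","flow_id":1,"event_type":"flow",'
    '"flow":{"start":"2019-07-01T08:00:00.000000+0000","end":"2019-07-01T08:00:05.000000+0000","age":5}}',
    '{"timestamp":"2019-09-30T10:00:00.000000+0000","flow_id":2,"event_type":"flow",'
    '"flow":{"start":"2019-09-30T10:00:00.000000+0000","end":"2019-07-01T10:00:00.000000+0000","age":-7862400}}',
    '{"timestamp":"2019-07-01T10:00:00.123456+0000","flow_id":2,"event_type":"dns","dns":{"type":"query"}}',
    '{"timestamp":"2019-09-30T10:00:00.000000+0000","flow_id":1,"event_type":"dns","dns":{"type":"query"}}',
]


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def flow_age_seconds(rec):
    """Age recomputed from the record's own start/end fields, in whole seconds."""
    flow = rec["flow"]
    return int((parse_ts(flow["end"]) - parse_ts(flow["start"])).total_seconds())


def load_records(lines):
    return [json.loads(line) for line in lines if line.strip()]


def find_negative_age_flows(lines):
    """Flow events whose end precedes start, with computed and reported age."""
    hits = []
    for rec in load_records(lines):
        if rec.get("event_type") != "flow":
            continue
        age = flow_age_seconds(rec)
        if age < 0:
            hits.append({
                "flow_id": rec["flow_id"],
                "start": rec["flow"]["start"],
                "end": rec["flow"]["end"],
                "computed_age": age,
                "reported_age": rec["flow"].get("age"),
            })
    return hits


def find_events_outside_flow_window(lines):
    """Non-flow events whose timestamp lies outside [min(start,end), max(start,end)]
    of the flow they reference by flow_id (min/max so inverted flows still get a window)."""
    recs = load_records(lines)
    windows = {}
    for rec in recs:
        if rec.get("event_type") == "flow":
            a, b = parse_ts(rec["flow"]["start"]), parse_ts(rec["flow"]["end"])
            windows[rec["flow_id"]] = (min(a, b), max(a, b))
    out = []
    for rec in recs:
        fid = rec.get("flow_id")
        if rec.get("event_type") == "flow" or fid not in windows:
            continue
        lo, hi = windows[fid]
        if not lo <= parse_ts(rec["timestamp"]) <= hi:
            out.append({"flow_id": fid, "event_type": rec["event_type"],
                        "timestamp": rec["timestamp"]})
    return out


if __name__ == "__main__":
    # Usage: eve_flow_check.py [eve.json]; without an argument the sample runs.
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_EVE
    for hit in find_negative_age_flows(lines):
        print("inverted flow window:", hit)
    for hit in find_events_outside_flow_window(lines):
        print("event outside its flow window:", hit)
```

Run it against the eve.json produced by the `-r` run; a non-empty list from either function is the signal to attach the offending records (and, ideally, the pcap) to the report.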

Actions #1

Updated by Andreas Herz over 4 years ago

  • Assignee set to Community Ticket
  • Target version set to Support

I guess without a reproducible test case that's rather hard to debug. Does it happen with the same pcaps from time to time or only one time?

Actions #2

Updated by Andreas Herz over 4 years ago

  • Status changed from New to Feedback

Actions #3

Updated by Peter Pan over 4 years ago

Andreas Herz wrote:

I guess without a reproducible test case that's rather hard to debug. Does it happen with the same pcaps from time to time or only one time?

So far it has only happened twice, on two different sets of pcaps on different days. In both cases, I was unable to reproduce the error after resetting the VM and re-processing the pcaps.

Actions #4

Updated by Andreas Herz over 3 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses. If you think this bug is still relevant, try to test it again with the most recent version of suricata and reopen the issue. If you want to improve the bug report please take a look at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
