Netflow v5/v9: Incorrect time calculation for first switched and last switched
Deleted user commented
In /lib/logstash/codecs/netflow.rb the calculation of absolute timestamps for "first_switched" and "last_switched" is incorrect:
- Milliseconds are subtracted from microseconds without proper conversion
- Syntax error decreasing seconds
Solution:
Line 139 replace
micros = (flowset.unix_nsec / 1000) - (millis % 1000)
by
micros = (flowset.unix_nsec / 1000) - ((millis % 1000) * 1000)
Line 141 replace
seconds--
by
seconds -= 1
Line 265 replace
micros = 1000000 - (millis % 1000)
by
micros = 1000000 - ((millis % 1000) * 1000)
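The v5 unit mix-up described in this issue, as an added Ruby example that is not part of the original report or the codec's own code. The helper names, the sample values and the surrounding logic (flow age taken as uptime minus the switched value, with a one-second borrow when the microseconds go negative) are assumptions made for illustration; only the two `micros` expressions and `seconds -= 1` come from the issue. The skew it prints matters wherever flow timestamps are correlated with other logs during an investigation.

```ruby
# Added example: helper names and sample values are constructed.
# unix_sec, unix_nsec and uptime_ms stand for the export packet's header fields;
# switched_ms is a record's first_switched/last_switched value (ms of uptime).

# Shared steps (assumed): flow age in ms, then whole seconds before export time.
def age_and_seconds(unix_sec, uptime_ms, switched_ms)
  millis = uptime_ms - switched_ms
  [millis, unix_sec - (millis / 1000)]
end

# Borrow one second when the microsecond part went negative, then build the Time.
def to_time(seconds, micros)
  if micros < 0
    seconds -= 1
    micros += 1_000_000
  end
  Time.at(seconds, micros).utc
end

# As reported: the millisecond remainder is subtracted from microseconds.
def switched_as_reported(unix_sec, unix_nsec, uptime_ms, switched_ms)
  millis, seconds = age_and_seconds(unix_sec, uptime_ms, switched_ms)
  to_time(seconds, (unix_nsec / 1000) - (millis % 1000))
end

# With the proposed change: the remainder is converted to microseconds first.
def switched_corrected(unix_sec, unix_nsec, uptime_ms, switched_ms)
  millis, seconds = age_and_seconds(unix_sec, uptime_ms, switched_ms)
  to_time(seconds, (unix_nsec / 1000) - ((millis % 1000) * 1000))
end

# Independent check: the whole calculation in integer microseconds.
def switched_reference(unix_sec, unix_nsec, uptime_ms, switched_ms)
  total_us = unix_sec * 1_000_000 + unix_nsec / 1000 - (uptime_ms - switched_ms) * 1000
  Time.at(total_us / 1_000_000, total_us % 1_000_000).utc
end

# Signed difference a - b in microseconds.
def skew_us(a, b)
  (a.to_i - b.to_i) * 1_000_000 + (a.usec - b.usec)
end

# Constructed sample: export at 1400000000.25 s, flow event 1600 ms earlier.
SAMPLE = [1_400_000_000, 250_000_000, 5_000_000, 4_998_400].freeze
ref = switched_reference(*SAMPLE)
puts "reported  skew: #{skew_us(switched_as_reported(*SAMPLE), ref)} us"
puts "corrected skew: #{skew_us(switched_corrected(*SAMPLE), ref)} us"
```

With these assumptions the reported expression places the flow 999 µs too late for every millisecond in `millis % 1000`, so the error ranges from zero up to just under one second per record.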