Detection of Network Flow Timestamp Reliability

  • Martin Žádnik
  • Erik Šabik
  • Václav Bartoš
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8508)


Network flow measurement and analysis are important parts of network management and security. Flow data analysis is a challenging task, often made harder by pitfalls in the monitoring pipeline. In this paper we focus on timestamps, since many analysis procedures use timestamps to reveal various characteristics of network traffic. Unfortunately, the timestamps are not always as reliable as they may seem. We propose an algorithm to estimate the percentage of timestamps correctly assigned to flow records with respect to the sequence of a request flow and a response flow. We simulate various timestamp failures and evaluate them using the proposed algorithm. We demonstrate the use of the algorithm in the use case of bidirectional flow orientation.



Copyright information

© International Federation for Information Processing 2014

Authors and Affiliations

  • Martin Žádnik (1)
  • Erik Šabik (1)
  • Václav Bartoš (1)
  1. CESNET, a. l. e., Prague, Czech Republic
