Hi,
I have some vSphere 5.1 VDS's sending IPFIX net flow to our nfsen server.
(nfsen v 1.3.5)
I am running nfdump Version: 1.6.9 with the IPFIX patch posted on this list on
the 13/4/2013 by Peter.
I am receiving the net flow data and below is the output in raw form after I
applied the patch. You will notice that "first" and "last" are set to
1970-01-01 10:00:00. There is an up to date time in the last variable of the
packet in "received at".
NFsen can read the data and it is correct (I compare it to data we pull via
snmp) however NFsen/nfdump are formatting the data with timestamps of
1970-01-01 10:00:00 instead of the actual time.
I notice this has been raised on various sites but I have not seen a fix. I
don't mind testing some patches if they become available to fix up this
timestamp issue.
# nfdump -M /opt/data/nfsen/profiles-data/live/netflow-vds-vsh -R 2013/05/03/nfcapd.201305031040 -c 100 -o raw
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 2
size = 72
first = 0 [1970-01-01 10:00:00]
last = 0 [1970-01-01 10:00:00]
msec_first = 0
msec_last = 0
src addr = 110.175.94.222
dst addr = 192.168.64.6
src port = 58464
dst port = 443
fwd status = 157
tcp flags = 0x00 ......
proto = 6
(src)tos = 0
(in)packets = 9
(in)bytes = 1500
input = 1678
output = 1799
ip router = 10.1.4.39
received at = 1367541600163 [2013-05-03 10:40:00.163]
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 2
size = 72
first = 0 [1970-01-01 10:00:00]
last = 0 [1970-01-01 10:00:00]
msec_first = 0
msec_last = 0
src addr = 101.163.67.76
dst addr = 192.168.64.6
src port = 2735
dst port = 443
fwd status = 255
tcp flags = 0x00 ......
proto = 6
(src)tos = 0
(in)packets = 1
(in)bytes = 40
input = 1678
output = 1799
ip router = 10.1.4.39
received at = 1367541600163 [2013-05-03 10:40:00.163]
Kind Regards,
David
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
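
Added example, not part of the original post or of nfdump: a small parser for the `nfdump -o raw` text quoted above that counts, per exporter, the flows whose "first" and "last" are 0 while "received at" is populated. The function names, the trimmed field set and the third sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the `nfdump -o raw` layout quoted in the post (fields
# trimmed). The third record is invented to show a healthy flow for contrast.
SAMPLE = """\
Flow Record:
  first = 0 [1970-01-01 10:00:00]
  last = 0 [1970-01-01 10:00:00]
  src addr = 110.175.94.222
  ip router = 10.1.4.39
  received at = 1367541600163 [2013-05-03 10:40:00.163]
Flow Record:
  first = 0 [1970-01-01 10:00:00]
  last = 0 [1970-01-01 10:00:00]
  src addr = 101.163.67.76
  ip router = 10.1.4.39
  received at = 1367541600163 [2013-05-03 10:40:00.163]
Flow Record:
  first = 1367541590 [2013-05-03 10:39:50]
  last = 1367541595 [2013-05-03 10:39:55]
  src addr = 192.0.2.10
  ip router = 10.1.4.40
  received at = 1367541600163 [2013-05-03 10:40:00.163]
"""

FIELD = re.compile(r"^\s*(.+?)\s*=\s*(\S+)")  # "name = value [rendering]"

def parse_records(text):
    """Split raw output into one dict per 'Flow Record:' block."""
    records = []
    for line in text.splitlines():
        if line.strip() == "Flow Record:":
            records.append({})
        elif records and (m := FIELD.match(line)):
            records[-1][m.group(1)] = m.group(2)
    return records

def zero_timestamp_flows(records):
    """Flows with first/last == 0 but a real receive time (ms since epoch)."""
    hits = []
    for r in records:
        recv_ms = int(r.get("received at", "0"))
        if r.get("first") == "0" and r.get("last") == "0" and recv_ms > 0:
            hits.append((r.get("ip router"), r.get("src addr"), recv_ms // 1000))
    return hits

def affected_by_exporter(hits):
    """Count affected flows per exporter ('ip router' field)."""
    return Counter(exporter for exporter, _, _ in hits)

if __name__ == "__main__":
    print(affected_by_exporter(zero_timestamp_flows(parse_records(SAMPLE))))
```
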