Thanks for the update, David. Could you please send me off list a packet trace -
your vsphere.pcap - for further analysis?
Thanks
- Peter
On 13/11/13 4:15 AM, David Walsh wrote:
> Hi,
> VMware have sent me a patch to test on a system to see if the issue is
> fixed. I installed the patch on a low-traffic ESXi host and moved a network
> gateway to it so it would throw the relevant net flow at my collector.
>
> Wireshark dumps indicate that the correct date is being added to the
> “StartTime and EndTime fields” now. I’ve attached a screenshot from
> Wireshark. I captured the data with:
> tcpdump -n -i eth0 -s 1600 -w /tmp/vsphere.pcap 'port 2055'
> I can also confirm that other dumps from other ESX hosts without the patch
> enter 1970 in those fields.
>
>
>
>
> However, when I view the dump with nfdump for that flow, it has the 1970
> dates in it for “first” and “last”.
>
>
> [root@nfsen ~]# nfdump -M /opt/data/nfsen/profiles-data/live/netflow-vds-vsh -R 2013/11/13/nfcapd.201311131100 -o raw | grep -A15 -B10 115.70.221.246
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> export sysid = 2
> size = 72
> first = 0 [1970-01-01 10:00:00]
> last = 0 [1970-01-01 10:00:00]
> msec_first = 0
> msec_last = 0
> src addr = X.X.X.X
> dst addr = 115.70.221.246
> src port = 80
> dst port = 13845
> fwd status = 66
> tcp flags = 0x00 ......
> proto = 6
> (src)tos = 0
> (in)packets = 4
> (in)bytes = 2515
> input = 10623
> output = 8127
> ip router = 10.1.4.39
> received at = 1384304530019 [2013-11-13 11:02:10.019]
>
>
> Does this mean that nfcapd/nfdump is not displaying the correct date in the
> first and last fields OR does it mean that the fields I see in the Wireshark
> dump, “StartTime and EndTime fields”, do not correlate to the “first” and
> “last” fields in the nfdump?
>
> Regards,
> David
>
>
>
> On 8 Nov 2013, at 1:15 pm, David Walsh <[email protected]> wrote:
>
>> Hi,
>> Here is an update on this issue…..
>>
>> From VMware:
>>
>> "This is with regards to the vDS issue. Just to keep you updated that
>> engineering have isolated the code that seems to be causing the issue. We
>> are working on a fix and I will share further updates as and when the same
>> is available"
>>
>> Hopefully it will be part of Update 2 of v5.1. I have not tested 5.5 yet.
>>
>> On 14 May 2013, at 10:59 am, David Walsh <[email protected]> wrote:
>>
>>> FYI
>>>
>>> I have finally got VMware looking at this for me. I'll reply to the list
>>> when I get more information. I am providing them with the logs of my vDS.
>>>
>>> Cheers,
>>> David
>>>
>>> On 07/05/2013, at 10:44 AM, David Walsh <[email protected]> wrote:
>>>
>>>> Hi,
>>>> I have some vSphere 5.1 VDS's sending IPFIX net flow to our nfsen
>>>> server. (nfsen v 1.3.5)
>>>>
>>>> I am running nfdump Version: 1.6.9 with the IPFIX patch posted on this
>>>> list on the 13/4/2013 by Peter.
>>>>
>>>> I am receiving the net flow data and below is the output in raw form
>>>> after I applied the patch. You will notice that "first" and "last" are
>>>> set on 1970-01-01 10:00:00. There is an up to date time in the last
>>>> variable of the packet in "received at".
>>>>
>>>> NFsen can read the data and it is correct (I compare it to data we pull
>>>> via snmp) however NFsen/nfdump are formatting the data with timestamps
>>>> of 1970-01-01 10:00:00 instead of the actual time.
>>>>
>>>> I notice this has been raised on various sites but I have not seen a fix.
>>>> I don't mind testing some patches if they become available to fix up this
>>>> timestamp issue.
>>>>
>>>>
>>>>
>>>> # nfdump -M /opt/data/nfsen/profiles-data/live/netflow-vds-vsh -R 2013/05/03/nfcapd.201305031040 -c 100 -o raw
>>>>
>>>>
>>>> Flow Record:
>>>> Flags = 0x06 FLOW, Unsampled
>>>> export sysid = 2
>>>> size = 72
>>>> first = 0 [1970-01-01 10:00:00]
>>>> last = 0 [1970-01-01 10:00:00]
>>>> msec_first = 0
>>>> msec_last = 0
>>>> src addr = 110.175.94.222
>>>> dst addr = 192.168.64.6
>>>> src port = 58464
>>>> dst port = 443
>>>> fwd status = 157
>>>> tcp flags = 0x00 ......
>>>> proto = 6
>>>> (src)tos = 0
>>>> (in)packets = 9
>>>> (in)bytes = 1500
>>>> input = 1678
>>>> output = 1799
>>>> ip router = 10.1.4.39
>>>> received at = 1367541600163 [2013-05-03 10:40:00.163]
>>>>
>>>>
>>>> Flow Record:
>>>> Flags = 0x06 FLOW, Unsampled
>>>> export sysid = 2
>>>> size = 72
>>>> first = 0 [1970-01-01 10:00:00]
>>>> last = 0 [1970-01-01 10:00:00]
>>>> msec_first = 0
>>>> msec_last = 0
>>>> src addr = 101.163.67.76
>>>> dst addr = 192.168.64.6
>>>> src port = 2735
>>>> dst port = 443
>>>> fwd status = 255
>>>> tcp flags = 0x00 ......
>>>> proto = 6
>>>> (src)tos = 0
>>>> (in)packets = 1
>>>> (in)bytes = 40
>>>> input = 1678
>>>> output = 1799
>>>> ip router = 10.1.4.39
>>>> received at = 1367541600163 [2013-05-03 10:40:00.163]
>>>>
>>>> Kind Regards,
>>>> David
>>>> _______________________________________________
>>>> Nfdump-discuss mailing list
>>>> [email protected]
>>>> <mailto:[email protected]>
>>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>>
>>
--
Be nice to your netflow data. Use NfSen and nfdump :)
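
The quoted question (whether Wireshark's StartTime/EndTime correspond to nfdump's "first"/"last") comes down to which timestamp information elements the exporter's IPFIX template declares, since a collector can only fill those fields from elements it receives and decodes. The following is an added example, not code from this thread or from nfdump: it walks the template sets of one IPFIX message (RFC 7011 layout) and lists the IANA flow start/end elements in each template. The sample message, `build_sample` and its field choices are constructed for illustration.

```python
import struct
# IANA IPFIX information elements that carry flow start/end times.
TIME_IES = {21: "flowEndSysUpTime", 22: "flowStartSysUpTime",
            150: "flowStartSeconds", 151: "flowEndSeconds",
            152: "flowStartMilliseconds", 153: "flowEndMilliseconds",
            154: "flowStartMicroseconds", 155: "flowEndMicroseconds",
            156: "flowStartNanoseconds", 157: "flowEndNanoseconds"}

def timestamp_fields(msg: bytes) -> dict:
    """Map template ID -> [(timestamp IE name, length)] for one IPFIX message."""
    if len(msg) < 16:
        raise ValueError("shorter than the 16-byte IPFIX header")
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or not 16 <= length <= len(msg):
        raise ValueError("not a complete IPFIX (version 10) message")
    found, off = {}, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        if set_id == 2:  # set ID 2 = template set
            found.update(_templates(msg, off + 4, off + set_len))
        off += set_len
    return found

def _templates(msg: bytes, pos: int, end: int) -> dict:
    out = {}
    while pos + 4 <= end:
        tid, count = struct.unpack_from("!HH", msg, pos)
        if tid < 256:  # template IDs start at 256; anything lower is padding
            break
        pos, fields = pos + 4, []
        for _ in range(count):
            if pos + 4 > end:
                raise ValueError("truncated field specifier")
            ie, flen = struct.unpack_from("!HH", msg, pos)
            pos += 8 if ie & 0x8000 else 4  # enterprise bit: 4-byte PEN follows
            if ie in TIME_IES:
                fields.append((TIME_IES[ie], flen))
        out[tid] = fields
    return out

def build_sample() -> bytes:
    """Constructed template message, not taken from the thread's capture."""
    rec = struct.pack("!HH", 256, 5)  # 4 IANA fields + 1 enterprise field
    rec += b"".join(struct.pack("!HH", ie, n)
                    for ie, n in [(8, 4), (12, 4), (152, 8), (153, 8)])
    rec += struct.pack("!HHI", 0x8000 | 1, 4, 12345)  # made-up enterprise field
    tset = struct.pack("!HH", 2, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(tset), 1384304530, 0, 2) + tset
```

Feed it the UDP payloads from a capture such as the port 2055 one described above. A template that returns an empty list declares none of these elements, and data sets cannot be interpreted until the capture includes the exporter's template.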