[Nfdump-discuss] vSphere 5.1 distributed switch to nfcapd with IPFIX
From: David W. <da...@on...> - 2013-05-07 01:10:05
Hi,

I have some vSphere 5.1 VDS's sending IPFIX net flow to our nfsen server (nfsen v 1.3.5). I am running nfdump Version: 1.6.9 with the IPFIX patch posted on this list on the 13/4/2013 by Peter.

I am receiving the net flow data, and below is the output in raw form after I applied the patch. You will notice that "first" and "last" are set on 1970-01-01 10:00:00. There is an up to date time in the last variable of the packet in "received at".

NFsen can read the data and it is correct (I compare it to data we pull via snmp); however, NFsen/nfdump are formatting the data with timestamps of 1970-01-01 10:00:00 instead of the actual time.

I notice this has been raised on various sites but I have not seen a fix. I don't mind testing some patches if they become available to fix up this timestamp issue.

# nfdump -M /opt/data/nfsen/profiles-data/live/netflow-vds-vsh -R 2013/05/03/nfcapd.201305031040 -c 100 -o raw

Flow Record:
  Flags = 0x06 FLOW, Unsampled
  export sysid = 2
  size = 72
  first = 0 [1970-01-01 10:00:00]
  last = 0 [1970-01-01 10:00:00]
  msec_first = 0
  msec_last = 0
  src addr = 110.175.94.222
  dst addr = 192.168.64.6
  src port = 58464
  dst port = 443
  fwd status = 157
  tcp flags = 0x00 ......
  proto = 6
  (src)tos = 0
  (in)packets = 9
  (in)bytes = 1500
  input = 1678
  output = 1799
  ip router = 10.1.4.39
  received at = 1367541600163 [2013-05-03 10:40:00.163]

Flow Record:
  Flags = 0x06 FLOW, Unsampled
  export sysid = 2
  size = 72
  first = 0 [1970-01-01 10:00:00]
  last = 0 [1970-01-01 10:00:00]
  msec_first = 0
  msec_last = 0
  src addr = 101.163.67.76
  dst addr = 192.168.64.6
  src port = 2735
  dst port = 443
  fwd status = 255
  tcp flags = 0x00 ......
  proto = 6
  (src)tos = 0
  (in)packets = 1
  (in)bytes = 40
  input = 1678
  output = 1799
  ip router = 10.1.4.39
  received at = 1367541600163 [2013-05-03 10:40:00.163]

Kind Regards,
David
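Added example, not part of the original post and not nfdump code: a small audit of `nfdump -o raw` text that flags records whose first/last are zero and falls back to the collector's "received at" time, so time-windowed flow queries do not silently lose them. The function names, the UTC+10 zone (inferred from the displayed 1970-01-01 10:00:00) and the second sample record are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: collector local zone is UTC+10, inferred from the post, where
# epoch 0 is displayed as 1970-01-01 10:00:00.
LOCAL_TZ = timezone(timedelta(hours=10))

# Constructed sample: record 1 is trimmed from the output quoted in the post;
# record 2 is a made-up healthy record for contrast.
SAMPLE = """\
Flow Record:
  first        =                0 [1970-01-01 10:00:00]
  last         =                0 [1970-01-01 10:00:00]
  src addr     =   110.175.94.222
  received at  =    1367541600163 [2013-05-03 10:40:00.163]
Flow Record:
  first        =       1367541590 [2013-05-03 10:39:50]
  last         =       1367541595 [2013-05-03 10:39:55]
  src addr     =       192.0.2.10
  received at  =    1367541600163 [2013-05-03 10:40:00.163]
"""

FIELD = re.compile(r"^\s*(.+?)\s*=\s*(\S+)")

def parse_records(text):
    """Split raw-format text into one {field: first value token} dict per record."""
    records = []
    for line in text.splitlines():
        if line.strip() == "Flow Record:":
            records.append({})
            continue
        m = FIELD.match(line)
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    return records

def effective_start(rec, tz=LOCAL_TZ):
    """Return (start_time, trusted); zero first/last falls back to receive time."""
    if int(rec["first"]) and int(rec["last"]):
        return datetime.fromtimestamp(int(rec["first"]), tz), True
    ms = int(rec["received at"])  # collector receive time, in milliseconds
    t = datetime.fromtimestamp(ms // 1000, tz) + timedelta(milliseconds=ms % 1000)
    return t, False

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        t, ok = effective_start(r)
        print(r["src addr"], t.isoformat(), "ok" if ok else "EPOCH-ZERO")
```

The fallback time is when the collector received the record, not when the flow started, so treat it as an upper bound when correlating with other logs.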