I have a problem with the "Date first seen" column in the result generated by nfdump. I have enabled NetFlow on an ESXi 5.5 to send NetFlow data to a NetFlow server. Up to now everything is OK and I can capture NetFlow data with nfcapd with the following command: nfcapd -D -z -u netflow -p 9996 -n Esxi,192.168.20.54,/data/nfdump -S2 -e but the problem is that when I filter the traffic with nfdump (e.g. with nfdump -R nfdump5/2016/ -c 10) I see "1970-01-01 03:30:00.000" in the "Date first seen" column for all entries!!! What should I do to get the right timestamps? Any help is appreciated.

Sinai

1 Answer


The NetFlow header has a timestamp for the whole datagram; most likely, their export is using the "first seen" field as an offset from that. It's possible nfdump isn't correctly interpreting that field; I'd recommend having a look at the capture in Wireshark, which I've found to be pretty reliable in decoding NetFlow. That will also let you examine the flow records directly to see if the timestamps are really coming across that small, or are just being misinterpreted. Just remember that if you're capturing NetFlow v9 or IPFIX, you'll need to make sure that your capture includes a template datagram.

If the ESXi's NetFlow isn't exporting timestamps correctly, you can also look into monitoring using a small virtual machine running a software flow exporter (there are a number of free ones available - just Google "free flow exporter") with an interface in promiscuous mode.

John Murphy
  • Thanks dear @John Murphy. Excuse me for the latency in reply. Honestly, I have two ESXis. I am capturing NetFlow with nfcapd from both of them through different ports. When I filter data, one of them shows the timestamps correctly but the other one shows "1970-01-01 03:30:00.000" as the timestamp!! So I think it's not a matter of nfdump. I think something is wrong with the ESXi configuration. So, is it necessary to install and check with a free flow exporter? – Sinai Jul 09 '16 at 06:37
  • I think you're right that there's something wrong with the config, so you probably don't need a software flow exporter (unless you don't want to spend the time debugging the ESXi). If I were in your shoes, I'd compare the two ESXi configs side-by-side, looking for differences. – John Murphy Jul 10 '16 at 15:53
  • I don't recall whether ESXi lets you specify "match" and "collect" fields, but that's where I would look first. Often the individual records will be "milliseconds since uptime" or "milliseconds since datagram timestamp", and if there isn't an uptime or datagram timestamp given, you'll get timestamps that look like you described (interpreted as "270 minutes since the UNIX epoch" instead of "270 minutes since device reboot"). – John Murphy Jul 10 '16 at 15:56
  • Thank you @John. I think it is about the version of ESXi. I analyzed the captured NetFlow from 4 ESXi servers and the ones which are 5.5 send the timestamps right, but the ones which are version 5.1 send the timestamps wrong!! Now I am dealing with a new issue. I don't know whether there is a patch to add to version 5.1 or I have to upgrade them to 5.5! – Sinai Jul 16 '16 at 11:58
  • I'm not sure, but it's worth looking for a patch. Here's another thing to try before upgrading: if you're currently sending NetFlow v9, try sending NetFlow v5 instead. That's a more stable format, and most implementations have fewer problems. The big downside is that it doesn't report IPv6 traffic. – John Murphy Jul 17 '16 at 13:04
  • I think it is impossible to select the version of NetFlow in ESXi!! Do you have any idea how I can do that? Thanks. – Sinai Jul 18 '16 at 11:23
  • I think you're right -- I found the documentation here, but there's no mention of NetFlow type. https://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.networking.doc/GUID-E19FECAD-8629-4E8A-B61C-1F1C16770B3B.html – John Murphy Jul 18 '16 at 12:58
  • I think it would be worth looking into an upgrade, since you know 5.5 works. – John Murphy Jul 18 '16 at 12:58
  • Thank you @John. Yeah, I think that's the only way but a little bit risky one, because we have a lot of VMs on our ESXi and an upgrade will not always go as you expect :D. But we have no other choice. – Sinai Jul 19 '16 at 03:49
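The uptime-offset mechanism John describes in the comments, as an added example that is not part of the thread: a small NetFlow v5 decoder that anchors each record's First/Last field to the header's sysUptime and unix_secs, beside the naive reading that yields 1970-01-01 timestamps when the header anchor is missing or ignored. NetFlow v5 is used because its fixed layout needs no template; the datagram bytes, addresses and times are constructed for the example.

```python
"""Decode a NetFlow v5 datagram and show why an unanchored First/Last
field collapses to the UNIX epoch. All bytes below are constructed."""
import struct
from datetime import datetime, timezone

HEADER_FMT = "!HHIIIIBBH"                 # 24-byte v5 header
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # 48-byte v5 flow record


def parse_v5(datagram: bytes) -> dict:
    """Return header anchors plus the raw First/Last offsets of each record."""
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs,
     _seq, _etype, _eid, _sampling) = struct.unpack(HEADER_FMT, datagram[:24])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    records = []
    for i in range(count):
        off = 24 + i * 48
        f = struct.unpack(RECORD_FMT, datagram[off:off + 48])
        records.append({"first_ms": f[7], "last_ms": f[8]})   # sysUptime offsets
    return {"sys_uptime_ms": sys_uptime_ms, "unix_secs": unix_secs,
            "unix_nsecs": unix_nsecs, "records": records}


def absolute_first_seen(hdr: dict, rec: dict) -> datetime:
    """Correct reading: First is ms since device boot, so subtract the distance
    to the export instant (sysUptime) from the header's wall-clock time."""
    export_ms = hdr["unix_secs"] * 1000 + hdr["unix_nsecs"] // 1_000_000
    first_ms = export_ms - (hdr["sys_uptime_ms"] - rec["first_ms"])
    return datetime.fromtimestamp(first_ms / 1000, tz=timezone.utc)


def naive_first_seen(rec: dict) -> datetime:
    """Wrong reading: treat First as ms since the epoch. Without an anchor this
    is 1970-01-01 plus the device uptime, which is what the question shows."""
    return datetime.fromtimestamp(rec["first_ms"] / 1000, tz=timezone.utc)


def is_epoch_anchored(ts: datetime) -> bool:
    """Sanity check a collector can run on decoded flows: anything dated before
    NetFlow existed is an offset that was never anchored, not a real time."""
    return ts.year < 1996


def build_sample() -> bytes:
    """Constructed datagram: exported 2016-07-09 06:37:00 UTC, 600 s after boot,
    carrying one TCP flow that started 90 s and ended 120 s after boot."""
    header = struct.pack(HEADER_FMT, 5, 1, 600_000, 1468046220, 0, 1, 0, 0, 0)
    record = struct.pack(RECORD_FMT, bytes([192, 168, 20, 54]), bytes([10, 0, 0, 1]),
                         bytes(4), 1, 2, 10, 1500, 90_000, 120_000, 443, 51000,
                         0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```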