I setup NetFlow on my vSphere 5.1 vDS but i have not been seeing anything in my Netflow Collectors which are the Splunk for NetFlow app and NFSEN/NFDUMP. I was just reading that with 5.1 it uses NetFlow version 10? is there a way to force it to use version 5 or 9? Most NetFlow collectors do not support version 10 so i find this rather strange and useless. If this is the case then my plans to gather NetFlow from my environment with the vDS internal traffic only option will not work.
I believe you're stuck with IPFIX (NetFlow v10) with VDS 5.1
The 5.0 used NetFlow version 5.
So if I just remove the 5.1 vDS then create a new 5.0.0 vDS and use that then I should be all set?
Correct: vDS v5 supports NetFlow and vDS v5.1 supports IPFIX.
I removed the 5.1.0 vDS from vCenter and then created a new 5.0.0 one. Now it still seems to be exporting IPFIX and not version 5 since my collectors are not picking it up. My NFSEN/NFDUMP collector is getting the NetFlow but the timestamps and other fields are all wrong. Maybe the NetFlow VMware is using is not formatted correctly? Either that or when you have an ESXi 5.1 host it will still use IPFIX with vDS version 5.0.0?
I caught your post since I'll soon be in a similar situation but I don't have an answer for you. I would recommend joining the nfdump mailing list, it's really low/focused traffic.
This is a BUG in vDS v5.1. The VMware vDS sets sysuptime to StartTime/EndTime field instead the absolute time.
And more, it sets StartTime/EndTime to the "flowStartSeconds/flowEndSeconds" field in seconds while nfcapd tries to read the flowStartMilliseconds/flowEndMilliseconds field as StartTime/EndTime. There's no happy medium. ;-(
In ESXi v5.5, VMware fixed these bugs. It reports flowStart(End)TimeMilliseconds which nfdump naturally able to accept.