VMware Cloud Community
markvm2
Enthusiast

Does vDS 5.1 only use NetFlow version 10? Need version 5/9

I set up NetFlow on my vSphere 5.1 vDS but I have not been seeing anything in my NetFlow collectors, which are the Splunk for NetFlow app and NFSEN/NFDUMP. I was just reading that with 5.1 it uses NetFlow version 10? Is there a way to force it to use version 5 or 9? Most NetFlow collectors do not support version 10 so I find this rather strange and useless. If this is the case then my plans to gather NetFlow from my environment with the vDS internal traffic only option will not work.

7 Replies
chriswahl
Virtuoso

I believe you're stuck with IPFIX (NetFlow v10) with VDS 5.1

The 5.0 used NetFlow version 5.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
markvm2
Enthusiast

So if I just remove the 5.1 vDS then create a new 5.0.0 vDS and use that then I should be all set?

jakewilson
Contributor

Correct: vDS v5 supports NetFlow and vDS v5.1 supports IPFIX.

markvm2
Enthusiast

I removed the 5.1.0 vDS from vCenter and then created a new 5.0.0 one. Now it still seems to be exporting IPFIX and not version 5 since my collectors are not picking it up. My NFSEN/NFDUMP collector is getting the NetFlow but the timestamps and other fields are all wrong. Maybe the NetFlow VMware is using is not formatted correctly? Either that or when you have an ESXi 5.1 host it will still use IPFIX with vDS version 5.0.0?

kattrap
Contributor

I caught your post since I'll soon be in a similar situation, but I don't have an answer for you. I would recommend joining the nfdump mailing list; it's really low/focused traffic.

https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

shiouchi
Contributor

This is a BUG in vDS v5.1. The VMware vDS sets sysuptime to the StartTime/EndTime field instead of the absolute time.

What's more, it sets StartTime/EndTime to the "flowStartSeconds/flowEndSeconds" field in seconds, while nfcapd tries to read the flowStartMilliseconds/flowEndMilliseconds field as StartTime/EndTime. There's no happy medium. ;-(

shiouchi
Contributor

In ESXi v5.5, VMware fixed these bugs. It reports flowStart(End)TimeMilliseconds, which nfdump is naturally able to accept.

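The export version and the timestamp fields discussed in this thread can both be read from a captured export datagram. The following is an added example, not code from any poster, VMware or nfdump: it reads the version word and lists which timestamp information elements an IPFIX template declares. Function names and the sample datagram are constructed for illustration; the element IDs are the IANA IPFIX ones.

```python
import struct

# IANA IPFIX information element IDs for the timestamp fields named in the thread.
TIME_IES = {21: "flowEndSysUpTime", 22: "flowStartSysUpTime",
            150: "flowStartSeconds", 151: "flowEndSeconds",
            152: "flowStartMilliseconds", 153: "flowEndMilliseconds"}

def export_version(datagram: bytes) -> int:
    """NetFlow v5, v9 and IPFIX (10) all start with a 16-bit version word."""
    if len(datagram) < 2:
        raise ValueError("datagram too short")
    return struct.unpack("!H", datagram[:2])[0]

def ipfix_time_fields(datagram: bytes) -> dict:
    """Map template ID -> timestamp IE names declared in template sets (set ID 2)."""
    if export_version(datagram) != 10 or len(datagram) < 16:
        raise ValueError("not an IPFIX message")
    end = min(struct.unpack("!H", datagram[2:4])[0], len(datagram))
    found, pos = {}, 16                       # sets follow the 16-byte header
    while pos + 4 <= end:
        set_id, set_len = struct.unpack("!HH", datagram[pos:pos + 4])
        if set_len < 4:                       # malformed set: stop, do not loop
            break
        set_end, rec = min(pos + set_len, end), pos + 4
        while set_id == 2 and rec + 4 <= set_end:
            tmpl_id, count = struct.unpack("!HH", datagram[rec:rec + 4])
            if tmpl_id < 256:                 # padding, not a template record
                break
            rec, names = rec + 4, []
            for _ in range(count):
                if rec + 4 > set_end:         # truncated field list
                    break
                ie, _length = struct.unpack("!HH", datagram[rec:rec + 4])
                rec += 4
                if ie & 0x8000:               # enterprise IE: skip 4-byte PEN
                    rec += 4
                elif ie in TIME_IES:
                    names.append(TIME_IES[ie])
            found[tmpl_id] = names
        pos += set_len
    return found

def constructed_sample() -> bytes:
    """Constructed IPFIX message: one template (ID 256) with seconds timestamps."""
    fields = [(8, 4), (12, 4), (150, 4), (151, 4)]   # src/dst IPv4, start/end secs
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    tset = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 0) + tset
```

A template that lists only `flowStartSeconds`/`flowEndSeconds` is the case the thread describes nfcapd mishandling, since it looks for the millisecond elements.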