I captured some NetFlow generated from vDS 5.1. It uses the v10 protocol. When I use Wireshark to check the data flow sets, I found all the values for "StartTime" and "EndTime" are in 1970. According to the spec, they should be the absolute time.
This is an example showing the dissection result:
The hex value for StartTime is 0x00012fd1 (the packet was captured today, Dec. 13, 2012).
FlowSet Id: (Data) (256)
FlowSet Length: 56
SrcAddr: 10.8.1.16 (10.8.1.16)
DstAddr: 10.8.255.255 (10.8.255.255)
Enterprise Private entry: ((null)) Type 888: Value (hex bytes): 00 00 00 00
[Duration: 0.000000000 seconds]
StartTime: Jan 1, 1970 13:36:17.000000000 Pacific Standard Time
EndTime: Jan 1, 1970 13:36:17.000000000 Pacific Standard Time
Flow End Reason: Idle timeout (1)
Padding (2 bytes)
How do we know the actual time the data set was generated?
Unfortunately, we cannot get the actual time. What is set in the StartTime/EndTime is the System Uptime.
In NetFlow v9 or earlier, there are a "System Uptime" field and a "UNIX Seconds" field in the header of a NetFlow record, so you can calculate the actual StartTime/EndTime from a sysUptime-relative StartTime/EndTime. But the v10 header has no such field.
The StartTime/EndTime must indeed contain the absolute time; VMware made a mistake and it is still there.