IPFIX flows

Joel Bergstein jbergstein at riscnetworks.com
Wed Sep 11 10:08:43 EDT 2013 

Carter,

Thanks for your reply.  I’m fairly frustrated with VMware on this as they had support for v5 and v9 in 5.0 but removed it in 5.1 and will only output IPFIX now.

Unfortunately we really want to see the intra-host traffic, so we’re either looking at flow exports or port mirroring.  We are submitting a ticket with VMware regarding this issue as support for IPFIX is so limited.  I’m certain we’re not the only ones running into this.

Thanks,
Joel


From: Carter Bullard [mailto:carter at qosient.com]
Sent: Wednesday, September 11, 2013 9:55 AM
To: Joel Bergstein
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] IPFIX flows

Hey Joel,
Sorry Vmware messed you up.  You can run argus in those VMs or against the hypervisor, or below in the native OS, and get past that ????

If it was a simple mod to our Netflow V9 support then I would say sure, but with even the simplest things changing in IPFIX at what sems to be on a monthly basis, I believe it would be a huge drag on our  limited Argus resources.  Just as an example, they have full RFCs for just dealing with two additional experimental TCP control bits, and the change, for them, is non-trivial, which makesnit non-trivial for everybody.

But if we get some more demand, or money, then sure.... But if someone wants to take a shot at it, the Netflow V9 code would be a good start !!!

Carter

On Sep 10, 2013, at 4:46 PM, Joel Bergstein <jbergstein at riscnetworks.com<mailto:jbergstein at riscnetworks.com>> wrote:
All,

I have been looking at collecting netflow data from vSphere.  I’ve found that starting with 5.1, VMware no longer supports netflow v5 and will only send IPFIX packets.

The argus site requests an email from those interested in IPFIX data, thus this email.

Has there been much expressed interest in IPFIX?  What is the likelihood of this development moving forward?

Thanks,
Joel Bergstein

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130911/b779e74c/attachment.html>

More information about the argus mailing list