IPFIX flows

Joel Bergstein jbergstein at riscnetworks.com
Tue Feb 18 10:35:28 EST 2014


Carter,

For the present we deploy a collection VM on each vSwitch and configure the vSwitch to allow promiscuity.  While this solution is not ideal in situations where inter-VM security is a concern, it does get the job done.  We then use racluster to aggregate as required.

We have not heard anything from VMware on reintroducing v5 or v9 support.  I have found (using nfdump) that they have a timestamp bug in their IPFIX implementation that makes that data useless to me even if we are able to collect it.

Thanks,
Joel

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, February 18, 2014 10:27 AM
To: Joel Bergstein
Cc: Argus
Subject: Re: [ARGUS] IPFIX flows

Hey Joel,
Did you ever find a solution for this problem ???
Carter

On Sep 11, 2013, at 10:08 AM, Joel Bergstein <jbergstein at riscnetworks.com> wrote:


Carter,

Thanks for your reply.  I'm fairly frustrated with VMware on this as they had support for v5 and v9 in 5.0 but removed it in 5.1 and will only output IPFIX now.

Unfortunately we really want to see the intra-host traffic, so we're either looking at flow exports or port mirroring.  We are submitting a ticket with VMware regarding this issue as support for IPFIX is so limited.  I'm certain we're not the only ones running into this.

Thanks,
Joel


From: Carter Bullard [mailto:carter at qosient.com]
Sent: Wednesday, September 11, 2013 9:55 AM
To: Joel Bergstein
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] IPFIX flows

Hey Joel,
Sorry VMware messed you up.  You can run argus in those VMs or against the hypervisor, or below in the native OS, and get past that ????

If it was a simple mod to our Netflow V9 support then I would say sure, but with even the simplest things changing in IPFIX at what seems to be on a monthly basis, I believe it would be a huge drag on our limited Argus resources.  Just as an example, they have full RFCs for just dealing with two additional experimental TCP control bits, and the change, for them, is non-trivial, which makes it non-trivial for everybody.

But if we get some more demand, or money, then sure.... But if someone wants to take a shot at it, the Netflow V9 code would be a good start !!!

Carter

On Sep 10, 2013, at 4:46 PM, Joel Bergstein <jbergstein at riscnetworks.com> wrote:
All,

I have been looking at collecting netflow data from vSphere.  I've found that starting with 5.1, VMware no longer supports netflow v5 and will only send IPFIX packets.

The argus site requests an email from those interested in IPFIX data, thus this email.

Has there been much expressed interest in IPFIX?  What is the likelihood of this development moving forward?

Thanks,
Joel Bergstein

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



