Closed natemccallum closed 3 years ago
I confirmed this behavior on wireshark 3.4.5. However, I assume it is a decoding bug in wireshark or any collector. NetFlow, except version 10 a.k.a. IPFIX, contains sysUpTime in its header. (Please check https://tools.ietf.org/html/rfc3954#section-5.1) IPFIX's header does not contain sysUpTime. (Please check https://tools.ietf.org/html/rfc7011#section-3.1)
softflowd uses FIRST_SWITCHED (flowStartSysUpTime) and LAST_SWITCHED (flowEndSysUpTime), which are relative timestamps since sysUpTime. (Please check https://www.iana.org/assignments/ipfix/ipfix.xhtml) softflowd sends an Option Template which contains systemInitTimeMilliseconds to calculate absolute time using the combination of flowStartSysUpTime/flowEndSysUpTime and systemInitTimeMilliseconds. However, wireshark does not calculate absolute time from the combination of flowStartSysUpTime/flowEndSysUpTime and systemInitTimeMilliseconds.
You can use the -A option as a workaround. softflowd with the -A option sends absolute time.
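The calculation described in the comment above, written out as an added example (this is not softflowd's or wireshark's code). It assumes the collector has already decoded the IPFIX data record and the option data record into dicts keyed by IANA information element number (21 = flowEndSysUpTime, 22 = flowStartSysUpTime, 160 = systemInitTimeMilliseconds); the sample record values are constructed. The optional wrap correction using the IPFIX message header's export time is my own addition: a 32-bit millisecond counter wraps every ~49.7 days, so on a long-running exporter the relative value alone is ambiguous.

```python
"""Turn softflowd's relative IPFIX timestamps into absolute epoch time.

absolute_ms = systemInitTimeMilliseconds + flow{Start,End}SysUpTime
"""
from datetime import datetime, timezone

# IANA IPFIX information element IDs
# (https://www.iana.org/assignments/ipfix/ipfix.xhtml)
IE_FLOW_END_SYSUPTIME = 21      # flowEndSysUpTime, unsigned32, milliseconds
IE_FLOW_START_SYSUPTIME = 22    # flowStartSysUpTime, unsigned32, milliseconds
IE_SYSTEM_INIT_TIME_MS = 160    # systemInitTimeMilliseconds, unsigned64, ms since epoch

UINT32_WRAP_MS = 1 << 32        # a 32-bit ms counter wraps after ~49.7 days


def sysuptime_to_epoch_ms(rel_ms, system_init_ms, export_time_s=None):
    """Convert a *SysUpTime value (ms since exporter boot) to epoch ms.

    rel_ms         -- flowStartSysUpTime or flowEndSysUpTime (unsigned32)
    system_init_ms -- systemInitTimeMilliseconds from the option data record
    export_time_s  -- optional Export Time (seconds) from the IPFIX message
                      header, used only to resolve 32-bit counter wraps
                      (assumption: the exporter's clock is roughly sane)
    """
    if not 0 <= rel_ms < UINT32_WRAP_MS:
        raise ValueError("SysUpTime values are unsigned32 milliseconds")
    abs_ms = system_init_ms + rel_ms
    if export_time_s is not None:
        export_ms = export_time_s * 1000
        # Number of full counter wraps that brings abs_ms closest to the
        # time the message was exported. Never subtract: a small negative
        # difference is just clock skew or buffering, not a wrap.
        wraps = round((export_ms - abs_ms) / UINT32_WRAP_MS)
        if wraps > 0:
            abs_ms += wraps * UINT32_WRAP_MS
    return abs_ms


def flow_absolute_times(data_record, option_record, export_time_s=None):
    """Return (start_epoch_ms, end_epoch_ms) for one decoded data record."""
    init_ms = option_record[IE_SYSTEM_INIT_TIME_MS]
    start = sysuptime_to_epoch_ms(
        data_record[IE_FLOW_START_SYSUPTIME], init_ms, export_time_s)
    end = sysuptime_to_epoch_ms(
        data_record[IE_FLOW_END_SYSUPTIME], init_ms, export_time_s)
    return start, end


def epoch_ms_to_iso(epoch_ms):
    """Render epoch milliseconds as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).isoformat()


# Constructed sample: exporter booted at 2020-09-13T12:26:40Z, flow seen
# 5.0 s to 12.5 s after boot.
SAMPLE_OPTION_RECORD = {IE_SYSTEM_INIT_TIME_MS: 1_600_000_000_000}
SAMPLE_DATA_RECORD = {
    IE_FLOW_START_SYSUPTIME: 5_000,
    IE_FLOW_END_SYSUPTIME: 12_500,
}

if __name__ == "__main__":
    start, end = flow_absolute_times(SAMPLE_DATA_RECORD, SAMPLE_OPTION_RECORD)
    print("flow start:", epoch_ms_to_iso(start))
    print("flow end:  ", epoch_ms_to_iso(end))
    print("duration:  ", (end - start) / 1000, "s")
```

Without the option record there is nothing to add the relative values to, which is why a collector that ignores systemInitTimeMilliseconds can only show a duration.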
Thank you @irino. The -A worked like a charm
When running in IPFIX mode I see a duration for first and last switched. I'm curious what the appropriate way to get a timestamp out of that is?
My command is:
softflowd -i ens5 -n 10.181.43.199:2055 -L 3 -m 8192 -v 10 -P udp