As we all know, vRNI works on the flow data it receives from the data sources we add.

What is flow/NetFlow/IPFIX?
The IPFIX (IP Flow Information Export) standard defines how IP flow information is to be formatted and transferred from an exporter (Datasources) to a collector (vRNI Collector/Proxy VM). IPFIX considers a flow to be any number of packets observed in a specific timeslot and sharing a number of properties like ‘same source, same destination, same protocol’.
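To make the format concrete, the following added example (not from the original post and not vRNI code) parses the template sets of one IPFIX message as laid out in RFC 7011 and shows how a vendor-specific field is marked with the enterprise bit. The sample message is constructed, and the vendor element ID 1 and enterprise number 99999 are placeholders, not values used by any real exporter.

```python
import struct

IPFIX_VERSION = 10     # version field of the 16-byte message header (RFC 7011)
TEMPLATE_SET_ID = 2    # sets with ID 2 carry template records

def parse_template_set(body):
    """Decode template records: {template_id: [(element_id, length, enterprise_no)]}."""
    templates, pos = {}, 0
    while pos + 4 <= len(body):              # fewer than 4 bytes left is padding
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos += 4
            pen = None
            if ie & 0x8000:                  # enterprise bit set: 4-byte enterprise number follows
                (pen,) = struct.unpack_from("!I", body, pos)
                pos += 4
            fields.append((ie & 0x7FFF, flen, pen))
        templates[tid] = fields
    return templates

def parse_ipfix_templates(msg):
    """Walk every set in one IPFIX message and collect the templates it defines."""
    if len(msg) < 16:
        raise ValueError("shorter than the IPFIX message header")
    version, length, _export_time, _seq, _domain = struct.unpack_from("!HHIII", msg)
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, pos = {}, 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("set length runs past the message")
        if set_id == TEMPLATE_SET_ID:
            templates.update(parse_template_set(msg[pos + 4:pos + set_len]))
        pos += set_len
    return templates

def build_sample():
    """Constructed message: template 256 is a plain 5-tuple, 257 adds one vendor field."""
    # IANA elements: 8/12 = source/destination IPv4, 7/11 = source/destination port, 4 = protocol
    std = b"".join(struct.pack("!HH", ie, n) for ie, n in [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)])
    vendor = struct.pack("!HHI", 0x8000 | 1, 4, 99999)   # placeholder element ID and enterprise number
    body = struct.pack("!HH", 256, 5) + std + struct.pack("!HH", 257, 6) + std + vendor
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(tset), 0, 0, 1) + tset
```

Calling parse_ipfix_templates(build_sample()) returns two templates; only template 257 ends with a field whose enterprise number is not None.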

Flow information reaching the vRNI Proxy comes from one of two sources:

  1. NSX IPFIX
  2. VDS IPFIX

By looking at the flow data, we can tell whether the data coming from an ESXi host is due to NSX IPFIX or VDS IPFIX.
To do this, follow the steps below:

  1. Open a PuTTY session to the vRNI Proxy VM using the support user credentials
  2. Type ub and press Enter (you should now be in the /home/ubuntu directory)
  3. Type cd /var/flows/vds/nfcapd and press Enter
  4. Type ~/build-target/nfdump/nfdump -N -q -r <nfcapd_file> and press Enter
Screenshot from my Lab Setup. To view the enlarged image, visit https://ibb.co/Gpcysm9

 

Points to note 

  • You may wonder why the timestamps are from the years 1970 and 2019. This can be ignored, as these timestamps are not used in data processing.
  • In the screenshot, towards the bottom, data is coming from the Hosts due to VDS IPFIX
  • In the screenshot, towards the right side, the highlighted field (1001 in the screenshot) is Firewall Rule ID.

Based on the above points we can confirm that we are getting flow data from Hosts, due to NSX IPFIX as well as VDS IPFIX.