Using softflowd with nfdump on Ubuntu. All TCP flows are off by about 4294717.379 seconds. This is suspiciously similar to the size of an unsigned integer in milliseconds. Several Google hits show people reporting this to the nfdump mailing lists and elsewhere; discussion there indicated that it wasn't an nfdump problem.
Turns out that this is because softflowd is still mixing up the first_switched and last_switched fields in NetFlow 9 output. These have been corrected in the header, but the struct which they are actually written to is wrong. Patch attached. Confirmation of this bug can be obtained by examining a softflowd packet using Wireshark's "CFLOW" decoder. If the packet includes the template then Wireshark will show that the last_switched field is greater than the first_switched field. After applying the submitted patch, the fields are in the correct order.
Created attachment 1845 [details] Fixes bug by switching the order of first and last switched fields in the NF9_SOFTFLOWD_DATA_COMMON struct
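To reproduce the symptom described above (a collector reading the two timestamps in swapped order computes a flow duration of roughly 2^32 ms minus the real duration, i.e. the ~4294717 s offset in the report), here is an added Python example; it is not softflowd's, nfdump's, or the submitted patch's code. It builds a constructed NetFlow v9 export with a template flowset and two data records, one in the correct order and one with first_switched/last_switched swapped, decodes it with a minimal template-driven parser, and flags records whose last_switched precedes first_switched. The template field order and all sample values are assumptions.

```python
import struct
NF9_FIELDS = {8: "src_ip", 12: "dst_ip", 22: "first_switched", 21: "last_switched", 2: "in_pkts"}  # RFC 3954 ids
TEMPLATE = [(8, 4), (12, 4), (22, 4), (21, 4), (2, 4)]  # assumed (type, len) order; real exports carry more fields

def build_v9_packet(sys_uptime_ms, unix_secs, template, records):
    """Constructed NetFlow v9 export: header, one template flowset (id 256), one data flowset."""
    hdr = struct.pack("!HHIIII", 9, 1 + len(records), sys_uptime_ms, unix_secs, 0, 0)
    tbody = struct.pack("!HH", 256, len(template)) + b"".join(struct.pack("!HH", *f) for f in template)
    dbody = b"".join(struct.pack("!I", v) for rec in records for v in rec)
    return (hdr + struct.pack("!HH", 0, 4 + len(tbody)) + tbody
            + struct.pack("!HH", 256, 4 + len(dbody)) + dbody)

def parse_v9(packet):
    """Minimal template-driven decoder: returns (sysUptime ms, unix secs, list of flow dicts)."""
    _, _, uptime, unix_secs, _, _ = struct.unpack("!HHIIII", packet[:20])
    templates, flows, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            break  # malformed flowset length, stop rather than loop forever
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: remember (type, length) pairs per template id
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4]); p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4*i:p + 4*i + 4]) for i in range(n)]; p += 4 * n
        elif fs_id in templates:  # data flowset: walk fixed-size records, ignore trailing padding
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            for p in range(0, len(body) - rec_len + 1, rec_len):
                rec, q = {}, p
                for ftype, flen in fields:
                    rec[NF9_FIELDS.get(ftype, ftype)] = int.from_bytes(body[q:q + flen], "big")
                    q += flen
                flows.append(rec)
        off += fs_len
    return uptime, unix_secs, flows

def check_flow_times(uptime_ms, unix_secs, flow):
    """Absolute start/end from uptime-relative stamps; an unsigned 32-bit duration wraps to ~2^32 ms when swapped."""
    start = unix_secs - (uptime_ms - flow["first_switched"]) / 1000.0
    end = unix_secs - (uptime_ms - flow["last_switched"]) / 1000.0
    duration_ms = (flow["last_switched"] - flow["first_switched"]) & 0xFFFFFFFF
    return {"start": start, "end": end, "duration_s": duration_ms / 1000.0,
            "suspect": flow["last_switched"] < flow["first_switched"]}
if __name__ == "__main__":  # one correct record, one with first/last swapped as in the bug (constructed values)
    up, secs, flows = parse_v9(build_v9_packet(1_000_000, 1_300_000_000, TEMPLATE,
        [(0x0A000001, 0x0A000002, 740_000, 990_000, 5), (0x0A000001, 0x0A000002, 990_000, 740_000, 5)]))
    print([check_flow_times(up, secs, f) for f in flows])
```

The swapped record reports a duration of about 4294717 s, the same magnitude as the offset in the report, while the correct one reports 250 s.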
Nice work - thanks. I have applied the patch and it will be in softflowd-0.9.9.
Using the latest build from http://www.mindrot.org/softflowd_snap/ (with the bugfix applied) on Ubuntu with nfcapd (1.6.1), and still getting bad timestamps with -v 5 and completely wrong results (wrong/no IP, wrong/no port, ...) with -v 9.
I think nfdump on Ubuntu is broken. It seems to decode the first flow in a softflowd NetFlow 9 export packet correctly (and has correct timers), but subsequent ones are corrupt. It is probably failing to calculate an increment length correctly when skipping to the end of a flow. nfdump seems to decode v5 flows correctly in all cases and has correct timestamps. Wireshark decodes the flows correctly and gives correct times for both v5 and v9 flows.
Move resolved bugs to CLOSED after 5.7 release