NetFlow

From DocWiki

(Difference between revisions)
Jump to: navigation, search
(NAM Module)
(NetFlow Child Pages)
(33 intermediate revisions not shown)
Line 1: Line 1:
-
<br>
+
<meta name="keywords" content="AVC, Application Visibility and Control, NetFlow" />  
-
<br>
+
 
 +
<br> <br>  
{| border="1" class="wikitable"
{| border="1" class="wikitable"
Line 7: Line 8:
|-
|-
| Welcome to '''NetFlow DocWiki'''.  
| Welcome to '''NetFlow DocWiki'''.  
-
Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
+
Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology. <br> NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based, planning, monitoring and billing.  
-
<br>
+
-
NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based, planning, monitoring and billing.
+
-
|}
+
-
<br>
 
-
<br>
 
-
 
-
 
-
!!!!!!!!! DRAFT !!!!!!!!!!!!
 
-
 
-
<br>
 
-
<br>
 
-
 
-
__TOC__
 
-
 
-
<br>
 
-
<br>
 
-
 
-
 
-
= NetFlow DocWiki Navigation =
 
-
 
-
*[http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html  NetFlow Version 9 Flow-Record Format]
 
-
*[[NetFlow:PfR | Performance Routing NetFlow]]
 
-
 
-
<br>
 
-
<br>
 
-
 
-
= Summary =
 
-
 
-
* IDs <128 : specific to Cisco and NetFlow v9
 
-
* IDs Range 128 - 32767 : allocated by IANA for IPFIX, in NetFlow v9 for parity
 
-
* IDs > 32768 : IPFIX Enterprise Specific
 
-
 
-
<br>
 
-
<br>
 
-
 
-
= Fields 1-128 (Specific to Cisco) =
 
-
 
-
<br>
 
-
<br>
 
-
 
-
{| border="1" cellpadding="1" cellspacing="1"
 
-
|-
 
-
! scope="col" bgcolor="#FFE0C8" | Field Type
 
-
! scope="col" bgcolor="#FFE0C8" | Value
 
-
! scope="col" bgcolor="#FFE0C8" | Len (bytes)
 
-
! scope="col" bgcolor="#FFE0C8" | Description
 
-
|-
 
-
| IN_BYTES
 
-
| 1
 
-
| N (default is 8)
 
-
| Incoming counter with length N x 8 bits for number of bytes associated with an IP  Flow.
 
-
|-
 
-
| IN_PKTS
 
-
| 2
 
-
| N (default is 8)
 
-
| Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow
 
-
|-
 
-
| FLOWS
 
-
| 3
 
-
| N
 
-
| Number of flows that were aggregated; default for N is 4
 
-
|-
 
-
| PROTOCOL
 
-
| 4
 
-
| 1
 
-
| IP protocol byte
 
-
|-
 
-
| SRC_TOS
 
-
| 5
 
-
| 1
 
-
| Type of Service byte setting when entering incoming interface
 
-
|-
 
-
| TCP_FLAGS
 
-
| 6
 
-
| 1
 
-
| Cumulative of all the TCP flags seen for this flow
 
-
|-
 
-
| L4_SRC_PORT
 
-
| 7
 
-
| 2
 
-
| TCP/UDP source port number e.g. FTP, Telnet, or equivalent
 
-
|-
 
-
| IPV4_SRC_ADDR
 
-
| 8
 
-
| 4
 
-
| IPv4 source address
 
-
|-
 
-
| SRC_MASK
 
-
| 9
 
-
| 1
 
-
| The number of contiguous bits in the source address subnet mask i.e. the submask in slash notation
 
-
|-
 
-
| INPUT_SNMP
 
-
| 10
 
-
| N
 
-
| Input interface index; default for N is 4 but higher values could be used
 
-
|-
 
-
| L4_DST_PORT
 
-
| 11
 
-
| 2
 
-
| TCP/UDP destination port number e.g. FTP, Telnet, or equivalent
 
-
|-
 
-
| IPV4_DST_ADDR
 
-
| 12
 
-
| 4
 
-
| IPv4 destination address
 
-
|-
 
-
| DST_MASK
 
-
| 13
 
-
| 1
 
-
| The number of contiguous bits in the destination address subnet mask i.e. the submask in slash notation
 
-
|-
 
-
| OUTPUT_SNMP
 
-
| 14
 
-
| N
 
-
| Output interface index; default for N is 4 but higher values could be used
 
-
|-
 
-
| IPV4_NEXT_HOP
 
-
| 15
 
-
| 4
 
-
| IPv4 address of next-hop router
 
-
|-
 
-
| SRC_AS
 
-
| 16
 
-
| N (default is 2)
 
-
| Source BGP autonomous system number where N could be 2 or 4
 
-
|-
 
-
| DST_AS
 
-
| 17
 
-
| N (default is 2)
 
-
| Destination BGP autonomous system number where N could be 2 or 4
 
-
|-
 
-
| BGP_IPV4_NEXT_HOP
 
-
| 18
 
-
| 4
 
-
| Next-hop router's IP in the BGP domain
 
-
|-
 
-
| MUL_DST_PKTS
 
-
| 19
 
-
| N (default is 8)
 
-
| IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow
 
-
|-
 
-
| MUL_DST_BYTES
 
-
| 20
 
-
| N (default is 8)
 
-
| IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow
 
-
|-
 
-
| LAST_SWITCHED
 
-
| 21
 
-
| 4
 
-
| System uptime at which the last packet of this flow was switched
 
-
|-
 
-
| FIRST_SWITCHED
 
-
| 22
 
-
| 4
 
-
| System uptime at which the first packet of this flow was switched
 
-
|-
 
-
| OUT_BYTES
 
-
| 23
 
-
| N (default is 8)
 
-
| Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow
 
-
|-
 
-
| OUT_PKTS
 
-
| 24
 
-
| N (default is 8)
 
-
| Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow.
 
-
|-
 
-
| MIN_PKT_LNGTH
 
-
| 25
 
-
| 4
 
-
| Minimum IP packet length on incoming packets of the flow
 
-
|-
 
-
| MAX_PKT_LNGTH
 
-
| 26
 
-
| 4
 
-
| Maximum IP packet length on incoming packets of the flow
 
-
|-
 
-
| IPV6_SRC_ADDR
 
-
| 27
 
-
| 16
 
-
| IPv6 Source Address
 
-
|-
 
-
| IPV6_DST_ADDR
 
-
| 28
 
-
| 16
 
-
| IPv6 Destination Address
 
-
|-
 
-
| IPV6_SRC_MASK
 
-
| 29
 
-
| 1
 
-
| Length of the IPv6 source mask in contiguous bits
 
-
|-
 
-
| IPV6_DST_MASK
 
-
| 30
 
-
| 1
 
-
| Length of the IPv6 destination mask in contiguous bits
 
-
|-
 
-
| IPV6_FLOW_LABEL
 
-
| 31
 
-
| 4
 
-
| IPv6 flow label as per RFC 2460 definition
 
-
|-
 
-
| ICMP_TYPE_CODE
 
-
| 32
 
-
| 2
 
-
| Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code)
 
-
|-
 
-
| MUL_IGMP_TYPE
 
-
| 33
 
-
| 1
 
-
| Internet Group Management Protocol (IGMP) packet type
 
-
|-
 
-
| SAMPLING_INTERVAL
 
-
| 34
 
-
| 4
 
-
| When using sampled NetFlow, the rate at which packets are sampled e.g. a value of 100 indicates that one of every 100 packets is sampled
 
-
|-
 
-
| SAMPLING_ALGORITHM
 
-
| 35
 
-
| 1
 
-
| The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling ,0x02 Random Sampling
 
-
|-
 
-
| FLOW_ACTIVE_TIMEOUT
 
-
| 36
 
-
| 2
 
-
| Timeout value (in seconds) for active flow entries in the NetFlow cache
 
-
|-
 
-
| FLOW_INACTIVE_TIMEOUT
 
-
| 37
 
-
| 2
 
-
| Timeout value (in seconds) for inactive flow entries in the NetFlow cache
 
-
|-
 
-
| ENGINE_TYPE
 
-
| 38
 
-
| 1
 
-
| Type of flow switching engine: RP = 0, VIP/Linecard = 1
 
-
|-
 
-
| ENGINE_ID
 
-
| 39
 
-
| 1
 
-
| ID number of the flow switching engine
 
-
|-
 
-
| TOTAL_BYTES_EXP
 
-
| 40
 
-
| N (default is 8)
 
-
| Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain
 
-
|-
 
-
| TOTAL_PKTS_EXP
 
-
| 41
 
-
| N (default is 8)
 
-
| Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain
 
-
|-
 
-
| TOTAL_FLOWS_EXP
 
-
| 42
 
-
| N (default is 8)
 
-
| Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain
 
-
|-
 
-
| IPV4_ROUTER_SC
 
-
| 43
 
-
| 4
 
-
| The router shortcut address i.e. address of router bypassed by a switch (specific for Catalyst architecture)
 
-
|-
 
-
| IPV4_SRC_PREFIX
 
-
| 44
 
-
| 4
 
-
| IPv4 source address prefix (specific for Catalyst architecture)
 
-
|-
 
-
| IPV4_DST_PREFIX
 
-
| 45
 
-
| 4
 
-
| IPv4 destination address prefix  (specific for Catalyst architecture)
 
-
|-
 
-
| MPLS_TOP_LABEL_TYPE
 
-
| 46
 
-
| 1
 
-
| MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP
 
-
|-
 
-
| MPLS_TOP_LABEL_IP_ADDR
 
-
| 47
 
-
| 4
 
-
| Forwarding Equivalent Class corresponding to the MPLS Top Label
 
-
|-
 
-
| FLOW_SAMPLER_ID
 
-
| 48
 
-
| 1
 
-
| Identifier shown in "show flow-sampler"
 
-
|-
 
-
| FLOW_SAMPLER_MODE
 
-
| 49
 
-
| 1
 
-
| The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE
 
-
|-
 
-
| FLOW_SAMPLER_RANDOM_INTERVAL
 
-
| 50
 
-
| 4
 
-
| Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE
 
-
|-
 
-
| MIN_TTL
 
-
| 52
 
-
| 1
 
-
| Minimum TTL on incoming packets of the flow
 
-
|-
 
-
| MAX_TTL
 
-
| 53
 
-
| 1
 
-
| Maximum TTL on incoming packets of the flow
 
-
|-
 
-
| IPV4_IDENT
 
-
| 54
 
-
| 4
 
-
| The IPv4 identification field
 
-
|-
 
-
| DST_TOS
 
-
| 55
 
-
| 1
 
-
| Type of Service byte setting when exiting outgoing interface
 
-
|-
 
-
| IN_SRC_MAC
 
-
| 56
 
-
| 6
 
-
| Incoming source MAC address
 
-
|-
 
-
| OUT_DST_MAC
 
-
| 57
 
-
| 6
 
-
| Outgoing destination MAC address
 
-
|-
 
-
| SRC_VLAN
 
-
| 58
 
-
| 2
 
-
| Virtual LAN identifier associated with ingress interface
 
-
|-
 
-
| DST_VLAN
 
-
| 59
 
-
| 2
 
-
| Virtual LAN identifier associated with egress interface
 
-
|-
 
-
| IP_PROTOCOL_VERSION
 
-
| 60
 
-
| 1
 
-
| Internet Protocol Version Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed.
 
-
|-
 
-
| DIRECTION
 
-
| 61
 
-
| 1
 
-
| Flow direction: 0 - ingress flow, 1 - egress flow
 
-
|-
 
-
| IPV6_NEXT_HOP
 
-
| 62
 
-
| 16
 
-
| IPv6 address of the next-hop router
 
-
|-
 
-
| BPG_IPV6_NEXT_HOP
 
-
| 63
 
-
| 16
 
-
| Next-hop router in the BGP domain
 
-
|-
 
-
| IPV6_OPTION_HEADERS
 
-
| 64
 
-
| 4
 
-
| Bit-encoded field identifying IPv6 option headers found in the flow
 
-
|-
 
-
| MPLS_LABEL_1
 
-
| 70
 
-
| 3
 
-
| MPLS label at position 1 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_2
 
-
| 71
 
-
| 3
 
-
| MPLS label at position 2 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_3
 
-
| 72
 
-
| 3
 
-
| MPLS label at position 3 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_4
 
-
| 73
 
-
| 3
 
-
| MPLS label at position 4 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_5
 
-
| 74
 
-
| 3
 
-
| MPLS label at position 5 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_6
 
-
| 75
 
-
| 3
 
-
| MPLS label at position 6 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_7
 
-
| 76
 
-
| 3
 
-
| MPLS label at position 7 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_8
 
-
| 77
 
-
| 3
 
-
| MPLS label at position 8 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_9
 
-
| 78
 
-
| 3
 
-
| MPLS label at position 9 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_10
 
-
| 79
 
-
| 3
 
-
| MPLS label at position 10 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| IN_DST_MAC
 
-
| 80
 
-
| 6
 
-
| Incoming destination MAC address
 
-
|-
 
-
| OUT_SRC_MAC
 
-
| 81
 
-
| 6
 
-
| Outgoing source MAC address
 
-
|-
 
-
| IF_NAME
 
-
| 82
 
-
| N (default specified in template)
 
-
| Shortened interface name e.g. "FE1/0"
 
-
|-
 
-
| IF_DESC
 
-
| 83
 
-
| N (default specified in template)
 
-
| Full interface name e.g. "'FastEthernet 1/0"
 
-
|-
 
-
| SAMPLER_NAME
 
-
| 84
 
-
| N (default specified in template)
 
-
| Name of the flow sampler
 
-
|-
 
-
| IN_PERMANENT_BYTES
 
-
| 85
 
-
| N (default is 8)
 
-
| Running byte counter for a permanent flow
 
-
|-
 
-
| IN_PERMANENT_PKTS
 
-
| 86
 
-
| N (default is 8)
 
-
| Running packet counter for a permanent flow
 
-
|-
 
-
| FRAGMENT_OFFSET
 
-
| 88
 
-
| 2
 
-
| The fragment-offset value from fragmented IP packets
 
-
|-
 
-
| FORWARDING STATUS
 
-
| 89
 
-
| 1
 
-
| Forwarding status. See note below.
 
-
|-
 
-
| MPLS_PAL_RD
 
-
| 90
 
-
| 8
 
-
| MPLS PAL Route Distinguisher.
 
-
|-
 
-
| MPLS_PREFIX_LEN
 
-
| 91
 
-
| 1
 
-
| Number of consecutive bits in the MPLS prefix length.
 
-
|-
 
-
| SRC_TRAFFIC_INDEX
 
-
| 92
 
-
| ?
 
-
| ?
 
-
|-
 
-
| DST_TRAFFIC_INDEX
 
-
| 93
 
-
| ?
 
-
| ?
 
-
|-
 
-
| APP_DESCRIPTION
 
-
| 94
 
-
| N
 
-
| Application description.
 
-
|-
 
-
| CLASSIFICATION TAG
 
-
| 95
 
-
| 1 + n
 
-
| 8 bits of engine ID, followed by n bits of classification.
 
-
|-
 
-
| CLASSIFICATION NAME
 
-
| 96
 
-
| N
 
-
| Name associated with a classification.
 
-
|-
 
-
| postipDiffServCodePoint
 
-
| 98
 
-
| 1
 
-
| The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services Field, after modification.
 
-
|-
 
-
| replication factor
 
-
| 99
 
-
| 4
 
-
| Multicast replication factor.
 
-
|-
 
-
| layer2packetSectionOffset
 
-
| 102
 
-
| ?
 
-
| Layer 2 packet section offset. Potentially a generic offset.
 
-
|-
 
-
| layer2packetSectionSize
 
-
| 103
 
-
| ?
 
-
| Layer 2 packet section size. Potentially a generic size.
 
-
|-
 
-
| layer2packetSectionData
 
-
| 104
 
-
| ?
 
-
| Layer 2 packet section data.
 
-
|-
 
-
| subApplicationName
 
-
| 109
 
-
| ?
 
-
| Name of a sub app. See #109.
 
-
|-
 
-
| subApplicationDescr
 
-
| 110
 
-
| ?
 
-
| Descr of a sub app. See #109.
 
-
|-
 
-
| rangeEnd
 
-
| 111
 
-
| 8
 
-
| Range end for describing the parameters needed to interpret a field.
 
-
|-
 
-
|
 
-
|
 
-
|
 
-
|
 
-
|-
 
-
| Reserved
 
-
| 112 - 127
 
-
| ?
 
-
| Reserved for future use by Cisco
 
|}
|}
-
<br>
+
<br>  
-
<br>
+
-
= Fields > 32768 (Enterprise Specific Fields) =
+
*[[AVC:Home|AVC Home Page]]
-
<br>
+
<br>  
-
The values of the fields listed below are set for compatibility with IPFIX Enterprise Specific numbering.
+
== NetFlow Child Pages  ==
-
There's a difference between NFv9 and IPFIX IDs.
+
*[[NetFlow:IDs|NetFlow Element IDs]]
-
IPFIX fields consist of an E (Enterprise) bit, followed by a 15-bit ID.
+
*[[AVC-Export:PfR|Performance Routing NetFlow Page]]
-
If topmost bit = "E" then the Field Id is enterprise-specific versus IANA standard.
+
-
FNF treats this as a single 16-bit field ID.
+
<br><br>  
-
 
+
-
Example:
+
-
* "waas optimization segment" = IPFIX ID 9252 + enterprise ID 9 -> so the E bit is set.
+
-
* So in NFv9, this is 0x8000 + 9252 = 42020.
+
-
 
+
-
Although it looks different, it's exactly the same bits.
+
-
 
+
-
For simplicity we can consider this as a single 16 bit ID starting with 0x8001 or 32769.
+
-
 
+
-
<br>
+
-
<br>
+
-
 
+
-
== Service Control Solution ==
+
-
 
+
-
<br>
+
-
 
+
-
{| border="1" cellpadding="1" cellspacing="1"
+
-
|-
+
-
! scope="col" bgcolor="#FFE0C8" | Field Type
+
-
! scope="col" bgcolor="#FFE0C8" | Value
+
-
! scope="col" bgcolor="#FFE0C8" | Len (bytes)
+
-
! scope="col" bgcolor="#FFE0C8" | Description
+
-
|-
+
-
| scTag
+
-
| 32769
+
-
| 4
+
-
| A globally unique value which identifies the type of reporting record.
+
-
|-
+
-
| scTrafficProcessorId
+
-
| 32770
+
-
| 1
+
-
| Indicates which processing unit generated reporting record. Used for debug/troubleshooting.
+
-
|-
+
-
| scSourceIpSample
+
-
| 32771
+
-
| 1
+
-
| The last byte of the source IP of the network flow for which the application generated the report.
+
-
|-
+
-
| scDestinationIpSample
+
-
| 32772
+
-
| 1
+
-
| The last byte of the destination IP of the network flow for which the application generated the report.
+
-
|-
+
-
| scFlowContextId
+
-
| 32773
+
-
| 4
+
-
| The Flow context ID that the current flow is related to. Used for debug/troubleshooting.
+
-
|-
+
-
| scSubscriberId
+
-
| 32774
+
-
| 64
+
-
| The subscriber identification string, introduced through the subscriber management interfaces. For unknown subscriber this field may contain an empty string. The string may be padded with 0.
+
-
|-
+
-
| POLICY+id (was: scPackageId)
+
-
| 32775
+
-
| 2
+
-
| A numeric value used as an Identifier for the policy profile assigned to the reported entity. (was: “The ID of the policy package/profile assigned to the subscriber”.)
+
-
|-
+
-
| scServiceId
+
-
| 32776
+
-
| 4
+
-
| Indicates the service classification of the reported session
+
-
|-
+
-
| scProtocolId
+
-
| 32777
+
-
| 2
+
-
| This field contains the unique ID of the protocol associated with the reported session. For port-based protocols (for example, TCP port 666 for DOOM) and IP-protocol-based protocols (for example, IP protocol 1 for ICMP), the PROTOCOL_ID will be the TCP_GENERIC / UDP_GENERIC/ IP_PROTOCOL value, according to the specific base protocol of the transaction. For possible values see SCAS-BB Reference Guide.
+
-
|-
+
-
| scSkipppedSessions
+
-
| 32778
+
-
| 4
+
-
| The number of unreported sessions since the previous reporting record of this kind
+
-
|-
+
-
| scInitiatingSide
+
-
| 32779
+
-
| 1
+
-
| On which side of the SCE platform the initiator of the transaction resides: the subscriber side (0) or the network side (1).
+
-
|-
+
-
| scReportTime
+
-
| 32780
+
-
| 4
+
-
| Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970.
+
-
|-
+
-
| scTransactionDurationMillisec
+
-
| 32781
+
-
| 4
+
-
| Duration, in milliseconds, of the transaction reported in this reporting record.
+
-
|-
+
-
| scTimeFrame
+
-
| 32782
+
-
| 1
+
-
| The system supports time-dependent policies, by using different rules for different time frames. This field indicates the time frame during which the reporting record was generated. The field’s value can be in the range 0 to 3, indicating which of the four possible time frames was used.
+
-
|-
+
-
| scSessionUpstreamVolume
+
-
| 32783
+
-
| 4
+
-
| Upstream volume of the transaction, in bytes. The volume refers to the aggregated upstream volume on both links of all the flows bundled in the transaction.
+
-
|-
+
-
| scSessionDownstreamVolume
+
-
| 32784
+
-
| 4
+
-
| Downstream volume of the transaction, in bytes. The volume refers to the aggregated downstream volume on both links of all the flows bundled in the transaction.
+
-
|-
+
-
| scProtocolSignature
+
-
| 32785
+
-
| 4
+
-
| This field contains the ID of the protocol signature associated with this session. For possible values see SCAS-BB Reference Guide.
+
-
|-
+
-
| scZoneId
+
-
| 32786
+
-
| 4
+
-
| This field contains the ID of the zone associated with this session
+
-
|-
+
-
| scFlavorId
+
-
| 32787
+
-
| 4
+
-
| For protocol signatures that have flavors, this field contains the ID of the flavor associated with this session.
+
-
|-
+
-
| scFlowCloseMode
+
-
| 32788
+
-
| 1
+
-
| The reason for the end of flow.
+
-
|-
+
-
| scAccessString
+
-
| 32789
+
-
| 128, 256, 512, 1024
+
-
| A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include host name, server IP, server name, network name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide)
+
-
|-
+
-
| scInfoString
+
-
| 32790
+
-
| 128, 256, 512, 1024
+
-
| A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include URL, sender, login name, group name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide)
+
-
|-
+
-
| scClientPort
+
-
| 32791
+
-
| 2
+
-
| For TCP/UDP-based sessions, the port number of the client side (initiator) of the networking session. For non-TCP/UDP sessions, this field has the value zero (0).
+
-
|-
+
-
| scServerPort
+
-
| 32792
+
-
| 2
+
-
| For TCP/UDP-based sessions, this field contains the destination port number of the networking session. For non-TCP/UDP sessions, this field contains the IP protocol number of the session flow.
+
-
|-
+
-
| scSubscriberCounterId
+
-
| 32793
+
-
| 2
+
-
| Each service is mapped to a counter. There are 32 subscriber counters.
+
-
|-
+
-
| scServiceUsageCounterId
+
-
| 32794
+
-
| 2
+
-
| Each service is mapped to a counter. There are 32 counters in the subscriber scope
+
-
|-
+
-
| scBreachState
+
-
| 32795
+
-
| 1
+
-
| Indicates whether the subscriber's quota was breached: 0, if the quota was not breached and 1, if the quota was breached.
+
-
|-
+
-
| scReason
+
-
| 32796
+
-
| 1
+
-
| Reason for generation of reporting record: 0-period time pass, 1-subscriber logout, 2 - package switch, 3 - wraparound, 4 - end of aggregation period
+
-
|-
+
-
| scConfiguredDuration
+
-
| 32797
+
-
| 4
+
-
| Configured period, in seconds, between successive reporting records
+
-
|-
+
-
| scDuration
+
-
| 32798
+
-
| 4
+
-
| Indicates the number of seconds that have passed since the previous reporting record of this type
+
-
|-
+
-
| scEndTime
+
-
| 32799
+
-
| 4
+
-
| Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970
+
-
|-
+
-
| scUpstreamVolume
+
-
| 32800
+
-
| 4
+
-
| Aggregated upstream volume on both links of all sessions, in kilobytes, for the current reporting period
+
-
|-
+
-
| scDownstreamVolume
+
-
| 32801
+
-
| 4
+
-
| Aggregated downstream volume on both links of all sessions, in kilobytes, for the current reporting period.
+
-
|-
+
-
| scSessions
+
-
| 32802
+
-
| 2
+
-
| Aggregated number of sessions for the reported service, for the current reporting period.
+
-
|-
+
-
| scSeconds
+
-
| 32803
+
-
| 2
+
-
| Aggregated number of session seconds for the reported service, for the current reporting period.
+
-
|-
+
-
| scPackageCounterId
+
-
| 32804
+
-
| 2
+
-
| Each package is mapped to a counter and this field contains ID of this counter
+
-
|-
+
-
| scGeneratorId
+
-
| 32805
+
-
| 1
+
-
| A numeric value identifying the processor generating the reporting record.
+
-
|-
+
-
| scServiceGlobalCounterId
+
-
| 32806
+
-
| 2
+
-
| Each service is mapped to a counter and this field contains ID of this counter
+
-
|-
+
-
| scConcurrentSessions
+
-
| 32807
+
-
| 4
+
-
| Concurrent number of sessions using the reported service at this point in time.
+
-
|-
+
-
| scActiveSubscribers
+
-
| 32808
+
-
| 4
+
-
| Concurrent number of subscribers using the reported service at this point in time.
+
-
|-
+
-
| scTotalActiveSubscribers
+
-
| 32809
+
-
| 4
+
-
| Concurrent number of subscribers in the system at this point in time.
+
-
|-
+
-
| LINK_ID (was: scLinkId)
+
-
| 32810
+
-
| 1
+
-
| A numeric value associated with the reported network link. (was: “Possible values are 0 and 1 (referring to physical links 1 and 2 respectively).”)
+
-
|-
+
-
| scVirtualLinkId
+
-
| 32811
+
-
| 2
+
-
| A numeric value associated with the reported virtual network link. Possible values are TBD.
+
-
|-
+
-
| scVirtualLinkDirection
+
-
| 32812
+
-
| 1
+
-
| A numeric value indicating the reported virtual network link direction.
+
-
|-
+
-
| scAggregationObjectId
+
-
| 32813
+
-
| 2
+
-
| Externally assigned: 0 - offline subscriber, 1 - online subscriber. Used in Real Time Subscriber Usage RDR
+
-
|-
+
-
| scVendorId
+
-
| 32814
+
-
| 4
+
-
| The ITU-U vendor ID of the application. A value of 0xFFFFFFFF indicates that this field was not found in the traffic.
+
-
|-
+
-
| scUpstreamPacketLoss
+
-
| 32815
+
-
| 2
+
-
| The average fractional upstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| scDownstreamPacketLoss
+
-
| 32816
+
-
| 2
+
-
| The average fractional downstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| RESERVED1
+
-
| 32817
+
-
| N/A
+
-
| Reserved for SCE
+
-
|-
+
-
| RESERVED2
+
-
| 32818
+
-
| N/A
+
-
| Reserved for SCE
+
-
|-
+
-
| scAttackId
+
-
| 32819
+
-
| 4
+
-
| Unique attack ID.
+
-
|-
+
-
| scAttackIp
+
-
| 32820
+
-
| 4
+
-
| The IP address related to this attack.
+
-
|-
+
-
| scAttackOtherIp
+
-
| 32821
+
-
| 4
+
-
| The other IP address related to this attack if exists, 0xFFFFFFFF otherwise.
+
-
|-
+
-
| scAttackPortNumber
+
-
| 32822
+
-
| 2
+
-
| The port number related to this attack, if such exists (if this is an IP scan, for example), or 0xFFFF otherwise in case the info is not relevant (certain types of attacks).
+
-
|-
+
-
| scAttackType
+
-
| 32823
+
-
| 4
+
-
| Who attackIp belongs to: 0—Attacked, 1—Attacker
+
-
|-
+
-
| scAttackSide
+
-
| 32824
+
-
| 1
+
-
| The IP address side: 0—Subscriber, 1—Network.
+
-
|-
+
-
| scAttackIpProtocol
+
-
| 32825
+
-
| 1
+
-
| IP protocol type: 0—Other, 1—ICMP, 6—TCP, 17—UDP. For possible values see SCAS-BB Reference Guide.
+
-
|-
+
-
| scAttacks
+
-
| 32826
+
-
| 1
+
-
| The number of attacks in the current reporting period. Since this report is generated per attack, the value is 0 or 1.
+
-
|-
+
-
| scAttackMaliciousSessions
+
-
| 32827
+
-
| 4
+
-
| Aggregated number of sessions for the reported attack, for the current reporting period. If the SCE platform blocks the attack, this field takes the value 0xFFFFFFFF.
+
-
|-
+
-
| scUserAgent
+
-
| 32828
+
-
| 64
+
-
| The user agent field extracted from the HTTP transaction.
+
-
|-
+
-
| scHttpUrl
+
-
| 32829
+
-
| 64
+
-
| The URL extracted from the HTTP transaction.
+
-
|-
+
-
| scSipDomain
+
-
| 32830
+
-
| 64
+
-
| SIP: Domain name extracted from SIP header.
+
-
|-
+
-
| scSipUserAgent
+
-
| 32831
+
-
| 64
+
-
| SIP: User-Agent field extracted from SIP header.
+
-
|-
+
-
| scFlowStart
+
-
| 32832
+
-
| 4
+
-
| Flow start time.
+
-
|-
+
-
| scFlowType
+
-
| 32833
+
-
| 1
+
-
| 0—All Skype flows
+
-
1—Audio (SIP)
+
-
2—Video (SIP)
+
-
|-
+
-
| scSessionId
+
-
| 32834
+
-
| 4
+
-
| SIP: The flow-context ID of the control flow.
+
-
Skype: The flow-context ID of the flow.
+
-
|-
+
-
| scUpstreamJitter
+
-
| 32835
+
-
| 4
+
-
| SIP: The average upstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing.
+
-
Skype: N/A (0xFFFFFFFF).
+
-
|-
+
-
| scDownstreamJitter
+
-
| 32836
+
-
| 4
+
-
| SIP: The average downstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing.
+
-
Skype: N/A (0xFFFFFFFF).
+
-
|-
+
-
| scUpstreamPayloadType
+
-
| 32837
+
-
| 1
+
-
| SIP: The upstream RTP payload type for the session.
+
-
Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened).
+
-
|-
+
-
| scDownstreamPayloadType
+
-
| 32838
+
-
| 1
+
-
| SIP: The downstream RTP payload type for the session.
+
-
Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened).
+
-
|-
+
-
| scUpstreamAverageJitter
+
-
| 32839
+
-
| 4
+
-
| The average upstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| scDownstreamAverageJitter
+
-
| 32840
+
-
| 4
+
-
| The average downstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| scCallDestination
+
-
| 32841
+
-
| 64
+
-
| The Q931 Alias address of the session destination. A value of N/A indicates that this field was not found in the traffic.
+
-
|-
+
-
| scCallSource
+
-
| 32842
+
-
| 64
+
-
| The Q931 Alias address of the session source. A value of N/A indicates that this field was not found in the traffic.
+
-
|-
+
-
| scCallType
+
-
| 32843
+
-
| 1
+
-
| The call type (taken from H225 packet). A value of 0xFF indicates that this field is undefined (no RTP flows were opened).
+
-
|-
+
-
| scMediaChannels
+
-
| 32844
+
-
| 1
+
-
| The number of data flows that were opened during the session.
+
-
|-
+
-
| scBlockReason
+
-
| 32845
+
-
| 1
+
-
| Indicates the reason why this session was blocked. For possible values and their interpretation, see Block Reason, page 2-42 of the SCA BB Reference Guide
+
-
|-
+
-
| scBlockRdrCount
+
-
| 32846
+
-
| 4
+
-
| Total number of blocked flows reported so far (from the beginning of the current time frame).
+
-
|-
+
-
| scRedirected
+
-
| 32847
+
-
| 1
+
-
| Indicates whether the flow has been redirected after being blocked.
+
-
0—Not redirected
+
-
1—Redirected
+
-
|-
+
-
| RESERVED
+
-
| 32848 to 32999
+
-
| N/A
+
-
| Reserved for SCE
+
-
|}
+
-
 
+
-
<br>
+
-
<br>
+
-
 
+
-
== Performance Routing ==
+
-
 
+
-
<br>
+
-
 
+
-
Refer to: [[NetFlow:PfR | Performance Routing NetFlow]] for information regarding the use of the fields.
+
-
 
+
-
<br>
+
-
 
+
-
{| border="1" cellpadding="1" cellspacing="1"
+
-
|-
+
-
! scope="col" bgcolor="#FFE0C8" | Field Type
+
-
! scope="col" bgcolor="#FFE0C8" | Value
+
-
! scope="col" bgcolor="#FFE0C8" | Len (bytes)
+
-
! scope="col" bgcolor="#FFE0C8" | Description
+
-
|-
+
-
| IPV4_BR_ADDR
+
-
| 39000
+
-
| 4
+
-
| IPv4 border router (BR) address
+
-
|-
+
-
| PFR_STATUS
+
-
| 39001
+
-
| 2
+
-
| state code (state_type: 1 Byte, state_subtype: 1 Byte)
+
-
|-
+
-
| REASON_ID
+
-
| 39002
+
-
| 4
+
-
| reason ID
+
-
|-
+
-
| Threshold
+
-
| 39003
+
-
| 4
+
-
| policy threshold to which PfR thinks In-Policy
+
-
|-
+
-
| Priority
+
-
| 39004
+
-
| 2
+
-
| policy priority settings.
+
-
|-
+
-
| LongTermRTT
+
-
| 39006
+
-
| 4
+
-
| average round-trip-time for long-term period
+
-
|-
+
-
| BelowMOSPercentage
+
-
| 39007
+
-
| 4
+
-
| average percentage value below the MOS threshold
+
-
|-
+
-
| RSVPBandWidthPool
+
-
| 39008
+
-
| 8
+
-
| bandwidth pool reserved by RSVP
+
-
|-
+
-
| RollupCounter
+
-
| 39009
+
-
| 2
+
-
| rollup counter which is expired when it becomes zero.
+
-
|-
+
-
| BandWidthPercentage
+
-
| 39010
+
-
| 2
+
-
| bandwidth percentage against the maximum bandwidth
+
-
|-
+
-
| BandWidthFee
+
-
| 39011
+
-
| 4
+
-
| fee for a specific bandwidth
+
-
|-
+
-
| L4_SRC_PORT_MIN
+
-
| 39012
+
-
| 2
+
-
| TCP/UDP source minimum port number
+
-
|-
+
-
| L4_SRC_PORT_MAX
+
-
| 39013
+
-
| 2
+
-
| TCP/UDP source maximum port number (we will request a standard number to IANA later)
+
-
|-
+
-
| L4_DST_PORT_MIN
+
-
| 39014
+
-
| 2
+
-
| TCP/UDP destination minimum port number (we will request a standard number to IANA later)
+
-
|-
+
-
| L4_DST_PORT_MAX
+
-
| 39015
+
-
| 2
+
-
| TCP/UDP destination maximum port number (we will request a standard number to IANA later)
+
-
|-
+
-
| CAPACITY
+
-
| 39016
+
-
| 8
+
-
| Link capacity – egress link capacity (kbps)
+
-
|-
+
-
| INGRESS_BW
+
-
| 39017
+
-
| 8
+
-
| Current ingress bandwidth (kbps)
+
-
|-
+
-
| MAX_INGRESS_BW
+
-
| 39018
+
-
| 8
+
-
| Max ingress bandwidth (kbps)
+
-
|-
+
-
| EGRESS_BW
+
-
| 39019
+
-
| 8
+
-
| Current egress bandwidth (kbps)
+
-
|-
+
-
| MAX_EGRESS_BW
+
-
| 39020
+
-
| 8
+
-
| Max egress bandwidth (kbps)
+
-
|-
+
-
| INGRESS_ROLLUP_BW
+
-
| 39021
+
-
| 8
+
-
| Ingress rollup bandwidth (kbps)
+
-
|-
+
-
| EGRESS_ROLLUP_BW
+
-
| 39022
+
-
| 8
+
-
| Egress rollup bandwidth (kbps)
+
-
|-
+
-
| KTH_ROLLUP_BW
+
-
| 39023
+
-
| 8
+
-
|-
+
-
| LINK_GROUP_NAME
+
-
| 39024
+
-
| 48
+
-
| Link group name assigned to an external interface in the MC configuration
+
-
|-
+
-
| BGP_COMMUNITY
+
-
| 39025
+
-
| 4
+
-
| Used for ingress load-balancing using BGP
+
-
|-
+
-
| BGP_PREPEND
+
-
| 39026
+
-
| 1
+
-
| Used for ingress load-balancing using BGP
+
-
|-
+
-
| ENTRANCE_DOWNGRADE
+
-
| 39027
+
-
|
+
-
|
+
-
|-
+
-
| DISCARD_ROLLUP_COUNT
+
-
| 39028
+
-
| 2
+
-
|
+
-
|-
+
-
|}
+
-
 
+
-
<br>
+
-
<br>
+
-
 
+
-
 
+
-
 
+
-
 
+
-
 
+
-
== NAM Module ==
+
-
 
+
-
<br>
+
-
 
+
-
{| border="1" cellpadding="1" cellspacing="1"
+
-
|-
+
-
! scope="col" bgcolor="#FFE0C8" | Field Type
+
-
! scope="col" bgcolor="#FFE0C8" | Value
+
-
! scope="col" bgcolor="#FFE0C8" | Len (bytes)
+
-
! scope="col" bgcolor="#FFE0C8" | Description
+
-
|-
+
-
| namDataSrc
+
-
| 42001
+
-
| 4
+
-
| NAM’s assigned data source (port, NDE device, VLAN id, etc.), associated with NAM’s input ifIndex
+
-
|-
+
-
| srcSite
+
-
| 42002
+
-
| 4
+
-
| NAM’s assigned source site (aggregation of source hosts)
+
-
Site is a user–defined grouping of hosts (IP addresses) and (optionally) data-sources (logical channels of ingress traffic, i.e. observation points) according to one the following or similar supported definition methods, for example:
+
-
* Network Prefix(es)
+
-
* Network Prefix(es) + Set of Data Source(s)
+
-
* Network Prefix(es) + Set of Data Source(s) + Set of VLAN(s)
+
-
* WAAS data source
+
-
* NDE/CEF data source + interface(s)
+
-
|-
+
-
| dstSite
+
-
| 42003
+
-
| 4
+
-
| NAM’s assigned destination site (aggregation of destination hosts)
+
-
|-
+
-
| serverSite
+
-
| 42004
+
-
| 4
+
-
| NAM’s assigned server site for IAP metrics (can be both traffic source and destination)
+
-
|-
+
-
| clientSite
+
-
| 42005
+
-
| 4
+
-
| NAM’s assigned client site for IAP metrics (can be both traffic source and destination)
+
-
|-
+
-
| Unused
+
-
| 42006
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| serverIPv4Address
+
-
| 42007
+
-
| 4
+
-
| Server address (IPv4) in IAP metrics (can be both traffic source and destination)
+
-
|-
+
-
| clientIPv4Address
+
-
| 42008
+
-
| 4
+
-
| Client address (IPv4) in IAP metrics(can be both traffic source and destination)
+
-
|-
+
-
| Unused
+
-
| 42009
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| netEncap
+
-
| 42010
+
-
| 4
+
-
| Network protocol encapsulation enum
+
-
|-
+
-
| serverIPv6Address
+
-
| 42011
+
-
| 16
+
-
| Server address (IPv6) in IAP metrics (can be both traffic source and destination)
+
-
|-
+
-
| clientIPv6Address
+
-
| 42012
+
-
| 16
+
-
| Client address (IPv6) in IAP metrics (can be both traffic source and destination)
+
-
|-
+
-
| namSrcDeviceId
+
-
| 42013
+
-
| 4
+
-
| Internal index of the (traffic) source device
+
-
* NAM source device fields are keys in the exported flows
+
-
* NAM source device designate the network device sending the traffic to NAM
+
-
* NAM source device may or may not be a NetFlow observation point.
+
-
|-
+
-
| namSrcDeviceIPv4Address
+
-
| 42014
+
-
| 4
+
-
| See above
+
-
|-
+
-
| namSrcDeviceIPv6Address
+
-
| 42015
+
-
| 16
+
-
| See above
+
-
|-
+
-
| siteName
+
-
| 42016
+
-
| N
+
-
| Site name
+
-
|-
+
-
| siteDescription
+
-
| 42017
+
-
| N
+
-
| Site description
+
-
|-
+
-
| Unused
+
-
| 42018
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42019
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| waasOptimizationSegment
+
-
| 42020
+
-
| 1
+
-
| WAAS optimization "segment" (Client LAN, Client WAN, Server WAN, Server LAN, or Passthrough)
+
-
|-
+
-
| waasPassThroughReason
+
-
| 42021
+
-
| 1
+
-
| PT_UNKNOWN 0
+
-
 
+
-
PTR indicated by SN
+
-
* PT_NO_PEER 1
+
-
* PT_RJCT_CAP 2
+
-
* PT_RJCT_RSRCS 3
+
-
* PT_RJCT_NO_LICENSE 4
+
-
* PT_APP_CONFIG 5
+
-
* PT_GLB_CONFIG 6
+
-
* PT_ASYMMETRIC 7
+
-
* PT_IN_PROGRESS 8
+
-
* PT_INTERMEDIATE 9
+
-
* PT_OVERLOAD 10
+
-
* PT_INT_ERROR 11
+
-
* PT_APP_OVERRIDE 12
+
-
* PT_SVR_BLACKLIST 13
+
-
* PT_AD_VER_MISMTCH 14
+
-
* PT_AD_AO_INCOMPAT 15
+
-
* PT_AD_AOIM_PROGRESS 16
+
-
* PT_DIRM_VER_MISMTCH 17
+
-
* PT_PEER_OVERRIDE 18
+
-
* PT_AD_OPT_PARSE_FAIL 19
+
-
* PT_AD_PT_SERIAL_MODE 20
+
-
* PT_SN_INTERCEPTION_ACL 21
+
-
* PT_IP_FRAG_UNSUPP_PEER 22
+
-
+
-
PTR collected by SC globally
+
-
* PT_CLUSTER_MEMBER 32
+
-
* PT_FLOW_QUERY_FAIL 33
+
-
* PT_FLOWSW_INT_ACL_DENY 34
+
-
+
-
PTR collected by SC per class
+
-
* PT_FLOWSW_PLCY 40
+
-
* PT_SNG_OVERLOAD 41
+
-
* PT_CLUSTER_DEGRADE 42
+
-
* PT_FLOW_LEARN_FAIL 43
+
-
+
-
PTR specific to Lhotse
+
-
* PT_ZBFW 56
+
-
* PT_RTSP_ALG 57
+
-
* PT_NON_WAN 58
+
-
|-
+
-
| initiatorPackets
+
-
| 42033
+
-
| 8
+
-
| Total packets sent by clients
+
-
|-
+
-
| responderPackets
+
-
| 42034
+
-
| 8
+
-
| Total packets sent by servers
+
-
|-
+
-
| retransOctets
+
-
| 42035
+
-
| 4
+
-
| Total octets retransmitted
+
-
|-
+
-
| retransPackets
+
-
| 42036
+
-
| 4
+
-
| Total IP packets retransmitted by Layer 4 (TCP/SCTP) or application
+
-
|-
+
-
| Unused
+
-
| 42037
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42038
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42039
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| transactionCountDelta
+
-
| 42040
+
-
| 4
+
-
| Number of transactions
+
-
Transaction is defined as a pair of an application-layer request from client and the associated response from server.  Each request/response consists of one or multiple packets carrying application data
+
-
|-
+
-
| sumTransactionTime
+
-
| 42041
+
-
| 4
+
-
| Sum of transaction time.
+
-
Divide by transactionCountDelta for AVG
+
-
|-
+
-
| maxTransactionTime
+
-
| 42042
+
-
| 4
+
-
| Maximal transaction time in msec
+
-
|-
+
-
| minTransactionTime
+
-
| 42043
+
-
| 4
+
-
| Minimal transaction time in msec
+
-
|-
+
-
| sumDataTransmissionTime
+
-
| 42044
+
-
| 4
+
-
| Sum of data transmission time in msec. Transmission is defined as the data transmission of the server response in a transaction
+
-
|-
+
-
| sumDataRetransmissionTime
+
-
| 42045
+
-
| 4
+
-
| Sum of data retransmission time in msec
+
-
|-
+
-
| Unused
+
-
| 42046
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42047
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42048
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42049
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| newConnectionsCountDelta
+
-
| 42050
+
-
| 4
+
-
| Number of new connections (new sessions)
+
-
|-
+
-
| completedConnectionsCountDelta
+
-
| 42051
+
-
| 4
+
-
| Number of completed sessions
+
-
|-
+
-
| refusedConnectionsCountDelta
+
-
| 42052
+
-
| 4
+
-
| Number of refused sessions
+
-
|-
+
-
| unrespConnectionsCountDelta
+
-
| 42053
+
-
| 4
+
-
| Number of unresponsive sessions
+
-
|-
+
-
| sumSessionDuration
+
-
| 42054
+
-
| 4
+
-
| Total session duration in msec. 
+
-
Divide by completedConnectionsCountDelta for AVG
+
-
|-
+
-
| Unused
+
-
| 42055
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42056
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42057
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42058
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42059
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| numRespsCountDelta
+
-
| 42060
+
-
| 4
+
-
| Number of responses
+
-
|-
+
-
| numResps1CountDelta
+
-
| 42061
+
-
| 4
+
-
| Number of responses in bucket 1
+
-
|-
+
-
| numResps2CountDelta
+
-
| 42062
+
-
| 4
+
-
| Number of responses in bucket 2
+
-
|-
+
-
| numResps3CountDelta
+
-
| 42063
+
-
| 4
+
-
| Number of responses in bucket 3
+
-
|-
+
-
| numResps4CountDelta
+
-
| 42064
+
-
| 4
+
-
| Number of responses in bucket 4
+
-
|-
+
-
| numResps5CountDelta
+
-
| 42065
+
-
| 4
+
-
| Number of responses in bucket 5
+
-
|-
+
-
| numResps6CountDelta
+
-
| 42066
+
-
| 4
+
-
| Number of responses in bucket 6
+
-
|-
+
-
| numResps7CountDelta
+
-
| 42067
+
-
| 4
+
-
| Number of responses in bucket 7
+
-
|-
+
-
| numLateRespsCountDelta
+
-
| 42068
+
-
| 4
+
-
| Number of late responses
+
-
|-
+
-
| Unused
+
-
| 42069
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| Unused
+
-
| 42070
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| sumRespTime
+
-
| 42071
+
-
| 4
+
-
| Sum of response time in msec. 
+
-
Divide by numRespsCountDelta for AVG
+
-
|-
+
-
| maxRespTime
+
-
| 42072
+
-
| 4
+
-
| Maximal response time in msec
+
-
|-
+
-
| minRespTime
+
-
| 42073
+
-
| 4
+
-
| Minimal response time in msec
+
-
|-
+
-
| sumServerRespTime
+
-
| 42074
+
-
| 4
+
-
| Sum of application server response time in msec. 
+
-
Divide by numRespsCountDelta for AVG
+
-
|-
+
-
| maxServerRespTime
+
-
| 42075
+
-
| 4
+
-
| Maximal application server response time in msec
+
-
|-
+
-
| minServerRespTime
+
-
| 42076
+
-
| 4
+
-
| Minimal application server response time in msec
+
-
|-
+
-
| sumTotalRespTime
+
-
| 42077
+
-
| 4
+
-
| Sum of total response time in msec. 
+
-
Divide by numRespsCountDelta for AVG
+
-
|-
+
-
| maxTotalRespTime
+
-
| 42078
+
-
| 4
+
-
| Maximal total response time in msec
+
-
|-
+
-
| minTotalRespTime
+
-
| 42079
+
-
| 4
+
-
| Minimal total response time in msec
+
-
|-
+
-
| Unused
+
-
| 42080
+
-
| N/A
+
-
| Unused.
+
-
|-
+
-
| sumNwkTime
+
-
| 42081
+
-
| 4
+
-
| Sum of network delay times in msec. 
+
-
Divide by newConnectionsCountDelta for AVG
+
-
|-
+
-
| maxNwkTime
+
-
| 42082
+
-
| 4
+
-
| Maximal network time in msec
+
-
|-
+
-
| minNwkTime
+
-
| 42083
+
-
| 4
+
-
| Minimal network time in msec
+
-
|-
+
-
| sumClientNwkTime
+
-
| 42084
+
-
| 4
+
-
| Sum of client network times in msec. 
+
-
Divide by newConnectionsCountDelta for AVG
+
-
|-
+
-
| maxClientNwkTime
+
-
| 42085
+
-
| 4
+
-
| Maximal client network time in msec
+
-
|-
+
-
| minClientNwkTime
+
-
| 42086
+
-
| 4
+
-
| Minimal client network time in msec
+
-
|-
+
-
| sumServerNwkTime
+
-
| 42087
+
-
| 4
+
-
| Sum of server network times in msec. 
+
-
Divide by newConnectionsCountDelta for AVG
+
-
|-
+
-
| maxServerNwkTime
+
-
| 42088
+
-
| 4
+
-
| Minimal server network time in msec
+
-
|-
+
-
| minServerNwkTime
+
-
| 42089
+
-
| 4
+
-
| Maximal server network time in msec
+
-
|-
+
-
| numRoundtripsDeltaCount
+
-
| 42090
+
-
| 4
+
-
| Number of ACK ‘d roundtrips
+
-
|-
+
-
| sumRoundtripTime
+
-
| 42091
+
-
| 4
+
-
| Total ACK round trip time.
+
-
| Divide by numRoundtripsDeltaCount for AVG
+
-
|-
+
-
| Unused
+
-
| 42092 to 42100
+
-
| N/A
+
-
| Unused
+
-
|-
+
-
| rtpSsrc
+
-
| 42101
+
-
| 4
+
-
| RTP stream unique id given by sensor
+
-
|-
+
-
| rtpPayloadType
+
-
| 42102
+
-
| 1
+
-
| RTP stream payload type
+
-
(http://www.iana.org/assignments/rtp-parameters)
+
-
|-
+
-
| rtpCodec
+
-
| 42103
+
-
| 4
+
-
| RTP stream’s codec enum
+
-
|-
+
-
| Unused
+
-
| 42104 to 42111
+
-
| N/A
+
-
| Unused
+
-
|-
+
-
| rtpDuration
+
-
| 42112
+
-
| 4
+
-
| RTP stream’s duration (total) in sec
+
-
|-
+
-
| rtpAvgMos100
+
-
| 42113
+
-
| 4
+
-
| Average MOS value x100
+
-
|-
+
-
| Unused
+
-
| 42114
+
-
| N/A
+
-
| Unused
+
-
|-
+
-
| rtpWorstMos100
+
-
| 42115
+
-
| 4
+
-
| Worst MOS value x100 – for every measurement interval (***) the worst MOS score for 3 seconds granularity
+
-
|-
+
-
| rtpActualPacketLoss
+
-
| 42116
+
-
| 4
+
-
| Actual packet loss
+
-
|-
+
-
| rtpAdjPacketLoss
+
-
| 42117
+
-
| 4
+
-
| Adjusted packet loss
+
-
|-
+
-
| rtpJitter100
+
-
| 42118
+
-
| 4
+
-
| Stream Jitter value x100
+
-
|-
+
-
| rtpSoc
+
-
| 42119
+
-
| 4
+
-
| Seconds of concealment
+
-
|-
+
-
| rtpSsc
+
-
| 42120
+
-
| 4
+
-
| Seconds of severe concealment
+
-
|-
+
-
| rtpMaxPktLoss
+
-
| 42121
+
-
| 4
+
-
| Maximal consecutive packet loss
+
-
|-
+
-
| rtpPktToJitter100
+
-
| 42122
+
-
| 4
+
-
| Packet-to-packet jitter measure x100 peak to peak
+
-
| Interval for two consecutive packets
+
-
|-
+
-
| rtpMosQuality
+
-
| 42123
+
-
| 4
+
-
| MOS quality  – score as integer value 1,2,3,4
+
-
|-
+
-
| rtpConnCountTotal
+
-
| 42124
+
-
| 4
+
-
| Total connection count for the RTP stream
+
-
|-
+
-
| httpUriHits
+
-
| 42125
+
-
| Var-len
+
-
| Export URI and URI-Hits (URI:URI-HITS)
+
-
|-
+
-
| packetIntervalTimeHistogram
+
-
v42126
+
-
| ?
+
-
| A histogram of inter-packet-gaps (time between packets in milliseconds) made up of N x uint64_t.
+
-
|-
+
-
| packetIntervalTimeHistogramRevers
+
-
| 42127
+
-
| Var-len
+
-
| A histogram of inter-packet-gaps (time between packets in milliseconds), for packets in the reverse direction, made up of N x uint64_t.
+
-
|-
+
-
| queueIndex
+
-
| 42128
+
-
| 4
+
-
| Id of queue upon which packets were placed.
+
-
|-
+
-
| queueDrops
+
-
| 42129
+
-
| 8
+
-
| Number of packet drops on a particular queue.
+
-
|}
+
-
<br>
+
[[Category:AVC]] [[Category:NetFlow]]
-
<br>
+

Revision as of 09:32, 17 January 2013



NetFlow Home Page
Welcome to NetFlow DocWiki.

Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based, planning, monitoring and billing.



NetFlow Child Pages



Rating: 0.0/5 (0 votes cast)

Personal tools