NetFlow

From DocWiki

(Difference between revisions)
(Service Control Solution)
(NetFlow Child Pages)
(45 intermediate revisions not shown)
Line 1: Line 1:
-
<br>
+
<meta name="keywords" content="AVC, Application Visibility and Control, NetFlow" />  
-
<br>
+
 
 +
<br> <br>  
{| border="1" class="wikitable"
{| border="1" class="wikitable"
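Review bot: the added `<meta name="keywords" content="AVC, Application Visibility and Control, NetFlow" />` line at the top of the page is a raw HTML head element placed in the wikitext body, and nothing in this diff shows whether the wiki emits it as metadata or prints it as literal text. Check the rendered page, and if the aim is discoverability, the `[[Category:AVC]] [[Category:NetFlow]]` tags added later in this revision may already cover it. The keyword list on the NetFlow home page also leads with AVC rather than NetFlow, which is worth a second look.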
Line 7: Line 8:
|-
|-
| Welcome to '''NetFlow DocWiki'''.  
| Welcome to '''NetFlow DocWiki'''.  
-
Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
+
Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology. <br> NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based, planning, monitoring and billing.  
-
<br>
+
-
NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based, planning, monitoring and billing.
+
-
|}
+
-
<br>
 
-
<br>
 
-
 
-
 
-
!!!!!!!!! DRAFT !!!!!!!!!!!!
 
-
 
-
<br>
 
-
<br>
 
-
 
-
__TOC__
 
-
 
-
<br>
 
-
<br>
 
-
 
-
 
-
= NetFlow DocWiki Navigation =
 
-
 
-
*[http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html  NetFlow Version 9 Flow-Record Format]
 
-
*[[NetFlow:PfR | Performance Routing NetFlow]]
 
-
 
-
<br>
 
-
<br>
 
-
 
-
= Summary =
 
-
 
-
* IDs <128 : specific to Cisco and NetFlow v9
 
-
* IDs Range 128 - 32767 : allocated by IANA for IPFIX, in NetFlow v9 for parity
 
-
* IDs > 32768 : IPFIX Enterprise Specific
 
-
 
-
<br>
 
-
<br>
 
-
 
-
= Fields 1-128 (Specific to Cisco) =
 
-
 
-
<br>
 
-
<br>
 
-
 
-
{| width="800" border="1" cellpadding="1" cellspacing="1"
 
-
|-
 
-
! scope="col" bgcolor="#FFE0C8" | Field Type
 
-
! scope="col" bgcolor="#FFE0C8" | Value
 
-
! scope="col" bgcolor="#FFE0C8" | Len (bytes)
 
-
! scope="col" bgcolor="#FFE0C8" | Description
 
-
|-
 
-
| IN_BYTES
 
-
| 1
 
-
| N (default is 8)
 
-
| Incoming counter with length N x 8 bits for number of bytes associated with an IP  Flow.
 
-
|-
 
-
| IN_PKTS
 
-
| 2
 
-
| N (default is 8)
 
-
| Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow
 
-
|-
 
-
| FLOWS
 
-
| 3
 
-
| N
 
-
| Number of flows that were aggregated; default for N is 4
 
-
|-
 
-
| PROTOCOL
 
-
| 4
 
-
| 1
 
-
| IP protocol byte
 
-
|-
 
-
| SRC_TOS
 
-
| 5
 
-
| 1
 
-
| Type of Service byte setting when entering incoming interface
 
-
|-
 
-
| TCP_FLAGS
 
-
| 6
 
-
| 1
 
-
| Cumulative of all the TCP flags seen for this flow
 
-
|-
 
-
| L4_SRC_PORT
 
-
| 7
 
-
| 2
 
-
| TCP/UDP source port number e.g. FTP, Telnet, or equivalent
 
-
|-
 
-
| IPV4_SRC_ADDR
 
-
| 8
 
-
| 4
 
-
| IPv4 source address
 
-
|-
 
-
| SRC_MASK
 
-
| 9
 
-
| 1
 
-
| The number of contiguous bits in the source address subnet mask i.e. the submask in slash notation
 
-
|-
 
-
| INPUT_SNMP
 
-
| 10
 
-
| N
 
-
| Input interface index; default for N is 4 but higher values could be used
 
-
|-
 
-
| L4_DST_PORT
 
-
| 11
 
-
| 2
 
-
| TCP/UDP destination port number e.g. FTP, Telnet, or equivalent
 
-
|-
 
-
| IPV4_DST_ADDR
 
-
| 12
 
-
| 4
 
-
| IPv4 destination address
 
-
|-
 
-
| DST_MASK
 
-
| 13
 
-
| 1
 
-
| The number of contiguous bits in the destination address subnet mask i.e. the submask in slash notation
 
-
|-
 
-
| OUTPUT_SNMP
 
-
| 14
 
-
| N
 
-
| Output interface index; default for N is 4 but higher values could be used
 
-
|-
 
-
| IPV4_NEXT_HOP
 
-
| 15
 
-
| 4
 
-
| IPv4 address of next-hop router
 
-
|-
 
-
| SRC_AS
 
-
| 16
 
-
| N (default is 2)
 
-
| Source BGP autonomous system number where N could be 2 or 4
 
-
|-
 
-
| DST_AS
 
-
| 17
 
-
| N (default is 2)
 
-
| Destination BGP autonomous system number where N could be 2 or 4
 
-
|-
 
-
| BGP_IPV4_NEXT_HOP
 
-
| 18
 
-
| 4
 
-
| Next-hop router's IP in the BGP domain
 
-
|-
 
-
| MUL_DST_PKTS
 
-
| 19
 
-
| N (default is 8)
 
-
| IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow
 
-
|-
 
-
| MUL_DST_BYTES
 
-
| 20
 
-
| N (default is 8)
 
-
| IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow
 
-
|-
 
-
| LAST_SWITCHED
 
-
| 21
 
-
| 4
 
-
| System uptime at which the last packet of this flow was switched
 
-
|-
 
-
| FIRST_SWITCHED
 
-
| 22
 
-
| 4
 
-
| System uptime at which the first packet of this flow was switched
 
-
|-
 
-
| OUT_BYTES
 
-
| 23
 
-
| N (default is 8)
 
-
| Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow
 
-
|-
 
-
| OUT_PKTS
 
-
| 24
 
-
| N (default is 8)
 
-
| Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow.
 
-
|-
 
-
| MIN_PKT_LNGTH
 
-
| 25
 
-
| 4
 
-
| Minimum IP packet length on incoming packets of the flow
 
-
|-
 
-
| MAX_PKT_LNGTH
 
-
| 26
 
-
| 4
 
-
| Maximum IP packet length on incoming packets of the flow
 
-
|-
 
-
| IPV6_SRC_ADDR
 
-
| 27
 
-
| 16
 
-
| IPv6 Source Address
 
-
|-
 
-
| IPV6_DST_ADDR
 
-
| 28
 
-
| 16
 
-
| IPv6 Destination Address
 
-
|-
 
-
| IPV6_SRC_MASK
 
-
| 29
 
-
| 1
 
-
| Length of the IPv6 source mask in contiguous bits
 
-
|-
 
-
| IPV6_DST_MASK
 
-
| 30
 
-
| 1
 
-
| Length of the IPv6 destination mask in contiguous bits
 
-
|-
 
-
| IPV6_FLOW_LABEL
 
-
| 31
 
-
| 4
 
-
| IPv6 flow label as per RFC 2460 definition
 
-
|-
 
-
| ICMP_TYPE_CODE
 
-
| 32
 
-
| 2
 
-
| Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code)
 
-
|-
 
-
| MUL_IGMP_TYPE
 
-
| 33
 
-
| 1
 
-
| Internet Group Management Protocol (IGMP) packet type
 
-
|-
 
-
| SAMPLING_INTERVAL
 
-
| 34
 
-
| 4
 
-
| When using sampled NetFlow, the rate at which packets are sampled e.g. a value of 100 indicates that one of every 100 packets is sampled
 
-
|-
 
-
| SAMPLING_ALGORITHM
 
-
| 35
 
-
| 1
 
-
| The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling ,0x02 Random Sampling
 
-
|-
 
-
| FLOW_ACTIVE_TIMEOUT
 
-
| 36
 
-
| 2
 
-
| Timeout value (in seconds) for active flow entries in the NetFlow cache
 
-
|-
 
-
| FLOW_INACTIVE_TIMEOUT
 
-
| 37
 
-
| 2
 
-
| Timeout value (in seconds) for inactive flow entries in the NetFlow cache
 
-
|-
 
-
| ENGINE_TYPE
 
-
| 38
 
-
| 1
 
-
| Type of flow switching engine: RP = 0, VIP/Linecard = 1
 
-
|-
 
-
| ENGINE_ID
 
-
| 39
 
-
| 1
 
-
| ID number of the flow switching engine
 
-
|-
 
-
| TOTAL_BYTES_EXP
 
-
| 40
 
-
| N (default is 8)
 
-
| Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain
 
-
|-
 
-
| TOTAL_PKTS_EXP
 
-
| 41
 
-
| N (default is 8)
 
-
| Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain
 
-
|-
 
-
| TOTAL_FLOWS_EXP
 
-
| 42
 
-
| N (default is 8)
 
-
| Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain
 
-
|-
 
-
| IPV4_ROUTER_SC
 
-
| 43
 
-
| 4
 
-
| The router shortcut address i.e. address of router bypassed by a switch (specific for Catalyst architecture)
 
-
|-
 
-
| IPV4_SRC_PREFIX
 
-
| 44
 
-
| 4
 
-
| IPv4 source address prefix (specific for Catalyst architecture)
 
-
|-
 
-
| IPV4_DST_PREFIX
 
-
| 45
 
-
| 4
 
-
| IPv4 destination address prefix  (specific for Catalyst architecture)
 
-
|-
 
-
| MPLS_TOP_LABEL_TYPE
 
-
| 46
 
-
| 1
 
-
| MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP
 
-
|-
 
-
| MPLS_TOP_LABEL_IP_ADDR
 
-
| 47
 
-
| 4
 
-
| Forwarding Equivalent Class corresponding to the MPLS Top Label
 
-
|-
 
-
| FLOW_SAMPLER_ID
 
-
| 48
 
-
| 1
 
-
| Identifier shown in "show flow-sampler"
 
-
|-
 
-
| FLOW_SAMPLER_MODE
 
-
| 49
 
-
| 1
 
-
| The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE
 
-
|-
 
-
| FLOW_SAMPLER_RANDOM_INTERVAL
 
-
| 50
 
-
| 4
 
-
| Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE
 
-
|-
 
-
| MIN_TTL
 
-
| 52
 
-
| 1
 
-
| Minimum TTL on incoming packets of the flow
 
-
|-
 
-
| MAX_TTL
 
-
| 53
 
-
| 1
 
-
| Maximum TTL on incoming packets of the flow
 
-
|-
 
-
| IPV4_IDENT
 
-
| 54
 
-
| 4
 
-
| The IPv4 identification field
 
-
|-
 
-
| DST_TOS
 
-
| 55
 
-
| 1
 
-
| Type of Service byte setting when exiting outgoing interface
 
-
|-
 
-
| IN_SRC_MAC
 
-
| 56
 
-
| 6
 
-
| Incoming source MAC address
 
-
|-
 
-
| OUT_DST_MAC
 
-
| 57
 
-
| 6
 
-
| Outgoing destination MAC address
 
-
|-
 
-
| SRC_VLAN
 
-
| 58
 
-
| 2
 
-
| Virtual LAN identifier associated with ingress interface
 
-
|-
 
-
| DST_VLAN
 
-
| 59
 
-
| 2
 
-
| Virtual LAN identifier associated with egress interface
 
-
|-
 
-
| IP_PROTOCOL_VERSION
 
-
| 60
 
-
| 1
 
-
| Internet Protocol Version Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed.
 
-
|-
 
-
| DIRECTION
 
-
| 61
 
-
| 1
 
-
| Flow direction: 0 - ingress flow, 1 - egress flow
 
-
|-
 
-
| IPV6_NEXT_HOP
 
-
| 62
 
-
| 16
 
-
| IPv6 address of the next-hop router
 
-
|-
 
-
| BPG_IPV6_NEXT_HOP
 
-
| 63
 
-
| 16
 
-
| Next-hop router in the BGP domain
 
-
|-
 
-
| IPV6_OPTION_HEADERS
 
-
| 64
 
-
| 4
 
-
| Bit-encoded field identifying IPv6 option headers found in the flow
 
-
|-
 
-
| MPLS_LABEL_1
 
-
| 70
 
-
| 3
 
-
| MPLS label at position 1 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_2
 
-
| 71
 
-
| 3
 
-
| MPLS label at position 2 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_3
 
-
| 72
 
-
| 3
 
-
| MPLS label at position 3 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_4
 
-
| 73
 
-
| 3
 
-
| MPLS label at position 4 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_5
 
-
| 74
 
-
| 3
 
-
| MPLS label at position 5 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_6
 
-
| 75
 
-
| 3
 
-
| MPLS label at position 6 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_7
 
-
| 76
 
-
| 3
 
-
| MPLS label at position 7 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_8
 
-
| 77
 
-
| 3
 
-
| MPLS label at position 8 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_9
 
-
| 78
 
-
| 3
 
-
| MPLS label at position 9 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| MPLS_LABEL_10
 
-
| 79
 
-
| 3
 
-
| MPLS label at position 10 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
 
-
|-
 
-
| IN_DST_MAC
 
-
| 80
 
-
| 6
 
-
| Incoming destination MAC address
 
-
|-
 
-
| OUT_SRC_MAC
 
-
| 81
 
-
| 6
 
-
| Outgoing source MAC address
 
-
|-
 
-
| IF_NAME
 
-
| 82
 
-
| N (default specified in template)
 
-
| Shortened interface name e.g. "FE1/0"
 
-
|-
 
-
| IF_DESC
 
-
| 83
 
-
| N (default specified in template)
 
-
| Full interface name e.g. "'FastEthernet 1/0"
 
-
|-
 
-
| SAMPLER_NAME
 
-
| 84
 
-
| N (default specified in template)
 
-
| Name of the flow sampler
 
-
|-
 
-
| IN_PERMANENT_BYTES
 
-
| 85
 
-
| N (default is 8)
 
-
| Running byte counter for a permanent flow
 
-
|-
 
-
| IN_PERMANENT_PKTS
 
-
| 86
 
-
| N (default is 8)
 
-
| Running packet counter for a permanent flow
 
-
|-
 
-
| FRAGMENT_OFFSET
 
-
| 88
 
-
| 2
 
-
| The fragment-offset value from fragmented IP packets
 
-
|-
 
-
| FORWARDING STATUS
 
-
| 89
 
-
| 1
 
-
| Forwarding status. See note below.
 
-
|-
 
-
| MPLS_PAL_RD
 
-
| 90
 
-
| 8
 
-
| MPLS PAL Route Distinguisher.
 
-
|-
 
-
| MPLS_PREFIX_LEN
 
-
| 91
 
-
| 1
 
-
| Number of consecutive bits in the MPLS prefix length.
 
-
|-
 
-
| SRC_TRAFFIC_INDEX
 
-
| 92
 
-
| ?
 
-
| ?
 
-
|-
 
-
| DST_TRAFFIC_INDEX
 
-
| 93
 
-
| ?
 
-
| ?
 
-
|-
 
-
| APP_DESCRIPTION
 
-
| 94
 
-
| N
 
-
| Application description.
 
-
|-
 
-
| CLASSIFICATION TAG
 
-
| 95
 
-
| 1 + n
 
-
| 8 bits of engine ID, followed by n bits of classification.
 
-
|-
 
-
| CLASSIFICATION NAME
 
-
| 96
 
-
| N
 
-
| Name associated with a classification.
 
-
|-
 
-
| postipDiffServCodePoint
 
-
| 98
 
-
| 1
 
-
| The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services Field, after modification.
 
-
|-
 
-
| replication factor
 
-
| 99
 
-
| 4
 
-
| Multicast replication factor.
 
-
|-
 
-
| layer2packetSectionOffset
 
-
| 102
 
-
| ?
 
-
| Layer 2 packet section offset. Potentially a generic offset.
 
-
|-
 
-
| layer2packetSectionSize
 
-
| 103
 
-
| ?
 
-
| Layer 2 packet section size. Potentially a generic size.
 
-
|-
 
-
| layer2packetSectionData
 
-
| 104
 
-
| ?
 
-
| Layer 2 packet section data.
 
-
|-
 
-
| subApplicationName
 
-
| 109
 
-
| ?
 
-
| Name of a sub app. See #109.
 
-
|-
 
-
| subApplicationDescr
 
-
| 110
 
-
| ?
 
-
| Descr of a sub app. See #109.
 
-
|-
 
-
| rangeEnd
 
-
| 111
 
-
| 8
 
-
| Range end for describing the parameters needed to interpret a field.
 
-
|-
 
-
|
 
-
|
 
-
|
 
-
|
 
-
|-
 
-
| Reserved
 
-
| 112 - 127
 
-
| ?
 
-
| Reserved for future use by Cisco
 
|}
|}
-
<br>
+
<br>  
-
<br>
+
-
= Fields > 32768 (Enterprise Specific Fields) =
+
*[[AVC:Home|AVC Home Page]]
-
<br>
+
<br>  
-
The values of the fields listed below are set for compatibility with IPFIX Enterprise Specific numbering. The IPFIX enterprise specific field encoding includes 1 Enterprise Specific bit + 15 bits of identifier, for simplicity we can consider this as a single 16 bit ID starting with 0x8001 or 32769.
+
== NetFlow Child Pages  ==
-
<br>
+
*[[NetFlow:IDs|NetFlow Element IDs]]
-
<br>
+
 +
<br><br>
-
 
+
[[Category:AVC]] [[Category:NetFlow]]
-
 
+
-
 
+
-
 
+
-
== Service Control Solution ==
+
-
 
+
-
<br>
+
-
 
+
-
{| width="800" border="1" cellpadding="1" cellspacing="1"
+
-
|-
+
-
! scope="col" bgcolor="#FFE0C8" | Field Type
+
-
! scope="col" bgcolor="#FFE0C8" | Value
+
-
! scope="col" bgcolor="#FFE0C8" | Len (bytes)
+
-
! scope="col" bgcolor="#FFE0C8" | Description
+
-
|-
+
-
| scTag
+
-
| 32769
+
-
| 4
+
-
| A globally unique value which identifies the type of reporting record.
+
-
|-
+
-
| scTrafficProcessorId
+
-
| 32770
+
-
| 1
+
-
| Indicates which processing unit generated reporting record. Used for debug/troubleshooting.
+
-
|-
+
-
| scSourceIpSample
+
-
| 32771
+
-
| 1
+
-
| The last byte of the source IP of the network flow for which the application generated the report.
+
-
|-
+
-
| scDestinationIpSample
+
-
| 32772
+
-
| 1
+
-
| The last byte of the destination IP of the network flow for which the application generated the report.
+
-
|-
+
-
| scFlowContextId
+
-
| 32773
+
-
| 4
+
-
| The Flow context ID that the current flow is related to. Used for debug/troubleshooting.
+
-
|-
+
-
| scSubscriberId
+
-
| 32774
+
-
| 64
+
-
| The subscriber identification string, introduced through the subscriber management interfaces. For unknown subscriber this field may contain an empty string. The string may be padded with 0.
+
-
|-
+
-
| POLICY+id (was: scPackageId)
+
-
| 32775
+
-
| 2
+
-
| A numeric value used as an Identifier for the policy profile assigned to the reported entity. (was: “The ID of the policy package/profile assigned to the subscriber”.)
+
-
|-
+
-
| scServiceId
+
-
| 32776
+
-
| 4
+
-
| Indicates the service classification of the reported session
+
-
|-
+
-
| scProtocolId
+
-
| 32777
+
-
| 2
+
-
| This field contains the unique ID of the protocol associated with the reported session. For port-based protocols (for example, TCP port 666 for DOOM) and IP-protocol-based protocols (for example, IP protocol 1 for ICMP), the PROTOCOL_ID will be the TCP_GENERIC / UDP_GENERIC/ IP_PROTOCOL value, according to the specific base protocol of the transaction. For possible values see SCAS-BB Reference Guide.
+
-
|-
+
-
| scSkipppedSessions
+
-
| 32778
+
-
| 4
+
-
| The number of unreported sessions since the previous reporting record of this kind
+
-
|-
+
-
| scInitiatingSide
+
-
| 32779
+
-
| 1
+
-
| On which side of the SCE platform the initiator of the transaction resides: the subscriber side (0) or the network side (1).
+
-
|-
+
-
| scReportTime
+
-
| 32780
+
-
| 4
+
-
| Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970.
+
-
|-
+
-
| scTransactionDurationMillisec
+
-
| 32781
+
-
| 4
+
-
| Duration, in milliseconds, of the transaction reported in this reporting record.
+
-
|-
+
-
| scTimeFrame
+
-
| 32782
+
-
| 1
+
-
| The system supports time-dependent policies, by using different rules for different time frames. This field indicates the time frame during which the reporting record was generated. The field’s value can be in the range 0 to 3, indicating which of the four possible time frames was used.
+
-
|-
+
-
| scSessionUpstreamVolume
+
-
| 32783
+
-
| 4
+
-
| Upstream volume of the transaction, in bytes. The volume refers to the aggregated upstream volume on both links of all the flows bundled in the transaction.
+
-
|-
+
-
| scSessionDownstreamVolume
+
-
| 32784
+
-
| 4
+
-
| Downstream volume of the transaction, in bytes. The volume refers to the aggregated downstream volume on both links of all the flows bundled in the transaction.
+
-
|-
+
-
| scProtocolSignature
+
-
| 32785
+
-
| 4
+
-
| This field contains the ID of the protocol signature associated with this session. For possible values see SCAS-BB Reference Guide.
+
-
|-
+
-
| scZoneId
+
-
| 32786
+
-
| 4
+
-
| This field contains the ID of the zone associated with this session
+
-
|-
+
-
| scFlavorId
+
-
| 32787
+
-
| 4
+
-
| For protocol signatures that have flavors, this field contains the ID of the flavor associated with this session.
+
-
|-
+
-
| scFlowCloseMode
+
-
| 32788
+
-
| 1
+
-
| The reason for the end of flow.
+
-
|-
+
-
| scAccessString
+
-
| 32789
+
-
| 128, 256, 512, 1024
+
-
| A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include host name, server IP, server name, network name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide)
+
-
|-
+
-
| scInfoString
+
-
| 32790
+
-
| 128, 256, 512, 1024
+
-
| A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include URL, sender, login name, group name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide)
+
-
|-
+
-
| scClientPort
+
-
| 32791
+
-
| 2
+
-
| For TCP/UDP-based sessions, the port number of the client side (initiator) of the networking session. For non-TCP/UDP sessions, this field has the value zero (0).
+
-
|-
+
-
| scServerPort
+
-
| 32792
+
-
| 2
+
-
| For TCP/UDP-based sessions, this field contains the destination port number of the networking session. For non-TCP/UDP sessions, this field contains the IP protocol number of the session flow.
+
-
|-
+
-
| scSubscriberCounterId
+
-
| 32793
+
-
| 2
+
-
| Each service is mapped to a counter. There are 32 subscriber counters.
+
-
|-
+
-
| scServiceUsageCounterId
+
-
| 32794
+
-
| 2
+
-
| Each service is mapped to a counter. There are 32 counters in the subscriber scope
+
-
|-
+
-
| scBreachState
+
-
| 32795
+
-
| 1
+
-
| Indicates whether the subscriber's quota was breached: 0, if the quota was not breached and 1, if the quota was breached.
+
-
|-
+
-
| scReason
+
-
| 32796
+
-
| 1
+
-
| Reason for generation of reporting record: 0-period time pass, 1-subscriber logout, 2 - package switch, 3 - wraparound, 4 - end of aggregation period
+
-
|-
+
-
| scConfiguredDuration
+
-
| 32797
+
-
| 4
+
-
| Configured period, in seconds, between successive reporting records
+
-
|-
+
-
| scDuration
+
-
| 32798
+
-
| 4
+
-
| Indicates the number of seconds that have passed since the previous reporting record of this type
+
-
|-
+
-
| scEndTime
+
-
| 32799
+
-
| 4
+
-
| Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970
+
-
|-
+
-
| scUpstreamVolume
+
-
| 32800
+
-
| 4
+
-
| Aggregated upstream volume on both links of all sessions, in kilobytes, for the current reporting period
+
-
|-
+
-
| scDownstreamVolume
+
-
| 32801
+
-
| 4
+
-
| Aggregated downstream volume on both links of all sessions, in kilobytes, for the current reporting period.
+
-
|-
+
-
| scSessions
+
-
| 32802
+
-
| 2
+
-
| Aggregated number of sessions for the reported service, for the current reporting period.
+
-
|-
+
-
| scSeconds
+
-
| 32803
+
-
| 2
+
-
| Aggregated number of session seconds for the reported service, for the current reporting period.
+
-
|-
+
-
| scPackageCounterId
+
-
| 32804
+
-
| 2
+
-
| Each package is mapped to a counter and this field contains ID of this counter
+
-
|-
+
-
| scGeneratorId
+
-
| 32805
+
-
| 1
+
-
| A numeric value identifying the processor generating the reporting record.
+
-
|-
+
-
| scServiceGlobalCounterId
+
-
| 32806
+
-
| 2
+
-
| Each service is mapped to a counter and this field contains ID of this counter
+
-
|-
+
-
| scConcurrentSessions
+
-
| 32807
+
-
| 4
+
-
| Concurrent number of sessions using the reported service at this point in time.
+
-
|-
+
-
| scActiveSubscribers
+
-
| 32808
+
-
| 4
+
-
| Concurrent number of subscribers using the reported service at this point in time.
+
-
|-
+
-
| scTotalActiveSubscribers
+
-
| 32809
+
-
| 4
+
-
| Concurrent number of subscribers in the system at this point in time.
+
-
|-
+
-
| LINK_ID (was: scLinkId) 32810
+
-
| 1
+
-
| A numeric value associated with the reported network link. (was: “Possible values are 0 and 1 (referring to physical links 1 and 2 respectively).”)
+
-
|-
+
-
| scVirtualLinkId
+
-
| 32811
+
-
| 2
+
-
| A numeric value associated with the reported virtual network link. Possible values are TBD.
+
-
|-
+
-
| scVirtualLinkDirection
+
-
| 32812
+
-
| 1
+
-
| A numeric value indicating the reported virtual network link direction.
+
-
|-
+
-
| scAggregationObjectId
+
-
| 32813
+
-
| 2
+
-
| Externally assigned: 0 - offline subscriber, 1 - online subscriber. Used in Real Time Subscriber Usage RDR
+
-
|-
+
-
| scVendorId
+
-
| 32814
+
-
| 4
+
-
| The ITU-U vendor ID of the application. A value of 0xFFFFFFFF indicates that this field was not found in the traffic.
+
-
|-
+
-
| scUpstreamPacketLoss
+
-
| 32815
+
-
| 2
+
-
| The average fractional upstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| scDownstreamPacketLoss
+
-
| 32816
+
-
| 2
+
-
| The average fractional downstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| RESERVED1
+
-
| 32817
+
-
| N/A
+
-
| Reserved for SCE
+
-
|-
+
-
| RESERVED2
+
-
| 32818
+
-
| N/A
+
-
| Reserved for SCE
+
-
|-
+
-
| scAttackId
+
-
| 32819
+
-
| 4
+
-
| Unique attack ID.
+
-
|-
+
-
| scAttackIp
+
-
| 32820
+
-
| 4
+
-
| The IP address related to this attack.
+
-
|-
+
-
| scAttackOtherIp
+
-
| 32821
+
-
| 4
+
-
| The other IP address related to this attack if exists, 0xFFFFFFFF otherwise.
+
-
|-
+
-
| scAttackPortNumber
+
-
| 32822
+
-
| 2
+
-
| The port number related to this attack, if such exists (if this is an IP scan, for example), or 0xFFFF otherwise in case the info is not relevant (certain types of attacks).
+
-
|-
+
-
| scAttackType
+
-
| 32823
+
-
| 4
+
-
| Who attackIp belongs to: 0—Attacked, 1—Attacker
+
-
|-
+
-
| scAttackSide
+
-
| 32824
+
-
| 1
+
-
| The IP address side: 0—Subscriber, 1—Network.
+
-
|-
+
-
| scAttackIpProtocol
+
-
| 32825
+
-
| 1
+
-
| IP protocol type: 0—Other, 1—ICMP, 6—TCP, 17—UDP. For possible values see SCAS-BB Reference Guide.
+
-
|-
+
-
| scAttacks
+
-
| 32826
+
-
| 1
+
-
| The number of attacks in the current reporting period. Since this report is generated per attack, the value is 0 or 1.
+
-
|-
+
-
| scAttackMaliciousSessions
+
-
| 32827
+
-
| 4
+
-
| Aggregated number of sessions for the reported attack, for the current reporting period. If the SCE platform blocks the attack, this field takes the value 0xFFFFFFFF.
+
-
|-
+
-
| scUserAgent
+
-
| 32828
+
-
| 64
+
-
| The user agent field extracted from the HTTP transaction.
+
-
|-
+
-
| scHttpUrl
+
-
| 32829
+
-
| 64
+
-
| The URL extracted from the HTTP transaction.
+
-
|-
+
-
| scSipDomain
+
-
| 32830
+
-
| 64
+
-
| SIP: Domain name extracted from SIP header.
+
-
|-
+
-
| scSipUserAgent
+
-
| 32831
+
-
| 64
+
-
| SIP: User-Agent field extracted from SIP header.
+
-
|-
+
-
| scFlowStart
+
-
| 32832
+
-
| 4
+
-
| Flow start time.
+
-
|-
+
-
| scFlowType
+
-
| 32833
+
-
| 1
+
-
| 0—All Skype flows
+
-
1—Audio (SIP)
+
-
2—Video (SIP)
+
-
|-
+
-
| scSessionId
+
-
| 32834
+
-
| 4
+
-
SIP: The flow-context ID of the control flow.
+
-
Skype: The flow-context ID of the flow.
+
-
|-
+
-
| scUpstreamJitter
+
-
| 32835
+
-
| 4
+
-
| SIP: The average upstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing.
+
-
Skype: N/A (0xFFFFFFFF).
+
-
|-
+
-
| scDownstreamJitter
+
-
| 32836
+
-
| 4
+
-
| SIP: The average downstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing.
+
-
Skype: N/A (0xFFFFFFFF).
+
-
|-
+
-
| scUpstreamPayloadType
+
-
| 32837
+
-
| 1
+
-
| SIP: The upstream RTP payload type for the session.
+
-
Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened).
+
-
|-
+
-
| scDownstreamPayloadType
+
-
| 32838
+
-
| 1
+
-
| SIP: The downstream RTP payload type for the session.
+
-
Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened).
+
-
|-
+
-
| scUpstreamAverageJitter
+
-
| 32839
+
-
| 4
+
-
| The average upstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| scDownstreamAverageJitter
+
-
| 32840
+
-
| 4
+
-
| The average downstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened).
+
-
|-
+
-
| scCallDestination
+
-
| 32841
+
-
| 64
+
-
| The Q931 Alias address of the session destination. A value of N/A indicates that this field was not found in the traffic.
+
-
|-
+
-
| scCallSource
+
-
| 32842
+
-
| 64
+
-
| The Q931 Alias address of the session source. A value of N/A indicates that this field was not found in the traffic.
+
-
|-
+
-
| scCallType
+
-
| 32843
+
-
| 1
+
-
| The call type (taken from H225 packet). A value of 0xFF indicates that this field is undefined (no RTP flows were opened).
+
-
|-
+
-
| scMediaChannels
+
-
| 32844
+
-
| 1
+
-
| The number of data flows that were opened during the session.
+
-
|-
+
-
| scBlockReason
+
-
| 32845
+
-
| 1
+
-
| Indicates the reason why this session was blocked. For possible values and their interpretation, see Block Reason, page 2-42 of the SCA BB Reference Guide
+
-
|-
+
-
| scBlockRdrCount
+
-
| 32846
+
-
| 4
+
-
| Total number of blocked flows reported so far (from the beginning of the current time frame).
+
-
|-
+
-
| scRedirected
+
-
| 32847
+
-
| 1
+
-
| Indicates whether the flow has been redirected after being blocked.
+
-
0—Not redirected
+
-
1—Redirected
+
-
|-
+
-
| RESERVED
+
-
| 32848 to 32999
+
-
| N/A
+
-
| Reserved for SCE
+
-
|}
+
-
 
+
-
<br>
+
-
<br>
+
-
 
+
-
== Performance Routing ==
+
-
 
+
-
<br>
+
-
 
+
-
Refer to: [[NetFlow:PfR | Performance Routing NetFlow]] for information regarding the use of the fields.
+
-
 
+
-
<br>
+
-
 
+
-
{| width="800" border="1" cellpadding="1" cellspacing="1"
+
-
|-
+
-
! scope="col" bgcolor="#FFE0C8" | Field Type
+
-
! scope="col" bgcolor="#FFE0C8" | Value
+
-
! scope="col" bgcolor="#FFE0C8" | Len (bytes)
+
-
! scope="col" bgcolor="#FFE0C8" | Description
+
-
|-
+
-
| IPV4_BR_ADDR
+
-
| 39000
+
-
| 4
+
-
| IPv4 border router (BR) address
+
-
|-
+
-
| PFR_STATUS
+
-
| 39001
+
-
| 2
+
-
| state code (state_type: 1 Byte, state_subtype: 1 Byte)
+
-
|-
+
-
| REASON_ID
+
-
| 39002
+
-
| 4
+
-
| reason ID
+
-
|-
+
-
| Threshold
+
-
| 39003
+
-
| 4
+
-
| policy threshold to which PfR thinks In-Policy
+
-
|-
+
-
| Priority
+
-
| 39004
+
-
| 2
+
-
| policy priority settings.
+
-
|-
+
-
| LongTermRTT
+
-
| 39006
+
-
| 4
+
-
| average round-trip-time for long-term period
+
-
|-
+
-
| BelowMOSPercentage
+
-
| 39007
+
-
| 4
+
-
| average percentage value below the MOS threshold
+
-
|-
+
-
| RSVPBandWidthPool
+
-
| 39008
+
-
| 8
+
-
| bandwidth pool reserved by RSVP
+
-
|-
+
-
| RollupCounter
+
-
| 39009
+
-
| 2
+
-
| rollup counter which is expired when it becomes zero.
+
-
|-
+
-
| BandWidthPercentage
+
-
| 39010
+
-
| 2
+
-
| bandwidth percentage against the maximum bandwidth
+
-
|-
+
-
| BandWidthFee
+
-
| 39011
+
-
| 4
+
-
| fee for a specific bandwidth
+
-
|-
+
-
| L4_SRC_PORT_MIN
+
-
| 39012
+
-
| 2
+
-
| TCP/UDP source minimum port number
+
-
|-
+
-
| L4_SRC_PORT_MAX
+
-
| 39013
+
-
| 2
+
-
| TCP/UDP source maximum port number (we will request a standard number to IANA later)
+
-
|-
+
-
| L4_DST_PORT_MIN
+
-
| 39014
+
-
| 2
+
-
| TCP/UDP destination minimum port number (we will request a standard number to IANA later)
+
-
|-
+
-
| L4_DST_PORT_MAX
+
-
| 39015
+
-
| 2
+
-
| TCP/UDP destination maximum port number (we will request a standard number to IANA later)
+
-
|-
+
-
| CAPACITY
+
-
| 39016
+
-
| 8
+
-
| Link capacity – egress link capacity (kbps)
+
-
|-
+
-
| INGRESS_BW
+
-
| 39017
+
-
| 8
+
-
| Current ingress bandwidth (kbps)
+
-
|-
+
-
| MAX_INGRESS_BW
+
-
| 39018
+
-
| 8
+
-
| Max ingress bandwidth (kbps)
+
-
|-
+
-
| EGRESS_BW
+
-
| 39019
+
-
| 8
+
-
| Current egress bandwidth (kbps)
+
-
|-
+
-
| MAX_EGRESS_BW
+
-
| 39020
+
-
| 8
+
-
| Max egress bandwidth (kbps)
+
-
|-
+
-
| INGRESS_ROLLUP_BW
+
-
| 39021
+
-
| 8
+
-
| Ingress rollup bandwidth (kbps)
+
-
|-
+
-
| EGRESS_ROLLUP_BW
+
-
| 39022
+
-
| 8
+
-
| Egress rollup bandwidth (kbps)
+
-
|-
+
-
| KTH_ROLLUP_BW
+
-
| 39023
+
-
| 8
+
-
|-
+
-
| LINK_GROUP_NAME
+
-
| 39024
+
-
| 48
+
-
| Link group name assigned to an external interface in the MC configuration
+
-
|-
+
-
| BGP_COMMUNITY
+
-
| 39025
+
-
| 4
+
-
| Used for ingress load-balancing using BGP
+
-
|-
+
-
| BGP_PREPEND
+
-
| 39026
+
-
| 1
+
-
| Used for ingress load-balancing using BGP
+
-
|-
+
-
| ENTRANCE_DOWNGRADE
+
-
| 39027
+
-
|
+
-
|
+
-
|-
+
-
| DISCARD_ROLLUP_COUNT
+
-
| 39028
+
-
| 2
+
-
|
+
-
|-
+
-
|}
+
-
 
+
-
<br>
+
-
<br>
+
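Review bot: the removal of the `= Summary =`, `= Fields 1-128 (Specific to Cisco) =`, `== Service Control Solution ==` and `== Performance Routing ==` sections leaves `*[[NetFlow:IDs|NetFlow Element IDs]]` as the only pointer to the element ID reference, and nothing in this diff shows the tables arriving on that child page. Confirm that they exist there before this revision stands, since the numeric IDs and lengths are what a collector needs to decode NetFlow v9 templates, including the `scAttack*` fields (32819 to 32827). If the content was moved, the defects visible in the removed rows should be fixed at the destination rather than carried over: the `!!!!!!!!! DRAFT !!!!!!!!!!!!` banner; `BPG_IPV6_NEXT_HOP` (63), which looks like a misspelling of BGP; the `FLOW_SAMPLER_MODE` (49) description, which tells the reader to use it in connection with itself; `scSkipppedSessions` (32778); the `LINK_ID (was: scLinkId) 32810` row, where the value is fused into the name cell; the `scSessionId` (32834) description lines, which lack the leading `|`; `KTH_ROLLUP_BW` (39023), `ENTRANCE_DOWNGRADE` (39027) and `DISCARD_ROLLUP_COUNT` (39028), which have missing or empty cells; and the `?` lengths on 92, 93 and 102 to 110. The heading "Fields 1-128" also disagrees with the summary bullet "IDs <128" and the reserved range "112 - 127" about whether ID 128 belongs to the Cisco-specific block.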

Revision as of 23:26, 28 February 2013



NetFlow Home Page
Welcome to NetFlow DocWiki.

Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based planning, monitoring and billing.



NetFlow Child Pages


