NetFlow

From DocWiki

Revision as of 09:43, 19 June 2012 by Jbarozet (Talk | contribs)
Jump to: navigation, search



NetFlow Home Page
Welcome to NetFlow DocWiki.

Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based, planning, monitoring and billing.




!!!!!!!!! DRAFT !!!!!!!!!!!!



Contents





NetFlow DocWiki Navigation



Summary

  • IDs <128 : specific to Cisco and NetFlow v9
  • IDs Range 128 - 32767 : allocated by IANA for IPFIX, in NetFlow v9 for parity
  • IDs > 32768 : IPFIX Enterprise Specific



Fields 1-128 (Specific to Cisco)



Field Type Value Len (bytes) Description
IN_BYTES 1 N (default is 8) Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow.
IN_PKTS 2 N (default is 8) Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow
FLOWS 3 N Number of flows that were aggregated; default for N is 4
PROTOCOL 4 1 IP protocol byte
SRC_TOS 5 1 Type of Service byte setting when entering incoming interface
TCP_FLAGS 6 1 Cumulative of all the TCP flags seen for this flow
L4_SRC_PORT 7 2 TCP/UDP source port number e.g. FTP, Telnet, or equivalent
IPV4_SRC_ADDR 8 4 IPv4 source address
SRC_MASK 9 1 The number of contiguous bits in the source address subnet mask i.e. the submask in slash notation
INPUT_SNMP 10 N Input interface index; default for N is 4 but higher values could be used
L4_DST_PORT 11 2 TCP/UDP destination port number e.g. FTP, Telnet, or equivalent
IPV4_DST_ADDR 12 4 IPv4 destination address
DST_MASK 13 1 The number of contiguous bits in the destination address subnet mask i.e. the submask in slash notation
OUTPUT_SNMP 14 N Output interface index; default for N is 4 but higher values could be used
IPV4_NEXT_HOP 15 4 IPv4 address of next-hop router
SRC_AS 16 N (default is 2) Source BGP autonomous system number where N could be 2 or 4
DST_AS 17 N (default is 2) Destination BGP autonomous system number where N could be 2 or 4
BGP_IPV4_NEXT_HOP 18 4 Next-hop router's IP in the BGP domain
MUL_DST_PKTS 19 N (default is 8) IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow
MUL_DST_BYTES 20 N (default is 8) IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow
LAST_SWITCHED 21 4 System uptime at which the last packet of this flow was switched
FIRST_SWITCHED 22 4 System uptime at which the first packet of this flow was switched
OUT_BYTES 23 N (default is 8) Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow
OUT_PKTS 24 N (default is 8) Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow.
MIN_PKT_LNGTH 25 4 Minimum IP packet length on incoming packets of the flow
MAX_PKT_LNGTH 26 4 Maximum IP packet length on incoming packets of the flow
IPV6_SRC_ADDR 27 16 IPv6 Source Address
IPV6_DST_ADDR 28 16 IPv6 Destination Address
IPV6_SRC_MASK 29 1 Length of the IPv6 source mask in contiguous bits
IPV6_DST_MASK 30 1 Length of the IPv6 destination mask in contiguous bits
IPV6_FLOW_LABEL 31 4 IPv6 flow label as per RFC 2460 definition
ICMP_TYPE_CODE 32 2 Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code)
MUL_IGMP_TYPE 33 1 Internet Group Management Protocol (IGMP) packet type
SAMPLING_INTERVAL 34 4 When using sampled NetFlow, the rate at which packets are sampled e.g. a value of 100 indicates that one of every 100 packets is sampled
SAMPLING_ALGORITHM 35 1 The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling ,0x02 Random Sampling
FLOW_ACTIVE_TIMEOUT 36 2 Timeout value (in seconds) for active flow entries in the NetFlow cache
FLOW_INACTIVE_TIMEOUT 37 2 Timeout value (in seconds) for inactive flow entries in the NetFlow cache
ENGINE_TYPE 38 1 Type of flow switching engine: RP = 0, VIP/Linecard = 1
ENGINE_ID 39 1 ID number of the flow switching engine
TOTAL_BYTES_EXP 40 N (default is 8) Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain
TOTAL_PKTS_EXP 41 N (default is 8) Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain
TOTAL_FLOWS_EXP 42 N (default is 8) Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain
IPV4_ROUTER_SC 43 4 The router shortcut address i.e. address of router bypassed by a switch (specific for Catalyst architecture)
IPV4_SRC_PREFIX 44 4 IPv4 source address prefix (specific for Catalyst architecture)
IPV4_DST_PREFIX 45 4 IPv4 destination address prefix (specific for Catalyst architecture)
MPLS_TOP_LABEL_TYPE 46 1 MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP
MPLS_TOP_LABEL_IP_ADDR 47 4 Forwarding Equivalent Class corresponding to the MPLS Top Label
FLOW_SAMPLER_ID 48 1 Identifier shown in "show flow-sampler"
FLOW_SAMPLER_MODE 49 1 The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE
FLOW_SAMPLER_RANDOM_INTERVAL 50 4 Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE
MIN_TTL 52 1 Minimum TTL on incoming packets of the flow
MAX_TTL 53 1 Maximum TTL on incoming packets of the flow
IPV4_IDENT 54 4 The IPv4 identification field
DST_TOS 55 1 Type of Service byte setting when exiting outgoing interface
IN_SRC_MAC 56 6 Incoming source MAC address
OUT_DST_MAC 57 6 Outgoing destination MAC address
SRC_VLAN 58 2 Virtual LAN identifier associated with ingress interface
DST_VLAN 59 2 Virtual LAN identifier associated with egress interface
IP_PROTOCOL_VERSION 60 1 Internet Protocol Version Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed.
DIRECTION 61 1 Flow direction: 0 - ingress flow, 1 - egress flow
IPV6_NEXT_HOP 62 16 IPv6 address of the next-hop router
BPG_IPV6_NEXT_HOP 63 16 Next-hop router in the BGP domain
IPV6_OPTION_HEADERS 64 4 Bit-encoded field identifying IPv6 option headers found in the flow
MPLS_LABEL_1 70 3 MPLS label at position 1 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_2 71 3 MPLS label at position 2 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_3 72 3 MPLS label at position 3 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_4 73 3 MPLS label at position 4 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_5 74 3 MPLS label at position 5 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_6 75 3 MPLS label at position 6 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_7 76 3 MPLS label at position 7 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_8 77 3 MPLS label at position 8 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_9 78 3 MPLS label at position 9 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_10 79 3 MPLS label at position 10 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
IN_DST_MAC 80 6 Incoming destination MAC address
OUT_SRC_MAC 81 6 Outgoing source MAC address
IF_NAME 82 N (default specified in template) Shortened interface name e.g. "FE1/0"
IF_DESC 83 N (default specified in template) Full interface name e.g. "'FastEthernet 1/0"
SAMPLER_NAME 84 N (default specified in template) Name of the flow sampler
IN_PERMANENT_BYTES 85 N (default is 8) Running byte counter for a permanent flow
IN_PERMANENT_PKTS 86 N (default is 8) Running packet counter for a permanent flow
FRAGMENT_OFFSET 88 2 The fragment-offset value from fragmented IP packets
FORWARDING STATUS 89 1 Forwarding status. See note below.
MPLS_PAL_RD 90 8 MPLS PAL Route Distinguisher.
MPLS_PREFIX_LEN 91 1 Number of consecutive bits in the MPLS prefix length.
SRC_TRAFFIC_INDEX 92  ?  ?
DST_TRAFFIC_INDEX 93  ?  ?
APP_DESCRIPTION 94 N Application description.
CLASSIFICATION TAG 95 1 + n 8 bits of engine ID, followed by n bits of classification.
CLASSIFICATION NAME 96 N Name associated with a classification.
postipDiffServCodePoint 98 1 The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services Field, after modification.
replication factor 99 4 Multicast replication factor.
layer2packetSectionOffset 102  ? Layer 2 packet section offset. Potentially a generic offset.
layer2packetSectionSize 103  ? Layer 2 packet section size. Potentially a generic size.
layer2packetSectionData 104  ? Layer 2 packet section data.
subApplicationName 109  ? Name of a sub app. See #109.
subApplicationDescr 110  ? Descr of a sub app. See #109.
rangeEnd 111 8 Range end for describing the parameters needed to interpret a field.
Reserved 112 - 127  ? Reserved for future use by Cisco



Fields > 32768 (Enterprise Specific Fields)


The values of the fields listed below are set for compatibility with IPFIX Enterprise Specific numbering. The IPFIX enterprise specific field encoding includes 1 Enterprise Specific bit + 15 bits of identifier, for simplicity we can consider this as a single 16 bit ID starting with 0x8001 or 32769.




General



Performance Routing


Refer to: Performance Routing NetFlow for information regarding the use of the fields.


Field Type Value Len (bytes) Description
IPV4_BR_ADDR 39000 4 IPv4 border router (BR) address
PFR_STATUS 39001 2 state code (state_type: 1 Byte, state_subtype: 1 Byte)
REASON_ID 39002 4 reason ID
Threshold 39003 4 policy threshold to which PfR thinks In-Policy
Priority 39004 2 policy priority settings.
LongTermRTT 39006 4 average round-trip-time for long-term period
BelowMOSPercentage 39007 4 average percentage value below the MOS threshold
RSVPBandWidthPool 39008 8 bandwidth pool reserved by RSVP
RollupCounter 39009 2 rollup counter which is expired when it becomes zero.
BandWidthPercentage 39010 2 bandwidth percentage against the maximum bandwidth
BandWidthFee 39011 4 fee for a specific bandwidth
L4_SRC_PORT_MIN 39012 2 TCP/UDP source minimum port number
L4_SRC_PORT_MAX 39013 2 TCP/UDP source maximum port number (we will request a standard number to IANA later)
L4_DST_PORT_MIN 39014 2 TCP/UDP destination minimum port number (we will request a standard number to IANA later)
L4_DST_PORT_MAX 39015 2 TCP/UDP destination maximum port number (we will request a standard number to IANA later)
CAPACITY 39016 8 Link capacity – egress link capacity (kbps)
INGRESS_BW 39017 8 Current ingress bandwidth (kbps)
MAX_INGRESS_BW 39018 8 Max ingress bandwidth (kbps)
EGRESS_BW 39019 8 Current egress bandwidth (kbps)
MAX_EGRESS_BW 39020 8 Max egress bandwidth (kbps)
INGRESS_ROLLUP_BW 39021 8 Ingress rollup bandwidth (kbps)
EGRESS_ROLLUP_BW 39022 8 Egress rollup bandwidth (kbps)
KTH_ROLLUP_BW 39023 8
LINK_GROUP_NAME 39024 48 Link group name assigned to an external interface in the MC configuration
BGP_COMMUNITY 39025 4 Used for ingress load-balancing using BGP
BGP_PREPEND 39026 1 Used for ingress load-balancing using BGP
ENTRANCE_DOWNGRADE 39027
DISCARD_ROLLUP_COUNT 39028 2



Rating: 0.0/5 (0 votes cast)

Personal tools