NetFlow

From DocWiki

Revision as of 09:42, 2 July 2012 by Jbarozet (Talk | contribs)



NetFlow Home Page
Welcome to NetFlow DocWiki.

Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based planning, monitoring and billing.




!!!!!!!!! DRAFT !!!!!!!!!!!!






Summary

  • IDs <128 : specific to Cisco and NetFlow v9
  • IDs Range 128 - 32767 : allocated by IANA for IPFIX, in NetFlow v9 for parity
  • IDs > 32768 : IPFIX Enterprise Specific



Fields 1-128 (Specific to Cisco)



Also see: IPFIX Information Elements.



Field Type Value Data Type Description Semantics Status
IN_BYTES 1 unsigned64 Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow. (Default N=8) current
IN_PKTS 2 unsigned64 Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow. (Default N=8) current
FLOWS 3 unsigned32 [TBD] Number of flows that were aggregated. (Default 4 bytes). current
PROTOCOL 4 unsigned8 IP protocol byte current
SRC_TOS 5 unsigned8 Type of Service byte setting when entering incoming interface current
TCP_FLAGS 6 unsigned8 Cumulative of all the TCP flags seen for this flow current
L4_SRC_PORT 7 unsigned16 TCP/UDP source port number e.g. FTP, Telnet, or equivalent current
IPV4_SRC_ADDR 8 ipv4Address IPv4 source address current
SRC_MASK 9 unsigned8 The number of contiguous bits in the source address subnet mask i.e. the submask in slash notation current
INPUT_SNMP 10 unsigned32 Input interface index; default is 4 bytes but higher values could be used current
L4_DST_PORT 11 unsigned16 TCP/UDP destination port number e.g. FTP, Telnet, or equivalent current
IPV4_DST_ADDR 12 ipv4Address IPv4 destination address current
DST_MASK 13 unsigned8 The number of contiguous bits in the destination address subnet mask i.e. the submask in slash notation current
OUTPUT_SNMP 14 unsigned32 Output interface index; default is 4 bytes but higher values could be used current
IPV4_NEXT_HOP 15 ipv4Address IPv4 address of next-hop router current
SRC_AS 16 unsigned16 Source BGP autonomous system number where length could be 2 or 4 current
DST_AS 17 unsigned16 Destination BGP autonomous system number where length could be 2 or 4 current
BGP_IPV4_NEXT_HOP 18 ipv4Address Next-hop router's IP in the BGP domain current
MUL_DST_PKTS 19 unsigned64 IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow current
MUL_DST_BYTES 20 unsigned64 IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow current
LAST_SWITCHED 21 unsigned32 System uptime at which the last packet of this flow was switched current
FIRST_SWITCHED 22 unsigned32 System uptime at which the first packet of this flow was switched current
OUT_BYTES 23 unsigned64 Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow current
OUT_PKTS 24 unsigned64 Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow. current
MIN_PKT_LNGTH 25 unsigned64 Minimum IP packet length on incoming packets of the flow current
MAX_PKT_LNGTH 26 unsigned64 Maximum IP packet length on incoming packets of the flow current
IPV6_SRC_ADDR 27 ipv6Address IPv6 Source Address current
IPV6_DST_ADDR 28 ipv6Address IPv6 Destination Address current
IPV6_SRC_MASK 29 unsigned8 Length of the IPv6 source mask in contiguous bits current
IPV6_DST_MASK 30 unsigned8 Length of the IPv6 destination mask in contiguous bits current
IPV6_FLOW_LABEL 31 unsigned32 IPv6 flow label as per RFC 2460 definition current
ICMP_TYPE_CODE 32 unsigned16 Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code) current
MUL_IGMP_TYPE 33 unsigned8 Internet Group Management Protocol (IGMP) packet type current
SAMPLING_INTERVAL 34 unsigned32 When using sampled NetFlow, the rate at which packets are sampled e.g. a value of 100 indicates that one of every 100 packets is sampled current
SAMPLING_ALGORITHM 35 unsigned8 The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling current
FLOW_ACTIVE_TIMEOUT 36 unsigned16 Timeout value (in seconds) for active flow entries in the NetFlow cache current
FLOW_INACTIVE_TIMEOUT 37 unsigned16 Timeout value (in seconds) for inactive flow entries in the NetFlow cache current
ENGINE_TYPE 38 unsigned8 Type of flow switching engine: RP = 0, VIP/Linecard = 1 current
ENGINE_ID 39 unsigned8 ID number of the flow switching engine current
TOTAL_BYTES_EXP 40 unsigned64 Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain current
TOTAL_PKTS_EXP 41 unsigned64 Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain current
TOTAL_FLOWS_EXP 42 unsigned64 Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain current
IPV4_ROUTER_SC 43 ipv4Address The router shortcut address i.e. address of router bypassed by a switch (specific for Catalyst architecture) current
IPV4_SRC_PREFIX 44 ipv4Address IPv4 source address prefix. This is a platform-specific field for Catalyst 5000/Catalyst 6000 family. It is used to store the address of a router that is being shortcut when performing MultiLayer Switching. current
IPV4_DST_PREFIX 45 ipv4Address IPv4 destination address prefix. (specific for Catalyst architecture). current
MPLS_TOP_LABEL_TYPE 46 unsigned8 MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP current
MPLS_TOP_LABEL_IP_ADDR 47 ipv4Address Forwarding Equivalent Class corresponding to the MPLS Top Label current
FLOW_SAMPLER_ID 48 unsigned8 Identifier shown in "show flow-sampler" current
FLOW_SAMPLER_MODE 49 unsigned8 The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE current
FLOW_SAMPLER_RANDOM_INTERVAL 50 unsigned32 Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE current
classId 51 unsigned8 Deprecated in favour of 302 selectorId. Characterizes the traffic class, i.e. QoS treatment. current (aspirational: deprecated)
MIN_TTL 52 unsigned8 Minimum TTL on incoming packets of the flow current
MAX_TTL 53 unsigned8 Maximum TTL on incoming packets of the flow current
IPV4_IDENT 54 ipv4Address The IPv4 identification field current
DST_TOS 55 unsigned8 Type of Service byte setting when exiting outgoing interface current
IN_SRC_MAC 56 macAddress Incoming source MAC address current
OUT_DST_MAC 57 macAddress Outgoing destination MAC address current
SRC_VLAN 58 unsigned16 Virtual LAN identifier associated with ingress interface current
DST_VLAN 59 unsigned16 Virtual LAN identifier associated with egress interface current
IP_PROTOCOL_VERSION 60 unsigned8 Internet Protocol Version Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed. current
DIRECTION 61 unsigned8 Flow direction: 0 - ingress flow, 1 - egress flow current
IPV6_NEXT_HOP 62 ipv6Address IPv6 address of the next-hop router current
BPG_IPV6_NEXT_HOP 63 ipv6Address Next-hop router in the BGP domain current
IPV6_OPTION_HEADERS 64 unsigned32 Bit-encoded field identifying IPv6 option headers found in the flow current
PACKET_LOSS 65 unsigned32 OER: Packet loss can be estimated by tracking the highest TCP sequence number detected for a TCP flow current
UNREACHABILITY 66 unsigned32 OER: Number of unsuccessful TCP connection attempts/flows for a prefix. TCP SYN timeout is used to track unreachability of a host. current
LATENCY, DELAY_SUM 67 unsigned32 OER: Average delay for TCP flows within a prefix. Latency is the time between TCP SYN and TCP ACK. Notice that the TCP SYN and TCP ACK both flow in the same direction. current
DATA_POINTS 68 unsigned32 OER: Number of delay samples collected for a prefix. This is used for calculating average delay to reach a prefix. current
VARIANCE [TBD - Check this one - In tNF, this field is named "NF_V9_FIELD_OER_APPL_ID". In FNF, it's "FLOW_FIELD_VARIANCE".] 69 N OER: Delay variance. Reserved field for second phase of OER current
MPLS_LABEL_1 70 unsigned24 MPLS label at position 1 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_2 71 unsigned24 MPLS label at position 2 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_3 72 unsigned24 MPLS label at position 3 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_4 73 unsigned24 MPLS label at position 4 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_5 74 unsigned24 MPLS label at position 5 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_6 75 unsigned24 MPLS label at position 6 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_7 76 unsigned24 MPLS label at position 7 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_8 77 unsigned24 MPLS label at position 8 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_9 78 unsigned24 MPLS label at position 9 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
MPLS_LABEL_10 79 unsigned24 MPLS label at position 10 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. current
IN_DST_MAC 80 macAddress Incoming destination MAC address current
OUT_SRC_MAC 81 macAddress Outgoing source MAC address current
IF_NAME 82 string Shortened interface name e.g. "FE1/0". (Default length specified in template) current
IF_DESC 83 string Full interface name e.g. "FastEthernet 1/0". (Default length specified in template) current
SAMPLER_NAME 84 string Name of the flow sampler current
IN_PERMANENT_BYTES 85 unsigned64 Running byte counter for a permanent flow current
IN_PERMANENT_PKTS 86 unsigned64 Running packet counter for a permanent flow current
FRAGMENT_OFFSET 88 unsigned16 The fragment-offset value from fragmented IP packets current
FORWARDING STATUS 89 unsigned8 Forwarding status. [TBD] current
MPLS_PAL_RD 90 octetArray MPLS PAL Route Distinguisher. current
MPLS_PREFIX_LEN 91 unsigned8 Number of consecutive bits in the MPLS prefix length. current
SRC_TRAFFIC_INDEX 92 unsigned32 BGP Policy Accounting Source Traffic Index. current
DST_TRAFFIC_INDEX 93 unsigned32 BGP Policy Accounting Destination Traffic Index current
applicationDescription 94 string Application description. current
applicationId 95 octetArray
 1. 8 bits of Classification Engine ID. The Classification Engine can be considered as a specific registry for application assignments.
 2. m bits of Selector ID. The Selector ID length varies depending on the Classification Engine ID.

Classification Engine ID: A unique identifier for the engine which determined the Selector ID. Thus the Classification Engine ID defines the context for the Selector ID.

Selector ID: A unique identifier of the application for a specific Classification Engine ID. Note that the Selector ID length varies depending on the Classification Engine ID.

The Selector ID term is in sync with the selectorId Information Element, specified in the PSAMP Protocol

Example: PfR

  • 1 byte: Classification Engine Id = 17
  • 1 byte: Type
    • Passive Update (1)
    • Passive Performance (2)
    • Active Update (3)
    • Active Performance (4)
    • Traffic Class Event (5)
  • 4 bytes: Traffic Class Identifier

identifier current
applicationName 96 string Specifies the name of an application (Not currently used by NBAR). current
postipDiffServCodePoint 98 unsigned8 The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services Field, after modification. current
replication factor 99 unsigned32 Multicast replication factor. current
className 100 string Deprecated in favor of 335 selectorName. Traffic Class Name, associated with the classId Information Element. deprecated
classificationEngineId 101 unsigned8 A unique identifier for the engine which determined the Selector ID. Thus the Classification Engine ID defines the context for the Selector ID. The Classification Engine can be considered as a specific registry for application assignments. identifier current
layer2packetSectionOffset 102 unsigned16 Layer 2 packet section offset. Potentially a generic offset. quantity current
layer2packetSectionSize 103 unsigned16 Layer 2 packet section size. Potentially a generic size. quantity current
layer2packetSectionData 104 octetArray Layer 2 packet section data. current
subApplicationName 109 string [TBD] Name of a sub app. See #109. current
subApplicationDescr 110 string [TBD] Descr of a sub app. See #109. current
rangeEnd 111 unsigned64 Range end for describing the parameters needed to interpret a field. current
Reserved 112 - 127  ? Reserved for future use by Cisco
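
Several entries in the table above pack more than one value into a single field (TCP_FLAGS, ICMP_TYPE_CODE, MPLS_LABEL_n, applicationId). The following is an added example, not part of the original page or of any Cisco code, that decodes them as the descriptions state. The function names, the TCP flag bit positions (taken from the standard TCP header) and the sample bytes in the comments are assumptions constructed for illustration.

```python
import struct

# Standard TCP header flag bits (assumption: not listed on the page).
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# PfR layout from the applicationId entry: engine ID 17, 1-byte type,
# 4-byte Traffic Class Identifier.
PFR_ENGINE_ID = 17
PFR_TYPES = {1: "Passive Update", 2: "Passive Performance",
             3: "Active Update", 4: "Active Performance",
             5: "Traffic Class Event"}


def decode_tcp_flags(value):
    """TCP_FLAGS (6): cumulative OR of all TCP flags seen for the flow."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def decode_icmp_type_code(value):
    """ICMP_TYPE_CODE (32): reported as (ICMP type * 256) + ICMP code."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("ICMP_TYPE_CODE is a 16-bit value")
    return divmod(value, 256)  # (type, code)


def decode_mpls_label(raw):
    """MPLS_LABEL_n (70-79): 20-bit label, 3 EXP bits, 1 S bit in 3 bytes."""
    if len(raw) != 3:
        raise ValueError("MPLS label field must be exactly 3 bytes")
    v = int.from_bytes(raw, "big")
    return {"label": v >> 4, "exp": (v >> 1) & 0x7,
            "bottom_of_stack": bool(v & 1)}


def decode_application_id(raw):
    """applicationId (95): 1-byte Classification Engine ID + Selector ID."""
    if len(raw) < 1:
        raise ValueError("applicationId needs a Classification Engine ID")
    engine_id, selector = raw[0], raw[1:]
    out = {"engine_id": engine_id, "selector_id": selector.hex()}
    if engine_id == PFR_ENGINE_ID:
        # The selector length depends on the engine; PfR uses 1 + 4 bytes.
        if len(selector) != 5:
            raise ValueError("PfR selector must be 1-byte type + 4-byte ID")
        ptype, tc_id = struct.unpack("!BI", selector)
        out["pfr"] = {"type": PFR_TYPES.get(ptype, "unknown(%d)" % ptype),
                      "traffic_class_id": tc_id}
    return out


def decode_field(field_id, raw):
    """Dispatch on the field type value; other fields are returned as hex."""
    if field_id == 6:
        return decode_tcp_flags(int.from_bytes(raw, "big"))
    if field_id == 32:
        return decode_icmp_type_code(int.from_bytes(raw, "big"))
    if 70 <= field_id <= 79:
        return decode_mpls_label(raw)
    if field_id == 95:
        return decode_application_id(raw)
    return raw.hex()


if __name__ == "__main__":
    # Constructed sample values, not taken from a real export.
    print(decode_field(6, b"\x1b"))
    print(decode_field(32, b"\x03\x01"))
    print(decode_field(70, bytes.fromhex("00010b")))
    print(decode_field(95, bytes.fromhex("11020000002a")))
```
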



Fields > 32768 (Enterprise Specific Fields)


The values of the fields listed below are set for compatibility with IPFIX Enterprise Specific numbering.

There's a difference between NFv9 and IPFIX IDs. IPFIX fields consist of an E (Enterprise) bit, followed by a 15-bit ID. If the topmost bit (the E bit) is set, the field ID is enterprise-specific rather than IANA standard.

FNF treats this as a single 16-bit field ID.

Example:

  • "waas optimization segment" = IPFIX ID 9252 + enterprise ID 9 -> so the E bit is set.
  • So in NFv9, this is 0x8000 + 9252 = 42020.

Although it looks different, it's exactly the same bits.

For simplicity we can consider this as a single 16 bit ID starting with 0x8001 or 32769.
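
The mapping described above, as an added example that is not part of the original page or of any Cisco code: it parses NetFlow v9 template fields (2-byte type, 2-byte length) and IPFIX field specifiers (E bit plus 15-bit ID, 2-byte length, and a 4-byte enterprise number when E is set) and shows that both yield the same 16-bit ID. Function names and the sample template bytes are assumptions constructed for illustration.

```python
import struct

E_BIT = 0x8000  # topmost bit of the 16-bit field ID


def classify_nfv9_id(field_id):
    """Place a 16-bit field ID in the ranges given in the page's Summary."""
    if not 0 <= field_id <= 0xFFFF:
        raise ValueError("not a 16-bit field ID: %r" % field_id)
    if field_id == 0:
        return "reserved"
    if field_id < 128:
        return "cisco-nfv9"
    if field_id <= 32767:
        return "iana-ipfix"
    if field_id == E_BIT:
        return "undefined"  # the page starts enterprise IDs at 0x8001
    return "enterprise-specific"


def parse_nfv9_fields(buf, count):
    """Parse `count` NetFlow v9 template fields: 2-byte type, 2-byte length."""
    if len(buf) < 4 * count:
        raise ValueError("truncated NetFlow v9 template")
    fields = []
    for i in range(count):
        ftype, flen = struct.unpack_from("!HH", buf, 4 * i)
        fields.append({"nfv9_id": ftype, "length": flen,
                       "range": classify_nfv9_id(ftype)})
    return fields


def parse_ipfix_fields(buf, count):
    """Parse `count` IPFIX field specifiers; the enterprise number is only
    present on the wire when the E bit is set."""
    fields, off = [], 0
    for _ in range(count):
        if len(buf) - off < 4:
            raise ValueError("truncated IPFIX field specifier")
        raw_id, flen = struct.unpack_from("!HH", buf, off)
        off += 4
        enterprise = None
        if raw_id & E_BIT:
            if len(buf) - off < 4:
                raise ValueError("E bit set but enterprise number missing")
            (enterprise,) = struct.unpack_from("!I", buf, off)
            off += 4
        fields.append({"element_id": raw_id & 0x7FFF,
                       "enterprise": enterprise,
                       "length": flen,
                       "nfv9_id": raw_id,  # same 16 bits, read as one ID
                       "range": classify_nfv9_id(raw_id)})
    return fields


# Constructed sample templates: IPV4_SRC_ADDR (8) followed by the page's
# example, IPFIX ID 9252 with enterprise ID 9 (NFv9 ID 42020).
SAMPLE_IPFIX = (struct.pack("!HH", 8, 4)
                + struct.pack("!HHI", E_BIT | 9252, 1, 9))
SAMPLE_NFV9 = struct.pack("!HH", 8, 4) + struct.pack("!HH", 42020, 1)

if __name__ == "__main__":
    for field in parse_ipfix_fields(SAMPLE_IPFIX, 2):
        print("IPFIX", field)
    for field in parse_nfv9_fields(SAMPLE_NFV9, 2):
        print("NFv9 ", field)
```
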



Service Control Solution


Field Type Value Len (bytes) Description
scTag 32769 4 A globally unique value which identifies the type of reporting record.
scTrafficProcessorId 32770 1 Indicates which processing unit generated reporting record. Used for debug/troubleshooting.
scSourceIpSample 32771 1 The last byte of the source IP of the network flow for which the application generated the report.
scDestinationIpSample 32772 1 The last byte of the destination IP of the network flow for which the application generated the report.
scFlowContextId 32773 4 The Flow context ID that the current flow is related to. Used for debug/troubleshooting.
scSubscriberId 32774 64 The subscriber identification string, introduced through the subscriber management interfaces. For unknown subscriber this field may contain an empty string. The string may be padded with 0.
POLICY+id (was: scPackageId) 32775 2 A numeric value used as an Identifier for the policy profile assigned to the reported entity. (was: “The ID of the policy package/profile assigned to the subscriber”.)
scServiceId 32776 4 Indicates the service classification of the reported session
scProtocolId 32777 2 This field contains the unique ID of the protocol associated with the reported session. For port-based protocols (for example, TCP port 666 for DOOM) and IP-protocol-based protocols (for example, IP protocol 1 for ICMP), the PROTOCOL_ID will be the TCP_GENERIC / UDP_GENERIC/ IP_PROTOCOL value, according to the specific base protocol of the transaction. For possible values see SCAS-BB Reference Guide.
scSkipppedSessions 32778 4 The number of unreported sessions since the previous reporting record of this kind
scInitiatingSide 32779 1 On which side of the SCE platform the initiator of the transaction resides: the subscriber side (0) or the network side (1).
scReportTime 32780 4 Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970.
scTransactionDurationMillisec 32781 4 Duration, in milliseconds, of the transaction reported in this reporting record.
scTimeFrame 32782 1 The system supports time-dependent policies, by using different rules for different time frames. This field indicates the time frame during which the reporting record was generated. The field’s value can be in the range 0 to 3, indicating which of the four possible time frames was used.
scSessionUpstreamVolume 32783 4 Upstream volume of the transaction, in bytes. The volume refers to the aggregated upstream volume on both links of all the flows bundled in the transaction.
scSessionDownstreamVolume 32784 4 Downstream volume of the transaction, in bytes. The volume refers to the aggregated downstream volume on both links of all the flows bundled in the transaction.
scProtocolSignature 32785 4 This field contains the ID of the protocol signature associated with this session. For possible values see SCAS-BB Reference Guide.
scZoneId 32786 4 This field contains the ID of the zone associated with this session
scFlavorId 32787 4 For protocol signatures that have flavors, this field contains the ID of the flavor associated with this session.
scFlowCloseMode 32788 1 The reason for the end of flow.
scAccessString 32789 128, 256, 512, 1024 A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include host name, server IP, server name, network name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide)
scInfoString 32790 128, 256, 512, 1024 A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include URL, sender, login name, group name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide)
scClientPort 32791 2 For TCP/UDP-based sessions, the port number of the client side (initiator) of the networking session. For non-TCP/UDP sessions, this field has the value zero (0).
scServerPort 32792 2 For TCP/UDP-based sessions, this field contains the destination port number of the networking session. For non-TCP/UDP sessions, this field contains the IP protocol number of the session flow.
scSubscriberCounterId 32793 2 Each service is mapped to a counter. There are 32 subscriber counters.
scServiceUsageCounterId 32794 2 Each service is mapped to a counter. There are 32 counters in the subscriber scope
scBreachState 32795 1 Indicates whether the subscriber's quota was breached: 0, if the quota was not breached and 1, if the quota was breached.
scReason 32796 1 Reason for generation of reporting record: 0-period time pass, 1-subscriber logout, 2 - package switch, 3 - wraparound, 4 - end of aggregation period
scConfiguredDuration 32797 4 Configured period, in seconds, between successive reporting records
scDuration 32798 4 Indicates the number of seconds that have passed since the previous reporting record of this type
scEndTime 32799 4 Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970
scUpstreamVolume 32800 4 Aggregated upstream volume on both links of all sessions, in kilobytes, for the current reporting period
scDownstreamVolume 32801 4 Aggregated downstream volume on both links of all sessions, in kilobytes, for the current reporting period.
scSessions 32802 2 Aggregated number of sessions for the reported service, for the current reporting period.
scSeconds 32803 2 Aggregated number of session seconds for the reported service, for the current reporting period.
scPackageCounterId 32804 2 Each package is mapped to a counter and this field contains ID of this counter
scGeneratorId 32805 1 A numeric value identifying the processor generating the reporting record.
scServiceGlobalCounterId 32806 2 Each service is mapped to a counter and this field contains ID of this counter
scConcurrentSessions 32807 4 Concurrent number of sessions using the reported service at this point in time.
scActiveSubscribers 32808 4 Concurrent number of subscribers using the reported service at this point in time.
scTotalActiveSubscribers 32809 4 Concurrent number of subscribers in the system at this point in time.
LINK_ID (was: scLinkId) 32810 1 A numeric value associated with the reported network link. (was: “Possible values are 0 and 1 (referring to physical links 1 and 2 respectively).”)
scVirtualLinkId 32811 2 A numeric value associated with the reported virtual network link. Possible values are TBD.
scVirtualLinkDirection 32812 1 A numeric value indicating the reported virtual network link direction.
scAggregationObjectId 32813 2 Externally assigned: 0 - offline subscriber, 1 - online subscriber. Used in Real Time Subscriber Usage RDR
scVendorId 32814 4 The ITU-U vendor ID of the application. A value of 0xFFFFFFFF indicates that this field was not found in the traffic.
scUpstreamPacketLoss 32815 2 The average fractional upstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened).
scDownstreamPacketLoss 32816 2 The average fractional downstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened).
RESERVED1 32817 N/A Reserved for SCE
RESERVED2 32818 N/A Reserved for SCE
scAttackId 32819 4 Unique attack ID.
scAttackIp 32820 4 The IP address related to this attack.
scAttackOtherIp 32821 4 The other IP address related to this attack if exists, 0xFFFFFFFF otherwise.
scAttackPortNumber 32822 2 The port number related to this attack, if such exists (if this is an IP scan, for example), or 0xFFFF otherwise in case the info is not relevant (certain types of attacks).
scAttackType 32823 4 Who attackIp belongs to: 0—Attacked, 1—Attacker
scAttackSide 32824 1 The IP address side: 0—Subscriber, 1—Network.
scAttackIpProtocol 32825 1 IP protocol type: 0—Other, 1—ICMP, 6—TCP, 17—UDP. For possible values see SCAS-BB Reference Guide.
scAttacks 32826 1 The number of attacks in the current reporting period. Since this report is generated per attack, the value is 0 or 1.
scAttackMaliciousSessions 32827 4 Aggregated number of sessions for the reported attack, for the current reporting period. If the SCE platform blocks the attack, this field takes the value 0xFFFFFFFF.
scUserAgent 32828 64 The user agent field extracted from the HTTP transaction.
scHttpUrl 32829 64 The URL extracted from the HTTP transaction.
scSipDomain 32830 64 SIP: Domain name extracted from SIP header.
scSipUserAgent 32831 64 SIP: User-Agent field extracted from SIP header.
scFlowStart 32832 4 Flow start time.
scFlowType 32833 1 0—All Skype flows, 1—Audio (SIP), 2—Video (SIP)
scSessionId 32834 4 SIP: The flow-context ID of the control flow. Skype: The flow-context ID of the flow.
scUpstreamJitter 32835 4 SIP: The average upstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing. Skype: N/A (0xFFFFFFFF).
scDownstreamJitter 32836 4 SIP: The average downstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing. Skype: N/A (0xFFFFFFFF).
scUpstreamPayloadType 32837 1 SIP: The upstream RTP payload type for the session. Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened).
scDownstreamPayloadType 32838 1 SIP: The downstream RTP payload type for the session. Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened).
scUpstreamAverageJitter 32839 4 The average upstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened).
scDownstreamAverageJitter 32840 4 The average downstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened).
scCallDestination 32841 64 The Q931 Alias address of the session destination. A value of N/A indicates that this field was not found in the traffic.
scCallSource 32842 64 The Q931 Alias address of the session source. A value of N/A indicates that this field was not found in the traffic.
scCallType 32843 1 The call type (taken from H225 packet). A value of 0xFF indicates that this field is undefined (no RTP flows were opened).
scMediaChannels 32844 1 The number of data flows that were opened during the session.
scBlockReason 32845 1 Indicates the reason why this session was blocked. For possible values and their interpretation, see Block Reason, page 2-42 of the SCA BB Reference Guide
scBlockRdrCount 32846 4 Total number of blocked flows reported so far (from the beginning of the current time frame).
scRedirected 32847 1 Indicates whether the flow has been redirected after being blocked. 0—Not redirected, 1—Redirected
RESERVED 32848 to 32999 N/A Reserved for SCE



Performance Routing


Refer to: Performance Routing NetFlow for information regarding the use of the fields.


Field Type Value Len (bytes) Description
IPV4_BR_ADDR 39000 4 IPv4 border router (BR) address
PFR_STATUS 39001 2 state code (state_type: 1 Byte, state_subtype: 1 Byte)
REASON_ID 39002 4 reason ID
Threshold 39003 4 policy threshold to which PfR thinks In-Policy
Priority 39004 2 policy priority settings.
LongTermRTT 39006 4 average round-trip-time for long-term period
BelowMOSPercentage 39007 4 average percentage value below the MOS threshold
RSVPBandWidthPool 39008 8 bandwidth pool reserved by RSVP
RollupCounter 39009 2 rollup counter which is expired when it becomes zero.
BandWidthPercentage 39010 2 bandwidth percentage against the maximum bandwidth
BandWidthFee 39011 4 fee for a specific bandwidth
L4_SRC_PORT_MIN 39012 2 TCP/UDP source minimum port number
L4_SRC_PORT_MAX 39013 2 TCP/UDP source maximum port number (we will request a standard number to IANA later)
L4_DST_PORT_MIN 39014 2 TCP/UDP destination minimum port number (we will request a standard number to IANA later)
L4_DST_PORT_MAX 39015 2 TCP/UDP destination maximum port number (we will request a standard number to IANA later)
CAPACITY 39016 8 Link capacity – egress link capacity (kbps)
INGRESS_BW 39017 8 Current ingress bandwidth (kbps)
MAX_INGRESS_BW 39018 8 Max ingress bandwidth (kbps)
EGRESS_BW 39019 8 Current egress bandwidth (kbps)
MAX_EGRESS_BW 39020 8 Max egress bandwidth (kbps)
INGRESS_ROLLUP_BW 39021 8 Ingress rollup bandwidth (kbps)
EGRESS_ROLLUP_BW 39022 8 Egress rollup bandwidth (kbps)
KTH_ROLLUP_BW 39023 8
LINK_GROUP_NAME 39024 48 Link group name assigned to an external interface in the MC configuration
BGP_COMMUNITY 39025 4 Used for ingress load-balancing using BGP
BGP_PREPEND 39026 1 Used for ingress load-balancing using BGP
ENTRANCE_DOWNGRADE 39027
DISCARD_ROLLUP_COUNT 39028 2





NAM Module


Field Type Value Len (bytes) Description
namDataSrc 42001 4 NAM’s assigned data source (port, NDE device, VLAN id, etc.), associated with NAM’s input ifIndex
srcSite 42002 4 NAM’s assigned source site (aggregation of source hosts)

Site is a user-defined grouping of hosts (IP addresses) and (optionally) data-sources (logical channels of ingress traffic, i.e. observation points) according to one of the following or similar supported definition methods, for example:

  • Network Prefix(es)
  • Network Prefix(es) + Set of Data Source(s)
  • Network Prefix(es) + Set of Data Source(s) + Set of VLAN(s)
  • WAAS data source
  • NDE/CEF data source + interface(s)
dstSite 42003 4 NAM’s assigned destination site (aggregation of destination hosts)
serverSite 42004 4 NAM’s assigned server site for IAP metrics (can be both traffic source and destination)
clientSite 42005 4 NAM’s assigned client site for IAP metrics (can be both traffic source and destination)
Unused 42006 N/A Unused.
serverIPv4Address 42007 4 Server address (IPv4) in IAP metrics (can be both traffic source and destination)
clientIPv4Address 42008 4 Client address (IPv4) in IAP metrics (can be both traffic source and destination)
Unused 42009 N/A Unused.
netEncap 42010 4 Network protocol encapsulation enum
serverIPv6Address 42011 16 Server address (IPv6) in IAP metrics (can be both traffic source and destination)
clientIPv6Address 42012 16 Client address (IPv6) in IAP metrics (can be both traffic source and destination)
namSrcDeviceId 42013 4 Internal index of the (traffic) source device
  • NAM source device fields are keys in the exported flows
  • NAM source device designates the network device sending the traffic to NAM
  • NAM source device may or may not be a NetFlow observation point.
namSrcDeviceIPv4Address 42014 4 See above
namSrcDeviceIPv6Address 42015 16 See above
siteName 42016 N Site name
siteDescription 42017 N Site description
Unused 42018 N/A Unused.
Unused 42019 N/A Unused.
waasOptimizationSegment 42020 1 WAAS optimization "segment" (Client LAN, Client WAN, Server WAN, Server LAN, or Passthrough)
waasPassThroughReason 42021 1 PT_UNKNOWN 0

PTR indicated by SN

  • PT_NO_PEER 1
  • PT_RJCT_CAP 2
  • PT_RJCT_RSRCS 3
  • PT_RJCT_NO_LICENSE 4
  • PT_APP_CONFIG 5
  • PT_GLB_CONFIG 6
  • PT_ASYMMETRIC 7
  • PT_IN_PROGRESS 8
  • PT_INTERMEDIATE 9
  • PT_OVERLOAD 10
  • PT_INT_ERROR 11
  • PT_APP_OVERRIDE 12
  • PT_SVR_BLACKLIST 13
  • PT_AD_VER_MISMTCH 14
  • PT_AD_AO_INCOMPAT 15
  • PT_AD_AOIM_PROGRESS 16
  • PT_DIRM_VER_MISMTCH 17
  • PT_PEER_OVERRIDE 18
  • PT_AD_OPT_PARSE_FAIL 19
  • PT_AD_PT_SERIAL_MODE 20
  • PT_SN_INTERCEPTION_ACL 21
  • PT_IP_FRAG_UNSUPP_PEER 22

PTR collected by SC globally

  • PT_CLUSTER_MEMBER 32
  • PT_FLOW_QUERY_FAIL 33
  • PT_FLOWSW_INT_ACL_DENY 34

PTR collected by SC per class

  • PT_FLOWSW_PLCY 40
  • PT_SNG_OVERLOAD 41
  • PT_CLUSTER_DEGRADE 42
  • PT_FLOW_LEARN_FAIL 43

PTR specific to Lhotse

  • PT_ZBFW 56
  • PT_RTSP_ALG 57
  • PT_NON_WAN 58
initiatorPackets 42033 8 Total packets sent by clients
responderPackets 42034 8 Total packets sent by servers
retransOctets 42035 4 Total octets retransmitted
retransPackets 42036 4 Total IP packets retransmitted by Layer 4 (TCP/SCTP) or application
Unused 42037 N/A Unused.
Unused 42038 N/A Unused.
Unused 42039 N/A Unused.
transactionCountDelta 42040 4 Number of transactions. Transaction is defined as a pair of an application-layer request from client and the associated response from server. Each request/response consists of one or multiple packets carrying application data.
sumTransactionTime 42041 4 Sum of transaction time. Divide by transactionCountDelta for AVG.
maxTransactionTime 42042 4 Maximal transaction time in msec
minTransactionTime 42043 4 Minimal transaction time in msec
sumDataTransmissionTime 42044 4 Sum of data transmission time in msec. Transmission is defined as the data transmission of the server response in a transaction
sumDataRetransmissionTime 42045 4 Sum of data retransmission time in msec
Unused 42046 N/A Unused.
Unused 42047 N/A Unused.
Unused 42048 N/A Unused.
Unused 42049 N/A Unused.
newConnectionsCountDelta 42050 4 Number of new connections (new sessions)
completedConnectionsCountDelta 42051 4 Number of completed sessions
refusedConnectionsCountDelta 42052 4 Number of refused sessions
unrespConnectionsCountDelta 42053 4 Number of unresponsive sessions
sumSessionDuration 42054 4 Total session duration in msec.

Divide by completedConnectionsCountDelta for AVG

Unused 42055 N/A Unused.
Unused 42056 N/A Unused.
Unused 42057 N/A Unused.
Unused 42058 N/A Unused.
Unused 42059 N/A Unused.
numRespsCountDelta 42060 4 Number of responses
numResps1CountDelta 42061 4 Number of responses in bucket 1
numResps2CountDelta 42062 4 Number of responses in bucket 2
numResps3CountDelta 42063 4 Number of responses in bucket 3
numResps4CountDelta 42064 4 Number of responses in bucket 4
numResps5CountDelta 42065 4 Number of responses in bucket 5
numResps6CountDelta 42066 4 Number of responses in bucket 6
numResps7CountDelta 42067 4 Number of responses in bucket 7
numLateRespsCountDelta 42068 4 Number of late responses
Unused 42069 N/A Unused.
Unused 42070 N/A Unused.
sumRespTime 42071 4 Sum of response time in msec.

Divide by numRespsCountDelta for AVG

maxRespTime 42072 4 Maximal response time in msec
minRespTime 42073 4 Minimal response time in msec
sumServerRespTime 42074 4 Sum of application server response time in msec.

Divide by numRespsCountDelta for AVG

maxServerRespTime 42075 4 Maximal application server response time in msec
minServerRespTime 42076 4 Minimal application server response time in msec
sumTotalRespTime 42077 4 Sum of total response time in msec.

Divide by numRespsCountDelta for AVG

maxTotalRespTime 42078 4 Maximal total response time in msec
minTotalRespTime 42079 4 Minimal total response time in msec
Unused 42080 N/A Unused.
sumNwkTime 42081 4 Sum of network delay times in msec.

Divide by newConnectionsCountDelta for AVG

maxNwkTime 42082 4 Maximal network time in msec
minNwkTime 42083 4 Minimal network time in msec
sumClientNwkTime 42084 4 Sum of client network times in msec.

Divide by newConnectionsCountDelta for AVG

maxClientNwkTime 42085 4 Maximal client network time in msec
minClientNwkTime 42086 4 Minimal client network time in msec
sumServerNwkTime 42087 4 Sum of server network times in msec.

Divide by newConnectionsCountDelta for AVG

maxServerNwkTime 42088 4 Maximal server network time in msec
minServerNwkTime 42089 4 Minimal server network time in msec
numRoundtripsDeltaCount 42090 4 Number of ACK'd round trips
sumRoundtripTime 42091 4 Total ACK round trip time.

Divide by numRoundtripsDeltaCount for AVG

Unused 42092 to 42100 N/A Unused
rtpSsrc 42101 4 RTP stream unique id given by sensor
rtpPayloadType 42102 1 RTP stream payload type

(http://www.iana.org/assignments/rtp-parameters)

rtpCodec 42103 4 RTP stream’s codec enum
Unused 42104 to 42111 N/A Unused
rtpDuration 42112 4 RTP stream’s duration (total) in sec
rtpAvgMos100 42113 4 Average MOS value x100
Unused 42114 N/A Unused
rtpWorstMos100 42115 4 Worst MOS value x100 – for every measurement interval (***) the worst MOS score for 3 seconds granularity
rtpActualPacketLoss 42116 4 Actual packet loss
rtpAdjPacketLoss 42117 4 Adjusted packet loss
rtpJitter100 42118 4 Stream Jitter value x100
rtpSoc 42119 4 Seconds of concealment
rtpSsc 42120 4 Seconds of severe concealment
rtpMaxPktLoss 42121 4 Maximal consecutive packet loss
rtpPktToJitter100 42122 4 Packet-to-packet jitter measure x100 peak to peak

Interval for two consecutive packets

rtpMosQuality 42123 4 MOS quality – score as integer value 1,2,3,4
rtpConnCountTotal 42124 4 Total connection count for the RTP stream
httpUriHits 42125 Var-len Export URI and URI-Hits (URI:URI-HITS)
packetIntervalTimeHistogram 42126  ? A histogram of inter-packet-gaps (time between packets in milliseconds) made up of N x uint64_t.
packetIntervalTimeHistogramRevers 42127 Var-len A histogram of inter-packet-gaps (time between packets in milliseconds), for packets in the reverse direction, made up of N x uint64_t.
queueIndex 42128 4 Id of queue upon which packets were placed.
queueDrops 42129 8 Number of packet drops on a particular queue.
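
The "Divide by ... for AVG" notes in the table above only work if the collector guards against a zero or missing counter. The following is an added example, not Cisco code: it decodes one data record against a template and derives the averages. Field IDs and names are copied from the table; the already-parsed template list, the sample bytes, the function names and the "avg..." output names are assumptions.

```python
import struct

# Field IDs and names copied from the table above.
FIELDS = {
    42040: "transactionCountDelta",
    42041: "sumTransactionTime",
    42050: "newConnectionsCountDelta",
    42051: "completedConnectionsCountDelta",
    42054: "sumSessionDuration",
    42060: "numRespsCountDelta",
    42071: "sumRespTime",
    42081: "sumNwkTime",
}
# "Divide by ... for AVG" notes from the table: sum field -> count field.
AVG_DENOMINATOR = {
    "sumTransactionTime": "transactionCountDelta",
    "sumSessionDuration": "completedConnectionsCountDelta",
    "sumRespTime": "numRespsCountDelta",
    "sumNwkTime": "newConnectionsCountDelta",
}

def decode_record(template, data):
    """Decode one data record laid out as the template's (id, length) pairs."""
    need = sum(length for _, length in template)
    if len(data) < need:
        raise ValueError(f"record truncated: need {need} bytes, got {len(data)}")
    record, offset = {}, 0
    for field_id, length in template:
        # Unknown IDs are kept under their number; the template length is used as sent.
        name = FIELDS.get(field_id, str(field_id))
        record[name] = int.from_bytes(data[offset:offset + length], "big")
        offset += length
    return record

def averages(record):
    """Apply the AVG notes; None when the counter is zero or was not exported."""
    out = {}
    for sum_name, count_name in AVG_DENOMINATOR.items():
        if sum_name in record:
            count = record.get(count_name)
            out["avg" + sum_name[3:]] = record[sum_name] / count if count else None
    return out

# Constructed sample: a parsed template and one matching record (big-endian).
TEMPLATE = [(42040, 4), (42041, 4), (42050, 4), (42081, 4), (42060, 4), (42071, 4)]
SAMPLE = struct.pack(">6I", 4, 1000, 2, 90, 0, 0)

if __name__ == "__main__":
    rec = decode_record(TEMPLATE, SAMPLE)
    print(rec, averages(rec))
```

A None average marks an interval with no responses or no new connections, which a dashboard should show as "no data" rather than as zero latency.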


