NetFlow Export Datagram Formats
NetFlow exports flow information in UDP datagrams in one of five formats:
•Version 1
•Version 5
•Version 7
•Version 8
•Version 9
Version 1 (V1) is the original format supported in the initial NetFlow releases. Version 5 (V5) is an enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers. Version 7 (V7) is an enhancement that exclusively supports NetFlow with Cisco Catalyst 5000 series switches equipped with a NetFlow feature card (NFFC). V7 is not compatible with Cisco routers. Version 8 (V8) is an enhancement that adds router-based aggregation schemes. Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol Security (IPSec), and Multi Protocol Label Switching (MPLS). Version 9 is not compatible with previous versions of CNS NetFlow Collection Engine.
Versions 2, 3, 4, and 6 either were not released or are not supported by CNS NetFlow Collection Engine.
This appendix describes these formats in the following sections:
–Versions 1, 5, 7 and 8
–Version 9
Versions 1, 5, 7 and 8
In Versions 1, 5, and 7, the datagram consists of a header and one or more flow records. The first field of the header contains the version number of the export datagram. Typically, a receiving application that accepts any of the format versions allocates a buffer large enough for the largest possible datagram from any of the format versions and then uses the header to determine how to interpret the datagram. The second field in the header contains the number of records in the datagram and should be used to search through the records.
All fields described in the format version tables are in network byte order.
•Table B-1 and Table B-2 describe the V1 header and flow record format, respectively
•Table B-3 and Table B-4 describe the V5 header and flow record format, respectively
•Table B-5 and Table B-6 describe the V7 header and flow record format, respectively
•Table B-7 describes the V8 header format
•Table B-8 describes the Byte #22 Aggregation Scheme headers
•Table B-9 describes the V8 RouterAS flow record format
•Table B-10 describes the V8 RouterProtoPort flow record
•Table B-11 describes the V8 RouterDstPrefix flow record
•Table B-12 describes the RouterSrcPrefix flow record
•Table B-13 describes the RouterPrefix flow record format
•Table B-14 describes the TosAS flow record format
•Table B-15 describes the TosProtoPort flow record format
•Table B-16 describes the PrePortProtocol flow record format
•Table B-17 describes the TosSrcPrefix flow record format
•Table B-18 describes the TosDstPrefix flow record format
•Table B-19 describes the TosPrefix flow record format
•Table B-20 describes the DestOnly flow record format
•Table B-21 describes the SrcDst flow record format
•Table B-22 describes the FullFlow flow record format.
Note V8 data consists of header information that follows the same format as the other versions. However, the V8 flow record formats are separated based on the aggregation schemes that support router-based aggregation. Instead of one flow record table, you see five tables that describe the V8 flow record format for each individual aggregation scheme.
We recommend that receiving applications perform a sanity check on datagrams to ensure that the datagrams are from a valid NetFlow source. You should first check the size of the datagram to verify that it is at least long enough to contain the version and count fields. You should next verify that the version is valid (1, 5, 7, or 8) and that the number of received bytes is enough for the header and count flow records (using the appropriate version).
Because NetFlow export uses UDP to send export datagrams, it is possible for datagrams to be lost. To determine whether flow export information has been lost, Version 5, Version 7, and Version 8 headers contain a flow sequence number. The sequence number is equal to the sequence number of the previous datagram plus the number of flows in the previous datagram. After receiving a new datagram, the receiving application can subtract the expected sequence number from the sequence number in the header to derive the number of missed flows.
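The sanity check and the sequence-number arithmetic described above, as an added Python example (not code from Cisco or CNS NetFlow Collection Engine). Header and record sizes are read off the tables in this appendix; the pairing of V8 aggregation IDs with record tables, the exporter key and the sample datagrams are assumptions constructed for the example.

```python
import struct

# (header length, record length) in bytes, read off Tables B-1 to B-6.
FIXED = {1: (16, 48), 5: (24, 48), 7: (24, 52)}
MAX_COUNT = {1: 24, 5: 30}          # count ranges given in Tables B-1 and B-3
V8_HEADER_LEN = 28                  # Table B-7
# V8 record length keyed by aggregation ID (header byte 22, Table B-8), read
# off Tables B-9 to B-22. Pairing scheme names with record tables (for example
# Prefix-Port with PrePortProtocol) is an assumption of this example.
V8_RECORD_LEN = {1: 28, 2: 28, 3: 32, 4: 32, 5: 40, 6: 32, 7: 40,
                 8: 44, 9: 32, 10: 32, 11: 32, 12: 32, 13: 40, 14: 40}


class BadDatagram(ValueError):
    """Raised when a datagram fails the sanity check."""


def validate(datagram: bytes):
    """Return (version, count, header_len, record_len) or raise BadDatagram."""
    if len(datagram) < 4:
        raise BadDatagram("too short to hold version and count")
    version, count = struct.unpack_from("!HH", datagram, 0)  # network byte order
    if version in FIXED:
        header_len, record_len = FIXED[version]
    elif version == 8:
        if len(datagram) < V8_HEADER_LEN:
            raise BadDatagram("truncated V8 header")
        scheme = datagram[22]
        if scheme not in V8_RECORD_LEN:
            raise BadDatagram(f"unknown aggregation scheme {scheme}")
        header_len, record_len = V8_HEADER_LEN, V8_RECORD_LEN[scheme]
    else:
        raise BadDatagram(f"unsupported version {version}")
    limit = MAX_COUNT.get(version)
    if limit is not None and not 1 <= count <= limit:
        raise BadDatagram(f"count {count} outside 1-{limit}")
    needed = header_len + count * record_len
    if len(datagram) < needed:
        raise BadDatagram(f"{count} records need {needed} bytes, got {len(datagram)}")
    return version, count, header_len, record_len


class SequenceTracker:
    """Tracks flow_sequence (header bytes 16-19) per exporter to count lost flows."""

    def __init__(self):
        self.expected = {}   # exporter key -> next expected flow_sequence

    def update(self, exporter, datagram: bytes) -> int:
        """Validate one datagram and return the number of flows missed before it."""
        version, count, _, _ = validate(datagram)
        if version == 1:
            return 0                                  # V1 carries no sequence number
        (seq,) = struct.unpack_from("!I", datagram, 16)
        expected = self.expected.get(exporter)
        # Next expected value = this sequence number + flows in this datagram.
        self.expected[exporter] = (seq + count) & 0xFFFFFFFF
        if expected is None:
            return 0                                  # first datagram from this exporter
        missed = (seq - expected) & 0xFFFFFFFF        # 32-bit counter wraps
        # A gap of 2**31 or more means reordering or an exporter restart, not
        # loss; the tracker has already resynchronised on the new value.
        return missed if missed < 2**31 else 0


def make_v5(seq: int, count: int) -> bytes:
    """Constructed sample input: a V5 datagram with zeroed flow records."""
    header = struct.pack("!HHIIIIBBH", 5, count, 1000, 0, 0, seq, 0, 0, 0)
    return header + bytes(48 * count)


def demo():
    tracker = SequenceTracker()
    src = "192.0.2.1"                                 # constructed exporter key
    return [tracker.update(src, make_v5(100, 30)),    # first datagram seen
            tracker.update(src, make_v5(130, 30)),    # arrives in order
            tracker.update(src, make_v5(190, 10))]    # flows 160-189 never arrived


if __name__ == "__main__":
    print(demo())
```

The exporter key should separate every independent sequence space the collector sees, so a real deployment would key on more than the source address where one device exports from several engines.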
Datagram format Version 8 offers five router-based aggregation schemes allowing you to summarize CNS NetFlow Collection Engine export data on the router before the data is exported to the CNS NetFlow Collection Engine. The result is lower bandwidth requirements and reduced platform requirements for NetFlow data collection devices.
Router-based aggregation enables on-router aggregation by maintaining one or more extra NetFlow caches with different combinations of fields that determine which traditional flows are grouped together. These extra caches are called aggregation caches. As flows expire from the main flow cache, they are added to each enabled aggregation cache. The normal flow ager process runs on each active aggregation cache the same way it runs on the main cache. On-demand aging is also supported.
Table B-1 describes the V1 header format.
Table B-1 Version 1 Header Format
Bytes | Contents | Description
0-1 | version | NetFlow export format version number
2-3 | count | Number of flows exported in this packet (1-24)
4-7 | SysUptime | Current time in milliseconds since the export device booted
8-11 | unix_secs | Current count of seconds since 0000 UTC 1970
12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970
Table B-2 describes the V1 flow record format.
Table B-2 Version 1 Flow Record Format
Bytes | Contents | Description
0-3 | srcaddr | Source IP address
4-7 | dstaddr | Destination IP address
8-11 | nexthop | IP address of next hop router
12-13 | input | SNMP index of input interface
14-15 | output | SNMP index of output interface
16-19 | dPkts | Packets in the flow
20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow
24-27 | First | SysUptime at start of flow
28-31 | Last | SysUptime at the time the last packet of the flow was received
32-33 | srcport | TCP/UDP source port number or equivalent
34-35 | dstport | TCP/UDP destination port number or equivalent
36-37 | pad1 | Unused (zero) bytes
38 | prot | IP protocol type (for example, TCP = 6; UDP = 17)
39 | tos | IP type of service (ToS)
40 | flags | Cumulative OR of TCP flags
41-43 | pad1, pad2, pad3 | Unused (zero) bytes
44-47 | reserved | Unused (zero) bytes
Table B-3 describes the V5 header format.
Table B-3 Version 5 Header Format
Bytes | Contents | Description
0-1 | version | NetFlow export format version number
2-3 | count | Number of flows exported in this packet (1-30)
4-7 | SysUptime | Current time in milliseconds since the export device booted
8-11 | unix_secs | Current count of seconds since 0000 UTC 1970
12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970
16-19 | flow_sequence | Sequence counter of total flows seen
20 | engine_type | Type of flow-switching engine
21 | engine_id | Slot number of the flow-switching engine
22-23 | sampling_interval | First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval
Table B-4 describes the V5 flow record format.
Table B-4 Version 5 Flow Record Format
Bytes | Contents | Description
0-3 | srcaddr | Source IP address
4-7 | dstaddr | Destination IP address
8-11 | nexthop | IP address of next hop router
12-13 | input | SNMP index of input interface
14-15 | output | SNMP index of output interface
16-19 | dPkts | Packets in the flow
20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow
24-27 | First | SysUptime at start of flow
28-31 | Last | SysUptime at the time the last packet of the flow was received
32-33 | srcport | TCP/UDP source port number or equivalent
34-35 | dstport | TCP/UDP destination port number or equivalent
36 | pad1 | Unused (zero) bytes
37 | tcp_flags | Cumulative OR of TCP flags
38 | prot | IP protocol type (for example, TCP = 6; UDP = 17)
39 | tos | IP type of service (ToS)
40-41 | src_as | Autonomous system number of the source, either origin or peer
42-43 | dst_as | Autonomous system number of the destination, either origin or peer
44 | src_mask | Source address prefix mask bits
45 | dst_mask | Destination address prefix mask bits
46-47 | pad2 | Unused (zero) bytes
Table B-5 describes the V7 header format.
Table B-5 Version 7 (Catalyst 5000) Header Format
Bytes | Contents | Description
0-1 | version | NetFlow export format version number
2-3 | count | Number of flows exported in this flow frame (protocol data unit, or PDU)
4-7 | SysUptime | Current time in milliseconds since the export device booted
8-11 | unix_secs | Current seconds since 0000 UTC 1970
12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970
16-19 | flow_sequence | Sequence counter of total flows seen
20-23 | reserved | Unused (zero) bytes
Table B-6 describes the V7 flow record format.
Table B-6 Version 7 (Catalyst 5000) Flow Record Format
Bytes | Contents | Description
0-3 | srcaddr | Source IP address; in case of destination-only flows, set to zero.
4-7 | dstaddr | Destination IP address.
8-11 | nexthop | Next hop router; always set to zero.
12-13 | input | SNMP index of input interface; always set to zero.
14-15 | output | SNMP index of output interface.
16-19 | dPkts | Packets in the flow.
20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow.
24-27 | First | SysUptime, in milliseconds, at start of flow.
28-31 | Last | SysUptime, in milliseconds, at the time the last packet of the flow was received.
32-33 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination.
34-35 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination.
36 | flags | Flags indicating, among other things, what flow fields are invalid.
37 | tcp_flags | TCP flags; always set to zero.
38 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination.
39 | tos | IP type of service; switch sets it to the ToS of the first packet of the flow.
40-41 | src_as | Source autonomous system number, either origin or peer; always set to zero.
42-43 | dst_as | Destination autonomous system number, either origin or peer; always set to zero.
44 | src_mask | Source address prefix mask; always set to zero.
45 | dst_mask | Destination address prefix mask; always set to zero.
46-47 | flags | Flags indicating, among other things, what flows are invalid.
48-51 | router_sc | IP address of the router that is bypassed by the Catalyst 5000 series switch. This is the same address the router uses when it sends NetFlow export packets. This IP address is propagated to all switches bypassing the router through the FCP protocol.
Table B-7 describes the V8 header format.
Note Version 7 AS information is not supported in current implementations of the Catalyst 5000 series switch.
Table B-7 Version 8 Header Format
Bytes | Contents | Description
0-1 | version | NetFlow export format version number.
2-3 | count | Number of flows exported in this flow frame (protocol data unit, or PDU).
4-7 | SysUptime | Current time in milliseconds since the export device booted.
8-11 | unix_secs | Current seconds since 0000 UTC 1970.
12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970.
16-19 | flow_sequence | Sequence counter of total flows seen.
20 | engine_type | Type of flow switching engine.
21 | engine_id | ID number of the flow switching engine.
22 | aggregation | Aggregation scheme being used (see Table B-8).
23 | agg_version | Version of the aggregation export. This value should always be 2.
24-27 | reserved | Unused (zero) bytes.
Table B-8 describes the Byte #22 Aggregation Scheme field.
Table B-8 Byte #22 Aggregation Scheme Field
Aggregation Scheme | Aggregation ID
AS | 1
Protocol-Port | 2
Source-Prefix | 3
Destination-Prefix | 4
Prefix | 5
Destination | 6
Source-Destination | 7
Full-Flow | 8
AS-TOS | 9
Protocol-Port-TOS | 10
Source-Prefix-TOS | 11
Destination-Prefix-TOS | 12
Prefix-TOS | 13
Prefix-Port | 14
Table B-9 describes the V8 RouterAS flow record format.
Table B-9 Version 8 RouterAS Flow Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-21 | src_as | Source autonomous system number, either origin or peer; always set to zero
22-23 | dst_as | Destination autonomous system number, either origin or peer; always set to zero
24-25 | input | SNMP index of input interface; always set to zero
26-27 | output | SNMP index of output interface
Table B-10 describes the V8 RouterProtoPort flow record.
Table B-10 Version 8 RouterProtoPort Flow Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination
21 | pad | Unused (zero) bytes
22-23 | reserved | Unused (zero) bytes
24-25 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination
26-27 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination
Table B-11 describes the V8 RouterDstPrefix flow record.
Table B-11 Version 8 RouterDstPrefix Flow Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-23 | dst_prefix | Destination IP address prefix
24 | dst_mask | Destination address prefix mask; always set to zero
25 | pad | Unused (zero) bytes
26-27 | dst_as | Destination autonomous system number, either origin or peer; always set to zero
28-29 | output | SNMP index of output interface
30-31 | reserved | Unused (zero) bytes
Table B-12 describes the RouterSrcPrefix flow record.
Table B-12 Version 8 RouterSrcPrefix Flow Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-23 | src_prefix | Source IP address prefix
24 | src_mask | Source address prefix mask; always set to zero
25 | pad | Unused (zero) bytes
26-27 | src_as | Source autonomous system number, either origin or peer; always set to zero
28-29 | input | SNMP index of input interface; always set to zero
30-31 | reserved | Unused (zero) bytes
Table B-13 describes the RouterPrefix flow record format.
Table B-13 Version 8 RouterPrefix Flow Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-23 | src_prefix | Source IP address prefix
24-27 | dst_prefix | Destination IP address prefix
28 | dst_mask | Source address prefix mask; always set to zero
29 | src_mask | Destination address prefix mask; always set to zero
30-31 | reserved | Unused (zero) bytes
32-33 | src_as | Source autonomous system number, either origin or peer; always set to zero
34-35 | dst_as | Destination autonomous system number, either origin or peer; always set to zero
36-37 | input | SNMP index of input interface; always set to zero
38-39 | output | SNMP index of output interface
Table B-14 describes the TosAS flow record format.
Table B-14 Version 8 TosAS Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-21 | src_as | Source autonomous system number, either origin or peer; always set to zero
22-23 | dst_as | Destination autonomous system number, either origin or peer; always set to zero
24-25 | input | SNMP index of input interface; always set to zero
26-27 | output | SNMP index of output interface
28 | tos | Type of service
29 | pad | Unused (zero) bytes
30-31 | reserved | Unused (zero) bytes
Table B-15 describes the TosProtoPort flow record format.
Table B-15 Version 8 TosProtoPort Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination
21 | Tos | IP Type of Service
22-23 | reserved | Unused (zero) bytes
24-25 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination
26-27 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination
28-29 | input | SNMP index of input interface
30-31 | output | SNMP index of output interface
Table B-16 describes the PrePortProtocol flow record format.
Table B-16 Version 8 PrePortProtocol Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dpkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-23 | src_prefix | Source IP address prefix
24-27 | dst_prefix | Destination IP address prefix
28 | dst_mask | Destination address prefix mask
29 | src_mask | Source address prefix mask
30 | Tos | IP Type of Service
31 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination
32-33 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination
34-35 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination
36-37 | input | SNMP index of input interface
38-39 | output | SNMP index of output interface
Table B-17 describes the TosSrcPrefix flow record format.
Table B-17 Version 8 TosSrcPrefix Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-23 | src_prefix | Source IP address prefix
24 | src_mask | Source address prefix mask
25 | Tos | IP Type of Service
26-27 | src_as | Source autonomous system number, either origin or peer
28-29 | input | SNMP index of input interface
30-31 | reserved | Reserved for future use
Table B-18 describes the TosDstPrefix flow record format.
Table B-18 Version 8 TosDstPrefix Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-23 | dst_prefix | Destination IP address prefix
24 | dst_mask | Destination address prefix mask
25 | Tos | IP Type of Service
26-27 | dst_as | Destination autonomous system number, either origin or peer
28-29 | output | SNMP index of output interface
30-31 | reserved | Unused (zero) bytes
Table B-19 describes the TosPrefix flow record format.
Table B-19 Version 8 TosPrefix Record Format
Bytes | Contents | Description
0-3 | flows | Number of flows
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-23 | src_prefix | Source IP address prefix
24-27 | dst_prefix | Destination IP address prefix
28 | dst_mask | Destination address prefix mask
29 | src_mask | Source address prefix mask
30 | Tos | IP Type of Service
31 | pad | Unused (zero) bytes
32-33 | src_as | Source autonomous system number, either origin or peer
34-35 | dst_as | Destination autonomous system number, either origin or peer
36-37 | input | SNMP index of input interface
38-39 | output | SNMP index of output interface
Table B-20 describes the DestOnly flow record format.
Note This flow statistic record is only used in Catalyst 6000 Series DestOnly aggregation.
Table B-20 Version 8 DestOnly Record Format
Bytes | Contents | Description
0-3 | dstaddr | Destination IP address
4-7 | dPkts | Packets in the flow
8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow
12-15 | First | SysUptime, in seconds, at start of flow
16-19 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
20-21 | Output | SNMP index of output interface
22 | Tos | IP Type of Service
23 | marked_tos | Type of Service of the packets that exceeded the contract
24-27 | extraPkts | Packets that exceed the contract
28-31 | router_sc | IP address of the router that is bypassed by the Catalyst 5000 series switch. This is the same address the router uses when it sends NetFlow export packets. This IP address is propagated to all switches bypassing the router through the FCP protocol.
Table B-21 describes the SrcDst flow record format.
Note This flow statistic record is used in Catalyst 6000 Series only SrcDst aggregation.
Table B-21 Version 8 SrcDst Record Format
Bytes | Contents | Description
0-3 | dstaddr | Destination IP address
4-7 | srcaddr | Source IP address; in case of destination-only flows, set to zero
8-11 | dPkts | Packets in the flow
12-15 | dOctets | Total number of Layer 3 bytes in the packets of the flow
16-19 | First | SysUptime, in seconds, at start of flow
20-23 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
24-25 | Output | SNMP index of output interface
26-27 | Input | SNMP index of input interface
28 | Tos | IP Type of Service
29 | marked_tos | Type of Service of the packets that exceeded the contract
30-31 | reserved | Unused (zero) bytes
32-35 | extraPkts | Packets that exceed the contract
36-39 | router_sc | IP address of the router that is bypassed by the Catalyst 5000 series switch. This is the same address the router uses when it sends NetFlow export packets. This IP address is propagated to all switches bypassing the router through the FCP protocol.
Table B-22 describes the FullFlow flow record format.
Note This flow statistic record is used in Catalyst 6000 Series only FullFlow aggregation.
Table B-22 Version 8 FullFlow Record Format
Bytes | Contents | Description
0-3 | dstaddr | Destination IP address
4-7 | srcaddr | Source IP address; in case of destination-only flows, set to zero
8-9 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination
10-11 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination
12-15 | dPkts | Packets in the flow
16-19 | dOctets | Total number of Layer 3 bytes in the packets of the flow
20-23 | First | SysUptime, in seconds, at start of flow
24-27 | Last | SysUptime, in seconds, at the time the last packet of the flow was received
28-29 | Output | SNMP index of output interface
30-31 | Input | SNMP index of input interface
32 | Tos | IP Type of Service
33 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination
34 | marked_tos | Type of Service of the packets that exceeded the contract
35 | pad | Unused (zero) bytes
36-39 | extraPkts | Packets that exceed the contract
40-43 | router_sc | IP address of the router that is bypassed by the Catalyst 5000 series switch. This is the same address the router uses when it sends NetFlow export packets. This IP address is propagated to all switches bypassing the router through the FCP protocol.
Version 9
The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
This section includes the following:
•Table B-23 describes Version 9 export packet
•Table B-24 describes Version 9 header format
•Table B-25 describes Version 9 template FlowSet format
•Table B-26 describes Version 9 field types
•Table B-27 describes Version 9 data FlowSet format
•Table B-28 describes Version 9 option template format
Packet Layout
The NetFlow Version 9 record format consists of a packet header followed by one or more template or data FlowSets. A template FlowSet provides a description of the fields that will be present in future data FlowSets. These data FlowSets may occur later within the same export packet or in subsequent export packets.
Template and data FlowSets can be intermingled within a single export packet, as illustrated in Table B-23.
Table B-23 Version 9 Export Packet
Packet Header
Template FlowSet
Data FlowSet
Data FlowSet
..................
Template FlowSet
Data FlowSet
Packet Header Format
The format of the NetFlow Version 9 packet header remains relatively unchanged from that of previous versions. Table B-24 describes the Version 9 header format.
Table B-24 Version 9 Header Format
Bytes | Field Name | Description
0-1 | version | NetFlow export format version number; for Version 9 this value is 0x0009.
2-3 | count | Number of flow sets exported in this packet, both template and data (1-30).
4-7 | SysUptime | Current time in milliseconds since the export device booted.
8-11 | unix_secs | Current count of seconds since 0000 UTC 1970.
12-15 | package_sequence | Sequence counter of all export packets sent by the export device. Note: This is a change from the Version 5 and Version 8 headers, where this number represented "total flows."
16-19 | source_id | A 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device.
Template FlowSet Format
One of the key elements in the new Version 9 format is the template FlowSet. Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance. Templates are used to describe the type and length of individual fields within subsequent NetFlow data records that match a template ID.
Example B-1 Template FlowSet Format
Table B-25 describes the Version 9 Template FlowSet format.
Table B-25 Version 9 Template FlowSet Format
Field Name | Description
FlowSet ID | Distinguishes template records from data records. A template record always has a FlowSet ID in the range of 0-255.
Length | Refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet. Length is expressed in type/length/value (TLV) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.
Template ID | As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID. Templates that define data record formats begin numbering at 256, because 0-255 are reserved for FlowSet IDs.
Field Count | The number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.
Field Type | Numeric value that represents the type of the field. The possible values of the field type are vendor specific. Cisco supplied values are consistent across all platforms that support NetFlow Version 9. The currently defined field types are detailed in Table B-26.
Field Length | The length of the Field Type field, in bytes.
Note the following:
•Template IDs are consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.
•Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways. A template can be resent every N number of export packets. A template can also be sent on a timer, so that it is refreshed every N number of minutes. Both options are user configurable.
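A bounds-checked walk over the FlowSets of a Version 9 packet that collects its template records, as an added Python example (not code from the original document). It assumes that FlowSet ID, Length, Template ID, Field Count, Field Type and Field Length are each 16-bit big-endian values and that template FlowSets use FlowSet ID 0, as specified in RFC 3954; the sample packet is constructed, with field type values taken from Table B-26.

```python
import struct

V9_HEADER_LEN = 20        # Table B-24: header occupies bytes 0-19
TEMPLATE_FLOWSET_ID = 0   # assumption from RFC 3954; the table only gives 0-255


class BadPacket(ValueError):
    """Raised when a Version 9 packet is malformed."""


def record_length(fields):
    """Size in bytes of one data record described by a template."""
    return sum(length for _type, length in fields)


def _parse_template_records(packet, pos, end, templates):
    # One template FlowSet may hold several template records; Field Count
    # marks where one record ends and the next begins.
    while end - pos >= 4:
        template_id, field_count = struct.unpack_from("!HH", packet, pos)
        pos += 4
        if template_id < 256:
            raise BadPacket(f"template ID {template_id} is in the reserved range 0-255")
        if pos + 4 * field_count > end:
            raise BadPacket(f"template {template_id}: {field_count} fields overrun the FlowSet")
        fields = [struct.unpack_from("!HH", packet, pos + 4 * i)
                  for i in range(field_count)]
        if record_length(fields) == 0:
            # A zero-length record would stall a decoder that steps through a
            # data FlowSet one record at a time.
            raise BadPacket(f"template {template_id} describes a zero-length record")
        templates[template_id] = fields
        pos += 4 * field_count


def parse_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, field_length), ...]} for one packet."""
    if len(packet) < V9_HEADER_LEN:
        raise BadPacket("truncated packet header")
    (version,) = struct.unpack_from("!H", packet, 0)
    if version != 9:
        raise BadPacket(f"not a Version 9 packet (version {version})")
    templates = {}
    offset = V9_HEADER_LEN
    while offset < len(packet):
        if len(packet) - offset < 4:
            raise BadPacket("trailing bytes too short for a FlowSet header")
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        # Length includes the FlowSet ID and Length fields themselves, so a
        # value under 4 could never advance the offset.
        if length < 4 or offset + length > len(packet):
            raise BadPacket(f"FlowSet length {length} invalid at offset {offset}")
        if flowset_id == TEMPLATE_FLOWSET_ID:
            _parse_template_records(packet, offset + 4, offset + length, templates)
        offset += length      # Length locates the next FlowSet, template or data
    return templates


# --- constructed sample input ---
def template_record(template_id, fields):
    body = b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", template_id, len(fields)) + body


def template_flowset(*records):
    body = b"".join(records)
    return struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body


def make_packet(flowsets: bytes) -> bytes:
    return struct.pack("!HHIIII", 9, 1, 1000, 0, 1, 0) + flowsets


def demo_packet() -> bytes:
    tmpl = template_flowset(
        template_record(256, [(8, 4), (7, 2), (4, 1)]),   # IPV4_SRC_ADDR, L4_SRC_PORT, PROTOCOL
        template_record(257, [(1, 4), (2, 4)]))           # IN_BYTES, IN_PKTS
    data = struct.pack("!HH", 256, 12) + bytes(8)         # data FlowSet, skipped by Length
    return make_packet(tmpl + data)


if __name__ == "__main__":
    print(parse_templates(demo_packet()))
```

Because template IDs are unique only per exporting router, a collector should store the returned templates under a key that includes the exporter and its source_id rather than the template ID alone.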
Table B-26 describes the Version 9 field types.
Table B-26 Version 9 Field Type Definitions
Field Type
|
Value
|
Length in bytes
|
Description
|
IN_BYTES |
1 |
N |
Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow. Default: 4. |
IN_PKTS |
2 |
N |
Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow. Default: 4. |
FLOWS |
3 |
N |
Number of flows that were aggregated. Default: 4. |
PROTOCOL |
4 |
1 |
IP protocol byte. |
SRC_TOS |
5 |
1 |
Type of Service byte setting when entering incoming interface. |
TCP_FLAGS |
6 |
1 |
Cumulative of all TCP flags seen for this flow. |
L4_SRC_PORT |
7 |
2 |
TCP/UDP source port number. For example, FTP, Telnet, or equivalent. |
IPV4_SRC_ADDR |
8 |
4 |
IPv4 source address. |
SRC_MASK |
9 |
1 |
The number of contiguous bits in the source address subnet mask. For example, the submask in slash notation. |
INPUT_SNMP |
10 |
N |
Input interface index. Default: 2 but higher values can be used. |
L4_DST_PORT |
11 |
2 |
TCP/UDP destination port number. For example, FTP, Telnet, or equivalent. |
IPV4_DST_HOP |
12 |
4 |
IPv4 destination address. |
DST_MASK |
13 |
1 |
The number of contiguous bits in the destination address subnet mask, that is the submask in slash notation. |
OUTPUT_SNMP |
14 |
N |
Output interface index. Default: 2 but higher values can be used. |
IPV4_NEXT_HOP |
15 |
4 |
IPv4 address of next-hop router. |
SRC_AS |
16 |
N |
Source BGP autonomous system number where N could be 2 or 4. Default: 2. |
DST_AS |
17 |
N |
Destination BGP autonomous system number where N could be 2 or 4. Default: 2. |
BGP_IPV4_NEXT_HOP |
18 |
4 |
Next-hop router's IP in the BGP domain. |
MUL_DST_PKTS |
19 |
N |
IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow. Default: 4. |
MUL_DST_BYTES |
20 |
N |
IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow. Default: 4. |
LAST_SWITCHED |
21 |
4 |
System uptime at which the last packet of this flow was switched. |
FIRST_SWITCHED |
22 |
4 |
System uptime at which the first packet of this flow was switched. |
OUT_BYTES |
23 |
N |
Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow. Default: 4. |
OUT_PKTS |
24 |
N |
Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow. Default: 4. |
MIN_PKT_LNGTH |
25 |
2 |
Minimum IP packet length on incoming packets of the flow. |
MAX_PKT_LNGTH |
26 |
2 |
Maximum IP packet length on incoming packets of the flow. |
IPV6_SRC_ADDR |
27 |
16 |
IPv6 Source Address. |
IPV6_DST_ADDR |
28 |
16 |
IPv6 Destination Address. |
IPV6_SRC_MASK |
29 |
1 |
Length of the IPv6 source mask in contiguous bits. |
IPV6_DST_MASK |
30 |
1 |
Length of the IPv6 destination mask in contiguous bits. |
IPV6_FLOW_LABEL |
31 |
3 |
IPv6 flow label as per RFC 2460 definition. |
ICMP_TYPE |
32 |
2 |
Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code). |
MUL_IGMP_TYPE |
33 |
1 |
Internet Group Management Protocol (IGMP) packet type. |
SAMPLING_INTERVAL |
34 |
4 |
When using sampled NetFlow, the rate at which packets are sampled. For example, a value of 100 indicates that one of every 100 packets is sampled. |
SAMPLING_ALGORITHM |
35 |
1 |
The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling. |
FLOW_ACTIVE_TIMEOUT |
36 |
2 |
Timeout value (in seconds) for active flow entries in the NetFlow cache. |
FLOW_INACTIVE_TIMEOUT |
37 |
2 |
Timeout value (in seconds) for inactive flow entries in the NetFlow cache. |
ENGINE_TYPE |
38 |
1 |
Type of flow switching engine: RP = 0, VIP/Linecard = 1. |
ENGINE_ID |
39 |
1 |
ID number of the flow switching engine. |
TOTAL_BYTES_EXP |
40 |
N |
Counter with length N x 8 bits for the number of bytes exported by the Observation Domain. Default: 4. |
TOTAL_PKTS_EXP |
41 |
N |
Counter with length N x 8 bits for the number of packets exported by the Observation Domain. Default: 4. |
TOTAL_FLOWS_EXP |
42 |
N |
Counter with length N x 8 bits for the number of flows exported by the Observation Domain. Default: 4. |
* Vendor Proprietary* |
43 |
|
|
IPV4_SRC_PREFIX |
44 |
4 |
IPv4 source address prefix (specific for Catalyst architecture). |
IPV4_DST_PREFIX |
45 |
4 |
IPv4 destination address prefix (specific for Catalyst architecture). |
MPLS_TOP_LABEL_TYPE |
46 |
1 |
MPLS Top Label Type: 0x00 UNKNOWN, 0x01 TE-MIDPT, 0x02 ATOM, 0x03 VPN, 0x04 BGP, 0x05 LDP. |
MPLS_TOP_LABEL_IP_ADDR |
47 |
4 |
Forwarding Equivalent Class corresponding to the MPLS Top Label. |
FLOW_SAMPLER_ID |
48 |
1 |
Identifier shown in show flow-sampler. |
FLOW_SAMPLER_MODE |
49 |
1 |
The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE. |
FLOW_SAMPLER_RANDOM_INTERVAL |
50 |
4 |
Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE. |
* Vendor Proprietary* |
51 |
|
|
MIN_TTL |
52 |
1 |
Minimum TTL on incoming packets of the flow. |
MAX_TTL |
53 |
1 |
Maximum TTL on incoming packets of the flow. |
IPV4_IDENT |
54 |
2 |
The IPv4 identification field. |
DST_TOS |
55 |
1 |
Type of Service byte setting when exiting outgoing interface. |
IN_SRC_MAC |
56 |
6 |
Incoming source MAC address. |
OUT_DST_MAC |
57 |
6 |
Outgoing destination MAC address. |
SRC_VLAN |
58 |
2 |
Virtual LAN identifier associated with ingress interface. |
DST_VLAN |
59 |
2 |
Virtual LAN identifier associated with egress interface. |
IP_PROTOCOL_VERSION |
60 |
1 |
Internet Protocol version. Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed. |
DIRECTION |
61 |
1 |
Flow direction: 0 - ingress flow, 1 - egress flow. |
IPV6_NEXT_HOP |
62 |
16 |
IPv6 address of the next-hop router. |
BGP_IPV6_NEXT_HOP |
63 |
16 |
Next-hop router in the BGP domain. |
IPV6_OPTION_HEADERS |
64 |
4 |
Bit-encoded field identifying IPv6 option headers found in the flow. |
* Vendor Proprietary* |
65 |
|
|
* Vendor Proprietary* |
66 |
|
|
* Vendor Proprietary* |
67 |
|
|
* Vendor Proprietary* |
68 |
|
|
* Vendor Proprietary* |
69 |
|
|
MPLS_LABEL_1 |
70 |
3 |
MPLS label at position 1 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_2 |
71 |
3 |
MPLS label at position 2 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_3 |
72 |
3 |
MPLS label at position 3 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_4 |
73 |
3 |
MPLS label at position 4 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_5 |
74 |
3 |
MPLS label at position 5 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_6 |
75 |
3 |
MPLS label at position 6 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_7 |
76 |
3 |
MPLS label at position 7 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_8 |
77 |
3 |
MPLS label at position 8 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_9 |
78 |
3 |
MPLS label at position 9 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
MPLS_LABEL_10 |
79 |
3 |
MPLS label at position 10 in the stack. This comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit. |
IN_DST_MAC |
80 |
6 |
Incoming destination MAC address. |
OUT_SRC_MAC |
81 |
6 |
Outgoing source MAC address. |
IF_NAME |
82 |
N |
Shortened interface name. For example, FE1/0. Default specified in template. |
IF_DESC |
83 |
N |
Full interface name. For example, FastEthernet 1/0. Default specified in template. |
SAMPLER_NAME |
84 |
N |
Name of the flow sampler. Default specified in template. |
IN_PERMANENT_BYTES |
85 |
N |
Running byte counter for a permanent flow. Default specified in template. |
IN_PERMANENT_PKTS |
86 |
N |
Running packet counter for a permanent flow. Default: 4. |
* Vendor Proprietary* |
87 |
|
|
FRAGMENT_OFFSET |
88 |
2 |
The fragment-offset value from fragmented IP packets. |
FORWARDING STATUS |
89 |
1 |
Forwarding status with values: Unknown 0; Normal forwarding 1; Forward fragmented 2; Drop 16; Drop ACL Deny 17; Drop ACL drop 18; Drop Unroutable 19; Drop Adjacency 20; Drop Fragmentation & DF set 21; Drop Bad header checksum 22; Drop Bad total Length 23; Drop Bad Header Length 24; Drop bad TTL 25; Drop Policer 26; Drop WRED 27; Drop RPF 28; Drop For us 29; Drop Bad output interface 30; Drop Hardware 31; Terminate 128; Terminate Punt Adjacency 129; Terminate Incomplete Adjacency 130; Terminate For us 131. |
Data FlowSet Format
The following is an example of the Data FlowSet format.
Example B-2 Data FlowSet Format
Table B-27 describes the Version 9 Data FlowSet format.
Table B-27 Version 9 Data FlowSet Format
Field Name
|
Description
|
FlowSet ID = Template ID |
A FlowSet ID precedes each group of records within a Version 9 data FlowSet. The FlowSet ID maps to a (previously received) template ID. The collector and display applications should use the FlowSet ID to map the appropriate type and length to any field values that follow. |
Length |
The length of the data FlowSet. Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of any included data records. |
Record N - Field N |
The remainder of the Version 9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the FlowSet ID/template ID. |
Padding |
Should be inserted to align the end of the FlowSet on a 32-bit boundary. Note that the Length field includes these padding bits. |
When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot be parsed without a corresponding template ID. If a data FlowSet that does not have an appropriate template ID is received, the record should be discarded.
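A collector-side decoder for the rules in Table B-27, as an added example (not code from the original document or from Cisco). The names `parse_data_flowset`, `TEMPLATES` and `FlowSetError`, the template contents and the sample bytes are all constructed for illustration. It bounds-checks the Length field, discards records when no template is cached, and treats more than 3 trailing bytes as a template mismatch rather than padding.

```python
import ipaddress
import struct

# Template cache: template ID -> [(field type, length in bytes), ...], as learned
# from an earlier template FlowSet. Constructed sample using Table B-26 types:
# 8 IPV4_SRC_ADDR, 7 L4_SRC_PORT, 4 PROTOCOL, 1 IN_BYTES.
TEMPLATES = {256: [(8, 4), (7, 2), (4, 1), (1, 4)]}
IPV4_TYPES = {8, 15, 18}  # some of the 4-byte IPv4 address types in Table B-26

class FlowSetError(ValueError):
    """Raised when a FlowSet cannot be parsed safely."""

def parse_data_flowset(buf, templates):
    """Decode one data FlowSet from buf; return (records, bytes_consumed)."""
    if len(buf) < 4:
        raise FlowSetError("truncated FlowSet header")
    flowset_id, length = struct.unpack("!HH", buf[:4])
    # Length counts the FlowSet ID and Length fields, the records and padding.
    if length < 4 or length > len(buf):
        raise FlowSetError("Length field points outside the datagram")
    if flowset_id <= 255:
        raise FlowSetError("FlowSet ID %d is not a data FlowSet" % flowset_id)
    template = templates.get(flowset_id)
    if template is None:
        return [], length  # no template yet: discard the records, skip ahead
    record_len = sum(flen for _, flen in template)
    if record_len == 0:
        raise FlowSetError("template describes zero-length records")
    records, offset = [], 4
    while offset + record_len <= length:
        record = {}
        for ftype, flen in template:
            raw = buf[offset:offset + flen]
            offset += flen
            if ftype in IPV4_TYPES and flen == 4:
                record[ftype] = str(ipaddress.IPv4Address(raw))
            else:
                record[ftype] = int.from_bytes(raw, "big")
        records.append(record)
    if length - offset > 3:  # padding only aligns to 32 bits, so at most 3 bytes
        raise FlowSetError("trailing bytes exceed padding; template may be stale")
    return records, length

# Constructed sample: two 11-byte records plus 2 padding bytes, Length = 28.
SAMPLE = (struct.pack("!HH", 256, 28)
          + struct.pack("!4sHBI", bytes([192, 0, 2, 10]), 443, 6, 1500)
          + struct.pack("!4sHBI", bytes([198, 51, 100, 7]), 53, 17, 120)
          + b"\x00\x00")
```

Returning the consumed length even when the template is unknown lets the caller step to the next FlowSet in the same datagram instead of dropping the whole packet.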
Options Template Format
One additional record type is very important within the NetFlow Version 9 specification: an options template (and its corresponding options data record). Rather than supplying information about IP flows, options are used to supply "meta-data" about the NetFlow process itself. The format of the options template is detailed in Example B-1.
Example B-3 Options Template Format
Table B-28 describes the Version 9 options template format.
Table B-28 Version 9 Options Template Format
Field Name
|
Description
|
FlowSet ID = 1 |
Used to distinguish template records from data records. A template record always has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID which is greater than 255. |
Length |
The total length of this FlowSet. Because an individual template FlowSet can contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet. Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet. |
Template ID |
As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID. The Template ID is greater than 255. Template IDs lower than 255 are reserved. |
Option Scope Length |
The length in bytes of any scope fields contained in this options template (the use of scope is described below). |
Options Length |
The length (in bytes) of any Options field definitions contained in this options template. |
Scope Field 1 Type |
The relevant portion of the NetFlow process to which the options record refers. Currently defined values follow: 0x0001 System; 0x0002 Interface; 0x0003 Line Card; 0x0004 NetFlow Cache; 0x0005 Template. For example, sampled NetFlow can be implemented on a per-interface basis, so if the options record were reporting on how sampling is configured, the scope for the report would be 0x0002 (interface). |
Scope Field 1 Length |
The length (in bytes) of the Scope field, as it would appear in an options record. |
Option Field 1 Type |
Represents the type of the field that appears in the options record. Possible values are detailed in Table B-26. |
Option Field 1 Length |
The length (in bytes) of the field, as it would appear in an options record. |
Padding |
Should be inserted to align the end of the FlowSet on a 32-bit boundary. Note that the Length field includes these padding bits. |
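A parser for the options template layout in Table B-28, as an added example (not code from the original document or from Cisco). The function and exception names and the sample bytes are constructed for illustration; the sample describes an interface-scoped options record carrying SAMPLING_INTERVAL (34) and SAMPLING_ALGORITHM (35). It assumes each scope or option field definition is a 2-byte type followed by a 2-byte length, and it validates Option Scope Length and Options Length against the FlowSet Length before reading any definitions.

```python
import struct

SCOPE_NAMES = {1: "System", 2: "Interface", 3: "Line Card",
               4: "NetFlow Cache", 5: "Template"}

class OptionsTemplateError(ValueError):
    """Raised when an options template FlowSet is malformed."""

def _pairs(buf, offset, nbytes):
    """Read nbytes of (type, length) definitions starting at offset."""
    return [struct.unpack_from("!HH", buf, pos)
            for pos in range(offset, offset + nbytes, 4)]

def parse_options_template_flowset(buf):
    """Return {template_id: {"scope": [...], "options": [...]}} for one FlowSet."""
    if len(buf) < 4:
        raise OptionsTemplateError("truncated FlowSet header")
    flowset_id, length = struct.unpack_from("!HH", buf, 0)
    if flowset_id != 1:
        raise OptionsTemplateError("not an options template FlowSet")
    if length < 4 or length > len(buf):
        raise OptionsTemplateError("Length field points outside the datagram")
    templates, offset = {}, 4
    while offset + 6 <= length:  # fewer than 6 bytes left can only be padding
        template_id, scope_len, option_len = struct.unpack_from("!HHH", buf, offset)
        offset += 6
        if template_id <= 255:
            raise OptionsTemplateError("reserved template ID %d" % template_id)
        # Assumption: every definition is a 2-byte type plus a 2-byte length.
        if scope_len % 4 or option_len % 4:
            raise OptionsTemplateError("definitions are not a multiple of 4 bytes")
        if offset + scope_len + option_len > length:
            raise OptionsTemplateError("field definitions overrun the FlowSet")
        scope = [(SCOPE_NAMES.get(t, t), n) for t, n in _pairs(buf, offset, scope_len)]
        offset += scope_len
        options = _pairs(buf, offset, option_len)
        offset += option_len
        templates[template_id] = {"scope": scope, "options": options}
    return templates

# Constructed sample: template 257, one scope field, two option fields,
# 2 padding bytes; Length = 4 + 6 + 4 + 8 + 2 = 24.
SAMPLE_OPTIONS = (struct.pack("!HHHHH", 1, 24, 257, 4, 8)
                  + struct.pack("!HH", 2, 4)
                  + struct.pack("!HHHH", 34, 4, 35, 1)
                  + b"\x00\x00")
```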