User Guide for the Cisco NetFlow Generation Appliance
Reference Information

Software Field Description Tables



The window field description tables for the following are included in this section:

"Flow Record Match and Collect Field Descriptions"

"Configure Filter Window Fields"

"Configure Records Window Fields"

"Configure Collector Window Fields"

"Configure Exporter Window Fields"

"Configure Monitor Window Fields"

"Application ID Collect Field Information"

Table B-1 lists the match and collect field descriptions for IPv4, IPv6, and Layer 2 flow records in the user interface, as well as the CLI.

Table B-1 Flow Record Match and Collect Field Descriptions 

GUI and CLI                   IPv4    IPv6    Layer 2

Match Fields (keys of the flow record)
CoS                           X       X       X
Ethertype                     X       X       X
Input SNMP Interface          X       X       X
IP Protocol                   X       X       -
IPv4 Destination Address      X       -       -
IPv4 Source Address           X       -       -
IPv4 TOS                      X       -       -
IPv4 TTL                      X       -       -
IPv6 Destination Address      -       X       -
IPv6 Hop Limit                -       X       -
IPv6 Source Address           -       X       -
IPv6 Traffic Class            -       X       -
Layer 4 Destination Port      X       X       -
Layer 4 Source Port           X       X       -
MAC Destination Address       X       X       X
MAC Source Address            X       X       X
MPLS Label                    X       X       X
Output SNMP Interface         X       X       X
VLAN ID                       X       X       X

Collect Fields
Application ID (1)            X       X       X
Byte Count                    X       X       X
First Timestamp               X       X       X
Flow Label                    -       X       -
IPv4 ICMP Code                X       -       -
IPv4 ICMP Type                X       -       -
IPv6 ICMP Code                -       X       -
IPv6 ICMP Type                -       X       -
Last Timestamp                X       X       X
Network Encapsulation         X       X       X
Packet Count                  X       X       X
TCP Header Flags              X       X       X

(1) See Table B-7 for a list of Application ID values.


Table B-2 lists the field descriptions for the Configure Filter window.

Table B-2 Configure Filter Window Fields 

Field (1)                   Description
Application ID              Application ID [0]. See Table B-7 for a list of values.
CoS                         802.1q priority field value [0-7].
Description                 Provide a description for the flow filter.
Destination IP Address      Destination IP address, or address/prefix value. Either an IPv4 or IPv6 address can be typed into this field.
Destination Layer 4 Ports   Layer 4 destination port number [0-65535].
Destination MAC Address     Destination MAC address or MAC address/prefix (for example: EE:EE:EE:EE:EE:EE or EE:EE:EE:EE:EE:EE/xx).
Ethertype                   Ethertype value [0x0000-0xFFFF/0000-FFFF].
Input SNMP If-Index         Input SNMP If-Index value [0-2147483647].
IP Protocol                 IP protocol number [0-255].
IPv4 ICMP Code              ICMP code for IPv4 [0-255].
IPv4 ICMP Type              ICMP type for IPv4 [0-255].
IPv6 Flow Label             Flow label value for IPv6 traffic [0-1048575].
IPv6 ICMP Code              ICMP code for IPv6 [0-255].
IPv6 ICMP Type              ICMP type for IPv6 [0-255].
MPLS Label                  Top-most MPLS label [0-1048575].
Name                        Enter a unique name to identify this filter configuration. Use up to 63 alpha-numeric characters.
Network Encapsulation       Network encapsulation value [1-7].
Output SNMP If-Index        Output SNMP If-Index value [0-2147483647].
Source IP Address           Source IP address, or address/prefix value. Either an IPv4 or IPv6 address can be typed into this field.
Source Layer 4 Ports        Layer 4 source port number [0-65535].
Source MAC Address          Source MAC address or MAC address/prefix (for example: EE:EE:EE:EE:EE:EE or EE:EE:EE:EE:EE:EE/xx).
TCP Header Flags            TCP flags [0-255].
TOS                         Type of Service for IPv4 traffic [0-255].
TTL                         Time to Live for IPv4 traffic [0-255].
VLAN ID                     VLAN identifier [0-4095].

(1) In general, filtering on an address (IPv4, IPv6, or MAC) supports an address mask. Filtering on other, non-address fields supports a comma-separated list of single values and value ranges (e.g., 1, 3, 9-12).
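The value syntax in Table B-2 can be checked before a filter is entered on the appliance. The following is an added example, not Cisco code: the function names are hypothetical, only a subset of the numeric fields and the two IP address fields are covered (MAC address fields are not), and reading Ethertype values as hexadecimal is an assumption drawn from the range shown in the table.

```python
import ipaddress
import re

# Inclusive value ranges transcribed from Table B-2 (a subset of its fields).
FIELD_RANGES = {
    "CoS": (0, 7),
    "Destination Layer 4 Ports": (0, 65535),
    "Source Layer 4 Ports": (0, 65535),
    "Ethertype": (0x0000, 0xFFFF),
    "IP Protocol": (0, 255),
    "VLAN ID": (0, 4095),
}
ADDRESS_FIELDS = {"Source IP Address", "Destination IP Address"}
_DEC = re.compile(r"[0-9]+")
_HEX = re.compile(r"(?:0[xX])?[0-9A-Fa-f]{1,4}")   # Ethertype: 0x0800 or 0800

def _number(field, token):
    # Ethertype is assumed to be hexadecimal; every other field is decimal.
    pattern, base = (_HEX, 16) if field == "Ethertype" else (_DEC, 10)
    token = token.strip()
    if not pattern.fullmatch(token):
        raise ValueError(f"{field}: {token!r} is not a valid value")
    return int(token, base)

def parse_value_list(field, text):
    """Turn '1, 3, 9-12' into [(1, 1), (3, 3), (9, 12)], enforcing the field's range."""
    low_ok, high_ok = FIELD_RANGES[field]
    spans = []
    for item in text.split(","):
        first, dash, last = item.partition("-")
        low = _number(field, first)
        high = _number(field, last) if dash else low
        if low > high:
            raise ValueError(f"{field}: reversed range {item.strip()!r}")
        if low < low_ok or high > high_ok:
            raise ValueError(f"{field}: {item.strip()!r} is outside [{low_ok}-{high_ok}]")
        spans.append((low, high))
    return spans

def parse_address(text):
    """Accept an IPv4/IPv6 address or address/prefix and return the covered network."""
    return ipaddress.ip_network(text.strip(), strict=False)

def validate(filter_fields):
    """Return {field: error message} for every value that would not be accepted."""
    errors = {}
    for field, text in filter_fields.items():
        try:
            if field in ADDRESS_FIELDS:
                parse_address(text)
            else:
                parse_value_list(field, text)
        except (KeyError, ValueError) as exc:
            errors[field] = str(exc)
    return errors

# Constructed filter definition; the last two entries are deliberately wrong.
SAMPLE = {
    "VLAN ID": "1, 3, 9-12",
    "Ethertype": "0x0800, 86DD",
    "Source IP Address": "10.20.0.0/16",
    "CoS": "5-9",                                  # CoS is [0-7]
    "Destination IP Address": "2001:db8::/129",    # prefix longer than 128 bits
}
```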


Table B-3 lists the field descriptions for the Configure Records window.

Table B-3 Configure Records Window Fields 

Field           Field Description
Name            Enter a unique name to identify this configuration. Use up to 63 alpha-numeric characters.
Description     Enter information about this record.

Type            IPv4                        IPv6                        Layer 2
Match Fields    CoS                         CoS                         CoS
                Ethertype                   Ethertype                   Ethertype
                Input SNMP Interface        Input SNMP Interface        Input SNMP Interface
                IP Protocol                 IP Protocol                 MAC Destination Address
                IPv4 Destination Address    IPv6 Destination Address    MAC Source Address
                IPv4 Source Address         IPv6 Hop Limit              MPLS Label
                IPv4 TOS                    IPv6 Source Address         Output SNMP Interface
                IPv4 TTL                    IPv6 Traffic Class          VLAN ID
                Layer 4 Destination Port    Layer 4 Destination Port    -
                Layer 4 Source Port         Layer 4 Source Port         -
                MAC Destination Address     MAC Destination Address     -
                MAC Source Address          MAC Source Address          -
                MPLS Label                  MPLS Label                  -
                Output SNMP Interface       Output SNMP Interface       -
                VLAN ID                     VLAN ID                     -
Collect Fields  Application ID              Application ID              Application ID
                Byte Count                  Byte Count                  Byte Count
                First Timestamp             First Timestamp             First Timestamp
                IPv4 ICMP Code              Flow Label                  Last Timestamp
                IPv4 ICMP Type              IPv6 ICMP Code              Network Encapsulation
                Last Timestamp              IPv6 ICMP Type              Packet Count
                Network Encapsulation       Last Timestamp              -
                Packet Count                Network Encapsulation       -
                TCP Header Flag             Packet Count                -
                -                           TCP Header Flag             -


Table B-4 lists the field descriptions for the Configure Collector window.

Table B-4 Configure Collector Window Fields 

Field           Field Description
Name            A unique name to identify this configuration. Use up to 63 alpha-numeric characters.
Description     Provide a unique description.
IP Address      IPv4 address of the NetFlow collector. A domain name cannot be used.
UDP Port        UDP port at which the NetFlow collector device is receiving NetFlow packets from Cisco NGA.
DSCP            The Differentiated Services Code Point (DSCP) priority value that Cisco NGA uses when it sends flow records to this collector. This value is related to the quality of service (QoS) policy in use on your network. The default value is 0 and in most cases will not need to be changed.


Table B-5 lists the field descriptions for the Configure Exporter window.

Table B-5 Configure Exporter Window Fields 

Field                       Field Description
Name                        Enter a unique name to identify this configuration. Use up to 63 alpha-numeric characters.
Description                 Up to 120 character description.
NetFlow Version             V5, V9, or IPFIX
Timeout: Template/Options   Configures how often data templates and options templates will be sent to the collectors. For more information about data and options templates, see the NetFlow Version 9 Flow-Record Format white paper.
Policy                      Select multi-destination or round-robin policy.
Export Filters              Select one or more filters that you have already created to be applied to this exporter. Exporter filters selected at this level apply to all collectors in the exporter.
Collector Name              Collector name that you have defined using the steps outlined in Configure Collectors.
Filter                      Select filter or filters to be applied to this particular collector only. Filters specified here at the destination are only applicable if you have selected the policy multi-destination.
Weight                      If a round-robin policy has been chosen to load balance among a group of multiple collectors, this parameter specifies the weight of this individual collector among the group. The number you enter here is the number of NetFlow packets that will be sent to this collector before moving on to start sending to the next collector. For example, if two collectors are associated with this exporter using a round-robin policy, and the weight of collector A is 3 and the weight of collector B is 1, then 3 NetFlow packets will be sent to collector A for every 1 packet that is sent to collector B.


Table B-6 lists the field descriptions for the Configure Monitor window.

Table B-6 Configure Monitor Window Fields 

Field                                 Field Description
Name                                  Enter a unique name to identify this configuration. Use up to 63 alpha-numeric characters.
Description                           Enter any information to identify this monitor.
Export Name                           Enter the name of the exporter with which this monitor is associated.
Data Port                             Select the data ports on which raw network traffic enters this monitor.
Tunnel Mode                           Select either inner or outer tunnel mode. The default value is inner (which is desired in most cases). This parameter determines which IP addresses are used for flows that are tunneled, for example, when there is more than one IP layer present in the packets, such as IPv6 encapsulated within IPv4.
Cache Type                            Select either standard or permanent cache type. The default value is standard (which is desired in most cases). For a standard flow cache, flows expire from the cache according to the setting of the inactive timeout. For a permanent cache, flows never expire from the cache once they are created. This mode is only recommended for deployments where very few flows are expected and you want to ensure that those flows are never flushed from the cache. This is a very rare deployment scenario.
Cache Size (%)                        Enter the cache size for this flow monitor as a percentage of the total cache memory available for the entire Cisco NGA. In many cases, only one flow monitor is activated, and in those cases the value should be set to 100%. If more than one flow monitor is activated, then you may want to customize the memory resources used for each monitor. The default value is 25%, which provides enough storage for at least 16 million simultaneous flows.
Cache Timeout (sec) Active/Inactive   Enter the values for the active timeout and inactive timeout (in seconds). The inactive timeout determines when a flow will be flushed from the cache when packets are no longer observed. The active timeout determines how often the appliance exports records for continuously active flows.
Record Name                           When you configure an exporter for V9 or IPFIX, at least one record is required. You can select up to three records, one of each type (IPv4, IPv6, Layer2). When an IPv4 packet is received by the monitor, it is matched with the IPv4 record if one has been configured; otherwise it is matched to a Layer2 record. If no Layer2 record has been configured, the packet is dropped. When an IPv6 packet is received by the monitor, it is matched with the IPv6 record if one has been configured; otherwise it is matched to a Layer2 record. If no Layer2 record has been configured, the packet is dropped. When a packet is received by the monitor that is neither IPv4 nor IPv6, it is matched to the Layer2 record. If no Layer2 record has been configured, it is dropped. Each dropped packet increments a counter, which can be shown using the CLI command show cache statistics cumulative <monitor-name>. It appears on the row labeled Packets Dropped (no record). For more information, refer to the Command Reference Guide for Cisco NetFlow Generation Appliance.
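The record-matching rules in the Record Name row decide which traffic a monitor never exports. The following is an added example, not Cisco code, that models those rules so a planned record set can be checked for visibility gaps; the function names and the packet list are constructed for illustration.

```python
from collections import Counter

IPV4, IPV6, LAYER2 = "IPv4", "IPv6", "Layer2"
DROPPED = "Packets Dropped (no record)"   # row label quoted from the table above


def select_record(packet_kind, configured):
    """Return the record type a packet is matched to, or None if it is dropped.

    packet_kind: "IPv4", "IPv6", or any other label for a non-IP frame.
    configured:  set of record types attached to the monitor.
    """
    if packet_kind in (IPV4, IPV6) and packet_kind in configured:
        return packet_kind
    # IP packets without their own record, and all non-IP frames, fall back to Layer2.
    return LAYER2 if LAYER2 in configured else None


def account(packets, configured):
    """Tally packets per matched record, plus the no-record drop counter."""
    tally = Counter()
    for kind in packets:
        tally[select_record(kind, configured) or DROPPED] += 1
    return dict(tally)


def blind_spots(configured):
    """Packet kinds this monitor would drop instead of turning into flow records."""
    return [kind for kind in (IPV4, IPV6, "non-IP")
            if select_record(kind, configured) is None]


# Constructed traffic mix: 5 IPv4 packets, 3 IPv6 packets, 2 ARP frames.
PACKETS = [IPV4] * 5 + [IPV6] * 3 + ["ARP"] * 2
```

With only an IPv4 record configured, `account(PACKETS, {"IPv4"})` puts the IPv6 and ARP packets in the drop counter; adding a Layer2 record moves them into Layer 2 flow records instead.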


Table B-7 lists the possible Application ID and Name details for the Application ID Collect field.

Table B-7 Application ID Collect Field Information 

Application ID  Application Name
16777217        icmp
16777218        igmp
16777219        ggp
16777220        ip4inip
16777222        tcp
16777224        egp
16777225        igp
16777232        chaos
16777233        udp
16777238        xns-idp
16777243        rdp
16777244        irtp
16777245        iso-tp4
16777246        netblt
16777249        dccp
16777251        idpr
16777254        idpr-cmtp
16777257        ipv6inip
16777258        sdrp
16777259        ipv6-route
16777260        ipv6-frag
16777261        idrp
16777262        rsvp
16777263        gre
16777264        dsr
16777266        esp
16777267        ah
16777270        narp
16777271        mobile
16777274        ipv6-icmp
16777275        ipv6-nonxt
16777276        ipv6-opts
16777296        iso-ip
16777299        vines
16777304        eigrp
16777305        ospfigp
16777308        mtp
16777309        ax-25
16777310        ipip
16777311        micpa
16777313        etherip
16777314        encap
16777318        pnni
16777319        pim
16777324        ipcomp
16777328        vrrp
16777348        sctp
16777349        fc
16777350        rsvp-e2e-ignore
16777351        mobility-header
16777352        udplite
16777353        mpls-in-ip
16777354        manet
16777355        hip
16777356        shim6
50331655        echo
50331657        discard
50331659        systat
50331661        daytime
50331665        qotd
50331667        chargen
50331668        ftp-data
50331669        ftp
50331670        ssh
50331671        telnet
50331673        smtp
50331685        time
50331686        rap
50331688        rlp
50331690        nameserver
50331691        nicname
50331697        tacacs
50331698        re-mail-ck
50331700        xns-time
50331701        dns
50331702        xns-ch
50331703        isi-gl
50331704        xns-auth
50331706        xns-mail
50331711        whois++
50331713        tacacs-ds
50331714        sql*net
50331715        bootps
50331716        bootpc
50331717        tftp
50331718        gopher
50331727        finger
50331728        http
50331736        kerberos
50331740        npp
50331742        objcall
50331749        hostname
50331750        iso-tsap
50331752        acr-nema
50331753        cso
50331757        pop2
50331758        pop3
50331759        sunrpc
50331761        auth
50331763        sftp
50331765        uucp-path
50331766        sqlserv
50331767        nntp
50331771        ntp
50331776        gss-xlicen
50331777        pwdgen
50331778        cisco-fna
50331779        cisco-tna
50331780        cisco-sys
50331782        ingres-net
50331783        epmap
50331791        imap
50331794        iso-tp0
50331795        iso-tp0
50331798        sql-net
50331800        bftp
50331801        sgmp
50331804        sqlsrv
50331806        pcmail-srv
50331808        sgmp-traps
50331809        snmp
50331810        snmptrap
50331811        cmip-man
50331812        cmip-agent
50331813        xns-courier
50331818        print-srv
50331821        xyplex-mux
50331825        xdmcp
50331826        nextstep
50331827        bgp
50331833        remote-kis
50331834        remote-kis
50331842        irc
50331847        smux
50331849        at-rtmp
50331850        at-nbp
50331852        at-echo
50331854        at-zis
50331857        qmtp
50331858        z39.50
50331861        ipx
50331865        dbase
50331866        mpp
50331868        imap3
50331912        bgmp
50331967        ptp
50332001        ndsauth
50332019        clearcase
50332037        ldap
50332044        netware-ip
50332055        timbuktu
50332075        svrloc
50332082        mobileip-agent
50332083        mobilip-mn
50332091        https
50332092        snpp
50332106        appleqtc
50332112        kpasswd
50332117        rcp
50332144        pim-rp-disc
50332148        isakmp
50332150        asa-appl-proto
50332160        exec
50332161        login
50332162        cmd
50332163        printer
50332164        videotex
50332165        talk
50332166        ntalk
50332167        utime
50332168        router
50332169        ripng
50332171        ibm-db2
50332172        ncp
50332173        timed
50332188        uucp
50332191        klogin
50332192        kshell
50332194        dhcpv6-client
50332195        dhcpv6-server
50332196        afpovertcp
50332202        rtsp
50332211        nntps
50332212        9pfs
50332221        banyan-vip
50332235        submission
50332262        sshell
50332279        ipp
50332284        ldaps
50332287        msdp
50332294        ldp
50332302        aodv
50332314        doom
50332322        acap
50332331        corba-iiop
50332332        corba-iiop-ssl
50332346        olsr
50332348        epp
50332349        lmp
50332353        agentx
50332359        cisco-tdp
50332377        netviewdm
50332397        kerberos-adm
50332398        kerberos-iv
50332402        tell
50332477        pkix-3-ca-ra
50332508        iscsi
50332521        rsync
50332558        kink
50332637        ftps-data
50332638        ftps
50332640        telnets
50332641        imaps
50332642        ircs
50332643        pop3s
50332700        ddt
50332728        socks
50332747        rmiregistry
50332831        llsurfup-http
50332832        llsurfup-https
50332842        openvpn
50332862        kazaa
50332915        epc
50332948        h323hostcallsc
50332992        icap
50333000        lotusnote
50333065        timbuktu-srv
50333081        ms-sql-s
50333082        ms-sql-m
50333137        dmdocbroker
50333142        ica
50333146        sybase-sqlany
50333160        wins
50333173        orasrv
50333195        laplink
50333206        xingmpeg
50333252        icabrowser
50333275        t128-gateway
50333325        groupwise
50333349        l2tp
50333366        h323gatedisc
50333367        h323gatestat
50333368        h323hostcall
50333371        pptp
50333389        cisco-net-mgmt
50333393        remote-winsock
50333396        oracle-em1
50333403        ms-streaming
50333449        msmq
50333460        radius
50333461        radius
50333511        msnp
50333548        ssdp
50333571        pkt-krb-ipsec
50333620        intersys-cache
50333621        dcap
50333626        unisql
50333633        hsrp
50333641        cisco-snmp-tcp-port
50333645        gdp-port
50333646        x25-svc-port
50333647        cisco-ident-port
50333648        cisco-sccp
50333689        interbase
50333697        nfs
50333713        dlsrpn
50333715        dlswpn
50333754        mzap
50333771        gtp-control
50333800        gtp-user
50333838        tivoconnect
50333868        netiq
50333870        ethernet_ip
50333894        pc-mta-addrmap
50333961        iapp
50334030        ms-olap3
50334031        ms-olap4
50334049        cvspserver
50334052        iec-104
50334075        mgcp-gateway
50334140        groove
50334160        citrixima
50334161        citrixadmin
50334192        novell-zen
50334235        masc
50334246        citriximaclient
50334276        dict
50334375        mgcp-callagent
50334423        smpp
50334535        wlccp
50334552        m2ua
50334553        m3ua
50334592        megaco-h248
50334615        ssc-agent
50334662        broker_service
50334664        notify_srvr
50334666        srvc_registry
50334667        resource_mgr
50334698        gds_db
50334778        icpv2
50334793        csi-lfap
50334853        isns
50334873        fcip
50334912        ccmail
50334916        msft-gc
50334917        msft-gc-ssl
50334931        net-assistant
50334936        cops
50334954        mysql
50335000        ssql
50335005        adtech-test
50335020        tip2
50335034        gprs-data
50335037        ms-wbt-server
50335044        printer_agent
50335068        ifcp
50335126        stun
50335131        slim-devices
50335151        lsp-ping
50335192        teredo
50335198        ssmpp
50335213        m2pa
50335280        distcc
50335307        apple-sasl
50335361        tftps
50335432        bfd-control
50335511        asap
50335516        diameter
50335969        rwhois
50336148        ipsec-nat-t
50336217        iax
50336387        ipfix
50336388        ipfixs
50336547        radmin-port
50336650        rfe
50336708        sip
50336709        sip-tls
50336714        stanag-5066
50336798        atmp
50336838        aol
50336870        xmpp-client
50336894        capwap-control
50336895        capwap-data
50336917        xmpp-server
50337080        postgresql
50337279        pcanywheredata
50337280        pcanywherestat
50337326        rrac
50337361        proshare
50337377        openmail
50337548        vnc
50337635        wbem
50337648        x11
50337771        backup-express
50337991        sflow
50337994        gnutella
50338313        ircu
50338648        afs3
50338921        oma-rlp
50338923        oma-ulp
50338924        oma-ilp
50339275        soap-http
50339296        cuseeme
50339748        xprint-server
50339764        cp-cluster
50340091        pcsync-https
50340092        pcsync-http
50340736        sqlexec
50340748        up-bdl.-detester
50340848        wap-wsp
50340849        wap-wsp-wtp
50340850        wap-wsp-s
50340851        wap-wsp-wtp-s
50340852        wap-vcard
50340853        wap-vcal
50340854        wap-vcard-s
50340855        wap-vcal-s
50341523        sapv1
50341548        iua
50341648        ndmp
50341728        amanda
50341936        blocks
50345649        sua
50348032        connected
50351648        dnp
50353493        webphone
50357648        quake
50357909        ezmeeting
50364416        filenet
50379456        bacnet
201326593       ipv4
201326594       arp
201326595       ipv6
201326596       ether2
201326597       llc
201326598       snap
201326600       chaosnet
201326601       wol
201326603       vecho
201326604       dec
201326605       mop
201326606       drp
201326607       lat
201326608       dec-diag
201326609       lavc
201326610       apollo
201326611       rarp
201326612       dstp
201326613       atalk
201326614       aarp
201326615       vlan
201326616       mac-ctrl
201326617       ppp
201326618       gsmp
201326619       mpls
201326620       pppoe
201326621       ans
201326622       3gpp2-a10
201326623       eapol
201326624       hyperscsi
201326625       aoe
201326626       802-1ad
201326627       ieee-802a
201326628       erspan
201326629       rsn-preauth
201326630       tipc
201326631       lldp
201326632       lltd
201326633       802-1ah
201326634       cfm
201326635       fcoe
201326636       sia
201326637       loopback
201326638       sna-th
201326639       stp
201326640       netbeui
201326641       osi
201326642       cisco-snap
201326643       tagswitch
201326644       vsi
201326645       pagp
201326646       cipc
201326647       sstb
201326648       cstb
201326649       l2rly
201326650       udld
201326651       rbcp
201326652       cdp
201326653       cgmp
201326654       vtp
201326655       disl
201326656       ieee-slow-protocols
201326657       mac-sec
201326658       boardwalk
201326659       mdshdr
201326660       goose
201326661       ieee802-15-4
218103808       unclassified
218103809       unknown
218103834       netbios
218103849       syslog
218103855       novadigm
218103869       rtp
218103874       rtcp
218103875       edonkey
218103876       winmx
218103877       bittorrent
218103878       directconnect
218103885       yahoo-messenger
218103886       mapi
218103888       cifs
218103892       sap
218103918       tzsp
218104064       biff
218104065       who
218104066       asf-rmcp
218104073       hotline
218104074       manolito
218104075       soulseek
218104076       napster
218104077       icq
218104078       uma
218104079       quake3
218104140       dce-rpc
218104141       smtps
218104142       mtp3
218104143       sccp
218104144       tup
218104145       isup
218104146       isup-b
218104147       isup-s
218104148       alcap
218104149       bicc
218104150       h245
218104151       portmapper
218104152       rstat
218104153       nis
218104154       mount
218104155       rwall
218104156       yppasswd
218104157       spray
218104158       nlm
218104159       bootparams
218104160       ypxfr
218104161       nfsacl
218104162       nfsauth
218104163       nisplus
218104164       nisplus-cb
218104165       ms-exch-nspi
218104166       ms-frs
218104167       ms-frsapi
218104168       ms-ad-rep
218104169       ms-rfr
218104171       wccp
218104172       quake2
218104173       netflow
218104174       cisco-q931-backhaul
218104175       sametime
218104176       saa-rtr
218104177       cisco-callmanager
218104178       vt-advantage
218104179       3gpp2-a11
218104180       imode
218104181       openft
218104182       zebra
218104183       netsync
218104184       ajp13
218104185       tpcp
218104186       lwapp
218104187       synergy
218104188       lwres
218104189       oicq
218104190       commvault
218104191       ibm-tsm
218104192       legato-networker
218104193       legato-replistor
218104194       veritas-backupexec
218104195       veritas-netbackup
218104196       ms-netmeeting
218104197       vocaltec
218104198       siebel
218104199       apple-ichat
218104200       grouper
218104201       laplink-sharedirect
218104202       qnext
218104203       altiris-carboncopy
218104204       controlit
218104205       danware-netop
218104206       remote-anything
218104207       vmware-vmconsole
218104208       ms-content-repl-srv
218104209       netapp-snapmirror
218104210       pervasive-sql
218104211       liquid-audio
218104212       bmc-patrol
218104213       hp-openview
218104214       ibm-tivoli
218104215       landesk
218104216       netopia-netoctopus
218104217       flowmonitor
218104218       double-take
218104219       netlogon
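The Application ID values in Table B-7 can be decoded on the collector side. The following is an added example, not Cisco code: the guide does not describe how the IDs are built, so the split into an 8-bit classification engine ID and a 24-bit selector, and the engine names, are taken from RFC 6759, with which the table's values are consistent. The function names and flow records are constructed for illustration.

```python
from collections import Counter

# Excerpt of Table B-7; the IDs and names are the table's own.
APP_NAMES = {
    16777217: "icmp", 16777222: "tcp", 16777233: "udp",
    50331670: "ssh", 50331671: "telnet", 50331701: "dns", 50332091: "https",
    201326594: "arp", 218103808: "unclassified", 218103809: "unknown",
    218103877: "bittorrent",
}

# Classification engine names from RFC 6759 (assumption: not listed in the guide).
ENGINES = {1: "IANA-L3", 3: "IANA-L4", 12: "PANA-L2", 13: "PANA-L7"}


def split_app_id(app_id):
    """Split a 32-bit Application ID into (engine ID, selector ID)."""
    if not 0 <= app_id <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit Application ID: {app_id}")
    return app_id >> 24, app_id & 0xFFFFFF


def app_label(app_id):
    """Table name if known, otherwise 'ENGINE:selector' so the ID stays readable."""
    if app_id in APP_NAMES:
        return APP_NAMES[app_id]
    engine, selector = split_app_id(app_id)
    return f"{ENGINES.get(engine, engine)}:{selector}"


def bytes_by_app(records):
    """Sum Byte Count per application label over exported flow records."""
    totals = Counter()
    for rec in records:
        totals[app_label(rec["app_id"])] += rec["bytes"]
    return dict(totals)


def unnamed_flows(records):
    """Flows the appliance marked unclassified or unknown, for manual follow-up."""
    return [r for r in records if app_label(r["app_id"]) in ("unclassified", "unknown")]


# Constructed flow records (Application ID and Byte Count collect fields only).
FLOWS = [
    {"app_id": 50331670, "bytes": 4200},     # ssh: engine 3, selector 22
    {"app_id": 50332091, "bytes": 91000},    # https: engine 3, selector 443
    {"app_id": 50332091, "bytes": 1000},
    {"app_id": 218103809, "bytes": 730},     # unknown: engine 13, selector 1
    {"app_id": 50335037, "bytes": 5120},     # left out of the excerpt on purpose
]
```

For engine 1 the selector is the IP protocol number and for engine 3 it is the Layer 4 port, which is why an ID missing from a local copy of the table, such as the last record above, still decodes to something usable.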