
Cisco IOS NetFlow

NetFlow Version 9 Flow-Record Format

Last updated: February 2007

Overview

Cisco IOS® NetFlow services provide network administrators with access to information concerning IP flows within their data networks. Exported NetFlow data can be used for a variety of purposes, including network management and planning, enterprise accounting and departmental chargebacks, Internet Service Provider (ISP) billing, data warehousing, combating Denial of Service (DoS) attacks, and data mining for marketing purposes.
The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as NetFlow has matured. The most recent evolution of the NetFlow flow-record format is known as Version 9. The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format. Using templates provides several key benefits:

• Third-party business partners who produce applications that provide collector or display services for NetFlow will not be required to recompile their applications each time a new NetFlow feature is added; instead, they may be able to use an external data file that documents the known template formats

• New features can be added to NetFlow more quickly, without breaking current implementations

• NetFlow is "future-proofed" against new or developing protocols, because the Version 9 format can be adapted to provide support for them

Terminology Used in This Document

One difficulty in describing the NetFlow Version 9 packet format is that many distinct but similar-sounding terms are used to describe portions of the NetFlow output. To eliminate any confusion, these terms are described below:

Export packet: Built by a device (for example, a router) with NetFlow services enabled, this type of packet is addressed to another device (for example, a NetFlow collector). This other device processes the packet (parses, aggregates, and stores information on IP flows).

Packet header: The first part of an export packet, the packet header provides basic information about the packet, such as the NetFlow version, the number of records contained within the packet, and sequence numbering, enabling lost packets to be detected.

FlowSet: Following the packet header, an export packet contains information that must be parsed and interpreted by the collector device. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet. There are two different types of FlowSets: template and data. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet.

Template FlowSet: A collection of one or more template records that have been grouped together in an export packet.

Template record: A template record is used to define the format of subsequent data records that may be received in current or future export packets. It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet. A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache.

Template ID: The template ID is a unique number that distinguishes this template record from all other template records produced by the same export device. A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness.

Data FlowSet: A collection of one or more data records that have been grouped together in an export packet.

Data record: A data record provides information about an IP flow that exists on the device that produced an export packet. Each group of data records (that is, each data FlowSet) references a previously transmitted template ID, which can be used to parse the data contained within the records.

Options template: A special type of template record used to communicate the format of data related to the NetFlow process.

Options data record: A special type of data record (based on an options template) with a reserved template ID that provides information about the NetFlow process itself.

NetFlow Version 9 Packet Layout

The NetFlow Version 9 record format consists of a packet header followed by one or more template or data FlowSets. A template FlowSet provides a description of the fields that will be present in future data FlowSets. These data FlowSets may occur later within the same export packet or in subsequent export packets.
Template and data FlowSets can be intermingled within a single export packet, as illustrated in Table 1.

Table 1. NetFlow Version 9 Export Packet

+---------------+------------------+--------------+--------------+-----+------------------+--------------+
| Packet Header | Template FlowSet | Data FlowSet | Data FlowSet | ... | Template FlowSet | Data FlowSet |
+---------------+------------------+--------------+--------------+-----+------------------+--------------+

The possible combinations that can occur in an export packet follow:

• An export packet that consists of interleaved template and data FlowSets: A collector device should not assume that the template IDs defined in such a packet have any specific relationship to the data FlowSets within the same packet. The collector must always cache any received templates, and examine the template cache to determine the appropriate template ID to interpret a data record.

• An export packet consisting entirely of data FlowSets: After the appropriate template IDs have been defined and transmitted to the collector device, most of the export packets will consist solely of data FlowSets.

• An export packet consisting entirely of template FlowSets: Although this case is the exception, it is possible to receive packets containing only template records. Ordinarily, templates are "piggybacked" onto data FlowSets. However, in some instances only templates are sent. When a router first boots up or reboots, it attempts to synchronize with the collector device as quickly as possible. The router may send template FlowSets at an accelerated rate so that the collector device has sufficient information to interpret any subsequent data FlowSets. Also, template records have a limited lifetime, and they must be periodically refreshed. If the refresh interval for a template occurs and there is no appropriate data FlowSet that needs to be sent to the collector device, an export packet consisting solely of template FlowSets is sent.

The format of both template and data FlowSets is discussed later in this document.

NetFlow Version 9 Packet Header Format

The format of the NetFlow Version 9 packet header remains relatively unchanged from previous versions. It is based on the NetFlow Version 5 packet header and is illustrated in Table 2. Table 3 gives field descriptions.

Table 2. NetFlow Version 9 Packet Header Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Version            |             Count             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         System Uptime                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         UNIX Seconds                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Source ID                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Table 3. NetFlow Version 9 Packet Header Field Descriptions

Version: The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009.

Count: Number of FlowSet records (both template and data) contained within this packet.

System Uptime: Time in milliseconds since this device was first booted.

UNIX Seconds: Seconds since 0000 Coordinated Universal Time (UTC) 1970.

Sequence Number: Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed.

Note: This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented "total flows."

Source ID: The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers.) The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.

Other values that existed in the NetFlow Version 5 and Version 8 packet headers (such as sampling interval and aggregation scheme) are sent in a reserved "options" data record. The format of the options template and options data record is discussed later in this document.
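As an added example (not code from the Cisco document), the following Python parses the 20-byte header laid out in Tables 2 and 3, splits the Cisco Source ID layout into its routing-engine and line-card bytes, and uses the Sequence Number to count missed export packets per (exporter address, Source ID) pair, which is the association the Source ID description recommends. The function and class names, the sample header bytes and the exporter addresses are all constructed for this example.

```python
import struct
from typing import Dict, Tuple

# NetFlow v9 packet header (Table 2): six big-endian fields, 20 bytes in total.
#   Version (2) | Count (2) | System Uptime (4) | UNIX Seconds (4) |
#   Sequence Number (4) | Source ID (4)
HEADER = struct.Struct("!HHIIII")
HEADER_LEN = HEADER.size  # 20
NETFLOW_V9 = 0x0009


def parse_header(packet: bytes) -> dict:
    """Unpack the v9 header and reject packets that are too short or not v9."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte NetFlow v9 header")
    version, count, uptime_ms, unix_secs, sequence, source_id = HEADER.unpack_from(packet, 0)
    if version != NETFLOW_V9:
        raise ValueError(f"not a NetFlow v9 packet (version field = {version})")
    return {
        "version": version,
        "count": count,            # FlowSet records in this packet (Table 3)
        "uptime_ms": uptime_ms,    # milliseconds since the exporter booted
        "unix_secs": unix_secs,    # seconds since 1970-01-01 00:00 UTC
        "sequence": sequence,      # cumulative export-packet counter
        "source_id": source_id,
    }


def decode_source_id(source_id: int) -> Tuple[int, int]:
    """Cisco layout of Source ID: bytes 1-2 reserved (zero), byte 3 = routing
    engine, byte 4 = line card / VIP.  Returns (engine, line_card)."""
    engine = (source_id >> 8) & 0xFF
    line_card = source_id & 0xFF
    return engine, line_card


class SequenceTracker:
    """Detect missed export packets from the Sequence Number field.

    The counter belongs to one NetFlow instance, and a Source ID is only
    unique within one device, so the key is (exporter IP, Source ID)."""

    MODULUS = 1 << 32

    def __init__(self) -> None:
        self.last_seen: Dict[Tuple[str, int], int] = {}

    def observe(self, exporter_ip: str, source_id: int, sequence: int) -> int:
        """Record a packet and return how many packets were missed before it.

        Duplicates and packets whose counter went backwards (reordering) are
        reported as 0 rather than as a gap of almost 2^32."""
        key = (exporter_ip, source_id)
        previous = self.last_seen.get(key)
        if previous is None:
            self.last_seen[key] = sequence
            return 0
        delta = (sequence - previous) % self.MODULUS   # tolerates 32-bit wrap
        if delta == 0 or delta > self.MODULUS // 2:
            return 0   # duplicate or reordered; keep the highest counter seen
        self.last_seen[key] = sequence
        return delta - 1


# Constructed sample header (not a capture): v9, 2 records, uptime 123456 ms,
# exported at UNIX time 1170000000, sequence 100, Source ID engine 1 / slot 2.
SAMPLE_HEADER = HEADER.pack(NETFLOW_V9, 2, 123456, 1170000000, 100, 0x00000102)


def main() -> None:
    hdr = parse_header(SAMPLE_HEADER)
    print(hdr, decode_source_id(hdr["source_id"]))
    tracker = SequenceTracker()
    for seq in (100, 101, 105, 104):
        print("exporter A seq", seq, "missed:", tracker.observe("192.0.2.1", 0x0102, seq))
    for seq in (0xFFFFFFFF, 0, 2):
        print("exporter B seq", seq, "missed:", tracker.observe("192.0.2.2", 0x0102, seq))


if __name__ == "__main__":
    main()
```

A non-zero value from observe() means export packets, and therefore flow records, were lost between the exporter and the collector for that NetFlow instance; two line cards on one router carry different Source IDs and are tracked separately, and two routers that happen to use the same Source ID are kept apart by the exporter address.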

NetFlow Version 9 Template FlowSet Format

One of the key elements in the new NetFlow Version 9 format is the template FlowSet. Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance. Templates are used to describe the type and length of individual fields within a NetFlow data record that match a template ID.
The format of the template FlowSet is described in Table 4, and the field descriptions are given in Table 5.

Table 4. NetFlow Version 9 Template FlowSet Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        FlowSet ID = 0         |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Template ID          |          Field Count          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Field 1 Type          |        Field 1 Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Field 2 Type          |        Field 2 Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              ...              |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Field N Type          |        Field N Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Template ID          |          Field Count          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Field 1 Type          |        Field 1 Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Field 2 Type          |        Field 2 Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              ...              |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Field N Type          |        Field N Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Table 5. NetFlow Version 9 Template FlowSet Field Descriptions

FlowSet ID: The FlowSet ID is used to distinguish template records from data records. A template record always has a FlowSet ID in the range of 0-255. Currently, the template record that describes flow fields has a FlowSet ID of zero and the template record that describes option fields (described below) has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID greater than 255.

Length: Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in Type/Length/Value (TLV) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.

Template ID: As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID.

Templates that define data record formats begin numbering at 256, since 0-255 are reserved for FlowSet IDs.

Field Count: This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.

Field Type: This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco-supplied values are consistent across all platforms that support NetFlow Version 9.

At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths.

The currently defined field types are detailed in Table 6.

Field Length: This number gives the length of the above-defined field, in bytes.

Note the following:

• Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.

• Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways. A template can be resent every N export packets. A template can also be sent on a timer, so that it is refreshed every N minutes. Both options are user configurable.
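The collector rules stated in the packet-layout section and in Table 5 (cache every template record; key it on the exporting device as well as the Template ID; use the TLV Length to step to the next FlowSet whatever its type; do not assume a data FlowSet's template is in the same packet) come together in the added example below, which is not code from the Cisco document. It walks the FlowSets of one export packet, caches template records from FlowSet ID 0, decodes data FlowSets (FlowSet ID above 255) against the cache, skips data FlowSets whose template has not arrived yet, and rejects Length values that could never be valid. Collector, ingest and build_sample_packets are names chosen here; the packets and the small subset of Table 6 field types are constructed for the example, and options templates (FlowSet ID 1) are recognised but not decoded.

```python
import struct
from typing import Dict, List, Tuple

HEADER = struct.Struct("!HHIIII")      # 20-byte v9 packet header, big-endian
FLOWSET_HDR = struct.Struct("!HH")     # FlowSet ID + Length; the same shape as
                                       # (Template ID, Field Count) and
                                       # (Field Type, Field Length) pairs
TEMPLATE_FLOWSET_ID = 0
OPTIONS_TEMPLATE_FLOWSET_ID = 1

# Subset of Table 6 used by the constructed sample below.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}

# Template IDs are unique only per exporting device, so the cache key also
# carries the exporter's IP address and the header's Source ID.
TemplateKey = Tuple[str, int, int]


class Collector:
    def __init__(self) -> None:
        self.templates: Dict[TemplateKey, List[Tuple[int, int]]] = {}
        self.skipped_flowsets = 0   # data FlowSets seen before their template

    def ingest(self, exporter_ip: str, packet: bytes) -> List[dict]:
        """Walk every FlowSet in one export packet and return the data
        records that a cached template could decode."""
        if len(packet) < HEADER.size:
            raise ValueError("packet shorter than the v9 header")
        version, _count, _up, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"unexpected NetFlow version {version}")
        records: List[dict] = []
        offset = HEADER.size
        while offset + FLOWSET_HDR.size <= len(packet):
            flowset_id, length = FLOWSET_HDR.unpack_from(packet, offset)
            # Length is TLV-style and counts these 4 bytes, so anything below
            # 4 (or running past the packet) is corrupt and would stall the walk.
            if length < FLOWSET_HDR.size or offset + length > len(packet):
                raise ValueError(f"bad FlowSet length {length} at offset {offset}")
            body = packet[offset + FLOWSET_HDR.size:offset + length]
            if flowset_id == TEMPLATE_FLOWSET_ID:
                self._cache_templates(exporter_ip, source_id, body)
            elif flowset_id == OPTIONS_TEMPLATE_FLOWSET_ID:
                pass   # options templates are not decoded in this example
            elif flowset_id > 255:
                records.extend(self._decode_data(exporter_ip, source_id, flowset_id, body))
            offset += length   # Length locates the next FlowSet, whatever its type
        return records

    def _cache_templates(self, exporter_ip: str, source_id: int, body: bytes) -> None:
        """One template FlowSet may carry several template records; Field
        Count says where each record ends and the next begins."""
        offset = 0
        while offset + FLOWSET_HDR.size <= len(body):
            template_id, field_count = FLOWSET_HDR.unpack_from(body, offset)
            offset += FLOWSET_HDR.size
            if field_count == 0:
                break   # zero padding at the tail of the FlowSet
            if offset + 4 * field_count > len(body):
                raise ValueError(f"template {template_id} is truncated")
            fields = []
            for _ in range(field_count):
                fields.append(FLOWSET_HDR.unpack_from(body, offset))  # (type, length)
                offset += FLOWSET_HDR.size
            self.templates[(exporter_ip, source_id, template_id)] = fields

    def _decode_data(self, exporter_ip: str, source_id: int,
                     template_id: int, body: bytes) -> List[dict]:
        fields = self.templates.get((exporter_ip, source_id, template_id))
        if fields is None:
            self.skipped_flowsets += 1   # template not seen yet: skip this FlowSet
            return []
        record_len = sum(length for _, length in fields)
        if record_len == 0:
            return []   # a template with no bytes per record can describe nothing
        records: List[dict] = []
        offset = 0
        while offset + record_len <= len(body):   # a shorter remainder is padding
            record = {}
            for field_type, length in fields:
                raw = body[offset:offset + length]
                offset += length
                name = FIELD_NAMES.get(field_type, f"type_{field_type}")
                if field_type in IPV4_FIELDS and length == 4:
                    record[name] = ".".join(str(b) for b in raw)
                else:
                    record[name] = int.from_bytes(raw, "big")  # any N-byte counter
            records.append(record)
        return records


def build_sample_packets() -> Dict[str, bytes]:
    """Constructed sample export packets (not captures) from one exporter."""
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    template = FLOWSET_HDR.pack(256, len(spec)) + b"".join(
        FLOWSET_HDR.pack(t, n) for t, n in spec)
    template_fs = FLOWSET_HDR.pack(TEMPLATE_FLOWSET_ID, 4 + len(template)) + template
    # Two 21-byte records for template 256, padded to a 32-bit boundary.
    rec1 = (bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7])
            + struct.pack("!HHB", 40000, 443, 6) + struct.pack("!II", 1500, 3))
    rec2 = (bytes([192, 0, 2, 11]) + bytes([198, 51, 100, 53])
            + struct.pack("!HHB", 51000, 53, 17) + struct.pack("!II", 80, 1))
    data = rec1 + rec2 + b"\x00" * (-len(rec1 + rec2) % 4)
    data_fs = FLOWSET_HDR.pack(256, 4 + len(data)) + data

    def header(count: int, seq: int) -> bytes:
        return HEADER.pack(9, count, 5000, 1170000000, seq, 0x0100)

    return {"with_template": header(3, 1) + template_fs + data_fs,  # interleaved
            "data_only": header(2, 2) + data_fs}                    # data only
```

Feeding the data-only packet first returns nothing and bumps skipped_flowsets, which is the expected behaviour after a collector restart until the exporter's next template refresh; once the interleaved packet has been seen, the same data-only packet decodes to two records, while the identical bytes from a different exporter address are again skipped because template 256 is cached per device.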

Table 6. NetFlow Version 9 Field Type Definitions

Field Type             | Value | Length (bytes)   | Description
-----------------------+-------+------------------+-------------------------------------------------------------
IN_BYTES               | 1     | N (default is 4) | Incoming counter with length N x 8 bits for the number of bytes associated with an IP flow
IN_PKTS                | 2     | N (default is 4) | Incoming counter with length N x 8 bits for the number of packets associated with an IP flow
FLOWS                  | 3     | N (default is 4) | Number of flows that were aggregated
PROTOCOL               | 4     | 1                | IP protocol byte
SRC_TOS                | 5     | 1                | Type of Service byte setting when entering the incoming interface
TCP_FLAGS              | 6     | 1                | Cumulative of all the TCP flags seen for this flow
L4_SRC_PORT            | 7     | 2                | TCP/UDP source port number, e.g. FTP, Telnet, or equivalent
IPV4_SRC_ADDR          | 8     | 4                | IPv4 source address
SRC_MASK               | 9     | 1                | The number of contiguous bits in the source address subnet mask, i.e. the subnet mask in slash notation
INPUT_SNMP             | 10    | N (default is 2) | Input interface index; higher values of N could be used
L4_DST_PORT            | 11    | 2                | TCP/UDP destination port number, e.g. FTP, Telnet, or equivalent
IPV4_DST_ADDR          | 12    | 4                | IPv4 destination address
DST_MASK               | 13    | 1                | The number of contiguous bits in the destination address subnet mask, i.e. the subnet mask in slash notation
OUTPUT_SNMP            | 14    | N (default is 2) | Output interface index; higher values of N could be used
IPV4_NEXT_HOP          | 15    | 4                | IPv4 address of the next-hop router
SRC_AS                 | 16    | N (default is 2) | Source BGP autonomous system number, where N can be 2 or 4
DST_AS                 | 17    | N (default is 2) | Destination BGP autonomous system number, where N can be 2 or 4
BGP_IPV4_NEXT_HOP      | 18    | 4                | Next-hop router's IP address in the BGP domain
MUL_DST_PKTS           | 19    | N (default is 4) | IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP flow
MUL_DST_BYTES          | 20    | N (default is 4) | IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP flow
LAST_SWITCHED          | 21    | 4                | System uptime at which the last packet of this flow was switched
FIRST_SWITCHED         | 22    | 4                | System uptime at which the first packet of this flow was switched
OUT_BYTES              | 23    | N (default is 4) | Outgoing counter with length N x 8 bits for the number of bytes associated with an IP flow
OUT_PKTS               | 24    | N (default is 4) | Outgoing counter with length N x 8 bits for the number of packets associated with an IP flow
MIN_PKT_LNGTH          | 25    | 2                | Minimum IP packet length on incoming packets of the flow
MAX_PKT_LNGTH          | 26    | 2                | Maximum IP packet length on incoming packets of the flow
IPV6_SRC_ADDR          | 27    | 16               | IPv6 source address
IPV6_DST_ADDR          | 28    | 16               | IPv6 destination address
IPV6_SRC_MASK          | 29    | 1                | Length of the IPv6 source mask in contiguous bits
IPV6_DST_MASK          | 30    | 1                | Length of the IPv6 destination mask in contiguous bits
IPV6_FLOW_LABEL        | 31    | 3                | IPv6 flow label as per the RFC 2460 definition
ICMP_TYPE              | 32    | 2                | Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP Code)
MUL_IGMP_TYPE          | 33    | 1                | Internet Group Management Protocol (IGMP) packet type
SAMPLING_INTERVAL      | 34    | 4                | When using sampled NetFlow, the rate at which packets are sampled, e.g. a value of 100 indicates that one of every 100 packets is sampled
SAMPLING_ALGORITHM     | 35    | 1                | The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling
FLOW_ACTIVE_TIMEOUT    | 36    | 2                | Timeout value (in seconds) for active flow entries in the NetFlow cache
FLOW_INACTIVE_TIMEOUT  | 37    | 2                | Timeout value (in seconds) for inactive flow entries in the NetFlow cache
ENGINE_TYPE            | 38    | 1                | Type of flow switching engine: RP = 0, VIP/Linecard = 1
ENGINE_ID              | 39    | 1                | ID number of the flow switching engine
TOTAL_BYTES_EXP        | 40    | N (default is 4) | Counter with length N x 8 bits for the number of bytes exported by the Observation Domain
TOTAL_PKTS_EXP         | 41    | N (default is 4) | Counter with length N x 8 bits for the number of packets exported by the Observation Domain
TOTAL_FLOWS_EXP        | 42    | N (default is 4) | Counter with length N x 8 bits for the number of flows exported by the Observation Domain
*Vendor Proprietary*   | 43    |                  |
IPV4_SRC_PREFIX        | 44    | 4                | IPv4 source address prefix (specific to the Catalyst architecture)
IPV4_DST_PREFIX        | 45    | 4                | IPv4 destination address prefix (specific to the Catalyst architecture)
MPLS_TOP_LABEL_TYPE    | 46    | 1                | MPLS Top Label Type: 0x00 UNKNOWN, 0x01 TE-MIDPT, 0x02 ATOM, 0x03 VPN, 0x04 BGP, 0x05 LDP
MPLS_TOP_LABEL_IP_ADDR | 47    | 4                | Forwarding Equivalence Class corresponding to the MPLS Top Label
FLOW_SAMPLER_ID        | 48    |                  |