Caligare home |
What's Netflow |
Netflow export format
NetFlow exports data flow information in UDP datagrams in one of following formats:
Version 1 (V1) is the original format supported in the initial NetFlow releases.
Version 5 (V5) is an enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers.
Version 6 (V6) is similar to version 7. This version is not used in the new IOS releases.
Version 7 (V7) is an enhancement that exclusively supports NetFlow with Cisco Catalyst 5000 series switches equipped with a NetFlow feature card (NFFC). V7 is not compatible with Cisco routers.
Version 8 (V8) is an enhancement that adds router-based aggregation schemes.
Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol Security (IPSec), and Multi Protocol Label Switching (MPLS).
Versions 2, 3 and 4 either were not released.
In Versions 1, 5, 6, and 7, the datagram consists of a header and one or more flow records. The first field of the header contains the version number of the export datagram. Typically, a receiving application that accepts any of the format versions allocates a buffer large enough for the largest possible datagram from any of the format versions and then uses the header to determine how to interpret the datagram. The second field in the header contains the number of records in the datagram and should be used to search through the records.
We recommend that receiving applications perform a sanity check on datagrams to ensure that the datagrams are from a valid NetFlow source. You should first check the size of the datagram to verify that it is at least long enough to contain the version and count fields. You should next verify that the version is valid (1, 5, 6, 7, or 8) and that the number of received bytes is enough for the header and count flow records (using the appropriate version).
Because NetFlow export uses UDP to send export datagrams, it is possible for datagrams to be lost. To determine whether flow export information has been lost, Version 5, 6, 7, and Version 8 headers contain a flow sequence number. The sequence number is equal to the sequence number of the previous datagram plus the number of flows in the previous datagram. After receiving a new datagram, the receiving application can subtract the expected sequence number from the sequence number in the header to derive the number of missed flows.
Datagram format Version 8 offers five router-based aggregation schemes allowing you to summarize export data on the router before the data is exported to the collector. The result is lower bandwidth requirements and reduced platform requirements for NetFlow data collection devices. Router-based aggregation enables on-router aggregation by maintaining one or more extra NetFlow caches with different combinations of fields that determine which traditional flows are grouped together. These extra caches are called aggregation caches. As flows expire from the main flow cache, they are added to each enabled aggregation cache. The normal flow ager process runs on each active aggregation cache the same way it runs on the main cache. On-demand aging is also supported.
(c) 2003-2006 Caligare s.r.o.
Last-modified: May 10 2006