Caligare home |
What's Netflow |
Formats |
RFC |
Configuration |
Applications |
Links |
Netflow Forum
Netflow packet Version 8 (V8)
version 1 |
version 5 |
version 6 |
version 7 |
version 8 |
version 9
Flow header format
| Bytes | Contents | Description |
|---|
| 0-1 | version | NetFlow export format version number |
| 2-3 | count | Number of flows exported in this packet (1-30) |
| 4-7 | sys_uptime | Current time in milliseconds since the export device booted |
| 8-11 | unix_secs | Current count of seconds since 0000 UTC 1970 |
| 12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970 |
| 16-19 | flow_sequence | Sequence counter of total flows seen |
| 20 | engine_type | Type of flow switching engine |
| 21 | engine_id | ID number of the flow switching engine |
| 22 | aggregation | Aggregation method being used |
| 23 | agg_version | Version of the aggregation export |
| 24-27 | reserved | Unused (zero) bytes |
Router AS Flow Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-21 | src_as | Source autonomous system number, either origin or peer; always set to zero |
| 22-23 | dst_as | Destination autonomous system number, either origin or peer; always set to zero |
| 24-25 | input | SNMP index of input interface; always set to zero |
| 26-27 | output | SNMP index of output interface |
Router ProtoPort Flow Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination |
| 21 | pad | Unused (zero) bytes |
| 22-23 | reserved | Unused (zero) bytes |
| 24-25 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination |
| 26-27 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination |
Router DstPrefix Flow Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-23 | dst_prefix | Destination IP address prefix |
| 24 | dst_mask | Destination address prefix mask; always set to zero |
| 25 | pad | Unused (zero) bytes |
| 26-27 | dst_as | Destination autonomous system number, either origin or peer; always set to zero |
| 28-29 | output | SNMP index of output interface |
| 30-31 | reserved | Unused (zero) bytes |
Router SrcPrefix Flow Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-23 | src_prefix | Source IP address prefix |
| 24 | src_mask | Source address prefix mask; always set to zero |
| 25 | pad | Unused (zero) bytes |
| 26-27 | src_as | Source autonomous system number, either origin or peer; always set to zero |
| 28-29 | input | SNMP index of input interface; always set to zero |
| 30-31 | reserved | Unused (zero) bytes |
Router Prefix Flow Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-23 | src_prefix | Source IP address prefix |
| 24-27 | dst_prefix | Destination IP address prefix |
| 28 | dst_mask | Source address prefix mask; always set to zero |
| 29 | src_mask | Destination address prefix mask; always set to zero |
| 30-31 | reserved | Unused (zero) bytes |
| 32-33 | src_as | Source autonomous system number, either origin or peer; always set to zero |
| 34-35 | dst_as | Destination autonomous system number, either origin or peer; always set to zero |
| 36-37 | input | SNMP index of input interface; always set to zero |
| 38-39 | output | SNMP index of output interface |
TosAS Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-21 | src_as | Source autonomous system number, either origin or peer; always set to zero |
| 22-23 | dst_as | Destination autonomous system number, either origin or peer; always set to zero |
| 24-25 | input | SNMP index of input interface; always set to zero |
| 26-27 | output | SNMP index of output interface |
| 28 | tos | Type of service |
| 29 | pad | Unused (zero) bytes |
| 30-31 | reserved | Unused (zero) bytes |
TosProtoPort Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination |
| 21 | tos | IP Type of Service |
| 22-23 | reserved | Unused (zero) bytes |
| 24-25 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination |
| 26-27 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination |
| 28-29 | input | SNMP index of input interface |
| 30-31 | output | SNMP index of output interface |
PrePortProtocol Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dpkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-23 | src_prefix | Source IP address prefix |
| 24-27 | dst_prefix | Destination IP address prefix |
| 28 | dst_mask | Destination address prefix mask |
| 29 | src_mask | Source address prefix mask |
| 30 | tos | IP Type of Service |
| 31 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination |
| 32-33 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination |
| 34-35 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination |
| 36-37 | input | SNMP index of input interface |
| 38-39 | output | SNMP index of output interface |
TosSrcPrefix Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-23 | src_prefix | Source IP address prefix |
| 24 | src_mask | Source address prefix mask |
| 25 | tos | IP Type of Service |
| 26-27 | src_as | Source autonomous system number, either origin or peer |
| 28-29 | input | SNMP index of input interface |
| 30-31 | reserved | Reserved for future use |
TosDstPrefix Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-23 | dst_prefix | Destination IP address prefix |
| 24 | dst_mask | Destination address prefix mask |
| 25 | tos | IP Type of Service |
| 26-27 | dst_as | Destination autonomous system number, either origin or peer |
| 28-29 | output | SNMP index of output interface |
| 30-31 | reserved | Unused (zero) bytes |
TosPrefix Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | flows | Number of flows |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-23 | src_prefix | Source IP address prefix |
| 24-27 | dst_prefix | Destination IP address prefix |
| 28 | dst_mask | Destination address prefix mask |
| 29 | src_mask | Source address prefix mask |
| 30 | tos | IP Type of Service |
| 31 | pad | Unused (zero) bytes |
| 32-33 | src_as | Source autonomous system number, either origin or peer |
| 34-35 | dst_as | Destination autonomous system number, either origin or peer |
| 36-37 | input | SNMP index of input interface |
| 38-39 | output | SNMP index of output interface |
DestOnly Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | dstaddr | Destination IP address |
| 4-7 | dPkts | Packets in the flow |
| 8-11 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 12-15 | first | SysUptime, in seconds, at start of flow |
| 16-19 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 20-21 | output | SNMP index of output interface |
| 22 | tos | IP Type of Service |
| 23 | marked_tos | Type of Service of the packets that exceeded the contract |
| 24-27 | extraPkts | Packets that exceed the contract |
| 28-31 | router_sc | IP address of the router that is bypassed by the Catalyst 5000 series
switch. This is the same address the router uses when it sends
NetFlow export packets. This IP address is propagated to all
switches bypassing the router through the FCP protocol. |
SrcDst Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | dstaddr | Destination IP address |
| 4-7 | srcaddr | Source IP address; in case of destination-only flows, set to zero |
| 8-11 | dPkts | Packets in the flow |
| 12-15 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 16-19 | first | SysUptime, in seconds, at start of flow |
| 20-23 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 24-25 | output | SNMP index of output interface |
| 26-27 | input | SNMP index of input interface |
| 28 | tos | IP Type of Service |
| 29 | marked_tos | Type of Service of the packets that exceeded the contract |
| 30-31 | reserved | Unused (zero) bytes |
| 32-35 | extraPkts | Packets that exceed the contract |
| 36-39 | router_sc | IP address of the router that is bypassed by the Catalyst 5000 series
switch. This is the same address the router uses when it sends
NetFlow export packets. This IP address is propagated to all
switches bypassing the router through the FCP protocol. |
FullFlow Record Format
| Bytes | Contents | Description |
|---|
| 0-3 | dstaddr | Destination IP address |
| 4-7 | srcaddr | Source IP address; in case of destination-only flows, set to zero |
| 8-9 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination |
| 10-11 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination |
| 12-15 | dPkts | Packets in the flow |
| 16-19 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 20-23 | first | SysUptime, in seconds, at start of flow |
| 24-27 | last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 28-29 | output | SNMP index of output interface |
| 30-31 | input | SNMP index of input interface |
| 32 | tos | IP Type of Service |
| 33 | prot | IP protocol type (for example, TCP = 6; UDP = 17); set to zero if flow mask is destination-only or source-destination |
| 34 | marked_tos | Type of Service of the packets that exceeded the contract |
| 35 | pad | Unused (zero) bytes |
| 36-39 | extraPkts | Packets that exceed the contract |
| 40-43 | router_sc | IP address of the router that is bypassed by the Catalyst 5000 series
switch. This is the same address the router uses when it sends
NetFlow export packets. This IP address is propagated to all
switches bypassing the router through the FCP protocol. |
(c) 2003-2006 Caligare s.r.o.
http://www.caligare.com
Last-modified: May 10 2006
|