The distinguishing feature of the NetFlow Version 9 format is that it
is template based. Templates provide an extensible design to the record format,
a feature that should allow future enhancements to NetFlow services without
requiring concurrent changes to the basic flow-record format.
The NetFlow Version 9 record format consists of a packet header followed
by at least one or more template or data FlowSets. A template FlowSet
provides a description of the fields that will be present in future data
FlowSets. These data FlowSets may occur later within the same export
packet or in subsequent export packets.
One of the key elements in the new Version 9 format is the template FlowSet.
Templates greatly enhance the flexibility of the NetFlow record format,
because they allow a NetFlow collector or display application to process
NetFlow data without necessarily knowing the format of the data in advance.
Templates are used to describe the type and length of individual fields
within subsequent NetFlow data records that match a template ID.
| Field Type | Value | Length (bytes) | Description |
|---|
| IN_BYTES | 1 | N (default is 4) | Incoming counter with length N x 8 bits
for number of bytes associated with an IP Flow. |
| IN_PKTS | 2 | N (default is 4) | Incoming counter with length N x 8 bits
for the number of packets associated with an IP Flow |
| FLOWS | 3 | N | Number of flows that were aggregated; default for N is 4 |
| PROTOCOL | 4 | 1 | IP protocol byte |
| SRC_TOS | 5 | 1 | Type of Service byte setting when entering incoming interface |
| TCP_FLAGS | 6 | 1 | Cumulative of all the TCP flags seen for this flow |
| L4_SRC_PORT | 7 | 2 | TCP/UDP source port number e.g. FTP, Telnet, or equivalent |
| IPV4_SRC_ADDR | 8 | 4 | IPv4 source address |
| SRC_MASK | 9 | 1 | The number of contiguous bits in the source address subnet mask i.e. the
submask in slash notation |
| INPUT_SNMP | 10 | N | Input interface index; default for N is 2 but higher values could
be used |
| L4_DST_PORT | 11 | 2 | TCP/UDP destination port number e.g. FTP, Telnet, or equivalent |
| IPV4_DST_ADDR | 12 | 4 | IPv4 destination address |
| DST_MASK | 13 | 1 | The number of contiguous bits in the destination address subnet mask
i.e. the submask in slash notation |
| OUTPUT_SNMP | 14 | N | Output interface index; default for N is 2 but higher values could
be used |
| IPV4_NEXT_HOP | 15 | 4 | IPv4 address of next-hop router |
| SRC_AS | 16 | N (default is 2) | Source BGP autonomous system number where N could be 2 or 4 |
| DST_AS | 17 | N (default is 2) | Destination BGP autonomous system number where N could be 2 or 4 |
| BGP_IPV4_NEXT_HOP | 18 | 4 | Next-hop router's IP in the BGP domain |
| MUL_DST_PKTS | 19 | N (default is 4) | IP multicast outgoing packet counter with length
N x 8 bits for packets associated with the IP Flow |
| MUL_DST_BYTES | 20 | N (default is 4) | IP multicast outgoing byte counter with length
N x 8 bits for bytes associated with the IP Flow |
| LAST_SWITCHED | 21 | 4 | System uptime at which the last packet of this flow was switched |
| FIRST_SWITCHED | 22 | 4 | System uptime at which the first packet of this flow was switched |
| OUT_BYTES | 23 | N (default is 4) | Outgoing counter with length N x 8 bits for the number
of bytes associated with an IP Flow |
| OUT_PKTS | 24 | N (default is 4) | Outgoing counter with length N x 8 bits for the number
of packets associated with an IP Flow. |
| MIN_PKT_LNGTH | 25 | 2 | Minimum IP packet length on incoming packets of the flow |
| MAX_PKT_LNGTH | 26 | 2 | Maximum IP packet length on incoming packets of the flow |
| IPV6_SRC_ADDR | 27 | 16 | IPv6 Source Address |
| IPV6_DST_ADDR | 28 | 16 | IPv6 Destination Address |
| IPV6_SRC_MASK | 29 | 1 | Length of the IPv6 source mask in contiguous bits |
| IPV6_DST_MASK | 30 | 1 | Length of the IPv6 destination mask in contiguous bits |
| IPV6_FLOW_LABEL | 31 | 3 | IPv6 flow label as per RFC 2460 definition |
| ICMP_TYPE | 32 | 2 | Internet Control Message Protocol (ICMP) packet type; reported
as ((ICMP Type * 256) + ICMP code) |
| MUL_IGMP_TYPE | 33 | 1 | Internet Group Management Protocol (IGMP) packet type |
| SAMPLING_INTERVAL | 34 | 4 | When using sampled NetFlow, the rate at which packets
are sampled e.g. a value of 100 indicates that one of every 100 packets is sampled |
| SAMPLING_ALGORITHM | 35 | 1 | The type of algorithm used for sampled NetFlow: 0x01
Deterministic Sampling ,0x02 Random Sampling |
| FLOW_ACTIVE_TIMEOUT | 36 | 2 | Timeout value (in seconds) for active flow entries in
the NetFlow cache |
| FLOW_INACTIVE_TIMEOUT | 37 | 2 | Timeout value (in seconds) for inactive flow entries in
the NetFlow cache |
| ENGINE_TYPE | 38 | 1 | Type of flow switching engine: RP = 0, VIP/Linecard = 1 |
| ENGINE_ID | 39 | 1 | ID number of the flow switching engine |
| TOTAL_BYTES_EXP | 40 | N (default is 4) | Counter with length N x 8 bits for bytes for
the number of bytes exported by the Observation Domain |
| TOTAL_PKTS_EXP | 41 | N (default is 4) | Counter with length N x 8 bits for bytes for
the number of packets exported by the Observation Domain |
| TOTAL_FLOWS_EXP | 42 | N (default is 4) | Counter with length N x 8 bits for bytes for
the number of flows exported by the Observation Domain |
| * Vendor Proprietary* | 43 | | |
| IPV4_SRC_PREFIX | 44 | 4 | IPv4 source address prefix (specific for Catalyst architecture) |
| IPV4_DST_PREFIX | 45 | 4 | IPv4 destination address prefix (specific for Catalyst architecture) |
| MPLS_TOP_LABEL_TYPE | 46 | 1 | MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT
0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP |
| MPLS_TOP_LABEL_IP_ADDR | 47 | 4 | Forwarding Equivalent Class corresponding to
the MPLS Top Label |
| FLOW_SAMPLER_ID | 48 | 1 | Identifier shown in "show flow-sampler" |
| FLOW_SAMPLER_MODE | 49 | 1 | The type of algorithm used for sampling data: 0x02
random sampling. Use in connection with FLOW_SAMPLER_MODE |
| FLOW_SAMPLER_RANDOM_INTERVAL | 50 | 4 | Packet interval at which to sample. Use in
connection with FLOW_SAMPLER_MODE |
| * Vendor Proprietary* | 51 | | |
| MIN_TTL | 52 | 1 | Minimum TTL on incoming packets of the flow |
| MAX_TTL | 53 | 1 | Maximum TTL on incoming packets of the flow |
| IPV4_IDENT | 54 | 2 | The IP v4 identification field |
| DST_TOS | 55 | 1 | Type of Service byte setting when exiting outgoing interface |
| IN_SRC_MAC | 56 | 6 | Incoming source MAC address |
| OUT_DST_MAC | 57 | 6 | Outgoing destination MAC address |
| SRC_VLAN | 58 | 2 | Virtual LAN identifier associated with ingress interface |
| DST_VLAN | 59 | 2 | Virtual LAN identifier associated with egress interface |
| IP_PROTOCOL_VERSION | 60 | 1 | Internet Protocol Version Set to 4 for IPv4, set to 6
for IPv6. If not present in the template, then version 4 is assumed. |
| DIRECTION | 61 | 1 | Flow direction: 0 - ingress flow, 1 - egress flow |
| IPV6_NEXT_HOP | 62 | 16 | IPv6 address of the next-hop router |
| BPG_IPV6_NEXT_HOP | 63 | 16 | Next-hop router in the BGP domain |
| IPV6_OPTION_HEADERS | 64 | 4 | Bit-encoded field identifying IPv6 option headers
found in the flow |
| * Vendor Proprietary* | 65 | | |
| * Vendor Proprietary* | 66 | | |
| * Vendor Proprietary* | 67 | | |
| * Vendor Proprietary* | 68 | | |
| * Vendor Proprietary* | 69 | | |
| MPLS_LABEL_1 | 70 | 3 | MPLS label at position 1 in the stack |
| MPLS_LABEL_2 | 71 | 3 | MPLS label at position 2 in the stack |
| MPLS_LABEL_3 | 72 | 3 | MPLS label at position 3 in the stack |
| MPLS_LABEL_4 | 73 | 3 | MPLS label at position 4 in the stack |
| MPLS_LABEL_5 | 74 | 3 | MPLS label at position 5 in the stack |
| MPLS_LABEL_6 | 75 | 3 | MPLS label at position 6 in the stack |
| MPLS_LABEL_7 | 76 | 3 | MPLS label at position 7 in the stack |
| MPLS_LABEL_8 | 77 | 3 | MPLS label at position 8 in the stack |
| MPLS_LABEL_9 | 78 | 3 | MPLS label at position 9 in the stack |
| MPLS_LABEL_10 | 79 | 3 | MPLS label at position 10 in the stack |
| IN_DST_MAC | 80 | 6 | Incoming destination MAC address |
| OUT_SRC_MAC | 81 | 6 | Outgoing source MAC address |
| IF_NAME | 82 | N (default specified in template) | Shortened interface name e.g. "FE1/0" |
| IF_DESC | 83 | N (default specified in template) | Full interface name e.g. "FastEthernet 1/0" |
| SAMPLER_NAME | 84 | N (default specified in template) | Name of the flow sampler |
| IN_PERMANENT_BYTES | 85 | N (default is 4) | Running byte counter for a permanent flow |
| IN_PERMANENT_PKTS | 86 | N (default is 4) | Running packet counter for a permanent flow |
| * Vendor Proprietary* | 87 | | |
When extensibility is required, the new field types will be added to the list. The new field
types have to be updated on the Exporter and Collector but the NetFlow export format would
remain unchanged.
In some cases the size of a field type is fixed by definition, for example PROTOCOL, or
IPV4_SRC_ADDR. However, in other cases they are defined as a variant type. This improves the
memory efficiency in the collector and reduces the network bandwidth requirement between the
Exporter and the Collector. As an example, in the case IN_BYTES, on an access router it might
be sufficient to use a 32 bit counter (N = 4), whilst on a core router a 64 bit counter (N = 8)
would be required.
All counters and counter-like objects are unsigned integers of size N * 8 bits.
When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot
be parsed without a corresponding template ID. If a data FlowSet that does not have an
appropriate template ID is received, the record should be discarded.
One additional record type is very important within the NetFlow Version 9 specification:
an options template (and its corresponding options data record). Rather than supplying
information about IP flows, options are used to supply "meta-data" about the NetFlow
process itself. The format of the options template is detailed below.
| Field | Description |
|---|
| flowset_id = 1 |
The flowset_id is used to distinguish template records from data records. A template record
always has a flowset_id of 1. A data record always has a nonzero flowset_id which is greater
than 255.
|
| length |
This field gives the total length of this FlowSet. Because an individual template FlowSet may
contain multiple template IDs, the length value should be used to determine the position of
the next FlowSet record, which could be either a template or a data FlowSet.
Length is expressed in TLV format, meaning that the value includes the bytes used for the
flowset_id and the length bytes themselves, as well as the combined lengths of all template
records included in this FlowSet.
|
| template_id |
As a router generates different template FlowSets to match the type of NetFlow data it will
be exporting, each template is given a unique ID. This uniqueness is local to the router that
generated the template_id. The template_id is greater than 255. Template IDs inferior to 255
are reserved.
|
| option_scope_length |
This field gives the length in bytes of any scope fields contained in this options template
(the use of scope is described below).
|
| options_length |
This field gives the length (in bytes) of any Options field definitions contained in this
options template.
|
| scope_field_N_type |
This field gives the relevant portion of the NetFlow process to which the options record
refers. Currently defined values follow:
- 0x0001 System
- 0x0002 Interface
- 0x0003 Line Card
- 0x0004 NetFlow Cache
- 0x0005 Template
For example, sampled NetFlow can be implemented on a per-interface basis, so if the options
record were reporting on how sampling is configured, the scope for the report would be
0x0002 (interface).
|
| scope_field_N_length |
This field gives the length (in bytes) of the Scope field, as it would appear in an options record.
|
| option_field_N_type |
This numeric value represents the type of the field that appears in the options record.
Possible values are detailed in template flow set format (above).
|
| option_field_N_length |
This number is the length (in bytes) of the field, as it would appear in an options record.
|
| padding |
Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay
attention that the length field will include those padding bits.
|