NetFlow exports flow information in UDP datagrams in one of three formats:

- Version 1: the original format supported in the initial NetFlow releases.
- Version 5: a later enhancement that added Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers.
- Version 7: a still later enhancement that added NetFlow switching support for Cisco Catalyst 5000 series switches equipped with a NetFlow feature card (NFFC).

Versions 2 through 4 and Version 6 were either not released or are not supported by FlowCollector.
In all three versions, the datagram consists of a header and one or more flow records. The first field of the header contains the version number of the export datagram. Typically, a receiving application that accepts any of the format versions allocates a buffer large enough for the largest possible datagram from any of the format versions and then uses the header to determine how to interpret the datagram. The second field in the header contains the number of records in the datagram and should be used to index through the records.
All fields in the three format versions are in network byte order. Table B-1 and Table B-2 describe the Version 1 header and flow record format, respectively. Table B-3 and Table B-4 describe the Version 5 header and flow record format, respectively. Table B-5 and Table B-6 describe the Version 7 header and flow record format, respectively.
Cisco recommends that receiving applications perform a "sanity check" on datagrams to ensure that the datagrams are from a valid NetFlow source. You should first check the size of the datagram to verify that it is at least long enough to contain the version and count fields. You should next verify that the version is valid (1, 5, or 7) and that the number of received bytes is enough for the header and count flow records (using the appropriate version).
Because NetFlow export uses UDP to send export datagrams, it is possible for datagrams to be lost. To determine whether flow export information has been lost, the Version 5 and Version 7 headers contain a flow sequence number. The sequence number is equal to the sequence number of the previous datagram plus the number of flows in the previous datagram. After receiving a new datagram, the receiving application can subtract the expected sequence number from the sequence number in the header to derive the number of missed flows.
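The receiver-side sanity check and the sequence-gap arithmetic described above, as an added Python example (not code from the FlowCollector documentation). The header and record lengths follow the format tables; the sample datagrams, flow records and helper names (`sanity_check`, `track_sequence`, `parse_v5_record`, `build_v5`) are constructed here for illustration.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Header and flow-record lengths in bytes, from the v1/v5/v7 format tables.
HEADER_LEN = {1: 16, 5: 24, 7: 24}
RECORD_LEN = {1: 48, 5: 48, 7: 52}
SEQ_MOD = 1 << 32  # flow_sequence is a 32-bit counter and wraps
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"  # v5 flow record layout, network byte order

def sanity_check(datagram: bytes) -> Tuple[int, int]:
    """Receiver-side checks recommended above; returns (version, count) or raises."""
    if len(datagram) < 4:
        raise ValueError("too short to hold the version and count fields")
    version, count = struct.unpack("!HH", datagram[:4])
    if version not in HEADER_LEN:
        raise ValueError(f"unsupported export version {version}")
    needed = HEADER_LEN[version] + count * RECORD_LEN[version]
    if len(datagram) < needed:
        raise ValueError(f"v{version}: {count} flows need {needed} bytes, got {len(datagram)}")
    return version, count

def track_sequence(expected: Optional[int], datagram: bytes) -> Tuple[int, int]:
    """(flows missed before this datagram, sequence expected next); expected=None on first datagram."""
    version, count = sanity_check(datagram)
    if version == 1:
        raise ValueError("v1 export carries no flow_sequence; loss cannot be detected")
    seq = struct.unpack("!I", datagram[16:20])[0]  # bytes 16-19 in both v5 and v7 headers
    missed = 0 if expected is None else (seq - expected) % SEQ_MOD
    return missed, (seq + count) % SEQ_MOD

def parse_v5_record(datagram: bytes, index: int) -> dict:
    """Decode the most useful fields of v5 flow record number `index`."""
    off = HEADER_LEN[5] + index * RECORD_LEN[5]
    f = struct.unpack(V5_RECORD, datagram[off:off + RECORD_LEN[5]])
    return {"srcaddr": str(IPv4Address(f[0])), "dstaddr": str(IPv4Address(f[1])),
            "dPkts": f[5], "dOctets": f[6], "srcport": f[9], "dstport": f[10],
            "tcp_flags": f[12], "prot": f[13], "src_as": f[15], "dst_as": f[16]}

def v5_record(src: str, dst: str, sport: int, dport: int, prot: int, pkts: int, octets: int) -> bytes:
    """Constructed sample v5 flow record (ifindex in/out 1/2, /24 masks, PSH|ACK flags)."""
    return struct.pack(V5_RECORD, IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                       1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0)

def build_v5(seq: int, records: list) -> bytes:
    """Constructed sample v5 datagram: 24-byte header carrying flow_sequence `seq`."""
    header = struct.pack("!HHIIIIBBH", 5, len(records), 0, 0, 0, seq, 0, 0, 0)
    return header + b"".join(records)
```

Feeding two consecutive datagrams with sequence numbers 100 (2 flows) and 105 (3 flows) to `track_sequence` reports 3 missed flows, because the second datagram was expected to carry sequence 102.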

Table B-1 Version 1 Header Format

| Bytes | Contents | Description |
|---|---|---|
| 0-1 | version | NetFlow export format version number |
| 2-3 | count | Number of flows exported in this packet (1-24) |
| 4-7 | SysUptime | Current time in milliseconds since the export device booted |
| 8-11 | unix_secs | Current count of seconds since 0000 UTC 1970 |
| 12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970 |

Table B-2 Version 1 Flow Record Format

| Bytes | Contents | Description |
|---|---|---|
| 0-3 | srcaddr | Source IP address |
| 4-7 | dstaddr | Destination IP address |
| 8-11 | nexthop | IP address of next hop router |
| 12-13 | input | SNMP index of input interface |
| 14-15 | output | SNMP index of output interface |
| 16-19 | dPkts | Packets in the flow |
| 20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 24-27 | First | SysUptime at start of flow |
| 28-31 | Last | SysUptime at the time the last packet of the flow was received |
| 32-33 | srcport | TCP/UDP source port number or equivalent |
| 34-35 | dstport | TCP/UDP destination port number or equivalent |
| 36-37 | pad1 | Unused (zero) bytes |
| 38 | prot | IP protocol type (for example, TCP=6; UDP=17) |
| 39 | tos | IP type of service (ToS) |
| 40 | flags | Cumulative OR of TCP flags |
| 41-43 | pad1, pad2, pad3 | Unused (zero) bytes |
| 44-47 | reserved | Unused (zero) bytes |

Table B-3 Version 5 Header Format

| Bytes | Contents | Description |
|---|---|---|
| 0-1 | version | NetFlow export format version number |
| 2-3 | count | Number of flows exported in this packet (1-30) |
| 4-7 | SysUptime | Current time in milliseconds since the export device booted |
| 8-11 | unix_secs | Current count of seconds since 0000 UTC 1970 |
| 12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970 |
| 16-19 | flow_sequence | Sequence counter of total flows seen |
| 20 | engine_type | Type of flow-switching engine |
| 21 | engine_id | Slot number of the flow-switching engine |
| 22-23 | reserved | Unused (zero) bytes |

Table B-4 Version 5 Flow Record Format

| Bytes | Contents | Description |
|---|---|---|
| 0-3 | srcaddr | Source IP address |
| 4-7 | dstaddr | Destination IP address |
| 8-11 | nexthop | IP address of next hop router |
| 12-13 | input | SNMP index of input interface |
| 14-15 | output | SNMP index of output interface |
| 16-19 | dPkts | Packets in the flow |
| 20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 24-27 | First | SysUptime at start of flow |
| 28-31 | Last | SysUptime at the time the last packet of the flow was received |
| 32-33 | srcport | TCP/UDP source port number or equivalent |
| 34-35 | dstport | TCP/UDP destination port number or equivalent |
| 36 | pad1 | Unused (zero) bytes |
| 37 | tcp_flags | Cumulative OR of TCP flags |
| 38 | prot | IP protocol type (for example, TCP=6; UDP=17) |
| 39 | tos | IP type of service (ToS) |
| 40-41 | src_as | Autonomous system number of the source, either origin or peer |
| 42-43 | dst_as | Autonomous system number of the destination, either origin or peer |
| 44 | src_mask | Source address prefix mask bits |
| 45 | dst_mask | Destination address prefix mask bits |
| 46-47 | pad2 | Unused (zero) bytes |

Table B-5 Version 7 Header Format

| Bytes | Contents | Description |
|---|---|---|
| 0-1 | version | NetFlow export format version number |
| 2-3 | count | Number of flows exported in this flow frame (protocol data unit, or PDU) |
| 4-7 | SysUptime | Current time in milliseconds since the export device booted |
| 8-11 | unix_secs | Current seconds since 0000 UTC 1970 |
| 12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970 |
| 16-19 | flow_sequence | Sequence counter of total flows seen |
| 20-23 | reserved | Unused (zero) bytes |

Table B-6 Version 7 Flow Record Format

| Bytes | Contents | Description |
|---|---|---|
| 0-3 | srcaddr | Source IP address; in case of destination-only flows, set to zero |
| 4-7 | dstaddr | Destination IP address |
| 8-11 | nexthop | Next hop router; always set to zero |
| 12-13 | input | SNMP index of input interface; always set to zero |
| 14-15 | output | SNMP index of output interface |
| 16-19 | dPkts | Packets in the flow |
| 20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 24-27 | First | SysUptime, in seconds, at start of flow |
| 28-31 | Last | SysUptime, in seconds, at the time the last packet of the flow was received |
| 32-33 | srcport | TCP/UDP source port number; set to zero if flow mask is destination-only or source-destination |
| 34-35 | dstport | TCP/UDP destination port number; set to zero if flow mask is destination-only or source-destination |
| 36 | flags | Flags indicating, among other things, what flow fields are invalid |
| 37 | tcp_flags | TCP flags; always set to zero |
| 38 | prot | IP protocol type (for example, TCP=6; UDP=17); set to zero if flow mask is destination-only or source-destination |
| 39 | tos | IP type of service; switch sets it to the ToS of the first packet of the flow |
| 40-41 | src_as | Source autonomous system number, either origin or peer; always set to zero |
| 42-43 | dst_as | Destination autonomous system number, either origin or peer; always set to zero |
| 44 | src_mask | Source address prefix mask; always set to zero |
| 45 | dst_mask | Destination address prefix mask; always set to zero |
| 46-47 | flags | Flags indicating, among other things, what flows are invalid |
| 48-51 | router_sc | IP address of the router that is short-cut by the Catalyst 5000 series switch. This is the same address the router uses when it sends NetFlow export packets. This IP address is propagated to all switches shortcutting the router through the FCP protocol. |