documentsn.com

A P P E N D I XANetFlow Field Types and Database FormatsIntroductionThis chapter describes the fields contained in NetFlow records (NFR). It also details the formats andfield contents of NetFlow Records data tables: NetFlow Field Types, page A-1 Database Tables: Formats and Field Contents, page A-8NetFlow Field TypesThe following sections detail the different types of NetFlow fields: NetFlow Field Types for RPT USAGE NF Table, page A-1 NetFlow Field Types for RPT TRANSACTION NF, page A-3 NetFlow Field Types for RPT GLB USAGE NF Table:, page A-5 NetFlow Field Types for CONF TZ OFFSET NF Table, page A-6 NetFlow Field Types for NF INI VALUES Table, page A-6NetFlow Field Types for RPT USAGE NF TableUsage Records are records of the different type of applications running over a specificinterface. The operator can use Usage records to monitor how much bandwidth the different applications use. The Usage Records show this application usage over a specific timeperiod, the peak and average usages, and usage for a specific application type.Table A-1 describes NetFlow Field Types for RPT USAGE NF Table:Table A-1Summary of NetFlow Field Types for RPT USAGE NF TableField NameValueTypeDescriptiontime stamp-TIMESTAMPDB Insertion timestamp valuehead time stamp-INT32Packet timestamp from ASR1KCisco Application Visibility and Control Collection Manager User GuideOL-24187-04A-1

Appendix A NetFlow Field Types and Database FormatsNetFlow Field Types for RPT USAGE NF TableTable A-1Summary of NetFlow Field Types for RPT USAGE NF TableField NameValueTypeDescriptionhead source id-INT32Contains the IP address of the CiscoASR1K platform that generated theNFRclass id51UINT32Reserved for future use.application id95INT32The unique id for applicationingressInterface10UINT32The index of the IP interface wherepackets of this Flow are beingreceived.egressInterface14UINT32The index of the IP interface wherepackets of this Flow are being sent.flowDirection61UINT8The direction of the Flow observed atthe Observation Point. There areonly two UINT32The relative timestamp of the firstpacket of this Flow. It indicates thenumber of milliseconds since the last(re-)initialization of the IPFIXDevice (sysUpTime).flowEndSysUpTime21UINT32The relative timestamp of the lastpacket of this Flow. It indicates thenumber of milliseconds since the last(re-)initialization of the IPFIXDevice (sysUpTime)packetDeltaCount2UINT64The number of incoming packetssince the previous report (if any) forthis Flow at the Observation Point.in bytes3UINT64Total number bytes received sincethe previous report (if any) for thisFlow at the Observation Point.connectionCountNew278UINT 32This information element counts thenumber of TCP or UDP connectionswhich were opened during theobservation period. The observationperiod may be specified by the flowstart and end timestamps.connectionSumDuration279UINT64This information element aggregatesthe total time in seconds for all of theTCP or UDP connections which werein use during the observation period.For example if there are 5 concurrentconnections each for 10 seconds, thevalue would be 50 s.Cisco Application Visibility and Control Collection Manager User GuideA-2OL-24187-04

Appendix A NetFlow Field Types and Database FormatsNetFlow Field Types for RPT TRANSACTION NFTable A-1Summary of NetFlow Field Types for RPT USAGE NF TableField NameValueTypeDescriptioningressVRFID234UINT32A unique identifier of the VRFnamewhere the packets of this flow arebeing received. This identifier isunique per Metering ProcessipVersion60UINT8The IP version field in the IP packetheader.NetFlow Field Types for RPT TRANSACTION NFA transaction is a set of logical exchanges between endpoints. There is normally one transaction withina flow. The Transaction Record monitors the traffic at transaction levels. Transaction Records provide adetailed analysis of the traffic flows, including extracted Layer 7 fields. Due to the high load oftransactions these records are sample or filtered. Transaction Records are bound to the input and outputdirections of the network side interfaces. These Transaction Records allow the system to capture eachunidirectional flow once.Table A-2 describes NetFlow Field Types for RPT TRANSACTION NF Table:Table A-2NetFlow Field Types for RPT TRANSACTION NFField NameValueTypeDescriptiontime stamp-TIMESTAMPDB Insertion timestamp valuehead time stamp-INT32Packet timestamp from ASR1Khead src id-INT32Contains the IP address of theCisco ASR1K platform thatgenerated the NFRconn tx id280UINT64A unique ID for the transactionapplication id95INT32The unique id for applicationingressInterface10UINT32The index of the IP interfacewhere packets of this Flow arebeing received.egressInterface14UINT32The index of the IP interfacewhere packets of this Flow arebeing sent.flowDirection61UINT8The direction of the Flowobserved at the ObservationPoint. There are only two UINT32The relative timestamp of thefirst packet of this Flow. Itindicates the number ofmilliseconds since the last(re-)initialization of the IPFIXDevice (sysUpTime).Cisco Application Visibility and Control Collection Manager User GuideOL-24187-04A-3

Appendix A NetFlow Field Types and Database FormatsNetFlow Field Types for RPT TRANSACTION NFTable A-2NetFlow Field Types for RPT TRANSACTION NFField NameValueTypeDescriptionflowEndSysUpTime 21UINT32The relative timestamp of thelast packet of this Flow. Itindicates the number ofmilliseconds since the last(re-)initialization of the IPFIXDevice (sysUpTime)packetDeltaCount2UINT 64The number of incoming packetssince the previous report (if any)for this Flow at the ObservationPoint.in bytes3UINT64Total number bytes receivedsince the previous report (if any)for this Flow at the ObservationPoint.src ipv4 addr8UINT32The IPv4 source address in the IPpacket header.src port7UINT16The source port identifier in thetransport header.dst ipv4 addr12UINT32The IPv4 destination address inthe IP packet header.dst port11UINT16The destination port identifier inthe transport header.protocol id4UINT8The value of the protocol numberin the IP packet header.flow id48UINT64Reserved for future use.flow end reason136UINT8The reason for Flow termination.biflow direction239UINT8A description of the directionassignment method used toassign the Biflow Source andDestination.ingressVRFID234UINT32A unique identifier of theVRFname where the packets ofthis flow are being received.This identifier is unique perMetering ProcessipVersion60UINT8The IP version field in the IPpacket header.sourceIPv6Address27UINT32The IPv6 source address in the IPpacket header.destinationIPv6Address28UINT32The IPv6 destination address inthe IP packet header.Cisco Application Visibility and Control Collection Manager User GuideA-4OL-24187-04

Appendix A NetFlow Field Types and Database FormatsNetFlow Field Types for RPT GLB USAGE NF Table:NetFlow Field Types for RPT GLB USAGE NF Table:Global usage records are the records of many applications running over an interface. You can usethem to monitor the total traffic over the network, monitor the usage of all the applications over aspecific time period, or monitor the peak and average usages of all the applications over an interface.Table A-3 describes NetFlow Field Types for RPT GLB USAGE NF Table:Table A-3NetFlow Field Types for RPT GLB USAGE NF TableField NameValueTypeDescriptiontime stamp-TIMESTAMPDB Insertion timestamp valuehead time stamp-INT32Packet timestamp from ASR1Khead source id-INT32Contains the IP address of theCisco ASR1K platform thatgenerated the NFRclass id51UINT32Reserved for future use.ingressInterface10UINT32The index of the IP interfacewhere packets of this Flow arebeing received.egressInterface14UINT32The index of the IP interfacewhere packets of this Flow arebeing sent.flowDirection61UINT8The direction of the Flowobserved at the ObservationPoint. There are only two UINT32The relative timestamp of thefirst packet of this Flow. Itindicates the number ofmilliseconds since the last(re-)initialization of the IPFIXDevice (sysUpTime).flowEndSysUpTime 21UINT32The relative timestamp of thelast packet of this Flow. Itindicates the number ofmilliseconds since the last(re-)initialization of the IPFIXDevice (sysUpTime)packetDeltaCount2UINT 64The number of incoming packetssince the previous report (if any)for this Flow at the ObservationPoint.in bytes3UINT64Total number bytes receivedsince the previous report (if any)for this Flow at the ObservationPoint.Cisco Application Visibility and Control Collection Manager User GuideOL-24187-04A-5

Appendix A NetFlow Field Types and Database FormatsNetFlow Field Types for CONF TZ OFFSET NF TableNetFlow Field Types for RPT GLB USAGE NF TableTable A-3Field 2This information element countsthe number of TCP or UDPconnections which were openedduring the observation period.The observation period may bespecified by the flow start andend timestamps.connectionSumDura 279tionUINT 64This information elementaggregates the total time inseconds for all of the TCP orUDP connections which were inuse during the observationperiod. For example if there are 5concurrent connections each for10 seconds, the value would be50 s.ingressVRFID234UINT32An unique identifier of theVRFname where the packets ofthis flow are being received. Thisidentifier is unique per MeteringProcess.ipVersion60UINT8The IP version field in the IPpacket header.NetFlow Field Types for CONF TZ OFFSET NF TableTable A-4 describes NetFlow Field Types for CONF TZ OFFSET NF Table:Table A-4NetFlow Field Types for CONF TZ OFFSET NF TableField NameTypeDescriptiontime stampTIMESTAMPDB insertion timestamp valueoffset minINT16Offset value in minutesNetFlow Field Types for NF INI VALUES TableTable A-5 describes NetFlow Field Types for NF INI VALUES Table:Cisco Application Visibility and Control Collection Manager User GuideA-6OL-24187-04

Appendix A NetFlow Field Types and Database FormatsNetFlow Field Types for NF INI VALUES Table:Table A-5NetFlow Field Types for NF INI VALUES TableField NameTypeDescriptiontime stampTIMESTAMPDB insertion timestamp valuenf ipSTRINGIdentification of the ASR1Kplatform where these valueswere applied.value typeINT16Key Name/Value family type.The possible values are:5 -Source address 32-bit / dottednotation101 - Input interface ID / InputInterface Name102 - Input interface ID / InputInterface Description103 - Output interface ID /Output Interface Name104 - Output interface ID /Output Interface Description111 -Application ID /Application Name112 -Application ID /Application Description114 - Application ID / CategoryName115 - Application ID / Sub Category Name116 - Application ID /Application Group117 - Application ID / Attribute:p2p-technology118 - Application ID / Attribute:tunnel119- Application ID / Attribute:encrypted131 - Sampler ID / Sampler Infovalue keySTRINGKey name.For example: Gold, SilvervalueINT32Numeric reference.Cisco Application Visibility and Control Collection Manager User GuideOL-24187-04A-7