This is like TLV formatting, except the values recur in groups (records), so rather than repeat the type and length for each group, they appear once in the template, and then the values appear (data records), saving space.
NETFLOW PACKET EXAMPLE
On the right side, there is an example of a NetFlow packet (Version 9). NetFlow mainly has five different versions: V1, V5, V7, V8 and V9.
PART 1: Header
a. Version: Version number
Version 9 is 0x0009
b. Count: Number of FlowSet records in this packet.
In this example, the value is 4 (there should be 4 FlowSets), which indicates that only two FlowSets are shown and the other two are not drawn in this figure.
c. System Uptime: Runtime since this device was first booted (ms)
d. UNIX Second: Seconds since 0000 Coordinated Universal Time (UTC) 1970
e. Package Sequence: The cumulative number of export packets sent by this export device
f. Source ID: A unique 32-bit value used to distinguish all flows
PART 2: Template FlowSet
a. Flow Set ID: A unique Flow Set ID (range of 0-255)
b. Length: The total length of this FlowSet
c. Template ID: A unique Template ID
d. Field Count: The number of fields in this template record.
In this example, 5 means there are five fields, shown below
Field 1: IPv4_SRC_ADDR: IPv4 source address (Value=8, Length=4)
Field 2: IPv4_DST_ADDR: IPv4 destination address (Value=12, Length=4)
Field 3: IPv4_NEXT_HOP: IPv4 address of next-hop router (Value=15, Length=4)
Field 4: PKTS_32: Incoming counter with length 32*8 bits for the number of packets associated with an IP Flow
Field 5: BYTES_32: Incoming counter with length 32*8 bits for number of bytes associated with an IP Flow
PART 3: Data FlowSet
a. Flow Set ID = Template ID: It maps to a Template ID because the data should match the Template FlowSet
b. Length: In this example, the length is 64 bytes (3*(5*4)+4=64: 3 is the number of connections, 5 is the number of fields in each data record, 4 is the length in bytes of each field, and the final 4 is the ID and Length fields)
The rest of the numbers are parameter values corresponding to each parameter type and length defined in the Template FlowSet.
Systems usually take a 5-tuple flow as the criterion for Flow record classification: source and destination addresses, source and destination ports, and protocol type.
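The header, Template FlowSet and Data FlowSet layout described above, as an added example (not code from the original page or from Cisco): a minimal collector-side parser in Python, run over a constructed packet, that bounds-checks every length before using it. Template ID 256, the header values, the documentation-range addresses and field types 2 and 1 for the two counters are assumptions not given on the page.

```python
import struct
from ipaddress import IPv4Address

# Field types 8, 12, 15 are from the page; 2 (packets) and 1 (bytes) are the RFC 3954 numbers.
NAMES = {8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR", 15: "IPV4_NEXT_HOP", 2: "PKTS", 1: "BYTES"}

def build_sample():
    """Constructed packet: one template (ID 256, assumed) and three 20-byte data records."""
    fields = [(8, 4), (12, 4), (15, 4), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    recs = b"".join(  # src 192.0.2.i, dst 198.51.100.i, next hop 203.0.113.1, packets, bytes
        bytes([192, 0, 2, i, 198, 51, 100, i, 203, 0, 113, 1]) + struct.pack("!II", 10 * i, 1000 * i)
        for i in (1, 2, 3))
    header = struct.pack("!HHIIII", 9, 4, 360000, 1700000000, 1, 1)  # constructed header values
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(recs)) + recs)  # data length 3*(5*4)+4 = 64

def parse(packet, templates):
    """Decode data records, rejecting any length that runs past the datagram."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("FlowSet length out of bounds")
        body = packet[off + 4:off + set_len]
        if set_id == 0:  # Template FlowSet: store (type, length) pairs per Template ID
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * count
                if end > len(body):
                    raise ValueError("template record truncated")
                templates[tid] = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                pos = end
        elif set_id > 255 and set_id in templates:  # Data FlowSet: ID equals Template ID
            size = sum(n for _, n in templates[set_id])
            if size == 0:
                raise ValueError("template describes zero-length records")
            for start in range(0, len(body) - size + 1, size):
                rec, p = {}, start
                for ftype, n in templates[set_id]:
                    raw, p = body[p:p + n], p + n
                    is_addr = ftype in (8, 12, 15) and n == 4
                    rec[NAMES.get(ftype, ftype)] = str(IPv4Address(raw)) if is_addr else int.from_bytes(raw, "big")
                records.append(rec)
        off += set_len
    return records
```

A Data FlowSet whose template has not been seen yet is skipped rather than guessed at, which is why `parse` takes the template cache as an argument that persists across packets.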
- NetFlow Example: In this figure we will understand the working of the NetFlow protocol, using the example of a NetFlow version 9 export packet.
- Understanding of this example concludes following facts:
Cisco IOS NetFlow Version 9 Flow-Record Format, Cisco, February 2007