NetFlow Overview: What is a NetFlow Template Flowset?

Posted in Netflow Traffic Analysis on February 20th, 2013 by Joanne

In Part 3 of the NetFlow Overview series, I will be discussing the NetFlow Template Flowset.  In Part 1 I covered NetFlow basics, and then Scott addressed NetFlow Packet headers in Part 2 of this series.

The following definitions are taken from Cisco’s NetFlow Version 9 Flow-Record Format whitepaper.

• Export packet: Built by a device (for example, a router) with NetFlow services enabled, this type of packet is addressed to another device (for example, a NetFlow collector). This other device processes the packet (parses, aggregates, and stores information on IP flows).

• Packet header: the first part of an export packet, the packet header provides basic information about the packet, such as the NetFlow version, number of records contained within the packet, and sequence numbering, enabling lost packets to be detected.

• FlowSet: following the packet header, an export packet contains information that must be parsed and interpreted by the collector device. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet. There are two different types of FlowSets: template and data. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet.

• Template FlowSet: a template FlowSet is a collection of one or more template records that have been grouped together in an export packet.

• Template record: a template record is used to define the format of subsequent data records that may be received in current or future export packets. It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet. A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache.

• Template ID: the template ID is a unique number that distinguishes this template record from all other template records produced by the same export device. A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness.

NetFlow Version 9 Export Packet

[Figure: NetFlow v9 Export Packet format]

NetFlow v9 Template FlowSet Format

[Figure: NetFlow v9 Template FlowSet format]

NetFlow v9 Template FlowSet Field Descriptions

[Figure: NetFlow v9 Template FlowSet Field Descriptions]

Note the following:

• Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.

• Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways. A template can be resent every N number of export packets. A template can also be sent on a timer, so that it is refreshed every N number of minutes. Both options are user configurable.
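The caching rule from the Template record and Template ID definitions above, as an added example that is not code from the original post or from Cisco: a collector-side cache keyed on (exporter address, template ID) that learns templates from template FlowSets and decodes data FlowSets only once the matching template is known. The class name `TemplateCache`, the sample packets and the exporter addresses are constructed for illustration; field types 8 (IPV4_SRC_ADDR) and 7 (L4_SRC_PORT) are NetFlow v9 field type values, and template expiry is not modelled.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
class TemplateCache:
    def __init__(self):
        self.templates = {}  # (exporter, template_id) -> [(field_type, length), ...]

    def ingest(self, exporter, packet):
        """Parse one export packet; return the data records that could be decoded."""
        if len(packet) < HEADER.size or HEADER.unpack_from(packet)[0] != 9:
            raise ValueError("not a NetFlow v9 export packet")
        records, off = [], HEADER.size
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("FlowSet length runs past the packet")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:        # template FlowSet
                self._learn(exporter, body)
            elif fs_id > 255:     # data FlowSet; its ID is the template ID
                records += self._decode(exporter, fs_id, body)
            off += fs_len         # other IDs (e.g. options templates) are skipped
        return records

    def _learn(self, exporter, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + 4 * nfields
            if tid < 256 or end > len(body):  # padding or truncated record
                break
            self.templates[(exporter, tid)] = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
            pos = end

    def _decode(self, exporter, tid, body):
        fields = self.templates.get((exporter, tid), [])
        size = sum(length for _, length in fields)
        out, pos = [], 0
        while size and pos + size <= len(body):  # no template yet -> size 0 -> nothing
            rec = {}
            for ftype, length in fields:
                rec[ftype] = body[pos:pos + length]
                pos += length
            out.append(rec)
        return out

# Constructed sample: template 256 = IPV4_SRC_ADDR (type 8, 4 bytes), L4_SRC_PORT (type 7, 2 bytes)
HDR = HEADER.pack(9, 1, 0, 0, 0, 0)
TEMPLATE_PKT = HDR + struct.pack("!8H", 0, 16, 256, 2, 8, 4, 7, 2)
DATA_PKT = HDR + struct.pack("!HH4sHH", 256, 12, bytes([10, 0, 0, 1]), 443, 0)  # 2 pad bytes
```

Data records that arrive before their template are dropped here; a production collector might buffer them until the template is received.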

 

Sample Template FlowSet Data

[Figure: FlowSet Data packet capture]


Coming up next is Part 4 of the NetFlow v9 Overview series, with Scott defining the NetFlow v9 Data FlowSet.

 


Joanne Ghidoni
Sr. Solutions Engineer


2 Responses to “NetFlow Overview: What is a NetFlow Template Flowset?”

  1. Paul Aitken Says:

    Templates tell the collector what information is being exported by the device.

    NFv1 through NFv8 have fixed formats which cannot be changed or added to, so no new information can be exported by these formats. E.g., these can’t export IPv6 or any new metrics such as jitter or application (DPI).

    Whereas the NFv9 and IPFIX template mechanism is extensible: the exporter simply sends a template containing the new fields, which tells the collector exactly what information the device will be exporting.

    Templates contain a list of { type, length } pairs to describe each field that’ll be exported. These might say “a 32-bit IPv4 address”, or “a 16-bit source-port”, or “a 30 byte interface name”.

    Data records contain values which correspond exactly to the definitions in the corresponding template.

  2. Joanne Ghidoni Says:

    Thank you very much, Paul, for expanding upon my blog. The additional information that you have provided has added much value to my blog.
