I had a customer this week asking me about the NF_F_EVENT_TIME_MSEC field which is kicked out in the bidirectional NetFlow exported by the Cisco ASA.  He couldn’t see it in FlowView of Scrutinizer NetFlow Analyzer.  Flow View allows you to see all fields exported by the NetFlow Template.  Boy did I chase my tail looking into this one. 

Remember, we support both NetFlow v9 and IPFIX.  Because they are so similar we decided to use the IPFIX field names to save data when there are conflicts or inconsistencies in the naming conventions.

When there is a conflict we use the names from the IANA IPFIX standard rather than the Cisco NetFlow field names.  We only use NF_* or other Cisco names when no standard name exists.

If you ever use FlowView, you will notice that there are column names containing “time” in FlowView for the ASA. There are two columns: intervalTime (the time we write the flow. A column we manufacture.) and observationTimeMiliseconds (time offset of flow as exported from the device).

 

The observationTimeMilliseconds column is the NF_F_EVENT_TIME_MSEC value. Our NetFlow Collector labels it observationTimeMilliseconds because of what I stated above (i.e. IPFIX is the standard).

The two elements in question are just different names for the same thing (this should always be the case).  They are actually epochs, but in milliseconds.

323 NF_F_EVENT_TIME_MSEC
The time that the event occurred, which comes from IPFIX. Use 324 for
time in microseconds, and 325 for time in nanoseconds. Time has been
counted as milliseconds since 0000 UTC January 1, 1970.

323 observationTimeMilliseconds
This Information Element specifies the absolute time in milliseconds of
an observation.

I hope this helps. I believe best at netflow and sFlow tools for network traffic analysis should be leaning toward standards based solutions. With IPFIX, Cisco is pretty much leading the charge anyway.

Michael Patterson
Scrutinizer Product Manager
Tags: Best at NetFlow, ipfix, NetFlow Collector, Network Traffic Analysis, NF_F_EVENT_TIME_MSEC, observationTimeMilliseconds, sFlow tools

This entry was posted on Saturday, March 20th, 2010 at 8:33 pm and is filed under NetFlow Analyzer, Network Traffic Analysis. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.