Flexible NetFlow’s Template FlowSet

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on April 14th, 2010 by Jo-G

Expanding upon my last blog, “Cisco’s Flexible NetFlow and LEGO Blocks“, this week I’d like to show how FNF’s Template FlowSet configuration applies to your NetFlow collection.

In Cisco Systems’ “NetFlow Version 9 Flow-Record Format” whitepaper, Table 6 – NetFlow Version 9 Field Type Definitions lists the fields available to build your NetFlow v9 Template FlowSet.

In the packet capture displayed below, FlowSet 1, Template Id 257, lists the fields included in the Template FlowSet. One of those fields is LAST_SWITCHED (21), where 21 is the numeric value assigned to that Field Type. The value is important, as it is unique to that Field Type.

Why is the value important?  In Scrutinizer, my personal favorite NetFlow collector, we translate the Field Type to a more readable field name using that value.

For example, look at the following screenshot of the Flow View report from Scrutinizer.

We are looking at Flow Template ID 1012 (as shown in the browser tab), with the following fields:

  • intervalTime
  • flowDirection translated from DIRECTION (61)
  • ingressInterface translated from INPUT_SNMP (10)
  • interfaceDescription translated from IF_DESC (83)
  • interfaceName translated from IF_NAME (82)
  • systemScope

This is an excellent example of how you can get more than just NetFlow data from the NetFlow v9 Flexible NetFlow templates. This example provides the interface information. In a case where you do not have access to SNMP on the router, you can still get the interface name and description with the appropriate NetFlow configuration on the router.
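The translation described above, from the Field Type values in a Template FlowSet to field names, can be sketched as follows. This is an added example, not code from Scrutinizer or Cisco: the packet bytes and field lengths are constructed, and the name table holds only the values named in this post plus a few others from the NetFlow v9 field type table. Because export packets arrive over the network, every length and count is checked before it is used.

```python
import struct

# Field Type value -> name. 10, 21, 61, 82 and 83 are the values named in this
# post; the others come from the NetFlow v9 Field Type Definitions table.
FIELD_TYPES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 8: "IPV4_SRC_ADDR",
    10: "INPUT_SNMP", 12: "IPV4_DST_ADDR", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 61: "DIRECTION", 82: "IF_NAME", 83: "IF_DESC",
}

def parse_templates(packet: bytes) -> dict:
    """Return {template_id: [(type_value, name, length), ...]} for one v9 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, off)
        # Untrusted length: reject values that would loop forever or overrun.
        if length < 4 or off + length > len(packet):
            raise ValueError("FlowSet length out of bounds")
        if flowset_id == 0:  # FlowSet ID 0 marks a Template FlowSet
            pos, end = off + 4, off + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if template_id < 256:  # IDs 0-255 are reserved: treat as padding
                    break
                if pos + 4 * field_count > end:
                    raise ValueError("field count exceeds FlowSet length")
                fields = []
                for _ in range(field_count):
                    ftype, flen = struct.unpack_from("!HH", packet, pos)
                    fields.append((ftype, FIELD_TYPES.get(ftype, f"unknown({ftype})"), flen))
                    pos += 4
                templates[template_id] = fields
        off += length
    return templates

# Constructed sample: v9 header followed by one Template FlowSet, Template ID 257.
SAMPLE = (struct.pack("!HHIIII", 9, 1, 0, 0, 1, 0)
          + struct.pack("!HHHH", 0, 28, 257, 5)
          + struct.pack("!10H", 21, 4, 61, 1, 10, 4, 82, 32, 83, 64))

if __name__ == "__main__":
    for tid, fields in parse_templates(SAMPLE).items():
        print(tid, [f"{name} ({value})" for value, name, _ in fields])
```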

As you prepare to configure NetFlow on your routers, check for NetFlow v9 support. Flexible NetFlow is just that – flexible! It provides even more detail for your NetFlow traffic monitoring than you ever thought possible.

- Joanne


3 Responses to “Flexible NetFlow’s Template FlowSet”

  1. NetFlow Analysis and the Top Ten IOS Services You Should Be Using Now! - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] based on standard v5 or v9 formats using the Pre-Defined Flow records or you can set up your own User-defined FlowSet to do such things as getting Interface Names, MAC addresses and VLAN IDS, and much more. You even [...]

  2. What is NetFlow? - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] v9 brings us Flexible NetFlow packets (FNF), which opens the door even wider to dig deep into what is happening on your network [...]

  3. 10 reasons to use Flexible NetFlow - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] Option Templates – although you can do this in NetFlow v9, FnF is taking it to another level.  You can export the interface names (e.g. ifName, ifAlias, ifDesc, etc.) using NetFlow and no longer rely on SNMP. [...]
