
NetFlow Overview: What is a NetFlow Template Flowset?

In Part 3 of the NetFlow Overview series, I will be discussing the NetFlow Template FlowSet. In Part 1 I covered NetFlow basics, and then Scott addressed NetFlow packet headers in Part 2 of this series.

The following definitions are taken from Cisco’s NetFlow Version 9 Flow-Record Format whitepaper.

• Export packet - Built by a device (for example, a router) with NetFlow services enabled, this type of packet is addressed to another device (for example, a NetFlow collector). This other device processes the packet (parses, aggregates, and stores information on IP flows).

• Packet header - The first part of an export packet, the packet header provides basic information about the packet, such as the NetFlow version, number of records contained within the packet, and sequence numbering, enabling lost packets to be detected.

• FlowSet - Following the packet header, an export packet contains information that must be parsed and interpreted by the collector device. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet. There are two different types of FlowSets: template and data. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet.

• Template FlowSet - A template FlowSet is a collection of one or more template records that have been grouped together in an export packet.

• Template record - A template record is used to define the format of subsequent data records that may be received in current or future export packets. It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet. A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache.

• Template ID - The template ID is a unique number that distinguishes this template record from all other template records produced by the same export device. A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness.

NetFlow Version 9 Export Packet

(Figure: NetFlow v9 Export Packet format)

NetFlow v9 Template FlowSet Format

(Figure: NetFlow v9 Template FlowSet format)

NetFlow v9 Template FlowSet Field Descriptions

(Figure: NetFlow v9 Template FlowSet field descriptions)

Note the following:

• Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.

• Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways: a template can be resent every N export packets, or it can be sent on a timer so that it is refreshed every N minutes. Both options are user configurable.
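As an added example (not code from this post or from Cisco), here is a small Python parser that does what the definitions above require of a collector: it caches template records keyed by the exporter address (and the packet's source ID, as RFC 3954 specifies), and decodes a data FlowSet only when a matching template is already cached, reporting data that arrives before its template instead of guessing at its layout. The sample packet, its field list and the exporter addresses are constructed for this example; the byte layout follows the NetFlow v9 format.

```python
import struct

# Constructed sample: a Template FlowSet (ID 0) defining Template 256, then a Data FlowSet (ID 256) using it.
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
TEMPLATE_FIELDS = [(8, 4), (12, 4), (1, 4), (7, 2), (11, 2)]  # (field type, length) pairs

def build_sample_packet(include_template=True):
    """Build a v9 export packet; include_template=False sends only the Data FlowSet."""
    tmpl = struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl  # FlowSet ID 0 = template
    rec = bytes([10, 0, 0, 1]) + bytes([192, 0, 2, 7]) + struct.pack("!IHH", 1500, 443, 51234)
    data_set = struct.pack("!HH", 256, 4 + len(rec)) + rec  # 16-byte record, no padding needed
    sets = (tmpl_set if include_template else b"") + data_set
    return HEADER.pack(9, 2 if include_template else 1, 1000, 1700000000, 1, 0) + sets

def parse_packet(exporter, data, cache):
    """Parse one packet. cache: (exporter, source_id, template_id) -> fields. Returns (records, missing)."""
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    off, records, missing = HEADER.size, [], []
    while off + 4 <= len(data):
        set_id, length = struct.unpack_from("!HH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("FlowSet length runs past the packet")  # truncated or oversized set
        body = data[off + 4:off + length]
        if set_id == 0:  # Template FlowSet: cache every template record, keyed by exporter too
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if nfields == 0:  # reached trailing padding
                    break
                if p + 4 + 4 * nfields > len(body):
                    raise ValueError("template record runs past its FlowSet")
                cache[(exporter, source_id, tid)] = [struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif set_id > 255:  # Data FlowSet: decode only with a template cached for this exporter
            fields = cache.get((exporter, source_id, set_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:
                missing.append(set_id)  # template not seen yet (or unusable): skip, never guess
            else:
                for p in range(0, len(body) - rec_len + 1, rec_len):
                    rec, q = {}, p
                    for ftype, flen in fields:
                        rec[ftype], q = body[q:q + flen], q + flen
                    records.append(rec)
        off += length
    return records, missing
```

Feeding the data FlowSet first returns it as missing; once the template packet has been parsed the same data decodes, but a second exporter reusing Template ID 256 still gets nothing until it sends its own template.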

Sample Template FlowSet Data

(Figure: Template FlowSet data packet capture)

Need help with your NetFlow configurations or need an Advanced NetFlow Monitoring solution? Please contact us for any of your Network Traffic monitoring needs.

Coming up next is Part 4 of the NetFlow v9 Overview series, with Scott defining the NetFlow v9 Data FlowSet.