I had a customer this week asking me about the NF_F_EVENT_TIME_MSEC field, which is kicked out in the bidirectional NetFlow exported by the Cisco ASA.  He couldn't see it in FlowView of Scrutinizer NetFlow Analyzer.  FlowView allows you to see all fields exported by the NetFlow template.  Boy did I chase my tail looking into this one.

Remember, we support both NetFlow v9 and IPFIX.  Because the two are so similar (they share the same information element ID space), we decided to store data under the IPFIX field names whenever there is a conflict or inconsistency in the naming conventions.

When there is a conflict we use the names from the IANA IPFIX standard rather than the Cisco NetFlow field names.  We only use NF_* or other Cisco names when no standard name exists.

If you ever use FlowView, you will notice that there are column names containing "time" in FlowView for the ASA. There are two columns: intervalTime (the time we write the flow; a column we manufacture) and observationTimeMilliseconds (the time the event occurred, as exported by the device).

The observationTimeMilliseconds column is the NF_F_EVENT_TIME_MSEC value. Our NetFlow Collector labels it observationTimeMilliseconds because of what I stated above (i.e. IPFIX is the standard).

The two elements in question are just different names for the same thing: element ID 323 in the ASA's NetFlow v9 template is element ID 323 in the IANA IPFIX registry (this should always be the case).  The value is an absolute timestamp, not a relative offset: the number of milliseconds since the Unix epoch.

Cisco's definition of the field:

323 NF_F_EVENT_TIME_MSEC
The time that the event occurred, which comes from IPFIX. Use 324 for
time in microseconds, and 325 for time in nanoseconds. Time has been
counted as milliseconds since 0000 UTC January 1, 1970.

The IANA IPFIX definition of the same element ID:

323 observationTimeMilliseconds
This Information Element specifies the absolute time in milliseconds of
an observation.
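To show the two points above in working code, here is an added example (not from the original post and not Scrutinizer's code): a minimal NetFlow v9 template and data flowset parser that decodes element 323 as an 8-byte millisecond epoch and, like the collector described above, stores it under the IANA name observationTimeMilliseconds rather than NF_F_EVENT_TIME_MSEC, falling back to a Cisco name only when no IANA name exists. The packet is constructed inline; the element ID 33002 (NF_F_FW_EXT_EVENT) is a Cisco-only ID included purely to exercise the fallback, and the specific IDs beyond 323 and 324/325 are my assumptions, not something the post states.

```python
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

# IANA IPFIX names for the element IDs this example handles. NetFlow v9 and
# IPFIX share this ID space, which is why 323 means the same thing in both.
IANA_NAMES = {
    8: "sourceIPv4Address",
    12: "destinationIPv4Address",
    323: "observationTimeMilliseconds",
    324: "observationTimeMicroseconds",
    325: "observationTimeNanoseconds",
}

# Cisco ASA NSEL names. Used only when no IANA name exists for the ID.
# 33002 is assumed here as an example of a Cisco-only (vendor) element.
CISCO_NAMES = {
    323: "NF_F_EVENT_TIME_MSEC",
    33002: "NF_F_FW_EXT_EVENT",
}

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def element_name(element_id):
    """Prefer the IANA IPFIX name; fall back to the Cisco name only if no standard name exists."""
    return IANA_NAMES.get(element_id) or CISCO_NAMES.get(element_id) or f"element_{element_id}"


def decode_value(element_id, raw):
    """Decode a raw field. 323 is an absolute ms-since-epoch timestamp, not an offset."""
    if element_id in (8, 12):
        return str(IPv4Address(raw))
    if element_id == 323:
        # timedelta keeps the millisecond exact (no float rounding of ms / 1000)
        return UNIX_EPOCH + timedelta(milliseconds=int.from_bytes(raw, "big"))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet):
    """Walk the flowsets of one NetFlow v9 packet and return decoded data records."""
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    templates = {}   # template ID -> list of (element ID, length)
    records = []
    offset = 20      # 20-byte v9 header: version, count, uptime, unix secs, seq, source ID
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4:
            raise ValueError("flowset length too small")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                      # template flowset
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = []
                for _ in range(field_count):
                    fields.append(struct.unpack_from("!HH", body, pos))
                    pos += 4
                templates[template_id] = fields
        elif flowset_id >= 256:                  # data flowset
            fields = templates.get(flowset_id)
            if fields is not None:               # a real collector caches until the template arrives
                record_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + record_len <= len(body):   # trailing bytes are padding
                    record = {}
                    for element_id, flen in fields:
                        record[element_name(element_id)] = decode_value(element_id, body[pos:pos + flen])
                        pos += flen
                    records.append(record)
        offset += length
    return records


def build_sample_packet(event_ms=1700000000123):
    """Constructed sample: one template (ID 256) and one data record using it."""
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    fields = [(8, 4), (12, 4), (323, 8), (33002, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = (IPv4Address("192.0.2.10").packed + IPv4Address("198.51.100.7").packed
              + event_ms.to_bytes(8, "big") + (0).to_bytes(2, "big"))
    record += b"\x00" * ((-len(record)) % 4)    # exporters pad flowsets to 4-byte boundaries
    data_flowset = struct.pack("!HH", 256, 4 + len(record)) + record
    return header + template_flowset + data_flowset


if __name__ == "__main__":
    for rec in parse_netflow_v9(build_sample_packet()):
        print(rec)
```

The decoded record carries the key observationTimeMilliseconds (with NF_F_EVENT_TIME_MSEC absent) holding a timezone-aware UTC datetime, which is exactly why the field appears under the IANA name in FlowView.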

I hope this helps. I believe the best NetFlow and sFlow tools for network traffic analysis should lean toward standards-based solutions. With IPFIX, Cisco is pretty much leading the charge anyway.


Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
