I had a customer this week asking me about the NF_F_EVENT_TIME_MSEC field which is kicked out in the bidirectional NetFlow exported by the Cisco ASA. He couldn’t see it in FlowView of Scrutinizer NetFlow Analyzer. FlowView allows you to see all fields exported by the NetFlow Template. Boy did I chase my tail looking into this one.
Remember, we support both NetFlow v9 and IPFIX. Because they are so similar, we decided to use the IPFIX field names to save data when there are conflicts or inconsistencies in the naming conventions.
If you ever use FlowView, you will notice that there are column names containing “time” in FlowView for the ASA. There are two columns: intervalTime (the time we write the flow, a column we manufacture) and observationTimeMilliseconds (the time offset of the flow as exported from the device).
The observationTimeMilliseconds column is the NF_F_EVENT_TIME_MSEC value. Our NetFlow Collector labels it observationTimeMilliseconds because of what I stated above (i.e. IPFIX is the standard).
The two elements in question are just different names for the same thing (this should always be the case). They are actually epochs, but in milliseconds.
The time that the event occurred, which comes from IPFIX. Use 324 for time in microseconds, and 325 for time in nanoseconds. Time has been counted as milliseconds since 0000 UTC January 1, 1970.
This Information Element specifies the absolute time in milliseconds of
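As an added example (not code from the original post or from Scrutinizer), the Python below pulls this field out of a data record and converts the epoch milliseconds to UTC, then measures the gap to the collector's intervalTime, which is the number that matters when lining ASA events up against other logs. The template layout, sample record and function names are constructed for illustration; element ID 323 and the 8-byte unsigned encoding are the IANA IPFIX definition of observationTimeMilliseconds.

```python
import struct
from datetime import datetime, timedelta, timezone

OBSERVATION_TIME_MS = 323  # IPFIX observationTimeMilliseconds / ASA NF_F_EVENT_TIME_MSEC
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed template: (field id, length in bytes), in export order.
# 8 = sourceIPv4Address, 12 = destinationIPv4Address.
TEMPLATE = [(8, 4), (12, 4), (OBSERVATION_TIME_MS, 8)]

def decode_record(template, record):
    """Split one data record into {field_id: raw bytes} using the template."""
    fields, offset = {}, 0
    for field_id, length in template:
        chunk = record[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"record truncated at field {field_id}")
        fields[field_id] = chunk
        offset += length
    return fields

def event_time(fields):
    """Return the exporter's event time as an aware UTC datetime."""
    raw = fields[OBSERVATION_TIME_MS]
    if len(raw) != 8:
        raise ValueError("expected an 8-byte millisecond timestamp")
    (ms,) = struct.unpack("!Q", raw)  # network byte order, unsigned 64-bit
    # timedelta arithmetic avoids the float rounding of fromtimestamp(ms / 1000)
    return EPOCH + timedelta(milliseconds=ms)

def skew_seconds(fields, interval_time):
    """Seconds between the collector's write time and the exporter's event time."""
    return (interval_time - event_time(fields)).total_seconds()

# Constructed sample record: 10.0.0.5 -> 192.0.2.10, event at 1700000000123 ms.
SAMPLE = bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10]) + struct.pack("!Q", 1700000000123)

if __name__ == "__main__":
    parsed = decode_record(TEMPLATE, SAMPLE)
    written = datetime(2023, 11, 14, 22, 13, 25, tzinfo=timezone.utc)  # constructed intervalTime
    print(event_time(parsed).isoformat(), skew_seconds(parsed, written))
```

A large or negative skew usually points at an exporter clock that is not NTP-synchronised, which should be fixed before the timestamps are used in an incident timeline.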
I hope this helps. I believe the best NetFlow and sFlow tools for network traffic analysis should be leaning toward standards-based solutions. With IPFIX, Cisco is pretty much leading the charge anyway.