The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
The NetFlow Version 9 record format consists of a packet header followed by at least one or more template or data FlowSets. A template FlowSet provides a description of the fields that will be present in future data FlowSets. These data FlowSets may occur later within the same export packet or in subsequent export packets.
Flow Header Format
|0-1||version||NetFlow export format version number|
|2-3||count||Number of flow sets exported in this packet, both template and data (1-30).|
|4-7||sys_uptime||Current time in milliseconds since the export device booted.|
|8-11||unix_secs||Current count of seconds since 0000 UTC 1970.|
|12-15||package_sequence||Sequence counter of all export packets sent by the export device. Note: This is a change from the Version 5 and Version 8 headers, where this number represented �total flows.�|
|16-19||source_id||A 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In Cisco's implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.|
Template FlowSet Format
One of the key elements in the new Version 9 format is the template FlowSet. Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance. Templates are used to describe the type and length of individual fields within subsequent NetFlow data records that match a template ID.
|flowset_id = 0|
|flowset_id||The flowset_id is used to distinguish template records from data records. A template record always has a flowset_id in the range of 0-255. Currently template record that describes flow fields has a flowset_id of zero and the template record that describes option fields (described below) has a flowset_id of 1. A data record always has a nonzero flowset_id greater than 255.|
|length||Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.
Length is expressed in type/length/value (TLV) format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.
|template_id||As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id.
Templates that define data record formats begin numbering at 256 since 0-255 are reserved for FlowSet IDs.
|field_count||This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.|
|field_type||This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco supplied values are consistent across all platforms that support NetFlow Version 9.
At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths.
The currently defined field types are detailed below.
|field_length||This number gives the length of the above-defined field, in bytes.|
Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.
Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways. A template can be resent every N number of export packets. A template can also be sent on a timer, so that it is refreshed every N number of minutes. Both options are user configurable.
|Field Type||Value||Length (bytes)||Description|
|IN_BYTES||1||N (default is 4)||Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow.|
|IN_PKTS||2||N (default is 4)||Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow|
|FLOWS||3||N||Number of flows that were aggregated; default for N is 4|
|PROTOCOL||4||1||IP protocol byte|
|SRC_TOS||5||1||Type of Service byte setting when entering incoming interface|
|TCP_FLAGS||6||1||Cumulative of all the TCP flags seen for this flow|
|L4_SRC_PORT||7||2||TCP/UDP source port number e.g. FTP, Telnet, or equivalent|
|IPV4_SRC_ADDR||8||4||IPv4 source address|
|SRC_MASK||9||1||The number of contiguous bits in the source address subnet mask i.e. the submask in slash notation|
|INPUT_SNMP||10||N||Input interface index; default for N is 2 but higher values could be used|
|L4_DST_PORT||11||2||TCP/UDP destination port number e.g. FTP, Telnet, or equivalent|
|IPV4_DST_ADDR||12||4||IPv4 destination address|
|DST_MASK||13||1||The number of contiguous bits in the destination address subnet mask i.e. the submask in slash notation|
|OUTPUT_SNMP||14||N||Output interface index; default for N is 2 but higher values could be used|
|IPV4_NEXT_HOP||15||4||IPv4 address of next-hop router|
|SRC_AS||16||N (default is 2)||Source BGP autonomous system number where N could be 2 or 4|
|DST_AS||17||N (default is 2)||Destination BGP autonomous system number where N could be 2 or 4|
|BGP_IPV4_NEXT_HOP||18||4||Next-hop router's IP in the BGP domain|
|MUL_DST_PKTS||19||N (default is 4)||IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow|
|MUL_DST_BYTES||20||N (default is 4)||IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow|
|LAST_SWITCHED||21||4||System uptime at which the last packet of this flow was switched|
|FIRST_SWITCHED||22||4||System uptime at which the first packet of this flow was switched|
|OUT_BYTES||23||N (default is 4)||Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow|
|OUT_PKTS||24||N (default is 4)||Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow.|
|MIN_PKT_LNGTH||25||2||Minimum IP packet length on incoming packets of the flow|
|MAX_PKT_LNGTH||26||2||Maximum IP packet length on incoming packets of the flow|
|IPV6_SRC_ADDR||27||16||IPv6 Source Address|
|IPV6_DST_ADDR||28||16||IPv6 Destination Address|
|IPV6_SRC_MASK||29||1||Length of the IPv6 source mask in contiguous bits|
|IPV6_DST_MASK||30||1||Length of the IPv6 destination mask in contiguous bits|
|IPV6_FLOW_LABEL||31||3||IPv6 flow label as per RFC 2460 definition|
|ICMP_TYPE||32||2||Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code)|
|MUL_IGMP_TYPE||33||1||Internet Group Management Protocol (IGMP) packet type|
|SAMPLING_INTERVAL||34||4||When using sampled NetFlow, the rate at which packets are sampled e.g. a value of 100 indicates that one of every 100 packets is sampled|
|SAMPLING_ALGORITHM||35||1||The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling ,0x02 Random Sampling|
|FLOW_ACTIVE_TIMEOUT||36||2||Timeout value (in seconds) for active flow entries in the NetFlow cache|
|FLOW_INACTIVE_TIMEOUT||37||2||Timeout value (in seconds) for inactive flow entries in the NetFlow cache|
|ENGINE_TYPE||38||1||Type of flow switching engine: RP = 0, VIP/Linecard = 1|
|ENGINE_ID||39||1||ID number of the flow switching engine|
|TOTAL_BYTES_EXP||40||N (default is 4)||Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain|
|TOTAL_PKTS_EXP||41||N (default is 4)||Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain|
|TOTAL_FLOWS_EXP||42||N (default is 4)||Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain|
|* Vendor Proprietary*||43|
|IPV4_SRC_PREFIX||44||4||IPv4 source address prefix (specific for Catalyst architecture)|
|IPV4_DST_PREFIX||45||4||IPv4 destination address prefix (specific for Catalyst architecture)|
|MPLS_TOP_LABEL_TYPE||46||1||MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP|
|MPLS_TOP_LABEL_IP_ADDR||47||4||Forwarding Equivalent Class corresponding to the MPLS Top Label|
|FLOW_SAMPLER_ID||48||1||Identifier shown in "show flow-sampler"|
|FLOW_SAMPLER_MODE||49||1||The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE|
|FLOW_SAMPLER_RANDOM_INTERVAL||50||4||Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE|
|* Vendor Proprietary*||51|
|MIN_TTL||52||1||Minimum TTL on incoming packets of the flow|
|MAX_TTL||53||1||Maximum TTL on incoming packets of the flow|
|IPV4_IDENT||54||2||The IP v4 identification field|
|DST_TOS||55||1||Type of Service byte setting when exiting outgoing interface|
|IN_SRC_MAC||56||6||Incoming source MAC address|
|OUT_DST_MAC||57||6||Outgoing destination MAC address|
|SRC_VLAN||58||2||Virtual LAN identifier associated with ingress interface|
|DST_VLAN||59||2||Virtual LAN identifier associated with egress interface|
|IP_PROTOCOL_VERSION||60||1||Internet Protocol Version Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed.|
|DIRECTION||61||1||Flow direction: 0 - ingress flow, 1 - egress flow|
|IPV6_NEXT_HOP||62||16||IPv6 address of the next-hop router|
|BPG_IPV6_NEXT_HOP||63||16||Next-hop router in the BGP domain|
|IPV6_OPTION_HEADERS||64||4||Bit-encoded field identifying IPv6 option headers found in the flow|
|* Vendor Proprietary*||65|
|* Vendor Proprietary*||66|
|* Vendor Proprietary*||67|
|* Vendor Proprietary*||68|
|* Vendor Proprietary*||69|
|MPLS_LABEL_1||70||3||MPLS label at position 1 in the stack|
|MPLS_LABEL_2||71||3||MPLS label at position 2 in the stack|
|MPLS_LABEL_3||72||3||MPLS label at position 3 in the stack|
|MPLS_LABEL_4||73||3||MPLS label at position 4 in the stack|
|MPLS_LABEL_5||74||3||MPLS label at position 5 in the stack|
|MPLS_LABEL_6||75||3||MPLS label at position 6 in the stack|
|MPLS_LABEL_7||76||3||MPLS label at position 7 in the stack|
|MPLS_LABEL_8||77||3||MPLS label at position 8 in the stack|
|MPLS_LABEL_9||78||3||MPLS label at position 9 in the stack|
|MPLS_LABEL_10||79||3||MPLS label at position 10 in the stack|
|IN_DST_MAC||80||6||Incoming destination MAC address|
|OUT_SRC_MAC||81||6||Outgoing source MAC address|
|IF_NAME||82||N (default specified in template)||Shortened interface name e.g. "FE1/0"|
|IF_DESC||83||N (default specified in template)||Full interface name e.g. "FastEthernet 1/0"|
|SAMPLER_NAME||84||N (default specified in template)||Name of the flow sampler|
|IN_PERMANENT_BYTES||85||N (default is 4)||Running byte counter for a permanent flow|
|IN_PERMANENT_PKTS||86||N (default is 4)||Running packet counter for a permanent flow|
|* Vendor Proprietary*||87|
In some cases the size of a field type is fixed by definition, for example PROTOCOL, or IPV4_SRC_ADDR. However, in other cases they are defined as a variant type. This improves the memory efficiency in the collector and reduces the network bandwidth requirement between the Exporter and the Collector. As an example, in the case IN_BYTES, on an access router it might be sufficient to use a 32 bit counter (N = 4), whilst on a core router a 64 bit counter (N = 8) would be required.
All counters and counter-like objects are unsigned integers of size N * 8 bits.
Data FlowSet Format
|flowset_id = template_id (>255)|
|flowset_id||A FlowSet ID precedes each group of records within a NetFlow Version 9 data FlowSet. The FlowSet ID maps to a (previously received) template_id. The collector and display applications should use the flowset_id to map the appropriate type and length to any field values that follow.|
|length||This field gives the length of the data FlowSet.
Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of any included data records.
|record_N—field_M||The remainder of the Version 9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the flowset_id/template_id.|
|padding||Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the length field will include those padding bits.|
When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot be parsed without a corresponding template ID. If a data FlowSet that does not have an appropriate template ID is received, the record should be discarded.
Options Template Format
One additional record type is very important within the NetFlow Version 9 specification: an options template (and its corresponding options data record). Rather than supplying information about IP flows, options are used to supply “meta-data” about the NetFlow process itself. The format of the options template is detailed below.
|flowset_id = 1|
|flowset_id = 1||The flowset_id is used to distinguish template records from data records. A template record always has a flowset_id of 1. A data record always has a nonzero flowset_id which is greater than 255.|
|length||This field gives the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.
Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.
|template_id||As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id. The template_id is greater than 255. Template IDs inferior to 255 are reserved.|
|option_scope_length||This field gives the length in bytes of any scope fields contained in this options template (the use of scope is described below).|
|options_length||This field gives the length (in bytes) of any Options field definitions contained in this options template.|
|scope_field_N_type||This field gives the relevant portion of the NetFlow process to which the options record refers. Currently defined values follow:
0x0003 Line Card
0x0004 NetFlow Cache
For example, sampled NetFlow can be implemented on a per-interface basis, so if the options record were reporting on how sampling is configured, the scope for the report would be 0x0002 (interface).
|scope_field_N_length||This field gives the length (in bytes) of the Scope field, as it would appear in an options record.|
|option_field_N_type||This numeric value represents the type of the field that appears in the options record. Possible values are detailed in template flow set format (above).|
|option_field_N_length||This number is the length (in bytes) of the field, as it would appear in an options record.|
|padding||Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the length field will include those padding bits.|