Cisco Application Visibility and Control Collection Manager User Guide, OL-24187-04

Appendix A: NetFlow Field Types and Database Formats

Introduction

This chapter describes the fields contained in NetFlow records (NFR). It also details the formats and field contents of NetFlow Records data tables:

• NetFlow Field Types

• Database Tables: Formats and Field Contents

NetFlow Field Types

The following sections detail the different types of NetFlow fields:

• NetFlow Field Types for RPT_USAGE_NF Table

• NetFlow Field Types for RPT_TRANSACTION_NF

• NetFlow Field Types for RPT_GLB_USAGE_NF Table

• NetFlow Field Types for CONF_TZ_OFFSET_NF Table

• NetFlow Field Types for NF_INI_VALUES Table

NetFlow Field Types for RPT_USAGE_NF Table

Usage Records are records of the different types of applications running over a specific interface. The operator can use Usage Records to monitor how much bandwidth the different applications use. The Usage Records show this application usage over a specific time period, the peak and average usages, and usage for a specific application type.

Table A-1 describes NetFlow Field Types for RPT_USAGE_NF Table:

Table A-1 Summary of NetFlow Field Types for RPT_USAGE_NF Table

| Field Name | Value | Type | Description |
|---|---|---|---|
| time_stamp | - | TIMESTAMP | DB insertion timestamp value |
| head_time_stamp | - | INT32 | Packet timestamp from ASR1K |
| head_source_id | - | INT32 | Contains the IP address of the Cisco ASR1K platform that generated the NFR |
| class_id | 51 | UINT32 | Reserved for future use. |
| application_id | 95 | INT32 | The unique ID for the application |
| ingressInterface | 10 | UINT32 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | UINT32 | The index of the IP interface where packets of this Flow are being sent. |
| flowDirection | 61 | UINT8 | The direction of the Flow observed at the Observation Point. There are only two values defined (Ingress/Egress). |
| flowStartSysUpTime | 22 | UINT32 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| flowEndSysUpTime | 21 | UINT32 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| packetDeltaCount | 2 | UINT64 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |
| in_bytes | 3 | UINT64 | Total number of bytes received since the previous report (if any) for this Flow at the Observation Point. |
| connectionCountNew | 278 | UINT32 | This information element counts the number of TCP or UDP connections which were opened during the observation period. The observation period may be specified by the flow start and end timestamps. |
| connectionSumDuration | 279 | UINT64 | This information element aggregates the total time in seconds for all of the TCP or UDP connections which were in use during the observation period. For example, if there are 5 concurrent connections each for 10 seconds, the value would be 50 s. |
| ingressVRFID | 234 | UINT32 | A unique identifier of the VRFname where the packets of this flow are being received. This identifier is unique per Metering Process. |
| ipVersion | 60 | UINT8 | The IP version field in the IP packet header. |

NetFlow Field Types for RPT_TRANSACTION_NF

A transaction is a set of logical exchanges between endpoints. There is normally one transaction within a flow. The Transaction Record monitors the traffic at transaction levels. Transaction Records provide a detailed analysis of the traffic flows, including extracted Layer 7 fields. Due to the high load of transactions, these records are sampled or filtered. Transaction Records are bound to the input and output directions of the network side interfaces. These Transaction Records allow the system to capture each unidirectional flow once.

Table A-2 describes NetFlow Field Types for RPT_TRANSACTION_NF Table:

Table A-2 NetFlow Field Types for RPT_TRANSACTION_NF

| Field Name | Value | Type | Description |
|---|---|---|---|
| time_stamp | - | TIMESTAMP | DB insertion timestamp value |
| head_time_stamp | - | INT32 | Packet timestamp from ASR1K |
| head_src_id | - | INT32 | Contains the IP address of the Cisco ASR1K platform that generated the NFR |
| conn_tx_id | 280 | UINT64 | A unique ID for the transaction |
| application_id | 95 | INT32 | The unique ID for the application |
| ingressInterface | 10 | UINT32 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | UINT32 | The index of the IP interface where packets of this Flow are being sent. |
| flowDirection | 61 | UINT8 | The direction of the Flow observed at the Observation Point. There are only two values defined (Ingress/Egress). |
| flowStartSysUpTime | 22 | UINT32 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| flowEndSysUpTime | 21 | UINT32 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| packetDeltaCount | 2 | UINT64 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |
| in_bytes | 3 | UINT64 | Total number of bytes received since the previous report (if any) for this Flow at the Observation Point. |
| src_ipv4_addr | 8 | UINT32 | The IPv4 source address in the IP packet header. |
| src_port | 7 | UINT16 | The source port identifier in the transport header. |
| dst_ipv4_addr | 12 | UINT32 | The IPv4 destination address in the IP packet header. |
| dst_port | 11 | UINT16 | The destination port identifier in the transport header. |
| protocol_id | 4 | UINT8 | The value of the protocol number in the IP packet header. |
| flow_id | 48 | UINT64 | Reserved for future use. |
| flow_end_reason | 136 | UINT8 | The reason for Flow termination. |
| biflow_direction | 239 | UINT8 | A description of the direction assignment method used to assign the Biflow Source and Destination. |
| ingressVRFID | 234 | UINT32 | A unique identifier of the VRFname where the packets of this flow are being received. This identifier is unique per Metering Process. |
| ipVersion | 60 | UINT8 | The IP version field in the IP packet header. |
| sourceIPv6Address | 27 | UINT32 | The IPv6 source address in the IP packet header. |
| destinationIPv6Address | 28 | UINT32 | The IPv6 destination address in the IP packet header. |

NetFlow Field Types for RPT_GLB_USAGE_NF Table

Global usage records are the records of many applications running over an interface. You can use them to monitor the total traffic over the network, monitor the usage of all the applications over a specific time period, or monitor the peak and average usages of all the applications over an interface.

Table A-3 describes NetFlow Field Types for RPT_GLB_USAGE_NF Table:

Table A-3 NetFlow Field Types for RPT_GLB_USAGE_NF Table

| Field Name | Value | Type | Description |
|---|---|---|---|
| time_stamp | - | TIMESTAMP | DB insertion timestamp value |
| head_time_stamp | - | INT32 | Packet timestamp from ASR1K |
| head_source_id | - | INT32 | Contains the IP address of the Cisco ASR1K platform that generated the NFR |
| class_id | 51 | UINT32 | Reserved for future use. |
| ingressInterface | 10 | UINT32 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | UINT32 | The index of the IP interface where packets of this Flow are being sent. |
| flowDirection | 61 | UINT8 | The direction of the Flow observed at the Observation Point. There are only two values defined (Ingress/Egress). |
| flowStartSysUpTime | 22 | UINT32 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| flowEndSysUpTime | 21 | UINT32 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). |
| packetDeltaCount | 2 | UINT64 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |
| in_bytes | 3 | UINT64 | Total number of bytes received since the previous report (if any) for this Flow at the Observation Point. |
| connectionCountNew | 278 | UINT32 | This information element counts the number of TCP or UDP connections which were opened during the observation period. The observation period may be specified by the flow start and end timestamps. |
| connectionSumDuration | 279 | UINT64 | This information element aggregates the total time in seconds for all of the TCP or UDP connections which were in use during the observation period. For example, if there are 5 concurrent connections each for 10 seconds, the value would be 50 s. |
| ingressVRFID | 234 | UINT32 | A unique identifier of the VRFname where the packets of this flow are being received. This identifier is unique per Metering Process. |
| ipVersion | 60 | UINT8 | The IP version field in the IP packet header. |

NetFlow Field Types for CONF_TZ_OFFSET_NF Table

Table A-4 describes NetFlow Field Types for CONF_TZ_OFFSET_NF Table:

Table A-4 NetFlow Field Types for CONF_TZ_OFFSET_NF Table

| Field Name | Type | Description |
|---|---|---|
| time_stamp | TIMESTAMP | DB insertion timestamp value |
| offset_min | INT16 | Offset value in minutes |

NetFlow Field Types for NF_INI_VALUES Table

Table A-5 describes NetFlow Field Types for NF_INI_VALUES Table:

Table A-5 NetFlow Field Types for NF_INI_VALUES Table

| Field Name | Type | Description |
|---|---|---|
| time_stamp | TIMESTAMP | DB insertion timestamp value |
| nf_ip | STRING | Identification of the ASR1K platform where these values were applied. |
| value_type | INT16 | Key Name/Value family type. The possible values are listed after this table. |
| value_key | STRING | Key name. For example: Gold, Silver |
| value | INT32 | Numeric reference. |

The possible values of value_type are:

• 5 - Source address 32-bit / dotted notation

• 101 - Input interface ID / Input Interface Name

• 102 - Input interface ID / Input Interface Description

• 103 - Output interface ID / Output Interface Name

• 104 - Output interface ID / Output Interface Description

• 111 - Application ID / Application Name

• 112 - Application ID / Application Description

• 114 - Application ID / Category Name

• 115 - Application ID / Sub-Category Name

• 116 - Application ID / Application Group

• 117 - Application ID / Attribute: p2p-technology

• 118 - Application ID / Attribute: tunnel

• 119 - Application ID / Attribute: encrypted

• 131 - Sampler ID / Sampler Info

Database Tables: Formats and Field Contents

Each NFR is sent to the Cisco Collection Manager. On the Collection Manager, adapters convert the NFRs and store them in database tables. This section details these tables and their columns (field names and types).

The following sections detail the different types of database tables:

• Table CONF_TZ_OFFSET_NF

• NetFlow Field Types for RPT_USAGE_NF Table

• NetFlow Field Types for RPT_TRANSACTION_NF Table

• Columns of Table RPT_GLB_USAGE_NF

• NetFlow Field Types for NF_INI_VALUES Table

Table CONF_TZ_OFFSET_NF

Database table CONF_TZ_OFFSET_NF contains the time-zone offset in minutes for the clock of each Cisco ASR 1000 Series router as configured by the select-sce-tz.sh script.

Table A-6 lists the columns of table CONF_TZ_OFFSET_NF.

Table A-6 CONF_TZ_OFFSET_NF Table Columns

| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| OFFSET_MIN | INT16 |

NetFlow Field Types for RPT_USAGE_NF Table

Table A-7 RPT_USAGE_NF Table Field Types

| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_HEAD_TIME_STAMP | INT32 |
| NF_HEAD_SOURCE_ID | INT32 |
| NF_CLASS_ID | UINT32 |
| NF_APPLICATION_ID | INT32 |
| NF_INGRESS_IF | UINT32 |
| NF_EGRESS_IF | UINT32 |
| NF_FLOW_DIRECTION | UINT8 |
| NF_FLOW_START_SYSUP_TIME | UINT32 |
| NF_FLOW_END_SYSUP_TIME | UINT32 |
| NF_IN_PKTS | UINT64 |
| NF_IN_BYTES | UINT64 |
| NF_CONNECTION_COUNT_NEW | UINT32 |
| NF_CONN_SUM_DURATION | UINT64 |
| NF_INGRESS_VRF_ID | UINT32 |
| NF_IP_VERSION | UINT8 |

NetFlow Field Types for RPT_TRANSACTION_NF Table

Table A-8 RPT_TRANSACTION_NF Table Field Types

| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_HEAD_TIME_STAMP | INT32 |
| NF_HEAD_SRC_ID | INT32 |
| NF_CONN_TX_ID | UINT64 |
| NF_INGRESS_IF | UINT32 |
| NF_EGRESS_IF | UINT32 |
| NF_FLOW_DIRECTION | UINT8 |
| NF_FLOW_START_SYSUP_TIME | UINT32 |
| NF_FLOW_END_SYSUP_TIME | UINT32 |
| NF_IN_PKTS | UINT64 |
| NF_IN_BYTES | UINT64 |
| NF_SRC_IPV4_ADDR | UINT32 |
| NF_SRC_PORT | UINT16 |
| NF_DST_IPV4_ADDR | UINT32 |
| NF_DST_PORT | UINT16 |
| NF_PROTOCOL_ID | UINT8 |
| NF_FLOW_ID | UINT64 |
| NF_FLOW_END_REASON | UINT8 |
| NF_BIFLOW_DIRECTION | UINT8 |
| NF_INGRESS_VRF_ID | UINT32 |
| NF_IP_VERSION | UINT8 |
| NF_SRC_IPV6_ADDR | STRING |
| NF_DST_IPV6_ADDR | STRING |

Columns of Table RPT_GLB_USAGE_NF

Table A-9 RPT_GLB_USAGE_NF Table Columns

| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_HEAD_TIME_STAMP | INT32 |
| NF_HEAD_SOURCE_ID | INT32 |
| NF_APPLICATION_ID | INT32 |
| NF_INGRESS_IF | UINT32 |
| NF_EGRESS_IF | UINT32 |
| NF_FLOW_DIRECTION | UINT8 |
| NF_FLOW_START_SYSUP_TIME | UINT32 |
| NF_FLOW_END_SYSUP_TIME | UINT32 |
| NF_IN_PKTS | UINT64 |
| NF_IN_BYTES | UINT64 |
| NF_CONNECTION_COUNT_NEW | UINT32 |
| NF_CONN_SUM_DURATION | UINT64 |
| NF_INGRESS_VRF_ID | UINT32 |
| NF_IP_VERSION | UINT8 |

NetFlow Field Types for NF_INI_VALUES Table

Table A-10 NF_INI_VALUES Table NetFlow Field Types

| Field Name | Type |
|---|---|
| TIME_STAMP | TIMESTAMP |
| NF_IP | STRING |
| VALUE_TYPE | INT16 |
| VALUE_KEY | STRING |
| VALUE | INT32 |
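The following is an added example, not part of the Cisco guide: it totals NF_IN_BYTES per exporter and application from RPT_USAGE_NF and resolves application names through NF_INI_VALUES rows of value_type 111. It assumes that VALUE holds the numeric application ID and VALUE_KEY the name, that NF_IP is a dotted-notation string, and that NF_HEAD_SOURCE_ID holds the address in network byte order; an in-memory SQLite database with constructed rows stands in for the Collection Manager database.

```python
import ipaddress
import sqlite3

def int32_to_ipv4(value):
    # NF_HEAD_SOURCE_ID is a signed INT32, so addresses from 128.0.0.0 up
    # read back negative; mask to 32 bits before decoding.
    # Assumption: the integer holds the address in network byte order.
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def sample_db():
    # Constructed rows; only the columns the query needs are created.
    db = sqlite3.connect(":memory:")
    db.create_function("ipv4", 1, int32_to_ipv4)
    db.executescript("""
        CREATE TABLE RPT_USAGE_NF (NF_HEAD_SOURCE_ID INTEGER,
            NF_APPLICATION_ID INTEGER, NF_IN_BYTES INTEGER);
        CREATE TABLE NF_INI_VALUES (TIME_STAMP TEXT, NF_IP TEXT,
            VALUE_TYPE INTEGER, VALUE_KEY TEXT, VALUE INTEGER);
    """)
    db.executemany("INSERT INTO RPT_USAGE_NF VALUES (?, ?, ?)", [
        (167772161, 3, 1000), (167772161, 3, 500),   # exporter 10.0.0.1
        (167772161, 7, 200),                          # no name row for app 7
        (-1062731519, 3, 4000),                       # 192.168.1.1 as signed INT32
    ])
    db.executemany("INSERT INTO NF_INI_VALUES VALUES (?, ?, ?, ?, ?)", [
        ("2012-01-01 00:00:00", "10.0.0.1", 111, "http", 3),
        ("2012-01-02 00:00:00", "10.0.0.1", 111, "http", 3),   # repeated mapping
        ("2012-01-01 00:00:00", "192.168.1.1", 111, "http", 3),
        ("2012-01-01 00:00:00", "10.0.0.1", 101, "Gi0/0/0", 3),  # interface name
    ])
    return db

def bytes_per_application(db):
    # value_type 111 = Application ID / Application Name (Table A-5).
    # DISTINCT keeps repeated mapping rows from multiplying byte totals.
    rows = db.execute("""
        SELECT ipv4(u.NF_HEAD_SOURCE_ID), u.NF_APPLICATION_ID, v.VALUE_KEY,
               SUM(u.NF_IN_BYTES) AS total
        FROM RPT_USAGE_NF u
        LEFT JOIN (SELECT DISTINCT NF_IP, VALUE, VALUE_KEY
                   FROM NF_INI_VALUES WHERE VALUE_TYPE = 111) v
          ON v.NF_IP = ipv4(u.NF_HEAD_SOURCE_ID)
         AND v.VALUE = u.NF_APPLICATION_ID
        GROUP BY u.NF_HEAD_SOURCE_ID, u.NF_APPLICATION_ID, v.VALUE_KEY
        ORDER BY total DESC
    """).fetchall()
    return [(src, name or f"unknown({app})", total)
            for src, app, name, total in rows]
```

Applications with no matching name row are reported as unknown(<id>) rather than dropped, so traffic from an unmapped application ID still shows up in the totals.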
