Caligare home | What's Netflow | Formats | RFC | Configuration | Applications | Links | Netflow Forum

Netflow packet Version 9 (V9)

version 1 | version 5 | version 6 | version 7 | version 8 | version 9

The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.

Packet Layout

The NetFlow Version 9 record format consists of a packet header followed by at least one or more template or data FlowSets. A template FlowSet provides a description of the fields that will be present in future data FlowSets. These data FlowSets may occur later within the same export packet or in subsequent export packets.

Export packet

Packet Header
Template FlowSet
Data FlowSet
Data FlowSet
...
Template FlowSet
Data FlowSet
...

Flow header format

BytesContentsDescription
0-1versionNetFlow export format version number
2-3countNumber of flow sets exported in this packet, both template and data (1-30).
4-7sys_uptimeCurrent time in milliseconds since the export device booted.
8-11unix_secsCurrent count of seconds since 0000 UTC 1970.
12-15package_sequenceSequence counter of all export packets sent by the export device. Note: This is a change from the Version 5 and Version 8 headers, where this number represented “total flows.”
16-19source_idA 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In Cisco's implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.

Template FlowSet Format

One of the key elements in the new Version 9 format is the template FlowSet. Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance. Templates are used to describe the type and length of individual fields within subsequent NetFlow data records that match a template ID.

bit 0-15
flowset_id = 0
length
template_id
field_count
field_1_type
field_1_length
field_2_type
field_2_length
field_3_type
field_3_length
...
field_N_type
field_N_length
template_id
field_count
field_1_type
field_1_length
...
field_N_type
field_N_length


FieldDescription
flowset_id The flowset_id is used to distinguish template records from data records. A template record always has a flowset_id in the range of 0-255. Currently template record that describes flow fields has a flowset_id of zero and the template record that describes option fields (described below) has a flowset_id of 1. A data record always has a nonzero flowset_id greater than 255.
length Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.
Length is expressed in type/length/value (TLV) format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.
template_id As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id.
Templates that define data record formats begin numbering at 256 since 0-255 are reserved for FlowSet IDs.
field_count This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.
field_type This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco supplied values are consistent across all platforms that support NetFlow Version 9.
At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths.
The currently defined field types are detailed below.
field_length This number gives the length of the above-defined field, in bytes.

Note the following:

  • Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.
  • Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways. A template can be resent every N number of export packets. A template can also be sent on a timer, so that it is refreshed every N number of minutes. Both options are user configurable.
Field TypeValueLength (bytes)Description
IN_BYTES1N (default is 4)Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow.
IN_PKTS2N (default is 4)Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow
FLOWS3NNumber of flows that were aggregated; default for N is 4
PROTOCOL41IP protocol byte
SRC_TOS51Type of Service byte setting when entering incoming interface
TCP_FLAGS61Cumulative of all the TCP flags seen for this flow
L4_SRC_PORT72TCP/UDP source port number e.g. FTP, Telnet, or equivalent
IPV4_SRC_ADDR84IPv4 source address
SRC_MASK91The number of contiguous bits in the source address subnet mask i.e. the submask in slash notation
INPUT_SNMP10NInput interface index; default for N is 2 but higher values could be used
L4_DST_PORT112TCP/UDP destination port number e.g. FTP, Telnet, or equivalent
IPV4_DST_ADDR124IPv4 destination address
DST_MASK131The number of contiguous bits in the destination address subnet mask i.e. the submask in slash notation
OUTPUT_SNMP14NOutput interface index; default for N is 2 but higher values could be used
IPV4_NEXT_HOP154IPv4 address of next-hop router
SRC_AS16N (default is 2)Source BGP autonomous system number where N could be 2 or 4
DST_AS17N (default is 2)Destination BGP autonomous system number where N could be 2 or 4
BGP_IPV4_NEXT_HOP184Next-hop router's IP in the BGP domain
MUL_DST_PKTS19N (default is 4)IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow
MUL_DST_BYTES20N (default is 4)IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow
LAST_SWITCHED214System uptime at which the last packet of this flow was switched
FIRST_SWITCHED224System uptime at which the first packet of this flow was switched
OUT_BYTES23N (default is 4)Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow
OUT_PKTS24N (default is 4)Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow.
MIN_PKT_LNGTH252Minimum IP packet length on incoming packets of the flow
MAX_PKT_LNGTH262Maximum IP packet length on incoming packets of the flow
IPV6_SRC_ADDR2716IPv6 Source Address
IPV6_DST_ADDR2816IPv6 Destination Address
IPV6_SRC_MASK291Length of the IPv6 source mask in contiguous bits
IPV6_DST_MASK301Length of the IPv6 destination mask in contiguous bits
IPV6_FLOW_LABEL313IPv6 flow label as per RFC 2460 definition
ICMP_TYPE322Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type * 256) + ICMP code)
MUL_IGMP_TYPE331Internet Group Management Protocol (IGMP) packet type
SAMPLING_INTERVAL344When using sampled NetFlow, the rate at which packets are sampled e.g. a value of 100 indicates that one of every 100 packets is sampled
SAMPLING_ALGORITHM351The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling ,0x02 Random Sampling
FLOW_ACTIVE_TIMEOUT362Timeout value (in seconds) for active flow entries in the NetFlow cache
FLOW_INACTIVE_TIMEOUT372Timeout value (in seconds) for inactive flow entries in the NetFlow cache
ENGINE_TYPE381Type of flow switching engine: RP = 0, VIP/Linecard = 1
ENGINE_ID391ID number of the flow switching engine
TOTAL_BYTES_EXP40N (default is 4)Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain
TOTAL_PKTS_EXP41N (default is 4)Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain
TOTAL_FLOWS_EXP42N (default is 4)Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain
* Vendor Proprietary*43  
IPV4_SRC_PREFIX444IPv4 source address prefix (specific for Catalyst architecture)
IPV4_DST_PREFIX454IPv4 destination address prefix (specific for Catalyst architecture)
MPLS_TOP_LABEL_TYPE461MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP
MPLS_TOP_LABEL_IP_ADDR474Forwarding Equivalent Class corresponding to the MPLS Top Label
FLOW_SAMPLER_ID481Identifier shown in "show flow-sampler"
FLOW_SAMPLER_MODE491The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE
FLOW_SAMPLER_RANDOM_INTERVAL504Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE
* Vendor Proprietary*51  
MIN_TTL521Minimum TTL on incoming packets of the flow
MAX_TTL531Maximum TTL on incoming packets of the flow
IPV4_IDENT542The IP v4 identification field
DST_TOS551Type of Service byte setting when exiting outgoing interface
IN_SRC_MAC566Incoming source MAC address
OUT_DST_MAC576Outgoing destination MAC address
SRC_VLAN582Virtual LAN identifier associated with ingress interface
DST_VLAN592Virtual LAN identifier associated with egress interface
IP_PROTOCOL_VERSION601Internet Protocol Version Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed.
DIRECTION611Flow direction: 0 - ingress flow, 1 - egress flow
IPV6_NEXT_HOP6216IPv6 address of the next-hop router
BPG_IPV6_NEXT_HOP6316Next-hop router in the BGP domain
IPV6_OPTION_HEADERS644Bit-encoded field identifying IPv6 option headers found in the flow
* Vendor Proprietary*65  
* Vendor Proprietary*66  
* Vendor Proprietary*67  
* Vendor Proprietary*68  
* Vendor Proprietary*69  
MPLS_LABEL_1703MPLS label at position 1 in the stack
MPLS_LABEL_2713MPLS label at position 2 in the stack
MPLS_LABEL_3723MPLS label at position 3 in the stack
MPLS_LABEL_4733MPLS label at position 4 in the stack
MPLS_LABEL_5743MPLS label at position 5 in the stack
MPLS_LABEL_6753MPLS label at position 6 in the stack
MPLS_LABEL_7763MPLS label at position 7 in the stack
MPLS_LABEL_8773MPLS label at position 8 in the stack
MPLS_LABEL_9783MPLS label at position 9 in the stack
MPLS_LABEL_10793MPLS label at position 10 in the stack
IN_DST_MAC806Incoming destination MAC address
OUT_SRC_MAC816Outgoing source MAC address
IF_NAME82N (default specified in template)Shortened interface name e.g. "FE1/0"
IF_DESC83N (default specified in template)Full interface name e.g. "FastEthernet 1/0"
SAMPLER_NAME84N (default specified in template)Name of the flow sampler
IN_PERMANENT_BYTES85N (default is 4)Running byte counter for a permanent flow
IN_PERMANENT_PKTS86N (default is 4)Running packet counter for a permanent flow
* Vendor Proprietary*87  

When extensibility is required, the new field types will be added to the list. The new field types have to be updated on the Exporter and Collector but the NetFlow export format would remain unchanged.

In some cases the size of a field type is fixed by definition, for example PROTOCOL, or IPV4_SRC_ADDR. However, in other cases they are defined as a variant type. This improves the memory efficiency in the collector and reduces the network bandwidth requirement between the Exporter and the Collector. As an example, in the case IN_BYTES, on an access router it might be sufficient to use a 32 bit counter (N = 4), whilst on a core router a 64 bit counter (N = 8) would be required.

All counters and counter-like objects are unsigned integers of size N * 8 bits.

Data FlowSet Format

bit 0-15
flowset_id = template_id (>255)
length
record_1-field_1_value
record_1-field_2_value
record_1-field_3_value
...
record_1-field_M_value
record_2-field_1_value
record_2-field_2_value
record_2-field_3_value
...
record_2-field_M_value
...
record_N-field_M_value
padding


FieldDescription
flowset_id A FlowSet ID precedes each group of records within a NetFlow Version 9 data FlowSet. The FlowSet ID maps to a (previously received) template_id. The collector and display applications should use the flowset_id to map the appropriate type and length to any field values that follow.
length This field gives the length of the data FlowSet.
Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of any included data records.
record_N—field_M The remainder of the Version 9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the flowset_id/template_id.
padding Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the length field will include those padding bits.

When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot be parsed without a corresponding template ID. If a data FlowSet that does not have an appropriate template ID is received, the record should be discarded.

Options Template Format

One additional record type is very important within the NetFlow Version 9 specification: an options template (and its corresponding options data record). Rather than supplying information about IP flows, options are used to supply "meta-data" about the NetFlow process itself. The format of the options template is detailed below.

bit 0-15
flowset_id = 1
length
template_id
option_scope_length
option_length
scope_field_1_type
scope_field_1_length
...
scope_field_N_length
option_field_1_type
option_field_1_length
...
option_field_N_length
padding


FieldDescription
flowset_id = 1 The flowset_id is used to distinguish template records from data records. A template record always has a flowset_id of 1. A data record always has a nonzero flowset_id which is greater than 255.
length This field gives the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.
Length is expressed in TLV format, meaning that the value includes the bytes used for the flowset_id and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.
template_id As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template_id. The template_id is greater than 255. Template IDs inferior to 255 are reserved.
option_scope_length This field gives the length in bytes of any scope fields contained in this options template (the use of scope is described below).
options_length This field gives the length (in bytes) of any Options field definitions contained in this options template.
scope_field_N_type This field gives the relevant portion of the NetFlow process to which the options record refers. Currently defined values follow:
  • 0x0001 System
  • 0x0002 Interface
  • 0x0003 Line Card
  • 0x0004 NetFlow Cache
  • 0x0005 Template
For example, sampled NetFlow can be implemented on a per-interface basis, so if the options record were reporting on how sampling is configured, the scope for the report would be 0x0002 (interface).
scope_field_N_length This field gives the length (in bytes) of the Scope field, as it would appear in an options record.
option_field_N_type This numeric value represents the type of the field that appears in the options record. Possible values are detailed in template flow set format (above).
option_field_N_length This number is the length (in bytes) of the field, as it would appear in an options record.
padding Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the length field will include those padding bits.


Source: www.cisco.com


(c) 2003-2006 Caligare s.r.o.
http://www.caligare.com
Last-modified: May 10 2006