draft-bclaise-netflow-9




   Internet Draft                                                       
   Expiration: December 2002                                  B. Claise 
   Document: draft-bclaise-netflow-9-00.txt               Cisco Systems 
   Category: Informational                                    June 2002 
    
    
              Cisco Systems NetFlow Services Export Version 9 
                                      
    
Status of this Memo 
    
   This document is an Internet-Draft and is in full conformance with  
   all provisions of Section 10 of RFC2026.  
    
   Internet-Drafts are working documents of the Internet Engineering  
   Task Force (IETF), its areas, and its working groups.  Note that  
   other groups may also distribute working documents as Internet-  
   Drafts. Internet-Drafts are draft documents valid for a maximum of  
   six months and may be updated, replaced, or obsoleted by other  
   documents at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."  
    
   The list of current Internet-Drafts can be accessed at  
   http://www.ietf.org/ietf/1id-abstracts.txt  
   The list of Internet-Draft Shadow Directories can be accessed at   
   http://www.ietf.org/shadow.html. 
     
    
Abstract 
    
   Cisco Systems NetFlow Services provide network administrators with 
   access to information concerning IP Flows within their data networks. 
   Exported NetFlow Services data can be used for a variety of purposes,  
   including network management and planning, accounting, and 
   departmental chargebacks, Internet Service Provider billing, data 
   warehousing, and data mining for marketing purposes. 
    
   This paper discusses the most recent evolution of the NetFlow flow
   export format, which is known as Version 9. The distinguishing
   feature of the NetFlow Version 9 format, compared to previous
   formats, is that it is template based. Templates (collections of
   fields along with their description and structure) provide a
   flexible and extensible design to the record format. These two
   features allow future enhancements to NetFlow services without
   requiring concurrent changes to the basic flow-record format, and
   minimize the consumed export bandwidth.
    
    
 
 
Claise                 Expires - December 2002               [Page 1] 
           Cisco Systems NetFlow Services Export Version 9  June 2002 
 
 
Conventions used in this document 
    
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in  
   this document are to be interpreted as described in RFC 2119. 
 
    
Table of Contents 
    
   1. Introduction
      1.1 Overview
      1.2 Applications
   2. Terminology used
   3. NetFlow High Level Picture on the Exporter
      3.1 The NetFlow Process on the Exporter
      3.2 Flow Expiration
      3.3 Transport Protocol
   4. Packet Layout
   5. Export Packet Format
      5.1 Header Format
      5.2 Template FlowSet Format
      5.3 Data FlowSet Format
   6. Options
      6.1 Options Template FlowSet
      6.2 Options Data FlowSet
   7. Templates Management
   8. Field Type Definitions
   9. The Collector's side
   10. Examples
      10.1 Packet Header Example
      10.2 Template FlowSet Example
      10.3 Data FlowSet Example
      10.4 Option Template FlowSet Example
      10.5 Option Data FlowSet Example
   11. References
   12. Contributors
   13. Acknowledgments
   14. Authors Addresses
    
    
1. Introduction 
    
1.1 Overview 
    
   The NetFlow services data can be used for a variety of purposes. A
   non-exhaustive list can be found in the next section. This paper
   discusses the most recent evolution of the NetFlow flow-record
   format, which is known as Version 9. The distinguishing feature of
   the NetFlow Version 9 format, compared to previous formats, is that
   it is template based. A Template is a collection of fields along
   with the description of their structure and semantics.
 
 
   This approach gives the following advantages: 
 
   - The template mechanism is flexible in the sense that only the
     required fields from the IP Flows are exported to the NetFlow
     Collector. This helps achieve bandwidth savings on exported flow
     data and possible memory savings at exporter and collector.
     Sending only the required information can also reduce the
     network load.

   - Using the template mechanism, new fields can be added to NetFlow
     export records without changing the structure of the export
     record format. With the previous NetFlow versions, without this
     template-based mechanism, supporting a new field in the Flow
     Record implied a new version of the export protocol format and a
     new version of the NetFlow Collector supporting the parsing of
     this new export protocol format.

   - Templates which are sent to the Collector contain the structural
     information about the exported Flow Record fields. So, even if
     the Collector does not understand the semantics of new fields, it
     can still interpret the Flow Record.
    
    
1.2 Applications 
    
   NetFlow Data enables several key customer applications:  
 
   Accounting and billing 
   NetFlow Services data provides fine-grained metering (for example,  
   Flow data includes details such as IP addresses, packet and byte  
   counts, timestamps, Type of Service (TOS), application ports and  
   so on) for highly flexible and detailed resource usage accounting.  
   Internet Service Providers (ISP) may use this information to migrate  
   away from single fee, flat-rate billing to more flexible charging  
   mechanisms based on time-of-day, bandwidth usage, application usage,  
   quality of service, and so on. Enterprise customers may use the  
   information for departmental chargeback or cost allocation for  
   resource usage.  
 
 
   Network planning  
   NetFlow Services data captured in long-term observations makes it
   possible to track and anticipate network growth and plan upgrades
   with additional routing devices, ports, or higher-bandwidth
   interfaces. NetFlow data optimizes both strategic network planning
   (such as who to peer with, backbone upgrade planning, and routing
   policy planning) and tactical network engineering decisions (such
   as upgrading the router capacity or the link capacity) to minimize
   the total cost of network operations while maximizing network
   performance, capacity, and reliability.
 
   Peering agreements 
   NetFlow Services data gives ISP peering partners the ability to
   measure the volume and characteristics of traffic exchanged with
   other ISP peers.
 
   Traffic engineering 
   NetFlow Services data provides autonomous system (AS) traffic  
   engineering details for an AS. You can use NetFlow-captured traffic  
   data to understand traffic trends by source destination. This data  
   can be used to help in network optimization for load balancing  
   traffic across alternate paths or by forwarding traffic to a  
   preferred route. 
 
   Network monitoring 
   NetFlow Services data enables extensive near real-time network  
   monitoring capabilities. You can use NetFlow Flow data analysis to  
   display traffic patterns associated with individual routing devices  
   and switches as well as on a network-wide basis (providing aggregate  
   traffic or application-based views) to provide proactive problem  
   detection, efficient troubleshooting, and rapid problem resolution.  
 
   Application monitoring and profiling 
   NetFlow Services data gives content and service providers the
   ability to view detailed, time-based application usage over a
   network. This information makes it possible to plan and allocate
   network and application resources (such as Web server sizing and
   location) to responsively meet customer demands. Measure NetFlow
   traffic data for characterizing IP resources for IP address
   distribution per region (continent or country) or traffic breakdown
   per protocol or application (Voice over IP (VoIP), web hosting,
   gaming, and multimedia).
 
 
   User monitoring and profiling 
   NetFlow Services data makes it possible to gain a detailed
   understanding of customer/user usage of network and application
   resources. This information may then be used to efficiently plan
   and allocate access, backbone, and application resources as well as
   to detect and resolve potential security and policy violations.
 
   Volume usage-based billing 
   NetFlow Services traffic data can be measured to build flexible
   usage-based billing for your users. For example, you can identify
   users by the destination prefix.
 
   Security analysis 
   NetFlow Services data provides details on source and destination  
   addresses, the start time of Flows, and application ports. NetFlow  
   data measured from a routing device can be used to analyze your  
   network security and identify attacks. 
 
   NetFlow data warehousing and mining 
   NetFlow data (or derived information) can be warehoused for later
   retrieval and analysis to support proactive marketing and customer
   service programs (for example, to determine which applications and
   services are being used by internal and external users and target
   them for improved service, advertising, and so on). This is
   especially useful for ISPs because NetFlow Services data enables
   them to create great depth in their service packaging.
    
    
2. Terminology used 
    
   Various terms used in this document are described below: 
 
   IP Flow or Flow 
   A Flow is defined as a set of IP packets passing an Observation  
   Point in the network during a certain time interval. All packets  
   belonging to a particular Flow have a set of common properties  
   derived from the data contained in the packet and from the packet  
   treatment at the Observation Point. 
 
   Flow Record  
   A Flow Record provides information about an IP Flow that exists on
   the Exporter. The Flow Records are commonly referred to as NetFlow
   Services data or NetFlow data.

 
 
   Exporter 
   A device (for example, a router) with NetFlow services enabled. The
   exporter monitors packets entering an observation point and creates
   flows out of these packets. The information from these flows is
   exported in the form of Flow Records to the collector.
 
   NetFlow Collector 
   The NetFlow Collector receives Flow Records from one or more
   Exporters. It processes the received export packet, i.e. it parses
   it and stores the Flow Record information. The flow records may
   optionally be aggregated before being stored on the hard disk.
     
   Observation Point 
   The Observation Point is a location in the network where IP packets  
   can be observed. Typical examples: one or a set of interfaces of the  
   exporter. The Observation Point is part of an Observation Domain. 
 
   Observation Domain
   The set of Observation Points which is the largest aggregatable set
   of Flow information at the Exporter is termed an Observation
   Domain. The Observation Domain presents itself to the Collector
   with a unique ID, which identifies the Export Packets it generates.
   Example: The Observation Domain could be a router line-card,
   composed of several interfaces with each interface being an
   Observation Point.
 
   Export Packet 
   A packet built by an Exporter whose destination is the NetFlow  
   Collector.  
 
    Export Packet: 
    +--------+------------------------------------------------------+ 
    | Packet | +-----------------+ +------------------+ +---------+ | 
    | Header | | FlowSet         | | FlowSet          | | FlowSet | | 
    |        | +-----------------+ +------------------+ +---------+ | 
    +--------+------------------------------------------------------+ 
 
   Packet Header  
   The first part of an Export Packet, which provides basic information  
   about the packet, such as the NetFlow version, number of records  
   contained within the packet, and sequence numbering. 
 
 
 
   FlowSet 
   Following the Packet Header, an Export Packet contains information
   that MUST be parsed and interpreted by the Collector device. FlowSet
   is a generic term for a collection of records which have a similar
   structure. The Packet Header is followed by one or more FlowSets.
   There are three different types of FlowSets: Template FlowSet, Data
   FlowSet and Option FlowSet. An Export Packet contains one or more
   FlowSets, and the three FlowSet types can be mixed within the same
   Export Packet.
 
   Template Record 
   A Template Record is used to define the structure and interpretation
   of fields in a data record. Data records that correspond to a
   template MAY appear in the same and/or subsequent Export Packets.
   The template information is not necessarily carried in every Export
   Packet. As such, the NetFlow Collector MUST store the "Template
   Record" in order to interpret the corresponding data records that
   are received in the subsequent data packets.
 
   Template FlowSet 
   A Template FlowSet is a collection of one or more Template Records  
   which have been grouped together in an Export Packet. 
  
   Template ID 
   A unique number that distinguishes this Template Record from all  
   other Template Records produced by the same Exporter.  A Collector  
   that is receiving Export Packets from several devices MUST be aware  
   that uniqueness of Template ID is not guaranteed across Exporters.   
   Thus, the Collector MUST also store the address of the Exporter that  
   produced the Template ID, in order to enforce uniqueness. 
 
   Data FlowSet 
   A Data FlowSet is a collection of one or more Flow Records that have  
   been grouped together in an Export Packet. A Data FlowSet contains  
   records that belong to the same Template ID. Each Data FlowSet will  
   reference a previously transmitted Template ID, which can be used to  
   parse the data contained within the Flow Records.  
 
   Options Template  
   A template that describes the format of the Flow measurement  
   parameters (like the sampling algorithm, sampling interval) done at  
   the Exporter. Option Templates are identified by a well-known  
   Template ID. 
 
 
   Options Data Record 
   The data record that contains values of the Flow measurement  
   parameters corresponding to an Option Template. 
 
   FlowSet ID 
   The FlowSet ID is used to distinguish the different FlowSet Types:
   Template, Option and Data. FlowSet IDs between 0 and 255 are
   reserved.
   The Template FlowSet has a FlowSet ID equal to 0.
   The Option Template FlowSet has a FlowSet ID equal to 1.
   The Data FlowSets have a FlowSet ID greater than 255.
 
    
3. NetFlow High Level Picture on the Exporter 
    
3.1 The NetFlow Process on the Exporter 
    
   The description of the NetFlow Process (sampled NetFlow, full  
   NetFlow or aggregation), i.e. the way that Flows are deduced from  
   the observed IP packets is out of the scope of this document. 
    
3.2 Flow Expiration 
    
   A Flow is considered to be inactive if no packets of this Flow have
   been observed at the Observation Point for a given timeout interval.
   The Flow can be exported under the following conditions:

    1. If the Exporter can deduce the end of a Flow, the Exporter
       SHOULD export the Flow Records when the end of the Flow is
       detected.  For example: Flow generated by TCP [3] type of
       traffic where the FIN or RST bits indicate the end of the Flow.

    2. If the Flow has been inactive for a certain period of time. This
       inactivity timeout SHOULD be configurable.  For example: Flow
       generated by UDP [2] type of traffic.

    3. For long lasting Flows, the Exporter SHOULD export the Flow
       Records on a regular basis, in order to report the periodic
       accounting information of the Flow Records to the Collector.
       This activity timeout SHOULD be configurable.

    4. If the Exporter experiences internal constraints, a Flow MAY be
       prematurely expired (example: counters wrapping or low memory).
 
 
3.3 Transport Protocol 
    
   To achieve efficiency in terms of processing at the Exporter while  
   handling high volume of export, Flow Records are grouped together  
   into UDP [2] datagrams for export to the Collector. Nevertheless  
   NetFlow Version 9 has been designed to be transport protocol  
   independent. Hence, it can also operate over congestion aware  
   protocols like TCP [3] or SCTP [4].  
 
   Note that the Exporter has the possibility to export to multiple  
   Collectors.  
    
    
4. Packet Layout 
    
   An Export Packet consists of a Packet Header followed by one or
   more FlowSets. The FlowSets can be any of the possible types:
   Template, Data or Option.
 
   Export Packet: 
   +--------+------------------------------------------+ 
   |        | +----------+ +---------+ +---------+     | 
   | Packet | | Template | | Data    | | Option  |     | 
   | Header | | FlowSet  | | FlowSet | | FlowSet | ... | 
   |        | +----------+ +---------+ +---------+     | 
   +--------+------------------------------------------+ 
 
   The possible combinations that can occur in an Export Packet are: 
 
   - An Export Packet that consists of interleaved Template and Data  
   FlowSets.  
 
     Export Packet: 
     +--------+-------------------------------------------------------+ 
     |        | +----------+ +---------+     +----------+ +---------+ | 
     | Packet | | Template | | Data    | ... | Template | | Data    | | 
     | Header | | FlowSet  | | FlowSet | ... | FlowSet  | | FlowSet | | 
     |        | +----------+ +---------+     +----------+ +---------+ | 
     +--------+-------------------------------------------------------+ 
 
   - An Export Packet consisting entirely of Data FlowSets. Once the
   appropriate Template IDs have been defined and transmitted to the
   Collector device, the majority of Export Packets will consist solely
   of Data FlowSets.
 
 
     Export Packet: 
     +--------+----------------------------------------------+ 
     |        | +---------+     +---------+      +---------+ | 
     | Packet | | Data    | ... | Data    | ...  | Data    | | 
     | Header | | FlowSet | ... | FlowSet | ...  | FlowSet | | 
     |        | +---------+     +---------+      +---------+ | 
     +--------+----------------------------------------------+   
 
   - An Export Packet consisting entirely of Template FlowSets. The   
   Exporter MAY transmit a packet containing Template FlowSets only, 
   ahead of time to help ensure that the Collector has the correct 
   template information before receiving the first data FlowSet. 
 
     Export Packet: 
     +--------+-------------------------------------------------+ 
     |        | +----------+     +----------+      +----------+ | 
     | Packet | | Template | ... | Template | ...  | Template | | 
     | Header | | FlowSet  | ... | FlowSet  | ...  | FlowSet  | | 
     |        | +----------+     +----------+      +----------+ | 
     +--------+-------------------------------------------------+ 
  
   A Template FlowSet provides a description of the fields that will be  
   present in future Data FlowSets.  These Data FlowSets MAY occur  
   later within the same Export Packet or in subsequent Export Packets. 
  
   The format of both Template and Data FlowSets will be discussed  
   later in this document. 
    
    
5. Export Packet Format 
    
5.1 Header Format 
    
   Note that the Packet Header format has been kept similar to the one
   developed for the different versions of NetFlow defined by Cisco
   Systems, for backward compatibility.
   This is also the reason why the version field is 9 with this
   version.
 

 
 
     0                   1                   2                   3 
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Version Number          |            Count              | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           sysUpTime                           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           Unix Secs                           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                       Sequence Number                         | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                        Source ID                              | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
 
  
    Packet Header Field Descriptions  
 
    Version
              The version of Flow Record format exported in this
              packet.
              For this current version, this value will be 0x0009.

    Count
              Count is the total number of records in the Export
              Packet, where the records are the record(s) in the
              Option FlowSet, the record(s) in the Template FlowSet
              and the record(s) in the Data FlowSet.
 
    SysUpTime 
              Time in milliseconds since this device was first booted. 
              Refer to [1]. 
 
    Unix Secs 
              Seconds since 0000 UTC 1970. 
  
    Sequence Number 
              Incremental sequence counter of all Export Packets sent  
              from the current Observation Domain by the Exporter. This  
              value will be cumulative, and can be used to identify  
              whether any Export Packets have been missed.  
 
 
 
 
 
    Source ID 
              The Source ID field is a 32-bit value that characterizes  
              the Observation Domain. Collectors SHOULD use the  
              combination of the source IP address and the Source ID  
              field to separate different export streams originating  
              from the same Exporter. 
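
   One way a Collector can apply the Sequence Number and Source ID
   fields, as an added example in Python (not part of this draft and
   not Cisco code). It assumes the counter advances by one per Export
   Packet, as described above; build_header, ExportStreams and the
   half-range rule for late packets are assumptions of the example.

```python
import struct

# Packet Header: Version, Count, sysUpTime, Unix Secs, Sequence Number,
# Source ID. 20 bytes in network byte order.
HEADER = struct.Struct("!HHIIII")


def build_header(seq, source_id, count=0, uptime_ms=0, unix_secs=0):
    """Constructed sample input: a Version 9 Packet Header and no FlowSets."""
    return HEADER.pack(9, count, uptime_ms, unix_secs, seq, source_id)


class ExportStreams:
    """Keeps the last Sequence Number per (exporter address, Source ID)."""

    def __init__(self):
        self._last_seq = {}

    def observe(self, exporter_addr, datagram):
        """Classify one Export Packet against the stream it belongs to."""
        if len(datagram) < HEADER.size:
            raise ValueError("shorter than the 20-byte Packet Header")
        version, _count, _uptime, _secs, seq, source_id = \
            HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError("version %d, expected 9" % version)

        # Two Observation Domains on one Exporter count independently, so
        # the stream key is the source address together with the Source ID.
        key = (exporter_addr, source_id)
        last = self._last_seq.get(key)
        if last is None:
            self._last_seq[key] = seq
            return {"stream": key, "status": "first", "missed": 0}

        # The counter is 32 bits wide, so compare modulo 2**32.
        delta = (seq - last) & 0xFFFFFFFF
        if delta == 0 or delta > 0x7FFFFFFF:
            # Assumption: a value at or behind the last one seen is a
            # duplicate or a late packet, and must not rewind the counter.
            return {"stream": key, "status": "stale", "missed": 0}

        self._last_seq[key] = seq
        status = "in_order" if delta == 1 else "gap"
        return {"stream": key, "status": status, "missed": delta - 1}
```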
    
    
5.2 Template FlowSet Format 
    
   One of the key elements in the NetFlow format is the Template  
   FlowSet. Templates greatly enhance the flexibility of the Flow  
   Record format, because they allow a Collector to process Flow  
   Records without necessarily knowing the interpretation of all the  
   data in the Flow Record.   
 
   The format of the Template FlowSet is described below: 
 
     0                   1                   2                   3 
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       FlowSet ID = 0          |          Length               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Template ID 1           |         Field Count           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |        Field Type 1           |         Field Length 1        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |        Field Type 2           |         Field Length 2        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |             ...               |              ...              | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |        Field Type N           |         Field Length N        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Template ID 2           |         Field Count           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |        Field Type 1           |         Field Length 1        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |        Field Type 2           |         Field Length 2        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |             ...               |              ...              | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |        Field Type M           |         Field Length M        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

 
 
  
    Template FlowSet Field Descriptions  
 
    FlowSet ID 
           The FlowSet ID is 0 in the case of Template FlowSet 
             
    Length
           Total length of this FlowSet. Since an individual Template
           FlowSet MAY contain multiple Template Records, the Length
           value MUST be used to determine the position of the next
           FlowSet Record, which could be any type of FlowSet.
           Length is expressed like the "length" field in Type Length
           Value (TLV) format, which is the sum total of the lengths of
           FlowSet ID, Length itself and all Template Records within
           this Template FlowSet.
 
    Template ID 
           As a router generates different Template FlowSets to match 
           the type of data it will be exporting, each individual 
           Template is given a unique ID. This uniqueness is local to  
           the Observation Domain that generated the Template ID.  
           Template IDs 0-255 are reserved for FlowSet IDs. Templates  
           that define Data Record formats begin numbering at 256. 
 
    Field Count
           Number of fields in this Template Record. Since a Template
           FlowSet usually contains multiple Template Records, this
           field allows the Collector to determine the end of the
           current Template Record and the start of the next.
  
    Field Type 
           A numeric value that represents the type of the field. Refer  
           to the Field Type Definitions section.        
  
    Field Length
           The length of the above-defined field, in bytes. Refer to
           the Field Type Definitions section.
 
    
5.3 Data FlowSet Format 
    
    The format of the Data FlowSet is described below: 
 

 
 
      0                   1                   2                   3 
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |    FlowSet ID = Template ID   |          Length               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 1 - Field Value 1    |   Record 1 - Field Value 2    | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 1 - Field Value 3    |             ...               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 2 - Field Value 1    |   Record 2 - Field Value 2    | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 2 - Field Value 3    |             ...               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 3 - Field Value 1    |             ...               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |              ...              |            Padding            | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
 
    Data FlowSet Field Descriptions
 
    FlowSet ID = Template ID 
           Each group of records within a Data FlowSet will be preceded  
           by a FlowSet ID. The FlowSet ID maps to a (previously  
           generated) Template ID. The Collector MUST use the FlowSet  
           ID to map the appropriate type and length to any field  
           values that follow. 
 
    Length
           The length of the Data FlowSet.
           Length is expressed like the "length" field in TLV format,
           which is the sum total of the lengths of FlowSet ID, Length
           itself, all records within this FlowSet and the padding
           bytes (if present).
  
    Record N - Field Value N
           The remainder of the Data FlowSet is a collection of Flow
           Records each containing a set of field types and values. The
           Type and Length of the fields have been previously defined
           in the Template Record referenced by the FlowSet ID/Template
           ID.
 
 
 
 
    Padding 
           Padding SHOULD be inserted to align the end of the FlowSet
           on a 32 bit boundary. Note that the Length field includes
           those padding bits.
 
   The important part in interpreting the Data FlowSet format is  
   to understand that the fields cannot be parsed without a  
   corresponding Template ID. 
    
    
6. Options 
 
    
6.1 Options Template FlowSet 
    
   The Options Template (and its corresponding Options Data Record) is
   used to supply information about the NetFlow Process configuration
   or NetFlow Process specific data, rather than supplying information
   about IP Flows.
   An example is the sample rate of a specific interface, if sampling
   is supported, along with the sampling method used.
 
   The format of the Options Template FlowSet is detailed below: 
 
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       FlowSet ID = 1          |          Length               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |         Template ID           |      Option Scope Length      | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |        Option Length          |       Scope 1 Field Type      | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     Scope 1 Field Length      |               ...             | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     Scope N Field Length      |      Option 1 Field Type      | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     Option 1 Field Length     |             ...               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     Option N Field Length     |           Padding             | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
 
 
 
 
 
Claise                      Informational                   [Page 15] 
           Cisco Systems NetFlow Services Export Version 9  June 2002 
 
 
    Options Template Field Definitions   
 
    FlowSet ID = 1 
           FlowSet ID of 1 is reserved for Option Template.
  
    Length 
           Total length of this FlowSet. Since an individual Option  
           Template MAY contain multiple Template IDs, the Length value  
           MUST be used to determine the position of the next FlowSet  
           record, which could be either a Template FlowSet or Data  
           FlowSet.                
           Length is expressed like the "length" field in TLV format  
           which is the sum total of lengths of FlowSet ID, Length  
           itself and all Template Records within this FlowSet Template  
           ID.    
                     
    Template ID 
           Template ID is greater than 255.
           Template IDs below 255 are reserved.
  
    Option Scope Length 
           The length in bytes of any Scope fields contained in this  
           Options Template (The use of "Scope" is described below). 
  
    Options Length 
           The length (in bytes) of any options field definitions  
           contained in this Options Template. 
  
    Scope 1 Field Type 
           The relevant portion of the Exporter/NetFlow Process to  
           which the Options Record refers. Currently defined values  
           are: 
                      0x0001 System   
                      0x0002 Interface  
                      0x0003 Line Card  
                      0x0004 Cache  
                      0x0005 Template      
           For example, the NetFlow Process can be implemented on a 
           per-interface basis, so if the Options record were reporting  
           on how the NetFlow Process is configured, the SCOPE for the  
           report would be 0x0002 (Interface). The associated Interface  
           ID would then be carried in the associated Option Data  
           FlowSet.

    Scope 1 Field Length 
           The length (in bytes) of the scope field, as it would appear  
           in an Options Record. 
  
    Option 1 Field Type 
           A numeric value that represents the type of the field that  
           will appear in the Options record. Refer to the Field Type   
           Definitions section. 
 
    Option 1 Field Length 
           The length (in bytes) of the field, as it would appear in an  
           Options Record. 
 
    Padding 
           Padding SHOULD be inserted to align the end of the FlowSet
           on a 32 bit boundary. Note that the Length field includes
           those padding bits.
 
    
6.2 Options Data FlowSet 
    
   The Option Data records are sent in Data FlowSets on a regular
   basis, but not with every single Flow Record. How frequently these
   Option Data Records are exported is configurable. See the Templates
   Management section for more details.
 
   The Options Data format is described below:

      0                   1                   2                   3 
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |    FlowSet ID = Template ID   |          Length               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 1 - Scope 1 Value    |Record 1 - Option Field 1 Value| 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |Record 1 - Option Field 2 Value|             ...               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 2 - Scope 1 Value    |Record 2 - Option Field 1 Value| 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |Record 2 - Option Field 2 Value|             ...               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Record 3 - Scope 1 Value    |Record 3 - Option Field 1 Value| 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |Record 3 - Option Field 2 Value|             ...               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |              ...              |            Padding            | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
 
  Options Data FlowSet Field Descriptions  
 
    FlowSet ID = Template ID 
           Each group of records within an Option Data FlowSet will be  
           preceded by a FlowSet ID. The FlowSet ID maps to a  
           (previously generated) Template ID. The Collector MUST use  
           the FlowSet ID to map the appropriate type and length to any  
           field values that follow. 
 
    Length 
           The length of the Option Data FlowSet.  
           Length is expressed like the "length" field in TLV format  
           which is the sum total of lengths of FlowSet ID, Length  
           itself, all Template Records within this FlowSet Template ID  
           and the padding bytes (if present).       
  
    Record N - Option Field N Value 
           The remainder of the Option Data FlowSet is a collection of  
           Flow Records each containing a set of field types and  
           values. The Type and Length of the fields have been  
           previously defined in the Option Template Record referenced  
           by the FlowSet ID/Template ID.

    Padding 
           Padding SHOULD be inserted to align the end of the FlowSet
           on a 32 bit boundary. Note that the Length field includes
           those padding bits.
 
   The important part in interpreting the Options Data FlowSet format  
   is to understand that the fields cannot be parsed without a  
   corresponding Template ID. 
    
    
7. Templates Management 
    
   The Template IDs must remain constant at least from one
   re-initialization of the NetFlow Process to the next
   "re-initialization".
   If the Exporter or the NetFlow Process reinitializes itself, all  
   information about Templates will be lost. New Template IDs MUST be  
   recreated. Template IDs are thus not guaranteed to be consistent  
   across an exporter or NetFlow Process restart. 
 
   If a Template FlowSet (or Option Template FlowSet) is contained in
   an export packet, it will apply to all Data FlowSets (or to all
   Option Data FlowSets) in the export packet (and all subsequent
   packets), regardless of the order of the FlowSets in the export
   packet.
 
   When a new template is configured on the exporter, it will always
   generate a new Template ID. According to the same principles, if the
   template configuration is changed, then the current Template ID is
   abandoned and not reused until the next exporter
   reinitialization. A new Template ID MUST be assigned to this new
   Template, in order to avoid any confusion on the Collector.
 
   If a template configured on the exporter is deleted and then
   re-configured with exactly the same parameters, the same
   Template ID COULD be reused.
 
   The Exporter sends the Template FlowSet and Option Template FlowSet 
   under the following conditions: 
 
    1. On an Exporter or NetFlow Process restart, the Exporter MUST NOT 
       send any Data Flowset without having the corresponding Template 
       Flowset and the required Option Template Flowset sent out in a 
       previous packet or in the same packet. It MAY transmit this
       Template FlowSet and Option Template FlowSet, without any Data
       FlowSets, ahead of time to help ensure that the Collector will
       have the correct template information before receiving the first
       data.
 
    2. On NetFlow Process configuration changes, i.e. whenever a
       new Template is created, the exporter SHOULD send the
       incremental changes at an accelerated rate. Again, it MAY
       transmit this Template FlowSet and Option Template FlowSet,
       without any data, ahead of time to help ensure that the
       Collector will have the correct template information before
       receiving the first data.
 
    3. On a regular basis, the Exporter MUST send all the Template  
       FlowSets to refresh the exporter. Keep in mind that the Template  
       IDs have a limited lifetime and MUST be periodically refreshed.  
       Two ways are possible: 
        * every N export packets.
        * on a regular basis, i.e. every N minutes.
       Both options MUST be user configurable.
       When one of these expiry conditions is met, the Exporter MUST
       send the Template FlowSet and Option Template FlowSet without
       waiting for the next Data FlowSet, i.e. without waiting for the
       next expired Flow.
    
    
8. Field Type Definitions 
    
   The table below describes all the field type definitions that an
   exporter MAY support. The fields are a selection of Packet Header
   fields, lookup results (for example the AS numbers or the subnet
   masks), and properties of the packet itself, such as its length.
 
    Field Type             Value   Length  Description
                                   (bytes)

    IN_BYTES                 1       N     counter with length
                                           N x 8 bits for bytes
                                           associated with an IP Flow

    IN_PKTS                  2       N     counter with length
                                           N x 8 bits for packets
                                           associated with an IP Flow

    FLOWS                    3       4     Number of Flows
                                           that were aggregated

    PROT                     4       1     IP protocol byte

    TOS                      5       1     Type of service byte

    TCP_FLAGS                6       1     TCP Flags (cumulative OR
                                           of TCP flags)

    L4_SRC_PORT              7       2     TCP/UDP source port number
                                           (e.g., FTP, Telnet,
                                           etc., or equivalent)

    IP_SRC_ADDR              8       N     Source IP Address
                                           IPv4 have N=4
                                           IPv6 have N=16

    SRC_MASK                 9       1     source route mask bits

    INPUT_SNMP               10      2     Input interface index

    L4_DST_PORT              11      2     TCP/UDP destination port
                                           number (e.g., FTP, Telnet,
                                           etc., or equivalent)

    IP_DST_ADDR              12      N     Destination IP Address
                                           IPv4 have N=4
                                           IPv6 have N=16

    DST_MASK                 13      1     destination route mask bits

    OUTPUT_SNMP              14      2     Output interface index

    IP_NEXT_HOP              15      N     Next hop router's IP
                                           address
                                           IPv4 have N=4
                                           IPv6 have N=16

    SRC_AS                   16      4     Source BGP Autonomous
                                           System number

    DST_AS                   17      4     Destination BGP Autonomous
                                           System number

    BGP_NEXT_HOP             18      N     Next-hop router's IP
                                           in the BGP domain
                                           IPv4 have N=4
                                           IPv6 have N=16

    MUL_DPKTS                19      4     Packet count for IP
                                           multicast

    MUL_DOCTETS              20      4     Octet (byte) count for IP
                                           multicast

    LAST_SWITCHED            21      4     SysUptime at which the
                                           last packet of this Flow
                                           was switched

    FIRST_SWITCHED           22      4     SysUptime at which the
                                           first packet of this Flow
                                           was switched

    PKTS                     24      8     64-bit counter for packets
                                           associated with an IP Flow

    TOTAL_BYTES_EXP          40      4     Number of Bytes exported by
                                           the Observation Domain

    TOTAL_EXP_PKTS_SENT      41      4     Number of Packets exported
                                           by the Observation Domain

    TOTAL_FLOWS_EXP          42      4     Number of Flows exported by
                                           the Observation Domain
 
   The value field is a numeric identifier for the field type.

   When extensibility is needed (when new technologies require new
   field types), the new field types will be added to the list. Only
   the field types file on the Collector will have to be updated; the
   NetFlow export format will remain unchanged. Refer to the latest
   documentation at http://www.cisco.com for the newly updated list.

    
9. The Collector's side 
    
   The Collector will receive template definitions from the Exporter,
   normally before receiving Flow Records. The Flow Records can then be
   decoded and stored locally on the devices. If the template
   definitions have not been received at the time a Flow Record is
   received, the Collector SHOULD keep the Flow Record for later
   decoding once the template definitions have been received. A
   Collector device MUST NOT assume that the Data FlowSet and the
   associated Template IDs are exported in the same Export Packet.
 
   The Collector MUST NOT assume that one and only one Template FlowSet  
   is present in an Export Packet; in rare circumstances, the Export  
   Packet MAY contain several Template FlowSets.  
 
   Templates live only for a certain timeframe. The lifetime of a
   Template SHOULD be deduced on the Collector from the time at which
   the last Template FlowSet was received from the Exporter. The
   Collector MUST NOT attempt to decode the Flow Records with an
   expired Template.
   Hence, the Collector SHOULD maintain a list similar to the following:
   <Exporter, Observation Domain, Template ID, Template Def, Last
   Received>
 
   If a new Template definition is received (for example in case of an  
   Exporter restart) it SHOULD immediately override the existing  
   definition. 
 
   Keep in mind that the Template IDs are unique per Exporter and per  
   Observation Domain. 
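
   The Collector rules of this section, as an added Python example
   that is not part of the draft: templates are keyed by Exporter,
   Observation Domain and Template ID, expired entries are never
   returned, and Data FlowSets held for a missing template are bounded.
   Assumptions: the 1800 second lifetime, the 64-entry bound, and
   identifying the Exporter by its source address.

```python
import time
from collections import defaultdict

TEMPLATE_LIFETIME = 1800.0  # seconds; assumed value, the draft leaves the lifetime open
MAX_PENDING = 64            # assumed cap on Data FlowSets held per missing template


class TemplateCache:
    """Rows of <Exporter, Observation Domain, Template ID, Template Def, Last Received>."""

    def __init__(self, lifetime=TEMPLATE_LIFETIME, clock=time.monotonic):
        self.lifetime = lifetime
        self.clock = clock
        self.templates = {}               # key -> (fields, last_received)
        self.pending = defaultdict(list)  # key -> Data FlowSet bodies awaiting a template

    def learn(self, exporter, domain, template_id, fields):
        """Store or refresh a definition; return held bodies that can now be decoded."""
        if template_id <= 255:
            raise ValueError("Template ID must be greater than 255")
        if not fields or sum(length for _type, length in fields) == 0:
            raise ValueError("template describes zero-length records")
        key = (exporter, domain, template_id)
        # A new definition (e.g. after an Exporter restart) overrides the old one at once.
        self.templates[key] = (tuple(fields), self.clock())
        return self.pending.pop(key, [])

    def lookup(self, exporter, domain, template_id):
        """Return the field list, or None when the template is unknown or expired."""
        key = (exporter, domain, template_id)
        entry = self.templates.get(key)
        if entry is None:
            return None
        fields, last_received = entry
        if self.clock() - last_received > self.lifetime:
            del self.templates[key]       # never decode with an expired Template
            return None
        return fields

    def hold(self, exporter, domain, template_id, body):
        """Keep a Data FlowSet body for later decoding, within a fixed bound."""
        queue = self.pending[(exporter, domain, template_id)]
        if len(queue) >= MAX_PENDING:
            queue.pop(0)                  # drop the oldest instead of growing unbounded
        queue.append(body)


def demo():
    """Walk the cache through the cases of this section with a fake clock."""
    now = [0.0]
    cache = TemplateCache(lifetime=60.0, clock=lambda: now[0])
    exporter_a, exporter_b = "192.0.2.1", "192.0.2.2"      # constructed addresses
    fields = [(8, 4), (12, 4), (15, 4), (2, 4), (1, 4)]    # Template 256, Section 10.2
    cache.hold(exporter_a, 0, 256, b"\x00" * 20)           # data seen before its template
    released = cache.learn(exporter_a, 0, 256, fields)
    other_exporter = cache.lookup(exporter_b, 0, 256)      # same ID, different Exporter
    now[0] = 59.0
    fresh = cache.lookup(exporter_a, 0, 256)
    now[0] = 61.0
    expired = cache.lookup(exporter_a, 0, 256)
    return len(released), other_exporter, fresh, expired
```

   Because export packets arrive over an unauthenticated transport,
   bounding the held data keeps a sender that never supplies a template
   from exhausting Collector memory.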
    
    
10. Examples 
    
    Let's take the example of an Export Packet composed of a Template
    FlowSet, a Data FlowSet (composed of 3 Flow Records), one
    Option Template and one Option Data FlowSet (composed of 2
    Records).

    Export Packet: 
    +--------+---------------------------------------. . . 
    |        | +--------------+ +------------------+  
    | Packet | | Template     | | Data             |  
    | Header | | FlowSet      | | FlowSet          |   . . . 
    |        | | (1 Template) | | (3 Flow Records) |  
    |        | +--------------+ +------------------+  
    +--------+---------------------------------------. . . 
 
              . . .+-------------------------------------------+ 
                   +------------------+ +------------------+ | 
                   | Option           | | Option           | | 
              . . .| Template FlowSet | | Data FlowSet     | | 
                   | (1 Template)     | | (2 Records)      | | 
                   +------------------+ +------------------+ | 
              . . .-------------------------------------------+ 
 
    
10.1 Packet Header Example 
    
   The Packet Header is composed of: 
 
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     Version = 0x0009          |          Count = 7            | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           sysUpTime                           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           Unix Secs                           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                       Sequence Number                         | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           Source ID                           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
    
10.2 Template FlowSet Example 
 
   We want to report the following Field Types: 
   - The source IP address (IPV4), so the length is 4 
   - The destination IP address (IPV4), so the length is 4 
   - The Next Hop IP address (IPV4), so the length is 4
   - The number of bytes of the flow
   - The number of packets of the flow
 
   So the Template FlowSet will be composed of: 
 
     0                   1                   2                   3 
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       FlowSet ID = 0          |      Length = 28 bytes        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Template ID 256         |       Field Count = 5         | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     IP_SRC_ADDR = 0x0008      |       Field Length = 4        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     IP_DST_ADDR = 0x000C      |       Field Length = 4        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |     IP_NEXT_HOP = 0x000F      |       Field Length = 4        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       IN_PKTS = 0x0002        |       Field Length = 4        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       IN_BYTES = 0x0001       |       Field Length = 4        | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
    
10.3 Data FlowSet Example 
 
   In this example, we are reporting the following 3 Flow records: 
 
   Src IP addr. | Dst IP addr. | Next Hop addr. | Packet | Bytes
                |              |                | Number | Number
   -------------+--------------+----------------+--------+--------
   198.168.1.12 | 10.5.12.254  | 192.168.1.1    | 5009   | 5344385
   192.168.1.27 | 10.5.12.23   | 192.168.1.1    | 748    | 388934
   192.168.1.56 | 10.5.12.65   | 192.168.1.1    | 5      | 6534

      0                   1                   2                   3 
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       FlowSet ID = 256        |          Length = 64          | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                          198.168.1.12                         | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                          10.5.12.254                          | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                          192.168.1.1                          | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                             5009                              | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                            5344385                            |  
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                          192.168.1.27                         | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           10.5.12.23                          |  
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                          192.168.1.1                          | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                              748                              | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                             388934                            | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                          192.168.1.56                         | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           10.5.12.65                          | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                           192.168.1.1                         | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                               5                               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |                              6534                             | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
 
    Note that padding was not necessary in this specific example. 
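
   The Template FlowSet of Section 10.2 and the Data FlowSet above,
   decoded by an added Python example (not part of the draft) that
   checks every Length field before using it. The packet bytes are
   constructed from the two diagrams; the zeroed header timestamps, the
   Count of 4 and the rejection of malformed lengths with ValueError
   are assumptions of this example.

```python
import ipaddress
import struct

HEADER_LEN = 20  # Version, Count, sysUpTime, Unix Secs, Sequence Number, Source ID
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IP_SRC_ADDR",
               12: "IP_DST_ADDR", 15: "IP_NEXT_HOP"}
ADDRESS_TYPES = {8, 12, 15}


def iter_flowsets(packet):
    """Yield (flowset_id, body) for each FlowSet, checking every Length first."""
    if len(packet) < HEADER_LEN or struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow version 9 Export Packet")
    offset = HEADER_LEN
    while offset < len(packet):
        if len(packet) - offset < 4:
            raise ValueError("truncated FlowSet header")
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        # Length includes its own 4 header bytes: a smaller value would never
        # advance the offset, a larger one would read past the datagram.
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad FlowSet Length %d at offset %d" % (length, offset))
        yield flowset_id, packet[offset + 4:offset + length]
        offset += length


def parse_templates(body):
    """Parse a Template FlowSet body into {template_id: [(type, length), ...]}."""
    templates, pos = {}, 0
    while len(body) - pos >= 4:
        template_id, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if template_id <= 255 or count == 0 or pos + 4 * count > len(body):
            raise ValueError("malformed Template Record")
        templates[template_id] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                  for i in range(count)]
        pos += 4 * count
    return templates


def decode_records(body, fields):
    """Decode a Data FlowSet body; up to 3 trailing bytes are treated as padding."""
    record_len = sum(length for _type, length in fields)
    if record_len == 0 or len(body) % record_len > 3:
        raise ValueError("Data FlowSet does not match its template")
    records = []
    for start in range(0, len(body) - record_len + 1, record_len):
        record, pos = {}, start
        for ftype, length in fields:
            raw = body[pos:pos + length]
            name = FIELD_NAMES.get(ftype, "type_%d" % ftype)
            if ftype in ADDRESS_TYPES and length in (4, 16):
                record[name] = str(ipaddress.ip_address(raw))
            else:
                record[name] = int.from_bytes(raw, "big")
            pos += length
        records.append(record)
    return records


def decode_packet(packet):
    """Decode all Data FlowSets of one packet using the templates it carries."""
    templates, data = {}, []
    for flowset_id, body in iter_flowsets(packet):
        if flowset_id == 0:
            templates.update(parse_templates(body))
        elif flowset_id > 255:
            data.append((flowset_id, body))
    # Templates apply regardless of FlowSet order, so data is decoded afterwards.
    flows = []
    for flowset_id, body in data:
        if flowset_id in templates:
            flows.extend(decode_records(body, templates[flowset_id]))
    return flows


def build_example_packet():
    """Constructed bytes: header plus the FlowSets of Sections 10.2 and 10.3."""
    header = struct.pack("!HHIIII", 9, 4, 0, 0, 0, 0)  # Count 4 = 1 template + 3 flows
    template = struct.pack("!HHHH", 0, 28, 256, 5) + b"".join(
        struct.pack("!HH", ftype, 4) for ftype in (8, 12, 15, 2, 1))
    rows = [("198.168.1.12", "10.5.12.254", "192.168.1.1", 5009, 5344385),
            ("192.168.1.27", "10.5.12.23", "192.168.1.1", 748, 388934),
            ("192.168.1.56", "10.5.12.65", "192.168.1.1", 5, 6534)]
    data = struct.pack("!HH", 256, 64) + b"".join(
        b"".join(ipaddress.ip_address(a).packed for a in row[:3])
        + struct.pack("!II", row[3], row[4]) for row in rows)
    return header + template + data
```

   A Length of 0 in either FlowSet, or a Data FlowSet Length that runs
   past the end of the datagram, is rejected before any field is read.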
    
10.4 Option Template FlowSet Example 
    
   Per Line Card (the exporter being composed of 2 Line Cards), we want  
   to report the following Field Types: 
   - The total number of export packets
   - The total number of exported flows
 
   The format of the Options Template FlowSet is detailed below: 
 
      0                   1                   2                   3 
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       FlowSet ID = 1          |          Length = 24          | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Template ID 257         |    Option Scope Length = 4    | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Option Length = 8       |  Scope 1 Field Type = 0x0003  | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |   Scope 1 Field Length = 2    |   TOTAL_EXP_PKTS_SENT = 41    | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Field Length = 4        |     TOTAL_FLOWS_EXP = 42      | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |       Field Length = 4        |           Padding             | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
    
10.5 Option Data FlowSet Example 
 
   In this example, we are reporting the following 2 records: 
 
   Line Card ID | Export Packet| Export Flow  
 
   Line Card 1  | 345          | 10201     
   Line Card 2  | 690          | 20402 
 
      0                   1                   2                   3 
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |    FlowSet ID = 257           |         Length = 14           | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |             1                 |             345               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |           10201               |              2                | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |             2                 |             690               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
     |           20402               |           Padding             | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
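
   The Options Template FlowSet of Section 10.4, parsed by an added
   Python example (not part of the draft) that checks the Option Scope
   Length and Option Length against the FlowSet Length and then splits
   each record into scope and option values. It handles one Options
   Template per FlowSet; the template bytes are constructed from the
   10.4 diagram and the record bytes from the two Line Card rows above,
   using the field lengths that template declares.

```python
import struct

SCOPE_NAMES = {1: "System", 2: "Interface", 3: "Line Card", 4: "Cache", 5: "Template"}
OPTION_NAMES = {40: "TOTAL_BYTES_EXP", 41: "TOTAL_EXP_PKTS_SENT", 42: "TOTAL_FLOWS_EXP"}


def parse_options_template(flowset):
    """Parse an Options Template FlowSet (FlowSet ID = 1) holding one template."""
    if len(flowset) < 10:
        raise ValueError("too short for an Options Template")
    flowset_id, length, template_id, scope_len, option_len = struct.unpack_from(
        "!HHHHH", flowset, 0)
    if flowset_id != 1:
        raise ValueError("not an Options Template FlowSet")
    if length < 10 or length > len(flowset):
        raise ValueError("Length does not fit the received bytes")
    if template_id <= 255:
        raise ValueError("Template ID must be greater than 255")
    # Both lengths count bytes of 4-byte (type, length) pairs and must fit in Length.
    if scope_len % 4 or option_len % 4 or 10 + scope_len + option_len > length:
        raise ValueError("scope/option lengths inconsistent with FlowSet Length")
    pairs = [struct.unpack_from("!HH", flowset, 10 + i)
             for i in range(0, scope_len + option_len, 4)]
    scopes, options = pairs[:scope_len // 4], pairs[scope_len // 4:]
    if sum(n for _type, n in scopes + options) == 0:
        raise ValueError("template describes zero-length records")
    return {"template_id": template_id, "scopes": scopes, "options": options}


def decode_option_records(template, body):
    """Split each record of an Options Data FlowSet body into (scope, values)."""
    fields = template["scopes"] + template["options"]
    n_scopes = len(template["scopes"])
    record_len = sum(n for _type, n in fields)
    records = []
    for start in range(0, len(body) - record_len + 1, record_len):
        pos, scope, values = start, {}, {}
        for index, (ftype, n) in enumerate(fields):
            value = int.from_bytes(body[pos:pos + n], "big")
            if index < n_scopes:
                scope[SCOPE_NAMES.get(ftype, "scope_%d" % ftype)] = value
            else:
                values[OPTION_NAMES.get(ftype, "type_%d" % ftype)] = value
            pos += n
        records.append((scope, values))
    return records


# Constructed bytes for the Section 10.4 FlowSet, ending with 2 padding bytes.
EXAMPLE_TEMPLATE = (struct.pack("!HHHHH", 1, 24, 257, 4, 8)
                    + struct.pack("!HHHHHH", 3, 2, 41, 4, 42, 4) + b"\x00\x00")
# Constructed record bytes (no FlowSet header) for Line Card 1 and Line Card 2.
EXAMPLE_RECORDS = (struct.pack("!HII", 1, 345, 10201)
                   + struct.pack("!HII", 2, 690, 20402))
```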
 
 
 
 
 
11. References 
    
    [1]  "Management Information Base for Version 2 of the Simple  
         Network Management Protocol (SNMPv2)", RFC 1907, January 1996 
  
    [2]  "User Datagram Protocol", RFC 768, August 1980 
 
    [3]  "TRANSMISSION CONTROL PROTOCOL DARPA INTERNET PROGRAM PROTOCOL 
         SPECIFICATION", RFC 793, September 1981 
 
    [4]  "Stream Control Transmission Protocol", RFC 2960, October 2000 
    
    
12. Contributors 
    
   This document was written as a joint work between Vamsidhar Valluri 
   <vvalluri@cisco.com>, Martin Djernaes <djernaes@cisco.com> and Ganesh 
   Sadasivan <gsadasiv@cisco.com>. 
    
     
13. Acknowledgments 
    
   I would like to thank Pritam Shah for the good technical feedback. 
    
    
14. Author Addresses 
    
   Benoit Claise 
   Cisco Systems 
   De Kleetlaan 6a b1 
   1831 Diegem 
   Belgium 
   Phone: +32 2 704 5622 
   Email: bclaise@cisco.com