Internet Draft
Expiration: December 2002                                    B. Claise
Document: draft-bclaise-netflow-9-00.txt                 Cisco Systems
Category: Informational                                      June 2002


           Cisco Systems NetFlow Services Export Version 9

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   Cisco Systems NetFlow Services provide network administrators with
   access to information concerning IP Flows within their data
   networks. Exported NetFlow Services data can be used for a variety
   of purposes, including network management and planning, accounting
   and departmental chargebacks, Internet Service Provider billing,
   data warehousing, and data mining for marketing purposes.

   This paper discusses the most recent evolution of the NetFlow flow
   export format, which is known as Version 9. The distinguishing
   feature of the NetFlow Version 9 format compared to previous formats
   is that it is template based. Templates (collections of fields along
   with their description and structure) provide a flexible and
   extensible design to the record format.
   These two features allow future enhancements to NetFlow services
   without requiring concurrent changes to the basic flow-record
   format, and minimize the consumed export bandwidth.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Table of Contents

   1.  Introduction
       1.1  Overview
       1.2  Applications
   2.  Terminology used
   3.  NetFlow High Level Picture on the Exporter
       3.1  The NetFlow Process on the Exporter
       3.2  Flow Expiration
       3.3  Transport Protocol
   4.  Packet Layout
   5.  Export Packet Format
       5.1  Header Format
       5.2  Template FlowSet Format
       5.3  Data FlowSet Format
   6.  Options
       6.1  Options Template FlowSet
       6.2  Options Data FlowSet
   7.  Templates Management
   8.  Field Type Definitions
   9.  The Collector's side
   10. Examples
       10.1  Packet Header Example
       10.2  Template FlowSet Example
       10.3  Data FlowSet Example
       10.4  Option Template FlowSet Example
       10.5  Option Data FlowSet Example
   11. References
   12. Contributors
   13. Acknowledgments
   14. Authors Addresses

1. Introduction

1.1 Overview

   The NetFlow services data can be used for a variety of purposes. A
   non-exhaustive list can be found in the next section.

   This paper discusses the most recent evolution of the NetFlow
   flow-record format, which is known as Version 9. The distinguishing
   feature of the NetFlow Version 9 format compared to previous formats
   is that it is template based. A Template is a collection of fields
   along with the description of their structure and semantics. This
   approach gives the following advantages:

   - The template mechanism is flexible in the sense that only the
     required fields from the IP Flows are exported to the NetFlow
     Collector. This helps achieve bandwidth savings on exported flow
     data and possible memory savings at exporter and collector.
     Sending only the required information can also reduce the network
     load.

   - Using the template mechanism, new fields can be added to NetFlow
     export records without changing the structure of the export record
     format.
     With the previous NetFlow versions, without this template-based
     mechanism, supporting a new field in the Flow Record implied a new
     version of the export protocol format and a new version of the
     NetFlow Collector supporting the parsing of this new export
     protocol format.

   - Templates which are sent to the Collector contain the structural
     information about the exported Flow Record fields. So, even if the
     Collector does not understand the semantics of new fields, it can
     still interpret the Flow Record.

1.2 Applications

   NetFlow Data enables several key customer applications:

   Accounting and billing
      NetFlow Services data provides fine-grained metering (for
      example, Flow data includes details such as IP addresses, packet
      and byte counts, timestamps, Type of Service (TOS), application
      ports and so on) for highly flexible and detailed resource usage
      accounting. Internet Service Providers (ISP) may use this
      information to migrate away from single fee, flat-rate billing to
      more flexible charging mechanisms based on time-of-day, bandwidth
      usage, application usage, quality of service, and so on.
      Enterprise customers may use the information for departmental
      chargeback or cost allocation for resource usage.

   Network planning
      NetFlow Services data captured in long-term observations makes it
      possible to track and anticipate network growth and plan upgrades
      with additional routing devices, ports, or higher-bandwidth
      interfaces. NetFlow data optimizes both strategic network
      planning (such as who to peer with, backbone upgrade planning,
      and routing policy planning) and tactical network engineering
      decisions (such as upgrading the router capacity or the link
      capacity) to minimize the total cost of network operations while
      maximizing network performance, capacity, and reliability.

   Peering agreements
      NetFlow Services data provides ISP peering partners the ability
      to measure the volume and characteristics of traffic exchanged
      with other ISP peers.

   Traffic engineering
      NetFlow Services data provides autonomous system (AS) traffic
      engineering details for an AS. You can use NetFlow-captured
      traffic data to understand traffic trends by source and
      destination. This data can be used to help in network
      optimization for load balancing traffic across alternate paths or
      by forwarding traffic to a preferred route.

   Network monitoring
      NetFlow Services data enables extensive near real-time network
      monitoring capabilities. You can use NetFlow Flow data analysis
      to display traffic patterns associated with individual routing
      devices and switches as well as on a network-wide basis
      (providing aggregate traffic or application-based views) to
      provide proactive problem detection, efficient troubleshooting,
      and rapid problem resolution.

   Application monitoring and profiling
      NetFlow Services data gives content and service providers the
      ability to view detailed, time-based application usage over a
      network. This information makes it possible to plan and allocate
      network and application resources (such as Web server sizing and
      location) to responsively meet customer demands. Measure NetFlow
      traffic data for characterizing IP resources for IP address
      distribution per region (continent or country) or traffic
      breakdown per protocol or application (Voice over IP (VoIP), web
      hosting, gaming, and multimedia).

   User monitoring and profiling
      NetFlow Services data makes it possible to gain a detailed
      understanding of customer/user usage of network and application
      resources. This information may then be used to efficiently plan
      and allocate access, backbone, and application resources as well
      as to detect and resolve potential security and policy
      violations.

   Volume usage-based billing
      NetFlow Services traffic data can be measured to build flexible
      usage-based billing for your users. For example, you can identify
      users by the destination prefix.

   Security analysis
      NetFlow Services data provides details on source and destination
      addresses, the start time of Flows, and application ports.
      NetFlow data measured from a routing device can be used to
      analyze your network security and identify attacks.

   NetFlow data warehousing and mining
      NetFlow data (or derived information) can be warehoused for later
      retrieval and analysis to support proactive marketing and
      customer service programs (for example, to determine which
      applications and services are being used by internal and external
      users and target them for improved service, advertising, and so
      on). This is especially useful for ISPs because NetFlow Services
      data enables them to create great depth in their service
      packaging.

2. Terminology used

   Various terms used in this document are described below:

   IP Flow or Flow
      A Flow is defined as a set of IP packets passing an Observation
      Point in the network during a certain time interval. All packets
      belonging to a particular Flow have a set of common properties
      derived from the data contained in the packet and from the packet
      treatment at the Observation Point.

   Flow Record
      A Flow Record provides information about an IP Flow that exists
      on the Exporter. The Flow Records are commonly referred to as
      NetFlow Services data or NetFlow data.

   Exporter
      A device (for example, a router) with NetFlow services enabled.
      The exporter monitors packets entering an observation point and
      creates flows out of these packets. The information from these
      flows is exported in the form of Flow Records to the collector.

   NetFlow Collector
      The NetFlow Collector receives Flow Records from one or more
      Exporters. It processes the received export packet, i.e., it
      parses and stores the Flow Record information. The flow records
      may optionally be aggregated before being stored on the hard
      disk.

   Observation Point
      The Observation Point is a location in the network where IP
      packets can be observed. Typical examples: one or a set of
      interfaces of the exporter. The Observation Point is part of an
      Observation Domain.

   Observation Domain
      The set of Observation Points which is the largest aggregatable
      set of Flow information at the Exporter is termed an Observation
      Domain. The Observation Domain presents a unique ID to the
      Collector for identifying the Export Packets generated by it.
      Example: The Observation Domain could be a router line-card,
      composed of several interfaces with each interface being an
      Observation Point.

   Export Packet
      A packet built by an Exporter whose destination is the NetFlow
      Collector.

   Export Packet:
   +--------+------------------------------------------------------+
   | Packet | +-----------------+ +------------------+ +---------+ |
   | Header | |     FlowSet     | |     FlowSet      | | FlowSet | |
   |        | +-----------------+ +------------------+ +---------+ |
   +--------+------------------------------------------------------+

   Packet Header
      The first part of an Export Packet, which provides basic
      information about the packet, such as the NetFlow version, number
      of records contained within the packet, and sequence numbering.

   FlowSet
      Following the Packet Header, an Export Packet contains
      information that MUST be parsed and interpreted by the Collector
      device. FlowSet is a generic term for a collection of records
      which have similar structure. The Packet Header is followed by
      one or more FlowSets. There are three different types of
      FlowSets: Template FlowSet, Data FlowSet and Option FlowSet. An
      Export Packet contains one or more FlowSets, and the three
      FlowSet types can be mixed within the same Export Packet.

   Template Record
      A Template Record is used to define the structure and
      interpretation of fields in a data record. Data records that
      correspond to a template MAY appear in the same and/or subsequent
      Export Packets. The template information is not necessarily
      carried in every Export Packet. As such, the NetFlow Collector
      MUST store the "Template Record" in order to interpret the
      corresponding data records that are received in the subsequent
      data packets.

   Template FlowSet
      A Template FlowSet is a collection of one or more Template
      Records which have been grouped together in an Export Packet.

   Template ID
      A unique number that distinguishes this Template Record from all
      other Template Records produced by the same Exporter. A Collector
      that is receiving Export Packets from several devices MUST be
      aware that uniqueness of Template ID is not guaranteed across
      Exporters. Thus, the Collector MUST also store the address of the
      Exporter that produced the Template ID, in order to enforce
      uniqueness.

   Data FlowSet
      A Data FlowSet is a collection of one or more Flow Records that
      have been grouped together in an Export Packet. A Data FlowSet
      contains records that belong to the same Template ID. Each Data
      FlowSet will reference a previously transmitted Template ID,
      which can be used to parse the data contained within the Flow
      Records.

   Options Template
      A template that describes the format of the Flow measurement
      parameters (like the sampling algorithm, sampling interval) done
      at the Exporter. Option Templates are identified by a well-known
      Template ID.

   Options Data Record
      The data record that contains values of the Flow measurement
      parameters corresponding to an Option Template.

   FlowSet ID
      The FlowSet ID is used to distinguish the different FlowSet
      Types: Template, Option and Data. FlowSet IDs between 0 and 255
      are reserved. The Template FlowSet has a FlowSet ID equal to 0.
      The Option Template FlowSet has a FlowSet ID equal to 1. The Data
      FlowSets have a FlowSet ID greater than 255.

3. NetFlow High Level Picture on the Exporter

3.1 The NetFlow Process on the Exporter

   The description of the NetFlow Process (sampled NetFlow, full
   NetFlow or aggregation), i.e. the way that Flows are deduced from
   the observed IP packets, is out of the scope of this document.

3.2 Flow Expiration

   A Flow is considered to be inactive if no packets of this Flow have
   been observed at the Observation Point for a given timeout interval.
   The Flow can be exported under the following conditions:

   1. If the Exporter can deduce the end of a Flow, the Exporter SHOULD
      export the Flow Records when the end of the Flow is detected. For
      example: a Flow generated by TCP [3] type of traffic, where the
      FIN or RST bits indicate the end of the Flow.

   2. If the Flow has been inactive for a certain period of time. This
      inactivity timeout SHOULD be configurable. For example: a Flow
      generated by UDP [2] type of traffic.

   3. For long lasting Flows, the Exporter SHOULD export the Flow
      Records on a regular basis, in order to report the Flow Records'
      periodic accounting information to the Collector on a regular
      basis. This activity timeout SHOULD be configurable.

   4. If the Exporter experiences internal constraints, a Flow MAY be
      prematurely expired (example: counters wrapping or low memory).

3.3 Transport Protocol

   To achieve efficiency in terms of processing at the Exporter while
   handling a high volume of export, Flow Records are grouped together
   into UDP [2] datagrams for export to the Collector. Nevertheless,
   NetFlow Version 9 has been designed to be transport protocol
   independent. Hence, it can also operate over congestion aware
   protocols like TCP [3] or SCTP [4].

   Note that the Exporter has the possibility to export to multiple
   Collectors.

4. Packet Layout

   An Export Packet consists of a Packet Header followed by one or more
   FlowSets. The FlowSets can be any of the possible types: Template,
   Data or Option.

   Export Packet:
   +--------+------------------------------------------+
   |        | +----------+ +---------+ +---------+     |
   | Packet | | Template | | Data    | | Option  |     |
   | Header | | FlowSet  | | FlowSet | | FlowSet | ... |
   |        | +----------+ +---------+ +---------+     |
   +--------+------------------------------------------+

   The possible combinations that can occur in an Export Packet are:

   - An Export Packet that consists of interleaved Template and Data
     FlowSets.

   Export Packet:
   +--------+-------------------------------------------------------+
   |        | +----------+ +---------+     +----------+ +---------+ |
   | Packet | | Template | | Data    | ... | Template | | Data    | |
   | Header | | FlowSet  | | FlowSet | ... | FlowSet  | | FlowSet | |
   |        | +----------+ +---------+     +----------+ +---------+ |
   +--------+-------------------------------------------------------+

   - An Export Packet consisting entirely of Data FlowSets. Once the
     appropriate Template IDs have been defined and transmitted to the
     Collector device, the majority of Export Packets will consist
     solely of Data FlowSets.

   Export Packet:
   +--------+---------------------------------------------+
   |        | +---------+     +---------+     +---------+ |
   | Packet | | Data    | ... | Data    | ... | Data    | |
   | Header | | FlowSet | ... | FlowSet | ... | FlowSet | |
   |        | +---------+     +---------+     +---------+ |
   +--------+---------------------------------------------+

   - An Export Packet consisting entirely of Template FlowSets. The
     Exporter MAY transmit a packet containing Template FlowSets only,
     ahead of time to help ensure that the Collector has the correct
     template information before receiving the first data FlowSet.

   Export Packet:
   +--------+------------------------------------------------+
   |        | +----------+     +----------+     +----------+ |
   | Packet | | Template | ... | Template | ... | Template | |
   | Header | | FlowSet  | ... | FlowSet  | ... | FlowSet  | |
   |        | +----------+     +----------+     +----------+ |
   +--------+------------------------------------------------+

   A Template FlowSet provides a description of the fields that will be
   present in future Data FlowSets. These Data FlowSets MAY occur later
   within the same Export Packet or in subsequent Export Packets.

   The format of both Template and Data FlowSets will be discussed
   later in this document.

5. Export Packet Format

5.1 Header Format

   Note that the Packet Header format has been kept similar to the one
   developed for the different versions of NetFlow defined by Cisco
   Systems, for backward compatibility. This is also the reason why the
   version field is 9 with this version.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Version Number         |             Count             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           sysUpTime                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Unix Secs                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Source ID                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet Header Field Descriptions

   Version
      The version of Flow Record format exported in this packet. For
      this current version, this value will be 0x0009.

   Count
      Count is the total number of records in the Export Packet, where
      the record(s) are the record(s) in the Option FlowSet and the
      record(s) in the Template FlowSet or the record(s) in the Data
      FlowSet.

   SysUpTime
      Time in milliseconds since this device was first booted. Refer to
      [1].

   Unix Secs
      Seconds since 0000 UTC 1970.

   Sequence Number
      Incremental sequence counter of all Export Packets sent from the
      current Observation Domain by the Exporter. This value will be
      cumulative, and can be used to identify whether any Export
      Packets have been missed.

   Source ID
      The Source ID field is a 32-bit value that characterizes the
      Observation Domain. Collectors SHOULD use the combination of the
      source IP address and the Source ID field to separate different
      export streams originating from the same Exporter.

5.2 Template FlowSet Format

   One of the key elements in the NetFlow format is the Template
   FlowSet. Templates greatly enhance the flexibility of the Flow
   Record format, because they allow a Collector to process Flow
   Records without necessarily knowing the interpretation of all the
   data in the Flow Record. The format of the Template FlowSet is
   described below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        FlowSet ID = 0         |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Template ID 1         |          Field Count          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Field Type 1          |        Field Length 1         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Field Type 2          |        Field Length 2         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              ...              |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Field Type N          |        Field Length N         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Template ID 2         |          Field Count          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Field Type 1          |        Field Length 1         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Field Type 2          |        Field Length 2         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              ...              |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Field Type M          |        Field Length M         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Template FlowSet Field Descriptions

   FlowSet ID
      The FlowSet ID is 0 in the case of a Template FlowSet.

   Length
      Total length of this FlowSet. Since an individual Template
      FlowSet MAY contain multiple Template Records, the Length value
      MUST be used to determine the position of the next FlowSet
      Record, which could be any type of FlowSet. Length is expressed
      like the "length" field in Type Length Value (TLV) format, which
      is the sum total of lengths of FlowSet ID, Length itself and all
      Template Records within this FlowSet Template ID.

   Template ID
      As a router generates different Template FlowSets to match the
      type of data it will be exporting, each individual Template is
      given a unique ID. This uniqueness is local to the Observation
      Domain that generated the Template ID. Template IDs 0-255 are
      reserved for FlowSet IDs. Templates that define Data Record
      formats begin numbering at 256.

   Field Count
      Number of fields in this Template Record. Since a Template
      FlowSet usually contains multiple Template Records, this field
      allows the Collector to determine the end of the current Template
      Record and the start of the next.

   Field Type
      A numeric value that represents the type of the field. Refer to
      the Field Type Definitions section.

   Field Length
      The length of the above-defined field, in bytes. Refer to the
      Field Type Definitions section.

5.3 Data FlowSet Format

   The format of the Data FlowSet is described below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   FlowSet ID = Template ID    |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 1 - Field Value 1    |   Record 1 - Field Value 2    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 1 - Field Value 3    |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 2 - Field Value 1    |   Record 2 - Field Value 2    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 2 - Field Value 3    |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 3 - Field Value 1    |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              ...              |            Padding            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data FlowSet Field Descriptions

   FlowSet ID = Template ID
      Each group of records within a Data FlowSet will be preceded by a
      FlowSet ID. The FlowSet ID maps to a (previously generated)
      Template ID. The Collector MUST use the FlowSet ID to map the
      appropriate type and length to any field values that follow.

   Length
      The length of the Data FlowSet. Length is expressed like the
      "length" field in TLV format, which is the sum total of lengths
      of FlowSet ID, Length itself, all Template Records within this
      FlowSet Template ID and the padding bytes (if present).

   Record N - Field Value N
      The remainder of the Data FlowSet is a collection of Flow Records
      each containing a set of field types and values. The Type and
      Length of the fields have been previously defined in the Template
      Record referenced by the FlowSet ID/Template ID.

   Padding
      Padding SHOULD be inserted to align the end of the FlowSet on a
      32 bit boundary. Note that the Length field will include those
      padding bits.

   The important part in interpreting the Data FlowSet format is to
   understand that the fields cannot be parsed without a corresponding
   Template ID.

6. Options

6.1 Options Template FlowSet

   The Options Template (and its corresponding Options Data Record) is
   used to supply information about the NetFlow Process configuration
   or NetFlow Process specific data, rather than supplying information
   about IP Flows.

   For example, the sample rate of a specific interface, if sampling is
   supported, along with the sampling method used.

   The format of the Options Template FlowSet is detailed below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        FlowSet ID = 1         |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Template ID          |      Option Scope Length      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Option Length         |      Scope 1 Field Type       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Scope 1 Field Length      |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Scope N Field Length      |      Option 1 Field Type      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Option 1 Field Length     |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Option N Field Length     |            Padding            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Options Template Field Definitions

   FlowSet ID = 1
      A FlowSet ID of 1 is reserved for the Option Template.

   Length
      Total length of this FlowSet.
      Since an individual Option Template MAY contain multiple Template
      IDs, the Length value MUST be used to determine the position of
      the next FlowSet record, which could be either a Template FlowSet
      or Data FlowSet. Length is expressed like the "length" field in
      TLV format, which is the sum total of lengths of FlowSet ID,
      Length itself and all Template Records within this FlowSet
      Template ID.

   Template ID
      Template ID is greater than 255. Template IDs lower than 255 are
      reserved.

   Option Scope Length
      The length in bytes of any Scope fields contained in this Options
      Template (the use of "Scope" is described below).

   Options Length
      The length (in bytes) of any options field definitions contained
      in this Options Template.

   Scope 1 Field Type
      The relevant portion of the Exporter/NetFlow Process to which the
      Options Record refers. Currently defined values are:

         0x0001 System
         0x0002 Interface
         0x0003 Line Card
         0x0004 Cache
         0x0005 Template

      For example, the NetFlow Process can be implemented on a
      per-interface basis, so if the Options record were reporting on
      how the NetFlow Process is configured, the SCOPE for the report
      would be 0x0002 (Interface). The associated Interface ID would
      then be carried in the associated Option Data FlowSet.

   Scope 1 Field Length
      The length (in bytes) of the scope field, as it would appear in
      an Options Record.

   Option 1 Field Type
      A numeric value that represents the type of the field that will
      appear in the Options record. Refer to the Field Type Definitions
      section.

   Option 1 Field Length
      The length (in bytes) of the field, as it would appear in an
      Options Record.

   Padding
      Padding SHOULD be inserted to align the end of the FlowSet on a
      32 bit boundary. Note that the Length field will include those
      padding bits.

6.2 Options Data FlowSet

   The Option Data records are sent in Data FlowSets, on a regular
   basis, but not with every single Flow Record.
   How frequently these Option Data Records are exported is
   configurable. See the Templates Management section for more details.

   The Options Data format is described below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   FlowSet ID = Template ID    |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 1 - Scope 1 Value    |Record 1 - Option Field 1 Value|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Record 1 - Option Field 2 Value|              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 2 - Scope 1 Value    |Record 2 - Option Field 1 Value|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Record 2 - Option Field 2 Value|              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 3 - Scope 1 Value    |Record 3 - Option Field 1 Value|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Record 3 - Option Field 2 Value|              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              ...              |            Padding            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Options Data FlowSet Field Descriptions

   FlowSet ID = Template ID
      Each group of records within an Option Data FlowSet will be
      preceded by a FlowSet ID. The FlowSet ID maps to a (previously
      generated) Template ID. The Collector MUST use the FlowSet ID to
      map the appropriate type and length to any field values that
      follow.

   Length
      The length of the Option Data FlowSet. Length is expressed like
      the "length" field in TLV format, which is the sum total of
      lengths of FlowSet ID, Length itself, all Template Records within
      this FlowSet Template ID and the padding bytes (if present).

   Record N - Option Field N Value
      The remainder of the Option Data FlowSet is a collection of Flow
      Records each containing a set of field types and values. The Type
      and Length of the fields have been previously defined in the
      Option Template Record referenced by the FlowSet ID/Template ID.

   Padding
      Padding SHOULD be inserted to align the end of the FlowSet on a
      32 bit boundary. Note that the Length field will include those
      padding bits.

   The important part in interpreting the Options Data FlowSet format
   is to understand that the fields cannot be parsed without a
   corresponding Template ID.

7. Templates Management

   The Template IDs must remain constant at least from one
   re-initialization of the NetFlow Process to the next
   "re-initialization".

   If the Exporter or the NetFlow Process reinitializes itself, all
   information about Templates will be lost. New Template IDs MUST be
   recreated. Template IDs are thus not guaranteed to be consistent
   across an exporter or NetFlow Process restart.

   If a Template FlowSet (or Option Template FlowSet) is contained in
   an export packet, it will apply to all Data FlowSets (or to all
   Option Data FlowSets) in the export packet (and all subsequent
   packets), regardless of the FlowSets' order in the export packet.

   When a new template is configured on the exporter, it will always
   generate a new Template ID. According to the same principles, if the
   template configuration is changed, then the current Template ID is
   abandoned and not reused anymore until the next exporter
   reinitialization. A new Template ID MUST be assigned to this new
   Template, in order to avoid any confusion on the Collector.

   If a template configured on the exporter is deleted, and
   re-configured with exactly the same parameters, the same Template ID
   COULD be reused.

   The Exporter sends the Template FlowSet and Option Template FlowSet
   under the following conditions:

   1. On an Exporter or NetFlow Process restart, the Exporter MUST NOT
      send any Data FlowSet without having the corresponding Template
      FlowSet and the required Option Template FlowSet sent out in a
      previous packet or in the same packet. It MAY transmit this
      Template FlowSet and Option Template FlowSet, without any Data
      FlowSets, ahead of time to help ensure that the Collector will
      have the correct template information before receiving the first
      data.

   2. On NetFlow Process configuration changes, i.e. whenever a new
      Template is created, the exporter SHOULD send the incremental
      changes at an accelerated rate. Again, it MAY transmit this
      Template FlowSet and Option Template FlowSet, without any data,
      ahead of time to help ensure that the Collector will have the
      correct template information before receiving the first data.

   3. On a regular basis, the Exporter MUST send all the Template
      FlowSets to refresh the exporter. Keep in mind that the Template
      IDs have a limited lifetime and MUST be periodically refreshed.
      Two ways are possible:

      * every N number of export packets.
      * on a regular basis, so every N number of minutes.

      Both options MUST be user configurable. When one of these expiry
      conditions is met, the Exporter MUST send the Template FlowSet
      and Option Template FlowSet without waiting for the next Data
      FlowSet, i.e. without waiting for the next expired Flow.

8. Field Type Definitions

   The table below describes all the field type definitions that an
   exporter MAY support. The fields are a selection of Packet Header
   fields, lookup results (for example the AS numbers or the subnet
   masks), and properties of the packet itself like length.
Field Type           Value  Length   Description
                            (bytes)

IN_BYTES                1     N      counter with length N x 8 bits
                                     for bytes associated with an IP
                                     Flow

IN_PKTS                 2     N      counter with length N x 8 bits
                                     for packets associated with an
                                     IP Flow

FLOWS                   3     4      Number of Flows that were
                                     aggregated

PROT                    4     1      IP protocol byte

TOS                     5     1      Type of service byte

TCP_FLAGS               6     1      TCP Flags (cumulative OR of TCP
                                     flags)

L4_SRC_PORT             7     2      TCP/UDP source port number
                                     (e.g., FTP, Telnet, etc., or
                                     equivalent)

IP_SRC_ADDR             8     N      Source IP Address
                                     IPv4 have N=4
                                     IPv6 have N=16

SRC_MASK                9     1      source route mask bits

INPUT_SNMP             10     2      Input interface index

L4_DST_PORT            11     2      TCP/UDP destination port number
                                     (e.g., FTP, Telnet, etc., or
                                     equivalent)

IP_DST_ADDR            12     N      Destination IP Address
                                     IPv4 have N=4
                                     IPv6 have N=16

DST_MASK               13     1      destination route mask bits

OUTPUT_SNMP            14     2      Output interface index

IP_NEXT_HOP            15     N      Next hop router's IP address
                                     IPv4 have N=4
                                     IPv6 have N=16

SRC_AS                 16     4      Source BGP Autonomous System
                                     number

DST_AS                 17     4      Destination BGP Autonomous
                                     System number

BGP_NEXT_HOP           18     N      Next-hop router's IP in the BGP
                                     domain
                                     IPv4 have N=4
                                     IPv6 have N=16

MUL_DPKTS              19     4      Packet count for IP multicast

MUL_DOCTETS            20     4      Octet (byte) count for IP
                                     multicast

LAST_SWITCHED          21     4      SysUptime at which the last
                                     packet of this Flow was switched

FIRST_SWITCHED         22     4      SysUptime at which the first
                                     packet of this Flow was switched

PKTS                   24     8      64-bit counter for packets
                                     associated with an IP Flow

TOTAL_BYTES_EXP        40     4      Number of Bytes exported by the
                                     Observation Domain

TOTAL_EXP_PKTS_SENT    41     4      Number of Packets exported by
                                     the Observation Domain

TOTAL_FLOWS_EXP        42     4      Number of Flows exported by the
                                     Observation Domain

The Value field is a numeric identifier for the field type.

When extensibility is needed (when new technologies require new field
types), the new field types will be added to the list. The field
types file will simply have to be updated on the Collector; the
NetFlow export format itself will remain unchanged.

Refer to the latest documentation at http://www.cisco.com for the
newly updated list.

9. The Collector's side

The Collector will receive template definitions from the Exporter,
normally before receiving Flow Records. The Flow Records can then be
decoded and stored locally on the devices. If the template
definitions have not been received at the time a Flow Record is
received, the Collector SHOULD keep the Flow Record and decode it
later, once the template definitions have been received. A Collector
device MUST NOT assume that the Data FlowSet and the associated
Template IDs are exported in the same Export Packet.

The Collector MUST NOT assume that one and only one Template FlowSet
is present in an Export Packet; in rare circumstances, the Export
Packet MAY contain several Template FlowSets.

Templates live only for a certain timeframe. The lifetime of a
Template SHOULD be deduced on the Collector from the time at which
the last Template FlowSet was received from the Exporter. The
Collector MUST NOT attempt to decode the Flow Records with an expired
Template. Hence, the Collector SHOULD maintain a similar list:

If a new Template definition is received (for example in case of an
Exporter restart), it SHOULD immediately override the existing
definition.

Keep in mind that the Template IDs are unique per Exporter and per
Observation Domain.

10. Examples

Let's take the example of an Export Packet composed of a Template
FlowSet, a Data FlowSet (composed of 3 Flow Records), one Option
Template and one Option Data FlowSet (composed of 2 Records).

Export Packet:

+--------+---------------------------------------. . .
|        | +--------------+ +------------------+
| Packet | | Template     | | Data             |
| Header | | FlowSet      | | FlowSet          |   . . .
|        | | (1 Template) | | (3 Flow Records) |
|        | +--------------+ +------------------+
+--------+---------------------------------------. . .

. . .+-------------------------------------------+
     +------------------+ +------------------+   |
     | Option           | | Option           |   |
. . .| Template FlowSet | | Data FlowSet     |   |
     | (1 Template)     | | (2 Records)      |   |
     +------------------+ +------------------+   |
. . .-------------------------------------------+

10.1 Packet Header Example

The Packet Header is composed of:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Version = 0x0009        |           Count = 7           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           sysUpTime                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Unix Secs                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Source ID                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

10.2 Template FlowSet Example

We want to report the following Field Types:

- The source IP address (IPV4), so the length is 4
- The destination IP address (IPV4), so the length is 4
- The Next Hop IP address (IPV4), so the length is 4
- The number of bytes of the flow
- The number of packets of the flow

So the Template FlowSet will be composed of:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        FlowSet ID = 0         |       Length = 28 bytes       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Template ID 256        |        Field Count = 5        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     IP_SRC_ADDR = 0x0008      |       Field Length = 4        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     IP_DST_ADDR = 0x000C      |       Field Length = 4        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     IP_NEXT_HOP = 0x000F      |       Field Length = 4        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       IN_PKTS = 0x0002        |       Field Length = 4        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       IN_BYTES = 0x0001       |       Field Length = 4        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

10.3 Data FlowSet Example

In this example, we are reporting the following 3 Flow records:

Src IP addr. | Dst IP addr. | Next Hop addr. | Packet | Bytes
             |              |                | Number | Number
---------------------------------------------------------------
198.168.1.12 | 10.5.12.254  | 192.168.1.1    | 5009   | 5344385
192.168.1.27 | 10.5.12.23   | 192.168.1.1    | 748    | 388934
192.168.1.56 | 10.5.12.65   | 192.168.1.1    | 5      | 6534

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       FlowSet ID = 256        |          Length = 64          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         198.168.1.12                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          10.5.12.254                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          192.168.1.1                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             5009                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            5344385                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         192.168.1.27                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          10.5.12.23                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          192.168.1.1                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              748                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            388934                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         192.168.1.56                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          10.5.12.65                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          192.168.1.1                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               5                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             6534                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Note that padding was not necessary in this specific example.

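The following collector-side decoder is an added example, not part of the draft or of any Cisco implementation. It applies the Section 9 rules (templates cached per Exporter and Source ID, no decoding with an expired Template, templates honoured regardless of FlowSet order) to a packet built from the values of Sections 10.1 to 10.3. TEMPLATE_LIFETIME, the function names and the sample header values are assumptions, and records that arrive before their Template are dropped here rather than kept for later decoding.

```python
import socket
import struct

TEMPLATE_LIFETIME = 1800  # seconds; assumed collector setting, not from the draft
templates = {}  # (exporter, source_id, template_id) -> (fields, time received)

def register_templates(body, key, now):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * count
        if tid < 256 or end > len(body):
            break  # padding or a truncated Template Record
        fields = [struct.unpack_from("!HH", body, i) for i in range(pos + 4, end, 4)]
        templates[key + (tid,)] = (fields, now)  # a new definition overrides the old
        pos = end

def parse_packet(data, exporter, now):
    """Decode one Export Packet into a list of {field type: raw bytes} records."""
    if len(data) < 20 or struct.unpack_from("!H", data)[0] != 9:
        raise ValueError("not a NetFlow v9 Export Packet")
    key, flowsets, off = (exporter, struct.unpack_from("!I", data, 16)[0]), [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, off)
        if fs_len < 4 or off + fs_len > len(data):  # Length comes off the wire
            raise ValueError("bad FlowSet length")
        flowsets.append((fs_id, data[off + 4:off + fs_len]))
        off += fs_len
    for body in (b for i, b in flowsets if i == 0):  # templates first: order is free
        register_templates(body, key, now)
    records = []
    for fs_id, body in flowsets:
        fields, seen = templates.get(key + (fs_id,), ([], 0))
        size = sum(length for _, length in fields)
        if fs_id >= 256 and size and now - seen <= TEMPLATE_LIFETIME:  # live template
            for pos in range(0, len(body) - size + 1, size):  # leftover bytes are padding
                rec = {}
                for ftype, length in fields:
                    rec[ftype], pos = body[pos:pos + length], pos + length
                records.append(rec)
    return records

def sample_packet():  # constructed input: values of 10.1-10.3, header fields invented
    ip = socket.inet_aton
    rows = [("198.168.1.12", "10.5.12.254", 5009, 5344385),
            ("192.168.1.27", "10.5.12.23", 748, 388934), ("192.168.1.56", "10.5.12.65", 5, 6534)]
    data = b"".join(ip(s) + ip(d) + ip("192.168.1.1") + struct.pack("!II", p, b) for s, d, p, b in rows)
    head = struct.pack("!HHIIII", 9, 4, 1000, 1023000000, 1, 7)
    tmpl = struct.pack("!14H", 0, 28, 256, 5, 8, 4, 12, 4, 15, 4, 2, 4, 1, 4)
    return head + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
```

The record-size check matters as much as the length check: a Template whose field lengths sum to zero would otherwise never advance through the Data FlowSet.
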
10.4 Option Template FlowSet Example

Per Line Card (the exporter being composed of 2 Line Cards), we want
to report the following Field Types:

- The total number of export packets
- The total number of exported flows

The format of the Options Template FlowSet is detailed below:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        FlowSet ID = 1         |          Length = 24          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Template ID 257        |    Option Scope Length = 4    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Option Length = 8       |  Scope 1 Field Type = 0x0003  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Scope 1 Field Length = 2    |   TOTAL_EXP_PKTS_SENT = 41    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Field Length = 4        |     TOTAL_FLOWS_EXP = 42      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Field Length = 4        |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

10.5 Option Data FlowSet Example

In this example, we are reporting the following 2 records:

Line Card ID | Export Packet | Export Flow
-------------------------------------------
Line Card 1  | 345           | 10201
Line Card 2  | 690           | 20402

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       FlowSet ID = 257        |          Length = 14          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               1               |              345              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             10201             |               2               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               2               |              690              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             20402             |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

11. References

[1] "Management Information Base for Version 2 of the Simple Network
    Management Protocol (SNMPv2)", RFC 1907, January 1996

[2] "User Datagram Protocol", RFC 768, August 1980

[3] "TRANSMISSION CONTROL PROTOCOL DARPA INTERNET PROGRAM PROTOCOL
    SPECIFICATION", RFC 793, September 1981

[4] "Stream Control Transmission Protocol", RFC 2960, October 2000

12. Contributors

This document was written as a joint work between Vamsidhar Valluri,
Martin Djernaes and Ganesh Sadasivan.

13. Acknowledgments

I would like to thank Pritam Shah for the good technical feedback.

14. Author Addresses

Benoit Claise
Cisco Systems
De Kleetlaan 6a b1
1831 Diegem
Belgium

Phone: +32 2 704 5622
Email: bclaise@cisco.com