2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Sharp tool for Network Traffic Analysis-Visual Network-netflow [1]-basic principles
Sharp tool for Network Traffic Analysis-Visual Network-netflow [2]-Cisco NetFlow working principle introduction and configuration
Sharp tool for Network Traffic Analysis-Visual Network-netflow [3]-difference between netflow version 5 and version 9
Sharp tool for Network Traffic Analysis-Visual Network-netflow [4]-introduction to receiver nfdump
Sharp tool for Network Traffic Analysis-Visual Network-data Collector fprobe under netflow [5]-linux
Sharp tool for Network Traffic Analysis-Visual Network-netflow [6]-Design of Traffic Monitoring Architecture for production Network
Fprobe parameter-e
Fprobe parameter-n-k
Note: the data comes from the official website of Cisco.
Version 5:
https://www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html#wp1006108
Version 9:
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
The following is a summary of key points. If there is a problem with the format, please visit the official website directly.
Version 5

Version 5 Header Format

| Bytes | Contents | Description |
|---|---|---|
| 0-1 | version | NetFlow export format version number |
| 2-3 | count | Number of flows exported in this packet (1-30) |
| 4-7 | SysUptime | Current time in milliseconds since the export device booted |
| 8-11 | unix_secs | Current count of seconds since 0000 UTC 1970 |
| 12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970 |
| 16-19 | flow_sequence | Sequence counter of total flows seen |
| 20 | engine_type | Type of flow-switching engine |
| 21 | engine_id | Slot number of the flow-switching engine |
| 22-23 | sampling_interval | First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval |

Version 5 Flow Record Format

| Bytes | Contents | Description |
|---|---|---|
| 0-3 | srcaddr | Source IP address |
| 4-7 | dstaddr | Destination IP address |
| 8-11 | nexthop | IP address of next hop router |
| 12-13 | input | SNMP index of input interface |
| 14-15 | output | SNMP index of output interface |
| 16-19 | dPkts | Packets in the flow |
| 20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow |
| 24-27 | First | SysUptime at start of flow |
| 28-31 | Last | SysUptime at the time the last packet of the flow was received |
| 32-33 | srcport | TCP/UDP source port number or equivalent |
| 34-35 | dstport | TCP/UDP destination port number or equivalent |
| 36 | pad1 | Unused (zero) bytes |
| 37 | tcp_flags | Cumulative OR of TCP flags |
| 38 | prot | IP protocol type (for example, TCP = 6; UDP = 17) |
| 39 | tos | IP type of service (ToS) |
| 40-41 | src_as | Autonomous system number of the source, either origin or peer |
| 42-43 | dst_as | Autonomous system number of the destination, either origin or peer |
| 44 | src_mask | Source address prefix mask bits |
| 45 | dst_mask | Destination address prefix mask bits |
| 46-47 | pad2 | Unused (zero) bytes |

Version 9

Version 9 Header Format

| Field Name | Value |
|---|---|
| Version | The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009 |
| Count | Number of FlowSet records (both template and data) contained within this packet |
| System Uptime | Time in milliseconds since this device was first booted |
| UNIX Seconds | Seconds since 0000 Coordinated Universal Time (UTC) 1970 |
| Sequence Number | Incremental sequence counter of all export packets sent by this export device. This value is cumulative, and it can be used to identify whether any export packets have been missed. Note: This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented "total flows." |
| Source ID | The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers.) The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device. |

Version 9 Template FlowSet Field Descriptions

| Field Name | Value |
|---|---|
| FlowSet ID | The FlowSet ID is used to distinguish template records from data records. A template record always has a FlowSet ID in the range of 0-255. Currently, the template record that describes flow fields has a FlowSet ID of zero and the template record that describes option fields (described below) has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID greater than 255. |
| Length | Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet. Length is expressed in Type/Length/Value (TLV) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet. |
| Template ID | As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID. Templates that define data record formats begin numbering at 256 since 0-255 are reserved for FlowSet IDs. |
| Field Count | This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next. |
| Field Type | This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco supplied values are consistent across all platforms that support NetFlow Version 9. At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths. The currently defined field types are detailed in Table 6. |
| Field Length | This number gives the length of the above-defined field, in bytes. |
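The fixed Version 5 layout above maps directly onto two `struct` formats. The following collector-side parser is an added example, not code from the original article or from Cisco; the function name, dictionary keys and sample datagram are constructed for illustration. It checks `count` against both the documented 1-30 range and the real datagram length before reading any record.

```python
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes, network byte order
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow
RECORD_FIELDS = ("srcaddr dstaddr nexthop input output dPkts dOctets First Last "
                 "srcport dstport pad1 tcp_flags prot tos src_as dst_as "
                 "src_mask dst_mask pad2").split()

def parse_v5(datagram):
    """Validate and decode one NetFlow v5 export datagram (hypothetical helper)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    (version, count, _uptime, unix_secs, _nsecs, flow_sequence,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5")
    # count arrives over UDP from an unauthenticated sender: never trust it alone.
    if not 1 <= count <= 30:
        raise ValueError("count outside 1-30")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match count")
    header = {
        "count": count, "unix_secs": unix_secs, "flow_sequence": flow_sequence,
        # v5 counts flows, so the next packet is expected to start here.
        "next_sequence": (flow_sequence + count) & 0xFFFFFFFF,
        "sampling_mode": sampling >> 14,          # first two bits
        "sampling_interval": sampling & 0x3FFF,   # remaining 14 bits
    }
    flows = []
    for i in range(count):
        values = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flow = dict(zip(RECORD_FIELDS, values))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            flow[key] = str(IPv4Address(flow[key]))
        flows.append(flow)
    return header, flows

# Constructed sample: one TCP flow, sampling mode 1, interval 100.
SAMPLE_V5 = (
    V5_HEADER.pack(5, 1, 5000, 1700000000, 0, 42, 0, 0, (1 << 14) | 100)
    + V5_RECORD.pack(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]), bytes(4),
                     1, 2, 10, 840, 1000, 2000, 51515, 443, 0, 0x1B, 6, 0,
                     0, 0, 24, 24, 0)
)
```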
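Version 9 has no fixed record layout, so a collector has to walk FlowSets by their Length field and keep a template cache. The sketch below is an added example, not code from the original article or from Cisco; the function name, cache shape and sample packet are constructed. It keys templates on source IP plus Source ID as the header table recommends, rejects lengths that would stall or overrun the walk, and skips option templates (FlowSet ID 1). Field types 8, 12 and 1 in the sample are IPV4_SRC_ADDR, IPV4_DST_ADDR and IN_BYTES in Cisco's field type table.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def parse_v9(datagram, exporter_ip, templates):
    """Walk one export packet's FlowSets; `templates` is the collector's cache."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("truncated header")
    version, _count, _up, _secs, sequence, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, off = [], V9_HEADER.size
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        # Length includes the ID and length bytes; a value < 4 would stall the walk.
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("bad FlowSet length")
        body, pos = datagram[off + 4:off + fs_len], 0
        if fs_id == 0:  # template FlowSet: one or more template records
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    raise ValueError("bad template record")
                fields = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                # Template IDs are local to the exporter: key on source IP + Source ID.
                templates[(exporter_ip, source_id, tid)] = fields
                pos = end
        elif fs_id > 255:  # data FlowSet: its ID names the template to decode with
            fields = templates.get((exporter_ip, source_id, fs_id), [])
            size = sum(flen for _, flen in fields)
            while size and pos + size <= len(body):  # size 0: unknown or empty template
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = body[pos:pos + flen]
                    pos += flen
                records.append(rec)
        off += fs_len
    return sequence, records

# Constructed sample: template 256 (field types 8, 12, 1; 4 bytes each) plus one data record.
SAMPLE_V9 = (
    V9_HEADER.pack(9, 2, 1000, 1700000000, 7, 1)
    + struct.pack("!HHHH6H", 0, 20, 256, 3, 8, 4, 12, 4, 1, 4)
    + struct.pack("!HH4s4sI", 256, 16, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]), 840)
)
```

The returned sequence number counts export packets, not flows, so a gap check on a Version 9 stream compares it with the previous packet's value plus one.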