netflow v9 字段含义

from:https://www.ibm.com/docs/en/npi/1.1.0?topic=formats-v9-field-type-definitions

IBM的格式定义:

V9 field type definitions

When extensibility is required, the new field types can be added to the list. The new field types must be updated on the Exporter and Collector but the NetFlow export format remains unchanged.

Field Type
Value
Length (bytes)
Description
IN_BYTES 1 N (default is 4) Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow.
IN_PKTS 2 N (default is 4) Incoming counter with length N x 8 bits for the number of packets that are associated with an IP Flow
FLOWS 3 N Number of flows that are aggregated; default for N is 4
PROTOCOL 4 1 IP protocol byte
SRC_TOS 5 1 Type of Service byte setting when there is an incoming interface
TCP_FLAGS 6 1 Cumulative of all the TCP flags seen for this flow
L4_SRC_PORT 7 2 TCP/UDP source port number. That is, FTP, Telnet, or equivalent
IPV4_SRC_ADDR 8 4 IPv4 source address
SRC_MASK 9 1 The number of contiguous bits in the source address subnet mask. That is, the submask in slash notation
INPUT_SNMP 10 N Input interface index; default for N is 2 but higher values might be used
L4_DST_PORT 11 2 TCP/UDP destination port number. That is, FTP, Telnet, or equivalent
IPV4_DST_ADDR 12 4 IPv4 destination address
DST_MASK 13 1 The number of contiguous bits in the destination address subnet mask. That is, the submask in slash notation.
OUTPUT_SNMP 14 N Output interface index; default for N is 2 but higher values might be used
IPV4_NEXT_HOP 15 4 IPv4 address of next-hop router
SRC_AS 16 N (default is 2) Source BGP autonomous system number where N might be 2 or 4
DST_AS 17 N (default is 2) Destination BGP autonomous system number where N might be 2 or 4
BGP_IPV4_NEXT_HOP 18 4 Next-hop router's IP in the BGP domain
MUL_DST_PKTS 19 N (default is 4) IP multicast outgoing packet counter with length N x 8 bits for packets that are associated with the IP Flow
MUL_DST_BYTES 20 N (default is 4) IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow
LAST_SWITCHED 21 4 System uptime at which the last packet of this flow was switched
FIRST_SWITCHED 22 4 System uptime at which the first packet of this flow was switched
OUT_BYTES 23 N (default is 4) Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow
OUT_PKTS 24 N (default is 4) Outgoing counter with length N x 8 bits for the number of packets that are associated with an IP Flow.
MIN_PKT_LNGTH 25 2 Minimum IP packet length on incoming packets of the flow
MAX_PKT_LNGTH 26 2 Maximum IP packet length on incoming packets of the flow
IPV6_SRC_ADDR 27 16 IPv6 Source Address
IPV6_DST_ADDR 28 16 IPv6 Destination Address
IPV6_SRC_MASK 29 1 Length of the IPv6 source mask in contiguous bits
IPV6_DST_MASK 30 1 Length of the IPv6 destination mask in contiguous bits
IPV6_FLOW_LABEL 31 3 IPv6 flow label as in RFC 2460 definition
ICMP_TYPE 32 2 Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type*256) + ICMP code)
MUL_IGMP_TYPE 33 1 Internet Group Management Protocol (IGMP) packet type
SAMPLING_INTERVAL 34 4 During the use of sampled NetFlow, the rate at which packets are sampled. That is, a value of 100 indicates that one of every 100 packets is sampled
SAMPLING_ALGORITHM 35 1 The type of algorithm that is used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling
FLOW_ACTIVE_TIMEOUT 36 2 Timeout value (in seconds) for active flow entries in the NetFlow cache
FLOW_INACTIVE_TIMEOUT 37 2 Timeout value (in seconds) for inactive flow entries in the NetFlow cache
ENGINE_TYPE 38 1 Type of flow switching engine: RP = 0, VIP/Linecard = 1
ENGINE_ID 39 1 ID number of the flow switching engine
TOTAL_BYTES_EXP 40 N (default is 4) Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain
TOTAL_PKTS_EXP 41 N (default is 4) Counter with length N x 8 bits for bytes for the number of packets that are exported by the Observation Domain
TOTAL_FLOWS_EXP 42 N (default is 4) Counter with length N x 8 bits for bytes for the number of flows that are exported by the Observation Domain
*Vendor Proprietary* 43    
IPV4_SRC_PREFIX 44 4 IPv4 source address prefix (specific for Catalyst architecture)
IPV4_DST_PREFIX 45 4 IPv4 destination address prefix (specific for Catalyst architecture)
MPLS_TOP_LABEL_TYPE 46 1 MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP
MPLS_TOP_LABEL_IP_ADDR 47 4 Forwarding Equivalent Class corresponding to the MPLS Top Label
FLOW_SAMPLER_ID 48 1 Identifier that is shown in "show flow-sampler"
FLOW_SAMPLER_MODE 49 1 The type of algorithm that is used for sampling data: 0x02 random sampling. Use with FLOW_SAMPLER_MODE
FLOW_SAMPLER_RANDOM_INTERVAL 50 4 Packet interval at which to sample. Use with FLOW_SAMPLER_MODE
*Vendor Proprietary* 51    
MIN_TTL 52 1 Minimum TTL on incoming packets of the flow
MAX_TTL 53 1 Maximum TTL on incoming packets of the flow
IPV4_IDENT 54 2 The IP v4 that identifies field
DST_TOS 55 1 Type of Service byte setting when exiting outgoing interface
IN_SRC_MAC 56 6 Incoming source MAC address
OUT_DST_MAC 57 6 Outgoing destination MAC address
SRC_VLAN 58 2 Virtual LAN identifier that is associated with ingress interface
DST_VLAN 59 2 Virtual LAN identifier that is associated with egress interface
IP_PROTOCOL_VERSION 60 1 Internet Protocol version is set to 4 for IPv4, and set to 6 for IPv6. If not present in the template, then version 4 is assumed.
DIRECTION 61 1 Flow direction: 0 - ingress flow, 1 - egress flow
IPV6_NEXT_HOP 62 16 IPv6 address of the next-hop router
BPG_IPV6_NEXT_HOP 63 16 Next-hop router in the BGP domain
IPV6_OPTION_HEADERS 64 4 Bit-encoded field that identifies IPv6 option headers found in the flow
Vendor Proprietary 65    
Vendor Proprietary 66
Vendor Proprietary 67
Vendor Proprietary 68
Vendor Proprietary 69
MPLS_LABEL_1 70 3 MPLS label at position 1 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_2 71 3 MPLS label at position 2 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_3 72 3 MPLS label at position 3 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_4 73 3 MPLS label at position 4 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_5 74 3 MPLS label at position 5 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_6 75 3 MPLS label at position 6 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_7 76 3 MPLS label at position 7 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_8 77 3 MPLS label at position 8 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_9 78 3 MPLS label at position 9 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
MPLS_LABEL_10 79 3 MPLS label at position 10 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
IN_DST_MAC 80 6 Incoming destination MAC address
OUT_SRC_MAC 81 6 Outgoing source MAC address
IF_NAME 82 N Shortened interface name, FE1/0
(default that is specified in template)
IF_DESC 83 N (default that is specified in template) Full interface name, FastEthernet 1/0
SAMPLER_NAME 84 N (default that is specified in template) Name of the flow sampler
IN_ PERMANENT _BYTES 85 N (default is 4) Running byte counter for a permanent flow
IN_ PERMANENT _PKTS 86 N (default is 4) Running packet counter for a permanent flow
* Vendor Proprietary* 87    
FRAGMENT_OFFSET 88 2 The fragment-offset value from fragmented IP packets
FORWARDING STATUS 89 1

Forwarding status is encoded on 1 byte with the 2 left bits giving the status and the 6 remaining bits giving the reason code.

Forwarding status

 

Status is either unknown (00), Forwarded (10), Dropped (10) or Consumed (11). List of forwarding status values with their meanings:
  • Unknown
    • 0
  • Forwarded
    • Unknown 64
    • Forwarded Fragmented 65
    • Forwarded not Fragmented 66
  • Dropped
    • Unknown 128
    • Drop ACL Deny 129
    • Drop ACL drop 130
    • Drop Unroutable 131
    • Drop Adjacency 132
    • Drop Fragmentation and DF set 133
    • Drop Bad header checksum 134
    • Drop Bad total Length 135
    • Drop Bad Header Length 136
    • Drop bad TTL 137
    • Drop Policer 138
    • Drop WRED 139
    • Drop RPF 140
    • Drop For us 141
    • Drop Bad output interface 142
    • Drop Hardware 143
  • Consumed
    • Unknown 192
    • Terminate Punt Adjacency 193
    • Terminate Incomplete Adjacency 194
    • Terminate For us 195
MPLS PAL RD 90 8 (array) MPLS PAL Route Distinguisher.
MPLS PREFIX LEN 91 1 Number of consecutive bits in the MPLS prefix length.
SRC TRAFFIC INDEX 92 4 BGP Policy Accounting Source Traffic Index
DST TRAFFIC INDEX 93 4 BGP Policy Accounting Destination Traffic Index
APPLICATION DESCRIPTION 94 N Application description.
APPLICATION TAG 95 1+n 8 bits of engine ID, followed by n bits of classification.
APPLICATION NAME 96 N Name that is associated with a classification.
postipDiffServCodePoint 98 1 The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field after modification.
replication factor 99 4 Multicast replication factor.
DEPRECATED 100 N DEPRECATED
layer2packetSectionOffset 102   Layer 2 packet section offset. Potentially a generic offset.
layer2packetSectionSize 103   Layer 2 packet section size. Potentially a generic size.
layer2packetSectionData 104   Layer 2 packet section data.
  105 - 127   Reserved for future use by cisco

Related information

 

huawei 格式:

信息元位置

信息元名称

信息元ID

信息元描述

1

version

BIGINT

记录大数据平台支持的netflow大字段标记。初始1。后续如新增字段一个,可变为2。

2

srcaddr

STRING

源地址

3

dstaddr

STRING

目的地址    

4

dpkts

INT

包数  

5

doctets

BIGINT

字节数  

6

firsttime

BIGINT

初始时间

7

lasttime

BIGINT

终止时间 

8

srcport

INT

源端口

9

dstport

INT

目的端口

10

tcpflags

STRING

TCP标识位 

11

protocol

STRING

协议类型

12

tos

STRING

服务类型这两个是基于报文的,我们基于会话分析flow,无法获取这两个字段。

13

srcmask

STRING

源子网掩码 

14

dstmask

STRING

目的子网掩码

15

appname

STRING

应用名称(Name associated with a classification)

16

direction

INT

流方向。(Flow direction: 0 - ingress flow, 1 - egress flow)

17

flownum

INT

聚合流的个数

18

srcprefix

STRING

源前缀

示例:10.10.0.0

19

dstprefix

STRING

目的前缀

示例:10.10.0.0

20

templateid

INT

和数据记录模板匹配的ID

21

SrcArea

STRING

源区域

22

DestArea

STRING

目的区域

23

SrcIPUser

STRING

SrcIP对应用户信息

24

DestIPUser

STRING

DestIP对应用户信息

25

SrcGeographyLocationCountryOrRegion

STRING

源IP所在国家或地区

26

SrcGeographyLocationCity

STRING

源IP所在城市

27

SrcGeographyLocationLongitude

STRING

源IP所在经度

28

SrcGeographyLocationLatitude

STRING

源IP所在纬度

29

DestGeographyLocationCountryOrRegion

STRING

目的IP所在国家或地区

30

DestGeographyLocationCity

STRING

目的IP所在城市

31

DestGeographyLocationLongitude

STRING

目的IP对应经度

32

DestGeographyLocationLatitude

STRING

目的IP对应纬度

33

SrcHostUniqueID

STRING

DHCP源主机唯一标识

34

DstHostUniqueID

STRING

DHCP目的主机唯一标识

35

SamplingInterval

INT

NetFlow采样比

36

flowprobeFlag

STRING

流探针标识

37

indpkts

STRING

备用5

38

outdpkts

STRING

备用6

39

indoctets

STRING

备用7

40

outdoctets

STRING

备用8

41

TenantID

STRING

租户ID

42

TenantName

STRING

租户名称

43

StandBy11

STRING

备用11

44

StandBy12

STRING

备用12

45

StandBy13

STRING

备用13

46

StandBy14

STRING

备用14

47

StandBy15

STRING

备用15

48

StandBy16

STRING

备用16

49

StandBy17

STRING

备用17

50

StandBy18

STRING

备用18

51

StandBy19

STRING

备用19

52

StandBy20

STRING

备用20

举例说明:netflow前面几个字段如下:

1

172.18.2.11
170.170.64.18
4(包数)
265
1627625920
1627625920
3306(源端口)
4705(目的端口)
27(tcp标志位)

最后一个标志位,27对应的2进制为00011011,表示有4个包(syn、ack、fin。。。)。可以看到是按照同一个方向进行统计的。如下图所示(合并了一个???):

 

 

posted @ 2021-09-07 10:26  bonelee  阅读(1070)  评论(0编辑  收藏  举报