Configuring fields to be exported in NetFlow version 9

When configuring NetFlow version 9, specify which fields are to be exported. Spurious fields are ignored by the NAM Probe NetFlow collector, but they still affect performance because they generate additional traffic.

The following table shows which NetFlow version 9 fields need to be configured for export so that NAM NetFlow analysis functions correctly.

Caution:

If a flow has no DIRECTION field exported, NAM assumes that it is an ingress record. Therefore, if both ingress and egress records are being sent, make sure that the DIRECTION field is exported; otherwise the data count performed by NAM will be doubled.

Supported NetFlow v9 fields

| Field Type | ID | Processing by NAM | Length | Description |
|---|---|---|---|---|
| IN_BYTES | 1 | Yes | Length not fixed; default is 4. | Incoming counter with length IN_BYTES x 8 bits for number of bytes associated with an IP Flow. |
| IN_PKTS | 2 | Yes | Length not fixed; default is 4. | Incoming counter with length IN_PKTS x 8 bits for the number of packets associated with an IP Flow. |
| PROTOCOL | 4 | Yes | 1 | IP protocol byte. |
| SRC_TOS | 5 | Yes | 1 | Type of Service byte setting when entering incoming interface. |
| TCP_FLAGS | 6 | Yes | 1 | Cumulative of all the TCP flags seen for this flow. |
| L4_SRC_PORT | 7 | Yes | 2 | TCP/UDP source port number (for example, FTP, Telnet, or equivalent). |
| IPV4_SRC_ADDR | 8 | Yes. If both IPV4 and IPV6 are present, only IPV4 is reported. | 4 | IPv4 source address. |
| INPUT_SNMP | 10 | Yes | Default length is 2 but higher values could be used. | Input interface index. |
| L4_DST_PORT | 11 | Yes | 2 | TCP/UDP destination port number (for example, FTP, Telnet, or equivalent). |
| IPV4_DST_ADDR | 12 | Yes. If both IPV4 and IPV6 are present, only IPV4 is reported. | 4 | IPv4 destination address. |
| OUTPUT_SNMP | 14 | Yes | Default length is 2 but higher values could be used. | Output interface index. |
| IPV6_SRC_ADDR | 27 | Yes. If both IPV4 and IPV6 are present, only IPV4 is reported. | 16 | IPv6 source address. |
| IPV6_DST_ADDR | 28 | Yes. If both IPV4 and IPV6 are present, only IPV4 is reported. | 16 | IPv6 destination address. |
| SAMPLING_INTERVAL | 34 | Yes. If not specified, 1 is assumed. | 4 | When using sampled NetFlow, the rate at which packets are sampled; for example, a value of 100 indicates that one of every 100 packets is sampled. |
| DIRECTION | 61 | Yes. If not specified, ingress flows are assumed. | 1 | Flow direction: 0 - ingress flow, 1 - egress flow. |
| SUM_RT | 42704 | Yes. Configurable. Vendor dependent. | 4 | The time taken by an application to respond to a request. It is also called Application Delay (AD) or Application Response Time. |
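
One way to check an exporter's configuration against the table above is to parse the template FlowSet it sends and audit the field list. The following Python sketch is an added example, not part of the NAM product or its documentation; the function names are hypothetical, the packet layout follows RFC 3954, and the sample packet (including field type 21, LAST_SWITCHED) is constructed for illustration.

```python
import struct

# Field type IDs taken from the "Supported NetFlow v9 fields" table above.
SUPPORTED = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
             7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
             12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 27: "IPV6_SRC_ADDR",
             28: "IPV6_DST_ADDR", 34: "SAMPLING_INTERVAL", 61: "DIRECTION", 42704: "SUM_RT"}

def parse_templates(packet):
    """Return {template_id: [(field_type, length), ...]} from one v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20                      # the v9 packet header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:     # FlowSet ID 0 carries templates
            tid, nfields = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                        # template IDs start at 256; this is padding
                break
            pos += 4
            if pos + 4 * nfields > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(nfields)]
            pos += 4 * nfields
        off = end                                # data and options FlowSets are skipped
    return templates

def audit(fields):
    """Compare one template's fields with the table: ignored IDs, DIRECTION, v4/v6 mix."""
    types = [t for t, _ in fields]
    return {"ignored": [t for t in types if t not in SUPPORTED],
            "direction_exported": 61 in types,
            "ipv6_not_reported": bool({8, 12} & set(types)) and bool({27, 28} & set(types))}

def build_sample():
    """Constructed sample: template 256 without DIRECTION, with LAST_SWITCHED (21)."""
    fields = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (11, 2), (12, 4), (10, 2), (21, 4)]
    body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset

if __name__ == "__main__":
    for tid, fields in parse_templates(build_sample()).items():
        print(tid, audit(fields))
```

A template reported with `direction_exported` set to False is only safe if the exporter sends ingress records alone; entries under `ignored` are candidates for removal from the export configuration.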