Welcome to the SolarWinds NetFlow v9 Datagram Knowledge Series. This 7-part blog series gives IT professionals a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9: what metrics are captured and how they are interpreted to help you perform comprehensive network traffic monitoring.
Today's topic is the NetFlow v9 Data FlowSet.
The Data FlowSet is a collection of one or more data records that have been grouped together in an export packet. Data records provide information about an IP flow that exists on the device that produced an export packet. Each group of data records (that is, each data FlowSet) references a previously transmitted template ID, which can be used to parse the data contained within the records.
NetFlow v9 Data FlowSet Format
FlowSet ID = Template ID
A FlowSet ID precedes each group of records within a NetFlow Version 9 data FlowSet. The FlowSet ID maps to a (previously received) template ID. The collector and display applications should use the FlowSet ID to map the appropriate type and length to any field values that follow.
Length
This field gives the length of the data FlowSet.
Length is expressed in TLV (Type/Length/Value) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of any included data records.
Record N - Field N
The remainder of the Version 9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the FlowSet ID/template ID.
Padding
Padding should be inserted to align the end of the FlowSet on a 32-bit boundary. Note that the Length field includes those padding bits.
When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot be parsed without a corresponding template ID. If a data FlowSet that does not have an appropriate template ID is received, the record should be discarded.
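The parsing rules above, as an added example (not code from SolarWinds or Cisco): a minimal collector-side parser that checks the Length field against the bytes actually received before reading any record, treats trailing bytes as padding, and discards a FlowSet whose template is unknown. The template cache, the field names chosen for it and the sample bytes are constructed for illustration.

```python
import struct

# Constructed template cache: template ID -> ordered (field name, byte length).
# A collector fills this from Template FlowSets it received earlier.
TEMPLATES = {
    257: [("L4_SRC_PORT", 2), ("L4_DST_PORT", 2), ("PROTOCOL", 1), ("SRC_TOS", 1)],
}


class FlowSetError(ValueError):
    """The Length field does not match the bytes actually received."""


def parse_data_flowset(buf, templates=TEMPLATES):
    """Parse the Data FlowSet at the start of buf; return (records, consumed).

    records is empty when no template is known and the FlowSet is discarded.
    """
    if len(buf) < 4:
        raise FlowSetError("truncated FlowSet header")
    flowset_id, length = struct.unpack_from("!HH", buf, 0)
    # Length covers the FlowSet ID, the Length field, all records and padding.
    if length < 4 or length > len(buf):
        raise FlowSetError(f"Length {length} does not fit {len(buf)} bytes")
    template = templates.get(flowset_id)
    if template is None:
        return [], length  # no template: discard, but still skip the FlowSet
    record_size = sum(size for _, size in template)
    if record_size == 0:
        raise FlowSetError("template describes zero-length records")
    records, offset = [], 4
    while offset + record_size <= length:
        record = {}
        for name, size in template:
            record[name] = bytes(buf[offset:offset + size])
            offset += size
        records.append(record)
    # Bytes between offset and length are padding to the 32-bit boundary.
    return records, length


def build_sample():
    """Constructed sample: FlowSet ID 257, one 6-byte record, 2 padding bytes."""
    record = struct.pack("!HHBB", 49152, 443, 6, 0)
    return struct.pack("!HH", 257, 12) + record + b"\x00\x00"


if __name__ == "__main__":
    print(parse_data_flowset(build_sample()))
```

Because export packets arrive over the network from devices the collector does not control, the Length check runs before any record bytes are read, so a malformed Length cannot push the parser past the end of the datagram.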
Sample Data FlowSet:
Portions of this document are excerpted from Cisco, "Cisco NetFlow Version 9 Flow-Record Format". Available at NetFlow Version 9 Flow-Record Format [IP Application Services] - Cisco Systems
Part 1 - NetFlow Overview
Part 2 - NetFlow v9 Packet Header
Part 3 - NetFlow v9 Template FlowSet
Part 5 - NetFlow v9 Options Template
Part 6 - Supported Cisco Models
Part 7 - SolarWinds NetFlow Traffic Analyzer
Learn more about how SolarWinds NetFlow Traffic Analyzer, a network traffic monitor, can serve as your NetFlow analyzer, providing network traffic analysis and bandwidth monitoring, or see for yourself with the SolarWinds live online demo.