Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.

 

Today's topic is the NetFlow v9 Packet Header.


The NetFlow Packet Header provides basic information about the packet such as the NetFlow version, number of records contained within the packet, and sequence numbering, so that lost packets can be detected. All NetFlow packets begin with version-dependent header that contains at least these fields:

 

  • Version number (v5, v8, v9, v10)
  • Sequence number to detect loss and duplication
  • Timestamps at the moment of export, as system uptime or absolute time.
  • Number of records (v5 or v8) or list of templates and records (v9)

 

The NetFlow Version 9 record format consists of a packet header followed by at least one or more template or data FlowSets. The combination of packet header, and one or more template and data FlowSets is called an Export Packet. Built by a device (for example, a router) with NetFlow services enabled, this type of packet is addressed to another device (for example, a NetFlow collector). This other device processes the packet (parses, aggregates, and stores information on IP flows) .

 

NetFlow v9 Export Packet.png

 

NetFlow v9 Packet Header Format

 

NetFlow v9 Packet Header.png

 

Nomenclature

Version

The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009

Count

Number of FlowSet records (both template and data) contained within this packet

System Uptime

Time in milliseconds since this device was first booted

UNIX Seconds

Seconds since 0000 Coordinated Universal Time (UTC) 1970

Sequence Number

Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed

Note: This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented "total flows."

Source ID

The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.

 

Sample Packet Header Data

 

NetFlow v9 Sample Packet Header Data.png

 

 

Part 1:  NetFlow Overview

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer

 

Portions of this document are excerpted from Cisco, “NetFlow Version 9 Flow Record Format”. Available at http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

 

 

Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo, or, view this video:  How to Configure NetFlow on Cisco Routers.

 

 

NTA_Netflow_WP.png