Welcome to the SolarWinds NetFlow v9 Datagram Knowledge Series. This is a 7-part blog series that gives IT professionals a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.
Today's topic is the NetFlow v9 Template FlowSet.
Following the packet header, an export packet contains FlowSets, which hold the information that must be parsed and interpreted by the collector device. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet.
There are two different types of FlowSets: template and data. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet.
- Template FlowSet is a collection of one or more template records that have been grouped together in an export packet. Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance. Templates are used to describe the type and length of individual fields within a NetFlow data record that match a template ID.
- Template Record is used to define the format of subsequent data records that may be received in current or future export packets. It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet. A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache.
- Template ID is a unique number that distinguishes this template record from all other template records produced by the same export device. A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness.
NetFlow v9 Template FlowSet Format
The FlowSet ID is used to distinguish template records from data records. A template record always has a FlowSet ID in the range of 0-255. Currently, the template record that describes flow fields has a FlowSet ID of zero and the template record that describes option fields (described below) has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID greater than 255.
Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.
Length is expressed in Type/Length/Value (TLV) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.
As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID.
Templates that define data record formats begin numbering at 256 since 0-255 are reserved for FlowSet IDs.
The Field Count gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.
The Field Type is a numeric value that represents the type of the field. The possible values of the field type are vendor specific. Cisco-supplied values are consistent across all platforms that support NetFlow Version 9.
At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths.
The currently defined field types are detailed in Table 6.
The Field Length gives the length of the above-defined field, in bytes.
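A collector-side parser for the template FlowSet layout described above, added here as an example (it is not code from SolarWinds or Cisco). The function names, the cache keyed by (exporter address, template ID), and the sample templates and addresses are constructed for illustration; trailing bytes shorter than a record header are assumed to be padding.

```python
import struct

class TemplateError(ValueError):
    """Raised when a template FlowSet is malformed."""

def parse_template_flowset(buf, offset, exporter, cache):
    """Parse the template FlowSet at buf[offset:], caching each template under
    (exporter, template_id). Returns the offset of the next FlowSet."""
    if len(buf) - offset < 4:
        raise TemplateError("truncated FlowSet header")
    flowset_id, length = struct.unpack_from("!HH", buf, offset)
    if flowset_id != 0:
        raise TemplateError(f"FlowSet ID {flowset_id} is not a flow template")
    # Length includes the 4 header bytes; anything smaller would stall the
    # walk, anything larger than the datagram would read out of bounds.
    if length < 4 or offset + length > len(buf):
        raise TemplateError(f"invalid FlowSet length {length}")
    pos, end = offset + 4, offset + length
    while end - pos >= 4:  # fewer than 4 bytes left: treated as padding (assumption)
        template_id, field_count = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if template_id < 256:
            raise TemplateError(f"template ID {template_id} is in the reserved range")
        if pos + 4 * field_count > end:
            raise TemplateError(f"template {template_id}: field count overruns FlowSet")
        fields = [struct.unpack_from("!HH", buf, pos + 4 * i) for i in range(field_count)]
        cache[(exporter, template_id)] = fields  # (field type, field length) pairs
        pos += 4 * field_count
    return end

def build_template_flowset(templates):
    """Encode {template_id: [(type, length), ...]} to build constructed sample input."""
    body = b""
    for template_id, fields in templates.items():
        body += struct.pack("!HH", template_id, len(fields))
        body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

if __name__ == "__main__":
    cache = {}
    # Constructed sample: two exporters reuse template ID 256 with different layouts.
    a = build_template_flowset({256: [(8, 4), (12, 4), (1, 4)], 257: [(7, 2), (11, 2)]})
    b = build_template_flowset({256: [(7, 2), (11, 2), (4, 1)]})
    parse_template_flowset(a, 0, "192.0.2.1", cache)
    parse_template_flowset(b, 0, "192.0.2.2", cache)
    for key, fields in sorted(cache.items()):
        print(key, fields)
```

Because the cache key includes the exporter address, the two layouts for template ID 256 are stored side by side instead of one overwriting the other.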
- Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.
- Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways.
  - A template can be resent every N number of export packets.
  - A template can also be sent on a timer, so that it is refreshed every N number of minutes. Both options are user configurable.
Sample Template FlowSet Data
Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format”. Available at NetFlow Version 9 Flow-Record Format [IP Application Services] - Cisco Systems