Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.


Today's topic is the NetFlow v9 Options Template.


The Options Template is a special type of template record used to communicate the format of data related to the NetFlow process.

 

NetFlow v9 Options Template.png

 

The Options Data Record is a special type of data record (based on an options template) with a reserved template ID that, rather than supplying information about IP flows, is used to supply "meta-data" about the NetFlow process itself.

 

NetFlow v9 Options Data Record.png

 

Nomenclature

FlowSet ID = 1

The FlowSet ID is used to distinguish template records from data records. A template record always has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID which is greater than 255.

Length

This field gives the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.

Template ID

As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID. The Template ID is greater than 255. Template IDs inferior to 255 are reserved.

Option Scope Length

This field gives the length in bytes of any scope fields contained in this options template (the use of scope is described below).

Options Length

This field gives the length (in bytes) of any Options field definitions contained in this options template.

Scope Field 1 Type

This field gives the relevant portion of the NetFlow process to which the options record refers. Currently defined values follow:

  • 0x0001 System
  • 0x0002 Interface
  • 0x0003 Line Card
  • 0x0004 NetFlow Cache
  • 0x0005 Template

For example, sampled NetFlow can be implemented on a per-interface basis, so if the options record was reporting on how sampling is configured, the scope for the report would be 0x0002 (interface).

Scope Field 1 Length

This field gives the length (in bytes) of the Scope field, as it would appear in an options record.

Option Field 1 Type

This numeric value represents the type of the field that appears in the options record. Possible values are detailed in Table 6 above.

Option Field 1 Length

This number is the length (in bytes) of the field, as it would appear in an options record.

Padding

Padding should be inserted to align the end of the FlowSet on a 32 bit boundary. Pay attention that the Length field will include those padding bits.

 

 

NetFlow v9 Sample Options Template Data.png

 

 

 

Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format".  Available at NetFlow Version 9 Flow-Record Format  [IP Application Services] - Cisco Systems

 

Part 1 - NetFlow Overview

Part 2 - NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer

 

Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo.

 

 

NTA_Netflow_WP.png