This is an old revision of the document!
netflow control can be changed by next setting:
netflow_full_collector_type=1
где
0 - export netflow5 ( default )
1 - export UDP ipfix
2 - export TCP ipfix
Export template for IPFIX format (Netflow v10)
| № | Size | Type | IANA | Description | netflow9 analogy |
|---|---|---|---|---|---|
| 1 | 8 | int64 | 0 | octetDeltaCount | IN_BYTES |
| 2 | 8 | int64 | 0 | packetDeltaCount | IN_PKTS |
| 4 | 1 | int8 | 0 | protocolIdentifier | PROTOCOL |
| 5 | 1 | int8 | 0 | ipClassOfService | TOS |
| 7 | 2 | int16 | 0 | sourceTransportPort | L4_SRC_PORT |
| 8 | 4 | int32 | 0 | sourceIPv4Address | IPV4_SRC_ADDR |
| 11 | 2 | int16 | 0 | destinationTransportPort | L4_DST_PORT |
| 12 | 4 | int32 | 0 | destinationIPv4Address | IPV4_DST_ADDR |
| 16 | 4 | int32 | 0 | bgpSourceAsNumber | SRC_AS |
| 17 | 4 | int32 | 0 | bgpDestinationAsNumber | DST_AS |
| 152 | 8 | int64 | 0 | FlowStartMillisecond | |
| 153 | 8 | int64 | 0 | FlowEndMillisecond | |
| 10 | 2 | int16 | 0 | INPUT_SNMP | ingressInterface |
| 14 | 2 | int16 | 0 | OUTPUT_SNMP | egressInterface |
| 60 | 1 | int8 | 0 | ipVersion | IP_PROTOCOL_VERSION |
| 2000 | 8 | int64 | 43823 | SESSION ID | |
| 2001 | - | string | 43823 | HTTP HOST или CN HTTPS | |
| 2002 | 2 | int16 | 43823 | DPI PROTOCOL | |
| 2003 | - | string | 43823 | LOGIN (Radius UserName) | |
| 225 | 4 | int32 | 0 | postNATsourceIPv4Address | |
| 227 | 2 | int16 | 0 | postNAPTsourceTransportPort |
IPFIX export pattern for IPv6 differs just by absence of sourceIPv4Address, destinationIPv4Address, postNATsourceIPv4Address, postNAPTsourceTransportPort fields and by availability of the following fields
| № | Number of bytes | Data type | IANA | Description | Netflow9 analogue |
|---|---|---|---|---|---|
| 27 | 16 | int128 | 0 | sourceIPv6Address | IPV6_SRC_ADDR |
| 28 | 16 | int128 | 0 | destinationIPv6Address | IPV6_DST_ADDR |
Using this format allows to generate a report on the visiting site traffic, on the subscribers with dinamically assigned addresses and to link session and volume data with metadata transmitted within the session.
Supplied nfsen is limited by Netflow 5 fields only. For nfdump/nfsen netflow5 is reconended, because of compact format.
For extended information in IPFIX format can be used any universal IPFIX collector, for instance - CESNET ipfixcol or our utility IPFIX Receiver