• NetFlow v9 field meanings


    Source: https://www.ibm.com/docs/en/npi/1.1.0?topic=formats-v9-field-type-definitions

    IBM's format definition:

    V9 field type definitions

    When extensibility is required, the new field types can be added to the list. The new field types must be updated on the Exporter and Collector but the NetFlow export format remains unchanged.

    Field Type  Value  Length (bytes)  Description
    IN_BYTES 1 N (default is 4) Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow.
    IN_PKTS 2 N (default is 4) Incoming counter with length N x 8 bits for the number of packets that are associated with an IP Flow
    FLOWS 3 N Number of flows that are aggregated; default for N is 4
    PROTOCOL 4 1 IP protocol byte
    SRC_TOS 5 1 Type of Service byte setting when entering the incoming interface
    TCP_FLAGS 6 1 Cumulative of all the TCP flags seen for this flow
    L4_SRC_PORT 7 2 TCP/UDP source port number. That is, FTP, Telnet, or equivalent
    IPV4_SRC_ADDR 8 4 IPv4 source address
    SRC_MASK 9 1 The number of contiguous bits in the source address subnet mask. That is, the submask in slash notation
    INPUT_SNMP 10 N Input interface index; default for N is 2 but higher values might be used
    L4_DST_PORT 11 2 TCP/UDP destination port number. That is, FTP, Telnet, or equivalent
    IPV4_DST_ADDR 12 4 IPv4 destination address
    DST_MASK 13 1 The number of contiguous bits in the destination address subnet mask. That is, the submask in slash notation.
    OUTPUT_SNMP 14 N Output interface index; default for N is 2 but higher values might be used
    IPV4_NEXT_HOP 15 4 IPv4 address of next-hop router
    SRC_AS 16 N (default is 2) Source BGP autonomous system number where N might be 2 or 4
    DST_AS 17 N (default is 2) Destination BGP autonomous system number where N might be 2 or 4
    BGP_IPV4_NEXT_HOP 18 4 Next-hop router's IP in the BGP domain
    MUL_DST_PKTS 19 N (default is 4) IP multicast outgoing packet counter with length N x 8 bits for packets that are associated with the IP Flow
    MUL_DST_BYTES 20 N (default is 4) IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow
    LAST_SWITCHED 21 4 System uptime at which the last packet of this flow was switched
    FIRST_SWITCHED 22 4 System uptime at which the first packet of this flow was switched
    OUT_BYTES 23 N (default is 4) Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow
    OUT_PKTS 24 N (default is 4) Outgoing counter with length N x 8 bits for the number of packets that are associated with an IP Flow.
    MIN_PKT_LNGTH 25 2 Minimum IP packet length on incoming packets of the flow
    MAX_PKT_LNGTH 26 2 Maximum IP packet length on incoming packets of the flow
    IPV6_SRC_ADDR 27 16 IPv6 Source Address
    IPV6_DST_ADDR 28 16 IPv6 Destination Address
    IPV6_SRC_MASK 29 1 Length of the IPv6 source mask in contiguous bits
    IPV6_DST_MASK 30 1 Length of the IPv6 destination mask in contiguous bits
    IPV6_FLOW_LABEL 31 3 IPv6 flow label as in RFC 2460 definition
    ICMP_TYPE 32 2 Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type*256) + ICMP code)
    MUL_IGMP_TYPE 33 1 Internet Group Management Protocol (IGMP) packet type
    SAMPLING_INTERVAL 34 4 During the use of sampled NetFlow, the rate at which packets are sampled. That is, a value of 100 indicates that one of every 100 packets is sampled
    SAMPLING_ALGORITHM 35 1 The type of algorithm that is used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling
    FLOW_ACTIVE_TIMEOUT 36 2 Timeout value (in seconds) for active flow entries in the NetFlow cache
    FLOW_INACTIVE_TIMEOUT 37 2 Timeout value (in seconds) for inactive flow entries in the NetFlow cache
    ENGINE_TYPE 38 1 Type of flow switching engine: RP = 0, VIP/Linecard = 1
    ENGINE_ID 39 1 ID number of the flow switching engine
    TOTAL_BYTES_EXP 40 N (default is 4) Counter with length N x 8 bits for the number of bytes exported by the Observation Domain
    TOTAL_PKTS_EXP 41 N (default is 4) Counter with length N x 8 bits for the number of packets exported by the Observation Domain
    TOTAL_FLOWS_EXP 42 N (default is 4) Counter with length N x 8 bits for the number of flows exported by the Observation Domain
    Vendor Proprietary 43
    IPV4_SRC_PREFIX 44 4 IPv4 source address prefix (specific for Catalyst architecture)
    IPV4_DST_PREFIX 45 4 IPv4 destination address prefix (specific for Catalyst architecture)
    MPLS_TOP_LABEL_TYPE 46 1 MPLS Top Label Type: 0x00 UNKNOWN 0x01 TE-MIDPT 0x02 ATOM 0x03 VPN 0x04 BGP 0x05 LDP
    MPLS_TOP_LABEL_IP_ADDR 47 4 Forwarding Equivalent Class corresponding to the MPLS Top Label
    FLOW_SAMPLER_ID 48 1 Identifier that is shown in "show flow-sampler"
    FLOW_SAMPLER_MODE 49 1 The type of algorithm that is used for sampling data: 0x02 random sampling. Use with FLOW_SAMPLER_ID
    FLOW_SAMPLER_RANDOM_INTERVAL 50 4 Packet interval at which to sample. Use with FLOW_SAMPLER_MODE
    Vendor Proprietary 51
    MIN_TTL 52 1 Minimum TTL on incoming packets of the flow
    MAX_TTL 53 1 Maximum TTL on incoming packets of the flow
    IPV4_IDENT 54 2 The IPv4 identification field
    DST_TOS 55 1 Type of Service byte setting when exiting outgoing interface
    IN_SRC_MAC 56 6 Incoming source MAC address
    OUT_DST_MAC 57 6 Outgoing destination MAC address
    SRC_VLAN 58 2 Virtual LAN identifier that is associated with ingress interface
    DST_VLAN 59 2 Virtual LAN identifier that is associated with egress interface
    IP_PROTOCOL_VERSION 60 1 Internet Protocol version is set to 4 for IPv4, and set to 6 for IPv6. If not present in the template, then version 4 is assumed.
    DIRECTION 61 1 Flow direction: 0 - ingress flow, 1 - egress flow
    IPV6_NEXT_HOP 62 16 IPv6 address of the next-hop router
    BGP_IPV6_NEXT_HOP 63 16 Next-hop router in the BGP domain
    IPV6_OPTION_HEADERS 64 4 Bit-encoded field that identifies IPv6 option headers found in the flow
    Vendor Proprietary 65    
    Vendor Proprietary 66
    Vendor Proprietary 67
    Vendor Proprietary 68
    Vendor Proprietary 69
    MPLS_LABEL_1 70 3 MPLS label at position 1 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_2 71 3 MPLS label at position 2 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_3 72 3 MPLS label at position 3 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_4 73 3 MPLS label at position 4 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_5 74 3 MPLS label at position 5 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_6 75 3 MPLS label at position 6 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_7 76 3 MPLS label at position 7 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_8 77 3 MPLS label at position 8 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_9 78 3 MPLS label at position 9 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    MPLS_LABEL_10 79 3 MPLS label at position 10 in the stack. It comprises 20 bits of MPLS label, 3 EXP (experimental) bits and 1 S (end-of-stack) bit.
    IN_DST_MAC 80 6 Incoming destination MAC address
    OUT_SRC_MAC 81 6 Outgoing source MAC address
    IF_NAME 82 N (default that is specified in template) Shortened interface name, e.g. FE1/0
    IF_DESC 83 N (default that is specified in template) Full interface name, e.g. FastEthernet 1/0
    SAMPLER_NAME 84 N (default that is specified in template) Name of the flow sampler
    IN_PERMANENT_BYTES 85 N (default is 4) Running byte counter for a permanent flow
    IN_PERMANENT_PKTS 86 N (default is 4) Running packet counter for a permanent flow
    Vendor Proprietary 87
    FRAGMENT_OFFSET 88 2 The fragment-offset value from fragmented IP packets
    FORWARDING_STATUS 89 1 Forwarding status is encoded on 1 byte: the 2 high-order bits give the status and the remaining 6 bits give the reason code.

    Forwarding status
    Status is either Unknown (00), Forwarded (01), Dropped (10) or Consumed (11). List of forwarding status values with their meanings:
    • Unknown
      • 0
    • Forwarded
      • Unknown 64
      • Forwarded Fragmented 65
      • Forwarded not Fragmented 66
    • Dropped
      • Unknown 128
      • Drop ACL Deny 129
      • Drop ACL drop 130
      • Drop Unroutable 131
      • Drop Adjacency 132
      • Drop Fragmentation and DF set 133
      • Drop Bad header checksum 134
      • Drop Bad total Length 135
      • Drop Bad Header Length 136
      • Drop bad TTL 137
      • Drop Policer 138
      • Drop WRED 139
      • Drop RPF 140
      • Drop For us 141
      • Drop Bad output interface 142
      • Drop Hardware 143
    • Consumed
      • Unknown 192
      • Terminate Punt Adjacency 193
      • Terminate Incomplete Adjacency 194
      • Terminate For us 195
    MPLS PAL RD 90 8 (array) MPLS PAL Route Distinguisher.
    MPLS PREFIX LEN 91 1 Number of consecutive bits in the MPLS prefix length.
    SRC TRAFFIC INDEX 92 4 BGP Policy Accounting Source Traffic Index
    DST TRAFFIC INDEX 93 4 BGP Policy Accounting Destination Traffic Index
    APPLICATION DESCRIPTION 94 N Application description.
    APPLICATION TAG 95 1+n 8 bits of engine ID, followed by n bits of classification.
    APPLICATION NAME 96 N Name that is associated with a classification.
    postipDiffServCodePoint 98 1 The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field after modification.
    replication factor 99 4 Multicast replication factor.
    DEPRECATED 100 N DEPRECATED
    layer2packetSectionOffset 102   Layer 2 packet section offset. Potentially a generic offset.
    layer2packetSectionSize 103   Layer 2 packet section size. Potentially a generic size.
    layer2packetSectionData 104   Layer 2 packet section data.
    105-127   Reserved for future use by Cisco
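The template/data layout that the field IDs above describe, as an added example (editor-written code, not from IBM, Cisco or the original post): a minimal NetFlow v9 parser that learns a Template FlowSet, decodes the Data FlowSet records against it, and unpacks the composite fields whose encodings the table spells out (TCP_FLAGS as a cumulative OR, ICMP_TYPE as type*256+code, FORWARDING_STATUS as 2 status bits plus 6 reason bits). The packet it parses is constructed inline; the limit MAX_FIELDS_PER_TEMPLATE is an assumption of this example, not something the protocol defines.

```python
import struct
from ipaddress import IPv4Address

# Field type IDs from the v9 table above; anything else is reported as field_<id>.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 32: "ICMP_TYPE", 89: "FORWARDING_STATUS",
}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]
FWD_STATUS = {0: "Unknown", 1: "Forwarded", 2: "Dropped", 3: "Consumed"}
MAX_FIELDS_PER_TEMPLATE = 256   # sanity bound chosen for this example; the protocol sets none

def decode_tcp_flags(value):
    """Field 6 is the OR of every TCP flag seen on the flow, not a per-packet value."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]

def decode_forwarding_status(value):
    """Field 89: top two bits = status, low six bits = reason (66 -> ('Forwarded', 2))."""
    return FWD_STATUS[value >> 6], value & 0x3F

def decode_icmp_type(value):
    """Field 32 packs ICMP type and code as (type * 256) + code."""
    return value >> 8, value & 0xFF

def _decode(ftype, raw):
    if ftype in (8, 12, 15, 18):                  # IPv4 address fields
        return str(IPv4Address(raw))
    value = int.from_bytes(raw, "big")
    if ftype == 6:
        return decode_tcp_flags(value)
    if ftype == 89:
        return decode_forwarding_status(value)
    if ftype == 32:
        return decode_icmp_type(value)
    return value

def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet into (header, records).

    `templates` maps template ID -> [(field type, length), ...]; pass a dict to keep
    templates across packets (a real collector keys this per exporter address and
    source_id). A Data FlowSet whose template is unknown is skipped, never guessed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    templates = {} if templates is None else templates
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("FlowSet length outside packet")   # never trust the wire length
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                                      # Template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0 or nfields > MAX_FIELDS_PER_TEMPLATE or pos + 4 * nfields > len(body):
                    raise ValueError(f"malformed template {tid}")
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif flowset_id >= 256 and flowset_id in templates:     # Data FlowSet
            fields = templates[flowset_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):        # trailing bytes are padding
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
                pos += rec_len
        offset += length            # Options FlowSet (ID 1) and unknown templates are skipped

    return header, records

def build_sample_packet():
    """Constructed input, not a capture: template 256 plus one data record carrying the
    flow from the example later on this page (172.18.2.11:3306 -> 170.170.64.18:4705)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 4), (1, 4), (89, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (IPv4Address("172.18.2.11").packed + IPv4Address("170.170.64.18").packed
           + struct.pack("!HHBBIIB", 3306, 4705, 6, 27, 4, 265, 0x42))   # 0x42 = Forwarded, not fragmented
    pad = (-(4 + len(rec))) % 4                   # Data FlowSets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1627625920, 1, 0)   # count = 1 template + 1 data record
    return header + tmpl_fs + data_fs

if __name__ == "__main__":
    hdr, recs = parse_v9(build_sample_packet())
    print(hdr)
    for r in recs:
        print(r)
```

NetFlow is exported over unauthenticated UDP, and the template an exporter sends dictates how the collector interprets every byte that follows it, which is why the lengths taken from the wire are bounds-checked before use and an unknown template ID leads to the records being dropped rather than decoded with a stale or spoofed layout.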


    Huawei format:

    Position  Name  Type  Description
    1 version BIGINT Version marker of the NetFlow schema supported by the big-data platform. Initially 1; becomes 2 if a field is added later.
    2 srcaddr STRING Source address
    3 dstaddr STRING Destination address
    4 dpkts INT Packet count
    5 doctets BIGINT Byte count
    6 firsttime BIGINT Start time
    7 lasttime BIGINT End time
    8 srcport INT Source port
    9 dstport INT Destination port
    10 tcpflags STRING TCP flag bits
    11 protocol STRING Protocol type
    12 tos STRING Type of service. (These two fields are per-packet; we analyse flows per session and cannot obtain them.)
    13 srcmask STRING Source subnet mask
    14 dstmask STRING Destination subnet mask
    15 appname STRING Application name (name associated with a classification)
    16 direction INT Flow direction (0 - ingress flow, 1 - egress flow)
    17 flownum INT Number of aggregated flows
    18 srcprefix STRING Source prefix, e.g. 10.10.0.0
    19 dstprefix STRING Destination prefix, e.g. 10.10.0.0
    20 templateid INT ID of the template that the data record matches
    21 SrcArea STRING Source zone
    22 DestArea STRING Destination zone
    23 SrcIPUser STRING User information for SrcIP
    24 DestIPUser STRING User information for DestIP
    25 SrcGeographyLocationCountryOrRegion STRING Country or region of the source IP
    26 SrcGeographyLocationCity STRING City of the source IP
    27 SrcGeographyLocationLongitude STRING Longitude of the source IP
    28 SrcGeographyLocationLatitude STRING Latitude of the source IP
    29 DestGeographyLocationCountryOrRegion STRING Country or region of the destination IP
    30 DestGeographyLocationCity STRING City of the destination IP
    31 DestGeographyLocationLongitude STRING Longitude of the destination IP
    32 DestGeographyLocationLatitude STRING Latitude of the destination IP
    33 SrcHostUniqueID STRING DHCP unique identifier of the source host
    34 DstHostUniqueID STRING DHCP unique identifier of the destination host
    35 SamplingInterval INT NetFlow sampling ratio
    36 flowprobeFlag STRING Flow probe identifier
    37 indpkts STRING Reserved 5
    38 outdpkts STRING Reserved 6
    39 indoctets STRING Reserved 7
    40 outdoctets STRING Reserved 8
    41 TenantID STRING Tenant ID
    42 TenantName STRING Tenant name
    43 StandBy11 STRING Reserved 11
    44 StandBy12 STRING Reserved 12
    45 StandBy13 STRING Reserved 13
    46 StandBy14 STRING Reserved 14
    47 StandBy15 STRING Reserved 15
    48 StandBy16 STRING Reserved 16
    49 StandBy17 STRING Reserved 17
    50 StandBy18 STRING Reserved 18
    51 StandBy19 STRING Reserved 19
    52 StandBy20 STRING Reserved 20

    Example: the first few fields of one NetFlow record look like this:

    1
    172.18.2.11
    170.170.64.18
    4 (packet count)
    265
    1627625920
    1627625920
    3306 (source port)
    4705 (destination port)
    27 (TCP flags)

    The last value is the TCP flags field. 27 in binary is 00011011, i.e. FIN (0x01), SYN (0x02), PSH (0x08) and ACK (0x10) were all seen on this flow; the field is the cumulative OR of the flags, so it says which flags appeared, while the number of packets (4: SYN, ACK, FIN, ...) comes from the packet-count field. Note that the statistics are counted in one direction only. As shown in the figure below (one was merged???):
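What "counted in one direction only" means for a collector, as an added example (editor-written, not from the original post): the exporter emits the server->client half shown above and the client->server half as two separate records, and pairing them is the collector's job. The code below uses the flat column order of the Huawei schema (positions 1-10), the page's record plus a constructed reverse-direction record and a constructed lone SYN; the client/server assignment is a heuristic of this example, not a field the export carries.

```python
# Flat column layout of the record above (Huawei schema positions 1-10).
COLUMNS = ("version", "srcaddr", "dstaddr", "dpkts", "doctets",
           "firsttime", "lasttime", "srcport", "dstport", "tcpflags")
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG")]

# Constructed sample: the page's record (server side, 172.18.2.11:3306), the
# client -> server half the exporter emits separately, and a lone SYN to port 22.
SAMPLE_ROWS = [
    (1, "172.18.2.11", "170.170.64.18", 4, 265, 1627625920, 1627625920, 3306, 4705, 27),
    (1, "170.170.64.18", "172.18.2.11", 5, 410, 1627625919, 1627625920, 4705, 3306, 26),
    (1, "10.0.0.5", "10.0.0.9", 1, 60, 1627625930, 1627625930, 51000, 22, 2),
]

def flag_names(flags):
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]

def merge_biflows(rows):
    """Join unidirectional records into sessions keyed on the unordered endpoint pair.

    Client/server is a heuristic (the flow that started first, ties broken by the
    higher port as the ephemeral side); the export itself carries no such field."""
    sessions = {}
    for row in rows:
        r = dict(zip(COLUMNS, row))
        a, b = (r["srcaddr"], r["srcport"]), (r["dstaddr"], r["dstport"])
        s = sessions.setdefault((min(a, b), max(a, b)),
                                {"flows": [], "pkts": 0, "bytes": 0, "flags": 0})
        s["flows"].append(r)
        s["pkts"] += r["dpkts"]
        s["bytes"] += r["doctets"]
        s["flags"] |= r["tcpflags"]        # OR across both directions, like the flags field itself
    for s in sessions.values():
        first = min(s["flows"], key=lambda f: (f["firsttime"], -f["srcport"]))
        s["client"] = (first["srcaddr"], first["srcport"])
        s["server"] = (first["dstaddr"], first["dstport"])
        s["first"] = min(f["firsttime"] for f in s["flows"])
        s["last"] = max(f["lasttime"] for f in s["flows"])
        s["flag_names"] = flag_names(s["flags"])
        s["unanswered"] = len(s["flows"]) == 1   # only one direction seen: probe, scan or drop
    return sessions

def unanswered_syns(sessions):
    """Single-direction sessions carrying nothing but SYN: the half-open / port-scan signature."""
    return [s["client"] + s["server"] for s in sessions.values()
            if s["unanswered"] and s["flags"] == 0x02]

if __name__ == "__main__":
    sessions = merge_biflows(SAMPLE_ROWS)
    for key, s in sessions.items():
        print(s["client"], "->", s["server"], s["pkts"], "pkts", s["bytes"], "bytes", s["flag_names"])
    print("unanswered SYNs:", unanswered_syns(sessions))
```

Pairing on the unordered endpoint pair is what turns two one-way records into the session the analyst actually cares about; the sessions that never find a partner are the interesting ones for detection, since a SYN with no reply in either direction is what a scanner or a dropped connection looks like in flow data.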

  • Original address: https://www.cnblogs.com/bonelee/p/15237044.html