cflowd Version 5 Formats and Fields

A detailed explanation of cflowd version 5 packet formats and fields is shown in the following figures and tables:

• Figure 11, "cflowd Version 5 Packet Header Format" on page 111
• Table 15, "cflowd Export Version 5 Packet Header Fields"
• Figure 12, "cflowd Version 5 Flow-Export Flow Header Format" on page 112
• Table 16, "cflowd Export Version 5 Flow-Export Flow Header Fields"

Figure 11: cflowd Version 5 Packet Header Format

Table 15: cflowd Export Version 5 Packet Header Fields

Field	Description	Comments
Version	5	-
Count	The number of records in the Protocol Data Unit (PDU) or packet	-
sysUptime	Current time elapsed in milliseconds since the router started	-
UNIX seconds	Current seconds since 0000 UTC 1970	NTP synchronized time; the clock on each services PIC is autonomous (200 - 400 msec jitter) across PICs in a chassis
UNIX nanoseconds	Residual nanoseconds since 0000 UTC 1970	See Comments above for UNIX Seconds
Flow sequence number	Sequence number of total flows received	-
Engine type	User-configured 8-bit value	Also known as VIP type on other vendors' equipment
Engine ID	User-configured 8-bit value	-

Figure 12: cflowd Version 5 Flow-Export Flow Header Format

Table 16: cflowd Export Version 5 Flow-Export Flow Header Fields

Field	Description	Comments
Source IP address	Source IP address of the flow	-
Destination IP address	Destination IP address of the flow	-
Next-hop IP address	IP address of the router where flows are forwarded	Set to zero; not implemented currently
Input ifIndex	SNMP index value for the input interface where the router receives flows	JUNOS Release 5.7—Dynamically inserted, but overridden by manual configuration JUNOS Release 5.5—Manually set JUNOS Release 5.4—Set to zero
Output ifIndex	SNMP index value for the output interface where the router forwards flows	JUNOS Release 5.7—Dynamically inserted, but overridden by manual configuration JUNOS Release 5.5—Manually set JUNOS Release 5.4—Set to zero
Packets	Total number of packets received in a flow	-
Bytes	Total number of bytes received in a flow	-
Start time of flow	System up time in seconds at the start of the flow	System up time for the services PIC accepting flows
End time of flow	System up time in seconds at the end of the flow	System up time for the services PIC accepting flows
Source port	Source application port	-
Destination port	Destination application port	The ICMP type is placed in the high-order byte and the ICMP type code is placed in the low-order byte of this field (see Note on page "In the two-byte destination port field of the cflowd export version 5 flow-export flow format, the following information can be derived:")
TCP flags	TCP flags set in the flow	-
IP protocol	IP protocol number	-
TOS	IP type of service	-
Source AS	AS number of the source address	JUNOS Release 5.7—Dynamically inserted if AS information is available
Destination AS	AS number of the destination address	JUNOS Release 5.7—Dynamically inserted if AS information is available
Source mask length	Source address network mask length	Set to zero; not implemented currently
Dest. mask length	Destination address network mask length	Set to zero; not implemented currently
Padding	Bytes available to ensure a minimum packet length

Useful formulas for cflowd are:

• start flow timestamp absolute = unixTime x 1000 - (sysUptime - start flow timestamp)
• end flow timestamp absolute = unixTime x 1000 - (sysUptime - end flow timestamp)
  
  

  In the two-byte destination port field of the cflowd export version 5 flow-export flow format, the following information can be derived: High-order byte—ICMP type Low-order byte—ICMP type code For example, if the ICMP type is 3 (00000011 in binary) and the ICMP type code is network unreachable (Type Code 0, or 00000000 in binary), the resulting destination port field value is 00000011 00000000 (768 in decimal). For more information on ICMP type and type code, see RFC 792 at http://www.ietf.org.