
Flow Monitoring Output Formats

When you implement passive flow monitoring and active flow monitoring, you should be familiar with flow monitoring formats and fields. Version 5 and version 8 export data into specified fields. Version 9 exports data into templates.

The flow monitoring station monitors the traffic flow and exports the data in flow format to an external server. The JUNOS software collects information about the following fields:

Detailed descriptions of the formats are available as follows:

Version 5 Formats and Fields

A detailed explanation of version 5 packet formats and fields is shown in the following figures and tables:

Figure 49: Version 5 Packet Header Format

Table 37: Export Version 5 Packet Header Fields

| Field | Description | Comments |
| --- | --- | --- |
| Version | 5 | |
| Count | The number of records in the Protocol Data Unit (PDU) or packet | |
| sysUptime | Current time elapsed, in milliseconds, since the routing platform started | |
| UNIX seconds | Current seconds since 0000 UTC 1970 | NTP synchronized time; the clock on each services PIC is autonomous (200–400 msec jitter) across PICs in a chassis |
| UNIX nanoseconds | Residual nanoseconds since 0000 UTC 1970 | See Comments above for UNIX seconds |
| Flow sequence number | Sequence number of total flows received | |
| Engine type | User-configured 8-bit value | Also known as VIP type on other vendors’ equipment |
| Engine ID | User-configured 8-bit value | |

Figure 50: Version 5 Flow-Export Flow Header Format

Table 38: Export Version 5 Flow-Export Flow Header Fields

| Field | Description | Comments |
| --- | --- | --- |
| Source IP address | Source IP address of the flow | |
| Destination IP address | Destination IP address of the flow | |
| Next-hop IP address | IP address of the routing platform where flows are forwarded | |
| Input ifIndex | SNMP index value for the input interface where the routing platform receives flows | JUNOS Release 5.7 and later—Dynamically inserted, but overridden by manual configuration; JUNOS Release 5.5—Manually set; JUNOS Release 5.4—Set to zero |
| Output ifIndex | SNMP index value for the output interface where the routing platform forwards flows | JUNOS Release 5.7 and later—Dynamically inserted, but overridden by manual configuration; JUNOS Release 5.5—Manually set; JUNOS Release 5.4—Set to zero |
| Packets | Total number of packets received in a flow | |
| Bytes | Total number of bytes received in a flow | |
| Start time of flow | System up time, in seconds, at the start of the flow | System up time for the services PIC accepting flows |
| End time of flow | System up time, in seconds, at the end of the flow | System up time for the services PIC accepting flows |
| Source port | Source application port | |
| Destination port | Destination application port | The ICMP type is placed in the high-order byte and the ICMP type code is placed in the low-order byte of this field. |
| TCP flags | TCP flags set in the flow | |
| IP protocol | IP protocol number | |
| TOS | IP type of service | |
| Source AS | AS number of the source address | JUNOS Release 5.7 and later—Dynamically inserted if AS information is available |
| Destination AS | AS number of the destination address | JUNOS Release 5.7 and later—Dynamically inserted if AS information is available |
| Source mask length | Source address network mask length | |
| Dest. mask length | Destination address network mask length | |
| Padding | Bytes available to ensure a minimum packet length | |

Useful formulas for flow monitoring are:

For example, if the ICMP type is 3 (00000011 in binary) and the ICMP type code is network unreachable (Type Code 0, or 00000000 in binary), the resulting destination port field value is 00000011 00000000 (768 in decimal).

For more information on ICMP type and type code, see RFC 792 at http://www.ietf.org.
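The following collector-side parser is an added example, not code from the JUNOS documentation. It decodes a version 5 export packet, checks the Count field against the bytes actually received, and recovers the ICMP type and type code from the destination port field as described above. The byte widths (a 24-byte header ending in a 16-bit field that Table 37 does not list, and 48-byte records) are assumed from the commonly documented version 5 layout because the figures are not reproduced here; the sample packet is constructed.

```python
import ipaddress
import struct

# Assumed field widths: the commonly documented version 5 layout.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48 bytes


def parse_v5(datagram: bytes) -> dict:
    """Validate and decode one version 5 export packet."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    (version, count, _uptime, _secs, _nsecs,
     flow_seq, engine_type, engine_id, _last16) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a version 5 export")
    # Count is sender-controlled: it must agree with the bytes actually received.
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("Count does not match datagram length")
    flows = []
    for offset in range(V5_HEADER.size, len(datagram), V5_RECORD.size):
        (src, dst, _nexthop, in_if, out_if, packets, octets, _start, _end,
         sport, dport, tcp_flags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask) = V5_RECORD.unpack_from(datagram, offset)
        flow = {"src": str(ipaddress.IPv4Address(src)),
                "dst": str(ipaddress.IPv4Address(dst)),
                "in_if": in_if, "out_if": out_if, "protocol": proto,
                "packets": packets, "bytes": octets,
                "src_port": sport, "dst_port": dport, "tcp_flags": tcp_flags}
        if proto == 1:  # ICMP: type in the high-order byte, type code in the low-order byte
            flow["icmp_type"], flow["icmp_code"] = dport >> 8, dport & 0xFF
        flows.append(flow)
    return {"flow_sequence": flow_seq, "engine": (engine_type, engine_id), "flows": flows}


def build_sample() -> bytes:
    """Constructed sample: one ICMP flow with type 3, type code 0 (destination port 768)."""
    header = V5_HEADER.pack(5, 1, 360000, 1700000000, 0, 42, 0, 7, 0)
    record = V5_RECORD.pack(
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address("198.51.100.20").packed,
        ipaddress.IPv4Address("203.0.113.1").packed,
        3, 4, 2, 168, 1000, 2000, 0, 768, 0, 1, 0, 64500, 64501, 24, 24)
    return header + record
```
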

Version 8 Formats and Fields

A detailed explanation of version 8 packet formats and fields is shown as follows:

Figure 51: Version 8 Template Flow Format

Table 39: Version 8 Flow Template Fields

| Field | Description |
| --- | --- |
| Version | 8 |
| Count | The number of records in the protocol data unit (PDU) or packet |
| sysUptime | Current time elapsed, in milliseconds, since the routing platform started |
| UNIX seconds | Current seconds since 0000 UTC 1970 |
| UNIX nanoseconds | Residual nanoseconds since 0000 UTC 1970 |
| Flow sequence number | Sequence counter of total flows received |
| Engine type | Type of flow switching engine |
| Engine ID | ID number of the flow switching engine |
| Aggregation method | Aggregation method used |
| Aggregation version | Version of the aggregation export |
| Reserved | Empty field reserved for future usage |

Figure 52: Version 8 AS Aggregation Flow Entry Format

Table 40: Version 8 AS Aggregation Flow Entry Fields

| Field | Description |
| --- | --- |
| Flows | Total number of flows |
| Packets | Total number of packets received in a flow |
| Bytes | Total number of bytes received in a flow |
| Start time of flow | System up time, in seconds, at the start of the flow |
| End time of flow | System up time, in seconds, at the end of the flow |
| Source AS | AS number of the source address |
| Destination AS | AS number of the destination address |
| Input interface | SNMP index value for the input interface where the routing platform receives flows |
| Output interface | SNMP index value for the output interface where the routing platform forwards flows |

Figure 53: Version 8 Protocol/Port Aggregation Flow Entry Format

Table 41: Version 8 Protocol/Port Aggregation Flow Entry Fields

| Field | Description |
| --- | --- |
| Flows | Total number of flows |
| Packets | Total number of packets received in a flow |
| Bytes | Total number of bytes received in a flow |
| Start time of flow | System up time, in seconds, at the start of the flow |
| End time of flow | System up time, in seconds, at the end of the flow |
| IP protocol | IP protocol number |
| Padding | Bytes available to ensure a minimum packet length |
| Reserved | Empty field reserved for future usage |
| Source port | Source application port |
| Destination port | Destination application port |

Figure 54: Version 8 Prefix Aggregation Flow Entry Format

Table 42: Version 8 Prefix Aggregation Flow Entry Fields

| Field | Description |
| --- | --- |
| Flows | Total number of flows |
| Packets | Total number of packets received in a flow |
| Bytes | Total number of bytes received in a flow |
| Start time of flow | System up time, in seconds, at the start of the flow |
| End time of flow | System up time, in seconds, at the end of the flow |
| Source prefix | Source IP address prefix |
| Destination prefix | Destination IP address prefix |
| Source mask length | Source address network mask length |
| Dest. mask length | Destination address network mask length |
| Reserved | Empty field reserved for future usage |
| Source AS | AS number of the source address |
| Destination AS | AS number of the destination address |
| Input interface | SNMP index value for the input interface where the routing platform receives flows |
| Output interface | SNMP index value for the output interface where the routing platform forwards flows |

Figure 55: Version 8 Source Prefix Aggregation Flow Entry Format

Table 43: Version 8 Source Prefix Aggregation Flow Entry Fields

| Field | Description |
| --- | --- |
| Flows | Total number of flows |
| Packets | Total number of packets received in a flow |
| Bytes | Total number of bytes received in a flow |
| Start time of flow | System up time, in seconds, at the start of the flow |
| End time of flow | System up time, in seconds, at the end of the flow |
| Source prefix | Source IP address prefix |
| Source mask length | Source address network mask length |
| Padding | Bytes available to ensure a minimum packet length |
| Source AS | AS number of the source address |
| Input interface | SNMP index value for the input interface where the routing platform receives flows |
| Reserved | Empty field reserved for future usage |

Figure 56: Version 8 Destination Prefix Aggregation Flow Entry Format

Table 44: Version 8 Destination Prefix Aggregation Flow Entry Fields

| Field | Description |
| --- | --- |
| Flows | Total number of flows |
| Packets | Total number of packets received in a flow |
| Bytes | Total number of bytes received in a flow |
| Start time of flow | System up time, in seconds, at the start of the flow |
| End time of flow | System up time, in seconds, at the end of the flow |
| Destination prefix | Destination IP address prefix |
| Dest. mask length | Destination address network mask length |
| Padding | Bytes available to ensure a minimum packet length |
| Destination AS | AS number of the destination address |
| Output interface | SNMP index value for the output interface where the routing platform forwards flows |
| Reserved | Empty field reserved for future usage |

For more information about version 5 and version 8 packet formats and fields, see http://www.caida.org.

Version 9 Formats and Fields

A detailed explanation of active flow monitoring version 9 packet formats and fields is shown as follows:

The JUNOS software supports the following version 9 template formats:

Table 45: Flow Monitoring Version 9 Template Formats

Template

Fields

IPV4

Flow selectors:

  • Source and destination IP address
  • Source and destination address prefix mask lengths
  • Source and destination port numbers
  • IP protocol and IP type of service
  • ICMP type

Flow nonselectors:

  • TCP flags
  • Input and output SNMP
  • Input bytes
  • Input packets
  • Start time
  • End time

MPLS

Flow selectors:

  • MPLS label 1
  • MPLS label 2
  • MPLS label 3

Flow nonselectors:

  • Input and output SNMP
  • Input bytes
  • Input packets
  • Start time
  • End time

MPLS_IPV4

Flow selectors:

  • MPLS label 1
  • MPLS label 2
  • MPLS label 3

Flow nonselectors:

  • Input and output SNMP
  • Input bytes
  • Input packets
  • Start time
  • End time

Figure 57: Version 9 Flow Header Format

Table 46: Version 9 Flow Header Fields

| Field | Description |
| --- | --- |
| Version | 9 |
| Count | Total number of records in the protocol data unit (PDU) or packet. This number includes all of the options FlowSet records, template FlowSet records, and data FlowSet records. |
| sysUptime | Current time elapsed, in milliseconds, since the routing platform started |
| UNIX seconds | Current seconds since 0000 UTC 1970 |
| Flow sequence number | Sequence counter of total flows received |
| Source ID | 32-bit value that identifies the data exporter. Version 9 uses the integrated field diagnostics (IFD) SNMP index of the PIC or device that is exporting the data flow. This field is equivalent to engine type and engine ID fields found in versions 5 and 8. |

Figure 58: Version 9 Template FlowSet Format

Table 47: Version 9 Template FlowSet Fields

| Field | Description |
| --- | --- |
| FlowSet ID | FlowSet type. FlowSet ID 0 is reserved for the Template FlowSet. |
| Length | FlowSet length. Individual template FlowSets might contain multiple template records, which means that the length of template FlowSets varies. |
| Template ID | Unique template ID assigned to each newly generated template. Templates numbered 256 and higher define data formats. Templates numbered 0 through 255 define FlowSet IDs. |
| Field Count | Fields in the template record. This field allows the collector to determine the end of the current template record and the start of the next. |
| Field Type | Field type. These are defined in Table 48. |
| Field Length | Length, in bytes, of the corresponding field type. |

Table 48: Field Type Definitions Supported in the JUNOS Software

| Field Type | Description |
| --- | --- |
| 1 | IN_BYTES: The number of bytes associated with an IP flow. By default, the length is 4 bytes. |
| 2 | IN_PKTS: The number of packets associated with an IP flow. By default, the length is 4 packets. |
| 4 | PROTOCOL: The IP protocol byte. |
| 5 | TOS: The type of service byte setting of an incoming packet. |
| 6 | TCP_FLAGS: The cumulative TCP flags associated with a flow. |
| 7 | L4_SRC_PORT: The TCP/UDP source port. |
| 8 | IPV4_SRC_ADDR: The IPv4 source address. |
| 9 | SRC_MASK: The number of contiguous bits in the source subnet mask. |
| 10 | INPUT_SNMP: The IFD SNMP input interface index. By default, the length is 2. |
| 11 | L4_DST_PORT: The TCP/UDP destination port number. |
| 12 | IPV4_DST_ADDR: The IPv4 destination address. |
| 13 | DST_MASK: The number of contiguous bits in the destination subnet mask. |
| 14 | OUTPUT_SNMP: The IFD SNMP output interface index. By default, the length is 2. |
| 21 | LAST_SWITCHED: The uptime of the device (in milliseconds) at which the last packet of the flow was switched. |
| 22 | FIRST_SWITCHED: The uptime of the device (in milliseconds) at which the first packet of the flow was switched. |
| 32 | ICMP_TYPE: The ICMP type. |
| 34 | SAMPLING_INTERVAL: The rate at which packets are sampled. As an example, a rate of 100 means that one packet is sampled for every 100 packets in the data flow. |
| 35 | SAMPLING_ALGORITHM: The type of algorithm being used. 0x01 indicates deterministic sampling and 0x02 indicates random sampling. |
| 70 | MPLS_LABEL_1: The first MPLS label in the stack. |
| 71 | MPLS_LABEL_2: The second MPLS label in the stack. |
| 72 | MPLS_LABEL_3: The third MPLS label in the stack. |

Figure 59: Version 9 Data FlowSet Format

Table 49: Version 9 Data FlowSet Format

| Field | Description |
| --- | --- |
| FlowSet ID = Template ID | Data FlowSet that is associated with a FlowSet ID. The FlowSet ID maps to a previously generated template ID. The flow collector must use the FlowSet ID to find the corresponding template record and decode the flow records from the FlowSet. |
| Length | FlowSet length. Data FlowSets are fixed in length. |
| Record Number - Field Value Number | Flow data records, each containing a set of field values. The template record identified by the FlowSet ID dictates the type and length of the field values. |
| Padding | Bytes (in zeros) that the exporter inserts so that the subsequent FlowSet starts at a 4-byte aligned boundary. |
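The following collector sketch is an added example, not code from the JUNOS documentation. It shows the template lookup described in Tables 47 and 49: a template FlowSet (ID 0) is cached per source ID, and a data FlowSet is decoded only when its FlowSet ID matches a cached template ID, with every length checked against the bytes received. The 20-byte header layout and the 16-bit ID, length, and field-count widths are assumed from the commonly documented version 9 layout because the figures are not reproduced here; the sample packets are constructed.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, UNIX secs, sequence, source ID
NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
         8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}  # subset of Table 48

def decode_v9(datagram: bytes, templates: dict):
    """Return (records, skipped FlowSet IDs); templates maps (source ID, template ID) -> fields."""
    if len(datagram) < V9_HEADER.size or datagram[:2] != b"\x00\x09":
        raise ValueError("not a complete version 9 header")
    source_id = V9_HEADER.unpack_from(datagram)[5]
    records, skipped, off = [], [], V9_HEADER.size
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("FlowSet length overruns datagram")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:                      # template FlowSet: learn record layouts
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or nfields == 0 or end > len(body):
                    raise ValueError("bad template record")
                fields = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                if sum(length for _, length in fields) == 0:
                    raise ValueError("zero-length template")
                templates[(source_id, tid)] = fields
                pos = end
        elif fs_id > 255:                   # data FlowSet: FlowSet ID = template ID
            fields = templates.get((source_id, fs_id))
            if fields is None:              # template not seen yet: cannot decode
                skipped.append(fs_id)
            else:
                rec_len = sum(length for _, length in fields)
                for start in range(0, len(body) - rec_len + 1, rec_len):  # leftover bytes are padding
                    rec, p = {}, start
                    for ftype, length in fields:
                        rec[NAMES.get(ftype, ftype)] = int.from_bytes(body[p:p + length], "big")
                        p += length
                    records.append(rec)
        off += fs_len                       # options FlowSets (ID 1) are skipped here
    return records, skipped

def sample_packets():
    """Constructed sample: a data FlowSet for template 256, then the template itself."""
    tmpl = struct.pack("!HHHH", 0, 20, 256, 3) + struct.pack("!6H", 8, 4, 11, 2, 4, 1)
    data = struct.pack("!HH", 256, 12) + bytes([192, 0, 2, 10]) + struct.pack("!HB", 443, 6) + b"\x00"
    return tuple(V9_HEADER.pack(9, 1, 1000, 1700000000, seq, 7) + fs
                 for seq, fs in ((1, data), (2, tmpl)))
```

Decoding the data packet before the template packet returns no records and reports FlowSet ID 256 as skipped; decoding it again after the template has been cached yields the record.
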

Figure 60: Version 9 Options Template Format

Table 50: Version 9 Options Template Format

| Field | Description |
| --- | --- |
| FlowSet ID | FlowSet type. FlowSet ID 1 is reserved for the options template. |
| Length | FlowSet length. Option template FlowSets are fixed in length. |
| Template ID | Template ID of the options template. Options template values are greater than 255. |
| Option Scope Length | Length, in bytes, of any scope field definition that is part of the options template record. |
| Scope 1 Field Type | Relevant process. The JUNOS software supports the system process (1). |
| Scope 1 Field Length | Length, in bytes, of the option field. |
| Padding | Bytes the exporter inserts so that the subsequent FlowSet starts at a 4-byte aligned boundary. |

Figure 61: Active Flow Monitoring Version 9 Options Data Record Format

Table 51: Active Flow Monitoring Version 9 Options Data Record Format

| Field | Description |
| --- | --- |
| FlowSet ID = Template ID | ID that precedes each options data flow record. The FlowSet ID maps to a previously generated template ID. The collector must use the FlowSet ID to find the corresponding template record and decode the options data flow records from the FlowSet. |
| Length | FlowSet length. Option FlowSets are fixed in length. |
| Number of Flow Data Records | Remainder of the options data FlowSet is a collection of flow data records, each containing a set of field values. The template record identified by the FlowSet ID dictates the type and length of the field values. |
| Padding | Bytes (in zeros) the exporter inserts so that the subsequent FlowSet starts at a 4-byte aligned boundary. |

