Collecting Traffic Sampling Output in a File
You can direct traffic sampling results to a file in the /var/tmp directory. To collect the sampled packets in a file, include the file statement at the [edit forwarding-options sampling output] hierarchy level:
To configure the period of time before an active flow is exported, include the flow-active-timeout statement at the [edit forwarding-options sampling output family (inet | inet6 | mpls)] hierarchy level:
To configure the period of time before a flow is considered inactive, include the flow-inactive-timeout statement at the [edit forwarding-options sampling output] hierarchy level:
To configure the interface that sends out monitored information, include the interface statement at the [edit forwarding-options sampling output] hierarchy level:
This feature is not supported with the version 9 template format. You must send traffic flows collected using version 9 to a server. For more information see Collecting Traffic Sampling Output in the Cisco Systems NetFlow Services Export Version 9 Format.
Traffic Sampling Output Format
Traffic sampling output is saved to an ASCII text file. The following is an example of the traffic sampling output that is saved to a file in the /var/tmp directory. Each line in the output file contains information for one sampled packet. You can optionally display a timestamp for each line.
The column headers are repeated after each group of 1000 packets.
# Apr 7 15:48:50
          Time           Dest            Src  Dest   Src  Proto  TOS  Pkt  Intf    IP    TCP
                         addr           addr  port  port              len   num  frag  flags
Apr 7 15:48:54  192.168.9.194  192.168.9.195     0     0      1  0x0   84     8   0x0    0x0
Apr 7 15:48:55  192.168.9.194  192.168.9.195     0     0      1  0x0   84     8   0x0    0x0
Apr 7 15:48:56  192.168.9.194  192.168.9.195     0     0      1  0x0   84     8   0x0    0x0
Apr 7 15:48:57  192.168.9.194  192.168.9.195     0     0      1  0x0   84     8   0x0    0x0
Apr 7 15:48:58  192.168.9.194  192.168.9.195     0     0      1  0x0   84     8   0x0    0x0
The output contains the following fields:
Time—Time at which the packet was received (displayed only if you include the stamp statement in the configuration)
Dest addr—Destination IP address in the packet
Src addr—Source IP address in the packet
Dest port—Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port for the destination address
Src port—TCP or UDP port for the source address
Proto—Packet’s protocol type
TOS—Contents of the type-of-service (ToS) field in the IP header
Pkt len—Length of the sampled packet, in bytes
Intf num—Unique number that identifies the sampled logical interface
IP frag—IP fragment number, if applicable
TCP flags—Any TCP flags found in the IP header
To set the timestamp option for the file my-sample, enter the following:
Whenever you toggle the timestamp option, a new header is included in the file. If you set the stamp option, the Time field is displayed.
# Apr 7 15:48:50
# Time Dest Src Dest Src Proto TOS Pkt Intf IP TCP
# addr addr port port len num frag flags
# Feb 1 20:31:21
# Dest Src Dest Src Proto TOS Pkt Intf IP TCP
# addr addr port port len num frag flags
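The following parser for the file format described above is an added example, not Juniper code. It skips the repeated headers, accepts lines with or without the Time field, and totals sampled bytes per flow. The function names and the sample text are constructed for illustration, and the parser assumes whitespace-separated columns in the order listed above.

```python
import re
from collections import Counter

FIELDS = ("dest_addr", "src_addr", "dest_port", "src_port", "proto",
          "tos", "pkt_len", "intf_num", "ip_frag", "tcp_flags")
HEX_FIELDS = {"tos", "ip_frag", "tcp_flags"}   # printed as 0x.. in the sample output
STAMP = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+")

# Constructed sample: packet lines copied from the page, before and after
# the stamp option is toggled off (assumed layout of a real file).
SAMPLE = """\
# Apr 7 15:48:50
# Time Dest Src Dest Src Proto TOS Pkt Intf IP TCP
# addr addr port port len num frag flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
# Feb 1 20:31:21
# Dest Src Dest Src Proto TOS Pkt Intf IP TCP
# addr addr port port len num frag flags
192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
"""

def parse_sample_file(text):
    """Return one dict per sampled packet; 'time' is None on unstamped lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        # Headers recur every 1000 packets and whenever the stamp option changes.
        if not line or line.startswith("#") or "addr" in line or "Dest" in line:
            continue
        stamp = STAMP.match(line)
        cols = (line[stamp.end():] if stamp else line).split()
        if len(cols) != len(FIELDS):
            continue                      # truncated or unexpected line
        rec = {"time": " ".join(stamp.groups()) if stamp else None}
        try:
            for name, value in zip(FIELDS, cols):
                is_addr = name.endswith("_addr")
                rec[name] = value if is_addr else int(value, 16 if name in HEX_FIELDS else 10)
        except ValueError:
            continue                      # non-numeric column: skip the line
        records.append(rec)
    return records

def bytes_per_flow(records):
    """Sum Pkt len per (src, dest, proto); these are sampled bytes, not totals."""
    totals = Counter()
    for r in records:
        totals[(r["src_addr"], r["dest_addr"], r["proto"])] += r["pkt_len"]
    return totals.most_common()
```
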