Flow Monitoring Version 5 Format Output Fields

A detailed explanation of version 5 packet formats and fields is shown in the following figures and tables:

Figure 1
Table 1
Figure 2
Table 2

Figure 1: Version 5 Packet Header Format version 5 packet header showing fields: Version, Count, sysUptime, UNIX seconds, UNIX nanoseconds, Flow sequence number, Engine type, Engine ID, and Reserved.

version 5 packet header showing fields: Version, Count, sysUptime, UNIX seconds, UNIX nanoseconds, Flow sequence number, Engine type, Engine ID, and Reserved.

Table 1: Export Version 5 Packet Header Fields
Field	Description	Comments
`Version`	5	–
`Count`	The number of records in the Protocol Data Unit (PDU) or packet	–
`sysUptime`	Current time elapsed, in milliseconds, since the router started	–
`UNIX seconds`	Current seconds since 0000 UTC 1970	NTP synchronized time; the clock on each services PIC is autonomous (200–400 msec jitter) across PICs in a chassis
`UNIX nanoseconds`	Residual nanoseconds since 0000 UTC 1970	See Comments above for UNIX seconds
`Flow sequence number`	Sequence number of total flows received	–
`Engine type`	User-configured 8-bit value	Also known as VIP type on other vendors’ equipment
`Engine ID`	User-configured 8-bit value	–

Figure 2: Version 5 Flow-Export Flow Header Format Version 5 record structure for network monitoring; fields include source/destination IP, ports, packet count, and protocol type.

Version 5 record structure for network monitoring; fields include source/destination IP, ports, packet count, and protocol type.

Table 2: Export Version 5 Flow-Export Flow Header Fields
Field	Description	Comments
`Source IP address`	Source IP address of the flow	–
`Destination IP address`	Destination IP address of the flow	–
`Next-hop IP address`	IP address of the router where flows are forwarded	–
`Input ifIndex`	SNMP index value for the input interface where the router receives flows	Dynamically inserted, but overridden by manual configuration
`Output ifIndex`	SNMP index value for the output interface where the router forwards flows	Dynamically inserted, but overridden by manual configuration
`Packets`	Total number of packets received in a flow	–
`Bytes`	Total number of bytes received in a flow	–
`Start time of flow`	System up time, in seconds, at the start of the flow	System up time for the services PIC accepting flows
`End time of flow`	System up time, in seconds, at the end of the flow	System up time for the services PIC accepting flows
`Source port`	Source application port	–
`Destination port`	Destination application port	The ICMP type is placed in the high-order byte and the ICMP type code is placed in the low-order byte of this field
`TCP flags`	TCP flags set in the flow	–
`IP protocol`	IP protocol number	–
`TOS`	IP type of service	–
`Source AS`	AS number of the source address	Dynamically inserted if AS information is available
`Destination AS`	AS number of the destination address	Dynamically inserted if AS information is available
`Source mask length`	Source address network mask length	–
`Dest. mask length`	Destination address network mask length	–
`Padding`	Bytes available to ensure a minimum packet length	–

Useful formulas for flow monitoring are:

start flow timestamp absolute = unixTime x 1000 – (sysUptime – start flow timestamp)
end flow timestamp absolute = unixTime x 1000 – (sysUptime – end flow timestamp)

Note:
In the 2-byte destination port field of the export version 5 flow-export flow format, the following information can be derived:
High-order byte—ICMP type
Low-order byte—ICMP type code

For example, if the ICMP type is 3 (00000011 in binary) and the ICMP type code is network unreachable (Type Code 0, or 00000000 in binary), the resulting destination port field value is 00000011 00000000 (768 in decimal).

For more information on ICMP type and type code, see RFC 792 at https://www.ietf.org.