Understanding Exporting IPFIX Flow Data Records to a Log Collector Using an MX Series Router or NFX250
The IPFIX protocol enables you to access IP flow information on MX Series routers or an NFX250 device. The IPFIX collection process receives flow information that traverses multiple network elements within the data network; the protocol gives the network elements a consistent, identical way to represent traffic flows and communicate them to the collection point. An IPFIX device hosts at least one exporting process, which transmits flow records to collecting processes. A collector is a device that performs the collecting processes, and an exporter is a device that performs the transfer of data to a collector.
An IPFIX message consists of a message header followed by one or more Sets. Each Set is one of three types: Data Set, Template Set, or Options Template Set. Flow monitoring version 10 (IPFIX) message formats are very similar to version 9 message patterns.
The message header contains the following fields:
Version—Version of the flow record format exported in this message. The value of this field is 0x000a.
Length—Total length of the IPFIX message, measured in octets, including the header and Sets fields.
Export Time—Time, in seconds, since midnight Coordinated Universal Time (UTC) of January 1, 1970, at which the IPFIX message header leaves the exporter.
Sequence Number—Incremental sequence counter, modulo 2^32 (2 raised to the power of 32), of all IPFIX data records sent from the current Observation Domain by the exporting process. Template and Options Template records do not increase the Sequence Number attribute.
Observation Domain ID—A 32-bit identifier of the Observation Domain that is locally unique to the exporter.
One of the essential elements in the IPFIX record format is the Template Flow Set record. Templates vastly enhance the flexibility of the Flow Record format because they allow the collector to process Flow Records without necessarily knowing the interpretation of all the data in the Flow Record. A Template Record contains any combination of Internet Assigned Numbers Authority (IANA)-assigned and/or enterprise-specific information element identifiers.
A Template Record consists of a template record header and one or more Field Specifier attributes. The Template Flow Set record contains the following fields:
Enterprise bit—This is the first bit of the Field Specifier. If this bit is zero, the Information Element Identifier identifies an IETF-specified Information Element, and the four-octet Enterprise Number field must not be present. If this bit is one, the Information Element identifier identifies an enterprise-specific Information Element, and the Enterprise Number field must be present.
Information Element identifier—An Information Element is a protocol-independent and encoding-independent description of an attribute that can appear in an IPFIX Record. The identifier is a numeric value that represents the type of Information Element.
Field Length—Length of the corresponding encoded Information Element, in octets. The value 65535 is reserved for variable-length Information Elements.
Enterprise Number—IANA enterprise number of the authority defining the Information Element identifier in this Template Record.
The Data Records are sent in Data Sets. The Data Record field consists only of a Set Header and one or more Field Values. The Template ID to which the Field Values belong is encoded in the Set Header field "Set ID" ("Set ID" = "Template ID"). The collecting process can interpret the Data Record format only if it has the Template Record that corresponds to the Template ID. Field Values do not necessarily have a length of 16 bits and are encoded according to their specified data type.
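The following Python example is added here and is not Juniper code. It validates the message header, caches Template Records (including the Enterprise bit handling), decodes Data Sets against the cached template, and reports Data Sets whose template the collector has not yet seen. Assumptions: the Set ID values (2 for a Template Set, 256 and above for a Data Set) come from RFC 7011 rather than this page; the function names, the sample message, and enterprise number 32473 (the documentation-use number from RFC 5612) are constructed for illustration; Options Template Sets and variable-length fields are left out.

```python
import struct

HDR = struct.Struct("!HHIII")  # Version, Length, Export Time, Sequence Number, Observation Domain ID
# Constructed sample: template 256 (IE 8, 4 octets; enterprise IE 1, PEN 32473, 2 octets) + 2 records
SAMPLE = bytes.fromhex("000a0034600000000000000000000001"
                       "0002001401000002000800048001000200007ed9"
                       "01000010c00002010007c00002020009")

def parse_templates(body, domain, cache):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos, fields = pos + 4, []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pen = struct.unpack_from("!I", body, pos + 4)[0] if ie & 0x8000 else None
            pos += 8 if ie & 0x8000 else 4   # Enterprise bit set: Enterprise Number follows
            fields.append((pen, ie & 0x7FFF, flen))
        cache[(domain, tid)] = fields

def decode_data(body, fields):
    size = sum(flen for _, _, flen in fields)
    if size == 0 or any(flen == 65535 for _, _, flen in fields):
        raise ValueError("empty or variable-length template is not decoded here")
    out = []
    for start in range(0, len(body) - size + 1, size):  # trailing padding is ignored
        pos, rec = start, {}
        for pen, ie, flen in fields:
            rec[(pen, ie)], pos = body[pos:pos + flen], pos + flen
        out.append(rec)
    return out

def parse_message(msg, cache):  # cache maps (domain, Template ID) -> field list
    if len(msg) < HDR.size or HDR.unpack_from(msg)[:2] != (0x000A, len(msg)):
        raise ValueError("short message, wrong version, or Length field mismatch")
    _, length, export_time, seq, domain = HDR.unpack_from(msg)
    records, unknown, off = [], [], HDR.size
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("Set length overruns the message")
        body = msg[off + 4:off + set_len]
        if set_id == 2:                      # Template Set
            parse_templates(body, domain, cache)
        elif set_id >= 256 and cache.get((domain, set_id)):
            records += decode_data(body, cache[(domain, set_id)])
        elif set_id >= 256:                  # Data Set with no known template
            unknown.append(set_id)
        off += set_len
    return {"export_time": export_time, "sequence": seq, "domain": domain}, records, unknown
```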