Mapping Between Field Values for Version 9 Flow Templates and Logs Exported From an MX-Series Router or NFX250
The following table describes different field IDs or values for flow monitoring logs generated for NAT events in version 9 flow record formats and the events that correspond to the field values:
Field ID | Name | Size (Bytes) | Description |
---|---|---|---|
8 | ipv4 src address | 4 | IPv4 source address |
225 | natInsideGlobalAddress | 4 | It reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. |
12 | ipv4 destination address | 4 | IPv4 destination address |
226 | natOutsideGlobalAddress | 4 | It reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. |
7 | transport source-port | 2 | TCP/UDP source port |
227 | postNAPTSourceTransportPort | 2 | It reports a modified value caused by a Network Address Port Translation (NAPT) middlebox function after the packet passed the Observation Point. |
11 | transport destination-port | 2 | TCP/UDP destination port |
228 | postNAPTDestinationTransportPort | 2 | It reports a modified value caused by a Network Address Port Translation (NAPT) middlebox function after the packet passed the Observation Point. |
234 | ingressVRFID | 4 | Unique identifier of the VRF name where the packets of this flow are being received. This identifier is unique per Metering Process. |
235 | egressVRFID | 4 | Unique identifier of the VRF name where the packets of this flow are being sent. This identifier is unique per Metering Process. |
4 | IP protocol | 1 | IP protocol byte |
229 | natOriginatingAddressRealm | 1 | Indicates whether the session was created because traffic originated in the private or public address realm. postNATSourceIPv4Address, postNATDestinationIPv4Address, postNAPTSourceTransportPort, and postNAPTDestinationTransportPort are qualified with the address realm in perspective. The allowed values are: 1 - Private. 2 - Public. |
230 | natEvent | 1 | Indicates a NAT event. The allowed values are: 1 - Create event. 2 - Delete event. 3 - Pool exhausted. A Create event is generated when a NAT translation is created, whether dynamically or statically. A Delete event is generated when a NAT translation is deleted. |
1 | inBytes | N | Incoming counter with length N x 8 bits for the number of bytes associated with an IP Flow. By default, N is 4. |
2 | inPkts | N | Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow. By default, N is 4. |
323 | observationTimeMilliseconds | 8 | Specifies the absolute time of an observation as a time value in units of milliseconds based on coordinated universal time (UTC). The choice of an epoch, for example, 00:00 UTC, January 1, 1970, is left to corresponding encoding specifications for this type. Leap seconds are excluded. Note that transformation of values might be required between different encodings if different epoch values are used. |
27 | sourceIPv6Address | 16 | IPv6 source address |
284 | natPoolName | 64 | NAT resource pool name |
361 | portRangeStart | 2 | The port number identifying the start of a range of ports. A value of zero indicates that the range start is not specified, that is, the range is defined in some other way. |
362 | portRangeEnd | 2 | The port number identifying the end of a range of ports. A value of zero indicates that the range end is not specified, and the range is defined in some other way. |
363 | portRangeStepSize | 2 | The step size in a port range. The default step size is 1, which indicates contiguous ports. A value of zero indicates that the step size is not specified, and the range is defined in some other way. |
364 | portRangeNumPorts | 2 | The number of ports in a port range. A value of zero indicates that the number of ports is not specified, and the range is defined in some other way. |
Consider a sample scenario of a NAT address creation event. Based on the fields in the preceding table, each field for a translation that is not available (such as natOutsideGlobalAddress) is set to 0. The ingress and egress VRF of the flow can be made available. Also, natEvent is equal to 1 (create). The inBytes field is assumed to be 0 or the number of bytes of the incoming packet, and the inPkts field is either 0 or 1 because it is the first packet into the system when translation happens. The observationTimeMilliseconds field denotes the time when this address translation creation is recorded.
For a NAT address deletion event, each field for a translation that is not available (such as natOutsideGlobalAddress) is set to 0. The ingress and egress VRF of the flow can be made available. Also, natEvent is equal to 2 (delete). The inBytes field denotes the number of bytes for this flow in both the upward and backward directions, and the inPkts field denotes the number of packets for this flow in both the upward and backward directions. The observationTimeMilliseconds field is the time when this deletion of translation is recorded.
When the NAT pool is exhausted and no further addresses remain for allocation, each field for a translation that is not available (such as natOutsideGlobalAddress) is set to 0. The ingress and egress VRF of the flow can be made available. Also, the natEvent field is set to 3 (pool exhausted). All resource failures are combined as a single event. The inBytes field is assumed to be 0 or the number of bytes of the incoming packet, and the inPkts field is either 0 or 1 because it is the first packet into the system when translation happens. The value of the observationTimeMilliseconds field is the time when this failed translation is recorded.
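The following added example (not Juniper code) shows how a collector can decode one NAT event data record using the field IDs and sizes from the table, taking the field layout from a version 9 template record (template ID, field count, then field ID and length pairs). The field order, template ID 256, the sample addresses, and the use of the Unix epoch for observationTimeMilliseconds are assumptions made for this constructed sample.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Field IDs and names from the table above.
FIELDS = {8: "ipv4 src address", 225: "natInsideGlobalAddress",
          12: "ipv4 destination address", 226: "natOutsideGlobalAddress",
          7: "transport source-port", 227: "postNAPTSourceTransportPort",
          11: "transport destination-port", 228: "postNAPTDestinationTransportPort",
          234: "ingressVRFID", 235: "egressVRFID", 4: "IP protocol",
          229: "natOriginatingAddressRealm", 230: "natEvent",
          1: "inBytes", 2: "inPkts", 323: "observationTimeMilliseconds"}
ADDRESSES = {8, 12, 225, 226}
NAT_EVENT = {1: "create", 2: "delete", 3: "pool exhausted"}
REALM = {1: "private", 2: "public"}

def parse_template(buf):
    """Template record: template ID, field count, then (field ID, length) pairs."""
    template_id, count = struct.unpack_from("!HH", buf, 0)
    if len(buf) < 4 + 4 * count:
        raise ValueError("truncated template record")
    return template_id, [struct.unpack_from("!HH", buf, 4 + 4 * i) for i in range(count)]

def decode_record(template, data):
    """Decode one data record using the (field ID, length) list from the template."""
    if len(data) < sum(length for _, length in template):
        raise ValueError("data record shorter than template")
    out, pos = {}, 0
    for fid, length in template:
        raw, pos = data[pos:pos + length], pos + length
        name = FIELDS.get(fid, f"field_{fid}")
        out[name] = (str(ipaddress.IPv4Address(raw)) if fid in ADDRESSES
                     else int.from_bytes(raw, "big"))
    out["natEvent"] = NAT_EVENT.get(out.get("natEvent"), "unknown")
    out["natOriginatingAddressRealm"] = REALM.get(out.get("natOriginatingAddressRealm"), "unknown")
    # Assumption: the exporter uses the Unix epoch (00:00 UTC, January 1, 1970).
    ms = out.get("observationTimeMilliseconds", 0)
    out["observed"] = datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
    return out

# Constructed sample (not captured traffic): template 256 and one create-event record.
LAYOUT = [(8, 4), (225, 4), (12, 4), (226, 4), (7, 2), (227, 2), (11, 2), (228, 2),
          (234, 4), (235, 4), (4, 1), (229, 1), (230, 1), (1, 4), (2, 4), (323, 8)]
TEMPLATE = struct.pack("!HH", 256, len(LAYOUT)) + b"".join(struct.pack("!HH", *f) for f in LAYOUT)
RECORD = (bytes([10, 0, 0, 5, 203, 0, 113, 7, 198, 51, 100, 9, 0, 0, 0, 0])
          + struct.pack("!HHHH", 40000, 1024, 443, 0) + struct.pack("!II", 1, 2)
          + bytes([6, 1, 1]) + struct.pack("!IIQ", 0, 1, 1700000000000))
```

In the sample record, natOutsideGlobalAddress and postNAPTDestinationTransportPort are 0 because no destination translation applies, matching the create-event scenario described above.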