Mapping Between Field Values for Version 9 Flow Templates and Logs Exported From an MX-Series Router or NFX250

The following table describes different field IDs or values for flow monitoring logs generated for NAT events in version 9 flow record formats and the events that correspond to the field values:

| Field ID | Name | Size (Bytes) | Description |
|---|---|---|---|
| 8 | ipv4 src address | 4 | IPv4 source address |
| 225 | natInsideGlobalAddress | 4 | It reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. |
| 12 | ipv4 destination address | 4 | IPv4 destination address |
| 226 | natOutsideGlobalAddress | 4 | It reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. |
| 7 | transport source-port | 2 | TCP/UDP source port |
| 227 | postNAPTSourceTransportPort | 2 | It reports a modified value caused by a Network Address Port Translation (NAPT) middlebox function after the packet passed the Observation Point. |
| 11 | transport destination-port | 2 | TCP/UDP destination port |
| 228 | postNAPTDestinationTransportPort | 2 | It reports a modified value caused by a Network Address Port Translation (NAPT) middlebox function after the packet passed the Observation Point. |
| 234 | ingressVRFID | 4 | Unique identifier of the VRF name where the packets of this flow are being received. This identifier is unique per Metering Process. |
| 235 | egressVRFID | 4 | Unique identifier of the VRF name where the packets of this flow are being sent. This identifier is unique per Metering Process. |
| 4 | IP protocol | 1 | IP protocol byte |
| 229 | natOriginatingAddressRealm | 1 | Indicates whether the session was created because traffic originated in the private or public address realm. postNATSourceIPv4Address, postNATDestinationIPv4Address, postNAPTSourceTransportPort, and postNAPTDestinationTransportPort are qualified with the address realm in perspective. The allowed values are: Private: 1; Public: 2. |
| 230 | natEvent | 1 | Indicates a NAT event. The allowed values are: 1 - Create event; 2 - Delete event; 3 - Pool exhausted. A Create event is generated when a NAT translation is created, whether dynamically or statically. A Delete event is generated when a NAT translation is deleted. |
| 1 | inBytes | N | Incoming counter with length N x 8 bits for the number of bytes associated with an IP Flow. By default N is 4. |
| 2 | inPkts | N | Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow. By default N is 4. |
| 323 | observationTimeMilliseconds | 8 | Specifies the absolute time of an observation, in milliseconds, based on coordinated universal time (UTC). The choice of an epoch, for example, 00:00 UTC, January 1, 1970, is left to corresponding encoding specifications for this type. Leap seconds are excluded. Note that transformation of values might be required between different encodings if different epoch values are used. |
| 27 | sourceIPv6Address | 16 | IPv6 source address |
| 284 | natPoolName | 64 | NAT resource pool name |
| 361 | portRangeStart | 2 | The port number identifying the start of a range of ports. A value of zero indicates that the range start is not specified, that is, the range is defined in some other way. |
| 362 | portRangeEnd | 2 | The port number identifying the end of a range of ports. A value of zero indicates that the range end is not specified, and the range is defined in some other way. |
| 363 | portRangeStepSize | 2 | The step size in a port range. The default step size is 1, which indicates contiguous ports. A value of zero indicates that the step size is not specified, and the range is defined in some other way. |
| 364 | portRangeNumPorts | 2 | The number of ports in a port range. A value of zero indicates that the number of ports is not specified, and the range is defined in some other way. |

Consider a sample scenario of a NAT address creation event. Based on the fields in the preceding table, fields for translations that are not available (such as natOutsideGlobalAddress) are set to 0. The ingress and egress VRF of the flow can be made available. Also, natEvent is equal to 1 (create). The inBytes field is assumed to be 0 or the number of bytes of the incoming packet, and the inPkts field is either 0 or 1 because it is the first packet into the system when translation happens. The observationTimeMilliseconds field denotes the time when this address translation creation is recorded.

For a NAT address deletion event, fields for translations that are not available (such as natOutsideGlobalAddress) are set to 0. The ingress and egress VRF of the flow can be made available. Also, natEvent is equal to 2 (delete). The inBytes field denotes the number of bytes for this flow in both the forward and backward directions, and the inPkts field denotes the number of packets for this flow in both the forward and backward directions. The observationTimeMilliseconds field is the time when this deletion of translation is recorded.

When the NAT pool is exhausted and no addresses remain for allocation, fields for translations that are not available (such as natOutsideGlobalAddress) are set to 0. The ingress and egress VRF of the flow can be made available. Also, the natEvent field is set to 3 (Pool exhausted). All resource failures are combined as a single event. The inBytes field is assumed to be 0 or the number of bytes of the incoming packet, and the inPkts field is either 0 or 1 because it is the first packet into the system when translation happens. The value of the observationTimeMilliseconds field is the time when this failed translation is recorded.
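
The three scenarios above can be checked on a collector by decoding a data record against the field IDs and sizes in the table. The following Python sketch is an added example, not Juniper code. It assumes the fields arrive in the order shown in `TEMPLATE` and that N is 4 for the counters; the `SAMPLE` record and the `unavailable` key are constructed for illustration.

```python
import ipaddress
import struct

# Field IDs and sizes from the table above; order on the wire is an assumption.
TEMPLATE = [(8, 4), (225, 4), (12, 4), (226, 4), (7, 2), (227, 2), (11, 2),
            (228, 2), (234, 4), (235, 4), (4, 1), (229, 1), (230, 1),
            (1, 4), (2, 4), (323, 8)]
NAMES = {8: "ipv4 src address", 225: "natInsideGlobalAddress",
         12: "ipv4 destination address", 226: "natOutsideGlobalAddress",
         7: "transport source-port", 227: "postNAPTSourceTransportPort",
         11: "transport destination-port",
         228: "postNAPTDestinationTransportPort", 234: "ingressVRFID",
         235: "egressVRFID", 4: "Ip protocol",
         229: "natOriginatingAddressRealm", 230: "natEvent", 1: "inBytes",
         2: "inPkts", 323: "observationTimeMilliseconds"}
ADDRESS_IDS = {8, 12, 225, 226}
TRANSLATION_IDS = (225, 226, 227, 228)
NAT_EVENTS = {1: "create", 2: "delete", 3: "pool exhausted"}
REALMS = {1: "private", 2: "public"}

def decode_record(payload, template=TEMPLATE):
    """Decode one data record laid out as (field ID, length) pairs."""
    if len(payload) != sum(length for _, length in template):
        raise ValueError("record length does not match template")
    values, offset = {}, 0
    for field_id, length in template:
        values[field_id] = int.from_bytes(payload[offset:offset + length], "big")
        offset += length
    return values

def summarize(values):
    """Name the event and list translations reported as 0 (not available)."""
    record = {NAMES[i]: (str(ipaddress.IPv4Address(v)) if i in ADDRESS_IDS else v)
              for i, v in values.items()}
    record["natEvent"] = NAT_EVENTS.get(values[230], "unknown")
    record["natOriginatingAddressRealm"] = REALMS.get(values[229], "unknown")
    record["unavailable"] = [NAMES[i] for i in TRANSLATION_IDS if values[i] == 0]
    return record

# Constructed sample: a create event where only the source side is translated.
SAMPLE = struct.pack(
    "!4s4s4s4sHHHHIIBBBIIQ",
    ipaddress.IPv4Address("10.0.0.5").packed,
    ipaddress.IPv4Address("203.0.113.10").packed,
    ipaddress.IPv4Address("198.51.100.7").packed,
    bytes(4), 40000, 1024, 443, 0, 1, 2, 6, 1, 1, 0, 1, 1700000000000)

if __name__ == "__main__":
    for name, value in summarize(decode_record(SAMPLE)).items():
        print(f"{name}: {value}")
```

A collector that counts records whose natEvent decodes to "pool exhausted" gets an early signal of address or port starvation on the NAT device.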