The ListenNetFlow Processor supports receiving NetFlow Export Packets over UDP for the following versions of NetFlow:
The Cisco NetFlow Export Diagram Format describes the protocol structure for NetFlow Versions 1 and 5.
RFC 3954 defines the protocol structure for NetFlow Version 9.
The Internet Assigned Numbers Authority maintains a registry of IP Flow Information Export Entities based on RFC 7012. The IPFIX Information Elements defined in the registry include field names and data types that support decoding NetFlow Record Fields.
The ListenNetFlow Processor reads binary NetFlow Export Packets and transforms the information into a standard schema for record-oriented processing.
The NetFlow Record Schema contains both standard fields and template-based fields to support representing NetFlow Records using a common structure.
The NetFlow Record Schema consists of the following Record Fields with corresponding Data Types:
| Field Name | Data Type | Description |
|---|---|---|
| exporterAddress | STRING | Internet Protocol Address of NetFlow Exporter |
| exporterPort | INT | UDP Port Number of NetFlow Exporter |
| exporterUptime | LONG | System uptime duration in milliseconds of NetFlow Exporter |
| exported | TIMESTAMP | Date and time when the NetFlow Exporter sent the packet record |
| packetVersion | INT | NetFlow Packet Version |
| packetSequenceNumber | LONG | NetFlow Packet Sequence Number |
| packetSourceId | LONG | NetFlow Packet Source Identifier |
| flowSetId | INT | NetFlow Record FlowSet Identifier |
| dataRecordType | ENUM | NetFlow Record Data Type either FLOW or OPTIONS |
| collected | TIMESTAMP | Date and time when the NetFlow Collector processed the packet record |
| fields | MAP | Map of NetFlow Record Fields defined according to Flow Templates |
The fields element contains one or more NetFlow Record Fields with field names defined according to the IPFIX Information Elements registry regardless of NetFlow protocol version.
The fields element values can be different types depending on the data type defined for decoding in the IPFIX Information Elements registry. The ListenNetFlow Processor converts Internet Protocol Addresses to standard string representations and converts Media Access Control Addresses to hexadecimal strings with semicolon separators between octets.
NetFlow Version 9 uses templates that define how to decode NetFlow Records. NetFlow Version 9 supports both FLOW and OPTIONS Data Record Types.
Options Data Records contain information about the NetFlow Exporter. Standard NetFlow Data Records contain information about Internet Protocol communication.
NetFlow Version 9 Records use Packet Header and Data Record elements to create records according to the NetFlow Record Schema.
A NetFlow Version 9 Data Record can have the following Record Schema elements defined as follows:
| Field Name | Field Value |
|---|---|
| exporterAddress | 127.0.0.1 |
| exporterPort | 50000 |
| exporterUptime | 3000 |
| exported | 2000-01-01T00:00:00Z |
| packetVersion | 9 |
| packetSequenceNumber | 32 |
| packetSourceId | 0 |
| flowSetId | 256 |
| dataRecordType | FLOW |
| collected | 2000-01-01T00:00:00Z |
NetFlow Version 5 uses a standard Flow Record structure defined in Table B-4 of the NetFlow Export Datagram Format. NetFlow Version 5 produces FLOW Data Record Types.
NetFlow Version 5 does not use templates and does not support the concept of an observation domain source identifier, so the Processor sets the following fields to 0 when creating NetFlow Records.
A NetFlow Version 5 Data Record can have the following Record Schema elements defined as follows:
| Field Name | Field Value |
|---|---|
| exporterAddress | 127.0.0.1 |
| exporterPort | 50000 |
| exporterUptime | 3000 |
| exported | 2000-01-01T00:00:00Z |
| packetVersion | 5 |
| packetSequenceNumber | 32 |
| packetSourceId | 0 |
| flowSetId | 0 |
| dataRecordType | FLOW |
| collected | 2000-01-01T00:00:00Z |
A NetFlow Version 5 Data Record will have a standard set of elements in the fields element based on the NetFlow Version 5 specification.
A NetFlow Version 5 fields element will be serialized as follows:
| Field Name | Field Value | Data Type |
|---|---|---|
| sourceIPv4Address | 127.0.0.1 | STRING |
| destinationIPv4Address | 127.0.0.2 | STRING |
| ipNextHopIPv4Address | 127.0.0.3 | STRING |
| ingressInterface | 1 | INT |
| egressInterface | 2 | INT |
| packetDeltaCount | 1 | LONG |
| octetDeltaCount | 64 | LONG |
| flowStartSysUpTime | 3600 | LONG |
| flowEndSysUpTime | 3600 | LONG |
| sourceTransportPort | 50000 | INT |
| destinationTransportPort | 443 | INT |
| tcpControlBits | 16 | INT |
| protocolIdentifier | 6 | INT |
| ipClassOfService | 0 | INT |
| bgpSourceAsNumber | 0 | INT |
| bgpDestinationAsNumber | 0 | INT |
| sourceIPv4PrefixLength | 32 | INT |
| destinationIPv4PrefixLength | 0 | INT |
NetFlow Version 1 uses a standard Flow Record structure defined in Table B-2 of the NetFlow Export Datagram Format. NetFlow Version 1 produces FLOW Data Record Types.
NetFlow Version 1 does not use templates and does not support the concept of an observation domain source identifier or sequence number, so the Processor sets the following fields to 0 when creating NetFlow Records.
A NetFlow Version 1 Data Record can have the following Record Schema elements defined as follows:
| Field Name | Field Value |
|---|---|
| exporterAddress | 127.0.0.1 |
| exporterPort | 50000 |
| exporterUptime | 3000 |
| exported | 2000-01-01T00:00:00Z |
| packetVersion | 1 |
| packetSequenceNumber | 0 |
| packetSourceId | 0 |
| flowSetId | 0 |
| dataRecordType | FLOW |
| collected | 2000-01-01T00:00:00Z |
A NetFlow Version 1 Data Record will have a standard set of elements in the fields element based on the NetFlow Version 1 specification.
A NetFlow Version 1 fields element will be serialized as follows:
| Field Name | Field Value | Data Type |
|---|---|---|
| sourceIPv4Address | 127.0.0.1 | STRING |
| destinationIPv4Address | 127.0.0.2 | STRING |
| ipNextHopIPv4Address | 127.0.0.3 | STRING |
| ingressInterface | 1 | INT |
| egressInterface | 2 | INT |
| packetDeltaCount | 1 | LONG |
| octetDeltaCount | 64 | LONG |
| flowStartSysUpTime | 3600 | LONG |
| flowEndSysUpTime | 3600 | LONG |
| sourceTransportPort | 50000 | INT |
| destinationTransportPort | 443 | INT |
| protocolIdentifier | 6 | INT |
| ipClassOfService | 0 | INT |
| tcpControlBits | 16 | INT |