NetFlow 9 Generated Records
NetFlow 9 records are generated based on the Record Generation Mode that you select for the NetFlow 9 stage properties. You can include "interpreted" or processed values, raw data, or both in NetFlow 9 records.
NetFlow 9 records can include the following fields:
NetFlow 9 Field Name | Description | Included... |
---|---|---|
flowKind | Indicates the type of flow to be processed. | In all NetFlow 9 records. |
values | A map field with field names and values as processed by the stage based on the template specified in the packet header. | In NetFlow 9 records when you configure the Record Generation Mode property to include “interpreted” data in the record. |
packetHeader | A map field containing information about the packet. Typically includes information such as the source ID and the number of records in the packet. | In all NetFlow 9 records. |
rawValues | A map field with the fields defined by the associated template and the raw, unprocessed bytes for those fields. | In NetFlow 9 records when you configure the Record Generation Mode property to include raw data in the record. |
Sample Raw and Interpreted Record
When you set the Record Generation Mode property to Raw and Interpreted Data, the
resulting record includes all of the possible NetFlow 9 fields, as
follows:
```json
{
  "flowKind" : "FLOWSET",
  "values" : {
    "ICMP_TYPE" : 0,
    "L4_DST_PORT" : 9995,
    "TCP_FLAGS" : 0,
    "L4_SRC_PORT" : 52767,
    "INPUT_SNMP" : 0,
    "FIRST_SWITCHED" : 86400042,
    "PROTOCOL" : 17,
    "IN_BYTES" : 34964,
    "OUTPUT_SNMP" : 0,
    "LAST_SWITCHED" : 86940154,
    "IPV4_SRC_ADDR" : "127.0.0.1",
    "SRC_AS" : 0,
    "IN_PKTS" : 29,
    "IPV4_DST_ADDR" : "127.0.0.1",
    "DST_AS" : 0,
    "SRC_TOS" : 0,
    "FORWARDING_STATUS" : 0
  },
  "packetHeader" : {
    "flowRecordCount" : 8,
    "sourceIdRaw" : "AAAAAQ==",
    "version" : 9,
    "sequenceNumber" : 0,
    "unixSeconds" : 1503002821,
    "sourceId" : 1,
    "sysUptimeMs" : 0
  },
  "rawValues" : {
    "OUTPUT_SNMP" : "AAA=",
    "IN_BYTES" : "AACIlA==",
    "LAST_SWITCHED" : "BS6Z+g==",
    "IPV4_SRC_ADDR" : "fwAAAQ==",
    "SRC_AS" : "AAA=",
    "IPV4_DST_ADDR" : "fwAAAQ==",
    "IN_PKTS" : "AAAAHQ==",
    "DST_AS" : "AAA=",
    "FORWARDING_STATUS" : "AA==",
    "SRC_TOS" : "AA==",
    "ICMP_TYPE" : "AAA=",
    "TCP_FLAGS" : "AA==",
    "L4_DST_PORT" : "Jws=",
    "L4_SRC_PORT" : "zh8=",
    "INPUT_SNMP" : "AAA=",
    "FIRST_SWITCHED" : "BSZcKg==",
    "PROTOCOL" : "EQ=="
  }
}
```
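In the sample above, each rawValues entry appears as base64 text of the field's bytes. The following added example (not part of the original documentation) decodes those bytes and cross-checks them against the interpreted values map, which is a useful integrity check when flow records feed detection or forensics. It assumes integers are unsigned big-endian and IPv4 addresses are 4 packed bytes, which matches the sample; `SAMPLE`, `decode_raw` and `cross_check` are hypothetical names.

```python
import base64
import ipaddress

# Constructed subset of the page's sample "Raw and Interpreted" record.
SAMPLE = {
    "values": {
        "IN_BYTES": 34964, "IN_PKTS": 29, "PROTOCOL": 17,
        "L4_SRC_PORT": 52767, "L4_DST_PORT": 9995,
        "IPV4_SRC_ADDR": "127.0.0.1", "IPV4_DST_ADDR": "127.0.0.1",
        "FIRST_SWITCHED": 86400042, "LAST_SWITCHED": 86940154,
    },
    "rawValues": {
        "IN_BYTES": "AACIlA==", "IN_PKTS": "AAAAHQ==", "PROTOCOL": "EQ==",
        "L4_SRC_PORT": "zh8=", "L4_DST_PORT": "Jws=",
        "IPV4_SRC_ADDR": "fwAAAQ==", "IPV4_DST_ADDR": "fwAAAQ==",
        "FIRST_SWITCHED": "BSZcKg==", "LAST_SWITCHED": "BS6Z+g==",
    },
}


def decode_raw(name, b64):
    """Decode one rawValues entry: IPv4 fields to dotted quad, others to int."""
    raw = base64.b64decode(b64, validate=True)  # reject non-base64 input
    if name.startswith("IPV4_") and name.endswith("_ADDR"):
        if len(raw) != 4:
            raise ValueError(f"{name}: expected 4 bytes, got {len(raw)}")
        return str(ipaddress.IPv4Address(raw))
    # Assumption: remaining fields are unsigned integers in network byte order.
    return int.from_bytes(raw, "big")


def cross_check(record):
    """Return {field: (interpreted, decoded_raw)} where the two views differ.

    A field present in only one of the maps is reported with None on the
    missing side.
    """
    values = record.get("values", {})
    raw = record.get("rawValues", {})
    mismatches = {}
    for name in sorted(set(values) | set(raw)):
        decoded = decode_raw(name, raw[name]) if name in raw else None
        if values.get(name) != decoded:
            mismatches[name] = (values.get(name), decoded)
    return mismatches


if __name__ == "__main__":
    print(cross_check(SAMPLE) or "raw and interpreted values agree")
```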
Sample Interpreted Record
When you set the Record Generation Mode property to Interpreted Only, the resulting
record omits the rawValues field from the record, as follows:
```json
{
  "flowKind" : "FLOWSET",
  "values" : {
    "ICMP_TYPE" : 0,
    "L4_DST_PORT" : 9995,
    "TCP_FLAGS" : 0,
    "L4_SRC_PORT" : 52767,
    "INPUT_SNMP" : 0,
    "FIRST_SWITCHED" : 86400042,
    "PROTOCOL" : 17,
    "IN_BYTES" : 34964,
    "OUTPUT_SNMP" : 0,
    "LAST_SWITCHED" : 86940154,
    "IPV4_SRC_ADDR" : "127.0.0.1",
    "SRC_AS" : 0,
    "IN_PKTS" : 29,
    "IPV4_DST_ADDR" : "127.0.0.1",
    "DST_AS" : 0,
    "SRC_TOS" : 0,
    "FORWARDING_STATUS" : 0
  },
  "packetHeader" : {
    "flowRecordCount" : 8,
    "sourceIdRaw" : "AAAAAQ==",
    "version" : 9,
    "sequenceNumber" : 0,
    "unixSeconds" : 1503002821,
    "sourceId" : 1,
    "sysUptimeMs" : 0
  }
}
```
Sample Raw Record
When you set the Record Generation Mode property to Raw Only, the resulting record
omits the values field that contains processed data, as follows:
```json
{
  "flowKind" : "FLOWSET",
  "packetHeader" : {
    "flowRecordCount" : 8,
    "sourceIdRaw" : "AAAAAQ==",
    "version" : 9,
    "sequenceNumber" : 0,
    "unixSeconds" : 1503002821,
    "sourceId" : 1,
    "sysUptimeMs" : 0
  },
  "rawValues" : {
    "OUTPUT_SNMP" : "AAA=",
    "IN_BYTES" : "AACIlA==",
    "LAST_SWITCHED" : "BS6Z+g==",
    "IPV4_SRC_ADDR" : "fwAAAQ==",
    "SRC_AS" : "AAA=",
    "IPV4_DST_ADDR" : "fwAAAQ==",
    "IN_PKTS" : "AAAAHQ==",
    "DST_AS" : "AAA=",
    "FORWARDING_STATUS" : "AA==",
    "SRC_TOS" : "AA==",
    "ICMP_TYPE" : "AAA=",
    "TCP_FLAGS" : "AA==",
    "L4_DST_PORT" : "Jws=",
    "L4_SRC_PORT" : "zh8=",
    "INPUT_SNMP" : "AAA=",
    "FIRST_SWITCHED" : "BSZcKg==",
    "PROTOCOL" : "EQ=="
  }
}
```