Supported Element Types for NetFlow Integrator Element Mapping

This section outlines the element types (v5, v9, and v10) that the AMX application supports when mapping elements from ingested NetFlow/IPFIX flow records to JSON on the following platforms. These elements are predefined and cannot be configured:

■   VMware ESXi
■   VMware NSX-T

| Elements | Description | Supported for NetFlow v5 | Supported for NetFlow v9 | Supported for NetFlow v10/IPFIX |
|---|---|---|---|---|
| type | Type of flow message | ✓ | ✓ | ✓ |
| sampler_address | Address of the device that generated the packet | ✓ | ✓ | ✓ |
| sampling_rate | Sampling rate of the flow | ✓ | ✓ | ✓ |
| export_time_ns | Export time in nanoseconds | ✓ | ✓ | ✓ |
| time_received_ns | Timestamp in nanoseconds of when the message was received | ✓ | ✓ | ✓ |
| sequence_num | Sequence number of the flow packet | ✓ | ✓ | ✓ |
| source_id | An identifier that uniquely identifies the flow source. For IPFIX it refers to the observation domain ID. | ✗ | ✓ | ✓ |
| etype | Ethernet type (0x86dd for IPv6...) | ✓ | ✓ | ✓ |
| src_addr | Source address (IP). NetFlow v5 - IPv4 only; NetFlow v9 - IPV4_SRC_ADDR (8), IPV6_SRC_ADDR (27); NetFlow v10/IPFIX - sourceIPv4Address (8), sourceIPv6Address (27) | ✓ | ✓ | ✓ |
| dst_addr | Destination address (IP). NetFlow v5 - IPv4 only; NetFlow v9 - IPV4_DST_ADDR (12), IPV6_DST_ADDR (28); NetFlow v10/IPFIX - destinationIPv4Address (12), destinationIPv6Address (28) | ✓ | ✓ | ✓ |
| ip_tos | IP Type of Service. NetFlow v5 - tos; NetFlow v9 - SRC_TOS (5); NetFlow v10/IPFIX - ipClassOfService (5) | ✓ | ✓ | ✓ |
| ip_dscp | Differentiated Services Code Point. ipDiffServCodePoint (195) | ✗ | ✓ | ✓ |
| ip_precedence | The value of the IP Precedence. ipPrecedence (196) | ✗ | ✓ | ✓ |
| proto | Protocol (UDP, TCP, ICMP...). NetFlow v5 - proto; NetFlow v9 - PROTOCOL (4); NetFlow v10/IPFIX - protocolIdentifier (4) | ✓ | ✓ | ✓ |
| ip_ttl_max | Maximum TTL value observed for packets of the flow. NetFlow v9 - MAX_TTL (53); NetFlow v10/IPFIX - maximumTTL (53) | ✗ | ✓ | ✓ |
| src_port | Source port (when UDP/TCP/SCTP). NetFlow v5 - srcport; NetFlow v9 - L4_SRC_PORT (7); NetFlow v10/IPFIX - sourceTransportPort (7) | ✓ | ✓ | ✓ |
| dst_port | Destination port (when UDP/TCP/SCTP). NetFlow v5 - dstport; NetFlow v9 - L4_DST_PORT (11); NetFlow v10/IPFIX - destinationTransportPort (11) | ✓ | ✓ | ✓ |
| bytes | Number of bytes in a flow. NetFlow v5 - dOctets; NetFlow v9 - IN_BYTES (1), OUT_BYTES (23); NetFlow v10/IPFIX - octetDeltaCount (1), postOctetDeltaCount (23) | ✓ | ✓ | ✓ |
| packets | Number of packets in a flow. NetFlow v5 - dPkts; NetFlow v9 - IN_PKTS (2), OUT_PKTS (24); NetFlow v10/IPFIX - packetDeltaCount (2), postPacketDeltaCount (24) | ✓ | ✓ | ✓ |
| bytes_total | Running byte counter for a permanent flow. NetFlow v9 - IN_PERMANENT_BYTES (85); NetFlow v10/IPFIX - octetTotalCount (85) | ✗ | ✓ | ✓ |
| packets_total | Running packet counter for a permanent flow. NetFlow v9 - IN_PERMANENT_PKTS (86); NetFlow v10/IPFIX - packetTotalCount (86) | ✗ | ✓ | ✓ |
| flow_direction | Flow direction. NetFlow v9 - DIRECTION (61); NetFlow v10/IPFIX - flowDirection (61) | ✗ | ✓ | ✓ |
| in_if | Input interface. NetFlow v5 - input; NetFlow v9 - INPUT_SNMP (10); NetFlow v10/IPFIX - ingressInterface (10) | ✓ | ✓ | ✓ |
| out_if | Output interface. NetFlow v5 - output; NetFlow v9 - OUTPUT_SNMP (14); NetFlow v10/IPFIX - egressInterface (14) | ✓ | ✓ | ✓ |
| time_flow_start_ns | Time the flow started in nanoseconds. Refer to Important Notes. NetFlow v5 - System uptime and first; NetFlow v9 - System uptime and FIRST_SWITCHED (22); NetFlow v10/IPFIX - flowStartXXX (150, 152, 154, 156) | ✓ | ✓ | ✓ |
| time_flow_end_ns | Time the flow ended in nanoseconds. Refer to Important Notes. NetFlow v5 - System uptime and last; NetFlow v9 - System uptime and LAST_SWITCHED (21); NetFlow v10/IPFIX - flowEndXXX (151, 153, 155, 157) | ✓ | ✓ | ✓ |
| tcp_flags | TCP flags. NetFlow v5 - tcp_flags; NetFlow v9 - TCP_FLAGS (6); NetFlow v10/IPFIX - tcpControlBits (6) | ✓ | ✓ | ✓ |
| ip_length_min | Minimum IP packet length. NetFlow v9 - MIN_PKT_LNGTH (25); NetFlow v10/IPFIX - minimumIpTotalLength (25) | ✗ | ✓ | ✓ |
| ip_length_max | Maximum IP packet length. NetFlow v9 - MAX_PKT_LNGTH (26); NetFlow v10/IPFIX - maximumIpTotalLength (26) | ✗ | ✓ | ✓ |
| next_hop | Next-hop IP address. NetFlow v5 - nexthop; NetFlow v9 - IPV4_NEXT_HOP (15), IPV6_NEXT_HOP (62); NetFlow v10/IPFIX - ipNextHopIPv4Address (15), ipNextHopIPv6Address (62) | ✓ | ✓ | ✓ |
| ipv4_next_hop | Next-hop IPv4 address. NetFlow v9 - IPV4_NEXT_HOP (15); NetFlow v10/IPFIX - ipNextHopIPv4Address (15) | ✗ | ✓ | ✓ |
| ipv6_next_hop | Next-hop IPv6 address. NetFlow v9 - IPV6_NEXT_HOP (62); NetFlow v10/IPFIX - ipNextHopIPv6Address (62) | ✗ | ✓ | ✓ |
| flow_id | An identifier of a flow that is unique within an Observation Domain. NetFlow v9 - flowId (148); NetFlow v10/IPFIX - flowId (148) | ✗ | ✓ | ✓ |
| firewall_event | Indicates a firewall event. Allowed values are listed in the firewallEvent registry. firewallEvent (233) | ✗ | ✓ | ✓ |
| icmp_type | Type of the ICMP message. NetFlow v9 - ICMP_TYPE (32); NetFlow v10/IPFIX - icmpTypeXXX (176, 178), icmpTypeCodeXXX (32, 139) | ✗ | ✓ | ✓ |
| icmp_code | Code of the ICMP message. NetFlow v9 - ICMP_TYPE (32); NetFlow v10/IPFIX - icmpCodeXXX (177, 179), icmpTypeCodeXXX (32, 139) | ✗ | ✓ | ✓ |
| flow_end_reason | The reason for flow termination. Values are listed in the flowEndReason registry. | ✗ | ✓ | ✓ |
| application_id | Specifies an Application ID. NetFlow v9 - APPLICATION TAG (95); NetFlow v10/IPFIX - applicationId (95) | ✗ | ✓ | ✓ |
| application_description | Specifies the description of an application. NetFlow v9 - APPLICATION DESCRIPTION (94); NetFlow v10/IPFIX - applicationDescription (94) | ✗ | ✓ | ✓ |
| application_name | Specifies the name of an application. NetFlow v9 - APPLICATION NAME (96); NetFlow v10/IPFIX - applicationName (96) | ✗ | ✓ | ✓ |
| tcp_window_size | The window field in the TCP header. tcpWindowSize (186) | ✗ | ✓ | ✓ |
| viptela_vpn_id | Private enterprise number for vIPtela Inc. (41916) | ✗ | ✗ | ✓ |

Important Notes

■   NetFlow v9 and v5 Timestamps:
    o   The NetFlow header contains system uptime (in seconds) and an export timestamp.
    o   Flow start time is derived using the following formula:
        •   Flow_Start = Export Timestamp - System Uptime + First_Switched
    o   Flow end time is derived using the following formula:
        •   Flow_End = Export Timestamp - System Uptime + Last_Switched
    o   The calculated start and end times are converted into nanoseconds.
    o   Unsupported attributes such as flow start/end in milliseconds, microseconds, or nanoseconds are ignored. Instead, the export timestamp is used as both the flow start and end times, which are then converted to nanoseconds.
■   NetFlow v10/IPFIX Timestamps:
    o   NetFlow v10/IPFIX directly incorporates timestamps without the need for system uptime.
    o   Whether flow start and end timestamps are available in seconds, milliseconds, microseconds, or nanoseconds, they are always converted to nanoseconds for output.
■   Missing Flow Start/End Attributes - For records that do not include flow start or end attributes, AMX automatically assigns both values to the export timestamp.
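The timestamp rules above, reproduced as an added Python example (not AMX code) so that an analyst can recompute time_flow_start_ns and time_flow_end_ns and spot records whose times are only the export-time fallback. Assumptions: the function names and the `tick_ns` parameter are hypothetical, uptime and the switched values share one unit given by `tick_ns`, and IPFIX values arrive already decoded as integer counts since the Unix epoch.

```python
NS_PER_S = 1_000_000_000
# IPFIX element ID -> nanoseconds per unit (flowStartXXX / flowEndXXX in the table).
IPFIX_START = {150: NS_PER_S, 152: 1_000_000, 154: 1_000, 156: 1}
IPFIX_END = {151: NS_PER_S, 153: 1_000_000, 155: 1_000, 157: 1}


def v5_v9_times(export_s, uptime, first=None, last=None, tick_ns=1_000_000):
    """Return (time_flow_start_ns, time_flow_end_ns, derived) for NetFlow v5/v9.

    Assumption: uptime, first and last share one unit of tick_ns nanoseconds.
    """
    export_ns = export_s * NS_PER_S
    if first is None or last is None:
        # Missing attribute: export time stands in for both values
        # (assumption: one missing value triggers the fallback for both).
        return export_ns, export_ns, False
    boot_ns = export_ns - uptime * tick_ns  # Export Timestamp - System Uptime
    return boot_ns + first * tick_ns, boot_ns + last * tick_ns, True


def _pick(fields, units):
    """First matching element converted to ns, or None when absent."""
    for element_id, ns_per_unit in units.items():
        if element_id in fields:
            return fields[element_id] * ns_per_unit
    return None


def ipfix_times(export_s, fields):
    """fields maps element ID -> decoded integer count since the Unix epoch."""
    export_ns = export_s * NS_PER_S
    start, end = _pick(fields, IPFIX_START), _pick(fields, IPFIX_END)
    if start is None or end is None:
        return export_ns, export_ns, False
    return start, end, True


def timeline_issues(start_ns, end_ns, export_s, derived):
    """Reasons an analyst should not trust the flow times for ordering events."""
    issues = []
    if not derived:
        issues.append("fallback_to_export_time")
    if end_ns < start_ns:
        issues.append("end_before_start")
    if end_ns > export_s * NS_PER_S:
        issues.append("end_after_export")
    return issues
```

A record flagged `fallback_to_export_time` carries no real duration, so it should not be used to order events inside an incident timeline.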

The image below explains how flow start and end times are calculated using system uptime, export timestamp and flow switch times.