Network Working Group                                     B. Claise, Ed.
Request for Comments: 3954                                 Cisco Systems
Category: Informational                                     October 2004
Cisco Systems NetFlow Services Export Version 9
Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
IESG Note
This RFC documents the NetFlow services export protocol Version 9 as it was when submitted to the IETF as a basis for further work in the IPFIX WG.
This RFC itself is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose, and in particular notes that it has not had complete IETF review for such things as security, congestion control, or inappropriate interaction with deployed protocols. The RFC Editor has chosen to publish this document at its discretion.
Abstract
This document specifies the data export format for version 9 of Cisco Systems' NetFlow services, for use by implementations on the network elements and/or matching collector programs. The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible and extensible manner. A template defines a collection of fields, with corresponding descriptions of structure and semantics.
Table of Contents
1. Introduction
2. Terminology
   2.1. Terminology Summary Table
3. NetFlow High-Level Picture on the Exporter
   3.1. The NetFlow Process on the Exporter
   3.2. Flow Expiration
   3.3. Transport Protocol
4. Packet Layout
5. Export Packet Format
   5.1. Header Format
   5.2. Template FlowSet Format
   5.3. Data FlowSet Format
6. Options
   6.1. Options Template FlowSet Format
   6.2. Options Data Record Format
7. Template Management
8. Field Type Definitions
9. The Collector Side
10. Security Considerations
   10.1. Disclosure of Flow Information Data
   10.2. Forgery of Flow Records or Template Records
   10.3. Attacks on the NetFlow Collector
11. Examples
   11.1. Packet Header Example
   11.2. Template FlowSet Example
   11.3. Data FlowSet Example
   11.4. Options Template FlowSet Example
   11.5. Data FlowSet with Options Data Records Example
12. References
   12.1. Normative References
   12.2. Informative References
13. Authors
14. Acknowledgments
15. Authors' Addresses
16. Full Copyright Statement
Cisco Systems' NetFlow services provide network administrators with access to IP flow information from their data networks. Network elements (routers and switches) gather flow data and export it to collectors. The collected data provides fine-grained metering for highly flexible and detailed resource usage accounting.
A flow is defined as a unidirectional sequence of packets with some common properties that pass through a network device. These collected flows are exported to an external device, the NetFlow collector. Network flows are highly granular; for example, flow records include details such as IP addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces, etc.
Exported NetFlow data is used for a variety of purposes, including enterprise accounting and departmental chargebacks, ISP billing, data warehousing, network monitoring, capacity planning, application monitoring and profiling, user monitoring and profiling, security analysis, and data mining for marketing purposes.
This document specifies NetFlow version 9. It describes the implementation specifications both from network element and NetFlow collector points of view. These specifications should help the deployment of NetFlow version 9 across different platforms and different vendors by limiting the interoperability risks. The NetFlow export format version 9 uses templates to provide access to observations of IP packet flows in a flexible and extensible manner.
A template defines a collection of fields, with corresponding descriptions of structure and semantics.
The template-based approach provides the following advantages:
- New fields can be added to NetFlow flow records without changing the structure of the export record format. With previous NetFlow versions, adding a new field in the flow record implied a new version of the export protocol format and a new version of the NetFlow collector that supported the parsing of the new export protocol format.
- Templates that are sent to the NetFlow collector contain the structural information about the exported flow record fields; therefore, if the NetFlow collector does not understand the semantics of new fields, it can still interpret the flow record.
- Because the template mechanism is flexible, it allows the export of only the required fields from the flows to the NetFlow collector. This helps to reduce the exported flow data volume and provides possible memory savings for the exporter and NetFlow collector. Sending only the required information can also reduce network load.
The IETF IPFIX Working Group (IP Flow Information eXport) is developing a new protocol based on version 9 of Cisco Systems' NetFlow services. Some enhancements in different domains (congestion-aware transport protocol, built-in security, etc.) have been incorporated in this new IPFIX protocol. Refer to the IPFIX Working Group documents for more details.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119].
Various terms used in this document are described in this section. Note that the terminology summary table in Section 2.1 gives a quick overview of the relationships between some of the different terms defined.
Observation Point
   An Observation Point is a location in the network where IP packets can be observed; for example, one or a set of interfaces on a network device like a router. Every Observation Point is associated with an Observation Domain.

Observation Domain
   The set of Observation Points that is the largest aggregatable set of flow information at the network device with NetFlow services enabled is termed an Observation Domain. For example, a router line card composed of several interfaces with each interface being an Observation Point.

IP Flow or Flow
   An IP Flow, also called a Flow, is defined as a set of IP packets passing an Observation Point in the network during a certain time interval. All packets that belong to a particular Flow have a set of common properties derived from the data contained in the packet and from the packet treatment at the Observation Point.

Flow Record
   A Flow Record provides information about an IP Flow observed at an Observation Point. In this document, the Flow Data Records are also referred to as NetFlow services data and NetFlow data.

Exporter
   A device (for example, a router) with the NetFlow services enabled, the Exporter monitors packets entering an Observation Point and creates Flows from these packets. The information from these Flows is exported in the form of Flow Records to the NetFlow Collector.

NetFlow Collector
   The NetFlow Collector receives Flow Records from one or more Exporters. It processes the received Export Packet(s); that is, it parses and stores the Flow Record information. Flow Records can be optionally aggregated before being stored on the hard disk. The NetFlow Collector is also referred to as the Collector in this document.

Export Packet
   An Export Packet is a packet originating at the Exporter that carries the Flow Records of this Exporter and whose destination is the NetFlow Collector.

Packet Header
   The Packet Header is the first part of an Export Packet. The Packet Header provides basic information about the packet such as the NetFlow version, number of records contained within the packet, and sequence numbering.

Template Record
   A Template Record defines the structure and interpretation of fields in a Flow Data Record.

Flow Data Record
   A Flow Data Record is a data record that contains values of the Flow parameters corresponding to a Template Record.

Options Template Record
   An Options Template Record defines the structure and interpretation of fields in an Options Data Record, including defining the scope within which the Options Data Record is relevant.

Options Data Record
   The data record that contains values and scope information of the Flow measurement parameters, corresponding to an Options Template Record.

FlowSet
   FlowSet is a generic term for a collection of Flow Records that have a similar structure. In an Export Packet, one or more FlowSets follow the Packet Header. There are three different types of FlowSets: Template FlowSet, Options Template FlowSet, and Data FlowSet.

Template FlowSet
   A Template FlowSet is one or more Template Records that have been grouped together in an Export Packet.

Options Template FlowSet
   An Options Template FlowSet is one or more Options Template Records that have been grouped together in an Export Packet.

Data FlowSet
   A Data FlowSet is one or more records, of the same type, that are grouped together in an Export Packet. Each record is either a Flow Data Record or an Options Data Record previously defined by a Template Record or an Options Template Record.
+------------------+---------------------------------------------+
|                  |                  Contents                   |
|                  +--------------------+------------------------+
|     FlowSet      | Template Record    |      Data Record       |
+------------------+--------------------+------------------------+
|                  |                    |  Flow Data Record(s)   |
| Data FlowSet     |          /         |          or            |
|                  |                    | Options Data Record(s) |
+------------------+--------------------+------------------------+
| Template FlowSet | Template Record(s) |           /            |
+------------------+--------------------+------------------------+
| Options Template | Options Template   |           /            |
| FlowSet          | Record(s)          |                        |
+------------------+--------------------+------------------------+
A Data FlowSet is composed of an Options Data Record(s) or Flow Data Record(s). No Template Record is included. A Template Record defines the Flow Data Record, and an Options Template Record defines the Options Data Record.
A Template FlowSet is composed of Template Record(s). No Flow or Options Data Record is included.
An Options Template FlowSet is composed of Options Template Record(s). No Flow or Options Data Record is included.
The NetFlow process on the Exporter is responsible for the creation of Flows from the observed IP packets. The details of this process are beyond the scope of this document.
A Flow is considered to be inactive if no packets belonging to the Flow have been observed at the Observation Point for a given timeout. If any packet is seen within the timeout, the flow is considered an active flow. A Flow can be exported under the following conditions:
1. If the Exporter can detect the end of a Flow. For example, if the FIN or RST bit is detected in a TCP [RFC793] connection, the Flow Record is exported.
2. If the Flow has been inactive for a certain period of time. This inactivity timeout SHOULD be configurable at the Exporter, with a minimum value of 0 for an immediate expiration.
3. For long-lasting Flows, the Exporter SHOULD export the Flow Records on a regular basis. This timeout SHOULD be configurable at the Exporter.
4. If the Exporter experiences internal constraints, a Flow MAY be forced to expire prematurely; for example, counters wrapping or low memory.
To achieve efficiency in terms of processing at the Exporter while handling high volumes of Export Packets, the NetFlow Export Packets are encapsulated into UDP [RFC768] datagrams for export to the NetFlow Collector. However, NetFlow version 9 has been designed to be transport protocol independent. Hence, it can also operate over congestion-aware protocols such as SCTP [RFC2960].
Note that the Exporter can export to multiple Collectors, using independent transport protocols.
UDP [RFC768] is not a congestion-aware protocol, so when deploying NetFlow version 9 in a congestion-sensitive environment, make the connection between the Exporter and the NetFlow Collector through a dedicated link. This ensures that any burstiness in the NetFlow traffic affects only this dedicated link. When the NetFlow Collector cannot be placed within a one-hop distance from the Exporter, or when the export path from the Exporter to the NetFlow Collector cannot be used exclusively for the NetFlow Export Packets, the export path should be designed so that it can always sustain the maximum burstiness of NetFlow traffic from the Exporter. Note that congestion can occur on the Exporter if the export path speed is too low.
An Export Packet consists of a Packet Header followed by one or more FlowSets. The FlowSets can be any of the possible three types: Template, Data, or Options Template.
+--------+-------------------------------------------+
|        | +----------+ +---------+ +----------+     |
| Packet | | Template | | Data    | | Options  |     |
| Header | | FlowSet  | | FlowSet | | Template | ... |
|        | |          | |         | | FlowSet  |     |
|        | +----------+ +---------+ +----------+     |
+--------+-------------------------------------------+
                    Export Packet
A FlowSet ID is used to distinguish the different types of FlowSets. FlowSet IDs lower than 256 are reserved for special FlowSets, such as the Template FlowSet (ID 0) and the Options Template FlowSet (ID 1). The Data FlowSets have a FlowSet ID greater than 255.
The format of the Template, Data, and Options Template FlowSets will be discussed later in this document. The Exporter MUST code all binary integers of the Packet Header and the different FlowSets in network byte order (also known as the big-endian byte ordering).
Following are some examples of export packets:
1. An Export Packet consisting of interleaved Template, Data, and Options Template FlowSets. Example: a newly created Template is exported as soon as possible. So if there is already an Export Packet with a Data FlowSet that is being prepared for export, the Template and Option FlowSets are also interleaved with this information, subject to availability of space.
Export Packet:
+--------+--------------------------------------------------------+
|        | +----------+ +---------+     +-----------+ +---------+ |
| Packet | | Template | | Data    |     | Options   | | Data    | |
| Header | | FlowSet  | | FlowSet | ... | Template  | | FlowSet | |
|        | |          | |         |     | FlowSet   | |         | |
|        | +----------+ +---------+     +-----------+ +---------+ |
+--------+--------------------------------------------------------+
2. An Export Packet consisting entirely of Data FlowSets. Example: after the appropriate Template Records have been defined and transmitted to the NetFlow Collector device, the majority of Export Packets consists solely of Data FlowSets.
Export Packet:
+--------+----------------------------------------------+
|        | +---------+     +---------+      +---------+ |
| Packet | | Data    | ... | Data    | ...  | Data    | |
| Header | | FlowSet | ... | FlowSet | ...  | FlowSet | |
|        | +---------+     +---------+      +---------+ |
+--------+----------------------------------------------+
3. An Export Packet consisting entirely of Template and Options Template FlowSets. Example: the Exporter MAY transmit a packet containing Template and Options Template FlowSets periodically to help ensure that the NetFlow Collector has the correct Template Records and Options Template Records when the corresponding Flow Data records are received.
Export Packet:
+--------+-------------------------------------------------+
|        | +----------+     +----------+      +----------+ |
| Packet | | Template |     | Template |      | Options  | |
| Header | | FlowSet  | ... | FlowSet  | ...  | Template | |
|        | |          |     |          |      | FlowSet  | |
|        | +----------+     +----------+      +----------+ |
+--------+-------------------------------------------------+
The Packet Header format is specified as:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Version Number          |            Count              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           sysUpTime                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           UNIX Secs                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Source ID                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Packet Header Field Descriptions
Version
   Version of Flow Record format exported in this packet. The value of this field is 9 for the current version.

Count
   The total number of records in the Export Packet, which is the sum of Options FlowSet records, Template FlowSet records, and Data FlowSet records.

sysUpTime
   Time in milliseconds since this device was first booted.

UNIX Secs
   Time in seconds since 0000 UTC 1970, at which the Export Packet leaves the Exporter.

Sequence Number
   Incremental sequence counter of all Export Packets sent from the current Observation Domain by the Exporter. This value MUST be cumulative, and SHOULD be used by the Collector to identify whether any Export Packets have been missed.

Source ID
   A 32-bit value that identifies the Exporter Observation Domain. NetFlow Collectors SHOULD use the combination of the source IP address and the Source ID field to separate different export streams originating from the same Exporter.
One of the essential elements in the NetFlow format is the Template FlowSet. Templates greatly enhance the flexibility of the Flow Record format because they allow the NetFlow Collector to process Flow Records without necessarily knowing the interpretation of all the data in the Flow Record. The format of the Template FlowSet is as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       FlowSet ID = 0          |          Length               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Template ID 256          |         Field Count           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 1           |         Field Length 1        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 2           |         Field Length 2        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type N           |         Field Length N        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Template ID 257          |         Field Count           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 1           |         Field Length 1        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 2           |         Field Length 2        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type M           |         Field Length M        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Template ID K          |         Field Count           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Template FlowSet Field Descriptions
FlowSet ID
   FlowSet ID value of 0 is reserved for the Template FlowSet.

Length
   Total length of this FlowSet. Because an individual Template FlowSet MAY contain multiple Template Records, the Length value MUST be used to determine the position of the next FlowSet record, which could be any type of FlowSet. Length is the sum of the lengths of the FlowSet ID, the Length itself, and all Template Records within this FlowSet.

Template ID
   Each of the newly generated Template Records is given a unique Template ID. This uniqueness is local to the Observation Domain that generated the Template ID. Template IDs 0-255 are reserved for Template FlowSets, Options FlowSets, and other reserved FlowSets yet to be created. Template IDs of Data FlowSets are numbered from 256 to 65535.

Field Count
   Number of fields in this Template Record. Because a Template FlowSet usually contains multiple Template Records, this field allows the Collector to determine the end of the current Template Record and the start of the next.

Field Type
   A numeric value that represents the type of the field. Refer to the "Field Type Definitions" section.

Field Length
   The length of the corresponding Field Type, in bytes. Refer to the "Field Type Definitions" section.
The format of the Data FlowSet is as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   FlowSet ID = Template ID    |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 1 - Field Value 1    |   Record 1 - Field Value 2    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 1 - Field Value 3    |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 2 - Field Value 1    |   Record 2 - Field Value 2    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 2 - Field Value 3    |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 3 - Field Value 1    |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              ...              |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Data FlowSet Field Descriptions
FlowSet ID = Template ID
   Each Data FlowSet is associated with a FlowSet ID. The FlowSet ID maps to a (previously generated) Template ID. The Collector MUST use the FlowSet ID to find the corresponding Template Record and decode the Flow Records from the FlowSet.
Length
   The length of this FlowSet. Length is the sum of the lengths of the FlowSet ID, Length itself, all Flow Records within this FlowSet, and the padding bytes, if any.
Record N - Field Value M
   The remainder of the Data FlowSet is a collection of Flow Data Record(s), each containing a set of field values. The Type and Length of the fields have been previously defined in the Template Record referenced by the FlowSet ID or Template ID.
Padding
   The Exporter SHOULD insert some padding bytes so that the subsequent FlowSet starts at a 4-byte aligned boundary. It is important to note that the Length field includes the padding bytes. Padding SHOULD be using zeros.
Interpretation of the Data FlowSet format can be done only if the Template FlowSet corresponding to the Template ID is available at the Collector.
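The Template FlowSet and Data FlowSet layouts above, as an added example that is not part of the RFC text: a collector-side walker that uses each Length to find the next FlowSet and rejects a Length or Field Count that points outside the received bytes. The function names and the sample bytes are constructed for illustration, and the input is assumed to be the Export Packet with its Packet Header already removed.

```python
import ipaddress
import struct

# Field types from the field type definitions that carry IPv4 addresses.
IPV4_FIELDS = {8, 12, 15, 18}


class FlowSetError(ValueError):
    """A Length or Field Count points outside the bytes actually received."""


def parse_template_flowset(body):
    """Body of a FlowSet with ID 0 -> {template_id: [(field_type, field_length), ...]}."""
    templates, off = {}, 0
    while off < len(body):
        if len(body) - off < 4:
            raise FlowSetError("truncated Template Record header")
        template_id, field_count = struct.unpack_from("!HH", body, off)
        off += 4
        if template_id < 256:
            raise FlowSetError(f"Template ID {template_id} is in the reserved range 0-255")
        if field_count == 0 or 4 * field_count > len(body) - off:
            raise FlowSetError("Field Count does not fit inside the FlowSet Length")
        fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(field_count)]
        off += 4 * field_count
        if sum(length for _, length in fields) == 0:
            raise FlowSetError("template describes a zero-length record")
        templates[template_id] = fields
    return templates


def decode_data_flowset(body, template):
    """Decode every whole record that fits; what is left over is padding."""
    record_len = sum(length for _, length in template)
    records, off = [], 0
    while len(body) - off >= record_len:
        record = {}  # keyed by field type; a repeated type keeps its last value
        for field_type, length in template:
            raw = body[off:off + length]
            off += length
            if field_type in IPV4_FIELDS and length == 4:
                record[field_type] = str(ipaddress.IPv4Address(raw))
            else:
                # Counters are unsigned integers of N * 8 bits, N taken from the template.
                record[field_type] = int.from_bytes(raw, "big")
        records.append(record)
    return records


def walk_flowsets(payload, templates):
    """Walk all FlowSets in payload, updating templates in place.

    Returns (flows, undecoded); undecoded holds (flowset_id, body) pairs whose
    template has not been received yet, so the caller can keep them for later.
    """
    flows, undecoded, off = [], [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise FlowSetError("truncated FlowSet header")
        flowset_id, length = struct.unpack_from("!HH", payload, off)
        if length < 4 or length > len(payload) - off:
            raise FlowSetError(f"FlowSet Length {length} is outside the packet")
        body = payload[off + 4:off + length]
        if flowset_id == 0:
            # A new definition for an existing Template ID replaces the old one.
            templates.update(parse_template_flowset(body))
        elif flowset_id >= 256:
            template = templates.get(flowset_id)
            if template is None:
                undecoded.append((flowset_id, body))
            else:
                flows.extend(decode_data_flowset(body, template))
        # FlowSet IDs 1-255 (Options Template, reserved) are skipped here using Length.
        off += length
    return flows, undecoded


# Constructed sample: one Template FlowSet (Template ID 256) and one Data FlowSet.
TEMPLATE_FS = struct.pack("!HH", 0, 28) + struct.pack("!HH", 256, 5) + struct.pack(
    "!10H", 8, 4, 12, 4, 11, 2, 4, 1, 1, 4)
_REC1 = bytes([192, 0, 2, 10, 198, 51, 100, 7]) + struct.pack("!HBI", 443, 6, 1500)
_REC2 = bytes([192, 0, 2, 11, 198, 51, 100, 7]) + struct.pack("!HBI", 53, 17, 120)
DATA_FS = struct.pack("!HH", 256, 36) + _REC1 + _REC2 + b"\x00\x00"  # 2 padding bytes

if __name__ == "__main__":
    known_templates = {}
    decoded, waiting = walk_flowsets(TEMPLATE_FS + DATA_FS, known_templates)
    for flow in decoded:
        print(flow)
```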
The Options Template Record (and its corresponding Options Data Record) is used to supply information about the NetFlow process configuration or NetFlow process specific data, rather than supplying information about IP Flows.
For example, the Options Template FlowSet can report the sample rate of a specific interface, if sampling is supported, along with the sampling method used.
The format of the Options Template FlowSet follows.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        FlowSet ID = 1         |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Template ID          |      Option Scope Length      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Option Length         |      Scope 1 Field Type       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Scope 1 Field Length      |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Scope N Field Length      |      Option 1 Field Type      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Option 1 Field Length     |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Option M Field Length     |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Options Template FlowSet Field Definitions
FlowSet ID = 1
   A FlowSet ID value of 1 is reserved for the Options Template.
Length
   Total length of this FlowSet. Each Options Template FlowSet MAY contain multiple Options Template Records. Thus, the Length value MUST be used to determine the position of the next FlowSet record, which could be either a Template FlowSet or Data FlowSet.
   Length is the sum of the lengths of the FlowSet ID, the Length itself, and all Options Template Records within this FlowSet Template ID.
Template ID
   Template ID of this Options Template. This value is greater than 255.
Option Scope Length
   The length in bytes of any Scope field definition contained in the Options Template Record (The use of "Scope" is described below).
Option Length
   The length (in bytes) of any options field definitions contained in this Options Template Record.
Scope 1 Field Type
   The relevant portion of the Exporter/NetFlow process to which the Options Template Record refers. Currently defined values are:
      1 System
      2 Interface
      3 Line Card
      4 Cache
      5 Template
   For example, the NetFlow process can be implemented on a per-interface basis, so if the Options Template Record were reporting on how the NetFlow process is configured, the Scope for the report would be 2 (interface). The associated interface ID would then be carried in the associated Options Data FlowSet. The Scope can be limited further by listing multiple scopes that all must match at the same time. Note that the Scope fields always precede the Option fields.
Scope 1 Field Length
   The length (in bytes) of the Scope field, as it would appear in an Options Data Record.
Option 1 Field Type
   A numeric value that represents the type of field that would appear in the Options Template Record. Refer to the Field Type Definitions section.
Option 1 Field Length
   The length (in bytes) of the Option field.
Padding
   The Exporter SHOULD insert some padding bytes so that the subsequent FlowSet starts at a 4-byte aligned boundary. It is important to note that the Length field includes the padding bytes. Padding SHOULD be using zeros.
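The Options Template Record defined above differs from a Template Record in that Option Scope Length and Option Length count bytes of (type, length) pairs rather than fields, and in that the FlowSet may end in padding. The following added example (not part of the RFC text) parses the body of a FlowSet with ID 1 on that basis; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Scope field types as listed in the field definitions above.
SCOPE_NAMES = {1: "System", 2: "Interface", 3: "Line Card", 4: "Cache", 5: "Template"}


class OptionsTemplateError(ValueError):
    """An Options Template Record is inconsistent with its own length fields."""


def _pairs(body, off, nbytes):
    """Read nbytes worth of 4-byte (type, length) pairs starting at off."""
    return [struct.unpack_from("!HH", body, off + i) for i in range(0, nbytes, 4)]


def parse_options_template_flowset(body):
    """Body of a FlowSet with ID 1 -> {template_id: {"scopes": [...], "options": [...]}}."""
    templates, off = {}, 0
    # A record header needs 6 bytes; anything shorter at the end is padding.
    while len(body) - off >= 6:
        template_id, scope_len, option_len = struct.unpack_from("!HHH", body, off)
        off += 6
        if template_id <= 255:
            raise OptionsTemplateError(f"Template ID {template_id} is not greater than 255")
        # Both values are byte counts, so each must hold whole (type, length) pairs.
        if scope_len % 4 or option_len % 4:
            raise OptionsTemplateError("scope/option length is not a multiple of 4 bytes")
        if scope_len + option_len > len(body) - off:
            raise OptionsTemplateError("scope/option fields run past the FlowSet Length")
        scopes = _pairs(body, off, scope_len)
        options = _pairs(body, off + scope_len, option_len)
        off += scope_len + option_len
        templates[template_id] = {
            # Scope fields always precede the Option fields.
            "scopes": [(SCOPE_NAMES.get(ftype, ftype), flen) for ftype, flen in scopes],
            "options": options,
        }
    return templates


# Constructed sample: Template ID 257, one Interface scope (4 bytes in the data
# record), options SAMPLING_INTERVAL (34) and SAMPLING_ALGORITHM (35), then padding.
OPTIONS_BODY = (struct.pack("!HHH", 257, 4, 8) + struct.pack("!HH", 2, 4)
                + struct.pack("!HHHH", 34, 4, 35, 1) + b"\x00\x00")

if __name__ == "__main__":
    print(parse_options_template_flowset(OPTIONS_BODY))
```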
The Options Data Records are sent in Data FlowSets, on a regular basis, but not with every Flow Data Record. How frequently these Options Data Records are exported is configurable. See the "Templates Management" section for more details.
The format of the Data FlowSet containing Options Data Records follows.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   FlowSet ID = Template ID    |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 1 - Scope 1 Value    |Record 1 - Option Field 1 Value|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Record 1 - Option Field 2 Value|              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 2 - Scope 1 Value    |Record 2 - Option Field 1 Value|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Record 2 - Option Field 2 Value|              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Record 3 - Scope 1 Value    |Record 3 - Option Field 1 Value|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Record 3 - Option Field 2 Value|              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              ...              |            Padding            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Options Data Records of the Data FlowSet Field Descriptions
FlowSet ID = Template ID
   A FlowSet ID precedes each group of Options Data Records within a Data FlowSet. The FlowSet ID maps to a previously generated Template ID corresponding to this Options Template Record. The Collector MUST use the FlowSet ID to map the appropriate type and length to any field values that follow.
Length
   The length of this FlowSet. Length is the sum of the lengths of the FlowSet ID, Length itself, all the Options Data Records within this FlowSet, and the padding bytes, if any.
Record N - Option Field M Value
   The remainder of the Data FlowSet is a collection of Flow Records, each containing a set of scope and field values. The type and length of the fields were previously defined in the Options Template Record referenced by the FlowSet ID or Template ID.
Padding
   The Exporter SHOULD insert some padding bytes so that the subsequent FlowSet starts at a 4-byte aligned boundary. It is important to note that the Length field includes the padding bytes. Padding SHOULD be using zeros.
The Data FlowSet format can be interpreted only if the Options Template FlowSet corresponding to the Template ID is available at the Collector.
Flow Data records that correspond to a Template Record MAY appear in the same and/or subsequent Export Packets. The Template Record is not necessarily carried in every Export Packet. As such, the NetFlow Collector MUST store the Template Record to interpret the corresponding Flow Data Records that are received in subsequent data packets.
A NetFlow Collector that receives Export Packets from several Observation Domains from the same Exporter MUST be aware that the uniqueness of the Template ID is not guaranteed across Observation Domains.
The Template IDs must remain constant for the life of the NetFlow process on the Exporter. If the Exporter or the NetFlow process restarts for any reason, all information about Templates will be lost and new Template IDs will be created. Template IDs are thus not guaranteed to be consistent across an Exporter or NetFlow process restart.
A newly created Template record is assigned an unused Template ID from the Exporter. If the template configuration is changed, the current Template ID is abandoned and SHOULD NOT be reused until the NetFlow process or Exporter restarts. If a Collector should receive a new definition for an already existing Template ID, it MUST discard the previous template definition and use the new one.
If a configured Template Record on the Exporter is deleted, and re-configured with exactly the same parameters, the same Template ID COULD be reused.
The Exporter sends the Template FlowSet and Options Template FlowSet under the following conditions:
1. After a NetFlow process restarts, the Exporter MUST NOT send any Data FlowSet without sending the corresponding Template FlowSet and the required Options Template FlowSet in a previous packet or including it in the same Export Packet. It MAY transmit the Template FlowSet and Options Template FlowSet, without any Data FlowSets, in advance to help ensure that the Collector will have the correct Template Record before receiving the first Flow or Options Data Record.
2. In the event of configuration changes, the Exporter SHOULD send the new template definitions at an accelerated rate. In such a case, it MAY transmit the changed Template Record(s) and Options Template Record(s), without any data, in advance to help ensure that the Collector will have the correct template information before receiving the first data.
3. On a regular basis, the Exporter MUST send all the Template Records and Options Template Records to refresh the Collector. Template IDs have a limited lifetime at the Collector and MUST be periodically refreshed. Two approaches are taken to make sure that Templates get refreshed at the Collector:
   * Every N number of Export Packets.
   * On a time basis, so every N number of minutes.
   Both options MUST be configurable by the user on the Exporter. When one of these expiry conditions is met, the Exporter MUST send the Template FlowSet and Options Template.
4. In the event of a clock configuration change on the Exporter, the Exporter SHOULD send the template definitions at an accelerated rate.
The following table describes all the field type definitions that an Exporter MAY support. The fields are a selection of Packet Header fields, lookup results (for example, the autonomous system numbers or the subnet masks), and properties of the packet such as length.
Field Type                    Value  Length   Description
                                     (bytes)
IN_BYTES                      1      N        Incoming counter with length N x 8 bits for the number of bytes associated with an IP Flow. By default N is 4
IN_PKTS                       2      N        Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow. By default N is 4
FLOWS                         3      N        Number of Flows that were aggregated; by default N is 4
PROTOCOL                      4      1        IP protocol byte
TOS                           5      1        Type of service byte setting when entering the incoming interface
TCP_FLAGS                     6      1        TCP flags; cumulative of all the TCP flags seen in this Flow
L4_SRC_PORT                   7      2        TCP/UDP source port number (for example, FTP, Telnet, or equivalent)
IPV4_SRC_ADDR                 8      4        IPv4 source address
SRC_MASK                      9      1        The number of contiguous bits in the source subnet mask (i.e., the mask in slash notation)
INPUT_SNMP                    10     N        Input interface index. By default N is 2, but higher values can be used
L4_DST_PORT                   11     2        TCP/UDP destination port number (for example, FTP, Telnet, or equivalent)
IPV4_DST_ADDR                 12     4        IPv4 destination address
DST_MASK                      13     1        The number of contiguous bits in the destination subnet mask (i.e., the mask in slash notation)
OUTPUT_SNMP                   14     N        Output interface index. By default N is 2, but higher values can be used
IPV4_NEXT_HOP                 15     4        IPv4 address of the next-hop router
SRC_AS                        16     N        Source BGP autonomous system number where N could be 2 or 4. By default N is 2
DST_AS                        17     N        Destination BGP autonomous system number where N could be 2 or 4. By default N is 2
BGP_IPV4_NEXT_HOP             18     4        Next-hop router's IP address in the BGP domain
MUL_DST_PKTS                  19     N        IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow. By default N is 4
MUL_DST_BYTES                 20     N        IP multicast outgoing Octet (byte) counter with length N x 8 bits for the number of bytes associated with the IP Flow. By default N is 4
LAST_SWITCHED                 21     4        sysUptime in msec at which the last packet of this Flow was switched
FIRST_SWITCHED                22     4        sysUptime in msec at which the first packet of this Flow was switched
OUT_BYTES                     23     N        Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow. By default N is 4
OUT_PKTS                      24     N        Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow. By default N is 4
IPV6_SRC_ADDR                 27     16       IPv6 source address
IPV6_DST_ADDR                 28     16       IPv6 destination address
IPV6_SRC_MASK                 29     1        Length of the IPv6 source mask in contiguous bits
IPV6_DST_MASK                 30     1        Length of the IPv6 destination mask in contiguous bits
IPV6_FLOW_LABEL               31     3        IPv6 flow label as per RFC 2460 definition
ICMP_TYPE                     32     2        Internet Control Message Protocol (ICMP) packet type; reported as ICMP Type * 256 + ICMP code
MUL_IGMP_TYPE                 33     1        Internet Group Management Protocol (IGMP) packet type
SAMPLING_INTERVAL             34     4        When using sampled NetFlow, the rate at which packets are sampled; for example, a value of 100 indicates that one of every hundred packets is sampled
SAMPLING_ALGORITHM            35     1        For sampled NetFlow platform-wide: 0x01 deterministic sampling, 0x02 random sampling. Use in connection with SAMPLING_INTERVAL
FLOW_ACTIVE_TIMEOUT           36     2        Timeout value (in seconds) for active flow entries in the NetFlow cache
FLOW_INACTIVE_TIMEOUT         37     2        Timeout value (in seconds) for inactive Flow entries in the NetFlow cache
ENGINE_TYPE                   38     1        Type of Flow switching engine (route processor, linecard, etc...)
ENGINE_ID                     39     1        ID number of the Flow switching engine
TOTAL_BYTES_EXP               40     N        Counter with length N x 8 bits for the number of bytes exported by the Observation Domain. By default N is 4
TOTAL_PKTS_EXP                41     N        Counter with length N x 8 bits for the number of packets exported by the Observation Domain. By default N is 4
TOTAL_FLOWS_EXP               42     N        Counter with length N x 8 bits for the number of Flows exported by the Observation Domain. By default N is 4
MPLS_TOP_LABEL_TYPE           46     1        MPLS Top Label Type: 0x00 UNKNOWN, 0x01 TE-MIDPT, 0x02 ATOM, 0x03 VPN, 0x04 BGP, 0x05 LDP
MPLS_TOP_LABEL_IP_ADDR        47     4        Forwarding Equivalent Class corresponding to the MPLS Top Label
FLOW_SAMPLER_ID               48     1        Identifier shown in "show flow-sampler"
FLOW_SAMPLER_MODE             49     1        The type of algorithm used for sampling data: 0x02 random sampling. Use in connection with FLOW_SAMPLER_MODE
FLOW_SAMPLER_RANDOM_INTERVAL  50     4        Packet interval at which to sample. Use in connection with FLOW_SAMPLER_MODE
DST_TOS                       55     1        Type of Service byte setting when exiting outgoing interface
SRC_MAC                       56     6        Source MAC Address
DST_MAC                       57     6        Destination MAC Address
SRC_VLAN                      58     2        Virtual LAN identifier associated with ingress interface
DST_VLAN                      59     2        Virtual LAN identifier associated with egress interface
IP_PROTOCOL_VERSION           60     1        Internet Protocol Version. Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed
DIRECTION                     61     1        Flow direction: 0 - ingress flow, 1 - egress flow
IPV6_NEXT_HOP                 62     16       IPv6 address of the next-hop router
BGP_IPV6_NEXT_HOP             63     16       Next-hop router in the BGP domain
IPV6_OPTION_HEADERS           64     4        Bit-encoded field identifying IPv6 option headers found in the flow
MPLS_LABEL_1                  70     3        MPLS label at position 1 in the stack
MPLS_LABEL_2                  71     3        MPLS label at position 2 in the stack
MPLS_LABEL_3                  72     3        MPLS label at position 3 in the stack
MPLS_LABEL_4                  73     3        MPLS label at position 4 in the stack
MPLS_LABEL_5                  74     3        MPLS label at position 5 in the stack
MPLS_LABEL_6                  75     3        MPLS label at position 6 in the stack
MPLS_LABEL_7                  76     3        MPLS label at position 7 in the stack
MPLS_LABEL_8                  77     3        MPLS label at position 8 in the stack
MPLS_LABEL_9                  78     3        MPLS label at position 9 in the stack
MPLS_LABEL_10                 79     3        MPLS label at position 10 in the stack
The value field is a numeric identifier for the field type. The following value fields are reserved for proprietary field types: 25, 26, 43 to 45, 51 to 54, and 65 to 69.
When extensibility is required, the new field types will be added to the list. The new field types have to be updated on the Exporter and Collector but the NetFlow export format would remain unchanged. Refer to the latest documentation at http://www.cisco.com for the newly updated list.
In some cases the size of a field type is fixed by definition, for example PROTOCOL, or IPV4_SRC_ADDR. However, in other cases they are defined as a variant type. This improves the memory efficiency in the Collector and reduces the network bandwidth requirement between the Exporter and the Collector. As an example, in the case of IN_BYTES, on an access router it might be sufficient to use a 32 bit counter (N = 4), whilst on a core router a 64 bit counter (N = 8) would be required.
All counters and counter-like objects are unsigned integers of size N * 8 bits.
The Collector receives Template Records from the Exporter, normally before receiving Flow Data Records (or Options Data Records). The Flow Data Records (or Options Data Records) can then be decoded and stored locally on the devices. If the Template Records have not been received at the time Flow Data Records (or Options Data Records) are received, the Collector SHOULD store the Flow Data Records (or Options Data Records) and decode them after the Template Records are received. A Collector device MUST NOT assume that the Data FlowSet and the associated Template FlowSet (or Options Template FlowSet) are exported in the same Export Packet.
The Collector MUST NOT assume that one and only one Template FlowSet is present in an Export Packet.
The life of a template at the Collector is limited to a fixed refresh timeout. Templates not refreshed from the Exporter within the timeout are expired at the Collector. The Collector MUST NOT attempt to decode the Flow or Options Data Records with an expired Template. At any given time the Collector SHOULD maintain the following for all the current Template Records and Options Template Records: Exporter, Observation Domain, Template ID, Template Definition, Last Received.
Note that the Observation Domain is identified by the Source ID field from the Export Packet.
In the event of a clock configuration change on the Exporter, the Collector SHOULD discard all Template Records and Options Template Records associated with that Exporter, in order for the Collector to learn the new set of fields: Exporter, Observation Domain, Template ID, Template Definition, Last Received.
Template IDs are unique per Exporter and per Observation Domain.
If the Collector receives a new Template Record (for example, in the case of an Exporter restart) it MUST immediately override the existing Template Record.
Finally, note that the Collector MUST accept padding in the Data FlowSet and Options Template FlowSet, which means for the Flow Data Records, the Options Data Records and the Template Records. Refer to the terminology summary table in Section 2.1.
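One way to hold the Collector state listed above (Exporter, Observation Domain, Template ID, Template Definition, Last Received), as an added example rather than code from the RFC: a template cache that expires unrefreshed templates, overrides on redefinition, and buffers Data FlowSets that arrive before their template. The class and method names, the 1800-second default lifetime and the two size limits are assumptions; the RFC fixes none of them.

```python
from collections import deque


class TemplateLimit(Exception):
    """The cache already holds max_templates live entries."""


class TemplateCache:
    """Template state keyed by (Exporter, Observation Domain, Template ID)."""

    def __init__(self, lifetime=1800.0, max_templates=1024, max_pending=256):
        self.lifetime = lifetime            # assumed refresh timeout, in seconds
        self.max_templates = max_templates  # assumed cap on stored templates
        self._templates = {}                # key -> (definition, last_received)
        # Bounded buffer of Data FlowSets received before their template;
        # when it is full the oldest entry is dropped.
        self._pending = deque(maxlen=max_pending)

    def expire(self, now):
        """Drop every template that was not refreshed within the lifetime."""
        stale = [key for key, (_, seen) in self._templates.items()
                 if now - seen > self.lifetime]
        for key in stale:
            del self._templates[key]

    def store(self, exporter, source_id, template_id, definition, now):
        """Insert or override a template; return the buffered bodies it unlocks."""
        key = (exporter, source_id, template_id)
        self.expire(now)
        if key not in self._templates and len(self._templates) >= self.max_templates:
            raise TemplateLimit(f"template limit reached, refusing {key}")
        # A new definition for an existing key replaces the previous one.
        self._templates[key] = (list(definition), now)
        ready = [body for k, body in self._pending if k == key]
        keep = [(k, body) for k, body in self._pending if k != key]
        self._pending.clear()
        self._pending.extend(keep)
        return ready

    def lookup(self, exporter, source_id, template_id, now):
        """Return the live definition, or None if it is unknown or expired."""
        self.expire(now)
        entry = self._templates.get((exporter, source_id, template_id))
        return entry[0] if entry else None

    def defer(self, exporter, source_id, template_id, body):
        """Keep a Data FlowSet body until its template is received."""
        self._pending.append(((exporter, source_id, template_id), body))

    def forget_exporter(self, exporter):
        """Discard all templates of one Exporter, e.g. after a clock change."""
        self._templates = {key: value for key, value in self._templates.items()
                           if key[0] != exporter}


if __name__ == "__main__":
    cache = TemplateCache(lifetime=60)
    cache.defer("192.0.2.1", 1, 256, b"data received early")  # constructed values
    print(cache.store("192.0.2.1", 1, 256, [(8, 4), (12, 4)], now=0.0))
    print(cache.lookup("192.0.2.1", 1, 256, now=61.0))  # expired, so None
```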
The NetFlow version 9 protocol was designed with the expectation that the Exporter and Collector would remain within a single private network. However the NetFlow version 9 protocol might be used to transport Flow Records over the public Internet which exposes the Flow Records to a number of security risks. For example an attacker might capture, modify or insert Export Packets. There is therefore a risk that IP Flow information might be captured or forged, or that attacks might be directed at the NetFlow Collector.
The designers of NetFlow Version 9 did not impose any confidentiality, integrity or authentication requirements on the protocol because this reduced the efficiency of the implementation and it was believed at the time that the majority of deployments would confine the Flow Records to private networks, with the Collector(s) and Exporter(s) in close proximity.
The IPFIX protocol (IP Flow Information eXport), which has chosen the NetFlow version 9 protocol as the base protocol, addresses the security considerations discussed in this section. See the security section of IPFIX requirement draft [RFC3917] for more information.
Because the NetFlow Version 9 Export Packets are not encrypted, the observation of Flow Records can give an attacker information about the active flows in the network, communication endpoints and traffic patterns. This information can be used both to spy on user behavior and to plan and conceal future attacks.
The information that an attacker could derive from the interception of Flow Records depends on the Flow definition. For example, a Flow Record containing the source and destination IP addresses might reveal privacy sensitive information regarding the end user's activities, whilst a Flow Record only containing the source and destination IP network would be less revealing.
If Flow Records are used in accounting and/or security applications, there may be a strong incentive to forge exported Flow Records (for example to defraud the service provider, or to prevent the detection of an attack). This can be done either by altering the Flow Records on the path between the Observer and the Collector, or by injecting forged Flow Records that purport to originate from the Exporter.
An attacker could forge Templates and/or Options Templates and thereby try to confuse the NetFlow Collector, rendering it unable to decode the Export Packets.
Denial of service attacks on the NetFlow Collector can consume so many resources from the machine that the Collector is unable to capture or decode some NetFlow Export Packets. Such hazards are not explicitly addressed by the NetFlow Version 9 protocol, although the normal methods used to protect a server from a DoS attack will mitigate the problem.
Let us consider the example of an Export Packet composed of a Template FlowSet, a Data FlowSet (which contains three Flow Data Records), an Options Template FlowSet, and a Data FlowSet (which contains two Options Data Records).
Export Packet:
   +--------+---------------------------------------------. . .
   |        | +--------------+ +-----------------------+
   | Packet | | Template     | | Data                  |
   | Header | | FlowSet      | | FlowSet               |   . . .
   |        | | (1 Template) | | (3 Flow Data Records) |
   |        | +--------------+ +-----------------------+
   +--------+---------------------------------------------. . .

       . . .+-------------------------------------------------+
            +------------------+ +--------------------------+ |
            | Options          | | Data                     | |
       . . .| Template FlowSet | | FlowSet                  | |
            | (1 Template)     | | (2 Options Data Records) | |
            +------------------+ +--------------------------+ |
       . . .--------------------------------------------------+
The Packet Header is composed of:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Version = 9          |           Count = 7           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           sysUpTime                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           UNIX Secs                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Source ID                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
We want to report the following Field Types:
- The source IP address (IPv4), so the length is 4
- The destination IP address (IPv4), so the length is 4
- The next-hop IP address (IPv4), so the length is 4
- The number of bytes of the Flow
- The number of packets of the Flow
Therefore, the Template FlowSet is composed of the following:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        FlowSet ID = 0         |       Length = 28 bytes       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Template ID 256        |        Field Count = 5        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        IP_SRC_ADDR = 8        |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       IP_DST_ADDR = 12        |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       IP_NEXT_HOP = 15        |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          IN_PKTS = 2          |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         IN_BYTES = 1          |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In this example, we report the following three Flow Records:
   Src IP addr. | Dst IP addr. | Next Hop addr. | Packet | Bytes
                |              |                | Number | Number
   ---------------------------------------------------------------
   198.168.1.12 | 10.5.12.254  | 192.168.1.1    | 5009   | 5344385
   192.168.1.27 | 10.5.12.23   | 192.168.1.1    | 748    | 388934
   192.168.1.56 | 10.5.12.65   | 192.168.1.1    | 5      | 6534

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       FlowSet ID = 256        |          Length = 64          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         198.168.1.12                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          10.5.12.254                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          192.168.1.1                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             5009                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            5344385                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         192.168.1.27                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          10.5.12.23                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          192.168.1.1                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              748                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            388934                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         192.168.1.56                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          10.5.12.65                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          192.168.1.1                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               5                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             6534                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note that padding was not necessary in this example.
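The Template FlowSet and Data FlowSet examples above, and the forged-Template concern raised in the security discussion, are illustrated by the following added example, which is not part of the RFC or of any vendor implementation. It builds the two FlowSets as constructed bytes, decodes them, and rejects Templates or FlowSet lengths that overrun the packet. The function names, the Packet Header values (including Count = 4, since this packet omits the Options FlowSets) and the choice to key Templates by Source ID alone are assumptions.

```python
import socket
import struct

# Field Type values as given in the Template FlowSet example on this page.
NAMES = {8: "IP_SRC_ADDR", 12: "IP_DST_ADDR", 15: "IP_NEXT_HOP", 2: "IN_PKTS", 1: "IN_BYTES"}

def build_example_packet():
    """Constructed bytes: Packet Header, Template FlowSet 256, Data FlowSet."""
    pkt = struct.pack("!HHIIII", 9, 4, 1000, 1098000000, 1, 1)  # made-up header values
    pkt += struct.pack("!HHHH", 0, 28, 256, 5) + struct.pack("!10H", 8, 4, 12, 4, 15, 4, 2, 4, 1, 4)
    pkt += struct.pack("!HH", 256, 64)
    for *addrs, pkts, octets in [
            ("198.168.1.12", "10.5.12.254", "192.168.1.1", 5009, 5344385),
            ("192.168.1.27", "10.5.12.23", "192.168.1.1", 748, 388934),
            ("192.168.1.56", "10.5.12.65", "192.168.1.1", 5, 6534)]:
        pkt += b"".join(map(socket.inet_aton, addrs)) + struct.pack("!II", pkts, octets)
    return pkt

def learn_templates(body, source_id, templates):
    """Store each Template Record, rejecting ones that overrun the FlowSet."""
    off = 0
    while off + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, off)
        end = off + 4 + 4 * field_count
        if template_id < 256 or field_count == 0 or end > len(body):
            raise ValueError("malformed Template Record")
        fields = [struct.unpack_from("!HH", body, p) for p in range(off + 4, end, 4)]
        if any(length == 0 for _, length in fields):
            raise ValueError("zero-length field in Template")
        templates[(source_id, template_id)] = fields
        off = end

def decode(packet, templates):
    """Return the Flow Data Records of one Export Packet as dicts."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a version 9 Export Packet")
    source_id = struct.unpack_from("!I", packet, 16)[0]
    records, pos = [], 20
    while pos + 4 <= len(packet):
        set_id, length = struct.unpack_from("!HH", packet, pos)
        if length < 4 or pos + length > len(packet):
            raise ValueError("FlowSet Length outside the packet")
        body = packet[pos + 4:pos + length]
        if set_id == 0:
            learn_templates(body, source_id, templates)
        elif set_id > 255 and (source_id, set_id) in templates:
            fields = templates[(source_id, set_id)]
            size = sum(n for _, n in fields)
            for off in range(0, len(body) - size + 1, size):  # leftover bytes are padding
                rec = {}
                for ftype, n in fields:
                    raw, off = body[off:off + n], off + n
                    addr = ftype in (8, 12, 15) and n == 4
                    value = socket.inet_ntoa(raw) if addr else int.from_bytes(raw, "big")
                    rec[NAMES.get(ftype, ftype)] = value
                records.append(rec)
        pos += length
    return records
```

Data FlowSets whose Template is not yet known are skipped rather than guessed at, and Options Template FlowSets (FlowSet ID 1) are ignored by this decoder.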
Per line card (the Exporter is composed of two line cards), we want to report the following Field Types:
- Total number of Export Packets
- Total number of exported Flows
The format of the Options Template FlowSet is as follows:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        FlowSet ID = 1         |          Length = 24          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Template ID 257        |    Option Scope Length = 4    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Option Length = 8       |    Scope 1 Field Type = 3     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Scope 1 Field Length = 2    |   TOTAL_EXP_PKTS_SENT = 41    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 2        |     TOTAL_FLOWS_EXP = 42      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 2        |            Padding            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In this example, we report the following two records:
   Line Card ID | Export Packet| Export Flow
   ------------------------------------------
   Line Card 1  | 345          | 10201
   Line Card 2  | 690          | 20402

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       FlowSet ID = 257        |          Length = 16          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               1               |              345              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             10201             |               2               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              690              |             20402             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
[RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, September 1981.
[RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson, "Stream Control Transmission Protocol", RFC 2960, October 2000.
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.
This document was jointly written by Vamsidhar Valluri, Martin Djernaes, Ganesh Sadasivan, and Benoit Claise.
I would like to thank Pritam Shah, Paul Kohler, Dmitri Bouianovski, and Stewart Bryant for their valuable technical feedback.
Benoit Claise (Editor)
Cisco Systems
De Kleetlaan 6a b1
1831 Diegem
Belgium

Phone: +32 2 704 5622
EMail: bclaise@cisco.com
Ganesh Sadasivan
Cisco Systems, Inc.
3750 Cisco Way
San Jose, CA 95134
USA

Phone: +1 408 527-0251
EMail: gsadasiv@cisco.com
Vamsi Valluri
Cisco Systems, Inc.
510 McCarthy Blvd.
San Jose, CA 95035
USA

Phone: +1 408 525-1835
EMail: vvalluri@cisco.com
Martin Djernaes
Cisco Systems, Inc.
510 McCarthy Blvd.
San Jose, CA 95035
USA

Phone: +1 408 853-1676
EMail: djernaes@cisco.com
Full Copyright Statement
Copyright (C) The Internet Society (2004).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and at www.rfc-editor.org, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the ISOC's procedures with respect to rights in ISOC Documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.