Difference between revisions of "Flow Record Fields"
From Observer GigaFlow Support | VIAVI Solutions Inc.
| (19 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | customerid integer | + | [[Category:Database]] |
| − | device numeric(39,0) | + | [[Category:Scripts]] |
| − | engineid integer | + | All GigaFlow flow records contain 29 fields or table columns. In the '''myipfix''' database associated with the GigaFlow installation, the '''netflow''' tables contain all flow records. These are: |
| − | srcadd numeric(39,0) | + | |
| − | dstadd numeric(39,0) | + | {| class="wikitable" style="text-align: left;" |
| − | nexthop numeric(39,0) | + | |'''Record Field''' |
| − | inif integer | + | |'''Type''' |
| − | outif integer | + | |'''Description''' |
| − | pkts bigint | + | |- |
| − | bytes bigint | + | |customerid |
| − | firstseen bigint | + | |integer |
| − | duration bigint | + | |The traffic group source identifier |
| − | srcport integer | + | |- |
| − | dstport integer | + | |device |
| − | flags integer | + | |numeric(39,0) |
| − | proto integer | + | |The numeric IPV6 address of the device sending us the flowsyslog records |
| − | tos integer | + | |- |
| − | appid integer | + | | engineid |
| − | srcas integer | + | | integer |
| − | dstas integer | + | | Used to store the traffic group destination identifier |
| − | userid text COLLATE pg_catalog."default" | + | |- |
| − | userdomain text COLLATE pg_catalog."default" | + | | srcadd |
| − | srcmac bigint | + | | numeric(39,0) |
| − | dstmac bigint | + | | Store the numeric IPV6 address of the source for the traffic in this record |
| − | postureid integer | + | |- |
| − | + | | dstadd | |
| − | + | | numeric(39,0) | |
| − | + | | Store the numeric IPV6 address of the destination for the traffic in this record | |
| − | + | |- | |
| + | | nexthop | ||
| + | | numeric(39,0) | ||
| + | | Store the numeric IPV6 address of the nexthop for the traffic in this record | ||
| + | |- | ||
| + | | inif | ||
| + | | integer | ||
| + | | SNMP ifindex of the input interface that seen the traffic for this flow | ||
| + | |- | ||
| + | | outif | ||
| + | | integer | ||
| + | | SNMP ifindex of the output interface that seen the traffic for this flow | ||
| + | |- | ||
| + | | pkts | ||
| + | | bigint | ||
| + | | Number of packets transmitted in this flow | ||
| + | |- | ||
| + | | bytes | ||
| + | | bigint | ||
| + | | Number of octetsbytes transmitted in this flow | ||
| + | |- | ||
| + | | firstseen | ||
| + | | bigint | ||
| + | | Millisecond timestamp of when this flow started | ||
| + | |- | ||
| + | | duration | ||
| + | | bigint | ||
| + | | Millisecond duration of this flow | ||
| + | |- | ||
| + | | srcport | ||
| + | | integer | ||
| + | | Source port number for traffic in this flow record | ||
| + | |- | ||
| + | | dstport | ||
| + | | integer | ||
| + | | Destination port number for traffic in this flow record | ||
| + | |- | ||
| + | | flags | ||
| + | | integer | ||
| + | | TCP Flags as an Integer value | ||
| + | |- | ||
| + | | proto | ||
| + | | integer | ||
| + | | IP Protocol number for this flow record | ||
| + | |- | ||
| + | | tos | ||
| + | | integer | ||
| + | | IP TOSCOS value for this flow record | ||
| + | |- | ||
| + | | appid | ||
| + | | integer | ||
| + | | Flowsec assigned application id, out of this box this would be the lowest of srcdst port number | ||
| + | |- | ||
| + | | srcas | ||
| + | | integer | ||
| + | | Source AS number used for this flow | ||
| + | |- | ||
| + | | dstas | ||
| + | | integer | ||
| + | | Destination AS number used for this flow | ||
| + | |- | ||
| + | | userid | ||
| + | | text | ||
| + | | COLLATE pg_catalog."default" User ID for this flow, may be as sent or inferred from other sources | ||
| + | |- | ||
| + | | userdomain | ||
| + | | text | ||
| + | | COLLATE pg_catalog."default" User Domain for this flow, may be as sent or inferred from other sources | ||
| + | |- | ||
| + | | srcmac | ||
| + | | bigint | ||
| + | | Source MAC address (java long value), either as supplied or inferred from other sources | ||
| + | |- | ||
| + | | dstmac | ||
| + | | bigint | ||
| + | | Destination MAC address (java long value), either as supplied or inferred from other sources | ||
| + | |- | ||
| + | | postureid | ||
| + | | integer | ||
| + | | Marking to indicate this flow is of interest (due to blacklist or profiling problems) | ||
| + | |- | ||
| + | | spare | ||
| + | | integer | ||
| + | | Used to store the first packet response value. -1=unset, -2=no response in scope | ||
| + | |- | ||
| + | | url | ||
| + | | text | ||
| + | | COLLATE pg_catalog."default" Free for text field we use for things like applcation names (which will soon be moved to fwextcode) or URL data | ||
| + | |- | ||
| + | | fwextcode | ||
| + | | integer | ||
| + | | Additional field used to identify traffic (from Cisco NSEL) | ||
| + | |- | ||
| + | | fwevent | ||
| + | | integer | ||
| + | | Additional field used to identify events(from Cisco NSEL) | ||
| + | |} | ||
Latest revision as of 11:52, 23 November 2018
All GigaFlow flow records contain 29 fields or table columns. In the myipfix database associated with the GigaFlow installation, the netflow tables contain all flow records. These are:
| Record Field | Type | Description |
| customerid | integer | The traffic group source identifier |
| device | numeric(39,0) | The numeric IPV6 address of the device sending us the flowsyslog records |
| engineid | integer | Used to store the traffic group destination identifier |
| srcadd | numeric(39,0) | Store the numeric IPV6 address of the source for the traffic in this record |
| dstadd | numeric(39,0) | Store the numeric IPV6 address of the destination for the traffic in this record |
| nexthop | numeric(39,0) | Store the numeric IPV6 address of the nexthop for the traffic in this record |
| inif | integer | SNMP ifindex of the input interface that seen the traffic for this flow |
| outif | integer | SNMP ifindex of the output interface that seen the traffic for this flow |
| pkts | bigint | Number of packets transmitted in this flow |
| bytes | bigint | Number of octetsbytes transmitted in this flow |
| firstseen | bigint | Millisecond timestamp of when this flow started |
| duration | bigint | Millisecond duration of this flow |
| srcport | integer | Source port number for traffic in this flow record |
| dstport | integer | Destination port number for traffic in this flow record |
| flags | integer | TCP Flags as an Integer value |
| proto | integer | IP Protocol number for this flow record |
| tos | integer | IP TOSCOS value for this flow record |
| appid | integer | Flowsec assigned application id, out of this box this would be the lowest of srcdst port number |
| srcas | integer | Source AS number used for this flow |
| dstas | integer | Destination AS number used for this flow |
| userid | text | COLLATE pg_catalog."default" User ID for this flow, may be as sent or inferred from other sources |
| userdomain | text | COLLATE pg_catalog."default" User Domain for this flow, may be as sent or inferred from other sources |
| srcmac | bigint | Source MAC address (java long value), either as supplied or inferred from other sources |
| dstmac | bigint | Destination MAC address (java long value), either as supplied or inferred from other sources |
| postureid | integer | Marking to indicate this flow is of interest (due to blacklist or profiling problems) |
| spare | integer | Used to store the first packet response value. -1=unset, -2=no response in scope |
| url | text | COLLATE pg_catalog."default" Free for text field we use for things like applcation names (which will soon be moved to fwextcode) or URL data |
| fwextcode | integer | Additional field used to identify traffic (from Cisco NSEL) |
| fwevent | integer | Additional field used to identify events(from Cisco NSEL) |
