Difference between revisions of "Flow Record Fields"
From Observer GigaFlow Support | VIAVI Solutions Inc.
| (14 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | + | [[Category:Database]] | |
| − | + | [[Category:Scripts]] | |
| − | + | All GigaFlow flow records contain 29 fields or table columns. In the '''myipfix''' database associated with the GigaFlow installation, the '''netflow''' tables contain all flow records. These are: | |
| − | + | ||
| − | numeric(39,0) | + | {| class="wikitable" style="text-align: left;" |
| − | + | |'''Record Field''' | |
| − | + | |'''Type''' | |
| − | + | |'''Description''' | |
| − | + | |- | |
| − | + | |customerid | |
| − | + | |integer | |
| − | + | |The traffic group source identifier | |
| − | + | |- | |
| − | + | |device | |
| − | + | |numeric(39,0) | |
| − | + | |The numeric IPV6 address of the device sending us the flowsyslog records | |
| − | + | |- | |
| − | + | | engineid | |
| − | + | | integer | |
| − | + | | Used to store the traffic group destination identifier | |
| − | + | |- | |
| − | + | | srcadd | |
| − | + | | numeric(39,0) | |
| − | + | | Store the numeric IPV6 address of the source for the traffic in this record | |
| − | + | |- | |
| − | + | | dstadd | |
| − | + | | numeric(39,0) | |
| − | + | | Store the numeric IPV6 address of the destination for the traffic in this record | |
| − | + | |- | |
| − | + | | nexthop | |
| − | + | | numeric(39,0) | |
| − | + | | Store the numeric IPV6 address of the nexthop for the traffic in this record | |
| − | + | |- | |
| − | + | | inif | |
| + | | integer | ||
| + | | SNMP ifindex of the input interface that seen the traffic for this flow | ||
| + | |- | ||
| + | | outif | ||
| + | | integer | ||
| + | | SNMP ifindex of the output interface that seen the traffic for this flow | ||
| + | |- | ||
| + | | pkts | ||
| + | | bigint | ||
| + | | Number of packets transmitted in this flow | ||
| + | |- | ||
| + | | bytes | ||
| + | | bigint | ||
| + | | Number of octetsbytes transmitted in this flow | ||
| + | |- | ||
| + | | firstseen | ||
| + | | bigint | ||
| + | | Millisecond timestamp of when this flow started | ||
| + | |- | ||
| + | | duration | ||
| + | | bigint | ||
| + | | Millisecond duration of this flow | ||
| + | |- | ||
| + | | srcport | ||
| + | | integer | ||
| + | | Source port number for traffic in this flow record | ||
| + | |- | ||
| + | | dstport | ||
| + | | integer | ||
| + | | Destination port number for traffic in this flow record | ||
| + | |- | ||
| + | | flags | ||
| + | | integer | ||
| + | | TCP Flags as an Integer value | ||
| + | |- | ||
| + | | proto | ||
| + | | integer | ||
| + | | IP Protocol number for this flow record | ||
| + | |- | ||
| + | | tos | ||
| + | | integer | ||
| + | | IP TOSCOS value for this flow record | ||
| + | |- | ||
| + | | appid | ||
| + | | integer | ||
| + | | Flowsec assigned application id, out of this box this would be the lowest of srcdst port number | ||
| + | |- | ||
| + | | srcas | ||
| + | | integer | ||
| + | | Source AS number used for this flow | ||
| + | |- | ||
| + | | dstas | ||
| + | | integer | ||
| + | | Destination AS number used for this flow | ||
| + | |- | ||
| + | | userid | ||
| + | | text | ||
| + | | COLLATE pg_catalog."default" User ID for this flow, may be as sent or inferred from other sources | ||
| + | |- | ||
| + | | userdomain | ||
| + | | text | ||
| + | | COLLATE pg_catalog."default" User Domain for this flow, may be as sent or inferred from other sources | ||
| + | |- | ||
| + | | srcmac | ||
| + | | bigint | ||
| + | | Source MAC address (java long value), either as supplied or inferred from other sources | ||
| + | |- | ||
| + | | dstmac | ||
| + | | bigint | ||
| + | | Destination MAC address (java long value), either as supplied or inferred from other sources | ||
| + | |- | ||
| + | | postureid | ||
| + | | integer | ||
| + | | Marking to indicate this flow is of interest (due to blacklist or profiling problems) | ||
| + | |- | ||
| + | | spare | ||
| + | | integer | ||
| + | | Used to store the first packet response value. -1=unset, -2=no response in scope | ||
| + | |- | ||
| + | | url | ||
| + | | text | ||
| + | | COLLATE pg_catalog."default" Free for text field we use for things like applcation names (which will soon be moved to fwextcode) or URL data | ||
| + | |- | ||
| + | | fwextcode | ||
| + | | integer | ||
| + | | Additional field used to identify traffic (from Cisco NSEL) | ||
| + | |- | ||
| + | | fwevent | ||
| + | | integer | ||
| + | | Additional field used to identify events(from Cisco NSEL) | ||
| + | |} | ||
Latest revision as of 11:52, 23 November 2018
All GigaFlow flow records contain 29 fields or table columns. In the myipfix database associated with the GigaFlow installation, the netflow tables contain all flow records. These are:
| Record Field | Type | Description |
| customerid | integer | The traffic group source identifier |
| device | numeric(39,0) | The numeric IPV6 address of the device sending us the flowsyslog records |
| engineid | integer | Used to store the traffic group destination identifier |
| srcadd | numeric(39,0) | Store the numeric IPV6 address of the source for the traffic in this record |
| dstadd | numeric(39,0) | Store the numeric IPV6 address of the destination for the traffic in this record |
| nexthop | numeric(39,0) | Store the numeric IPV6 address of the nexthop for the traffic in this record |
| inif | integer | SNMP ifindex of the input interface that seen the traffic for this flow |
| outif | integer | SNMP ifindex of the output interface that seen the traffic for this flow |
| pkts | bigint | Number of packets transmitted in this flow |
| bytes | bigint | Number of octetsbytes transmitted in this flow |
| firstseen | bigint | Millisecond timestamp of when this flow started |
| duration | bigint | Millisecond duration of this flow |
| srcport | integer | Source port number for traffic in this flow record |
| dstport | integer | Destination port number for traffic in this flow record |
| flags | integer | TCP Flags as an Integer value |
| proto | integer | IP Protocol number for this flow record |
| tos | integer | IP TOSCOS value for this flow record |
| appid | integer | Flowsec assigned application id, out of this box this would be the lowest of srcdst port number |
| srcas | integer | Source AS number used for this flow |
| dstas | integer | Destination AS number used for this flow |
| userid | text | COLLATE pg_catalog."default" User ID for this flow, may be as sent or inferred from other sources |
| userdomain | text | COLLATE pg_catalog."default" User Domain for this flow, may be as sent or inferred from other sources |
| srcmac | bigint | Source MAC address (java long value), either as supplied or inferred from other sources |
| dstmac | bigint | Destination MAC address (java long value), either as supplied or inferred from other sources |
| postureid | integer | Marking to indicate this flow is of interest (due to blacklist or profiling problems) |
| spare | integer | Used to store the first packet response value. -1=unset, -2=no response in scope |
| url | text | COLLATE pg_catalog."default" Free for text field we use for things like applcation names (which will soon be moved to fwextcode) or URL data |
| fwextcode | integer | Additional field used to identify traffic (from Cisco NSEL) |
| fwevent | integer | Additional field used to identify events(from Cisco NSEL) |
