Difference between revisions of "Flow Record Fields"
From Observer GigaFlow Support | VIAVI Solutions Inc.
Latest revision as of 11:52, 23 November 2018
All GigaFlow flow records contain 29 fields or table columns. In the myipfix database associated with the GigaFlow installation, the netflow tables contain all flow records. These are:
| Record Field | Type | Description |
| --- | --- | --- |
| customerid | integer | The traffic group source identifier |
| device | numeric(39,0) | The numeric IPv6 address of the device sending us the flow/syslog records |
| engineid | integer | Used to store the traffic group destination identifier |
| srcadd | numeric(39,0) | Stores the numeric IPv6 address of the source for the traffic in this record |
| dstadd | numeric(39,0) | Stores the numeric IPv6 address of the destination for the traffic in this record |
| nexthop | numeric(39,0) | Stores the numeric IPv6 address of the next hop for the traffic in this record |
| inif | integer | SNMP ifIndex of the input interface that saw the traffic for this flow |
| outif | integer | SNMP ifIndex of the output interface that saw the traffic for this flow |
| pkts | bigint | Number of packets transmitted in this flow |
| bytes | bigint | Number of octets (bytes) transmitted in this flow |
| firstseen | bigint | Millisecond timestamp of when this flow started |
| duration | bigint | Millisecond duration of this flow |
| srcport | integer | Source port number for traffic in this flow record |
| dstport | integer | Destination port number for traffic in this flow record |
| flags | integer | TCP flags as an integer value |
| proto | integer | IP protocol number for this flow record |
| tos | integer | IP TOS/COS value for this flow record |
| appid | integer | Flowsec-assigned application id; out of the box this is the lower of the source and destination port numbers |
| srcas | integer | Source AS number used for this flow |
| dstas | integer | Destination AS number used for this flow |
| userid | text COLLATE pg_catalog."default" | User ID for this flow, either as sent or inferred from other sources |
| userdomain | text COLLATE pg_catalog."default" | User domain for this flow, either as sent or inferred from other sources |
| srcmac | bigint | Source MAC address (Java long value), either as supplied or inferred from other sources |
| dstmac | bigint | Destination MAC address (Java long value), either as supplied or inferred from other sources |
| postureid | integer | Marking to indicate this flow is of interest (due to blacklist or profiling problems) |
| spare | integer | Used to store the first packet response value: -1 = unset, -2 = no response in scope |
| url | text COLLATE pg_catalog."default" | Free-form text field used for things like application names (which will soon be moved to fwextcode) or URL data |
| fwextcode | integer | Additional field used to identify traffic (from Cisco NSEL) |
| fwevent | integer | Additional field used to identify events (from Cisco NSEL) |
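The raw column values above are stored in machine form (addresses as the integer value of an IPv6 address in numeric(39,0), times in milliseconds, TCP flags as a bitmask, MACs as a Java long). The following decoder is an added example, not code from the GigaFlow wiki or product; it assumes only the column meanings in the table, that IPv4 endpoints are stored as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), that the flag bitmask uses the standard TCP header bit order, and that a postureid of zero means "not marked". The sample row is constructed, not captured from a real installation.

```python
"""Decode one raw GigaFlow netflow row into human-readable values.

Added example: not part of the GigaFlow wiki or product code. Assumptions are
noted in the comments; the SAMPLE_ROW below is constructed test data.
"""
import ipaddress
from datetime import datetime, timezone

# Standard TCP header flag bits, low bit first (assumed layout of the 'flags' column).
TCP_FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]


def decode_address(value):
    """numeric(39,0) -> printable address; an IPv4-mapped ::ffff:a.b.c.d is shown as IPv4.

    int() also accepts the Decimal that a PostgreSQL driver returns for numeric columns.
    """
    addr = ipaddress.IPv6Address(int(value))
    return str(addr.ipv4_mapped) if addr.ipv4_mapped is not None else str(addr)


def decode_flags(value):
    """Integer bitmask -> list of TCP flag names set in this flow."""
    return [name for bit, name in TCP_FLAG_BITS if int(value) & bit]


def decode_mac(value):
    """bigint (Java long) -> colon-separated MAC.

    Masks to 48 bits so a value that was sign-extended into a negative long still decodes.
    """
    raw = int(value) & 0xFFFFFFFFFFFF
    return ":".join(f"{(raw >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def decode_timestamp_ms(value):
    """Millisecond epoch timestamp (firstseen) -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


def decode_first_response(value):
    """'spare' column: -1 = unset, -2 = no response in scope, otherwise the stored value."""
    v = int(value)
    if v == -1:
        return "unset"
    if v == -2:
        return "no response in scope"
    return v


def decode_flow_record(row):
    """Return a readable dict for one netflow row given as a dict keyed by column name."""
    is_tcp = int(row["proto"]) == 6
    return {
        "customerid": row["customerid"],
        "device": decode_address(row["device"]),
        "src": f'{decode_address(row["srcadd"])}:{row["srcport"]}',
        "dst": f'{decode_address(row["dstadd"])}:{row["dstport"]}',
        "nexthop": decode_address(row["nexthop"]),
        "proto": int(row["proto"]),
        # The flags column is only meaningful for TCP flows.
        "flags": decode_flags(row["flags"]) if is_tcp else [],
        "pkts": int(row["pkts"]),
        "bytes": int(row["bytes"]),
        "firstseen": decode_timestamp_ms(row["firstseen"]).isoformat(),
        "duration_s": int(row["duration"]) / 1000,
        "srcmac": decode_mac(row["srcmac"]),
        "dstmac": decode_mac(row["dstmac"]),
        "user": f'{row["userdomain"]}\\{row["userid"]}' if row["userid"] else None,
        "first_response": decode_first_response(row["spare"]),
        # Assumption: a non-zero postureid marks the flow as "of interest".
        "of_interest": int(row["postureid"]) != 0,
    }


# Constructed sample row covering all 29 columns (not real data).
SAMPLE_ROW = {
    "customerid": 1, "device": int(ipaddress.IPv6Address("::ffff:192.0.2.1")),
    "engineid": 0,
    "srcadd": int(ipaddress.IPv6Address("::ffff:10.0.0.5")),
    "dstadd": int(ipaddress.IPv6Address("2001:db8::443")),
    "nexthop": int(ipaddress.IPv6Address("::ffff:10.0.0.1")),
    "inif": 2, "outif": 3, "pkts": 12, "bytes": 4096,
    "firstseen": 1542973920000, "duration": 1500,
    "srcport": 51234, "dstport": 443, "flags": 0x12, "proto": 6, "tos": 0,
    "appid": 443, "srcas": 0, "dstas": 0,
    "userid": "alice", "userdomain": "example.test",
    "srcmac": 0x001122334455, "dstmac": 0x66778899AABB,
    "postureid": 0, "spare": -2, "url": "", "fwextcode": 0, "fwevent": 0,
}

if __name__ == "__main__":
    for key, val in decode_flow_record(SAMPLE_ROW).items():
        print(f"{key:15} {val}")
```

Feeding real rows is a matter of replacing SAMPLE_ROW with the dicts a PostgreSQL driver returns for `SELECT * FROM` the netflow table; the decoders accept the Decimal values such drivers use for numeric(39,0).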