Example Netflow Traffic

Alexander Zivny-Hartig edited this page Aug 7, 2023 · 1 revision

To aid development and fine-tuning of the parser, example NetFlow traffic can be replayed. Instructions for replaying traffic are on the Development Setup page. This page documents the kinds of traffic that can be replayed and the settings with which they were generated.


NetflowV9

The data for NetflowV9 was generated on a Cisco Catalyst 2960-XR Series switch.

The record used is named RECORD1 and collects the following information:

flow record RECORD1:
  Description:        User defined
  No. of users:       0
  Total field space:  77 bytes
  Fields:
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match ipv6 protocol
    match ipv6 source address
    match ipv6 destination address
    match transport source-port
    match transport destination-port
    collect interface input
    collect flow sampler
    collect counter bytes long
    collect counter packets long
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

A flow exporter EXPORTER1 was also defined:

Flow Exporter EXPORTER1:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 192.168.0.150
    Source IP address:      192.168.0.120
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            51001
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used
  Options Configuration:
    interface-table (timeout 600 seconds)
    exporter-stats (timeout 600 seconds)
    sampler-table (timeout 600 seconds)

The monitor MONITOR1 is configured:

Flow Monitor MONITOR1:
  Description:       User defined
  Flow Record:       RECORD1
  Flow Exporter:     EXPORTER1 (inactive)
  Cache:
    Type:              normal
    Status:            not allocated
    Size:              16640 entries / 0 bytes
    Inactive Timeout:  30 secs
    Active Timeout:    60 secs
    Update Timeout:    1800 secs
  Stats:
    protocol distribution (inactive)

The sampler used, SAMPLER1, randomly selects 1 out of every 32 packets:

Sampler SAMPLER1:
  ID:             1
  export ID:      0
  Description:    User defined
  Type:           random
  Rate:           1 out of 32
  Samples:        0
  Requests:       0
  Users (0):

The flow is configured on the G2/0/1 interface (going to the gateway):

Interface GigabitEthernet2/0/1
  FNF:  monitor:          MONITOR1
        direction:        Input
        traffic(ip):      sampler SAMPLER1
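
For work on the parser against this replay data, the following added example (not code from this project) decodes a NetFlow v9 export packet with the template it carries, rejects flowset lengths that point outside the packet, and scales the byte counter by SAMPLER1's 1-in-32 rate to estimate real traffic. The packet bytes are constructed for illustration, the field type numbers are those of RFC 3954, only the IPv4 fields of RECORD1 are covered, and all function names are hypothetical.

```python
import ipaddress
import struct

# RFC 3954 field types: the IPv4 subset of what RECORD1 exports.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port",
          8: "src_addr", 11: "dst_port", 12: "dst_addr"}
SAMPLING_RATE = 32  # SAMPLER1: 1 out of 32
SAMPLE = bytes.fromhex(  # constructed: v9 header, template 256, one record + pad
    "00090002 00000000 00000000 00000000 00000000"
    "00000024 01000007 00040001 00080004 000c0004 00070002 000b0002 00010008 00020008"
    "01000024 06 c000020a c6336407 c93a 01bb 00000000000005dc 0000000000000003 000000")

def read_templates(body, templates):
    while len(body) >= 4:
        tid, count = struct.unpack_from("!HH", body)
        end = 4 + 4 * count
        if tid < 256 or count == 0 or end > len(body):
            break  # padding or truncated template: keep what parsed cleanly
        templates[tid] = list(struct.iter_unpack("!HH", body[4:end]))
        body = body[end:]

def read_records(body, template):
    size, flows = sum(length for _, length in template), []
    while size and len(body) >= size:  # size 0 would never consume input
        rec, raw, body = {}, body[:size], body[size:]
        for ftype, length in template:
            field, raw = raw[:length], raw[length:]
            rec[FIELDS.get(ftype, ftype)] = (
                str(ipaddress.ip_address(field)) if ftype in (8, 12)
                else int.from_bytes(field, "big"))
        rec["est_bytes"] = rec.get("bytes", 0) * SAMPLING_RATE  # sampled -> estimate
        flows.append(rec)
    return flows

def parse_v9(packet, templates):
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):  # untrusted UDP input
            raise ValueError("flowset length outside packet")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            read_templates(body, templates)
        elif fs_id in templates:  # data for templates not yet seen is skipped
            flows += read_records(body, templates[fs_id])
        off += fs_len
    return flows
```

The `templates` dictionary is passed in so that it persists across packets, since the exporter sends templates only periodically and data flowsets arriving before their template cannot be decoded.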