NetFlow v9 , v10 , and IPFIX use a template based architecture. This allows for flexibility in the metrics that are reported per flow. Each metric has a special Template ID and position as reported in special Template Packets sent periodically.
The following fields are supported by Trisul Network Analytics.
| Field Name | Description | |
|---|---|---|
| IN_BYTES | traffic metric | |
| IN_PKTS | traffic metric | |
| FLOWS | traffic metric | |
| PROTOCOL | L4 protocol | |
| SRC_TOS | Type of Service byte setting when entering ingress interface | |
| TCP_FLAGS | TCP Flags ORed | |
| L4_SRC_PORT | source tcp/udp port | |
| IPV4_SRC_ADDR | source address IPv4 | |
| SRC_MASK | source address mask based on routing table | |
| INPUT_SNMP | input interface | |
| L4_DST_PORT | dest tcp/udp port | |
| IPV4_DST_ADDR | dest IPv4 address | |
| DST_MASK | dest IP mask | |
| OUTPUT_SNMP | output interface | |
| IPV4_NEXT_HOP | ||
| SRC_AS | BGP AS of source | |
| DST_AS | BGP AS of destination | |
| BGP_IPV4_NEXT_HOP | ||
| MUL_DST_PKTS | traffic metric multicast | |
| MUL_DST_BYTES | traffic metric | |
| LAST_SWITCHED | start timestamp | |
| FIRST_SWITCHED | last timestamp | |
| OUT_BYTES | traffic metric | |
| OUT_PKTS | traffic metric | |
| MIN_PKT_LNGTH | ||
| MAX_PKT_LNGTH | ||
| IPV6_SRC_ADDR | IPv6 address | |
| IPV6_DST_ADDR | IPv6 dest address | |
| IPV6_SRC_MASK | IPv6 src mask | |
| IPV6_DST_MASK | IPv6 dest mask | |
| ICMP_TYPE | ICMP Type - eg ECHO | |
| FLOW_SAMPLER_RANDOM_INTERVAL | handle sampling | |
| SAMPLING_INTERVAL | handle sampling | |
| DST_TOS | Type of Service byte setting when exiting egress interface | |
| IN_SRC_MAC | MAC address | |
| OUT_DST_MAC | MAC address | |
| SRC_VLAN | ingress port VLAN | |
| DST_VLAN | egress port VLAN | |
| IP_PROTOCOL_VERSION | v4 or v6 | |
| DIRECTION | ingress/egress | |
| IPV6_NEXT_HOP | ||
| BPG_IPV6_NEXT_HOP | ||
| IF_NAME | Interface name | |
| IF_DESC | Interface description | |
| SAMPLER_NAME | ||
| IN_PERMANENT_BYTES | traffic metric | |
| IN_PERMANENT_PKTS | traffic metric | |
| NBARapplicationDesc | NBAR app description | |
| NBARapplicationId | NBAR app id | |
| NBARapplicationName | NBAR app name | |
| DSCP_CODE_POINT | DSCP (QoS) | |
| VRF_ID | VRF ID - can create separate tenant per VRF | |
| postNATsource | NAT | |
| postNATdestination | NAT | |
| postNATSourceIPv4Port | NAT | |
| postNATDestIPv4Port | NAT | |
| applicationcategory | NBAR App category | |
| applicationsubcategory | NBAR Aoo Subcategory | |
| applicationgroup | ||
| applicationHTTPhost | HTTP Host | |
| PALOALTO APPID | vendor specific AppID | |
| PALOALTO USERID | vendor specific UserID |