Netflow Rfc

Network Working Group B. Claise, Ed.

Request for Comments: 3954 Cisco Systems

Category: Informational October 2004

Cisco Systems NetFlow Services Export Version 9

Status of this Memo

This memo provides information for the Internet community. It does

not specify an Internet standard of any kind. Distribution of this

memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

IESG Note

This RFC documents the NetFlow services export protocol Version 9 as

it was when submitted to the IETF as a basis for further work in the

IPFIX WG.

This RFC itself is not a candidate for any level of Internet

Standard. The IETF disclaims any knowledge of the fitness of this

RFC for any purpose, and in particular notes that it has not had

complete IETF review for such things as security, congestion control,

or inappropriate interaction with deployed protocols. The RFC Editor

has chosen to publish this document at its discretion.

Abstract

This document specifies the data export format for version 9 of Cisco

Systems' NetFlow services, for use by implementations on the network

elements and/or matching collector programs. The version 9 export

format uses templates to provide access to observations of IP packet

flows in a flexible and extensible manner. A template defines a

collection of fields, with corresponding descriptions of structure

and semantics.

Table of Contents

1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 2

2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.1. Terminology Summary Table . . . . . . . . . . . . . . . 6

3. NetFlow High-Level Picture on the Exporter. . . . . . . . . . 6

3.1. The NetFlow Process on the Exporter . . . . . . . . . . 6

3.2. Flow Expiration . . . . . . . . . . . . . . . . . . . . 7

Claise Informational [Page 1]

RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004

3.3. Transport Protocol. . . . . . . . . . . . . . . . . . . 7

4. Packet Layout . . . . . . . . . . . . . . . . . . . . . . . . 8

5. Export Packet Format. . . . . . . . . . . . . . . . . . . . . 9

5.1. Header Format . . . . . . . . . . . . . . . . . . . . . 9

5.2. Template FlowSet Format . . . . . . . . . . . . . . . . 11

5.3. Data FlowSet Format . . . . . . . . . . . . . . . . . . 13

6. Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

6.1. Options Template FlowSet Format . . . . . . . . . . . . 14

6.2. Options Data Record Format. . . . . . . . . . . . . . . 16

7. Template Management . . . . . . . . . . . . . . . . . . . . . 17

8. Field Type Definitions. . . . . . . . . . . . . . . . . . . . 18

9. The Collector Side. . . . . . . . . . . . . . . . . . . . . . 25

10. Security Considerations . . . . . . . . . . . . . . . . . . . 26

10.1. Disclosure of Flow Information Data . . . . . . . . . . 26

10.2. Forgery of Flow Records or Template Records . . . . . . 26

10.3. Attacks on the NetFlow Collector. . . . . . . . . . . . 27

11. Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . 27

11.1. Packet Header Example . . . . . . . . . . . . . . . . . 28

11.2. Template FlowSet Example. . . . . . . . . . . . . . . . 28

11.3. Data FlowSet Example. . . . . . . . . . . . . . . . . . 29

11.4. Options Template FlowSet Example. . . . . . . . . . . . 30

11.5. Data FlowSet with Options Data Records Example. . . . . 30

12. References. . . . . . . . . . . . . . . . . . . . . . . . . . 31

12.1. Normative References. . . . . . . . . . . . . . . . . . 31

12.2. Informative References. . . . . . . . . . . . . . . . . 31

13. Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31

15. Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . 32

16. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 33

1. Introduction

...