IPFIX Monitoring – Which Field Indicates Bytes?

ipfixmonitoringnetflow

In netflow there are in_bytes and in_pkts fields. What are the equivalent values in IPFIX?

I'm shipping IPFIX data with softflowd and I'm getting these fields:

destinationIPv4Address
destinationTransportPort
egressInterface
flowEndMilliseconds
flowStartMilliseconds
icmpTypeCodeIPv4
ingressInterface
ipClassOfService
ipVersion
octetDeltaCount
packetDeltaCount
protocolIdentifier
sourceIPv4Address
sourceTransportPort
tcpControlBits
version
vlanId

Is octetDeltaCount and packetDeltaCount the equivalent of in_bytes and in_pkts?

Best Answer

IPFIX is defined in RFC 7011, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information. Much of what you do or do not have in your records is up to the specific implementation. Your application is off-topic, but if you look at Appendix A. IPFIX Encoding Examples, it will give you some example templates, and the meanings of the fields for those templates. For example:

A.2. Template Set Examples

A.2.1. Template Set Using IANA Information Elements

We want to report the following Information Elements:

IPv4 source IP address: sourceIPv4Address [IANA-IPFIX], with a length of 4 octets

IPv4 destination IP address: destinationIPv4Address [IANA-IPFIX], with a length of 4 octets

Next-hop IP address (IPv4): ipNextHopIPv4Address [IANA-IPFIX], with a length of 4 octets

Number of packets of the Flow: packetDeltaCount [IANA-IPFIX], with a length of 4 octets

Number of octets of the Flow: octetDeltaCount [IANA-IPFIX], with a length of 4 octets

Therefore, the Template Set will be composed of the following:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Set ID = 2            |      Length = 28 octets       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       Template ID 256         |       Field Count = 5         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|    sourceIPv4Address = 8    |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0| destinationIPv4Address = 12 |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|  ipNextHopIPv4Address = 15  |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|    packetDeltaCount = 2     |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|    octetDeltaCount = 1      |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Related Solutions

Not receiving netflow v9, v5 works – Juniper SRX

You've got two out of the three necessary sections listed, and they look OK. There's a third section needed "forwarding-options" that tells the Juniper whether and how to sample packets to generate flow (something you didn't need for v5). You're also going to need to tell the Juniper which interfaces to monitor flow on. The command to monitor ingress packets will look something like this:

set interfaces ge-0/0/14 unit 0 family inet sampling input

I wrote a blog post a while back that goes through setting up NetFlow v9 (technically, J-Flow) on Juniper SRX here, which I think you'll find useful.

One other thing to mention: I've seen issues in the past where routers won't actually send flow records to multiple sources. If the v5 stream is still active, I'd try turning that off to see if the v9 picks up.

(Edited to add: it's also always worth spending time checking firewalls and connectivity before doing any kind of serious heavy lifting. You've probably already done that, but it never hurts to bring that up...)

Netflow – Netflow vs Sampled Netflow

For traffic analysis sampled netflow is often used, because 1:1 sampling (or non-sampled) netflow can be quite a burden on both the router sending the flow data and on the flow receiver. Most setups I've seen use a sampling rate varying from 1:100 upto 1:4000 (depending on the size of the network and the amount of traffic pushed), and they're perfectly able to do traffic anomaly analysis (DDoS detection) or even customer usage billing with that.

Best Answer

Related Solutions

Not receiving netflow v9, v5 works – Juniper SRX

Netflow – Netflow vs Sampled Netflow

Related Topic