Supported NetFlow Fields
Table 1: NetFlow Fields
The following table provides information about the NetFlow fields given by the Data Exporter:
| Name | Description | Type |
|---|---|---|
| Flow_id | Flow Identifier | int64 |
| Start_active_usec | Start time | int64 |
| Last_active_usec | Last active time | int64 |
| ExtFlowHost client | Attributes and flow statistics for the ExtFlowHost client (See table 2 below) | -- |
| ExtFlowHost server | Attribute and flow statistics for the ExtFlowHost server (See table 2 below) | -- |
| Service_port | Well-known service port | int32 |
| Protocol | Protocol | int32 |
| Flow_sensor_app_id | Flow Sensor Application ID | int32 |
| Nbar_app_id | Network Based Application Recognition (NBAR) application ID | int32 |
| Palo_alto_app_id | Palo Alto application ID | string |
| Username | Username | string |
| Vlan_id | The Virtual Local Area Network (VLAN) ID | int32 |
| Mpls_label | Multiprotocol Label Switching (MPLS) label | int32 |
| Connections | Number of connections | int32 |
| Sequence_num | Flow sequence number in export order | int64 |
| IPAddress fc_ip | Flow Collector IP | int64 |
| ExtFlowExporter | See table 3 below | -- |
| Encrypted Traffic Analytics (ETA) Fields | See table 4 below | -- |
Table 2: ExtFlowHost Fields
The following table provides information about the fields within the ExtFlowHost client and server:
| Name | Description | Type |
|---|---|---|
| IPAddress ip | IP address of host endpoint | int64 |
| port | Port used with TCP or UDP | int32 |
| IPAddress xlate_ip | Translated IP Address | int64 |
| xlate_port | Translated port with TCP or UDP | int32 |
| MacAddress mac | MAC address | int64 |
| asn | Autonomous System Number | int32 |
| Bytes payload_ex | Field to store extra payload | array of byts |
| Group_list | List of group IDs | int32 |
| Num_bytes | Number of bytes sourced | int64 |
| Num_packets | Number of packets sourced | int64 |
Table 3: ExtFlowExporter Fields
The following table provides information about the ExtFlowExporter fields:
| Name | Description | Type |
|---|---|---|
| ExtFlowExporter exporters | List of exporters | int64 |
| IPAddress ip | IP Address | int64 |
| interface | Interface number | int32 |
Table 4: Encrypted Traffic Analytics (ETA) Fields
The following table provides information about ETA fields, if you have ETA enabled routers and switches:
| Name | Description |
|---|---|
| Selected Ciper Suite | List of up to N cipher suites offered by the client, or selected by the server in a TLS flow |
| Initial Data Packet (IDP) | Content of the first packet of ETA flow that contains actual payload data, starting at the beginning of the IP header |
| Byte Distribution (BD) | Frequency of occurrence for each byte value or (range of values) in the first N bytes of application payload for a flow |
| TLS Version | TLS version number observed in the TLS Hello message for a flow |
| TLS Session ID | Session ID value observed (if any) in the TLS Hello message for a flow |
| Sequence of Packet Lengths and Times (SPLT) | Length of each packet’s application payload for the first several packets of a flow, along with the interarrival times of those packets |