I am confused about the range of field IDs that are supported in NetFlow v9. I am getting varied data from online sources: 79, 127, 128.

I got the above information from

  1. (79) - NetFlow v9 has a set of 79 field types defined, whereas IPFIX has the same 79, for backwards compatibility, but then goes all the way from there up to 238. (https://www.ittsystems.com/netflow-vs-ipfix/)
  2. (87) - https://www.plixer.com/support/netflow-v9/
  3. (127) - There are 1 to 127 fields listed here https://www.ibm.com/support/knowledgecenter/en/SSCVHB_1.1.0/collector/cnpi_collector_v9_fiels_types.html.
  4. (128) - Values 0-127: NFv9-compatible https://www.iana.org/assignments/ipfix/ipfix.xhtml

A customer using Cisco ASA said NetFlow v9 supports field 233 (FW_EVENT) and wanted to check if our flow format supports that.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-data-zbf-log.pdf

My question:

  1. As a developer, what range of fields (numbers) can I use in NetFlow v9?
  2. Can I use anything above 128? How is Cisco doing this?
Kingkong Jnr

1 Answer

Cisco NetFlow V9 and IPFIX are largely the same and differ only in minor details. Both represent the field ID ('Field Type' in NFV9 and 'Field Specifier' in IPFIX) with a 16-bit field. All 16-bit values (65536) may be considered valid.

The original NFV9 RFC gave specifications of the first 79 values, and states that the Cisco website will provide more details. Quote:

When extensibility is required, the new field types will be added to the list. The new field types have to be updated on the Exporter and Collector but the NetFlow export format would remain unchanged. Refer to the latest documentation at http://www.cisco.com for the newly updated list.

The Cisco website provides specifications for field IDs up to 128 and then states that field IDs 128 to 32768 match those in the IANA IPFIX field registry.

The IANA IPFIX registry currently lists specifications of approximately 500 fields.

The definition of the IPFIX Field Specifier provides that values with the top 'Enterprise' bit set (values 32768 and greater) are 'enterprise-specific', and the authority for the specifications of those will be given by the following Enterprise number.

From a pragmatic point of view, in the case of Netflow V9, you are unlikely to see values greater than 500 in flow records.

If none of the approx 500 fields already defined in the IANA IPFIX registry meet your use case, you can submit new field specifications for consideration.

NickBroon
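
As an added example (not part of the original question or answer), here is a short Python parser for a NetFlow v9 Template FlowSet that buckets each 16-bit field type into the ranges discussed in the answer and rejects templates whose field count runs past the FlowSet length. The sample bytes are constructed; template ID 260, field type 40000 and the bucket names are this example's own assumptions.

```python
import struct

def classify(field_type):
    """Bucket a 16-bit field type using the ranges described in the answer."""
    if field_type >= 0x8000:      # top bit set: 'enterprise-specific' in IPFIX
        return "enterprise-bit"
    if field_type >= 128:         # matches the IANA IPFIX registry
        return "iana-ipfix"
    return "nfv9"                 # original NetFlow v9 / Cisco-listed range

def parse_template_flowset(buf):
    """Parse one NetFlow v9 Template FlowSet (FlowSet ID 0, RFC 3954 layout).

    Returns {template_id: [(field_type, field_length, bucket), ...]}.
    """
    if len(buf) < 4:
        raise ValueError("truncated FlowSet header")
    flowset_id, length = struct.unpack_from("!HH", buf, 0)
    if flowset_id != 0:
        raise ValueError("not a Template FlowSet")
    if length < 4 or length > len(buf):
        raise ValueError("FlowSet length does not fit the buffer")
    templates, off = {}, 4
    while length - off >= 4:
        template_id, count = struct.unpack_from("!HH", buf, off)
        off += 4
        if template_id < 256:     # reserved IDs: treat the rest as padding
            break
        if off + 4 * count > length:
            raise ValueError("field count runs past the FlowSet length")
        fields = []
        for _ in range(count):
            ftype, flen = struct.unpack_from("!HH", buf, off)
            off += 4
            fields.append((ftype, flen, classify(ftype)))
        templates[template_id] = fields
    return templates

# Constructed sample: template 260 with fields 8, 12, 233 (FW_EVENT) and 40000.
SAMPLE = struct.pack("!HHHH", 0, 24, 260, 4) + struct.pack(
    "!8H", 8, 4, 12, 4, 233, 1, 40000, 4)

if __name__ == "__main__":
    for tid, fields in parse_template_flowset(SAMPLE).items():
        for ftype, flen, bucket in fields:
            print(f"template {tid}: type {ftype:5d} len {flen} -> {bucket}")
```

A collector built this way can store or skip field types it has no specification for, because the template always carries the length of each field.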