NXLog Legacy Documentation

NetFlow (xm_netflow)

This module provides a parser for NetFlow payloads collected over UDP using im_udp. It supports the following NetFlow protocol versions: v1, v5, v7, v9, and IPFIX.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
This module only supports parsing NetFlow data received as UDP datagrams and does not support TCP or SCTP.
xm_netflow uses the IP address of the exporter device to distinguish between different devices so that templates with the same name would not conflict.

The module exports an input parser which can be referenced in the UDP input instance with the InputType directive:

InputType netflow

This input reader function parses the payload and extracts NetFlow-specific fields.

Configuration

The xm_netflow module accepts the following directives in addition to the common module directives.

Optional directives

IpfixElementDefinition

The optional IpfixElementDefinition directive specifies the names and element types of a private element definition. This directive may be specified more than once if multiple private element definitions need to be loaded. It is often convenient to group the private element definitions into one or more separate configuration files that are included within the module definition.

The format of an IpfixElementDefinition is:

  IpfixElementDefinition '<PEN Name>,<PEN>,<Element Name>,<Element ID>,<Element Type>'

Where:

<Pen Name> is a text string representing the organization defining the private element.

<PEN> is the 32-bit integer Identifier of the organization defining the private element.

<Element Name> is a text string naming the private element.

<Element ID>, is the 16-bit integer Identifier of the private element.

<Element Type> is one of: [octetArray, unsigned8, unsigned16, unsigned32, unsigned64, signed8, signed16, signed32, signed64, float32, float64, boolean, macAddress, string, dateTimeSeconds, dateTimeMilliseconds, dateTimeMicroseconds, dateTimeNanoseconds, ipv4Address, ipv6Address, basicList, subTemplateList, subTemplateMultiList].

<PEN Name> and <Element Name> must comply with the naming rules of regular NXLog Fields.

Fields

The following fields are used by xm_netflow.

$raw_event (type: string)

A list of event fields in key-value pairs.

$AbsoluteError (type: string)

The maximum possible measurement error of the reported value for a given Information Element. From IPFIX flow records only.

$AnonymizationFlags (type: integer)

A flag word describing specialized modifications to the anonymization policy in effect for the anonymization technique applied to a referenced Information Element within a referenced Template. From IPFIX flow records only.

$AnonymizationTechnique (type: integer)

A description of the anonymization technique applied to a referenced Information Element within a referenced Template. From IPFIX flow records only.

$ApplicationCategoryName (type: string)

An attribute that provides a first level categorization for each Application ID. From IPFIX flow records only.

$ApplicationDescription (type: string)

The description of an application. From IPFIX flow records only.

$ApplicationGroupName (type: string)

An attribute that groups multiple Application IDs that belong to the same networking application. From IPFIX flow records only.

$ApplicationId (type: binary)

An Application ID per RFC 6759. From IPFIX flow records only.

$ApplicationName (type: string)

The name of an application. From IPFIX flow records only.

$ApplicationSubCategoryName (type: string)

An attribute that provides a second level categorization for each Application ID. From IPFIX flow records only.

$ASA84event (type: integer)

The high-level event code (ASA NSEL 8.4 compatibility). From NetFlow v9 flow records only.

$ASA_84XlateDestPort (type: integer)

The post NATT destination transport port (ASA NSEL 8.4 compatibility). From NetFlow v9 flow records only.

$ASA_84XlateSourcePort (type: integer)

The post NATT source transport port (ASA NSEL 8.4 compatibility). From NetFlow v9 flow records only.

$ASA_Bytes (type: integer)

A running byte counter for a permanent flow (ASA NSEL). From NetFlow v9 flow records only.

$ASA_EgressACL (type: binary)

The output ACL that permitted or denied a flow (ASA NSEL). From NetFlow v9 flow records only.

$ASA_FlowDeltaBytes (type: integer)

The delta number of bytes from source to destination (ASA NSEL). From NetFlow v9 flow records only.

$ASA_ICMPCodeV6 (type: integer)

The ICMP IPv6 code value (ASA NSEL). From NetFlow v9 flow records only.

$ASA_ICMPTypeV6 (type: integer)

The ICMP IPv6 type value (ASA NSEL). From NetFlow v9 flow records only.

$ASA_IngressACL (type: binary)

The input ACL that permitted or denied the flow (ASA NSEL). From NetFlow v9 flow records only.

$ASA_RevFlowDeltaBytes (type: integer)

The delta number of bytes from destination to source (ASA NSEL). From NetFlow v9 flow records only.

$ASA_UserName20 (type: string)

The AAA username (ASA NSEL). From NetFlow v9 flow records only.

$ASA_UserName65 (type: string)

The AAA username of maximum permitted size (ASA NSEL). From NetFlow v9 flow records only.

$ASA_V4XlateDestAddr (type: ipaddr)

The post NAT destination IPv4 address (ASR 1000 NEL or ASA NSEL 8.4 compatibility). From NetFlow v9 flow records only.

$ASA_V4XlateSourceAddr (type: ipaddr)

The post NAT source IPv4 address (ASR 1000 NEL or ASA NSEL 8.4 compatibility). From NetFlow v9 flow records only.

$ASA_V6XlateDestAddr (type: ipaddr)

The post NAT destination IPv6 address (ASA NSEL). From NetFlow v9 flow records only.

$ASA_V6XlateSourceAddr (type: ipaddr)

The post NAT source IPv6 address (ASA NSEL). From NetFlow v9 flow records only.

$ASA_XlateDestPort (type: integer)

The post NATT destination transport port (ASR 1000 NEL). From NetFlow v9 flow records only.

$ASA_XlateSourcePort (type: integer)

The post NATT source transport port (ASR 1000 NEL). From NetFlow v9 flow records only.

$ASAconnID (type: integer)

An identifier of a unique flow for the device (ASA NSEL). From NetFlow v9 flow records only.

$ASAevent (type: integer)

The high-level event code (ASA NSEL). From NetFlow v9 flow records only.

$ASAeventTime (type: datetime)

The time the event occurred in milliseconds (ASA NSEL). From NetFlow v9 flow records only.

$ASAextEvent (type: integer)

The extended event code (ASA NSEL). From NetFlow v9 flow records only.

$BasicList (type: string)

Specifies a generic Information Element with a basicList abstract data type. From IPFIX flow records only.

$BgpDestinationAsNumber (type: integer)

The autonomous system (AS) number of the destination IP address. From IPFIX flow records only.

$BgpNextAdjacentAsNumber (type: integer)

The autonomous system (AS) number of the first AS in the AS path to the destination IP address. From IPFIX flow records only.

$BGPNextAutonomousSystem (type: integer)

The autonomous system (AS) number of the first AS in the AS path to the destination IP address. From NetFlow v9 flow records only.

$BgpNextHopIPv4Address (type: ipaddr)

The IPv4 address of the next (adjacent) BGP hop. From IPFIX flow records only.

$BgpNextHopIPv6Address (type: ipaddr)

The IPv6 address of the next (adjacent) BGP hop. From IPFIX flow records only.

$BgpPrevAdjacentAsNumber (type: integer)

The autonomous system (AS) number of the last AS in the AS path from the source IP address. From IPFIX flow records only.

$BGPPrevAutonomousSystem (type: integer)

The autonomous system (AS) number of the last AS in the AS path from the source IP address. From NetFlow v9 flow records only.

$BgpSourceAsNumber (type: integer)

The autonomous system (AS) number of the source IP address. From IPFIX flow records only.

$BgpValidityState (type: integer)

Describes the "validity state" of the BGP route correspondent source or destination IP address. From IPFIX flow records only.

$BiflowDirection (type: integer)

A description of the direction assignment method used to assign the Biflow Source and Destination. From IPFIX flow records only.

$Bytes (type: integer)

The total number of layer 3 bytes in the packets of the flow. From NetFlow v1/v5/v7 flow records only.

$ClassId (type: integer)

The traffic class ID (deprecated in favor of $SelectorId). From IPFIX flow records only.

$ClassificationEngineId (type: integer)

A unique identifier for the engine that determined the Selector ID. From IPFIX flow records only.

$ClassName (type: string)

The Traffic Class Name (deprecated in favor of $SelectorName). From IPFIX flow records only.

$CollectionTimeMilliseconds (type: datetime)

The absolute timestamp at which data within the scope was received by a Collecting Process. From IPFIX flow records only.

$CollectorCertificate (type: binary)

The full X.509 certificate, encoded in ASN.1 DER format, used by the Collector when IPFIX Messages were transmitted using TLS or DTLS. From IPFIX flow records only.

$CollectorIPv4Address (type: ipaddr)

An IPv4 address to which the Exporting Process sends Flow information. From IPFIX flow records only.

$CollectorIPv6Address (type: ipaddr)

An IPv6 address to which the Exporting Process sends Flow information. From IPFIX flow records only.

$CollectorTransportPort (type: integer)

The destination port identifier to which the Exporting Process sends Flow information. From IPFIX flow records only.

$CommonPropertiesId (type: integer)

An identifier of a set of common properties that is unique per Observation Domain and Transport Session. From IPFIX flow records only.

$ConfidenceLevel (type: string)

Specifies the confidence level. From IPFIX flow records only.

$ConnectionSumDurationSeconds (type: integer)

The total time in seconds for all of the TCP or UDP connections which were in use during the observation period. From IPFIX flow records only.

$ConnectionTransactionId (type: integer)

Identifies a transaction within a connection. From IPFIX flow records only.

$CumulativeTCPFlags (type: integer)

A cumulative OR of the TCP flags. From NetFlow v1/v5/v7 flow records only.

$DataLinkFrameSection (type: binary)

A series of octets from the data link frame of a selected frame. From IPFIX flow records only.

$DataLinkFrameSize (type: integer)

Specifies the length of the selected data link frame. From IPFIX flow records only.

$DataLinkFrameType (type: integer)

Specifies the type of the selected data link frame. From IPFIX flow records only.

$DataRecordsReliability (type: boolean)

The export reliability of Data Records, within this SCTP stream, for the element(s) in the Options Template scope. From IPFIX flow records only.

$DeltaFlowCount (type: integer)

The conservative count of Original Flows contributing to this Aggregated Flow. From IPFIX flow records only.

$DestAddrPrefixMaskBits (type: integer)

The destination address prefix mask bits. From NetFlow v5/v7 flow records only.

$DestAutonomousSystem (type: integer)

The autonomous system (AS) number of the destination. From NetFlow v5/v7/v9 flow records only.

$DestinationIPv4Address (type: ipaddr)

The IPv4 destination address in the IP packet header. From IPFIX flow records only.

$DestinationIPv4Prefix (type: ipaddr)

The IPv4 destination address prefix. From IPFIX flow records only.

$DestinationIPv4PrefixLength (type: integer)

The number of contiguous bits that are relevant in the destination IPv4 Prefix Information Element. From IPFIX flow records only.

$DestinationIPv6Address (type: ipaddr)

The IPv6 destination address in the IP packet header. From IPFIX flow records only.

$DestinationIPv6Prefix (type: ipaddr)

The IPv6 destination address prefix. From IPFIX flow records only.

$DestinationIPv6PrefixLength (type: integer)

The number of contiguous bits that are relevant in the destination IPv6 Prefix Information Element. From IPFIX flow records only.

$DestinationMacAddress (type: string)

The IEEE 802 destination MAC address field. From IPFIX flow records only.

$DestinationTransportPort (type: integer)

The destination port identifier in the transport header. From IPFIX flow records only.

$DestIpAddress (type: ipaddr)

The destination IP address. From NetFlow v1/v5/v7 flow records only.

$DestIPv4Address (type: ipaddr)

The IPv4 destination address. From NetFlow v9 flow records only.

$DestIPv6Address (type: ipaddr)

The IPv6 destination address. From NetFlow v9 flow records only.

$DestPort (type: integer)

The TCP/UDP destination port number (or equivalent). From NetFlow v1/v5/v7/v9 flow records only.

$DestTypeOfService (type: integer)

The Type of Service (ToS) byte setting when exiting the outgoing interface. From NetFlow v9 flow records only.

$DestV4Mask (type: integer)

The number of contiguous bits in the destination address subnet mask (the sub-mask in slash notation). From NetFlow v9 flow records only.

$DestV6Mask (type: integer)

The length of the IPv6 destination mask in contiguous bits. From NetFlow v9 flow records only.

$DestVlan (type: integer)

The virtual LAN identifier associated with the egress interface. From NetFlow v9 flow records only.

$DigestHashValue (type: integer)

The value from the digest hash function. From IPFIX flow records only.

$Direction (type: integer)

The flow direction. From NetFlow v9 flow records only.

$DistinctCountOfDestinationIPAddress (type: integer)

The count of distinct destination IP address values for Original Flows contributing to this Aggregated Flow, without regard to IP version. From IPFIX flow records only.

$DistinctCountOfDestinationIPv4Address (type: integer)

The count of distinct destination IPv4 address values for Original Flows contributing to this Aggregated Flow. From IPFIX flow records only.

$DistinctCountOfDestinationIPv6Address (type: integer)

The count of distinct destination IPv6 address values for Original Flows contributing to this Aggregated Flow. From IPFIX flow records only.

$DistinctCountOfSourceIPAddress (type: integer)

The count of distinct source IP address values for Original Flows contributing to this Aggregated Flow, without regard to IP version. From IPFIX flow records only.

$DistinctCountOfSourceIPv4Address (type: integer)

The count of distinct source IPv4 address values for Original Flows contributing to this Aggregated Flow. From IPFIX flow records only.

$DistinctCountOfSourceIPv6Address (type: integer)

The count of distinct source IPv6 address values for Original Flows contributing to this Aggregated Flow. From IPFIX flow records only.

$Dot1qCustomerDEI (type: boolean)

In case of a QinQ frame, this represents the inner tag’s Drop Eligible Indicator (DEI) field; in case of an IEEE 802.1ad frame it represents the DEI field of the C-TAG. From IPFIX flow records only.

$Dot1qCustomerDestinationMacAddress (type: string)

The value of the Encapsulated Customer Destination Address (C-DA) portion of the Backbone Service Instance Tag (I-TAG) Tag Control Information (TCI) field of an Ethernet frame as described in IEEE 802.1Q. From IPFIX flow records only.

$Dot1qCustomerPriority (type: integer)

This value represents the 3-bit Priority Code Point (PCP) portion of the Customer VLAN Tag (C-TAG) Tag Control Information (TCI) field as described in IEEE 802.1Q. From IPFIX flow records only.

$Dot1qCustomerSourceMacAddress (type: string)

The value of the Encapsulated Customer Source Address (C-SA) portion of the Backbone Service Instance Tag (I-TAG) Tag Control Information (TCI) field of an Ethernet frame as described in IEEE 802.1Q. From IPFIX flow records only.

$Dot1qCustomerVlanId (type: integer)

This value represents the Customer VLAN identifier in the Customer VLAN Tag (C-TAG) Tag Control Information (TCI) field as described in IEEE 802.1Q. From IPFIX flow records only.

$Dot1qDEI (type: boolean)

The value of the 1-bit Drop Eligible Indicator (DEI) field of the VLAN tag as described in 802.1Q-2011 subclause 9.6. From IPFIX flow records only.

$Dot1qPriority (type: integer)

The value of the 3-bit User Priority portion of the Tag Control Information field of an Ethernet frame. From IPFIX flow records only.

$Dot1qServiceInstanceId (type: integer)

The value of the 24-bit Backbone Service Instance Identifier (I-SID) portion of the Backbone Service Instance Tag (I-TAG) Tag Control Information (TCI) field of an Ethernet frame as described in IEEE 802.1Q. From IPFIX flow records only.

$Dot1qServiceInstancePriority (type: integer)

The value of the 3-bit Backbone Service Instance Priority Code Point (I-PCP) portion of the Backbone Service Instance Tag (I-TAG) Tag Control Information (TCI) field of an Ethernet frame as described in IEEE 802.1Q. From IPFIX flow records only.

$Dot1qServiceInstanceTag (type: binary)

Represents the Backbone Service Instance Tag (I-TAG) Tag Control Information (TCI) field of an Ethernet frame as described in IEEE 802.1Q. From IPFIX flow records only.

$Dot1qVlanId (type: integer)

The value of the 12-bit VLAN Identifier portion of the Tag Control Information field of an Ethernet frame. From IPFIX flow records only.

$DroppedLayer2OctetDeltaCount (type: integer)

The number of layer 2 octets since the previous report (if any) in packets of this Flow dropped by packet treatment. From IPFIX flow records only.

$DroppedLayer2OctetTotalCount (type: integer)

The total number of octets in observed layer 2 packets (including the layer 2 header) that were dropped by packet treatment since the (re-)initialization of the Metering Process. From IPFIX flow records only.

$DroppedOctetDeltaCount (type: integer)

The number of octets since the previous report (if any) in packets of this Flow dropped by packet treatment. From IPFIX flow records only.

$DroppedOctetTotalCount (type: integer)

The total number of octets in this Flow dropped by packet treatment since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$DroppedPacketDeltaCount (type: integer)

The number of packets since the previous report (if any) of this Flow dropped by packet treatment. From IPFIX flow records only.

$DroppedPacketTotalCount (type: integer)

The number of packets of this Flow dropped by packet treatment since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$DstTrafficIndex (type: integer)

The BGP Policy Accounting Destination Traffic Index. From IPFIX flow records only.

$DuplicateTemplate (type: string)

The contents of a duplicate record. From IPFIX flow records only.

$EgressBroadcastPacketTotalCount (type: integer)

The total number of outgoing broadcast packets metered at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$EgressInterface (type: integer)

The index of the IP interface where packets of this Flow are being sent. From IPFIX flow records only.

$EgressInterfaceType (type: integer)

The type of interface where packets of this Flow are being sent. From IPFIX flow records only.

$EgressPhysicalInterface (type: integer)

The index of a networking device’s physical interface where packets of this flow are being sent. From IPFIX flow records only.

$EgressUnicastPacketTotalCount (type: integer)

The total number of outgoing unicast packets metered at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$EgressVRFID (type: integer)

A unique identifier of the VRFname where the packets of this flow are being sent. From IPFIX flow records only.

$ElementX (type: binary)

An element with an unrecognised elementID of X, where X is an integer. From IPFIX flow records only.

$EncryptedTechnology (type: string)

Specifies if the Application ID is an encrypted networking protocol. From IPFIX flow records only.

$EngineId (type: integer)

The ID number of the flow switching engine (deprecated in IPFIX). From NetFlow v9 and IPFIX flow records only.

$EngineType (type: integer)

The type of flow switching engine in a router/switch. From NetFlow v9 and IPFIX flow records only.

$EthernetHeaderLength (type: integer)

The difference between the length of an Ethernet frame (minus the FCS) and the length of its MAC Client Data section (including any padding) as defined in section 3.1 of IEEE 802-3.2005. From IPFIX flow records only.

$EthernetPayloadLength (type: integer)

The length of the MAC Client Data section (including any padding) of a frame as defined in section 3.1 of IEEE 802-3.2005. From IPFIX flow records only.

$EthernetTotalLength (type: integer)

The total length of the Ethernet frame (excluding the Preamble, SFD, Extension, and FCS fields) as described in section 3.1 of IEEE 802-3.2005. From IPFIX flow records only.

$EthernetType (type: integer)

The Ethernet type field of an Ethernet frame that identifies the MAC client protocol carried in the payload as defined in paragraph 1.4.349 of IEEE 802-3.2005. From IPFIX flow records only.

$ExportedFlowRecordTotalCount (type: integer)

The total number of Flow Records that the Exporting Process has sent as Data Records since the Exporting Process (re-)initialization to a particular Collecting Process. From IPFIX flow records only.

$ExportedMessageTotalCount (type: integer)

The total number of IPFIX Messages that the Exporting Process has sent since the Exporting Process (re-)initialization to a particular Collecting Process. From IPFIX flow records only.

$ExportedOctetTotalCount (type: integer)

The total number of octets that the Exporting Process has sent since the Exporting Process (re-)initialization to a particular Collecting Process. From IPFIX flow records only.

$ExporterCertificate (type: binary)

The full X.509 certificate, encoded in ASN.1 DER format, used by the Collector when IPFIX Messages were transmitted using TLS or DTLS. From IPFIX flow records only.

$ExporterIPv4Address (type: ipaddr)

The IPv4 address used by the Exporting Process. From IPFIX flow records only.

$ExporterIPv6Address (type: ipaddr)

The IPv6 address used by the Exporting Process. From IPFIX flow records only.

$ExporterTransportPort (type: integer)

The source port identifier from which the Exporting Process sends Flow information. From IPFIX flow records only.

$ExportingProcessId (type: integer)

An identifier of an Exporting Process that is unique per IPFIX Device. From IPFIX flow records only.

$ExportInterface (type: integer)

The index of the interface from which IPFIX Messages sent by the Exporting Process to a Collector leave the IPFIX Device. From IPFIX flow records only.

$ExportProtocolVersion (type: integer)

The protocol version used by the Exporting Process for sending Flow information. From IPFIX flow records only.

$ExportSctpStreamId (type: integer)

The value of the SCTP Stream Identifier used by the Exporting Process for exporting IPFIX Message data. From IPFIX flow records only.

$ExportTime (type: datetime)

The export time, in seconds since the epoch UTC. From the NetFlow v1/v5/v7/v9 and IPFIX flow header.

$ExportTransportProtocol (type: integer)

The value of the protocol number used by the Exporting Process for sending Flow information. From IPFIX flow records only.

$FirewallEvent (type: integer)

Indicates a firewall event. From IPFIX flow records only.

$Flags (type: integer)

Flags indicating, among other things, what flows are invalid. From NetFlow v7 flow records only.

$FlagsAndSamplerId (type: integer)

Flow flags and the value of the sampler ID combined (deprecated). From IPFIX flow records only.

$FlowActiveTimeout (type: integer)

The number of seconds after which an active Flow is timed out, even if there is still a continuous flow of packets. From IPFIX flow records only.

$FlowDirection (type: integer)

The direction of the Flow observed at the Observation Point. From IPFIX flow records only.

$FlowDurationMicroseconds (type: integer)

The difference in time between the first observed packet of this Flow and the last observed packet of this Flow, microseconds. From IPFIX flow records only.

$FlowDurationMilliseconds (type: integer)

The difference in time between the first observed packet of this Flow and the last observed packet of this Flow, milliseconds. From IPFIX flow records only.

$FlowEnd (type: datetime)

The system uptime when the last packet of this flow was switched. For IPFIX, the absolute timestamp of the last packet of this Flow. From NetFlow v1/v5/v7/v9 and IPFIX flow records.

$FlowEndDeltaMicroseconds (type: datetime)

A relative timestamp only valid within the scope of a single IPFIX Message, containing the negative time offset of the last observed packet of this Flow relative to the export time specified in the IPFIX Message Header. From IPFIX flow records only.

$FlowEndReason (type: integer)

The reason for Flow termination. From IPFIX flow records only.

$FlowEndSysUpTime (type: datetime)

The relative timestamp of the last packet of this Flow. From IPFIX flow records only.

$FlowId (type: integer)

An identifier of a Flow that is unique within an Observation Domain. From IPFIX flow records only.

$FlowIdleTimeout (type: integer)

A Flow is considered to be timed out if no packets belonging to the Flow have been observed for the number of seconds specified by this field. From IPFIX flow records only.

$FlowKeyIndicator (type: integer)

A set of bit fields used for marking the Information Elements of a Data Record that serve as Flow key. From IPFIX flow records only.

$FlowLabelIPv6 (type: integer)

The value of the IPv6 Flow Label field in the IP packet header. From IPFIX flow records only.

$Flows (type: integer)

Number of flows that were aggregated. From NetFlow v9 flow records only.

$FlowSamplingTimeInterval (type: integer)

Specifies the time interval in microseconds during which all arriving Flows are sampled. From IPFIX flow records only.

$FlowSamplingTimeSpacing (type: integer)

Specifies the time interval in microseconds between two $FlowSamplingTimeIntervals. From IPFIX flow records only.

$FlowSelectedFlowDeltaCount (type: integer)

Specifies the number of Flows that were selected in the Intermediate Flow Selection Process since the last report. From IPFIX flow records only.

$FlowSelectedOctetDeltaCount (type: integer)

Specifies the volume in octets of all Flows that were selected in the Intermediate Flow Selection Process since the previous report. From IPFIX flow records only.

$FlowSelectedPacketDeltaCount (type: integer)

Specifies the volume in packets of all Flows that were selected in the Intermediate Flow Selection Process since the previous report. From IPFIX flow records only.

$FlowSelectorAlgorithm (type: integer)

Identifies the Intermediate Flow Selection Process technique that is applied by the Intermediate Flow Selection Process. From IPFIX flow records only.

$FlowStart (type: datetime)

The system uptime when the first packet of this flow was switched. For IPFIX, the absolute timestamp of the first packet of this Flow. From NetFlow v1/v5/v7/v9 and IPFIX flow records.

$FlowStartDeltaMicroseconds (type: datetime)

A relative timestamp only valid within the scope of a single IPFIX Message, containing the negative time offset of the first observed packet of this Flow relative to the export time specified in the IPFIX Message Header. From IPFIX flow records only.

$FlowStartSysUpTime (type: datetime)

The relative timestamp of the first packet of this Flow. From IPFIX flow records only.

$FNF_ICMPCode (type: integer)

The ICMP code value (ASA NSEL). From NetFlow v9 flow records only.

$FNF_ICMPType (type: integer)

The ICMP type value (ASA NSEL). From NetFlow v9 flow records only.

$ForwardingStatus (type: integer)

The forwarding status of the flow and any attached reasons. From NetFlow v9 and IPFIX flow records only.

$FragmentFlags (type: integer)

The fragmentation properties indicated by flags in the IPv4 packet header or the IPv6 Fragment header. From IPFIX flow records only.

$FragmentIdentification (type: integer)

The value of the Identification field in the IPv4 packet header or in the IPv6 Fragment header. From IPFIX flow records only.

$FragmentOffset (type: integer)

The value of the IP frament offset field in the IPv4 packet header or the IPv6 Fragment header. From IPFIX flow records only.

$GreKey (type: integer)

The GRE key, which is used for identifying an individual traffic flow within a tunnel. From IPFIX flow records only.

$HashDigestOutput (type: boolean)

A boolean value, TRUE if the output from this hash Selector has been configured to be included in the packet report as a packet digest. From IPFIX flow records only.

$HashFlowDomain (type: integer)

Specifies the Information Elements that are used by the Hash-based Flow Selector as the Hash Domain. From IPFIX flow records only.

$HashInitialiserValue (type: integer)

Specifies the initializer value to the hash function. From IPFIX flow records only.

$HashIPPayloadOffset (type: integer)

The IP payload offset used by a Hash-based Selection Selector. From IPFIX flow records only.

$HashIPPayloadSize (type: integer)

The IP payload size used by a Hash-based Selection Selector. From IPFIX flow records only.

$HashOutputRangeMax (type: integer)

The value for the end of a hash function’s potential output range. From IPFIX flow records only.

$HashOutputRangeMin (type: integer)

The value for the beginning of a hash function’s potential output range. From IPFIX flow records only.

$HashSelectedRangeMax (type: integer)

The value for the end of a hash function’s selected range. From IPFIX flow records only.

$HashSelectedRangeMin (type: integer)

The value for the beginning of a hash function’s selected range. From IPFIX flow records only.

$IcmpCodeIPv4 (type: integer)

The code of the IPv4 ICMP message. From IPFIX flow records only.

$IcmpCodeIPv6 (type: integer)

The code of the IPv6 ICMP message. From IPFIX flow records only.

$IcmpTypeCodeIPv4 (type: integer)

The type and code of the IPv4 ICMP message, reported as ((ICMP type × 256) + ICMP code). From IPFIX flow records only.

$IcmpTypeCodeIPv6 (type: integer)

The type and code of the IPv6 ICMP message, reported as ((ICMP type × 256) + ICMP code). From IPFIX flow records only.

$IcmpTypeIPv4 (type: integer)

The type of the IPv4 ICMP message. From IPFIX flow records only.

$IcmpTypeIPv6 (type: integer)

The type of the IPv6 ICMP message. From IPFIX flow records only.

$IgmpType (type: integer)

The type field of the IGMP message. From IPFIX flow records only.

$IgnoredDataRecordTotalCount (type: integer)

The total number of received Data Records that the Intermediate Process did not process since the (re-)initialization of the Intermediate Process. From IPFIX flow records only.

$IgnoredLayer2FrameTotalCount (type: integer)

The total number of observed layer 2 frames that the Metering Process did not process since the (re-)initialization of the Metering Process. From IPFIX flow records only.

$IgnoredLayer2OctetTotalCount (type: integer)

The total number of octets in observed layer 2 packets (including the layer 2 header) that were generated by the Metering Process and dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process. From IPFIX flow records only.

$IgnoredOctetTotalCount (type: integer)

The total number of octets in observed IP packets (including the IP header) that the Metering Process did not process since the (re-)initialization of the Metering Process. From IPFIX flow records only.

$IgnoredPacketTotalCount (type: integer)

The total number of observed IP packets that the Metering Process did not process since the (re-)initialization of the Metering Process. From IPFIX flow records only.

$InBytes (type: integer)

The number of incoming bytes associated with an IP Flow. From NetFlow v9 flow records only.

$InDestMac (type: string)

The incoming destination MAC address. From NetFlow v9 flow records only.

$InformationElementDataType (type: integer)

A description of the abstract data type of an IPFIX information element. From IPFIX flow records only.

$InformationElementDescription (type: string)

A UTF-8 encoded Unicode string containing a human-readable description of an Information Element. From IPFIX flow records only.

$InformationElementId (type: integer)

The ID of another Information Element. From IPFIX flow records only.

$InformationElementIndex (type: integer)

A zero-based index of an Information Element referenced by $InformationElementId within a Template referenced by $TemplateId, used to disambiguate scope for templates containing multiple identical Information Elements. From IPFIX flow records only.

$InformationElementName (type: string)

A UTF-8 encoded Unicode string containing the name of an Information Element. From IPFIX flow records only.

$InformationElementRangeBegin (type: integer)

The inclusive low end of the range of acceptable values for an Information Element. From IPFIX flow records only.

$InformationElementRangeEnd (type: integer)

The inclusive high end of the range of acceptable values for an Information Element. From IPFIX flow records only.

$InformationElementSemantics (type: integer)

A description of the semantics of an IPFIX Information Element. From IPFIX flow records only.

$InformationElementUnits (type: integer)

A description of the units of an IPFIX Information Element. From IPFIX flow records only.

$IngressBroadcastPacketTotalCount (type: integer)

The total number of incoming broadcast packets metered at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$IngressInterface (type: integer)

The index of the IP interface where packets of this Flow are being received. From IPFIX flow records only.

$IngressInterfaceType (type: integer)

The type of interface where packets of this Flow are being received. From IPFIX flow records only.

$IngressMulticastPacketTotalCount (type: integer)

The total number of incoming multicast packets metered at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$IngressPhysicalInterface (type: integer)

The index of a networking device’s physical interface where packets of this flow are being received. From IPFIX flow records only.

$IngressUnicastPacketTotalCount (type: integer)

The total number of incoming unicast packets metered at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$IngressVRFID (type: integer)

A unique identifier of the VRFname where the packets of this flow are being received. From IPFIX flow records only.

$InitiatorOctets (type: integer)

The total number of layer 4 payload bytes in a flow from the initiator. From IPFIX flow records only.

$InitiatorPackets (type: integer)

The total number of layer 4 packets in a flow from the initiator. From IPFIX flow records only.

$InPackets (type: integer)

The number of incoming packets associated with an IP Flow. From NetFlow v9 flow records only.

$InputIfaceSNMPIndex (type: integer)

The SNMP index of the input interface. From NetFlow v1/v5/v7 flow records only.

$inputSNMPIface (type: integer)

The input interface index. From NetFlow v9 flow records only.

$InSourceMac (type: string)

The incoming source MAC address. From NetFlow v9 flow records only.

$InterfaceDescription (type: string)

The description of an interface. From IPFIX flow records only.

$InterfaceName (type: string)

A short name uniquely describing the interface. From IPFIX flow records only.

$IntermediateProcessId (type: integer)

An identifier of an Intermediate Process that is unique per IPFIX Device. From IPFIX flow records only.

$IpAddressOfRouter (type: ipaddr)

The IP address of the router that is bypassed by the Catalyst 5000 series switch (the same address the router uses when it sends NetFlow export packets). From NetFlow v7 flow records only.

$IpClassOfService (type: integer)

The value of the TOS field in the IPv4 packet header or the value of the Traffic Class field in the IPv6 packet header. From IPFIX flow records only.

$IpDiffServCodePoint (type: integer)

The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field. From IPFIX flow records only.

$IpHeaderLength (type: integer)

The length of the IP header. From IPFIX flow records only.

$IpHeaderPacketSection (type: binary)

A series of octets from the IP header of a sampled packet. From IPFIX flow records only.

$IpNextHopIPv4Address (type: ipaddr)

The IPv4 address of the next IPv4 hop. From IPFIX flow records only.

$IpNextHopIPv6Address (type: ipaddr)

The IPv6 address of the next IPv6 hop. From IPFIX flow records only.

$IpPayloadLength (type: integer)

The effective length of the IP payload. From IPFIX flow records only.

$IpPayloadPacketSection (type: binary)

A series of octets from the IP payload of a sampled packet. From IPFIX flow records only.

$IpPrecedence (type: integer)

The value of the IP Precedence. From IPFIX flow records only.

$IPSecSPI (type: integer)

The IPSec Security Parameters Index (SPI). From IPFIX flow records only.

$IpTotalLength (type: integer)

The total length of the IP packet. From IPFIX flow records only.

$IpTTL (type: integer)

The value of the Time to Live (TTL) field in the IPv4 packet header or the value of the Hop Limit field in the IPv6 packet header. From IPFIX flow records only.

$Ipv4IHL (type: integer)

The value of the Internet Header Length (IHL) field in the IPv4 header. From IPFIX flow records only.

$Ipv4Options (type: integer)

The IPv4 options in packets of this Flow. From IPFIX flow records only.

$Ipv4RouterSc (type: ipaddr)

The address of a router that is being shortcut when performing MultiLayer Switching, for the Catalyst 5000/6000 family platforms (deprecated). From IPFIX flow records only.

$Ipv6ExtensionHeaders (type: integer)

The IPv6 extension headers observed in packets of this Flow. From IPFIX flow records only.

$IpVersion (type: integer)

The IP version field in the IP packet header. From IPFIX flow records only.

$IsMulticast (type: integer)

The value of all bits of the octet if the IP destination address is not a reserved multicast address. From IPFIX flow records only.

$Layer2FrameDeltaCount (type: integer)

The number of incoming layer 2 frames since the previous report (if any) for this Flow at the Observation Point. From IPFIX flow records only.

$Layer2FrameTotalCount (type: integer)

The total number of incoming layer 2 frames for this Flow at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$Layer2OctetDeltaCount (type: integer)

The number of layer 2 octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. From IPFIX flow records only.

$Layer2OctetDeltaSumOfSquares (type: integer)

The sum of the squared numbers of layer 2 octets per incoming packet since the previous report (if any) for this Flow at the Observation Point. From IPFIX flow records only.

$Layer2OctetTotalCount (type: integer)

The total number of layer 2 octets in incoming packets for this Flow at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$Layer2OctetTotalSumOfSquares (type: integer)

The total sum of the squared numbers of layer 2 octets in incoming packets for this Flow at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$Layer2packetSectionData (type: binary)

The layer 2 packet section data (deprecated in favor of $DataLinkFrameSection). From IPFIX flow records only.

$Layer2packetSectionOffset (type: integer)

The layer 2 packet section offset (deprecated in favor of $SectionOffset). From IPFIX flow records only.

$Layer2packetSectionSize (type: integer)

The layer 2 packet section size (deprecated in favor of $DataLinkFrameSize). From IPFIX flow records only.

$Layer2SegmentId (type: integer)

The identifier of a layer 2 network segment in an overlay network. From IPFIX flow records only.

$LineCardId (type: integer)

An identifier of a line card that is unique per IPFIX Device hosting an Observation Point. From IPFIX flow records only.

$LowerCILimit (type: string)

Specifies the lower limit of a confidence interval. From IPFIX flow records only.

$MaxExportSeconds (type: datetime)

The absolute Export Time of the latest IPFIX Message within the scope. From IPFIX flow records only.

$MaxFlowEndMicroseconds (type: datetime)

The latest absolute timestamp of the last packet within any Flow within the scope, rounded up to the microsecond if necessary. From IPFIX flow records only.

$MaxFlowEndMilliseconds (type: datetime)

The latest absolute timestamp of the last packet within any Flow within the scope, rounded up to the millisecond if necessary. From IPFIX flow records only.

$MaxFlowEndNanoseconds (type: datetime)

The latest absolute timestamp of the last packet within any Flow within the scope. From IPFIX flow records only.

$MaxFlowEndSeconds (type: datetime)

The latest absolute timestamp of the last packet within any Flow within the scope, rounded up to the second if necessary. From IPFIX flow records only.

$MaximumIpTotalLength (type: integer)

The length of the largest packet observed for this Flow. From IPFIX flow records only.

$MaximumLayer2TotalLength (type: integer)

The layer 2 length of the largest packet observed for this Flow. From IPFIX flow records only.

$MaximumTTL (type: integer)

The maximum TTL value observed for any packet in the Flow. From IPFIX flow records only.

$MessageMD5Checksum (type: binary)

The MD5 checksum of the IPFIX Message containing this record. From IPFIX flow records only.

$MessageScope (type: integer)

The presence of this Information Element as scope in an Options Template signifies that the options described by the Template apply to the IPFIX Message that contains them. From IPFIX flow records only.

$MeteringProcessId (type: integer)

An identifier of a Metering Process that is unique per IPFIX Device. From IPFIX flow records only.

$MetroEvcId (type: string)

The EVC Service Attribute which uniquely identifies the Ethernet Virtual Connection (EVC) within a Metro Ethernet Network, as defined in section 6.2 of MEF 10.1. From IPFIX flow records only.

$MetroEvcType (type: integer)

The 3-bit EVC Service Attribute which identifies the type of service provided by an EVC. From IPFIX flow records only.

$MinExportSeconds (type: datetime)

The absolute Export Time of the earliest IPFIX Message within the scope. From IPFIX flow records only.

$MinFlowStartMicroseconds (type: datetime)

The earliest absolute timestamp of the first packet within any Flow within the scope, rounded down to the microsecond if necessary. From IPFIX flow records only.

$MinFlowStartMilliseconds (type: datetime)

The earliest absolute timestamp of the first packet within any Flow within the scope, rounded down to the millisecond if necessary. From IPFIX flow records only.

$MinFlowStartNanoseconds (type: datetime)

The earliest absolute timestamp of the first packet within any Flow within the scope. From IPFIX flow records only.

$MinFlowStartSeconds (type: datetime)

The earliest absolute timestamp of the first packet within any Flow within the scope. From IPFIX flow records only.

$MinimumIpTotalLength (type: integer)

The length of the smallest packet observed for this Flow. From IPFIX flow records only.

$MinimumLayer2TotalLength (type: integer)

The layer 2 length of the smallest packet observed for this Flow. From IPFIX flow records only.

$MinimumTTL (type: integer)

The minimum TTL value observed for any packet in the Flow. From IPFIX flow records only.

$MonitoringIntervalEndMilliSeconds (type: datetime)

The absolute timestamp at which the monitoring interval ended. From IPFIX flow records only.

$MonitoringIntervalStartMilliSeconds (type: datetime)

The absolute timestamp at which the monitoring interval started. From IPFIX flow records only.

$MplsLabel1 (type: integer)

The MPLS label at position 1 in the stack. From NetFlow v9 flow records only.

$MplsLabel10 (type: integer)

The MPLS label at position 10 in the stack. From NetFlow v9 flow records only.

$MplsLabel2 (type: integer)

The MPLS label at position 2 in the stack. From NetFlow v9 flow records only.

$MplsLabel3 (type: integer)

The MPLS label at position 3 in the stack. From NetFlow v9 flow records only.

$MplsLabel4 (type: integer)

The MPLS label at position 4 in the stack. From NetFlow v9 flow records only.

$MplsLabel5 (type: integer)

The MPLS label at position 5 in the stack. From NetFlow v9 flow records only.

$MplsLabel6 (type: integer)

The MPLS label at position 6 in the stack. From NetFlow v9 flow records only.

$MplsLabel7 (type: integer)

The MPLS label at position 7 in the stack. From NetFlow v9 flow records only.

$MplsLabel8 (type: integer)

The MPLS label at position 8 in the stack. From NetFlow v9 flow records only.

$MplsLabel9 (type: integer)

The MPLS label at position 9 in the stack. From NetFlow v9 flow records only.

$MplsLabelStackDepth (type: integer)

The number of labels in the MPLS label stack. From IPFIX flow records only.

$MplsLabelStackLength (type: integer)

The length of the MPLS label stack in units of octets. From IPFIX flow records only.

$MplsLabelStackSection (type: binary)

A series of octets from the MPLS label stack of a sampled packet. From IPFIX flow records only.

$MplsLabelStackSection10 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection9. From IPFIX flow records only.

$MplsLabelStackSection2 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsTopLabelStackSection. From IPFIX flow records only.

$MplsLabelStackSection3 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection2. From IPFIX flow records only.

$MplsLabelStackSection4 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection3. From IPFIX flow records only.

$MplsLabelStackSection5 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection4. From IPFIX flow records only.

$MplsLabelStackSection6 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection5. From IPFIX flow records only.

$MplsLabelStackSection7 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection6. From IPFIX flow records only.

$MplsLabelStackSection8 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection7. From IPFIX flow records only.

$MplsLabelStackSection9 (type: binary)

The Label, Exp, and S fields from the label stack entry that was pushed immediately before the label stack entry that would be reported by $MplsLabelStackSection8. From IPFIX flow records only.

$MplsPayloadLength (type: integer)

The size of the MPLS packet without the label stack. From IPFIX flow records only.

$MplsPayloadPacketSection (type: binary)

A series of octets from the MPLS payload of a sampled packet. From IPFIX flow records only.

$MplsTopLabelExp (type: integer)

The Exp field from the top MPLS label stack entry (the last label that was pushed). From IPFIX flow records only.

$MplsTopLabelIPv4Address (type: ipaddr)

The IPv4 address of the system that the MPLS top label will cause this Flow to be forwarded to. From IPFIX flow records only.

$MplsTopLabelIPv6Address (type: ipaddr)

The IPv6 address of the system that the MPLS top label will cause this Flow to be forwarded to. From IPFIX flow records only.

$MplsTopLabelPrefixLength (type: integer)

The prefix length of the subnet of the mplsTopLabelIPv4Address that the MPLS top label will cause the Flow to be forwarded to. From IPFIX flow records only.

$MplsTopLabelStackSection (type: binary)

The Label, Exp, and S fields from the top MPLS label stack entry (from the last label that was pushed). From IPFIX flow records only.

$MplsTopLabelTTL (type: integer)

The TTL field from the top MPLS label stack entry (the last label that was pushed). From IPFIX flow records only.

$MplsTopLabelType (type: integer)

The control protocol that allocated the top-of-stack label. From IPFIX flow records only.

$MplsVpnRouteDistinguisher (type: binary)

The value of the VPN route distinguisher of a corresponding entry in a VPN routing and forwarding table. From IPFIX flow records only.

$MulticastReplicationFactor (type: integer)

The amount of multicast replication that is applied to a traffic stream. From IPFIX flow records only.

$NAT_PortBlockEnd (type: integer)

The NAT port block range end port (ASR 1000 NEL). From NetFlow v9 flow records only.

$NAT_PortBlockSize (type: integer)

The NAT port block size (ASR 1000 NEL). From NetFlow v9 flow records only.

$NAT_PortBlockStart (type: integer)

The NAT port block range start port (ASR 1000 NEL). From NetFlow v9 flow records only.

$NAT_PortStepSize (type: integer)

The NAT port step size (ASR 1000 NEL). From NetFlow v9 flow records only.

$NATEgressVRFID (type: integer)

The egress NAT VRF ID (ASR 1000 NEL). From NetFlow v9 flow records only.

$NatEvent (type: integer)

The NAT event (ASR 1000 NEL). From NetFlow v9 and IPFIX flow records only.

$NATIngressVRFID (type: integer)

The ingress NAT VRF ID (ASR 1000 NEL). From NetFlow v9 flow records only.

$NatOriginatingAddressRealm (type: integer)

Indicates whether the session was created because traffic originated in the private or public address realm. From IPFIX flow records only.

$NatPoolId (type: integer)

The locally unique identifier of a NAT pool. From IPFIX flow records only.

$NatPoolName (type: string)

The name of a NAT pool identified by a $NatPoolId. From IPFIX flow records only.

$NatType (type: integer)

The type of NAT treatment. From IPFIX flow records only.

$NewConnectionDeltaCount (type: integer)

The number of TCP or UDP connections which were opened during the observation period. From IPFIX flow records only.

$NextHeaderIPv6 (type: integer)

The value of the Next Header field of the IPv6 header. From IPFIX flow records only.

$NextHopIpAddress (type: ipaddr)

The IP address of the next-hop router. From NetFlow v1/v5/v7 flow records only.

$NextHopIPv4Address (type: ipaddr)

The IPv4 address of next-hop router. From NetFlow v9 flow records only.

$NextHopIPv4BGP (type: ipaddr)

The next-hop router’s IPv4 address in the BGP domain. From NetFlow v9 flow records only.

$NextHopIPv6Address (type: ipaddr)

The IPv6 address of the next-hop router. From NetFlow v9 flow records only.

$NextHopIPv6BGP (type: ipaddr)

The next-hop router’s IPv6 address in the BGP domain. From NetFlow v9 flow records only.

$NotSentFlowTotalCount (type: integer)

The total number of Flow Records that were generated by the Metering Process and dropped by the Metering Process or Exporting Process instead of being sent to the Collecting Process. From IPFIX flow records only.

$NotSentLayer2OctetTotalCount (type: integer)

The total number of octets in observed layer 2 packets (including the layer 2 header) that the Metering Process did not process since the (re-)initialization of the Metering Process. From IPFIX flow records only.

$NotSentOctetTotalCount (type: integer)

The total number of octets in packets in Flow Records that were generated by the Metering Process and dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process. From IPFIX flow records only.

$NotSentPacketTotalCount (type: integer)

The total number of packets in Flow Records that were generated by the Metering Process and dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process. From IPFIX flow records only.

$NPROBE_ApplLatSec (type: integer)

The NPROBE application latency, microseconds. From NetFlow v9 flow records only.

$NPROBE_ApplLatUsec (type: integer)

The NPROBE application latency, seconds. From NetFlow v9 flow records only.

$NPROBE_ClientLatSec (type: integer)

The NPROBE client latency, microseconds. From NetFlow v9 flow records only.

$NPROBE_ClientLatUsec (type: integer)

The NPROBE client latency, seconds. From NetFlow v9 flow records only.

$NPROBE_ServerLatSec (type: integer)

The NPROBE server latency, microseconds. From NetFlow v9 flow records only.

$NPROBE_ServerLatUsec (type: integer)

The NPROBE server latency, seconds. From NetFlow v9 flow records only.

$ObservationDomainId (type: integer)

An identifier of an Observation Domain that is locally unique to an Exporting Process. From IPFIX flow records only.

$ObservationDomainName (type: string)

The name of an observation domain identified by an $ObservationDomainId. From IPFIX flow records only.

$ObservationPointId (type: integer)

An identifier of an Observation Point that is unique per Observation Domain. From IPFIX flow records only.

$ObservationPointType (type: integer)

The type of observation point. From IPFIX flow records only.

$ObservationTimeMicroseconds (type: datetime)

The absolute time in microseconds of an observation. From IPFIX flow records only.

$ObservationTimeMilliseconds (type: datetime)

The absolute time in milliseconds of an observation. From IPFIX flow records only.

$ObservationTimeNanoseconds (type: datetime)

The absolute time in nanoseconds of an observation. From IPFIX flow records only.

$ObservationTimeSeconds (type: datetime)

The absolute time in seconds of an observation. From IPFIX flow records only.

$ObservedFlowTotalCount (type: integer)

The total number of Flows observed in the Observation Domain since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$OctetDeltaCount (type: integer)

The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. From IPFIX flow records only.

$OctetDeltaSumOfSquares (type: integer)

The sum of the squared numbers of octets per incoming packet since the previous report (if any) for this Flow at the Observation Point. From IPFIX flow records only.

$OctetTotalCount (type: integer)

The total number of octets in incoming packets for this Flow at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$OctetTotalSumOfSquares (type: integer)

The total sum of the squared numbers of octets in incoming packets for this Flow at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$OpaqueOctets (type: binary)

Encapsulated non-IPFIX data in an IPFIX Message stream. From IPFIX flow records only.

$OriginalExporterIPv4Address (type: ipaddr)

The IPv4 address used by the Exporting Process on an Original Exporter, as seen by the Collecting Process on an IPFIX Mediator. From IPFIX flow records only.

$OriginalExporterIPv6Address (type: ipaddr)

The IPv6 address used by the Exporting Process on an Original Exporter, as seen by the Collecting Process on an IPFIX Mediator. From IPFIX flow records only.

$OriginalFlowsCompleted (type: integer)

The conservative count of Original Flows whose last packet is represented within this Aggregated Flow. From IPFIX flow records only.

$OriginalFlowsInitiated (type: integer)

The conservative count of Original Flows whose first packet is represented within this Aggregated Flow. From IPFIX flow records only.

$OriginalFlowsPresent (type: integer)

The non-conservative count of Original Flows contributing to this Aggregated Flow. From IPFIX flow records only.

$OriginalObservationDomainId (type: integer)

The Observation Domain ID reported by the Exporting Process on an Original Exporter, as seen by the Collecting Process on an IPFIX Mediator. From IPFIX flow records only.

$OutBytes (type: integer)

The number of outgoing bytes associated with an IP Flow. From NetFlow v9 flow records only.

$OutDestMac (type: string)

The outgoing destination MAC address. From NetFlow v9 flow records only.

$OutPackets (type: integer)

The number of outgoing packets associated with an IP Flow. From NetFlow v9 flow records only.

$OutputIfaceSNMPIndex (type: integer)

The SNMP index of the output interface. From NetFlow v1/v5/v7 flow records only.

$outputSNMPIface (type: integer)

The output interface index. From NetFlow v9 flow records only.

$OutSourceMac (type: string)

The outgoing source MAC address. From NetFlow v9 flow records only.

$P2pTechnology (type: string)

Specifies if the Application ID is based on peer-to-peer technology. From IPFIX flow records only.

$PacketDeltaCount (type: integer)

The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. From IPFIX flow records only.

$Packets (type: integer)

The number of packets in the Flow. From NetFlow v1/v5/v7 flow records only.

$PacketTotalCount (type: integer)

The total number of incoming packets for this Flow at the Observation Point since the Metering Process (re-)initialization for this Observation Point. From IPFIX flow records only.

$PaddingOctets (type: binary)

A sequence of 0x00 values. From IPFIX flow records only.

$PayloadLengthIPv6 (type: integer)

The value of the Payload Length field in the IPv6 header. From IPFIX flow records only.

$PenX.ElementY (type: binary)

An element with a PEN of X and an unrecognised elementID of Y, where X and Y are integers. From IPFIX flow records only.

$PortId (type: integer)

An identifier of a line port that is unique per IPFIX Device hosting an Observation Point. From IPFIX flow records only.

$PortRangeEnd (type: integer)

The port number identifying the end of a range of ports. From IPFIX flow records only.

$PortRangeNumPorts (type: integer)

The number of ports in a port range. From IPFIX flow records only.

$PortRangeStart (type: integer)

The port number identifying the start of a range of ports. From IPFIX flow records only.

$PortRangeStepSize (type: integer)

The step size in a port range. From IPFIX flow records only.

$PostDestinationMacAddress (type: string)

Like $DestinationMacAddress, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostDot1qCustomerVlanId (type: integer)

Like $Dot1qCustomerVlanId, but reports a potentially modified value caused by a middlebox function after the packet pass the Observation Point. From IPFIX flow records only.

$PostDot1qVlanId (type: integer)

Like $Dot1qVlanId, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostIpClassOfService (type: integer)

Like $IpClassOfService, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostIpDiffServCodePoint (type: integer)

Like $IpDiffServCodePoint, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostIpPrecedence (type: integer)

Like $IpPrecedence, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostLayer2OctetDeltaCount (type: integer)

Like $Layer2OctetDeltaCount, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostLayer2OctetTotalCount (type: integer)

Like $Layer2OctetTotalCount, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostMCastLayer2OctetDeltaCount (type: integer)

The number of layer 2 octets since the previous report (if any) in outgoing multicast packets sent for packets of this Flow by a multicast daemon within the Observation Domain. From IPFIX flow records only.

$PostMCastLayer2OctetTotalCount (type: integer)

The total number of layer 2 octets in outgoing multicast packets sent for packets of this Flow by a multicast daemon in the Observation Domain since the Metering Process (re-)initialization. From IPFIX flow records only.

$PostMCastOctetDeltaCount (type: integer)

The number of octets since the previous report (if any) in outgoing packets sent for packets of this Flow by a multicast daemon within the Observation Domain. From IPFIX flow records only.

$PostMCastOctetTotalCount (type: integer)

The total number of octets in outgoing multicast packets sent for packets of this Flow by a multicast daemon in the Observation Domain since the Metering Process (re-)initialization. From IPFIX flow records only.

$PostMCastPacketDeltaCount (type: integer)

The number of outgoing multicast packets since the previous report (if any) sent for packets of this Flow by a multicast daemon within the Observation Domain. From IPFIX flow records only.

$PostMCastPacketTotalCount (type: integer)

The total number of outgoing multicast packets sent for packets of this Flow by a multicast daemon within the Observation Domain since the Metering Process (re-)initialization. From IPFIX flow records only.

$PostMplsTopLabelExp (type: integer)

Like $MplsTopLabelExp, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostNAPTDestinationTransportPort (type: integer)

Like $DestinationTransportPort, but reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostNAPTSourceTransportPort (type: integer)

Like $SourceTransportPort, but reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostNATDestinationIPv4Address (type: ipaddr)

Like $DestinationIPv4Address, but reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostNATDestinationIPv6Address (type: ipaddr)

Like $DestinationIPv6Address, but reports a modified value caused by a NAT64 middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostNATSourceIPv4Address (type: ipaddr)

Like $SourceIPv4Address, but reports a modified value caused by a NAT middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostNATSourceIPv6Address (type: ipaddr)

Like $SourceIPv6Address, but reports a modified value caused by a NAT64 middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostOctetDeltaCount (type: integer)

Like $OctetDeltaCount, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostOctetTotalCount (type: integer)

Like $OctetTotalCount, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostPacketDeltaCount (type: integer)

Like $PacketDeltaCount, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostPacketTotalCount (type: integer)

Like $PacketTotalCount, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostSourceMacAddress (type: string)

Like $SourceMacAddress, but reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. From IPFIX flow records only.

$PostVlanId (type: integer)

The virtual LAN identifier associated with the egress interface. From IPFIX flow records only.

$PrivateEnterpriseNumber (type: integer)

A private enterprise number, as assigned by IANA. From IPFIX flow records only.

$ProtocolIdentifier (type: integer)

The value of the protocol number in the IP packet header. From NetFlow v9 and IPFIX flow records only.

$ProtocolType (type: integer)

The IP protocol type. From NetFlow v1/v5/v7 flow records only.

$PseudoWireControlWord (type: integer)

The 32-bit Preferred Pseudo Wire (PW) MPLS Control Word as defined in Section 3 of RFC 4385. From IPFIX flow records only.

$PseudoWireDestinationIPv4Address (type: ipaddr)

The destination IPv4 address of the PSN tunnel carrying the pseudowire. From IPFIX flow records only.

$PseudoWireId (type: integer)

A 32-bit non-zero connection identifier. From IPFIX flow records only.

$PseudoWireType (type: integer)

The type of MPLS Pseudo Wire (PW) as defined in RFC 4446. From IPFIX flow records only.

$RelativeError (type: string)

The maximum possible positive or negative error ratio for the reported value for a given Information Element as percentage of the measured value. From IPFIX flow records only.

$ResponderOctets (type: integer)

The total number of layer 4 payload bytes in a flow from the responder. From IPFIX flow records only.

$ResponderPackets (type: integer)

The total number of layer 4 packets in a flow from the responder. From IPFIX flow records only.

$Rfc3550JitterMicroseconds (type: integer)

The inter-arrival jitter as defined in section 6.4.1 of RFC 3550, measured in microseconds. From IPFIX flow records only.

$Rfc3550JitterMilliseconds (type: integer)

The inter-arrival jitter as defined in section 6.4.1 of RFC 3550, measured in milliseconds. From IPFIX flow records only.

$Rfc3550JitterNanoseconds (type: integer)

The inter-arrival jitter as defined in section 6.4.1 of RFC 3550, measured in nanoseconds. From IPFIX flow records only.

$RtpSequenceNumber (type: integer)

The RTP sequence number per RFC 3550. From IPFIX flow records only.

$SamplerId (type: integer)

The unique identifier associated with $SamplerName (deprecated in favor of $SelectorId). From IPFIX flow records only.

$SamplerMode (type: integer)

The sampler mode when using sampled NetFlow (in IPFIX, deprecated in favor of $SelectorAlgorithm). From NetFlow v9 and IPFIX flow records only.

$SamplerName (type: string)

The name of the flow sampler (deprecated in favor of $SelectorName). From IPFIX flow records only.

$SamplerRandomInterval (type: integer)

The packet interval at which to sample when using random sampling (deprecated in favor of $SamplingPacketInterval). From IPFIX flow records only.

$SamplingAlgorithm (type: integer)

The type of algorithm used for sampled NetFlow (in IPFIX, deprecated in favor of $SelectorAlgorithm). From NetFlow v9 and IPFIX flow records only.

$SamplingFlowInterval (type: integer)

Specifies the number of Flows that are consecutively sampled. From IPFIX flow records only.

$SamplingFlowSpacing (type: integer)

Specifies the number of Flows between two $SamplingFlowIntervals. From IPFIX flow records only.

$SamplingInterval (type: integer)

The rate at which packets are sampled when using sampled NetFlow (in IPFIX, deprecated in favor of $SamplingPacketInterval). From NetFlow v9 and IPFIX flow records only.

$SamplingPacketInterval (type: integer)

The number of packets that are consecutively sampled. From IPFIX flow records only.

$SamplingPacketSpace (type: integer)

The number of packets between two $SamplingPacketIntervals. From IPFIX flow records only.

$SamplingPopulation (type: integer)

Specifies the number of elements in the parent Population for random Sampling methods. From IPFIX flow records only.

$SamplingProbability (type: string)

Specifies the probability that a packet is sampled. From IPFIX flow records only.

$SamplingSize (type: integer)

The number of elements taken from the parent Population for random Sampling methods. From IPFIX flow records only.

$SamplingTimeInterval (type: integer)

The time interval in microseconds during which all arriving packets are sampled. From IPFIX flow records only.

$SamplingTimeSpace (type: integer)

The time interval in microseconds between two $SamplingTimeIntervals. From IPFIX flow records only.

$SectionExportedOctets (type: integer)

Specifies the observed length of the packet section. From IPFIX flow records only.

$SectionOffset (type: integer)

Specifies the offset of the packet section. From IPFIX flow records only.

$SelectionSequenceId (type: integer)

A unique value per Observation Domain, specifying the Observation Point and the sequence of Selectors through which packets are selected. From IPFIX flow records only.

$SelectorAlgorithm (type: integer)

Identifies the packet selection methods that are applied by the Selection Process. From IPFIX flow records only.

$SelectorId (type: integer)

The unique ID identifying a Primitive Selector. From IPFIX flow records only.

$SelectorIDTotalFlowsObserved (type: integer)

Specifies the total number of Flows observed by a Selector, for a specific value of $SelectorId. From IPFIX flow records only.

$SelectorIDTotalFlowsSelected (type: integer)

Specifies the total number of Flows selected by a Selector, for a specific value of $SelectorId. From IPFIX flow records only.

$SelectorIdTotalPktsObserved (type: integer)

The total number of packets observed by a Selector. From IPFIX flow records only.

$SelectorIdTotalPktsSelected (type: integer)

The total number of packets selected by a Selector, for a specific value of $SelectorId. From IPFIX flow records only.

$SelectorName (type: string)

The name of a selector identified by a $SelectorId. From IPFIX flow records only.

$SessionScope (type: integer)

Signifies that the options described by the Template apply to the IPFIX Transport Session that contains them. From IPFIX flow records only.

$SourceAddrPrefixMaskBits (type: integer)

The source address prefix mask bits. From NetFlow v5/v7 flow records only.

$SourceAutonomousSystem (type: integer)

The autonomous system (AS) number of the source. From NetFlow v5/v7/v9 flow records only.

$SourceIpAddress (type: ipaddr)

The source IP address. From NetFlow v1/v5/v7 flow records only.

$SourceIPv4Address (type: ipaddr)

The IPv4 source address in the IP packet header. From NetFlow v9 and IPFIX flow records only.

$SourceIPv4Prefix (type: ipaddr)

The IPv4 source address prefix. From IPFIX flow records only.

$SourceIPv4PrefixLength (type: integer)

The number of contiguous bits that are relevant in the source IPv4 Prefix Information Element. From IPFIX flow records only.

$SourceIPv6Address (type: ipaddr)

The IPv6 source address in the IP packet header. From NetFlow v9 and IPFIX flow records only.

$SourceIPv6Prefix (type: ipaddr)

The IPv6 source address prefix. From IPFIX flow records only.

$SourceIPv6PrefixLength (type: integer)

The number of contiguous bits that are relevant in the source IPv6 Prefix Information Element. From IPFIX flow records only.

$SourceMacAddress (type: string)

The IEEE 802 source MAC address field. From IPFIX flow records only.

$SourcePort (type: integer)

The TCP/UDP source port number or equivalent. From NetFlow v1/v5/v7/v9 flow records only.

$SourceTransportPort (type: integer)

The source port identifier in the transport header. From IPFIX flow records only.

$SourceV4Mask (type: integer)

The number of contiguous bits in the source address subnet mask (the sub-mask in slash notation). From NetFlow v9 flow records only.

$SourceV6Mask (type: integer)

The length of the IPv6 source mask in contiguous bits. From NetFlow v9 flow records only.

$SourceVlan (type: integer)

The virtual LAN identifier associated with ingress interface. From NetFlow v9 flow records only.

$SrcTrafficIndex (type: integer)

The BGP Policy Accounting Source Traffic Index. From IPFIX flow records only.

$StaIPv4Address (type: ipaddr)

The IPv4 address of a wireless station (STA). From IPFIX flow records only.

$StaMacAddress (type: string)

The IEEE 802 MAC address of a wireless station (STA). From IPFIX flow records only.

$SubTemplateList (type: string)

Specifies a generic Information Element with a subTemplateList abstract data type. From IPFIX flow records only.

$SubTemplateMultiList (type: string)

Specifies a generic Information Element with a subTemplateMultiList abstract data type. From IPFIX flow records only.

$SystemInitTimeMilliseconds (type: datetime)

The absolute timestamp of the last (re-)initialization of the IPFIX Device. From IPFIX flow records only.

$SysUpTimeMilisec (type: integer)

The current time in milliseconds since the export device booted. From the NetFlow v1/v5/v7/v9 flow header.

$TcpAcknowledgementNumber (type: integer)

The acknowledgement number in the TCP header. From IPFIX flow records only.

$TcpAckTotalCount (type: integer)

The total number of packets of this Flow with the TCP "Acknowledgment field significant" (ACK) flag set. From IPFIX flow records only.

$TcpControlBits (type: integer)

The TCP control bits observer for the packets of this Flow. From IPFIX flow records only.

$TcpDestinationPort (type: integer)

The destination port identifier in the TCP header. From IPFIX flow records only.

$TcpFinTotalCount (type: integer)

The total number of packets of this Flow with the TCP "No more data from sender" (FIN) flag set. From IPFIX flow records only.

$TCPFlags (type: integer)

A cumulative OR of the TCP flags seen for this flow. From NetFlow v9 flow records only.

$TcpHeaderLength (type: integer)

The length of the TCP header. From IPFIX flow records only.

$TcpOptions (type: integer)

The TCP options in packets of this Flow. From IPFIX flow records only.

$TcpPshTotalCount (type: integer)

The total number of packets of this Flow with the TCP "Push Function" (PSH) flag set. From IPFIX flow records only.

$TcpRstTotalCount (type: integer)

The total number of packets of this Flow with the TCP "Reset the connection" (RST) flag set. From IPFIX flow records only.

$TcpSequenceNumber (type: integer)

The sequence number in the TCP header. From IPFIX flow records only.

$TcpSourcePort (type: integer)

The source port identifier in the TCP header. From IPFIX flow records only.

$TcpSynTotalCount (type: integer)

The total number of packets of this Flow with the TCP "Synchronize sequence numbers" (SYN) flag set. From IPFIX flow records only.

$TcpUrgentPointer (type: integer)

The urgent pointer in the TCP header. From IPFIX flow records only.

$TcpUrgTotalCount (type: integer)

The total number of packets of this Flow with the TCP "Urgent Pointer field significant" (URG) flag set. From IPFIX flow records only.

$TcpWindowScale (type: integer)

The scale of the window field in the TCP header. From IPFIX flow records only.

$TcpWindowSize (type: integer)

The window field in the TCP header. From IPFIX flow records only.

$TemplateId (type: integer)

An identifier of a Template that is locally unique within a combination of a Transport session and an Observation Domain. From IPFIX flow records only.

$TimeMsecEnd (type: datetime)

The end time of the flow (ASA NSEL). From NetFlow v9 flow records only.

$TimeMsecStart (type: datetime)

The time that the flow was created, which is included in extended flow-teardown events in which the flow-create event was not sent earlier (ASA NSEL). From NetFlow v9 flow records only.

$TotalLengthIPv4 (type: integer)

The total length of the IPv4 packet. From IPFIX flow records only.

$TransportOctetDeltaCount (type: integer)

The number of octets, excluding IP header(s) and layer 4 transport protocol header(s), observed for this Flow at the Observation Point since the previous report (if any). From IPFIX flow records only.

$TransportPacketDeltaCount (type: integer)

The number of packets containing at least one octet beyond the IP header(s) and layer 4 transport protocol header(s), observed for this Flow at the Observation Point since the previous report (if any). From IPFIX flow records only.

$TunnelTechnology (type: string)

Specifies if the Application ID is used as a tunnel technology. From IPFIX flow records only.

$TypeOfService (type: integer)

The IP Type of Service (ToS). From NetFlow v1/v5/v7/v9 flow records only.

$UdpDestinationPort (type: integer)

The destination port identifier in the UDP header. From IPFIX flow records only.

$UdpMessageLength (type: integer)

The value of the Length field in the UDP header. From IPFIX flow records only.

$UdpSourcePort (type: integer)

The source port identifier in the UDP header. From IPFIX flow records only.

$UpperCILimit (type: string)

Specifies the upper limit of a confidence interval. From IPFIX flow records only.

$UserName (type: string)

The user name associated with the flow. From IPFIX flow records only.

$ValueDistributionMethod (type: integer)

A description of the method used to distribute the counters from Contributing Flows into the Aggregated Flow records described by an associated scope. From IPFIX flow records only.

$Version (type: integer)

The NetFlow export format version number. From the NetFlow v1/v5/v7/v9 and IPFIX flow header.

$VirtualStationInterfaceId (type: binary)

The Instance Identifier of the interface to a Virtual Station. From IPFIX flow records only.

$VirtualStationInterfaceName (type: string)

The name of the interface to a Virtual Station. From IPFIX flow records only.

$VirtualStationName (type: string)

The name of a Virtual Station. From IPFIX flow records only.

$VirtualStationUUID (type: binary)

The unique Identifier of a Virtual Station. From IPFIX flow records only.

$VlanId (type: integer)

The virtual LAN identifier associated with the ingress interface. From IPFIX flow records only.

$VRFname (type: string)

The name of a VPN Routing and Forwarding table (VRF). From IPFIX flow records only.

$WlanChannelId (type: integer)

The identifier of the 802.11 channel used. From IPFIX flow records only.

$WlanSSID (type: string)

The Service Set IDentifier (SSID) identifying an 802.11 network used. From IPFIX flow records only.

$WtpMacAddress (type: string)

The IEEE 802 MAC address of a wireless access point (WTP). From IPFIX flow records only.

Examples

Example 1. Parsing UDP NetFlow data

The following configuration receives NetFlow data over UDP and converts the parsed data into JSON.

nxlog.conf
<Extension netflow>
    Module      xm_netflow
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input udpin>
    Module      im_udp
    ListenAddr  0.0.0.0:2162
    InputType   netflow
</Input>

<Output out>
    Module      om_file
    File        "netflow.log"
    Exec        to_json();
</Output>

<Route nf>
    Path        udpin => out
</Route>