Flow view interface

The Flow view provides 100% access to all the elements that were exported in the raw flows. Some columns or elements are generated by Scrutinizer. The Flow view interface retrieves all of the flows that match the values requested in consideration of the filters applied.

Notice:

  • Filters are passed to Flow View when drilling in.

  • Use the filters drop down box to find data in specific columns. NOTE: The sourceOrDestination option is not a column.

  • Click on the column headings to sort.

IPFIX, NetFlow, sFlow, NSEL, etc

Flow View is used to view flows generated by 100% of all flow technologies. The collector can save any type of NetFlow v1, v5, v6 and v9 data inclusive of IPFIX and other varients including NetFlow Security Event Logs (NSEL), NetStream, jFlow, AppFlow and others. This report provides access to view any and all flows received by the collector given the filters applied. Some of the columns that may appear in the exports are below.

Flow View field names

When looking at data in Flow View some data columns are Plixer specific:

  • flowDirection tells the reporting interface if the flow was collected ingress or egress on the router or switch interface. When direction is not exported, ‘ingres*’ is displayed which means direction was not exported with the flow and that ingress collection is assumed for the flow. NetFlow v5 does not export the direction bit.

  • intervalTime This is the time the collector received the flow.

  • applicationId This is the application as determined by settings under Admin tab > Definitions > Application Groups.

  • commonPort How the collector determines which port is the application port (also known as WellKnownPort).

For example, take a flow with a source port of 5678 and a destination port of 1234. The collector will look at both ports (5678, 1234) and perform the following logic:

  • Which port is lower: port 1234

  • Is there an entry in the local database for 1234 (e.g. HTTP)

  • If Yes: save it as the common port (1234)

  • else if: is port 5678 labeled in the local database (e.g. HTTPS)

  • If Yes: save it as the common port (5678)

  • else save 1234 as the common port (e.g. Unknown)

Note

If both source and destination ports were labeled, it would have gone with the lower port.

Fields mapping more or less to IPFIX fields

These field names are overloaded and don’t map to any one IPFIX field. IPFIX might send ‘sourceIPv4Address’ or ‘sourceIPv6Address’, the column is always named ‘sourceIPAddress’. The ‘sourceIPAddress’ column can store either IPv4 or IPv6.

  • ‘ipNextHopIPAddress’ /* v4 or v6 */

  • ‘sourceIPAddress’ /* v4 or v6 */

  • ‘destinationIPAddress’ /* v4 or v6 */

  • ‘sourceIPPrefixLength’ /* v4 or v6 */

  • ‘destinationIPPrefixLength’ /* v4 or v6 */

  • ‘ingress_octetDeltaCount’

  • ‘ingress_packetDeltaCount’

  • ‘egress_octetDeltaCount’

  • ‘egress_packetDeltaCount’

  • ‘snmp_interface’ /* (in|e)gress */

Note

/* v4 or v6 */ columns are used for both IPv4 and IPv6 formats.

Field names in both Cisco and IPFIX

The field names below exist only in Cisco docs. Except for the NBAR fields which only exist in Cisco’s docs. Notice that the field names are fairly descriptive.

The IPFIX field names and descriptions can be found here. The Cisco fields and descriptions can be found here and here:

Warning

The following names are subject to change depending on the version of firmware running on the hardware.

  • SAMPLING_INTERVAL

  • SAMPLING_ALGORITHM

  • ENGINE_TYPE

  • ENGINE_ID

  • FLOW_SAMPLER_ID

  • FLOW_SAMPLER_MODE

  • FLOW_SAMPLER_RANDOM_INTERVAL

  • SAMPLER_NAME

  • FORWARDING_STATUS

  • NBAR_APPLICATION_DESCRIPTION

  • NBAR_APPLICATION_ID

  • NBAR_APPLICATION_NAME

  • NBAR_SUB_APPLICATION_ID

  • NF_F_XLATE_SRC_ADDR_IPV4

  • NF_F_XLATE_DST_ADDR_IPV4

  • NF_F_SLATE_SRC_PORT

  • NF_F_XLATE_DST_PORT

  • NF_F_FW_EVENT

  • NF_F_FW_EXT_EVENT

  • NF_F_INGRESS_ACL_ID

  • NF_F_EGRESS_ACL_ID

  • NF_F_USERNAME

Note

The field names beginning with ‘NBAR’ were made up by plixer.

Archiving & rollups

The collector will perform rollups at intervals specified under the Admin tab under settings. In order for rollups to occur, the template exported must provide the element: octetDeltaCount. Please contact Plixer Technical Support to change the rollups to occur on an alternate field. Visit the Admin Tab > Settings > Data History page to configure how long to save the data.