idnits 2.17.1

draft-claise-ipfix-information-model-rfc5102bis-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 3 instances of lines with multicast IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use the 233.252.0.x range defined in RFC 5771

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (October 28, 2011) is 4563 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC5101' is mentioned on line 7891, but not defined

  ** Obsolete undefined reference: RFC 5101 (Obsoleted by RFC 7011)

  -- Possible downref: Normative reference to a draft: ref. 'RFC5101bis'

  -- Obsolete informational reference (is this intentional?): RFC 793
     (Obsoleted by RFC 9293)

  -- Obsolete informational reference (is this intentional?): RFC 1323
     (Obsoleted by RFC 7323)

  -- Obsolete informational reference (is this intentional?): RFC 1385
     (Obsoleted by RFC 6814)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

  -- Obsolete informational reference (is this intentional?): RFC 2460
     (Obsoleted by RFC 8200)

  -- Obsolete informational reference (is this intentional?): RFC 2629
     (Obsoleted by RFC 7749)

  -- Obsolete informational reference (is this intentional?): RFC 4960
     (Obsoleted by RFC 9260)

  == Outdated reference: A later version (-11) exists of
     draft-ietf-ipfix-configuration-model-10

     Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         J. Quittek
Internet Draft                                                       NEC
Obsoletes: 5102                                                S. Bryant
Category: Standards Track                                      B. Claise
Expires: April 30, 2012                                        P. Aitken
                                                     Cisco Systems, Inc.
                                                                J. Meyer
                                                                  PayPal
                                                        October 28, 2011

        Information Model for IP Flow Information eXport (IPFIX)
         draft-claise-ipfix-information-model-rfc5102bis-01.txt

Abstract

   This memo defines an information model for the IP Flow Information
   eXport (IPFIX) protocol. It is used by the IPFIX protocol for encoding
   measured traffic information and information related to the traffic
   Observation Point, the traffic Metering Process, and the Exporting
   Process. Although developed for the IPFIX protocol, the model is
   defined in an open way that easily allows using it in other protocols,
   interfaces, and applications. This document obsoletes RFC 5102.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 23, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. IPFIX Documents Overview
   2. Properties of IPFIX Protocol Information Elements
      2.1. Information Elements Specification Template
      2.2. Scope of Information Elements
      2.3. Naming Conventions for Information Elements
   3. Type Space
      3.1. Abstract Data Types
         3.1.1. unsigned8
         3.1.2. unsigned16
         3.1.3. unsigned32
         3.1.4. unsigned64
         3.1.5. signed8
         3.1.6. signed16
         3.1.7. signed32
         3.1.8. signed64
         3.1.9. float32
         3.1.10. float64
         3.1.11. boolean
         3.1.12. macAddress
         3.1.13. octetArray
         3.1.14. string
         3.1.15. dateTimeSeconds
         3.1.16. dateTimeMilliseconds
         3.1.17. dateTimeMicroseconds
         3.1.18. dateTimeNanoseconds
         3.1.19. ipv4Address
         3.1.20. ipv6Address
      3.2. Data Type Semantics
         3.2.1. quantity
         3.2.2. totalCounter
         3.2.3. deltaCounter
         3.2.4. identifier
         3.2.5. flags
   4. Information Element Identifiers
   5. Information Elements
      5.1. Identifiers
         5.1.1. lineCardId
         5.1.2. portId
         5.1.3. ingressInterface
         5.1.4. egressInterface
         5.1.5. meteringProcessId
         5.1.6. exportingProcessId
         5.1.7. flowId
         5.1.8. templateId
         5.1.9. observationDomainId
         5.1.10. observationPointId
         5.1.11. commonPropertiesId
      5.2. Metering and Exporting Process Configuration
         5.2.1. exporterIPv4Address
         5.2.2. exporterIPv6Address
         5.2.3. exporterTransportPort
         5.2.4. collectorIPv4Address
         5.2.5. collectorIPv6Address
         5.2.6. exportInterface
         5.2.7. exportProtocolVersion
         5.2.8. exportTransportProtocol
         5.2.9. collectorTransportPort
         5.2.10. flowKeyIndicator
      5.3. Metering and Exporting Process Statistics
         5.3.1. exportedMessageTotalCount
         5.3.2. exportedOctetTotalCount
         5.3.3. exportedFlowRecordTotalCount
         5.3.4. observedFlowTotalCount
         5.3.5. ignoredPacketTotalCount
         5.3.6. ignoredOctetTotalCount
         5.3.7. notSentFlowTotalCount
         5.3.8. notSentPacketTotalCount
         5.3.9. notSentOctetTotalCount
      5.4. IP Header Fields
         5.4.1. ipVersion
         5.4.2. sourceIPv4Address
         5.4.3. sourceIPv6Address
         5.4.4. sourceIPv4PrefixLength
         5.4.5. sourceIPv6PrefixLength
         5.4.6. sourceIPv4Prefix
         5.4.7. sourceIPv6Prefix
         5.4.8. destinationIPv4Address
         5.4.9. destinationIPv6Address
         5.4.10. destinationIPv4PrefixLength
         5.4.11. destinationIPv6PrefixLength
         5.4.12. destinationIPv4Prefix
         5.4.13. destinationIPv6Prefix
         5.4.14. ipTTL
         5.4.15. protocolIdentifier
         5.4.16. nextHeaderIPv6
         5.4.17. ipDiffServCodePoint
         5.4.18. ipPrecedence
         5.4.19. ipClassOfService
         5.4.20. postIpClassOfService
         5.4.21. flowLabelIPv6
         5.4.22. isMulticast
         5.4.23. fragmentIdentification
         5.4.24. fragmentOffset
         5.4.25. fragmentFlags
         5.4.26. ipHeaderLength
         5.4.27. ipv4IHL
         5.4.28. totalLengthIPv4
         5.4.29. ipTotalLength
         5.4.30. payloadLengthIPv6
      5.5. Transport Header Fields
         5.5.1. sourceTransportPort
         5.5.2. destinationTransportPort
         5.5.3. udpSourcePort
         5.5.4. udpDestinationPort
         5.5.5. udpMessageLength
         5.5.6. tcpSourcePort
         5.5.7. tcpDestinationPort
         5.5.8. tcpSequenceNumber
         5.5.9. tcpAcknowledgementNumber
         5.5.10. tcpWindowSize
         5.5.11. tcpWindowScale
         5.5.12. tcpUrgentPointer
         5.5.13. tcpHeaderLength
         5.5.14. icmpTypeCodeIPv4
         5.5.15. icmpTypeIPv4
         5.5.16. icmpCodeIPv4
         5.5.17. icmpTypeCodeIPv6
         5.5.18. icmpTypeIPv6
         5.5.19. icmpCodeIPv6
         5.5.20. igmpType
      5.6. Sub-IP Header Fields
         5.6.1. sourceMacAddress
         5.6.2. postSourceMacAddress
         5.6.3. vlanId
         5.6.4. postVlanId
         5.6.5. destinationMacAddress
         5.6.6. postDestinationMacAddress
         5.6.7. wlanChannelId
         5.6.8. wlanSSID
         5.6.9. mplsTopLabelTTL
         5.6.10. mplsTopLabelExp
         5.6.11. postMplsTopLabelExp
         5.6.12. mplsLabelStackDepth
         5.6.13. mplsLabelStackLength
         5.6.14. mplsPayloadLength
         5.6.15. mplsTopLabelStackSection
         5.6.16. mplsLabelStackSection2
         5.6.17. mplsLabelStackSection3
         5.6.18. mplsLabelStackSection4
         5.6.19. mplsLabelStackSection5
         5.6.20. mplsLabelStackSection6
         5.6.21. mplsLabelStackSection7
         5.6.22. mplsLabelStackSection8
         5.6.23. mplsLabelStackSection9
         5.6.24. mplsLabelStackSection10
      5.7. Derived Packet Properties
         5.7.1. ipPayloadLength
         5.7.2. ipNextHopIPv4Address
         5.7.3. ipNextHopIPv6Address
         5.7.4. bgpSourceAsNumber
         5.7.5. bgpDestinationAsNumber
         5.7.6. bgpNextAdjacentAsNumber
         5.7.7. bgpPrevAdjacentAsNumber
         5.7.8. bgpNextHopIPv4Address
         5.7.9. bgpNextHopIPv6Address
         5.7.10. mplsTopLabelType
         5.7.11. mplsTopLabelIPv4Address
         5.7.12. mplsTopLabelIPv6Address
         5.7.13. mplsVpnRouteDistinguisher
      5.8. Min/Max Flow Properties
         5.8.1. minimumIpTotalLength
         5.8.2. maximumIpTotalLength
         5.8.3. minimumTTL
         5.8.4. maximumTTL
         5.8.5. ipv4Options
         5.8.6. ipv6ExtensionHeaders
         5.8.7. tcpControlBits
         5.8.8. tcpOptions
      5.9. Flow Timestamps
         5.9.1. flowStartSeconds
         5.9.2. flowEndSeconds
         5.9.3. flowStartMilliseconds
         5.9.4. flowEndMilliseconds
         5.9.5. flowStartMicroseconds
         5.9.6. flowEndMicroseconds
         5.9.7. flowStartNanoseconds
         5.9.8. flowEndNanoseconds
         5.9.9. flowStartDeltaMicroseconds
         5.9.10. flowEndDeltaMicroseconds
         5.9.11. systemInitTimeMilliseconds
         5.9.12. flowStartSysUpTime
         5.9.13. flowEndSysUpTime
      5.10. Per-Flow Counters
         5.10.1. octetDeltaCount
         5.10.2. postOctetDeltaCount
         5.10.3. octetDeltaSumOfSquares
         5.10.4. octetTotalCount
         5.10.5. postOctetTotalCount
         5.10.6. octetTotalSumOfSquares
         5.10.7. packetDeltaCount
         5.10.8. postPacketDeltaCount
         5.10.9. packetTotalCount
         5.10.10. postPacketTotalCount
         5.10.11. droppedOctetDeltaCount
         5.10.12. droppedPacketDeltaCount
         5.10.13. droppedOctetTotalCount
         5.10.14. droppedPacketTotalCount
         5.10.15. postMCastPacketDeltaCount
         5.10.16. postMCastOctetDeltaCount
         5.10.17. postMCastPacketTotalCount
         5.10.18. postMCastOctetTotalCount
         5.10.19. tcpSynTotalCount
         5.10.20. tcpFinTotalCount
         5.10.21. tcpRstTotalCount
         5.10.22. tcpPshTotalCount
         5.10.23. tcpAckTotalCount
         5.10.24. tcpUrgTotalCount
      5.11. Miscellaneous Flow Properties
         5.11.1. flowActiveTimeout
         5.11.2. flowIdleTimeout
         5.11.3. flowEndReason
         5.11.4. flowDurationMilliseconds
         5.11.5. flowDurationMicroseconds
         5.11.6. flowDirection
      5.12. Padding
         5.12.1. paddingOctets
   6. Extending the Information Model
   7. IANA Considerations
      7.1. IPFIX Information Elements
      7.2. MPLS Label Type Identifier
      7.3. XML Namespace and Schema
   8. Security Considerations
   9. Acknowledgements
   10. References
      10.1. Normative References
      10.2. Informative References
   Appendix A. XML Specification of IPFIX Information Elements
   Appendix B. XML Specification of Abstract Data Types
   Authors' Addresses

   DONE:
   Errata ID: 1307 (technical)
   Errata ID: 1492 (technical)
   Errata ID: 1736 (technical)
   Errata ID: 2879 (editorial)
   Errata ID: 2944, which updates 1737 (technical)
   Errata ID: 2945, which updates 1738 (technical)
   Errata ID: 2946, which updates 1739 (technical)
   Updated the reference to RFC5101bis
   Clarified the time-related IEs

   TO DO:
   IPFIX Documents Overview
   Should we repeat the IEs in this RFC or should we point to IANA?
   Clarify the interaction with
   http://tools.ietf.org/html/draft-trammell-ipfix-ie-doctors-02
   IPFIX XML is different in the registry? Checked with Brian
   some IE definitions have a reference to RFC5101. Should they refer
   to RFC5101bis, which implies that the IANA registry would have to be
   changed?
   Example: exportProtocolVersion. Note that the XML must be
   kept in line, and that only exportProtocolVersion has been modified
   in XML.
   Found "to be done" in the appendix A in "

1. Introduction

   The IP Flow Information eXport (IPFIX) protocol serves for
   transmitting information related to measured IP traffic over the
   Internet. The protocol specification in [RFC5101bis] defines how
   Information Elements are transmitted. For Information Elements, it
   specifies the encoding of a set of basic data types. However, the
   list of Information Elements that can be transmitted by the protocol,
   such as Flow attributes (source IP address, number of packets, etc.)
   and information about the Metering and Exporting Process (packet
   Observation Point, sampling rate, Flow timeout interval, etc.), is
   not specified in [RFC5101bis].

   This document complements the IPFIX protocol specification by
   providing the IPFIX information model. IPFIX-specific terminology
   used in this document is defined in Section 2 of [RFC5101bis]. As in
   [RFC5101bis], these IPFIX-specific terms have the first letter of a
   word capitalized when used in this document.

   The use of the term 'information model' is not fully in line with the
   definition of this term in [RFC3444]. The IPFIX information model
   does not specify relationships between Information Elements, but it
   also does not specify a concrete encoding of Information Elements.
   Besides the encoding used by the IPFIX protocol, other encodings of
   IPFIX Information Elements can be applied, for example, XML-based
   encodings.

   The main part of this document is Section 5, which defines the
   (extensible) list of Information Elements to be transmitted by the
   IPFIX protocol. Section 2 defines a template for specifying IPFIX
   Information Elements in Section 5. Section 3 defines the set of
   abstract data types that are available for IPFIX Information
   Elements. Section 6 discusses extensibility of the IPFIX information
   model.

   The main bodies of Sections 2, 3, and 5 were generated from XML
   documents. The XML-based specification of template, abstract data
   types, and IPFIX Information Elements can be used for automatically
   checking syntactical correctness of the specification of IPFIX
   Information Elements. It can further be used for generating IPFIX
   protocol implementation code that deals with processing IPFIX
   Information Elements. Also, code for applications that further
   process traffic information transmitted via the IPFIX protocol can be
   generated with the XML specification of IPFIX Information Elements.

   For that reason, the XML document that served as a source for Section
   5 and the XML schema that served as source for Sections 2 and 3 are
   attached to this document in Appendices A and B.

   Note that although partially generated from the attached XML
   documents, the main body of this document is normative while the
   appendices are informational.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.1. IPFIX Documents Overview

   The IPFIX protocol provides network administrators with access to IP
   flow information. The architecture for the export of measured IP
   flow information out of an IPFIX Exporting Process to a Collecting
   Process is defined in [RFC5470], per the requirements defined in
   [RFC3917]. The IPFIX protocol specification [RFC5101bis] specifies
   how IPFIX data records and templates are carried via a number of
   transport protocols from IPFIX Exporting Processes to IPFIX
   Collecting Processes.

   Four IPFIX optimizations/extensions are currently specified: a
   bandwidth saving method for the IPFIX protocol in [RFC5473], an
   efficient method for exporting bidirectional flow in [RFC5103], a
   method for the definition and export of complex data structures in
   [RFC6313], and the specification of the Protocol for IPFIX Mediations
   [IPFIX-MED-PROTO] based on the IPFIX Mediation Framework [RFC6183].

   IPFIX has a formal description of IPFIX Information Elements, their
   name, type and additional semantic information, as specified in this
   document, with the export of the Information Element types specified
   in [RFC5610].

   [IPFIX-CONF] specifies a data model for configuring and monitoring
   IPFIX and PSAMP compliant devices using the NETCONF protocol, while
   [RFC5815bis] specifies a MIB module for monitoring.

   In terms of development, [RFC5153] provides guidelines for the
   implementation and use of the IPFIX protocol, while [RFC5471]
   provides guidelines for testing.

   Finally, [RFC5472] describes what type of applications can use the
   IPFIX protocol and how they can use the information provided. It
   furthermore shows how the IPFIX framework relates to other
   architectures and frameworks.

2. Properties of IPFIX Protocol Information Elements

2.1. Information Elements Specification Template

   Information in messages of the IPFIX protocol is modeled in terms of
   Information Elements of the IPFIX information model. IPFIX
   Information Elements are specified in Section 5. For specifying
   these Information Elements, a template is used that is described
   below.

   All Information Elements specified for the IPFIX protocol either in
   this document or by any future extension MUST have the following
   properties defined:

   name - A unique and meaningful name for the Information Element.

   elementId - A numeric identifier of the Information Element. If this
      identifier is used without an enterprise identifier (see
      [RFC5101bis] and enterpriseId below), then it is globally unique
      and the list of allowed values is administered by IANA. It is
      used for compact identification of an Information Element when
      encoding Templates in the protocol.

   description - The semantics of this Information Element. Describes
      how this Information Element is derived from the Flow or other
      information available to the observer.

   dataType - One of the types listed in Section 3.1 of this document or
      in a future extension of the information model. The type space
      for attributes is constrained to facilitate implementation. The
      existing type space does however encompass most basic types used
      in modern programming languages, as well as some derived types
      (such as ipv4Address) that are common to this domain and useful to
      distinguish.

   status - The status of the specification of this Information Element.
      Allowed values are 'current', 'deprecated', and 'obsolete'.

   Enterprise-specific Information Elements MUST have the following
   property defined:

   enterpriseId - Enterprises may wish to define Information Elements
      without registering them with IANA, for example, for
      enterprise-internal purposes. For such Information Elements, the
      Information Element identifier described above is not sufficient
      when the Information Element is used outside the enterprise. If
      specifications of enterprise-specific Information Elements are
      made public and/or if enterprise-specific identifiers are used by
      the IPFIX protocol outside the enterprise, then the
      enterprise-specific identifier MUST be made globally unique by
      combining it with an enterprise identifier. Valid values for the
      enterpriseId are defined by IANA as Structure of Management
      Information (SMI) network management private enterprise codes.
      They are defined at
      http://www.iana.org/assignments/enterprise-numbers.

   All Information Elements specified for the IPFIX protocol either in
   this document or by any future extension MAY have the following
   properties defined:

   dataTypeSemantics - The integral types may be qualified by additional
      semantic details. Valid values for the data type semantics are
      specified in Section 3.2 of this document or in a future extension
      of the information model.

   units - If the Information Element is a measure of some kind, the
      units identify what the measure is.

   range - Some Information Elements may only be able to take on a
      restricted set of values that can be expressed as a range (e.g., 0
      through 511 inclusive). If this is the case, the valid inclusive
      range should be specified.

   reference - Identifies additional specifications that more precisely
      define this item or provide additional context for its use.

2.2. Scope of Information Elements

   By default, most Information Elements have a scope specified in their
   definitions.

   o  The Information Elements defined in Sections 5.2 and 5.3 have a
      default of "a specific Metering Process" or of "a specific
      Exporting Process", respectively.

   o  The Information Elements defined in Sections 5.4-5.11 have a scope
      of "a specific Flow".

   Within Data Records defined by Option Templates, the IPFIX protocol
   allows further limiting of the Information Element scope. The new
   scope is specified by one or more scope fields and defined as the
   combination of all specified scope values; see Section 3.4.2.1 on
   IPFIX scopes in [RFC5101bis].

2.3. Naming Conventions for Information Elements

   The following naming conventions were used for naming Information
   Elements in this document. It is recommended that extensions of the
   model use the same conventions.

   o  Names of Information Elements should be descriptive.

   o  Names of Information Elements that are not enterprise-specific
      MUST be unique within the IPFIX information model.
      Enterprise-specific Information Elements SHOULD be prefixed with a
      vendor name.

   o  Names of Information Elements start with non-capitalized letters.

   o  Composed names use capital letters for the first letter of each
      component (except for the first one). All other letters are
      non-capitalized, even for acronyms. Exceptions are made for
      acronyms containing non-capitalized letters, such as 'IPv4' and
      'IPv6'. Examples are sourceMacAddress and destinationIPv4Address.

   o  Middleboxes [RFC3234] may change Flow properties, such as the
      Differentiated Service Code Point (DSCP) value or the source IP
      address. If an IPFIX Observation Point is located in the path of
      a Flow before one or more middleboxes that potentially modify
      packets of the Flow, then it may be desirable to also report Flow
      properties after the modification performed by the middleboxes.
      An example is an Observation Point before a packet marker changing
      a packet's IPv4 Type of Service (TOS) field that is encoded in
      Information Element ipClassOfService. Then the value observed and
      reported by Information Element ipClassOfService is valid at the
      Observation Point, but not after the packet passed the packet
      marker. For reporting the changed value of the TOS field, the
      IPFIX information model uses Information Elements that have a name
      prefix "post", for example, "postIpClassOfService". Information
      Elements with prefix "post" report on Flow properties that are not
      necessarily observed at the Observation Point, but which are
      obtained within the Flow's Observation Domain by other means
      considered to be sufficiently reliable, for example, by analyzing
      the packet marker's marking tables.

3.  Type Space

   This section describes the abstract data types that can be used for
   the specification of IPFIX Information Elements in Section 4.
   Section 3.1 describes the set of abstract data types.

   Abstract data types unsigned8, unsigned16, unsigned32, unsigned64,
   signed8, signed16, signed32, and signed64 are integral data types.
   As described in Section 3.2, their data type semantics can be further
   specified, for example, by 'totalCounter', 'deltaCounter',
   'identifier', or 'flags'.

3.1.  Abstract Data Types

   This section describes the set of valid abstract data types of the
   IPFIX information model. Note that further abstract data types may
   be specified by future extensions of the IPFIX information model.

3.1.1.  unsigned8

   The type "unsigned8" represents a non-negative integer value in the
   range of 0 to 255.

3.1.2.  unsigned16

   The type "unsigned16" represents a non-negative integer value in the
   range of 0 to 65535.

3.1.3.  unsigned32

   The type "unsigned32" represents a non-negative integer value in the
   range of 0 to 4294967295.

3.1.4.  unsigned64

   The type "unsigned64" represents a non-negative integer value in the
   range of 0 to 18446744073709551615.

3.1.5.  signed8

   The type "signed8" represents an integer value in the range of -128
   to 127.

3.1.6.  signed16

   The type "signed16" represents an integer value in the range of
   -32768 to 32767.

3.1.7.  signed32

   The type "signed32" represents an integer value in the range of
   -2147483648 to 2147483647.

3.1.8.  signed64

   The type "signed64" represents an integer value in the range of
   -9223372036854775808 to 9223372036854775807.

3.1.9.  float32

   The type "float32" corresponds to an IEEE single-precision 32-bit
   floating point type as defined in [IEEE.754.1985].

3.1.10.  float64

   The type "float64" corresponds to an IEEE double-precision 64-bit
   floating point type as defined in [IEEE.754.1985].

3.1.11.  boolean

   The type "boolean" represents a binary value. The only allowed
   values are "true" and "false".

3.1.12.  macAddress

   The type "macAddress" represents a string of 6 octets.

3.1.13.  octetArray

   The type "octetArray" represents a finite-length string of octets.

3.1.14.  string

   The type "string" represents a finite-length string of valid
   characters from the Unicode character encoding set
   [ISO.10646-1.1993]. Unicode allows for ASCII [ISO.646.1991] and many
   other international character sets to be used.

3.1.15.  dateTimeSeconds

   The type "dateTimeSeconds" represents a time value in units of
   seconds since the UNIX epoch, 1 January 1970 at 00:00 coordinated
   universal time (UTC), excluding leap seconds.

3.1.16.  dateTimeMilliseconds

   The type "dateTimeMilliseconds" represents a time value in units of
   milliseconds since the UNIX epoch, 1 January 1970 at 00:00
   coordinated universal time (UTC), excluding leap seconds.

3.1.17.  dateTimeMicroseconds

   The type "dateTimeMicroseconds" represents a time value with
   microsecond precision according to the NTP Timestamp format as
   defined in section 6 of [RFC5905]. This field is made up of two
   unsigned 32-bit integers, Seconds and Fraction. The Seconds field is
   the number of seconds since the NTP epoch, 1 January 1900 at 00:00
   UTC. The Fraction field is the fractional number of seconds in units
   of 1/(2^32) seconds (approximately 233 picoseconds).

3.1.18.  dateTimeNanoseconds

   The type "dateTimeNanoseconds" represents a time value with
   nanosecond precision according to the NTP Timestamp format as defined
   in section 6 of [RFC5905]. This field is made up of two unsigned
   32-bit integers, Seconds and Fraction. The Seconds field is the
   number of seconds since the NTP epoch, 1 January 1900 at 00:00 UTC.
   The Fraction field is the fractional number of seconds in units of
   1/(2^32) seconds (approximately 233 picoseconds).

3.1.19.  ipv4Address

   The type "ipv4Address" represents a value of an IPv4 address.

3.1.20.  ipv6Address

   The type "ipv6Address" represents a value of an IPv6 address.

3.2.  Data Type Semantics

   This section describes the set of valid data type semantics of the
   IPFIX information model. Note that further data type semantics may
   be specified by future extensions of the IPFIX information model.

3.2.1.  quantity

   A quantity value represents a discrete measured value pertaining to
   the record. This is distinguished from counters that represent an
   ongoing measured value whose "odometer" reading is captured as part
   of a given record. If no semantic qualifier is given, the
   Information Elements that have an integral data type should behave as
   a quantity.

3.2.2.  totalCounter

   An integral value reporting the value of a counter. Counters are
   unsigned and wrap back to zero after reaching the limit of the type.
   For example, an unsigned64 with counter semantics will continue to
   increment until reaching the value of 2**64 - 1. At this point, the
   next increment will wrap its value to zero and continue counting from
   zero. The semantics of a total counter is similar to the semantics
   of counters used in SNMP, such as Counter32 defined in RFC 2578
   [RFC2578]. The only difference between total counters and counters
   used in SNMP is that the total counters have an initial value of 0.
   A total counter counts independently of the export of its value.

3.2.3.  deltaCounter

   An integral value reporting the value of a counter. Counters are
   unsigned and wrap back to zero after reaching the limit of the type.
   For example, an unsigned64 with counter semantics will continue to
   increment until reaching the value of 2**64 - 1. At this point, the
   next increment will wrap its value to zero and continue counting from
   zero. The semantics of a delta counter is similar to the semantics
   of counters used in SNMP, such as Counter32 defined in RFC 2578
   [RFC2578]. The only difference between delta counters and counters
   used in SNMP is that the delta counters have an initial value of 0.
   A delta counter is reset to 0 each time its value is exported.

3.2.4.  identifier

   An integral value that serves as an identifier. Specifically,
   mathematical operations on two identifiers (aside from the equality
   operation) are meaningless. For example, Autonomous System ID 1 *
   Autonomous System ID 2 is meaningless.

3.2.5.  flags

   An integral value that actually represents a set of bit fields.
   Logical operations are appropriate on such values, but not other
   mathematical operations. Flags should always be of an unsigned type.

4.  Information Element Identifiers

   All Information Elements defined in Section 5 of this document or in
   future extensions of the IPFIX information model have their
   identifiers assigned by IANA. Their identifiers can be retrieved at
   http://www.iana.org/assignments/ipfix.

   The value of these identifiers is in the range of 1-32767. Within
   this range, Information Element identifier values in the sub-range of
   1-127 are compatible with field types used by NetFlow version 9
   [RFC3954].

   +---------------------------------+---------------------------------+
   | Range of IANA-assigned          | Description                     |
   | Information Element identifiers |                                 |
   +---------------------------------+---------------------------------+
   | 0                               | Reserved.                       |
   | 1-127                           | Information Element identifiers |
   |                                 | compatible with NetFlow version |
   |                                 | 9 field types [RFC3954].        |
   | 128-32767                       | Further Information Element     |
   |                                 | identifiers.                    |
   +---------------------------------+---------------------------------+

   Enterprise-specific Information Element identifiers have the same
   range of 1-32767, but they are coupled with an additional enterprise
   identifier. For enterprise-specific Information Elements,
   Information Element identifier 0 is also reserved.

   Enterprise-specific Information Element identifiers can be chosen by
   an enterprise arbitrarily within the range of 1-32767. The same
   identifier may be assigned by other enterprises for different
   purposes.

   Still, Collecting Processes can distinguish these Information
   Elements because the Information Element identifier is coupled with
   an enterprise identifier.

   Enterprise identifiers MUST be registered as SMI network management
   private enterprise code numbers with IANA. The registry can be found
   at http://www.iana.org/assignments/enterprise-numbers.

   The following list gives an overview of the Information Element
   identifiers that are specified in Section 5 and are compatible with
   field types used by NetFlow version 9 [RFC3954].
   +----+----------------------------+-------+-------------------------+
   | ID | Name                       | ID    | Name                    |
   +----+----------------------------+-------+-------------------------+
   | 1  | octetDeltaCount            | 43    | RESERVED                |
   | 2  | packetDeltaCount           | 44    | sourceIPv4Prefix        |
   | 3  | RESERVED                   | 45    | destinationIPv4Prefix   |
   | 4  | protocolIdentifier         | 46    | mplsTopLabelType        |
   | 5  | ipClassOfService           | 47    | mplsTopLabelIPv4Address |
   | 6  | tcpControlBits             | 48-51 | RESERVED                |
   | 7  | sourceTransportPort        | 52    | minimumTTL              |
   | 8  | sourceIPv4Address          | 53    | maximumTTL              |
   | 9  | sourceIPv4PrefixLength     | 54    | fragmentIdentification  |
   | 10 | ingressInterface           | 55    | postIpClassOfService    |
   | 11 | destinationTransportPort   | 56    | sourceMacAddress        |
   | 12 | destinationIPv4Address     | 57    |postDestinationMacAddress|
   | 13 | destinationIPv4PrefixLength| 58    | vlanId                  |
   | 14 | egressInterface            | 59    | postVlanId              |
   | 15 | ipNextHopIPv4Address       | 60    | ipVersion               |
   | 16 | bgpSourceAsNumber          | 61    | flowDirection           |
   | 17 | bgpDestinationAsNumber     | 62    | ipNextHopIPv6Address    |
   | 18 | bgpNexthopIPv4Address      | 63    | bgpNexthopIPv6Address   |
   | 19 | postMCastPacketDeltaCount  | 64    | ipv6ExtensionHeaders    |
   | 20 | postMCastOctetDeltaCount   | 65-69 | RESERVED                |
   | 21 | flowEndSysUpTime           | 70    | mplsTopLabelStackSection|
   | 22 | flowStartSysUpTime         | 71    | mplsLabelStackSection2  |
   | 23 | postOctetDeltaCount        | 72    | mplsLabelStackSection3  |
   | 24 | postPacketDeltaCount       | 73    | mplsLabelStackSection4  |
   | 25 | minimumIpTotalLength       | 74    | mplsLabelStackSection5  |
   | 26 | maximumIpTotalLength       | 75    | mplsLabelStackSection6  |
   | 27 | sourceIPv6Address          | 76    | mplsLabelStackSection7  |
   | 28 | destinationIPv6Address     | 77    | mplsLabelStackSection8  |
   | 29 | sourceIPv6PrefixLength     | 78    | mplsLabelStackSection9  |
   | 30 | destinationIPv6PrefixLength| 79    | mplsLabelStackSection10 |
   | 31 | flowLabelIPv6              | 80    | destinationMacAddress   |
   | 32 | icmpTypeCodeIPv4           | 81    | postSourceMacAddress    |
   | 33 | igmpType                   | 82-84 | RESERVED                |
   | 34 | RESERVED                   | 85    | octetTotalCount         |
   | 35 | RESERVED                   | 86    | packetTotalCount        |
   | 36 | flowActiveTimeout          | 87    | RESERVED                |
   | 37 | flowIdleTimeout            | 88    | fragmentOffset          |
   | 38 | RESERVED                   | 89    | RESERVED                |
   | 39 | RESERVED                   | 90    |mplsVpnRouteDistinguisher|
   | 40 | exportedOctetTotalCount    |91-127 | RESERVED                |
   | 41 | exportedMessageTotalCount  |       |                         |
   | 42 |exportedFlowRecordTotalCount|       |                         |
   +----+----------------------------+-------+-------------------------+

   The following list gives an overview of the Information Element
   identifiers that are specified in Section 5 and extends the list of
   Information Element identifiers specified already in [RFC3954].

   +-----+---------------------------+-----+---------------------------+
   | ID  | Name                      | ID  | Name                      |
   +-----+---------------------------+-----+---------------------------+
   | 128 | bgpNextAdjacentAsNumber   | 169 | destinationIPv6Prefix     |
   | 129 | bgpPrevAdjacentAsNumber   | 170 | sourceIPv6Prefix          |
   | 130 | exporterIPv4Address       | 171 | postOctetTotalCount       |
   | 131 | exporterIPv6Address       | 172 | postPacketTotalCount      |
   | 132 | droppedOctetDeltaCount    | 173 | flowKeyIndicator          |
   | 133 | droppedPacketDeltaCount   | 174 | postMCastPacketTotalCount |
   | 134 | droppedOctetTotalCount    | 175 | postMCastOctetTotalCount  |
   | 135 | droppedPacketTotalCount   | 176 | icmpTypeIPv4              |
   | 136 | flowEndReason             | 177 | icmpCodeIPv4              |
   | 137 | commonPropertiesId        | 178 | icmpTypeIPv6              |
   | 138 | observationPointId        | 179 | icmpCodeIPv6              |
   | 139 | icmpTypeCodeIPv6          | 180 | udpSourcePort             |
   | 140 | mplsTopLabelIPv6Address   | 181 | udpDestinationPort        |
   | 141 | lineCardId                | 182 | tcpSourcePort             |
   | 142 | portId                    | 183 | tcpDestinationPort        |
   | 143 | meteringProcessId         | 184 | tcpSequenceNumber         |
   | 144 | exportingProcessId        | 185 | tcpAcknowledgementNumber  |
   | 145 | templateId                | 186 | tcpWindowSize             |
   | 146 | wlanChannelId             | 187 | tcpUrgentPointer          |
   | 147 | wlanSSID                  | 188 | tcpHeaderLength           |
   | 148 | flowId                    | 189 | ipHeaderLength            |
   | 149 | observationDomainId       | 190 | totalLengthIPv4           |
   | 150 | flowStartSeconds          | 191 | payloadLengthIPv6         |
   | 151 | flowEndSeconds            | 192 | ipTTL                     |
   | 152 | flowStartMilliseconds     | 193 | nextHeaderIPv6            |
   | 153 | flowEndMilliseconds       | 194 | mplsPayloadLength         |
   | 154 | flowStartMicroseconds     | 195 | ipDiffServCodePoint       |
   | 155 | flowEndMicroseconds       | 196 | ipPrecedence              |
   | 156 | flowStartNanoseconds      | 197 | fragmentFlags             |
   | 157 | flowEndNanoseconds        | 198 | octetDeltaSumOfSquares    |
   | 158 | flowStartDeltaMicroseconds| 199 | octetTotalSumOfSquares    |
   | 159 | flowEndDeltaMicroseconds  | 200 | mplsTopLabelTTL           |
   | 160 | systemInitTimeMilliseconds| 201 | mplsLabelStackLength      |
   | 161 | flowDurationMilliseconds  | 202 | mplsLabelStackDepth       |
   | 162 | flowDurationMicroseconds  | 203 | mplsTopLabelExp           |
   | 163 | observedFlowTotalCount    | 204 | ipPayloadLength           |
   | 164 | ignoredPacketTotalCount   | 205 | udpMessageLength          |
   | 165 | ignoredOctetTotalCount    | 206 | isMulticast               |
   | 166 | notSentFlowTotalCount     | 207 | ipv4IHL                   |
   | 167 | notSentPacketTotalCount   | 208 | ipv4Options               |
   | 168 | notSentOctetTotalCount    | 209 | tcpOptions                |
   +-----+---------------------------+-----+---------------------------+
   | ID  | Name                      | ID  | Name                      |
   +-----+---------------------------+-----+---------------------------+
   | 210 | paddingOctets             | 218 | tcpSynTotalCount          |
   | 211 | collectorIPv4Address      | 219 | tcpFinTotalCount          |
   | 212 | collectorIPv6Address      | 220 | tcpRstTotalCount          |
   | 213 | exportInterface           | 221 | tcpPshTotalCount          |
   | 214 | exportProtocolVersion     | 222 | tcpAckTotalCount          |
   | 215 | exportTransportProtocol   | 223 | tcpUrgTotalCount          |
   | 216 | collectorTransportPort    | 224 | ipTotalLength             |
   | 217 | exporterTransportPort     | 237 | postMplsTopLabelExp       |
   |     |                           | 238 | tcpWindowScale            |
   +-----+---------------------------+-----+---------------------------+

5.  Information Elements

   This section describes the Information Elements of the IPFIX
   information model. The elements are grouped into 12 groups according
   to their semantics and their applicability:

   1.  Identifiers
   2.  Metering and Exporting Process Configuration
   3.  Metering and Exporting Process Statistics
   4.  IP Header Fields
   5.  Transport Header Fields
   6.  Sub-IP Header Fields
   7.  Derived Packet Properties
   8.  Min/Max Flow Properties
   9.  Flow Timestamps
   10. Per-Flow Counters
   11. Miscellaneous Flow Properties
   12. Padding

   The Information Elements that are derived from fields of packets or
   from packet treatment, such as the Information Elements in groups
   4-7, can typically serve as Flow Keys used for mapping packets to
   Flows.

   If they do not serve as Flow Keys, their value may change from packet
   to packet within a single Flow. For Information Elements with values
   that are derived from fields of packets or from packet treatment and
   for which the value may change from packet to packet within a single
   Flow, the IPFIX information model defines that their value is
   determined by the first packet observed for the corresponding Flow,
   unless the description of the Information Element explicitly
   specifies a different semantics. This simple rule allows writing all
   Information Elements related to header fields once when the first
   packet of the Flow is observed. For further observed packets of the
   same Flow, only Flow properties that depend on more than one packet,
   such as the Information Elements in groups 8-11, need to be updated.
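The first-packet rule above can be shown with a small flow cache. This is an added example, not part of the draft: the packet dictionaries, the choice of the five-tuple as Flow Keys, the keys "length" and "timestamp", and the function name meter are assumptions; the Information Element names are those listed in Section 4.

```python
# Added illustration of the "first packet" rule in Section 5; not part of the
# draft. Packets are assumed to be parsed already into dicts; the keys
# "length" and "timestamp" and the function name are hypothetical.

FLOW_KEYS = (
    "sourceIPv4Address", "destinationIPv4Address", "protocolIdentifier",
    "sourceTransportPort", "destinationTransportPort",
)
# Header-derived but not a Flow Key in this setup, so its value can differ
# from packet to packet within one Flow.
FIRST_PACKET_ONLY = ("ipClassOfService",)


def meter(packets):
    """Map packets to Flows and return the resulting Flow Records."""
    cache = {}
    for pkt in packets:
        key = tuple(pkt[name] for name in FLOW_KEYS)
        rec = cache.get(key)
        if rec is None:
            # First packet of the Flow: every header-derived Information
            # Element is written once and never touched again.
            rec = {n: pkt[n] for n in FLOW_KEYS + FIRST_PACKET_ONLY}
            rec.update(
                flowStartSeconds=pkt["timestamp"],
                minimumTTL=pkt["ipTTL"], maximumTTL=pkt["ipTTL"],
                packetDeltaCount=0, octetDeltaCount=0,
            )
            cache[key] = rec
        # Every packet, the first included: update only the properties that
        # depend on more than one packet (groups 8-11).
        rec["minimumTTL"] = min(rec["minimumTTL"], pkt["ipTTL"])
        rec["maximumTTL"] = max(rec["maximumTTL"], pkt["ipTTL"])
        rec["flowEndSeconds"] = pkt["timestamp"]
        rec["packetDeltaCount"] += 1
        rec["octetDeltaCount"] += pkt["length"]
    return list(cache.values())


def _pkt(proto, sport, dport, tos, ttl, length, ts):
    """Build one constructed sample packet between two documentation hosts."""
    return {
        "sourceIPv4Address": "192.0.2.1",
        "destinationIPv4Address": "198.51.100.7",
        "protocolIdentifier": proto,
        "sourceTransportPort": sport,
        "destinationTransportPort": dport,
        "ipClassOfService": tos, "ipTTL": ttl,
        "length": length, "timestamp": ts,
    }


# Constructed sample input: the second TCP packet carries a different TOS
# octet and TTL than the first packet of the same Flow.
SAMPLE_PACKETS = [
    _pkt(6, 49152, 443, 0, 64, 60, 100),
    _pkt(6, 49152, 443, 184, 63, 1500, 101),
    _pkt(17, 5353, 53, 0, 128, 80, 101),
]

if __name__ == "__main__":
    for record in meter(SAMPLE_PACKETS):
        print(record)
```

A consumer of these records sees ipClassOfService 0 for the TCP Flow even though a later packet carried 184, which is why a non-key header field in a Flow Record describes the first packet only and not the whole Flow.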
   Information Elements with a name having the "post" prefix, for
   example, "postIpClassOfService", do not report properties that were
   actually observed at the Observation Point, but retrieved by other
   means within the Observation Domain. These Information Elements can
   be used if there are middlebox functions within the Observation
   Domain changing Flow properties after packets passed the Observation
   Point.

   Information Elements in this section use the reference property to
   reference [RFC0768], [RFC0791], [RFC0792], [RFC0793], [RFC1108],
   [RFC1112], [RFC1191], [RFC1323], [RFC1385], [RFC1812], [RFC1930],
   [RFC2113], [RFC2119], [RFC2460], [RFC2675], [RFC2863], [RFC3031],
   [RFC3032], [RFC3193], [RFC3234], [RFC3260], [RFC3270], [RFC3376],
   [RFC3954], [RFC4271], [RFC4291], [RFC4302], [RFC4303], [RFC4364],
   [RFC4382], [RFC4443], [RFC4960], [RFC5036], [IEEE.802-11.1999],
   [IEEE.802-1Q.2003], and [IEEE.802-3.2002].

5.1.  Identifiers

   Information Elements grouped in the table below are identifying
   components of the IPFIX architecture, of an IPFIX Device, or of the
   IPFIX protocol. All of them have an integral abstract data type and
   data type semantics "identifier" as described in Section 3.2.4.

   Typically, some of them are used for limiting scopes of other
   Information Elements. However, other Information Elements MAY be
   used for limiting scopes. Note also that all Information Elements
   listed below MAY be used for other purposes than limiting scopes.
   +-----+---------------------------+-----+---------------------------+
   | ID  | Name                      | ID  | Name                      |
   +-----+---------------------------+-----+---------------------------+
   | 141 | lineCardId                | 148 | flowId                    |
   | 142 | portId                    | 145 | templateId                |
   | 10  | ingressInterface          | 149 | observationDomainId       |
   | 14  | egressInterface           | 138 | observationPointId        |
   | 143 | meteringProcessId         | 137 | commonPropertiesId        |
   | 144 | exportingProcessId        |     |                           |
   +-----+---------------------------+-----+---------------------------+

5.1.1.  lineCardId

   Description:
      An identifier of a line card that is unique per IPFIX Device
      hosting an Observation Point. Typically, this Information Element
      is used for limiting the scope of other Information Elements.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 141
   Status: current

5.1.2.  portId

   Description:
      An identifier of a line port that is unique per IPFIX Device
      hosting an Observation Point. Typically, this Information Element
      is used for limiting the scope of other Information Elements.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 142
   Status: current

5.1.3.  ingressInterface

   Description:
      The index of the IP interface where packets of this Flow are being
      received. The value matches the value of managed object 'ifIndex'
      as defined in RFC 2863. Note that ifIndex values are not assigned
      statically to an interface and that the interfaces may be
      renumbered every time the device's management system is
      re-initialized, as specified in RFC 2863.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 10
   Status: current
   Reference:
      See RFC 2863 for the definition of the ifIndex object.

5.1.4.  egressInterface

   Description:
      The index of the IP interface where packets of this Flow are being
      sent. The value matches the value of managed object 'ifIndex' as
      defined in RFC 2863. Note that ifIndex values are not assigned
      statically to an interface and that the interfaces may be
      renumbered every time the device's management system is
      re-initialized, as specified in RFC 2863.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 14
   Status: current
   Reference:
      See RFC 2863 for the definition of the ifIndex object.

5.1.5.  meteringProcessId

   Description:
      An identifier of a Metering Process that is unique per IPFIX
      Device. Typically, this Information Element is used for limiting
      the scope of other Information Elements. Note that process
      identifiers are typically assigned dynamically. The Metering
      Process may be re-started with a different ID.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 143
   Status: current

5.1.6.  exportingProcessId

   Description:
      An identifier of an Exporting Process that is unique per IPFIX
      Device. Typically, this Information Element is used for limiting
      the scope of other Information Elements. Note that process
      identifiers are typically assigned dynamically. The Exporting
      Process may be re-started with a different ID.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 144
   Status: current

5.1.7.  flowId

   Description:
      An identifier of a Flow that is unique within an Observation
      Domain. This Information Element can be used to distinguish
      between different Flows if Flow Keys such as IP addresses and port
      numbers are not reported or are reported in separate records.
   Abstract Data Type: unsigned64
   Data Type Semantics: identifier
   ElementId: 148
   Status: current

5.1.8.  templateId

   Description:
      An identifier of a Template that is locally unique within a
      combination of a Transport session and an Observation Domain.
      Template IDs 0-255 are reserved for Template Sets, Options
      Template Sets, and other reserved Sets yet to be created.
      Template IDs of Data Sets are numbered from 256 to 65535.
      Typically, this Information Element is used for limiting the scope
      of other Information Elements. Note that after a re-start of the
      Exporting Process Template identifiers may be re-assigned.
   Abstract Data Type: unsigned16
   Data Type Semantics: identifier
   ElementId: 145
   Status: current

5.1.9.  observationDomainId

   Description:
      An identifier of an Observation Domain that is locally unique to
      an Exporting Process. The Exporting Process uses the Observation
      Domain ID to uniquely identify to the Collecting Process the
      Observation Domain where Flows were metered. It is RECOMMENDED
      that this identifier is also unique per IPFIX Device. A value of
      0 indicates that no specific Observation Domain is identified by
      this Information Element. Typically, this Information Element is
      used for limiting the scope of other Information Elements.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 149
   Status: current

5.1.10.  observationPointId

   Description:
      An identifier of an Observation Point that is unique per
      Observation Domain. It is RECOMMENDED that this identifier is
      also unique per IPFIX Device. Typically, this Information Element
      is used for limiting the scope of other Information Elements.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 138
   Status: current

5.1.11.  commonPropertiesId

   Description:
      An identifier of a set of common properties that is unique per
      Observation Domain and Transport Session. Typically, this
      Information Element is used to link to information reported in
      separate Data Records.
   Abstract Data Type: unsigned64
   Data Type Semantics: identifier
   ElementId: 137
   Status: current

5.2.  Metering and Exporting Process Configuration

   Information Elements in this section describe the configuration of
   the Metering Process or the Exporting Process. The set of these
   Information Elements is listed in the table below.

   +-----+--------------------------+-----+----------------------------+
   | ID  | Name                     | ID  | Name                       |
   +-----+--------------------------+-----+----------------------------+
   | 130 | exporterIPv4Address      | 213 | exportInterface            |
   | 131 | exporterIPv6Address      | 214 | exportProtocolVersion      |
   | 217 | exporterTransportPort    | 215 | exportTransportProtocol    |
   | 211 | collectorIPv4Address     | 216 | collectorTransportPort     |
   | 212 | collectorIPv6Address     | 173 | flowKeyIndicator           |
   +-----+--------------------------+-----+----------------------------+

5.2.1.  exporterIPv4Address

   Description:
      The IPv4 address used by the Exporting Process. This is used by
      the Collector to identify the Exporter in cases where the identity
      of the Exporter may have been obscured by the use of a proxy.
   Abstract Data Type: ipv4Address
   Data Type Semantics: identifier
   ElementId: 130
   Status: current

5.2.2.  exporterIPv6Address

   Description:
      The IPv6 address used by the Exporting Process. This is used by
      the Collector to identify the Exporter in cases where the identity
      of the Exporter may have been obscured by the use of a proxy.
   Abstract Data Type: ipv6Address
   Data Type Semantics: identifier
   ElementId: 131
   Status: current

5.2.3.  exporterTransportPort

   Description:
      The source port identifier from which the Exporting Process sends
      Flow information. For the transport protocols UDP, TCP, and SCTP,
      this is the source port number. This field MAY also be used for
      future transport protocols that have 16-bit source port
      identifiers. This field may be useful for distinguishing multiple
      Exporting Processes that use the same IP address.
   Abstract Data Type: unsigned16
   Data Type Semantics: identifier
   ElementId: 217
   Status: current
   Reference:
      See RFC 768 for the definition of the UDP source port field. See
      RFC 793 for the definition of the TCP source port field. See RFC
      4960 for the definition of SCTP. Additional information on
      defined UDP and TCP port numbers can be found at
      http://www.iana.org/assignments/port-numbers.

5.2.4.  collectorIPv4Address

   Description:
      An IPv4 address to which the Exporting Process sends Flow
      information.
   Abstract Data Type: ipv4Address
   Data Type Semantics: identifier
   ElementId: 211
   Status: current

5.2.5.  collectorIPv6Address

   Description:
      An IPv6 address to which the Exporting Process sends Flow
      information.
   Abstract Data Type: ipv6Address
   Data Type Semantics: identifier
   ElementId: 212
   Status: current

5.2.6.  exportInterface

   Description:
      The index of the interface from which IPFIX Messages sent by the
      Exporting Process to a Collector leave the IPFIX Device. The
      value matches the value of managed object 'ifIndex' as defined in
      RFC 2863. Note that ifIndex values are not assigned statically to
      an interface and that the interfaces may be renumbered every time
      the device's management system is re-initialized, as specified in
      RFC 2863.
   Abstract Data Type: unsigned32
   Data Type Semantics: identifier
   ElementId: 213
   Status: current
   Reference:
      See RFC 2863 for the definition of the ifIndex object.

5.2.7.  exportProtocolVersion

   Description:
      The protocol version used by the Exporting Process for sending
      Flow information. The protocol version is given by the value of
      the Version Number field in the Message Header. The protocol
      version is 10 for IPFIX and 9 for NetFlow version 9. A value of 0
      indicates that no export protocol is in use.
   Abstract Data Type: unsigned8
   Data Type Semantics: identifier
   ElementId: 214
   Status: current
   Reference:
      See the IPFIX protocol specification [RFC5101] for the definition
      of the IPFIX Message Header.
      See RFC 3954 for the definition of the NetFlow version 9 message
      header.

5.2.8.  exportTransportProtocol

   Description:
      The value of the protocol number used by the Exporting Process for
      sending Flow information. The protocol number identifies the IP
      packet payload type. Protocol numbers are defined in the IANA
      Protocol Numbers registry.
      In Internet Protocol version 4 (IPv4), this is carried in the
      Protocol field. In Internet Protocol version 6 (IPv6), this is
      carried in the Next Header field in the last extension header of
      the packet.
   Abstract Data Type: unsigned8
   Data Type Semantics: identifier
   ElementId: 215
   Status: current
   Reference:
      See RFC 791 for the specification of the IPv4 protocol field. See
      RFC 2460 for the specification of the IPv6 protocol field. See
      the list of protocol numbers assigned by IANA at
      http://www.iana.org/assignments/protocol-numbers.

5.2.9.  collectorTransportPort

   Description:
      The destination port identifier to which the Exporting Process
      sends Flow information. For the transport protocols UDP, TCP, and
      SCTP, this is the destination port number. This field MAY also be
      used for future transport protocols that have 16-bit source port
      identifiers.
   Abstract Data Type: unsigned16
   Data Type Semantics: identifier
   ElementId: 216
   Status: current
   Reference:
      See RFC 768 for the definition of the UDP destination port field.
      See RFC 793 for the definition of the TCP destination port field.
      See RFC 4960 for the definition of SCTP.
      Additional information on defined UDP and TCP port numbers can be
      found at http://www.iana.org/assignments/port-numbers.

5.2.10.  flowKeyIndicator

   Description:
      This set of bit fields is used for marking the Information
      Elements of a Data Record that serve as Flow Key. Each bit
      represents an Information Element in the Data Record with the n-th
      bit representing the n-th Information Element. A bit set to value
      1 indicates that the corresponding Information Element is a Flow
      Key of the reported Flow. A bit set to value 0 indicates that
      this is not the case.
      If the Data Record contains more than 64 Information Elements, the
      corresponding Template SHOULD be designed such that all Flow Keys
      are among the first 64 Information Elements, because the
      flowKeyIndicator only contains 64 bits. If the Data Record
      contains less than 64 Information Elements, then the bits in the
      flowKeyIndicator for which no corresponding Information Element
      exists MUST have the value 0.
   Abstract Data Type: unsigned64
   Data Type Semantics: flags
   ElementId: 173
   Status: current

5.3.  Metering and Exporting Process Statistics

   Information Elements in this section describe statistics of the
   Metering Process and/or the Exporting Process. The set of these
   Information Elements is listed in the table below.
1283 +-----+-----------------------------+-----+-------------------------+ 1284 | ID | Name | ID | Name | 1285 +-----+-----------------------------+-----+-------------------------+ 1286 | 41 | exportedMessageTotalCount | 165 | ignoredOctetTotalCount | 1287 | 40 | exportedOctetTotalCount | 166 | notSentFlowTotalCount | 1288 | 42 | exportedFlowRecordTotalCount| 167 | notSentPacketTotalCount | 1289 | 163 | observedFlowTotalCount | 168 | notSentOctetTotalCount | 1290 | 164 | ignoredPacketTotalCount | | | 1291 +-----+-----------------------------+-----+-------------------------+ 1293 5.3.1. exportedMessageTotalCount 1295 Description: 1296 The total number of IPFIX Messages that the Exporting Process has 1297 sent since the Exporting Process (re-)initialization to a 1298 particular Collecting Process. The reported number excludes the 1299 IPFIX Message that carries the counter value. If this Information 1300 Element is sent to a particular Collecting Process, then by 1301 default it specifies the number of IPFIX Messages sent to this 1302 Collecting Process. 1303 Abstract Data Type: unsigned64 1304 Data Type Semantics: totalCounter 1305 ElementId: 41 1306 Status: current 1307 Units: messages 1309 5.3.2. exportedOctetTotalCount 1311 Description: 1312 The total number of octets that the Exporting Process has sent 1313 since the Exporting Process (re-)initialization to a particular 1314 Collecting Process. The value of this Information Element is 1315 calculated by summing up the IPFIX Message Header length values of 1316 all IPFIX Messages that were successfully sent to the Collecting 1317 Process. The reported number excludes octets in the IPFIX Message 1318 that carries the counter value. If this Information Element is 1319 sent to a particular Collecting Process, then by default it 1320 specifies the number of octets sent to this Collecting Process. 
1321     Abstract Data Type: unsigned64
1322     Data Type Semantics: totalCounter
1323     ElementId: 40
1324     Status: current
1325     Units: octets

1327  5.3.3.  exportedFlowRecordTotalCount

1329     Description:
1330        The total number of Flow Records that the Exporting Process has
1331        sent as Data Records since the Exporting Process
1332        (re-)initialization to a particular Collecting Process.  The
1333        reported number excludes Flow Records in the IPFIX Message that
1334        carries the counter value.  If this Information Element is sent to
1335        a particular Collecting Process, then by default it specifies the
1336        number of Flow Records sent to this process.
1337     Abstract Data Type: unsigned64
1338     Data Type Semantics: totalCounter
1339     ElementId: 42
1340     Status: current
1341     Units: flows

1343  5.3.4.  observedFlowTotalCount

1345     Description:
1346        The total number of Flows observed in the Observation Domain since
1347        the Metering Process (re-)initialization for this Observation
1348        Point.
1349     Abstract Data Type: unsigned64
1350     Data Type Semantics: totalCounter
1351     ElementId: 163
1352     Status: current
1353     Units: flows

1355  5.3.5.  ignoredPacketTotalCount

1357     Description:
1358        The total number of observed IP packets that the Metering Process
1359        did not process since the (re-)initialization of the Metering
1360        Process.
1361     Abstract Data Type: unsigned64
1362     Data Type Semantics: totalCounter
1363     ElementId: 164
1364     Status: current
1365     Units: packets

1367  5.3.6.  ignoredOctetTotalCount

1369     Description:
1370        The total number of octets in observed IP packets (including the
1371        IP header) that the Metering Process did not process since the
1372        (re-)initialization of the Metering Process.
1373     Abstract Data Type: unsigned64
1374     Data Type Semantics: totalCounter
1375     ElementId: 165
1376     Status: current
1377     Units: octets

1379  5.3.7.  notSentFlowTotalCount

1381     Description:
1382        The total number of Flow Records that were generated by the
1383        Metering Process and dropped by the Metering Process or by the
1384        Exporting Process instead of being sent to the Collecting Process.
1385        There are several potential reasons for this including resource
1386        shortage and special Flow export policies.
1387     Abstract Data Type: unsigned64
1388     Data Type Semantics: totalCounter
1389     ElementId: 166
1390     Status: current
1391     Units: flows

1393  5.3.8.  notSentPacketTotalCount

1395     Description:
1396        The total number of packets in Flow Records that were generated by
1397        the Metering Process and dropped by the Metering Process or by the
1398        Exporting Process instead of being sent to the Collecting Process.
1399        There are several potential reasons for this including resource
1400        shortage and special Flow export policies.
1401     Abstract Data Type: unsigned64
1402     Data Type Semantics: totalCounter
1403     ElementId: 167
1404     Status: current
1405     Units: packets

1407  5.3.9.  notSentOctetTotalCount

1409     Description:
1410        The total number of octets in packets in Flow Records that were
1411        generated by the Metering Process and dropped by the Metering
1412        Process or by the Exporting Process instead of being sent to the
1413        Collecting Process.  There are several potential reasons for this
1414        including resource shortage and special Flow export policies.
1415     Abstract Data Type: unsigned64
1416     Data Type Semantics: totalCounter
1417     ElementId: 168
1418     Status: current
1419     Units: octets

1421  5.4.  IP Header Fields

1423     Information Elements in this section indicate values of IP header
1424     fields or are derived from IP header field values in combination with
1425     further information.
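The Section 5.3 statistics are unsigned64 totals counted since (re-)initialization, so a Collecting Process that monitors export gaps has to difference successive reports and recognise a restart. The following Python is an added example, not part of the draft: the counter names are the Information Element names of Section 5.3, while the dict-based report format and the names `interval_stats` and `IntervalStats` are hypothetical.

```python
"""Difference two successive reports of the Section 5.3 statistics counters.

Added example: counter names are the Information Element names from
Section 5.3; the report dicts and all function/class names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

U64_MAX = 2**64 - 1  # every Section 5.3 element is an unsigned64 totalCounter

COUNTERS = (
    "exportedMessageTotalCount", "exportedOctetTotalCount",
    "exportedFlowRecordTotalCount", "observedFlowTotalCount",
    "ignoredPacketTotalCount", "ignoredOctetTotalCount",
    "notSentFlowTotalCount", "notSentPacketTotalCount",
    "notSentOctetTotalCount",
)


@dataclass
class IntervalStats:
    deltas: Dict[str, int] = field(default_factory=dict)   # increase per counter
    restarted: List[str] = field(default_factory=list)     # counters that went backwards
    not_sent_flow_ratio: Optional[float] = None             # dropped / (sent + dropped)


def interval_stats(prev, curr):
    """Compare two reports (dicts: element name -> value) from one exporter."""
    stats = IntervalStats()
    for name in COUNTERS:
        if name not in prev or name not in curr:
            continue  # element missing from one of the two reports
        old, new = prev[name], curr[name]
        for value in (old, new):
            if isinstance(value, bool) or not isinstance(value, int) \
                    or not 0 <= value <= U64_MAX:
                raise ValueError(f"{name}: {value!r} is not an unsigned64 value")
        if new < old:
            # A total counter only decreases after (re-)initialization, so
            # everything counted since the restart is the new value itself.
            stats.restarted.append(name)
            stats.deltas[name] = new
        else:
            stats.deltas[name] = new - old

    # Share of Flow Records generated in the interval that never reached the
    # collector. Approximate: exportedFlowRecordTotalCount excludes the Flow
    # Records in the IPFIX Message that carries the counter itself.
    sent = stats.deltas.get("exportedFlowRecordTotalCount")
    dropped = stats.deltas.get("notSentFlowTotalCount")
    if sent is not None and dropped is not None and sent + dropped > 0:
        stats.not_sent_flow_ratio = dropped / (sent + dropped)
    return stats


if __name__ == "__main__":
    # Constructed sample reports.
    earlier = {"exportedFlowRecordTotalCount": 1000, "notSentFlowTotalCount": 10}
    later = {"exportedFlowRecordTotalCount": 1900, "notSentFlowTotalCount": 110}
    print(interval_stats(earlier, later))
```

A non-empty `restarted` list marks an interval whose deltas are lower bounds only, because anything counted between the previous report and the restart is lost.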
1427     +-----+----------------------------+-----+--------------------------+
1428     |  ID | Name                       |  ID | Name                     |
1429     +-----+----------------------------+-----+--------------------------+
1430     |  60 | ipVersion                  | 193 | nextHeaderIPv6           |
1431     |   8 | sourceIPv4Address          | 195 | ipDiffServCodePoint      |
1432     |  27 | sourceIPv6Address          | 196 | ipPrecedence             |
1433     |   9 | sourceIPv4PrefixLength     |   5 | ipClassOfService         |
1434     |  29 | sourceIPv6PrefixLength     |  55 | postIpClassOfService     |
1435     |  44 | sourceIPv4Prefix           |  31 | flowLabelIPv6            |
1436     | 170 | sourceIPv6Prefix           | 206 | isMulticast              |
1437     |  12 | destinationIPv4Address     |  54 | fragmentIdentification   |
1438     |  28 | destinationIPv6Address     |  88 | fragmentOffset           |
1439     |  13 | destinationIPv4PrefixLength| 197 | fragmentFlags            |
1440     |  30 | destinationIPv6PrefixLength| 189 | ipHeaderLength           |
1441     |  45 | destinationIPv4Prefix      | 207 | ipv4IHL                  |
1442     | 169 | destinationIPv6Prefix      | 190 | totalLengthIPv4          |
1443     | 192 | ipTTL                      | 224 | ipTotalLength            |
1444     |   4 | protocolIdentifier         | 191 | payloadLengthIPv6        |
1445     +-----+----------------------------+-----+--------------------------+

1447  5.4.1.  ipVersion

1449     Description:
1450        The IP version field in the IP packet header.
1451     Abstract Data Type: unsigned8
1452     Data Type Semantics: identifier
1453     ElementId: 60
1454     Status: current
1455     Reference:
1456        See RFC 791 for the definition of the version field in the IPv4
1457        packet header.  See RFC 2460 for the definition of the version
1458        field in the IPv6 packet header.  Additional information on
1459        defined version numbers can be found at
1460        http://www.iana.org/assignments/version-numbers.

1462  5.4.2.  sourceIPv4Address

1464     Description:
1465        The IPv4 source address in the IP packet header.
1466     Abstract Data Type: ipv4Address
1467     Data Type Semantics: identifier
1468     ElementId: 8
1469     Status: current
1470     Reference:
1471        See RFC 791 for the definition of the IPv4 source address field.

1473  5.4.3.  sourceIPv6Address

1475     Description:
1476        The IPv6 source address in the IP packet header.
1477     Abstract Data Type: ipv6Address
1478     Data Type Semantics: identifier
1479     ElementId: 27
1480     Status: current
1481     Reference:
1482        See RFC 2460 for the definition of the Source Address field in the
1483        IPv6 header.

1485  5.4.4.  sourceIPv4PrefixLength

1487     Description:
1488        The number of contiguous bits that are relevant in the
1489        sourceIPv4Prefix Information Element.
1490     Abstract Data Type: unsigned8
1491     ElementId: 9
1492     Status: current
1493     Units: bits
1494     Range: The valid range is 0-32.

1496  5.4.5.  sourceIPv6PrefixLength

1498     Description:
1499        The number of contiguous bits that are relevant in the
1500        sourceIPv6Prefix Information Element.
1501     Abstract Data Type: unsigned8
1502     ElementId: 29
1503     Status: current
1504     Units: bits
1505     Range: The valid range is 0-128.

1507  5.4.6.  sourceIPv4Prefix

1509     Description:
1510        IPv4 source address prefix.
1511     Abstract Data Type: ipv4Address
1512     ElementId: 44
1513     Status: current

1515  5.4.7.  sourceIPv6Prefix

1517     Description:
1518        IPv6 source address prefix.
1519     Abstract Data Type: ipv6Address
1520     ElementId: 170
1521     Status: current

1523  5.4.8.  destinationIPv4Address

1525     Description:
1526        The IPv4 destination address in the IP packet header.
1527     Abstract Data Type: ipv4Address
1528     Data Type Semantics: identifier
1529     ElementId: 12
1530     Status: current
1531     Reference:
1532        See RFC 791 for the definition of the IPv4 destination address
1533        field.

1535  5.4.9.  destinationIPv6Address

1537     Description:
1538        The IPv6 destination address in the IP packet header.
1539     Abstract Data Type: ipv6Address
1540     Data Type Semantics: identifier
1541     ElementId: 28
1542     Status: current
1543     Reference:
1544        See RFC 2460 for the definition of the Destination Address field
1545        in the IPv6 header.

1547  5.4.10.  destinationIPv4PrefixLength

1549     Description:
1550        The number of contiguous bits that are relevant in the
1551        destinationIPv4Prefix Information Element.
1552     Abstract Data Type: unsigned8
1553     ElementId: 13
1554     Status: current
1555     Units: bits
1556     Range: The valid range is 0-32.

1558  5.4.11.  destinationIPv6PrefixLength

1560     Description:
1561        The number of contiguous bits that are relevant in the
1562        destinationIPv6Prefix Information Element.
1563     Abstract Data Type: unsigned8
1564     ElementId: 30
1565     Status: current
1566     Units: bits
1567     Range: The valid range is 0-128.

1569  5.4.12.  destinationIPv4Prefix

1571     Description:
1572        IPv4 destination address prefix.
1573     Abstract Data Type: ipv4Address
1574     ElementId: 45
1575     Status: current

1577  5.4.13.  destinationIPv6Prefix

1579     Description:
1580        IPv6 destination address prefix.
1581     Abstract Data Type: ipv6Address
1582     ElementId: 169
1583     Status: current

1585  5.4.14.  ipTTL

1587     Description:
1588        For IPv4, the value of the Information Element matches the value
1589        of the Time to Live (TTL) field in the IPv4 packet header.  For
1590        IPv6, the value of the Information Element matches the value of
1591        the Hop Limit field in the IPv6 packet header.
1592     Abstract Data Type: unsigned8
1593     ElementId: 192
1594     Status: current
1595     Units: hops
1596     Reference:
1597        See RFC 791 for the definition of the IPv4 Time to Live field.
1598        See RFC 2460 for the definition of the IPv6 Hop Limit field.

1600  5.4.15.  protocolIdentifier

1602     Description:
1603        The value of the protocol number in the IP packet header.  The
1604        protocol number identifies the IP packet payload type.  Protocol
1605        numbers are defined in the IANA Protocol Numbers registry.  In
1606        Internet Protocol version 4 (IPv4), this is carried in the
1607        Protocol field.  In Internet Protocol version 6 (IPv6), this is
1608        carried in the Next Header field in the last extension header of
1609        the packet.
1610     Abstract Data Type: unsigned8
1611     Data Type Semantics: identifier
1612     ElementId: 4
1613     Status: current
1614     Reference:
1615        See RFC 791 for the specification of the IPv4 protocol field.  See
1616        RFC 2460 for the specification of the IPv6 protocol field.  See
1617        the list of protocol numbers assigned by IANA at
1618        http://www.iana.org/assignments/protocol-numbers.

1620  5.4.16.  nextHeaderIPv6

1622     Description:
1623        The value of the Next Header field of the IPv6 header.  The value
1624        identifies the type of the following IPv6 extension header or of
1625        the following IP payload.  Valid values are defined in the IANA
1626        Protocol Numbers registry.
1627     Abstract Data Type: unsigned8
1628     ElementId: 193
1629     Status: current
1630     Reference:
1631        See RFC 2460 for the definition of the IPv6 Next Header field.
1632        See the list of protocol numbers assigned by IANA at
1633        http://www.iana.org/assignments/protocol-numbers.

1635  5.4.17.  ipDiffServCodePoint

1637     Description:
1638        The value of a Differentiated Services Code Point (DSCP) encoded
1639        in the Differentiated Services field.  The Differentiated Services
1640        field spans the most significant 6 bits of the IPv4 TOS field or
1641        the IPv6 Traffic Class field, respectively.
1642        This Information Element encodes only the 6 bits of the
1643        Differentiated Services field.  Therefore, its value may range
1644        from 0 to 63.
1645     Abstract Data Type: unsigned8
1646     Data Type Semantics: identifier
1647     ElementId: 195
1648     Status: current
1649     Range: The valid range is 0-63.
1650     Reference:
1651        See RFC 3260 for the definition of the Differentiated Services
1652        field.  See RFC 1812 (Section 5.3.2) and RFC 791 for the
1653        definition of the IPv4 TOS field.  See RFC 2460 for the definition
1654        of the IPv6 Traffic Class field.

1656  5.4.18.  ipPrecedence

1658     Description:
1659        The value of the IP Precedence.  The IP Precedence value is
1660        encoded in the first 3 bits of the IPv4 TOS field or the IPv6
1661        Traffic Class field, respectively.  This Information Element
1662        encodes only these 3 bits.  Therefore, its value may range from 0
1663        to 7.
1664     Abstract Data Type: unsigned8
1665     Data Type Semantics: identifier
1666     ElementId: 196
1667     Status: current
1668     Range: The valid range is 0-7.
1669     Reference:
1670        See RFC 1812 (Section 5.3.3) and RFC 791 for the definition of the
1671        IP Precedence.  See RFC 1812 (Section 5.3.2) and RFC 791 for the
1672        definition of the IPv4 TOS field.  See RFC 2460 for the definition
1673        of the IPv6 Traffic Class field.

1675  5.4.19.  ipClassOfService

1677     Description:
1678        For IPv4 packets, this is the value of the TOS field in the IPv4
1679        packet header.  For IPv6 packets, this is the value of the Traffic
1680        Class field in the IPv6 packet header.
1681     Abstract Data Type: unsigned8
1682     Data Type Semantics: identifier
1683     ElementId: 5
1684     Status: current
1685     Reference:
1686        See RFC 1812 (Section 5.3.2) and RFC 791 for the definition of the
1687        IPv4 TOS field.  See RFC 2460 for the definition of the IPv6
1688        Traffic Class field.

1690  5.4.20.  postIpClassOfService

1692     Description:
1693        The definition of this Information Element is identical to the
1694        definition of Information Element 'ipClassOfService', except that
1695        it reports a potentially modified value caused by a middlebox
1696        function after the packet passed the Observation Point.
1697     Abstract Data Type: unsigned8
1698     Data Type Semantics: identifier
1699     ElementId: 55
1700     Status: current
1701     Reference:
1702        See RFC 791 for the definition of the IPv4 TOS field.  See RFC
1703        2460 for the definition of the IPv6 Traffic Class field.  See RFC
1704        3234 for the definition of middleboxes.

1706  5.4.21.  flowLabelIPv6

1708     Description:
1709        The value of the IPv6 Flow Label field in the IP packet header.
1710     Abstract Data Type: unsigned32
1711     Data Type Semantics: identifier
1712     ElementId: 31
1713     Status: current
1714     Reference:
1715        See RFC 2460 for the definition of the Flow Label field in the
1716        IPv6 packet header.

1718  5.4.22.  isMulticast

1720     Description:
1721        If the IP destination address is not a reserved multicast address,
1722        then the value of all bits of the octet (including the reserved
1723        ones) is zero.
1724        The first bit of this octet is set to 1 if the Version field of
1725        the IP header has the value 4 and if the Destination Address field
1726        contains a reserved multicast address in the range from 224.0.0.0
1727        to 239.255.255.255.  Otherwise, this bit is set to 0.  The second
1728        and third bits of this octet are reserved for future use.
1729        The remaining bits of the octet are only set to values other than
1730        zero if the IP Destination Address is a reserved IPv6 multicast
1731        address.  Then the fourth bit of the octet is set to the value of
1732        the T flag in the IPv6 multicast address and the remaining four
1733        bits are set to the value of the scope field in the IPv6 multicast
1734        address.

1736            0      1      2      3      4      5      6      7
1737        +------+------+------+------+------+------+------+------+
1738        |   IPv6 multicast scope    |  T   | RES. | RES. | MCv4 |
1739        +------+------+------+------+------+------+------+------+

1741        Bit  0:    set to 1 if IPv4 multicast
1742        Bits 1-2:  reserved for future use
1743        Bit  4:    set to value of T flag, if IPv6 multicast
1744        Bits 4-7:  set to value of multicast scope if IPv6 multicast

1746     Abstract Data Type: unsigned8
1747     Data Type Semantics: flags
1748     ElementId: 206
1749     Status: current
1750     Reference:
1751        See RFC 1112 for the specification of reserved IPv4 multicast
1752        addresses.  See RFC 4291 for the specification of reserved IPv6
1753        multicast addresses and the definition of the T flag and the IPv6
1754        multicast scope.

1756  5.4.23.  fragmentIdentification

1758     Description:
1759        The value of the Identification field in the IPv4 packet header or
1760        in the IPv6 Fragment header, respectively.  The value is 0 for
1761        IPv6 if there is no fragment header.
1762     Abstract Data Type: unsigned32
1763     Data Type Semantics: identifier
1764     ElementId: 54
1765     Status: current
1766     Reference:
1767        See RFC 791 for the definition of the IPv4 Identification field.
1768        See RFC 2460 for the definition of the Identification field in the
1769        IPv6 Fragment header.

1771  5.4.24.  fragmentOffset

1773     Description:
1774        The value of the IP fragment offset field in the IPv4 packet
1775        header or the IPv6 Fragment header, respectively.  The value is 0
1776        for IPv6 if there is no fragment header.
1777     Abstract Data Type: unsigned16
1778     Data Type Semantics: identifier
1779     ElementId: 88
1780     Status: current
1781     Reference:
1782        See RFC 791 for the specification of the fragment offset in the
1783        IPv4 header.  See RFC 2460 for the specification of the fragment
1784        offset in the IPv6 Fragment header.

1786  5.4.25.  fragmentFlags

1788     Description:
1789        Fragmentation properties indicated by flags in the IPv4 packet
1790        header or the IPv6 Fragment header, respectively.

1792           Bit 0:    (RS) Reserved.
1793                     The value of this bit MUST be 0 until specified
1794                     otherwise.

1796           Bit 1:    (DF) 0 = May Fragment,  1 = Don't Fragment.
1797                     Corresponds to the value of the DF flag in the
1798                     IPv4 header.  Will always be 0 for IPv6 unless
1799                     a "don't fragment" feature is introduced to IPv6.

1801           Bit 2:    (MF) 0 = Last Fragment, 1 = More Fragments.
1802                     Corresponds to the MF flag in the IPv4 header
1803                     or to the M flag in the IPv6 Fragment header,
1804                     respectively.  The value is 0 for IPv6 if there
1805                     is no fragment header.

1807           Bits 3-7: (DC) Don't Care.
1808                     The values of these bits are irrelevant.
1810            0   1   2   3   4   5   6   7
1811          +---+---+---+---+---+---+---+---+
1812          | R | D | M | D | D | D | D | D |
1813          | S | F | F | C | C | C | C | C |
1814          +---+---+---+---+---+---+---+---+

1816     Abstract Data Type: unsigned8
1817     Data Type Semantics: flags
1818     ElementId: 197
1819     Status: current
1820     Reference:
1821        See RFC 791 for the specification of the IPv4 fragment flags.  See
1822        RFC 2460 for the specification of the IPv6 Fragment header.

1824  5.4.26.  ipHeaderLength

1826     Description:
1827        The length of the IP header.  For IPv6, the value of this
1828        Information Element is 40.
1829     Abstract Data Type: unsigned8
1830     ElementId: 189
1831     Status: current
1832     Units: octets
1833     Reference:
1834        See RFC 791 for the specification of the IPv4 header.  See RFC
1835        2460 for the specification of the IPv6 header.

1837  5.4.27.  ipv4IHL

1839     Description:
1840        The value of the Internet Header Length (IHL) field in the IPv4
1841        header.  It specifies the length of the header in units of 4
1842        octets.  Please note that its unit is different from most of the
1843        other Information Elements reporting length values.

1845     Abstract Data Type: unsigned8
1846     ElementId: 207
1847     Status: current
1848     Units: 4 octets
1849     Reference:
1850        See RFC 791 for the specification of the IPv4 header.

1852  5.4.28.  totalLengthIPv4

1854     Description:
1855        The total length of the IPv4 packet.
1856     Abstract Data Type: unsigned16
1857     ElementId: 190
1858     Status: current
1859     Units: octets
1860     Reference:
1861        See RFC 791 for the specification of the IPv4 total length.

1863  5.4.29.  ipTotalLength

1865     Description:
1866        The total length of the IP packet.
1867     Abstract Data Type: unsigned64
1868     ElementId: 224
1869     Status: current
1870     Units: octets
1871     Reference:
1872        See RFC 791 for the specification of the IPv4 total length.  See
1873        RFC 2460 for the specification of the IPv6 payload length.  See
1874        RFC 2675 for the specification of the IPv6 jumbo payload length.

1876  5.4.30.  payloadLengthIPv6

1878     Description:
1879        This Information Element reports the value of the Payload Length
1880        field in the IPv6 header.  Note that IPv6 extension headers belong
1881        to the payload.  Also note that in case of a jumbo payload option
1882        the value of the Payload Length field in the IPv6 header is zero
1883        and so will be the value reported by this Information Element.
1884     Abstract Data Type: unsigned16
1885     ElementId: 191
1886     Status: current
1887     Units: octets
1888     Reference:
1889        See RFC 2460 for the specification of the IPv6 payload length.
1890        See RFC 2675 for the specification of the IPv6 jumbo payload
1891        option.

1893  5.5.  Transport Header Fields

1895     The set of Information Elements related to transport header fields
1896     and length includes the Information Elements listed in the table
1897     below.

1899     +-----+---------------------------+-----+---------------------------+
1900     |  ID | Name                      |  ID | Name                      |
1901     +-----+---------------------------+-----+---------------------------+
1902     |   7 | sourceTransportPort       | 238 | tcpWindowScale            |
1903     |  11 | destinationTransportPort  | 187 | tcpUrgentPointer          |
1904     | 180 | udpSourcePort             | 188 | tcpHeaderLength           |
1905     | 181 | udpDestinationPort        |  32 | icmpTypeCodeIPv4          |
1906     | 205 | udpMessageLength          | 176 | icmpTypeIPv4              |
1907     | 182 | tcpSourcePort             | 177 | icmpCodeIPv4              |
1908     | 183 | tcpDestinationPort        | 139 | icmpTypeCodeIPv6          |
1909     | 184 | tcpSequenceNumber         | 178 | icmpTypeIPv6              |
1910     | 185 | tcpAcknowledgementNumber  | 179 | icmpCodeIPv6              |
1911     | 186 | tcpWindowSize             |  33 | igmpType                  |
1912     +-----+---------------------------+-----+---------------------------+

1914  5.5.1.  sourceTransportPort

1916     Description:
1917        The source port identifier in the transport header.  For the
1918        transport protocols UDP, TCP, and SCTP, this is the source port
1919        number given in the respective header.  This field MAY also be
1920        used for future transport protocols that have 16-bit source port
1921        identifiers.
1922     Abstract Data Type: unsigned16
1923     Data Type Semantics: identifier
1924     ElementId: 7
1925     Status: current
1926     Reference:
1927        See RFC 768 for the definition of the UDP source port field.  See
1928        RFC 793 for the definition of the TCP source port field.  See RFC
1929        4960 for the definition of SCTP.
1930        Additional information on defined UDP and TCP port numbers can be
1931        found at http://www.iana.org/assignments/port-numbers.

1933  5.5.2.  destinationTransportPort

1935     Description:
1936        The destination port identifier in the transport header.  For the
1937        transport protocols UDP, TCP, and SCTP, this is the destination
1938        port number given in the respective header.  This field MAY also
1939        be used for future transport protocols that have 16-bit
1940        destination port identifiers.

1942     Abstract Data Type: unsigned16
1943     Data Type Semantics: identifier
1944     ElementId: 11
1945     Status: current
1946     Reference:
1947        See RFC 768 for the definition of the UDP destination port field.
1948        See RFC 793 for the definition of the TCP destination port field.
1949        See RFC 4960 for the definition of SCTP.  Additional information
1950        on defined UDP and TCP port numbers can be found at
1951        http://www.iana.org/assignments/port-numbers.

1953  5.5.3.  udpSourcePort

1955     Description:
1956        The source port identifier in the UDP header.
1957     Abstract Data Type: unsigned16
1958     Data Type Semantics: identifier
1959     ElementId: 180
1960     Status: current
1961     Reference:
1962        See RFC 768 for the definition of the UDP source port field.
1963        Additional information on defined UDP port numbers can be found at
1964        http://www.iana.org/assignments/port-numbers.

1966  5.5.4.  udpDestinationPort

1968     Description:
1969        The destination port identifier in the UDP header.
1970     Abstract Data Type: unsigned16
1971     Data Type Semantics: identifier
1972     ElementId: 181
1973     Status: current
1974     Reference:
1975        See RFC 768 for the definition of the UDP destination port field.
1976        Additional information on defined UDP port numbers can be found at
1977        http://www.iana.org/assignments/port-numbers.

1979  5.5.5.  udpMessageLength

1981     Description:
1982        The value of the Length field in the UDP header.
1983     Abstract Data Type: unsigned16
1984     ElementId: 205
1985     Status: current
1986     Units: octets
1987     Reference:
1988        See RFC 768 for the specification of the UDP header.

1990  5.5.6.  tcpSourcePort

1992     Description:
1993        The source port identifier in the TCP header.
1994     Abstract Data Type: unsigned16
1995     Data Type Semantics: identifier
1996     ElementId: 182
1997     Status: current
1998     Reference:
1999        See RFC 793 for the definition of the TCP source port field.
2000        Additional information on defined TCP port numbers can be found at
2001        http://www.iana.org/assignments/port-numbers.

2003  5.5.7.  tcpDestinationPort

2005     Description:
2006        The destination port identifier in the TCP header.
2007     Abstract Data Type: unsigned16
2008     Data Type Semantics: identifier
2009     ElementId: 183
2010     Status: current
2011     Reference:
2012        See RFC 793 for the definition of the TCP destination port field.
2013        Additional information on defined TCP port numbers can be found at
2014        http://www.iana.org/assignments/port-numbers.

2016  5.5.8.  tcpSequenceNumber

2018     Description:
2019        The sequence number in the TCP header.
2020     Abstract Data Type: unsigned32
2021     ElementId: 184
2022     Status: current
2023     Reference:
2024        See RFC 793 for the definition of the TCP sequence number.

2026  5.5.9.  tcpAcknowledgementNumber

2028     Description:
2029        The acknowledgement number in the TCP header.
2030     Abstract Data Type: unsigned32
2031     ElementId: 185
2032     Status: current
2033     Reference:
2034        See RFC 793 for the definition of the TCP acknowledgement number.

2036  5.5.10.  tcpWindowSize

2038     Description:
2039        The window field in the TCP header.  If the TCP window scale is
2040        supported, then TCP window scale must be known to fully interpret
2041        the value of this information.
2042     Abstract Data Type: unsigned16
2043     ElementId: 186
2044     Status: current
2045     Reference:
2046        See RFC 793 for the definition of the TCP window field.  See RFC
2047        1323 for the definition of the TCP window scale.

2049  5.5.11.  tcpWindowScale

2051     Description:
2052        The scale of the window field in the TCP header.
2053     Abstract Data Type: unsigned16
2054     ElementId: 238
2055     Status: current
2056     Reference:
2057        See RFC 1323 for the definition of the TCP window scale.

2059  5.5.12.  tcpUrgentPointer

2061     Description:
2062        The urgent pointer in the TCP header.
2063     Abstract Data Type: unsigned16
2064     ElementId: 187
2065     Status: current
2066     Reference:
2067        See RFC 793 for the definition of the TCP urgent pointer.

2069  5.5.13.  tcpHeaderLength

2071     Description:
2072        The length of the TCP header.  Note that the value of this
2073        Information Element is different from the value of the Data Offset
2074        field in the TCP header.  The Data Offset field indicates the
2075        length of the TCP header in units of 4 octets.  This Information
2076        Element specifies the length of the TCP header in units of
2077        octets.
2078     Abstract Data Type: unsigned8
2079     ElementId: 188
2080     Status: current
2081     Units: octets
2082     Reference:
2083        See RFC 793 for the definition of the TCP header.

2085  5.5.14.  icmpTypeCodeIPv4

2087     Description:
2088        Type and Code of the IPv4 ICMP message.  The combination of both
2089        values is reported as (ICMP type * 256) + ICMP code.
2090     Abstract Data Type: unsigned16
2091     Data Type Semantics: identifier
2092     ElementId: 32
2093     Status: current
2094     Reference:
2095        See RFC 792 for the definition of the IPv4 ICMP type and code
2096        fields.

2098  5.5.15.  icmpTypeIPv4

2100     Description:
2101        Type of the IPv4 ICMP message.
2102     Abstract Data Type: unsigned8
2103     Data Type Semantics: identifier
2104     ElementId: 176
2105     Status: current
2106     Reference:
2107        See RFC 792 for the definition of the IPv4 ICMP type field.

2109  5.5.16.  icmpCodeIPv4

2111     Description:
2112        Code of the IPv4 ICMP message.
2113     Abstract Data Type: unsigned8
2114     Data Type Semantics: identifier
2115     ElementId: 177
2116     Status: current
2117     Reference:
2118        See RFC 792 for the definition of the IPv4 ICMP code field.

2120  5.5.17.  icmpTypeCodeIPv6

2122     Description:
2123        Type and Code of the IPv6 ICMP message.  The combination of both
2124        values is reported as (ICMP type * 256) + ICMP code.
2125     Abstract Data Type: unsigned16
2126     Data Type Semantics: identifier
2127     ElementId: 139
2128     Status: current
2129     Reference:
2130        See RFC 4443 for the definition of the IPv6 ICMP type and code
2131        fields.

2133  5.5.18.  icmpTypeIPv6

2135     Description:
2136        Type of the IPv6 ICMP message.
2137     Abstract Data Type: unsigned8
2138     Data Type Semantics: identifier
2139     ElementId: 178
2140     Status: current
2141     Reference:
2142        See RFC 4443 for the definition of the IPv6 ICMP type field.

2144  5.5.19.  icmpCodeIPv6

2146     Description:
2147        Code of the IPv6 ICMP message.
2148     Abstract Data Type: unsigned8
2149     Data Type Semantics: identifier
2150     ElementId: 179
2151     Status: current
2152     Reference:
2153        See RFC 4443 for the definition of the IPv6 ICMP code field.

2155  5.5.20.  igmpType

2157     Description:
2158        The type field of the IGMP message.
2159     Abstract Data Type: unsigned8
2160     Data Type Semantics: identifier
2161     ElementId: 33
2162     Status: current
2163     Reference:
2164        See RFC 3376 for the definition of the IGMP type field.

2166  5.6.  Sub-IP Header Fields

2168     The set of Information Elements related to Sub-IP header fields
2169     includes the Information Elements listed in the table below.
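Several Information Elements in Sections 5.4 and 5.5 restate the same header bits in different units or groupings, which gives a Collecting Process cheap consistency checks on records received from an exporter. The following Python is an added example, not part of the draft: the element names and relations come from the definitions above, the 20 to 60 octet bound on the TCP header comes from RFC 793, and the dict-based record and the names `check_record` and `split_icmp_type_code` are hypothetical.

```python
"""Consistency checks on a decoded IPFIX Data Record (Sections 5.4 and 5.5).

Added example: `record` is a plain dict keyed by Information Element name;
the function names are hypothetical.
"""

# Inclusive maxima from the "Range:" lines in Section 5.4 (minimum is 0).
RANGES = {
    "sourceIPv4PrefixLength": 32, "destinationIPv4PrefixLength": 32,
    "sourceIPv6PrefixLength": 128, "destinationIPv6PrefixLength": 128,
    "ipDiffServCodePoint": 63, "ipPrecedence": 7,
}


def split_icmp_type_code(value):
    """icmpTypeCodeIPv4/IPv6 is reported as (ICMP type * 256) + ICMP code."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("icmpTypeCode is an unsigned16 value")
    return value >> 8, value & 0xFF


def check_record(record):
    """Return a list of inconsistencies found in `record` (empty if none)."""
    problems = []
    for name, maximum in RANGES.items():
        value = record.get(name)
        if value is not None and not 0 <= value <= maximum:
            problems.append(f"{name}={value} outside 0-{maximum}")

    # DSCP is the most significant 6 bits and precedence the first 3 bits
    # of the TOS / Traffic Class octet reported in ipClassOfService.
    tos = record.get("ipClassOfService")
    if tos is not None:
        for name, shift in (("ipDiffServCodePoint", 2), ("ipPrecedence", 5)):
            if name in record and record[name] != tos >> shift:
                problems.append(
                    f"{name}={record[name]} but ipClassOfService gives {tos >> shift}")

    # ipHeaderLength is in octets (40 for IPv6); ipv4IHL is in units of 4 octets.
    length, version = record.get("ipHeaderLength"), record.get("ipVersion")
    if length is not None:
        if version == 6 and length != 40:
            problems.append(f"ipHeaderLength={length} for IPv6, expected 40")
        ihl = record.get("ipv4IHL")
        if version == 4 and ihl is not None and length != 4 * ihl:
            problems.append(f"ipHeaderLength={length} but ipv4IHL={ihl}")

    for suffix in ("IPv4", "IPv6"):
        combined = record.get("icmpTypeCode" + suffix)
        if combined is None:
            continue
        icmp_type, icmp_code = split_icmp_type_code(combined)
        if record.get("icmpType" + suffix, icmp_type) != icmp_type:
            problems.append(f"icmpType{suffix} disagrees with icmpTypeCode{suffix}")
        if record.get("icmpCode" + suffix, icmp_code) != icmp_code:
            problems.append(f"icmpCode{suffix} disagrees with icmpTypeCode{suffix}")

    # tcpHeaderLength is in octets while Data Offset counts 4-octet words, so
    # the value is a multiple of 4; RFC 793 bounds it to 20..60 octets.
    tcp_len = record.get("tcpHeaderLength")
    if tcp_len is not None and (tcp_len % 4 or not 20 <= tcp_len <= 60):
        problems.append(f"tcpHeaderLength={tcp_len} is not a valid TCP header length")
    return problems


if __name__ == "__main__":
    # Constructed sample record.
    print(check_record({"ipVersion": 6, "ipHeaderLength": 20, "tcpHeaderLength": 22}))
```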
2171     +-----+---------------------------+-----+---------------------------+
2172     |  ID | Name                      |  ID | Name                      |
2173     +-----+---------------------------+-----+---------------------------+
2174     |  56 | sourceMacAddress          | 201 | mplsLabelStackLength      |
2175     |  81 | postSourceMacAddress      | 194 | mplsPayloadLength         |
2176     |  58 | vlanId                    |  70 | mplsTopLabelStackSection  |
2177     |  59 | postVlanId                |  71 | mplsLabelStackSection2    |
2178     |  80 | destinationMacAddress     |  72 | mplsLabelStackSection3    |
2179     |  57 | postDestinationMacAddress |  73 | mplsLabelStackSection4    |
2180     | 146 | wlanChannelId             |  74 | mplsLabelStackSection5    |
2181     | 147 | wlanSSID                  |  75 | mplsLabelStackSection6    |
2182     | 200 | mplsTopLabelTTL           |  76 | mplsLabelStackSection7    |
2183     | 203 | mplsTopLabelExp           |  77 | mplsLabelStackSection8    |
2184     | 237 | postMplsTopLabelExp       |  78 | mplsLabelStackSection9    |
2185     | 202 | mplsLabelStackDepth       |  79 | mplsLabelStackSection10   |
2186     +-----+---------------------------+-----+---------------------------+

2188  5.6.1.  sourceMacAddress

2190     Description:
2191        The IEEE 802 source MAC address field.
2192     Abstract Data Type: macAddress
2193     Data Type Semantics: identifier
2194     ElementId: 56
2195     Status: current
2196     Reference:
2197        See IEEE.802-3.2002.

2199  5.6.2.  postSourceMacAddress

2201     Description:
2202        The definition of this Information Element is identical to the
2203        definition of Information Element 'sourceMacAddress', except that
2204        it reports a potentially modified value caused by a middlebox
2205        function after the packet passed the Observation Point.
2206     Abstract Data Type: macAddress
2207     Data Type Semantics: identifier
2208     ElementId: 81
2209     Status: current
2210     Reference:
2211        See IEEE.802-3.2002.

2213  5.6.3.  vlanId

2215     Description:
2216        The IEEE 802.1Q VLAN identifier (VID) extracted from the Tag
2217        Control Information field that was attached to the IP packet.
2218     Abstract Data Type: unsigned16
2219     Data Type Semantics: identifier
2220     ElementId: 58
2221     Status: current
2222     Reference:
2223        See IEEE.802-1Q.2003.

2225  5.6.4.  postVlanId

2227     Description:
2228        The definition of this Information Element is identical to the
2229        definition of Information Element 'vlanId', except that it reports
2230        a potentially modified value caused by a middlebox function after
2231        the packet passed the Observation Point.
2232     Abstract Data Type: unsigned16
2233     Data Type Semantics: identifier
2234     ElementId: 59
2235     Status: current
2236     Reference:
2237        See IEEE.802-1Q.2003.

2239  5.6.5.  destinationMacAddress

2241     Description:
2242        The IEEE 802 destination MAC address field.
2243     Abstract Data Type: macAddress
2244     Data Type Semantics: identifier
2245     ElementId: 80
2246     Status: current
2247     Reference:
2248        See IEEE.802-3.2002.

2250  5.6.6.  postDestinationMacAddress

2252     Description:
2253        The definition of this Information Element is identical to the
2254        definition of Information Element 'destinationMacAddress', except
2255        that it reports a potentially modified value caused by a middlebox
2256        function after the packet passed the Observation Point.
2257     Abstract Data Type: macAddress
2258     Data Type Semantics: identifier
2259     ElementId: 57
2260     Status: current
2261     Reference:
2262        See IEEE.802-3.2002.

2264  5.6.7.  wlanChannelId

2266     Description:
2267        The identifier of the 802.11 (Wi-Fi) channel used.
2268     Abstract Data Type: unsigned8
2269     Data Type Semantics: identifier
2270     ElementId: 146
2271     Status: current
2272     Reference:
2273        See IEEE.802-11.1999.

2275  5.6.8.  wlanSSID

2277     Description:
2278        The Service Set IDentifier (SSID) identifying an 802.11 (Wi-Fi)
2279        network used.  According to IEEE.802-11.1999, the SSID is encoded
2280        into a string of up to 32 characters.
2281     Abstract Data Type: string
2282     ElementId: 147
2283     Status: current
2284     Reference:
2285        See IEEE.802-11.1999.

2287  5.6.9.  mplsTopLabelTTL

2289     Description:
2290        The TTL field from the top MPLS label stack entry, i.e., the last
2291        label that was pushed.
2292     Abstract Data Type: unsigned8
2293     ElementId: 200
2294     Status: current
2295     Units: hops
2296     Reference:
2297        See RFC 3032 for the specification of the TTL field.

2299  5.6.10.  mplsTopLabelExp

2301     Description:
2302        The Exp field from the top MPLS label stack entry, i.e., the last
2303        label that was pushed.

2305           Bits 0-4:  Don't Care, value is irrelevant.
2306           Bits 5-7:  MPLS Exp field.

2308            0   1   2   3   4   5   6   7
2309          +---+---+---+---+---+---+---+---+
2310          |     don't care    |    Exp    |
2311          +---+---+---+---+---+---+---+---+

2313     Abstract Data Type: unsigned8
2314     Data Type Semantics: flags
2315     ElementId: 203
2316     Status: current
2317     Reference:
2318        See RFC 3032 for the specification of the Exp field.  See RFC 3270
2319        for usage of the Exp field.

2321  5.6.11.  postMplsTopLabelExp

2323     Description:
2324        The definition of this Information Element is identical to the
2325        definition of Information Element 'mplsTopLabelExp', except that
2326        it reports a potentially modified value caused by a middlebox
2327        function after the packet passed the Observation Point.
2328     Abstract Data Type: unsigned8
2329     Data Type Semantics: flags
2330     ElementId: 237
2331     Status: current
2332     Reference:
2333        See RFC 3032 for the specification of the Exp field.  See RFC 3270
2334        for usage of the Exp field.

2336  5.6.12.  mplsLabelStackDepth

2338     Description:
2339        The number of labels in the MPLS label stack.
2340     Abstract Data Type: unsigned32
2341     ElementId: 202
2342     Status: current
2343     Units: label stack entries
2344     Reference:
2345        See RFC 3032 for the specification of the MPLS label stack.

2347  5.6.13.  mplsLabelStackLength

2349     Description:
2350        The length of the MPLS label stack in units of octets.
2351     Abstract Data Type: unsigned32
2352     ElementId: 201
2353     Status: current
2354     Units: octets
2355     Reference:
2356        See RFC 3032 for the specification of the MPLS label stack.

2358  5.6.14.  mplsPayloadLength

2360     Description:
2361        The size of the MPLS packet without the label stack.
2362     Abstract Data Type: unsigned32
2363     ElementId: 194
2364     Status: current
2365     Units: octets
2366     Reference:
2367        See RFC 3031 for the specification of MPLS packets.  See RFC 3032
2368        for the specification of the MPLS label stack.

2370  5.6.15.  mplsTopLabelStackSection

2372     Description:
2373        The Label, Exp, and S fields from the top MPLS label stack entry,
2374        i.e., from the last label that was pushed.  The size of this
2375        Information Element is 3 octets.

2377         0                   1                   2
2378         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
2379        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2380        |                Label                  | Exp |S|
2381        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2383        Label:  Label Value, 20 bits
2384        Exp:    Experimental Use, 3 bits
2385        S:      Bottom of Stack, 1 bit

2387     Abstract Data Type: octetArray
2388     Data Type Semantics: identifier
2389     ElementId: 70
2390     Status: current
2391     Reference:
2392        See RFC 3032.

2394  5.6.16.  mplsLabelStackSection2

2396     Description:
2397        The Label, Exp, and S fields from the label stack entry that was
2398        pushed immediately before the label stack entry that would be
2399        reported by mplsTopLabelStackSection.  See the definition of
2400        mplsTopLabelStackSection for further details.  The size of this
2401        Information Element is 3 octets.
2402     Abstract Data Type: octetArray
2403     Data Type Semantics: identifier
2404     ElementId: 71
2405     Status: current
2406     Reference:
2407        See RFC 3032.

2409  5.6.17.  mplsLabelStackSection3

2411     Description:
2412        The Label, Exp, and S fields from the label stack entry that was
2413        pushed immediately before the label stack entry that would be
2414        reported by mplsLabelStackSection2.  See the definition of
2415        mplsTopLabelStackSection for further details.  The size of this
2416        Information Element is 3 octets.
2417     Abstract Data Type: octetArray
2418     Data Type Semantics: identifier
2419     ElementId: 72
2420     Status: current
2421     Reference:
2422        See RFC 3032.

2424  5.6.18.  mplsLabelStackSection4

2426     Description:
2427        The Label, Exp, and S fields from the label stack entry that was
2428        pushed immediately before the label stack entry that would be
2429        reported by mplsLabelStackSection3.  See the definition of
2430        mplsTopLabelStackSection for further details.  The size of this
2431        Information Element is 3 octets.
2432     Abstract Data Type: octetArray
2433     Data Type Semantics: identifier
2434     ElementId: 73
2435     Status: current
2436     Reference:
2437        See RFC 3032.

2439  5.6.19.  mplsLabelStackSection5

2441     Description:
2442        The Label, Exp, and S fields from the label stack entry that was
2443        pushed immediately before the label stack entry that would be
2444        reported by mplsLabelStackSection4.  See the definition of
2445        mplsTopLabelStackSection for further details.  The size of this
2446        Information Element is 3 octets.
2447     Abstract Data Type: octetArray
2448     Data Type Semantics: identifier
2449     ElementId: 74
2450     Status: current
2451     Reference:
2452        See RFC 3032.

2454  5.6.20.  mplsLabelStackSection6

2456     Description:
2457        The Label, Exp, and S fields from the label stack entry that was
2458        pushed immediately before the label stack entry that would be
2459        reported by mplsLabelStackSection5.  See the definition of
2460        mplsTopLabelStackSection for further details.  The size of this
2461        Information Element is 3 octets.
2462     Abstract Data Type: octetArray
2463     Data Type Semantics: identifier
2464     ElementId: 75
2465     Status: current
2466     Reference:
2467        See RFC 3032.

2469  5.6.21.  mplsLabelStackSection7

2471     Description:
2472        The Label, Exp, and S fields from the label stack entry that was
2473        pushed immediately before the label stack entry that would be
2474        reported by mplsLabelStackSection6.  See the definition of
2475        mplsTopLabelStackSection for further details.  The size of this
2476        Information Element is 3 octets.
2477     Abstract Data Type: octetArray
2478     Data Type Semantics: identifier
2479     ElementId: 76
2480     Status: current
2481     Reference:
2482        See RFC 3032.

2484  5.6.22.  mplsLabelStackSection8

2486     Description:
2487        The Label, Exp, and S fields from the label stack entry that was
2488        pushed immediately before the label stack entry that would be
2489        reported by mplsLabelStackSection7.  See the definition of
2490        mplsTopLabelStackSection for further details.  The size of this
2491        Information Element is 3 octets.
2492     Abstract Data Type: octetArray
2493     Data Type Semantics: identifier
2494     ElementId: 77
2495     Status: current
2496     Reference:
2497        See RFC 3032.

2499  5.6.23.  mplsLabelStackSection9

2501     Description:
2502        The Label, Exp, and S fields from the label stack entry that was
2503        pushed immediately before the label stack entry that would be
2504        reported by mplsLabelStackSection8.  See the definition of
2505        mplsTopLabelStackSection for further details.  The size of this
2506        Information Element is 3 octets.
2507     Abstract Data Type: octetArray
2508     Data Type Semantics: identifier
2509     ElementId: 78
2510     Status: current
2511     Reference:
2512        See RFC 3032.

2514  5.6.24.  mplsLabelStackSection10

2516     Description:
2517        The Label, Exp, and S fields from the label stack entry that was
2518        pushed immediately before the label stack entry that would be
2519        reported by mplsLabelStackSection9.  See the definition of
2520        mplsTopLabelStackSection for further details.  The size of this
2521        Information Element is 3 octets.
2522     Abstract Data Type: octetArray
2523     Data Type Semantics: identifier
2524     ElementId: 79
2525     Status: current
2526     Reference:
2527        See RFC 3032.
2528  5.7.  Derived Packet Properties

2530     The set of Information Elements derived from packet properties (for
2531     example, values of header fields) includes the Information Elements
2532     listed in the table below.

2534     +-----+---------------------------+-----+---------------------------+
2535     | ID  | Name                      | ID  | Name                      |
2536     +-----+---------------------------+-----+---------------------------+
2537     | 204 | ipPayloadLength           |  18 | bgpNextHopIPv4Address     |
2538     |  15 | ipNextHopIPv4Address      |  63 | bgpNextHopIPv6Address     |
2539     |  62 | ipNextHopIPv6Address      |  46 | mplsTopLabelType          |
2540     |  16 | bgpSourceAsNumber         |  47 | mplsTopLabelIPv4Address   |
2541     |  17 | bgpDestinationAsNumber    | 140 | mplsTopLabelIPv6Address   |
2542     | 128 | bgpNextAdjacentAsNumber   |  90 | mplsVpnRouteDistinguisher |
2543     | 129 | bgpPrevAdjacentAsNumber   |     |                           |
2544     +-----+---------------------------+-----+---------------------------+

2546  5.7.1.  ipPayloadLength

2548     Description:
2549        The effective length of the IP payload.  For IPv4 packets, the
2550        value of this Information Element is the difference between the
2551        total length of the IPv4 packet (as reported by Information
2552        Element totalLengthIPv4) and the length of the IPv4 header (as
2553        reported by Information Element headerLengthIPv4).  For IPv6, the
2554        value of the Payload Length field in the IPv6 header is reported
2555        except in the case that the value of this field is zero and that
2556        there is a valid jumbo payload option.  In this case, the value of
2557        the Jumbo Payload Length field in the jumbo payload option is
2558        reported.
2559     Abstract Data Type: unsigned32
2560     ElementId: 204
2561     Status: current
2562     Units: octets
2563     Reference:
2564        See RFC 791 for the specification of IPv4 packets.  See RFC 2460
2565        for the specification of the IPv6 payload length.  See RFC 2675
2566        for the specification of the IPv6 jumbo payload length.

2568  5.7.2.  ipNextHopIPv4Address

2570     Description:
2571        The IPv4 address of the next IPv4 hop.
2572     Abstract Data Type: ipv4Address
2573     Data Type Semantics: identifier
2574     ElementId: 15
2575     Status: current

2577  5.7.3.  ipNextHopIPv6Address

2579     Description:

2581        The IPv6 address of the next IPv6 hop.
2582     Abstract Data Type: ipv6Address
2583     Data Type Semantics: identifier
2584     ElementId: 62
2585     Status: current

2587  5.7.4.  bgpSourceAsNumber

2589     Description:
2590        The autonomous system (AS) number of the source IP address.  If AS
2591        path information for this Flow is only available as an unordered
2592        AS set (and not as an ordered AS sequence), then the value of this
2593        Information Element is 0.
2594     Abstract Data Type: unsigned32
2595     Data Type Semantics: identifier
2596     ElementId: 16
2597     Status: current
2598     Reference:
2599        See RFC 4271 for a description of BGP-4, and see RFC 1930 for the
2600        definition of the AS number.

2602  5.7.5.  bgpDestinationAsNumber

2604     Description:
2605        The autonomous system (AS) number of the destination IP address.
2606        If AS path information for this Flow is only available as an
2607        unordered AS set (and not as an ordered AS sequence), then the
2608        value of this Information Element is 0.
2609     Abstract Data Type: unsigned32
2610     Data Type Semantics: identifier
2611     ElementId: 17
2612     Status: current
2613     Reference:
2614        See RFC 4271 for a description of BGP-4, and see RFC 1930 for the
2615        definition of the AS number.

2617  5.7.6.  bgpNextAdjacentAsNumber

2619     Description:
2620        The autonomous system (AS) number of the first AS in the AS path
2621        to the destination IP address.  The path is deduced by looking up
2622        the destination IP address of the Flow in the BGP routing
2623        information base.  If AS path information for this Flow is only
2624        available as an unordered AS set (and not as an ordered AS
2625        sequence), then the value of this Information Element is 0.
2626     Abstract Data Type: unsigned32
2627     Data Type Semantics: identifier
2628     ElementId: 128
2629     Status: current
2630     Reference:
2631        See RFC 4271 for a description of BGP-4, and see RFC 1930 for the
2632        definition of the AS number.

2634  5.7.7.  bgpPrevAdjacentAsNumber

2636     Description:
2637        The autonomous system (AS) number of the last AS in the AS path
2638        from the source IP address.  The path is deduced by looking up the
2639        source IP address of the Flow in the BGP routing information base.
2640        If AS path information for this Flow is only available as an
2641        unordered AS set (and not as an ordered AS sequence), then the
2642        value of this Information Element is 0.  In case of BGP asymmetry,
2643        the bgpPrevAdjacentAsNumber might not be able to report the
2644        correct value.
2645     Abstract Data Type: unsigned32
2646     Data Type Semantics: identifier
2647     ElementId: 129
2648     Status: current
2649     Reference:
2650        See RFC 4271 for a description of BGP-4, and see RFC 1930 for the
2651        definition of the AS number.

2653  5.7.8.  bgpNextHopIPv4Address

2655     Description:
2656        The IPv4 address of the next (adjacent) BGP hop.
2657     Abstract Data Type: ipv4Address
2658     Data Type Semantics: identifier
2659     ElementId: 18
2660     Status: current
2661     Reference:
2662        See RFC 4271 for a description of BGP-4.

2664  5.7.9.  bgpNextHopIPv6Address

2666     Description:
2667        The IPv6 address of the next (adjacent) BGP hop.
2668     Abstract Data Type: ipv6Address
2669     Data Type Semantics: identifier
2670     ElementId: 63
2671     Status: current
2672     Reference:
2673        See RFC 4271 for a description of BGP-4.

2675  5.7.10.  mplsTopLabelType
2676     Description:
2677        This field identifies the control protocol that
2678        allocated the top-of-stack label.  Initial values for this field
2679        are listed below.  Further values may be assigned by IANA in the
2680        MPLS label type registry.

2682        - 0x01 TE-MIDPT: Any TE tunnel mid-point or tail label
2683        - 0x02 Pseudowire: Any PWE3 or Cisco AToM based label
2684        - 0x03 VPN: Any label associated with VPN
2685        - 0x04 BGP: Any label associated with BGP or BGP routing
2686        - 0x05 LDP: Any label associated with dynamically assigned
2687          labels using LDP

2689     Abstract Data Type: unsigned8
2690     Data Type Semantics: identifier
2691     ElementId: 46
2692     Status: current
2693     Reference:
2694        See RFC 3031 for the MPLS label structure.  See RFC 4364 for the
2695        association of MPLS labels with Virtual Private Networks (VPNs).
2696        See RFC 4271 for BGP and BGP routing.  See RFC 5036 for Label
2697        Distribution Protocol (LDP).  See the list of MPLS label types
2698        assigned by IANA at
2699        http://www.iana.org/assignments/mpls-label-values.

2701  5.7.11.  mplsTopLabelIPv4Address

2703     Description:
2704        The IPv4 address of the system that the MPLS top label will cause
2705        this Flow to be forwarded to.
2706     Abstract Data Type: ipv4Address
2707     Data Type Semantics: identifier
2708     ElementId: 47
2709     Status: current
2710     Reference:
2711        See RFC 3031 for the association between MPLS labels and IP
2712        addresses.

2714  5.7.12.  mplsTopLabelIPv6Address

2716     Description:
2717        The IPv6 address of the system that the MPLS top label will cause
2718        this Flow to be forwarded to.
2719     Abstract Data Type: ipv6Address
2720     Data Type Semantics: identifier
2721     ElementId: 140
2722     Status: current
2723     Reference:
2724        See RFC 3031 for the association between MPLS labels and IP
2725        addresses.

2727  5.7.13.  mplsVpnRouteDistinguisher

2729     Description:
2730        The value of the VPN route distinguisher of a corresponding entry
2731        in a VPN routing and forwarding table.  Route distinguisher
2732        ensures that the same address can be used in several different
2733        MPLS VPNs and that it is possible for BGP to carry several
2734        completely different routes to that address, one for each VPN.
2735        According to RFC 4364, the size of mplsVpnRouteDistinguisher is 8
2736        octets.  However, in RFC 4382 an octet string with flexible length
2737        was chosen for representing a VPN route distinguisher by object
2738        MplsL3VpnRouteDistinguisher.  This choice was made in order to be
2739        open to future changes of the size.  This idea was adopted when
2740        choosing octetArray as abstract data type for this Information
2741        Element.  The maximum length of this Information Element is 256
2742        octets.
2743     Abstract Data Type: octetArray
2744     Data Type Semantics: identifier
2745     ElementId: 90
2746     Status: current
2747     Reference:
2748        See RFC 4364 for the specification of the route distinguisher.
2749        See RFC 4382 for the specification of the MPLS/BGP Layer 3 Virtual
2750        Private Network (VPN) Management Information Base.

2752  5.8.  Min/Max Flow Properties

2754     Information Elements in this section are results of minimum or
2755     maximum operations over all packets of a Flow.

2757     +-----+---------------------------+-----+---------------------------+
2758     | ID  | Name                      | ID  | Name                      |
2759     +-----+---------------------------+-----+---------------------------+
2760     |  25 | minimumIpTotalLength      | 208 | ipv4Options               |
2761     |  26 | maximumIpTotalLength      |  64 | ipv6ExtensionHeaders      |
2762     |  52 | minimumTTL                |   6 | tcpControlBits            |
2763     |  53 | maximumTTL                | 209 | tcpOptions                |
2764     +-----+---------------------------+-----+---------------------------+

2766  5.8.1.  minimumIpTotalLength

2768     Description:
2769        Length of the smallest packet observed for this Flow.  The packet
2770        length includes the IP header(s) length and the IP payload length.
2771     Abstract Data Type: unsigned64
2772     ElementId: 25
2773     Status: current
2774     Units: octets
2775     Reference:
2776        See RFC 791 for the specification of the IPv4 total length.  See
2777        RFC 2460 for the specification of the IPv6 payload length.  See
2778        RFC 2675 for the specification of the IPv6 jumbo payload length.

2780  5.8.2.  maximumIpTotalLength

2782     Description:
2783        Length of the largest packet observed for this Flow.  The packet
2784        length includes the IP header(s) length and the IP payload length.
2785     Abstract Data Type: unsigned64
2786     ElementId: 26
2787     Status: current
2788     Units: octets
2789     Reference:
2790        See RFC 791 for the specification of the IPv4 total length.  See
2791        RFC 2460 for the specification of the IPv6 payload length.  See
2792        RFC 2675 for the specification of the IPv6 jumbo payload length.

2794  5.8.3.  minimumTTL

2796     Description:
2797        Minimum TTL value observed for any packet in this Flow.
2798     Abstract Data Type: unsigned8
2799     ElementId: 52
2800     Status: current
2801     Units: hops
2802     Reference:
2803        See RFC 791 for the definition of the IPv4 Time to Live field.
2804        See RFC 2460 for the definition of the IPv6 Hop Limit field.

2806  5.8.4.  maximumTTL

2808     Description:
2809        Maximum TTL value observed for any packet in this Flow.
2810     Abstract Data Type: unsigned8
2811     ElementId: 53
2812     Status: current
2813     Units: hops
2814     Reference:
2815        See RFC 791 for the definition of the IPv4 Time to Live field.
2816        See RFC 2460 for the definition of the IPv6 Hop Limit field.

2818  5.8.5.  ipv4Options

2820     Description:
2821        IPv4 options in packets of this Flow.  The information is encoded
2822        in a set of bit fields.  For each valid IPv4 option type, there is
2823        a bit in this set.  The bit is set to 1 if any observed packet of
2824        this Flow contains the corresponding IPv4 option type.  Otherwise,
2825        if no observed packet of this Flow contained the respective IPv4
2826        option type, the value of the corresponding bit is 0.  The list of
2827        valid IPv4 options is maintained by IANA.  Note that for
2828        identifying an option not just the 5-bit Option Number, but all 8
2829        bits of the Option Type need to match one of the IPv4 options
2830        specified at http://www.iana.org/assignments/ip-parameters.
2831        Options are mapped to bits according to their option numbers.
2832        Option number X is mapped to bit X.  The mapping is illustrated by
2833        the figure below.

2835                0      1      2      3      4      5      6      7
2836            +------+------+------+------+------+------+------+------+
2837            |      | EXP  |  to be assigned by IANA   |  QS  | UMP  | ...
2838            +------+------+------+------+------+------+------+------+

2840                8      9     10     11     12     13     14     15
2841            +------+------+------+------+------+------+------+------+
2842        ... | DPS  |NSAPA | SDB  |RTRALT|ADDEXT|  TR  | EIP  |IMITD | ...
2843            +------+------+------+------+------+------+------+------+
2844               16     17     18     19     20     21     22     23
2845            +------+------+------+------+------+------+------+------+
2846        ... |ENCODE| VISA | FINN | MTUR | MTUP | ZSU  | SSR  | SID  | ...
2847            +------+------+------+------+------+------+------+------+

2849               24     25     26     27     28     29     30     31
2850            +------+------+------+------+------+------+------+------+
2851        ... |  RR  |CIPSO |E-SEC |  TS  | LSR  | SEC  | NOP  | EOOL |
2852            +------+------+------+------+------+------+------+------+

2854            Type  Option
2855        Bit Value Name    Reference
2856        ---+-----+-------+------------------------------------
2857          0     0 EOOL    End of Options List, RFC 791
2858          1     1 NOP     No Operation, RFC 791
2859          2   130 SEC     Security, RFC 1108
2860          3   131 LSR     Loose Source Route, RFC 791
2861          4    68 TS      Time Stamp, RFC 791
2862          5   133 E-SEC   Extended Security, RFC 1108
2863          6   134 CIPSO   Commercial Security
2864          7     7 RR      Record Route, RFC 791
2865          8   136 SID     Stream ID, RFC 791
2866          9   137 SSR     Strict Source Route, RFC 791
2867         10    10 ZSU     Experimental Measurement
2868         11    11 MTUP    (obsoleted) MTU Probe, RFC 1191
2869         12    12 MTUR    (obsoleted) MTU Reply, RFC 1191
2870         13   205 FINN    Experimental Flow Control
2871         14   142 VISA    Experimental Access Control
2872         15    15 ENCODE
2873         16   144 IMITD   IMI Traffic Descriptor
2874         17   145 EIP     Extended Internet Protocol, RFC 1385
2875         18    82 TR      Traceroute, RFC 3193
2876         19   147 ADDEXT  Address Extension
2877         20   148 RTRALT  Router Alert, RFC 2113
2878         21   149 SDB     Selective Directed Broadcast
2879         22   150 NSAPA   NSAP Address
2880         23   151 DPS     Dynamic Packet State
2881         24   152 UMP     Upstream Multicast Pkt.
2882         25    25 QS      Quick-Start
2883         30    30 EXP     RFC3692-style Experiment
2884         30    94 EXP     RFC3692-style Experiment
2885         30   158 EXP     RFC3692-style Experiment
2886         30   222 EXP     RFC3692-style Experiment
2887        ...   ... ...     Further options numbers
2888                          may be assigned by IANA

2890     Abstract Data Type: unsigned32
2891     Data Type Semantics: flags
2892     ElementId: 208
2893     Status: current
2894     Reference:
2895        See RFC 791 for the definition of IPv4 options.  See the list of
2896        IPv4 option numbers assigned by IANA at
2897        http://www.iana.org/assignments/ip-parameters.

2899  5.8.6.  ipv6ExtensionHeaders

2901     Description:
2902        IPv6 extension headers observed in packets of this Flow.  The
2903        information is encoded in a set of bit fields.  For each IPv6
2904        option header, there is a bit in this set.  The bit is set to 1 if
2905        any observed packet of this Flow contains the corresponding IPv6
2906        extension header.  Otherwise, if no observed packet of this Flow
2907        contained the respective IPv6 extension header, the value of the
2908        corresponding bit is 0.

2910               0     1     2     3     4     5     6     7
2911            +-----+-----+-----+-----+-----+-----+-----+-----+
2912            |                   Reserved                    | ...
2913            +-----+-----+-----+-----+-----+-----+-----+-----+

2915               8     9    10    11    12    13    14    15
2916            +-----+-----+-----+-----+-----+-----+-----+-----+
2917        ... |                   Reserved                    | ...
2918            +-----+-----+-----+-----+-----+-----+-----+-----+

2920              16    17    18    19    20    21    22    23
2921            +-----+-----+-----+-----+-----+-----+-----+-----+
2922        ... |          Reserved           | ESP | AH  | PAY | ...
2923            +-----+-----+-----+-----+-----+-----+-----+-----+

2925              24    25    26    27    28    29    30    31
2926            +-----+-----+-----+-----+-----+-----+-----+-----+
2927        ... | DST | HOP | Res | UNK | FRA0| RH  | FRA1| Res |
2928            +-----+-----+-----+-----+-----+-----+-----+-----+

2930        Bit        IPv6 Option   Description

2932        0, Res                   Reserved
2933        1, FRA1         44       Fragmentation header - not first fragment
2934        2, RH           43       Routing header
2935        3, FRA0         44       Fragment header - first fragment
2936        4, UNK                   Unknown Layer 4 header
2937                                 (compressed, encrypted, not supported)

2939        5, Res                   Reserved
2940        6, HOP           0       Hop-by-hop option header
2941        7, DST          60       Destination option header
2942        8, PAY         108       Payload compression header
2943        9, AH           51       Authentication Header
2944        10, ESP         50       Encrypted security payload
2945        11 to 31                 Reserved

2947     Abstract Data Type: unsigned32
2948     Data Type Semantics: flags
2949     ElementId: 64
2950     Status: current
2951     Reference:
2952        See RFC 2460 for the general definition of IPv6 extension headers
2953        and for the specification of the hop-by-hop options header, the
2954        routing header, the fragment header, and the destination options
2955        header.  See RFC 4302 for the specification of the authentication
2956        header.  See RFC 4303 for the specification of the encapsulating
2957        security payload.

2959  5.8.7.  tcpControlBits

2961     Description:
2962        TCP control bits observed for packets of this Flow.  The
2963        information is encoded in a set of bit fields.  For each TCP
2964        control bit, there is a bit in this set.  A bit is set to 1 if any
2965        observed packet of this Flow has the corresponding TCP control bit
2966        set to 1.  A value of 0 for a bit indicates that the corresponding
2967        bit was not set in any of the observed packets of this Flow.

2969           0     1     2     3     4     5     6     7
2970        +-----+-----+-----+-----+-----+-----+-----+-----+
2971        |  Reserved | URG | ACK | PSH | RST | SYN | FIN |
2972        +-----+-----+-----+-----+-----+-----+-----+-----+

2974        Reserved:  Reserved for future use by TCP.  Must be zero.
2975        URG:       Urgent Pointer field significant
2976        ACK:       Acknowledgment field significant
2977        PSH:       Push Function
2978        RST:       Reset the connection
2979        SYN:       Synchronize sequence numbers
2980        FIN:       No more data from sender

2982     Abstract Data Type: unsigned8
2983     Data Type Semantics: flags
2984     ElementId: 6
2985     Status: current
2986     Reference:

2988        See RFC 793 for the definition of the TCP control bits in the TCP
2989        header.
2990  5.8.8.  tcpOptions

2992     Description:
2993        TCP options in packets of this Flow.  The information is encoded
2994        in a set of bit fields.  For each TCP option, there is a bit in
2995        this set.  The bit is set to 1 if any observed packet of this Flow
2996        contains the corresponding TCP option.  Otherwise, if no observed
2997        packet of this Flow contained the respective TCP option, the value
2998        of the corresponding bit is 0.
2999        Options are mapped to bits according to their option numbers.
3000        Option number X is mapped to bit X.  TCP option numbers are
3001        maintained by IANA.

3003               0     1     2     3     4     5     6     7
3004            +-----+-----+-----+-----+-----+-----+-----+-----+
3005            |  63 |  62 |  61 |  60 |  59 |  58 |  57 |  56 | ...
3006            +-----+-----+-----+-----+-----+-----+-----+-----+

3008               8     9    10    11    12    13    14    15
3009            +-----+-----+-----+-----+-----+-----+-----+-----+
3010        ... |  55 |  54 |  53 |  52 |  51 |  50 |  49 |  48 |...
3011            +-----+-----+-----+-----+-----+-----+-----+-----+

3013              16    17    18    19    20    21    22    23
3014            +-----+-----+-----+-----+-----+-----+-----+-----+
3015        ... |  47 |  46 |  45 |  44 |  43 |  42 |  41 |  40 |...
3016            +-----+-----+-----+-----+-----+-----+-----+-----+

3018                                  . . .

3020              56    57    58    59    60    61    62    63
3021            +-----+-----+-----+-----+-----+-----+-----+-----+
3022        ... |   7 |   6 |   5 |   4 |   3 |   2 |   1 |   0 |
3023            +-----+-----+-----+-----+-----+-----+-----+-----+

3025     Abstract Data Type: unsigned64
3026     Data Type Semantics: flags
3027     ElementId: 209
3028     Status: current
3029     Reference:
3030        See RFC 793 for the definition of TCP options.  See the list of
3031        TCP option numbers assigned by IANA at
3032        http://www.iana.org/assignments/tcp-parameters.

3034  5.9.  Flow Timestamps

3036     Information Elements in this section are timestamps of events.

3038     Timestamps flowStartSeconds, flowEndSeconds, flowStartMilliseconds,
3039     flowEndMilliseconds, flowStartMicroseconds, flowEndMicroseconds,
3040     flowStartNanoseconds, flowEndNanoseconds, and
3041     systemInitTimeMilliseconds are absolute and have a well-defined fixed
3042     time base, such as, for example, the number of seconds since 0000 UTC
3043     Jan 1st 1970.

3045     Timestamps flowStartDeltaMicroseconds and flowEndDeltaMicroseconds
3046     are relative timestamps only valid within the scope of a single IPFIX
3047     Message.  They contain the negative time offsets relative to the
3048     export time specified in the IPFIX Message Header.  The maximum time
3049     offset that can be encoded by these delta counters is 1 hour, 11
3050     minutes, and 34.967295 seconds.

3052     Timestamps flowStartSysUpTime and flowEndSysUpTime are relative
3053     timestamps indicating the time relative to the last (re-
3054     )initialization of the IPFIX Device.  For reporting the time of the
3055     last (re-)initialization, systemInitTimeMilliseconds can be reported,
3056     for example, in Data Records defined by Option Templates.
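
Added example (not part of the draft): a collector-side sketch that puts the three timestamp families described above on one UTC timeline, as needed when flow records from several exporters are merged for an investigation. It assumes records are dicts keyed by Information Element name and that the Message Header export time is given in seconds since the 1970 epoch; the function names and the sample values are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
U32_MAX = 2**32 - 1

# Largest offset an unsigned32 microsecond delta can carry.
MAX_DELTA = timedelta(microseconds=U32_MAX)

# Absolute elements, most precise first, with their units per second.
ABSOLUTE = (("Nanoseconds", 10**9), ("Microseconds", 10**6),
            ("Milliseconds", 10**3), ("Seconds", 1))


def from_epoch(value, units_per_second):
    """Convert an epoch count to UTC; sub-microsecond digits are truncated."""
    return EPOCH + timedelta(microseconds=value * 10**6 // units_per_second)


def resolve(record, edge, export_time_s=None, system_init_ms=None):
    """Return (utc_datetime, element_name) for edge 'Start' or 'End'."""
    for suffix, per_second in ABSOLUTE:
        name = f"flow{edge}{suffix}"
        if name in record:
            return from_epoch(record[name], per_second), name

    name = f"flow{edge}DeltaMicroseconds"
    if name in record:
        # Only meaningful together with the header of the same IPFIX Message.
        if export_time_s is None:
            raise ValueError(f"{name} needs the export time of its Message")
        if not 0 <= record[name] <= U32_MAX:
            raise ValueError(f"{name} is outside the unsigned32 range")
        # The offset is negative: the packet was seen before the export time.
        offset = timedelta(microseconds=record[name])
        return from_epoch(export_time_s, 1) - offset, name

    name = f"flow{edge}SysUpTime"
    if name in record:
        # Relative to the last (re-)initialization of the IPFIX Device.
        if system_init_ms is None:
            raise ValueError(f"{name} needs systemInitTimeMilliseconds")
        return from_epoch(system_init_ms + record[name], 10**3), name

    raise KeyError(f"no flow{edge}* timestamp in record")


def flow_interval(record, export_time_s=None, system_init_ms=None):
    """Return (start, end) in UTC and reject intervals that run backwards."""
    start, _ = resolve(record, "Start", export_time_s, system_init_ms)
    end, _ = resolve(record, "End", export_time_s, system_init_ms)
    if end < start:
        raise ValueError("flow ends before it starts; check the time base")
    return start, end


# Constructed sample data (not taken from any capture).
EXPORT_TIME_S = 1319760000            # 2011-10-28 00:00:00 UTC
SYSTEM_INIT_MS = 1319756400000        # device initialized one hour earlier
DELTA_RECORD = {"flowStartDeltaMicroseconds": 2500000,
                "flowEndDeltaMicroseconds": 250000}
UPTIME_RECORD = {"flowStartSysUpTime": 3590000,
                 "flowEndSysUpTime": 3599500}
ABSOLUTE_RECORD = {"flowStartMilliseconds": 1319759990123,
                   "flowEndSeconds": 1319759995}

if __name__ == "__main__":
    print("max delta:", MAX_DELTA)
    print(flow_interval(DELTA_RECORD, export_time_s=EXPORT_TIME_S))
    print(flow_interval(UPTIME_RECORD, system_init_ms=SYSTEM_INIT_MS))
    print(flow_interval(ABSOLUTE_RECORD))
```

A delta timestamp stored without the export time of its own Message cannot be placed on the timeline later, so the sketch refuses to resolve it rather than guessing.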
3058     +-----+---------------------------+-----+---------------------------+
3059     | ID  | Name                      | ID  | Name                      |
3060     +-----+---------------------------+-----+---------------------------+
3061     | 150 | flowStartSeconds          | 156 | flowStartNanoseconds      |
3062     | 151 | flowEndSeconds            | 157 | flowEndNanoseconds        |
3063     | 152 | flowStartMilliseconds     | 158 | flowStartDeltaMicroseconds|
3064     | 153 | flowEndMilliseconds       | 159 | flowEndDeltaMicroseconds  |
3065     | 154 | flowStartMicroseconds     | 160 | systemInitTimeMilliseconds|
3066     | 155 | flowEndMicroseconds       |  22 | flowStartSysUpTime        |
3067     |     |                           |  21 | flowEndSysUpTime          |
3068     +-----+---------------------------+-----+---------------------------+

3070  5.9.1.  flowStartSeconds

3072     Description:
3073        The absolute timestamp of the first packet of this Flow.
3074     Abstract Data Type: dateTimeSeconds
3075     ElementId: 150
3076     Status: current
3077     Units: seconds
3078  5.9.2.  flowEndSeconds

3080     Description:
3081        The absolute timestamp of the last packet of this Flow.

3083     Abstract Data Type: dateTimeSeconds
3084     ElementId: 151
3085     Status: current
3086     Units: seconds

3088  5.9.3.  flowStartMilliseconds

3090     Description:
3091        The absolute timestamp of the first packet of this Flow.
3092     Abstract Data Type: dateTimeMilliseconds
3093     ElementId: 152
3094     Status: current
3095     Units: milliseconds

3097  5.9.4.  flowEndMilliseconds

3099     Description:
3100        The absolute timestamp of the last packet of this Flow.
3101     Abstract Data Type: dateTimeMilliseconds
3102     ElementId: 153
3103     Status: current
3104     Units: milliseconds

3106  5.9.5.  flowStartMicroseconds

3108     Description:
3109        The absolute timestamp of the first packet of this Flow.
3110     Abstract Data Type: dateTimeMicroseconds
3111     ElementId: 154
3112     Status: current
3113     Units: microseconds

3115  5.9.6.  flowEndMicroseconds

3117     Description:
3118        The absolute timestamp of the last packet of this Flow.
3119     Abstract Data Type: dateTimeMicroseconds
3120     ElementId: 155
3121     Status: current
3122     Units: microseconds
3123  5.9.7.  flowStartNanoseconds

3125     Description:
3126        The absolute timestamp of the first packet of this Flow.
3127     Abstract Data Type: dateTimeNanoseconds
3128     ElementId: 156
3129     Status: current
3130     Units: nanoseconds

3132  5.9.8.  flowEndNanoseconds

3134     Description:
3135        The absolute timestamp of the last packet of this Flow.
3136     Abstract Data Type: dateTimeNanoseconds
3137     ElementId: 157
3138     Status: current
3139     Units: nanoseconds

3141  5.9.9.  flowStartDeltaMicroseconds

3143     Description:
3144        This is a relative timestamp only valid within the scope of a
3145        single IPFIX Message.  It contains the negative time offset of the
3146        first observed packet of this Flow relative to the export time
3147        specified in the IPFIX Message Header.
3148     Abstract Data Type: unsigned32
3149     ElementId: 158
3150     Status: current
3151     Units: microseconds
3152     Reference:
3153        See the IPFIX protocol specification [RFC5101] for the
3154        definition of the IPFIX Message Header.

3156  5.9.10.  flowEndDeltaMicroseconds

3158     Description:
3159        This is a relative timestamp only valid within the scope of a
3160        single IPFIX Message.  It contains the negative time offset of the
3161        last observed packet of this Flow relative to the export time
3162        specified in the IPFIX Message Header.
3163     Abstract Data Type: unsigned32
3164     ElementId: 159
3165     Status: current
3166     Units: microseconds
3167     Reference:
3168        See the IPFIX protocol specification [RFC5101] for the
3169        definition of the IPFIX Message Header.

3171  5.9.11.  systemInitTimeMilliseconds

3173     Description:
3174        The absolute timestamp of the last (re-)initialization of the
3175        IPFIX Device.
3176     Abstract Data Type: dateTimeMilliseconds
3177     ElementId: 160
3178     Status: current
3179     Units: milliseconds

3181  5.9.12.  flowStartSysUpTime

3183     Description:
3184        The relative timestamp of the first packet of this Flow.  It
3185        indicates the number of milliseconds since the last
3186        (re-)initialization of the IPFIX Device (sysUpTime).
3187     Abstract Data Type: unsigned32
3188     ElementId: 22
3189     Status: current
3190     Units: milliseconds

3192  5.9.13.  flowEndSysUpTime

3194     Description:
3195        The relative timestamp of the last packet of this Flow.  It
3196        indicates the number of milliseconds since the last
3197        (re-)initialization of the IPFIX Device (sysUpTime).
3198     Abstract Data Type: unsigned32
3199     ElementId: 21
3200     Status: current
3201     Units: milliseconds

3203  5.10.  Per-Flow Counters

3205     Information Elements in this section are counters all having integer
3206     values.  Their values may change for every report they are used in.
3207     They cannot serve as part of a Flow Key used for mapping packets to
3208     Flows.  However, potentially they can be used for selecting exported
3209     Flows, for example, by only exporting Flows with more than a
3210     threshold number of observed octets.

3212     There are running counters and delta counters.  Delta counters are
3213     reset to zero each time their values are exported.  Running counters
3214     continue counting independently of the Exporting Process.

3216     There are per-Flow counters and counters related to the Metering
3217     Process and/or the Exporting Process.  Per-Flow counters are Flow
3218     properties that potentially change each time a packet belonging to
3219     the Flow is observed.  The set of per-Flow counters includes the
3220     Information Elements listed in the table below.  Counters related to
3221     the Metering Process and/or the Exporting Process are described in
3222     Section 5.3.
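
Added example (not part of the draft): a collector-side check that uses the difference between delta counters and running counters described above to notice reports that never arrived. It assumes the exporter places both octetDeltaCount and octetTotalCount in every report for the same Flow and Observation Point; the dict representation, the names and the sample reports are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    index: int           # position of the report in the input sequence
    kind: str            # "baseline", "ok", "gap", "reinit" or "inconsistent"
    missing_octets: int  # octets the running counter saw but no delta reported


def reconcile(reports):
    """Compare each delta counter with the advance of the running counter.

    A delta counter restarts at zero after every export, so when no report
    is lost the running counter advances by exactly the delta of the next
    report.  A larger advance means intermediate reports are missing.
    """
    findings = []
    previous_total = None
    for index, report in enumerate(reports):
        delta = report["octetDeltaCount"]
        total = report["octetTotalCount"]

        if previous_total is None:
            # First report seen by this collector: nothing to compare with.
            kind, missing = "baseline", 0
        elif total < previous_total:
            # The running counter restarted: Metering Process
            # (re-)initialization.  Start a new baseline.
            kind, missing = "reinit", 0
        else:
            advanced = total - previous_total
            if advanced == delta:
                kind, missing = "ok", 0
            elif advanced > delta:
                kind, missing = "gap", advanced - delta
            else:
                # The delta claims more octets than the running counter moved.
                kind, missing = "inconsistent", 0

        findings.append(Finding(index, kind, missing))
        previous_total = total
    return findings


def total_missing(findings):
    """Octets that were counted by the exporter but never reported here."""
    return sum(f.missing_octets for f in findings)


# Constructed sample: the report carrying 4000 octets between the second and
# third entries was lost, and the Metering Process restarted before the fourth.
SAMPLE_REPORTS = [
    {"octetDeltaCount": 1500, "octetTotalCount": 1500},
    {"octetDeltaCount": 3000, "octetTotalCount": 4500},
    {"octetDeltaCount": 1000, "octetTotalCount": 9500},
    {"octetDeltaCount": 500, "octetTotalCount": 500},
    {"octetDeltaCount": 700, "octetTotalCount": 1200},
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_REPORTS):
        print(finding)
    print("missing octets:", total_missing(reconcile(SAMPLE_REPORTS)))
```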

   +-----+---------------------------+-----+---------------------------+
   |  ID | Name                      |  ID | Name                      |
   +-----+---------------------------+-----+---------------------------+
   |   1 | octetDeltaCount           | 134 | droppedOctetTotalCount    |
   |  23 | postOctetDeltaCount       | 135 | droppedPacketTotalCount   |
   | 198 | octetDeltaSumOfSquares    |  19 | postMCastPacketDeltaCount |
   |  85 | octetTotalCount           |  20 | postMCastOctetDeltaCount  |
   | 171 | postOctetTotalCount       | 174 | postMCastPacketTotalCount |
   | 199 | octetTotalSumOfSquares    | 175 | postMCastOctetTotalCount  |
   |   2 | packetDeltaCount          | 218 | tcpSynTotalCount          |
   |  24 | postPacketDeltaCount      | 219 | tcpFinTotalCount          |
   |  86 | packetTotalCount          | 220 | tcpRstTotalCount          |
   | 172 | postPacketTotalCount      | 221 | tcpPshTotalCount          |
   | 132 | droppedOctetDeltaCount    | 222 | tcpAckTotalCount          |
   | 133 | droppedPacketDeltaCount   | 223 | tcpUrgTotalCount          |
   +-----+---------------------------+-----+---------------------------+

5.10.1.  octetDeltaCount

   Description:
      The number of octets since the previous report (if any) in
      incoming packets for this Flow at the Observation Point. The
      number of octets includes IP header(s) and IP payload.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 1
   Status: current
   Units: octets

5.10.2.  postOctetDeltaCount

   Description:
      The definition of this Information Element is identical to the
      definition of Information Element 'octetDeltaCount', except that
      it reports a potentially modified value caused by a middlebox
      function after the packet passed the Observation Point.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 23
   Status: current
   Units: octets

5.10.3.  octetDeltaSumOfSquares

   Description:
      The sum of the squared numbers of octets per incoming packet since
      the previous report (if any) for this Flow at the Observation
      Point. The number of octets includes IP header(s) and IP payload.
   Abstract Data Type: unsigned64
   ElementId: 198
   Status: current

5.10.4.  octetTotalCount

   Description:
      The total number of octets in incoming packets for this Flow at
      the Observation Point since the Metering Process
      (re-)initialization for this Observation Point. The number
      of octets includes IP header(s) and IP payload.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 85
   Status: current
   Units: octets

5.10.5.  postOctetTotalCount

   Description:
      The definition of this Information Element is identical to the
      definition of Information Element 'octetTotalCount', except that
      it reports a potentially modified value caused by a middlebox
      function after the packet passed the Observation Point.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 171
   Status: current
   Units: octets

5.10.6.  octetTotalSumOfSquares

   Description:
      The total sum of the squared numbers of octets in incoming packets
      for this Flow at the Observation Point since the Metering Process
      (re-)initialization for this Observation Point. The number of
      octets includes IP header(s) and IP payload.
   Abstract Data Type: unsigned64
   ElementId: 199
   Status: current
   Units: octets

5.10.7.  packetDeltaCount

   Description:
      The number of incoming packets since the previous report (if any)
      for this Flow at the Observation Point.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 2
   Status: current
   Units: packets

5.10.8.  postPacketDeltaCount

   Description:
      The definition of this Information Element is identical to the
      definition of Information Element 'packetDeltaCount', except that
      it reports a potentially modified value caused by a middlebox
      function after the packet passed the Observation Point.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 24
   Status: current
   Units: packets

5.10.9.  packetTotalCount

   Description:
      The total number of incoming packets for this Flow at the
      Observation Point since the Metering Process (re-)initialization
      for this Observation Point.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 86
   Status: current
   Units: packets

5.10.10.  postPacketTotalCount

   Description:
      The definition of this Information Element is identical to the
      definition of Information Element 'packetTotalCount', except that
      it reports a potentially modified value caused by a middlebox
      function after the packet passed the Observation Point.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 172
   Status: current
   Units: packets

5.10.11.  droppedOctetDeltaCount

   Description:
      The number of octets since the previous report (if any) in packets
      of this Flow dropped by packet treatment. The number of octets
      includes IP header(s) and IP payload.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 132
   Status: current
   Units: octets

5.10.12.  droppedPacketDeltaCount

   Description:
      The number of packets since the previous report (if any) of this
      Flow dropped by packet treatment.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 133
   Status: current
   Units: packets

5.10.13.  droppedOctetTotalCount

   Description:
      The total number of octets in packets of this Flow dropped by
      packet treatment since the Metering Process (re-)initialization
      for this Observation Point. The number of octets includes IP
      header(s) and IP payload.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 134
   Status: current
   Units: octets

5.10.14.  droppedPacketTotalCount

   Description:
      The number of packets of this Flow dropped by packet treatment
      since the Metering Process (re-)initialization for this
      Observation Point.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 135
   Status: current
   Units: packets

5.10.15.  postMCastPacketDeltaCount

   Description:
      The number of outgoing multicast packets since the previous report
      (if any) sent for packets of this Flow by a multicast daemon
      within the Observation Domain. This property cannot necessarily
      be observed at the Observation Point, but may be retrieved by
      other means.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 19
   Status: current
   Units: packets

5.10.16.  postMCastOctetDeltaCount

   Description:
      The number of octets since the previous report (if any) in
      outgoing multicast packets sent for packets of this Flow by a
      multicast daemon within the Observation Domain. This property
      cannot necessarily be observed at the Observation Point, but may
      be retrieved by other means. The number of octets includes IP
      header(s) and IP payload.
   Abstract Data Type: unsigned64
   Data Type Semantics: deltaCounter
   ElementId: 20
   Status: current
   Units: octets

5.10.17.  postMCastPacketTotalCount

   Description:
      The total number of outgoing multicast packets sent for packets of
      this Flow by a multicast daemon within the Observation Domain
      since the Metering Process (re-)initialization. This property
      cannot necessarily be observed at the Observation Point, but may
      be retrieved by other means.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 174
   Status: current
   Units: packets

5.10.18.  postMCastOctetTotalCount

   Description:
      The total number of octets in outgoing multicast packets sent for
      packets of this Flow by a multicast daemon in the Observation
      Domain since the Metering Process (re-)initialization. This
      property cannot necessarily be observed at the Observation Point,
      but may be retrieved by other means. The number of octets
      includes IP header(s) and IP payload.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 175
   Status: current
   Units: octets

5.10.19.  tcpSynTotalCount

   Description:
      The total number of packets of this Flow with TCP "Synchronize
      sequence numbers" (SYN) flag set.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 218
   Status: current
   Units: packets
   Reference:
      See RFC 793 for the definition of the TCP SYN flag.

5.10.20.  tcpFinTotalCount

   Description:
      The total number of packets of this Flow with TCP "No more data
      from sender" (FIN) flag set.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 219
   Status: current
   Units: packets
   Reference:
      See RFC 793 for the definition of the TCP FIN flag.

5.10.21.  tcpRstTotalCount

   Description:
      The total number of packets of this Flow with TCP "Reset the
      connection" (RST) flag set.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 220
   Status: current
   Units: packets
   Reference:
      See RFC 793 for the definition of the TCP RST flag.

5.10.22.  tcpPshTotalCount

   Description:
      The total number of packets of this Flow with TCP "Push Function"
      (PSH) flag set.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 221
   Status: current
   Units: packets
   Reference:
      See RFC 793 for the definition of the TCP PSH flag.

5.10.23.  tcpAckTotalCount

   Description:
      The total number of packets of this Flow with TCP "Acknowledgment
      field significant" (ACK) flag set.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 222
   Status: current
   Units: packets
   Reference:
      See RFC 793 for the definition of the TCP ACK flag.

5.10.24.  tcpUrgTotalCount

   Description:
      The total number of packets of this Flow with TCP "Urgent Pointer
      field significant" (URG) flag set.
   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 223
   Status: current
   Units: packets
   Reference:
      See RFC 793 for the definition of the TCP URG flag.

5.11.  Miscellaneous Flow Properties

   Information Elements in this section describe properties of Flows
   that are related to Flow start, Flow duration, and Flow termination,
   but they are not timestamps as the Information Elements in Section
   5.9 are.
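
The relative timestamps of Sections 5.9.9 to 5.9.13 and the deltaCounter/totalCounter semantics of Section 5.10 have to be resolved by the Collector, and the values arrive from an Exporter it should not trust blindly. The Python below is an added example, not part of the draft: it resolves the offsets, rejects records that contradict the definitions, and reconciles counters across reports. The function and class names and the sample reports are constructed; the Export Time unit (seconds since the UNIX epoch) comes from the protocol specification, and selecting counters by the name suffixes DeltaCount/TotalCount is a shortcut that holds for the table in Section 5.10.

```python
from dataclasses import dataclass, field

U32_MAX = 2**32 - 1   # range of the unsigned32 Information Elements
U64_MAX = 2**64 - 1   # range of the unsigned64 counters


class RecordError(ValueError):
    """A decoded record contradicts the definitions in Section 5."""


def _in_range(name, value, maximum):
    if not isinstance(value, int) or not 0 <= value <= maximum:
        raise RecordError(f"{name}={value!r} is outside 0..{maximum}")
    return value


def flow_times_from_deltas(export_time_s, start_delta_us, end_delta_us):
    """Resolve flowStartDeltaMicroseconds and flowEndDeltaMicroseconds.

    Both are negative offsets from the Export Time of the enclosing IPFIX
    Message, so they are subtracted from it. Assumption taken from the
    protocol specification: Export Time is whole seconds since the UNIX
    epoch. Returns (start_us, end_us) in microseconds since the epoch.
    """
    export_us = _in_range("exportTime", export_time_s, U32_MAX) * 1_000_000
    start = _in_range("flowStartDeltaMicroseconds", start_delta_us, U32_MAX)
    end = _in_range("flowEndDeltaMicroseconds", end_delta_us, U32_MAX)
    # The first packet lies further in the past than the last one, so the
    # start offset must be the larger of the two.
    if start < end:
        raise RecordError("offsets describe a Flow that ends before it starts")
    return export_us - start, export_us - end


def flow_time_from_sysuptime(system_init_ms, sysuptime_ms):
    """Resolve flowStartSysUpTime or flowEndSysUpTime to milliseconds since
    the epoch, using systemInitTimeMilliseconds as the base. unsigned32
    milliseconds wrap after about 49.7 days; one record alone cannot show it.
    """
    _in_range("systemInitTimeMilliseconds", system_init_ms, U64_MAX)
    return system_init_ms + _in_range("sysUpTime", sysuptime_ms, U32_MAX)


@dataclass
class FlowCounters:
    """Collector-side state for one Flow across successive reports."""
    summed: dict = field(default_factory=dict)  # deltaCounter -> sum of reports
    totals: dict = field(default_factory=dict)  # totalCounter -> last value seen
    resets: list = field(default_factory=list)  # totalCounters that went backwards

    def update(self, record):
        for name, value in record.items():
            if name.endswith("DeltaCount"):
                # Delta counters restart at zero after every export, so the
                # Collector has to add them up itself.
                _in_range(name, value, U64_MAX)
                self.summed[name] = self.summed.get(name, 0) + value
            elif name.endswith("TotalCount"):
                # Total counters run since the Metering Process
                # (re-)initialization. A lower value than last time means
                # counting restarted; never compute a negative difference.
                _in_range(name, value, U64_MAX)
                previous = self.totals.get(name)
                if previous is not None and value < previous:
                    self.resets.append(name)
                self.totals[name] = value


def replay(reports):
    """Feed a sequence of decoded Data Records for one Flow into FlowCounters."""
    state = FlowCounters()
    for record in reports:
        state.update(record)
    return state


# Constructed sample: three reports for one Flow; the third follows a restart.
SAMPLE_REPORTS = [
    {"octetDeltaCount": 1500, "octetTotalCount": 1500,
     "packetDeltaCount": 1, "packetTotalCount": 1},
    {"octetDeltaCount": 3000, "octetTotalCount": 4500,
     "packetDeltaCount": 2, "packetTotalCount": 3},
    {"octetDeltaCount": 400, "octetTotalCount": 400,
     "packetDeltaCount": 1, "packetTotalCount": 1},
]

if __name__ == "__main__":
    print(flow_times_from_deltas(1_700_000_000, 2_500_000, 500_000))
    print(flow_time_from_sysuptime(1_700_000_000_000, 90_000))
    print(replay(SAMPLE_REPORTS))
```

Because the delta timestamps are unsigned32 microseconds, they can only reach back about 71.6 minutes before the export time; older Flows need one of the absolute or sysUpTime-based elements.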

   +-----+---------------------------+-----+---------------------------+
   |  ID | Name                      |  ID | Name                      |
   +-----+---------------------------+-----+---------------------------+
   |  36 | flowActiveTimeout         | 161 | flowDurationMilliseconds  |
   |  37 | flowIdleTimeout           | 162 | flowDurationMicroseconds  |
   | 136 | flowEndReason             |  61 | flowDirection             |
   +-----+---------------------------+-----+---------------------------+

5.11.1.  flowActiveTimeout

   Description:
      The number of seconds after which an active Flow is timed out
      anyway, even if there is still a continuous flow of packets.
   Abstract Data Type: unsigned16
   ElementId: 36
   Status: current
   Units: seconds

5.11.2.  flowIdleTimeout

   Description:
      A Flow is considered to be timed out if no packets belonging to
      the Flow have been observed for the number of seconds specified by
      this field.
   Abstract Data Type: unsigned16
   ElementId: 37
   Status: current
   Units: seconds

5.11.3.  flowEndReason

   Description:
      The reason for Flow termination. The range of values includes the
      following:

      0x01: idle timeout
            The Flow was terminated because it was considered to be
            idle.

      0x02: active timeout
            The Flow was terminated for reporting purposes while it was
            still active, for example, after the maximum lifetime of
            unreported Flows was reached.

      0x03: end of Flow detected
            The Flow was terminated because the Metering Process
            detected signals indicating the end of the Flow, for
            example, the TCP FIN flag.

      0x04: forced end
            The Flow was terminated because of some external event, for
            example, a shutdown of the Metering Process initiated by a
            network management application.

      0x05: lack of resources
            The Flow was terminated because of lack of resources
            available to the Metering Process and/or the Exporting
            Process.

   Abstract Data Type: unsigned8
   Data Type Semantics: identifier
   ElementId: 136
   Status: current

5.11.4.  flowDurationMilliseconds

   Description:
      The difference in time between the first observed packet of this
      Flow and the last observed packet of this Flow.
   Abstract Data Type: unsigned32
   ElementId: 161
   Status: current
   Units: milliseconds

5.11.5.  flowDurationMicroseconds

   Description:
      The difference in time between the first observed packet of this
      Flow and the last observed packet of this Flow.
   Abstract Data Type: unsigned32
   ElementId: 162
   Status: current
   Units: microseconds

5.11.6.  flowDirection

   Description:
      The direction of the Flow observed at the Observation Point.
      There are only two values defined.

      0x00: ingress flow
      0x01: egress flow

   Abstract Data Type: unsigned8
   Data Type Semantics: identifier
   ElementId: 61
   Status: current

5.12.  Padding

   This section contains a single Information Element that can be used
   for padding of Flow Records.

   IPFIX implementations may wish to align Information Elements within
   Data Records or to align entire Data Records to 4-octet or 8-octet
   boundaries. This can be achieved by including one or more
   paddingOctets Information Elements in a Data Record.

   +-----+---------------------------+-----+---------------------------+
   |  ID | Name                      |  ID | Name                      |
   +-----+---------------------------+-----+---------------------------+
   | 210 | paddingOctets             |     |                           |
   +-----+---------------------------+-----+---------------------------+

5.12.1.  paddingOctets

   Description:
      The value of this Information Element is always a sequence of 0x00
      values.
   Abstract Data Type: octetArray
   ElementId: 210
   Status: current

6.  Extending the Information Model

   A key requirement for IPFIX is to allow for extending the set of
   Information Elements that are reported. This section defines the
   mechanism for extending this set.

   Extension can be done by defining new Information Elements. Each new
   Information Element MUST be assigned a unique Information Element
   identifier as part of its definition. These unique Information
   Element identifiers are the connection between the record structure
   communicated by the protocol using Templates and a consuming
   application. For generally applicable Information Elements, using
   IETF and IANA mechanisms to extend the information model is
   RECOMMENDED.

   Names of new Information Elements SHOULD be chosen according to the
   naming conventions given in Section 2.3.

   For extensions, the type space defined in Section 3 can be used. If
   required, new abstract data types can be added. New abstract data
   types MUST be defined in IETF Standards Track documents.

   Enterprises may wish to define Information Elements without
   registering them with IANA. IPFIX explicitly supports
   enterprise-specific Information Elements. Enterprise-specific
   Information Elements are described in Sections 2.1 and 4.

   However, before creating enterprise-specific Information Elements,
   the general applicability of such Information Elements should be
   considered. IPFIX does not support enterprise-specific abstract data
   types.

7.  IANA Considerations

7.1.  IPFIX Information Elements

   This document specifies an initial set of IPFIX Information Elements.
   The list of these Information Elements with their identifiers is
   given in Section 4. The Internet Assigned Numbers Authority (IANA)
   has created a new registry for IPFIX Information Element
   identifiers and filled it with the initial list in Section 4.

   New assignments for IPFIX Information Elements will be administered
   by IANA through Expert Review [RFC5226], i.e., review by one of a
   group of experts designated by an IETF Area Director. The group of
   experts MUST check the requested Information Element for completeness
   and accuracy of the description and for correct naming according to
   the naming conventions in Section 2.3. Requests for Information
   Elements that duplicate the functionality of existing Information
   Elements SHOULD be declined. The smallest available identifier
   SHOULD be assigned to a new Information Element.

   The specification of new IPFIX Information Elements MUST use the
   template specified in Section 2.1 and MUST be published using a
   well-established and persistent publication medium. The experts
   will initially be drawn from the Working Group Chairs and document
   editors of the IPFIX and PSAMP Working Groups.

7.2.  MPLS Label Type Identifier

   Information Element #46, named mplsTopLabelType, carries MPLS label
   types. Values for 5 different types have initially been defined.
   For ensuring extensibility of this information, IANA has created
   a new registry for MPLS label types and filled it with the
   initial list from the description of Information Element #46,
   mplsTopLabelType.

   New assignments for MPLS label types will be administered by IANA
   through Expert Review [RFC5226], i.e., review by one of a group of
   experts designated by an IETF Area Director. The group of experts
   must double check the label type definitions with already defined
   label types for completeness, accuracy, and redundancy. The
   specification of new MPLS label types MUST be published using a
   well-established and persistent publication medium.

7.3.  XML Namespace and Schema

   Appendix B defines an XML schema for IPFIX Information Element
   definitions. All Information Elements specified in this document are
   defined by the XML specification in Appendix A that is a valid XML
   record according to the schema in Appendix B. This schema may also
   be used for specifying further Information Elements in future
   extensions of the IPFIX information model in a machine-readable way.

   Appendix B uses URNs to describe an XML namespace and an XML schema for
   IPFIX Information Elements conforming to a registry mechanism
   described in [RFC3688]. Two URI assignments have been made.

   1.  Registration for the IPFIX information model namespace
       *  URI: urn:ietf:params:xml:ns:ipfix-info
       *  Registrant Contact: IETF IPFIX Working Group,
          as designated by the IESG.
       *  XML: None. Namespace URIs do not represent an XML.

   2.  Registration for the IPFIX information model schema
       *  URI: urn:ietf:params:xml:schema:ipfix-info
       *  Registrant Contact: IETF IPFIX Working Group,
          as designated by the IESG.
       *  XML: See Appendix B of this document.

8.  Security Considerations

   The IPFIX information model itself does not directly introduce security
   issues. Rather, it defines a set of attributes that may for privacy or
   business issues be considered sensitive information.

   For example, exporting values of header fields may make attacks possible
   for the receiver of this information, which would otherwise only be
   possible for direct observers of the reported Flows along the data path.

   The underlying protocol used to exchange the information described here
   must therefore apply appropriate procedures to guarantee the integrity
   and confidentiality of the exported information. Such protocols are
   defined in separate documents, specifically the IPFIX protocol document
   [RFC5101bis].

   This document does not specify any Information Element carrying keying
   material. If future extensions will do so, then appropriate precautions
   need to be taken for properly protecting such sensitive information.

9.  Acknowledgements

   The editors thank Paul Callato for creating the initial version of this
   document, and Thomas Dietz for developing the XSLT scripts that generate
   large portions of the text part of this document from the XML
   appendices.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5905]  Mills, D., Delaware, U., Martin, J., Burbank, J. and W.
              Kasch, "Network Time Protocol Version 4: Protocol and
              Algorithms Specification", RFC 5905, June 2010.

   [RFC5101bis]  Claise, B., "Specification of the IP Flow Information
              eXport (IPFIX) Protocol for the Exchange of IP Traffic
              Flow Information", draft-claise-ipfix-protocol-rfc5101bis-
              02, Work in Progress, October 2011.

10.2.  Informative References

   [IEEE.754.1985]
              Institute of Electrical and Electronics Engineers,
              "Standard for Binary Floating-Point Arithmetic", IEEE
              Standard 754, August 1985.

   [IEEE.802-11.1999]
              "Information technology - Telecommunications and
              information exchange between systems - Local and
              metropolitan area networks - Specific requirements - Part
              11: Wireless LAN Medium Access Control (MAC) and Physical
              Layer (PHY) specifications", IEEE Standard 802.11, 1999.

   [IEEE.802-1Q.2003]
              Institute of Electrical and Electronics Engineers, "Local
              and Metropolitan Area Networks: Virtual Bridged Local Area
              Networks", IEEE Standard 802.1Q, March 2003.

   [IEEE.802-3.2002]
              "Information technology - Telecommunications and
              information exchange between systems - Local and
              metropolitan area networks - Specific requirements - Part
              3: Carrier sense multiple access with collision detection
              (CSMA/CD) access method and physical layer
              specifications", IEEE Standard 802.3, September 2002.

   [ISO.10646-1.1993]
              International Organization for Standardization,
              "Information Technology - Universal Multiple-octet coded
              Character Set (UCS) - Part 1: Architecture and Basic
              Multilingual Plane", ISO Standard 10646-1, May 1993.

   [ISO.646.1991]
              International Organization for Standardization,
              "Information technology - ISO 7-bit coded character set
              for information interchange", ISO Standard 646, 1991.

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, September
              1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7, RFC
              793, September 1981.

   [RFC1108]  Kent, S., "U.S. Department of Defense Security Options for
              the Internet Protocol", RFC 1108, November 1991.

   [RFC1112]  Deering, S., "Host extensions for IP multicasting", STD 5,
              RFC 1112, August 1989.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
              November 1990.

   [RFC1323]  Jacobson, V., Braden, R., and D. Borman, "TCP Extensions
              for High Performance", RFC 1323, May 1992.

   [RFC1385]  Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385,
              November 1992.

   [RFC1812]  Baker, F., Ed., "Requirements for IP Version 4 Routers",
              RFC 1812, June 1995.

   [RFC1930]  Hawkinson, J. and T. Bates, "Guidelines for creation,
              selection, and registration of an Autonomous System (AS)",
              BCP 6, RFC 1930, March 1996.

   [RFC2113]  Katz, D., "IP Router Alert Option", RFC 2113, February
              1997.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC2578]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Structure of Management Information Version 2 (SMIv2)",
              STD 58, RFC 2578, April 1999.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC2675]  Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms",
              RFC 2675, August 1999.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, June 2000.

   [RFC3031]  Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol
              Label Switching Architecture", RFC 3031, January 2001.

   [RFC3032]  Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
              Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
              Encoding", RFC 3032, January 2001.

   [RFC3193]  Patel, B., Aboba, B., Dixon, W., Zorn, G., and S. Booth,
              "Securing L2TP using IPsec", RFC 3193, November 2001.

   [RFC3234]  Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
              Issues", RFC 3234, February 2002.

   [RFC3260]  Grossman, D., "New Terminology and Clarifications for
              Diffserv", RFC 3260, April 2002.

   [RFC3270]  Le Faucheur, F., Wu, L., Davie, B., Davari, S., Vaananen,
              P., Krishnan, R., Cheval, P., and J. Heinanen, "Multi-
              Protocol Label Switching (MPLS) Support of Differentiated
              Services", RFC 3270, May 2002.

   [RFC3376]  Cain, B., Deering, S., Kouvelas, I., Fenner, B., and A.
              Thyagarajan, "Internet Group Management Protocol, Version
              3", RFC 3376, October 2002.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444, January
              2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander,
              "Requirements for IP Flow Information Export (IPFIX)", RFC
              3917, October 2004.

   [RFC3954]  Claise, B., Ed., "Cisco Systems NetFlow Services Export
              Version 9", RFC 3954, October 2004.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271, January
              2006.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, February 2006.

   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302, December
              2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
              4303, December 2005.

   [RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
              Networks (VPNs)", RFC 4364, February 2006.

   [RFC4382]  Nadeau, T., Ed., and H. van der Linde, Ed., "MPLS/BGP
              Layer 3 Virtual Private Network (VPN) Management
              Information Base", RFC 4382, February 2006.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", RFC 4443, March
              2006.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
              RFC 4960, September 2007.

   [RFC5036]  Andersson, L., Ed., Minei, I., Ed., and B. Thomas, Ed.,
              "LDP Specification", RFC 5036, October 2007.

   [RFC5103]  Trammell, B., and E. Boschi, "Bidirectional Flow Export
              Using IP Flow Information Export (IPFIX)", RFC 5103,
              January 2008.

   [RFC5153]  Boschi, E., Mark, L., Quittek, J., and P. Aitken, "IP Flow
              Information Export (IPFIX) Implementation Guidelines",
              RFC 5153, April 2008.

   [RFC5470]  Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
              "Architecture for IP Flow Information Export", RFC 5470,
              March 2009.

   [RFC5471]  Schmoll, C., Aitken, P., and B. Claise, "Guidelines for IP
              Flow Information Export (IPFIX) Testing", RFC 5471, March
              2009.

   [RFC5472]  Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IP
              Flow Information Export (IPFIX) Applicability", RFC 5472,
              March 2009.

   [RFC5473]  Boschi, E., Mark, L., and B. Claise, "Reducing Redundancy
              in IP Flow Information Export (IPFIX) and Packet Sampling
              (PSAMP) Reports", RFC 5473, March 2009.

   [RFC5610]  Boschi, E., Trammell, B., Mark, L., and T. Zseby,
              "Exporting Type Information for IP Flow Information Export
              (IPFIX) Information Elements", RFC 5610, July 2009.

   [RFC6313]  Claise, B., Dhandapani, G., Aitken, P., and S. Yates,
              "Export of Structured Data in IP Flow Information Export
              (IPFIX)", RFC 6313, July 2011.

   [RFC6183]  Kobayashi, A., Claise, B., Muenz, G., and K. Ishibashi, "IP
              Flow Information Export (IPFIX) Mediation: Framework",
              RFC 6183, April 2011.

   [IPFIX-CONF]  Muenz, G., Claise, B., and P. Aitken, "Configuration
              Data Model for IPFIX and PSAMP", draft-ietf-ipfix-
              configuration-model-10, Work in Progress, July 2011.

   [IPFIX-MED-PROTO]  Claise, B., Kobayashi, A., and B. Trammell,
              "Specification of the Protocol for IPFIX Mediations",
              draft-claise-ipfix-mediation-protocol-04, Work in
              Progress, July 2011.

   [RFC5815bis]  Dietz, T., Kobayashi, A., Claise, B., and G. Muenz,
              "Definitions of Managed Objects for IP Flow Information
              Export", draft-dkcm-ipfix-rfc5815bis-00.txt, Work in
              Progress, October 2011.

Appendix A.  XML Specification of IPFIX Information Elements

   This appendix contains a machine-readable description of the IPFIX
   information model coded in XML. Note that this appendix is of
   informational nature, while the text in Section 4 (generated from
   this appendix) is normative.
4034 Using a machine-readable syntax for the information model enables the 4035 creation of IPFIX-aware tools that can automatically adapt to 4036 extensions to the information model, by simply reading updated 4037 information model specifications. 4039 The wide availability of XML-aware tools and libraries for client 4040 devices is a primary consideration for this choice. In particular, 4041 libraries for parsing XML documents are readily available. Also, 4042 mechanisms such as the Extensible Stylesheet Language (XSL) allow for 4043 transforming a source XML document into other documents. This 4044 document was authored in XML and transformed according to [RFC2629]. 4046 It should be noted that the use of XML in Exporters, Collectors, or 4047 other tools is not mandatory for the deployment of IPFIX. In 4048 particular, Exporting Processes do not produce or consume XML as part 4049 of their operation. It is expected that IPFIX Collectors MAY take 4050 advantage of the machine readability of the information model vs. 4051 hard coding their behavior or inventing proprietary means for 4052 accommodating extensions. 4054 4056 4061 4065 4066 4067 An identifier of a line card that is unique per IPFIX 4068 Device hosting an Observation Point. Typically, this 4069 Information Element is used for limiting the scope 4070 of other Information Elements. 4071 4072 4073 4074 4078 4079 4080 An identifier of a line port that is unique per IPFIX 4081 Device hosting an Observation Point. Typically, this 4082 Information Element is used for limiting the scope 4083 of other Information Elements. 4084 4085 4086 4088 4092 4093 4094 The index of the IP interface where packets of this Flow 4095 are being received. The value matches the value of managed 4096 object 'ifIndex' as defined in RFC 2863. 
Note that ifIndex values are not assigned statically to an interface and that the interfaces may be renumbered every time the device's management system is re-initialized, as specified in RFC 2863.

See RFC 2863 for the definition of the ifIndex object.

The index of the IP interface where packets of this Flow are being sent. The value matches the value of managed object 'ifIndex' as defined in RFC 2863. Note that ifIndex values are not assigned statically to an interface and that the interfaces may be renumbered every time the device's management system is re-initialized, as specified in RFC 2863.

See RFC 2863 for the definition of the ifIndex object.

An identifier of a Metering Process that is unique per IPFIX Device. Typically, this Information Element is used for limiting the scope of other Information Elements. Note that process identifiers are typically assigned dynamically. The Metering Process may be re-started with a different ID.

An identifier of an Exporting Process that is unique per IPFIX Device. Typically, this Information Element is used for limiting the scope of other Information Elements. Note that process identifiers are typically assigned dynamically. The Exporting Process may be re-started with a different ID.

An identifier of a Flow that is unique within an Observation Domain. This Information Element can be used to distinguish between different Flows if Flow Keys such as IP addresses and port numbers are not reported or are reported in separate records.

An identifier of a Template that is locally unique within a combination of a Transport session and an Observation Domain.

Template IDs 0-255 are reserved for Template Sets, Options Template Sets, and other reserved Sets yet to be created. Template IDs of Data Sets are numbered from 256 to 65535.

Typically, this Information Element is used for limiting the scope of other Information Elements. Note that after a re-start of the Exporting Process Template identifiers may be re-assigned.

An identifier of an Observation Domain that is locally unique to an Exporting Process. The Exporting Process uses the Observation Domain ID to uniquely identify to the Collecting Process the Observation Domain where Flows were metered. It is RECOMMENDED that this identifier is also unique per IPFIX Device.

A value of 0 indicates that no specific Observation Domain is identified by this Information Element.

Typically, this Information Element is used for limiting the scope of other Information Elements.

An identifier of an Observation Point that is unique per Observation Domain. It is RECOMMENDED that this identifier is also unique per IPFIX Device. Typically, this Information Element is used for limiting the scope of other Information Elements.

An identifier of a set of common properties that is unique per Observation Domain and Transport Session. Typically, this Information Element is used to link to information reported in separate Data Records.

The IPv4 address used by the Exporting Process. This is used by the Collector to identify the Exporter in cases where the identity of the Exporter may have been obscured by the use of a proxy.

The IPv6 address used by the Exporting Process.
This is used by the Collector to identify the Exporter in cases where the identity of the Exporter may have been obscured by the use of a proxy.

The source port identifier from which the Exporting Process sends Flow information. For the transport protocols UDP, TCP, and SCTP, this is the source port number. This field MAY also be used for future transport protocols that have 16-bit source port identifiers. This field may be useful for distinguishing multiple Exporting Processes that use the same IP address.

See RFC 768 for the definition of the UDP source port field. See RFC 793 for the definition of the TCP source port field. See RFC 4960 for the definition of SCTP.

Additional information on defined UDP and TCP port numbers can be found at http://www.iana.org/assignments/port-numbers.

An IPv4 address to which the Exporting Process sends Flow information.

An IPv6 address to which the Exporting Process sends Flow information.

The index of the interface from which IPFIX Messages sent by the Exporting Process to a Collector leave the IPFIX Device. The value matches the value of managed object 'ifIndex' as defined in RFC 2863. Note that ifIndex values are not assigned statically to an interface and that the interfaces may be renumbered every time the device's management system is re-initialized, as specified in RFC 2863.

See RFC 2863 for the definition of the ifIndex object.

The protocol version used by the Exporting Process for sending Flow information. The protocol version is given by the value of the Version Number field in the Message Header.

The protocol version is 10 for IPFIX and 9 for NetFlow version 9. A value of 0 indicates that no export protocol is in use.

See the IPFIX protocol specification [RFC5101] for the definition of the IPFIX Message Header.

See RFC 3954 for the definition of the NetFlow version 9 message header.

The value of the protocol number used by the Exporting Process for sending Flow information. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.

In Internet Protocol version 4 (IPv4), this is carried in the Protocol field. In Internet Protocol version 6 (IPv6), this is carried in the Next Header field in the last extension header of the packet.

See RFC 791 for the specification of the IPv4 protocol field. See RFC 2460 for the specification of the IPv6 protocol field. See the list of protocol numbers assigned by IANA at http://www.iana.org/assignments/protocol-numbers.

The destination port identifier to which the Exporting Process sends Flow information. For the transport protocols UDP, TCP, and SCTP, this is the destination port number. This field MAY also be used for future transport protocols that have 16-bit source port identifiers.

See RFC 768 for the definition of the UDP destination port field. See RFC 793 for the definition of the TCP destination port field. See RFC 4960 for the definition of SCTP.

Additional information on defined UDP and TCP port numbers can be found at http://www.iana.org/assignments/port-numbers.

This set of bit fields is used for marking the Information Elements of a Data Record that serve as Flow Key.
Each bit represents an Information Element in the Data Record with the n-th bit representing the n-th Information Element. A bit set to value 1 indicates that the corresponding Information Element is a Flow Key of the reported Flow. A bit set to value 0 indicates that this is not the case.

If the Data Record contains more than 64 Information Elements, the corresponding Template SHOULD be designed such that all Flow Keys are among the first 64 Information Elements, because the flowKeyIndicator only contains 64 bits. If the Data Record contains less than 64 Information Elements, then the bits in the flowKeyIndicator for which no corresponding Information Element exists MUST have the value 0.

The total number of IPFIX Messages that the Exporting Process has sent since the Exporting Process (re-)initialization to a particular Collecting Process. The reported number excludes the IPFIX Message that carries the counter value. If this Information Element is sent to a particular Collecting Process, then by default it specifies the number of IPFIX Messages sent to this Collecting Process.

Units: messages

The total number of octets that the Exporting Process has sent since the Exporting Process (re-)initialization to a particular Collecting Process. The value of this Information Element is calculated by summing up the IPFIX Message Header length values of all IPFIX Messages that were successfully sent to the Collecting Process. The reported number excludes octets in the IPFIX Message that carries the counter value. If this Information Element is sent to a particular Collecting Process, then by default it specifies the number of octets sent to this Collecting Process.

Units: octets

The total number of Flow Records that the Exporting Process has sent as Data Records since the Exporting Process (re-)initialization to a particular Collecting Process. The reported number excludes Flow Records in the IPFIX Message that carries the counter value. If this Information Element is sent to a particular Collecting Process, then by default it specifies the number of Flow Records sent to this process.

Units: flows

The total number of Flows observed in the Observation Domain since the Metering Process (re-)initialization for this Observation Point.

Units: flows

The total number of observed IP packets that the Metering Process did not process since the (re-)initialization of the Metering Process.

Units: packets

The total number of octets in observed IP packets (including the IP header) that the Metering Process did not process since the (re-)initialization of the Metering Process.

Units: octets

The total number of Flow Records that were generated by the Metering Process and dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process. There are several potential reasons for this including resource shortage and special Flow export policies.

Units: flows

The total number of packets in Flow Records that were generated by the Metering Process and dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process. There are several potential reasons for this including resource shortage and special Flow export policies.

Units: packets

The total number of octets in packets in Flow Records that were generated by the Metering Process and dropped by the Metering Process or by the Exporting Process instead of being sent to the Collecting Process. There are several potential reasons for this including resource shortage and special Flow export policies.

Units: octets

The IP version field in the IP packet header.

See RFC 791 for the definition of the version field in the IPv4 packet header. See RFC 2460 for the definition of the version field in the IPv6 packet header. Additional information on defined version numbers can be found at http://www.iana.org/assignments/version-numbers.

The IPv4 source address in the IP packet header.

See RFC 791 for the definition of the IPv4 source address field.

The IPv6 source address in the IP packet header.

See RFC 2460 for the definition of the Source Address field in the IPv6 header.

The number of contiguous bits that are relevant in the sourceIPv4Prefix Information Element.

Units: bits
Range: 0-32

The number of contiguous bits that are relevant in the sourceIPv6Prefix Information Element.

Units: bits
Range: 0-128

IPv4 source address prefix.

IPv6 source address prefix.

The IPv4 destination address in the IP packet header.

See RFC 791 for the definition of the IPv4 destination address field.

The IPv6 destination address in the IP packet header.

See RFC 2460 for the definition of the Destination Address field in the IPv6 header.

The number of contiguous bits that are relevant in the destinationIPv4Prefix Information Element.

Units: bits
Range: 0-32

The number of contiguous bits that are relevant in the destinationIPv6Prefix Information Element.

Units: bits
Range: 0-128

IPv4 destination address prefix.

IPv6 destination address prefix.

For IPv4, the value of the Information Element matches the value of the Time to Live (TTL) field in the IPv4 packet header. For IPv6, the value of the Information Element matches the value of the Hop Limit field in the IPv6 packet header.

See RFC 791 for the definition of the IPv4 Time to Live field. See RFC 2460 for the definition of the IPv6 Hop Limit field.

Units: hops

The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.

In Internet Protocol version 4 (IPv4), this is carried in the Protocol field. In Internet Protocol version 6 (IPv6), this is carried in the Next Header field in the last extension header of the packet.

See RFC 791 for the specification of the IPv4 protocol field. See RFC 2460 for the specification of the IPv6 protocol field. See the list of protocol numbers assigned by IANA at http://www.iana.org/assignments/protocol-numbers.

The value of the Next Header field of the IPv6 header. The value identifies the type of the following IPv6 extension header or of the following IP payload.
Valid values are defined in the IANA Protocol Numbers registry.

See RFC 2460 for the definition of the IPv6 Next Header field. See the list of protocol numbers assigned by IANA at http://www.iana.org/assignments/protocol-numbers.

The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field. The Differentiated Services field spans the most significant 6 bits of the IPv4 TOS field or the IPv6 Traffic Class field, respectively.

This Information Element encodes only the 6 bits of the Differentiated Services field. Therefore, its value may range from 0 to 63.

See RFC 3260 for the definition of the Differentiated Services field. See RFC 1812 (Section 5.3.2) and RFC 791 for the definition of the IPv4 TOS field. See RFC 2460 for the definition of the IPv6 Traffic Class field.

Range: 0-63

The value of the IP Precedence. The IP Precedence value is encoded in the first 3 bits of the IPv4 TOS field or the IPv6 Traffic Class field, respectively.

This Information Element encodes only these 3 bits. Therefore, its value may range from 0 to 7.

See RFC 1812 (Section 5.3.3) and RFC 791 for the definition of the IP Precedence. See RFC 1812 (Section 5.3.2) and RFC 791 for the definition of the IPv4 TOS field. See RFC 2460 for the definition of the IPv6 Traffic Class field.

Range: 0-7

For IPv4 packets, this is the value of the TOS field in the IPv4 packet header. For IPv6 packets, this is the value of the Traffic Class field in the IPv6 packet header.

See RFC 1812 (Section 5.3.2) and RFC 791 for the definition of the IPv4 TOS field.
See RFC 2460 for the definition of the IPv6 Traffic Class field.

The definition of this Information Element is identical to the definition of Information Element 'ipClassOfService', except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point.

See RFC 791 for the definition of the IPv4 TOS field. See RFC 2460 for the definition of the IPv6 Traffic Class field. See RFC 3234 for the definition of middleboxes.

The value of the IPv6 Flow Label field in the IP packet header.

See RFC 2460 for the definition of the Flow Label field in the IPv6 packet header.

If the IP destination address is not a reserved multicast address, then the value of all bits of the octet (including the reserved ones) is zero.

The first bit of this octet is set to 1 if the Version field of the IP header has the value 4 and if the Destination Address field contains a reserved multicast address in the range from 224.0.0.0 to 239.255.255.255. Otherwise, this bit is set to 0.

The second and third bits of this octet are reserved for future use.

The remaining bits of the octet are only set to values other than zero if the IP Destination Address is a reserved IPv6 multicast address. Then the fourth bit of the octet is set to the value of the T flag in the IPv6 multicast address and the remaining four bits are set to the value of the scope field in the IPv6 multicast address.

      0      1      2      3      4      5      6      7
   +------+------+------+------+------+------+------+------+
   |   IPv6 multicast scope    |  T   | RES. | RES. | MCv4 |
   +------+------+------+------+------+------+------+------+

   Bit 0:    set to 1 if IPv4 multicast
   Bits 1-2: reserved for future use
   Bit 4:    set to value of T flag, if IPv6 multicast
   Bits 4-7: set to value of multicast scope if IPv6 multicast

See RFC 1112 for the specification of reserved IPv4 multicast addresses. See RFC 4291 for the specification of reserved IPv6 multicast addresses and the definition of the T flag and the IPv6 multicast scope.

The value of the Identification field in the IPv4 packet header or in the IPv6 Fragment header, respectively. The value is 0 for IPv6 if there is no fragment header.

See RFC 791 for the definition of the IPv4 Identification field. See RFC 2460 for the definition of the Identification field in the IPv6 Fragment header.

The value of the IP fragment offset field in the IPv4 packet header or the IPv6 Fragment header, respectively. The value is 0 for IPv6 if there is no fragment header.

See RFC 791 for the specification of the fragment offset in the IPv4 header. See RFC 2460 for the specification of the fragment offset in the IPv6 Fragment header.

Fragmentation properties indicated by flags in the IPv4 packet header or the IPv6 Fragment header, respectively.

   Bit 0:    (RS) Reserved.
             The value of this bit MUST be 0 until specified
             otherwise.
   Bit 1:    (DF) 0 = May Fragment, 1 = Don't Fragment.
             Corresponds to the value of the DF flag in the
             IPv4 header. Will always be 0 for IPv6 unless
             a "don't fragment" feature is introduced to IPv6.
   Bit 2:    (MF) 0 = Last Fragment, 1 = More Fragments.
             Corresponds to the MF flag in the IPv4 header
             or to the M flag in the IPv6 Fragment header,
             respectively. The value is 0 for IPv6 if there
             is no fragment header.
   Bits 3-7: (DC) Don't Care.
             The values of these bits are irrelevant.

     0   1   2   3   4   5   6   7
   +---+---+---+---+---+---+---+---+
   | R | D | M | D | D | D | D | D |
   | S | F | F | C | C | C | C | C |
   +---+---+---+---+---+---+---+---+

See RFC 791 for the specification of the IPv4 fragment flags. See RFC 2460 for the specification of the IPv6 Fragment header.

The length of the IP header. For IPv6, the value of this Information Element is 40.

See RFC 791 for the specification of the IPv4 header. See RFC 2460 for the specification of the IPv6 header.

Units: octets

The value of the Internet Header Length (IHL) field in the IPv4 header. It specifies the length of the header in units of 4 octets. Please note that its unit is different from most of the other Information Elements reporting length values.

See RFC 791 for the specification of the IPv4 header.

Units: 4 octets

The total length of the IPv4 packet.

See RFC 791 for the specification of the IPv4 total length.

Units: octets

The total length of the IP packet.

See RFC 791 for the specification of the IPv4 total length. See RFC 2460 for the specification of the IPv6 payload length. See RFC 2675 for the specification of the IPv6 jumbo payload length.

Units: octets

This Information Element reports the value of the Payload Length field in the IPv6 header. Note that IPv6 extension headers belong to the payload.
Also note that in case of a jumbo payload option the value of the Payload Length field in the IPv6 header is zero and so will be the value reported by this Information Element.

See RFC 2460 for the specification of the IPv6 payload length. See RFC 2675 for the specification of the IPv6 jumbo payload option.

Units: octets

The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. This field MAY also be used for future transport protocols that have 16-bit source port identifiers.

See RFC 768 for the definition of the UDP source port field. See RFC 793 for the definition of the TCP source port field. See RFC 4960 for the definition of SCTP.

Additional information on defined UDP and TCP port numbers can be found at http://www.iana.org/assignments/port-numbers.

The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. This field MAY also be used for future transport protocols that have 16-bit destination port identifiers.

See RFC 768 for the definition of the UDP destination port field. See RFC 793 for the definition of the TCP destination port field. See RFC 4960 for the definition of SCTP.

Additional information on defined UDP and TCP port numbers can be found at http://www.iana.org/assignments/port-numbers.

The source port identifier in the UDP header.

See RFC 768 for the definition of the UDP source port field.
Additional information on defined UDP port numbers can be found at http://www.iana.org/assignments/port-numbers.

The destination port identifier in the UDP header.

See RFC 768 for the definition of the UDP destination port field. Additional information on defined UDP port numbers can be found at http://www.iana.org/assignments/port-numbers.

The value of the Length field in the UDP header.

See RFC 768 for the specification of the UDP header.

Units: octets

The source port identifier in the TCP header.

See RFC 793 for the definition of the TCP source port field. Additional information on defined TCP port numbers can be found at http://www.iana.org/assignments/port-numbers.

The destination port identifier in the TCP header.

See RFC 793 for the definition of the TCP destination port field. Additional information on defined TCP port numbers can be found at http://www.iana.org/assignments/port-numbers.

The sequence number in the TCP header.

See RFC 793 for the definition of the TCP sequence number.

The acknowledgement number in the TCP header.

See RFC 793 for the definition of the TCP acknowledgement number.

The window field in the TCP header. If the TCP window scale is supported, then TCP window scale must be known to fully interpret the value of this information.

See RFC 793 for the definition of the TCP window field. See RFC 1323 for the definition of the TCP window scale.

The scale of the window field in the TCP header.

See RFC 1323 for the definition of the TCP window scale.

The urgent pointer in the TCP header.

See RFC 793 for the definition of the TCP urgent pointer.

The length of the TCP header. Note that the value of this Information Element is different from the value of the Data Offset field in the TCP header. The Data Offset field indicates the length of the TCP header in units of 4 octets. This Information Element specifies the length of the TCP header in units of octets.

See RFC 793 for the definition of the TCP header.

Units: octets

Type and Code of the IPv4 ICMP message. The combination of both values is reported as (ICMP type * 256) + ICMP code.

See RFC 792 for the definition of the IPv4 ICMP type and code fields.

Type of the IPv4 ICMP message.

See RFC 792 for the definition of the IPv4 ICMP type field.

Code of the IPv4 ICMP message.

See RFC 792 for the definition of the IPv4 ICMP code field.

Type and Code of the IPv6 ICMP message. The combination of both values is reported as (ICMP type * 256) + ICMP code.

See RFC 4443 for the definition of the IPv6 ICMP type and code fields.

Type of the IPv6 ICMP message.

See RFC 4443 for the definition of the IPv6 ICMP type field.

Code of the IPv6 ICMP message.

See RFC 4443 for the definition of the IPv6 ICMP code field.

The type field of the IGMP message.

See RFC 3376 for the definition of the IGMP type field.

The IEEE 802 source MAC address field.

See IEEE.802-3.2002.

The definition of this Information Element is identical to the definition of Information Element 'sourceMacAddress', except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point.

See IEEE.802-3.2002.

The IEEE 802.1Q VLAN identifier (VID) extracted from the Tag Control Information field that was attached to the IP packet.

See IEEE.802-1Q.2003.

The definition of this Information Element is identical to the definition of Information Element 'vlanId', except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point.

See IEEE.802-1Q.2003.

The IEEE 802 destination MAC address field.

See IEEE.802-3.2002.

The definition of this Information Element is identical to the definition of Information Element 'destinationMacAddress', except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point.

See IEEE.802-3.2002.

The identifier of the 802.11 (Wi-Fi) channel used.

See IEEE.802-11.1999.

The Service Set IDentifier (SSID) identifying an 802.11 (Wi-Fi) network used. According to IEEE.802-11.1999, the SSID is encoded into a string of up to 32 characters.

See IEEE.802-11.1999.

The TTL field from the top MPLS label stack entry, i.e., the last label that was pushed.

See RFC 3032 for the specification of the TTL field.

Units: hops

The Exp field from the top MPLS label stack entry, i.e., the last label that was pushed.

   Bits 0-4: Don't Care, value is irrelevant.
   Bits 5-7: MPLS Exp field.

     0   1   2   3   4   5   6   7
   +---+---+---+---+---+---+---+---+
   |     don't care    |    Exp    |
   +---+---+---+---+---+---+---+---+

See RFC 3032 for the specification of the Exp field. See RFC 3270 for usage of the Exp field.

The definition of this Information Element is identical to the definition of Information Element 'mplsTopLabelExp', except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point.

See RFC 3032 for the specification of the Exp field. See RFC 3270 for usage of the Exp field.

The number of labels in the MPLS label stack.

See RFC 3032 for the specification of the MPLS label stack.

Units: label stack entries

The length of the MPLS label stack in units of octets.

See RFC 3032 for the specification of the MPLS label stack.

Units: octets

The size of the MPLS packet without the label stack.

See RFC 3031 for the specification of MPLS packets. See RFC 3032 for the specification of the MPLS label stack.

Units: octets

The Label, Exp, and S fields from the top MPLS label stack entry, i.e., from the last label that was pushed.

The size of this Information Element is 3 octets.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Label                  | Exp |S|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Label:  Label Value, 20 bits
   Exp:    Experimental Use, 3 bits
   S:      Bottom of Stack, 1 bit

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsTopLabelStackSection. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection2. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection3. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection4. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.
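
The 3-octet Label/Exp/S layout and the one-octet Exp layout described above, as an added example that is not part of the draft: a Python decoder plus the consistency checks a collector can run on a received record before trusting its MPLS fields. The function names, the constructed sample octets, and the 4-octet on-the-wire entry size (RFC 3032: the three octets above plus an 8-bit TTL) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

SECTION_OCTETS = 3     # size the draft states for every label stack section element
WIRE_ENTRY_OCTETS = 4  # assumption from RFC 3032: the 3 octets above plus an 8-bit TTL


@dataclass(frozen=True)
class Section:
    label: int    # Label Value, 20 bits
    exp: int      # Experimental Use, 3 bits
    bottom: bool  # S, Bottom of Stack, 1 bit


def decode_section(raw: bytes) -> Section:
    """Split one 3-octet label stack section into Label, Exp and S."""
    if len(raw) != SECTION_OCTETS:
        raise ValueError(f"label stack section must be 3 octets, got {len(raw)}")
    # Bit 0 in the draft's diagram is the most significant bit of the first octet.
    value = int.from_bytes(raw, "big")
    return Section(label=value >> 4, exp=(value >> 1) & 0x7, bottom=bool(value & 0x1))


def exp_from_octet(octet: int) -> int:
    """Exp from the one-octet layout: bits 0-4 are don't care, bits 5-7 are Exp."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("expected a single octet")
    return octet & 0x07


def check_record(sections: Sequence[bytes],
                 top_label_exp: Optional[int] = None,
                 stack_depth: Optional[int] = None,
                 stack_length: Optional[int] = None) -> List[str]:
    """Return inconsistencies found in one record's MPLS fields.

    sections     -- label stack sections, top of stack first
    top_label_exp -- the one-octet Exp element for the top label, if exported
    stack_depth  -- number of labels in the stack, if exported
    stack_length -- length of the stack in octets, if exported
    """
    findings: List[str] = []
    decoded = [decode_section(raw) for raw in sections]

    # Position (1-based) of the first section whose S bit is set, if any.
    bottom_at = next((i for i, s in enumerate(decoded, start=1) if s.bottom), None)

    if bottom_at is not None and bottom_at != len(decoded):
        findings.append(
            f"S set at section {bottom_at} but {len(decoded) - bottom_at} deeper section(s) reported")

    if stack_depth is not None:
        if bottom_at is not None and stack_depth != bottom_at:
            findings.append(f"depth {stack_depth} disagrees with S bit at section {bottom_at}")
        if bottom_at is None and decoded and stack_depth <= len(decoded):
            findings.append(f"depth {stack_depth} but no reported section has S set")

    if stack_depth is not None and stack_length is not None:
        if stack_length != WIRE_ENTRY_OCTETS * stack_depth:
            findings.append(
                f"length {stack_length} octets does not match {stack_depth} entries of "
                f"{WIRE_ENTRY_OCTETS} octets")

    if top_label_exp is not None and decoded:
        if exp_from_octet(top_label_exp) != decoded[0].exp:
            findings.append("Exp octet disagrees with Exp bits of the top label stack section")

    return findings


if __name__ == "__main__":
    # Constructed sample: label 16 / Exp 5 / S=0 on top of label 100 / Exp 3 / S=1.
    record = [bytes.fromhex("00010a"), bytes.fromhex("000647")]
    for raw in record:
        print(raw.hex(), decode_section(raw))
    print(check_record(record, top_label_exp=0x05, stack_depth=2, stack_length=8))
    # Same sections in the wrong order: the bottom-of-stack bit appears too early.
    print(check_record(list(reversed(record))))
```
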

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection5. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection6. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection7. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection8. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The Label, Exp, and S fields from the label stack entry that
was pushed immediately before the label stack entry that would
be reported by mplsLabelStackSection9. See the definition of
mplsTopLabelStackSection for further details.

The size of this Information Element is 3 octets.

See RFC 3032.

The effective length of the IP payload.

For IPv4 packets, the value of this Information Element is
the difference between the total length of the IPv4 packet
(as reported by Information Element totalLengthIPv4) and the
length of the IPv4 header (as reported by Information Element
headerLengthIPv4).

For IPv6, the value of the Payload Length field
in the IPv6 header is reported except in the case that
the value of this field is zero and that there is a valid
jumbo payload option. In this case, the value of the
Jumbo Payload Length field in the jumbo payload option
is reported.

See RFC 791 for the specification of
IPv4 packets.
See RFC 2460 for the specification of the
IPv6 payload length.
See RFC 2675 for the specification of the
IPv6 jumbo payload length.

octets

The IPv4 address of the next IPv4 hop.

The IPv6 address of the next IPv6 hop.

The autonomous system (AS) number of the source IP address.
If AS path information for this Flow is only available as
an unordered AS set (and not as an ordered AS sequence),
then the value of this Information Element is 0.

See RFC 4271 for a description of BGP-4, and see RFC 1930
for the definition of the AS number.

The autonomous system (AS) number of the destination IP
address. If AS path information for this Flow is only
available as an unordered AS set (and not as an ordered AS
sequence), then the value of this Information Element is 0.

See RFC 4271 for a description of BGP-4, and see RFC 1930 for
the definition of the AS number.

The autonomous system (AS) number of the first AS in the AS
path to the destination IP address.
The path is deduced
by looking up the destination IP address of the Flow in the
BGP routing information base. If AS path information for
this Flow is only available as an unordered AS set (and not
as an ordered AS sequence), then the value of this Information
Element is 0.

See RFC 4271 for a description of BGP-4, and
see RFC 1930 for the definition of the AS number.

The autonomous system (AS) number of the last AS in the AS
path from the source IP address. The path is deduced
by looking up the source IP address of the Flow in the BGP
routing information base. If AS path information for this
Flow is only available as an unordered AS set (and not as
an ordered AS sequence), then the value of this Information
Element is 0. In case of BGP asymmetry, the
bgpPrevAdjacentAsNumber might not be able to report the correct
value.

See RFC 4271 for a description of BGP-4, and
see RFC 1930 for the definition of the AS number.

The IPv4 address of the next (adjacent) BGP hop.

See RFC 4271 for a description of BGP-4.

The IPv6 address of the next (adjacent) BGP hop.

See RFC 4271 for a description of BGP-4.

This field identifies the control protocol that allocated the
top-of-stack label. Initial values for this field are
listed below. Further values may be assigned by IANA in
the MPLS label type registry.

- 0x01 TE-MIDPT: Any TE tunnel mid-point or tail label
- 0x02 Pseudowire: Any PWE3 or Cisco AToM based label
- 0x03 VPN: Any label associated with VPN
- 0x04 BGP: Any label associated with BGP or BGP routing
- 0x05 LDP: Any label associated with dynamically assigned
  labels using LDP

See RFC 3031 for the MPLS label structure.
See RFC 4364 for the association of MPLS labels
with Virtual Private Networks (VPNs).
See RFC 4271 for BGP and BGP routing.
See RFC 5036 for Label Distribution Protocol (LDP).
See the list of MPLS label types assigned by IANA at
http://www.iana.org/assignments/mpls-label-values.

The IPv4 address of the system that the MPLS top label will
cause this Flow to be forwarded to.

See RFC 3031 for the association between
MPLS labels and IP addresses.

The IPv6 address of the system that the MPLS top label will
cause this Flow to be forwarded to.

See RFC 3031 for the association between
MPLS labels and IP addresses.

The value of the VPN route distinguisher of a corresponding
entry in a VPN routing and forwarding table. Route
distinguisher ensures that the same address can be used in
several different MPLS VPNs and that it is possible for BGP to
carry several completely different routes to that address, one
for each VPN. According to RFC 4364, the size of
mplsVpnRouteDistinguisher is 8 octets. However, in RFC 4382 an
octet string with flexible length was chosen for representing a
VPN route distinguisher by object MplsL3VpnRouteDistinguisher.
This choice was made in order to be open to future changes of
the size. This idea was adopted when choosing octetArray as
abstract data type for this Information Element.
The maximum
length of this Information Element is 256 octets.

See RFC 4364 for the specification of the route
distinguisher. See RFC 4382 for the specification
of the MPLS/BGP Layer 3 Virtual Private Network (VPN)
Management Information Base.

Length of the smallest packet observed for this Flow.
The packet length includes the IP header(s) length and
the IP payload length.

See RFC 791 for the specification of the
IPv4 total length.
See RFC 2460 for the specification of the
IPv6 payload length.
See RFC 2675 for the specification of the
IPv6 jumbo payload length.

octets

Length of the largest packet observed for this Flow.
The packet length includes the IP header(s) length and
the IP payload length.

See RFC 791 for the specification of the
IPv4 total length.
See RFC 2460 for the specification of the
IPv6 payload length.
See RFC 2675 for the specification of the
IPv6 jumbo payload length.

octets

Minimum TTL value observed for any packet in this Flow.

See RFC 791 for the definition of the IPv4
Time to Live field.
See RFC 2460 for the definition of the IPv6
Hop Limit field.

hops

Maximum TTL value observed for any packet in this Flow.

See RFC 791 for the definition of the IPv4
Time to Live field.
See RFC 2460 for the definition of the IPv6
Hop Limit field.

hops

IPv4 options in packets of this Flow.
The information is encoded in a set of bit fields. For
each valid IPv4 option type, there is a bit in this set.
The bit is set to 1 if any observed packet of this Flow
contains the corresponding IPv4 option type.
Otherwise,
if no observed packet of this Flow contained the
respective IPv4 option type, the value of the
corresponding bit is 0.

The list of valid IPv4 options is maintained by IANA.
Note that for identifying an option not just the 5-bit
Option Number, but all 8 bits of the Option Type need to
match one of the IPv4 options specified at
http://www.iana.org/assignments/ip-parameters.

Options are mapped to bits according to their option numbers.
Option number X is mapped to bit X.
The mapping is illustrated by the figure below.

       0      1      2      3      4      5      6      7
    +------+------+------+------+------+------+------+------+
    |      | EXP  |   to be assigned by IANA  |  QS  | UMP  | ...
    +------+------+------+------+------+------+------+------+

       8      9     10     11     12     13     14     15
    +------+------+------+------+------+------+------+------+
... | DPS  |NSAPA | SDB  |RTRALT|ADDEXT|  TR  | EIP  |IMITD | ...
    +------+------+------+------+------+------+------+------+

      16     17     18     19     20     21     22     23
    +------+------+------+------+------+------+------+------+
... |ENCODE| VISA | FINN | MTUR | MTUP | ZSU  | SSR  | SID  | ...
    +------+------+------+------+------+------+------+------+

      24     25     26     27     28     29     30     31
    +------+------+------+------+------+------+------+------+
... |  RR  |CIPSO |E-SEC |  TS  | LSR  | SEC  | NOP  | EOOL |
    +------+------+------+------+------+------+------+------+

        Type   Option
    Bit Value  Name    Reference
    ---+-----+-------+------------------------------------
     0     0   EOOL    End of Options List, RFC 791
     1     1   NOP     No Operation, RFC 791
     2   130   SEC     Security, RFC 1108
     3   131   LSR     Loose Source Route, RFC 791
     4    68   TS      Time Stamp, RFC 791
     5   133   E-SEC   Extended Security, RFC 1108
     6   134   CIPSO   Commercial Security
     7     7   RR      Record Route, RFC 791
     8   136   SID     Stream ID, RFC 791
     9   137   SSR     Strict Source Route, RFC 791
    10    10   ZSU     Experimental Measurement
    11    11   MTUP    (obsoleted) MTU Probe, RFC 1191
    12    12   MTUR    (obsoleted) MTU Reply, RFC 1191
    13   205   FINN    Experimental Flow Control
    14   142   VISA    Experimental Access Control
    15    15   ENCODE
    16   144   IMITD   IMI Traffic Descriptor
    17   145   EIP     Extended Internet Protocol, RFC 1385
    18    82   TR      Traceroute, RFC 3193
    19   147   ADDEXT  Address Extension
    20   148   RTRALT  Router Alert, RFC 2113
    21   149   SDB     Selective Directed Broadcast
    22   150   NSAPA   NSAP Address
    23   151   DPS     Dynamic Packet State
    24   152   UMP     Upstream Multicast Pkt.
    25    25   QS      Quick-Start
    30    30   EXP     RFC3692-style Experiment
    30    94   EXP     RFC3692-style Experiment
    30   158   EXP     RFC3692-style Experiment
    30   222   EXP     RFC3692-style Experiment
    ...  ...   ...     Further options numbers
                       may be assigned by IANA

See RFC 791 for the definition of IPv4 options.
See the list of IPv4 option numbers assigned by IANA
at http://www.iana.org/assignments/ip-parameters.

IPv6 extension headers observed in packets of this Flow.
The information is encoded in a set of bit fields. For
each IPv6 option header, there is a bit in this set.
The bit is set to 1 if any observed packet of this Flow
contains the corresponding IPv6 extension header.
Otherwise, if no observed packet of this Flow contained
the respective IPv6 extension header, the value of the
corresponding bit is 0.

       0     1     2     3     4     5     6     7
    +-----+-----+-----+-----+-----+-----+-----+-----+
    |                   Reserved                    | ...
    +-----+-----+-----+-----+-----+-----+-----+-----+

       8     9    10    11    12    13    14    15
    +-----+-----+-----+-----+-----+-----+-----+-----+
... |                   Reserved                    | ...
    +-----+-----+-----+-----+-----+-----+-----+-----+

      16    17    18    19    20    21    22    23
    +-----+-----+-----+-----+-----+-----+-----+-----+
... |           Reserved          | ESP | AH  | PAY | ...
    +-----+-----+-----+-----+-----+-----+-----+-----+

      24    25    26    27    28    29    30    31
    +-----+-----+-----+-----+-----+-----+-----+-----+
... | DST | HOP | Res | UNK | FRA0| RH  | FRA1| Res |
    +-----+-----+-----+-----+-----+-----+-----+-----+

    Bit    IPv6 Option   Description
    0, Res               Reserved
    1, FRA1     44       Fragmentation header - not first fragment
    2, RH       43       Routing header
    3, FRA0     44       Fragment header - first fragment
    4, UNK               Unknown Layer 4 header
                         (compressed, encrypted, not supported)
    5, Res               Reserved
    6, HOP       0       Hop-by-hop option header
    7, DST      60       Destination option header
    8, PAY     108       Payload compression header
    9, AH       51       Authentication Header
    10, ESP     50       Encrypted security payload
    11 to 31             Reserved

See RFC 2460 for the general definition of
IPv6 extension headers and for the specification of
the hop-by-hop options header, the routing header,
the fragment header, and the destination options header.
See RFC 4302 for the specification of the
authentication header.
See RFC 4303 for the specification of the
encapsulating security payload.

TCP control bits observed for packets of this Flow.
The information is encoded in a set of bit fields.
For each TCP control bit, there is a bit in this
set.
A bit is set to 1 if any observed packet of this
Flow has the corresponding TCP control bit set to 1.
A value of 0 for a bit indicates that the corresponding
bit was not set in any of the observed packets
of this Flow.

      0     1     2     3     4     5     6     7
    +-----+-----+-----+-----+-----+-----+-----+-----+
    |  Reserved | URG | ACK | PSH | RST | SYN | FIN |
    +-----+-----+-----+-----+-----+-----+-----+-----+

    Reserved: Reserved for future use by TCP. Must be zero.
    URG:      Urgent Pointer field significant
    ACK:      Acknowledgment field significant
    PSH:      Push Function
    RST:      Reset the connection
    SYN:      Synchronize sequence numbers
    FIN:      No more data from sender

See RFC 793 for the definition of
the TCP control bits in the TCP header.

TCP options in packets of this Flow.
The information is encoded in a set of bit fields. For
each TCP option, there is a bit in this set.
The bit is set to 1 if any observed packet of this Flow
contains the corresponding TCP option.
Otherwise, if no observed packet of this Flow contained
the respective TCP option, the value of the
corresponding bit is 0.

Options are mapped to bits according to their option
numbers. Option number X is mapped to bit X.
TCP option numbers are maintained by IANA.

       0     1     2     3     4     5     6     7
    +-----+-----+-----+-----+-----+-----+-----+-----+
    |  63 |  62 |  61 |  60 |  59 |  58 |  57 |  56 | ...
    +-----+-----+-----+-----+-----+-----+-----+-----+

       8     9    10    11    12    13    14    15
    +-----+-----+-----+-----+-----+-----+-----+-----+
... |  55 |  54 |  53 |  52 |  51 |  50 |  49 |  48 | ...
    +-----+-----+-----+-----+-----+-----+-----+-----+

      16    17    18    19    20    21    22    23
    +-----+-----+-----+-----+-----+-----+-----+-----+
... |  47 |  46 |  45 |  44 |  43 |  42 |  41 |  40 | ...
    +-----+-----+-----+-----+-----+-----+-----+-----+

                          . . .

      56    57    58    59    60    61    62    63
    +-----+-----+-----+-----+-----+-----+-----+-----+
... |   7 |   6 |   5 |   4 |   3 |   2 |   1 |   0 |
    +-----+-----+-----+-----+-----+-----+-----+-----+

See RFC 793 for the definition of TCP options.
See the list of TCP option numbers assigned by IANA
at http://www.iana.org/assignments/tcp-parameters.

The absolute timestamp of the first packet of this Flow.

seconds

The absolute timestamp of the last packet of this Flow.

seconds

The absolute timestamp of the first packet of this Flow.

milliseconds

The absolute timestamp of the last packet of this Flow.

milliseconds

The absolute timestamp of the first packet of this Flow.

microseconds

The absolute timestamp of the last packet of this Flow.

microseconds

The absolute timestamp of the first packet of this Flow.

nanoseconds

The absolute timestamp of the last packet of this Flow.

nanoseconds

This is a relative timestamp only valid within the scope
of a single IPFIX Message. It contains the negative time
offset of the first observed packet of this Flow relative
to the export time specified in the IPFIX Message Header.

See the IPFIX protocol specification [RFC5101] for the
definition of the IPFIX Message Header.

microseconds

This is a relative timestamp only valid within the scope
of a single IPFIX Message. It contains the negative time
offset of the last observed packet of this Flow relative
to the export time specified in the IPFIX Message Header.

See the IPFIX protocol specification [RFC5101] for the
definition of the IPFIX Message Header.

microseconds

The absolute timestamp of the last (re-)initialization of the
IPFIX Device.

milliseconds

The relative timestamp of the first packet of this Flow.
It indicates the number of milliseconds since the
last (re-)initialization of the IPFIX Device (sysUpTime).

milliseconds

The relative timestamp of the last packet of this Flow.
It indicates the number of milliseconds since the
last (re-)initialization of the IPFIX Device (sysUpTime).

milliseconds

The number of octets since the previous report (if any)
in incoming packets for this Flow at the Observation Point.
The number of octets includes IP header(s) and IP payload.

octets

The definition of this Information Element is identical
to the definition of Information Element
'octetDeltaCount', except that it reports a
potentially modified value caused by a middlebox
function after the packet passed the Observation Point.

octets

The sum of the squared numbers of octets per incoming
packet since the previous report (if any) for this
Flow at the Observation Point.
The number of octets includes IP header(s) and IP payload.

The total number of octets in incoming packets
for this Flow at the Observation Point since the Metering
Process (re-)initialization for this Observation Point. The
number of octets includes IP header(s) and IP payload.

octets

The definition of this Information Element is identical
to the definition of Information Element
'octetTotalCount', except that it reports a
potentially modified value caused by a middlebox
function after the packet passed the Observation Point.

octets

The total sum of the squared numbers of octets in incoming
packets for this Flow at the Observation Point since the
Metering Process (re-)initialization for this Observation
Point. The number of octets includes IP header(s) and IP
payload.

octets

The number of incoming packets since the previous report
(if any) for this Flow at the Observation Point.

packets

The definition of this Information Element is identical
to the definition of Information Element
'packetDeltaCount', except that it reports a
potentially modified value caused by a middlebox
function after the packet passed the Observation Point.

packets

The total number of incoming packets for this Flow
at the Observation Point since the Metering Process
(re-)initialization for this Observation Point.

packets

The definition of this Information Element is identical
to the definition of Information Element
'packetTotalCount', except that it reports a
potentially modified value caused by a middlebox
function after the packet passed the Observation Point.

packets

The number of octets since the previous report (if any)
in packets of this Flow dropped by packet treatment.
The number of octets includes IP header(s) and IP payload.

octets

The number of packets since the previous report (if any)
of this Flow dropped by packet treatment.

packets

The total number of octets in packets of this Flow dropped
by packet treatment since the Metering Process
(re-)initialization for this Observation Point.
The number of octets includes IP header(s) and IP payload.

octets

The number of packets of this Flow dropped by packet
treatment since the Metering Process
(re-)initialization for this Observation Point.

packets

The number of outgoing multicast packets since the
previous report (if any) sent for packets of this Flow
by a multicast daemon within the Observation Domain.
This property cannot necessarily be observed at the
Observation Point, but may be retrieved by other means.

packets

The number of octets since the previous report (if any)
in outgoing multicast packets sent for packets of this
Flow by a multicast daemon within the Observation Domain.
This property cannot necessarily be observed at the
Observation Point, but may be retrieved by other means.
The number of octets includes IP header(s) and IP payload.

octets

The total number of outgoing multicast packets sent for
packets of this Flow by a multicast daemon within the
Observation Domain since the Metering Process
(re-)initialization. This property cannot necessarily
be observed at the Observation Point, but may be retrieved
by other means.

packets

The total number of octets in outgoing multicast packets
sent for packets of this Flow by a multicast daemon in the
Observation Domain since the Metering Process
(re-)initialization. This property cannot necessarily be
observed at the Observation Point, but may be retrieved by
other means.
The number of octets includes IP header(s) and IP payload.

octets

The total number of packets of this Flow with
TCP "Synchronize sequence numbers" (SYN) flag set.

See RFC 793 for the definition of the TCP SYN flag.

packets

The total number of packets of this Flow with
TCP "No more data from sender" (FIN) flag set.

See RFC 793 for the definition of the TCP FIN flag.

packets

The total number of packets of this Flow with
TCP "Reset the connection" (RST) flag set.

See RFC 793 for the definition of the TCP RST flag.

packets

The total number of packets of this Flow with
TCP "Push Function" (PSH) flag set.

See RFC 793 for the definition of the TCP PSH flag.

packets

The total number of packets of this Flow with
TCP "Acknowledgment field significant" (ACK) flag set.

See RFC 793 for the definition of the TCP ACK flag.

packets

The total number of packets of this Flow with
TCP "Urgent Pointer field significant" (URG) flag set.

See RFC 793 for the definition of the TCP URG flag.

packets

The number of seconds after which an active Flow is timed out
anyway, even if there is still a continuous flow of packets.

seconds

A Flow is considered to be timed out if no packets belonging
to the Flow have been observed for the number of seconds
specified by this field.

seconds

The reason for Flow termination. The range of values includes
the following:

   0x01: idle timeout
      The Flow was terminated because it was considered to be
      idle.
   0x02: active timeout
      The Flow was terminated for reporting purposes while it was
      still active, for example, after the maximum lifetime of
      unreported Flows was reached.
   0x03: end of Flow detected
      The Flow was terminated because the Metering Process
      detected signals indicating the end of the Flow,
      for example, the TCP FIN flag.
   0x04: forced end
      The Flow was terminated because of some external event,
      for example, a shutdown of the Metering Process initiated
      by a network management application.
   0x05: lack of resources
      The Flow was terminated because of lack of resources
      available to the Metering Process and/or the Exporting
      Process.

The difference in time between the first observed packet
of this Flow and the last observed packet of this Flow.

milliseconds

The difference in time between the first observed packet
of this Flow and the last observed packet of this Flow.

microseconds

The direction of the Flow observed at the Observation
Point. There are only two values defined.

   0x00: ingress flow
   0x01: egress flow

The value of this Information Element is always a sequence of
0x00 values.

Appendix B. XML Specification of Abstract Data Types

This appendix contains a machine-readable description of the abstract
data types to be used for IPFIX Information Elements and a
machine-readable description of the template used for defining IPFIX
Information Elements. Note that this appendix is of informational
nature, while the text in Sections 2 and 3 (generated from this
appendix) is normative.

At the same time, this appendix is also an XML schema that was used
for creating the XML specification of Information Elements in
Appendix A.
It may also be used for specifying further Information
Elements in extensions of the IPFIX information model. This schema
and its namespace are registered by IANA at
http://www.iana.org/assignments/xml-registry/schema/ipfix.xsd.

The type "unsigned8" represents a
non-negative integer value in the range of 0 to 255.

The type "unsigned16" represents a
non-negative integer value in the range of 0 to 65535.

The type "unsigned32" represents a
non-negative integer value in the range of 0 to
4294967295.

The type "unsigned64" represents a
non-negative integer value in the range of 0 to
18446744073709551615.

The type "signed8" represents
an integer value in the range of -128 to 127.

The type "signed16" represents an
integer value in the range of -32768 to 32767.

The type "signed32" represents an
integer value in the range of -2147483648 to
2147483647.

The type "signed64" represents an
integer value in the range of -9223372036854775808
to 9223372036854775807.

The type "float32" corresponds to an IEEE
single-precision 32-bit floating point type as defined
in [IEEE.754.1985].

The type "float64" corresponds to an IEEE
double-precision 64-bit floating point type as defined
in [IEEE.754.1985].

The type "boolean" represents a binary
value. The only allowed values are "true" and "false".

The type "macAddress" represents a
string of 6 octets.

The type "octetArray" represents a
finite-length string of octets.
7534 The type "string" represents a finite-length string
7535 of valid characters from the Unicode character encoding
7536 set [ISO.10646-1.1993]. Unicode allows for ASCII
7537 [ISO.646.1991] and many other international character
7538 sets to be used.

7545 The type "dateTimeSeconds" represents a time value
7546 in units of seconds based on coordinated universal time
7547 (UTC). The choice of an epoch, for example, 00:00 UTC,
7548 January 1, 1970, is left to corresponding encoding
7549 specifications for this type, for example, the IPFIX
7550 protocol specification. Leap seconds are excluded.
7551 Note that transformation of values might be required
7552 between different encodings if different epoch values
7553 are used.

7560 The type "dateTimeMilliseconds" represents
7561 a time value in units of milliseconds
7562 based on coordinated universal time (UTC).
7563 The choice of an epoch, for example, 00:00 UTC,
7564 January 1, 1970, is left to corresponding encoding
7565 specifications for this type, for example, the IPFIX
7566 protocol specification. Leap seconds are excluded.
7567 Note that transformation of values might be required
7568 between different encodings if different epoch values
7569 are used.

7576 The type "dateTimeMicroseconds" represents
7577 a time value in units of microseconds
7578 based on coordinated universal time (UTC).
7579 The choice of an epoch, for example, 00:00 UTC,
7580 January 1, 1970, is left to corresponding encoding
7581 specifications for this type, for example, the IPFIX
7582 protocol specification. Leap seconds are excluded.
7583 Note that transformation of values might be required
7584 between different encodings if different epoch values
7585 are used.

7591 The type "dateTimeNanoseconds" represents
7592 a time value in units of nanoseconds
7593 based on coordinated universal time (UTC).
7594 The choice of an epoch, for example, 00:00 UTC,
7595 January 1, 1970, is left to corresponding encoding
7596 specifications for this type, for example, the IPFIX
7597 protocol specification. Leap seconds are excluded.
7598 Note that transformation of values might be required
7599 between different encodings if different epoch values
7600 are used.

7607 The type "ipv4Address" represents a value
7608 of an IPv4 address.

7614 The type "ipv6Address" represents a value
7615 of an IPv6 address.

7627 A quantity value represents a discrete
7628 measured value pertaining to the record. This is
7629 distinguished from counters that represent an ongoing
7630 measured value whose "odometer" reading is captured as
7631 part of a given record. If no semantic qualifier is
7632 given, the Information Elements that have an integral
7633 data type should behave as a quantity.

7640 An integral value reporting the value of a counter.
7641 Counters are unsigned and wrap back to zero after
7642 reaching the limit of the type. For example, an
7643 unsigned64 with counter semantics will continue to
7644 increment until reaching the value of 2**64 - 1. At
7645 this point, the next increment will wrap its value to
7646 zero and continue counting from zero. The semantics
7647 of a total counter is similar to the semantics of
7648 counters used in SNMP, such as Counter32 defined in
7649 RFC 2578 [RFC2578]. The only difference between total
7650 counters and counters used in SNMP is that the total
7651 counters have an initial value of 0. A total counter
7652 counts independently of the export of its value.

7660 An integral value reporting the value of a counter.
7661 Counters are unsigned and wrap back to zero after
7662 reaching the limit of the type.
For example, an
7663 unsigned64 with counter semantics will continue to
7664 increment until reaching the value of 2**64 - 1. At
7665 this point, the next increment will wrap its value to
7666 zero and continue counting from zero. The semantics
7667 of a delta counter is similar to the semantics of
7668 counters used in SNMP, such as Counter32 defined in
7669 RFC 2578 [RFC2578]. The only difference between delta
7670 counters and counters used in SNMP is that the delta
7671 counters have an initial value of 0. A delta counter
7672 is reset to 0 each time its value is exported.

7680 An integral value that serves as an identifier.
7681 Specifically, mathematical operations on two
7682 identifiers (aside from the equality operation) are
7683 meaningless. For example, Autonomous System ID 1 *
7684 Autonomous System ID 2 is meaningless.

7693 An integral value that actually represents a set of
7694 bit fields. Logical operations are appropriate on
7695 such values, but not other mathematical operations.
7696 Flags should always be of an unsigned type.

7708 Used for Information Elements that are applicable to
7709 Flow Records only.

7717 Used for Information Elements that are applicable to
7718 option records only.

7726 Used for Information Elements that are applicable to
7727 Flow Records as well as to option records.

7738 Indicates that the Information Element definition
7739 is current and valid.

7747 Indicates that the Information Element definition is
7748 obsolete, but it permits new/continued implementation
7749 in order to foster interoperability with older/existing
7750 implementations.
7757 Indicates that the Information Element definition is
7758 obsolete and should not be implemented and/or can be
7759 removed if previously implemented.

7802 The semantics of this Information Element.
7803 Describes how this Information Element is
7804 derived from the Flow or other information
7805 available to the observer.

7814 Identifies additional specifications that more
7815 precisely define this item or provide additional
7816 context for its use.

7825 If the Information Element is a measure of some
7826 kind, the units identify what the measure is.

7836 Some Information Elements may only be able to
7837 take on a restricted set of values that can be
7838 expressed as a range (e.g., 0 through 511
7839 inclusive). If this is the case, the valid
7840 inclusive range should be specified.

7849 A unique and meaningful name for the Information
7850 Element.

7859 One of the types listed in Section 3.1 of this
7860 document or in a future extension of the
7861 information model. The type space for attributes
7862 is constrained to facilitate implementation. The
7863 existing type space does however encompass most
7864 basic types used in modern programming languages,
7865 as well as some derived types (such as ipv4Address)
7866 that are common to this domain and useful
7867 to distinguish.

7876 The integral types may be qualified by additional
7877 semantic details. Valid values for the data type
7878 semantics are specified in Section 3.2 of this
7879 document or in a future extension of the
7880 information model.
7889 A numeric identifier of the Information Element.
7890 If this identifier is used without an enterprise
7891 identifier (see [RFC5101] and
7892 enterpriseId below), then it is globally unique
7893 and the list of allowed values is administered by
7894 IANA. It is used for compact identification of an
7895 Information Element when encoding Templates in the
7896 protocol.

7905 Enterprises may wish to define Information Elements
7906 without registering them with IANA, for example,
7907 for enterprise-internal purposes. For such
7908 Information Elements, the Information Element
7909 identifier described above is not sufficient when
7910 the Information Element is used outside the
7911 enterprise. If specifications of
7912 enterprise-specific Information Elements are made
7913 public and/or if enterprise-specific identifiers
7914 are used by the IPFIX protocol outside the
7915 enterprise, then the enterprise-specific
7916 identifier MUST be made globally unique by
7917 combining it with an enterprise identifier.
7918 Valid values for the enterpriseId are
7919 defined by IANA as Structure of Management
7920 Information (SMI) network management private
7921 enterprise codes. They are defined at
7922 http://www.iana.org/assignments/enterprise-numbers.

7930 This property of an Information
7931 Element indicates in which kind of records the
7932 Information Element can be used.
7933 Allowed values for this property are 'data',
7934 'option', and 'all'.

7943 The status of the specification of this
7944 Information Element. Allowed values are 'current',
7945 'deprecated', and 'obsolete'.

7952 to be done ...
7969 Authors' Addresses

7971 Juergen Quittek
7972 NEC
7973 Kurfuersten-Anlage 36
7974 Heidelberg 69115
7975 Germany

7977 Phone: +49 6221 90511-15
7978 EMail: quittek@nw.neclab.eu
7979 URI: http://www.neclab.eu/

7981 Stewart Bryant
7982 Cisco Systems, Inc.
7983 250, Longwater Ave., Green Park
7984 Reading RG2 6GB
7985 United Kingdom

7987 EMail: stbryant@cisco.com

7989 Benoit Claise
7990 Cisco Systems, Inc.
7991 De Kleetlaan 6a b1
7992 Diegem 1831
7993 Belgium

7995 Phone: +32 2 704 5622
7996 EMail: bclaise@cisco.com

7998 Paul Aitken
7999 Cisco Systems, Inc.
8000 96 Commercial Quay
8001 Edinburgh EH6 6LX
8002 Scotland

8004 Phone: +44 131 561 3616
8005 EMail: paitken@cisco.com

8007 Jeff Meyer
8008 PayPal
8009 2211 N. First St.
8010 San Jose, CA 95131-2021
8011 US

8013 Phone: +1 408 976-9149
8014 EMail: jemeyer@paypal.com
8015 URI: http://www.paypal.com
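
Added example, not part of the draft: a collector-side sketch of the totalCounter and deltaCounter semantics described in Appendix B, turning successive exported values into per-interval amounts, including a wrap to zero. The function names and the sample readings are assumptions constructed for illustration.

```python
# Bit widths of the unsigned abstract data types named in Appendix B.
WIDTH_BITS = {"unsigned8": 8, "unsigned16": 16, "unsigned32": 32, "unsigned64": 64}


def interval_amount(semantics, data_type, previous, current):
    """Return the amount counted between two successive exports.

    semantics: "deltaCounter" or "totalCounter" (hypothetical string keys).
    previous:  last exported value, or None for the first record seen.
    """
    if data_type not in WIDTH_BITS:
        raise ValueError("counters are unsigned: %r" % (data_type,))
    modulus = 1 << WIDTH_BITS[data_type]
    for value in (current, previous):
        if value is not None and not 0 <= value < modulus:
            raise ValueError("value out of range for %s" % data_type)
    if semantics == "deltaCounter":
        # Reset to 0 at every export, so the value already is the interval.
        return current
    if semantics == "totalCounter":
        if previous is None:
            # Total counters start at 0: the first reading is the amount so far.
            return current
        # Modular subtraction stays correct across one wrap back to zero.
        return (current - previous) % modulus
    raise ValueError("not a counter semantics: %r" % (semantics,))


def interval_series(semantics, data_type, readings):
    """Turn successive exported values into a list of per-interval amounts."""
    amounts, previous = [], None
    for value in readings:
        amounts.append(interval_amount(semantics, data_type, previous, value))
        previous = value
    return amounts


# Constructed sample: an unsigned32 total counter that wraps between exports.
SAMPLE_TOTAL = [4294967000, 4294967290, 200]
# Constructed sample: the same traffic reported with delta counter semantics.
SAMPLE_DELTA = [4294967000, 290, 206]

if __name__ == "__main__":
    print(interval_series("totalCounter", "unsigned32", SAMPLE_TOTAL))
    print(interval_series("deltaCounter", "unsigned32", SAMPLE_DELTA))
```

A total counter reading lower than the previous one is treated here as a single wrap; more than one wrap between two exports cannot be recovered from the values alone.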