NetFlow Tables

The following section describes the various NetFlow tables. Also, this section describes in detail the IPFX with extensions tables that are exported when the SonicWALL is configured to report flows.

Topics:
Static Tables
Dynamic Tables
Templates
NetFlow Version 5
NetFlow Version 9
IPFIX (NetFlow Version 10)
IPFIX with Extensions

Static Tables

Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. The following is a list of Static IPFIX tables that may be exported:
Applications Map—Reports all applications the firewall identifies, including various Attributes, Signature IDs, App IDs, Category Names, and Category IDs.
Viruses Map—Reports all viruses detected by the firewall.
Spyware Map—Reports all spyware detected by the firewall.
Intrusions Map—Reports all intrusions detected by the firewall.
Location Map—Represents SonicWALL’s location map describing the list of countries and regions with their IDs.
Services Map—Represents SonicWALL’s list of Services with Port Numbers, Protocol Type, Range of Port Numbers, and Names.
Rating Map—Represents SonicWALL’s list of Rating IDs and the Name of the Rating Type.
Table Layout Map—Reports SonicWALL’s list of tables to be exported, including Table ID and Table Names.
Column Map—Represents SonicWALL’s list of columns to be reported with Name, Type Size, and IPFIX Standard Equivalents for each column of every table.

Dynamic Tables

Unlike Static tables, the data of Dynamic tables change over time and are sent repeatedly, based on the activity of the firewall. The columns of these tables grow over time, with the exception of a few tables containing statistics or utilization reports. The following is a list of Dynamic IPFIX tables that may be exported:
Connections—Reports SonicWALL connections. The same flow tables can be reported multiple times by configuring triggers.
Users—Reports users logging in to the firewall via LDAP/RADIUS, Local, or SSO.
URLs—Reports URLs accessed through the firewall.
URL ratings—Reports Rating IDs for all URLs accessed through the firewall.
VPNs—Reports all VPN tunnels established through the firewall.
Devices—Reports the list of all devices connected through the firewall, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
SPAMs—Reports all email exchanges through the SPAM service.
Locations—Reports the Locations and Domain Names of an IP address.
VoIPs—Reports all VoIP/H323 calls through the firewall.

Templates

The following section shows examples of the type of Netflow template tables that are exported. You can perform a Diagnostic Report of your own Netflow Configuration by navigating to the System > Diagnostics screen, and click the Download Report button in the Tech Support Report section.

Topics:
NetFlow Version 5
NetFlow Version 9
IPFIX (NetFlow Version 10)
IPFIX with Extensions
NetFlow Version 5

The NetFlow version 5 datagram consists of a header and one or more flow records, using UDP to send export datagrams. The first field of the header contains the version number of the export datagram. The second field in the header contains the number of records in the datagram, which can be used to search through the records. Because NetFlow version 5 is a fixed datagram, no templates are available, and will follow the format of the tables listed below.

 

Table 103. NetFlow version 5 header format

Bytes

Contents

Description

0-1

version

NetFlow export format version number

2-3

count

Number of flows exported in this packet (1-30)

4-7

SysUptime

Current time in milliseconds since the export device booted

8-11

unix_secs

Current count of seconds since 0000 UTC 1970

12-15

unix_nsecs

Residual nanoseconds since 0000 UTC 1970

16-19

flow_sequence

Sequence counter of total flows seen

20

engine_type

Type of flow-switching engine

20

engine_id

Slot number of the flow-switching engine

22-23

sampling_interval

First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval
 

Table 104. Netflow version 5 record format

Bytes

Contents

Description

0-3

srcaddr

Source IP address

4-7

dstaddr

Destination IP address

8-11

nexthop

IP address of the next hop router

12-13

input

SNMP index of input interface

14-15

output

SNMP index of output interface

10-19

dPkts

Packets in the flow

20-23

dOctets

Total number of Layer 3 bytes in the packets of the flow

24-27

First

SysUptime at start of flow

28-31

Last

SysUptime at the time the last packet of the flow was received

32-33

srcport

TCP/UDP source port number or equivalent

34-35

dstport

TCP/UDP destination port number or equivalent

36

pad1

Unused (zero) bytes

37

tcp_flags

Cumulative OR of TCP flags

38

prot

IP protocol type (for example, TCP=6; UDP=17)

39

tos

IP type of service (ToS)

40-41

src_as

Autonomous system number of the source, either origin or peer

42-43

dst_as

Autonomous system number of the destination, either origin or peer

44

src_mask

Source address prefix mask bits

45

dst_mask

Destination address prefix mask bits

46-47

pad2

Unused (zero) bytes
NetFlow Version 9

An example of a NetFlow version 9 template is displayed below.

The following table details the NetFlow version 9 Template FlowSet field descriptions.

 

Table 105. Netflow version 9 template FlowSet fields

Field Name

Description

Template ID

The firewall generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.

Name

The name of the NetFlow template.

Number of Elements

The amount of fields listed in the NetFlow template.

Total Length

The total length in bytes of all reported fields in the NetFlow template.

Field Type

The field type is a numeric value that represents the type of field. Note that values of the field type may be vendor specific.

Field bytes

The length of the specific Field Type, in bytes.

IPFIX (NetFlow Version 10)

An example of an IPFIX (NetFlow version 10) template.

The following table details the IPFIX Template FlowSet Field Descriptions.

 

Table 106. IPFIX template FlowSet fields

Field Name

Description

Template ID

The firewall generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.

Name

The name of the NetFlow template.

Number of Elements

The amount of fields listed in the NetFlow template.

Total Length

The total length in bytes of all reported fields in the NetFlow template.

Field Type

The field type is a numeric value that represents the type of field. Note that values of the field type may be vendor specific.

Field bytes

The length of the specific Field Type, in bytes.

IPFIX with Extensions

IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWALL IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs.

* 
NOTE: The SonicWALL Specific Enterprise ID (EntID) is defined as 8741.

The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.

The following template is an example of an IPFIX with extensions template.