Required fields

Most flow-enabled devices use a set of static templates to which exported flows conform.

If flow packets do not include the following field types and appropriate values, SolarWinds NTA ignores the packets.

Requirements

  • The template must include all mandatory fields.
  • Where multiple elements are in a group, at least one of them must be included.
  • Optional fields are processed into flows if present. If not present, a default value is used.

Mandatory fields for the flow template schema

Mandatory fields are required. If a mandatory field, or at least one field from a group, is not included, SolarWinds NTA cannot store flows.

Field Type Field Type Number Description
Protocol 4 Layer 4 protocol
SourceAddress 8 Source IP address
DestAddress 12 Destination IP address

Interfaces Group

At least one of the following fields must be included in the template:

InterfaceRx 10 SNMP ingress interface index
InterfaceTx 14 SNMP egress interface index

Bytes Group

At least one of the following fields must be included in the template:

Bytes 1 Delta bytes
Bytes 85 Total bytes
OutBytes 23 Out bytes
InitiatorOctets 231 Initiator bytes
ResponderOctets 232 Responder bytes

Optional fields for the flow template schema

If the following fields are not included in the template, a default value will be stored. Appropriate resources will thus show No Data.

Field Type Field Type Number Description
ToS 5 Type of service
SourceAS 16 Source BGP autonomous system number
DestAS 17 Destination BGP autonomous system number
PeerSrcAS 129 Peer source autonomous system number
PeerDstAS 128 Peer destination autonomous system number
ApplicationID 95 ID of application detected in NBAR2 flow

Source Port Group

At least one of the following fields should be included in the template:

SourcePort 7 Source TCP/UDP port
UdpSrcPort 180 Source UDP port
TcpSrcPort 182 Source TCP port

Destination Port Group

At least one of the following fields should be included in the template:

DestPort 11 Destination TCP/UDP port
UdpDstPort 181 Destination UDP port
TcpDstPort 183 Destination TCP port

Packets Group

At least one of the following fields should be included in the template. If no field is included, resources will show 0 in the packets column.

Packets 2 Delta packets
Packets 86 Total packets
OutPackets 24 Out packets
InitiatorPackets 298 Total packets in a flow from the device that triggered the session and remains the same for the life of the session
ResponderPackets 299 Total packets from the device which replies to the initiator

Long Flow Detection

At least one of the following field pairs should be included in the template for long-flow detection. For example, if the template includes LastSwitched, it must also include FirstSwitched.

LastSwitched 21 System uptime at which the last packet of this flow was switched
FirstSwitched 22 System uptime at which the first packet of this flow was switched
FlowStartSeconds 150 Time in seconds that the flow started
FlowEndSeconds 151 Time in seconds that the flow ended
FlowStartMilliseconds 152 Time in milliseconds that the flow started
FlowEndMilliseconds 153 Time in milliseconds that the flow ended
FlowStartMicroseconds 154 Time in microseconds that the flow started
FlowEndMicroseconds 155 Time in microseconds that the flow ended
FlowStartNanoseconds 156 Time in nanoseconds that the flow started
FlowEndNanoseconds 157 Time in nanoseconds that the flow ended
FlowStartDeltaMicroseconds 158 Sets the start delta of the flow
FlowEndDeltaMicroseconds 159 Sets the end delta of the flow
FlowDurationMilliseconds 161 Elapsed time in milliseconds of the flow
FlowDurationMicroseconds 162 Elapsed time in microseconds of the flow

Cisco WLC Flows

The following fields must be included for Cisco Wireless devices.

Bytes 1 Total bytes
Packets 2 Total packets
FlowDirection 61 Direction of the flow, defined as ingress or egress
ApplicationID 95 ID of application detected in flow
PostIPDiffServCodePoint 98 The definition of this Information Element is identical to 'ipDiffServCodePoint', except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point.

WlanSSID 147 Service Set Identifier or name of the WLAN the wireless device is connected to
IPDiffServCodePoint 195 Value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field. The Differentiated Services field is the most significant six bits of the IPv4 TOS field or the IPv6 Traffic Class field. The value may range from 0 to 63 for this Information Element, which encodes only the 6 bits of the Differentiated Services field.

WirelessStationMacAddress 365 MAC address of a wireless device
WirelessStationAddressIPv4 366 IPv4 address of a wireless device
WirelessAPMacAddress 367 MAC address of a wireless access point

Cisco ASA devices

The following fields must be included for processing flows from Cisco ASA devices.

FlowID 148 An identifier of a flow that is unique within an observation domain
FirewallEvent 233 Indicates a firewall event

Notes

  • If SolarWinds states that SolarWinds NTA supports flow monitoring for a device, at least one of the templates that the device exports satisfies these requirements.
  • The NetFlow v9 specification indicates that templates may be configurable on a device-by-device basis. However, most devices have a set of static templates to which exported flows conform. When SolarWinds states that a device is supported by SolarWinds NTA, SolarWinds has determined that at least one of the templates the device is capable of exporting will satisfy the SolarWinds NTA requirements. For more information, search for NetFlow version 9 flow record format on www.cisco.com.
  • Cisco 4500 series switches do not provide information for the TCP_FLAGS field (field type number 6) corresponding to a count of all TCP flags seen in the related flow.
  • Cisco Adaptive Security Appliances (ASA) are capable of providing flow data using a limited template based on the NetFlow v5 template.
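
The mandatory and optional group rules above can be checked against the templates a device actually exports, so that silently ignored flows do not become a monitoring blind spot. The following is an added example, not SolarWinds code: it parses a NetFlow v9 template FlowSet and applies the field type numbers listed on this page. The function names and the sample templates are constructed for illustration, and the long-flow, Cisco WLC and Cisco ASA field lists are not checked.

```python
import struct
# Field type numbers copied from the tables on this page.
MANDATORY = {4: "Protocol", 8: "SourceAddress", 12: "DestAddress"}
MANDATORY_GROUPS = {"Interfaces": {10, 14}, "Bytes": {1, 85, 23, 231, 232}}
OPTIONAL_GROUPS = {"Source Port": {7, 180, 182}, "Destination Port": {11, 181, 183},
                   "Packets": {2, 86, 24, 298, 299}}

def parse_template_flowset(data):
    """Return {template_id: [field type numbers]} from a NetFlow v9 template FlowSet."""
    flowset_id, length = struct.unpack_from("!HH", data, 0)
    if flowset_id != 0 or length < 4 or length > len(data):
        raise ValueError("not a complete NetFlow v9 template FlowSet")
    templates, offset = {}, 4
    while offset + 4 <= length:
        template_id, field_count = struct.unpack_from("!HH", data, offset)
        offset += 4
        if template_id < 256:  # template IDs start at 256; anything lower is padding
            break
        if offset + 4 * field_count > length:
            raise ValueError("template %d is truncated" % template_id)
        pairs = struct.unpack_from("!" + "HH" * field_count, data, offset)
        templates[template_id] = list(pairs[0::2])  # keep types, drop lengths
        offset += 4 * field_count
    return templates

def check_template(field_types):
    """Return (stored, missing_mandatory, optional_groups_left_at_default)."""
    present = set(field_types)
    missing = [name for num, name in MANDATORY.items() if num not in present]
    missing += [g + " group" for g, nums in MANDATORY_GROUPS.items() if not nums & present]
    defaults = [g for g, nums in OPTIONAL_GROUPS.items() if not nums & present]
    return (not missing, missing, defaults)

def build_flowset(templates):
    """Pack {id: [(type, length), ...]} into a template FlowSet (sample-input helper)."""
    body = b"".join(struct.pack("!HH", tid, len(fields))
                    + b"".join(struct.pack("!HH", t, n) for t, n in fields)
                    for tid, fields in templates.items())
    return struct.pack("!HH", 0, 4 + len(body)) + body

# Constructed sample: template 256 is complete; 257 lacks DestAddress and any Bytes field.
SAMPLE = build_flowset({
    256: [(8, 4), (12, 4), (4, 1), (10, 4), (1, 4), (2, 4), (7, 2), (11, 2)],
    257: [(8, 4), (4, 1), (14, 4), (2, 4)],
})

if __name__ == "__main__":
    print({t: check_template(f) for t, f in parse_template_flowset(SAMPLE).items()})
```

A device meets the requirements when at least one of its templates returns `stored` as true; the third element lists optional groups for which a default value would be stored.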
 
Last modified
07:50, 10 Apr 2017
