Question

While analyzing NetFlow V9, I am able to get most of the field ids correctly along with their values, as defined in

http://www.iana.org/assignments/ipfix/ipfix.xml

but I am getting 40000, 40001, 40002, ... instead of 224, 225, 226, ... for NAT fields; however, the values for each field I retrieved are correct.

I am certain that all fields' ids and values are correctly obtained. I don't know what the real problem is. I tried with conversion from host to network byte order and vice versa using

field_type = socket.ntohs(struct.unpack('H', template_data[a:b])[0])

P.S. I used a Cisco router for NetFlow v9.


Solution

Cisco doesn't use IPFIX, but NetFlow v9. Although IPFIX is derived from Cisco's NetFlow v9 specification, there are some differences. One of them is that IPFIX allows for per-vendor namespaces in the field type numbers using the PrivateEnterpriseNumber. NetFlow v9 does not have such a facility, therefore vendors have to arbitrarily choose a range of numbers to report their custom fields on and hope no one else picks the same range. In this case, I'm guessing you're getting your NetFlow tickets from a Cisco ASA, which indeed uses a number of fields in the range of 40000-40005.

There is a document called 'Cisco ASA 5500 Series Implementation Note for NetFlow Collectors, 8.3' which describes those fields.
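As an added example (not code from the question or the answer), here is a small parser for a NetFlow v9 template FlowSet that reads field types in network byte order and flags those that fall outside the IANA element space; the sample bytes are constructed, and the 40000-40005 range is the Cisco ASA range named in the answer above.

```python
import struct

# Constructed sample, not captured from a real exporter: one NetFlow v9
# template FlowSet (FlowSet ID 0) defining template 256 with three fields,
# IPV4_SRC_ADDR (8), IPV4_DST_ADDR (12) and a vendor-private type 40001.
TEMPLATE_FLOWSET = (
    struct.pack('!HH', 0, 4 + 4 + 3 * 4)   # FlowSet ID 0 = template, total length
    + struct.pack('!HH', 256, 3)           # template ID, field count
    + struct.pack('!HH', 8, 4)
    + struct.pack('!HH', 12, 4)
    + struct.pack('!HH', 40001, 4)
)

# Cisco ASA private range taken from the answer (assumed inclusive).
ASA_PRIVATE_RANGE = range(40000, 40006)


def parse_v9_template_flowset(data):
    """Return {template_id: [(field_type, field_length), ...]} from a template FlowSet.
    NetFlow v9 integers are big-endian on the wire, so '!' is used directly
    instead of native unpacking followed by ntohs()."""
    flowset_id, length = struct.unpack('!HH', data[:4])
    if flowset_id != 0:
        raise ValueError('not a template FlowSet: id %d' % flowset_id)
    if length < 4 or length > len(data):
        raise ValueError('bad FlowSet length %d' % length)
    templates = {}
    offset = 4
    while offset + 4 <= length:
        template_id, field_count = struct.unpack('!HH', data[offset:offset + 4])
        offset += 4
        if template_id < 256:          # IDs below 256 are reserved: treat as padding
            break
        fields = []
        for _ in range(field_count):
            if offset + 4 > length:
                raise ValueError('template %d truncated' % template_id)
            fields.append(struct.unpack('!HH', data[offset:offset + 4]))
            offset += 4
        templates[template_id] = fields
    return templates


def classify_field(field_type):
    """IPFIX element IDs are 15-bit (0..32767); anything above that in a v9
    template is a vendor choice that must be resolved per exporter model."""
    if field_type in ASA_PRIVATE_RANGE:
        return 'cisco-asa-private'
    if field_type < 32768:
        return 'iana'
    return 'vendor-private'
```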

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow