simonemainardi
commented
3 years ago
- Can NetFlow / ipfix fields exported by switch be configured?
Depends on the device and on the NetFlow version. V5 is not configurable. V9 / IPFIX are. Check the configuration of the device.
- Can all the fields in nprobe -T be obtained from NetFlow V9 / ipfix? Because I want to get some fields in the nprobe - t template, but I'm not sure whether the corresponding fields can be exported in the switch.
You can see all the fields supported by nProbe with NetFlow / IPFIX mappings if you type nprobe -H (capital H). Example:
ID NetFlow Label IPFIX Label Description
-------------------------------------------------------------------------------
[ 1][Len 4] %IN_BYTES %octetDeltaCount Incoming flow bytes (src->dst) [Aliased to %SRC_TO_DST_BYTES]
[ 2][Len 4] %IN_PKTS %packetDeltaCount Incoming flow packets (src->dst) [Aliased to %SRC_TO_DST_PKTS]
[ 4][Len 1] %PROTOCOL %protocolIdentifier IP protocol byte
[NFv9 58500][IPFIX 35632.1028][Len 16] %PROTOCOL_MAP IP protocol name
[ 5][Len 1] %SRC_TOS %ipClassOfService TOS/DSCP (src->dst)
[ 6][Len 1] %TCP_FLAGS %tcpControlBits Cumulative of all flow TCP flags
[ 7][Len 2] %L4_SRC_PORT %sourceTransportPort IPv4 source port
[NFv9 58503][IPFIX 35632.1031][Len 16] %L4_SRC_PORT_MAP Layer 4 source port symbolic name
[ 8][Len 4] %IPV4_SRC_ADDR %sourceIPv4Address IPv4 source address
If I export NetFlow / ipfix to nprobe by switch, then export nprobe flows to elasticsearch