Flow Information Elements

The –T flag enabled users to specify the format of NetFlow v9/IPFIX flows. The format options currently supported by nProbe are those specified in the NetFlow v9 RFC, namely (in square brackets it is specified the field Id as defined in the RFC). As nProbe can be extended by means of plugins, further information elements can be defined based on plugin presence. Following is the exhaustive list of all options available.

ID   NetFlow Label               IPFIX Label                   Description
[  1] %IN_BYTES                   %octetDeltaCount                 Incoming flow bytes (src->dst)
[  2] %IN_PKTS                    %packetDeltaCount                Incoming flow packets (src->dst)
[  4] %PROTOCOL                   %protocolIdentifier              IP protocol byte
[58500] %PROTOCOL_MAP                                              IP protocol name
[  5] %SRC_TOS                    %ipClassOfService                TOS/DSCP (src->dst)
[  6] %TCP_FLAGS                  %tcpControlBits                  Cumulative of all flow TCP flags
[  7] %L4_SRC_PORT                %sourceTransportPort             IPv4 source port
[58503] %L4_SRC_PORT_MAP                                           Layer 4 source port symbolic name
[  8] %IPV4_SRC_ADDR              %sourceIPv4Address               IPv4 source address
[  9] %IPV4_SRC_MASK              %sourceIPv4PrefixLength          IPv4 source subnet mask (/<bits>)
[ 10] %INPUT_SNMP                 %ingressInterface                Input interface SNMP idx
[ 11] %L4_DST_PORT                %destinationTransportPort        IPv4 destination port
[58507] %L4_DST_PORT_MAP                                           Layer 4 destination port symbolic name
[58508] %L4_SRV_PORT                                               Layer 4 server port
[58509] %L4_SRV_PORT_MAP                                           Layer 4 server port symbolic name
[ 12] %IPV4_DST_ADDR              %destinationIPv4Address          IPv4 destination address
[ 13] %IPV4_DST_MASK              %destinationIPv4PrefixLength     IPv4 dest subnet mask (/<bits>)
[ 14] %OUTPUT_SNMP                %egressInterface                 Output interface SNMP idx
[ 15] %IPV4_NEXT_HOP              %ipNextHopIPv4Address            IPv4 next hop address
[ 16] %SRC_AS                     %bgpSourceAsNumber               Source BGP AS
[ 17] %DST_AS                     %bgpDestinationAsNumber          Destination BGP AS
[ 21] %LAST_SWITCHED              %flowEndSysUpTime                SysUptime (msec) of the last flow pkt
[ 22] %FIRST_SWITCHED             %flowStartSysUpTime              SysUptime (msec) of the first flow pkt
[ 23] %OUT_BYTES                  %postOctetDeltaCount             Outgoing flow bytes (dst->src)
[ 24] %OUT_PKTS                   %postPacketDeltaCount            Outgoing flow packets (dst->src)
[ 27] %IPV6_SRC_ADDR              %sourceIPv6Address               IPv6 source address
[ 28] %IPV6_DST_ADDR              %destinationIPv6Address          IPv6 destination address
[ 29] %IPV6_SRC_MASK              %sourceIPv6PrefixLength          IPv6 source mask
[ 30] %IPV6_DST_MASK              %destinationIPv6PrefixLength     IPv6 destination mask
[ 32] %ICMP_TYPE                  %icmpTypeCodeIPv4                ICMP Type * 256 + ICMP code
[ 34] %SAMPLING_INTERVAL                                           Sampling rate
[ 35] %SAMPLING_ALGORITHM                                          Sampling type (deterministic/random)
[ 36] %FLOW_ACTIVE_TIMEOUT        %flowActiveTimeout               Activity timeout of flow cache entries
[ 37] %FLOW_INACTIVE_TIMEOUT      %flowIdleTimeout                 Inactivity timeout of flow cache entries
[ 38] %ENGINE_TYPE                                                 Flow switching engine
[ 39] %ENGINE_ID                                                   Id of the flow switching engine
[ 40] %TOTAL_BYTES_EXP            %exportedOctetTotalCount         Total bytes exported
[ 41] %TOTAL_PKTS_EXP             %exportedMessageTotalCount       Total flow packets exported
[ 42] %TOTAL_FLOWS_EXP            %exportedFlowRecordTotalCount    Total number of exported flows
[ 52] %MIN_TTL                    %minimumTTL                      Min flow TTL
[ 53] %MAX_TTL                    %maximumTTL                      Max flow TTL
[ 55] %DST_TOS                    %ipClassOfService                TOS/DSCP (dst->src)
[ 56] %IN_SRC_MAC                 %sourceMacAddress                Source MAC Address
[ 58] %SRC_VLAN                   %vlanId                          Source VLAN (inner VLAN in QinQ)
[ 59] %DST_VLAN                   %postVlanId                      Destination VLAN (inner VLAN in QinQ)
[243] %DOT1Q_SRC_VLAN             %dot1qVlanId                     Source VLAN (outer VLAN in QinQ)
[254] %DOT1Q_DST_VLAN             %postdot1qVlanId                 Destination VLAN (outer VLAN in QinQ)
[ 60] %IP_PROTOCOL_VERSION        %ipVersion                       [4=IPv4][6=IPv6]
[ 61] %DIRECTION                  %flowDirection                   It indicates where a sample has been taken (always 0)
[ 62] %IPV6_NEXT_HOP              %ipNextHopIPv6Address            IPv6 next hop address
[ 70] %MPLS_LABEL_1               %mplsTopLabelStackSection        MPLS label at position 1
[ 71] %MPLS_LABEL_2               %mplsLabelStackSection2          MPLS label at position 2
[ 72] %MPLS_LABEL_3               %mplsLabelStackSection3          MPLS label at position 3
[ 73] %MPLS_LABEL_4               %mplsLabelStackSection4          MPLS label at position 4
[ 74] %MPLS_LABEL_5               %mplsLabelStackSection5          MPLS label at position 5
[ 75] %MPLS_LABEL_6               %mplsLabelStackSection6          MPLS label at position 6
[ 76] %MPLS_LABEL_7               %mplsLabelStackSection7          MPLS label at position 7
[ 77] %MPLS_LABEL_8               %mplsLabelStackSection8          MPLS label at position 8
[ 78] %MPLS_LABEL_9               %mplsLabelStackSection9          MPLS label at position 9
[ 79] %MPLS_LABEL_10              %mplsLabelStackSection10         MPLS label at position 10
[ 80] %OUT_DST_MAC                %destinationMacAddress           Destination MAC Address
[ 95] %APPLICATION_ID             %application_id                  Collected Application Id (Cisco or IXIA)
[102] %PACKET_SECTION_OFFSET                                       Packet section offset
[103] %SAMPLED_PACKET_SIZE                                         Sampled packet size
[104] %SAMPLED_PACKET_ID                                           Sampled packet id
[130] %EXPORTER_IPV4_ADDRESS      %exporterIPv4Address             Exporter IPv4 Address
[131] %EXPORTER_IPV6_ADDRESS      %exporterIPv6Address             Exporter IPv6 Address
[148] %FLOW_ID                    %flowId                          Serial Flow Identifier
[150] %FLOW_START_SEC             %flowStartSeconds                Seconds (epoch) of the first flow packet
[151] %FLOW_END_SEC               %flowEndSeconds                  Seconds (epoch) of the last flow packet
[152] %FLOW_START_MILLISECONDS    %flowStartMilliseconds           Msec (epoch) of the first flow packet
[153] %FLOW_END_MILLISECONDS      %flowEndMilliseconds             Msec (epoch) of the last flow packet
[239] %BIFLOW_DIRECTION           %biflow_direction                1=initiator, 2=reverseInitiator
[277] %OBSERVATION_POINT_TYPE                                      Observation point type
[300] %OBSERVATION_POINT_ID                                        Observation point id
[302] %SELECTOR_ID                                                 Selector id
[304] %IPFIX_SAMPLING_ALGORITHM                                    Sampling algorithm
[309] %SAMPLING_SIZE                                               Number of packets to sample
[310] %SAMPLING_POPULATION                                         Sampling population
[312] %FRAME_LENGTH                                                Original L2 frame length
[318] %PACKETS_OBSERVED                                            Tot number of packets seen
[319] %PACKETS_SELECTED                                            Number of pkts selected for sampling
[335] %SELECTOR_NAME                                               Sampler name
[57899] %APPLICATION_NAME                                          Palo Alto App-Id
[57900] %USER_NAME                                                 Palo Alto User-Id
[NFv9 57552][IPFIX 35632.80] %FRAGMENTS                    Number of fragmented flow packets
[NFv9 57595][IPFIX 35632.123] %CLIENT_NW_LATENCY_MS        Network RTT/2 client <-> nprobe (msec)
[NFv9 57596][IPFIX 35632.124] %SERVER_NW_LATENCY_MS        Network RTT/2 nprobe <-> server (msec)
[NFv9 57597][IPFIX 35632.125] %APPL_LATENCY_MS             Application latency (msec)
[NFv9 57560][IPFIX 35632.88] %NUM_PKTS_UP_TO_128_BYTES     # packets whose IP size <= 128
[NFv9 57561][IPFIX 35632.89] %NUM_PKTS_128_TO_256_BYTES    # packets whose IP size > 128 and <= 256
[NFv9 57562][IPFIX 35632.90] %NUM_PKTS_256_TO_512_BYTES    # packets whose IP size > 256 and < 512
[NFv9 57563][IPFIX 35632.91] %NUM_PKTS_512_TO_1024_BYTES   # packets whose IP size > 512 and < 1024
[NFv9 57564][IPFIX 35632.92] %NUM_PKTS_1024_TO_1514_BYTES  # packets whose IP size > 1024 and <= 1514
[NFv9 57565][IPFIX 35632.93] %NUM_PKTS_OVER_1514_BYTES     # packets whose IP size > 1514
[NFv9 57570][IPFIX 35632.98] %CUMULATIVE_ICMP_TYPE         Cumulative OR of ICMP type packets
[NFv9 57573][IPFIX 35632.101] %SRC_IP_COUNTRY              Country where the src IP is located
[NFv9 57574][IPFIX 35632.102] %SRC_IP_CITY                 City where the src IP is located
[NFv9 57575][IPFIX 35632.103] %DST_IP_COUNTRY              Country where the dst IP is located
[NFv9 57576][IPFIX 35632.104] %DST_IP_CITY                 City where the dst IP is located
[NFv9 57577][IPFIX 35632.105] %FLOW_PROTO_PORT             L7 port that identifies the flow protocol or 0 if unknown
[NFv9 57578][IPFIX 35632.106] %UPSTREAM_TUNNEL_ID          Upstream tunnel identifier (e.g. GTP TEID) or 0 if unknown
[NFv9 57918][IPFIX 35632.446] %UPSTREAM_SESSION_ID         Upstream session identifier (e.g. L2TP) or 0 if unknown
[NFv9 57579][IPFIX 35632.107] %LONGEST_FLOW_PKT            Longest packet (bytes) of the flow
[NFv9 57580][IPFIX 35632.108] %SHORTEST_FLOW_PKT           Shortest packet (bytes) of the flow
[NFv9 57599][IPFIX 35632.127] %RETRANSMITTED_IN_BYTES      Number of retransmitted TCP flow bytes (src->dst)
[NFv9 57581][IPFIX 35632.109] %RETRANSMITTED_IN_PKTS       Number of retransmitted TCP flow packets (src->dst)
[NFv9 57600][IPFIX 35632.128] %RETRANSMITTED_OUT_BYTES     Number of retransmitted TCP flow bytes (dst->src)
[NFv9 57582][IPFIX 35632.110] %RETRANSMITTED_OUT_PKTS      Number of retransmitted TCP flow packets (dst->src)
[NFv9 57583][IPFIX 35632.111] %OOORDER_IN_PKTS             Number of out of order TCP flow packets (dst->src)
[NFv9 57584][IPFIX 35632.112] %OOORDER_OUT_PKTS            Number of out of order TCP flow packets (src->dst)
[NFv9 57585][IPFIX 35632.113] %UNTUNNELED_PROTOCOL         Untunneled IP protocol byte
[NFv9 57586][IPFIX 35632.114] %UNTUNNELED_IPV4_SRC_ADDR    Untunneled IPv4 source address
[NFv9 57587][IPFIX 35632.115] %UNTUNNELED_L4_SRC_PORT      Untunneled IPv4 source port
[NFv9 57588][IPFIX 35632.116] %UNTUNNELED_IPV4_DST_ADDR    Untunneled IPv4 destination address
[NFv9 57589][IPFIX 35632.117] %UNTUNNELED_L4_DST_PORT      Untunneled IPv4 destination port
[NFv9 57590][IPFIX 35632.118] %L7_PROTO                    Layer 7 protocol (numeric)
[NFv9 57591][IPFIX 35632.119] %L7_PROTO_NAME               Layer 7 protocol name
[NFv9 57592][IPFIX 35632.120] %DOWNSTREAM_TUNNEL_ID        Downstream tunnel identifier (e.g. GTP TEID) or 0 if unknown
[NFv9 57919][IPFIX 35632.447] %DOWNSTREAM_SESSION_ID       Downstream session identifier (e.g. L2TP) or 0 if unknown
[NFv9 57593][IPFIX 35632.121] %FLOW_USER_NAME              Flow username of the tunnel (if known)
[NFv9 57594][IPFIX 35632.122] %FLOW_SERVER_NAME            Flow server name (if known)
[NFv9 57598][IPFIX 35632.126] %PLUGIN_NAME                 Plugin name used by this flow (if any)
[NFv9 57868][IPFIX 35632.396] %UNTUNNELED_IPV6_SRC_ADDR    Untunneled IPv6 source address
[NFv9 57869][IPFIX 35632.397] %UNTUNNELED_IPV6_DST_ADDR    Untunneled IPv6 destination address
[NFv9 57819][IPFIX 35632.347] %NUM_PKTS_TTL_EQ_1           # packets with TTL = 1
[NFv9 57818][IPFIX 35632.346] %NUM_PKTS_TTL_2_5            # packets with TTL > 1 and TTL <= 5
[NFv9 57806][IPFIX 35632.334] %NUM_PKTS_TTL_5_32           # packets with TTL > 5 and TTL <= 32
[NFv9 57807][IPFIX 35632.335] %NUM_PKTS_TTL_32_64          # packets with TTL > 32 and <= 64
[NFv9 57808][IPFIX 35632.336] %NUM_PKTS_TTL_64_96          # packets with TTL > 64 and <= 96
[NFv9 57809][IPFIX 35632.337] %NUM_PKTS_TTL_96_128         # packets with TTL > 96 and <= 128
[NFv9 57810][IPFIX 35632.338] %NUM_PKTS_TTL_128_160        # packets with TTL > 128 and <= 160
[NFv9 57811][IPFIX 35632.339] %NUM_PKTS_TTL_160_192        # packets with TTL > 160 and <= 192
[NFv9 57812][IPFIX 35632.340] %NUM_PKTS_TTL_192_224        # packets with TTL > 192 and <= 224
[NFv9 57813][IPFIX 35632.341] %NUM_PKTS_TTL_224_255        # packets with TTL > 224 and <= 255
[NFv9 57821][IPFIX 35632.349] %IN_SRC_OSI_SAP              OSI Source SAP (OSI Traffic Only)
[NFv9 57822][IPFIX 35632.350] %OUT_DST_OSI_SAP             OSI Destination SAP (OSI Traffic Only)
[NFv9 57863][IPFIX 35632.391] %DURATION_IN                 Client to Server stream duration (msec)
[NFv9 57864][IPFIX 35632.392] %DURATION_OUT                Client to Server stream duration (msec)
[NFv9 57887][IPFIX 35632.415] %TCP_WIN_MIN_IN              Min TCP Window (src->dst)
[NFv9 57888][IPFIX 35632.416] %TCP_WIN_MAX_IN              Max TCP Window (src->dst)
[NFv9 57889][IPFIX 35632.417] %TCP_WIN_MSS_IN              TCP Max Segment Size (src->dst)
[NFv9 57890][IPFIX 35632.418] %TCP_WIN_SCALE_IN            TCP Window Scale (src->dst)
[NFv9 57891][IPFIX 35632.419] %TCP_WIN_MIN_OUT             Min TCP Window (dst->src)
[NFv9 57892][IPFIX 35632.420] %TCP_WIN_MAX_OUT             Max TCP Window (dst->src)
[NFv9 57893][IPFIX 35632.421] %TCP_WIN_MSS_OUT             TCP Max Segment Size (dst->src)
[NFv9 57894][IPFIX 35632.422] %TCP_WIN_SCALE_OUT           TCP Window Scale (dst->src)
[NFv9 57910][IPFIX 35632.438] %PAYLOAD_HASH                Initial flow payload hash
[NFv9 57915][IPFIX 35632.443] %SRC_AS_MAP                  Organization name for SRC_AS
[NFv9 57916][IPFIX 35632.444] %DST_AS_MAP                  Organization name for SRC_AS

Plugin BGP Update Listener templates:
[NFv9 57762][IPFIX 35632.290] %SRC_AS_PATH_1               Src AS path position 1
[NFv9 57763][IPFIX 35632.291] %SRC_AS_PATH_2               Src AS path position 2
[NFv9 57764][IPFIX 35632.292] %SRC_AS_PATH_3               Src AS path position 3
[NFv9 57765][IPFIX 35632.293] %SRC_AS_PATH_4               Src AS path position 4
[NFv9 57766][IPFIX 35632.294] %SRC_AS_PATH_5               Src AS path position 5
[NFv9 57767][IPFIX 35632.295] %SRC_AS_PATH_6               Src AS path position 6
[NFv9 57768][IPFIX 35632.296] %SRC_AS_PATH_7               Src AS path position 7
[NFv9 57769][IPFIX 35632.297] %SRC_AS_PATH_8               Src AS path position 8
[NFv9 57770][IPFIX 35632.298] %SRC_AS_PATH_9               Src AS path position 9
[NFv9 57771][IPFIX 35632.299] %SRC_AS_PATH_10              Src AS path position 10
[NFv9 57772][IPFIX 35632.300] %DST_AS_PATH_1               Dest AS path position 1
[NFv9 57773][IPFIX 35632.301] %DST_AS_PATH_2               Dest AS path position 2
[NFv9 57774][IPFIX 35632.302] %DST_AS_PATH_3               Dest AS path position 3
[NFv9 57775][IPFIX 35632.303] %DST_AS_PATH_4               Dest AS path position 4
[NFv9 57776][IPFIX 35632.304] %DST_AS_PATH_5               Dest AS path position 5
[NFv9 57777][IPFIX 35632.305] %DST_AS_PATH_6               Dest AS path position 6
[NFv9 57778][IPFIX 35632.306] %DST_AS_PATH_7               Dest AS path position 7
[NFv9 57779][IPFIX 35632.307] %DST_AS_PATH_8               Dest AS path position 8
[NFv9 57780][IPFIX 35632.308] %DST_AS_PATH_9               Dest AS path position 9
[NFv9 57781][IPFIX 35632.309] %DST_AS_PATH_10              Dest AS path position 10

Plugin DHCP Protocol templates:
[NFv9 57825][IPFIX 35632.353] %DHCP_CLIENT_MAC             MAC of the DHCP client
[NFv9 57826][IPFIX 35632.354] %DHCP_CLIENT_IP              DHCP assigned client IPv4 address
[NFv9 57827][IPFIX 35632.355] %DHCP_CLIENT_NAME            DHCP client name
[NFv9 57895][IPFIX 35632.423] %DHCP_REMOTE_ID              DHCP agent remote Id
[NFv9 57896][IPFIX 35632.424] %DHCP_SUBSCRIBER_ID          DHCP subscribed Id
[NFv9 57901][IPFIX 35632.429] %DHCP_MESSAGE_TYPE           DHCP message type

Plugin Diameter Protocol templates:
[NFv9 57871][IPFIX 35632.399] %DIAMETER_REQ_MSG_TYPE       DIAMETER Request Msg Type
[NFv9 57872][IPFIX 35632.400] %DIAMETER_RSP_MSG_TYPE       DIAMETER Response Msg Type
[NFv9 57873][IPFIX 35632.401] %DIAMETER_REQ_ORIGIN_HOST    DIAMETER Origin Host Request
[NFv9 57874][IPFIX 35632.402] %DIAMETER_RSP_ORIGIN_HOST    DIAMETER Origin Host Response
[NFv9 57875][IPFIX 35632.403] %DIAMETER_REQ_USER_NAME      DIAMETER Request User Name
[NFv9 57876][IPFIX 35632.404] %DIAMETER_RSP_RESULT_CODE    DIAMETER Response Result Code
[NFv9 57877][IPFIX 35632.405] %DIAMETER_EXP_RES_VENDOR_ID  DIAMETER Response Experimental Result Vendor Id
[NFv9 57878][IPFIX 35632.406] %DIAMETER_EXP_RES_RESULT_CODE        DIAMETER Response Experimental Result Code
[NFv9 57917][IPFIX 35632.445] %DIAMETER_HOP_BY_HOP_ID      DIAMETER Hop by Hop Identifier

Plugin DNS/LLMNR Protocol templates:
[NFv9 57677][IPFIX 35632.205] %DNS_QUERY                   DNS query
[NFv9 57678][IPFIX 35632.206] %DNS_QUERY_ID                DNS query transaction Id
[NFv9 57679][IPFIX 35632.207] %DNS_QUERY_TYPE              DNS query type (e.g. 1=A, 2=NS..)
[NFv9 57680][IPFIX 35632.208] %DNS_RET_CODE                DNS return code (e.g. 0=no error)
[NFv9 57681][IPFIX 35632.209] %DNS_NUM_ANSWERS             DNS # of returned answers
[NFv9 57824][IPFIX 35632.352] %DNS_TTL_ANSWER              TTL of the first A record (if any)
[NFv9 57870][IPFIX 35632.398] %DNS_RESPONSE                DNS response(s)

Plugin FTP Protocol templates:
[NFv9 57828][IPFIX 35632.356] %FTP_LOGIN                   FTP client login
[NFv9 57829][IPFIX 35632.357] %FTP_PASSWORD                FTP client password
[NFv9 57830][IPFIX 35632.358] %FTP_COMMAND                 FTP client command
[NFv9 57831][IPFIX 35632.359] %FTP_COMMAND_RET_CODE        FTP client command return code

Plugin GTPv0 Signaling Protocol templates:
[NFv9 57793][IPFIX 35632.321] %GTPV0_REQ_MSG_TYPE          GTPv0 Request Msg Type
[NFv9 57794][IPFIX 35632.322] %GTPV0_RSP_MSG_TYPE          GTPv0 Response Msg Type
[NFv9 57795][IPFIX 35632.323] %GTPV0_TID                   GTPv0 Tunnel Identifier
[NFv9 57798][IPFIX 35632.326] %GTPV0_APN_NAME              GTPv0 APN Name
[NFv9 57796][IPFIX 35632.324] %GTPV0_END_USER_IP           GTPv0 End User IP Address
[NFv9 57797][IPFIX 35632.325] %GTPV0_END_USER_MSISDN       GTPv0 End User MSISDN
[NFv9 57799][IPFIX 35632.327] %GTPV0_RAI_MCC               GTPv0 Mobile Country Code
[NFv9 57800][IPFIX 35632.328] %GTPV0_RAI_MNC               GTPv0 Mobile Network Code
[NFv9 57801][IPFIX 35632.329] %GTPV0_RAI_CELL_LAC          GTPv0 Cell Location Area Code
[NFv9 57802][IPFIX 35632.330] %GTPV0_RAI_CELL_RAC          GTPv0 Cell Routing Area Code
[NFv9 57803][IPFIX 35632.331] %GTPV0_RESPONSE_CAUSE        GTPv0 Cause of Operation

Plugin GTPv1 Signaling Protocol templates:
[NFv9 57692][IPFIX 35632.220] %GTPV1_REQ_MSG_TYPE          GTPv1 Request Msg Type
[NFv9 57693][IPFIX 35632.221] %GTPV1_RSP_MSG_TYPE          GTPv1 Response Msg Type
[NFv9 57694][IPFIX 35632.222] %GTPV1_C2S_TEID_DATA         GTPv1 Client->Server TunnelId Data
[NFv9 57695][IPFIX 35632.223] %GTPV1_C2S_TEID_CTRL         GTPv1 Client->Server TunnelId Control
[NFv9 57696][IPFIX 35632.224] %GTPV1_S2C_TEID_DATA         GTPv1 Server->Client TunnelId Data
[NFv9 57697][IPFIX 35632.225] %GTPV1_S2C_TEID_CTRL         GTPv1 Server->Client TunnelId Control
[NFv9 57698][IPFIX 35632.226] %GTPV1_END_USER_IP           GTPv1 End User IP Address
[NFv9 57699][IPFIX 35632.227] %GTPV1_END_USER_IMSI         GTPv1 End User IMSI
[NFv9 57700][IPFIX 35632.228] %GTPV1_END_USER_MSISDN       GTPv1 End User MSISDN
[NFv9 57701][IPFIX 35632.229] %GTPV1_END_USER_IMEI         GTPv1 End User IMEI
[NFv9 57702][IPFIX 35632.230] %GTPV1_APN_NAME              GTPv1 APN Name
[NFv9 57708][IPFIX 35632.236] %GTPV1_RAT_TYPE              GTPv1 RAT Type
[NFv9 57703][IPFIX 35632.231] %GTPV1_RAI_MCC               GTPv1 RAI Mobile Country Code
[NFv9 57704][IPFIX 35632.232] %GTPV1_RAI_MNC               GTPv1 RAI Mobile Network Code
[NFv9 57814][IPFIX 35632.342] %GTPV1_RAI_LAC               GTPv1 RAI Location Area Code
[NFv9 57815][IPFIX 35632.343] %GTPV1_RAI_RAC               GTPv1 RAI Routing Area Code
[NFv9 57816][IPFIX 35632.344] %GTPV1_ULI_MCC               GTPv1 ULI Mobile Country Code
[NFv9 57817][IPFIX 35632.345] %GTPV1_ULI_MNC               GTPv1 ULI Mobile Network Code
[NFv9 57705][IPFIX 35632.233] %GTPV1_ULI_CELL_LAC          GTPv1 ULI Cell Location Area Code
[NFv9 57706][IPFIX 35632.234] %GTPV1_ULI_CELL_CI           GTPv1 ULI Cell CI
[NFv9 57707][IPFIX 35632.235] %GTPV1_ULI_SAC               GTPv1 ULI SAC
[NFv9 57804][IPFIX 35632.332] %GTPV1_RESPONSE_CAUSE        GTPv1 Cause of Operation

Plugin GTPv2 Signaling Protocol templates:
[NFv9 57742][IPFIX 35632.270] %GTPV2_REQ_MSG_TYPE          GTPv2 Request Msg Type
[NFv9 57743][IPFIX 35632.271] %GTPV2_RSP_MSG_TYPE          GTPv2 Response Msg Type
[NFv9 57744][IPFIX 35632.272] %GTPV2_C2S_S1U_GTPU_TEID     GTPv2 Client->Svr S1U GTPU TEID
[NFv9 57745][IPFIX 35632.273] %GTPV2_C2S_S1U_GTPU_IP       GTPv2 Client->Svr S1U GTPU IP
[NFv9 57746][IPFIX 35632.274] %GTPV2_S2C_S1U_GTPU_TEID     GTPv2 Srv->Client S1U GTPU TEID
[NFv9 57907][IPFIX 35632.435] %GTPV2_S5_S8_GTPC_TEID       GTPv2 S5/S8 SGW GTPC TEIDs
[NFv9 57747][IPFIX 35632.275] %GTPV2_S2C_S1U_GTPU_IP       GTPv2 Srv->Client S1U GTPU IP
[NFv9 57911][IPFIX 35632.439] %GTPV2_C2S_S5_S8_GTPU_TEID   GTPv2 Client->Srv S5/S8 PGW GTPU TEID
[NFv9 57912][IPFIX 35632.440] %GTPV2_S2C_S5_S8_GTPU_TEID   GTPv2 Srv->Client S5/S8 PGW GTPU TEID
[NFv9 57913][IPFIX 35632.441] %GTPV2_C2S_S5_S8_GTPU_IP     GTPv2 Client->Srv S5/S8 PGW GTPU IP
[NFv9 57914][IPFIX 35632.442] %GTPV2_S2C_S5_S8_GTPU_IP     GTPv2 Srv->Client S5/S8 PGW GTPU IP
[NFv9 57748][IPFIX 35632.276] %GTPV2_END_USER_IMSI         GTPv2 End User IMSI
[NFv9 57749][IPFIX 35632.277] %GTPV2_END_USER_MSISDN       GTPv2 End User MSISDN
[NFv9 57750][IPFIX 35632.278] %GTPV2_APN_NAME              GTPv2 APN Name
[NFv9 57751][IPFIX 35632.279] %GTPV2_ULI_MCC               GTPv2 Mobile Country Code
[NFv9 57752][IPFIX 35632.280] %GTPV2_ULI_MNC               GTPv2 Mobile Network Code
[NFv9 57753][IPFIX 35632.281] %GTPV2_ULI_CELL_TAC          GTPv2 Tracking Area Code
[NFv9 57754][IPFIX 35632.282] %GTPV2_ULI_CELL_ID           GTPv2 Cell Identifier
[NFv9 57805][IPFIX 35632.333] %GTPV2_RESPONSE_CAUSE        GTPv2 Cause of Operation
[NFv9 57755][IPFIX 35632.283] %GTPV2_RAT_TYPE              GTPv2 RAT Type
[NFv9 57756][IPFIX 35632.284] %GTPV2_PDN_IP                GTPV2 PDN IP Address
[NFv9 57757][IPFIX 35632.285] %GTPV2_END_USER_IMEI         GTPv2 End User IMEI

Plugin HTTP Protocol templates:
[NFv9 57652][IPFIX 35632.180] %HTTP_URL                    HTTP URL
[NFv9 57832][IPFIX 35632.360] %HTTP_METHOD                 HTTP METHOD
[NFv9 57653][IPFIX 35632.181] %HTTP_RET_CODE               HTTP return code (e.g. 200, 304...)
[NFv9 57654][IPFIX 35632.182] %HTTP_REFERER                HTTP Referer
[NFv9 57655][IPFIX 35632.183] %HTTP_UA                     HTTP User Agent
[NFv9 57656][IPFIX 35632.184] %HTTP_MIME                   HTTP Mime Type
[NFv9 57659][IPFIX 35632.187] %HTTP_HOST                   HTTP Host Name
[NFv9 57833][IPFIX 35632.361] %HTTP_SITE                   HTTP server without host name

Plugin IMAP Protocol templates:
[NFv9 57732][IPFIX 35632.260] %IMAP_LOGIN                  Mail sender

Plugin MySQL Plugin templates:
[NFv9 57667][IPFIX 35632.195] %MYSQL_SERVER_VERSION        MySQL server version
[NFv9 57668][IPFIX 35632.196] %MYSQL_USERNAME              MySQL username
[NFv9 57669][IPFIX 35632.197] %MYSQL_DB                    MySQL database in use
[NFv9 57670][IPFIX 35632.198] %MYSQL_QUERY                 MySQL Query
[NFv9 57671][IPFIX 35632.199] %MYSQL_RESPONSE              MySQL server response
[NFv9 57792][IPFIX 35632.320] %MYSQL_APPL_LATENCY_USEC     MySQL request->response latecy (usec)

Plugin NETBIOS Protocol templates:
[NFv9 57982][IPFIX 35632.510] %NETBIOS_QUERY_NAME          NETBIOS Query Name
[NFv9 57983][IPFIX 35632.511] %NETBIOS_QUERY_TYPE          NETBIOS Query Type
[NFv9 57983][IPFIX 35632.511] %NETBIOS_QUERY_RSP           NETBIOS Query Response

Plugin Oracle Protocol templates:
[NFv9 57672][IPFIX 35632.200] %ORACLE_USERNAME             Oracle Username
[NFv9 57673][IPFIX 35632.201] %ORACLE_QUERY                Oracle Query
[NFv9 57674][IPFIX 35632.202] %ORACLE_RSP_CODE             Oracle Response Code
[NFv9 57675][IPFIX 35632.203] %ORACLE_RSP_STRING           Oracle Response String
[NFv9 57676][IPFIX 35632.204] %ORACLE_QUERY_DURATION       Oracle Query Duration (msec)

Plugin POP3 Protocol templates:
[NFv9 57682][IPFIX 35632.210] %POP_USER                    POP3 user login

Plugin System process information templates:
[NFv9 57640][IPFIX 35632.168] %SRC_PROC_PID                Src process PID
[NFv9 57641][IPFIX 35632.169] %SRC_PROC_NAME               Src process name
[NFv9 57897][IPFIX 35632.425] %SRC_PROC_UID                Src process UID
[NFv9 57844][IPFIX 35632.372] %SRC_PROC_USER_NAME          Src process user name
[NFv9 57845][IPFIX 35632.373] %SRC_FATHER_PROC_PID         Src father process PID
[NFv9 57846][IPFIX 35632.374] %SRC_FATHER_PROC_NAME        Src father process name
[NFv9 57855][IPFIX 35632.383] %SRC_PROC_ACTUAL_MEMORY      Src process actual memory (bytes)
[NFv9 57856][IPFIX 35632.384] %SRC_PROC_PEAK_MEMORY        Src process peak memory (bytes)
[NFv9 57857][IPFIX 35632.385] %SRC_PROC_AVERAGE_CPU_LOAD   Src process avg load (% * 100)
[NFv9 57858][IPFIX 35632.386] %SRC_PROC_NUM_PAGE_FAULTS    Src process num pagefaults
[NFv9 57865][IPFIX 35632.393] %SRC_PROC_PCTG_IOWAIT        Src process iowait time % (% * 100)
[NFv9 57847][IPFIX 35632.375] %DST_PROC_PID                Dst process PID
[NFv9 57848][IPFIX 35632.376] %DST_PROC_NAME               Dst process name
[NFv9 57898][IPFIX 35632.426] %DST_PROC_UID                Dst process UID
[NFv9 57849][IPFIX 35632.377] %DST_PROC_USER_NAME          Dst process user name
[NFv9 57850][IPFIX 35632.378] %DST_FATHER_PROC_PID         Dst father process PID
[NFv9 57851][IPFIX 35632.379] %DST_FATHER_PROC_NAME        Dst father process name
[NFv9 57859][IPFIX 35632.387] %DST_PROC_ACTUAL_MEMORY      Dst process actual memory (bytes)
[NFv9 57860][IPFIX 35632.388] %DST_PROC_PEAK_MEMORY        Dst process peak memory (bytes)
[NFv9 57861][IPFIX 35632.389] %DST_PROC_AVERAGE_CPU_LOAD   Dst process avg load (% * 100)
[NFv9 57862][IPFIX 35632.390] %DST_PROC_NUM_PAGE_FAULTS    Dst process num pagefaults
[NFv9 57866][IPFIX 35632.394] %DST_PROC_PCTG_IOWAIT        Src process iowait time % (% * 100)

Plugin Radius Protocol templates:
[NFv9 57712][IPFIX 35632.240] %RADIUS_REQ_MSG_TYPE         RADIUS Request Msg Type
[NFv9 57713][IPFIX 35632.241] %RADIUS_RSP_MSG_TYPE         RADIUS Response Msg Type
[NFv9 57714][IPFIX 35632.242] %RADIUS_USER_NAME            RADIUS User Name (Access Only)
[NFv9 57715][IPFIX 35632.243] %RADIUS_CALLING_STATION_ID   RADIUS Calling Station Id
[NFv9 57716][IPFIX 35632.244] %RADIUS_CALLED_STATION_ID    RADIUS Called Station Id
[NFv9 57717][IPFIX 35632.245] %RADIUS_NAS_IP_ADDR          RADIUS NAS IP Address
[NFv9 57718][IPFIX 35632.246] %RADIUS_NAS_IDENTIFIER       RADIUS NAS Identifier
[NFv9 57719][IPFIX 35632.247] %RADIUS_USER_IMSI            RADIUS User IMSI (Extension)
[NFv9 57720][IPFIX 35632.248] %RADIUS_USER_IMEI            RADIUS User MSISDN (Extension)
[NFv9 57721][IPFIX 35632.249] %RADIUS_FRAMED_IP_ADDR       RADIUS Framed IP
[NFv9 57722][IPFIX 35632.250] %RADIUS_ACCT_SESSION_ID      RADIUS Accounting Session Name
[NFv9 57723][IPFIX 35632.251] %RADIUS_ACCT_STATUS_TYPE     RADIUS Accounting Status Type
[NFv9 57724][IPFIX 35632.252] %RADIUS_ACCT_IN_OCTETS       RADIUS Accounting Input Octets
[NFv9 57725][IPFIX 35632.253] %RADIUS_ACCT_OUT_OCTETS      RADIUS Accounting Output Octets
[NFv9 57726][IPFIX 35632.254] %RADIUS_ACCT_IN_PKTS         RADIUS Accounting Input Packets
[NFv9 57727][IPFIX 35632.255] %RADIUS_ACCT_OUT_PKTS        RADIUS Accounting Output Packets

Plugin RTP Plugin templates:
[NFv9 57909][IPFIX 35632.437] %RTP_SSRC                    RTP Sync Source ID
[NFv9 57622][IPFIX 35632.150] %RTP_FIRST_SEQ               First flow RTP Seq Number
[NFv9 57623][IPFIX 35632.151] %RTP_FIRST_TS                First flow RTP timestamp
[NFv9 57624][IPFIX 35632.152] %RTP_LAST_SEQ                Last flow RTP Seq Number
[NFv9 57625][IPFIX 35632.153] %RTP_LAST_TS                 Last flow RTP timestamp
[NFv9 57626][IPFIX 35632.154] %RTP_IN_JITTER               RTP jitter (ms * 1000)
[NFv9 57627][IPFIX 35632.155] %RTP_OUT_JITTER              RTP jitter (ms * 1000)
[NFv9 57628][IPFIX 35632.156] %RTP_IN_PKT_LOST             Packet lost in stream (src->dst)
[NFv9 57629][IPFIX 35632.157] %RTP_OUT_PKT_LOST            Packet lost in stream (dst->src)
[NFv9 57902][IPFIX 35632.430] %RTP_IN_PKT_DROP             Packet discarded by Jitter Buffer (src->dst)
[NFv9 57903][IPFIX 35632.431] %RTP_OUT_PKT_DROP            Packet discarded by Jitter Buffer (dst->src)
[NFv9 57633][IPFIX 35632.161] %RTP_IN_PAYLOAD_TYPE         RTP payload type
[NFv9 57630][IPFIX 35632.158] %RTP_OUT_PAYLOAD_TYPE        RTP payload type
[NFv9 57631][IPFIX 35632.159] %RTP_IN_MAX_DELTA            Max delta (ms*100) between consecutive pkts (src->dst)
[NFv9 57632][IPFIX 35632.160] %RTP_OUT_MAX_DELTA           Max delta (ms*100) between consecutive pkts (dst->src)
[NFv9 57820][IPFIX 35632.348] %RTP_SIP_CALL_ID             SIP call-id corresponding to this RTP stream
[NFv9 57906][IPFIX 35632.434] %RTP_MOS                     RTP pseudo-MOS (value * 100) (average both directions)
[NFv9 57842][IPFIX 35632.370] %RTP_IN_MOS                  RTP pseudo-MOS (value * 100) (src->dst)
[NFv9 57904][IPFIX 35632.432] %RTP_OUT_MOS                 RTP pseudo-MOS (value * 100) (dst->src)
[NFv9 57908][IPFIX 35632.436] %RTP_R_FACTOR                RTP pseudo-R_FACTOR (value * 100) (average both directions)
[NFv9 57843][IPFIX 35632.371] %RTP_IN_R_FACTOR             RTP pseudo-R_FACTOR (value * 100) (src->dst)
[NFv9 57905][IPFIX 35632.433] %RTP_OUT_R_FACTOR            RTP pseudo-R_FACTOR (value * 100) (dst->src)
[NFv9 57853][IPFIX 35632.381] %RTP_IN_TRANSIT              RTP Transit (value * 100) (src->dst)
[NFv9 57854][IPFIX 35632.382] %RTP_OUT_TRANSIT             RTP Transit (value * 100) (dst->src)
[NFv9 57852][IPFIX 35632.380] %RTP_RTT                     RTP Round Trip Time (ms)
[NFv9 57867][IPFIX 35632.395] %RTP_DTMF_TONES              DTMF tones sent (if any) during the call

Plugin S1AP Protocol templates:
[NFv9 57879][IPFIX 35632.407] %S1AP_ENB_UE_S1AP_ID         S1AP ENB Identifier
[NFv9 57880][IPFIX 35632.408] %S1AP_MME_UE_S1AP_ID         S1AP MME Identifier
[NFv9 57881][IPFIX 35632.409] %S1AP_MSG_EMM_TYPE_MME_TO_ENB        S1AP EMM Message Type from MME to ENB
[NFv9 57882][IPFIX 35632.410] %S1AP_MSG_ESM_TYPE_MME_TO_ENB        S1AP ESM Message Type from MME to ENB
[NFv9 57883][IPFIX 35632.411] %S1AP_MSG_EMM_TYPE_ENB_TO_MME        S1AP EMM Message Type from ENB to MME
[NFv9 57884][IPFIX 35632.412] %S1AP_MSG_ESM_TYPE_ENB_TO_MME        S1AP ESM Message Type from ENB to MME
[NFv9 57885][IPFIX 35632.413] %S1AP_CAUSE_ENB_TO_MME       S1AP Cause from ENB to MME
[NFv9 57886][IPFIX 35632.414] %S1AP_DETAILED_CAUSE_ENB_TO_MME      S1AP Detailed Cause from ENB to MME

Plugin SIP Plugin templates:
[NFv9 57602][IPFIX 35632.130] %SIP_CALL_ID                 SIP call-id
[NFv9 57603][IPFIX 35632.131] %SIP_CALLING_PARTY           SIP Call initiator
[NFv9 57604][IPFIX 35632.132] %SIP_CALLED_PARTY            SIP Called party
[NFv9 57605][IPFIX 35632.133] %SIP_RTP_CODECS              SIP RTP codecs
[NFv9 57606][IPFIX 35632.134] %SIP_INVITE_TIME             SIP time (epoch) of INVITE
[NFv9 57607][IPFIX 35632.135] %SIP_TRYING_TIME             SIP time (epoch) of Trying
[NFv9 57608][IPFIX 35632.136] %SIP_RINGING_TIME            SIP time (epoch) of RINGING
[NFv9 57609][IPFIX 35632.137] %SIP_INVITE_OK_TIME          SIP time (epoch) of INVITE OK
[NFv9 57610][IPFIX 35632.138] %SIP_INVITE_FAILURE_TIME     SIP time (epoch) of INVITE FAILURE
[NFv9 57611][IPFIX 35632.139] %SIP_BYE_TIME                SIP time (epoch) of BYE
[NFv9 57612][IPFIX 35632.140] %SIP_BYE_OK_TIME             SIP time (epoch) of BYE OK
[NFv9 57613][IPFIX 35632.141] %SIP_CANCEL_TIME             SIP time (epoch) of CANCEL
[NFv9 57614][IPFIX 35632.142] %SIP_CANCEL_OK_TIME          SIP time (epoch) of CANCEL OK
[NFv9 57615][IPFIX 35632.143] %SIP_RTP_IPV4_SRC_ADDR       SIP RTP stream source IP
[NFv9 57616][IPFIX 35632.144] %SIP_RTP_L4_SRC_PORT         SIP RTP stream source port
[NFv9 57617][IPFIX 35632.145] %SIP_RTP_IPV4_DST_ADDR       SIP RTP stream dest IP
[NFv9 57618][IPFIX 35632.146] %SIP_RTP_L4_DST_PORT         SIP RTP stream dest port
[NFv9 57619][IPFIX 35632.147] %SIP_RESPONSE_CODE           SIP failure response code
[NFv9 57620][IPFIX 35632.148] %SIP_REASON_CAUSE            SIP Cancel/Bye/Failure reason cause
[NFv9 57834][IPFIX 35632.362] %SIP_C_IP                    SIP C IP adresses
[NFv9 57835][IPFIX 35632.363] %SIP_CALL_STATE              SIP Call State

Plugin SMTP Protocol templates:
[NFv9 57657][IPFIX 35632.185] %SMTP_MAIL_FROM              Mail sender
[NFv9 57658][IPFIX 35632.186] %SMTP_RCPT_TO                Mail recipient

Plugin SSDP Protocol templates:
[NFv9 57972][IPFIX 35632.500] %SSDP_HOST                   SSDP Host
[NFv9 57973][IPFIX 35632.501] %SSDP_USN                    SSDP USN

If you want to specify NetFlow v9 flows in a format similar to v5 flows you can do as follows:


Note that the fields start with a % and are separated by a space.