What is "Source ID" in Netflow V9 Packet Header

Hi,
My question is regarding the "Source ID" field that appears in the Netflow V9 packet header. The following Cisco link (http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.pdf) gives the Source ID definition as:
"The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device."
I am using "Source ID" (combined with template ID) to uniquely identify options templates exported by different routers. At our new lab setup, where we have more than one router configured to export Netflow, I observed that all the routers were exporting the "Source ID" value as "0" (zero). It broke the assumption that I had formed based on the definition from the above Cisco doc.

I assumed:

SourceID    Template ID    Unique Key
source1     256            source1-256
source1     257            source1-257
source2     256            source2-256
source3     258            source3-258

But I observed:

SourceID    Template ID    Unique Key
0           256            0-256
0           257            0-257
0           256            0-256
0           258            0-258

Thus, the same template ID (256) from different routers (source1, source3) eventually forms the same unique key and breaks my code.
I would like to know whether my interpretation that Source ID can be used to uniquely identify templates in this manner is correct or not.
Is "Source ID" a user-configurable attribute? How does it comply with the definition given in the above Cisco doc?
Thanks,
Deepak

Deepak,
Consider these quotations from the same RFC 3954:
Section 2: Terminology:

> Observation Point
> An Observation Point is a location in the network where IP packets can be observed; for example, one or a set of interfaces on a network device like a router. Every Observation Point is associated with an Observation Domain.
>
> Observation Domain
> The set of Observation Points that is the largest aggregatable set of flow information at the network device with NetFlow services enabled is termed an Observation Domain. For example, a router line card composed of several interfaces with each interface being an Observation Point.

Section 7: Template Management:

> A NetFlow Collector that receives Export Packets from several Observation Domains from the same Exporter MUST be aware that the uniqueness of the Template ID is not guaranteed across Observation Domains.

Section 9: The Collector Side:

> At any given time the Collector SHOULD maintain the following for all the current Template Records and Options Template Records: Exporter, Observation Domain, Template ID, Template Definition, Last Received. Note that the Observation Domain is identified by the Source ID field from the Export Packet.

So in other words, the Source ID is an identifier of the Observation Domain (and in fact, the IPFIX RFC directly calls this header field the Observation Domain ID). Template IDs are unique per Exporter and per Observation Domain, and if a single Exporter uses multiple templates in its different Observation Domains, the IDs of these templates could overlap even in a single Exporter. Observation Domain IDs (that is, Source IDs) identify only the internal structure of a single Exporter, and no provisions are made to preserve their uniqueness across multiple Exporters - for this, the source IP shall be used.
With respect to whether there can be multiple NetFlow instances on a single router, I am getting a feeling that with decentralized, distributed platforms, multiple linecards in a single router could run their own NetFlow analysis for data that pass through them, so each one provides a separate NetFlow collection. Thus, each linecard or each feature card doing its own NetFlow analysis should be assigned its own unique Observation Domain ID.
> If it is not user configurable then system should automatically form the value based on router engine and line card. But what I have observed, on more than one router, is that this value is always 0 (zero).

I believe this is strongly dependent on the hardware construction of the router. As a remotely-related example, old 2600 series routers had two WIC slots. If you inserted two WIC-2T modules into these slots, you'd expect that they would be numbered Serial0/0, Serial0/1, Serial1/0, Serial1/1. Very surprisingly, however, these routers considered both slots to be internally connected to a single bus, and the interfaces were named Serial0/0, Serial0/1, Serial0/2 and Serial0/3 - as if they all were installed in a single slot '0'. Something similar may happen to the Observation Domains and their IDs. You would believe that each single linecard constituted a separate Observation Domain. However, the reality may be different, and the whole router can act as a single Observation Domain to the outside world. It's just the way it is constructed - and programmed.

> It is not clear why Cisco doc says that one should use both "Source ID" and "Source IP Address" to properly distinguish between flows.

I think it's a poor wording in the RFC. I think what they want to say is that if you use the duplet <Source IP, Source ID> to distinguish between flows, then you're fine both for multiple flows from the same Exporter, and for multiple flows from different Exporters.

> Moreover, isn't "Source IP Address" good enough to distinguish between flows from different sources?

If an Exporter could truly be partitioned into multiple Observation Domains then the source IP would not be sufficient. I am just making up examples with no real-life backup here, but think of, say, a multi-chassis router with each chassis being one Observation Domain, or each linecard of a distributed switch being a standalone Observation Domain, or one router virtualized to several different contexts and virtual routers, each of them being a unique Observation Domain, reporting about the flows using the same source IP... I think you get the point.
I would put it this way... The existence of Source ID in NetFlow v9 (and Observation Domain ID in IPFIX) allows these protocols to nicely cope with situations in which a single physical device can be partitioned into several Observation Domains and perform independent reporting on them using a single source IP. However, the fact that these protocols have this ability does not mean that each and every device, even a Cisco router/switch, must necessarily make use of it.
Best regards,
Peter
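
The collector-side keying discussed in this thread, as an added example that is not code from either poster or from Cisco: it parses the Source ID and the Template and Options Template FlowSets of NetFlow v9 export packets (layout per RFC 3954) and compares a cache keyed on (Source ID, Template ID) with one keyed on (Exporter address, Source ID, Template ID). The names `parse_templates`, `TemplateCache` and `build_packet`, the 192.0.2.x exporter addresses and the two sample packets are constructed for illustration.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
SET_HDR = struct.Struct("!HH")     # FlowSet ID, length (length includes this header)

def read_fields(buf, pos, nbytes, end):
    """Read (type, length) pairs; refuse records that run past their FlowSet."""
    if nbytes % 4 or pos + nbytes > end:
        raise ValueError("template record overruns its FlowSet")
    return tuple(struct.unpack_from("!HH", buf, pos + i) for i in range(0, nbytes, 4))

def parse_templates(packet):
    """Return (source_id, [(template_id, kind, fields)]) for one v9 export packet."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, _, _, _, _, source_id = HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError("not NetFlow v9")
    found, off = [], HEADER.size
    while off + SET_HDR.size <= len(packet):
        set_id, set_len = SET_HDR.unpack_from(packet, off)
        end = off + set_len
        if set_len < SET_HDR.size or end > len(packet):
            raise ValueError("bad FlowSet length")
        pos = off + SET_HDR.size
        if set_id == 0:      # Template FlowSet
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", packet, pos)
                if tid < 256:    # 0-255 are FlowSet IDs, never template IDs: padding
                    break
                found.append((tid, "data", read_fields(packet, pos + 4, count * 4, end)))
                pos += 4 + count * 4
        elif set_id == 1:    # Options Template FlowSet
            while pos + 6 <= end:
                tid, scope_len, opt_len = struct.unpack_from("!HHH", packet, pos)
                if tid < 256:
                    break
                found.append((tid, "options",
                              read_fields(packet, pos + 6, scope_len + opt_len, end)))
                pos += 6 + scope_len + opt_len
        off = end            # data FlowSets (ID > 255) are skipped in this example
    return source_id, found

class TemplateCache:
    def __init__(self, key_on_exporter):
        self.key_on_exporter = key_on_exporter
        self.templates = {}   # key -> (kind, fields)
        self.overwrites = []  # keys whose stored definition was replaced by a different one

    def ingest(self, exporter_ip, packet):
        source_id, found = parse_templates(packet)
        for tid, kind, fields in found:
            key = (source_id, tid)
            if self.key_on_exporter:
                key = (exporter_ip,) + key
            if self.templates.get(key, (kind, fields)) != (kind, fields):
                self.overwrites.append(key)
            self.templates[key] = (kind, fields)

def build_packet(source_id, template_id, fields):
    """Constructed sample: one export packet carrying a single data template."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return HEADER.pack(9, 1, 0, 0, 0, source_id) + SET_HDR.pack(0, 4 + len(body)) + body

def demo():
    # Constructed: two routers, both Source ID 0 and template 256, with different layouts.
    r1 = build_packet(0, 256, [(8, 4), (12, 4), (1, 4)])  # IPV4_SRC_ADDR, IPV4_DST_ADDR, IN_BYTES
    r2 = build_packet(0, 256, [(7, 2), (11, 2), (2, 4)])  # L4_SRC_PORT, L4_DST_PORT, IN_PKTS
    naive, keyed = TemplateCache(False), TemplateCache(True)
    for cache in (naive, keyed):
        cache.ingest("192.0.2.1", r1)
        cache.ingest("192.0.2.2", r2)
    return naive, keyed
```

The exporter address here is whatever the transport reports as the packet's source, so this key separates routers but does not authenticate them. A non-empty `overwrites` list on the exporter-keyed cache means one exporter changed a template definition, which is worth logging because data records decoded with the wrong layout are silently misread.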

Similar Messages

  • What is the difference between Netflow protocols and Real Time Capture

    Hi Gurus,
    Let me know (if you have a link, that would be excellent) the difference between capturing traffic in real time (using a SPAN port) and exporting traffic via the Netflow protocol.
    When I capture traffic and analyze it (using Wireshark or tcpdump) in real time I see all the data in detail, but in Netflow I see statistics?
    Any other tip or link that could explain it in detail, please?

    Capturing packets via a span port and inspecting with Wireshark or any pcap analysis tools is looking at actual datagrams - the details are much more in-depth and detailed and you are not missing anything. You see the actual IP conversations.
    NetFlow captures the header information from each of the IP conversations traversing your networking device and allows for flow analysis tools to decipher them and display the results. With NetFlow, each IP conversation is represented in a flow with information about its source and destination IP Address, port numbers, protocol, ToS, etc. Now remember, NetFlow is not all sampled - It captures all the IP conversation information. There is also sampled NetFlow like Seb stated in the previous reply, but not all NetFlow is sampled. You can enable sampling to capture 1 in 100 packets or 1 in x packets.
    A simpler way to put it is, consider a phone call. Packet capture is like knowing who called whom, how did they call, what did they use, when did they call and also get to know what did they talk about.
    NetFlow is like your phone bill - you know who called whom, when it happened, how long they talked, etc., but you do not know what did they talk about.
    If you have a resource intensive network, capture NetFlow from all the nodes and do spanning from the most important interfaces.
    Regards,
    Don Thomas Jacob
    http://www.solarwinds.com/netflow-traffic-analyzer.aspx
    NOTE: Please rate and close questions if you found any of the answers helpful.

  • Every time I try to download Java for Lion (no matter what the source) all I get is a document image labelled "unconfirmed download" and a warning that this type of file may harm my computer. What am I doing wrong?

    Every time I try to download Java for Lion (no matter what the source) all I get is a document image labelled "unconfirmed download" and a warning that this type of file may harm my computer. What am I doing wrong?

    Donna...
    Even from Apple?  >  Java for OS X Lion Update 1
    Restart your Mac before trying to download the file.
    Do you have anti virus software installed or a program like Little Snitch?
    If you are using Safari to download files, go to the Safari menu bar click Safari > Empty Cache
    If that doesn't help, back to the menu bar, click Safari > Reset Safari. Select the top 5 boxes then click Reset.
    If you still can't download the Java file, go to ~ / Library / Caches / com.apple.Safari
    Move the Cache.db file from the com.apple.Safari folder to the Trash and restart your Mac. Try downloading that file again.
    If it still won't download without that dialog, go to ~/Library/Safari. Move the Downloads.plist file from the Safari folder to the Trash.
    Try again.
    ~ (Tilde) character represents the Home folder.
    For Lion:   To find the Home folder in OS X Lion, open the Finder, hold the Option key, and choose Go > Library

  • What data sources are being used

    Hi,
    I am about to create a new Planning application (v9.3.1.1) and we currently have two other Planning applications. When I select Create Application from the administration menu, I can see one Data Source available in the listbox. Does that mean that the data source is currently unused and available, or is there a risk that any of the other planning applications that are already created are using this data source? I tried to see what data source the two current planning applications are using, but I could not find that information anywhere.

    When you create an application and you see datasources available that should mean they are not currently being used.
    You can always edit the datasource and check the database/schema it points to is empty.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • What is IP precedence of Soft phone packets

    If I have a soft phone installed on a PC (such as Cisco Unified Personal Communicator), what is IP Prec of the voice packets going out of the PC, who controls this, soft phone or PC? Thanks!

    Thanks for quick responds!
    Per my understanding, softphone manages it. But can not find the option to set IP prec in the configuration manual. So is DSCP EF or IP prec 5 is set up by default for voice packets?

  • What is source to settle and source to pay?

    Hi dudes
    What is source to settle and source to pay? Please let me know the process flow if possible.
    Regards
    Chinna Krishna

    HI,
    Source to pay basically automates and synchronizes your procurement and payment process.
    A source-to-pay system like SRM provides strategic value through sustainable cost savings, contract compliance, and quick time-to-value. Companies are equipped with tools to drive superior results through an end-to-end source-to-pay process. Activities such as spend analysis, category management, requisitioning, sourcing, operational contracts, invoicing, and supplier management are part of an integrated platform.
    This can connect you to your entire supply base, allowing multiple levels of suppliers, partners, and manufacturers to work together, while you reduce the cost of goods sold throughout the company.
    This process integrates supplier qualification, negotiation, and contract management more tightly and cost-effectively with other enterprise functions and their suppliers' processes - through a single framework with support for multichannel suppliers.
    So in a nutshell you can say that this basically reduces the cost and time of the procurement process,
    which basically reduces the workload of the purchasing and finance departments.
    Regards,
    Sachin

  • What's the best program for making a header containing rollover navigation links?

    I have all CS4 programs and I'm looking to make a header that contains an interactive rollover nav bar. I want the bar to be located within the header. What is the best program for creating the header and rollover buttons. I'm aware i could manipulate the images in other programs, but placement and rollover button creation is what I'm looking for. Thanks. I'm thinking maybe flash or fireworks?

    Spry can do this for you.  See some samples here:
    http://labs.adobe.com/technologies/spry/samples/menubar/MenuBarSample.html
    Or there are commercially available menu systems from the likes of companies like Project Seven, whom I would personally recommend:
    http://www.projectseven.com/

  • RTSP packet header information not set properly

    How does the QuickTime Streaming Server set the field "Owner/Creator, Session Id (o):" in the RTSP packet header.
    When analyzing the packets we get "Owner/Creator, Session Id (o): - 58 2721648327 IN IP4 127.0.0.0" which is not our Server's external IP.
    When trying to connect through a stateful packet inspection firewall, we can't connect to our stream because of the field "o" not being set properly.

    Was there ever a solution to nagardd's original post? I am experiencing the same issue w/ the netmask not being set even though it's setup to do so in /etc/netmasks.
    My /etc/netmasks
    root@fsintntwrkrus1 cat /etc/netmasks
    # The netmasks file associates Internet Protocol (IP) address
    # masks with IP network numbers.
    # network-number netmask
    # The term network-number refers to a number obtained from the Internet Network
    # Information Center.
    # Both the network-number and the netmasks are specified in
    # "decimal dot" notation, e.g:
    # 128.32.0.0 255.255.255.0
    172.25.40.0 255.255.255.0
    *172.25.237.0 255.255.254.0*
    My ifconfig after boot
    root@fsintntwrkrus1 ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ipge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.25.40.10 netmask ffffff00 broadcast 172.25.40.255
    ether 0:14:4f:22:21:20
    ipge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 172.25.237.241 netmask ffff0000 broadcast 172.25.0.0
    ether 0:14:4f:22:21:21

  • Whats the difference between the two XMP packet tags

    Hi,
    I opened a file Bluesquare.indd (from the XMP SDK sample) and I found two XMP packets inside the file.
    One packet with tag
    and another one with tag
    When I tried to extract the xmp using getXMP() method from XMPFiles then, I got the packet with tag
    So can you tell me, what is the difference between two packets, why they are different
    what is its use.
    Thanks & Regards,
    Venkatesh.E

    My feeling here is that simply changing join syntax and case vs decode issues is not going to give any significant improvement in performance, and as Tubby points out, there is not a lot to go on. I think you are going to have to investigate things along the line of parallel query and index vs full table scans as well any number of performance tuning methods before you will see any significant gains. I would start with the Performance Manual as a start and then follow that up with the hard yards of query plans and stats.
    Alternatively, you could just set the gofast parameter to TRUE and everything will be all right.
    Andre

  • What video source files does Flash Video Encoder CS3 support?

    I can't find this anywhere on the web. I successfully converted an AVI to FLV, but the quality wasn't very good, but that is because the AVI isn't very good. So I ripped it again with higher quality into an m4v format. It took over an hour for a 12 minute video only to say this error at the end:
    The operation could not be completed because an error occurred.
    Is there a list somewhere of the source video files supported?
    thanks a lot,
    Justin

    decibleXL wrote:
    > Give him the best source material I can - exactly, that's what I thought! I want to give him a TGA sequence that I create either straight out of my 3D animation software or out of Premiere, but he always tells me it's too big. He says it either crashes Flash, or the file size of the FLV he creates using the TGAs is too big. The basic gist I'm getting from my Flash guy is that the file size of the end product (the FLV) is directly affected by the file size of the source material. I think that's why he's trying to get me to give him stuff that's really small and compressed. The problem is that in order to get it as small as he wants it, the quality takes a major hit.
    There are options while converting to FLV to define the quality, size etc... This is where you impact on the final output. TGA might be too large, try AVI or MOV, tho again, the FLV converter is the one responsible for the quality and size of the final file.
    > So I've got a TGA sequence that's 1.8GB. He told me that was way too big for him to use.
    It's too big :) Flash will die upon import of such file.
    > So I processed the sequence using QuickTime pro into a JPG sequence for him. The JPG sequence is 50MB. He tells me this is STILL too big for him to use. Then he asks me for an AVI encoded with XVID. I don't really feel like this is the right way to go, adding compression on top of compression like that. But at the same time I don't know much about Flash, so I'm not really inclined to argue with him.
    >
    > What do you guys think?
    Try Mov or Avi
    Btw. 50Mb it's not so big. If properly compressed, could be very good quality and reasonable size.
    Best Regards
    Urami
    "Never play Leap-Frog with a Unicorn."
    <urami>
    If you want to mail me - DO NOT LAUGH AT MY ADDRESS
    </urami>

  • What is source system and open hub destination?

    Hello,
    Kindly tell me: in the BI data modeling workbench, under modeling, there are two areas named "Source system" and "Open Hub destination". What is meant by this? How do we use it in BI?

    Hi,
    Source system, as the name suggests, denotes the source of data: the place from where you are extracting data to BW.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/7a/27bcf087c7464db8b95eaa717b6e6a/content.htm
    OpenHub is for exporting data out of BW.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/11e1b990-0201-0010-bf9a-bf9d0ca791b0
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/3042c5fc-21a8-2910-c79e-ad530260ae2e
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/01d3a090-0201-0010-9783-bc
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/bf/50453c01f4f75fe10000000a11402f/frameset.htm
    Thanks,
    JituK

  • What is source client of Solution Manager?

    Hi
    I wanted to apply note 990534 to configure MOZ. Can anybody tell me what exactly the source client of Solution Manager is?
    Regards
    Arati

    Check the below links :
    What is Solution Manager?
    Solution manager
    /thread/384815 [original link is broken]
    Is SAP Project System part of Solution Manager?
    SAP Solution Manager is a centralized, robust solution management toolset that facilitates technical support for distributed systems -- with functionality that covers all key aspects of solution deployment, operation, and continuous improvement. It combines tools, content, and direct access to SAP to increase the reliability of solutions and lower total cost of ownership.
    With SAP Solution Manager, you can be sure your entire SAP solution environment is performing at its maximum potential. The toolset addresses your entire IT environment, supporting SAP and non-SAP software and covering current and forthcoming SAP solutions. As part of SAP NetWeaver, SAP Solution Manager is included in the annual maintenance fee for SAP solutions.
    SAP Solution Manager targets both technical and business aspects of your solutions, focusing strongly on core business processes. It supports the connection between business processes and the underlying IT infrastructure. As a result, it eases communication between your IT department and your lines of business. And it ensures that you derive the maximum benefits from your IT investments.
    Check these links related to solution manager
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ce89c290-0201-0010-5985-dd64605111fd
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ce0b74e3-0601-0010-29a0-f2a6af98ef06
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5348ada6-0301-0010-f38f-a5076178843e
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5d29d690-0201-0010-2f9f-a0f957dee385

  • What causes "nge0: Receive length field error Packets" errors?

    Can anyone help me identify what would be causing this error message?
    I am getting these on the console about every 2 minutes whether I am actively using the network or not. The system is serving up 1 NFS mount., but errors continue even if no one is connected.
    I'm running Solaris 10 on a Sun Ultra-20 workstation. The machine is attached to a small D-Link 10/100 switch along with a 6 other systems in my office.

    Pull the source code from Info-Zip.org and have a look. (It's no small tool, and figuring out where this is percolating up likely won't be easy.) I'd guess that the 4608 value is some random "garbage" value that's being returned for some error path that's been triggered; that code is not a valid macerrors.h error value, either.
    Philosophically, this is a losing battle. Errors get added, bugs get introduced, and bugs get slain, and every so often a lower-level error percolates up somewhere. Capture the specific errors you need to deal with, and get out for the rest. If it's a zero, you're good. Otherwise, I'd suggest "Leaving, what a good idea" – print appropriate diagnostics and exit the script.
    FWIW, you might get some better control by adding the files to the zip archive one at a time. Dumping out the ls -ale@ output for each file might also help when debugging, if something goes sideways.

  • Cisco 831 no netflow export packets through IPSEC

    I have a Cisco 831 in a remote office. The remote office is connected to the Central Office through an IPSec tunnel. I have configured netflow export from the source address of the LAN interface (inside interface) at the remote office to a server at the Central Office. But I did not see netflow packets at the netflow server in the Central Office. Maybe somebody has fixed this problem?

    Check 'ip route-cache flow' cmd enabled on tunnel interface.
    also check this bug-id:CSCef28662.
    Try this link:
    http://www.cisco.com/en/US/tech/tk812/technologies_white_paper09186a008022bde8.shtml#wp1002626

  • How does IOS choose what IPv6 source address to use?

    I have a 3750X with IOS 15.2.2E.
    I have multiple IPv6 addresses on the default VLAN (VLAN 1):
    ipv6 address 2001:470:...../64
    ipv6 address 2001:470:...../64
    ipv6 address 2605:A000:..../64
    I have one default IPv6 route:
    ipv6 route ::/0 Vlan1 FE80::.....
    S   ::/0 [1/0]
         via FE80::....., Vlan1
    My question is: when I issue a ping from the 3750X, how does the switch choose what source address to use?
    Currently, it seems to use the 2605:A000 address, but why?
    Can I change this behavior?
    Thanks!

    OK,
    How about my second question: Can I change this behavior in IOS?
    Thanks!
