Flow Record Requirements
Traffic Insights supports NetFlow v9 and IPFIX network flow records. Each network device that serves as a traffic monitor must export a minimum set of fields (corresponding to a 5T, or 5-tuple, record type) for its network flow data to be received; a recommended set of fields, including those for application visibility, is advised for optimum performance. The specific configuration of these records varies by network environment.
Configuration of Network Flows on Cisco vs. non-Cisco Devices
Network flow configuration varies based on your environment. For Cisco Catalyst SD-WAN Manager (formerly vManage) and Meraki MX, configuration is primarily done via their user interfaces.
See Configuring Traffic Monitors Via Cisco SD-WAN for SD-WAN Manager.
See Configuring Traffic Monitors Via Meraki Dashboard for Meraki MX.
For other Cisco or non-Cisco devices, manual configuration of NetFlow v9 or IPFIX records may be necessary for Traffic Insights ingestion. The minimum and recommended fields for these records are detailed in the following sections. Manual configuration steps for Cisco devices are available under Configuring Traffic Monitors on Cisco Devices Via CLI.
Network Flow Records and Fields
Information within this section is based on IP Flow Information Export (IPFIX) Entities from the Internet Assigned Numbers Authority (IANA). The IANA document serves as a network flow data dictionary reference.
Fields are uniquely referenced by number (in parentheses in the tables below) rather than by descriptive name. The descriptions are included here for understanding but are not part of the standard nomenclature in network flow traffic records.
Fields come in two types: match fields and collect fields. Match fields identify and classify the data collected (e.g., source and destination IP addresses determine traffic type). Collect fields gather additional data about the traffic, such as bytes used, packets sent, or related applications, primarily for analysis.
How Records are Recognized by ThousandEyes
ThousandEyes recognizes a network flow record as valid so long as it includes at least the minimum fields listed below; if any one of the minimum-required fields is missing, the record is ignored. Records can, of course, include more than the minimum-required fields.
In cases where IPv4 and IPv6 alternatives exist for specific fields, both are listed, and you should choose the option appropriate for your interface.
Minimum Fields Required
For Traffic Insights to ingest your network's flow records, the following mandatory collect and match fields must be included:
| Description | Field Type | IANA Field | Cisco Alternative Fields |
| --- | --- | --- | --- |
| Number of total bytes transferred | Collect | octetDeltaCount (1) | |
| Protocol ID, IPv4 or IPv6 | Match | protocolIdentifier (4) | |
| Source port | Match | sourceTransportPort (7) | |
| Source IP address | Match | Use one of: sourceIPv4Address (8), sourceIPv6Address (27) | |
| ID of the interface where packets are received | Match | ingressInterface (10) | |
| Destination port | Match | destinationTransportPort (11) | |
| Destination IP address | Match | Use one of: destinationIPv4Address (12), destinationIPv6Address (28) | |
| ID of the interface packets are sent to | Collect | egressInterface (14) | |
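The recognition rule above (every minimum field present, with either the IPv4 or the IPv6 form accepted) can be checked against an exporter's template before the device is pointed at Traffic Insights. The following is an added example, not ThousandEyes code: it parses a NetFlow v9 template FlowSet or an IPFIX template Set and reports which minimum fields are missing. The function names and the two sample templates are constructed for illustration.

```python
import struct

# Minimum fields from the table above; one IANA ID per group must be present.
MINIMUM = {
    "octetDeltaCount": {1}, "protocolIdentifier": {4},
    "sourceTransportPort": {7}, "sourceIPv4Address|sourceIPv6Address": {8, 27},
    "ingressInterface": {10}, "destinationTransportPort": {11},
    "destinationIPv4Address|destinationIPv6Address": {12, 28},
    "egressInterface": {14},
}

def parse_templates(flowset: bytes) -> dict:
    """Map template ID to IANA field IDs for a v9 (0) or IPFIX (2) template set."""
    set_id, length = struct.unpack_from("!HH", flowset, 0)
    if set_id not in (0, 2) or not 4 <= length <= len(flowset):
        raise ValueError("not a complete template set")
    templates, pos = {}, 4
    while pos + 4 <= length:
        template_id, count = struct.unpack_from("!HH", flowset, pos)
        if template_id < 256:  # template IDs start at 256; this is padding
            break
        pos, fields = pos + 4, []
        for _ in range(count):
            if pos + 4 > length:
                raise ValueError("truncated field specifier")
            field_id, _size = struct.unpack_from("!HH", flowset, pos)
            pos += 4
            if set_id == 2 and field_id & 0x8000:  # IPFIX enterprise element
                pos += 4                           # skip enterprise number
                continue                           # vendor field, not IANA
            fields.append(field_id)
        templates[template_id] = fields
    return templates

def missing_minimum(field_ids) -> list:
    """Names of the minimum-field groups a template fails to cover."""
    present = set(field_ids)
    return [name for name, ids in MINIMUM.items() if not ids & present]

def make_v9_template(template_id, fields):
    """Build a constructed v9 template FlowSet from (field_id, length) pairs."""
    body = b"".join(struct.pack("!HH", f, n) for f, n in fields)
    return struct.pack("!HHHH", 0, 8 + len(body), template_id, len(fields)) + body

# Constructed samples: template 256 is a full IPv4 5-tuple record,
# template 257 is IPv6 but omits ingressInterface (10).
GOOD = make_v9_template(256, [(1, 4), (4, 1), (7, 2), (8, 4), (10, 4),
                              (11, 2), (12, 4), (14, 4)])
BAD = make_v9_template(257, [(1, 4), (4, 1), (7, 2), (27, 16), (11, 2),
                             (28, 16), (14, 4)])
```

Run `missing_minimum(parse_templates(BAD)[257])` to see the one gap in the second template; an empty list means the template satisfies the minimum set.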
Recommended Fields
For optimum network visibility, we recommend including the following collect fields in your flow records, in addition to the minimum required fields:
| Description | Field Type | IANA Field |
| --- | --- | --- |
| Number of incoming packets | Collect | packetDeltaCount (2) |
| TCP transport flags | Collect | tcpControlBits (6) |
| IP address of the next hop | Collect | Use one of: ipNextHopIPv4Address (15), ipNextHopIPv6Address (62) |
| Direction of the traffic flow | Collect | flowDirection (61) |
| ID of the application generating the traffic (for Cisco networks) | Collect | applicationId (95) |
| The point where traffic observation occurs | Collect | observationPointId (Interface) (138) |
| Timestamp of the absolute first packet | Collect | flowStartMilliseconds (152) |
| Timestamp of the absolute last packet | Collect | flowEndMilliseconds (153) |