# Flow Record Requirements Traffic Insights supports NetFlow v9 and IPFIX network flow records. While a minimum set of fields (corresponding to a 5T, or 5-tuple, record type) is required to receive network flow data on each network device that serves as a traffic monitor, a recommended set of fields, including those for application visibility, is advised for optimum performance. The specific configuration of these records varies by network environment. ## Configuration of Network Flows on Cisco vs. non-Cisco Devices Network flow configuration varies based on your environment. For Cisco Catalyst SD-WAN Manager (formerly vManage) and Meraki MX, configuration is primarily done via their user interfaces. * See [Configuring Traffic Monitors Via Cisco SD-WAN](https://docs.thousandeyes.com/product-documentation/traffic-insights/traffic-insights-configuration-guide/configuring-traffic-monitors-via-sd-wan) for SD-WAN Manager. * See [Configuring Traffic Monitors Via Meraki Dashboard](https://docs.thousandeyes.com/product-documentation/traffic-insights/traffic-insights-configuration-guide/configuring-traffic-monitors-via-meraki-dashboard) for Meraki MX. For other Cisco or non-Cisco devices, manual configuration of NetFlow v9 or IPFIX records may be necessary for Traffic Insights ingestion. The minimum and recommended fields for these records are detailed in the following sections. Manual configuration steps for Cisco devices are available under [Configuring Traffic Monitors on Cisco Devices Via CLI](https://docs.thousandeyes.com/product-documentation/traffic-insights/traffic-insights-configuration-guide/configuring-traffic-monitors-via-cli). ## Network Flow Records and Fields Information within this section is based on [IP Flow Information Export (IPFIX) Entities](https://www.iana.org/assignments/ipfix/ipfix.xhtml) from the Internet Assigned Numbers Authority (IANA). The IANA document serves as a network flow data dictionary reference. Fields are uniquely referenced by number (in parentheses in the tables below) rather than by descriptive name. The descriptions are included here for understanding but are not part of the standard nomenclature in network flow traffic records. Fields come in two types: *match* fields and *collect* fields. Match fields identify and classify the data collected (e.g., source and destination IP addresses determine traffic type). Collect fields gather additional data about the traffic, such as bytes used, packets sent, or related applications, primarily for analysis. {% hint style="info" %} The IANA document covers standard fields up to number 32767. Any number above 32767, for example 45005, are Cisco-specific and are not part of the IANA standard. Not all IANA fields have a Cisco equivalent. {% endhint %} ## How Records are Recognized by ThousandEyes ThousandEyes recognizes a network flow record as valid so long as it includes at least the minimum fields listed below; if any one of the minimum-required fields is missing, the record is ignored. Records can, of course, include more than the minimum-required fields. In cases where IPv4 and IPv6 alternatives exist for specific fields, both are listed, and you should choose the option appropriate for your interface. ## Minimum Fields Required For Traffic Insights to ingest your network's flow records, the following mandatory collect and match fields must be included: | **Description** | **IANA Field** | **Cisco Alternative Fields** | | ---------------------------------------------- | -------------- | -------------------------------------------------------------------- | | Number of total bytes transferred | Collect | octetDeltaCount (1) | | Protocol ID, IPv4 or IPv6 | Match | protocolIdentifier (4) | | Source port | Match | sourceTransportPort (7) | | Source IP address | Match | Use one of: sourceIPv4Address (8), sourceIPv6Address (27) | | ID of the interface where packets are received | Match | ingressInterface (10) | | Destination port | Match | destinationTransportPort (11) | | Destination IP address | Match | Use one of: destinationIPv4Address (12), destinationIPv6Address (28) | | ID of the interface packets are sent to | Collect | egressInterface (14) | {% hint style="info" %} When configuring Nexus devices, do not include `ingressInterface (10)` or `egressInterface (14)`. {% endhint %} ## Recommended Fields For optimum network visibility, we recommend including the following collect fields in your flow records, in addition to the minimum required fields: | **Description** | **Field Type** | **IANA Field** | | ----------------------------------------------------------------- | -------------- | ---------------------------------------------------------------- | | Number of incoming packets | Collect | packetDeltaCount (2) | | TCP transport flags | Collect | tcpControlBits (6) | | IP address of the next hop | Collect | Use one of: ipNextHopIPv4Address (15), ipNextHopIPv6Address (62) | | Direction of the traffic flow | Collect | flowDirection (61) | | ID of the application generating the traffic (for Cisco networks) | Collect | applicationId (95) | | The point where traffic observation occurs | Collect | observationPointId (Interface) (138) | | Timestamp of the absolute first packet | Collect | flowStartMilliseconds (152) | | Timestamp of the absolute last packet | Collect | flowEndMilliseconds (153) | {% hint style="info" %} Some IOS-XE platforms, such as Cat9K and Nexus, cannot configure application name and next-hop within the same record. Therefore, we recommend excluding the `ipNextHopIPv4Address` (and `ipv6` equivalent) field for these platforms. For Nexus devices, we recommend you exclude both application name (`applicationId`) and next-hop fields. {% endhint %}