NetFlow/IPFIX interface

From Allegro Network Multimeter Manual
Jump to navigation Jump to search

The Allegro Network Multimeter can generate NetFlow/IPFIX messages for the traffic it analyzes. The Settings enable users to configure the IPFIX output. The IPFIX output can be configured to use a TCP or UDP connection to send IPFIX messages to a specific IP and port. See the Settings for detailed information about how to set the correct values.

IPFIX settings

It is possible to export standard IPFIX records as well as Allegro-specific interface statistics.

IPFIX flow export

The settings dialogue allows a user to specify an active flow timeout. Even if a flow is active, the Allegro Network Multimeter will generate and send a flow record in the specified amount of time.

The flow export contains the following data:

  • Start and end timestamp in milliseconds (start can be time of last export).
    • until firmware 4.0, timestamps were exported in nanoseconds resolution, but some IPFIX collectors do not support this
  • Source and destination IP address.
  • Source and destination port.
  • Layer 4 protocol (TCP, UDP, ...).
  • ingress and egress network interface.
  • IP DSCP class.
  • VLAN IDs, if applicable.
  • Number of bytes and packets per direction.

Instead of the ingress/egress network interface, it is possible to report the Virtual Link Group of the flow by enabling the corresponding option in the IPFIX settings.

Interface throughput measurement

The Allegro Network Multimeter is able to measure interface throughput on a millisecond basis to identify micro bursts in network connections. If Allegro-specific interface statistics is enabled in the IPFIX settings, regular messages are sent containing the number of packets and bytes within a configurable time interval. The Allegro Network Multimeter can measure time intervals as small as one millisecond; the exact value can be chosen in the Interface and MAC throughput configuration section.

The message format is described as follows.

IPFIX message content

The IPFIX message contains the following fields:

allegroMessageType = 5

ingressInterface = ...

packetDeltaCount = ...

octetDeltaCount = ...

allegroUpdateIntervalMilliseconds = ...

observationTimeMilliseconds = ...

  • message type 5 is the interface throughput update message.
  • the ingress interface describes the corresponding network interface on which the packets were received. The value corresponds to the interface ID in the interface stats web page.
  • the packet delta count describes the number of packets within the specified interval.
  • the octet delta count describes the number of bytes on Layer 2 within the specified interval.
  • the update interval describes the duration of the reported interval in milliseconds.
  • the observation timestamp describes the UTC timestamp of the reported interval in milliseconds.

To calculate the (extrapolated) Bit/s throughput in the interval, the following formula can be used:

bps = octectDeltaCount * 8 * 1000000 / updateInterval

Detailed IPFIX message description

The IPFIX module sends IPFIX templates for all its messages which is needed to decode the message. As a reference, the format of the interface throughput updates is as follows:

Byte offset Size Meaning
0 1 message type (allegro packets enterprise field, field key 0)
1 4 ingress interface (predefined IPFIX field, field key 10)
5 8 packet delta count (predefined IPFIX field, field key 2)
13 8 octet delta count (predefined IPFIX field, field key 1)
21 8 update interval (allegro packets enterprise field, field key 13)
29 8 observation timestamp (predefined IPFIX field, field key 323)

SIP events

An event is reported upon SIP INVITE request and its OK response as well as BYE requests and its OK response.

Template IDs

SIP event Template ID
INVITE request 4352
BYE request 8448
OK response 2304