The Cisco Netflow 7-Tuple

A flow is identified as a unidirectional stream of packets which all have the same combination of seven fields (or 7 tuple)

•Source IP address

•Destination IP address

•Source port number

•Destination port number

•Layer 3 protocol type

•ToS byte

•Input logical interface (ifIndex)

Even if there is only one different field in the tuple then it is considered as a new flow. A flow record can contains other accounting/data fields (such as the AS number). The which that depend on the version record format that you configure for export.

One easy way to see this in action is to use SSH. SSH sets the type of services bits based on the type of traffic being sent. IE

For the IP Type of Service field [RFC0791], it is recommended that interactive sessions (those having a user terminal or forwarding X11 connections) use the IPTOS_LOWDELAY, and non-interactive connections use IPTOS_THROUGHPUT. [See here]

From ip.h we can see that


IPTOS_LOWDELAY             0x10 is used for interactive sessions

IPTOS_THROUGHPUT        0x08 is used for file transfers

If you do a tcpdump of a ssh interactive session or a file transfer you quickly notice that the SSH sets TOS values as follows:

SSH Authentication / Negotiation packets  = TOS 0x0

SSH Interactive packets = TOS 0x10

SSH File transfer packets = TOS 0x08

Consider the network diagram below where a single router connects two hosts. This network (and the setup details) can be found in my post about understanding netflow and nfsen.

image_038

If you start up a SCP session (it file transfer) between ZZZ and ABC you can see that four flows are recorded on the router:

rtr01#show ip cache flow | i 10.48.254.73
Fa0/1         10.48.254.73    Fa0/0         10.48.0.220     06 0016 94FC    19K
Fa0/1         10.48.254.73    Fa0/0         10.48.0.220     06 0016 94FC    17
Fa0/0         10.48.0.220     Fa0/1         10.48.254.73    06 94FC 0016    13K
Fa0/0         10.48.0.220     Fa0/1         10.48.254.73    06 94FC 0016    12

The two flows with low packet counts (17 & 12) are the authentication flows and the other two are data transfer.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s