Contact Us
menu
irp demo
Request Noction IRP Demo

Request a personalized demo/review session of our Intelligent Routing Platform

irp trial
Start Noction IRP Trial

Evaluate Noction IRP, and see how it meets your network optimization challenges

nfa demo
Noction Flow Analyzer Demo

Schedule a one-on-one demonstration of our network traffic analysis product

nfa trial
Free Noction Flow Analyzer Trial

Test drive NFA today with your own fully featured 30-day free trial

Source ID and Observation Domain ID fields meaning & configuration details

Dec 9, 2021
Source IDThis article highlights the importance of the Source ID and Observation Domain ID fields when several metering processes are running on the exporter observation domain. The existence of Source ID in NetFlow v9 and Observation Domain ID in IPFIX allows these protocols to handle situations where a single flow exporter can be split into multiple Observation Domains and perform independent reporting on them using a single source IP address.

1. Source ID in NetFlow Version 9 Header

In this section, we identify the Source ID field in the NetFlow v9 packet header and explain how the Source ID value is generated by Cisco devices.

The NetFlow Version 9 record format consists of a packet header followed by at least one or more template or data FlowSets (Figure 1). A template FlowSet provides a description of the fields that will be present in future data FlowSets.

Table 1 summarizes the meaning of the fields located in the NetFlow v9 packet header. Notice the Source ID which is in the last position inside the header.

NetFlow v9 Packet Header
Template FlowSet
Data FlowSet
Data FlowSet
Template FlowSet
Data FlowSet
Data FlowSet
Data FlowSet

Figure 1 – NetFlow v9 Record Format

Bytes Content Description
0-1 Version NetFlow version number, for version 9 it is 0x0009
2-3 Count Number of flow sets exported in this packet, both template and data (1-30)
4-7 SysUptime Current time in seconds since the export device booted
8-11 Unix timestamp The current count of seconds since January 1, 1970, UTC
12-15 Flow sequence Sequence counter of all export packets sent by the export device. This is a change from the Version 5 and Version 8 headers, where this number represented total flows
16-19 Source ID A 32-bit value, that is used to guarantee uniqueness for all flows exported from a particular device. The format of this field is vendor-specific

Table 1 – NetFlow v9 Packet Header Format

The captured NetFlow v9 header is shown in Figure 2. It is marked with a black box and is 20 Bytes long. The header starts with the first two bytes (0x0009), which specify a flow version. The last four bytes of the header (0x00000100) are the Source identifiers bytes.

NOTE: Notice the bytes highlighted in blue which start with the value 0x0009 (flow version) and end with the value 0x00 02 00 08 (Figure 2). These are the bytes of the entire NetFlow v9 record inside the Ethernet frame. The length of the record is 80 bytes (20 bytes of packet header plus 60 bytes of the Template FlowSet).

NetFlow v9 Packet Header

Figure 2 – Captured NetFlow v9 Packet Header

In our case, the Source ID inside the captured NetFlow v9 packet header is 256 or 0x00000100 in hexadecimal format. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.

In Cisco’s implementation, the first two bytes are reserved for future expansion, and will always be zero (Figure 3). Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device.

Source ID Decimal Value

Figure 3 – Source ID with Decimal Value 256 in NetFlow 9 Packet Header

2. Observation Domain ID in IPFIX Header

Similar to Source ID in the NetFlow v9 header, IANA defines a 32-bit identifier of the Observation Domain – observationDomainId for IPFIX messages. The identifier is located in the IPFIX header and is locally unique to the exporting process of the templates. The export process uses the Observation Domain ID to uniquely identify the collection process in which the flows were metered.

Figure 4 shows a scenario where the IPFX exporter is partitioned into two Observation domains. They are two nProbe instances running on Debian Linux; each captures packets on a single interface (dmz0, lan0). In this case, both exports use the same source IP address 10.0.0.2, which is not sufficient to distinguish between them. Therefore, the IPFIX device must be able to generate a unique Observation Domain Id for each metering process in order to perform independent reporting using a single source IP address.
nProbe instances

Figure 4 – Exporter Running Two nProbe Instances

Figure 5 shows captured IPFIX messages with Observation Domain Ids 87 and 81 inside the header.
Observation Domain ID

Figure 5 – Observation Domain Ids 87 and 81 in IPFIX Messages

Noction Flow Analyzer (NFA) correctly recognizes the Observation Domain Ids in received IPFIX messages and reports on them with the same source IP address 10.0.0.2 (Management→ Inventory section) (Figure 6). The Exporter ID (aka Observation Domain ID) filtering and grouping options are present in NFA’s Data Explorer section to allow for even more granular flow analysis.

IPFIX Exporters

Figure 6 – IPFIX Exporters Reported in NFA Inventory

3. Configuration

Some vendors allow the Observation Domain Id to be configured for NetFlow v9 and IPFIX. For example, starting with Junos OS Release 14.1, you can configure the observation domain ID on your Juniper devices, which causes the first 8 bits of the field to be configured.

To specify the Observation Domain Id for IPFIX flows:

[edit services flow-monitoring version-ipfix]
template template-name {
    observation-domain-id domain-id;
}

To specify the source ID for version 9 flows:

[edit services flow-monitoring version9]
template template-name {
    source-id source-id;
}

Conclusion

If the observation domain is not unique, the collector cannot uniquely identify an IPFIX or NetFlow v9 Exporting Process. Juniper recommends configuring Observation Domain ID so, that it is unique for each IPFIX flow. However, if this option is not available, the observation domain ID is predefined and is set to a fixed value that is derived from the combination of an FPC slot, sampling protocol, PFE Instance, and the lookup chip (LU) Instance fields.

Noction Flow Analyzer try

START FREE TRIAL
noction flow analyzer price
Tags: NetFlow

SUBSCRIBE TO NEWSLETTER

You May Also Like

ACK and NACK in Networking

ACK and NACK in Networking

Apr 8

In networking, communication between devices relies on the efficient exchange of data packets. Among the essential...