Required fields in SolarWinds NTA
Most flow-enabled devices use a set of static templates to which exported flows conform.
If flow packets do not include the following field types and appropriate values, NTA ignores the packets.
Requirements
- The template must include all mandatory fields.
- Where multiple elements are in a group, at least one of them must be included.
- Optional fields are processed into flows if present. If not present, a default value is used.
For more information about fields required for sampled flows, see Sampled flow supported fields.
Mandatory fields for the flow template schema
Mandatory fields are required. If a mandatory field, or at least one field from a group, is not included NTA cannot store flows.
| Field Type | Field Type Number | Description |
|---|---|---|
| Protocol | 4 | Layer 4 protocol |
| SourceAddress | 8, 27 | Source IP address or source IPv6 address |
| DestAddress | 12, 28 | Destination IP address or destination IPv6 address |
|
Interfaces Group At least one of the following fields must be included in the template. |
||
| InterfaceRx | 10 | SNMP ingress interface index |
| InterfaceTx | 14 | SNMP egress interface index |
|
Bytes Group At least one of the following fields must be included in the template. |
||
| Bytes | 1 | Delta bytes |
| Bytes | 85 | Total bytes |
| OutBytes | 23 | Out bytes |
| InitiatorOctets | 231 | Initiator bytes |
| ResponderOctets | 232 | Responder bytes |
Optional fields for the flow template schema
If the following fields are not included in the template, a default value will be stored. Appropriate widgets will thus show No Data.
| Field Type | Field Type Number | Description |
|---|---|---|
| ToS | 5 | Type of service |
| SourceAS | 16 | Source BGP autonomous system number |
| DestAS | 17 | Destination BGP autonomous system number |
| PeerSrcAS | 129 | Peer source autonomous system number |
| PeerDstAS | 128 | Peer destination autonomous system number |
| ApplicationID | 95 | ID of application detected in NBAR2 flow |
|
Source Port Group At least one of the following fields should be included in the template. |
||
| SourcePort | 7 | Source TCP/UDP port |
| UdpSrcPort | 180 | Source UDP port |
| TcpSrcPort | 182 | Source TPC port |
|
Destination Port Group At least one of the following fields should be included in the template. |
||
| DestPort | 11 | Destination TCP/UDP port |
| UdpDstPort | 181 | Destination UDP port |
| TcpDstPort | 183 | Destination TPC port |
|
Packets Group At least one of the following fields should be included in the template. If no field is included, widgets will show 0 in the packets column. |
||
| Packets | 2 | Delta packets |
| Packets | 86 | Total packets |
| OutPackets |
24 |
Out packets |
| InitiatorPackets | 298 | Total packets in a flow from the device that triggered the session and remains the same for the life of the session |
| ResponderPackets | 299 | Total packets from the device which replies to the initiator |
|
Long Flow Detection At least one of the following field pairs should be included in the template for long-flow detection. For example, if including LastSwitched must also include FirstSwitched. |
||
| LastSwitched | 21 | System uptime at which the last packet of this flow was switched |
| FirstSwitched | 22 | System uptime at which the first packet of this flow was switched |
| FlowStartSeconds | 150 | Time in seconds that the flow started |
| FlowEndSeconds | 151 | Time in seconds that the flow ended |
| FlowStartMilliseconds | 152 | Time in milliseconds that the flow started |
| FlowEndMilliseconds | 153 | Time in milliseconds that the flow ended |
| FlowStartMicroseconds | 154 | Time in microseconds that the flow started |
| FlowEndMicroseconds | 155 | Time in microseconds that the flow ended |
| FlowStartNanoseconds | 156 | Time in nanoseconds that the flow started |
| FlowEndNanoseconds | 157 | Time in nanoseconds that the flow ended |
| FlowStartDeltaMicroseconds | 158 | Sets the start delta of the flow |
| FlowEndDeltaMicroseconds | 159 | Sets the end delta of the flow |
| FlowDurationMilliseconds | 161 | Elapsed time in milliseconds of the flow |
| FlowDurationMicroseconds | 162 | Elapsed time in microseconds of the flow |
|
Cisco WLC Flows The following fields must be included for Cisco Wireless devices. |
||
| Bytes | 1 | Total bytes |
| Packets | 2 | Total packets |
| FlowDirection | 61 | Direction of the flow defined as Ingress or egress. |
| ApplicationID | 95 | ID of application detected in flow |
| WlanSSID | 147 | Service Set Identifier or name of the WLAN the wireless device is connected to |
| WirelessStationMacAddress | 365 | MAC address of a wireless device |
| WirelessAPMacAddress | 367 | MAC address of a wireless access point |
|
PostIPDiffServCodePoint As of NTA 2023.1, this field is optional. |
98 |
The definition of this Information Element is identical to |
|
IPDiffServCodePoint As of NTA 2023.1, this field is optional. |
195 |
Value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field. Differentiated Services field is the most significant six bits of the IPv4 TOS FIELD or the IPv6 Traffic Class field. The value may range from 0 to 63 for this Information Element that encodes only the 6 bits of the Differentiated Services field. |
|
Cisco WLC Flows At least one of the following fields should be included in the template. |
||
| WirelessStationAddressIPv4 | 366 | IPv4 address of a wireless device |
| IPv4SourceAddress | 8 | Source IPv4 address |
| IPv4DestinationAddress | 12 | Destination IPv4 address |
|
Cisco ASA devices The following fields must be included for processing flows from Cisco ASA devices. |
||
| FlowID | 148 | An identifier of a flow that is unique within an observation domain. |
| FirewallEvent | 233 | Indicates a firewall event. |
|
NAT Group The following fields must be included for NAT stitching |
||
| Post-NAT Source IPv4 | 225 | Source IP address for Network Address Translation (NAT). |
| Post-NAT Destination IPv4 | 226 | Destination IP address for Network Address Translation (NAT). |
| Post-NAT Source Port | 227 | Source port for Network Address Translation (NAT). |
| Post-NAT Destination Port | 228 | Destination port for Network Address Translation (NAT). |
Notes
- If SolarWinds states that NTA supports flow monitoring for a device, at least one of the templates that the device exports satisfies these requirements.
- The NetFlow v9 specification indicates that templates may be configurable on a device-by-device basis. However, most devices have a set of static templates to which exported flows conform. When SolarWinds states that a device is supported by NTA, SolarWinds has determined that at least one of the templates the device is capable of exporting will satisfy the NTA requirements. For more information, search for NetFlow version 9 flow record format on www.cisco.com.
- Cisco 4500 series switches do not provide information for the TCP_FLAGS field (field type number 6) corresponding to a count of all TCP flags seen in the related flow.
- Cisco Adaptive Security Appliances (ASA) are capable of providing flow data using a limited template based on the NetFlow v5 template.