FDR Packeteer-2 Flow Data (20010)
Description
FDR Packeteer-2 Flow Data Converter translates Blue Coat’s PacketShaper flows into syslog messages 1-to-1. Each flow record is converted into a syslog message in the “key=value” format. The tables below describe the mapping between Packeteer-2 Flow Data and key values.
FDR Packeteer-2 Header
This table describes the header present in each Packeteer-2 protocol packet.
| Name | Bytes | NetFlow Logic field |
|---|---|---|
| Version | 2 | |
| Flow records in this PDU | 1 | |
| Shaper Serial Number | 5 | device |
| Unix Time in sec | 4 | |
| Residual nanoseconds | 4 | |
| Total flows seen | 4 | |
| PacketeerFlowRecordsID | 4 | flow_id |
| SysUpTime in millisec | 4 |
FDR Packeteer-2 Records
This table describes the data records present in each Packeteer-2 packet. The number of bytes used and any additional information is given for each data item included in the FDR packet.
| Name | Bytes | Description | NetFlow Logic field |
|---|---|---|---|
| Source IPaddr | 4 | The IP address from which a flow was sent | src_ip |
| Destination IPaddr | 4 | The IP address to which a flow was sent | dest_ip |
| Packeteer ClassID | 4 | A numeric descriptor for a PacketShaper-identified traffic class | class_id |
| Inbound IFindex | 2 | The PacketShaper interface through which the flow entered | ifindex_in |
| Outbound IFindex | 2 | The PacketShaper interface through which the flow exited | ifindex_out |
| Packet Count | 4 | The total number of packets in the flow | packets |
| Byte Count | 4 | The total number of bytes in the flow | bytes |
| Time at Start of Flow | 4 | SysUpTime when first packet seen | first_time |
| Time at End of Flow | 4 | SysUpTime when last packet seen | last_time |
| Source Port | 2 | The port on which the flow was sent | src_port |
| Destination Port | 2 | The port to which the flow was sent | dest_port |
| Packeteer Policy | 1 | priority=1, rate=2, uncontrolled=8, discard=16 or never-admit=32 | policy |
| TCP flags | 1 | The logical sum (AND) of all TCP flags seen during the flow | tcp_flag |
| Layer 4 protocol | 1 | The type of layer 4 protocol for the flow. Common IP protocol values are: 1 ICMP; 2 IGMP; 6 TCP; 9 IGRP;17 UDP; 41 IPv6; 46 RSVP; 47 GRE; 50 IPSec; 51 IPSec; 108 IPComp | protocol |
| IP ToS/DiffServ Byte (DSCP) | 1 | The value of any Type of Service or DiffServ (DSCP) for the flow, if present | tos |
| Packeteer Service Type | 2 | The type of service (TOS) | service_id |
| Server at Source or Dest. | 1 | The location of the server for this flow, may not apply to some protocols: s = source of the flow; d = destination of the flow; 0 = unknown (may not be a client/server based protocol) | srv_loc |
| Packeteer Policy Priority | 1 | Priority for this flow (0-7), either the priority assigned by a priority policy, or the priority assigned to excess rate with a rate policy | priority |
| Retransmitted Bytes | 4 | The number of bytes requiring retransmission for this flow | r_bytes |
| VLanID | 2 | The ID number of any 802.1q VLAN associated with the flow | vlan_id |
| TTL | 1 | Time to Live of the flow's last packet | ttl |
| Measurements Type | 1 | 'p'=Ping 'v'=RTCP 'a'=RTM 't'=TCP 0=none | m_type |
| Measurement 1 | 4 | The first measurement in this FDR packet (see below) | m1 |
| Measurement 2 | 4 | The second measurement in this FDR packet (see below) | m2 |
| Measurement 3 | 4 | The third measurement in this FDR packet (see below) | m3 |
Input
FDR Packeteer-2
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20010” |
| device | PacketShaper Serial Number(1) | <string> |
| flow_id | PacketShaper flow identifier | <number> |
| src_ip | The IP address from which a flow was sent | <IPv4_address> |
| dest_ip | The IP address to which a flow was sent | <IPv4_address> |
| class_id | PacketShaper traffic class ID | <number> |
| application | Application (class ID name) (2) | <string> |
| ifindex_in | Inbound Interface | <number> |
| ifindex_out | Outbound Interface | <number> |
| packets | Packet Count | <number> |
| bytes | Byte Count | <number> |
| first_time | Time at Start of Flow | <number> |
| last_time | Time at End of Flow | <number> |
| src_port | Source Port | <number> |
| dest_port | Destination Port | <number> |
| policy | Packeteer Policy | <number> |
| tcp_flag | TCP flags | <string>, e.g. “SYN,ACK,FIN” |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| tos | IP ToS/DiffServ Byte (DSCP) | <number> |
| service_id | Packeteer Service Type | <number> |
| srv_loc | Server Location | <number> |
| priority | Packeteer Policy Priority | <number> |
| r_bytes | Retransmitted Bytes | <number> |
| vlan_id | VLanID | <number> |
| ttl | TTL | <number> |
| m_type | Measurements Type | <number> |
| m1 | Measurement 1 | <number> |
| m2 | Measurement 2 | <number> |
| m3 | Measurement 3 | <number> |
(1) This field is taken from Packeteer-2 Header.
(2) This field is populated from a lookup CSV file that maps class ID to Application name.