FDR Packeteer-2 Flow Data (20010)

Description

FDR Packeteer-2 Flow Data Converter translates Blue Coat’s PacketShaper flows into syslog messages 1-to-1. Each flow record is converted into a syslog message in the “key=value” format. The tables below describe the mapping between Packeteer-2 Flow Data and key values.

FDR Packeteer-2 Header

This table describes the header present in each Packeteer-2 protocol packet.

| Name | Bytes | NetFlow Logic field |
|---|---|---|
| Version | 2 | |
| Flow records in this PDU | 1 | |
| Shaper Serial Number | 5 | device |
| Unix Time in sec | 4 | |
| Residual nanoseconds | 4 | |
| Total flows seen | 4 | |
| PacketeerFlowRecordsID | 4 | flow_id |
| SysUpTime in millisec | 4 | |

FDR Packeteer-2 Records

This table describes the data records present in each Packeteer-2 packet. The number of bytes used and any additional information is given for each data item included in the FDR packet.

| Name | Bytes | Description | NetFlow Logic field |
|---|---|---|---|
| Source IPaddr | 4 | The IP address from which a flow was sent | src_ip |
| Destination IPaddr | 4 | The IP address to which a flow was sent | dest_ip |
| Packeteer ClassID | 4 | A numeric descriptor for a PacketShaper-identified traffic class | class_id |
| Inbound IFindex | 2 | The PacketShaper interface through which the flow entered | ifindex_in |
| Outbound IFindex | 2 | The PacketShaper interface through which the flow exited | ifindex_out |
| Packet Count | 4 | The total number of packets in the flow | packets |
| Byte Count | 4 | The total number of bytes in the flow | bytes |
| Time at Start of Flow | 4 | SysUpTime when first packet seen | first_time |
| Time at End of Flow | 4 | SysUpTime when last packet seen | last_time |
| Source Port | 2 | The port on which the flow was sent | src_port |
| Destination Port | 2 | The port to which the flow was sent | dest_port |
| Packeteer Policy | 1 | priority=1, rate=2, uncontrolled=8, discard=16 or never-admit=32 | policy |
| TCP flags | 1 | The logical sum (AND) of all TCP flags seen during the flow | tcp_flag |
| Layer 4 protocol | 1 | The type of layer 4 protocol for the flow. Common IP protocol values are: 1 = ICMP, 2 = IGMP, 6 = TCP, 9 = IGRP, 17 = UDP, 41 = IPv6, 46 = RSVP, 47 = GRE, 50 = IPSec, 51 = IPSec, 108 = IPComp | protocol |
| IP ToS/DiffServ Byte (DSCP) | 1 | The value of any Type of Service or DiffServ (DSCP) for the flow, if present | tos |
| Packeteer Service Type | 2 | The type of service (TOS) | service_id |
| Server at Source or Dest. | 1 | The location of the server for this flow, may not apply to some protocols: s = source of the flow, d = destination of the flow, 0 = unknown (may not be a client/server based protocol) | srv_loc |
| Packeteer Policy Priority | 1 | Priority for this flow (0-7), either the priority assigned by a priority policy, or the priority assigned to excess rate with a rate policy | priority |
| Retransmitted Bytes | 4 | The number of bytes requiring retransmission for this flow | r_bytes |
| VLanID | 2 | The ID number of any 802.1q VLAN associated with the flow | vlan_id |
| TTL | 1 | Time to Live of the flow's last packet | ttl |
| Measurements Type | 1 | 'p' = Ping, 'v' = RTCP, 'a' = RTM, 't' = TCP, 0 = none | m_type |
| Measurement 1 | 4 | The first measurement in this FDR packet (see below) | m1 |
| Measurement 2 | 4 | The second measurement in this FDR packet (see below) | m2 |
| Measurement 3 | 4 | The third measurement in this FDR packet (see below) | m3 |

Input

FDR Packeteer-2

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20010” |
| device | PacketShaper Serial Number (1) | <string> |
| flow_id | PacketShaper flow identifier | <number> |
| src_ip | The IP address from which a flow was sent | <IPv4_address> |
| dest_ip | The IP address to which a flow was sent | <IPv4_address> |
| class_id | PacketShaper traffic class ID | <number> |
| application | Application (class ID name) (2) | <string> |
| ifindex_in | Inbound Interface | <number> |
| ifindex_out | Outbound Interface | <number> |
| packets | Packet Count | <number> |
| bytes | Byte Count | <number> |
| first_time | Time at Start of Flow | <number> |
| last_time | Time at End of Flow | <number> |
| src_port | Source Port | <number> |
| dest_port | Destination Port | <number> |
| policy | Packeteer Policy | <number> |
| tcp_flag | TCP flags | <string>, e.g. “SYN,ACK,FIN” |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| tos | IP ToS/DiffServ Byte (DSCP) | <number> |
| service_id | Packeteer Service Type | <number> |
| srv_loc | Server Location | <number> |
| priority | Packeteer Policy Priority | <number> |
| r_bytes | Retransmitted Bytes | <number> |
| vlan_id | VLanID | <number> |
| ttl | TTL | <number> |
| m_type | Measurements Type | <number> |
| m1 | Measurement 1 | <number> |
| m2 | Measurement 2 | <number> |
| m3 | Measurement 3 | <number> |

(1) This field is taken from Packeteer-2 Header.

(2) This field is populated from a lookup CSV file that maps class ID to Application name.
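An added example, not part of the original page or the product's code: a Python parser for the conversion the tables above describe, unpacking the header (28 bytes by the table's sizes) and each record (64 bytes) and emitting one key=value message per record, rejecting any datagram whose length does not match its sender-supplied record count. The page gives field sizes only, so network byte order, packing in table order without padding, hex rendering of the serial number, the TCP flag bit names and their output order, and reuse of the header flow_id for every record are assumptions; `convert`, `sample_pdu` and `class_names` are hypothetical names.

```python
import socket
import struct

# Assumptions (the page gives field sizes only): network byte order, fields
# packed in table order with no padding, serial number rendered as hex.
HEADER = struct.Struct("!HB5sIIIII")                    # 28 bytes
RECORD = struct.Struct("!4s4sIHHIIIIHHBBBBHBBIHBBIII")  # 64 bytes
RECORD_KEYS = ("src_ip dest_ip class_id ifindex_in ifindex_out packets bytes "
               "first_time last_time src_port dest_port policy tcp_flag "
               "protocol tos service_id srv_loc priority r_bytes vlan_id ttl "
               "m_type m1 m2 m3").split()
TCP_BITS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"),
            (0x04, "RST"), (0x08, "PSH"), (0x20, "URG"))  # output order assumed


def convert(datagram, class_names=None):
    """Return one key=value message per flow record in a Packeteer-2 PDU."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 28-byte header")
    _ver, count, serial, _sec, _nsec, _total, flow_id, _up = HEADER.unpack_from(datagram)
    # The record count comes from the sender; check it against the real length
    # before trusting it to index into the buffer.
    expected = HEADER.size + count * RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"{count} records need {expected} bytes, got {len(datagram)}")
    messages = []
    for i in range(count):
        values = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_KEYS, values))
        rec["src_ip"] = socket.inet_ntoa(rec["src_ip"])
        rec["dest_ip"] = socket.inet_ntoa(rec["dest_ip"])
        rec["tcp_flag"] = ",".join(n for bit, n in TCP_BITS if rec["tcp_flag"] & bit)
        # Header-derived keys; flow_id is copied unchanged to every record (assumed).
        fields = {"nfc_id": 20010, "device": serial.hex(), "flow_id": flow_id, **rec}
        if class_names and rec["class_id"] in class_names:
            fields["application"] = class_names[rec["class_id"]]  # CSV lookup stand-in
        messages.append(" ".join(f"{k}={v}" for k, v in fields.items()))
    return messages


def sample_pdu():
    """Constructed one-record PDU (all values invented for illustration)."""
    header = HEADER.pack(2, 1, bytes.fromhex("0102030405"), 1700000000, 0, 1, 77, 5000)
    record = RECORD.pack(socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"),
                         42, 1, 2, 10, 1200, 1000, 2000, 51000, 443, 2, 0x13, 6, 0,
                         7, ord("d"), 3, 0, 0, 64, 0, 0, 0, 0)
    return header + record
```

Calling `convert(sample_pdu(), {42: "HTTPS"})` returns a single message; here `srv_loc` and `m_type` are emitted as the numeric byte value, matching the `<number>` type in the message field table.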