Skip to main content
Version: 2.10.0

Original Flow Data

Original Flow Data Converter Service

This page allows you to provide mapping between flow data elements and their corresponding key names in key-value pairs in syslog or JSON output.

There are two mapping files:

  1. For Blue Coat Packeteer-2 device. It allows you to map ClassIDs to application names

  2. Custom IPFIX Information Elements. It allows you to specify key names for custom enterprise fields in IPFIX, as well as override standard IPFIX elements names. This CSV file has the following format:

    PEN, IE ID, Format, Name, Description

    Where:
    PEN – IPFIX Private Enterprise number, e.g. for Netscaler it is 5951
    IE ID – IPFIX Information Element ID
    Format – one of the values specified in the table below
    Name – key name for this IPFIX element
    Description – optional description

FormatDescriptionExample
FMT_NONEno output
FMT_UNKNOWNN bytes as hex0102DEADBEEF0201
FMT_UINT8_DECunsigned integer 1 byte as decimal127
FMT_UINT8_HEXunsigned integer 1 byte as hex1F
FMT_UINT16_DECunsigned integer 2 bytes as decimal5000
FMT_FLOW_LABELunsigned integer 20 bits as decimal106000
FMT_MPLS_LABELunsigned integer 3 bytes as text17:28:39
FMT_APP_TAGapplication tag 1 byte (engine ID) + n bytes (selector)1:7000
FMT_HTTP_HOSTHTTP host n bytes: Application ID 4 bytes (engine ID + selector ID), sub-application ID 2 bytes, value (hostname) n bytes"100:3000,hostA"
FMT_TCP_FLAGSunsigned integer 1 byte as text"FIN,RST"
FMT_UINT32_DECunsigned integer 4 bytes as decimal77000
FMT_UINT32_HEXunsigned integer 4 bytes as hex01ABCD02
FMT_UINTN_DECunsigned integer n bytes as decimal9600000
FMT_IPV44 bytes as text127.0.0.1
FMT_IPV616 bytes as text2001:0db8:11a3:09d7:1f34:8a2e:07a0:765d
FMT_STRINGn bytes ACSCII as text"ascii text"
FMT_MAC6 bytes as text00:a1:cd:12:34:56
FMT_ARR324 bytes array as hex01ABCD02
FMT_ARR648 bytes array as hex01ABCD0201ABCD02
FMT_EVENTunsigned integer 1 byte as text"Flow created"
FMT_DTIME_SECunsigned integer 4 or 8 byte as text (date)"1985-04-12T23:20:50Z"
FMT_DTIME_MSECunsigned integer 4 or 8 byte as text (date)"1985-04-12T23:20:50.001Z"
FMT_DTIME_USECunsigned integer 4 or 8 byte as text (date)"1985-04-12T23:20:50.000001Z"
FMT_DTIME_NSECunsigned integer 4 or 8 byte as text (date)"1985-04-12T23:20:50.000000001Z"