cpatte7372

Flexible Netflow Understanding

Hello Community,

Can someone please let me know how to get a show output to include both 'timestamp first' and 'timestamp last'? As you can see from the show command, I can only see 'timestamp first'.


 uk01380-Birmingham-1921#show flow monitor FlowMonitor1 cache format record 
  Cache type:                               Normal
  Cache size:                                32768
  Current entries:                              21
  High Watermark:                               99
  Flows added:                               16931
  Flows aged:                                16910
    - Active timeout      ( 86520 secs)          0
    - Inactive timeout    (    15 secs)      16910
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0


IPV4 SOURCE ADDRESS:       10.44.113.253
IPV4 DESTINATION ADDRESS:  10.45.69.161
TRNS SOURCE PORT:          0
TRNS DESTINATION PORT:     0
INTERFACE INPUT:           Tu0
IP PROTOCOL:               47
iterface output:          Gi0/1.10
flow direction:            Input
counter bytes:             357012582
counter packets:           852153
timestamp first:           15:12:51.312

I know it's possible to get both 'timestamp first' and 'timestamp last', but I just don't know how to get it on our routers.


Cheers

Carlton
Ian Meredith

The timestamp time values show if you have configured your monitoring correctly. Once you have fixed the configuration of your monitoring, the timestamp first and last values will display when you run your reporting.

Taken from this webpage: http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/flexible_netflow/command_reference/b_fnf_32se_3850_cr_chapter_010.html#wp3519681722



collect timestamp absolute
To configure the absolute time of the first seen or last seen packet in a flow as a non-key field for a flow record, use the collect timestamp absolute command in flow record configuration mode. To disable the use of the first seen or last seen packet in a flow as a non-key field for a flow record, use the no form of this command.

collect timestamp absolute { first | last }

no collect timestamp absolute { first | last }

Syntax Description
first: Configures the absolute time for the time that the first packet was seen from the flows as a non-key field and enables collecting time stamps based on the absolute time for the time the first packet was seen from the flows.

last: Configures the absolute time for the time that the last packet was seen from the flows as a non-key field and enables collecting time stamps based on the absolute time for the time that the most recent packet was seen from the flows.

Command Default
The absolute time field is not configured as a non-key field.

Command Modes
Flow record configuration

Command History
Release: Cisco IOS XE 3.2SE
Modification: This command was introduced.

Usage Guidelines
The Flexible NetFlow collect commands are used to configure non-key fields for the flow monitor record and to enable capturing of the values in the fields for the flow created with the record. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases, the values for non-key fields are taken from only the first packet in the flow.

Examples
The following example configures time stamps based on the absolute time for the time that the first packet was seen from the flows as a non-key field:

Switch(config)# flow record FLOW-RECORD-1
Switch(config-flow-record)# collect timestamp absolute first

The following example configures the time stamps based on the absolute time for the time that the most recent packet was seen from the flows as a non-key field:

Switch(config)# flow record FLOW-RECORD-1
Switch(config-flow-record)# collect timestamp absolute last
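
To illustrate the key versus non-key distinction in the Usage Guidelines quoted above, here is an added example (not part of the thread or of Cisco's documentation): a toy flow cache in Python. The function name, field names and sample packets are assumptions made for the illustration; the model records a non-key field only when it is named in `collect`, so a record without 'timestamp last' never shows it.

```python
# Added illustration: a toy flow cache, not Cisco's implementation.
KEY_FIELDS = ("src", "dst", "sport", "dport", "in_if", "proto")  # "match" fields

# Constructed sample packets (addresses and interfaces reused from the question).
PACKETS = [
    {"src": "10.44.113.253", "dst": "10.45.69.161", "sport": 0, "dport": 0,
     "in_if": "Tu0", "proto": 47, "out_if": "Gi0/1.10", "len": 400, "ts": "15:12:51.312"},
    # Same key fields, different output interface: stays in the same flow.
    {"src": "10.44.113.253", "dst": "10.45.69.161", "sport": 0, "dport": 0,
     "in_if": "Tu0", "proto": 47, "out_if": "Gi0/1.20", "len": 600, "ts": "15:12:53.000"},
    # A key field (IP protocol) differs: this starts a second flow.
    {"src": "10.44.113.253", "dst": "10.45.69.161", "sport": 0, "dport": 0,
     "in_if": "Tu0", "proto": 1, "out_if": "Gi0/1.10", "len": 84, "ts": "15:12:54.500"},
]


def build_cache(packets, collect):
    """Aggregate packets into flows; `collect` names the non-key fields to record."""
    cache = {}
    for pkt in packets:
        key = tuple(pkt[f] for f in KEY_FIELDS)
        flow = cache.get(key)
        if flow is None:  # unseen key-field combination -> new cache entry
            flow = cache[key] = {}
            # Set once, from the first packet of the flow.
            if "interface output" in collect:
                flow["interface output"] = pkt["out_if"]
            if "timestamp first" in collect:
                flow["timestamp first"] = pkt["ts"]
        # Updated on every packet of the flow.
        if "counter bytes" in collect:
            flow["counter bytes"] = flow.get("counter bytes", 0) + pkt["len"]
        if "counter packets" in collect:
            flow["counter packets"] = flow.get("counter packets", 0) + 1
        if "timestamp last" in collect:
            flow["timestamp last"] = pkt["ts"]
    return cache


AS_ASKED = {"interface output", "counter bytes", "counter packets", "timestamp first"}
GRE_KEY = ("10.44.113.253", "10.45.69.161", 0, 0, "Tu0", 47)

if __name__ == "__main__":
    for label, collect in (("as asked", AS_ASKED),
                           ("with last", AS_ASKED | {"timestamp last"})):
        print(label, build_cache(PACKETS, collect)[GRE_KEY])
```
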
cpatte7372

ASKER

Ian, that's great. Can you please explain what is meant by a non-key field?
ASKER CERTIFIED SOLUTION
Ian Meredith
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
cpatte7372

ASKER

Excellent