Flexible Netflow Understanding

Hello Community,

Can someone please let me know how to get a show output to include both 'timestamp first' and 'timestamp last'? As you can see from the show command, I can only see 'timestamp first'.


 uk01380-Birmingham-1921#show flow monitor FlowMonitor1 cache format record 
  Cache type:                               Normal
  Cache size:                                32768
  Current entries:                              21
  High Watermark:                               99
  Flows added:                               16931
  Flows aged:                                16910
    - Active timeout      ( 86520 secs)          0
    - Inactive timeout    (    15 secs)      16910
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0


IPV4 SOURCE ADDRESS:       10.44.113.253
IPV4 DESTINATION ADDRESS:  10.45.69.161
TRNS SOURCE PORT:          0
TRNS DESTINATION PORT:     0
INTERFACE INPUT:           Tu0
IP PROTOCOL:               47
interface output:          Gi0/1.10
flow direction:            Input
counter bytes:             357012582
counter packets:           852153
timestamp first:           15:12:51.312

I know it's possible to get both 'timestamp first' and 'timestamp last', but I just don't know how to get it on our routers.


Cheers

Carlton
cpatte7372 Asked:

Ian Meredith Commented:
The timestamp time values show if you have configured your monitoring correctly. Once you have fixed the configuration of your monitoring, the timestamp first and last values will display when you run your reporting.

Taken from this webpage: http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/flexible_netflow/command_reference/b_fnf_32se_3850_cr_chapter_010.html#wp3519681722



collect timestamp absolute
To configure the absolute time of the first seen or last seen packet in a flow as a non-key field for a flow record, use the collect timestamp absolute command in flow record configuration mode. To disable the use of the first seen or last seen packet in a flow as a non-key field for a flow record, use the no form of this command.

collect timestamp absolute { first | last }

no collect timestamp absolute { first | last }

Syntax Description
first: Configures the absolute time for the time that the first packet was seen from the flows as a non-key field and enables collecting time stamps based on the absolute time for the time the first packet was seen from the flows.

last: Configures the absolute time for the time that the last packet was seen from the flows as a non-key field and enables collecting time stamps based on the absolute time for the time that the most recent packet was seen from the flows.

Command Default
The absolute time field is not configured as a non-key field.

Command Modes
Flow record configuration

Command History
Release: Cisco IOS XE 3.2SE
Modification: This command was introduced.

Usage Guidelines
The Flexible NetFlow collect commands are used to configure non-key fields for the flow monitor record and to enable capturing of the values in the fields for the flow created with the record. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases, the values for non-key fields are taken from only the first packet in the flow.

Examples
The following example configures time stamps based on the absolute time for the time that the first packet was seen from the flows as a non-key field:

Switch(config)# flow record FLOW-RECORD-1
Switch(config-flow-record)# collect timestamp absolute first

The following example configures the time stamps based on the absolute time for the time that the most recent packet was seen from the flows as a non-key field:

Switch(config)# flow record FLOW-RECORD-1
Switch(config-flow-record)# collect timestamp absolute last
0
cpatte7372 (Author) Commented:
Ian, that's great. Can you please explain what is meant by a non-key field?
0
Ian Meredith Commented:
Flow Definition

A flow is defined as a set of packets having common properties: one or more packet header fields (e.g. destination IP address, transport header field), one or more characteristics of the packet itself (e.g. number of MPLS labels), one or more fields derived from packet treatment (e.g. the BGP next hop). A packet belongs to a flow record if it completely matches all defined flow properties.

NetFlow defines a flow by a combination of key-fields in the packet. In the documentation they are also called "flow keys" because they define a flow. Usually additional information is reported in a flow, such as number of packets and bytes, start and stop time, and so on. These reporting fields do not define a flow; therefore, they are called "flow values" or "non-key-fields". For consistency, we use only the terms "key-field" and "non-key-field."

Initially, NetFlow defines a flow as the combination of the following seven key-fields:

    Source IP address.

    Destination IP address.

    Source port number.

    Destination port number.

    Layer 3 protocol type.

    ToS byte.

    Logical interface (ifIndex), which is the input ifIndex in case of ingress NetFlow, or the output ifIndex with egress NetFlow. Note also that the command ip flow-egress input-interface lets you use the input ifIndex as a key-field even if NetFlow egress is configured. This means that the input ifIndex is an additional key-field.

Key-fields are a set of values that determine how a flow is identified. The seven key-fields define a unique flow that represents a unidirectional stream of packets. If a flow has a different field than another flow, it is considered a new flow. A flow contains other accounting fields (such as the AS number in the NetFlow version 5 flow format) that depend on the version record format that you configure for export. Next to the key-fields, the non-key-fields complete the flow records with extra information such as number of packets, number of bytes, and BGP AS numbers.

Specific to the router, the "router-based aggregation feature" aggregates the flow records further. It works by reducing or modifying the initial set of seven key-fields. For example, as described later, in Table 7-3, the Protocol Port-TOS aggregation type applies the source and destination application ports as key-fields. Alternatively, the destination IP address key-field can be modified to the destination prefix key-field, entailing flow records aggregation. Various aggregation types imply different key-field selection. More details are described in the section "NetFlow Version 8: Router-Based Aggregation."

Additionally, the Catalyst 6500/Cisco 7600 offers extra flexibility in the key-field configuration. The flow mask is used for data aggregation in the NetFlow cache. You can select (configure) the flow mask from a predefined set of values. For example, if you are interested in the traffic accounting per source and destination IP address, the destination-source (see Figure 7-2) is the best flow mask option, because it uses only the source and destination IP addresses as key-fields to classify the observed packets.

Taken from this link:
http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+7.+NetFlow/Fundamentals+of+NetFlow/
0
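The key-field / non-key-field distinction described in the answer above, as an added example that is not part of the original thread and is not Cisco's implementation. It is a simplified model of a flow cache: the class and function names are hypothetical, the packets are constructed (addresses and input interface reuse the values from the question's output, the ToS values are invented), and the interface name stands in for the ifIndex.

```python
from dataclasses import dataclass

# Key-fields: the seven values that identify a flow.
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port",
              "protocol", "tos", "input_if")

@dataclass
class FlowEntry:
    # Non-key-fields: reported with the flow, never used to identify it.
    packets: int = 0
    byte_count: int = 0
    timestamp_first: float = 0.0
    timestamp_last: float = 0.0

class FlowCache:
    def __init__(self, inactive_timeout=15.0):
        self.inactive_timeout = inactive_timeout
        self.entries = {}   # key tuple -> FlowEntry
        self.aged = []      # (key, FlowEntry) removed by the inactive timer

    def observe(self, pkt):
        """Account one packet: a dict with KEY_FIELDS plus 'time' and 'length'."""
        self.expire(pkt["time"])
        key = tuple(pkt[f] for f in KEY_FIELDS)
        entry = self.entries.get(key)
        if entry is None:
            # A new combination of key-field values creates a new flow.
            entry = self.entries[key] = FlowEntry(timestamp_first=pkt["time"])
        # Non-key-fields change on every packet without creating a flow.
        entry.packets += 1
        entry.byte_count += pkt["length"]
        entry.timestamp_last = pkt["time"]
        return entry

    def expire(self, now):
        """Age out flows idle for longer than the inactive timeout."""
        for key, e in list(self.entries.items()):
            if now - e.timestamp_last > self.inactive_timeout:
                self.aged.append((key, self.entries.pop(key)))

def demo():
    # Constructed sample packets (GRE, protocol 47, arriving on Tu0).
    base = dict(src_ip="10.44.113.253", dst_ip="10.45.69.161", src_port=0,
                dst_port=0, protocol=47, tos=0, input_if="Tu0")
    cache = FlowCache()
    cache.observe({**base, "time": 0.0, "length": 400})
    cache.observe({**base, "time": 5.0, "length": 600})             # same flow
    cache.observe({**base, "tos": 32, "time": 6.0, "length": 100})  # new flow
    cache.observe({**base, "time": 30.0, "length": 50})   # both earlier flows aged
    return cache
```

Without a last-seen timestamp on each entry, neither the flow's duration nor its idle time can be computed, which is why both `timestamp first` and `timestamp last` are worth collecting.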

cpatte7372 (Author) Commented:
Excellent
0