Collecting Traffic Sampling Output in a File
You configure traffic sampling results to be collected in a file in the /var/tmp directory.
To collect the sampled packets in a file, include the file statement at the [edit forwarding-options sampling output] hierarchy level:

[edit forwarding-options sampling family family-name output]
file <disable> filename filename <files number> <size bytes> <stamp | no-stamp> <world-readable | no-world-readable>;

To configure the period of time before an active flow is exported, include the flow-active-timeout statement at the [edit forwarding-options sampling output family (inet | inet6 | mpls)] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output]
flow-active-timeout seconds;

To configure the period of time before a flow is considered inactive, include the flow-inactive-timeout statement at the [edit forwarding-options sampling output] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output]
flow-inactive-timeout seconds;

To configure the interface that sends out monitored information, include the interface statement at the [edit forwarding-options sampling output] hierarchy level:

[edit forwarding-options sampling family (inet | inet6 | mpls) output]
interface interface-name {
    engine-id number;
    engine-type number;
    source-address address;
}

This feature is not supported with the version 9 template format. You must send traffic flows collected using version 9 to a server. For more information, see Collecting Traffic Sampling Output in the Cisco Systems NetFlow Services Export Version 9 Format.
Traffic Sampling Output Format
Traffic sampling output is saved to an ASCII text file. The following is an example of the traffic sampling output that is saved to a file in the /var/tmp directory. Each line in the output file contains information for one sampled packet. You can optionally display a timestamp for each line.
The column headers are repeated after each group of 1000 packets.

# Apr 7 15:48:50
Time            Dest           Src            Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
                addr           addr           port  port              len  num   frag  flags
Apr 7 15:48:54  192.168.9.194  192.168.9.195  0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:55  192.168.9.194  192.168.9.195  0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:56  192.168.9.194  192.168.9.195  0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:57  192.168.9.194  192.168.9.195  0     0     1      0x0  84   8     0x0   0x0
Apr 7 15:48:58  192.168.9.194  192.168.9.195  0     0     1      0x0  84   8     0x0   0x0

The output contains the following fields:
Time—Time at which the packet was received (displayed only if you include the stamp statement in the configuration)
Dest addr—Destination IP address in the packet
Src addr—Source IP address in the packet
Dest port—Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port for the destination address
Src port—TCP or UDP port for the source address
Proto—Packet’s protocol type
TOS—Contents of the type-of-service (ToS) field in the IP header
Pkt len—Length of the sampled packet, in bytes
Intf num—Unique number that identifies the sampled logical interface
IP frag—IP fragment number, if applicable
TCP flags—Any TCP flags found in the IP header
To set the timestamp option for the file my-sample, enter the following:

[edit forwarding-options sampling family (inet | inet6 | mpls) output file]
user@host# set filename my-sample files 5 size 2m world-readable stamp;

Whenever you toggle the timestamp option, a new header is included in the file. If you set the stamp option, the Time field is displayed.

# Apr 7 15:48:50
# Time            Dest           Src            Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
#                 addr           addr           port  port              len  num   frag  flags
# Feb 1 20:31:21
# Dest           Src            Dest  Src   Proto  TOS  Pkt  Intf  IP    TCP
# addr           addr           port  port              len  num   frag  flags
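
The following Python parser is an added example, not part of the original documentation. It reads a sampling file in the format described above, copes with the Time column appearing or disappearing when the stamp option is toggled, and skips the repeated headers. It assumes inet or inet6 output, and that the TCP flags column holds the standard TCP flags octet (SYN 0x02, ACK 0x10); the sample text and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout shown above; the last two data lines have no Time column.
SAMPLE = """\
# Apr 7 15:48:50
Time Dest Src Dest Src Proto TOS Pkt Intf IP TCP
addr addr port port len num frag flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195 443 51515 6 0x0 60 8 0x0 0x2
# Feb 1 20:31:21
# Dest Src Dest Src Proto TOS Pkt Intf IP TCP
# addr addr port port len num frag flags
192.168.9.194 192.168.9.195 443 51516 6 0x0 60 8 0x0 0x2
192.168.9.194 192.168.9.195 53 40000 17 0x0 76 8 0x0 0x0
"""

FIELDS = ("dst", "src", "dport", "sport", "proto", "tos",
          "pkt_len", "intf", "ip_frag", "tcp_flags")

def parse_line(line):
    """Return a dict for one sampled-packet line, or None for headers and junk."""
    tokens = line.split()
    if line.lstrip().startswith("#") or len(tokens) < len(FIELDS):
        return None
    values = tokens[-len(FIELDS):]          # the ten packet columns are always last
    try:
        rec = {
            "time": " ".join(tokens[:-len(FIELDS)]) or None,  # None when no stamp
            "dst": ipaddress.ip_address(values[0]),
            "src": ipaddress.ip_address(values[1]),
        }
        for name, raw in zip(FIELDS[2:], values[2:]):
            rec[name] = int(raw, 0)         # base 0 accepts both "84" and "0x0"
    except ValueError:                      # column-header rows land here
        return None
    return rec

def parse_samples(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def syn_only_by_source(records):
    """Count sampled TCP packets with SYN set and ACK clear, per source address."""
    hits = Counter()
    for r in records:
        if r["proto"] == 6 and r["tcp_flags"] & 0x12 == 0x02:
            hits[str(r["src"])] += 1
    return hits
```

Because the file holds sampled packets only, the per-source counts are a relative indicator rather than an exact packet total.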