Table 3-1 NetFlow Fields
Field Type
|
Value
|
Length (Bytes)
|
Description
|
sceSubscriberId
|
300
|
64
|
The subscriber identification string, introduced through the subscriber management interfaces. For an unknown subscriber this field may contain an empty string. The string is padded with zeros.
|
scePackageId
|
301
|
2
|
The ID of the service configuration package/profile assigned to the subscriber.
|
sceServiceId
|
302
|
4
|
The service classification of the reported session.
|
sceProtocolId
|
303
|
2
|
The unique ID of the protocol associated with the reported session.
The PROTOCOL_ID will be the Generic IP / Generic TCP / Generic UDP protocol ID value, according to the specific transport protocol of the transaction, unless a more specific protocol definition (such as a signature-based or a port-based protocol) that matches the reported session is assigned to a service.
|
sceSkipppedSessions
|
304
|
4
|
The number of unreported sessions since the previous reporting record of this kind.
|
sceInitiatingSide
|
305
|
1
|
The initiating side of the transaction:
• 0—Subscriber side
• 1—Network side
|
sceReportTime
|
306
|
4
|
Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970.
|
sceTransactionDurationMillisec
|
307
|
4
|
Duration, in milliseconds, of the transaction reported in this reporting record.
|
sceTimeFrame
|
308
|
1
|
Which of the four possible time frames was used for the period during which the reporting record was generated.
The field takes a value in the range 0 to 3.
|
sceSessionUpstreamVolume
|
309
|
4
|
Upstream volume of the transaction, in bytes. The volume refers to the aggregated upstream volume on both links of all the flows bundled in the transaction.
|
sceSessionDownstreamVolume
|
310
|
4
|
Downstream volume of the transaction, in bytes. The volume refers to the aggregated downstream volume on both links of all the flows bundled in the transaction.
|
sceIpProtocolType
|
311
|
1
|
The IP protocol type.
|
sceProtocolSignature
|
312
|
4
|
The ID of the protocol signature associated with this session
|
sceZoneId
|
313
|
4
|
The ID of the zone associated with this session
|
sceFlavorId
|
314
|
4
|
For protocol signatures that have flavors, this field contains the ID of the flavor associated with this session.
|
sceFlowCloseMode
|
315
|
1
|
The reason for the end of the flow.
|
|
316-319
|
|
Reserved.
|
sceAccessString
|
320
|
128, 256, 512, 1024
|
A Layer 7 property, extracted from the transaction.
|
sceInfoString
|
324
|
128, 256, 512, 1024
|
A Layer 7 property, extracted from the transaction.
|
|
328-350
|
|
Reserved.
|
sceServiceUsageSubscriberCounterId
|
351
|
2
|
Each service is mapped to a counter. There are 32 counters in the subscriber scope.
|
sceBreachState
|
352
|
1
|
Indicates whether the subscriber's quota was breached:
• 0—The quota was not breached
• 1—The quota was breached
|
sceReason
|
353
|
1
|
The reason that the reporting record was generated:
• 0—Periodic record
• 1—Subscriber logout
• 2—Package switch
• 3—Wraparound
• 4—End of aggregation period
|
sceConfiguredDuration
|
354
|
4
|
Configured period, in seconds, between successive reporting records.
|
sceDuration
|
355
|
4
|
The number of seconds that have passed since the previous reporting record of this type.
|
sceEndTime
|
356
|
4
|
Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970
|
sceUpstreamVolume
|
357
|
4
|
Aggregated upstream volume on both links of all sessions, in kilobytes, for the current reporting period.
|
sceDownstreamVolume
|
358
|
4
|
Aggregated downstream volume on both links of all sessions, in kilobytes, for the current reporting period.
|
sceSessions
|
359
|
2
|
Aggregated number of sessions for the reported service, for the current reporting period.
|
sceSeconds
|
360
|
2
|
Aggregated number of session seconds for the reported service, for the current reporting period.
|
scePackageCounterId
|
361
|
2
|
Each package is mapped to a counter. There are 64 package usage counters.
|
sceGeneratorId
|
362
|
1
|
A numeric value identifying the processor generating the reporting record.
|
sceServiceGlobalCounterId
|
363
|
2
|
Each service is mapped to a counter. There 64 global usage counters
|
sceConcurrentSessions
|
364
|
4
|
Concurrent number of sessions using the reported service when this reporting record was generated.
|
sceActiveSubscribers
|
365
|
4
|
Concurrent number of subscribers using the reported service when this reporting record was generated.
|
sceTotalActiveSubscribers
|
366
|
4
|
Concurrent number of subscribers in the system when this reporting record was generated.
|
sceLinkId
|
367
|
1
|
A numeric value associated with the reported network link:
• 0—Physical link 1
• 1—Physical link 2
|
sceVirtualLinkId
|
368
|
1
|
A numeric value associated with the reported virtual network link.
|
|
369-399
|
|
Reserved
|
sceAttackId
|
400
|
4
|
Unique attack ID.
|
sceAttackIp
|
401
|
4
|
The IP address related to this attack.
|
sceAttackOtherIp
|
402
|
4
|
The other IP address related to this attack if it exists, -1 otherwise.
|
sceAttackPortNumber
|
403
|
2
|
The port number related to this attack if one exists (if this is an IP scan, for example), -1 otherwise.
|
sceAttackType
|
404
|
4
|
Who sceAttackIp belongs to:
• 0—Attacked
• 1—Attacker
|
sceAttackSide
|
405
|
1
|
The IP address side:
• 0—Subscriber
• 1—Network
|
sceAttackIpProtocol
|
406
|
1
|
The IP protocol type:
• 0—Other
• 1—ICMP
• 6—TCP
• 17—UDP
|
sceAttacks
|
407
|
1
|
The number of attacks in the current reporting period. Since attack reports are generated per attack, the value is 0 or 1.
|
sceAttackMaliciousSessions
|
408
|
4
|
Aggregated number of sessions for the reported attack, for the current reporting period. If the SCE platform blocks the attack, this field takes the value -1.
|
|
409-499
|
|
Reserved
|