2

The value is in theory precise down to the millisecond, but I am skeptical. Does that number tell when the packet was transmitted, or when the connection began or ended?


Note: Subsequently I noticed that there are flow-start time & flow-end time fields.

masegaloeh
Spresso

2 Answers

0

Both exist in NetFlow v9, according to RFC 3954:

  • section 5.1: sysUptime is the time in milliseconds since this device was first booted.
  • section 8: LAST_SWITCHED and FIRST_SWITCHED are the sysUptime in msec at which, respectively, the last/first packet of this flow was switched.

So you can have both a sysuptime for a flow or the whole device. Looks like your original question is about the header of a Netflow packet, so that would be the uptime of the device.

One last thing: the sysUptime value can only record about 49 days, since it is a 32-bit value.

Xavier Nicollet
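An added example, not part of the answer above or of any exporter's code: it converts the per-flow FIRST_SWITCHED/LAST_SWITCHED uptime values into wall-clock time using the header's sysUpTime and UNIX Secs, including the 32-bit wrap the answer mentions. Function names and sample values are constructed for illustration; it assumes the header's two clocks were sampled together and that the flow is younger than one wrap period.

```python
import struct
from datetime import datetime, timezone

# RFC 3954 section 5.1 packet header: Version, Count, sysUpTime,
# UNIX Secs, Sequence Number, Source ID (20 bytes, network byte order).
V9_HEADER = struct.Struct("!HHIIII")
WRAP = 1 << 32  # sysUpTime is a 32-bit msec counter, wraps after ~49.7 days


def parse_v9_header(packet: bytes) -> dict:
    """Return the export-time fields of a NetFlow v9 packet header."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than NetFlow v9 header")
    version, count, uptime_ms, unix_secs, _seq, _src = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    return {"count": count, "uptime_ms": uptime_ms, "unix_secs": unix_secs}


def switched_to_epoch_ms(header: dict, switched_ms: int) -> int:
    """Convert FIRST_SWITCHED/LAST_SWITCHED (device uptime) to epoch msec.

    The flow's age at export is computed modulo 2**32, so a counter wrap
    between the flow and the export does not yield a negative age.
    UNIX Secs has one-second resolution, so the absolute result is only
    accurate to about a second; differences between flows stay in msec.
    """
    age_ms = (header["uptime_ms"] - switched_ms) % WRAP
    return header["unix_secs"] * 1000 - age_ms


def flow_window(packet: bytes, first_switched: int, last_switched: int):
    """Return (start, end) as UTC datetimes for one flow record."""
    hdr = parse_v9_header(packet)
    return tuple(
        datetime.fromtimestamp(switched_to_epoch_ms(hdr, v) / 1000, tz=timezone.utc)
        for v in (first_switched, last_switched)
    )


# Constructed sample: the device counter wrapped 5 s before export.
SAMPLE_HEADER = V9_HEADER.pack(9, 1, 5000, 1476458725, 42, 0)
SAMPLE_FIRST = WRAP - 1000   # flow began 1 s before the wrap
SAMPLE_LAST = 4000           # last packet 4 s after the wrap

if __name__ == "__main__":
    start, end = flow_window(SAMPLE_HEADER, SAMPLE_FIRST, SAMPLE_LAST)
    print(start.isoformat(), end.isoformat(), end - start)
```

For incident timelines, this is why flow timestamps from different exporters should be compared only after conversion: the raw values are relative to each device's own boot time.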
-1

RFC 5102 (which is based on Cisco NetFlow Version 9) talks about flowStartSysUpTime and flowEndSysUpTime. No other sysUptimes.

So, at least, this may be version and/or system dependent.

brownian
  • I think there is indeed a sysUptime value in NetFlow Version 9 header. You should remove this answer. – Xavier Nicollet Oct 14 '16 at 15:25
  • @XavierNicollet, I didn't say that there is no such value in NetFlow Version 9 header. I said that RFC5102-based implementations' headers MAY not contain this value. – brownian Oct 17 '16 at 08:57