An ESXi host transport node supports two distributed firewall IPFIX flow templates.

The following diagram shows the flow of traffic to the IPFIX collector.

Diagram showing the flow of traffic to the IPFIX collector

The following table describes the information elements in the IPFIX templates.

Table 1. IPFIX Information Elements
Name Data Type Size (Octet) Description
sourceIPv4Address ipv4Address 4 The IPv4 source address in the IP packet header.
destinationIPv4Address ipv4Address 4 The IPv4 destination address in the IP packet header.
sourceIPv6Address ipv6Address 16 The IPv6 source address in the IP packet header.
destinationIPv6Address ipv6Address 16 The IPv6 destination address in the IP packet header.
sourceTransportPort unsigned16 2 The source port identifier in the transport header.
destinationTransportPort unsigned16 2 The destination port identifier in the transport header.
octetDeltaCount unsigned64 8 The number of octets since the previous report (if any) in incoming packets for the flow at the observation point. The number of octets includes IP headers and IP payload.
packetDeltaCount unsigned64 8 The number of incoming packets since the previous report (if any) for the flow at the observation point.
flowId unsigned64 8 A flow identifier that is unique within an observation domain. This information element helps to distinguish between different flows when flow keys, such as IP addresses and port numbers are not reported, or are reported in separate records.
flowStartSeconds dateTimeSeconds 4 The absolute timestamp of the first packet of the flow.
flowEndSeconds dateTimeSeconds 4 The absolute timestamp of the last packet of the flow.
protocolIdentifier unsigned8 1 The value of the protocol number in the IP packet header.
firewallEvent unsigned8 1 Valid values are:
  • 1 - Flow Created
  • 2 - Flow Deleted
  • 3 - Flow Denied
  • 4 - Flow Alert (not used in this implementation)
  • 5 - Flow Update
icmpTypeIPv4 unsigned8 1 Type of the IPv4 ICMP message.
icmpCodeIPv4 unsigned8 1 Code of the IPv4 ICMP message.
icmpTypeIPv6 unsigned8 1 Type of the IPv6 ICMP message.
icmpCodeIPv6 unsigned8 1 Code of the IPv6 ICMP message.
ruleId unsigned32 4 firewall Rule Id - Enterprise specific IE.
sessionFlags unsigned8 1

Session Flags - Enterprise specific IE. Valid values are:

  • 0 - unknown
  • 0x1 - established
flowDirection unsigned8 1

Flow Direction- Enterprise specific IE. Valid values are:

  • 0 - unknown
  • 1 - forward
  • 2 - reverse
algControlFlowId unsigned64 8
ALG Control Flow ID - Enterprise specific IE. Valid values are:
  • 0
  • flowId of ALG control flow
algType unsigned8 1
ALG Control Flow ID - Enterprise specific IE. Valid values are:
  • 0 - none
  • 1 - FTP
  • 2 - Oracle
  • 3 - SUNRPC
  • 4 - DCERPC
  • 5 - TFTP
algFlowType unsigned8 1
ALG Control Flow ID - Enterprise specific IE. Valid values are:
  • 0 - none
  • 1 - control flow
  • 2 - data flow
averageLatency unsigned32 4

Average TCP Latency - Enterprise specific IE

Unit is in microseconds.

vifUuid octetArray 16

VIF UUID - Enterprise specific IE.

Uniquely identifies the VIF (octet array of 16).

vifId string 48

VIF ID - Enterprise specific IE.

Uniquely identifies the VIF (char string format UTF-8).

IPv4 Template

Template ID: 294 

IPFIX_TEMPLATE_FIELD(sourceIPv4Address,4)
IPFIX_TEMPLATE_FIELD(destinationIPv4Address,4)
IPFIX_TEMPLATE_FIELD(sourceTransportPort,2)
IPFIX_TEMPLATE_FIELD(destinationTransportPort,2)
IPFIX_TEMPLATE_FIELD(protocolIdentifier,1)
IPFIX_TEMPLATE_FIELD(icmpTypeIPv4,1)
IPFIX_TEMPLATE_FIELD(icmpCodeIPv4,1)
IPFIX_TEMPLATE_FIELD(flowStartSeconds,4)
IPFIX_TEMPLATE_FIELD(flowEndSeconds,4)
IPFIX_TEMPLATE_FIELD(octetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(packetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(firewallEvent,1)
IPFIX_TEMPLATE_FIELD(flowDirection,1)
IPFIX_TEMPLATE_FIELD(ruleId,4)
IPFIX_TEMPLATE_FIELD(sessionFlags,1)
IPFIX_TEMPLATE_FIELD(reportingRole,1)
IPFIX_TEMPLATE_FIELD(flowDirection,1)
IPFIX_TEMPLATE_FIELD(flowId,8)
IPFIX_TEMPLATE_FIELD(algControlFlowId,8)
IPFIX_TEMPLATE_FIELD(algType,1)
IPFIX_TEMPLATE_FIELD(algFlowType,1)
IPFIX_TEMPLATE_FIELD(averageLatency,4)
IPFIX_TEMPLATE_FIELD(retransmissionCount,4)
IPFIX_TEMPLATE_FIELD(vifUuid,16)
IPFIX_TEMPLATE_FIELD(vifId,48)

IPv6 Template

Template ID: 295 

IPFIX_TEMPLATE_FIELD(sourceIPv6Address,16)
IPFIX_TEMPLATE_FIELD(destinationIPv6Address,16)
IPFIX_TEMPLATE_FIELD(sourceTransportPort,2)
IPFIX_TEMPLATE_FIELD(destinationTransportPort,2)
IPFIX_TEMPLATE_FIELD(protocolIdentifier,1)
IPFIX_TEMPLATE_FIELD(icmpTypeIPv6,1)
IPFIX_TEMPLATE_FIELD(icmpCodeIPv6,1)
IPFIX_TEMPLATE_FIELD(flowStartSeconds,4)
IPFIX_TEMPLATE_FIELD(flowEndSeconds,4)
IPFIX_TEMPLATE_FIELD(octetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(packetDeltaCount,8)
IPFIX_TEMPLATE_FIELD(firewallEvent,1)
IPFIX_TEMPLATE_FIELD(flowDirection,1)
IPFIX_TEMPLATE_FIELD(ruleId,4)
IPFIX_TEMPLATE_FIELD(vifUuid,16)
IPFIX_TEMPLATE_FIELD(sessionFlags,1)
IPFIX_TEMPLATE_FIELD(reportingRole,1)
IPFIX_TEMPLATE_FIELD(flowId,8)
IPFIX_TEMPLATE_FIELD(algControlFlowId,8)
IPFIX_TEMPLATE_FIELD(algType,1)
IPFIX_TEMPLATE_FIELD(algFlowType,1)
IPFIX_TEMPLATE_FIELD(averageLatency,4)
IPFIX_TEMPLATE_FIELD(retransmissionCount,4)
IPFIX_TEMPLATE_FIELD(vifUuid,16)
IPFIX_TEMPLATE_FIELD(vifId,48)