Probe IPFIX Fields
The WhiteOwl probe exports flow data using IPFIX (IP Flow Information Export), the IETF standard for network flow reporting. Each flow record contains a rich set of fields covering standard network metadata, TCP performance analytics, deep packet inspection, microburst detection, and encapsulation visibility.
Standard IPFIX Fields
These fields follow the IANA IPFIX Information Element registry and are compatible with any standard IPFIX collector.
| Field | IPFIX ID | Size | Description |
|---|---|---|---|
| Octet Delta Count | 1 | 8 bytes | Total bytes transferred in the flow |
| Packet Delta Count | 2 | 8 bytes | Total packets in the flow |
| Protocol | 4 | 1 byte | IP protocol number (6=TCP, 17=UDP, 1=ICMP) |
| IP Class of Service | 5 | 1 byte | ToS/DSCP value from the IP header |
| TCP Control Bits | 6 | 2 bytes | Cumulative TCP flags observed (SYN, ACK, FIN, RST, etc.) |
| Source Port | 7 | 2 bytes | Layer 4 source port |
| Source IPv4 Address | 8 | 4 bytes | Source IP address |
| Ingress Interface | 10 | 4 bytes | Interface index where the packet was captured |
| Destination Port | 11 | 2 bytes | Layer 4 destination port |
| Destination IPv4 Address | 12 | 4 bytes | Destination IP address |
| Minimum TTL | 52 | 1 byte | Lowest TTL value observed in the flow |
| Maximum TTL | 53 | 1 byte | Highest TTL value observed in the flow |
| Fragment Identification | 54 | 4 bytes | IP fragment identification field |
| Source MAC Address | 56 | 6 bytes | Source MAC from the Ethernet header |
| VLAN ID | 58 | 2 bytes | 802.1Q VLAN tag (0 if untagged) |
| Destination MAC Address | 80 | 6 bytes | Destination MAC from the Ethernet header |
| Fragment Offset | 88 | 2 bytes | IP fragment offset |
| Flow Start Time | 152 | 8 bytes | Timestamp of the first packet (milliseconds) |
| Flow End Time | 153 | 8 bytes | Timestamp of the last packet (milliseconds) |
Enterprise Fields (PEN 99999)
Enterprise fields use Private Enterprise Number 99999 to export probe-specific measurements that go beyond standard IPFIX. These fields require a collector that supports enterprise information elements, such as goflow2 with custom field mappings.
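The wire difference between a standard and an enterprise element is small but easy to get wrong in a collector: in a template record an enterprise element sets the high bit of the 16-bit Information Element ID and is followed by the 4-byte PEN, so ID 1 under PEN 99999 (Min RTT) is a different field from IANA ID 1 (Octet Delta Count). The following parser is an added example, not code from the WhiteOwl probe or from goflow2; it decodes one RFC 7011 message containing a template set and a data set and names the enterprise fields with the same destination names the goflow2 mapping on this page uses. The template ID (256), the addresses and every value in the sample record are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

WHITEOWL_PEN = 99999  # Private Enterprise Number used for the probe's custom fields (from the page)

# Names for the IANA elements and PEN-99999 elements listed on this page (subset)
IANA_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
              7: "sourceTransportPort", 8: "sourceIPv4Address",
              11: "destinationTransportPort", 12: "destinationIPv4Address", 58: "vlanId"}
WHITEOWL_NAMES = {1: "min_rtt_us", 2: "max_rtt_us", 3: "avg_rtt_us", 4: "retransmit_count",
                  5: "min_tcp_window", 6: "max_tcp_window", 7: "max_bytes_per_window",
                  8: "max_packets_per_window", 9: "burst_window_ms",
                  900: "app_protocol_id", 901: "app_category_id", 910: "mpls_top_label",
                  911: "mpls_exp", 912: "mpls_ttl", 920: "vxlan_vni"}

@dataclass
class FieldSpec:
    ie_id: int
    length: int
    pen: Optional[int]  # None for IANA-registered elements

def field_name(spec: FieldSpec) -> str:
    if spec.pen is None:
        return IANA_NAMES.get(spec.ie_id, f"ie{spec.ie_id}")
    if spec.pen == WHITEOWL_PEN:
        return WHITEOWL_NAMES.get(spec.ie_id, f"whiteowl_ie{spec.ie_id}")
    return f"pen{spec.pen}_ie{spec.ie_id}"

def decode_value(spec: FieldSpec, raw: bytes):
    # IPv4 addresses (IEs 8 and 12) get dotted form; everything else is a big-endian unsigned int
    if spec.pen is None and spec.ie_id in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")

def parse_template_set(body: bytes) -> dict:
    templates, pos = {}, 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        pos += 4
        specs = []
        for _ in range(field_count):
            ie_id, length = struct.unpack_from("!HH", body, pos)
            pos += 4
            pen = None
            if ie_id & 0x8000:            # enterprise bit set: a 4-byte PEN follows
                ie_id &= 0x7FFF
                (pen,) = struct.unpack_from("!I", body, pos)
                pos += 4
            specs.append(FieldSpec(ie_id, length, pen))
        templates[template_id] = specs
    return templates

def parse_data_set(body: bytes, specs: list) -> list:
    record_len = sum(s.length for s in specs)
    records, pos = [], 0
    while record_len and pos + record_len <= len(body):   # leftover bytes are padding
        rec = {}
        for s in specs:
            rec[field_name(s)] = decode_value(s, body[pos:pos + s.length])
            pos += s.length
        records.append(rec)
    return records

def parse_ipfix(message: bytes, templates: Optional[dict] = None) -> list:
    """Parse one IPFIX message (RFC 7011); pass the same dict across calls to keep templates."""
    templates = {} if templates is None else templates
    version, msg_len = struct.unpack_from("!HH", message, 0)
    if version != 10:
        raise ValueError(f"not an IPFIX message (version {version})")
    records, offset = [], 16              # 16-byte message header
    while offset + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", message, offset)
        if set_len < 4:
            raise ValueError("malformed set length")
        body = message[offset + 4:offset + set_len]
        if set_id == 2:
            templates.update(parse_template_set(body))
        elif set_id >= 256 and set_id in templates:
            records.extend(parse_data_set(body, templates[set_id]))
        # set 3 (options templates) and data sets with unknown template IDs are skipped here
        offset += set_len
    return records

def build_sample_message() -> bytes:
    """Constructed message: template 256 mixing IANA and PEN-99999 fields, then one record."""
    specs = [FieldSpec(8, 4, None), FieldSpec(12, 4, None), FieldSpec(7, 2, None),
             FieldSpec(11, 2, None), FieldSpec(4, 1, None), FieldSpec(1, 8, None),
             FieldSpec(1, 4, WHITEOWL_PEN), FieldSpec(4, 4, WHITEOWL_PEN),
             FieldSpec(900, 2, WHITEOWL_PEN), FieldSpec(920, 4, WHITEOWL_PEN)]
    tmpl = struct.pack("!HH", 256, len(specs))
    for s in specs:
        tmpl += (struct.pack("!HH", s.ie_id, s.length) if s.pen is None
                 else struct.pack("!HHI", s.ie_id | 0x8000, s.length, s.pen))
    template_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    data = (bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10])        # 10.0.0.5 -> 192.0.2.10
            + struct.pack("!HHBQ", 51234, 443, 6, 48213)          # ports, TCP, octet count
            + struct.pack("!IIHI", 1850, 2, 91, 0))               # min RTT, retrans, TLS, no VXLAN
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = template_set + data_set
    return struct.pack("!HHIII", 10, 16 + len(body), 1_700_000_000, 1, 1) + body
```

`parse_ipfix(build_sample_message())` returns one record in which `octetDeltaCount` (IANA 1) and `min_rtt_us` (PEN 99999, ID 1) are decoded side by side; a collector that ignores the enterprise bit would silently overwrite one with the other. Templates are keyed only by template ID here; a production collector also keys them by exporter address and observation domain.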
TCP Performance
Real-time TCP performance metrics calculated per-flow from observed packet behavior. These provide SolarWinds-style network quality visibility without requiring agents on endpoints.
| Field | Enterprise ID | Size | Description |
|---|---|---|---|
| Min RTT | 1 | 4 bytes | Minimum round-trip time observed (microseconds), measured from SYN/SYN-ACK handshake |
| Max RTT | 2 | 4 bytes | Maximum round-trip time observed (microseconds) |
| Avg RTT | 3 | 4 bytes | Average round-trip time (microseconds) |
| Retransmit Count | 4 | 4 bytes | Number of TCP retransmissions detected via sequence number analysis |
| Min TCP Window | 5 | 2 bytes | Smallest TCP window size advertised (bytes) |
| Max TCP Window | 6 | 2 bytes | Largest TCP window size advertised (bytes) |
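How a passive probe can derive these six values from packets alone is worth seeing end to end. The tracker below is an added example, not the probe's implementation: it takes the RTT sample from the SYN/SYN-ACK pair as the table describes, adds a second sample from the SYN-ACK to the client's handshake ACK (my assumption, so that both legs of the path are measured), flags a retransmission when a data segment's sequence number falls below the highest byte already seen in that direction, and tracks the advertised window. The packet trace is constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean

# TCP flag bits as in the TCP header (the same bits appear in IPFIX tcpControlBits, IE 6)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class TcpPerfStats:
    """Mirrors the six enterprise fields in the TCP Performance table (0 = not applicable)."""
    min_rtt_us: int = 0
    max_rtt_us: int = 0
    avg_rtt_us: int = 0
    retransmit_count: int = 0
    min_tcp_window: int = 0
    max_tcp_window: int = 0

class TcpFlowTracker:
    """Per-flow state for one bidirectional TCP connection observed by a passive probe."""

    def __init__(self):
        self.syn_ts = None       # time of the client's SYN
        self.synack_ts = None    # time of the server's SYN-ACK
        self.rtt_samples = []    # microseconds
        self.next_seq = {}       # direction -> end of the highest byte range seen
        self.windows = []        # advertised window of every segment
        self.retransmits = 0

    def observe(self, ts_us, direction, flags, seq, payload_len, window):
        # direction is "c2s" (client to server) or "s2c" (server to client)
        if flags & SYN and not flags & ACK:
            self.syn_ts = ts_us
        elif flags & SYN and flags & ACK and self.syn_ts is not None and self.synack_ts is None:
            self.synack_ts = ts_us
            self.rtt_samples.append(ts_us - self.syn_ts)      # probe-to-server leg
        elif (flags & ACK and direction == "c2s" and self.synack_ts is not None
              and len(self.rtt_samples) == 1):
            self.rtt_samples.append(ts_us - self.synack_ts)   # probe-to-client leg (assumption)

        # Retransmission heuristic: data whose sequence number is below the
        # highest byte already seen in the same direction was sent before.
        if payload_len > 0:
            end = seq + payload_len
            seen = self.next_seq.get(direction)
            if seen is not None and seq < seen:
                self.retransmits += 1
            if seen is None or end > seen:
                self.next_seq[direction] = end
        self.windows.append(window)

    def stats(self) -> TcpPerfStats:
        s = TcpPerfStats(retransmit_count=self.retransmits)
        if self.rtt_samples:
            s.min_rtt_us = min(self.rtt_samples)
            s.max_rtt_us = max(self.rtt_samples)
            s.avg_rtt_us = int(mean(self.rtt_samples))
        if self.windows:
            s.min_tcp_window = min(self.windows)
            s.max_tcp_window = max(self.windows)
        return s

# Constructed trace: (ts_us, direction, flags, seq, payload_len, window)
SAMPLE_TRACE = [
    (0,      "c2s", SYN,       1000, 0,    64240),
    (1800,   "s2c", SYN | ACK, 5000, 0,    65535),   # 1.8 ms after the SYN
    (2100,   "c2s", ACK,       1001, 0,    64240),   # 0.3 ms after the SYN-ACK
    (2200,   "c2s", PSH | ACK, 1001, 517,  64240),   # client request
    (4100,   "s2c", PSH | ACK, 5001, 1460, 65535),
    (4150,   "s2c", PSH | ACK, 6461, 1460, 65535),
    (4200,   "c2s", ACK,       1518, 0,    63000),   # window shrinks briefly
    (204200, "s2c", PSH | ACK, 6461, 1460, 65535),   # same seq again: retransmission
    (204300, "c2s", ACK,       1518, 0,    64240),
]

def summarize(trace) -> TcpPerfStats:
    tracker = TcpFlowTracker()
    for pkt in trace:
        tracker.observe(*pkt)
    return tracker.stats()
```

The sequence-number check deliberately counts a segment as retransmitted only when it re-sends bytes already seen, so out-of-order arrival with new data does not inflate the count; a tracker that compared against the last sequence number rather than the highest would mislabel reordering as loss.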
Microburst Detection
Short-duration traffic spike measurements using configurable sliding windows. Useful for identifying bursty traffic patterns that averages hide.
| Field | Enterprise ID | Size | Description |
|---|---|---|---|
| Max Bytes Per Window | 7 | 8 bytes | Peak bytes observed in a single burst window |
| Max Packets Per Window | 8 | 8 bytes | Peak packets observed in a single burst window |
| Burst Window Duration | 9 | 2 bytes | Burst detection window size (milliseconds) |
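The point of these three fields is that a per-flow byte count divided by flow duration cannot see a spike that lasts a couple of milliseconds. The function below is an added example, not the probe's code: it slides a window of the configured duration over a flow's packets and keeps the peak byte and packet counts, next to the figure a plain average would give for the same window. Timestamps are in microseconds (my choice for precision; the exported Burst Window Duration is in milliseconds), and the sample flow is constructed.

```python
from collections import deque

def microburst_stats(packets, window_us):
    """Peak bytes and packets in any window of window_us microseconds.

    packets: iterable of (timestamp_us, size_bytes); sorted here, so any order is fine.
    Returns (max_bytes_per_window, max_packets_per_window), i.e. enterprise fields 7 and 8.
    """
    if window_us <= 0:
        raise ValueError("window must be positive")
    window = deque()            # packets currently inside the window ending at ts
    bytes_in_window = 0
    max_bytes = max_packets = 0
    for ts, size in sorted(packets):
        window.append((ts, size))
        bytes_in_window += size
        # Evict packets that are now older than the window; the current packet always stays
        while ts - window[0][0] >= window_us:
            _, old_size = window.popleft()
            bytes_in_window -= old_size
        max_bytes = max(max_bytes, bytes_in_window)
        max_packets = max(max_packets, len(window))
    return max_bytes, max_packets

def average_bytes_per_window(packets, window_us):
    """What a flow-level average reports for the same window size (bytes per window)."""
    pkts = sorted(packets)
    if not pkts:
        return 0.0
    duration = max(pkts[-1][0] - pkts[0][0], window_us)
    return sum(size for _, size in pkts) * window_us / duration

def build_sample_flow():
    """Constructed flow: a 100-byte packet every 100 ms for one second, plus
    20 full-size packets crammed into 2 ms starting at t = 520 ms."""
    background = [(i * 100_000, 100) for i in range(10)]
    burst = [(520_000 + i * 100, 1500) for i in range(20)]
    return background + burst
```

With a 10 ms window the sample flow averages about 344 bytes per window, while `microburst_stats` reports a 30,000-byte, 20-packet peak: the same flow that looks idle in a rate graph can fill a switch egress buffer for those 2 ms, which is exactly what the exported peak fields are meant to surface.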
Deep Packet Inspection (nDPI)
Application-layer classification powered by nDPI. The probe inspects the first N packets of each flow to identify the application protocol and category. Results are exported as numeric IDs that map to nDPI's protocol and category registries.
| Field | Enterprise ID | Size | Description |
|---|---|---|---|
| Application Protocol ID | 900 | 2 bytes | nDPI protocol identifier (e.g., 7=HTTP, 91=TLS, 126=Spotify) |
| Application Category ID | 901 | 2 bytes | nDPI category identifier (e.g., 5=Web, 10=Streaming, 14=Network) |
Protocol and category IDs are resolved to human-readable names in ClickHouse using dictionary lookups. For example, protocol ID 91 resolves to TLS and category ID 5 resolves to Web.
Encapsulation
Visibility into tunneled and tagged traffic. The probe detects VLAN, MPLS, and VXLAN encapsulation and exports the relevant metadata. For VXLAN, the probe decapsulates the outer headers and reports flow data based on the inner (overlay) packet, with the VNI stored as metadata.
| Field | Enterprise ID | Size | Description |
|---|---|---|---|
| MPLS Top Label | 910 | 4 bytes | Top-of-stack MPLS label (20-bit value in uint32) |
| MPLS Exp | 911 | 1 byte | MPLS Traffic Class / Experimental bits (3-bit value) |
| MPLS TTL | 912 | 1 byte | MPLS Time-to-Live |
| VXLAN VNI | 920 | 4 bytes | VXLAN Network Identifier (24-bit value in uint32) |
VLAN ID uses the standard IPFIX field 58, not an enterprise field. It is natively supported by all IPFIX collectors without custom configuration.
Field Behavior
- Zero values: All fields are always present in every flow record. A value of `0` indicates the field is not applicable (e.g., `vlan_id = 0` means untagged traffic, `vxlan_vni = 0` means non-VXLAN).
- TCP performance fields: Only populated for TCP flows. UDP and ICMP flows will have zeros for RTT, retransmit, and window fields.
- DPI fields: Populated after the probe classifies the flow (typically within the first 12 packets). Unclassified flows report `0` for both protocol and category IDs.
- VXLAN flows: The 5-tuple (src/dst IP, src/dst port, protocol) reflects the inner packet. The outer tunnel headers are stripped during decapsulation.
goflow2 Mapping
To receive these enterprise fields in goflow2, add the following to your mapping configuration:
```yaml
ipfix:
  mapping:
    # TCP Performance
    - { field: 1, pen: 99999, penprovided: true, destination: min_rtt_us }
    - { field: 2, pen: 99999, penprovided: true, destination: max_rtt_us }
    - { field: 3, pen: 99999, penprovided: true, destination: avg_rtt_us }
    - { field: 4, pen: 99999, penprovided: true, destination: retransmit_count }
    - { field: 5, pen: 99999, penprovided: true, destination: min_tcp_window }
    - { field: 6, pen: 99999, penprovided: true, destination: max_tcp_window }
    # Microburst
    - { field: 7, pen: 99999, penprovided: true, destination: max_bytes_per_window }
    - { field: 8, pen: 99999, penprovided: true, destination: max_packets_per_window }
    - { field: 9, pen: 99999, penprovided: true, destination: burst_window_ms }
    # DPI
    - { field: 900, pen: 99999, penprovided: true, destination: app_protocol_id }
    - { field: 901, pen: 99999, penprovided: true, destination: app_category_id }
    # Encapsulation
    - { field: 910, pen: 99999, penprovided: true, destination: mpls_top_label }
    - { field: 911, pen: 99999, penprovided: true, destination: mpls_exp }
    - { field: 912, pen: 99999, penprovided: true, destination: mpls_ttl }
    - { field: 920, pen: 99999, penprovided: true, destination: vxlan_vni }
```