How useful is the sysUptime value in a Netflow packet?

Question

The value is in theory precise down to the millisecond, but I am skeptical. Does that number tell when the packet was transmitted, or when the connection began or ended?

Note: Subsequently I noticed that there are flow-start time & flow-end time fields.

Xavier Nicollet · Answer 1 · 2016-10-14T15:23:49.387

There are both in Netflow v9: according to rfc3954:

section 5.1: sysUptime is the Time in milliseconds since this device was first booted.
section 8: LAST_SWITCHED and FIRST_SWITCHED sysuptime in msec in which respectively the last/first packet of this flow has been switched.

So you can have both a sysuptime for a flow or the whole device. Looks like your original question is about the header of a Netflow packet, so that would be the uptime of the device.

One last thing: the sysUptime value can only record about 49 days, since it is a 32bit value.

score -1 · Answer 2 · edited Oct 07 '21 at 06:58

-1

RFC 5102 (which is based on Cisco NetFlow Version 9) talks about flowStartSysUpTime and flowEndSysUpTime. No other sysUptimes.

So, at least, this may be version and/or system dependent.

edited Oct 07 '21 at 06:58

Community

1

answered Mar 20 '12 at 14:40

brownian

291

How useful is the sysUptime value in a Netflow packet?

2 Answers2