Flow eLog Format

Flow eLogs can be used on NAT devices deployed in centralized mode. Flow eLog information is sent to a log server in binary format.

V1 Format (NAT444)

Table 1 Description of log syntax fields

| Field | Description | Length in Bytes |
|---|---|---|
| version | Version number. The value is 0x10. | 1 |
| log_type | Log type. The value is fixed to 0x04. | 1 |
| count | Number of flow records in the current packet. | 2 |
| unix_sec | Number of seconds since January 1, 1970, 00:00 (UTC). | 4 |
| flow_sequence | Sequence number of the flow for which logs are generated. Numbering starts from 0. When the four-byte value overflows, it wraps around to 0. | 4 |
| Cpu-id | CPU ID of a service board. | 4 bits |
| Instance-type | Instance type. 1: NAT444 | 4 bits |
| instance_id | ID of a NAT444 instance. | 1 |
| slot | Slot ID of a service board. | 1 |
| ucSeqCarreid | Carry flag. | 1 bit |
| Reserv | Reserved field. | 7 bits |
| prot | Type of the protocol running on the IP network. | 1 |
| operator | Operation string. | 1 |
| ip_ver | IP version number. | 1 |
| tos_ipv4 | IP ToS. | 1 |
| sip | Source IP address. | 4 |
| natsip | IP address after NAT is implemented. | 4 |
| dip | Destination IP address. | 4 |
| natdip | Destination IP address after NAT is implemented. | 4 |
| sport | Source port number. | 2 |
| natsport | Source port number after NAT is implemented. | 2 |
| dport | Destination port number. | 2 |
| natdport | Destination port number after NAT is implemented. | 2 |
| stime | Start time of a flow. | 4 |
| etime | End time of a flow. | 4 |
| inpkt | Number of user-to-network flow packets. (This field is not in use.) | 4 |
| inbyte | Number of bytes of user-to-network flow packets. (This field is not in use.) | 4 |
| outpkt | Number of network-to-user flow packets. (This field is not in use.) | 4 |
| outbyte | Number of bytes of network-to-user flow packets. (This field is not in use.) | 4 |
| svpn | Source VPN ID. | 2 |
| dvpn | Destination VPN ID. | 2 |
| pad1 | Reserved. | 4 |
| pad2 | Reserved. | 4 |

Example flow eLog in V1 format (NAT444):

0000  00 00 c0 a8 50 0a 20 0b  c7 9e af ee 08 00 45 00 
0010  00 6c 00 00 00 00 40 11  59 25 c0 a8 50 01 c0 a8
0020  50 0a 07 ef 23 2a 00 58  00 00 10 04 00 01 5b 29
0030  55 4e 00 00 00 03 01 23  04 00 11 00 04 00 ca 54
0040  1a 02 6f 00 00 02 7b b0  26 83 7b b0 26 83 9c 40
0050  04 02 23 29 23 29 5b 29  55 3c 5b 29 55 4e 00 00
0060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  
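
Added example (not part of the original page or any vendor code): a Python decoder for the V1 NAT444 UDP payload laid out in Table 1, run against the capture above, where the 16-byte header plus one 64-byte record equals the UDP length 0x58 minus the 8-byte UDP header. Assumptions: network byte order, cpu-id in the high nibble and instance-type in the low nibble, and zeros for the 10 trailing bytes the dump omits; the names `parse_v1` and `SAMPLE_V1` are illustrative.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Header: version, log_type, count, unix_sec, flow_sequence, cpu-id/instance-type
# nibbles, instance_id, slot, carry flag + 7 reserved bits (16 bytes).
# "!" = network byte order, assumed; the example's count bytes 00 01 fit it.
HEADER = struct.Struct("!BBHIIBBBB")
# Record: prot, operator, ip_ver, tos_ipv4, four IPv4 addresses, four ports, stime,
# etime, four unused counters, svpn, dvpn, pad1 + pad2 (64 bytes).
RECORD = struct.Struct("!BBBB4s4s4s4sHHHHIIIIIIHH8x")

# UDP payload of the V1 example above (dump offset 0x2a onward). The dump ends 10
# bytes short of the UDP length it declares (0x58); zeros are assumed for those.
SAMPLE_V1 = bytes.fromhex(
    "10040001 5b29554e 00000003 01230400"
    "11000400 ca541a02 6f000002 7bb02683 7bb02683"
    "9c40 0402 2329 2329 5b29553c 5b29554e"
    "00000000 00000000 00000000 00000000 0000") + bytes(10)

def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))

def _utc(sec: int) -> str:
    return datetime.fromtimestamp(sec, timezone.utc).isoformat()

def parse_v1(payload: bytes) -> dict:
    """Decode one V1 (NAT444) flow eLog UDP payload; ValueError if malformed."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the 16-byte header")
    ver, ltype, count, sec, seq, nib, inst, slot, _flags = HEADER.unpack_from(payload)
    if (ver, ltype) != (0x10, 0x04):
        raise ValueError(f"not a V1 NAT444 log: version={ver:#x} log_type={ltype:#x}")
    if len(payload) != HEADER.size + count * RECORD.size:
        raise ValueError("count field does not match payload length")
    flows = []
    for off in range(HEADER.size, len(payload), RECORD.size):
        (prot, _op, _ver, _tos, sip, natsip, dip, natdip, sport, natsport, dport,
         natdport, stime, etime, *_rest) = RECORD.unpack_from(payload, off)
        flows.append({"prot": prot,
                      "src": (_ip(sip), sport), "nat_src": (_ip(natsip), natsport),
                      "dst": (_ip(dip), dport), "nat_dst": (_ip(natdip), natdport),
                      "stime": _utc(stime), "etime": _utc(etime)})
    # Assumed nibble order: cpu-id high, instance-type low (the example byte is
    # 0x01 and Table 1 gives instance type 1 for NAT444).
    return {"unix_sec": _utc(sec), "flow_sequence": seq, "cpu_id": nib >> 4,
            "instance_type": nib & 0x0F, "instance_id": inst, "slot": slot,
            "flows": flows}

if __name__ == "__main__":
    print(parse_v1(SAMPLE_V1))
```

The length check rejects the dump as printed (70 payload bytes) because the count field promises a full 64-byte record; a collector should drop or quarantine such datagrams rather than decode past the end.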

V2 Format (NAT444)

Table 2 Description of log syntax fields

| Field | Value | Length in Bytes |
|---|---|---|
| version | Version number. The value is 0x10. | 1 |
| log_type | Log type. 0x14: NAT444 logs | 1 |
| count | Number of flow records in the current packet. | 2 |
| unix_sec | Number of seconds since January 1, 1970, 00:00 (UTC). | 4 |
| flow_sequence | Sequence number of the flow for which the log is generated. Numbering starts from 0. When the four-byte value overflows, it wraps around to 0. | 4 |
| Cpu-id | CPU ID of a service board. | 4 bits |
| Instance-type | Instance type. 1: NAT444 | 4 bits |
| instance_id | ID of a NAT444 instance. | 1 |
| slot | Slot ID of a service board. | 1 |
| ucSeqCarreid | Carry flag. | 1 bit |
| Reserv | Reserved field. | 7 bits |
| prot | Type of the protocol running on the IP network: TCP, UDP, or ICMP. | 1 |
| operator | Operation string. (This field is not in use.) | 1 |
| ip_ver | IP version number. (This field is not in use.) | 1 |
| tos_ipv4 | IP ToS. (This field is not in use.) | 1 |
| sip | Source IPv4 address before NAT is implemented. | 4 |
| natsip | Source IPv4 address after NAT is implemented. | 4 |
| dip | Destination IPv4 address before NAT is implemented. | 4 |
| natdip | Destination IPv4 address after NAT is implemented. | 4 |
| sport | Source port number before NAT is implemented. | 2 |
| natsport | Source port number after NAT is implemented. | 2 |
| dport | Destination port number before NAT is implemented. | 2 |
| natdport | Destination port number after NAT is implemented. | 2 |
| stime | Start time of a flow. | 4 |
| etime | End time of a flow. | 4 |
| inpkt | Number of user-to-network flow packets. (This field is not in use.) | 4 |
| inbyte | Number of bytes of user-to-network flow packets. (This field is not in use.) | 4 |
| outpkt | Number of network-to-user flow packets. (This field is not in use.) | 4 |
| outbyte | Number of bytes of network-to-user flow packets. (This field is not in use.) | 4 |
| svpn | Source VPN ID. | 2 |
| dvpn | Destination VPN ID. | 2 |
| pad1 | Reserved. | 4 |
| pad2 | Reserved. | 4 |

Example flow eLog in V2 format (NAT444):

0000  00 00 c0 a8 50 0a 20 0b  c7 9e af ee 08 00 45 00
0010  00 90 00 00 00 00 40 11  59 01 c0 a8 50 01 c0 a8
0020  50 0a 07 ef 23 2a 00 7c  00 00 10 14 00 01 5b 29
0030  5b 82 00 00 00 04 01 23  04 00 11 00 04 00 ca 54
0040  1a 02 6f 00 00 02 7b b0  26 83 7b b0 26 83 9c 40
0050  04 07 23 29 23 29 5b 29  5b 82 00 00 00 00 00 00 
0060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
0070  00 00 00 00 00 00 00 00  00 00 00 23 00 04 00 00
0080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  

NAT64 Logs in V2 Format

Table 3 Description of log syntax fields

| Field | Value | Length in Bytes |
|---|---|---|
| version | Version number, fixed at 0x10. | 1 |
| log_type | NAT64 log type, fixed at 0x15. | 1 |
| count | Number of flow records in the current packet. | 2 |
| unix_sec | Number of seconds from 00:00, January 1, 1970 to the time the packet was generated. | 4 |
| flow_sequence | Sequence number of the flow for which the log is generated. Numbering starts from 0. When the four-byte value overflows, it wraps around to 0. | 4 |
| Cpu-id | CPU ID of a service board. | 4 bits |
| Instance-type | NAT64 instance type, fixed at 5. | 4 bits |
| Instance-id | NAT64 instance ID. | 1 |
| slot | Slot ID of a service board. | 1 |
| ucSeqCarreid | Carry flag. | 1 bit |
| Reserv | Reserved field. | 7 bits |
| prot | Type of protocol over IP. | 1 |
| ip_ver | IP version number. (This field is not in use.) | 1 |
| flag | Flag field, fixed at 0x03. (This field is not in use.) | 1 |
| res | Reserved. (This field is not in use.) | 1 |
| stIP6SourceIP | Source IPv6 address before NAT64 processing. | 16 |
| stIP6DestIP | Destination IPv6 address before NAT64 processing. | 16 |
| sport | Source port number before NAT64 processing. | 2 |
| dport | Destination port number before NAT64 processing. | 2 |
| stime | Date and time when the flow started. | 4 |
| etime | Date and time when the flow ended. | 4 |
| inpkt | Number of forward flow packets. (This field is not in use.) | 4 |
| inbyte | Number of forward flow bytes. (This field is not in use.) | 4 |
| outpkt | Number of reverse flow packets. (This field is not in use.) | 4 |
| outbyte | Number of reverse flow bytes. (This field is not in use.) | 4 |
| svpn | Source VPN ID. | 2 |
| dvpn | Destination VPN ID. | 2 |
| natsport | Source port number after NAT64 processing. | 2 |
| natdport | Destination port number after NAT64 processing. | 2 |
| natsip | Source IPv4 address after NAT64 processing. | 4 |
| natdip | Destination IPv4 address after NAT64 processing. | 4 |
| TunnelID | Tunnel ID. (This field is not in use.) | 4 |
| pad2 | Reserved. (This field is not in use.) | 2 |
| pad2 | Reserved. (This field is not in use.) | 2 |
| pad3 | Reserved. (This field is not in use.) | 4 |
| pad3 | Reserved. (This field is not in use.) | 4 |

Copyright © Huawei Technologies Co., Ltd.