Cisco Cisco IOS Software Release 12.0(15)S

The SourcePrefix-ToS aggregation scheme groups flows with common source prefix, source prefix 
mask, source BGP autonomous system, ToS byte, and input interface. The aggregated NetFlow Export 
record reports the following:

Source prefix

Source prefix mask

Source autonomous system

ToS byte

Number of bytes summarized by this aggregated record

Number of packets summarized by this aggregation record

Input interface

Starting and ending time stamps

This aggregation scheme is particularly useful for generating data with which to examine the sources of 
network traffic passing through a NetFlow-enabled device. Figure 5 displays the Source Prefix-ToS 
aggregation export record format and a list follows describing the data.

When a router does not have a prefix for the source IP address in the flow, 0.0.0.0 with 0 
mask bits is used rather than making /32 entries to prevent DOS attacks with random source 
address from thrashing the aggregation caches. This is done for the destination in the 
DestinationPrefix-ToS, and the Prefix-ToS and Prefix-Port aggregation schemes.

Flows: Number of main cache flows that were aggregated.

Packets: Number of packets in the aggregated flows.

Flows

Packets

Bytes

First

Last

0

4

8

12

16

20

Reserved

24

Source Prefix

ToS

Src Mask Bits

Source Interface

Source AS

28