Exported network telemetry provides information across all network layers including performance metrics and rich application layer telemetry.

| Layer | Information |
|---|---|
| Link layer (L2) | ARP |
| | MAC addresses |
| | VLAN tag |
| | Interface index |
| Network and transport layer (L3/L4) | IP addresses, ports, protocols |
| | Volumetric statistics (bytes, packets, flows) |
| | Timestamp and signaling (TCP flags) |
| | Network performance metrics (Round Trip Time (RTT), Server Response Time (SRT), TCP retransmissions, jitter) |
| | Extended TCP telemetry (Time To Live (TTL), SYN packet size, default TCP window size) |
| | VxLAN ID |
| Application layer (L7) | DHCP |
| | DNS |
| | HTTP |
| | Email |
| | Application ID (Network Based Application Recognition (NBAR2)) |
| | Samba |
| | Extended VoIP |
| | PostgreSQL |
| | MySQL |

Note: For further details on NBAR2, refer to the following RFC: Cisco Systems Export of Application Information in IP Flow Information Export (IPFIX).

Network traffic is monitored at the interface level. When SSL offloading with re-encryption is used, network telemetry does not contain any application layer telemetry related to the HTTP protocol. However, TLS/SSL information such as Server Name Indication (SNI), TLS version, or certificate information is available (depending on the TLS version in use).

The reduction ratio of original traffic volume to network telemetry volume is 250:1, which means that monitoring 1 Gbps of traffic generates approximately 4 Mbps of traffic statistics. The real value may vary according to the traffic structure and the mixture of application protocols.

For further details on IPFIX, refer to the following RFC: Information Model for IP Flow Information Export.