Classic NetFlow and flow analytics typically rely on L3/L4 fields — source IP, destination IP, port, protocol and byte count. That data is valuable for network capacity and traffic direction, but in modern HTTP and API traffic it cannot answer the question "what happened?" on its own. Hundreds of different hosts, paths, methods and application behaviors can share the same IP and port.
Operations and security teams can see high traffic volumes on the flow collector screen, but if they cannot see which URL, method, status code or client context generated that traffic, analysis stays incomplete. L7 context is required for capacity planning, DDoS analysis, PCI scope reporting and request-level audit.
Closing this gap with a separate flow probe or external collector layer is possible, but it adds installation work, separate maintenance, a separate high-availability model and separate monitoring overhead. When application traffic is already traversing the ADC/WAAP layer, reproducing the same context at a different point is operationally inefficient.
The right approach is to produce flow exports at the traffic transit point and deliver them to external systems in standard IPFIX / NetFlow format. Standard fields preserve network visibility while Enterprise IE fields add HTTP context. Flow analytics systems can then answer not only "which IP talked how much?" but also "which path, which response and which client context was involved?"
TR7 Native IPFIX / NetFlow Export combines standard IPFIX fields with TR7 Enterprise IE fields, producing L7-enriched flow records from both the request and response phases.
TR7 removes flow export from the role of an external probe and implements it as a built-in observability layer inside the ADC/WAAP data path.
Standard and enterprise information elements are prepared by the built-in library. The Lua wrapper collects the required values from the request and response phases and converts them into IPFIX records.
On the request side, host, path, query, method, headers and uploaded byte data are collected. On the response side, status code, response content-type, downloaded bytes and termination state complete the flow record.
The IPFIX v10 format uses template sets and template IDs to define flow fields for external systems. This model enables collectors to parse fields correctly and maintains compatibility with standard flow analytics tooling.
Under TR7 Enterprise Number 57011, custom fields are defined for upload/download byte counts, request query, X-Forwarded-For, Referer, Cookie, response content-type and termination state. Classic flow data is enriched with L7 context through this mechanism.
IPFIX / NetFlow export combines standard network fields with HTTP request/response detail, sending enriched flow records to collector systems.
TR7 can export sourceIPv4Address, destinationIPv4Address, sourceIPv6Address and destinationIPv6Address using standard IPFIX information elements. Both IPv4 and IPv6 traffic are visible within flow analytics scope. Dual-stack environments are not limited to IPv4-only analysis. Source and destination network visibility is preserved on the collector side through standard fields.
The sourceTransportPort and destinationTransportPort fields are included in the flow record. These fields are important in network-level analysis for client connections, VIP ports and service access. Combined with HTTP context, it becomes possible to see which application path runs over which port. Capacity and anomaly analysis becomes more meaningful.
Standard HTTP fields such as httpRequestHost, httpRequestPath, httpRequestMethod and httpMessageVersion elevate the flow record to L7 level. Different hosts or paths arriving on the same IP and port can be distinguished. This provides critical visibility in virtual service and multi-application environments. Flow analytics no longer sees only the connection — it sees the context of the application request.
The httpStatusCode field indicates whether the response was a success, redirect, client error or server error. The request content-type and response content-type fields help analyze the type of data being transferred. This information is especially valuable for error rate analysis, API behavior inspection and data-type-based traffic investigation. L7 error trends can be read more clearly on the flow collector.
The httpUserAgent, httpReferrer and httpCookie fields enable more detailed analysis of client behavior. These fields can be used for bot analysis, user flow inspection and client-type differentiation. The Cookie field may contain sensitive data, so the export policy should be designed carefully. It should be enabled only for secure environments and limited collector targets when needed.
The TR7 Enterprise IE includes uploadedBytes and downloadedBytes fields. These fields allow request body and response body volume to be measured at the flow level. Not just total connection byte count but directional application data flow can be analyzed. This visibility is valuable in cases such as large uploads, abnormal downloads or suspected data exfiltration.
The httpRequestQuery field adds query parameters beyond the path into the flow record. The httpXForwardedFor field helps analyze the real client IP behind a proxy chain. Both fields are particularly useful when correlating application logs with flow records. Request context becomes more complete in security and compliance investigations.
The httpTerminationStateCode field provides an additional signal about how the connection ended. Normal close, error, interruption or unexpected termination can be differentiated in flow analytics. This information helps in jointly evaluating network and application layer issues. It is a valuable field for SRE teams during error root cause analysis.
Enterprise IE fields are defined under TR7 Enterprise Number 57011. This structure does not break standard IPFIX compatibility; it carries custom fields in a clearly parseable way. When the collector side is configured to recognize these fields, L7 details become available in flow dashboards. Standard and custom fields are combined in the same export record.
TR7's export approach is built on IPFIX v10 and supports a NetFlow v9 backward-compatible path. This makes integration with organizations' existing flow collector and network visibility investments straightforward. Rather than learning a new custom log format, the standard flow ecosystem can be used. L7 enrichment arrives as TR7's additional value layer.
IPFIX / NetFlow export operates alongside template structure, enterprise fields, transport behavior, byte order and build dependencies.
The IPFIX version value is 10. Template Set ID is 2 and Template ID is 256. This template informs the collector which fields will arrive and in which order.
The IPFIX header consists of version, length, exportTime, sequenceNumber and observationDomainId fields. Total header length is 16 bytes. This structure provides the base frame for standard IPFIX collector compatibility.
TR7 custom information elements are carried under Enterprise Number 57011. The uploadedBytes, downloadedBytes, httpRequestQuery, httpXForwardedFor, httpReferrer, httpCookie, httpResponseContentType and httpTerminationStateCode fields are defined in this scope. Non-standard L7 fields are explicitly differentiated through this mechanism.
The default transport for export is UDP. The collector port is configurable to values such as 4779 or 2055 depending on environment requirements. UDP is a low-overhead and widely used flow transport model; for environments requiring delivery guarantees, the collector architecture should be planned accordingly.
Multi-byte fields are transmitted using network byte order. This behavior is critical for correct parsing of port, length, template and counter fields. Collector compatibility depends heavily on this standard encoding.
The built-in C library is compiled as a shared library for Lua integration. The build environment requires Lua development packages, pkg-config and compilation tools. The resulting library is called by the Lua wrapper to produce flow records.
A service provider receiving IPFIX export from TR7 can view HTTP host, path and status code details in their existing flow analytics system. Classic IP/port analysis is extended with L7 context. Capacity and anomaly investigation becomes more meaningful.
Financial institutions can export every HTTP request as a flow record to external systems. Host, path, method, status code and byte fields can be correlated with a SIEM or flow collector. Audit questions about which traffic flowed through which application path are answered more clearly.
Security teams can use uploaded/downloaded byte values and HTTP status code distribution from flow records for anomaly detection. Sudden high uploads, abnormal downloads or dense 4xx/5xx patterns can be monitored at the collector. TR7 carries L7 signals to the flow layer for attack analysis.
Application paths within cardholder data scope can be tracked with host and URL context inside the flow export. Audit teams receive traffic evidence based on the relevant HTTP path rather than just IP/port. This strengthens scope determination and audit trail creation processes.
Operations teams can view traffic volume by HTTP path rather than IP/port alone in their existing flow analytics system. Which endpoint carries what load can be analyzed in greater detail. This visibility supports resource planning and growth decisions.
IPFIX v10 and NetFlow v9-compatible native export — HTTP-enriched flow records without a separate probe. Let's run a live walkthrough on your own collector infrastructure.