Flow Table Reports

Flow table reports contain information on the traffic flows passing through Threat Defender. Using Threat Defender, you can generate plain flow table reports and anonymized flow table reports that do not contain IP addresses (see Flow Table Reporting).

The following table lists the columns of a flow table report in the order in which they are reported.

| Column Header | Description |
|---|---|
| thread_id | ID of the processing thread. It starts at 0 and is incremented for each new processing thread. |
| vlan_tag | VLAN tag assigned to the flow. If the flow has no VLAN tag, this entry is 0. |
| src_ip | Source IP address of the flow. In anonymized reports, these entries are hashed. |
| src_port | Source port of the flow. |
| dst_ip | Destination IP address of the flow. In anonymized reports, these entries are hashed. |
| dst_port | Destination port of the flow. |
| l4_protocol | Layer 4 protocol ID as stated in the IP header. |
| src_asset | Source asset of the flow. |
| dst_asset | Destination asset of the flow. |
| src_asset_tags | Tags assigned to the source asset of the flow. |
| dst_asset_tags | Tags assigned to the destination asset of the flow. |
| user_id | ID of the user who initiated the flow. |
| flow_id | Flow ID. |
| dpi_protocol | DPI protocol used by the flow. |
| dpi_application | DPI application used by the flow. |
| packets_src_to_dst | Number of packets sent from the flow source to the flow destination. |
| packets_dst_to_src | Number of packets sent from the flow destination to the flow source. |
| bytes_src_to_dst | Number of bytes sent from the flow source to the flow destination. |
| bytes_dst_to_src | Number of bytes sent from the flow destination to the flow source. |
| flow_start_ts | Timestamp of the start of the flow in microsecond resolution. |
| flow_last_packet_ts | Timestamp of the last packet belonging to the flow in microsecond resolution. |
| hash_element_last_lazy_ts | Timestamp when the flow was last checked for timeout eviction. |
| hash_table_last_update_ts | Timestamp of the last flow table update in microsecond resolution. |
| hash_element_lifetime | Amount of time left in microseconds before this entry is evicted. |
| hash_element_timeout | Total amount of time in microseconds that this entry is allowed to persist. |
| hash_element_timeout_queue | Queue number where this entry is stored. 0 indicates a short timeout (5s); 1 indicates a medium timeout (60s); 2 indicates a long timeout (1hr). |
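The following Python code is an added example, not part of the Threat Defender documentation or product. It reads a report, derives per-flow duration and byte totals from the columns above, and checks that each entry's timeout fields agree with its queue. It assumes the report is CSV with a header row and that timestamps and timeouts are integer microseconds; the sample rows, the `summarize` function and the two consistency checks are constructed for illustration.

```python
import csv
import io

# Queue number -> timeout in microseconds (5 s, 60 s, 1 h, as listed in the table).
QUEUE_TIMEOUT_US = {0: 5_000_000, 1: 60_000_000, 2: 3_600_000_000}
L4_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

# Constructed sample: a subset of the report columns, CSV layout assumed.
SAMPLE_REPORT = """\
flow_id,src_ip,dst_ip,l4_protocol,bytes_src_to_dst,bytes_dst_to_src,flow_start_ts,flow_last_packet_ts,hash_element_lifetime,hash_element_timeout,hash_element_timeout_queue
1,10.0.0.5,192.0.2.10,6,1200,560000,1700000000000000,1700000004500000,58000000,60000000,1
2,10.0.0.7,198.51.100.3,17,90,0,1700000001000000,1700000001000000,4000000,5000000,0
3,10.0.0.9,203.0.113.8,6,48000000,2100,1700000002000000,1700000902000000,3500000000,60000000,2
"""

def summarize(report_text):
    """Return one summary dict per flow, with any inconsistencies found."""
    rows = []
    for r in csv.DictReader(io.StringIO(report_text)):
        queue = int(r["hash_element_timeout_queue"])
        timeout = int(r["hash_element_timeout"])
        lifetime = int(r["hash_element_lifetime"])
        problems = []
        # Assumed invariant: the total timeout equals the queue's timeout.
        if QUEUE_TIMEOUT_US.get(queue) != timeout:
            problems.append("timeout does not match queue")
        # Assumed invariant: remaining lifetime never exceeds the total timeout.
        if lifetime > timeout:
            problems.append("lifetime exceeds timeout")
        proto = int(r["l4_protocol"])
        start, last = int(r["flow_start_ts"]), int(r["flow_last_packet_ts"])
        rows.append({
            "flow_id": r["flow_id"],
            "l4": L4_NAMES.get(proto, str(proto)),
            "duration_s": (last - start) / 1e6,  # microseconds -> seconds
            "total_bytes": int(r["bytes_src_to_dst"]) + int(r["bytes_dst_to_src"]),
            "problems": problems,
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

In an anonymized report, `src_ip` and `dst_ip` hold hashed values, so they can still be carried through as opaque strings for grouping.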