Flow Table Reports

Flow table reports contain various information on the traffic flows passing through Threat Defender. Using Threat Defender, you can generate plain flow table reports and anonymized flow table reports that do not contain IP addresses (see Flow Table Reporting).

The following table lists the columns of a flow table report in the order in which they are reported.

| Column Header | Description |
|---|---|
| thread_id | ID of the processing thread. It starts at 0 and is incremented for each new processing thread. |
| vlan_tag | VLAN tag assigned to the flow. If the flow has no VLAN tag, this entry is 0. |
| src_ip | Source IP address of the flow. In anonymized reports, these entries are hashed. |
| src_port | Source port of the flow. |
| dst_ip | Destination IP address of the flow. In anonymized reports, these entries are hashed. |
| dst_port | Destination port of the flow. |
| l4_protocol | Layer 4 protocol ID as stated in the IP header. |
| src_asset | Source asset of the flow. |
| dst_asset | Destination asset of the flow. |
| src_asset_tags | Tags assigned to the source asset of the flow. |
| dst_asset_tags | Tags assigned to the destination asset of the flow. |
| user_id | ID of the user who initiated the flow. |
| flow_id | Flow ID |
| dpi_protocol | DPI protocol used by the flow. |
| dpi_application | DPI application used by the flow. |
| packets_src_to_dst | Number of packets sent from the flow source to the flow destination. |
| packets_dst_to_src | Number of packets sent from the flow destination to the flow source. |
| bytes_src_to_dst | Number of bytes sent from the flow source to the flow destination. |
| bytes_dst_to_src | Number of bytes sent from the flow destination to the flow source. |
| flow_start_ts | Timestamp of the start of the flow in microsecond resolution. |
| flow_last_packet_ts | Timestamp of the last packet belonging to the flow in microsecond resolution. |
| hash_element_last_lazy_ts | Timestamp when the flow was last checked for timeout eviction. |
| hash_table_last_update_ts | Timestamp of the last flow table update in microsecond resolution. |
| hash_element_lifetime | Amount of time left in microseconds before this entry is evicted. |
| hash_element_timeout | Total amount of time in microseconds that this entry is allowed to persist. |
| hash_element_timeout_queue | Queue number where this entry is stored. 0 indicates a short timeout (5s); 1 indicates a medium timeout (60s); 2 indicates a long timeout (1hr). |
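
As an added example (not part of the Threat Defender documentation), the following Python code reads a flow table report and uses the columns described above to total bytes per source, compute each flow's duration, and list flows with no packets in the return direction. It assumes the report is available as CSV with a header row and integer timestamps; the sample rows are constructed and show only the columns the code reads.

```python
import csv
import io
from collections import Counter

# Timeout queues as documented in the table above: number -> (label, seconds).
TIMEOUT_QUEUES = {0: ("short", 5), 1: ("medium", 60), 2: ("long", 3600)}

# Constructed sample rows. Assumptions: CSV export with a header row; only the
# columns used below are shown, a real report carries every documented column.
SAMPLE = """\
src_ip,dst_ip,dst_port,l4_protocol,packets_src_to_dst,packets_dst_to_src,bytes_src_to_dst,bytes_dst_to_src,flow_start_ts,flow_last_packet_ts,hash_element_timeout_queue
192.0.2.10,198.51.100.5,443,6,12,10,1800,52000,1700000000000000,1700000002500000,2
192.0.2.10,198.51.100.9,22,6,3,0,180,0,1700000001000000,1700000004000000,0
192.0.2.77,198.51.100.5,53,17,1,1,70,130,1700000005000000,1700000005020000,0
"""


def summarize(report_text):
    """Return (per-flow summaries, bytes per src_ip, flows with no return packets)."""
    flows, bytes_by_src, unanswered = [], Counter(), []
    for row in csv.DictReader(io.StringIO(report_text)):
        sent, recv = int(row["bytes_src_to_dst"]), int(row["bytes_dst_to_src"])
        queue = int(row["hash_element_timeout_queue"])
        label, seconds = TIMEOUT_QUEUES.get(queue, ("unknown", None))
        start, last = int(row["flow_start_ts"]), int(row["flow_last_packet_ts"])
        flow = {
            "src_ip": row["src_ip"],
            "dst": f'{row["dst_ip"]}:{row["dst_port"]}',
            "l4_protocol": int(row["l4_protocol"]),
            # Both timestamps are in microseconds; convert the difference to seconds.
            "duration_s": (last - start) / 1_000_000,
            "total_bytes": sent + recv,
            "timeout": label,
            "timeout_s": seconds,
        }
        flows.append(flow)
        bytes_by_src[row["src_ip"]] += sent + recv
        # No packets from destination to source were seen for this flow.
        if int(row["packets_dst_to_src"]) == 0:
            unanswered.append(flow)
    return flows, bytes_by_src, unanswered


if __name__ == "__main__":
    flows, bytes_by_src, unanswered = summarize(SAMPLE)
    for src, total in bytes_by_src.most_common():
        print(src, total)
    for flow in unanswered:
        print("no return packets:", flow["src_ip"], "->", flow["dst"])
```

Because the code looks columns up by header name, it works unchanged on reports that contain all documented columns, and on anonymized reports it groups by the hashed src_ip values as they appear.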
