WARNING: Version 5.5 of Packetbeat has passed its EOL date.
Flow Event Fields
These fields contain data about the flow itself.
start_time
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the first packet of the flow was seen.
last_time
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the most recently processed packet of the flow was seen.
final
Indicates whether the event is the last event in the flow. If final is false, the event reports an intermediate flow state only.
flow_id
Internal flow ID based on connection metadata and address.
vlan
Innermost VLAN address used in network packets.
outer_vlan
Second innermost VLAN address used in network packets.
source Fields
Properties of the source host.
source.mac
Source MAC address as indicated by the first packet seen for the current flow.
source.ip
Innermost IPv4 source address as indicated by the first packet seen for the current flow.
source.ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ip
Second innermost IPv4 source address as indicated by the first packet seen for the current flow.
source.outer_ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.ipv6
Innermost IPv6 source address as indicated by the first packet seen for the current flow.
source.ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ipv6
Second innermost IPv6 source address as indicated by the first packet seen for the current flow.
source.outer_ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.port
Source port number as indicated by the first packet seen for the current flow.
stats Fields
Object with source to destination flow measurements.
source.stats.net_packets_total
type: long
Total number of packets
source.stats.net_bytes_total
type: long
Total number of bytes
dest Fields
Properties of the destination host.
dest.mac
Destination MAC address as indicated by the first packet seen for the current flow.
dest.ip
Innermost IPv4 destination address as indicated by the first packet seen for the current flow.
dest.ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ip
Second innermost IPv4 destination address as indicated by the first packet seen for the current flow.
dest.outer_ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.ipv6
Innermost IPv6 destination address as indicated by the first packet seen for the current flow.
dest.ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ipv6
Second innermost IPv6 destination address as indicated by the first packet seen for the current flow.
dest.outer_ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.port
Destination port number as indicated by the first packet seen for the current flow.
stats Fields
Object with destination to source flow measurements.
dest.stats.net_packets_total
type: long
Total number of packets
dest.stats.net_bytes_total
type: long
Total number of bytes
icmp_id
ICMP ID used in ICMP-based flows.
connection_id
Optional TCP connection ID.
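Because a flow can produce several events (intermediate reports while final is false, then one final event), per-flow byte accounting has to pick one event per flow_id rather than add them up. The following is an added example, not part of the Packetbeat documentation or code base. It assumes that the net_bytes_total counters are cumulative for the flow, that last_time is an ISO 8601 string, and that a stats object may be missing for a direction; the sample events are constructed.

```python
import json

# Constructed sample flow events (not captured traffic), one JSON document per
# line and deliberately out of order: flow "f1" has its final event in the middle.
SAMPLE = """\
{"flow_id":"f1","final":false,"last_time":"2015-01-24T14:06:15.071Z","source":{"ip":"10.0.0.5","port":51000,"stats":{"net_bytes_total":1200}},"dest":{"ip":"192.0.2.10","port":443,"stats":{"net_bytes_total":300}}}
{"flow_id":"f1","final":true,"last_time":"2015-01-24T14:06:35.071Z","source":{"ip":"10.0.0.5","port":51000,"stats":{"net_bytes_total":5000}},"dest":{"ip":"192.0.2.10","port":443,"stats":{"net_bytes_total":900}}}
{"flow_id":"f1","final":false,"last_time":"2015-01-24T14:06:25.071Z","source":{"ip":"10.0.0.5","port":51000,"stats":{"net_bytes_total":3100}},"dest":{"ip":"192.0.2.10","port":443,"stats":{"net_bytes_total":600}}}
{"flow_id":"f2","final":false,"last_time":"2015-01-24T14:06:20.071Z","source":{"ip":"10.0.0.7","port":40000,"stats":{"net_bytes_total":64}},"dest":{"ip":"192.0.2.20","port":53}}
"""

def load(text):
    """Parse newline-delimited JSON events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def latest_state(events):
    """Return {flow_id: event}, keeping the final event or else the newest one."""
    best = {}
    for ev in events:
        cur = best.get(ev["flow_id"])
        # Rank by (final, last_time): a late-arriving intermediate report
        # must never replace the final event of the same flow.
        rank = (bool(ev.get("final")), ev["last_time"])
        if cur is None or rank > (bool(cur.get("final")), cur["last_time"]):
            best[ev["flow_id"]] = ev
    return best

def _bytes(side):
    # Assumption: stats may be absent if no packet was seen in that direction.
    return side.get("stats", {}).get("net_bytes_total", 0)

def summarize(events):
    """One row per flow; counters come from the chosen event and are not summed."""
    rows = []
    for fid, ev in sorted(latest_state(events).items()):
        rows.append({
            "flow_id": fid,
            "closed": bool(ev.get("final")),  # False: totals are still growing
            "src": f'{ev["source"]["ip"]}:{ev["source"]["port"]}',
            "dst": f'{ev["dest"]["ip"]}:{ev["dest"]["port"]}',
            "bytes_out": _bytes(ev["source"]),
            "bytes_in": _bytes(ev["dest"]),
        })
    return rows

if __name__ == "__main__":
    for row in summarize(load(SAMPLE)):
        print(row)
```

Rows with closed set to False describe flows that are still open, so any volume threshold applied to them should be re-evaluated when the final event arrives.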