Flow Event Fields

These fields contain data about the flow itself.

start_time

type: date

example: 2015-01-24T14:06:05.071Z

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time at which the first packet of the flow was seen.

last_time

type: date

example: 2015-01-24T14:06:05.071Z

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time at which the most recently processed packet of the flow was seen.

final

type: boolean

Indicates whether this event is the last event reported for the flow. If final is false, the event reports an intermediate flow state only; a later event with the same flow_id supersedes it.

flow_id

Internal flow ID derived from the connection metadata and addresses. All intermediate and final events of one flow share the same flow_id.

vlan

Innermost VLAN ID carried in the flow's packets.

outer_vlan

Second innermost VLAN ID, present when frames carry stacked (QinQ) VLAN tags.

source Fields

Properties of the source host

source.mac

Source MAC address as indicated by the first packet seen for the current flow.

source.ip

Innermost IPv4 source address as indicated by the first packet seen for the current flow.

source.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the source.ip address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ip

Second innermost IPv4 source address as indicated by the first packet seen for the current flow.

source.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the source.outer_ip address. The field is a string containing the latitude and longitude separated by a comma.

source.ipv6

Innermost IPv6 source address as indicated by the first packet seen for the current flow.

source.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the source.ipv6 address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ipv6

Second innermost IPv6 source address as indicated by the first packet seen for the current flow.

source.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the source.outer_ipv6 address. The field is a string containing the latitude and longitude separated by a comma.

source.port

Source port number as indicated by the first packet seen for the current flow.

source.stats Fields

Object with source-to-destination flow measurements.

source.stats.net_packets_total

type: long

Total number of packets seen from source to destination in this flow so far.

source.stats.net_bytes_total

type: long

Total number of bytes seen from source to destination in this flow so far.

dest Fields

Properties of the destination host

dest.mac

Destination MAC address as indicated by the first packet seen for the current flow.

dest.ip

Innermost IPv4 destination address as indicated by the first packet seen for the current flow.

dest.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the dest.ip address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ip

Second innermost IPv4 destination address as indicated by the first packet seen for the current flow.

dest.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the dest.outer_ip address. The field is a string containing the latitude and longitude separated by a comma.

dest.ipv6

Innermost IPv6 destination address as indicated by the first packet seen for the current flow.

dest.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the dest.ipv6 address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ipv6

Second innermost IPv6 destination address as indicated by the first packet seen for the current flow.

dest.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the dest.outer_ipv6 address. The field is a string containing the latitude and longitude separated by a comma.

dest.port

Destination port number as indicated by the first packet seen for the current flow.

dest.stats Fields

Object with destination-to-source flow measurements.

dest.stats.net_packets_total

type: long

Total number of packets seen from destination to source in this flow so far.

dest.stats.net_bytes_total

type: long

Total number of bytes seen from destination to source in this flow so far.

icmp_id

ICMP identifier used in an ICMP-based flow; such flows carry no source.port or dest.port.

connection_id

Optional TCP connection ID.
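The fields above are easiest to understand in use. The following Python is an added example, not code from this page's project: it reduces a stream of flow events to one record per flow_id (a later event supersedes an earlier one, since the *_total counters are running totals rather than per-event deltas), derives the flow duration from start_time and last_time, separates source-to-destination from destination-to-source volume, and flags flows whose outbound volume is large and lopsided as upload/exfiltration candidates. The events are constructed for the example; the dotted field names are written as nested objects, the timestamps follow the YYYY-MM-DDTHH:MM:SS.milliZ format stated above, and the thresholds are assumptions to tune locally.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (not real captures). Field names follow the flow event
# schema documented above, with dotted names written as nested objects (an assumption).
SAMPLE_EVENTS = [
    # flow f1: an intermediate report, then the final report 30 s later
    {"flow_id": "f1", "final": False,
     "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:15.071Z",
     "source": {"ip": "10.0.0.5", "port": 51234,
                "stats": {"net_packets_total": 900, "net_bytes_total": 1000000}},
     "dest": {"ip": "203.0.113.10", "port": 443,
              "stats": {"net_packets_total": 300, "net_bytes_total": 40000}}},
    {"flow_id": "f1", "final": True,
     "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:35.071Z",
     "source": {"ip": "10.0.0.5", "port": 51234,
                "stats": {"net_packets_total": 4000, "net_bytes_total": 5000000}},
     "dest": {"ip": "203.0.113.10", "port": 443,
              "stats": {"net_packets_total": 500, "net_bytes_total": 60000}}},
    # flow f2: still open, only an intermediate report so far; mostly inbound (a download)
    {"flow_id": "f2", "final": False,
     "start_time": "2015-01-24T14:07:00.000Z", "last_time": "2015-01-24T14:07:10.000Z",
     "source": {"ip": "10.0.0.7", "port": 40000,
                "stats": {"net_packets_total": 10, "net_bytes_total": 2000}},
     "dest": {"ip": "203.0.113.20", "port": 80,
              "stats": {"net_packets_total": 120, "net_bytes_total": 150000}}},
    # flow f3: an ICMP flow, so it carries icmp_id and no ports
    {"flow_id": "f3", "final": True, "icmp_id": 1234,
     "start_time": "2015-01-24T14:08:00.000Z", "last_time": "2015-01-24T14:08:09.000Z",
     "source": {"ip": "10.0.0.9",
                "stats": {"net_packets_total": 10, "net_bytes_total": 840}},
     "dest": {"ip": "10.0.0.1",
              "stats": {"net_packets_total": 10, "net_bytes_total": 840}}},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # the YYYY-MM-DDTHH:MM:SS.milliZ format stated above


def parse_ts(value):
    """Parse a start_time/last_time string into an aware UTC datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def latest_state(events):
    """Reduce a stream of events to one record per flow_id.

    The *_total counters are running totals for the flow, so an event for a flow_id
    replaces an earlier one instead of being added to it. The record with the newest
    last_time wins; a final event wins over an intermediate one with the same last_time.
    """
    latest = {}
    for ev in events:
        key = ev["flow_id"]
        rank = (parse_ts(ev["last_time"]), bool(ev.get("final", False)))
        if key not in latest or rank > latest[key][0]:
            latest[key] = (rank, ev)
    return {k: v[1] for k, v in latest.items()}


def summarize(ev):
    """Flatten one flow record into the numbers an analyst pivots on."""
    src, dst = ev["source"], ev["dest"]
    bytes_out = src["stats"]["net_bytes_total"]  # source -> destination
    bytes_in = dst["stats"]["net_bytes_total"]   # destination -> source
    return {
        "flow_id": ev["flow_id"],
        "final": bool(ev.get("final", False)),
        "src": f'{src["ip"]}:{src.get("port", "-")}',   # "-" for port-less (ICMP) flows
        "dst": f'{dst["ip"]}:{dst.get("port", "-")}',
        "icmp_id": ev.get("icmp_id"),
        "duration_s": (parse_ts(ev["last_time"]) - parse_ts(ev["start_time"])).total_seconds(),
        "bytes_out": bytes_out,
        "bytes_in": bytes_in,
        "packets_out": src["stats"]["net_packets_total"],
        "packets_in": dst["stats"]["net_packets_total"],
        # out/in ratio; max(..., 1) keeps a pure-upload flow from dividing by zero
        "out_in_ratio": bytes_out / max(bytes_in, 1),
    }


def exfil_candidates(events, min_bytes_out=1000000, min_ratio=10.0):
    """Return flow_ids whose source->destination volume is large and lopsided.

    Intermediate (final=False) flows are included on purpose: a long-running upload
    should be flagged while it is still in progress, not only once it closes.
    Thresholds are example values, not recommendations.
    """
    hits = []
    for summary in map(summarize, latest_state(events).values()):
        if summary["bytes_out"] >= min_bytes_out and summary["out_in_ratio"] >= min_ratio:
            hits.append(summary["flow_id"])
    return hits


if __name__ == "__main__":
    for s in map(summarize, latest_state(SAMPLE_EVENTS).values()):
        print(json.dumps(s))
    print("exfil candidates:", exfil_candidates(SAMPLE_EVENTS))
```

Note what the reduction step buys you: summing net_bytes_total across both f1 events would report 6,000,000 bytes for a flow that moved 5,000,000, so any volume-based rule must key on flow_id and keep the newest state rather than aggregate every event.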