Flow Event fields

These fields contain data about the flow itself.

- start_time
  type: date
  example: 2015-01-24 14:06:05.071000
  format: YYYY-MM-DDTHH:MM:SS.milliZ
  required: True
  The time at which the first packet of the flow was seen.

- last_time
  type: date
  example: 2015-01-24 14:06:05.071000
  format: YYYY-MM-DDTHH:MM:SS.milliZ
  required: True
  The time at which the most recently processed packet of the flow was seen.

- final
  Indicates whether this event is the last event for the flow. If final is false, the event reports an intermediate flow state only.

- flow_id
  Internal flow id derived from the connection metadata and addresses.

- vlan
  Innermost VLAN address used in the network packets.

- outer_vlan
  Second innermost VLAN address used in the network packets.
source fields

Properties of the source host.

- source.mac
  Source MAC address as indicated by the first packet seen for the current flow.

- source.ip
  Innermost IPv4 source address as indicated by the first packet seen for the current flow.

- source.ip_location
  type: geo_point
  example: 40.715, -74.011
  The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

- source.outer_ip
  Second innermost IPv4 source address as indicated by the first packet seen for the current flow.

- source.outer_ip_location
  type: geo_point
  example: 40.715, -74.011
  The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

- source.ipv6
  Innermost IPv6 source address as indicated by the first packet seen for the current flow.

- source.ipv6_location
  type: geo_point
  example: 60.715, -76.011
  The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

- source.outer_ipv6
  Second innermost IPv6 source address as indicated by the first packet seen for the current flow.

- source.outer_ipv6_location
  type: geo_point
  example: 60.715, -76.011
  The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

- source.port
  Source port number as indicated by the first packet seen for the current flow.

stats fields

Object with source to destination flow measurements.

- source.stats.net_packets_total
  type: long
  Total number of packets.

- source.stats.net_bytes_total
  type: long
  Total number of bytes.
dest fields

Properties of the destination host.

- dest.mac
  Destination MAC address as indicated by the first packet seen for the current flow.

- dest.ip
  Innermost IPv4 destination address as indicated by the first packet seen for the current flow.

- dest.ip_location
  type: geo_point
  example: 40.715, -74.011
  The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

- dest.outer_ip
  Second innermost IPv4 destination address as indicated by the first packet seen for the current flow.

- dest.outer_ip_location
  type: geo_point
  example: 40.715, -74.011
  The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

- dest.ipv6
  Innermost IPv6 destination address as indicated by the first packet seen for the current flow.

- dest.ipv6_location
  type: geo_point
  example: 60.715, -76.011
  The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

- dest.outer_ipv6
  Second innermost IPv6 destination address as indicated by the first packet seen for the current flow.

- dest.outer_ipv6_location
  type: geo_point
  example: 60.715, -76.011
  The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

- dest.port
  Destination port number as indicated by the first packet seen for the current flow.

stats fields

Object with destination to source flow measurements.

- dest.stats.net_packets_total
  type: long
  Total number of packets.

- dest.stats.net_bytes_total
  type: long
  Total number of bytes.

- icmp_id
  ICMP id used in an ICMP-based flow.

- connection_id
  Optional TCP connection id.
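The fields above are easy to misuse in one respect: the stats counters are cumulative over the life of a flow, and an event with final set to false is only an intermediate snapshot, so summing every event per flow_id double-counts bytes. The following added example (not Packetbeat's own code) reduces a stream of constructed flow events to the latest state per flow_id, parses the documented timestamp format, and applies a simple triage heuristic for flows whose source to destination volume far exceeds the reply. The event layout (dotted names as nested objects) and the sample values are assumptions made for the example.

```python
from datetime import datetime

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # the documented YYYY-MM-DDTHH:MM:SS.milliZ


def stats(packets, nbytes):
    """Build a stats object as exported under source.stats / dest.stats."""
    return {"net_packets_total": packets, "net_bytes_total": nbytes}


# Constructed sample events (not real captures). Flow A appears twice: an
# intermediate snapshot followed by its final event, each carrying cumulative counters.
SAMPLE_EVENTS = [
    {"flow_id": "A", "final": False, "start_time": "2015-01-24T14:06:05.071Z",
     "last_time": "2015-01-24T14:06:15.071Z",
     "source": {"ip": "10.0.0.5", "port": 51234, "stats": stats(40, 40000)},
     "dest": {"ip": "203.0.113.9", "port": 443, "stats": stats(20, 2000)}},
    {"flow_id": "B", "final": True, "start_time": "2015-01-24T14:06:07.000Z",
     "last_time": "2015-01-24T14:06:09.500Z",
     "source": {"ip": "10.0.0.6", "port": 40000, "stats": stats(30, 5000)},
     "dest": {"ip": "203.0.113.10", "port": 443, "stats": stats(600, 800000)}},
    {"flow_id": "C", "final": False, "start_time": "2015-01-24T14:06:10.000Z",
     "last_time": "2015-01-24T14:06:40.000Z",
     "source": {"ip": "10.0.0.7", "port": 40001, "stats": stats(100, 120000)},
     "dest": {"ip": "203.0.113.11", "port": 22, "stats": stats(10, 1000)}},
    {"flow_id": "A", "final": True, "start_time": "2015-01-24T14:06:05.071Z",
     "last_time": "2015-01-24T14:07:05.071Z",
     "source": {"ip": "10.0.0.5", "port": 51234, "stats": stats(130, 150000)},
     "dest": {"ip": "203.0.113.9", "port": 443, "stats": stats(30, 3000)}},
]


def parse_time(value):
    """Parse the documented timestamp format; %f accepts the 3-digit millisecond part."""
    return datetime.strptime(value, TIME_FMT)


def latest_state(events):
    """One event per flow_id: a final event always wins, otherwise the newest last_time.
    Counters are cumulative, so snapshots are replaced, never added together."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["flow_id"])
        newer = cur is not None and cur["final"] == ev["final"] and \
            parse_time(ev["last_time"]) > parse_time(cur["last_time"])
        if cur is None or (ev["final"] and not cur["final"]) or newer:
            latest[ev["flow_id"]] = ev
    return latest


def summarize(ev):
    """Per-direction byte counts, duration in seconds and upload ratio for one event."""
    out_b = ev["source"]["stats"]["net_bytes_total"]
    in_b = ev["dest"]["stats"]["net_bytes_total"]
    duration = (parse_time(ev["last_time"]) - parse_time(ev["start_time"])).total_seconds()
    return {"flow_id": ev["flow_id"], "final": ev["final"], "duration_s": duration,
            "bytes_out": out_b, "bytes_in": in_b,
            "out_in_ratio": out_b / in_b if in_b else float("inf")}


def upload_heavy_flows(events, min_bytes_out=100_000, min_ratio=10.0):
    """Triage heuristic: flows whose outbound volume dwarfs the reply, judged on the
    latest state of each flow (intermediate snapshots included)."""
    return sorted(s["flow_id"] for s in map(summarize, latest_state(events).values())
                  if s["bytes_out"] >= min_bytes_out and s["out_in_ratio"] >= min_ratio)
```

Because flow A is reduced to its final event, its reported volume is 150000 bytes, not the 190000 a naive sum of both events would give.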