WARNING: Version 6.2 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Flow Event fields
These fields contain data about the flow itself.
start_time
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the first packet of the flow was seen.
last_time
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time at which the most recently processed packet of the flow was seen.
final
Indicates whether this event is the last event for the flow. If final is false, the event reports an intermediate flow state only.
flow_id
Internal flow ID derived from the connection metadata and addresses.
vlan
Innermost VLAN identifier used in the network packets.
outer_vlan
Second innermost VLAN identifier used in the network packets.
source fields
Properties of the source host.
source.mac
Source MAC address as indicated by the first packet seen for the current flow.
source.ip
Innermost IPv4 source address as indicated by the first packet seen for the current flow.
source.ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the source.ip address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ip
Second innermost IPv4 source address as indicated by the first packet seen for the current flow.
source.outer_ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the source.outer_ip address. The field is a string containing the latitude and longitude separated by a comma.
source.ipv6
Innermost IPv6 source address as indicated by the first packet seen for the current flow.
source.ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the source.ipv6 address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ipv6
Second innermost IPv6 source address as indicated by the first packet seen for the current flow.
source.outer_ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the source.outer_ipv6 address. The field is a string containing the latitude and longitude separated by a comma.
source.port
Source port number as indicated by the first packet seen for the current flow.
stats fields
Object with source-to-destination flow measurements.
source.stats.net_packets_total
type: long
Total number of packets.
source.stats.net_bytes_total
type: long
Total number of bytes.
dest fields
Properties of the destination host.
dest.mac
Destination MAC address as indicated by the first packet seen for the current flow.
dest.ip
Innermost IPv4 destination address as indicated by the first packet seen for the current flow.
dest.ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the dest.ip address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ip
Second innermost IPv4 destination address as indicated by the first packet seen for the current flow.
dest.outer_ip_location
type: geo_point
example: 40.715, -74.011
The GeoIP location of the dest.outer_ip address. The field is a string containing the latitude and longitude separated by a comma.
dest.ipv6
Innermost IPv6 destination address as indicated by the first packet seen for the current flow.
dest.ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the dest.ipv6 address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ipv6
Second innermost IPv6 destination address as indicated by the first packet seen for the current flow.
dest.outer_ipv6_location
type: geo_point
example: 60.715, -76.011
The GeoIP location of the dest.outer_ipv6 address. The field is a string containing the latitude and longitude separated by a comma.
dest.port
Destination port number as indicated by the first packet seen for the current flow.
stats fields
Object with destination-to-source flow measurements.
dest.stats.net_packets_total
type: long
Total number of packets.
dest.stats.net_bytes_total
type: long
Total number of bytes.
icmp_id
ICMP ID used in ICMP-based flows.
connection_id
Optional TCP connection ID.
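The fields above describe one flow report, but a consumer normally sees many reports for the same flow_id, most of them with final set to false. The following added example (not code from the Packetbeat project or its documentation) folds a stream of such events into one record per finished flow, using the documented field names: it keeps only the latest state per flow_id, takes the byte and packet counters from the final event so intermediate reports are not double counted, parses the geo_point "lat, lon" strings, and computes the flow duration from start_time and last_time in the documented YYYY-MM-DDTHH:MM:SS.milliZ format. The sample events are constructed, and the example assumes (the page does not state it) that the *_total counters in source.stats and dest.stats are cumulative for the lifetime of the flow.

```python
"""Fold Packetbeat flow events into per-flow summaries (added example).

Assumptions not stated on the reference page: events arrive as JSON objects
using the documented field names, and the *_total counters are cumulative
over the life of the flow, so the final event carries the totals.
"""
import json
from datetime import datetime, timezone

# Fields the page marks "required: True", plus the two this aggregation needs.
REQUIRED_FIELDS = ("flow_id", "final", "start_time", "last_time")

# Constructed sample events (not captured from a real deployment). flow-a is
# reported twice as an intermediate state and once as final; flow-b (ICMPv6)
# is reported only once, already final.
SAMPLE_EVENTS = [
    {"flow_id": "flow-a", "final": False,
     "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:15.071Z",
     "source": {"ip": "10.0.0.5", "port": 51234, "ip_location": "40.715, -74.011",
                "stats": {"net_packets_total": 10, "net_bytes_total": 1500}},
     "dest": {"ip": "203.0.113.9", "port": 443,
              "stats": {"net_packets_total": 8, "net_bytes_total": 9000}}},
    {"flow_id": "flow-a", "final": False,
     "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:25.071Z",
     "source": {"ip": "10.0.0.5", "port": 51234, "ip_location": "40.715, -74.011",
                "stats": {"net_packets_total": 20, "net_bytes_total": 3000}},
     "dest": {"ip": "203.0.113.9", "port": 443,
              "stats": {"net_packets_total": 18, "net_bytes_total": 20000}}},
    {"flow_id": "flow-a", "final": True,
     "start_time": "2015-01-24T14:06:05.071Z", "last_time": "2015-01-24T14:06:35.071Z",
     "source": {"ip": "10.0.0.5", "port": 51234, "ip_location": "40.715, -74.011",
                "stats": {"net_packets_total": 25, "net_bytes_total": 3600}},
     "dest": {"ip": "203.0.113.9", "port": 443,
              "stats": {"net_packets_total": 22, "net_bytes_total": 25000}}},
    {"flow_id": "flow-b", "final": True, "icmp_id": 7,
     "start_time": "2015-01-24T14:07:00.000Z", "last_time": "2015-01-24T14:07:01.500Z",
     "source": {"ipv6": "2001:db8::1", "stats": {"net_packets_total": 2, "net_bytes_total": 196}},
     "dest": {"ipv6": "2001:db8::2", "stats": {"net_packets_total": 2, "net_bytes_total": 196}}},
]


def parse_time(value):
    """Parse the documented YYYY-MM-DDTHH:MM:SS.milliZ format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_geo_point(value):
    """Split a geo_point string such as "40.715, -74.011" into a (lat, lon) float pair."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("geo_point must be 'lat, lon': %r" % value)
    lat, lon = float(parts[0]), float(parts[1])
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("geo_point out of range: %r" % value)
    return lat, lon


def endpoint(side):
    """Render one side of the flow: innermost IPv4 or IPv6 address, plus the port if present."""
    addr = side.get("ip") or side.get("ipv6") or "?"
    return "%s:%s" % (addr, side["port"]) if "port" in side else addr


def summarize_flows(events):
    """Return one summary per finished flow (final == true), keyed by flow_id.

    Intermediate events only replace the stored state; counters are read from
    the final event, so partial reports are never summed twice.
    """
    latest, intermediate_seen = {}, {}
    for ev in events:
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            raise ValueError("event missing required fields: %s" % ", ".join(missing))
        fid = ev["flow_id"]
        latest[fid] = ev
        if not ev["final"]:
            intermediate_seen[fid] = intermediate_seen.get(fid, 0) + 1

    summaries = {}
    for fid, ev in latest.items():
        if not ev["final"]:
            continue  # flow still open; wait for its final report
        src, dst = ev.get("source", {}), ev.get("dest", {})
        loc = src.get("ip_location") or src.get("ipv6_location")
        summaries[fid] = {
            "src": endpoint(src),
            "dst": endpoint(dst),
            "duration_s": (parse_time(ev["last_time"]) - parse_time(ev["start_time"])).total_seconds(),
            "bytes_src_to_dst": src.get("stats", {}).get("net_bytes_total", 0),
            "bytes_dst_to_src": dst.get("stats", {}).get("net_bytes_total", 0),
            "src_location": parse_geo_point(loc) if loc else None,
            "intermediate_reports": intermediate_seen.get(fid, 0),
            "icmp_id": ev.get("icmp_id"),
        }
    return summaries


def open_flows(events):
    """Return the ids of flows whose most recent report is still intermediate."""
    latest = {ev["flow_id"]: ev["final"] for ev in events}
    return sorted(fid for fid, final in latest.items() if not final)


if __name__ == "__main__":
    for fid, summary in summarize_flows(SAMPLE_EVENTS).items():
        print(fid, json.dumps(summary))
```

For a detection pipeline the distinction between intermediate and final reports matters: counting bytes from every event inflates volume-based alerts, while ignoring intermediate events entirely hides long-lived flows until they close. open_flows shows the second view, so both can be reported side by side.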