WARNING: Version 5.6 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Flow Event Fields
editFlow Event Fields
editThese fields contain data about the flow itself.
start_time
edittype: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time, the first packet for the flow has been seen.
last_time
edittype: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time, the most recent processed packet for the flow has been seen.
final
editIndicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
flow_id
editInternal flow id based on connection meta data and address.
vlan
editInnermost VLAN address used in network packets.
outer_vlan
editSecond innermost VLAN address used in network packets.
source Fields
editProperties of the source host
source.mac
editSource MAC address as indicated by first packet seen for the current flow.
source.ip
editInnermost IPv4 source address as indicated by first packet seen for the current flow.
source.ip_location
edittype: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_source
IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ip
editSecond innermost IPv4 source address as indicated by first packet seen for the current flow.
source.outer_ip_location
edittype: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_source
IP address. The field is a string containing the latitude and longitude separated by a comma.
source.ipv6
editInnermost IPv6 source address as indicated by first packet seen for the current flow.
source.ipv6_location
edittype: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_source
IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ipv6
editSecond innermost IPv6 source address as indicated by first packet seen for the current flow.
source.outer_ipv6_location
edittype: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_source
IP address. The field is a string containing the latitude and longitude separated by a comma.
source.port
editSource port number as indicated by first packet seen for the current flow.
stats Fields
editObject with source to destination flow measurements.
source.stats.net_packets_total
edittype: long
Total number of packets
source.stats.net_bytes_total
edittype: long
Total number of bytes
dest Fields
editProperties of the destination host
dest.mac
editDestination MAC address as indicated by first packet seen for the current flow.
dest.ip
editInnermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.ip_location
edittype: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_dest
IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ip
editSecond innermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.outer_ip_location
edittype: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_dest
IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.ipv6
editInnermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.ipv6_location
edittype: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_dest
IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ipv6
editSecond innermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.outer_ipv6_location
edittype: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_dest
IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.port
editDestination port number as indicated by first packet seen for the current flow.
stats Fields
editObject with destination to source flow measurements.
dest.stats.net_packets_total
edittype: long
Total number of packets
dest.stats.net_bytes_total
edittype: long
Total number of bytes
icmp_id
editICMP id used in ICMP based flow.
connection_id
editoptional TCP connection id