Assurance Sensor Metrics
  • 08 Aug 2024
  • 59 Minutes to read
  • Contributors
  • PDF

Assurance Sensor Metrics

  • PDF

Article summary

Metrics

Depending on sensor type, different metrics and KPIs are reported. Directionality and granularity is also depending on the test type and test configuration. This article outline the reported metrics per test type for all sensors –
Cisco Provider Connectivity Assurance Sensor Control (formerly Skylight sensor: control) , Cisco Provider Connectivity Assurance Sensor Agents (formerly Skylight sensor: agents), and Cisco Provider Connectivity Assurance Sensor Capture (formerly Skylight sensor: capture)


Synthetic measurements (active)

Terminology

Measurement Sessions

A measurement session is a stream of packets sent from a sending endpoint to one or several receiving endpoints. Some streams are reflected back to the origin using reflectors, in this mode of operation the sender is referred to as the source and the refector the target. Other sessions consist of client / server response mechanisms, such as an HTTP GET (web page retreival) where the initiator of the request is the source and the web service is the target. The measurement packets have a wide variety of encodings, including IPv4, IEEE802, TWAMP, etc. A test session can be either a continous test, like 24/7 ping - or a single-run test such as a TCP throughput test.

Measurement sessions types and directions

• One-way (OW) is a unidirectional measurement stream where metrics are measured on a path from a source to a destination (direction SD). A one-way session may also be multicast, from one sender to a group of receivers.
• Two-way (TW) is a bi-directional measurement stream between a sender and a reflector where metrics are measured separately on both paths, i.e., the source to destination (SD) path, and the return path from a reflector and back called the destination to source (DS) path.
Round Trip (RT) is a bi-directional measurement stream between sender and a reflector (or service like a HTTP server) where metrics are recorded for the full source-destination-source path. In a round-trip measurement, you cannot distinguish between the SD and DS directions.
Note that some session types may report a combination of round-trip and two-way metrics.

Metric Classification

There are several efforts in standardizing metrics, including IETF RFCs and ITU-T. IETF classifies metrics into 'singleton', 'sample', and 'statistical', where singletons are individual instances of a measurement (e.g. the one-way delay of one packet) and samples are a collection of singletons (such as a vector of one-way delay metrics). Statistical metrics are derived from the more primitive values, such as the average of the one-way delay metric over some time interval.

The major part of the metrics in this article fall into the 'statistical' class. Note, though, that some 'higher level' statistical metrics are derived from other statistical metrics. For example, the quality metrics, including MOS and R-value, is computed by a composition of loss and latency together with static codec impairment parameters.

While most statistical metrics are computed immediately at the time of the sampling by the sender/receiver, many of the higher level metrics could be computed off-line, such as by a server or a presentation client.

Continous session metrics report

For continous session types, where the sender never stops transmitting its test packets or streams, a function to periodically report the measurements is leveraged. At every report interval the sender / receiver will collect and calculate KPIs for the last interval into a metrics report which is sent upstream towards Cisco Provider Connectivity Assurance (formerly Skylight performance analytics).

The metrics set depends on the session type but typically contains metrics such as max, min, percentiles based on the raw measured metrics.

The metrics reports are numbered (statRound) and timestamped (statTime) and mechanisms are in place to retransmit lost reports if connectivity towards Cisco Provider Connectivity Assurance is down temporarily.
Screenshot 2023-10-02 121708.png

Percentiles

A percentile is a statistical value that represents a distribution of result data. When calculating a percentile, the complete set of data collected during an interval is stored in a list that is sorted in ascending order. A specific percentile may then be retrieved from the sorted list by reading the corresponding element in the list. In this way percentile 0 (min) is equal to the first value (smallest) in the sorted list, percentile 100 is the last value (largest) in the list, and the median (percentile 50) is the value at the middle of the list.

Example, if there are 1000 measured delay values during a report interval; the 99th delay percentile will then represent the 10th highest delay value. I.e the max value after 1% largest values have been discarded. This is useful to filter out spikes and short-lived anomalities that may otherwise disturb any analytics done on the metrics set. Percentiles are abbreviated with a 'p'. The 25th percentile is termed p25, etc.

Metric types for synthetic measurements

Time domain metrics

Time metrics are related to latency, that is, the passing of time between the sending of a packet and its reception or between sending a request towards a service and getting a response.

Counted metrics

Count metrics holds information about number packets received and metrics derived from packet sequence numbering such as loss, reorders and duplicates.

Packet field metrics

These metrics are derived form fields in the received ethernet or IP headers, such as DSCP or TTL values.

Quality metrics

A quality metric is higher level metric derived from one or many metrics to form customer experience measure. Examples include MOS score and TCP efficiency.

Metrics by session type

TWAMP Stateful / Stateless (RFC5357)

Available with sensors:

  • Sensor Control standalone
  • Sensor Control with NFV (SFP compute or Module)
  • Sensor Agent actuate

Session type: continuous test at configurable packet per second (PPS) rates
Metrics reporting intervals 1s – 900s
Scheduled execution supported: no - continous mode only

Metrics list

metricmetric variantunitdirectionsdescriptionremark
delaypercentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)μsSD, DS, RT*Latency from source to destination or destination to source* Roundtrip mode supported in Sensor Control only
jitterpercentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)μsSD, DS, RT*Inter-packet delay variation (IPDV) - difference in delay between consecutive packets* Roundtrip mode supported in Sensor Control only
delay variationpercentiles (25, 50, avg, 75, 90, 95, 98, 99, max)μsSD, DS, RT*Delay variation over the metrics report interval - difference between delay percentile and minimum delay* Roundtrip mode supported in Sensor Control only
losspacket loss totalpacketsSD, DS, (RT*)Number of lost packets during the report interval* Roundtrip for TWAMP stateless
losslost burst max / minpacketsSD, DS, (RT*)Longest / shortest loss period length during the report interval* Roundtrip for TWAMP stateless
losslost %%SD, DS, (RT*)Percentage packets lost* Roundtrip for TWAMP stateless
losslost periodscountSD, DS, (RT*)Number of loss occurances during the report interval, if any* Roundtrip for TWAMP stateless
sequencepackets reordered, packets duplicatedcount and %SD, DS, (RT*)Number and percentage of reordered or duplicated packets* Roundtrip for TWAMP stateless
out-of-boundspackets too latecountSD, DS, (RT*)Number of packets belonging to a previous interval, where they were reported as lost.* Roundtrip for TWAMP stateless
dscpDiffserv code point (TOS) min / maxvalueDSLowest and highest dscp seen over the report interval* RFC5357 does not support separation of DSCP per direction, only the received TOS in DS direction can be seen.
ttltime-to-live min / maxvalueSD, DS, (RT*)Lowest and highest TTL value seen over the report interval* Roundtrip for TWAMP stateless
vpriovlan priority min / maxvalueSD, DS, (RT*)Lowest and highest VLAN priority seen over the report interval

UDP / ICMP Echo

Available with sensors:

  • Sensor Control standalone
  • Sensor Control with NFV (SFP compute or Module)
  • Sensor Agent actuate

Session type: continous test at configurable packet per second (PPS) rates
Metrics reporting intervals 1s – 900s
Scheduled execution supported: no - continous mode only

Metrics list

metricmetric variantunitdirectionsdescriptionremark
delaypercentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)μsRTLatency from source to destination or destination to source
jitterpercentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)μsRTInter-packet delay variation (IPDV) - difference in delay between consecutive packets
delay variationpercentiles (25, 50, avg, 75, 90, 95, 98, 99, max)μsRTDelay variation over the metrics report interval - difference between delay percentile and minimum delay
losspacket loss totalpacketsRTNumber of lost packets during the report interval
losslost burst max / minpacketsRTLongest / shortest loss period length during the report interval
losslost %%RTPercentage packets lost
losslost periodscountRTNumber of loss occurances during the report interval, if any
sequencingpackets reordered, packets duplicatedcount and %RTNumber and percentage of reordered or duplicated packets
out-of-boundspackets too latecountRTNumber of packets belonging to a previous interval, where they were reported as lost.
dscpDiffserv code point (TOS) min / maxvalueRTLowest and highest dscp seen over the report intervalUDP echo only
ttltime-to-live min / maxvalueRTLowest and highest TTL value seen over the report interval
vpriovlan priority min / maxvalueRTLowest and highest VLAN priority seen over the report interval

TCP throughput (RFC6349)

Available with sensors:

  • Sensor Agent throughput

Session type: one-shot test or continous test
Session duration: 1s – 24hrs
Metrics reporting intervals 1s – 60s
Scheduled execution supported: yes

Metrics list

metricmetric variantunitdirectionsdescriptionremark
throughputtx ratebits/sSD, DSTCP throughput bitrate
delaybuffer delaymsRTRoundtrip delay during test
windowcwndkByteSD, DSTCP window size during test
retransmissionefficiency retxkByteSD, DSretransmitted data during test
efficiencyTCP efficiency%SD, DSTCP throughput data percentage versus retransmission data during test

path trace

Available with sensors:

  • Sensor Agent trace

Session type: one-shot test
Session duration: undefined
Metrics reporting intervals report after finished trace
Scheduled execution supported: yes

Metrics list

metricmetric variantunitdirectionsdescriptionremark
finalHopAvgRttMsmsRTAverage round-trip-time to last hop (destination hop)
finalHopMaxRttMsmsRTMaximum round-trip-time to last hop (destination hop)
finalHopMinRttMsmsRTMinimum round-trip-time to last hop (destination hop)
finalHopTimeoutCountcountRTNumber of timeouts while trying to reach last hop
hopAvgRttMsreported individually per hopmsRTAverage round-trip time to this hop
hopMaxRttMsreported individually per hopmsRTMaximum round-trip time to this hop
hopMinRttMsreported individually per hopmsRTMinimum round-trip time to this hop
hopTimeoutCountreported individually per hopcountRTNumber of timeouts while trying to reach this hop
pathAvgRttMsmsRTSum of all average hop RTT values on the path
pathHopCountcountRTNumber of hops from source to destination
pathMaxRttMsmsRTSum of all maximum hop RTT values on the path
pathMinRttMsmsRTSum of all minimum hop RTT values on the path
pathProbeCountcountRTNumber of test packets (probes) sent
pathTimeoutCountcountRTSum of all timeouts during test
pathTimeoutPercent%RTTimeouts as a percentage of all probes sent

transfer

Available with sensors:

  • Sensor Agent transfer

Session type: one-shot test or continous test
Session duration: undefined
Metrics reporting intervals report after finished transfer test
Scheduled execution supported: yes, for one-shot mode

Metrics list

metricmetric variantunitdirectionsdescriptionremark
httpCodevalueRTReturn code from HTTP service
testSpeedBitsPerSecbits/sDSDownload speed server to agent
testStatusCodevalueRTsee Agent: transfer - Status codes for details
testTimeNameLookupMsmsRTTime spent looking up the IP addressCan be used as a performance metric for the DNS service
testTimeConnectMsmsRTTime to finish SYN, SYN-ACK TCP connection, including previous DNS lookup phase
testTimeAppConnectMsmsRTTime to complete SSL handshake, including previous DNS and TCP connect phases
testTimePreTransferMsmsRTTime when request for asset sent (HTTP/FTP get for page or file)
testTimeStartTransferMsmsRTTime when first packet of asset started arriving, or error response received if asset nonexistent
testTimeTotalMsmsRTTotal time from start of test until asset fully downloaded (or error condition hit)
testTimeRedirectMsmsRTIn case of a HTTP redirect, this metric will report the total time for the new DNS lookup plus the time to perform a new TCP and SSL handshake

The agent transfer documentation contains an explanatory picture for the metric flow during a transfer test operation - Agent: transfer - Configuration


Capture-based metrics (passive)

Terminology

Metric or Field

This is the reported statistic, which could be a specific protocol field like "response.status" for the HTTP return code, a metadata type identifier as "client.zone.name" which ties the reported metric to a group of clients in a zone – or a more generic QoE metric like "server.rt" denoting the service / server response time in milliseconds.

Layers

This column indicates in which protocol layer each metric is available. Some metrics are specific for only one protocol, and others are common across many or all supported protocol parsers.

Metrics in alphabetical order

Metric / Field NameTypeLayersDescription
abortsnumbercitrixThe number of aborted Citrix sessions
aborts.rationumbercitrixThe ratio of aborts to the total number of launch attempts
ajax.requestsnumberhttpThe number of javascript requests
alert.access_deniedbooltlsA valid certificate was received, but when access control was applied, the sender decided not to proceed with negotiation. Code 49.
alert.bad_certificatebooltlsA certificate was corrupt, contained signatures that did not verify correctly, etc. Code 42.
alert.bad_record_macbooltlsThis alert is returned if a record is received with an incorrect MAC. Code 20.
alert.certificate_expiredbooltlsA certificate has expired or is not currently valid. Code 45.
alert.certificate_revokedbooltlsA certificate was revoked by its signer. Code 44.
alert.certificate_unknownbooltlsSome other (unspecified) issue arose in processing the certificate, rendering it unacceptable. Code 46.
alert.close_notifybooltlsThis message notifies the recipient that the sender will not send any more messages on this connection. Code 0.
alert.decode_errorbooltlsA message could not be decoded because some field was out of the specified range or the length of the message was incorrect. Code 50.
alert.decompression_failurebooltlsThe decompression function received improper input (e.g., data that would expand to excessive length). Code 30.
alert.decrypt_errorbooltlsA handshake cryptographic operation failed, including being unable to correctly verify a signature or validate a Finished message. Code 51.
alert.decryption_failedbooltlsThis alert was used in some earlier versions of TLS, and may have permitted certain attacks against the CBC mode. Code 21.
alert.export_restrictionbooltlsThis alert was used in some earlier versions of TLS. Code 60.
alert.handshake_failurebooltlsReception of a handshake failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. Code 40.
alert.illegal_parameterbooltlsA field in the handshake was out of range or inconsistent with other fields. Code 47.
alert.insufficient_securitybooltlsReturned instead of a handshake failure when a negotiation has failed specifically because the server requires ciphers more secure than those supported by the client. Code 71.
alert.internal_errorbooltlsAn internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue. Code 80.
alert.no_certificatebooltlsThis alert was used in SSLv3 but not any version of TLS. Code 41.
alert.no_renegotiationbooltlsSent by the client in response to a hello request or by the server in response to a client hello after initial handshaking. Code 100.
alert.protocol_versionbooltlsThe protocol version the client has attempted to negotiate is recognized but not supported. Code 70.
alert.record_overflowbooltlsA TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes. Code 22.
alert.unexpected_messagebooltlsAn inappropriate message was received. Code 10.
alert.unknown_cabooltlsA valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. Code 48.
alert.unsupported_certificatebooltlsA certificate was of an unsupported type. Code 43.
alert.unsupported_extensionbooltlsSent by clients that receive an extended server hello containing an extension that they did not put in the corresponding client hello. Code 110.
alert.user_canceledbooltlsThis handshake is being canceled for some reason unrelated to a protocol failure. Code 90.
alert_typesalerttypestlsFlags of alerts present in the TLS conversation
application.idapplication_idcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe application ID
application.nameapplicationcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe application
attemptsnumbercitrixThe total number of launch attempts
begintimecitrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voipThe timestamp of the first captured packet
beginsnumbervoipThe number of VoIP flows that started
callstringvoipThe VoIP call id
call.directioncalldirectionvoipThe direction (inbound, outbound, unknown) of the VoIP calls
call.durationnumbervoipThe total duration of the VoIP calls
call.global.jitternumbervoipThe average measured jitter for call PDUs (protocol data units) in both directions
call.global.rttnumbervoipThe average round-trip time for call PDUs (protocol data units) in both directions
call.jitter.countnumbervoipThe total number of measured jitters for call PDUs (protocol data units) in both directions
call.jitter.deviationnumbervoipThe deviation of the measured jitter for call PDUs (protocol data units) in both directions
call.jitter.totalnumbervoipThe sum of both caller and callee average round-trip times
call.rtt.countnumbervoipThe total number of round-trip times for call PDUs (protocol data units) in both directions
call.rtt.deviationnumbervoipThe deviation of the round-trip time for call PDUs (protocol data units) in both directions
call.rtt.totalnumbervoipThe sum of both caller and callee average round-trip times
call.statecallstatevoipThe latest call state in this conversation
calleestringvoipThe VoIP callee id
callee.codecstringvoipThe voice codec of the callee
callee.ipipvoipThe IP address of the callee
callee.jitternumbervoipThe average measured jitter for a PDU (protocol data unit) emitted by the callee
callee.jitter.countnumbervoipThe number of measured jitters for PDUs (protocol data units) emitted by the callee
callee.jitter.deviationnumbervoipThe deviation of the measured jitters for PDUs (protocol data units) emitted by the callee
callee.labelstringvoipThe display name of the callee
callee.lost.pdusnumbervoipThe number of lost callee PDUs (protocol data units)
callee.lost.pdus.rationumbervoipThe ratio of lost to the total number of PDUs (protocol data units) emitted by the callee
callee.macmacvoipThe MAC address of the Callee
callee.rttnumbervoipThe average round-trip time for PDUs (protocol data units) emitted by the caller
callee.rtt.countnumbervoipThe number of round-trip times for PDUs (protocol data units) emitted by the caller
callee.rtt.deviationnumbervoipThe deviation of the round-trip time for PDUs (protocol data units) emitted by the caller
callee.zone.idzone_idvoipThe zone ID of the callee
callee.zone.namezonevoipThe zone of the callee
callerstringvoipThe VoIP caller id
caller.codecstringvoipThe voice codec of the caller
caller.ipipvoipThe IP address of the caller
caller.jitternumbervoipThe average measured jitter for a PDU (protocol data unit) emitted by the the caller
caller.jitter.countnumbervoipThe number of measured jitters for PDUs (protocol data units) emitted by the caller
caller.jitter.deviationnumbervoipThe deviation of the measured jitters for PDUs (protocol data units) emitted by the caller
caller.labelstringvoipThe display name of the caller
caller.lost.pdusnumbervoipThe number of lost caller PDUs (protocol data units)
caller.lost.pdus.rationumbervoipThe ratio of lost to the total number of PDUs (protocol data units) emitted by the caller
caller.macmacvoipThe MAC address of the Caller
caller.rttnumbervoipThe average round-trip time for PDUs (protocol data units) emitted by the callee
caller.rtt.countnumbervoipThe number of round-trip times for PDUs (protocol data units emitted by the callee
caller.rtt.deviationnumbervoipThe deviation of the round-trip time for PDUs (protocol data units) emitted by the callee
caller.zone.idzone_idvoipThe zone ID of the caller
caller.zone.namezonevoipThe zone of the caller
capture.hostnamepollercitrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voipThe probe device hostname that captured this traffic
capture.idpoller_idcitrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voipThe probe device ID that captured this traffic
cgp.client.pdusnumbercitrixThe total number of CGP PDUs (protocol data units) at applicative level emitted by the client
cgp.dest.pdusnumbercitrixThe total number of CGP PDUs (protocol data units) at applicative level emitted by the destination
cgp.pdusnumbercitrixThe total number of CGP PDUs (protocol data units) at applicative level in both directions
cgp.server.pdusnumbercitrixThe total number of CGP PDUs (protocol data units) at applicative level emitted by the server
cgp.source.pdusnumbercitrixThe total number of CGP PDUs (protocol data units) at applicative level emitted by the source
channelchannelcitrix_channelsThe Citrix channel
chunked.transfersnumberhttpThe number of times the HTTP 'chunked' transfer encoding has been used
cipherciphersuitetlsThe set of cryptographic algorithms used to secure this conversation
cipher.is_weakbooltlsIs the TLS cipher weak?
citrix.applicationstringcitrix citrix_channelsThe published Citrix application being executed
client.common_namestringtlsThe Common Name of the client certificate
client.compressed.pdusnumbercitrix_channelsThe number of compressed client PDUs (protocol data units)
client.compressed.pdus.rationumbercitrix_channelsThe ratio of compressions to the total number of PDUs (protocol data units) emitted by the client
client.datanumbertlsThe total number of client data PDUs (protocol data units)
client.datasource.kindpktsourcekindcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (client-side)
client.datasource.namepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source name on which this traffic has been captured (client-side)
client.datasource.pairpktsourcepaircitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type and name on which this traffic has been captured (client-side)
client.diffservdiffservicmp other_ip tcp udpThe client differentiated service
client.dttnumbercitrix citrix_channels databases http smb tcp tlsThe average data-transfer time for PDUs (protocol data units) emitted by the client
client.dtt.countnumbercitrix citrix_channels databases http smb tcp tlsThe number of data-transfer times for PDUs (protocol data units) emitted by the client
client.dtt.deviationnumbercitrix citrix_channels databases http smb tcp tlsThe deviation of the data-transfer time for PDUs (protocol data units) emitted by the client
client.dupacksnumbertcpThe number of duplicated ACK packets from the client
client.dupacks.rationumbertcpThe ratio of duplicated ACKs to the total number of packets emitted by the client
client.emtunumbericmp non_ip other_ip tcp udpThe maximum payload in a single ethernet packet emmited by the client in these conversations (this value is assumed to be the MTU of the client's network interface, although the actual MTU value might be greater)
client.error.ipipicmpThe IP address of the client, as it appears in the headers of the ICMP error message
client.error.portporticmpThe port of the client, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
client.error.zone.idzone_idicmpThe zone ID of the client, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
client.error.zone.namezoneicmpThe zone of the client, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
client.expirationtimetlsThe expiration date of the client certificate
client.filepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the Pcap File used as traffic source (client-side)
client.finsnumbertcpThe number of FIN packets emitted by the client
client.fins.rationumbertcpThe average number of client FIN packets in a connection
client.hostnamehostnamecitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe hostname of the client
client.interfacepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured (client-side)
client.ipipcitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe IP address of the client
client.ja3tls_fingerprinttlsThe JA3 client fingerprint
client.keepalivesnumbercitrixThe number of keep alives from the client
client.key.bitsnumbertlsThe number of bits in the client key
client.key.typekeytypetlsThe type of the client key
client.macmaccitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe MAC address of the client
client.metanumbertlsThe total number of client metadata (handshake, change cipher spec & alerts PDU types)
client.osostcpThe client operating system
client.payloadnumbercitrix citrix_channels tcp tls udp voipThe total amount of bytes of data (without headers) emitted by the client
client.payload.pdusnumbercitrix citrix_channels tcp voipThe total number of PDUs (protocol data units) with payload emitted by the client
client.payload.rationumbercitrix citrix_channels tcp tls udp voipThe ratio of payload bytes to the entire traffic emitted by the client
client.pdusnumbercitrix citrix_channels dns icmp non_ip other_ip tcp udp voipThe total number of PDUs (protocol data units) at applicative level emitted by the client
client.portportcitrix citrix_channels databases http smb tcp tls udp voipThe TCP/UDP port of the client
client.rdnumbertcpThe average retransmission delay for PDUs emitted by the client
client.rd.countnumbertcpThe number of retransmission delays for PDUs emitted by the client
client.rd.deviationnumbertcpThe deviation of the retransmission delay for PDUs emitted by the client
client.remotepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured via rpcapd (client-side)
client.retrans.payloadnumbertcpThe total amount of bytes of data (without headers) in retransmitted PDUs emitted by the client
client.retrans.pdus.rationumbertcpThe ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the client
client.retrans.trafficnumbertcpThe total amount of bytes in retransmitted PDUs emitted by the client
client.retrans.traffic.rationumbertcpThe ratio of retransmitted traffic to the entire traffic emitted by the client
client.rstsnumbertcpThe number of RST packets emitted by the client
client.rsts.rationumbertcpThe average number of client RST packets in a connection
client.rttnumbertcpThe average round-trip time for PDUs (protocol data units) emitted by the server
client.rtt.countnumbertcpThe number of round-trip times for PDUs (protocol data units) emitted by the server
client.rtt.deviationnumbertcpThe deviation of the round-trip time for PDUs (protocol data units) emitted by the server
client.signalization.payloadnumbervoipThe total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the client
client.signalization.pdusnumbervoipThe total number of signalization PDUs (protocol data units) emitted by the client
client.signalization.rdnumbervoipThe average retransmission delay for signalization PDUs (protocol data units) emitted by the client
client.signalization.rd.countnumbervoipThe number of retransmission delays for signalization PDUs (protocol data units) emitted by the client
client.signalization.rd.deviationnumbervoipThe deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the client
client.signalization.retrans.pdus.rationumbervoipThe ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the client
client.signalization.rttnumbervoipThe average round-trip time for signalization PDUs (protocol data units) emitted by the server
client.signalization.rtt.countnumbervoipThe number of round-trip times for signalization PDUs (protocol data units) emitted by the server
client.signalization.rtt.deviationnumbervoipThe deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the server
client.signalization.trafficnumbervoipThe total amount of bytes in signalization PDUs (protocol data units) emitted by the client
client.signaturestringtlsThe client signature
client.trafficnumberdns icmp non_ip other_ip tcp tls udp voipThe total amount of bytes emitted by the client
client.vlanvlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the client side of the transaction (alias of client.vlans.inner)
client.vlansarraycitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe VLAN ids on the client side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
client.vlans.countnumbercitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe number of VLANs on the client side of the transaction
client.vlans.innervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the client side of the transaction
client.vlans.outervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe outer VLAN id on the client side of the transaction
client.zero_windowsnumbertcpThe number of zero-window size packets emitted by the client
client.zero_windows.rationumbertcpThe ratio of zero-window size to the total number of packets emitted by the client
client.zone.idzone_idcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone id of the client
client.zone.namezonecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone of the client
closesnumbertcpThe number of TCP sessions that ended properly (by acked FIN or RST)
commanddatabasecommanddatabasesThe database command type
compressed.pdusnumbercitrix_channelsThe total number of compressed PDUs (protocol data units) in both directions
compressed.pdus.rationumbercitrix_channelsThe ratio of compressions to the total number of PDUs (protocol data units) in both directions
compressed.responsesnumberhttpThe number of compressed HTTP responses
ctnumbertcp tlsThe average connection time
ct.countnumbertcp tlsThe number of successful handshakes
ct.deviationnumbertcp tlsThe deviation of the connection time
data.payloadnumbersmbThe total amount of bytes of data in both directions
databasestringdatabasesThe name of the database
dcerpcdcerpctcp udpThe identifier of the DCE/RPC service
decryptednumbertlsThe number of decrypted conversations
dest.common_namestringtlsThe Common Name of the destination certificate
dest.compressed.pdusnumbercitrix_channelsThe number of compressed destination PDUs (protocol data units)
dest.compressed.pdus.rationumbercitrix_channelsThe ratio of compressions to the total number of PDUs (protocol data units) emitted by the destination
dest.datanumbertlsThe total number of destination data PDUs (protocol data units)
dest.datasource.kindpktsourcekindcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (destination-side)
dest.datasource.namepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source name on which this traffic has been captured (destination-side)
dest.datasource.pairpktsourcepaircitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type and name on which this traffic has been captured (destination-side)
dest.diffservdiffservicmp other_ip tcp udpThe destination differentiated service
dest.dttnumbercitrix citrix_channels databases http smb tcp tlsThe average data-transfer time for PDUs (protocol data units) emitted by the destination
dest.dtt.countnumbercitrix citrix_channels databases http smb tcp tlsThe number of data-transfer times for PDUs (protocol data units) emitted by the destination
dest.dtt.deviationnumbercitrix citrix_channels databases http smb tcp tlsThe deviation of the data-transfer time for PDUs (protocol data units) emitted by the destination
dest.dupacksnumbertcpThe number of duplicated ACK packets from the destination
dest.dupacks.rationumbertcpThe ratio of duplicated ACKs to the total number of packets emitted by the destination
dest.emtunumbericmp non_ip other_ip tcp udpThe maximum payload in a single ethernet packet emmited by the destination in these conversations (this value is assumed to be the MTU of the destination's network interface, although the actual MTU value might be greater)
dest.error.ipipicmpThe IP address of the destination, as it appears in the headers of the ICMP error message
dest.error.portporticmpThe port of the destination, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
dest.error.zone.idzone_idicmpThe zone ID of the destination, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
dest.error.zone.namezoneicmpThe zone of the destination, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
dest.expirationtimetlsThe expiration date of the destination certificate
dest.filepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the Pcap File used as traffic source (destination-side)
dest.finsnumbertcpThe number of FIN packets emitted by the destination
dest.fins.rationumbertcpThe average number of destination FIN packets in a connection
dest.hostnamehostnamecitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe hostname of the destination
dest.interfacepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured (destination-side)
dest.ipipcitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe IP address of the destination
dest.ja3tls_fingerprinttlsThe JA3 destination fingerprint
dest.keepalivesnumbercitrixThe number of keep alives from the destination
dest.key.bitsnumbertlsThe number of bits in the destination key
dest.key.typekeytypetlsThe type of the destination key
dest.macmaccitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe MAC address of the destination
dest.metanumbertlsThe total number of destination metadata (handshake, change cipher spec & alerts PDU types)
dest.osostcpThe destination operating system
dest.payloadnumbercitrix citrix_channels tcp tls udp voipThe total amount of bytes of data (without headers) emitted by the destination
dest.payload.pdusnumbercitrix citrix_channels tcp voipThe total number of PDUs (protocol data units) with payload emitted by the destination
dest.payload.rationumbercitrix citrix_channels tcp tls udp voipThe ratio of payload bytes to the entire traffic emitted by the destination
dest.pdusnumbercitrix citrix_channels dns icmp non_ip other_ip tcp udp voipThe total number of PDUs (protocol data units) at applicative level emitted by the destination
dest.portportcitrix citrix_channels databases http smb tcp tls udp voipThe TCP/UDP port of the destination
dest.rdnumbertcpThe average retransmission delay for PDUs emitted by the destination
dest.rd.countnumbertcpThe number of retransmission delays for PDUs emitted by the destination
dest.rd.deviationnumbertcpThe deviation of the retransmission delay for PDUs emitted by the destination
dest.remotepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured via rpcapd (destination-side)
dest.retrans.payloadnumbertcpThe total amount of bytes of data (without headers) in retransmitted PDUs emitted by the destination
dest.retrans.pdus.rationumbertcpThe ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the destination
dest.retrans.trafficnumbertcpThe total amount of bytes in retransmitted PDUs emitted by the destination
dest.retrans.traffic.rationumbertcpThe ratio of retransmitted traffic to the entire traffic emitted by the destination
dest.rstsnumbertcpThe number of RST packets emitted by the destination
dest.rsts.rationumbertcpThe average number of destination RST packets in a connection
dest.rttnumbertcpThe average round-trip time for PDUs (protocol data units) emitted by the source
dest.rtt.countnumbertcpThe number of round-trip times for PDUs (protocol data units) emitted by the source
dest.rtt.deviationnumbertcpThe deviation of the round-trip time for PDUs (protocol data units) emitted by the source
dest.signalization.payloadnumbervoipThe total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the destination
dest.signalization.pdusnumbervoipThe total number of signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rdnumbervoipThe average retransmission delay for signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rd.countnumbervoipThe number of retransmission delays for signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rd.deviationnumbervoipThe deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the destination
dest.signalization.retrans.pdus.rationumbervoipThe ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rttnumbervoipThe average round-trip time for signalization PDUs (protocol data units) emitted by the source
dest.signalization.rtt.countnumbervoipThe number of round-trip times for signalization PDUs (protocol data units) emitted by the source
dest.signalization.rtt.deviationnumbervoipThe deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the source
dest.signalization.trafficnumbervoipThe total amount of bytes in signalization PDUs (protocol data units) emitted by the destination
dest.signaturestringtlsThe destination signature
dest.trafficnumberdns icmp non_ip other_ip tcp tls udp voipThe total amount of bytes emitted by the destination
dest.vlanvlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the destination side of the transaction (alias of destination.vlans.inner)
dest.vlansarraycitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe VLAN ids on the destination side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
dest.vlans.countnumbercitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe number of VLANs on the destination side of the transaction
dest.vlans.innervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the destination side of the transaction
dest.vlans.outervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe outer VLAN id on the destination side of the transaction
dest.zero_windowsnumbertcpThe number of zero-window size packets emitted by the destination
dest.zero_windows.rationumbertcpThe ratio of zero-window size to the total number of packets emitted by the destination
dest.zone.idzone_idcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone id of the destination
dest.zone.namezonecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone of the destination
dns.rtnumberdnsThe average DNS response time
dns.rt.deviationnumberdnsThe deviation of the DNS response time
domainstringcitrix citrix_channels smbThe Windows Domain of the user
domain.primarystringhttp tlsThe primary domain name (www.example.org -> example.org)
domain.shortstringhttp tlsThe primary domain name, without TLD
domain.toplevelstringhttp tlsThe top-level domain name (TLD)
dtt.countnumbercitrix citrix_channels databases http smb tcp tlsThe total number of data-transfer times in both directions
dtt.deviationnumbercitrix citrix_channels databases http smb tcp tlsThe deviation of the data-transfer time in both directions
dtt.totalnumbercitrix citrix_channels databases http smb tcp tlsThe sum of both client and server average data-transfer times
dupacksnumbertcpThe total number of duplicated ACK packets in both directions
dupacks.rationumbertcpThe ratio of duplicated ACKs to the total number of packets in both directions
encryptionencryptioncitrixThe Citrix encryption type
endtimecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe timestamp of the last captured packet
endsnumbervoipThe number of VoIP flows that ended
error.alertsnumbertlsThe total number of error alerts (everything but close notifications)
error.codestringdatabasesThe error code, specific to some databases (MySQL, TDS and TNS)
error.hitsnumberhttpThe number of hits with a response code of at least 400
error.messagestringdatabasesThe database error message
error.protocolipprotocolicmpThe IP protocol of the PDU (protocol data unit) transported by the ICMP error message
error.statusstringdatabasesThe database error status
errorsnumberdatabases dns smb voipThe number of errors
errors.rationumberdatabases dns smb voipThe ratio of errors to the total number of queries
filepathsmbThe file path
file.countnumberflowsThe number of processed files
file.iddescriptorsmbThe CIFS file descriptor id
finsnumbertcpThe total number of FIN packets in both directions
fins.rationumbertcpThe average number of FIN packets in a connection
global.dttnumbercitrix citrix_channels databases http smb tcp tlsThe average data-transfer time in both directions
global.emtunumbericmp non_ip other_ip tcp udpThe maximum payload in a single ethernet packet in both directions
global.rdnumbertcpThe average retransmission delay in both directions
global.rttnumbertcpThe average round-trip time in both directions
global.signalization.rdnumbervoipThe average retransmission delay for signalization PDUs (protocol data units) in both directions
global.signalization.rttnumbervoipThe average round-trip time for signalization PDUs (protocol data units) in both directions
has_contributedboolhttpDid this hit contribute to the metrics of the page it is attached to?
has_timeoutedbooldatabases http smbDid this transaction timeout?
has_voiceboolvoipWas there any voice in the conversation?
headersnumberhttpThe total amount of bytes of headers in both query and response PDUs (protocol data units)
hituuidhttpThis hit's unique identifier
hit.parentuuidhttpThis hit's parent's unique identifier
hit.referreruuidhttpThis hit's referrer's unique identifier
hit.rtnumberhttpThe average hit response time
hit.rt.countnumberhttpThe number of HTTP hit response times
hit.rt.deviationnumberhttpThe deviation of the hit response time
hitsnumberhttpThe number of HTTP hits
hoststringhttpThe URL Host
icmp.codenumbericmpThe ICMP message code
icmp.messageicmpmessageicmpThe ICMP message
icmp.typeicmptypeicmpThe ICMP message type
ip.familyipfamilycitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe IP address family
ip.protocolipprotocolother_ip voipThe IP protocol
is_ajaxboolhttpIs this hit requested through javascript?
is_chunkedboolhttpDoes this hit use HTTP 'chunked' transfer encoding?
is_compressedboolhttpIs this hit compressed?
is_deepinspectboolhttpWas page reconstruction activated for this hit?
is_mainboolhttpIs this hit the main resource of the page?
is_rootboolhttpIs this a root hit?
keepalivesnumbercitrixThe total number of keep alives in both directions
launch.timenumbercitrixThe average launch time for Citrix applications
launch.time.deviationnumbercitrixThe deviation of the launch time
layerlayercitrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voipThe layer
login.timenumbercitrixThe average login time
login.time.countnumbercitrixThe number of logins
login.time.deviationnumbercitrixThe deviation of the login time
lost.pdusnumbervoipThe total number of lost PDUs (protocol data units) in both directions
lost.pdus.rationumbervoipThe ratio of lost to the total number of PDUs (protocol data units) in both directions
metadata.payloadnumbersmbThe total amount of bytes of metadata in both directions
metadata.readnumbersmbThe total amount of bytes of metadata read by SMB commands (directory listing commands, for example)
metadata.writtennumbersmbThe total amount of bytes of metadata written by SMB commands
methodhttpquerymethodhttpThe HTTP request method
modulestringcitrixThe name of the Citrix module used by the client
mosnumbervoipThe VOIP mean opinion score
netflow.hostnamehostnameicmp tcp udpThe hostname of the emitter
netflow.ipipicmp tcp udpThe IP address of the emitter
nonip.protocolethernetprotocolnon_ipThe OSI layer 2 protocol
origin.ipiphttpThe original client's IP, as it appears in the HTTP header
page.begintimehttpThe timestamp of the first packet in this page
page.endtimehttpThe timestamp of the last packet in this page
page.errorsnumberhttpThe number of errors in all the hits that contributed to these pages, errors consisting of HTTP response codes of at least 400
page.hitsnumberhttpThe number of hits that contributed to these pages
page.load.timenumberhttpThe average page load time
page.load.time.deviationnumberhttpThe deviation of the page load time
page.request.trafficnumberhttpThe total amount of bytes of request traffic (headers + payload) in all the hits that contributed to these pages
page.response.trafficnumberhttpThe total amount of bytes of response traffic (headers + payload) in all the hits that contributed to these pages
page.timeoutsnumberhttpThe number of timeouts in all the hits that contributed to these pages
page.trafficnumberhttpThe total amount of bytes of query and response traffic (headers + payload) in all the hits that contributed to these pages
pagesnumberhttpThe number of HTTP pages
payloadnumbercitrix citrix_channels databases http smb tcp udp voipThe total amount of bytes of data (without headers) in both directions
payload.pdusnumbercitrix citrix_channels tcp voipThe total number of PDUs (protocol data units) with payload in both directions
payload.rationumbercitrix citrix_channels tcp tls udp voipThe ratio of payload bytes to the entire traffic in both directions
pcapstringdns tcp voipThe link to the associated captured PCAP file (generated according to the configuration of zones and applications)
pdusnumbercitrix citrix_channels databases dns icmp non_ip other_ip smb tcp udp voipThe total number of PDUs (protocol data units) at applicative level in both directions
pointsnumbercitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe number of points
protostackprotostackcitrix citrix_channels databases icmp non_ip other_ip smb tcp tls udp voipThe protocol stack
queriesnumberdatabases dns smbThe number of queries
querydatabasequerydatabasesThe database query
query.begintimedatabases smbThe timestamp of the first query packet
query.classdnsclassdnsThe class of the DNS query
query.endtimedatabases smbThe timestamp of the last query packet
query.namestringdnsThe name of the DNS query
query.payloadnumberdatabases smbThe total amount of bytes of payload in query PDUs (protocol data units) emitted by the client
query.pdusnumberdatabases smbThe total number of query PDUs (protocol data units) at applicative level
query.tcp_pdusnumberhttpThe number of TCP packets that form up these HTTP queries
query.typednstypednsThe type of the DNS query
query.writenumbersmbThe total amount of bytes of data to be written
query_256databasequerydatabasesFirst 256 characters of the query
rd.countnumbertcpThe total number of retransmission delays in both directions
rd.deviationnumbertcpThe deviation of the retransmission delay in both directions
rd.totalnumbertcpThe sum of both client and server average data-transfer times
request.begintimehttpThe timestamp of the first request packet
request.content_lengthnumberhttpThe average Content-Length in the headers of these HTTP requests
request.content_length.countnumberhttpThe number of HTTP requests with a Content-Length header
request.content_packpathhttpThe path to the pack file that contains the HTTP request content
request.content_typemimetypehttpThe mime-type in the Content-Type header of the HTTP request
request.endtimehttpThe timestamp of the last request packet
request.headersnumberhttpThe total amount of bytes of headers in request PDUs (protocol data units) emitted by the client
request.payloadnumberhttpThe total amount of bytes of payload in request PDUs (protocol data units) emitted by the client
request.payload.sha256sha256httpThe hash sha256 calculated using the bytes of payload in request PDUs (protocol data units) emitted by the client
request.trafficnumberhttpThe total amount of bytes (headers + payload) in request PDUs (protocol data units) emitted by the client
response.begintimedatabases http smbThe timestamp of the first response packet
response.categorystringhttpThe HTTP response mime-type's category
response.classdnsclassdnsThe class of the DNS response
response.codednscodednsThe DNS response code
response.content_lengthnumberhttpThe average Content-Length in the headers of these HTTP responses
response.content_length.countnumberhttpThe number of HTTP responses with a Content-Length header
response.content_packpathhttpThe path to the pack file that contains the HTTP response content
response.content_typemimetypehttpThe mime-type in the Content-Type header of the HTTP response
response.endtimedatabases http smbThe timestamp of the first response packet
response.headersnumberhttpThe total amount of bytes of headers in response PDUs (protocol data units) emitted by the server
response.payloadnumberdatabases http smbThe total amount of bytes of payload in response PDUs (protocol data units) emitted by the server
response.payload.sha256sha256httpThe hash sha256 calculated using the bytes of payload in response PDUs (protocol data units) emitted by the server
response.pdusnumberdatabases smbThe total number of PDUs (protocol data units) at applicative level emitted by the server
response.readnumbersmbThe total amount of bytes of data read by SMB commands
response.statushttpstatushttpThe HTTP response code
response.status.categoryhttpstatuscategoryhttpThe category of the response status code
response.tcp_pdusnumberhttpThe number of TCP packets that form up these HTTP responses
response.trafficnumberhttpThe total amount of bytes (headers + payload) in response PDUs (protocol data units) emitted by the client
response.typednstypednsThe type of the DNS response
response.writtennumbersmbThe total amount of bytes of data effectively written by SMB commands
resumednumbertlsThe number of resumed sessions
retrans.payloadnumbertcpThe total amount of bytes of data (without headers) in retransmitted PDUs in both directions
retrans.pdus.rationumbertcpThe ratio of retransmissions to the total number of PDUs (protocol data units) with payload in both directions
retrans.trafficnumberdns icmp non_ip other_ip tcp udp voipThe total amount of bytes in retransmitted PDUs in both directions
retrans.traffic.rationumbertcpThe ratio of retransmitted traffic to the entire traffic in both directions
rows.integratednumberflowsThe number of integrated rows
rows.integrated.per_minutenumberflowsThe number of integrated rows per minute
rows.totalnumberflowsThe total number of analyzed rows
rows.total.per_minutenumberflowsThe number of total rows per minute
rows.truncatednumberflowsThe number of truncated rows
rows.truncated.per_minutenumberflowsThe number of truncated rows per minute
rstsnumbertcpThe total number of RST packets in both directions
rsts.rationumbertcpThe average number of RST packets in a connection
rtt.countnumbertcpThe total number of round-trip times in both directions
rtt.deviationnumbertcpThe deviation of the round-trip time in both directions
rtt.totalnumbertcpThe sum of both client and server average round-trip times
server.common_namestringtlsThe Common Name of the server certificate
server.compressed.pdusnumbercitrix_channelsThe number of compressed server PDUs (protocol data units)
server.compressed.pdus.rationumbercitrix_channelsThe ratio of compressions to the total number of PDUs (protocol data units) emitted by the server
server.datanumbertlsThe total number of server data PDUs (protocol data units)
server.datasource.kindpktsourcekindcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (server-side)
server.datasource.namepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source name on which this traffic has been captured (server-side)
server.datasource.pairpktsourcepaircitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type and name on which this traffic has been captured (server-side)
server.diffservdiffservicmp other_ip tcp udpThe server differentiated service
server.dttnumbercitrix citrix_channels databases http smb tcp tlsThe average data-transfer time for PDUs (protocol data units) emitted by the server
server.dtt.countnumbercitrix citrix_channels databases http smb tcp tlsThe number of data-transfer times for PDUs (protocol data units) emitted by the server
server.dtt.deviationnumbercitrix citrix_channels databases http smb tcp tlsThe deviation of the data-transfer time for PDUs (protocol data units) emitted by the server
server.dupacksnumbertcpThe number of duplicated ACK packets from the server
server.dupacks.rationumbertcpThe ratio of duplicated ACKs to the total number of packets emitted by the server
server.emtunumbericmp non_ip other_ip tcp udpThe maximum payload in a single ethernet packet emmited by the server in these conversations (this value is assumed to be the MTU of the server's network interface, although the actual MTU value might be greater)
server.error.ipipicmpThe IP address of the server, as it appears in the headers of the ICMP error message
server.error.portporticmpThe port of the server, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
server.error.zone.idzone_idicmpThe zone ID of the server, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
server.error.zone.namezoneicmpThe zone of the server, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
server.expirationtimetlsThe expiration date of the server certificate
server.filepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the Pcap File used as traffic source (server-side)
server.finsnumbertcpThe number of FIN packets emitted by the server
server.fins.rationumbertcpThe average number of server FIN packets in a connection
server.hostnamehostnamecitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe hostname of the server
server.interfacepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured (server-side)
server.ipipcitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe IP address of the server
server.ja3tls_fingerprinttlsThe JA3 server fingerprint
server.keepalivesnumbercitrixThe number of keep alives from the server
server.key.bitsnumbertlsThe number of bits in the server key
server.key.typekeytypetlsThe type of the server key
server.macmaccitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe MAC address of the server
server.metanumbertlsThe total number of server metadata (handshake, change cipher spec & alerts PDU types)
server.osostcpThe server operating system
server.payloadnumbercitrix citrix_channels tcp tls udp voipThe total amount of bytes of data (without headers) emitted by the server
server.payload.pdusnumbercitrix citrix_channels tcp voipThe total number of PDUs (protocol data units) with payload emitted by the server
server.payload.rationumbercitrix citrix_channels tcp tls udp voipThe ratio of payload bytes to the entire traffic emitted by the server
server.pdusnumbercitrix citrix_channels dns icmp non_ip other_ip tcp udp voipThe total number of PDUs (protocol data units) at applicative level emitted by the server
server.portportcitrix citrix_channels databases http smb tcp tls udp voipThe TCP/UDP port of the server
server.rdnumbertcpThe average retransmission delay for PDUs emitted by the server
server.rd.countnumbertcpThe number of retransmission delays for PDUs emitted by the server
server.rd.deviationnumbertcpThe deviation of the retransmission delay for PDUs emitted by the server
server.remotepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured via rpcapd (server-side)
server.retrans.payloadnumbertcpThe total amount of bytes of data (without headers) in retransmitted PDUs emitted by the server
server.retrans.pdus.rationumbertcpThe ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the server
server.retrans.trafficnumbertcpThe total amount of bytes in retransmitted PDUs emitted by the server
server.retrans.traffic.rationumbertcpThe ratio of retransmitted traffic to the entire traffic emitted by the server
server.rstsnumbertcpThe number of RST packets emitted by the server
server.rsts.rationumbertcpThe average number of server RST packets in a connection
server.rtnumbercitrix citrix_channels databases smb tcp tlsThe average server response time (SRT)
server.rt.countnumbercitrix citrix_channels databases smb tcp tlsThe number of server response times
server.rt.deviationnumbercitrix citrix_channels databases smb tcp tlsThe deviation of the server response time
server.rttnumbertcpThe average round-trip time for PDUs (protocol data units) emitted by the client
server.rtt.countnumbertcpThe number of round-trip times for PDUs (protocol data units) emitted by the client
server.rtt.deviationnumbertcpThe deviation of the round-trip time for PDUs (protocol data units) emitted by the client
server.signalization.last_codenumbervoipLast SIP or MGCP response code
server.signalization.payloadnumbervoipThe total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the server
server.signalization.pdusnumbervoipThe total number of signalization PDUs (protocol data units) emitted by the server
server.signalization.rdnumbervoipThe average retransmission delay for signalization PDUs (protocol data units) emitted by the server
server.signalization.rd.countnumbervoipThe number of retransmission delays for signalization PDUs (protocol data units) emitted by the server
server.signalization.rd.deviationnumbervoipThe deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the server
server.signalization.retrans.pdus.rationumbervoipThe ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the server
server.signalization.rtnumbervoipThe average server response time for signalization PDUs (protocol data units)
server.signalization.rt.countnumbervoipThe number of server response times for signalization PDUs (protocol data units)
server.signalization.rt.deviationnumbervoipThe deviation of the server response time for signalization PDUs (protocol data units)
server.signalization.rttnumbervoipThe average round-trip time for signalization PDUs (protocol data units) emitted by the client
server.signalization.rtt.countnumbervoipThe number of round-trip times for signalization PDUs (protocol data units) emitted by the client
server.signalization.rtt.deviationnumbervoipThe deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the client
server.signalization.trafficnumbervoipThe total amount of bytes in signalization PDUs (protocol data units) emitted by the server
server.signaturestringtlsThe server signature
server.trafficnumberdns icmp non_ip other_ip tcp tls udp voipThe total amount of bytes emitted by the server
server.vlanvlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the server side of the transaction (alias of server.vlans.inner)
server.vlansarraycitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe VLAN ids on the server side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
server.vlans.countnumbercitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe number of VLANs on the server side of the transaction
server.vlans.innervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the server side of the transaction
server.vlans.outervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe outer VLAN id on the server side of the transaction
server.zero_windowsnumbertcpThe number of zero-window size packets emitted by the server
server.zero_windows.rationumbertcpThe ratio of zero-window size to the total number of packets emitted by the server
server.zone.idzone_idcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone id of the server
server.zone.namezonecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone of the server
server_namestringtlsThe Server Name Indication of the conversation
signalization.pdusnumbervoipThe total number of signalization PDUs (protocol data units) in both directions
signalization.rd.countnumbervoipThe total number of retransmission delays for signalization PDUs (protocol data units) in both directions
signalization.rd.deviationnumbervoipThe deviation of the retransmission delay for signalization PDUs (protocol data units) in both directions
signalization.rd.totalnumbervoipThe sum of both client and server average retransmission delays for signalization PDUs (protocol data units)
signalization.retrans.pdus.rationumbervoipThe ratio of retransmissions to the total number of signalization PDUs (protocol data units) in both directions
signalization.rtt.countnumbervoipThe total number of round-trip times for signalization PDUs (protocol data units) in both directions
signalization.rtt.deviationnumbervoipThe deviation of the round-trip time for signalization PDUs (protocol data units) in both directions
signalization.rtt.totalnumbervoipThe sum of both client and server average round-trip times
signalization.trafficnumbervoipThe total amount of bytes in signalization PDUs (protocol data units) in both directions
smb.commandsmbcommandsmbThe SMB command
smb.command.codenumbersmbThe raw SMB command
smb.sha256sha256smbThe sha256 hash
smb.statussmbstatussmbThe SMB status
smb.subcommandsmbsubcommandsmbThe SMB subcommand
smb.subcommand.codenumbersmbThe raw SMB subcommand
smb.versionsmb_versionsmbThe SMB protocol version
softwarestringhttpThe software in the Server header of the HTTP response
source.common_namestringtlsThe Common Name of the source certificate
source.compressed.pdusnumbercitrix_channelsThe number of compressed source PDUs (protocol data units)
source.compressed.pdus.rationumbercitrix_channelsThe ratio of compressions to the total number of PDUs (protocol data units) emitted by the source
source.datanumbertlsThe total number of source data PDUs (protocol data units)
source.datasource.kindpktsourcekindcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (source-side)
source.datasource.namepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source name on which this traffic has been captured (source-side)
source.datasource.pairpktsourcepaircitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe packet source type and name on which this traffic has been captured (source-side)
source.diffservdiffservicmp other_ip tcp udpThe source differentiated service
source.dttnumbercitrix citrix_channels databases http smb tcp tlsThe average data-transfer time for PDUs (protocol data units) emitted by the source
source.dtt.countnumbercitrix citrix_channels databases http smb tcp tlsThe number of data-transfer times for PDUs (protocol data units) emitted by the source
source.dtt.deviationnumbercitrix citrix_channels databases http smb tcp tlsThe deviation of the data-transfer time for PDUs (protocol data units) emitted by the source
source.dupacksnumbertcpThe number of duplicated ACK packets from the source
source.dupacks.rationumbertcpThe ratio of duplicated ACKs to the total number of packets emitted by the source
source.emtunumbericmp non_ip other_ip tcp udpThe maximum payload in a single ethernet packet emmited by the source in these conversations (this value is assumed to be the MTU of the source's network interface, although the actual MTU value might be greater)
source.error.ipipicmpThe IP address of the source, as it appears in the headers of the ICMP error message
source.error.portporticmpThe port of the source, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
source.error.zone.idzone_idicmpThe zone ID of the source, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
source.error.zone.namezoneicmpThe zone of the source, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
source.expirationtimetlsThe expiration date of the source certificate
source.filepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the Pcap File used as traffic source (source-side)
source.finsnumbertcpThe number of FIN packets emitted by the source
source.fins.rationumbertcpThe average number of source FIN packets in a connection
source.hostnamehostnamecitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe hostname of the source
source.interfacepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured (source-side)
source.ipipcitrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voipThe IP address of the source
source.ja3tls_fingerprinttlsThe JA3 source fingerprint
source.keepalivesnumbercitrixThe number of keep alives from the source
source.key.bitsnumbertlsThe number of bits in the source key
source.key.typekeytypetlsThe type of the source key
source.macmaccitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe MAC address of the source
source.metanumbertlsThe total number of source metadata (handshake, change cipher spec & alerts PDU types)
source.osostcpThe source operating system
source.payloadnumbercitrix citrix_channels tcp tls udp voipThe total amount of bytes of data (without headers) emitted by the source
source.payload.pdusnumbercitrix citrix_channels tcp voipThe total number of PDUs (protocol data units) with payload emitted by the source
source.payload.rationumbercitrix citrix_channels tcp tls udp voipThe ratio of payload bytes to the entire traffic emitted by the source
source.pdusnumbercitrix citrix_channels dns icmp non_ip other_ip tcp udp voipThe total number of PDUs (protocol data units) at applicative level emitted by the source
source.portportcitrix citrix_channels databases http smb tcp tls udp voipThe TCP/UDP port of the source
source.rdnumbertcpThe average retransmission delay for PDUs emitted by the source
source.rd.countnumbertcpThe number of retransmission delays for PDUs emitted by the source
source.rd.deviationnumbertcpThe deviation of the retransmission delay for PDUs emitted by the source
source.remotepktsourcenamecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe name of the network interface on which this traffic has been captured via rpcapd (source-side)
source.retrans.payloadnumbertcpThe total amount of bytes of data (without headers) in retransmitted PDUs emitted by the source
source.retrans.pdus.rationumbertcpThe ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the source
source.retrans.trafficnumbertcpThe total amount of bytes in retransmitted PDUs emitted by the source
source.retrans.traffic.rationumbertcpThe ratio of retransmitted traffic to the entire traffic emitted by the source
source.rstsnumbertcpThe number of RST packets emitted by the source
source.rsts.rationumbertcpThe average number of source RST packets in a connection
source.rttnumbertcpThe average round-trip time for PDUs (protocol data units) emitted by the destination
source.rtt.countnumbertcpThe number of round-trip times for PDUs (protocol data units) emitted by the destination
source.rtt.deviationnumbertcpThe deviation of the round-trip time for PDUs (protocol data units) emitted by the destination
source.signalization.payloadnumbervoipThe total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the source
source.signalization.pdusnumbervoipThe total number of signalization PDUs (protocol data units) emitted by the source
source.signalization.rdnumbervoipThe average retransmission delay for signalization PDUs (protocol data units) emitted by the source
source.signalization.rd.countnumbervoipThe number of retransmission delays for signalization PDUs (protocol data units) emitted by the source
source.signalization.rd.deviationnumbervoipThe deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the source
source.signalization.retrans.pdus.rationumbervoipThe ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the source
source.signalization.rttnumbervoipThe average round-trip time for signalization PDUs (protocol data units) emitted by the destination
source.signalization.rtt.countnumbervoipThe number of round-trip times for signalization PDUs (protocol data units) emitted by the destination
source.signalization.rtt.deviationnumbervoipThe deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the destination
source.signalization.trafficnumbervoipThe total amount of bytes in signalization PDUs (protocol data units) emitted by the source
source.signaturestringtlsThe source signature
source.trafficnumberdns icmp non_ip other_ip tcp tls udp voipThe total amount of bytes emitted by the source
source.vlanvlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the source side of the transaction (alias of source.vlans.inner)
source.vlansarraycitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe VLAN ids on the source side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
source.vlans.countnumbercitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe number of VLANs on the source side of the transaction
source.vlans.innervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe inner VLAN id on the source side of the transaction
source.vlans.outervlancitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe outer VLAN id on the source side of the transaction
source.zero_windowsnumbertcpThe number of zero-window size packets emitted by the source
source.zero_windows.rationumbertcpThe ratio of zero-window size to the total number of packets emitted by the source
source.zone.idzone_idcitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone id of the source
source.zone.namezonecitrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voipThe zone of the source
successesnumbercitrix databases dns smb voipThe number of successes
successes.rationumbercitrix databases dns smb voipThe ratio of successes
synsnumbertcpThe number of SYN packets emitted by the client
syns.rationumbertcpThe average number of SYN packets in a connection
systemdatabasesystemdatabasesThe database system
tcp_pdusnumberhttpThe number of TCP packets that form up the HTTP queries and responses
time_exclusion.anyboolcitrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voipWas there any time exclusion?
time_exclusion.business_hoursboolcitrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voipWas there a business hours time exclusion?
time_exclusion.maintenance_windowsboolcitrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voipWas there a maintenance windows time exclusion?
timeoutsnumbercitrixThe number of flows that timeouted
tls.versiontls_versiontlsThe TLS protocol version
tls.version.is_weakbooltlsIs the TLS protocol version weak?
tls.version.majornumbertlsThe TLS protocol major version
tls.version.minornumbertlsThe TLS protocol minor version
trafficnumberdns http icmp non_ip other_ip tcp tls udp voipThe total amount of bytes in both directions
treepathsmbThe tree this CIFS command relates to
tree.iddescriptorsmbThe id of the tree this CIFS command relates to
unclosednumbertcpThe number of TCP sessions that didn't properly end
urlurlhttpThe path, query and fragment parts of the URL
url.baseurlhttpThe URL without the query string and fragment
url.pathpathhttpThe URL path
userstringcitrix citrix_channels databases smbThe user
user.experiencenumbertcpThe end-user experience (sum of RTTs, DTTs and SRT)
user_agentuseragenthttpThe user-agent
uuiduuidcitrix citrix_channels databases dns http smb tcp tls voipThe unique identifier of this TCP session
voice.countnumbervoipNumber of packets where we had voice in the conversation
warningsnumbersmbThe number of warnings (mainly client-side)
warnings.rationumbersmbThe ratio of warnings to the total number of SMB queries
zero_windowsnumbertcpThe total number of zero-window size packets in both directions
zero_windows.rationumbertcpThe ratio of zero-window size to the total number of packets in both directions

© 2024 Cisco and/or its affiliates. All rights reserved.
 
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms

For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks



Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.