Skylight sensor metrics

15 Feb 2024
59 Minutes to read
Contributors

Print
Share
Dark
Light
PDF

Skylight sensor metrics

Updated on 15 Feb 2024
59 Minutes to read
Contributors

Print
Share
Dark
Light
PDF

Article Summary

Share feedback

Thanks for sharing your feedback!

Metrics

Depending on sensor type, different metrics and KPIs are reported. Directionality and granularity is also depending on the test type and test configuration. This article outline the reported metrics per test type for all sensors – sensor control, sensor agents and Sensor capture

Synthetic measurements (active)

Terminology

Measurement Sessions

A measurement session is a stream of packets sent from a sending endpoint to one or several receiving endpoints. Some streams are reflected back to the origin using reflectors, in this mode of operation the sender is referred to as the source and the refector the target. Other sessions consist of client / server response mechanisms, such as an HTTP GET (web page retreival) where the initiator of the request is the source and the web service is the target. The measurement packets have a wide variety of encodings, including IPv4, IEEE802, TWAMP, etc. A test session can be either a continous test, like 24/7 ping - or a single-run test such as a TCP throughput test.

Measurement sessions types and directions

• One-way (OW) is a unidirectional measurement stream where metrics are measured on a path from a source to a destination (direction SD). A one-way session may also be multicast, from one sender to a group of receivers.
• Two-way (TW) is a bi-directional measurement stream between a sender and a reflector where metrics are measured separately on both paths, i.e., the source to destination (SD) path, and the return path from a reflector and back called the destination to source (DS) path.
• Round Trip (RT) is a bi-directional measurement stream between sender and a reflector (or service like a HTTP server) where metrics are recorded for the full source-destination-source path. In a round-trip measurement, you cannot distinguish between the SD and DS directions.
Note that some session types may report a combination of round-trip and two-way metrics.

Metric Classification

There are several efforts in standardizing metrics, including IETF RFCs and ITU-T. IETF classifies metrics into 'singleton', 'sample', and 'statistical', where singletons are individual instances of a measurement (e.g. the one-way delay of one packet) and samples are a collection of singletons (such as a vector of one-way delay metrics). Statistical metrics are derived from the more primitive values, such as the average of the one-way delay metric over some time interval.

The major part of the metrics in this article fall into the 'statistical' class. Note, though, that some 'higher level' statistical metrics are derived from other statistical metrics. For example, the quality metrics, including MOS and R-value, is computed by a composition of loss and latency together with static codec impairment parameters.

While most statistical metrics are computed immediately at the time of the sampling by the sender/receiver, many of the higher level metrics could be computed off-line, such as by a server or a presentation client.

Continous session metrics report

For continous session types, where the sender never stops transmitting its test packets or streams, a function to periodically report the measurements is leveraged. At every report interval the sender / receiver will collect and calculate KPIs for the last interval into a metrics report which is sent upstream towards Analytics.

The metrics set depends on the session type but typically contains metrics such as max, min, percentiles based on the raw measured metrics.

The metrics reports are numbered (statRound) and timestamped (statTime) and mechanisms are in place to retransmit lost reports if connectivity towards Analytics is down temporarily.
Screenshot 2023-10-02 121708.png

Percentiles

A percentile is a statistical value that represents a distribution of result data. When calculating a percentile, the complete set of data collected during an interval is stored in a list that is sorted in ascending order. A specific percentile may then be retrieved from the sorted list by reading the corresponding element in the list. In this way percentile 0 (min) is equal to the first value (smallest) in the sorted list, percentile 100 is the last value (largest) in the list, and the median (percentile 50) is the value at the middle of the list.

Example, if there are 1000 measured delay values during a report interval; the 99th delay percentile will then represent the 10th highest delay value. I.e the max value after 1% largest values have been discarded. This is useful to filter out spikes and short-lived anomalities that may otherwise disturb any analytics done on the metrics set. Percentiles are abbreviated with a 'p'. The 25th percentile is termed p25, etc.

Metric types for synthetic measurements

Time domain metrics

Time metrics are related to latency, that is, the passing of time between the sending of a packet and its reception or between sending a request towards a service and getting a response.

Counted metrics

Count metrics holds information about number packets received and metrics derived from packet sequence numbering such as loss, reorders and duplicates.

Packet field metrics

These metrics are derived form fields in the received ethernet or IP headers, such as DSCP or TTL values.

Quality metrics

A quality metric is higher level metric derived from one or many metrics to form customer experience measure. Examples include MOS score and TCP efficiency.

Metrics by session type

TWAMP Stateful / Stateless (RFC5357)

Available with sensors:

Sensor control standalone
Sensor control with NFV (SFP compute or Module)
Sensor agent actuate

Session type: continous test at configurable packet per second (PPS) rates
Metrics reporting intervals 1s – 900s
Scheduled execution supported: no - continous mode only

Metrics list

metric	metric variant	unit	directions	description	remark
delay	percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)	μs	SD, DS, RT*	Latency from source to destination or destination to source	* Roundtrip mode supported in Sensor control only
jitter	percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)	μs	SD, DS, RT*	Inter-packet delay variation (IPDV) - difference in delay between consecutive packets	* Roundtrip mode supported in Sensor control only
delay variation	percentiles (25, 50, avg, 75, 90, 95, 98, 99, max)	μs	SD, DS, RT*	Delay variation over the metrics report interval - difference between delay percentile and minimum delay	* Roundtrip mode supported in Sensor control only
loss	packet loss total	packets	SD, DS, (RT*)	Number of lost packets during the report interval	* Roundtrip for TWAMP stateless
loss	lost burst max / min	packets	SD, DS, (RT*)	Longest / shortest loss period length during the report interval	* Roundtrip for TWAMP stateless
loss	lost %	%	SD, DS, (RT*)	Percentage packets lost	* Roundtrip for TWAMP stateless
loss	lost periods	count	SD, DS, (RT*)	Number of loss occurances during the report interval, if any	* Roundtrip for TWAMP stateless
sequence	packets reordered, packets duplicated	count and %	SD, DS, (RT*)	Number and percentage of reordered or duplicated packets	* Roundtrip for TWAMP stateless
out-of-bounds	packets too late	count	SD, DS, (RT*)	Number of packets belonging to a previous interval, where they were reported as lost.	* Roundtrip for TWAMP stateless
dscp	Diffserv code point (TOS) min / max	value	DS	Lowest and highest dscp seen over the report interval	* RFC5357 does not support separation of DSCP per direction, only the received TOS in DS direction can be seen.
ttl	time-to-live min / max	value	SD, DS, (RT*)	Lowest and highest TTL value seen over the report interval	* Roundtrip for TWAMP stateless
vprio	vlan priority min / max	value	SD, DS, (RT*)	Lowest and highest VLAN priority seen over the report interval

UDP / ICMP Echo

Available with sensors:

Sensor control standalone
Sensor control with NFV (SFP compute or Module)
Sensor agent actuate

Session type: continous test at configurable packet per second (PPS) rates
Metrics reporting intervals 1s – 900s
Scheduled execution supported: no - continous mode only

Metrics list

metric	metric variant	unit	directions	description	remark
delay	percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)	μs	RT	Latency from source to destination or destination to source
jitter	percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max)	μs	RT	Inter-packet delay variation (IPDV) - difference in delay between consecutive packets
delay variation	percentiles (25, 50, avg, 75, 90, 95, 98, 99, max)	μs	RT	Delay variation over the metrics report interval - difference between delay percentile and minimum delay
loss	packet loss total	packets	RT	Number of lost packets during the report interval
loss	lost burst max / min	packets	RT	Longest / shortest loss period length during the report interval
loss	lost %	%	RT	Percentage packets lost
loss	lost periods	count	RT	Number of loss occurances during the report interval, if any
sequencing	packets reordered, packets duplicated	count and %	RT	Number and percentage of reordered or duplicated packets
out-of-bounds	packets too late	count	RT	Number of packets belonging to a previous interval, where they were reported as lost.
dscp	Diffserv code point (TOS) min / max	value	RT	Lowest and highest dscp seen over the report interval	UDP echo only
ttl	time-to-live min / max	value	RT	Lowest and highest TTL value seen over the report interval
vprio	vlan priority min / max	value	RT	Lowest and highest VLAN priority seen over the report interval

TCP throughput (RFC6349)

Available with sensors:

Sensor agent throughput

Session type: one-shot test or continous test
Session duration: 1s – 24hrs
Metrics reporting intervals 1s – 60s
Scheduled execution supported: yes

Metrics list

metric	metric variant	unit	directions	description
throughput	tx rate	bits/s	SD, DS	TCP throughput bitrate
delay	buffer delay	ms	RT	Roundtrip delay during test
window	cwnd	kByte	SD, DS	TCP window size during test
retransmission	efficiency retx	kByte	SD, DS	retransmitted data during test
efficiency	TCP efficiency	%	SD, DS	TCP throughput data percentage versus retransmission data during test

path trace

Available with sensors:

Sensor agent trace

Session type: one-shot test
Session duration: undefined
Metrics reporting intervals report after finished trace
Scheduled execution supported: yes

Metrics list

metric	metric variant	unit	directions	description
finalHopAvgRttMs		ms	RT	Average round-trip-time to last hop (destination hop)
finalHopMaxRttMs		ms	RT	Maximum round-trip-time to last hop (destination hop)
finalHopMinRttMs		ms	RT	Minimum round-trip-time to last hop (destination hop)
finalHopTimeoutCount		count	RT	Number of timeouts while trying to reach last hop
hopAvgRttMs	reported individually per hop	ms	RT	Average round-trip time to this hop
hopMaxRttMs	reported individually per hop	ms	RT	Maximum round-trip time to this hop
hopMinRttMs	reported individually per hop	ms	RT	Minimum round-trip time to this hop
hopTimeoutCount	reported individually per hop	count	RT	Number of timeouts while trying to reach this hop
pathAvgRttMs		ms	RT	Sum of all average hop RTT values on the path
pathHopCount		count	RT	Number of hops from source to destination
pathMaxRttMs		ms	RT	Sum of all maximum hop RTT values on the path
pathMinRttMs		ms	RT	Sum of all minimum hop RTT values on the path
pathProbeCount		count	RT	Number of test packets (probes) sent
pathTimeoutCount		count	RT	Sum of all timeouts during test
pathTimeoutPercent		%	RT	Timeouts as a percentage of all probes sent

transfer

Available with sensors:

Sensor agent transfer

Session type: one-shot test or continous test
Session duration: undefined
Metrics reporting intervals report after finished transfer test
Scheduled execution supported: yes, for one-shot mode

Metrics list

metric	unit	directions	description	remark
httpCode	value	RT	Return code from HTTP service
testSpeedBitsPerSec	bits/s	DS	Download speed server to agent
testStatusCode	value	RT	see Agent: transfer - Status codes for details
testTimeNameLookupMs	ms	RT	Time spent looking up the IP address	Can be used as a performance metric for the DNS service
testTimeConnectMs	ms	RT	Time to finish SYN, SYN-ACK TCP connection, including previous DNS lookup phase
testTimeAppConnectMs	ms	RT	Time to complete SSL handshake, including previous DNS and TCP connect phases
testTimePreTransferMs	ms	RT	Time when request for asset sent (HTTP/FTP get for page or file)
testTimeStartTransferMs	ms	RT	Time when first packet of asset started arriving, or error response received if asset nonexistent
testTimeTotalMs	ms	RT	Total time from start of test until asset fully downloaded (or error condition hit)
testTimeRedirectMs	ms	RT	In case of a HTTP redirect, this metric will report the total time for the new DNS lookup plus the time to perform a new TCP and SSL handshake

The agent transfer documentation contains an explanatory picture for the metric flow during a transfer test operation - Agent: transfer - Configuration

Capture-based metrics (passive)

Terminology

Metric or Field

This is the reported statistic, which could be a specific protocol field like "response.status" for the HTTP return code, a metadata type identifier as "client.zone.name" which ties the reported metric to a group of clients in a zone – or a more generic QoE metric like "server.rt" denoting the service / server response time in milliseconds.

Layers

This column indicates in which protocol layer each metric is available. Some metrics are specific for only one protocol, and others are common across many or all supported protocol parsers.

Metrics in alphabetical order

Metric / Field Name	Type	Layers	Description
aborts	number	citrix	The number of aborted Citrix sessions
aborts.ratio	number	citrix	The ratio of aborts to the total number of launch attempts
ajax.requests	number	http	The number of javascript requests
alert.access_denied	bool	tls	A valid certificate was received, but when access control was applied, the sender decided not to proceed with negotiation. Code 49.
alert.bad_certificate	bool	tls	A certificate was corrupt, contained signatures that did not verify correctly, etc. Code 42.
alert.bad_record_mac	bool	tls	This alert is returned if a record is received with an incorrect MAC. Code 20.
alert.certificate_expired	bool	tls	A certificate has expired or is not currently valid. Code 45.
alert.certificate_revoked	bool	tls	A certificate was revoked by its signer. Code 44.
alert.certificate_unknown	bool	tls	Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable. Code 46.
alert.close_notify	bool	tls	This message notifies the recipient that the sender will not send any more messages on this connection. Code 0.
alert.decode_error	bool	tls	A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. Code 50.
alert.decompression_failure	bool	tls	The decompression function received improper input (e.g., data that would expand to excessive length). Code 30.
alert.decrypt_error	bool	tls	A handshake cryptographic operation failed, including being unable to correctly verify a signature or validate a Finished message. Code 51.
alert.decryption_failed	bool	tls	This alert was used in some earlier versions of TLS, and may have permitted certain attacks against the CBC mode. Code 21.
alert.export_restriction	bool	tls	This alert was used in some earlier versions of TLS. Code 60.
alert.handshake_failure	bool	tls	Reception of a handshake failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. Code 40.
alert.illegal_parameter	bool	tls	A field in the handshake was out of range or inconsistent with other fields. Code 47.
alert.insufficient_security	bool	tls	Returned instead of a handshake failure when a negotiation has failed specifically because the server requires ciphers more secure than those supported by the client. Code 71.
alert.internal_error	bool	tls	An internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue. Code 80.
alert.no_certificate	bool	tls	This alert was used in SSLv3 but not any version of TLS. Code 41.
alert.no_renegotiation	bool	tls	Sent by the client in response to a hello request or by the server in response to a client hello after initial handshaking. Code 100.
alert.protocol_version	bool	tls	The protocol version the client has attempted to negotiate is recognized but not supported. Code 70.
alert.record_overflow	bool	tls	A TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes. Code 22.
alert.unexpected_message	bool	tls	An inappropriate message was received. Code 10.
alert.unknown_ca	bool	tls	A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. Code 48.
alert.unsupported_certificate	bool	tls	A certificate was of an unsupported type. Code 43.
alert.unsupported_extension	bool	tls	Sent by clients that receive an extended server hello containing an extension that they did not put in the corresponding client hello. Code 110.
alert.user_canceled	bool	tls	This handshake is being canceled for some reason unrelated to a protocol failure. Code 90.
alert_types	alerttypes	tls	Flags of alerts present in the TLS conversation
application.id	application_id	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The application ID
application.name	application	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The application
attempts	number	citrix	The total number of launch attempts
begin	time	citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip	The timestamp of the first captured packet
begins	number	voip	The number of VoIP flows that started
call	string	voip	The VoIP call id
call.direction	calldirection	voip	The direction (inbound, outbound, unknown) of the VoIP calls
call.duration	number	voip	The total duration of the VoIP calls
call.global.jitter	number	voip	The average measured jitter for call PDUs (protocol data units) in both directions
call.global.rtt	number	voip	The average round-trip time for call PDUs (protocol data units) in both directions
call.jitter.count	number	voip	The total number of measured jitters for call PDUs (protocol data units) in both directions
call.jitter.deviation	number	voip	The deviation of the measured jitter for call PDUs (protocol data units) in both directions
call.jitter.total	number	voip	The sum of both caller and callee average round-trip times
call.rtt.count	number	voip	The total number of round-trip times for call PDUs (protocol data units) in both directions
call.rtt.deviation	number	voip	The deviation of the round-trip time for call PDUs (protocol data units) in both directions
call.rtt.total	number	voip	The sum of both caller and callee average round-trip times
call.state	callstate	voip	The latest call state in this conversation
callee	string	voip	The VoIP callee id
callee.codec	string	voip	The voice codec of the callee
callee.ip	ip	voip	The IP address of the callee
callee.jitter	number	voip	The average measured jitter for a PDU (protocol data unit) emitted by the callee
callee.jitter.count	number	voip	The number of measured jitters for PDUs (protocol data units) emitted by the callee
callee.jitter.deviation	number	voip	The deviation of the measured jitters for PDUs (protocol data units) emitted by the callee
callee.label	string	voip	The display name of the callee
callee.lost.pdus	number	voip	The number of lost callee PDUs (protocol data units)
callee.lost.pdus.ratio	number	voip	The ratio of lost to the total number of PDUs (protocol data units) emitted by the callee
callee.mac	mac	voip	The MAC address of the Callee
callee.rtt	number	voip	The average round-trip time for PDUs (protocol data units) emitted by the caller
callee.rtt.count	number	voip	The number of round-trip times for PDUs (protocol data units) emitted by the caller
callee.rtt.deviation	number	voip	The deviation of the round-trip time for PDUs (protocol data units) emitted by the caller
callee.zone.id	zone_id	voip	The zone ID of the callee
callee.zone.name	zone	voip	The zone of the callee
caller	string	voip	The VoIP caller id
caller.codec	string	voip	The voice codec of the caller
caller.ip	ip	voip	The IP address of the caller
caller.jitter	number	voip	The average measured jitter for a PDU (protocol data unit) emitted by the the caller
caller.jitter.count	number	voip	The number of measured jitters for PDUs (protocol data units) emitted by the caller
caller.jitter.deviation	number	voip	The deviation of the measured jitters for PDUs (protocol data units) emitted by the caller
caller.label	string	voip	The display name of the caller
caller.lost.pdus	number	voip	The number of lost caller PDUs (protocol data units)
caller.lost.pdus.ratio	number	voip	The ratio of lost to the total number of PDUs (protocol data units) emitted by the caller
caller.mac	mac	voip	The MAC address of the Caller
caller.rtt	number	voip	The average round-trip time for PDUs (protocol data units) emitted by the callee
caller.rtt.count	number	voip	The number of round-trip times for PDUs (protocol data units emitted by the callee
caller.rtt.deviation	number	voip	The deviation of the round-trip time for PDUs (protocol data units) emitted by the callee
caller.zone.id	zone_id	voip	The zone ID of the caller
caller.zone.name	zone	voip	The zone of the caller
capture.hostname	poller	citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip	The probe device hostname that captured this traffic
capture.id	poller_id	citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip	The probe device ID that captured this traffic
cgp.client.pdus	number	citrix	The total number of CGP PDUs (protocol data units) at applicative level emitted by the client
cgp.dest.pdus	number	citrix	The total number of CGP PDUs (protocol data units) at applicative level emitted by the destination
cgp.pdus	number	citrix	The total number of CGP PDUs (protocol data units) at applicative level in both directions
cgp.server.pdus	number	citrix	The total number of CGP PDUs (protocol data units) at applicative level emitted by the server
cgp.source.pdus	number	citrix	The total number of CGP PDUs (protocol data units) at applicative level emitted by the source
channel	channel	citrix_channels	The Citrix channel
chunked.transfers	number	http	The number of times the HTTP 'chunked' transfer encoding has been used
cipher	ciphersuite	tls	The set of cryptographic algorithms used to secure this conversation
cipher.is_weak	bool	tls	Is the TLS cipher weak?
citrix.application	string	citrix citrix_channels	The published Citrix application being executed
client.common_name	string	tls	The Common Name of the client certificate
client.compressed.pdus	number	citrix_channels	The number of compressed client PDUs (protocol data units)
client.compressed.pdus.ratio	number	citrix_channels	The ratio of compressions to the total number of PDUs (protocol data units) emitted by the client
client.data	number	tls	The total number of client data PDUs (protocol data units)
client.datasource.kind	pktsourcekind	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (client-side)
client.datasource.name	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source name on which this traffic has been captured (client-side)
client.datasource.pair	pktsourcepair	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type and name on which this traffic has been captured (client-side)
client.diffserv	diffserv	icmp other_ip tcp udp	The client differentiated service
client.dtt	number	citrix citrix_channels databases http smb tcp tls	The average data-transfer time for PDUs (protocol data units) emitted by the client
client.dtt.count	number	citrix citrix_channels databases http smb tcp tls	The number of data-transfer times for PDUs (protocol data units) emitted by the client
client.dtt.deviation	number	citrix citrix_channels databases http smb tcp tls	The deviation of the data-transfer time for PDUs (protocol data units) emitted by the client
client.dupacks	number	tcp	The number of duplicated ACK packets from the client
client.dupacks.ratio	number	tcp	The ratio of duplicated ACKs to the total number of packets emitted by the client
client.emtu	number	icmp non_ip other_ip tcp udp	The maximum payload in a single ethernet packet emmited by the client in these conversations (this value is assumed to be the MTU of the client's network interface, although the actual MTU value might be greater)
client.error.ip	ip	icmp	The IP address of the client, as it appears in the headers of the ICMP error message
client.error.port	port	icmp	The port of the client, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
client.error.zone.id	zone_id	icmp	The zone ID of the client, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
client.error.zone.name	zone	icmp	The zone of the client, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
client.expiration	time	tls	The expiration date of the client certificate
client.file	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the Pcap File used as traffic source (client-side)
client.fins	number	tcp	The number of FIN packets emitted by the client
client.fins.ratio	number	tcp	The average number of client FIN packets in a connection
client.hostname	hostname	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The hostname of the client
client.interface	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured (client-side)
client.ip	ip	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The IP address of the client
client.ja3	tls_fingerprint	tls	The JA3 client fingerprint
client.keepalives	number	citrix	The number of keep alives from the client
client.key.bits	number	tls	The number of bits in the client key
client.key.type	keytype	tls	The type of the client key
client.mac	mac	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The MAC address of the client
client.meta	number	tls	The total number of client metadata (handshake, change cipher spec & alerts PDU types)
client.os	os	tcp	The client operating system
client.payload	number	citrix citrix_channels tcp tls udp voip	The total amount of bytes of data (without headers) emitted by the client
client.payload.pdus	number	citrix citrix_channels tcp voip	The total number of PDUs (protocol data units) with payload emitted by the client
client.payload.ratio	number	citrix citrix_channels tcp tls udp voip	The ratio of payload bytes to the entire traffic emitted by the client
client.pdus	number	citrix citrix_channels dns icmp non_ip other_ip tcp udp voip	The total number of PDUs (protocol data units) at applicative level emitted by the client
client.port	port	citrix citrix_channels databases http smb tcp tls udp voip	The TCP/UDP port of the client
client.rd	number	tcp	The average retransmission delay for PDUs emitted by the client
client.rd.count	number	tcp	The number of retransmission delays for PDUs emitted by the client
client.rd.deviation	number	tcp	The deviation of the retransmission delay for PDUs emitted by the client
client.remote	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured via rpcapd (client-side)
client.retrans.payload	number	tcp	The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the client
client.retrans.pdus.ratio	number	tcp	The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the client
client.retrans.traffic	number	tcp	The total amount of bytes in retransmitted PDUs emitted by the client
client.retrans.traffic.ratio	number	tcp	The ratio of retransmitted traffic to the entire traffic emitted by the client
client.rsts	number	tcp	The number of RST packets emitted by the client
client.rsts.ratio	number	tcp	The average number of client RST packets in a connection
client.rtt	number	tcp	The average round-trip time for PDUs (protocol data units) emitted by the server
client.rtt.count	number	tcp	The number of round-trip times for PDUs (protocol data units) emitted by the server
client.rtt.deviation	number	tcp	The deviation of the round-trip time for PDUs (protocol data units) emitted by the server
client.signalization.payload	number	voip	The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the client
client.signalization.pdus	number	voip	The total number of signalization PDUs (protocol data units) emitted by the client
client.signalization.rd	number	voip	The average retransmission delay for signalization PDUs (protocol data units) emitted by the client
client.signalization.rd.count	number	voip	The number of retransmission delays for signalization PDUs (protocol data units) emitted by the client
client.signalization.rd.deviation	number	voip	The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the client
client.signalization.retrans.pdus.ratio	number	voip	The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the client
client.signalization.rtt	number	voip	The average round-trip time for signalization PDUs (protocol data units) emitted by the server
client.signalization.rtt.count	number	voip	The number of round-trip times for signalization PDUs (protocol data units) emitted by the server
client.signalization.rtt.deviation	number	voip	The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the server
client.signalization.traffic	number	voip	The total amount of bytes in signalization PDUs (protocol data units) emitted by the client
client.signature	string	tls	The client signature
client.traffic	number	dns icmp non_ip other_ip tcp tls udp voip	The total amount of bytes emitted by the client
client.vlan	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the client side of the transaction (alias of client.vlans.inner)
client.vlans	array	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The VLAN ids on the client side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
client.vlans.count	number	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The number of VLANs on the client side of the transaction
client.vlans.inner	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the client side of the transaction
client.vlans.outer	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The outer VLAN id on the client side of the transaction
client.zero_windows	number	tcp	The number of zero-window size packets emitted by the client
client.zero_windows.ratio	number	tcp	The ratio of zero-window size to the total number of packets emitted by the client
client.zone.id	zone_id	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone id of the client
client.zone.name	zone	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone of the client
closes	number	tcp	The number of TCP sessions that ended properly (by acked FIN or RST)
command	databasecommand	databases	The database command type
compressed.pdus	number	citrix_channels	The total number of compressed PDUs (protocol data units) in both directions
compressed.pdus.ratio	number	citrix_channels	The ratio of compressions to the total number of PDUs (protocol data units) in both directions
compressed.responses	number	http	The number of compressed HTTP responses
ct	number	tcp tls	The average connection time
ct.count	number	tcp tls	The number of successful handshakes
ct.deviation	number	tcp tls	The deviation of the connection time
data.payload	number	smb	The total amount of bytes of data in both directions
database	string	databases	The name of the database
dcerpc	dcerpc	tcp udp	The identifier of the DCE/RPC service
decrypted	number	tls	The number of decrypted conversations
dest.common_name	string	tls	The Common Name of the destination certificate
dest.compressed.pdus	number	citrix_channels	The number of compressed destination PDUs (protocol data units)
dest.compressed.pdus.ratio	number	citrix_channels	The ratio of compressions to the total number of PDUs (protocol data units) emitted by the destination
dest.data	number	tls	The total number of destination data PDUs (protocol data units)
dest.datasource.kind	pktsourcekind	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (destination-side)
dest.datasource.name	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source name on which this traffic has been captured (destination-side)
dest.datasource.pair	pktsourcepair	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type and name on which this traffic has been captured (destination-side)
dest.diffserv	diffserv	icmp other_ip tcp udp	The destination differentiated service
dest.dtt	number	citrix citrix_channels databases http smb tcp tls	The average data-transfer time for PDUs (protocol data units) emitted by the destination
dest.dtt.count	number	citrix citrix_channels databases http smb tcp tls	The number of data-transfer times for PDUs (protocol data units) emitted by the destination
dest.dtt.deviation	number	citrix citrix_channels databases http smb tcp tls	The deviation of the data-transfer time for PDUs (protocol data units) emitted by the destination
dest.dupacks	number	tcp	The number of duplicated ACK packets from the destination
dest.dupacks.ratio	number	tcp	The ratio of duplicated ACKs to the total number of packets emitted by the destination
dest.emtu	number	icmp non_ip other_ip tcp udp	The maximum payload in a single ethernet packet emmited by the destination in these conversations (this value is assumed to be the MTU of the destination's network interface, although the actual MTU value might be greater)
dest.error.ip	ip	icmp	The IP address of the destination, as it appears in the headers of the ICMP error message
dest.error.port	port	icmp	The port of the destination, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
dest.error.zone.id	zone_id	icmp	The zone ID of the destination, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
dest.error.zone.name	zone	icmp	The zone of the destination, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
dest.expiration	time	tls	The expiration date of the destination certificate
dest.file	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the Pcap File used as traffic source (destination-side)
dest.fins	number	tcp	The number of FIN packets emitted by the destination
dest.fins.ratio	number	tcp	The average number of destination FIN packets in a connection
dest.hostname	hostname	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The hostname of the destination
dest.interface	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured (destination-side)
dest.ip	ip	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The IP address of the destination
dest.ja3	tls_fingerprint	tls	The JA3 destination fingerprint
dest.keepalives	number	citrix	The number of keep alives from the destination
dest.key.bits	number	tls	The number of bits in the destination key
dest.key.type	keytype	tls	The type of the destination key
dest.mac	mac	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The MAC address of the destination
dest.meta	number	tls	The total number of destination metadata (handshake, change cipher spec & alerts PDU types)
dest.os	os	tcp	The destination operating system
dest.payload	number	citrix citrix_channels tcp tls udp voip	The total amount of bytes of data (without headers) emitted by the destination
dest.payload.pdus	number	citrix citrix_channels tcp voip	The total number of PDUs (protocol data units) with payload emitted by the destination
dest.payload.ratio	number	citrix citrix_channels tcp tls udp voip	The ratio of payload bytes to the entire traffic emitted by the destination
dest.pdus	number	citrix citrix_channels dns icmp non_ip other_ip tcp udp voip	The total number of PDUs (protocol data units) at applicative level emitted by the destination
dest.port	port	citrix citrix_channels databases http smb tcp tls udp voip	The TCP/UDP port of the destination
dest.rd	number	tcp	The average retransmission delay for PDUs emitted by the destination
dest.rd.count	number	tcp	The number of retransmission delays for PDUs emitted by the destination
dest.rd.deviation	number	tcp	The deviation of the retransmission delay for PDUs emitted by the destination
dest.remote	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured via rpcapd (destination-side)
dest.retrans.payload	number	tcp	The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the destination
dest.retrans.pdus.ratio	number	tcp	The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the destination
dest.retrans.traffic	number	tcp	The total amount of bytes in retransmitted PDUs emitted by the destination
dest.retrans.traffic.ratio	number	tcp	The ratio of retransmitted traffic to the entire traffic emitted by the destination
dest.rsts	number	tcp	The number of RST packets emitted by the destination
dest.rsts.ratio	number	tcp	The average number of destination RST packets in a connection
dest.rtt	number	tcp	The average round-trip time for PDUs (protocol data units) emitted by the source
dest.rtt.count	number	tcp	The number of round-trip times for PDUs (protocol data units) emitted by the source
dest.rtt.deviation	number	tcp	The deviation of the round-trip time for PDUs (protocol data units) emitted by the source
dest.signalization.payload	number	voip	The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the destination
dest.signalization.pdus	number	voip	The total number of signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rd	number	voip	The average retransmission delay for signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rd.count	number	voip	The number of retransmission delays for signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rd.deviation	number	voip	The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the destination
dest.signalization.retrans.pdus.ratio	number	voip	The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the destination
dest.signalization.rtt	number	voip	The average round-trip time for signalization PDUs (protocol data units) emitted by the source
dest.signalization.rtt.count	number	voip	The number of round-trip times for signalization PDUs (protocol data units) emitted by the source
dest.signalization.rtt.deviation	number	voip	The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the source
dest.signalization.traffic	number	voip	The total amount of bytes in signalization PDUs (protocol data units) emitted by the destination
dest.signature	string	tls	The destination signature
dest.traffic	number	dns icmp non_ip other_ip tcp tls udp voip	The total amount of bytes emitted by the destination
dest.vlan	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the destination side of the transaction (alias of destination.vlans.inner)
dest.vlans	array	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The VLAN ids on the destination side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
dest.vlans.count	number	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The number of VLANs on the destination side of the transaction
dest.vlans.inner	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the destination side of the transaction
dest.vlans.outer	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The outer VLAN id on the destination side of the transaction
dest.zero_windows	number	tcp	The number of zero-window size packets emitted by the destination
dest.zero_windows.ratio	number	tcp	The ratio of zero-window size to the total number of packets emitted by the destination
dest.zone.id	zone_id	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone id of the destination
dest.zone.name	zone	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone of the destination
dns.rt	number	dns	The average DNS response time
dns.rt.deviation	number	dns	The deviation of the DNS response time
domain	string	citrix citrix_channels smb	The Windows Domain of the user
domain.primary	string	http tls	The primary domain name (www.example.org -> example.org)
domain.short	string	http tls	The primary domain name, without TLD
domain.toplevel	string	http tls	The top-level domain name (TLD)
dtt.count	number	citrix citrix_channels databases http smb tcp tls	The total number of data-transfer times in both directions
dtt.deviation	number	citrix citrix_channels databases http smb tcp tls	The deviation of the data-transfer time in both directions
dtt.total	number	citrix citrix_channels databases http smb tcp tls	The sum of both client and server average data-transfer times
dupacks	number	tcp	The total number of duplicated ACK packets in both directions
dupacks.ratio	number	tcp	The ratio of duplicated ACKs to the total number of packets in both directions
encryption	encryption	citrix	The Citrix encryption type
end	time	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The timestamp of the last captured packet
ends	number	voip	The number of VoIP flows that ended
error.alerts	number	tls	The total number of error alerts (everything but close notifications)
error.code	string	databases	The error code, specific to some databases (MySQL, TDS and TNS)
error.hits	number	http	The number of hits with a response code of at least 400
error.message	string	databases	The database error message
error.protocol	ipprotocol	icmp	The IP protocol of the PDU (protocol data unit) transported by the ICMP error message
error.status	string	databases	The database error status
errors	number	databases dns smb voip	The number of errors
errors.ratio	number	databases dns smb voip	The ratio of errors to the total number of queries
file	path	smb	The file path
file.count	number	flows	The number of processed files
file.id	descriptor	smb	The CIFS file descriptor id
fins	number	tcp	The total number of FIN packets in both directions
fins.ratio	number	tcp	The average number of FIN packets in a connection
global.dtt	number	citrix citrix_channels databases http smb tcp tls	The average data-transfer time in both directions
global.emtu	number	icmp non_ip other_ip tcp udp	The maximum payload in a single ethernet packet in both directions
global.rd	number	tcp	The average retransmission delay in both directions
global.rtt	number	tcp	The average round-trip time in both directions
global.signalization.rd	number	voip	The average retransmission delay for signalization PDUs (protocol data units) in both directions
global.signalization.rtt	number	voip	The average round-trip time for signalization PDUs (protocol data units) in both directions
has_contributed	bool	http	Did this hit contribute to the metrics of the page it is attached to?
has_timeouted	bool	databases http smb	Did this transaction timeout?
has_voice	bool	voip	Was there any voice in the conversation?
headers	number	http	The total amount of bytes of headers in both query and response PDUs (protocol data units)
hit	uuid	http	This hit's unique identifier
hit.parent	uuid	http	This hit's parent's unique identifier
hit.referrer	uuid	http	This hit's referrer's unique identifier
hit.rt	number	http	The average hit response time
hit.rt.count	number	http	The number of HTTP hit response times
hit.rt.deviation	number	http	The deviation of the hit response time
hits	number	http	The number of HTTP hits
host	string	http	The URL Host
icmp.code	number	icmp	The ICMP message code
icmp.message	icmpmessage	icmp	The ICMP message
icmp.type	icmptype	icmp	The ICMP message type
ip.family	ipfamily	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The IP address family
ip.protocol	ipprotocol	other_ip voip	The IP protocol
is_ajax	bool	http	Is this hit requested through javascript?
is_chunked	bool	http	Does this hit use HTTP 'chunked' transfer encoding?
is_compressed	bool	http	Is this hit compressed?
is_deepinspect	bool	http	Was page reconstruction activated for this hit?
is_main	bool	http	Is this hit the main resource of the page?
is_root	bool	http	Is this a root hit?
keepalives	number	citrix	The total number of keep alives in both directions
launch.time	number	citrix	The average launch time for Citrix applications
launch.time.deviation	number	citrix	The deviation of the launch time
layer	layer	citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip	The layer
login.time	number	citrix	The average login time
login.time.count	number	citrix	The number of logins
login.time.deviation	number	citrix	The deviation of the login time
lost.pdus	number	voip	The total number of lost PDUs (protocol data units) in both directions
lost.pdus.ratio	number	voip	The ratio of lost to the total number of PDUs (protocol data units) in both directions
metadata.payload	number	smb	The total amount of bytes of metadata in both directions
metadata.read	number	smb	The total amount of bytes of metadata read by SMB commands (directory listing commands, for example)
metadata.written	number	smb	The total amount of bytes of metadata written by SMB commands
method	httpquerymethod	http	The HTTP request method
module	string	citrix	The name of the Citrix module used by the client
mos	number	voip	The VOIP mean opinion score
netflow.hostname	hostname	icmp tcp udp	The hostname of the emitter
netflow.ip	ip	icmp tcp udp	The IP address of the emitter
nonip.protocol	ethernetprotocol	non_ip	The OSI layer 2 protocol
origin.ip	ip	http	The original client's IP, as it appears in the HTTP header
page.begin	time	http	The timestamp of the first packet in this page
page.end	time	http	The timestamp of the last packet in this page
page.errors	number	http	The number of errors in all the hits that contributed to these pages, errors consisting of HTTP response codes of at least 400
page.hits	number	http	The number of hits that contributed to these pages
page.load.time	number	http	The average page load time
page.load.time.deviation	number	http	The deviation of the page load time
page.request.traffic	number	http	The total amount of bytes of request traffic (headers + payload) in all the hits that contributed to these pages
page.response.traffic	number	http	The total amount of bytes of response traffic (headers + payload) in all the hits that contributed to these pages
page.timeouts	number	http	The number of timeouts in all the hits that contributed to these pages
page.traffic	number	http	The total amount of bytes of query and response traffic (headers + payload) in all the hits that contributed to these pages
pages	number	http	The number of HTTP pages
payload	number	citrix citrix_channels databases http smb tcp udp voip	The total amount of bytes of data (without headers) in both directions
payload.pdus	number	citrix citrix_channels tcp voip	The total number of PDUs (protocol data units) with payload in both directions
payload.ratio	number	citrix citrix_channels tcp tls udp voip	The ratio of payload bytes to the entire traffic in both directions
pcap	string	dns tcp voip	The link to the associated captured PCAP file (generated according to the configuration of zones and applications)
pdus	number	citrix citrix_channels databases dns icmp non_ip other_ip smb tcp udp voip	The total number of PDUs (protocol data units) at applicative level in both directions
points	number	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The number of points
protostack	protostack	citrix citrix_channels databases icmp non_ip other_ip smb tcp tls udp voip	The protocol stack
queries	number	databases dns smb	The number of queries
query	databasequery	databases	The database query
query.begin	time	databases smb	The timestamp of the first query packet
query.class	dnsclass	dns	The class of the DNS query
query.end	time	databases smb	The timestamp of the last query packet
query.name	string	dns	The name of the DNS query
query.payload	number	databases smb	The total amount of bytes of payload in query PDUs (protocol data units) emitted by the client
query.pdus	number	databases smb	The total number of query PDUs (protocol data units) at applicative level
query.tcp_pdus	number	http	The number of TCP packets that form up these HTTP queries
query.type	dnstype	dns	The type of the DNS query
query.write	number	smb	The total amount of bytes of data to be written
query_256	databasequery	databases	First 256 characters of the query
rd.count	number	tcp	The total number of retransmission delays in both directions
rd.deviation	number	tcp	The deviation of the retransmission delay in both directions
rd.total	number	tcp	The sum of both client and server average data-transfer times
request.begin	time	http	The timestamp of the first request packet
request.content_length	number	http	The average Content-Length in the headers of these HTTP requests
request.content_length.count	number	http	The number of HTTP requests with a Content-Length header
request.content_pack	path	http	The path to the pack file that contains the HTTP request content
request.content_type	mimetype	http	The mime-type in the Content-Type header of the HTTP request
request.end	time	http	The timestamp of the last request packet
request.headers	number	http	The total amount of bytes of headers in request PDUs (protocol data units) emitted by the client
request.payload	number	http	The total amount of bytes of payload in request PDUs (protocol data units) emitted by the client
request.payload.sha256	sha256	http	The hash sha256 calculated using the bytes of payload in request PDUs (protocol data units) emitted by the client
request.traffic	number	http	The total amount of bytes (headers + payload) in request PDUs (protocol data units) emitted by the client
response.begin	time	databases http smb	The timestamp of the first response packet
response.category	string	http	The HTTP response mime-type's category
response.class	dnsclass	dns	The class of the DNS response
response.code	dnscode	dns	The DNS response code
response.content_length	number	http	The average Content-Length in the headers of these HTTP responses
response.content_length.count	number	http	The number of HTTP responses with a Content-Length header
response.content_pack	path	http	The path to the pack file that contains the HTTP response content
response.content_type	mimetype	http	The mime-type in the Content-Type header of the HTTP response
response.end	time	databases http smb	The timestamp of the first response packet
response.headers	number	http	The total amount of bytes of headers in response PDUs (protocol data units) emitted by the server
response.payload	number	databases http smb	The total amount of bytes of payload in response PDUs (protocol data units) emitted by the server
response.payload.sha256	sha256	http	The hash sha256 calculated using the bytes of payload in response PDUs (protocol data units) emitted by the server
response.pdus	number	databases smb	The total number of PDUs (protocol data units) at applicative level emitted by the server
response.read	number	smb	The total amount of bytes of data read by SMB commands
response.status	httpstatus	http	The HTTP response code
response.status.category	httpstatuscategory	http	The category of the response status code
response.tcp_pdus	number	http	The number of TCP packets that form up these HTTP responses
response.traffic	number	http	The total amount of bytes (headers + payload) in response PDUs (protocol data units) emitted by the client
response.type	dnstype	dns	The type of the DNS response
response.written	number	smb	The total amount of bytes of data effectively written by SMB commands
resumed	number	tls	The number of resumed sessions
retrans.payload	number	tcp	The total amount of bytes of data (without headers) in retransmitted PDUs in both directions
retrans.pdus.ratio	number	tcp	The ratio of retransmissions to the total number of PDUs (protocol data units) with payload in both directions
retrans.traffic	number	dns icmp non_ip other_ip tcp udp voip	The total amount of bytes in retransmitted PDUs in both directions
retrans.traffic.ratio	number	tcp	The ratio of retransmitted traffic to the entire traffic in both directions
rows.integrated	number	flows	The number of integrated rows
rows.integrated.per_minute	number	flows	The number of integrated rows per minute
rows.total	number	flows	The total number of analyzed rows
rows.total.per_minute	number	flows	The number of total rows per minute
rows.truncated	number	flows	The number of truncated rows
rows.truncated.per_minute	number	flows	The number of truncated rows per minute
rsts	number	tcp	The total number of RST packets in both directions
rsts.ratio	number	tcp	The average number of RST packets in a connection
rtt.count	number	tcp	The total number of round-trip times in both directions
rtt.deviation	number	tcp	The deviation of the round-trip time in both directions
rtt.total	number	tcp	The sum of both client and server average round-trip times
server.common_name	string	tls	The Common Name of the server certificate
server.compressed.pdus	number	citrix_channels	The number of compressed server PDUs (protocol data units)
server.compressed.pdus.ratio	number	citrix_channels	The ratio of compressions to the total number of PDUs (protocol data units) emitted by the server
server.data	number	tls	The total number of server data PDUs (protocol data units)
server.datasource.kind	pktsourcekind	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (server-side)
server.datasource.name	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source name on which this traffic has been captured (server-side)
server.datasource.pair	pktsourcepair	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type and name on which this traffic has been captured (server-side)
server.diffserv	diffserv	icmp other_ip tcp udp	The server differentiated service
server.dtt	number	citrix citrix_channels databases http smb tcp tls	The average data-transfer time for PDUs (protocol data units) emitted by the server
server.dtt.count	number	citrix citrix_channels databases http smb tcp tls	The number of data-transfer times for PDUs (protocol data units) emitted by the server
server.dtt.deviation	number	citrix citrix_channels databases http smb tcp tls	The deviation of the data-transfer time for PDUs (protocol data units) emitted by the server
server.dupacks	number	tcp	The number of duplicated ACK packets from the server
server.dupacks.ratio	number	tcp	The ratio of duplicated ACKs to the total number of packets emitted by the server
server.emtu	number	icmp non_ip other_ip tcp udp	The maximum payload in a single ethernet packet emmited by the server in these conversations (this value is assumed to be the MTU of the server's network interface, although the actual MTU value might be greater)
server.error.ip	ip	icmp	The IP address of the server, as it appears in the headers of the ICMP error message
server.error.port	port	icmp	The port of the server, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
server.error.zone.id	zone_id	icmp	The zone ID of the server, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
server.error.zone.name	zone	icmp	The zone of the server, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
server.expiration	time	tls	The expiration date of the server certificate
server.file	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the Pcap File used as traffic source (server-side)
server.fins	number	tcp	The number of FIN packets emitted by the server
server.fins.ratio	number	tcp	The average number of server FIN packets in a connection
server.hostname	hostname	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The hostname of the server
server.interface	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured (server-side)
server.ip	ip	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The IP address of the server
server.ja3	tls_fingerprint	tls	The JA3 server fingerprint
server.keepalives	number	citrix	The number of keep alives from the server
server.key.bits	number	tls	The number of bits in the server key
server.key.type	keytype	tls	The type of the server key
server.mac	mac	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The MAC address of the server
server.meta	number	tls	The total number of server metadata (handshake, change cipher spec & alerts PDU types)
server.os	os	tcp	The server operating system
server.payload	number	citrix citrix_channels tcp tls udp voip	The total amount of bytes of data (without headers) emitted by the server
server.payload.pdus	number	citrix citrix_channels tcp voip	The total number of PDUs (protocol data units) with payload emitted by the server
server.payload.ratio	number	citrix citrix_channels tcp tls udp voip	The ratio of payload bytes to the entire traffic emitted by the server
server.pdus	number	citrix citrix_channels dns icmp non_ip other_ip tcp udp voip	The total number of PDUs (protocol data units) at applicative level emitted by the server
server.port	port	citrix citrix_channels databases http smb tcp tls udp voip	The TCP/UDP port of the server
server.rd	number	tcp	The average retransmission delay for PDUs emitted by the server
server.rd.count	number	tcp	The number of retransmission delays for PDUs emitted by the server
server.rd.deviation	number	tcp	The deviation of the retransmission delay for PDUs emitted by the server
server.remote	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured via rpcapd (server-side)
server.retrans.payload	number	tcp	The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the server
server.retrans.pdus.ratio	number	tcp	The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the server
server.retrans.traffic	number	tcp	The total amount of bytes in retransmitted PDUs emitted by the server
server.retrans.traffic.ratio	number	tcp	The ratio of retransmitted traffic to the entire traffic emitted by the server
server.rsts	number	tcp	The number of RST packets emitted by the server
server.rsts.ratio	number	tcp	The average number of server RST packets in a connection
server.rt	number	citrix citrix_channels databases smb tcp tls	The average server response time (SRT)
server.rt.count	number	citrix citrix_channels databases smb tcp tls	The number of server response times
server.rt.deviation	number	citrix citrix_channels databases smb tcp tls	The deviation of the server response time
server.rtt	number	tcp	The average round-trip time for PDUs (protocol data units) emitted by the client
server.rtt.count	number	tcp	The number of round-trip times for PDUs (protocol data units) emitted by the client
server.rtt.deviation	number	tcp	The deviation of the round-trip time for PDUs (protocol data units) emitted by the client
server.signalization.last_code	number	voip	Last SIP or MGCP response code
server.signalization.payload	number	voip	The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the server
server.signalization.pdus	number	voip	The total number of signalization PDUs (protocol data units) emitted by the server
server.signalization.rd	number	voip	The average retransmission delay for signalization PDUs (protocol data units) emitted by the server
server.signalization.rd.count	number	voip	The number of retransmission delays for signalization PDUs (protocol data units) emitted by the server
server.signalization.rd.deviation	number	voip	The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the server
server.signalization.retrans.pdus.ratio	number	voip	The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the server
server.signalization.rt	number	voip	The average server response time for signalization PDUs (protocol data units)
server.signalization.rt.count	number	voip	The number of server response times for signalization PDUs (protocol data units)
server.signalization.rt.deviation	number	voip	The deviation of the server response time for signalization PDUs (protocol data units)
server.signalization.rtt	number	voip	The average round-trip time for signalization PDUs (protocol data units) emitted by the client
server.signalization.rtt.count	number	voip	The number of round-trip times for signalization PDUs (protocol data units) emitted by the client
server.signalization.rtt.deviation	number	voip	The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the client
server.signalization.traffic	number	voip	The total amount of bytes in signalization PDUs (protocol data units) emitted by the server
server.signature	string	tls	The server signature
server.traffic	number	dns icmp non_ip other_ip tcp tls udp voip	The total amount of bytes emitted by the server
server.vlan	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the server side of the transaction (alias of server.vlans.inner)
server.vlans	array	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The VLAN ids on the server side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
server.vlans.count	number	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The number of VLANs on the server side of the transaction
server.vlans.inner	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the server side of the transaction
server.vlans.outer	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The outer VLAN id on the server side of the transaction
server.zero_windows	number	tcp	The number of zero-window size packets emitted by the server
server.zero_windows.ratio	number	tcp	The ratio of zero-window size to the total number of packets emitted by the server
server.zone.id	zone_id	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone id of the server
server.zone.name	zone	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone of the server
server_name	string	tls	The Server Name Indication of the conversation
signalization.pdus	number	voip	The total number of signalization PDUs (protocol data units) in both directions
signalization.rd.count	number	voip	The total number of retransmission delays for signalization PDUs (protocol data units) in both directions
signalization.rd.deviation	number	voip	The deviation of the retransmission delay for signalization PDUs (protocol data units) in both directions
signalization.rd.total	number	voip	The sum of both client and server average retransmission delays for signalization PDUs (protocol data units)
signalization.retrans.pdus.ratio	number	voip	The ratio of retransmissions to the total number of signalization PDUs (protocol data units) in both directions
signalization.rtt.count	number	voip	The total number of round-trip times for signalization PDUs (protocol data units) in both directions
signalization.rtt.deviation	number	voip	The deviation of the round-trip time for signalization PDUs (protocol data units) in both directions
signalization.rtt.total	number	voip	The sum of both client and server average round-trip times
signalization.traffic	number	voip	The total amount of bytes in signalization PDUs (protocol data units) in both directions
smb.command	smbcommand	smb	The SMB command
smb.command.code	number	smb	The raw SMB command
smb.sha256	sha256	smb	The sha256 hash
smb.status	smbstatus	smb	The SMB status
smb.subcommand	smbsubcommand	smb	The SMB subcommand
smb.subcommand.code	number	smb	The raw SMB subcommand
smb.version	smb_version	smb	The SMB protocol version
software	string	http	The software in the Server header of the HTTP response
source.common_name	string	tls	The Common Name of the source certificate
source.compressed.pdus	number	citrix_channels	The number of compressed source PDUs (protocol data units)
source.compressed.pdus.ratio	number	citrix_channels	The ratio of compressions to the total number of PDUs (protocol data units) emitted by the source
source.data	number	tls	The total number of source data PDUs (protocol data units)
source.datasource.kind	pktsourcekind	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (source-side)
source.datasource.name	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source name on which this traffic has been captured (source-side)
source.datasource.pair	pktsourcepair	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The packet source type and name on which this traffic has been captured (source-side)
source.diffserv	diffserv	icmp other_ip tcp udp	The source differentiated service
source.dtt	number	citrix citrix_channels databases http smb tcp tls	The average data-transfer time for PDUs (protocol data units) emitted by the source
source.dtt.count	number	citrix citrix_channels databases http smb tcp tls	The number of data-transfer times for PDUs (protocol data units) emitted by the source
source.dtt.deviation	number	citrix citrix_channels databases http smb tcp tls	The deviation of the data-transfer time for PDUs (protocol data units) emitted by the source
source.dupacks	number	tcp	The number of duplicated ACK packets from the source
source.dupacks.ratio	number	tcp	The ratio of duplicated ACKs to the total number of packets emitted by the source
source.emtu	number	icmp non_ip other_ip tcp udp	The maximum payload in a single ethernet packet emmited by the source in these conversations (this value is assumed to be the MTU of the source's network interface, although the actual MTU value might be greater)
source.error.ip	ip	icmp	The IP address of the source, as it appears in the headers of the ICMP error message
source.error.port	port	icmp	The port of the source, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
source.error.zone.id	zone_id	icmp	The zone ID of the source, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
source.error.zone.name	zone	icmp	The zone of the source, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message
source.expiration	time	tls	The expiration date of the source certificate
source.file	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the Pcap File used as traffic source (source-side)
source.fins	number	tcp	The number of FIN packets emitted by the source
source.fins.ratio	number	tcp	The average number of source FIN packets in a connection
source.hostname	hostname	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The hostname of the source
source.interface	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured (source-side)
source.ip	ip	citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip	The IP address of the source
source.ja3	tls_fingerprint	tls	The JA3 source fingerprint
source.keepalives	number	citrix	The number of keep alives from the source
source.key.bits	number	tls	The number of bits in the source key
source.key.type	keytype	tls	The type of the source key
source.mac	mac	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The MAC address of the source
source.meta	number	tls	The total number of source metadata (handshake, change cipher spec & alerts PDU types)
source.os	os	tcp	The source operating system
source.payload	number	citrix citrix_channels tcp tls udp voip	The total amount of bytes of data (without headers) emitted by the source
source.payload.pdus	number	citrix citrix_channels tcp voip	The total number of PDUs (protocol data units) with payload emitted by the source
source.payload.ratio	number	citrix citrix_channels tcp tls udp voip	The ratio of payload bytes to the entire traffic emitted by the source
source.pdus	number	citrix citrix_channels dns icmp non_ip other_ip tcp udp voip	The total number of PDUs (protocol data units) at applicative level emitted by the source
source.port	port	citrix citrix_channels databases http smb tcp tls udp voip	The TCP/UDP port of the source
source.rd	number	tcp	The average retransmission delay for PDUs emitted by the source
source.rd.count	number	tcp	The number of retransmission delays for PDUs emitted by the source
source.rd.deviation	number	tcp	The deviation of the retransmission delay for PDUs emitted by the source
source.remote	pktsourcename	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The name of the network interface on which this traffic has been captured via rpcapd (source-side)
source.retrans.payload	number	tcp	The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the source
source.retrans.pdus.ratio	number	tcp	The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the source
source.retrans.traffic	number	tcp	The total amount of bytes in retransmitted PDUs emitted by the source
source.retrans.traffic.ratio	number	tcp	The ratio of retransmitted traffic to the entire traffic emitted by the source
source.rsts	number	tcp	The number of RST packets emitted by the source
source.rsts.ratio	number	tcp	The average number of source RST packets in a connection
source.rtt	number	tcp	The average round-trip time for PDUs (protocol data units) emitted by the destination
source.rtt.count	number	tcp	The number of round-trip times for PDUs (protocol data units) emitted by the destination
source.rtt.deviation	number	tcp	The deviation of the round-trip time for PDUs (protocol data units) emitted by the destination
source.signalization.payload	number	voip	The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the source
source.signalization.pdus	number	voip	The total number of signalization PDUs (protocol data units) emitted by the source
source.signalization.rd	number	voip	The average retransmission delay for signalization PDUs (protocol data units) emitted by the source
source.signalization.rd.count	number	voip	The number of retransmission delays for signalization PDUs (protocol data units) emitted by the source
source.signalization.rd.deviation	number	voip	The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the source
source.signalization.retrans.pdus.ratio	number	voip	The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the source
source.signalization.rtt	number	voip	The average round-trip time for signalization PDUs (protocol data units) emitted by the destination
source.signalization.rtt.count	number	voip	The number of round-trip times for signalization PDUs (protocol data units) emitted by the destination
source.signalization.rtt.deviation	number	voip	The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the destination
source.signalization.traffic	number	voip	The total amount of bytes in signalization PDUs (protocol data units) emitted by the source
source.signature	string	tls	The source signature
source.traffic	number	dns icmp non_ip other_ip tcp tls udp voip	The total amount of bytes emitted by the source
source.vlan	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the source side of the transaction (alias of source.vlans.inner)
source.vlans	array	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The VLAN ids on the source side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN
source.vlans.count	number	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The number of VLANs on the source side of the transaction
source.vlans.inner	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The inner VLAN id on the source side of the transaction
source.vlans.outer	vlan	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The outer VLAN id on the source side of the transaction
source.zero_windows	number	tcp	The number of zero-window size packets emitted by the source
source.zero_windows.ratio	number	tcp	The ratio of zero-window size to the total number of packets emitted by the source
source.zone.id	zone_id	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone id of the source
source.zone.name	zone	citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip	The zone of the source
successes	number	citrix databases dns smb voip	The number of successes
successes.ratio	number	citrix databases dns smb voip	The ratio of successes
syns	number	tcp	The number of SYN packets emitted by the client
syns.ratio	number	tcp	The average number of SYN packets in a connection
system	databasesystem	databases	The database system
tcp_pdus	number	http	The number of TCP packets that form up the HTTP queries and responses
time_exclusion.any	bool	citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip	Was there any time exclusion?
time_exclusion.business_hours	bool	citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip	Was there a business hours time exclusion?
time_exclusion.maintenance_windows	bool	citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip	Was there a maintenance windows time exclusion?
timeouts	number	citrix	The number of flows that timeouted
tls.version	tls_version	tls	The TLS protocol version
tls.version.is_weak	bool	tls	Is the TLS protocol version weak?
tls.version.major	number	tls	The TLS protocol major version
tls.version.minor	number	tls	The TLS protocol minor version
traffic	number	dns http icmp non_ip other_ip tcp tls udp voip	The total amount of bytes in both directions
tree	path	smb	The tree this CIFS command relates to
tree.id	descriptor	smb	The id of the tree this CIFS command relates to
unclosed	number	tcp	The number of TCP sessions that didn't properly end
url	url	http	The path, query and fragment parts of the URL
url.base	url	http	The URL without the query string and fragment
url.path	path	http	The URL path
user	string	citrix citrix_channels databases smb	The user
user.experience	number	tcp	The end-user experience (sum of RTTs, DTTs and SRT)
user_agent	useragent	http	The user-agent
uuid	uuid	citrix citrix_channels databases dns http smb tcp tls voip	The unique identifier of this TCP session
voice.count	number	voip	Number of packets where we had voice in the conversation
warnings	number	smb	The number of warnings (mainly client-side)
warnings.ratio	number	smb	The ratio of warnings to the total number of SMB queries
zero_windows	number	tcp	The total number of zero-window size packets in both directions
zero_windows.ratio	number	tcp	The ratio of zero-window size to the total number of packets in both directions

© 2024 Accedian Networks Inc. All rights reserved. Accedian^®, Accedian Networks^®, the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/.

Was this article helpful?

What's Next

Codec parameters for MOS calculation

Table of contents

Metrics
Synthetic measurements (active)
Metrics by session type
Capture-based metrics (passive)