Metrics
Depending on sensor type, different metrics and KPIs are reported. Directionality and granularity also depend on the test type and test configuration. This article outlines the reported metrics per test type for all sensors: Cisco Provider Connectivity Assurance Sensor Control (formerly Skylight sensor: control), Cisco Provider Connectivity Assurance Sensor Agents (formerly Skylight sensor: agents), and Cisco Provider Connectivity Assurance Sensor Capture (formerly Skylight sensor: capture).
Synthetic measurements (active)
Terminology
Measurement Sessions
A measurement session is a stream of packets sent from a sending endpoint to one or several receiving endpoints. Some streams are reflected back to the origin using reflectors; in this mode of operation the sender is referred to as the source and the reflector as the target. Other sessions consist of client / server response mechanisms, such as an HTTP GET (web page retrieval), where the initiator of the request is the source and the web service is the target. The measurement packets have a wide variety of encodings, including IPv4, IEEE802, TWAMP, etc. A test session can be either a continuous test, like 24/7 ping, or a single-run test such as a TCP throughput test.
Measurement session types and directions
• One-way (OW) is a unidirectional measurement stream where metrics are measured on a path from a source to a destination (direction SD). A one-way session may also be multicast, from one sender to a group of receivers.
• Two-way (TW) is a bi-directional measurement stream between a sender and a reflector where metrics are measured separately on both paths, i.e., the source to destination (SD) path, and the return path from a reflector and back called the destination to source (DS) path.
• Round Trip (RT) is a bi-directional measurement stream between a sender and a reflector (or a service like an HTTP server) where metrics are recorded for the full source-destination-source path. In a round-trip measurement, you cannot distinguish between the SD and DS directions.
Note that some session types may report a combination of round-trip and two-way metrics.
Metric Classification
There are several efforts in standardizing metrics, including IETF RFCs and ITU-T. IETF classifies metrics into 'singleton', 'sample', and 'statistical', where singletons are individual instances of a measurement (e.g. the one-way delay of one packet) and samples are a collection of singletons (such as a vector of one-way delay metrics). Statistical metrics are derived from the more primitive values, such as the average of the one-way delay metric over some time interval.
Most of the metrics in this article fall into the 'statistical' class. Note, though, that some 'higher level' statistical metrics are derived from other statistical metrics. For example, the quality metrics, including MOS and R-value, are computed by a composition of loss and latency together with static codec impairment parameters.
While most statistical metrics are computed immediately at the time of the sampling by the sender/receiver, many of the higher level metrics could be computed off-line, such as by a server or a presentation client.
Continuous session metrics report
For continuous session types, where the sender never stops transmitting its test packets or streams, the measurements are reported periodically. At every report interval the sender / receiver collects and calculates KPIs for the last interval into a metrics report, which is sent upstream towards Cisco Provider Connectivity Assurance (formerly Skylight performance analytics).
The metrics set depends on the session type but typically contains metrics such as max, min and percentiles based on the raw measured metrics.
The metrics reports are numbered (statRound) and timestamped (statTime) and mechanisms are in place to retransmit lost reports if connectivity towards Cisco Provider Connectivity Assurance is down temporarily.
Percentiles
A percentile is a statistical value that represents a distribution of result data. When calculating a percentile, the complete set of data collected during an interval is stored in a list that is sorted in ascending order. A specific percentile may then be retrieved from the sorted list by reading the corresponding element in the list. In this way percentile 0 (min) is equal to the first value (smallest) in the sorted list, percentile 100 is the last value (largest) in the list, and the median (percentile 50) is the value at the middle of the list.
For example, if there are 1000 measured delay values during a report interval, the 99th delay percentile represents the 10th highest delay value, i.e. the max value after the 1% largest values have been discarded. This is useful to filter out spikes and short-lived anomalies that may otherwise disturb any analytics done on the metrics set. Percentiles are abbreviated with a 'p': the 25th percentile is termed p25, etc.
Metric types for synthetic measurements
Time domain metrics
Time metrics are related to latency, that is, the passing of time between the sending of a packet and its reception or between sending a request towards a service and getting a response.
Counted metrics
Count metrics hold information about the number of packets received, and metrics derived from packet sequence numbering such as loss, reorders and duplicates.
Packet field metrics
These metrics are derived from fields in the received Ethernet or IP headers, such as DSCP or TTL values.
Quality metrics
A quality metric is a higher-level metric derived from one or many metrics to form a customer experience measure. Examples include MOS score and TCP efficiency.
Metrics by session type
TWAMP Stateful / Stateless (RFC5357)
Available with sensors:
- Sensor Control standalone
- Sensor Control with NFV (SFP compute or Module)
- Sensor Agent actuate
Session type: continuous test at configurable packet per second (PPS) rates
Metrics reporting intervals 1s – 900s
Scheduled execution supported: no - continuous mode only
Metrics list
metric | metric variant | unit | directions | description | remark |
---|---|---|---|---|---|
delay | percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max) | μs | SD, DS, RT* | Latency from source to destination or destination to source | * Roundtrip mode supported in Sensor Control only |
jitter | percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max) | μs | SD, DS, RT* | Inter-packet delay variation (IPDV) - difference in delay between consecutive packets | * Roundtrip mode supported in Sensor Control only |
delay variation | percentiles (25, 50, avg, 75, 90, 95, 98, 99, max) | μs | SD, DS, RT* | Delay variation over the metrics report interval - difference between delay percentile and minimum delay | * Roundtrip mode supported in Sensor Control only |
loss | packet loss total | packets | SD, DS, (RT*) | Number of lost packets during the report interval | * Roundtrip for TWAMP stateless |
loss | lost burst max / min | packets | SD, DS, (RT*) | Longest / shortest loss period length during the report interval | * Roundtrip for TWAMP stateless |
loss | lost % | % | SD, DS, (RT*) | Percentage packets lost | * Roundtrip for TWAMP stateless |
loss | lost periods | count | SD, DS, (RT*) | Number of loss occurrences during the report interval, if any | * Roundtrip for TWAMP stateless |
sequence | packets reordered, packets duplicated | count and % | SD, DS, (RT*) | Number and percentage of reordered or duplicated packets | * Roundtrip for TWAMP stateless |
out-of-bounds | packets too late | count | SD, DS, (RT*) | Number of packets belonging to a previous interval, where they were reported as lost. | * Roundtrip for TWAMP stateless |
dscp | Diffserv code point (TOS) min / max | value | DS | Lowest and highest dscp seen over the report interval | * RFC5357 does not support separation of DSCP per direction, only the received TOS in DS direction can be seen. |
ttl | time-to-live min / max | value | SD, DS, (RT*) | Lowest and highest TTL value seen over the report interval | * Roundtrip for TWAMP stateless |
vprio | vlan priority min / max | value | SD, DS, (RT*) | Lowest and highest VLAN priority seen over the report interval |
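The Python sketch below is an added example, not Cisco's code: it builds one report interval's delay, jitter, delay variation, loss and sequence KPIs from raw samples, following the Percentiles section and the metric descriptions in the table above. The function names, the percentile index rule (chosen to match the page's 1000-sample example), absolute-value jitter, and loss percentage relative to the sent sequence range are assumptions.

```python
from statistics import mean

# Percentile set taken from the delay / jitter rows of the TWAMP table.
PCTS = (25, 50, 75, 90, 95, 98, 99)


def percentile(sorted_vals, p):
    """Read percentile p from an ascending list.

    Assumed index rule: ceil(p * n / 100), clamped to the last element.
    This gives p0 = first value, p100 = last value, and for n = 1000
    p99 = the 10th highest value, as in the page's example.
    """
    n = len(sorted_vals)
    idx = min(n - 1, (p * n + 99) // 100)  # integer ceiling division
    return sorted_vals[idx]


def summarize(values):
    """min / avg / max plus the percentile set for one interval."""
    if not values:
        return {}
    s = sorted(values)
    out = {"min": s[0], "avg": mean(s), "max": s[-1]}
    out.update({f"p{p}": percentile(s, p) for p in PCTS})
    return out


def loss_runs(received_seqs, first_seq, last_seq):
    """Length of each run of consecutive missing sequence numbers."""
    seen = set(received_seqs)
    runs, run = [], 0
    for seq in range(first_seq, last_seq + 1):
        if seq in seen:
            if run:
                runs.append(run)
            run = 0
        else:
            run += 1
    if run:
        runs.append(run)
    return runs


def build_report(packets, first_seq, last_seq):
    """packets: (sequence_number, delay_us) tuples in arrival order."""
    delays = [d for _, d in packets]
    delay = summarize(delays)
    # Jitter (IPDV): delay difference between consecutive received packets.
    jitter = summarize([abs(b - a) for a, b in zip(delays, delays[1:])])
    # Delay variation: each delay statistic minus the interval's minimum delay.
    dv = {k: v - delay["min"] for k, v in delay.items() if k != "min"}
    runs = loss_runs([s for s, _ in packets], first_seq, last_seq)
    sent = last_seq - first_seq + 1
    seen, highest, reordered, duplicated = set(), None, 0, 0
    for seq, _ in packets:
        if seq in seen:
            duplicated += 1          # same sequence number seen again
        elif highest is not None and seq < highest:
            reordered += 1           # arrived after a later sequence number
        seen.add(seq)
        highest = seq if highest is None else max(highest, seq)
    return {
        "delay": delay, "jitter": jitter, "delay_variation": dv,
        "lost": sum(runs), "lost_pct": 100.0 * sum(runs) / sent,
        "lost_periods": len(runs),
        "lost_burst_max": max(runs, default=0),
        "lost_burst_min": min(runs, default=0),
        "reordered": reordered, "duplicated": duplicated,
    }


# Constructed sample interval: sequence numbers 1..12 were sent; 4, 5 and 9
# were lost, 7 arrived after 8 (reordered) and 11 arrived twice (duplicate).
SAMPLE = [(1, 510), (2, 495), (3, 530), (6, 900), (8, 505), (7, 620),
          (10, 500), (11, 515), (11, 540), (12, 498)]

if __name__ == "__main__":
    for name, value in build_report(SAMPLE, 1, 12).items():
        print(name, value)
```

With only ten samples the upper percentiles collapse onto the maximum, which is why short report intervals at low PPS rates give p95 to p99 values that do not filter spikes.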
UDP / ICMP Echo
Available with sensors:
- Sensor Control standalone
- Sensor Control with NFV (SFP compute or Module)
- Sensor Agent actuate
Session type: continuous test at configurable packet per second (PPS) rates
Metrics reporting intervals 1s – 900s
Scheduled execution supported: no - continuous mode only
Metrics list
metric | metric variant | unit | directions | description | remark |
---|---|---|---|---|---|
delay | percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max) | μs | RT | Latency from source to destination or destination to source | |
jitter | percentiles (min, 25, 50, avg, 75, 90, 95, 98, 99, max) | μs | RT | Inter-packet delay variation (IPDV) - difference in delay between consecutive packets | |
delay variation | percentiles (25, 50, avg, 75, 90, 95, 98, 99, max) | μs | RT | Delay variation over the metrics report interval - difference between delay percentile and minimum delay | |
loss | packet loss total | packets | RT | Number of lost packets during the report interval | |
loss | lost burst max / min | packets | RT | Longest / shortest loss period length during the report interval | |
loss | lost % | % | RT | Percentage packets lost | |
loss | lost periods | count | RT | Number of loss occurrences during the report interval, if any | |
sequencing | packets reordered, packets duplicated | count and % | RT | Number and percentage of reordered or duplicated packets | |
out-of-bounds | packets too late | count | RT | Number of packets belonging to a previous interval, where they were reported as lost. | |
dscp | Diffserv code point (TOS) min / max | value | RT | Lowest and highest dscp seen over the report interval | UDP echo only |
ttl | time-to-live min / max | value | RT | Lowest and highest TTL value seen over the report interval | |
vprio | vlan priority min / max | value | RT | Lowest and highest VLAN priority seen over the report interval |
TCP throughput (RFC6349)
Available with sensors:
- Sensor Agent throughput
Session type: one-shot test or continuous test
Session duration: 1s – 24hrs
Metrics reporting intervals 1s – 60s
Scheduled execution supported: yes
Metrics list
metric | metric variant | unit | directions | description | remark |
---|---|---|---|---|---|
throughput | tx rate | bits/s | SD, DS | TCP throughput bitrate | |
delay | buffer delay | ms | RT | Roundtrip delay during test | |
window | cwnd | kByte | SD, DS | TCP window size during test | |
retransmission | efficiency retx | kByte | SD, DS | retransmitted data during test | |
efficiency | TCP efficiency | % | SD, DS | TCP throughput data percentage versus retransmission data during test |
path trace
Available with sensors:
- Sensor Agent trace
Session type: one-shot test
Session duration: undefined
Metrics reporting intervals: report after finished trace
Scheduled execution supported: yes
Metrics list
metric | metric variant | unit | directions | description | remark |
---|---|---|---|---|---|
finalHopAvgRttMs | | ms | RT | Average round-trip-time to last hop (destination hop) | |
finalHopMaxRttMs | | ms | RT | Maximum round-trip-time to last hop (destination hop) | |
finalHopMinRttMs | | ms | RT | Minimum round-trip-time to last hop (destination hop) | |
finalHopTimeoutCount | | count | RT | Number of timeouts while trying to reach last hop | |
hopAvgRttMs | reported individually per hop | ms | RT | Average round-trip time to this hop | |
hopMaxRttMs | reported individually per hop | ms | RT | Maximum round-trip time to this hop | |
hopMinRttMs | reported individually per hop | ms | RT | Minimum round-trip time to this hop | |
hopTimeoutCount | reported individually per hop | count | RT | Number of timeouts while trying to reach this hop | |
pathAvgRttMs | | ms | RT | Sum of all average hop RTT values on the path | |
pathHopCount | | count | RT | Number of hops from source to destination | |
pathMaxRttMs | | ms | RT | Sum of all maximum hop RTT values on the path | |
pathMinRttMs | | ms | RT | Sum of all minimum hop RTT values on the path | |
pathProbeCount | | count | RT | Number of test packets (probes) sent | |
pathTimeoutCount | | count | RT | Sum of all timeouts during test | |
pathTimeoutPercent | | % | RT | Timeouts as a percentage of all probes sent | |
transfer
Available with sensors:
- Sensor Agent transfer
Session type: one-shot test or continuous test
Session duration: undefined
Metrics reporting intervals: report after finished transfer test
Scheduled execution supported: yes, for one-shot mode
Metrics list
metric | metric variant | unit | directions | description | remark |
---|---|---|---|---|---|
httpCode | | value | RT | Return code from HTTP service | |
testSpeedBitsPerSec | | bits/s | DS | Download speed server to agent | |
testStatusCode | | value | RT | See Agent: transfer - Status codes for details | |
testTimeNameLookupMs | | ms | RT | Time spent looking up the IP address | Can be used as a performance metric for the DNS service |
testTimeConnectMs | | ms | RT | Time to finish SYN, SYN-ACK TCP connection, including previous DNS lookup phase | |
testTimeAppConnectMs | | ms | RT | Time to complete SSL handshake, including previous DNS and TCP connect phases | |
testTimePreTransferMs | | ms | RT | Time when request for asset sent (HTTP/FTP get for page or file) | |
testTimeStartTransferMs | | ms | RT | Time when first packet of asset started arriving, or error response received if asset nonexistent | |
testTimeTotalMs | | ms | RT | Total time from start of test until asset fully downloaded (or error condition hit) | |
testTimeRedirectMs | | ms | RT | In case of an HTTP redirect, this metric will report the total time for the new DNS lookup plus the time to perform a new TCP and SSL handshake | |
The agent transfer documentation contains an explanatory picture of the metric flow during a transfer test operation; see Agent: transfer - Configuration.
Capture-based metrics (passive)
Terminology
Metric or Field
This is the reported statistic, which could be a specific protocol field like "response.status" for the HTTP return code, a metadata type identifier such as "client.zone.name", which ties the reported metric to a group of clients in a zone, or a more generic QoE metric like "server.rt", denoting the service / server response time in milliseconds.
Layers
This column indicates in which protocol layer each metric is available. Some metrics are specific for only one protocol, and others are common across many or all supported protocol parsers.
Metrics in alphabetical order
Metric / Field Name | Type | Layers | Description |
---|---|---|---|
aborts | number | citrix | The number of aborted Citrix sessions |
aborts.ratio | number | citrix | The ratio of aborts to the total number of launch attempts |
ajax.requests | number | http | The number of javascript requests |
alert.access_denied | bool | tls | A valid certificate was received, but when access control was applied, the sender decided not to proceed with negotiation. Code 49. |
alert.bad_certificate | bool | tls | A certificate was corrupt, contained signatures that did not verify correctly, etc. Code 42. |
alert.bad_record_mac | bool | tls | This alert is returned if a record is received with an incorrect MAC. Code 20. |
alert.certificate_expired | bool | tls | A certificate has expired or is not currently valid. Code 45. |
alert.certificate_revoked | bool | tls | A certificate was revoked by its signer. Code 44. |
alert.certificate_unknown | bool | tls | Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable. Code 46. |
alert.close_notify | bool | tls | This message notifies the recipient that the sender will not send any more messages on this connection. Code 0. |
alert.decode_error | bool | tls | A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. Code 50. |
alert.decompression_failure | bool | tls | The decompression function received improper input (e.g., data that would expand to excessive length). Code 30. |
alert.decrypt_error | bool | tls | A handshake cryptographic operation failed, including being unable to correctly verify a signature or validate a Finished message. Code 51. |
alert.decryption_failed | bool | tls | This alert was used in some earlier versions of TLS, and may have permitted certain attacks against the CBC mode. Code 21. |
alert.export_restriction | bool | tls | This alert was used in some earlier versions of TLS. Code 60. |
alert.handshake_failure | bool | tls | Reception of a handshake failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. Code 40. |
alert.illegal_parameter | bool | tls | A field in the handshake was out of range or inconsistent with other fields. Code 47. |
alert.insufficient_security | bool | tls | Returned instead of a handshake failure when a negotiation has failed specifically because the server requires ciphers more secure than those supported by the client. Code 71. |
alert.internal_error | bool | tls | An internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue. Code 80. |
alert.no_certificate | bool | tls | This alert was used in SSLv3 but not any version of TLS. Code 41. |
alert.no_renegotiation | bool | tls | Sent by the client in response to a hello request or by the server in response to a client hello after initial handshaking. Code 100. |
alert.protocol_version | bool | tls | The protocol version the client has attempted to negotiate is recognized but not supported. Code 70. |
alert.record_overflow | bool | tls | A TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes. Code 22. |
alert.unexpected_message | bool | tls | An inappropriate message was received. Code 10. |
alert.unknown_ca | bool | tls | A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. Code 48. |
alert.unsupported_certificate | bool | tls | A certificate was of an unsupported type. Code 43. |
alert.unsupported_extension | bool | tls | Sent by clients that receive an extended server hello containing an extension that they did not put in the corresponding client hello. Code 110. |
alert.user_canceled | bool | tls | This handshake is being canceled for some reason unrelated to a protocol failure. Code 90. |
alert_types | alerttypes | tls | Flags of alerts present in the TLS conversation |
application.id | application_id | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The application ID |
application.name | application | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The application |
attempts | number | citrix | The total number of launch attempts |
begin | time | citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip | The timestamp of the first captured packet |
begins | number | voip | The number of VoIP flows that started |
call | string | voip | The VoIP call id |
call.direction | calldirection | voip | The direction (inbound, outbound, unknown) of the VoIP calls |
call.duration | number | voip | The total duration of the VoIP calls |
call.global.jitter | number | voip | The average measured jitter for call PDUs (protocol data units) in both directions |
call.global.rtt | number | voip | The average round-trip time for call PDUs (protocol data units) in both directions |
call.jitter.count | number | voip | The total number of measured jitters for call PDUs (protocol data units) in both directions |
call.jitter.deviation | number | voip | The deviation of the measured jitter for call PDUs (protocol data units) in both directions |
call.jitter.total | number | voip | The sum of both caller and callee average round-trip times |
call.rtt.count | number | voip | The total number of round-trip times for call PDUs (protocol data units) in both directions |
call.rtt.deviation | number | voip | The deviation of the round-trip time for call PDUs (protocol data units) in both directions |
call.rtt.total | number | voip | The sum of both caller and callee average round-trip times |
call.state | callstate | voip | The latest call state in this conversation |
callee | string | voip | The VoIP callee id |
callee.codec | string | voip | The voice codec of the callee |
callee.ip | ip | voip | The IP address of the callee |
callee.jitter | number | voip | The average measured jitter for a PDU (protocol data unit) emitted by the callee |
callee.jitter.count | number | voip | The number of measured jitters for PDUs (protocol data units) emitted by the callee |
callee.jitter.deviation | number | voip | The deviation of the measured jitters for PDUs (protocol data units) emitted by the callee |
callee.label | string | voip | The display name of the callee |
callee.lost.pdus | number | voip | The number of lost callee PDUs (protocol data units) |
callee.lost.pdus.ratio | number | voip | The ratio of lost to the total number of PDUs (protocol data units) emitted by the callee |
callee.mac | mac | voip | The MAC address of the Callee |
callee.rtt | number | voip | The average round-trip time for PDUs (protocol data units) emitted by the caller |
callee.rtt.count | number | voip | The number of round-trip times for PDUs (protocol data units) emitted by the caller |
callee.rtt.deviation | number | voip | The deviation of the round-trip time for PDUs (protocol data units) emitted by the caller |
callee.zone.id | zone_id | voip | The zone ID of the callee |
callee.zone.name | zone | voip | The zone of the callee |
caller | string | voip | The VoIP caller id |
caller.codec | string | voip | The voice codec of the caller |
caller.ip | ip | voip | The IP address of the caller |
caller.jitter | number | voip | The average measured jitter for a PDU (protocol data unit) emitted by the caller |
caller.jitter.count | number | voip | The number of measured jitters for PDUs (protocol data units) emitted by the caller |
caller.jitter.deviation | number | voip | The deviation of the measured jitters for PDUs (protocol data units) emitted by the caller |
caller.label | string | voip | The display name of the caller |
caller.lost.pdus | number | voip | The number of lost caller PDUs (protocol data units) |
caller.lost.pdus.ratio | number | voip | The ratio of lost to the total number of PDUs (protocol data units) emitted by the caller |
caller.mac | mac | voip | The MAC address of the Caller |
caller.rtt | number | voip | The average round-trip time for PDUs (protocol data units) emitted by the callee |
caller.rtt.count | number | voip | The number of round-trip times for PDUs (protocol data units) emitted by the callee |
caller.rtt.deviation | number | voip | The deviation of the round-trip time for PDUs (protocol data units) emitted by the callee |
caller.zone.id | zone_id | voip | The zone ID of the caller |
caller.zone.name | zone | voip | The zone of the caller |
capture.hostname | poller | citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip | The probe device hostname that captured this traffic |
capture.id | poller_id | citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip | The probe device ID that captured this traffic |
cgp.client.pdus | number | citrix | The total number of CGP PDUs (protocol data units) at applicative level emitted by the client |
cgp.dest.pdus | number | citrix | The total number of CGP PDUs (protocol data units) at applicative level emitted by the destination |
cgp.pdus | number | citrix | The total number of CGP PDUs (protocol data units) at applicative level in both directions |
cgp.server.pdus | number | citrix | The total number of CGP PDUs (protocol data units) at applicative level emitted by the server |
cgp.source.pdus | number | citrix | The total number of CGP PDUs (protocol data units) at applicative level emitted by the source |
channel | channel | citrix_channels | The Citrix channel |
chunked.transfers | number | http | The number of times the HTTP 'chunked' transfer encoding has been used |
cipher | ciphersuite | tls | The set of cryptographic algorithms used to secure this conversation |
cipher.is_weak | bool | tls | Is the TLS cipher weak? |
citrix.application | string | citrix citrix_channels | The published Citrix application being executed |
client.common_name | string | tls | The Common Name of the client certificate |
client.compressed.pdus | number | citrix_channels | The number of compressed client PDUs (protocol data units) |
client.compressed.pdus.ratio | number | citrix_channels | The ratio of compressions to the total number of PDUs (protocol data units) emitted by the client |
client.data | number | tls | The total number of client data PDUs (protocol data units) |
client.datasource.kind | pktsourcekind | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (client-side) |
client.datasource.name | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source name on which this traffic has been captured (client-side) |
client.datasource.pair | pktsourcepair | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type and name on which this traffic has been captured (client-side) |
client.diffserv | diffserv | icmp other_ip tcp udp | The client differentiated service |
client.dtt | number | citrix citrix_channels databases http smb tcp tls | The average data-transfer time for PDUs (protocol data units) emitted by the client |
client.dtt.count | number | citrix citrix_channels databases http smb tcp tls | The number of data-transfer times for PDUs (protocol data units) emitted by the client |
client.dtt.deviation | number | citrix citrix_channels databases http smb tcp tls | The deviation of the data-transfer time for PDUs (protocol data units) emitted by the client |
client.dupacks | number | tcp | The number of duplicated ACK packets from the client |
client.dupacks.ratio | number | tcp | The ratio of duplicated ACKs to the total number of packets emitted by the client |
client.emtu | number | icmp non_ip other_ip tcp udp | The maximum payload in a single Ethernet packet emitted by the client in these conversations (this value is assumed to be the MTU of the client's network interface, although the actual MTU value might be greater) |
client.error.ip | ip | icmp | The IP address of the client, as it appears in the headers of the ICMP error message |
client.error.port | port | icmp | The port of the client, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
client.error.zone.id | zone_id | icmp | The zone ID of the client, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
client.error.zone.name | zone | icmp | The zone of the client, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
client.expiration | time | tls | The expiration date of the client certificate |
client.file | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the Pcap File used as traffic source (client-side) |
client.fins | number | tcp | The number of FIN packets emitted by the client |
client.fins.ratio | number | tcp | The average number of client FIN packets in a connection |
client.hostname | hostname | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The hostname of the client |
client.interface | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured (client-side) |
client.ip | ip | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The IP address of the client |
client.ja3 | tls_fingerprint | tls | The JA3 client fingerprint |
client.keepalives | number | citrix | The number of keep alives from the client |
client.key.bits | number | tls | The number of bits in the client key |
client.key.type | keytype | tls | The type of the client key |
client.mac | mac | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The MAC address of the client |
client.meta | number | tls | The total number of client metadata (handshake, change cipher spec & alerts PDU types) |
client.os | os | tcp | The client operating system |
client.payload | number | citrix citrix_channels tcp tls udp voip | The total amount of bytes of data (without headers) emitted by the client |
client.payload.pdus | number | citrix citrix_channels tcp voip | The total number of PDUs (protocol data units) with payload emitted by the client |
client.payload.ratio | number | citrix citrix_channels tcp tls udp voip | The ratio of payload bytes to the entire traffic emitted by the client |
client.pdus | number | citrix citrix_channels dns icmp non_ip other_ip tcp udp voip | The total number of PDUs (protocol data units) at applicative level emitted by the client |
client.port | port | citrix citrix_channels databases http smb tcp tls udp voip | The TCP/UDP port of the client |
client.rd | number | tcp | The average retransmission delay for PDUs emitted by the client |
client.rd.count | number | tcp | The number of retransmission delays for PDUs emitted by the client |
client.rd.deviation | number | tcp | The deviation of the retransmission delay for PDUs emitted by the client |
client.remote | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured via rpcapd (client-side) |
client.retrans.payload | number | tcp | The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the client |
client.retrans.pdus.ratio | number | tcp | The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the client |
client.retrans.traffic | number | tcp | The total amount of bytes in retransmitted PDUs emitted by the client |
client.retrans.traffic.ratio | number | tcp | The ratio of retransmitted traffic to the entire traffic emitted by the client |
client.rsts | number | tcp | The number of RST packets emitted by the client |
client.rsts.ratio | number | tcp | The average number of client RST packets in a connection |
client.rtt | number | tcp | The average round-trip time for PDUs (protocol data units) emitted by the server |
client.rtt.count | number | tcp | The number of round-trip times for PDUs (protocol data units) emitted by the server |
client.rtt.deviation | number | tcp | The deviation of the round-trip time for PDUs (protocol data units) emitted by the server |
client.signalization.payload | number | voip | The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the client |
client.signalization.pdus | number | voip | The total number of signalization PDUs (protocol data units) emitted by the client |
client.signalization.rd | number | voip | The average retransmission delay for signalization PDUs (protocol data units) emitted by the client |
client.signalization.rd.count | number | voip | The number of retransmission delays for signalization PDUs (protocol data units) emitted by the client |
client.signalization.rd.deviation | number | voip | The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the client |
client.signalization.retrans.pdus.ratio | number | voip | The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the client |
client.signalization.rtt | number | voip | The average round-trip time for signalization PDUs (protocol data units) emitted by the server |
client.signalization.rtt.count | number | voip | The number of round-trip times for signalization PDUs (protocol data units) emitted by the server |
client.signalization.rtt.deviation | number | voip | The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the server |
client.signalization.traffic | number | voip | The total amount of bytes in signalization PDUs (protocol data units) emitted by the client |
client.signature | string | tls | The client signature |
client.traffic | number | dns icmp non_ip other_ip tcp tls udp voip | The total amount of bytes emitted by the client |
client.vlan | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the client side of the transaction (alias of client.vlans.inner) |
client.vlans | array | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The VLAN ids on the client side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN |
client.vlans.count | number | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The number of VLANs on the client side of the transaction |
client.vlans.inner | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the client side of the transaction |
client.vlans.outer | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The outer VLAN id on the client side of the transaction |
client.zero_windows | number | tcp | The number of zero-window size packets emitted by the client |
client.zero_windows.ratio | number | tcp | The ratio of zero-window size packets to the total number of packets emitted by the client |
client.zone.id | zone_id | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone id of the client |
client.zone.name | zone | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone of the client |
closes | number | tcp | The number of TCP sessions that ended properly (by acked FIN or RST) |
command | databasecommand | databases | The database command type |
compressed.pdus | number | citrix_channels | The total number of compressed PDUs (protocol data units) in both directions |
compressed.pdus.ratio | number | citrix_channels | The ratio of compressions to the total number of PDUs (protocol data units) in both directions |
compressed.responses | number | http | The number of compressed HTTP responses |
ct | number | tcp tls | The average connection time |
ct.count | number | tcp tls | The number of successful handshakes |
ct.deviation | number | tcp tls | The deviation of the connection time |
data.payload | number | smb | The total amount of bytes of data in both directions |
database | string | databases | The name of the database |
dcerpc | dcerpc | tcp udp | The identifier of the DCE/RPC service |
decrypted | number | tls | The number of decrypted conversations |
dest.common_name | string | tls | The Common Name of the destination certificate |
dest.compressed.pdus | number | citrix_channels | The number of compressed destination PDUs (protocol data units) |
dest.compressed.pdus.ratio | number | citrix_channels | The ratio of compressions to the total number of PDUs (protocol data units) emitted by the destination |
dest.data | number | tls | The total number of destination data PDUs (protocol data units) |
dest.datasource.kind | pktsourcekind | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (destination-side) |
dest.datasource.name | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source name on which this traffic has been captured (destination-side) |
dest.datasource.pair | pktsourcepair | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type and name on which this traffic has been captured (destination-side) |
dest.diffserv | diffserv | icmp other_ip tcp udp | The destination differentiated service |
dest.dtt | number | citrix citrix_channels databases http smb tcp tls | The average data-transfer time for PDUs (protocol data units) emitted by the destination |
dest.dtt.count | number | citrix citrix_channels databases http smb tcp tls | The number of data-transfer times for PDUs (protocol data units) emitted by the destination |
dest.dtt.deviation | number | citrix citrix_channels databases http smb tcp tls | The deviation of the data-transfer time for PDUs (protocol data units) emitted by the destination |
dest.dupacks | number | tcp | The number of duplicated ACK packets from the destination |
dest.dupacks.ratio | number | tcp | The ratio of duplicated ACKs to the total number of packets emitted by the destination |
dest.emtu | number | icmp non_ip other_ip tcp udp | The maximum payload in a single Ethernet packet emitted by the destination in these conversations (this value is assumed to be the MTU of the destination's network interface, although the actual MTU value might be greater) |
dest.error.ip | ip | icmp | The IP address of the destination, as it appears in the headers of the ICMP error message |
dest.error.port | port | icmp | The port of the destination, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
dest.error.zone.id | zone_id | icmp | The zone ID of the destination, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
dest.error.zone.name | zone | icmp | The zone of the destination, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
dest.expiration | time | tls | The expiration date of the destination certificate |
dest.file | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the pcap file used as traffic source (destination-side) |
dest.fins | number | tcp | The number of FIN packets emitted by the destination |
dest.fins.ratio | number | tcp | The average number of destination FIN packets in a connection |
dest.hostname | hostname | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The hostname of the destination |
dest.interface | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured (destination-side) |
dest.ip | ip | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The IP address of the destination |
dest.ja3 | tls_fingerprint | tls | The JA3 destination fingerprint |
dest.keepalives | number | citrix | The number of keep alives from the destination |
dest.key.bits | number | tls | The number of bits in the destination key |
dest.key.type | keytype | tls | The type of the destination key |
dest.mac | mac | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The MAC address of the destination |
dest.meta | number | tls | The total number of destination metadata (handshake, change cipher spec & alerts PDU types) |
dest.os | os | tcp | The destination operating system |
dest.payload | number | citrix citrix_channels tcp tls udp voip | The total amount of bytes of data (without headers) emitted by the destination |
dest.payload.pdus | number | citrix citrix_channels tcp voip | The total number of PDUs (protocol data units) with payload emitted by the destination |
dest.payload.ratio | number | citrix citrix_channels tcp tls udp voip | The ratio of payload bytes to the entire traffic emitted by the destination |
dest.pdus | number | citrix citrix_channels dns icmp non_ip other_ip tcp udp voip | The total number of PDUs (protocol data units) at applicative level emitted by the destination |
dest.port | port | citrix citrix_channels databases http smb tcp tls udp voip | The TCP/UDP port of the destination |
dest.rd | number | tcp | The average retransmission delay for PDUs emitted by the destination |
dest.rd.count | number | tcp | The number of retransmission delays for PDUs emitted by the destination |
dest.rd.deviation | number | tcp | The deviation of the retransmission delay for PDUs emitted by the destination |
dest.remote | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured via rpcapd (destination-side) |
dest.retrans.payload | number | tcp | The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the destination |
dest.retrans.pdus.ratio | number | tcp | The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the destination |
dest.retrans.traffic | number | tcp | The total amount of bytes in retransmitted PDUs emitted by the destination |
dest.retrans.traffic.ratio | number | tcp | The ratio of retransmitted traffic to the entire traffic emitted by the destination |
dest.rsts | number | tcp | The number of RST packets emitted by the destination |
dest.rsts.ratio | number | tcp | The average number of destination RST packets in a connection |
dest.rtt | number | tcp | The average round-trip time for PDUs (protocol data units) emitted by the source |
dest.rtt.count | number | tcp | The number of round-trip times for PDUs (protocol data units) emitted by the source |
dest.rtt.deviation | number | tcp | The deviation of the round-trip time for PDUs (protocol data units) emitted by the source |
dest.signalization.payload | number | voip | The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the destination |
dest.signalization.pdus | number | voip | The total number of signalization PDUs (protocol data units) emitted by the destination |
dest.signalization.rd | number | voip | The average retransmission delay for signalization PDUs (protocol data units) emitted by the destination |
dest.signalization.rd.count | number | voip | The number of retransmission delays for signalization PDUs (protocol data units) emitted by the destination |
dest.signalization.rd.deviation | number | voip | The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the destination |
dest.signalization.retrans.pdus.ratio | number | voip | The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the destination |
dest.signalization.rtt | number | voip | The average round-trip time for signalization PDUs (protocol data units) emitted by the source |
dest.signalization.rtt.count | number | voip | The number of round-trip times for signalization PDUs (protocol data units) emitted by the source |
dest.signalization.rtt.deviation | number | voip | The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the source |
dest.signalization.traffic | number | voip | The total amount of bytes in signalization PDUs (protocol data units) emitted by the destination |
dest.signature | string | tls | The destination signature |
dest.traffic | number | dns icmp non_ip other_ip tcp tls udp voip | The total amount of bytes emitted by the destination |
dest.vlan | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the destination side of the transaction (alias of destination.vlans.inner) |
dest.vlans | array | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The VLAN ids on the destination side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN |
dest.vlans.count | number | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The number of VLANs on the destination side of the transaction |
dest.vlans.inner | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the destination side of the transaction |
dest.vlans.outer | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The outer VLAN id on the destination side of the transaction |
dest.zero_windows | number | tcp | The number of zero-window size packets emitted by the destination |
dest.zero_windows.ratio | number | tcp | The ratio of zero-window size packets to the total number of packets emitted by the destination |
dest.zone.id | zone_id | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone id of the destination |
dest.zone.name | zone | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone of the destination |
dns.rt | number | dns | The average DNS response time |
dns.rt.deviation | number | dns | The deviation of the DNS response time |
domain | string | citrix citrix_channels smb | The Windows Domain of the user |
domain.primary | string | http tls | The primary domain name (www.example.org -> example.org) |
domain.short | string | http tls | The primary domain name, without TLD |
domain.toplevel | string | http tls | The top-level domain name (TLD) |
dtt.count | number | citrix citrix_channels databases http smb tcp tls | The total number of data-transfer times in both directions |
dtt.deviation | number | citrix citrix_channels databases http smb tcp tls | The deviation of the data-transfer time in both directions |
dtt.total | number | citrix citrix_channels databases http smb tcp tls | The sum of both client and server average data-transfer times |
dupacks | number | tcp | The total number of duplicated ACK packets in both directions |
dupacks.ratio | number | tcp | The ratio of duplicated ACKs to the total number of packets in both directions |
encryption | encryption | citrix | The Citrix encryption type |
end | time | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The timestamp of the last captured packet |
ends | number | voip | The number of VoIP flows that ended |
error.alerts | number | tls | The total number of error alerts (everything but close notifications) |
error.code | string | databases | The error code, specific to some databases (MySQL, TDS and TNS) |
error.hits | number | http | The number of hits with a response code of at least 400 |
error.message | string | databases | The database error message |
error.protocol | ipprotocol | icmp | The IP protocol of the PDU (protocol data unit) transported by the ICMP error message |
error.status | string | databases | The database error status |
errors | number | databases dns smb voip | The number of errors |
errors.ratio | number | databases dns smb voip | The ratio of errors to the total number of queries |
file | path | smb | The file path |
file.count | number | flows | The number of processed files |
file.id | descriptor | smb | The CIFS file descriptor id |
fins | number | tcp | The total number of FIN packets in both directions |
fins.ratio | number | tcp | The average number of FIN packets in a connection |
global.dtt | number | citrix citrix_channels databases http smb tcp tls | The average data-transfer time in both directions |
global.emtu | number | icmp non_ip other_ip tcp udp | The maximum payload in a single Ethernet packet in both directions |
global.rd | number | tcp | The average retransmission delay in both directions |
global.rtt | number | tcp | The average round-trip time in both directions |
global.signalization.rd | number | voip | The average retransmission delay for signalization PDUs (protocol data units) in both directions |
global.signalization.rtt | number | voip | The average round-trip time for signalization PDUs (protocol data units) in both directions |
has_contributed | bool | http | Did this hit contribute to the metrics of the page it is attached to? |
has_timeouted | bool | databases http smb | Did this transaction time out? |
has_voice | bool | voip | Was there any voice in the conversation? |
headers | number | http | The total amount of bytes of headers in both query and response PDUs (protocol data units) |
hit | uuid | http | This hit's unique identifier |
hit.parent | uuid | http | This hit's parent's unique identifier |
hit.referrer | uuid | http | This hit's referrer's unique identifier |
hit.rt | number | http | The average hit response time |
hit.rt.count | number | http | The number of HTTP hit response times |
hit.rt.deviation | number | http | The deviation of the hit response time |
hits | number | http | The number of HTTP hits |
host | string | http | The URL Host |
icmp.code | number | icmp | The ICMP message code |
icmp.message | icmpmessage | icmp | The ICMP message |
icmp.type | icmptype | icmp | The ICMP message type |
ip.family | ipfamily | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The IP address family |
ip.protocol | ipprotocol | other_ip voip | The IP protocol |
is_ajax | bool | http | Is this hit requested through JavaScript? |
is_chunked | bool | http | Does this hit use HTTP 'chunked' transfer encoding? |
is_compressed | bool | http | Is this hit compressed? |
is_deepinspect | bool | http | Was page reconstruction activated for this hit? |
is_main | bool | http | Is this hit the main resource of the page? |
is_root | bool | http | Is this a root hit? |
keepalives | number | citrix | The total number of keep alives in both directions |
launch.time | number | citrix | The average launch time for Citrix applications |
launch.time.deviation | number | citrix | The deviation of the launch time |
layer | layer | citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip | The layer |
login.time | number | citrix | The average login time |
login.time.count | number | citrix | The number of logins |
login.time.deviation | number | citrix | The deviation of the login time |
lost.pdus | number | voip | The total number of lost PDUs (protocol data units) in both directions |
lost.pdus.ratio | number | voip | The ratio of lost PDUs to the total number of PDUs (protocol data units) in both directions |
metadata.payload | number | smb | The total amount of bytes of metadata in both directions |
metadata.read | number | smb | The total amount of bytes of metadata read by SMB commands (directory listing commands, for example) |
metadata.written | number | smb | The total amount of bytes of metadata written by SMB commands |
method | httpquerymethod | http | The HTTP request method |
module | string | citrix | The name of the Citrix module used by the client |
mos | number | voip | The VoIP mean opinion score |
netflow.hostname | hostname | icmp tcp udp | The hostname of the emitter |
netflow.ip | ip | icmp tcp udp | The IP address of the emitter |
nonip.protocol | ethernetprotocol | non_ip | The OSI layer 2 protocol |
origin.ip | ip | http | The original client's IP, as it appears in the HTTP header |
page.begin | time | http | The timestamp of the first packet in this page |
page.end | time | http | The timestamp of the last packet in this page |
page.errors | number | http | The number of errors in all the hits that contributed to these pages, errors consisting of HTTP response codes of at least 400 |
page.hits | number | http | The number of hits that contributed to these pages |
page.load.time | number | http | The average page load time |
page.load.time.deviation | number | http | The deviation of the page load time |
page.request.traffic | number | http | The total amount of bytes of request traffic (headers + payload) in all the hits that contributed to these pages |
page.response.traffic | number | http | The total amount of bytes of response traffic (headers + payload) in all the hits that contributed to these pages |
page.timeouts | number | http | The number of timeouts in all the hits that contributed to these pages |
page.traffic | number | http | The total amount of bytes of query and response traffic (headers + payload) in all the hits that contributed to these pages |
pages | number | http | The number of HTTP pages |
payload | number | citrix citrix_channels databases http smb tcp udp voip | The total amount of bytes of data (without headers) in both directions |
payload.pdus | number | citrix citrix_channels tcp voip | The total number of PDUs (protocol data units) with payload in both directions |
payload.ratio | number | citrix citrix_channels tcp tls udp voip | The ratio of payload bytes to the entire traffic in both directions |
pcap | string | dns tcp voip | The link to the associated captured PCAP file (generated according to the configuration of zones and applications) |
pdus | number | citrix citrix_channels databases dns icmp non_ip other_ip smb tcp udp voip | The total number of PDUs (protocol data units) at applicative level in both directions |
points | number | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The number of points |
protostack | protostack | citrix citrix_channels databases icmp non_ip other_ip smb tcp tls udp voip | The protocol stack |
queries | number | databases dns smb | The number of queries |
query | databasequery | databases | The database query |
query.begin | time | databases smb | The timestamp of the first query packet |
query.class | dnsclass | dns | The class of the DNS query |
query.end | time | databases smb | The timestamp of the last query packet |
query.name | string | dns | The name of the DNS query |
query.payload | number | databases smb | The total amount of bytes of payload in query PDUs (protocol data units) emitted by the client |
query.pdus | number | databases smb | The total number of query PDUs (protocol data units) at applicative level |
query.tcp_pdus | number | http | The number of TCP packets that make up these HTTP queries |
query.type | dnstype | dns | The type of the DNS query |
query.write | number | smb | The total amount of bytes of data to be written |
query_256 | databasequery | databases | First 256 characters of the query |
rd.count | number | tcp | The total number of retransmission delays in both directions |
rd.deviation | number | tcp | The deviation of the retransmission delay in both directions |
rd.total | number | tcp | The sum of both client and server average data-transfer times |
request.begin | time | http | The timestamp of the first request packet |
request.content_length | number | http | The average Content-Length in the headers of these HTTP requests |
request.content_length.count | number | http | The number of HTTP requests with a Content-Length header |
request.content_pack | path | http | The path to the pack file that contains the HTTP request content |
request.content_type | mimetype | http | The mime-type in the Content-Type header of the HTTP request |
request.end | time | http | The timestamp of the last request packet |
request.headers | number | http | The total amount of bytes of headers in request PDUs (protocol data units) emitted by the client |
request.payload | number | http | The total amount of bytes of payload in request PDUs (protocol data units) emitted by the client |
request.payload.sha256 | sha256 | http | The SHA-256 hash calculated over the bytes of payload in request PDUs (protocol data units) emitted by the client |
request.traffic | number | http | The total amount of bytes (headers + payload) in request PDUs (protocol data units) emitted by the client |
response.begin | time | databases http smb | The timestamp of the first response packet |
response.category | string | http | The HTTP response mime-type's category |
response.class | dnsclass | dns | The class of the DNS response |
response.code | dnscode | dns | The DNS response code |
response.content_length | number | http | The average Content-Length in the headers of these HTTP responses |
response.content_length.count | number | http | The number of HTTP responses with a Content-Length header |
response.content_pack | path | http | The path to the pack file that contains the HTTP response content |
response.content_type | mimetype | http | The mime-type in the Content-Type header of the HTTP response |
response.end | time | databases http smb | The timestamp of the first response packet |
response.headers | number | http | The total amount of bytes of headers in response PDUs (protocol data units) emitted by the server |
response.payload | number | databases http smb | The total amount of bytes of payload in response PDUs (protocol data units) emitted by the server |
response.payload.sha256 | sha256 | http | The SHA-256 hash calculated over the bytes of payload in response PDUs (protocol data units) emitted by the server |
response.pdus | number | databases smb | The total number of PDUs (protocol data units) at applicative level emitted by the server |
response.read | number | smb | The total amount of bytes of data read by SMB commands |
response.status | httpstatus | http | The HTTP response code |
response.status.category | httpstatuscategory | http | The category of the response status code |
response.tcp_pdus | number | http | The number of TCP packets that make up these HTTP responses |
response.traffic | number | http | The total amount of bytes (headers + payload) in response PDUs (protocol data units) emitted by the client |
response.type | dnstype | dns | The type of the DNS response |
response.written | number | smb | The total amount of bytes of data effectively written by SMB commands |
resumed | number | tls | The number of resumed sessions |
retrans.payload | number | tcp | The total amount of bytes of data (without headers) in retransmitted PDUs in both directions |
retrans.pdus.ratio | number | tcp | The ratio of retransmissions to the total number of PDUs (protocol data units) with payload in both directions |
retrans.traffic | number | dns icmp non_ip other_ip tcp udp voip | The total amount of bytes in retransmitted PDUs in both directions |
retrans.traffic.ratio | number | tcp | The ratio of retransmitted traffic to the entire traffic in both directions |
rows.integrated | number | flows | The number of integrated rows |
rows.integrated.per_minute | number | flows | The number of integrated rows per minute |
rows.total | number | flows | The total number of analyzed rows |
rows.total.per_minute | number | flows | The number of total rows per minute |
rows.truncated | number | flows | The number of truncated rows |
rows.truncated.per_minute | number | flows | The number of truncated rows per minute |
rsts | number | tcp | The total number of RST packets in both directions |
rsts.ratio | number | tcp | The average number of RST packets in a connection |
rtt.count | number | tcp | The total number of round-trip times in both directions |
rtt.deviation | number | tcp | The deviation of the round-trip time in both directions |
rtt.total | number | tcp | The sum of both client and server average round-trip times |
server.common_name | string | tls | The Common Name of the server certificate |
server.compressed.pdus | number | citrix_channels | The number of compressed server PDUs (protocol data units) |
server.compressed.pdus.ratio | number | citrix_channels | The ratio of compressions to the total number of PDUs (protocol data units) emitted by the server |
server.data | number | tls | The total number of server data PDUs (protocol data units) |
server.datasource.kind | pktsourcekind | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (server-side) |
server.datasource.name | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source name on which this traffic has been captured (server-side) |
server.datasource.pair | pktsourcepair | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type and name on which this traffic has been captured (server-side) |
server.diffserv | diffserv | icmp other_ip tcp udp | The server differentiated service |
server.dtt | number | citrix citrix_channels databases http smb tcp tls | The average data-transfer time for PDUs (protocol data units) emitted by the server |
server.dtt.count | number | citrix citrix_channels databases http smb tcp tls | The number of data-transfer times for PDUs (protocol data units) emitted by the server |
server.dtt.deviation | number | citrix citrix_channels databases http smb tcp tls | The deviation of the data-transfer time for PDUs (protocol data units) emitted by the server |
server.dupacks | number | tcp | The number of duplicated ACK packets from the server |
server.dupacks.ratio | number | tcp | The ratio of duplicated ACKs to the total number of packets emitted by the server |
server.emtu | number | icmp non_ip other_ip tcp udp | The maximum payload in a single Ethernet packet emitted by the server in these conversations (this value is assumed to be the MTU of the server's network interface, although the actual MTU value might be greater) |
server.error.ip | ip | icmp | The IP address of the server, as it appears in the headers of the ICMP error message |
server.error.port | port | icmp | The port of the server, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
server.error.zone.id | zone_id | icmp | The zone ID of the server, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
server.error.zone.name | zone | icmp | The zone of the server, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
server.expiration | time | tls | The expiration date of the server certificate |
server.file | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the pcap file used as traffic source (server-side) |
server.fins | number | tcp | The number of FIN packets emitted by the server |
server.fins.ratio | number | tcp | The average number of server FIN packets in a connection |
server.hostname | hostname | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The hostname of the server |
server.interface | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured (server-side) |
server.ip | ip | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The IP address of the server |
server.ja3 | tls_fingerprint | tls | The JA3 server fingerprint |
server.keepalives | number | citrix | The number of keep alives from the server |
server.key.bits | number | tls | The number of bits in the server key |
server.key.type | keytype | tls | The type of the server key |
server.mac | mac | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The MAC address of the server |
server.meta | number | tls | The total number of server metadata (handshake, change cipher spec & alerts PDU types) |
server.os | os | tcp | The server operating system |
server.payload | number | citrix citrix_channels tcp tls udp voip | The total amount of bytes of data (without headers) emitted by the server |
server.payload.pdus | number | citrix citrix_channels tcp voip | The total number of PDUs (protocol data units) with payload emitted by the server |
server.payload.ratio | number | citrix citrix_channels tcp tls udp voip | The ratio of payload bytes to the entire traffic emitted by the server |
server.pdus | number | citrix citrix_channels dns icmp non_ip other_ip tcp udp voip | The total number of PDUs (protocol data units) at applicative level emitted by the server |
server.port | port | citrix citrix_channels databases http smb tcp tls udp voip | The TCP/UDP port of the server |
server.rd | number | tcp | The average retransmission delay for PDUs emitted by the server |
server.rd.count | number | tcp | The number of retransmission delays for PDUs emitted by the server |
server.rd.deviation | number | tcp | The deviation of the retransmission delay for PDUs emitted by the server |
server.remote | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured via rpcapd (server-side) |
server.retrans.payload | number | tcp | The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the server |
server.retrans.pdus.ratio | number | tcp | The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the server |
server.retrans.traffic | number | tcp | The total amount of bytes in retransmitted PDUs emitted by the server |
server.retrans.traffic.ratio | number | tcp | The ratio of retransmitted traffic to the entire traffic emitted by the server |
server.rsts | number | tcp | The number of RST packets emitted by the server |
server.rsts.ratio | number | tcp | The average number of server RST packets in a connection |
server.rt | number | citrix citrix_channels databases smb tcp tls | The average server response time (SRT) |
server.rt.count | number | citrix citrix_channels databases smb tcp tls | The number of server response times |
server.rt.deviation | number | citrix citrix_channels databases smb tcp tls | The deviation of the server response time |
server.rtt | number | tcp | The average round-trip time for PDUs (protocol data units) emitted by the client |
server.rtt.count | number | tcp | The number of round-trip times for PDUs (protocol data units) emitted by the client |
server.rtt.deviation | number | tcp | The deviation of the round-trip time for PDUs (protocol data units) emitted by the client |
server.signalization.last_code | number | voip | Last SIP or MGCP response code |
server.signalization.payload | number | voip | The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the server |
server.signalization.pdus | number | voip | The total number of signalization PDUs (protocol data units) emitted by the server |
server.signalization.rd | number | voip | The average retransmission delay for signalization PDUs (protocol data units) emitted by the server |
server.signalization.rd.count | number | voip | The number of retransmission delays for signalization PDUs (protocol data units) emitted by the server |
server.signalization.rd.deviation | number | voip | The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the server |
server.signalization.retrans.pdus.ratio | number | voip | The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the server |
server.signalization.rt | number | voip | The average server response time for signalization PDUs (protocol data units) |
server.signalization.rt.count | number | voip | The number of server response times for signalization PDUs (protocol data units) |
server.signalization.rt.deviation | number | voip | The deviation of the server response time for signalization PDUs (protocol data units) |
server.signalization.rtt | number | voip | The average round-trip time for signalization PDUs (protocol data units) emitted by the client |
server.signalization.rtt.count | number | voip | The number of round-trip times for signalization PDUs (protocol data units) emitted by the client |
server.signalization.rtt.deviation | number | voip | The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the client |
server.signalization.traffic | number | voip | The total amount of bytes in signalization PDUs (protocol data units) emitted by the server |
server.signature | string | tls | The server signature |
server.traffic | number | dns icmp non_ip other_ip tcp tls udp voip | The total amount of bytes emitted by the server |
server.vlan | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the server side of the transaction (alias of server.vlans.inner) |
server.vlans | array | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The VLAN ids on the server side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN |
server.vlans.count | number | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The number of VLANs on the server side of the transaction |
server.vlans.inner | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the server side of the transaction |
server.vlans.outer | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The outer VLAN id on the server side of the transaction |
server.zero_windows | number | tcp | The number of zero-window size packets emitted by the server |
server.zero_windows.ratio | number | tcp | The ratio of zero-window size to the total number of packets emitted by the server |
server.zone.id | zone_id | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone id of the server |
server.zone.name | zone | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone of the server |
server_name | string | tls | The Server Name Indication of the conversation |
signalization.pdus | number | voip | The total number of signalization PDUs (protocol data units) in both directions |
signalization.rd.count | number | voip | The total number of retransmission delays for signalization PDUs (protocol data units) in both directions |
signalization.rd.deviation | number | voip | The deviation of the retransmission delay for signalization PDUs (protocol data units) in both directions |
signalization.rd.total | number | voip | The sum of both client and server average retransmission delays for signalization PDUs (protocol data units) |
signalization.retrans.pdus.ratio | number | voip | The ratio of retransmissions to the total number of signalization PDUs (protocol data units) in both directions |
signalization.rtt.count | number | voip | The total number of round-trip times for signalization PDUs (protocol data units) in both directions |
signalization.rtt.deviation | number | voip | The deviation of the round-trip time for signalization PDUs (protocol data units) in both directions |
signalization.rtt.total | number | voip | The sum of both client and server average round-trip times |
signalization.traffic | number | voip | The total amount of bytes in signalization PDUs (protocol data units) in both directions |
smb.command | smbcommand | smb | The SMB command |
smb.command.code | number | smb | The raw SMB command |
smb.sha256 | sha256 | smb | The sha256 hash |
smb.status | smbstatus | smb | The SMB status |
smb.subcommand | smbsubcommand | smb | The SMB subcommand |
smb.subcommand.code | number | smb | The raw SMB subcommand |
smb.version | smb_version | smb | The SMB protocol version |
software | string | http | The software in the Server header of the HTTP response |
source.common_name | string | tls | The Common Name of the source certificate |
source.compressed.pdus | number | citrix_channels | The number of compressed source PDUs (protocol data units) |
source.compressed.pdus.ratio | number | citrix_channels | The ratio of compressions to the total number of PDUs (protocol data units) emitted by the source |
source.data | number | tls | The total number of source data PDUs (protocol data units) |
source.datasource.kind | pktsourcekind | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type (pcap file, netflow, network iface, rpcapd) on which this traffic has been captured (source-side) |
source.datasource.name | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source name on which this traffic has been captured (source-side) |
source.datasource.pair | pktsourcepair | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The packet source type and name on which this traffic has been captured (source-side) |
source.diffserv | diffserv | icmp other_ip tcp udp | The source differentiated service |
source.dtt | number | citrix citrix_channels databases http smb tcp tls | The average data-transfer time for PDUs (protocol data units) emitted by the source |
source.dtt.count | number | citrix citrix_channels databases http smb tcp tls | The number of data-transfer times for PDUs (protocol data units) emitted by the source |
source.dtt.deviation | number | citrix citrix_channels databases http smb tcp tls | The deviation of the data-transfer time for PDUs (protocol data units) emitted by the source |
source.dupacks | number | tcp | The number of duplicated ACK packets from the source |
source.dupacks.ratio | number | tcp | The ratio of duplicated ACKs to the total number of packets emitted by the source |
source.emtu | number | icmp non_ip other_ip tcp udp | The maximum payload in a single Ethernet packet emitted by the source in these conversations (this value is assumed to be the MTU of the source's network interface, although the actual MTU value might be greater) |
source.error.ip | ip | icmp | The IP address of the source, as it appears in the headers of the ICMP error message |
source.error.port | port | icmp | The port of the source, as it appears in the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
source.error.zone.id | zone_id | icmp | The zone ID of the source, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
source.error.zone.name | zone | icmp | The zone of the source, determined using the TCP/UDP PDU (protocol data unit) transported by the ICMP error message |
source.expiration | time | tls | The expiration date of the source certificate |
source.file | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the Pcap File used as traffic source (source-side) |
source.fins | number | tcp | The number of FIN packets emitted by the source |
source.fins.ratio | number | tcp | The average number of source FIN packets in a connection |
source.hostname | hostname | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The hostname of the source |
source.interface | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured (source-side) |
source.ip | ip | citrix citrix_channels databases dns http icmp other_ip smb tcp tls udp voip | The IP address of the source |
source.ja3 | tls_fingerprint | tls | The JA3 source fingerprint |
source.keepalives | number | citrix | The number of keepalives from the source |
source.key.bits | number | tls | The number of bits in the source key |
source.key.type | keytype | tls | The type of the source key |
source.mac | mac | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The MAC address of the source |
source.meta | number | tls | The total number of source metadata PDUs (handshake, change cipher spec and alert PDU types) |
source.os | os | tcp | The source operating system |
source.payload | number | citrix citrix_channels tcp tls udp voip | The total amount of bytes of data (without headers) emitted by the source |
source.payload.pdus | number | citrix citrix_channels tcp voip | The total number of PDUs (protocol data units) with payload emitted by the source |
source.payload.ratio | number | citrix citrix_channels tcp tls udp voip | The ratio of payload bytes to the entire traffic emitted by the source |
source.pdus | number | citrix citrix_channels dns icmp non_ip other_ip tcp udp voip | The total number of PDUs (protocol data units) at applicative level emitted by the source |
source.port | port | citrix citrix_channels databases http smb tcp tls udp voip | The TCP/UDP port of the source |
source.rd | number | tcp | The average retransmission delay for PDUs emitted by the source |
source.rd.count | number | tcp | The number of retransmission delays for PDUs emitted by the source |
source.rd.deviation | number | tcp | The deviation of the retransmission delay for PDUs emitted by the source |
source.remote | pktsourcename | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The name of the network interface on which this traffic has been captured via rpcapd (source-side) |
source.retrans.payload | number | tcp | The total amount of bytes of data (without headers) in retransmitted PDUs emitted by the source |
source.retrans.pdus.ratio | number | tcp | The ratio of retransmissions to the total number of PDUs (protocol data units) with payload emitted by the source |
source.retrans.traffic | number | tcp | The total amount of bytes in retransmitted PDUs emitted by the source |
source.retrans.traffic.ratio | number | tcp | The ratio of retransmitted traffic to the entire traffic emitted by the source |
source.rsts | number | tcp | The number of RST packets emitted by the source |
source.rsts.ratio | number | tcp | The average number of source RST packets in a connection |
source.rtt | number | tcp | The average round-trip time for PDUs (protocol data units) emitted by the destination |
source.rtt.count | number | tcp | The number of round-trip times for PDUs (protocol data units) emitted by the destination |
source.rtt.deviation | number | tcp | The deviation of the round-trip time for PDUs (protocol data units) emitted by the destination |
source.signalization.payload | number | voip | The total amount of bytes of data (without headers) in all signalization PDUs (protocol data units) emitted by the source |
source.signalization.pdus | number | voip | The total number of signalization PDUs (protocol data units) emitted by the source |
source.signalization.rd | number | voip | The average retransmission delay for signalization PDUs (protocol data units) emitted by the source |
source.signalization.rd.count | number | voip | The number of retransmission delays for signalization PDUs (protocol data units) emitted by the source |
source.signalization.rd.deviation | number | voip | The deviation of the retransmission delay for signalization PDUs (protocol data units) emitted by the source |
source.signalization.retrans.pdus.ratio | number | voip | The ratio of retransmissions to the total number of signalization PDUs (protocol data units) emitted by the source |
source.signalization.rtt | number | voip | The average round-trip time for signalization PDUs (protocol data units) emitted by the destination |
source.signalization.rtt.count | number | voip | The number of round-trip times for signalization PDUs (protocol data units) emitted by the destination |
source.signalization.rtt.deviation | number | voip | The deviation of the round-trip time for signalization PDUs (protocol data units) emitted by the destination |
source.signalization.traffic | number | voip | The total amount of bytes in signalization PDUs (protocol data units) emitted by the source |
source.signature | string | tls | The source signature |
source.traffic | number | dns icmp non_ip other_ip tcp tls udp voip | The total amount of bytes emitted by the source |
source.vlan | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the source side of the transaction (alias of source.vlans.inner) |
source.vlans | array | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The VLAN ids on the source side of the transaction. The first VLAN id represents the outer VLAN and the last VLAN id represents the inner VLAN |
source.vlans.count | number | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The number of VLANs on the source side of the transaction |
source.vlans.inner | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The inner VLAN id on the source side of the transaction |
source.vlans.outer | vlan | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The outer VLAN id on the source side of the transaction |
source.zero_windows | number | tcp | The number of zero-window size packets emitted by the source |
source.zero_windows.ratio | number | tcp | The ratio of zero-window size to the total number of packets emitted by the source |
source.zone.id | zone_id | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone id of the source |
source.zone.name | zone | citrix citrix_channels databases dns http icmp non_ip other_ip smb tcp tls udp voip | The zone of the source |
successes | number | citrix databases dns smb voip | The number of successes |
successes.ratio | number | citrix databases dns smb voip | The ratio of successes |
syns | number | tcp | The number of SYN packets emitted by the client |
syns.ratio | number | tcp | The average number of SYN packets in a connection |
system | databasesystem | databases | The database system |
tcp_pdus | number | http | The number of TCP packets that make up the HTTP queries and responses |
time_exclusion.any | bool | citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip | Was there any time exclusion? |
time_exclusion.business_hours | bool | citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip | Was there a business hours time exclusion? |
time_exclusion.maintenance_windows | bool | citrix citrix_channels databases dns flows http icmp non_ip other_ip smb tcp tls udp voip | Was there a maintenance windows time exclusion? |
timeouts | number | citrix | The number of flows that timed out |
tls.version | tls_version | tls | The TLS protocol version |
tls.version.is_weak | bool | tls | Is the TLS protocol version weak? |
tls.version.major | number | tls | The TLS protocol major version |
tls.version.minor | number | tls | The TLS protocol minor version |
traffic | number | dns http icmp non_ip other_ip tcp tls udp voip | The total amount of bytes in both directions |
tree | path | smb | The tree this CIFS command relates to |
tree.id | descriptor | smb | The id of the tree this CIFS command relates to |
unclosed | number | tcp | The number of TCP sessions that didn't properly end |
url | url | http | The path, query and fragment parts of the URL |
url.base | url | http | The URL without the query string and fragment |
url.path | path | http | The URL path |
user | string | citrix citrix_channels databases smb | The user |
user.experience | number | tcp | The end-user experience (sum of RTTs, DTTs and SRT) |
user_agent | useragent | http | The user-agent |
uuid | uuid | citrix citrix_channels databases dns http smb tcp tls voip | The unique identifier of this TCP session |
voice.count | number | voip | Number of packets where we had voice in the conversation |
warnings | number | smb | The number of warnings (mainly client-side) |
warnings.ratio | number | smb | The ratio of warnings to the total number of SMB queries |
zero_windows | number | tcp | The total number of zero-window size packets in both directions |
zero_windows.ratio | number | tcp | The ratio of zero-window size to the total number of packets in both directions |
© 2025 Cisco and/or its affiliates. All rights reserved.