Change the fields exported by flows
* Change the fields exported by flows

* Change ip4 to ip and ip6 to ipv6
monicasarbu authored and Steffen Siering committed Apr 4, 2016
1 parent 68bae2b commit 2f48f37
Showing 9 changed files with 394 additions and 330 deletions.
214 changes: 116 additions & 98 deletions packetbeat/docs/fields.asciidoc


254 changes: 134 additions & 120 deletions packetbeat/etc/fields.yml
Expand Up @@ -169,163 +169,177 @@ flows_event:
description: >
Internal flow id based on connection meta data and address.
- name: mac_source
description: >
Source MAC address as indicated by first packet seen for the current flow.
- name: mac_dest
description: >
Destination MAC address as indicated by first packet seen for the current flow.
- name: vlan
description: >
Innermost VLAN address used in network packets.
- name: outter_vlan
- name: outer_vlan
description: >
Second innermost VLAN address used in network packets.
- name: ip4_source
description: >
Innermost IPv4 source address as indicated by first packet seen for the
current flow.
- name: ip4_source_location
type: geo_point
example: "40.715, -74.011"
- name: source
type: group
description: >
The GeoIP location of the `ip4_source` IP address. The field is a string
containing the latitude and longitude separated by a comma.
Properties of the source host
fields:
- name: mac
description: >
Source MAC address as indicated by first packet seen for the current flow.
- name: ip4_dest
description: >
Innermost IPv4 destination address as indicated by first packet seen for the
current flow.
- name: ip
description: >
Innermost IPv4 source address as indicated by first packet seen for the
current flow.
- name: ip4_dest_location
type: geo_point
example: "40.715, -74.011"
description: >
The GeoIP location of the `ip4_dest` IP address. The field is a string
containing the latitude and longitude separated by a comma.
- name: ip_location
type: geo_point
example: "40.715, -74.011"
description: >
The GeoIP location of the `ip_source` IP address. The field is a string
containing the latitude and longitude separated by a comma.
- name: outter_ip4_source
description: >
Second innermost IPv4 source address as indicated by first packet seen
for the current flow.
- name: outer_ip
description: >
Second innermost IPv4 source address as indicated by first packet seen
for the current flow.
- name: outter_ip4_source_location
type: geo_point
example: "40.715, -74.011"
description: >
The GeoIP location of the `outter_ip4_source` IP address. The field is a
string containing the latitude and longitude separated by a comma.
- name: outer_ip_location
type: geo_point
example: "40.715, -74.011"
description: >
The GeoIP location of the `outer_ip_source` IP address. The field is a
string containing the latitude and longitude separated by a comma.
- name: outter_ip4_dest
description: >
Second innermost IPv4 destination address as indicated by first packet
seen for the current flow.
- name: ipv6
description: >
Innermost IPv6 source address as indicated by first packet seen for the
current flow.
- name: outter_ip4_dest_location
type: geo_point
example: "40.715, -74.011"
description: >
The GeoIP location of the `outter_ip4_dest` IP address. The field is a
string containing the latitude and longitude separated by a comma.
- name: ipv6_location
type: geo_point
example: "60.715, -76.011"
description: >
The GeoIP location of the `ipv6_source` IP address. The field is a string
containing the latitude and longitude separated by a comma.
- name: ip6_source
description: >
Innermost IPv6 source address as indicated by first packet seen for the
current flow.
- name: outer_ipv6
description: >
Second innermost IPv6 source address as indicated by first packet seen
for the current flow.
- name: ip6_source_location
type: geo_point
example: "60.715, -76.011"
description: >
The GeoIP location of the `ip6_source` IP address. The field is a string
containing the latitude and longitude separated by a comma.
- name: outer_ipv6_location
type: geo_point
example: "60.715, -76.011"
description: >
The GeoIP location of the `outer_ipv6_source` IP address. The field is a
string containing the latitude and longitude separated by a comma.
- name: ip6_dest
description: >
Innermost IPv6 destination address as indicated by first packet seen for the
current flow.
- name: port
description: >
Source port number as indicated by first packet seen for the current flow.
- name: ip6_dest_location
type: geo_point
example: "60.715, -76.011"
description: >
The GeoIP location of the `ip6_dest` IP address. The field is a string
containing the latitude and longitude separated by a comma.
- name: stats
type: group
description: >
Object with source to destination flow measurements.
fields:
- name: net_packets_total
description: >
Total number of packets
- name: outter_ip6_source
description: >
Second innermost IPv6 source address as indicated by first packet seen
for the current flow.
- name: net_bytes_total
description: >
Total number of bytes
- name: outter_ip6_source_location
type: geo_point
example: "60.715, -76.011"
description: >
The GeoIP location of the `outter_ip6_source` IP address. The field is a
string containing the latitude and longitude separated by a comma.
- name: outter_ip6_dest
description: >
Second innermost IPv6 destination address as indicated by first packet
seen for the current flow.
- name: outter_ip6_dest_location
type: geo_point
example: "60.715, -76.011"
- name: dest
type: group
description: >
The GeoIP location of the `outter_ip6_dest` IP address. The field is a
string containing the latitude and longitude separated by a comma.
Properties of the destination host
fields:
- name: mac
description: >
Destination MAC address as indicated by first packet seen for the current flow.
- name: icmp_id
description: >
ICMP id used in ICMP based flow.
- name: ip
description: >
Innermost IPv4 destination address as indicated by first packet seen for the
current flow.
- name: port_source
description: >
Source port number as indicated by first packet seen for the current flow.
- name: ip_location
type: geo_point
example: "40.715, -74.011"
description: >
The GeoIP location of the `ip_dest` IP address. The field is a string
containing the latitude and longitude separated by a comma.
- name: port_dest
description: >
Destination port number as indicated by first packet seen for the current flow.
- name: outer_ip
description: >
Second innermost IPv4 destination address as indicated by first packet
seen for the current flow.
- name: transport
description: >
The transport protocol used by the flow. If known, one of "udp" or "tcp".
- name: outer_ip_location
type: geo_point
example: "40.715, -74.011"
description: >
The GeoIP location of the `outer_ip_dest` IP address. The field is a
string containing the latitude and longitude separated by a comma.
- name: connection_id
description: >
optional TCP connection id
- name: ipv6
description: >
Innermost IPv6 destination address as indicated by first packet seen for the
current flow.
- name: stats_source
type: group
description: >
Object with source to destination flow measurements.
fields:
- name: net_packets_total
- name: ipv6_location
type: geo_point
example: "60.715, -76.011"
description: >
Total number of packets
The GeoIP location of the `ipv6_dest` IP address. The field is a string
containing the latitude and longitude separated by a comma.
- name: net_bytes_total
- name: outer_ipv6
description: >
Total number of bytes
Second innermost IPv6 destination address as indicated by first packet
seen for the current flow.
- name: stats_dest
type: group
description: >
Object with destination to source flow measurements.
fields:
- name: net_packets_total
- name: outer_ipv6_location
type: geo_point
example: "60.715, -76.011"
description: >
Total number of packets
The GeoIP location of the `outer_ipv6_dest` IP address. The field is a
string containing the latitude and longitude separated by a comma.
- name: net_bytes_total
- name: port
description: >
Total number of bytes
Destination port number as indicated by first packet seen for the current flow.
- name: stats
type: group
description: >
Object with destination to source flow measurements.
fields:
- name: net_packets_total
description: >
Total number of packets
- name: net_bytes_total
description: >
Total number of bytes
- name: icmp_id
description: >
ICMP id used in ICMP based flow.
- name: transport
description: >
The transport protocol used by the flow. If known, one of "udp" or "tcp".
- name: connection_id
description: >
optional TCP connection id
trans_event:
type: group
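Review bot: the GeoIP descriptions in this hunk still name the old flat fields, which no longer exist once the addresses are nested under `source` and `dest`: `source.ip_location` says "The GeoIP location of the `ip_source` IP address", `source.outer_ip_location` refers to `outer_ip_source`, `source.ipv6_location` to `ipv6_source`, `source.outer_ipv6_location` to `outer_ipv6_source`, and the `dest` counterparts refer to `ip_dest`, `outer_ip_dest`, `ipv6_dest` and `outer_ipv6_dest`. Since fields.asciidoc is generated from this file, the rendered docs will point users at names they cannot query; suggest rewriting them to the new dotted names, e.g. "The GeoIP location of the `source.ip` address." and "The GeoIP location of the `dest.outer_ipv6` address.", and likewise for `connection_id`, whose description ("optional TCP connection id") would read better capitalised and with a full stop like the surrounding entries.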
54 changes: 31 additions & 23 deletions packetbeat/etc/packetbeat.template.json
Expand Up @@ -24,33 +24,25 @@
"client_location": {
"type": "geo_point"
},
"ip4_dest_location": {
"type": "geo_point"
},
"ip4_source_location": {
"type": "geo_point"
},
"ip6_dest_location": {
"type": "geo_point"
},
"ip6_source_location": {
"type": "geo_point"
"dest": {
"properties": {
"ip_location": {
"type": "geo_point"
},
"ipv6_location": {
"type": "geo_point"
},
"outer_ip_location": {
"type": "geo_point"
},
"outer_ipv6_location": {
"type": "geo_point"
}
}
},
"last_time": {
"type": "date"
},
"outter_ip4_dest_location": {
"type": "geo_point"
},
"outter_ip4_source_location": {
"type": "geo_point"
},
"outter_ip6_dest_location": {
"type": "geo_point"
},
"outter_ip6_source_location": {
"type": "geo_point"
},
"params": {
"norms": false,
"type": "text"
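Review bot: replacing the flat `ip4_*_location` / `ip6_*_location` / `outter_*_location` mappings with a nested `dest` object is a breaking change for anything that indexes or queries flow events: existing indices keep the old mapping (templates only apply to newly created indices), and saved searches, visualizations and Kibana dashboards that reference `ip4_source_location` or `ip4_dest_location` will stop matching. Only three of the nine changed files are visible here; if the remaining ones do not already include a CHANGELOG entry and updated sample dashboards for the renamed flow fields, please add them in this commit so the rename is documented alongside the template change.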
Expand All @@ -67,6 +59,22 @@
"norms": false,
"type": "text"
},
"source": {
"properties": {
"ip_location": {
"type": "geo_point"
},
"ipv6_location": {
"type": "geo_point"
},
"outer_ip_location": {
"type": "geo_point"
},
"outer_ipv6_location": {
"type": "geo_point"
}
}
},
"start_time": {
"type": "date"
}
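Review bot: the new `source` object (like `dest` above) only declares explicit mappings for the four `*_location` geo_point fields; the address fields defined for the same group in fields.yml (`ip`, `ipv6`, `outer_ip`, `outer_ipv6`) get no type here, so Elasticsearch will map them dynamically as strings rather than as the `ip` datatype, and range or CIDR queries on `source.ip` / `dest.ip` will not work. Consider adding entries such as `"ip": { "type": "ip" }` under both `source.properties` and `dest.properties`, ideally by giving those fields a `type: ip` in fields.yml so the generated template picks it up.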