User Guide 19.11 documentation
Keyword | Field | Operand Type |
---|---|---|
0win | Total number of zero-windows | Decimal or hexa. |
0win.count.clt | Number of zero-windows from the Client | Decimal or hexa. |
0win.count.srv | Number of zero-windows from the Server | Decimal or hexa. |
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
ct | Connection time | Duration |
ct.count | Number of successful handshakes | Decimal or hexa. |
dcerpc | Distributed Computing Environment | DCE RPC UUID |
delta_session | Difference between created sessions and finished sessions | Decimal or hexa. |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
diffserv | Either Client or Server Diffserv | - |
diffserv.clt | Client Diffserv | - |
diffserv.srv | Server Diffserv | - |
dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
dtt.clt | Average data transfer time from Client | Duration |
dtt.count | – | Decimal or hexa. |
dtt.count.clt | – | Decimal or hexa. |
dtt.count.srv | – | Decimal or hexa. |
dtt.srv | Average data transfer time from Server | Duration |
dup_ack.count | Total Duplicate ACKs | Decimal or hexa. |
dup_ack.count.clt | Duplicate ACKs from Client to Server | Decimal or hexa. |
dup_ack.count.srv | Duplicate ACKs from Server to Client | Decimal or hexa. |
eth.proto | Ethernet Type Protocol | Ethernet type |
eurt | End-user response time: sum of RTT, DTT and SRT | Duration |
fin.count | Total number of FIN packets | Decimal or hexa. |
fin.count.clt | Number of FINs emitted by the Client | Decimal or hexa. |
fin.count.srv | Number of FINs emitted by the Server | Decimal or hexa. |
ip | Either Client or Server IP or subnet | Address or netmask |
ip.clt | IP that initiated a connection to a server | Address or netmask |
ip.netflow | IP of the netflow capture | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
mtu | The global MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.clt | Client MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.srv | Server MTU (Maximum Transmission Unit) | Decimal or hexa. |
os | Either Client or Server Operating System | OS name |
os.clt | Client Operating System | OS name |
os.srv | Server Operating System | OS name |
payload | Total payload | Byte quantity |
payload.clt | Payload from Client to Server | Byte quantity |
payload.count | Number of IP packets with a payload | Decimal or hexa. |
payload.count.clt | Number of packets with a payload emitted by the Client | Decimal or hexa. |
payload.count.srv | Number of packets with a payload emitted by the Server | Decimal or hexa. |
payload.ret | Total retransmission payload | Byte quantity |
payload.ret.clt | Retransmission payload from Client to Server | Byte quantity |
payload.ret.srv | Retransmission payload from Server to Client | Byte quantity |
payload.srv | Payload from Server to Client | Byte quantity |
pkt.count | Number of IP packets | Decimal or hexa. |
pkt.count.clt | Number of packets emitted by the Client | Decimal or hexa. |
pkt.count.srv | Number of packets emitted by the Server | Decimal or hexa. |
port | Either the client or the server port | Port number |
port.clt | TCP/UDP client port | Port number |
port.srv | TCP/UDP server port | Port number |
protostack | Protocols Stack | Wildcard or regex |
rd | Sum of RD (Retransmission delay) in both directions | Duration |
rd.clt | Retransmission delay from Client to Server | Duration |
rd.count | Retransmission count (both directions) | Decimal or hexa. |
rd.count.clt | Retransmission count from Client to Server | Decimal or hexa. |
rd.count.srv | Retransmission count from Server to Client | Decimal or hexa. |
rd.rate | Total retransmission ratio | Rate |
rd.rate.clt | Retransmission ratio from Client to Server | Rate |
rd.rate.srv | Retransmission ratio from Server to Client | Rate |
rd.srv | Retransmission delay from Server to Client | Duration |
ret | Total retransmission traffic | Byte quantity |
ret.clt | Retransmission traffic from Client to Server | Byte quantity |
ret.srv | Retransmission traffic from Server to Client | Byte quantity |
rst.count | Total number of RST packets | Decimal or hexa. |
rst.count.clt | Number of RSTs emitted by the Client | Decimal or hexa. |
rst.count.srv | Number of RSTs emitted by the Server | Decimal or hexa. |
rtt | Sum of RTT (Round Trip Time) in both directions | Duration |
rtt.clt | The round-trip time for packets emitted by the Client | Duration |
rtt.count | Number of RTT (in both directions) | Decimal or hexa. |
rtt.count.clt | Number of RTT for packets emitted by the Client | Decimal or hexa. |
rtt.count.srv | Number of RTT for packets emitted by the Server | Decimal or hexa. |
rtt.srv | The round-trip time for packets emitted by the Server | Duration |
srt | Server response time (SRT), elapsed time from the client r... | Duration |
srt.count | Number of SRT computed in a time interval | Decimal or hexa. |
syn.count | Number of SYN packets | Decimal or hexa. |
tcp_close.count | Number of times the connection has been closed (by acked F... | Decimal or hexa. |
traffic | Total traffic | Byte quantity |
traffic.clt | Traffic emitted by the Client | Byte quantity |
traffic.srv | Traffic emitted by the Server | Byte quantity |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Client or Server Zone | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |
Keyword | Field | Operand Type |
---|---|---|
0win | Total number of zero-windows | Decimal or hexa. |
0win.count.dst | Number of zero-windows from the Destination | Decimal or hexa. |
0win.count.src | Number of zero-windows from the Source | Decimal or hexa. |
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
ct | Connection time | Duration |
ct.count | Number of successful handshakes | Decimal or hexa. |
dcerpc | Distributed Computing Environment | DCE RPC UUID |
delta_session | Difference between created sessions and finished sessions | Decimal or hexa. |
device | Either Source or Destination Device | Packet datasource |
device.dst | Device id (Destination side) | Packet datasource |
device.src | Device id (Source side) | Packet datasource |
diffserv | Either Source or Destination Diffserv | - |
diffserv.dst | Destination Diffserv | - |
diffserv.src | Source Diffserv | - |
dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
dtt.count | – | Decimal or hexa. |
dtt.count.dst | – | Decimal or hexa. |
dtt.count.src | – | Decimal or hexa. |
dtt.dst | Average data transfer time from Destination | Duration |
dtt.src | Average data transfer time from Source | Duration |
dup_ack.count | Total Duplicate ACKs | Decimal or hexa. |
dup_ack.count.dst | Duplicate ACKs from Destination to Source | Decimal or hexa. |
dup_ack.count.src | Duplicate ACKs from Source to Destination | Decimal or hexa. |
eth.proto | Ethernet Type Protocol | Ethernet type |
eurt | End-user response time: sum of RTT, DTT and SRT | Duration |
fin.count | Total number of FIN packets | Decimal or hexa. |
fin.count.dst | Number of FINs emitted by the Destination | Decimal or hexa. |
fin.count.src | Number of FINs emitted by the Source | Decimal or hexa. |
ip | Either Source or Destination IP or subnet | Address or netmask |
ip.dst | IP address to which network communication is sent | Address or netmask |
ip.netflow | IP of the netflow capture | Address or netmask |
ip.src | IP address from which network communication originated | Address or netmask |
mac | Either Source or Destination MAC address | MAC address |
mac.dst | Destination MAC (physical) address | MAC address |
mac.src | Source MAC (physical) address | MAC address |
mtu | The global MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.dst | Destination MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.src | Source MTU (Maximum Transmission Unit) | Decimal or hexa. |
os | Either Source or Destination Operating System | OS name |
os.dst | Destination Operating System | OS name |
os.src | Source Operating System | OS name |
payload | Total payload | Byte quantity |
payload.count | Number of IP packets with a payload | Decimal or hexa. |
payload.count.dst | Number of packets with a payload sent by the Destination | Decimal or hexa. |
payload.count.src | Number of packets with a payload sent by the Source | Decimal or hexa. |
payload.dst | Payload from Destination to Source | Byte quantity |
payload.ret | Total retransmission payload | Byte quantity |
payload.ret.dst | Retransmission payload from Destination to Source | Byte quantity |
payload.ret.src | Retransmission payload from Source to Destination | Byte quantity |
payload.src | Payload from Source to Destination | Byte quantity |
pkt.count | Number of IP packets | Decimal or hexa. |
pkt.count.dst | Number of packets emitted by the Destination | Decimal or hexa. |
pkt.count.src | Number of packets emitted by the Source | Decimal or hexa. |
port | Either the client or the server port | Port number |
port.clt | TCP/UDP client port | Port number |
port.srv | TCP/UDP server port | Port number |
protostack | Protocols Stack | Wildcard or regex |
rd | Sum of RD (Retransmission delay) in both directions | Duration |
rd.count | Retransmission count (both directions) | Decimal or hexa. |
rd.count.dst | Retransmission count from Destination to Source | Decimal or hexa. |
rd.count.src | Retransmission count from Source to Destination | Decimal or hexa. |
rd.dst | Retransmission delay from Destination to Source | Duration |
rd.rate | Total retransmission ratio | Rate |
rd.rate.dst | Retransmission ratio from Destination to Source | Rate |
rd.rate.src | Retransmission ratio from Source to Destination | Rate |
rd.src | Retransmission delay from Source to Destination | Duration |
ret | Total retransmission traffic | Byte quantity |
ret.dst | Retransmission traffic from Destination to Source | Byte quantity |
ret.src | Retransmission traffic from Source to Destination | Byte quantity |
rst.count | Total number of RST packets | Decimal or hexa. |
rst.count.dst | Number of RSTs emitted by the Destination | Decimal or hexa. |
rst.count.src | Number of RSTs emitted by the Source | Decimal or hexa. |
rtt | Sum of RTT (Round Trip Time) in both directions | Duration |
rtt.count | Number of RTT (in both directions) | Decimal or hexa. |
rtt.count.dst | Number of RTT for packets emitted by the Destination | Decimal or hexa. |
rtt.count.src | Number of RTT for packets emitted by the Source | Decimal or hexa. |
rtt.dst | The round-trip time for packets emitted by the Destination | Duration |
rtt.src | The round-trip time for packets emitted by the Source | Duration |
srt | Server response time (SRT), elapsed time from the client r... | Duration |
srt.count | Number of SRT computed in a time interval | Decimal or hexa. |
syn.count | Number of SYN packets | Decimal or hexa. |
tcp_close.count | Number of times the connection has been closed (by acked F... | Decimal or hexa. |
traffic | Total traffic | Byte quantity |
traffic.dst | Traffic emitted by the Destination | Byte quantity |
traffic.src | Traffic emitted by the Source | Byte quantity |
vlan | Either Source or Destination VLAN | Decimal or hexa. |
vlan.dst | Tagged Link (802.1Q) seen on the Destination side | Decimal or hexa. |
vlan.src | Tagged Link (802.1Q) seen on the Source side | Decimal or hexa. |
zone | Either Source or Destination Zone | Zone name |
zone.dst | Zone to which network communication is sent | Zone name |
zone.src | Zone from which network communication originated | Zone name |
Keyword | Field | Operand Type |
---|---|---|
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
dtt.clt | Average data transfer time from Client | Duration |
dtt.count | – | Decimal or hexa. |
dtt.count.clt | – | Decimal or hexa. |
dtt.count.srv | – | Decimal or hexa. |
dtt.srv | Average data transfer time from Server | Duration |
eth.proto | Ethernet Type Protocol | Ethernet type |
http.dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
http.dtt.clt | Average data transfer time from Client | Duration |
http.dtt.srv | Average data transfer time from Server | Duration |
http.hit.count | Number of HTTP hits | Decimal or hexa. |
http.hit.err.count | Sum of hits with an error status (4xx and 5xx) | Decimal or hexa. |
http.hit.rt | Average of the hit response time | Duration |
http.host | URL Host | String |
http.page.count | Number of HTTP pages | Decimal or hexa. |
http.page.hit_count | The number of hits that contributed to this page | Decimal or hexa. |
http.page.lt | Page load time average | Duration |
http.request.length | Sum of content length generated by HTTP queries | Byte quantity |
http.request.method | The HTTP method used to query | HTTP method |
http.resp.status | The HTTP response code (1xx to 5xx) | HTTP status or category |
http.resp.status.cat | The category of the HTTP response code | HTTP status category |
http.resp.status.code | The HTTP response code | HTTP status |
http.response.length | Sum of content length generated by HTTP responses | Byte quantity |
http.response.server | Software declared as the HTTP server | String |
http.url.path | The path, query and fragment parts of the URL | Wildcard or regex |
http.user_agent | User agent | String |
ip | Either Client or Server IP or subnet | Address or netmask |
ip.clt | IP that initiated a connection to a server | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
port | Either the client or the server port | Port number |
port.clt | TCP/UDP client port | Port number |
port.srv | TCP/UDP server port | Port number |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Client or Server Zone | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |
Keyword | Field | Operand Type |
---|---|---|
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
dtt.clt | Average data transfer time from Client | Duration |
dtt.count | – | Decimal or hexa. |
dtt.count.clt | – | Decimal or hexa. |
dtt.count.srv | – | Decimal or hexa. |
dtt.srv | Average data transfer time from Server | Duration |
eth.proto | Ethernet Type Protocol | Ethernet type |
ip | Either Client or Server IP or subnet | Address or netmask |
ip.clt | IP that initiated a connection to a server | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
port | Either the client or the server port | Port number |
port.clt | TCP/UDP client port | Port number |
port.srv | TCP/UDP server port | Port number |
protostack | Protocols Stack | Wildcard or regex |
sql.dbname | The database or instance name which is used to execute the... | Wildcard or regex |
sql.dbuser | Authenticated username who executes the queries | Wildcard or regex |
sql.dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
sql.dtt.clt | Average data transfer time from Client | Duration |
sql.dtt.srv | Average data transfer time from Server | Duration |
sql.error.code | The system-specific error code | String |
sql.error.count | Number of errors | Decimal or hexa. |
sql.error.msg | The SQL error message | String |
sql.error.rate | Error ratio | Rate |
sql.error.status | The SQL error status | String |
sql.query.command | Type of SQL command | SQL command |
sql.query.count | Number of queries | Decimal or hexa. |
sql.query.packets | Query packets at applicative level (PDU) | Decimal or hexa. |
sql.query.payload | Sum of query payload | Byte quantity |
sql.response.packets | Response packets at applicative level (PDU) | Decimal or hexa. |
sql.response.payload | Sum of response payload | Byte quantity |
sql.system | Database system | SQL system |
srt | Server response time (SRT), elapsed time from the client r... | Duration |
srt.count | Number of SRT computed in a time interval | Decimal or hexa. |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Client or Server Zone | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |
Keyword | Field | Operand Type |
---|---|---|
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
cifs.command | CIFS Command | SMB command |
cifs.data.payload | Payload of data (files transferred) without CIFS meta info... | Byte quantity |
cifs.domain | CIFS Domain | String |
cifs.error.count | Number of errors (mostly Server side) | Decimal or hexa. |
cifs.fileid | CIFS File ID | Decimal or hexa. |
cifs.meta.payload | Metadata payload used for the CIFS commands (like ‘move’, ... | Byte quantity |
cifs.meta.read | Number of metadata bytes read | Byte quantity |
cifs.meta.written | Number of metadata bytes written | Byte quantity |
cifs.path | CIFS Path to the file related to this command | Wildcard or regex |
cifs.query.count | Number of queries | Decimal or hexa. |
cifs.query.packets | Query packets at applicative level (PDU) | Decimal or hexa. |
cifs.query.payload | Sum of query payload | Byte quantity |
cifs.query.write | Number of bytes to be written | Byte quantity |
cifs.response.packets | Response packets at applicative level (PDU) | Decimal or hexa. |
cifs.response.payload | Sum of response payload | Byte quantity |
cifs.response.read | Number of bytes read | Byte quantity |
cifs.response.written | Number of bytes effectively written | Byte quantity |
cifs.status | CIFS Status | SMB status |
cifs.subcommand | CIFS Subcommand | SMB sub-command |
cifs.success.count | Number of queries with OK or Informational status | Decimal or hexa. |
cifs.tree | CIFS Tree related to this command | Wildcard or regex |
cifs.tree.id | CIFS Tree ID | Decimal or hexa. |
cifs.user | CIFS User | String |
cifs.warning.count | Number of warnings (mostly Client side) | Decimal or hexa. |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
dtt.clt | Average data transfer time from Client | Duration |
dtt.count | – | Decimal or hexa. |
dtt.count.clt | – | Decimal or hexa. |
dtt.count.srv | – | Decimal or hexa. |
dtt.srv | Average data transfer time from Server | Duration |
eth.proto | Ethernet Type Protocol | Ethernet type |
ip | Either Client or Server IP or subnet | Address or netmask |
ip.clt | IP that initiated a connection to a server | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
port | Either the client or the server port | Port number |
port.clt | TCP/UDP client port | Port number |
port.srv | TCP/UDP server port | Port number |
protostack | Protocols Stack | Wildcard or regex |
srt | Server response time (SRT), elapsed time from the client r... | Duration |
srt.count | Number of SRT computed in a time interval | Decimal or hexa. |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Client or Server Zone | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |
Keyword | Field | Operand Type |
---|---|---|
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
device | Either Emitting or Server Device | Packet datasource |
device.clt | Device id (Emitting side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
diffserv | Either Client or Server Diffserv | - |
diffserv.clt | Client Diffserv | - |
diffserv.srv | Server Diffserv | - |
eth.proto | Ethernet Type Protocol | Ethernet type |
icmp.code | ICMP Code | Decimal or hexa. |
icmp.err.ip | Either Client or Server Error IP | Address or netmask |
icmp.err.ip.clt | Client IP of the ICMP Error | Address or netmask |
icmp.err.ip.srv | Server IP of the ICMP Error | Address or netmask |
icmp.err.port | Either Client or Server Error Port | Port number |
icmp.err.port.clt | ICMP Client Error Port | Port number |
icmp.err.port.srv | ICMP Server Error Port | Port number |
icmp.err.zone | Either Client or Server Error Zone | Zone name |
icmp.err.zone.clt | Client zone of the ICMP error | Zone name |
icmp.err.zone.srv | Server zone of the ICMP error | Zone name |
icmp.protocol | Which protocol caused an error | - |
icmp.type | ICMP type | ICMP type |
ip | Either Emitting or Server IP or subnet | Address or netmask |
ip.clt | IP that sent the packet | Address or netmask |
ip.netflow | IP of the netflow capture | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
mtu | The global MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.clt | Client MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.srv | Server MTU (Maximum Transmission Unit) | Decimal or hexa. |
pkt.count | Number of IP packets | Decimal or hexa. |
pkt.count.clt | Number of packets emitted by the Client | Decimal or hexa. |
pkt.count.srv | Number of packets emitted by the Server | Decimal or hexa. |
protostack | Protocols Stack | Wildcard or regex |
traffic | Total traffic | Byte quantity |
traffic.clt | Traffic emitted by the Client | Byte quantity |
traffic.srv | Traffic emitted by the Server | Byte quantity |
vlan | Either Emitting or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Emitting side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Emitting or Server Zone | Zone name |
zone.clt | Zone from where the ICMP packet was sent | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |
Keyword | Field | Operand Type |
---|---|---|
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
dns.pkt.count | Number of IP packets | Decimal or hexa. |
dns.pkt.count.clt | Number of packets emitted by the Client | Decimal or hexa. |
dns.pkt.count.srv | Number of packets emitted by the Server | Decimal or hexa. |
dns.req.class | The DNS class of the Request | DNS class |
dns.req.name | The name or IP address to resolve | Wildcard or regex |
dns.req.type | The DNS type of the Request | DNS type |
dns.res.class | The DNS class of the Response | DNS class |
dns.res.rcode | Code of DNS Response | DNS result |
dns.res.type | The DNS type of the Response | DNS type |
dns.traffic | Total traffic | Byte quantity |
dns.traffic.clt | Traffic emitted by the Client | Byte quantity |
dns.traffic.srv | Traffic emitted by the Server | Byte quantity |
drt | DNS response time | Duration |
drt.count | Number of DNS RT computed in a time interval | Decimal or hexa. |
eth.proto | Ethernet Type Protocol | Ethernet type |
ip | Either Client or Server IP or subnet | Address or netmask |
ip.clt | IP that initiated a connection to a server | Address or netmask |
ip.requester | IP that initiated a connection to a server | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
pkt.count | Number of IP packets | Decimal or hexa. |
pkt.count.clt | Number of packets emitted by the Client | Decimal or hexa. |
pkt.count.srv | Number of packets emitted by the Server | Decimal or hexa. |
traffic | Total traffic | Byte quantity |
traffic.clt | Traffic emitted by the Client | Byte quantity |
traffic.srv | Traffic emitted by the Server | Byte quantity |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Client or Server Zone | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |
Keyword | Field | Operand Type |
---|---|---|
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
eth.proto | Ethernet Type Protocol | Ethernet type |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
mtu | The global MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.clt | Client MTU (Maximum Transmission Unit) | Decimal or hexa. |
mtu.srv | Server MTU (Maximum Transmission Unit) | Decimal or hexa. |
nonip.proto | Ethernet Protocol | Ethernet type |
pkt.count | Number of IP packets | Decimal or hexa. |
pkt.count.clt | Number of packets emitted by the Client | Decimal or hexa. |
pkt.count.srv | Number of packets emitted by the Server | Decimal or hexa. |
protostack | Protocols Stack | Wildcard or regex |
traffic | Total traffic | Byte quantity |
traffic.clt | Traffic emitted by the Client | Byte quantity |
traffic.srv | Traffic emitted by the Server | Byte quantity |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Client or Server Zone | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |
Keyword | Field | Operand Type |
---|---|---|
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
eth.proto | Ethernet Type Protocol | Ethernet type |
ip | Either Client or Server IP or subnet | Address or netmask |
ip.callee | IP of the Callee | Address or netmask |
ip.caller | IP of the Caller | Address or netmask |
ip.clt | IP that initiated a connection to a server | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.callee | Callee MAC (physical) address | MAC address |
mac.caller | Caller MAC (physical) address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
payload | Total payload | Byte quantity |
payload.clt | Payload from Client to Server | Byte quantity |
payload.count | Number of IP packets with a payload | Decimal or hexa. |
payload.count.clt | Number of packets with a payload emitted by the Client | Decimal or hexa. |
payload.count.srv | Number of packets with a payload emitted by the Server | Decimal or hexa. |
payload.srv | Payload from Server to Client | Byte quantity |
pkt.count | Number of IP packets | Decimal or hexa. |
pkt.count.clt | Number of packets emitted by the Client | Decimal or hexa. |
pkt.count.srv | Number of packets emitted by the Server | Decimal or hexa. |
port | Either the client or the server port | Port number |
port.clt | TCP/UDP client port | Port number |
port.srv | TCP/UDP server port | Port number |
protostack | Protocols Stack | Wildcard or regex |
sign.rd | Sum of signalization RD (Retransmission delay) in both dir... | Duration |
sign.rd.count | The total number of retransmission delays for signalizatio... | Decimal or hexa. |
sign.rd.rate | The ratio of retransmission of signalization packets to th... | Rate |
sign.rtt | Sum of signalization RTT (Round Trip Time) in both directi... | Duration |
sign.rtt.clt | The average round-trip time for a signalization packet emi... | Duration |
sign.rtt.count | Number of RTT for signalization data in both directions | Decimal or hexa. |
sign.rtt.count.clt | Number of RTT for signalization data from Client to Server | Decimal or hexa. |
sign.rtt.count.srv | Number of RTT for signalization data from Client to Server | Decimal or hexa. |
sign.rtt.srv | The average round-trip time for a signalization packet emi... | Duration |
sign.srt | Server response time for signalization data | Duration |
sign.srt.count | Number of SRT for signalization data from Server to Client | Duration |
traffic | Traffic for the voice only | Byte quantity |
traffic.clt | Traffic emitted by the Caller | Byte quantity |
traffic.srv | Traffic emitted by the Callee | Byte quantity |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged Link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged Link (802.1Q) seen on the Server side | Decimal or hexa. |
voip.sign.traffic | Traffic for the signalization only | Byte quantity |
voip.traffic | Traffic for the voice only | Byte quantity |
zone | Either Client or Server Zone | Zone name |
zone.callee | Callee zone as described in the configuration | Zone name |
zone.caller | Caller zone as described in the configuration | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |

Keyword | Field | Operand Type |
---|---|---|
app | – | Application name |
capture.begin | Capture begin time | Date and time |
capture.end | Capture end time | Date and time |
capture.name | Capture name (distributed probe) | Capture |
citrix.abort.count | Number of aborted Citrix sessions | Decimal or hexa. |
citrix.application | Published application being executed | Wildcard or regex |
citrix.cgp.pdus.count | CGP total query packets at applicative level (Packet Data ... | Decimal or hexa. |
citrix.cgp.pdus.count.clt | CGP query packets at applicative level (Packet Data Units)... | Decimal or hexa. |
citrix.cgp.pdus.count.srv | CGP response packets at applicative level (Packet Data Uni... | Decimal or hexa. |
citrix.channel | The Citrix channel type used | Citrix channel |
citrix.channel.id | The Citrix channel ID number | Citrix channel ID |
citrix.compressed.count | Total number of compressed packets (in both directions) | Decimal or hexa. |
citrix.compressed.count.clt | Number of compressed client packets | Decimal or hexa. |
citrix.compressed.count.srv | Number of compressed server packets | Decimal or hexa. |
citrix.domain | Windows domain of the user | String |
citrix.encryption | The encryption type used between the client and the server... | Citrix encryption type |
citrix.ka.count | Total number of Citrix Keep-Alives (in both directions) | Decimal or hexa. |
citrix.ka.count.clt | Citrix Keep-Alives from clients | Decimal or hexa. |
citrix.ka.count.srv | Citrix Keep-Alives from servers | Decimal or hexa. |
citrix.launch_time | Time for a client to launch an application through Citrix | Duration |
citrix.login_time | Time for a client to log in to the Citrix server | Duration |
citrix.module | The Citrix module name used by the client | String |
citrix.pdus.count | Total packets at applicative level (Packet Data Units) | Decimal or hexa. |
citrix.pdus.count.clt | Query packets at applicative level (Packet Data Units) | Decimal or hexa. |
citrix.pdus.count.srv | Response packets at applicative level (Packet Data Units) | Decimal or hexa. |
citrix.timeout.count | Number of timed-out Citrix sessions | Decimal or hexa. |
citrix.username | Authenticated username | Wildcard or regex |
device | Either Client or Server Device | Packet datasource |
device.clt | Device id (Client side) | Packet datasource |
device.srv | Device id (Server side) | Packet datasource |
dtt | Sum of DTT (Data Transfer Time) in both directions | Duration |
dtt.clt | Average data transfer time from Client | Duration |
dtt.count | – | Decimal or hexa. |
dtt.count.clt | – | Decimal or hexa. |
dtt.count.srv | – | Decimal or hexa. |
dtt.srv | Average data transfer time from Server | Duration |
eth.proto | Ethernet Type Protocol | Ethernet type |
ip | Either Client or Server IP or subnet | Address or netmask |
ip.clt | IP that initiated a connection to a server | Address or netmask |
ip.srv | IP that replied to another IP (works also without handshak... | Address or netmask |
mac | Either Client or Server MAC address | MAC address |
mac.clt | Client MAC (physical) address | MAC address |
mac.srv | Server MAC (physical) address | MAC address |
payload | Total payload | Byte quantity |
payload.clt | Payload from Client to Server | Byte quantity |
payload.count | Number of IP packets with a payload | Decimal or hexa. |
payload.count.clt | Number of packets with a payload emitted by the Client | Decimal or hexa. |
payload.count.srv | Number of packets with a payload emitted by the Server | Decimal or hexa. |
payload.srv | Payload from Server to Client | Byte quantity |
port | Either the client or the server port | Port number |
port.clt | TCP/UDP client port | Port number |
port.srv | TCP/UDP server port | Port number |
protostack | Protocol stack | Wildcard or regex |
rd.rate | Ratio of all compressed packets (in both directions) by th... | Rate |
rd.rate.clt | Ratio of compressed packets sent from the client by the cl... | Rate |
rd.rate.srv | Ratio of all compressed packets received to the server by ... | Rate |
srt | Server response time (SRT), elapsed time from the client r... | Duration |
srt.count | Number of SRT computed in a time interval | Decimal or hexa. |
vlan | Either Client or Server VLAN | Decimal or hexa. |
vlan.clt | Tagged link (802.1Q) seen on the Client side | Decimal or hexa. |
vlan.srv | Tagged link (802.1Q) seen on the Server side | Decimal or hexa. |
zone | Either Client or Server Zone | Zone name |
zone.clt | Client zone as described in the configuration | Zone name |
zone.srv | Server zone as described in the configuration | Zone name |

This can be either a datasource name (for example eth1), or one of iface (Network Interface), rpcap (Remote Capture), pcap (a PCAP file) or netflow, followed by a colon and the name of the datasource, which can be a wildcard. For example: iface:eth1 or pcap:ottawa*.pcap.
Operators: !=, <, <=, =, >, >= (only != and = are allowed when comparing with a kind of datasource).
Valid examples: 1, eth1, iface:eth1 (same as just eth1), pcap:ottawa*.pcap

This can be either an IPv4 address (either complete, or with * wildcard patterns to form a netmask), or an IPv6 address.
Operators: !=, =
Valid examples: 192.168.*.*, 192.168.5.10, 2001:db8:85a3::8a2e:370:7334
Invalid examples: 192.524.1.1, 1::2::3

This value must be a valid application name, enclosed in quotes.
Operators: !=, =
Valid examples: "http"
Invalid examples: "unknown-app"

This value indicates a quantity of bytes with its unit. Note that there is no space between the quantity and the unit.
Operators: !=, <, <=, =, >, >=
Valid examples: 42B, 4KB, 4KiB, 56MiB
Invalid examples: 4 KiB

This value must be either a capture's Device ID, Name or IP.
Operators: !=, =
Valid examples: "PVX"
Invalid examples: "unknown-capture"

The Citrix channel name, as seen at the start of the conversation (only available on the Citrix Channel pages).
Operators: !=, =
Valid examples: 'AURTCX', 'BASE'
Invalid examples: 'channel'

Either a decimal number or a hexadecimal number, which must be prefixed by 0x (only available on the Citrix Channel pages).
Operators: !=, <, <=, =, >, >=
Valid examples: 0x21, 0x7a5E, 4
Invalid examples: 0X45, 0xTH

The Citrix encryption type used for this conversation.
Operators: !=, =
Valid examples: 'basic', 'off'
Invalid examples: 'random text'

A valid UUID of the DCE-RPC protocol.
Operators: !=, =
Valid examples: 506b1890-14c8-11d1-bbc3-00805fa6962e
Invalid examples: 506b1890-, FOO

A DNS class, either numeric or symbolic.
Operators: !=, =
Valid examples: 1, IN
Invalid examples: A, MX

A DNS result code, either numeric or symbolic.
Operators: !=, =
Valid examples: 0, NoError, ServFail
Invalid examples: 45778, SomeCode

A DNS type value, either numeric or symbolic.
Operators: !=, =
Valid examples: 4, A, MX
Invalid examples: 1223648, FOO

A date and time value in the format YYYY-MM-DD hh:mm. Note that the value must be enclosed in single or double quotes.
Operators: !=, <, <=, =, >, >=
Valid examples: "2000-01-01 00:00", '2012-06-14 17:15'
Invalid examples: "2000-01-01", 2013/11/02 14:58

Either a decimal number or a hexadecimal number, which must be prefixed by 0x.
Operators: !=, <, <=, =, >, >=
Valid examples: 0x21, 0x7a5E, 4
Invalid examples: 0X45, 0xTH

A duration in microseconds, minutes, etc., depending on the unit given. The smallest unit is the microsecond, written us or µs.
Operators: !=, <, <=, =, >, >=
Valid examples: 42us, 4µs, 5m
Invalid examples: 4 microseconds

The Ethernet protocol ID.
Operators: !=, =
Valid examples: "IPv4", 0x0800, 2048
Invalid examples: "FOO", 123456789

A symbol representing the HTTP method name.
Operators: !=, =
Valid examples: GET, HEAD
Invalid examples: foo, get

An HTTP status number.
Operators: !=, <, <=, =, >, >=
Valid examples: 200, 404
Invalid examples: GET, Success

A symbol representing the category of the HTTP status number. For example, Success will correspond to all HTTP "successful" codes. Available categories are: noresp, info, success, redirect, client, server, invalid.
Operators: !=, =
Valid examples: Redirect, Success
Invalid examples: 200, GET

An HTTP status number, or a symbol representing the category of the HTTP status number: Success will correspond to all HTTP "successful" codes. Available categories are: noresp, info, success, redirect, client, server, invalid.
Operators: !=, =
Valid examples: 404, Success
Invalid examples: GET

The ICMP type as either a decimal number or a hexadecimal number, which must be prefixed by 0x.
Operators: !=, <, <=, =, >, >=
Valid examples: 0x21, 0xFE, 4
Invalid examples: 0X45, 0xTH

A MAC address of the form XX:XX:XX:XX:XX:XX, where XX is a hexadecimal number.
Operators: !=, =
Valid examples: 01:23:45:67:89:ab, FF:ab:45:7b:D6:55
Invalid examples: AA:AA:AA:AA

The name of an operating system, like 'linux' or 'windows'. Note that the value must be enclosed in single or double quotes.
Operators: !=, =
Valid examples: "linux", 'windows'
Invalid examples: unknown os

A TCP or UDP port number given as a numeric value. It can also be given as a port range, as in 45-80.
Operators: !=, <, <=, =, >, >=
Valid examples: 80
Invalid examples: 85-12

A numeric value as a percentage. The value can be lower than 1%, as in 0.024%.
Operators: !=, <, <=, =, >, >=
Valid examples: 0.25%, 4%, 99%
Invalid examples: 45 %

The SMB command used in the transaction. It can be a command id in decimal or hexadecimal form, or a command name inside quotes.
Operators: !=, =
Valid examples: 'SMB2_com_logoff', 0x0e, 2
Invalid examples: random text

The status of the SMB transaction. It can be a status id in decimal or hexadecimal form, or a status code inside quotes. The special values ok, warning and error are also accepted and mean, respectively, a match on every success, warning and error status. The special value common matches a set of common statuses.
Operators: !=, =
Valid examples: 'SMB_status_no_such_file', 'error', 0xc000000f
Invalid examples: random text

The SMB sub-command associated with the command used in the transaction. It can be a sub-command id in decimal or hexadecimal form, or a sub-command name inside quotes.
Operators: !=, =
Valid examples: 'SMB_TRANS2_open2', 0x0d, 16
Invalid examples: random text

A single SQL command, inside quotes.
Operators: !=, =
Valid examples: 'CREATE INDEX', 'INSERT'
Invalid examples: 'SELECT * FROM users;', INSERT

The name of the RDBMS dialect used in the connection, inside quotes. Note that 'TNS' is used for Oracle, 'DRDA' for DB2 and 'TDS(msg)' for MSSQL.
Operators: !=, =
Valid examples: 'DRDA', 'MySQL', 'PostgresQL', 'TDS(msg)', 'TNS'
Invalid examples: MySQL

A character string enclosed in single or double quotes. It can contain the * wildcard, which matches anything, or, for a more accurate search, it can be prefixed by a ~, which makes the value a regular expression pattern.
Operators: !=, =
Valid examples: "*some thing*", '~^.*\.[a-z]{2}$'
Invalid examples: not enclosed in quotes (any value without quotes)

Either a string containing the * wildcard, or a regular expression if prefixed by ~. The value must be enclosed in single or double quotes.
Operators: !=, =
Valid examples: "google.com", "~\.google\.(com|fr)", '*.securactive.org'
Invalid examples: foo.com

The name of a zone, using the path notation '/Private/Local'. The = operator will return results matching only this specific zone, whereas the in operator will also return results contained in children zones. Note that the value must be enclosed in single or double quotes.
Operators: !=, =, in
Valid examples: "/Private"
Invalid examples: /NonExistent/Zone
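The value formats above are easy to get subtly wrong when filters are built by hand or generated by a script (an uppercase 0X prefix, a space before a unit, a reversed port range). As an added example that is not part of this documentation or of the PVX product, the following Python validator implements the documented syntax for several operand types and reproduces the valid/invalid verdicts listed above; the full unit lists for byte quantities and durations, the 65535 port ceiling and the rule that a port range must be ascending are assumptions drawn from the examples rather than statements of the page.

```python
import ipaddress
import re

# Added example, not PVX's own code: validators for several of the operand formats
# documented above. The page does not list every byte or duration unit, so the
# unit lists below, the 65535 port ceiling and the ascending-range rule for
# ports are assumptions drawn from its examples.
PATTERNS = {
    # decimal, or hexadecimal with a lowercase 0x prefix (0X45 is rejected)
    "Decimal or hexa.": re.compile(r"(?:[0-9]+|0x[0-9a-fA-F]+)"),
    # the quantity is immediately followed by its unit: 4KiB is fine, "4 KiB" is not
    "Byte quantity": re.compile(r"[0-9]+(?:B|KB|KiB|MB|MiB|GB|GiB)"),
    # smallest unit is the microsecond, written us or µs; the larger units are assumed
    "Duration": re.compile(r"[0-9]+(?:us|µs|ms|s|m|h)"),
    # percentage, optionally fractional, with no space before the % sign
    "Rate": re.compile(r"[0-9]+(?:\.[0-9]+)?%"),
    # YYYY-MM-DD hh:mm enclosed in matching single or double quotes
    "Date and time": re.compile(r"""(["'])[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}\1"""),
    # six hexadecimal byte values separated by colons, in either letter case
    "MAC address": re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"),
}

def is_port(value: str) -> bool:
    """A port number, or an ascending range such as 45-80 (so 85-12 is rejected)."""
    parts = value.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(n <= 65535 for n in nums) and nums == sorted(nums)

def is_address(value: str) -> bool:
    """An IPv4 address whose octets may be the * wildcard, or a full IPv6 address."""
    octets = value.split(".")
    if len(octets) == 4 and all(o == "*" or (o.isdigit() and int(o) <= 255) for o in octets):
        return True
    try:
        ipaddress.IPv6Address(value)  # rejects malformed forms such as 1::2::3
        return True
    except ValueError:
        return False

def check(kind: str, value: str) -> bool:
    """Return True when value is well-formed for the named operand type."""
    if kind == "Port number":
        return is_port(value)
    if kind == "Address or netmask":
        return is_address(value)
    return PATTERNS[kind].fullmatch(value) is not None
```

Running the page's own valid and invalid examples through check() gives True and False respectively, so the function can be used to reject a malformed value before a filter is submitted.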