The following table describes the metadata fields that are always available in the query data.

| Metadata Field | Description |
|---|---|
| Application | Classification of the top application detected in the protocol stack (for example, "tcp" or "http"). For the full path and application name, see the ApplicationPath field. |
| ApplicationID | Identifier that NetMon assigns to the application. Internal use only. |
| ApplicationPath | Entire path (or stack) for an application, as the NetMon Engine detected and processed it. For example, a user accessing the Amazon website might see a session that goes through TCP, then HTTP, resulting in an application path that looks like "/tcp/http/amazon". By examining the application path, you can run queries on the sub-protocols to investigate issues. |
| Captured | A download icon appears in the row if NetMon captured packets during the session. You can download and analyze them in a packet viewer such as Wireshark. |
| CapturedRemoved | Number of sessions that were captured and written to disk, but expired due to storage constraints. |
| ChildFlowNumber | Number of documents (records in the database) associated with the session (or flow). Long sessions have a large number of child flows. |
| DestBytes | Total bytes transferred by the server (bytes out). |
| DestBytesDelta | Bytes transferred by the server since the last update. |
| DestIP | IP address of the destination for this session. |
| DestMAC | MAC (media access control) address for the destination of the session. |
| Duration | Duration in seconds for the session. |
| FieldCount | Number of fields used in NetMon's messages. Internal use only. |
| FlowCompleted | Boolean flag that indicates whether the session has finished (true) or not (false). |
| FlowSessionCount | Number of sessions that are stitched together. The value 1 indicates a one-directional session (a half session) and 2 indicates a bi-directional session (a full session). There can be two or more half sessions. |
| LatestUpdate | Boolean flag that indicates whether this row contains the most recent update for this session (true) or not (false). |
| MessageSize | Size in bytes of the internal message stored for this session. (Every session includes a message, which is the entire set of data.) |
| PacketsDelta | Packets received since the last update. |
| TotalPackets | Total packets received for the session (packets in). |
| DestPort | Port number for the destination of this session. |
| Protocol | Protocol ID number. Internal use only. |
| Session | Identifier for this session, which is the same ID used in the LogRhythm SIEM. |
| SrcBytes | Total bytes transferred by the client (bytes in). |
| SrcBytesDelta | Bytes transferred by the client since the last update. |
| SrcIP | IP address of the source for this session. |
| SrcMAC | MAC address for the source of the session. |
| SrcPort | Port number for the source of this session. |
| ThreadID | Identifier for the Engine worker thread. Internal use only. |
| TimeDelta | Seconds since the last update. |
| TimePrevious | Time stamp in seconds for the previous update to this session. |
| TimeStart | Time stamp in seconds for when the session started (when NetMon received the first packet). |
| TimeUpdated | Time stamp in seconds for when the session was updated. If this time differs from the value in the TimeStart field, this is a long-running session. |
| TotalBytes | Total bytes transferred by the client and server. |
| TotalBytesDelta | Bytes transferred since the last update. |
| Written | Boolean flag that indicates whether the session update was written to disk (true) or not (false). Part of a long-running session might be written to disk if NetMon ran low on memory and was not yet able to classify the session. |
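As an added example (not part of the NetMon documentation), the following Python script works over constructed query rows that use the field names above: it splits ApplicationPath into its protocol stack so sessions can be selected by sub-protocol, keeps only the LatestUpdate row per Session, and flags half sessions, long-running sessions and byte totals that do not reconcile. The JSON row layout and the relation TotalBytes == SrcBytes + DestBytes are assumptions, not something the table states.

```python
import json
from collections import defaultdict

# Constructed sample of NetMon query rows (not real capture data); field names
# follow the metadata table above, the JSON layout is an assumption.
SAMPLE_ROWS = json.loads("""[
 {"Session": "s1", "ApplicationPath": "/tcp/http/amazon", "SrcBytes": 1200,
  "DestBytes": 8800, "TotalBytes": 10000, "TimeStart": 1000,
  "TimeUpdated": 1000, "FlowSessionCount": 2, "LatestUpdate": false},
 {"Session": "s1", "ApplicationPath": "/tcp/http/amazon", "SrcBytes": 1500,
  "DestBytes": 9500, "TotalBytes": 11000, "TimeStart": 1000,
  "TimeUpdated": 1090, "FlowSessionCount": 2, "LatestUpdate": true},
 {"Session": "s2", "ApplicationPath": "/tcp/tls", "SrcBytes": 300,
  "DestBytes": 0, "TotalBytes": 300, "TimeStart": 1200,
  "TimeUpdated": 1200, "FlowSessionCount": 1, "LatestUpdate": true},
 {"Session": "s3", "ApplicationPath": "/udp/dns", "SrcBytes": 80,
  "DestBytes": 200, "TotalBytes": 290, "TimeStart": 1300,
  "TimeUpdated": 1300, "FlowSessionCount": 2, "LatestUpdate": true}
]""")

def protocol_stack(row):
    """Split ApplicationPath ("/tcp/http/amazon") into its layers."""
    return [p for p in row.get("ApplicationPath", "").split("/") if p]

def latest_rows(rows):
    """One row per Session: the LatestUpdate row, else the newest TimeUpdated."""
    by_session = defaultdict(list)
    for r in rows:
        by_session[r["Session"]].append(r)
    return [max(g, key=lambda r: (bool(r.get("LatestUpdate")), r["TimeUpdated"]))
            for g in by_session.values()]

def sessions_using(rows, layer):
    """Sessions whose protocol stack contains a sub-protocol such as 'http'."""
    return sorted({r["Session"] for r in rows if layer in protocol_stack(r)})

def audit(rows):
    """Flag latest rows worth a second look: byte totals that do not add up
    (assumed relation TotalBytes == SrcBytes + DestBytes), half sessions
    (FlowSessionCount 1) and long-running sessions (TimeUpdated != TimeStart)."""
    findings = defaultdict(list)
    for r in latest_rows(rows):
        if r["TotalBytes"] != r["SrcBytes"] + r["DestBytes"]:
            findings["byte_mismatch"].append(r["Session"])
        if r.get("FlowSessionCount") == 1:
            findings["half_session"].append(r["Session"])
        if r["TimeUpdated"] != r["TimeStart"]:
            findings["long_running"].append(r["Session"])
    return dict(findings)
```

Half sessions are worth reviewing because they usually mean NetMon saw only one direction of the traffic, which is a visibility gap rather than a property of the flow itself.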