The following table describes the metadata fields that are always available in the query data.
Classification of the top application detected in the protocol stack (for example, "tcp" or "http"). For the full path and application name, see the ApplicationPath field.
Identifier that NetMon assigns to the application. Internal use only.
Entire path (or stack) for an application, as the NetMon Engine detected and processed it. For example, a user accessing the Amazon website might see a session that goes through TCP, then HTTP, resulting in an application path that looks like: "/tcp/http/amazon"
By examining the application path, you can query on the individual sub-protocols in the stack (not only the top application) to investigate issues.
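The sub-protocol query described above, as an added example that is not LogRhythm's code: a small parser for the ApplicationPath format shown in this table ("/tcp/http/amazon"), plus helpers that answer the usual questions (is a protocol anywhere in the stack, does a given ordered run of protocols appear, which sessions carry a protocol but end in an unexpected top application). Only the path format documented here is assumed; the sample session rows, their ids and the "xyz" application are constructed for illustration, and the helper names are this example's own.

```python
"""Parse and query NetMon-style ApplicationPath values.

Added example, not LogRhythm's code. Only the path format shown in the
documentation ("/tcp/http/amazon") is assumed; the sample rows below are
constructed for illustration.
"""
from typing import Iterable, List, Optional, Tuple


def parse_application_path(path: str) -> List[str]:
    """Split an ApplicationPath into its protocol stack, outermost first.

    "/tcp/http/amazon" -> ["tcp", "http", "amazon"].  Leading and trailing
    slashes and empty segments are tolerated; an empty or whitespace-only
    path yields an empty stack rather than raising, so malformed rows show
    up in query results instead of aborting the query.
    """
    return [seg for seg in path.strip().split("/") if seg]


def top_application(path: str) -> Optional[str]:
    """Last element of the stack: the top application classification."""
    stack = parse_application_path(path)
    return stack[-1] if stack else None


def has_subprotocol(path: str, protocol: str) -> bool:
    """True if `protocol` appears anywhere in the stack (case-insensitive)."""
    wanted = protocol.lower()
    return any(seg.lower() == wanted for seg in parse_application_path(path))


def matches_stack(path: str, pattern: Iterable[str]) -> bool:
    """True if the stack contains `pattern` as a contiguous, ordered run.

    matches_stack("/tcp/http/amazon", ["tcp", "http"]) -> True
    matches_stack("/tcp/http/amazon", ["http", "tcp"]) -> False
    """
    stack = [s.lower() for s in parse_application_path(path)]
    pat = [p.lower() for p in pattern]
    if not pat or len(pat) > len(stack):
        return False
    return any(stack[i:i + len(pat)] == pat
               for i in range(len(stack) - len(pat) + 1))


# Constructed sample rows: (session id, ApplicationPath).  Ids and the
# "xyz" application are made up for this example.
SAMPLE_SESSIONS: List[Tuple[str, str]] = [
    ("s1", "/tcp/http/amazon"),
    ("s2", "/tcp/http"),
    ("s3", "/udp/dns"),
    ("s4", "/tcp/ssl"),
    ("s5", "/tcp/http/xyz"),  # hypothetical unrecognised app over HTTP
]


def query_sessions(sessions: Iterable[Tuple[str, str]], protocol: str,
                   *, exclude_top: Iterable[str] = ()) -> List[str]:
    """Ids of sessions whose stack carries `protocol` and whose top
    application is not in `exclude_top`: e.g. every HTTP session that did
    not resolve to an application you already recognise."""
    excluded = {e.lower() for e in exclude_top}
    hits = []
    for sid, path in sessions:
        top = (top_application(path) or "").lower()
        if has_subprotocol(path, protocol) and top not in excluded:
            hits.append(sid)
    return hits


if __name__ == "__main__":
    print(query_sessions(SAMPLE_SESSIONS, "http", exclude_top=["amazon"]))
```

Matching is done on whole path segments rather than with a substring search, so a query for "http" does not also match a hypothetical "https" segment, and `matches_stack` lets you require the order of the stack (transport before application), which a plain membership test cannot express.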
A download icon appears in the row if NetMon captured packets during the session. You can download and analyze them in a packet-viewer such as Wireshark.
Number of sessions that were captured and written to disk, but expired due to storage constraints.
Number of documents (records in the database) associated with the session (or flow). Long sessions have a large number of child flows.
Total bytes transferred by the server (bytes out).
Bytes transferred by the server since the last update.
IP address of the destination for this session.
MAC (media access control) address for the destination of the session.
Duration in seconds for the session.
Number of fields used in NetMon's messages. Internal use only.
Boolean flag that indicates if the session has finished (true) or not (false).
Number of half sessions stitched together into this record. A value of 1 indicates a one-directional session (a half session); 2 indicates a bi-directional session (a full session). A flow can consist of two or more half sessions.
Boolean flag that indicates if this row contains the most recent update from this session (true) or not (false).
Size in bytes of the internal message stored for this session. (Every session includes a message, which contains the entire set of data for that session.)
Packets received since the last update.
Total packets received for the session (packets in).
Port number for the destination of this session.
Protocol ID number. Internal use only.
Identifier for this session, which is the same ID used in the LogRhythm SIEM.
Total bytes transferred by the client (bytes in).
Bytes transferred by the client since the last update.
IP address of the source for this session.
MAC address for the source of the session.
Port number for the source of this session.
Identifier for the Engine worker thread. Internal use only.
Seconds since the last update.
Time stamp in seconds for the previous update to this session.
Time stamp in seconds for when the session started (when NetMon received the first packet).
Time stamp in seconds for when the session was last updated. If this value differs from the TimeStart field, the session has received more than one update and is a long-running session.
Total bytes transferred by the client and server.
Bytes transferred since the last update.
A Boolean flag that indicates if the session update was written to disk (true) or not (false). A part of a long-running session might be written to disk if NetMon ran low on memory and was not yet able to classify the session.