The following table describes the metadata fields that are always available in the query data.
| Metadata Field | Description |
|---|---|
| Application | Classification of the top application detected in the protocol stack (for example, "tcp" or "http"). For the full path and application name, see the ApplicationPath field. |
| ApplicationID | Identifier that NetMon assigns to the application. Internal use only. |
| ApplicationPath | Entire path (or stack) for an application, as the NetMon Engine detected and processed it. For example, a user accessing the Amazon website might see a session that goes through TCP, then HTTP, resulting in an application path that looks like "/tcp/http/amazon". By examining the application path, you can run queries on the sub-protocols to investigate issues. |
| Captured | A download icon appears in the row if NetMon captured packets during the session. You can download and analyze them in a packet viewer such as Wireshark. |
| CapturedRemoved | Number of sessions that were captured and written to disk, but expired due to storage constraints. |
| ChildFlowNumber | Number of documents (records in the database) that are associated with the session (or flow). Long sessions have a large number of child flows. |
| DestBytes | Total bytes transferred by the server (bytes out). |
| DestBytesDelta | Bytes transferred by the server since the last update. |
| DestIP | IP address of the destination for this session. |
| DestMAC | MAC (media access control) address for the destination of the session. |
| Duration | Duration in seconds for the session. |
| FieldCount | Number of fields used in NetMon's messages. Internal use only. |
| FlowCompleted | Boolean flag that indicates whether the session has finished (true) or not (false). |
| FlowSessionCount | Number of sessions that are stitched together. The value 1 indicates a one-directional session (a half session) and 2 indicates a bi-directional session (a full session). There can be two or more half sessions. |
| LatestUpdate | Boolean flag that indicates whether this row contains the most recent update for this session (true) or not (false). |
| MessageSize | Size in bytes of the internal message stored for this session. (Every session includes a message, which is the entire set of data.) |
| PacketsDelta | Packets received since the last update. |
| TotalPackets | Total packets received for the session (packets in). |
| DestPort | Port number for the destination of this session. |
| Protocol | Protocol ID number. Internal use only. |
| Session | Identifier for this session, which is the same ID used in the LogRhythm SIEM. |
| SrcBytes | Total bytes transferred by the client (bytes in). |
| SrcBytesDelta | Bytes transferred by the client since the last update. |
| SrcIP | IP address of the source for this session. |
| SrcMAC | MAC address for the source of the session. |
| SrcPort | Port number for the source of this session. |
| ThreadID | Identifier for the Engine worker thread. Internal use only. |
| TimeDelta | Seconds since the last update. |
| TimePrevious | Time stamp in seconds for the previous update to this session. |
| TimeStart | Time stamp in seconds for when the session started (when NetMon received the first packet). |
| TimeUpdated | Time stamp in seconds for when the session was last updated. If this time differs from the value in the TimeStart field, this is a long-running session. |
| TotalBytes | Total bytes transferred by the client and server. |
| TotalBytesDelta | Bytes transferred since the last update. |
| Written | Boolean flag that indicates whether the session update was written to disk (true) or not (false). Part of a long-running session might be written to disk if NetMon ran low on memory and was not yet able to classify the session. |
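The following is an added example, not LogRhythm's own code, showing how a few of these fields combine when you query exported session rows: splitting ApplicationPath into its sub-protocols, keeping only the LatestUpdate row per session, and flagging long-running and half sessions as the TimeUpdated and FlowSessionCount descriptions define them. The rows are constructed Python dicts using the field names above; the real export format and query backend are not assumed.

```python
# Constructed sample rows: two updates of one long-running session (s1),
# a short completed session (s2) and a half session (s3, FlowSessionCount 1).
SAMPLE_ROWS = [
    {"Session": "s1", "ApplicationPath": "/tcp/http/amazon", "Application": "amazon",
     "SrcIP": "10.0.0.5", "DestIP": "203.0.113.10", "DestPort": 80,
     "SrcBytes": 1200, "DestBytes": 54000, "TotalBytes": 55200,
     "TimeStart": 1000, "TimeUpdated": 1000, "Duration": 0,
     "FlowCompleted": False, "LatestUpdate": False, "FlowSessionCount": 2},
    {"Session": "s1", "ApplicationPath": "/tcp/http/amazon", "Application": "amazon",
     "SrcIP": "10.0.0.5", "DestIP": "203.0.113.10", "DestPort": 80,
     "SrcBytes": 3400, "DestBytes": 910000, "TotalBytes": 913400,
     "TimeStart": 1000, "TimeUpdated": 1900, "Duration": 900,
     "FlowCompleted": True, "LatestUpdate": True, "FlowSessionCount": 2},
    {"Session": "s2", "ApplicationPath": "/udp/dns", "Application": "dns",
     "SrcIP": "10.0.0.7", "DestIP": "10.0.0.1", "DestPort": 53,
     "SrcBytes": 60, "DestBytes": 120, "TotalBytes": 180,
     "TimeStart": 1500, "TimeUpdated": 1500, "Duration": 0,
     "FlowCompleted": True, "LatestUpdate": True, "FlowSessionCount": 2},
    {"Session": "s3", "ApplicationPath": "/tcp/tls", "Application": "tls",
     "SrcIP": "10.0.0.9", "DestIP": "198.51.100.4", "DestPort": 443,
     "SrcBytes": 700, "DestBytes": 0, "TotalBytes": 700,
     "TimeStart": 1700, "TimeUpdated": 1700, "Duration": 0,
     "FlowCompleted": False, "LatestUpdate": True, "FlowSessionCount": 1},
]

def protocol_stack(row):
    """Split ApplicationPath ("/tcp/http/amazon") into its sub-protocols."""
    return [p for p in row["ApplicationPath"].split("/") if p]

def latest_rows(rows):
    """One row per session: only the update flagged LatestUpdate."""
    return [r for r in rows if r["LatestUpdate"]]

def sessions_using(rows, proto):
    """Sessions whose stack contains proto anywhere, e.g. every session carried over HTTP."""
    return sorted({r["Session"] for r in latest_rows(rows) if proto in protocol_stack(r)})

def long_running(rows):
    """Long-running sessions: TimeUpdated has moved past TimeStart."""
    return sorted(r["Session"] for r in latest_rows(rows) if r["TimeUpdated"] != r["TimeStart"])

def half_sessions(rows):
    """Half sessions (FlowSessionCount 1): only one direction was stitched in."""
    return sorted(r["Session"] for r in latest_rows(rows) if r["FlowSessionCount"] == 1)

def byte_mismatches(rows):
    """Sanity check on an export: TotalBytes should equal SrcBytes + DestBytes."""
    return [r["Session"] for r in rows if r["SrcBytes"] + r["DestBytes"] != r["TotalBytes"]]
```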