Static Fields in the Query Data
The following table describes the metadata fields that are always available in the query data.
Metadata Field | Description |
---|---|
Application | Classification of the top application detected in the protocol stack (for example, "tcp" or "http"). For the full path and application name, see the ApplicationPath field. |
ApplicationID | Identifier that NetMon assigns to the application. Internal use only. |
ApplicationPath | Entire path (or stack) for an application, as the NetMon Engine detected and processed it. For example, a user accessing the Amazon website might see a session that goes through TCP, then HTTP, resulting in an application path that looks like "/tcp/http/amazon". By examining the application path, you can query on the sub-protocols to investigate issues. |
Captured | A download icon appears in the row if NetMon captured packets during the session. You can download and analyze them in a packet-viewer such as Wireshark. |
CapturedRemoved | Number of sessions that were captured and written to disk, but expired due to storage constraints. |
ChildFlowNumber | Number of documents (records in the database) that are associated with the session (or flow). Long sessions have a large number of child flows. |
DestBytes | Total bytes transferred by the server (bytes out). |
DestBytesDelta | Bytes transferred by the server since the last update. |
DestIP | IP address of the destination for this session. |
DestMAC | MAC (media access control) address for the destination of the session. |
Duration | Duration in seconds for the session. |
FieldCount | Number of fields used in NetMon's messages. Internal use only. |
FlowCompleted | Boolean flag that indicates if the session has finished (true) or not (false). |
FlowSessionCount | Number of sessions that are stitched together. The number 1 indicates a one-directional session (a half session) and 2 indicates a bi-directional session (a full session). There can be two or more half sessions. |
LatestUpdate | Boolean flag that indicates if this row contains the most recent update from this session (true) or not (false). |
MessageSize | Size in bytes of the internal message stored for this session. (Every session includes a message, which is the entire set of data.) |
PacketsDelta | Packets received since the last update. |
TotalPackets | Total packets received for the session (packets in). |
DestPort | Port number for the destination of this session. |
Protocol | Protocol ID number. Internal use only. |
Session | Identifier for this session, which is the same ID used in the LogRhythm SIEM. |
SrcBytes | Total bytes transferred by the client (bytes in). |
SrcBytesDelta | Bytes transferred by the client since the last update. |
SrcIP | IP address of the source for this session. |
SrcMAC | MAC address for the source of the session. |
SrcPort | Port number for the source of this session. |
ThreadID | Identifier for the Engine worker thread. Internal use only. |
TimeDelta | Seconds since the last update. |
TimePrevious | Time stamp in seconds for the previous update to this session. |
TimeStart | Time stamp in seconds for when the session started (when NetMon received the first packet). |
TimeUpdated | Time stamp in seconds for when the session was updated. If this time is different from the value in the TimeStart field, this is a long-running session. |
TotalBytes | Total bytes transferred by the client and server. |
TotalBytesDelta | Bytes transferred since the last update. |
Written | A Boolean flag that indicates if the session update was written to disk (true) or not (false). A part of a long-running session might be written to disk if NetMon ran low on memory and was not yet able to classify the session. |
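As an added example (not LogRhythm's own code), the script below works over rows shaped like the query data described in this table: it splits ApplicationPath into sub-protocols, keeps only the row marked LatestUpdate for each Session, and derives the half-session, long-running and byte-consistency conditions from the field definitions above. SAMPLE_ROWS is constructed sample data, not a real NetMon export.

```python
# Constructed sample of NetMon query-data rows; field names follow the table above.
SAMPLE_ROWS = [
    # Two updates of one bi-directional HTTP session; only the second is the latest.
    {"Session": "s1", "LatestUpdate": False, "ApplicationPath": "/tcp/http/amazon", "FlowSessionCount": 2,
     "SrcIP": "10.0.0.5", "DestIP": "203.0.113.10", "DestPort": 80, "TimeStart": 1000, "TimeUpdated": 1000,
     "SrcBytes": 1200, "DestBytes": 45000, "TotalBytes": 46200, "FlowCompleted": False},
    {"Session": "s1", "LatestUpdate": True, "ApplicationPath": "/tcp/http/amazon", "FlowSessionCount": 2,
     "SrcIP": "10.0.0.5", "DestIP": "203.0.113.10", "DestPort": 80, "TimeStart": 1000, "TimeUpdated": 1900,
     "SrcBytes": 1500, "DestBytes": 90000, "TotalBytes": 91500, "FlowCompleted": True},
    # A half session: only one direction was seen (FlowSessionCount == 1).
    {"Session": "s2", "LatestUpdate": True, "ApplicationPath": "/udp/dns", "FlowSessionCount": 1,
     "SrcIP": "10.0.0.7", "DestIP": "198.51.100.53", "DestPort": 53, "TimeStart": 1500, "TimeUpdated": 1500,
     "SrcBytes": 80, "DestBytes": 0, "TotalBytes": 80, "FlowCompleted": False},
    # A row whose byte counters do not add up, constructed to exercise the consistency check.
    {"Session": "s3", "LatestUpdate": True, "ApplicationPath": "/tcp/ssl", "FlowSessionCount": 2,
     "SrcIP": "10.0.0.9", "DestIP": "192.0.2.44", "DestPort": 443, "TimeStart": 1600, "TimeUpdated": 1600,
     "SrcBytes": 1000, "DestBytes": 3000, "TotalBytes": 5000, "FlowCompleted": True},
]


def sub_protocols(application_path):
    """Split an ApplicationPath such as "/tcp/http/amazon" into its stack components."""
    return [part for part in application_path.split("/") if part]


def rows_with_protocol(rows, protocol):
    """Select rows whose application stack contains the given sub-protocol (e.g. "http")."""
    return [row for row in rows if protocol in sub_protocols(row["ApplicationPath"])]


def latest_updates(rows):
    """Map Session -> the row carrying the most recent update (LatestUpdate is true)."""
    return {row["Session"]: row for row in rows if row["LatestUpdate"]}


def flag_session(row):
    """Derive conditions from one row using the field definitions in the table."""
    flags = []
    if row["FlowSessionCount"] == 1:
        flags.append("half-session")          # only one direction of the session was seen
    if row["TimeUpdated"] != row["TimeStart"]:
        flags.append("long-running")          # updated after it started
    if row["TotalBytes"] != row["SrcBytes"] + row["DestBytes"]:
        flags.append("byte-total-mismatch")   # client bytes + server bytes should equal TotalBytes
    return flags


if __name__ == "__main__":
    for session, row in latest_updates(SAMPLE_ROWS).items():
        print(session, sub_protocols(row["ApplicationPath"]), flag_session(row))
```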