From: Eric Leblond Date: Tue, 28 May 2019 21:54:08 +0000 (+0200) Subject: doc: document flow event_type X-Git-Tag: suricata-5.0.0-rc1~314 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbf3606169089469c59ea05cd6bb82309faad3b7;p=thirdparty%2Fsuricata.git doc: document flow event_type
---
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 5b85a9104f..a20c22d853 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -860,3 +860,47 @@ Example of SSH logging:
 "software_version": "OpenSSH_6.7",
 }
 }
+
+Event type: Flow
+----------------
+
+Fields
+~~~~~~
+
+* "pkts_toserver": total number of packets to server, include bypassed packets
+* "pkts_toclient": total number of packets to client
+* "bytes_toserver": total bytes count to server
+* "bytes_toclient": total bytes count to client
+* "bypassed.pkts_toserver": number of bypassed packets to server
+* "bypassed.pkts_toclient": number of bypassed packets to client
+* "bypassed.bytes_toserver": bypassed bytes count to server
+* "bypassed.bytes_toclient": bypassed bytes count to client
+* "start": date of start of the flow
+* "end": date of end of flow (last seen packet)
+* "age": duration of the flow
+* "bypass": if the flow has been bypassed, it is set to "local" (internal bypass) or "capture"
+* "state": display state of the flow (include "new", "established", "closed", "bypassed")
+* "reason": mechanism that did trigger the end of the flow (include "timeout", "forced" and "shutdown")
+* "alerted": "true" or "false" depending if an alert has been seen on flow
+
+Example ::
+
+ "flow": {
+ "pkts_toserver": 23,
+ "pkts_toclient": 21,
+ "bytes_toserver": 4884,
+ "bytes_toclient": 7392,
+ "bypassed": {
+ "pkts_toserver": 10,
+ "pkts_toclient": 8,
+ "bytes_toserver": 1305,
+ "bytes_toclient": 984
+ },
+ "start": "2019-05-28T23:32:29.025256+0200",
+ "end": "2019-05-28T23:35:28.071281+0200",
+ "age": 179,
+ "bypass": "capture",
+ "state": "bypassed",
+ "reason": "timeout",
+ "alerted": false
+ }