doc/netflow: Discuss netflow
authorJeff Lucovsky <jlucovsky@oisf.net>
Sat, 28 Jun 2025 14:18:49 +0000 (10:18 -0400)
committerVictor Julien <victor@inliniac.net>
Thu, 10 Jul 2025 17:36:37 +0000 (19:36 +0200)
Add discussion for netflow configuration, event type and fields
contained in netflow records.

Issue: 5139

doc/userguide/output/eve/eve-json-format.rst
doc/userguide/output/eve/eve-json-output.rst
etc/schema.json

index 180fe6ca0441b18e235b9ba2080851f99748b463..70bad2cdff5539299b538ad2e4e95aafcb19a898 100644 (file)
@@ -3178,3 +3178,30 @@ Example of POP3 logging:
           "data": []
       }
    }
+
+Event type: Netflow
+-------------------
+
+Fields
+~~~~~~
+
+* "age": duration of the flow (measured from timestamp of last packet and first packet)
+* "bytes": total number of bytes to client
+* "end": date of the end of the flow
+* "max_ttl": maximum observed Time-To-Live (TTL) value
+* "min_ttl": minimum observed TTL value
+* "pkts": total number of packets to client
+* "start": date of start of the flow
+* "tx_cnt": number of transactions seen in the flow (only present if flow has an application layer)
+
+Example ::
+
+ "netflow": {
+    "pkts": 1,
+    "bytes": 160,
+    "start": "2013-02-26T17:02:42.907340-0500",
+    "end": "2013-02-26T17:02:42.907340-0500",
+    "age": 0,
+    "min_ttl": 1,
+    "max_ttl": 1
+  }
index 6b96b56b46201c6af8e9fcfc7f69aca5967d41e9..4b49fb507826b33af81ea2c5fbb1fe362d90a1b4 100644 (file)
@@ -348,6 +348,23 @@ YAML::
 The logger is disabled by default since ARP can generate a large
 number of events.
 
+Netflow
+~~~~~~~
+
+Netflow records closely relate to flow records except that they are unidirectional while flow records
+are bidirectional. This means that there will be twice as many netflow records as there are flow records.
+
+Netflow records are disabled by default.
+
+YAML::
+
+      #- netflow
+
+To enable netflow, change this to::
+
+      - netflow:
+          enabled: yes
+
 MQTT
 ~~~~
 
index 366a50d1d89095705e3c446e75a7c8e54c313648..2ba472f5aa4bed9d3a8b9de12de8343203c0a693 100644 (file)
             "additionalProperties": false,
             "properties": {
                 "age": {
-                    "type": "integer"
+                    "type": "integer",
+                    "description": "Duration of the flow (measured from timestamp of last packet and first packet)",
+                    "suricata": {
+                        "keywords": [
+                            "flow.age"
+                        ]
+                    }
                 },
                 "bytes": {
-                    "type": "integer"
+                    "type": "integer",
+                    "description": "Total number of bytes transferred to server/client",
+                    "suricata": {
+                        "keywords": [
+                            "flow.bytes",
+                            "flow.bytes_toserver",
+                            "flow.bytes_toclient"
+                        ]
+                    }
                 },
                 "end": {
-                    "type": "string"
+                    "type": "string",
+                    "description": "Date of the end of the flow"
                 },
                 "max_ttl": {
-                    "type": "integer"
+                    "type": "integer",
+                    "description": "Maximum observed Time-To-Live (TTL) value"
                 },
                 "min_ttl": {
-                    "type": "integer"
+                    "type": "integer",
+                    "description": "Minimum observed TTL value"
                 },
                 "pkts": {
-                    "type": "integer"
+                    "type": "integer",
+                    "description": "Total number of packets transferred to server,client",
+                    "suricata": {
+                        "keywords": [
+                            "flow.pkts",
+                            "flow.pkts_toserver",
+                            "flow.pkts_toclient"
+                        ]
+                    }
                 },
                 "start": {
-                    "type": "string"
+                    "type": "string",
+                    "description": "Date of start of the flow"
                 },
                 "tx_cnt": {
-                    "type": "integer"
+                    "type": "integer",
+                    "description": "Number of transactions seen in the flow (only present if flow has an application layer)"
                 }
             },
             "optional": true
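Review bot: The new `pkts` description reads "transferred to server,client" while the new `bytes` description a few lines above reads "transferred to server/client", and the eve-json-format.rst hunk in this same commit documents the same two fields as "total number of packets to client" / "total number of bytes to client", so the field descriptions already disagree with each other. Given that the eve-json-output.rst hunk states netflow records are unidirectional, neither phrasing says which direction a given record counts; I would word both schema descriptions alike, e.g. `"description": "Total number of packets in the direction of this (unidirectional) netflow record"`, with the matching sentence for `bytes`, and align the .rst bullets with it. The `suricata.keywords` lists attach the bidirectional `flow.*_toserver`/`flow.*_toclient` keywords to these per-direction fields; whether that mapping is intended for netflow records is worth confirming rather than assumed. The enclosing netflow object definition begins before this hunk.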