This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.
Chapter 10. Network flows format reference
These are the specifications for network flows format, used both internally and when exporting flows to Kafka.
10.1. Network Flows format reference
This is the specification of the network flows format, used both internally and when exporting flows to Kafka.
The document is organized in two main categories: Labels and regular Fields. This distinction matters only when querying Loki, because Labels, unlike Fields, must be used in stream selectors.
If you are reading this specification as a reference for the Kafka export feature, you must treat all Labels and Fields as regular fields and ignore any distinctions between them that are specific to Loki.
10.1.1. Labels
- SrcK8S_Namespace (string, optional): Source namespace
- DstK8S_Namespace (string, optional): Destination namespace
- SrcK8S_OwnerName (string, optional): Source owner, such as Deployment, StatefulSet, etc.
- DstK8S_OwnerName (string, optional): Destination owner, such as Deployment, StatefulSet, etc.
- FlowDirection (FlowDirection; see the following section, Enumeration: FlowDirection): Flow direction from the node observation point
- _RecordType (RecordType, optional): Type of record: 'flowLog' for regular flow logs, or 'allConnections', 'newConnection', 'heartbeat', 'endConnection' for conversation tracking
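The Labels/Fields split shown as a query builder. This is an added example, not code from the product documentation: it places the six Labels above in the Loki stream selector and filters everything else after a `| json` stage, assuming the stored log lines are JSON objects keyed by the field names on this page. `build_logql` and `LABELS` are hypothetical names.

```python
# Added example (not product code): build a LogQL query from simple filters.
import json

# The six Labels listed in section 10.1.1 of this page.
LABELS = {"SrcK8S_Namespace", "DstK8S_Namespace", "SrcK8S_OwnerName",
          "DstK8S_OwnerName", "FlowDirection", "_RecordType"}


def _quote(value):
    # json.dumps returns a double-quoted string with " and \ escaped, so a
    # caller-supplied value cannot close the quote and alter the query.
    return json.dumps(str(value))


def build_logql(filters):
    """Return a LogQL query for a dict of {field_name: wanted_value}."""
    selectors, field_filters = [], []
    for name in sorted(filters):
        value = filters[name]
        if not name.replace("_", "").isalnum():
            raise ValueError(f"unexpected field name: {name!r}")
        if name in LABELS:
            # Label values are strings, including FlowDirection "0"/"1"/"2".
            selectors.append(f"{name}={_quote(value)}")
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            field_filters.append(f"{name}={value}")  # numeric comparison
        else:
            field_filters.append(f"{name}={_quote(value)}")
    if not selectors:
        # Loki needs at least one non-empty matcher in the stream selector.
        raise ValueError("at least one Label is required in the stream selector")
    query = "{" + ",".join(selectors) + "}"
    if field_filters:
        query += " | json | " + " and ".join(field_filters)
    return query
```

For example, filtering on `SrcK8S_Namespace`, `FlowDirection` and `DstPort` yields a selector with the two Labels and a single post-parse filter on `DstPort`.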
10.1.2. Fields
- SrcAddr (string): Source IP address (ipv4 or ipv6)
- DstAddr (string): Destination IP address (ipv4 or ipv6)
- SrcMac (string): Source MAC address
- DstMac (string): Destination MAC address
- SrcK8S_Name (string, optional): Name of the source matched Kubernetes object, such as Pod name, Service name, etc.
- DstK8S_Name (string, optional): Name of the destination matched Kubernetes object, such as Pod name, Service name, etc.
- SrcK8S_Type (string, optional): Kind of the source matched Kubernetes object, such as Pod, Service, etc.
- DstK8S_Type (string, optional): Kind of the destination matched Kubernetes object, such as Pod, Service, etc.
- SrcPort (number, optional): Source port
- DstPort (number, optional): Destination port
- SrcK8S_OwnerType (string, optional): Kind of the source Kubernetes owner, such as Deployment, StatefulSet, etc.
- DstK8S_OwnerType (string, optional): Kind of the destination Kubernetes owner, such as Deployment, StatefulSet, etc.
- SrcK8S_HostIP (string, optional): Source node IP
- DstK8S_HostIP (string, optional): Destination node IP
- SrcK8S_HostName (string, optional): Source node name
- DstK8S_HostName (string, optional): Destination node name
- Proto (number): L4 protocol
- Interface (string, optional): Network interface
- IfDirection (InterfaceDirection, optional; see the following section, Enumeration: InterfaceDirection): Flow direction from the network interface observation point
- Flags (number, optional): TCP flags
- Packets (number, optional): Number of packets
- Packets_AB (number, optional): In conversation tracking, A to B packets counter per conversation
- Packets_BA (number, optional): In conversation tracking, B to A packets counter per conversation
- Bytes (number, optional): Number of bytes
- Bytes_AB (number, optional): In conversation tracking, A to B bytes counter per conversation
- Bytes_BA (number, optional): In conversation tracking, B to A bytes counter per conversation
- IcmpType (number, optional): ICMP type
- IcmpCode (number, optional): ICMP code
- PktDropLatestState (string, optional): TCP state of the latest dropped packet
- PktDropLatestDropCause (string, optional): Drop cause of the latest dropped packet
- PktDropLatestFlags (number, optional): TCP flags of the latest dropped packet
- PktDropPackets (number, optional): Number of packets dropped by the kernel
- PktDropPackets_AB (number, optional): In conversation tracking, A to B packets dropped counter per conversation
- PktDropPackets_BA (number, optional): In conversation tracking, B to A packets dropped counter per conversation
- PktDropBytes (number, optional): Number of bytes dropped by the kernel
- PktDropBytes_AB (number, optional): In conversation tracking, A to B bytes dropped counter per conversation
- PktDropBytes_BA (number, optional): In conversation tracking, B to A bytes dropped counter per conversation
- DnsId (number, optional): DNS record id
- DnsFlags (number, optional): DNS flags for DNS record
- DnsFlagsResponseCode (string, optional): Parsed DNS header RCODE name
- DnsLatencyMs (number, optional): Calculated time between response and request, in milliseconds
- TimeFlowStartMs (number): Start timestamp of this flow, in milliseconds
- TimeFlowEndMs (number): End timestamp of this flow, in milliseconds
- TimeReceived (number): Timestamp when this flow was received and processed by the flow collector, in seconds
- TimeFlowRttNs (number, optional): Flow Round Trip Time (RTT) in nanoseconds
- _HashId (string, optional): In conversation tracking, the conversation identifier
- _IsFirst (string, optional): In conversation tracking, a flag identifying the first flow
- numFlowLogs (number, optional): In conversation tracking, a counter of flow logs per conversation
10.1.3. Enumeration: FlowDirection
- Ingress = "0": Incoming traffic, from the node observation point
- Egress = "1": Outgoing traffic, from the node observation point
- Inner = "2": Inner traffic, with the same source and destination node
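A consumer-side check for records in this format, as an added example that is not part of the product documentation. It validates the fields listed above without the Optional marker, decodes FlowDirection, and reconciles the mixed timestamp units (milliseconds for the flow, seconds for TimeReceived). It assumes each exported Kafka message is one JSON object keyed by these field names; `parse_flow` and the sample record are constructed for illustration.

```python
# Added example, not product code. Assumes each Kafka message is one JSON object.
import json

NUM = (int, float)
# Fields this reference lists without the "Optional" marker.
REQUIRED = {"SrcAddr": str, "DstAddr": str, "SrcMac": str, "DstMac": str,
            "Proto": NUM, "FlowDirection": (str, int),
            "TimeFlowStartMs": NUM, "TimeFlowEndMs": NUM, "TimeReceived": NUM}
FLOW_DIRECTION = {"0": "Ingress", "1": "Egress", "2": "Inner"}


def parse_flow(raw):
    """Parse one flow record; raise ValueError if it does not fit the reference."""
    rec = json.loads(raw)
    if not isinstance(rec, dict):
        raise ValueError("flow record must be a JSON object")
    for name, kind in REQUIRED.items():
        value = rec.get(name)
        if isinstance(value, bool) or not isinstance(value, kind):
            raise ValueError(f"missing or mistyped required field {name}")
    direction = FLOW_DIRECTION.get(str(rec["FlowDirection"]))
    if direction is None:
        raise ValueError(f"unknown FlowDirection {rec['FlowDirection']!r}")
    if rec["TimeFlowEndMs"] < rec["TimeFlowStartMs"]:
        raise ValueError("TimeFlowEndMs is earlier than TimeFlowStartMs")
    return {
        **rec,
        "direction": direction,
        "duration_ms": rec["TimeFlowEndMs"] - rec["TimeFlowStartMs"],
        # TimeReceived is in seconds; the flow timestamps are in milliseconds.
        "collector_lag_ms": rec["TimeReceived"] * 1000 - rec["TimeFlowEndMs"],
        # Optional fields may be absent; a missing drop counter is read as 0.
        "dropped_packets": rec.get("PktDropPackets", 0),
        "cross_namespace": rec.get("SrcK8S_Namespace") != rec.get("DstK8S_Namespace"),
    }


# Constructed sample record; all values are illustrative.
SAMPLE = json.dumps({
    "SrcAddr": "10.128.0.12", "DstAddr": "10.129.2.7",
    "SrcMac": "0a:58:0a:80:00:0c", "DstMac": "0a:58:0a:81:02:07",
    "Proto": 6, "SrcPort": 41522, "DstPort": 8443, "FlowDirection": "1",
    "SrcK8S_Namespace": "frontend", "DstK8S_Namespace": "payments",
    "TimeFlowStartMs": 1700000000000, "TimeFlowEndMs": 1700000004500,
    "TimeReceived": 1700000005, "PktDropPackets": 3,
})
```

Rejecting records that fail these checks before they reach detection logic keeps a malformed or truncated message from being read as a flow with zero drops or a negative duration.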