SkuldNorniern edited this page Nov 6, 2023 · 4 revisions

Understanding FluereFlow

FluereFlow serves as a detailed record of network communications or transactions occurring between two IP addresses. It draws inspiration from the Cisco NetFlow format, encapsulating comprehensive data about individual network transactions, including specifics about the source and destination, various counters pertaining to the type and quantity of packets exchanged, and other pertinent metadata.

Structure of a FluereRecord

Each FluereRecord instance encapsulates detailed information about a specific network transaction. Here are the fields that constitute a FluereRecord:

Core Fields

  1. source: IpAddr

    • Description: Originating IP address of the communication.
    • Type: IP Address (supports both IPv4 and IPv6).
  2. destination: IpAddr

    • Description: Target IP address where the communication is directed.
    • Type: IP Address (supports both IPv4 and IPv6).
  3. d_pkts: u32

    • Description: Cumulative number of packets transmitted during the communication.
    • Type: 32-bit unsigned integer.
  4. d_octets: usize

    • Description: Aggregate number of octets (bytes) transferred throughout the communication.
    • Type: Unsigned size type (commonly used for indexing and counting).

Timestamp Fields

  1. first: u64

    • Description: Timestamp marking the start of the communication (usually expressed in microseconds since the epoch).
    • Type: 64-bit unsigned integer.
  2. last: u64

    • Description: Timestamp marking the end of the communication (usually expressed in microseconds since the epoch).
    • Type: 64-bit unsigned integer.

Communication Details

  1. src_port: u16

    • Description: Source port utilized during the communication.
    • Type: 16-bit unsigned integer.
  2. dst_port: u16

    • Description: Destination port utilized during the communication.
    • Type: 16-bit unsigned integer.

Packet Details

  1. min_pkt: u32

    • Description: Size of the smallest packet transmitted in the communication.
    • Type: 32-bit unsigned integer.
  2. max_pkt: u32

    • Description: Size of the largest packet transmitted in the communication.
    • Type: 32-bit unsigned integer.

TTL (Time-to-Live) Fields

  1. min_ttl: u8

    • Description: Minimum TTL value observed across the packets.
    • Type: 8-bit unsigned integer.
  2. max_ttl: u8

    • Description: Maximum TTL value observed across the packets.
    • Type: 8-bit unsigned integer.

Traffic Details

  1. in_pkts: u32

    • Description: Count of incoming packets.
    • Type: 32-bit unsigned integer.
  2. out_pkts: u32

    • Description: Count of outgoing packets.
    • Type: 32-bit unsigned integer.
  3. in_bytes: usize

    • Description: Total volume of incoming bytes.
    • Type: Unsigned size type.
  4. out_bytes: usize

    • Description: Total volume of outgoing bytes.
    • Type: Unsigned size type.

TCP Flags Counters

The following fields represent counters for specific TCP flags encountered during the communication. All of them are of type u32 (32-bit unsigned integer):

  • fin_cnt: u32: FIN flag counter.
  • syn_cnt: u32: SYN flag counter.
  • rst_cnt: u32: RST flag counter.
  • psh_cnt: u32: PSH flag counter.
  • ack_cnt: u32: ACK flag counter.
  • urg_cnt: u32: URG flag counter.
  • ece_cnt: u32: ECE flag counter.
  • cwr_cnt: u32: CWR flag counter.
  • ns_cnt: u32: NS flag counter (the ECN nonce bit defined in RFC 3540, which has since been moved to Historic status).

Protocol and Service Type

  1. prot: u8

    • Description: Protocol number denoting the communication protocol (e.g., TCP, UDP).
    • Type: 8-bit unsigned integer.
  2. tos: u8

    • Description: Type of service value, typically utilized for QoS (Quality of Service) classification.
    • Type: 8-bit unsigned integer.
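The sections above describe the record one field at a time; the example below shows how all of them are filled from traffic. It is an added illustration written for this page, not Fluere's own code: the FluereRecord struct carries exactly the fields listed above, while PacketSummary, the in/out direction rule (packets from the record's source address and port are "out", replies are "in"), the flag-bit layout and the sample TCP session are assumptions made for the example. The session data is constructed, not captured.

```rust
// Added example, not Fluere's own code. FluereRecord mirrors the fields this
// page lists; PacketSummary, the direction rule, the flag-bit layout and the
// sample session are assumptions made for this illustration.
use std::net::{IpAddr, Ipv4Addr};

#[derive(Debug, Clone, PartialEq)]
pub struct FluereRecord {
    pub source: IpAddr, pub destination: IpAddr,
    pub d_pkts: u32, pub d_octets: usize,
    pub first: u64, pub last: u64,
    pub src_port: u16, pub dst_port: u16,
    pub min_pkt: u32, pub max_pkt: u32,
    pub min_ttl: u8, pub max_ttl: u8,
    pub in_pkts: u32, pub out_pkts: u32, pub in_bytes: usize, pub out_bytes: usize,
    pub fin_cnt: u32, pub syn_cnt: u32, pub rst_cnt: u32, pub psh_cnt: u32, pub ack_cnt: u32,
    pub urg_cnt: u32, pub ece_cnt: u32, pub cwr_cnt: u32, pub ns_cnt: u32,
    pub prot: u8, pub tos: u8,
}

/// Assumed per-packet summary, as a capture parser would hand it over.
#[derive(Debug, Clone, Copy)]
pub struct PacketSummary {
    pub src: IpAddr, pub dst: IpAddr, pub src_port: u16, pub dst_port: u16,
    pub len: u32, pub ttl: u8, pub prot: u8, pub tos: u8,
    pub flags: u16, // TCP flag bits, LSB first: FIN SYN RST PSH ACK URG ECE CWR NS
    pub ts_us: u64, // microseconds since the epoch
}

impl FluereRecord {
    /// Key the record on the first packet; counters start at zero and the
    /// min fields at their type maximum so the first `update` call sets them.
    pub fn new(p: &PacketSummary) -> Self {
        FluereRecord {
            source: p.src, destination: p.dst, src_port: p.src_port, dst_port: p.dst_port,
            prot: p.prot, tos: p.tos, first: u64::MAX, last: 0,
            min_pkt: u32::MAX, max_pkt: 0, min_ttl: u8::MAX, max_ttl: 0,
            d_pkts: 0, d_octets: 0, in_pkts: 0, out_pkts: 0, in_bytes: 0, out_bytes: 0,
            fin_cnt: 0, syn_cnt: 0, rst_cnt: 0, psh_cnt: 0, ack_cnt: 0,
            urg_cnt: 0, ece_cnt: 0, cwr_cnt: 0, ns_cnt: 0,
        }
    }

    /// Fold one packet of the same bidirectional flow into the record.
    pub fn update(&mut self, p: &PacketSummary) {
        // Direction rule (assumed): from the record's source:port is "out", else "in".
        let outgoing = p.src == self.source && p.src_port == self.src_port;
        self.d_pkts += 1;
        self.d_octets += p.len as usize;
        self.first = self.first.min(p.ts_us);
        self.last = self.last.max(p.ts_us);
        self.min_pkt = self.min_pkt.min(p.len);
        self.max_pkt = self.max_pkt.max(p.len);
        self.min_ttl = self.min_ttl.min(p.ttl);
        self.max_ttl = self.max_ttl.max(p.ttl);
        let (pkts, bytes) = if outgoing { (&mut self.out_pkts, &mut self.out_bytes) }
                            else { (&mut self.in_pkts, &mut self.in_bytes) };
        *pkts += 1;
        *bytes += p.len as usize;
        // One counter per flag bit; a packet with several flags set bumps each of them.
        let counters: [(u16, &mut u32); 9] = [
            (0x001, &mut self.fin_cnt), (0x002, &mut self.syn_cnt), (0x004, &mut self.rst_cnt),
            (0x008, &mut self.psh_cnt), (0x010, &mut self.ack_cnt), (0x020, &mut self.urg_cnt),
            (0x040, &mut self.ece_cnt), (0x080, &mut self.cwr_cnt), (0x100, &mut self.ns_cnt),
        ];
        for (mask, cnt) in counters {
            if p.flags & mask != 0 { *cnt += 1; }
        }
    }
}

/// Aggregate all packets of one flow into a single record; None for an empty slice.
pub fn build_record(packets: &[PacketSummary]) -> Option<FluereRecord> {
    let mut rec = FluereRecord::new(packets.first()?);
    packets.iter().for_each(|p| rec.update(p));
    Some(rec)
}

/// Constructed sample: a short TCP session 192.0.2.10:51234 -> 198.51.100.7:443.
pub fn sample_session() -> Vec<PacketSummary> {
    let (client, server) = (IpAddr::V4(Ipv4Addr::new(192, 0, 2, 10)), IpAddr::V4(Ipv4Addr::new(198, 51, 100, 7)));
    let pkt = |from_client: bool, len: u32, flags: u16, ts_us: u64| PacketSummary {
        src: if from_client { client } else { server },
        dst: if from_client { server } else { client },
        src_port: if from_client { 51234 } else { 443 }, dst_port: if from_client { 443 } else { 51234 },
        ttl: if from_client { 64 } else { 52 }, prot: 6, tos: 0, len, flags, ts_us,
    };
    vec![
        pkt(true, 60, 0x002, 1_000_000),    // SYN
        pkt(false, 60, 0x012, 1_000_250),   // SYN|ACK
        pkt(true, 52, 0x010, 1_000_500),    // ACK
        pkt(true, 517, 0x018, 1_001_000),   // PSH|ACK request
        pkt(false, 52, 0x010, 1_001_300),   // ACK
        pkt(false, 1460, 0x018, 1_002_000), // PSH|ACK response
        pkt(true, 52, 0x011, 1_003_000),    // FIN|ACK
        pkt(false, 52, 0x011, 1_003_200),   // FIN|ACK
        pkt(true, 52, 0x010, 1_003_400),    // ACK
    ]
}

fn main() { println!("{:?}", build_record(&sample_session())); }
```

For the constructed session the fold yields d_pkts = 9, d_octets = 2357, out/in packet counts of 5/4, syn_cnt = 2, ack_cnt = 8, psh_cnt = 2 and fin_cnt = 2, with min_ttl/max_ttl of 52/64 reflecting the two hosts' hop distances. Two design points matter for anyone consuming these records: the flag counters are per-bit, so a SYN|ACK packet increments both syn_cnt and ack_cnt, and the in/out split depends on which side the record treats as source. Both matter when the counters feed detection logic, for example a record with syn_cnt greater than zero, in_pkts of zero and a last minus first of only a few milliseconds describes a connection attempt that was never answered, which is the shape a half-open probe leaves behind.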