From b4bc4cd916401cee23ca4610a32cac1432177410 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 14 Jan 2020 21:18:23 +0100 Subject: [PATCH] [Filebeat] Fixes for NetFlow v9 devices from various vendors (#15449) - Allow for zero scope fields in options template NetFlow v9 spec allows for options templates that contain no scope fields. The netflow input was treating this case as an error and discarding the template, but that is only applicable to IPFIX. - Use additional fields to populate bytes/pkt counters Some devices out there (Cisco NSEL) use fields 231/232 as bytes counters, when those are supposed to be layer 4 payload counters. This updates the ECS fields populator to use those fields when the expected ones are not found. - Support a classId of 32 bits While the spec mandates a classId of 8 bits, some Cisco ASA devices actually use a 32 bit version of this field. This patches the field to allow up to 32-bit integers and updates the index pattern to use `long` for the `netflow.class_id` field. - Add more fields from v9 Cisco devices Fixes #14212 (cherry picked from commit c3a360485699c9c0f887d72111dddc773a630b4c) --- CHANGELOG.next.asciidoc | 3 + filebeat/docs/fields.asciidoc | 2 +- .../filebeat/input/netflow/_meta/fields.yml | 2 +- x-pack/filebeat/input/netflow/convert.go | 32 +- .../input/netflow/decoder/fields/cisco.csv | 14 + .../input/netflow/decoder/fields/doc.go | 1 + .../fields/ipfix-information-elements.csv | 8 +- .../netflow/decoder/fields/zfields_cisco.go | 14 + .../netflow/decoder/fields/zfields_ipfix.go | 2 +- .../input/netflow/decoder/ipfix/decoder.go | 1 + .../netflow/decoder/template/template.go | 5 +- .../netflow/decoder/template/template_test.go | 8 + .../input/netflow/decoder/v9/decoder.go | 3 +- x-pack/filebeat/input/netflow/fields.go | 2 +- .../golden/Netflow-9-Cisco-ASA-2.golden.json | 45 ++ .../Netflow-9-Huawei-Netstream.golden.json | 1 + .../golden/ipfix_cisco.pcap.golden.json | 580 +++++++++++++++++- 17 files changed, 671 insertions(+), 52 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 888a0eb23f9b..3c750ac917be 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -54,6 +54,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix filebeat azure dashboards, event category should be `Alert`. {pull}14668[14668] - Check content-type when creating new reader in s3 input. {pull}15252[15252] {issue}15225[15225] - Fix session reset detection and a crash in Netflow input. {pull}14904[14904] +- netflow: Allow for options templates without scope fields. {pull}15449[15449] +- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). {pull}15449[15449] +- netflow: Fix compatibility with some Cisco devices by changing the field `class_id` from short to long. {pull}15449[15449] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 5f59c8a232fd..770aaf0e19c2 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -12898,7 +12898,7 @@ type: long *`netflow.class_id`*:: + -- -type: short +type: long -- diff --git a/x-pack/filebeat/input/netflow/_meta/fields.yml b/x-pack/filebeat/input/netflow/_meta/fields.yml index d88ab6d5ab9b..f5a4c0823d58 100644 --- a/x-pack/filebeat/input/netflow/_meta/fields.yml +++ b/x-pack/filebeat/input/netflow/_meta/fields.yml @@ -194,7 +194,7 @@ type: long - name: class_id - type: short + type: long - name: minimum_ttl type: short diff --git a/x-pack/filebeat/input/netflow/convert.go b/x-pack/filebeat/input/netflow/convert.go index 09e9df185b9d..0ad0098cb3b9 100644 --- a/x-pack/filebeat/input/netflow/convert.go +++ b/x-pack/filebeat/input/netflow/convert.go @@ -245,22 +245,10 @@ func flowToBeatEvent(flow record.Record) (event beat.Event) { ecsNetwork["transport"] = IPProtocol(proto).String() ecsNetwork["iana_number"] = proto } - countBytes, hasBytes := getKeyUint64(flow.Fields, "octetDeltaCount") - if !hasBytes { - countBytes, hasBytes = getKeyUint64(flow.Fields, "octetTotalCount") - } - countPkts, hasPkts := getKeyUint64(flow.Fields, "packetDeltaCount") - if !hasPkts { - countPkts, hasPkts = getKeyUint64(flow.Fields, "packetTotalCount") - } - revBytes, hasRevBytes := getKeyUint64(flow.Fields, "reverseOctetDeltaCount") - if !hasRevBytes { - revBytes, hasRevBytes = getKeyUint64(flow.Fields, "reverseOctetTotalCount") - } - revPkts, hasRevPkts := getKeyUint64(flow.Fields, "reversePacketDeltaCount") - if !hasRevPkts { - revPkts, hasRevPkts = getKeyUint64(flow.Fields, "reversePacketTotalCount") - } + countBytes, hasBytes := getKeyUint64Alternatives(flow.Fields, "octetDeltaCount", "octetTotalCount", "initiatorOctets") + countPkts, hasPkts := getKeyUint64Alternatives(flow.Fields, "packetDeltaCount", "packetTotalCount", "initiatorPackets") + revBytes, hasRevBytes := getKeyUint64Alternatives(flow.Fields, "reverseOctetDeltaCount", "reverseOctetTotalCount", "responderOctets") + revPkts, hasRevPkts := getKeyUint64Alternatives(flow.Fields, "reversePacketDeltaCount", "reversePacketTotalCount", "responderPackets") if hasRevBytes { ecsDest["bytes"] = revBytes @@ -337,6 +325,18 @@ func getKeyUint64(dict record.Map, key string) (value uint64, found bool) { return } +func getKeyUint64Alternatives(dict record.Map, keys ...string) (value uint64, found bool) { + var iface interface{} + for _, key := range keys { + if iface, found = dict[key]; found { + if value, found = iface.(uint64); found { + return + } + } + } + return +} + func getKeyString(dict record.Map, key string) (value string, found bool) { iface, found := dict[key] if !found { diff --git a/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv b/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv index 653a275d06f8..65e5f9b5b75c 100644 --- a/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv +++ b/x-pack/filebeat/input/netflow/decoder/fields/cisco.csv @@ -270,6 +270,20 @@ netscalerUnknown465,5951,465,unsigned32 ingressAclID,0,33000,aclid egressAclID,0,33001,aclid fwExtEvent,0,33002,unsigned16 +fwEventLevel,0,33003,unsigned32 +fwEventLevelID,0,33004,unsigned32 +fwConfiguredValue,0,33005,unsigned32 +fwCtsSrcSGT,0,34000,unsigned32 +fwExtEventAlt,0,35001,unsigned32 +fwBlackoutSecs,0,35004,unsigned32 +fwHalfOpenHigh,0,35005,unsigned32 +fwHalfOpenRate,0,35006,unsigned32 +fwZonePairID,0,35007,unsigned32 +fwMaxSessions,0,35008,unsigned32 +fwZonePairName,0,35009,unsigned32 +fwExtEventDesc,0,35010,string +fwSummaryPktCount,0,35011,unsigned32 +fwHalfOpenCount,0,35012,unsigned32 username,0,40000,string XlateSourceAddressIPV4,0,40001,ipv4Address XlateDestinationAddressIPV4,0,40002,ipv4Address diff --git a/x-pack/filebeat/input/netflow/decoder/fields/doc.go b/x-pack/filebeat/input/netflow/decoder/fields/doc.go index cf6ddacf37ff..d3ae43e45212 100644 --- a/x-pack/filebeat/input/netflow/decoder/fields/doc.go +++ b/x-pack/filebeat/input/netflow/decoder/fields/doc.go @@ -8,3 +8,4 @@ package fields //go:generate go run gen.go -output zfields_cert.go -export CertFields --column-pen=1 --column-id=2 --column-name=3 --column-type=4 cert_pen6871.csv //go:generate go run gen.go -output zfields_cisco.go -export CiscoFields --column-pen=2 --column-id=3 --column-name=1 --column-type=4 cisco.csv //go:generate go run gen.go -output zfields_assorted.go -export AssortedFields --column-pen=1 --column-id=2 --column-name=3 --column-type=4 assorted.csv +//go:generate go fmt diff --git a/x-pack/filebeat/input/netflow/decoder/fields/ipfix-information-elements.csv b/x-pack/filebeat/input/netflow/decoder/fields/ipfix-information-elements.csv index 974d95dbce33..c2c5143f96b4 100644 --- a/x-pack/filebeat/input/netflow/decoder/fields/ipfix-information-elements.csv +++ b/x-pack/filebeat/input/netflow/decoder/fields/ipfix-information-elements.csv @@ -1,3 +1,9 @@ +; WARNING: This is an edited version of the original IANA document! +; +; Changes +; ======= +; 2020-01-14 - @adriansr: Change field 51 (classId) from unsigned8 to unsigned32 +; ;ElementID,Name,Abstract Data Type,Data Type Semantics,Status,Description,Units,Range,References,Requester,Revision,Date 0,Reserved,,,,,,,,[RFC5102],,2013-02-18 1,octetDeltaCount,unsigned64,deltaCounter,current,"The number of octets since the previous report (if any) @@ -335,7 +341,7 @@ Sampling. Use with samplerRandomInterval.",,,,[RFC7270],0,2014-04-04 50,samplerRandomInterval,unsigned32,quantity,deprecated,"Deprecated in favor of 305 samplingPacketInterval. Packet interval at which to sample -- in case of random sampling. Used in connection with the samplerMode 0x02 (random sampling) value.",,,,[RFC7270],0,2014-04-04 -51,classId,unsigned8,identifier,deprecated,"Deprecated in favor of 302 selectorId. Characterizes the traffic +51,classId,unsigned32,identifier,deprecated,"Deprecated in favor of 302 selectorId. Characterizes the traffic class, i.e., QoS treatment.",,,,[RFC7270],0,2014-04-04 52,minimumTTL,unsigned8,,current,Minimum TTL value observed for any packet in this Flow.,hops,,"See [RFC791] for the definition of the IPv4 Time to Live field. diff --git a/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go b/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go index ae37275d5281..7d1abc1b62c5 100644 --- a/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go +++ b/x-pack/filebeat/input/netflow/decoder/fields/zfields_cisco.go @@ -280,6 +280,20 @@ var CiscoFields = FieldDict{ Key{EnterpriseID: 0, FieldID: 33000}: {Name: "ingressAclID", Decoder: ACLID}, Key{EnterpriseID: 0, FieldID: 33001}: {Name: "egressAclID", Decoder: ACLID}, Key{EnterpriseID: 0, FieldID: 33002}: {Name: "fwExtEvent", Decoder: Unsigned16}, + Key{EnterpriseID: 0, FieldID: 33003}: {Name: "fwEventLevel", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 33004}: {Name: "fwEventLevelID", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 33005}: {Name: "fwConfiguredValue", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 34000}: {Name: "fwCtsSrcSGT", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35001}: {Name: "fwExtEventAlt", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35004}: {Name: "fwBlackoutSecs", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35005}: {Name: "fwHalfOpenHigh", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35006}: {Name: "fwHalfOpenRate", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35007}: {Name: "fwZonePairID", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35008}: {Name: "fwMaxSessions", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35009}: {Name: "fwZonePairName", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35010}: {Name: "fwExtEventDesc", Decoder: String}, + Key{EnterpriseID: 0, FieldID: 35011}: {Name: "fwSummaryPktCount", Decoder: Unsigned32}, + Key{EnterpriseID: 0, FieldID: 35012}: {Name: "fwHalfOpenCount", Decoder: Unsigned32}, Key{EnterpriseID: 0, FieldID: 40000}: {Name: "username", Decoder: String}, Key{EnterpriseID: 0, FieldID: 40001}: {Name: "XlateSourceAddressIPV4", Decoder: Ipv4Address}, Key{EnterpriseID: 0, FieldID: 40002}: {Name: "XlateDestinationAddressIPV4", Decoder: Ipv4Address}, diff --git a/x-pack/filebeat/input/netflow/decoder/fields/zfields_ipfix.go b/x-pack/filebeat/input/netflow/decoder/fields/zfields_ipfix.go index 1a47ad39c269..045ec5c3499b 100644 --- a/x-pack/filebeat/input/netflow/decoder/fields/zfields_ipfix.go +++ b/x-pack/filebeat/input/netflow/decoder/fields/zfields_ipfix.go @@ -59,7 +59,7 @@ var IpfixFields = FieldDict{ Key{EnterpriseID: 0, FieldID: 48}: {Name: "samplerId", Decoder: Unsigned8}, Key{EnterpriseID: 0, FieldID: 49}: {Name: "samplerMode", Decoder: Unsigned8}, Key{EnterpriseID: 0, FieldID: 50}: {Name: "samplerRandomInterval", Decoder: Unsigned32}, - Key{EnterpriseID: 0, FieldID: 51}: {Name: "classId", Decoder: Unsigned8}, + Key{EnterpriseID: 0, FieldID: 51}: {Name: "classId", Decoder: Unsigned32}, Key{EnterpriseID: 0, FieldID: 52}: {Name: "minimumTTL", Decoder: Unsigned8}, Key{EnterpriseID: 0, FieldID: 53}: {Name: "maximumTTL", Decoder: Unsigned8}, Key{EnterpriseID: 0, FieldID: 54}: {Name: "fragmentIdentification", Decoder: Unsigned32}, diff --git a/x-pack/filebeat/input/netflow/decoder/ipfix/decoder.go b/x-pack/filebeat/input/netflow/decoder/ipfix/decoder.go index 7c130bbdb02b..cb445622d099 100644 --- a/x-pack/filebeat/input/netflow/decoder/ipfix/decoder.go +++ b/x-pack/filebeat/input/netflow/decoder/ipfix/decoder.go @@ -108,6 +108,7 @@ func (d DecoderIPFIX) ReadOptionsTemplateFlowSet(buf *bytes.Buffer) (templates [ } template.ID = tID template.ScopeFields = scopeCount + template.IsOptions = true templates = append(templates, &template) } return templates, nil diff --git a/x-pack/filebeat/input/netflow/decoder/template/template.go b/x-pack/filebeat/input/netflow/decoder/template/template.go index dc42bcc26f07..e04dc93cfe36 100644 --- a/x-pack/filebeat/input/netflow/decoder/template/template.go +++ b/x-pack/filebeat/input/netflow/decoder/template/template.go @@ -29,6 +29,9 @@ type Template struct { Length int VariableLength bool ScopeFields int + // IsOptions signals that this is an options template. Previously + // ScopeFields>0 was used for this, but that's unreliable under v9. + IsOptions bool } type FieldTemplate struct { @@ -84,7 +87,7 @@ func (t *Template) Apply(data *bytes.Buffer, n int) ([]record.Record, error) { } } makeFn := t.makeFlow - if t.ScopeFields > 0 { + if t.IsOptions { makeFn = t.makeOptions } events := make([]record.Record, 0, alloc) diff --git a/x-pack/filebeat/input/netflow/decoder/template/template_test.go b/x-pack/filebeat/input/netflow/decoder/template/template_test.go index 6ab22766170e..882756dc9a2a 100644 --- a/x-pack/filebeat/input/netflow/decoder/template/template_test.go +++ b/x-pack/filebeat/input/netflow/decoder/template/template_test.go @@ -313,6 +313,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { record: Template{ Length: 7, ScopeFields: 1, + IsOptions: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, {Length: 2, Info: &fields.Field{Name: "destinationTransportPort", Decoder: fields.Unsigned16}}, @@ -343,6 +344,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { record: Template{ Length: 7, ScopeFields: 2, + IsOptions: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, {Length: 2, Info: &fields.Field{Name: "destinationTransportPort", Decoder: fields.Unsigned16}}, @@ -386,6 +388,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { record: Template{ Length: 7, ScopeFields: 3, + IsOptions: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, {Length: 2, Info: &fields.Field{Name: "destinationTransportPort", Decoder: fields.Unsigned16}}, @@ -415,6 +418,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { record: Template{ Length: 7, ScopeFields: 1, + IsOptions: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, {Length: 2, Info: &fields.Field{Name: "destinationTransportPort", Decoder: fields.Unsigned16}}, @@ -446,6 +450,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { record: Template{ Length: 7, ScopeFields: 2, + IsOptions: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, {Length: 2, Info: &fields.Field{Name: "destinationTransportPort", Decoder: fields.Unsigned16}}, @@ -489,6 +494,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { record: Template{ Length: 6, ScopeFields: 1, + IsOptions: true, VariableLength: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, @@ -522,6 +528,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { record: Template{ Length: 6, ScopeFields: 1, + IsOptions: true, VariableLength: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, @@ -571,6 +578,7 @@ func TestOptionsTemplate_Apply(t *testing.T) { Length: 6, VariableLength: true, ScopeFields: 2, + IsOptions: true, Fields: []FieldTemplate{ {Length: 4, Info: &fields.Field{Name: "sourceIPv4Address", Decoder: fields.Ipv4Address}}, {Length: VariableLength, Info: &fields.Field{Name: "vpnIdentifier", Decoder: fields.OctetArray}}, diff --git a/x-pack/filebeat/input/netflow/decoder/v9/decoder.go b/x-pack/filebeat/input/netflow/decoder/v9/decoder.go index f59726846525..6b4fc9be8be7 100644 --- a/x-pack/filebeat/input/netflow/decoder/v9/decoder.go +++ b/x-pack/filebeat/input/netflow/decoder/v9/decoder.go @@ -184,7 +184,7 @@ func (d DecoderV9) ReadOptionsTemplateFlowSet(buf *bytes.Buffer) (templates []*t if buf.Len() < int(length) { return nil, io.EOF } - if scopeLen == 0 || scopeLen&3 != 0 || optsLen&3 != 0 { + if (scopeLen+optsLen) == 0 || scopeLen&3 != 0 || optsLen&3 != 0 { return nil, fmt.Errorf("bad length for options template. scope=%d options=%d", scopeLen, optsLen) } template, err := ReadFields(d, buf, (scopeLen+optsLen)/4) @@ -193,6 +193,7 @@ func (d DecoderV9) ReadOptionsTemplateFlowSet(buf *bytes.Buffer) (templates []*t } template.ID = tID template.ScopeFields = scopeLen / 4 + template.IsOptions = true templates = append(templates, &template) } return templates, nil diff --git a/x-pack/filebeat/input/netflow/fields.go b/x-pack/filebeat/input/netflow/fields.go index e55936179242..92226a14406d 100644 --- a/x-pack/filebeat/input/netflow/fields.go +++ b/x-pack/filebeat/input/netflow/fields.go @@ -19,5 +19,5 @@ func init() { // AssetNetflow returns asset data. // This is the base64 encoded gzipped contents of input/netflow. func AssetNetflow() string { - return "eJysXUuT5Cbyv8+nUPjyv/w94dfsYw572nWsD7vrgw97IxDKknBLQAOq6vKn3wAkFVWCahL1HBzhnv79Mnkl+ULzbfMC16+NAHsa5eVT01huR/jafPNvsD+P8vLNp6bpwDDNleVSfG3+9qlpmuZnDmNnmpOWU7P8ZkNF1/zy68+//LdxVObzp6Y5+V/76iHfNoJOEItyf+xVwdem13JWy08S0t6V+Hn5tVheLNNJ2X64Cn2B60XqLvp5RrT789sAHtbI0yZeA5O6W1AtdE17bezATQNnEPbzp50a8KaktqB3qsTjf0eRf4GlHbW00TBSC11jZWMH2LibDs6cQWMHapseBOjwW06voPDniO9xwmJtaddpMObu7/Jz947a7s8/FhX/z7hNcJH6ZZXRcNH88utX99fNSeqJxrMX62TkrBkQ/ig5aDVK0eNU+k9rQJ+p++umkxN1evzdTell4GyIZ61pwdGbjGKWT2AsnVRSsY5awCn2G5/A728HdZsurG9G+qycfDLxceTpBcNPzT/lxaPud5fSkrkFG6hpWgDR6FkILvr/d0sY5AOTosvN0xm04VIkdeTCQn93OgrUXA/jQtzMBrrE0ZPMgiUdjJYSJmdhd2fQz9AOpyh7qQIGhLN0OHlaWsnkSHgHwvITT1gLM0ht91CuCBupMUSeiNvVnO1tXgZqmSJMCqvlSFpuzQ63Ls0OuRxIq6kwbosQ9x80nKvzT2Rvbxaweo5TGk78jYwgejsUT5bonTDiNNMnmpiq3LIay4U3GNWDjjnQI9+Bq4YPdaPnigh4s2SQCq952yuyrBs1RMxTm9jbabkOGg+8Bl+vuJLGkolRY0m1OYg4ak2RtyUgOmKuhsyKOJOPgRpLta0Ae9Wr7ac8MmsTF3yaJ8IVsdLSMbfLM2j6dgB9MzF/OnJAceBYaNXB3kmvYvH7ZaQtjJ6k1DqwSRH3C4TJLhjncqPI+wVcqqOhkxq56IMRO9OxdF1XHB17qbkdJtSsUGb5Gfz5kTPC6Hsw78YKKIieC0BNzgK585OfA4KD1y0HPZwXzFHdCCYwhvZwhMLPVXC7K2i8fddytqCJYZXuxJG7uAg7qdEQK9VyzDCL+wDFO0/uBIBG7I4VMckOdz5BE01FJyfsKQ2ebLmG601h7V5CDrJcDwjISdN+AmE375z5xcfchQe89GWXTpRll3uNy9Oy4/1axXIeqUgtStZ0ebFoFFdkHye+b5o7roEl1yMfMcVeIe6qfvQpcWgPgDcLwg2TDEA70HtoxrG5NwDGUvZCDG7sniOB/+EowY9HCfZOA5Lgy1GCvcODJPjzUYK/HCX461GC77+rcTnrbdMR47aFscT9fw0uSjKVw9cbDie01sFagig88DTS3hDqAsf8xZ+BrvedPJ0MYLxdqS9Ud87NNpbaeb+Yz7bjWYngwJGOu73Vz9wM5YmwB/NYFQEZzYjV9HTijHDRwd6py+SHjK3CUaXGxZuo24wxQbnbFKNw23h1Zjp+Co5MCPqU5ImNmVuoebTc50Q03PQ4UWZlaWYn+FI41T1mc94IOlYa6RX0D8t5XMwl+oQkSQz/Yz8OHEVHLS0dyObC0O53ytw5r0msKQ3neoa1soAPY2IkMkWjpVJbrFuR21/w9cWBOwXwJv1BgZo7YcklaqCm3GlkcpqkIEpLBdpySEZoaYnyVmkLRqIcus8r7R207CHZB8u4vTI628Co7sr19SWB4t+ewIJ2F+VSWitHhgNQBbUwqZHapNXLTuXFxXFsoEK4iSw2lx5mTAKQtdBLsqxia4UiLsLDiTLjoXC5A/ribf4EVcCCvLhaihVai10lMy2rJddhg2RBRa3gSmiQG0z0U93fMZTVDOZqLEyEC25JVKXHj6Sb9RJkPSN4MoyIAD2KcMbW3GxFUrYXUh+5sVaC2itTSHfCha0dwIavHsHGUH3rp2s7RdfYvrBUBItqfxURa1T7q3RRXuDqwijnqheHBPtybaXqcbm2YsNuXkuyEJZLSTpUvnz2DLXKKs5e3ckqRs3dVsbHtT04YLyFcWjLKsU64EGx8DqDYIALbBySshchLyN0Pfg0CprgwkXnLjFUXOiAs+69sZI+x4XDhmQ0tqGmEhdX5pElY0Wvo6RdBEbEBVxhCj8h0R/GhzksPvq417PUfBxLrXAflzPo3MYtBW3pPp8yLEXFUbSZJ1/Yep2phmLfIrKwVQSPtVREDfAx+41rMHlEd6Bw4JvS8KYwa1uzpZwBXqvzGWD+uBiyZevK9Tz/RPhQvBj+96XPe5auvDNXOISinU9L+01XvMeZHEdgVlakqe6guNxDCPDRXXoLbGslRdZSF3jU3bgQ4SertkNyS+3VEvhr+yoq3DaHPPFapDY1rqJDKjNUIp3hqUPOuq/qr6lpp/MetaBboa+uC9MRHGqfXVjUpkftDrsRfURLsBuX1Lz3PKJfh0Q00LG4P82R+KcnxQZXcMtdZJWzhuml1GCUFM4VQsFOXMOFjiNWx9CqfNan8sQoHnLW5FRRAKu/xGPvntER4d63vK7bBewAWoCt89M39DuuR96mrwRPjUe+aV7a71/xrUQBpjSXmttr6WADis3Gygl0rdQNjxU/gdWSwJmlhGY35A1lEc2EysDcSXLhOlkMyBjzCJQUljebEXJ9cfLwkuzp3bNYAzVcDWd0xPtGB/Ghj65uL0bY+q11O0a4eV/K9figcPHm/O1Wmb5ePErDrCLGaqATasgTfSMrBUquA1bWadY4aeq+EDYAezFz8T28Yg2TiKZeLioHyQWprmJJRV9nQAZDBoxvWsSNL16LiiLSAx69B+/w+FrSwyzXDOCRAT+Eewb8IG6BGQO9tC+XPylYY7IKbEctXRr6nU87ctryMXUhtlKOQMXzGm9oH8BccgIu7rYRa48MumEjApt5ulXScEW0iMUHCpTl2rWKYyhcQiEXQ+FYHIGSMtkDkCl9rQici02FFNeJ/7H0hSWTktlb4x5sgQ2Cv86IK5OL8BTd94iNIYGfbunL37o/qCBZjrLf7/bswO3seyxqoCCYvioLXRW67RU505F33F5952bxEePKHQZiFC/cE70G8gJ73fI7CHPib6FtqAHiY1scLtGDgtvrBlYvays3FR+vgJWIxt7k3ka4ZJvE/CO6PHZ9gLdUZ2vf762Nj6rce9+w3pOtFezBVWKTdbz3hinVPGKeGd2QWra5i7aTczsmXAR/U49cvJCTpm6YqMrjrQh435WKMCJreqGOYKf+xzyKQeGPjSA6y0umRL1YQ9b+G7xFiFnCj4tZaGvkOFsgoHWi/SK3h/yXafgZC4tNaDhiuFDmEV7hYSc40H7+jgPvp3e8B2PJQM3gbuOE05JeLw+IzlCmJ70MjLBVHipnq2ZLNBUubOal1iqBpaWPJjx23dN1kh/RONnLQgX1y4OZMNXeQ3E7VKMWeTvaOP9iVsrFbpyMfOJ7XXOHcpSXGhiT4sR9momMcIb9FZsDphwTb9Rxzl+CpOZRTYoIN+0phrDVWuiLt2qeBcQRl8/ARIXlrDj1kyKZBeqLQUrzM3V3ivO+lOYG2Vd15trO1F/QIXzdHvGVt6TnOXCr+8gzz/U64CSHtz/EQJ/z3dOzt+BqX77cwStKx0v6fhb8WH/mSnR7QXaYqtWSdseo4INGBx+m0SQFt1LHn0mJ84/YVHOCbUvHIrl8pjvYMK8QwoDckCnrV4IzFhQytInQYp58eR/zmTRL6542OyC6yeFiVe1D6ofvgqWv3ae7tgqr7ftttvnGYoN+hB2/e2XUQi/19QCFmduPoPGfAcU+Jw9dI6OvDBiiNJhUd0Uma3UPXpJmxfHhA5zJSY1QDg+Pu5kNFs23fa557ezWLWW6T3AfpitpWqpT7QMIS6oBlcphCX0g41/ta97O4bER2EEWe0X6xH788uU78ju3FnTNU6cdA/qt0wPDs/g9M62+xt/BPhWeDQkf2gJQ2FATPJCRjQgOvIq+Z6l+G31PE1qd0CT7/FcwUYfTaIEGmUfbMrLhXWtl2jlMjKKM333K9/25PJL0TjDgVPC5jrCKvixSvitvvZS1OzLqxqzdjdsVV/+dgiQFruK6URx56uxXfoLO3fD4F+Pr+8uolF/zhPEhP590EZ9Uneq+tbHi7j9yiHDfg3VePtdGuDCWOkfV0v0peNpRuGMonv4M/mBj45GPLu1urI/4CtTB9ET0bPMjmA5mO3LaVITxy9cNF5oD38KtZ1i/OXJwYpM09c/BD9Jsb7IP8iQmpeolW0KNIzzByFan+RYbjd/4UZPvodcaD6tcq8/EWyLb34HZUGkh+39p4J0LYMcQVsiFOQlPKNvi+UiC+b7pAzb5mf5S8JOIOPmt2ke8n/zijP0O3tO5L80M7cDeB7WcvRS/Dn1kmIXhvSj23iM8/h9lcGAzt8+Qeam+2wz9/QOHZFTZWcNaR0dWeTyDFBbeLP7raDEYl8qKJroaWFXmi/DmKmyiBvwUOsluHrGlo0m2fATCJ7OP9N8DTYabDjG+wfrGe2pn45+SIzzn1CM5kykGZ1m8fA2vMziHKJ0Peq78Ch5k4vlxGdRS3SeChufgtZU/94Q2ixbUVnj5PkRzcV7V+z94O4J2Gr/O0lICbwyggy7zUO9Jg+agwQxyxCH9RPscPu1TqOcr5E1Nrh38vZ1BjRREDZoazMmlb2R9AgHCal7+nQL6RlreVqAWBFGg/VQhoGZuw79PVv55afpG1k9BOJHCP5h3s2VgasfSlt11F/rG74H3w21/1DD4zzZVE2hLJqqUG8hBVSKmD1NpXdY63fpRttGpPzTOsxIFXs7/AgAA///VU2iI" + return "eJysXU2T5CbSvs+vUPjyXl5P+Gv2Yw572nWsD7vrgw97IxDKknBLQAOq6vKv3wAkFVWCahL1HBzhnn4eEkiS/ELzbfMC16+NAHsa5eVT01huR/jafPNvsD+P8vLNp6bpwDDNleVSfG3+9qlpmuZnDmNnmpOWU7P8ZkNF1/zy68+//LdxVObzp6Y5+V/76iHfNoJOEA/l/tirgq9Nr+Wslp8kRnt3xM/Lr8XjxWO6UbYfroO+wPUidRf9PDO0+/PbAB7WyNM2vAYmdbegWuia9trYgZsGziDs5087MeBNSW1B70SJ5/+OIP8CSztqaaNhpBa6xsrGDrBxNx2cOYPGDtQ2PQjQ4becXEHgzxHf44LF0tKu02DM3d/l1+4dsd2ffywi/p9xSnCR+mUdo+Gi+eXXr+6vm5PUE41XL5bJyFkzIPxx5CDVKEWPE+k/rQF9pu6vm05O1Mnxd7ekl4GzIV61pgVHbzKCWT6BsXRSScE6agEn2G98Aq/fDuqULuxvZvRZufHJxMeRpzcMvzT/lBePutcupSVzGzZQ07QAotGzEFz0/++2MIwPTIout05n0IZLkZSRCwv93ekoEHM9jAtxMxvoEkdPMguWdDBaSpichd2dQb9CO5yi7KUKGBDO0uHG09JKJkfCOxCWn3jCWphBaruHckXYSI0h8kScVnO2t3kZqGWKMCmsliNpuTU73Lo1O+RyIK2mwjgVIe4/aDhX55/I3t4sYPUcpzSc+BsZQfR2KF4s0bvBiJNMn2hiqXLbaiwX3mBUTzrmQM98B66aPtTNnisi4M2SQSq85G2vyLJv1BAxT21Ct9PjOmg88Rp8veBKGksmRo0l1eYg4qg1Rd6WgOiIuRoyK+JMPgZqLNW2AuxFr7af8siqTVzwaZ4IV8RKS8eclmfQ9O0A+mZi/nTkgOLA8aBVB3s3ehWL15eRtjB6klLrwCZF3C8QJrtgnMuNIu8XcKmMhk5q5KIPRuxMx9J9XXF07KXmdphQq0KZ5Wfw50fOCKPvwbwbK6Agei4AtTgL5M5Pfg4IDl63HPRwXjBHdSOYwBjawxEKv1bB7a6g8fZdy9mCJoZVuhNH7uIi7KRGQ6xUyzHDbO4DFO88uRMAGqEdK2KSHe58giaaik5O2FMaPNmEhM8vCmv3A+RWcbkdEJCTpv0Ewm7OOfN7j7kKDzjpi5JOlGV3ew3L02PH6lrFch6pSO1J1nL5YdEorsg+THzfMndcA0vuRz5gip1C3E396FLi0B4AbxaEmyYZgHag99CMst+ff2MpeyEGN3fPkcD/cJTgx6MEe58BSfDlKMHe30ES/PkowV+OEvz1KMH339V4nPW26Yhx26JY4v6/BhflmMrh6wWHG7TWv1piKDzwNNLeEOrixvy9n4Gu9508nQxgnF2pL1R3zss2ltp5v5nP1PGsRPDfSMedbvUzN0N5HuzBPFYFQEYzYjU9nTgjXHSw9+ky6SFjq3BUqXHxJuqUMSYo9+tiFE6NV2em46fgyISYT0meUMzcRs2j5T4louEmx4kyK0sTO8GXwonuMZvzRtCh0kivoH9YzuNiLtEnJEli+B/7eeAoOmpp6UQ2F4Z2v1PmznlNXk1pONczrIUFfBQTI5EZGi2V2kLditT+gq+vDdwJgDfpDwLU3AlLKlEDNeVOI5PTJAVRWirQlgMiQJO3QlswEuXQfVpp76BlD8k+VsbpyuhsA6O6K5fXVwTKI1ewoN1FuVTWypHhAFRBLUxqpDZp9bJLeXFxHBuoEG4hi82lhxmTAGQt9JIrq1CtUMNFeDhRYjzULXdAX7vNn6AKWBgvLpZiB63FriMzLatHrsOGkQUVtQNXQsO4wUQ/lf0dQ1nNYK7GwkS44JZERXr8TLpZL0HWM4In04gI0LMIZ2xNzVbkZHsh9ZEbayWovTKFdCdc2NoJbPjqGWwM1bd+urRTdI3t60pFsKj0VxGxRqW/ShflBa4ujHKuenFIsK/WVooeV2srFHbzWpJ1sFxK0qHy1bNnqHWs4uzV3VjFqLnbqvi4rgcHjFUYh7asclgHPDgsvM4gGOACG4ek7EXIywhdDz6Ngia4cNG5SwwVFzrgrHtvrKTPceGwIRmN7aepxMWFeWTFWNHrKGkXgRFxAVeYwk9I9If5YQ6Ljz7u5Sw1H8dSK9zH5Qw6p7iloC3d51OGpag4ijbz5AtbrzPVUOxbRBa2iuCxlIqoAT5mv3H9JY/oDhQOfBMa3hRmb2tUyhngtTifAeaPiyFbtq5czvNPhA/Fm+F/X/q8Z+nOO3OFQyja+bS0V7piHWdyHIFZWZGmuoPicg8hwEc36S2wrZMUWUtd4FFz40KEX6zaBskttVdL4K/tq6hw2xzyxGuR2tS4ig6pzFCJdIanDjnrvqq9pqabznvUgm6FvromTEdwqHt2YVGbHLUadiP6iI5gNy+pee95RL9OiWigY3F7miPxL0+KDa7glrvIKmcN01upwSgpnCuEgp24hgsdR6yMoVP5rE/liVE85KzJqaIAVn+Jx949oyPCvW95XbcL2AG0AFvnp2/od1yPvE1fCZ4aj3zPvLTfv+JbiQJMaS41t9fSyQYUm42VE+jaUTc8dvgJrJYEziw1aFYhbyiL6CVUBuZOkgvXyWJAxphHoORgebMZIdcHJw8PyZ7ePYs1UMPVcEZHvG90EB/66Op0McLWq9btGOHWfSnX44PCxZvzt1tl+nrxKA2zihirgU6oKU/0jawUqHEdsLJOs8ZJU/eFsAHYi5mL7+EVa5hE9PRyUTlJLkh1FUsq+joDMhgyYHzTIm5+8V5UFJEe8GgdvMPja0kPq1wzgUcG/BTuGfCTuAVmDPTSvlz+omCNySqwHbV06ed3Pu3IacvH1IXYSjkCFc9rvKF9AHPJCbi420asPTLoho0IbObpVknDFdEiFh8oUJZr1yqOoXAJhVwMhWNxBErKZA9ApvS1InAuNhVSXCf+x9IXlkxKZm+Ne7AFNgj+OiOuTC7CS3TfIzaGBH66pS9/6/6gwshylP1e27MTt7PvsaiBgmD6qix0Vei2V+RMR95xe/Wdm8VHjCt3GIhRvFAneg3kBfay5TUIc+JvoW2oAeJjWxwu0YOC03UDq5e1lZuKj1fASkRjb1K3ES7ZNmL+DV0eu76/W6qztc/31sZHVe69b1jvydYO7MFVwybreO9NU6p5xDwzuiG1bHMXbSfndky4CP6mHrl4ISdN3TRRlcdbEfC+KxVhRNb0Qh3BTvyPeRSDwh+bQXSWl0yJerGGrP03eIsQs4QfF7PQ1shxtkBA60T7RU6H/Idp+BkLi01oOGK4UOYRXuFhJzjQfv6OA++nd7wHY8lAzeBu44TTkt4vD4jOUKYnvQyMsFUeKmerZks0FS5s5qXWKoGlpY8mPHbV6bqRH9G4sZeNCuKXBzNhqb2H4jRUozZ5O9o4/2JWysVunIx84ntZc4dylJcaGJPixH2aiYxwhv0VmwOmHBNv1HHOX4Kk5lFNigi37CmGoGot9MWqmmcBccTlMzBRYTkrTv2kSGaB+mCQ0vxM3Z3ivC+luUH2VZ25tjP1F3QIX7dHfOUt6XkO3O4+8sxzvQy4kcPbH2Kgz/nu6dVbcLUvX+7gFaXjJX0/C36sP3Mlur0gO0zVakm7Y1TwQbODD5NokoJbqeOvpMT5R2yqOcG2pWORXD7THWyYFwhhQG7IlPUrwRkLChnaRGgxT768j/lKmqV1T5sdEN3kcLGq9iH1w2fB0tfuU62twmr7fpttvrHYoB9hx+9eGbXQS309QGHm9iNo/FdAsc/JQ9fI6CsDhigNJtVdkcla3YOXpFlxfPgAZ3JSI5TDw+NuZoNF822fa147q7qlTPcJ7sN0JU1LdaJ9AGFJNaBSOCyhD2T8q33N2zk8NgI7yGKvSJ/Yj1++fEd+59aCrnnqtGNAv3V6YHgWv2eW1df4O9inwrMh4UNbAAobaoIHMrIRwYFX0fcs1W+j72lCqxOaZJ//CibqcBot0CDzaFtGNrxrrUw7h4VRlPG7L/m+v5ZHkt4JBpwIPtcRdtGXRcq18tZLWauRUTdmrTZuV1z9dwqSFLiK60Zx5Kmz3/kJOnfD41+Mr+8vo1J+zRPGh/x80kV8UnWq+9bGirv/xiHCfQ/WeflcG+HCWOocVUv3p+BpR+GOoXj5M/iDjY1HPrq0u7E+4itQB9MT0bPNj2A6mO3ISVMRxi9fN1xoDnwKt55h/ebIwYVN0tQ/Bz9Is73JPsiTWJSql2wJMY7wBCNbneZbbDRe8aMm30OvNR52uVaeibdEtr8Ds6HSQvb/0MA7F8COIeyQC3MSnlC2xfORpDxbvMMmv9JfCn4SESc/VfuI94tfnLHfwXs696WZoR3Y+6CWs5fi16GPDLMwvBfF3nuEx/+bDA5s5vYZMj+q7zZDf//AIRlVdtaw1tGRVR7PIIWFN4v/OloMxqWyooWuBlaV+SK8uQqbqAE/hU6ym0ds6WiSLR+B8MnsI/33QJPhpkPMb7C+8Z7a2fin5AjPOfVIzmSKwVkWP76G1xmcQ5TOBz0XfgUPMvH8uAxqqe4TQcNz8NrKn3tCm0ULaiu8fB+iuTiv6v0fvB1BO4lfZ2kpgTcG0EGXeaj3pEFz0GAGOeKQfqF9Dp/2KdTzHfKmJtcO/p5mUCMFUYOmBnNy6RtZn0CAsJqXf6eAvpGWtxWoBUEUaL9UCKiZ2/DPk5V/Xpq+kfVTEG5I4R/Mu9UyMLVjacvuqoW+8Xvg/XDTjxoG/9mmagJtyUSVchM5KErE9GEirdtaJ1s/yjY69YfmeVaiwMv5XwAAAP//WmxoCA==" } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json index 05db12395794..dc73be6acf35 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA-2.golden.json @@ -6,6 +6,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 763, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -51,6 +52,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 844, "community_id": "1:XaNCBbXLPvRPq4YmlYj+3C8LbyE=", "direction": "unknown", "iana_number": 6, @@ -60,6 +62,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 81, "ip": "192.168.0.2", "locality": "private", "port": 61775 @@ -73,6 +76,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 6207, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -118,6 +122,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 6288, "community_id": "1:ApLoUXZvqTmJTtS6gao5Sqg0kgQ=", "direction": "unknown", "iana_number": 6, @@ -127,6 +132,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 81, "ip": "192.168.0.2", "locality": "private", "port": 61776 @@ -140,6 +146,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 6207, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -185,6 +192,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 6288, "community_id": "1:ApLoUXZvqTmJTtS6gao5Sqg0kgQ=", "direction": "unknown", "iana_number": 6, @@ -194,6 +202,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 81, "ip": "192.168.0.2", "locality": "private", "port": 61776 @@ -207,6 +216,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 9075, "ip": "192.168.0.18", "locality": "private", "port": 80 @@ -252,6 +262,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 9156, "community_id": "1:64faG50xtU56JMAADXSJ0Lro5iE=", "direction": "unknown", "iana_number": 6, @@ -261,6 +272,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 81, "ip": "192.168.0.1", "locality": "private", "port": 56635 @@ -274,6 +286,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 9075, "ip": "192.168.0.18", "locality": "private", "port": 80 @@ -319,6 +332,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 9156, "community_id": "1:64faG50xtU56JMAADXSJ0Lro5iE=", "direction": "unknown", "iana_number": 6, @@ -328,6 +342,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 81, "ip": "192.168.0.1", "locality": "private", "port": 56635 @@ -341,6 +356,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 5536, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -386,6 +402,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 5617, "community_id": "1:8hx//bjfEFu4sYomYN8bh9DeMaQ=", "direction": "unknown", "iana_number": 6, @@ -395,6 +412,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 81, "ip": "192.168.0.2", "locality": "private", "port": 61773 @@ -408,6 +426,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 5536, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -453,6 +472,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 5617, "community_id": "1:8hx//bjfEFu4sYomYN8bh9DeMaQ=", "direction": "unknown", "iana_number": 6, @@ -462,6 +482,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 81, "ip": "192.168.0.2", "locality": "private", "port": 61773 @@ -543,6 +564,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 14179, "ip": "192.168.0.18", "locality": "private", "port": 80 @@ -588,6 +610,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 14248, "community_id": "1:IZ8RrSqt8oeb2F2Rp9296zm54bc=", "direction": "unknown", "iana_number": 6, @@ -597,6 +620,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 69, "ip": "192.168.0.1", "locality": "private", "port": 56649 @@ -610,6 +634,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 14179, "ip": "192.168.0.18", "locality": "private", "port": 80 @@ -655,6 +680,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 14248, "community_id": "1:IZ8RrSqt8oeb2F2Rp9296zm54bc=", "direction": "unknown", "iana_number": 6, @@ -664,6 +690,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 69, "ip": "192.168.0.1", "locality": "private", "port": 56649 @@ -745,6 +772,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 14178, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -790,6 +818,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 14247, "community_id": "1:E1vNamQGw5X+X+vT1g7ui6Nc3O0=", "direction": "unknown", "iana_number": 6, @@ -799,6 +828,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 69, "ip": "192.168.0.2", "locality": "private", "port": 61777 @@ -812,6 +842,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 14178, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -857,6 +888,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 14247, "community_id": "1:E1vNamQGw5X+X+vT1g7ui6Nc3O0=", "direction": "unknown", "iana_number": 6, @@ -866,6 +898,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 69, "ip": "192.168.0.2", "locality": "private", "port": 61777 @@ -947,6 +980,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 881, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -992,6 +1026,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 956, "community_id": "1:pkwcoe/zjCLerUgj+HGAwwt4wV8=", "direction": "unknown", "iana_number": 6, @@ -1001,6 +1036,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 75, "ip": "192.168.0.1", "locality": "private", "port": 56650 @@ -1014,6 +1050,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 881, "ip": "192.168.0.17", "locality": "private", "port": 80 @@ -1059,6 +1096,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 956, "community_id": "1:pkwcoe/zjCLerUgj+HGAwwt4wV8=", "direction": "unknown", "iana_number": 6, @@ -1068,6 +1106,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 75, "ip": "192.168.0.1", "locality": "private", "port": 56650 @@ -1149,6 +1188,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 14178, "ip": "192.168.0.18", "locality": "private", "port": 80 @@ -1194,6 +1234,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 14247, "community_id": "1:35/w0D/WO1QvBp8O+Vd95Nb+tt4=", "direction": "unknown", "iana_number": 6, @@ -1203,6 +1244,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 69, "ip": "192.168.0.1", "locality": "private", "port": 56651 @@ -1216,6 +1258,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 14178, "ip": "192.168.0.18", "locality": "private", "port": 80 @@ -1261,6 +1304,7 @@ "type": "netflow_flow" }, "network": { + "bytes": 14247, "community_id": "1:35/w0D/WO1QvBp8O+Vd95Nb+tt4=", "direction": "unknown", "iana_number": 6, @@ -1270,6 +1314,7 @@ "ip": "192.0.2.1" }, "source": { + "bytes": 69, "ip": "192.168.0.1", "locality": "private", "port": 56651 diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json index 223e3bc161d1..99db67a6ed81 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Huawei-Netstream.golden.json @@ -6,6 +6,7 @@ "Meta": null, "Fields": { "destination": { + "bytes": 0, "ip": "10.111.112.204", "locality": "private", "port": 2598 diff --git a/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json index 08f146cddcb3..2ff196e79506 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/ipfix_cisco.pcap.golden.json @@ -5,9 +5,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 719, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -56,13 +64,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 719, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 5, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 719, + "packets": 5 } }, "Private": null, @@ -72,9 +90,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 1477, + "packets": 6 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -123,13 +149,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 1477, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 6, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 1477, + "packets": 6 } }, "Private": null, @@ -139,9 +175,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 1, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 1 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -190,13 +234,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 1, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 2, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "bytes": 1, + "packets": 1 } }, "Private": null, @@ -206,9 +260,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 108580, + "packets": 79 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -257,13 +319,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 108580, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 79, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 108580, + "packets": 79 } }, "Private": null, @@ -273,9 +345,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 342, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -324,13 +404,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 342, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 5, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 342, + "packets": 5 } }, "Private": null, @@ -340,9 +430,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 1851, + "packets": 17 + }, + "destination": { + "bytes": 9437, + "packets": 18 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -391,13 +489,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 11288, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 35, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 9437, + "packets": 18 + }, + "source": { + "bytes": 1851, + "packets": 17 } }, "Private": null, @@ -407,9 +515,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 51480, + "packets": 39 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -458,13 +574,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 51480, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 39, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 51480, + "packets": 39 } }, "Private": null, @@ -474,9 +600,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 5135, + "packets": 55 + }, + "destination": { + "bytes": 36894, + "packets": 47 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -525,13 +659,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 42029, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 102, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 36894, + "packets": 47 + }, + "source": { + "bytes": 5135, + "packets": 55 } }, "Private": null, @@ -541,9 +685,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 6533, + "packets": 14 + }, + "destination": { + "bytes": 6400, + "packets": 20 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -592,13 +744,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 12933, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 34, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 6400, + "packets": 20 + }, + "source": { + "bytes": 6533, + "packets": 14 } }, "Private": null, @@ -608,9 +770,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 5684, + "packets": 491 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -659,13 +829,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 5684, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 491, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 5684, + "packets": 491 } }, "Private": null, @@ -675,9 +855,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 4965, + "packets": 13 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -726,13 +914,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 4965, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 13, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 4965, + "packets": 13 } }, "Private": null, @@ -742,9 +940,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 138, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -793,13 +999,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 138, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 6, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 138, + "packets": 4 } }, "Private": null, @@ -809,9 +1025,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 1, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -860,13 +1084,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 1, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 1, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 1, + "packets": 1 } }, "Private": null, @@ -876,9 +1110,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 6079, + "packets": 10 + }, + "destination": { + "bytes": 1571, + "packets": 13 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -927,13 +1169,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 7650, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 23, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 1571, + "packets": 13 + }, + "source": { + "bytes": 6079, + "packets": 10 } }, "Private": null, @@ -943,9 +1195,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 2807, + "packets": 6 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -994,13 +1254,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 2807, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 6, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 2807, + "packets": 6 } }, "Private": null, @@ -1010,9 +1280,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 0, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1061,13 +1339,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 0, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 1, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 0, + "packets": 1 } }, "Private": null, @@ -1077,9 +1365,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 1877, + "packets": 11 + }, + "destination": { + "bytes": 3409, + "packets": 7 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1128,13 +1424,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 5286, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 18, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 3409, + "packets": 7 + }, + "source": { + "bytes": 1877, + "packets": 11 } }, "Private": null, @@ -1144,9 +1450,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 2255, + "packets": 7 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1195,13 +1509,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 2255, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 7, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 2255, + "packets": 7 } }, "Private": null, @@ -1211,9 +1535,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 538, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1262,13 +1594,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 538, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 5, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 538, + "packets": 5 } }, "Private": null, @@ -1278,9 +1620,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 1487, + "packets": 21 + }, + "destination": { + "bytes": 6305, + "packets": 15 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1329,13 +1679,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 7792, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 36, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 6305, + "packets": 15 + }, + "source": { + "bytes": 1487, + "packets": 21 } }, "Private": null, @@ -1345,9 +1705,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 3110, + "packets": 7 + }, + "destination": { + "bytes": 1973, + "packets": 10 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1396,13 +1764,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 5083, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 17, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 1973, + "packets": 10 + }, + "source": { + "bytes": 3110, + "packets": 7 } }, "Private": null, @@ -1412,9 +1790,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 2, + "packets": 4 + }, + "destination": { + "bytes": 2, + "packets": 4 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1463,13 +1849,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 4, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 8, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 2, + "packets": 4 + }, + "source": { + "bytes": 2, + "packets": 4 } }, "Private": null, @@ -1479,9 +1875,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 2, + "packets": 2 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1530,13 +1934,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 2, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 4, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 2, + "packets": 2 } }, "Private": null, @@ -1546,9 +1960,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 0, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1597,13 +2019,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 0, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 6, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 0, + "packets": 4 } }, "Private": null, @@ -1613,9 +2045,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 1005, + "packets": 4 + }, + "destination": { + "bytes": 174, + "packets": 3 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1664,13 +2104,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 1179, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 7, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 174, + "packets": 3 + }, + "source": { + "bytes": 1005, + "packets": 4 } }, "Private": null, @@ -1680,9 +2130,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 138, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1731,13 +2189,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 138, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 6, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 138, + "packets": 4 } }, "Private": null, @@ -1747,9 +2215,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 31, + "packets": 2 + }, + "destination": { + "bytes": 0, + "packets": 1 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1798,13 +2274,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 31, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 3, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "bytes": 31, + "packets": 2 } }, "Private": null, @@ -1814,9 +2300,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 13482, + "packets": 17 + }, + "destination": { + "bytes": 8989, + "packets": 19 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1865,13 +2359,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 22471, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 36, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 8989, + "packets": 19 + }, + "source": { + "bytes": 13482, + "packets": 17 } }, "Private": null, @@ -1881,9 +2385,17 @@ "Timestamp": "2018-07-03T10:47:00Z", "Meta": null, "Fields": { + "client": { + "bytes": 28373, + "packets": 133 + }, + "destination": { + "bytes": 233345, + "packets": 236 + }, "event": { "action": "netflow_flow", - "category": "network_traffic", + "category": "network_session", "created": "2018-07-03T10:47:00Z", "kind": "event" }, @@ -1932,13 +2444,23 @@ "waasoptimization_segment": 16 }, "network": { + "bytes": 261718, "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "direction": "unknown", "iana_number": 6, + "packets": 369, "transport": "tcp" }, "observer": { "ip": "10.101.255.2" + }, + "server": { + "bytes": 233345, + "packets": 236 + }, + "source": { + "bytes": 28373, + "packets": 133 } }, "Private": null,