Filter definitions
IOTA allows quick filtering for various metrics, based on the metadata that is extracted from the captured network traffic. On this page, you can find the filter types and their definitions. The metadata fields described below can be used for filtering traffic in the IOTA GUI, or via the IOTA API.
Field | Type | Description |
---|---|---|
FLOW_ID | UUID | Unique flow identifier (randomly generated) |
DATE_PKT_MS_FIRST | DateTime64(3) | Date/time (with nanosecond precision) of the first packet from flow |
TIMESTAMP_FIRST_PKT_NS | UInt64 | Epoch timestamp (in nanoseconds) of the first packet from flow |
ANALYSIS_SESSION_KEY_CUSTOM | String | User defined analysis session identifier, used to group records which are part of the same analysis session |
ANALYSIS_SESSION_KEY_RANDOM | String | Automatically generated session identifier (format: YYYYMMDDhhmmss… in nanoseconds) |
EVENT_DATE_MS | DateTime64(3) | Date/time (with millisecond precision) that the flow record was created |
EVENT_TIMESTAMP_NS | UInt64 | Epoch timestamp (in nanoseconds) of the time the record was created |
EVENT_TYPE | String | Flow record type, possible values: initial_dump, tcp_latencies_dump, application_dump, base_finish_dump |
START_FILE_NAME | Nullable(String) | Filename of the first file processed in the analysis session |
IP_SRC | String | IP source address of the first packet detected in the flow |
IP_DST | String | IP destination address of the first packet detected in the flow |
PORT_SRC | Nullable(UInt16) | L4 source port number |
PORT_DST | Nullable(UInt16) | L4 destination port |
PROTOCOL_NAME | String | Protocol name |
PROTOCOL_TAG | String | Type of traffic, for example Messaging, Network Management, VoIP, etc. |
IS_TUNNELED | Nullable(Bool) | Indicates whether the flow contains a tunnel |
TUNNEL_SRC_IP | Nullable(String) | IP source address of the outer IP header (only in the case of tunnel traffic, otherwise null) |
TUNNEL_DST_IP | Nullable(String) | IP destination address of the outer IP header (only in the case of tunnel traffic, otherwise null) |
TUNNEL_SRC_MAC | Nullable(FixedString(17)) | MAC source address of the outer Ethernet header (only in the case of tunnel traffic, otherwise null) |
TUNNEL_DST_MAC | Nullable(FixedString(17)) | MAC destination address of the outer Ethernet header (only in the case of tunnel traffic, otherwise null) |
TUNNEL_OUT_VLAN | Nullable(UInt16) | Outer VLAN ID (from 802.1ad tag if QinQ, otherwise from 802.1Q tag) of the outer Ethernet header (only in the case of tunnel traffic, with VLAN tag on the outer L2 header) |
TUNNEL_OUT_MPLS | Nullable(UInt16) | Outer MPLS label number of the outer L2 MPLS header (only in the case of tunnel traffic) |
TUNNEL_IN_VLAN | Nullable(UInt16) | Inner VLAN ID (802.1Q) of the outer Ethernet header (only in the case of tunnel traffic, with QinQ on the outer L2 header) |
TUNNEL_IN_MPLS | Nullable(UInt16) | Inner MPLS label number of the outer L2 MPLS header (only in the case of tunnel traffic, with double MPLS at the outer L2 layer) |
OUT_VLAN | Nullable(UInt16) | VLAN ID number |
OUT_MPLS | Nullable(UInt16) | Outer MPLS header label number |
IN_VLAN | Nullable(UInt16) | Inner VLAN ID number (only when QinQ is present) |
IN_MPLS | Nullable(UInt16) | Inner MPLS header label number |
FLOW_HASH_5TUPLE | Nullable(UInt32) | 5-tuple (source and destination IP, L4 protocol, and L4 source and destination ports) that identifies the flow |
MAC_SRC | FixedString(17) | MAC source address |
MAC_DST | FixedString(17) | MAC destination address |
SRC_IP_COUNTRY | Nullable(String) | Country associated with source IP address (ISO 3166-1 alpha-2 codes) |
SRC_IP_LOCATION_LONGITUDE | Nullable(Float64) | Longitude (geographic coordinate) associated with source IP address |
SRC_IP_LOCATION_LATITUDE | Nullable(Float64) | Latitude (geographic coordinate) associated with source IP address |
SERVER_HOST_ASNAME | Nullable(String) | AS (autonomous system) name associated with destination IP address |
DST_IP_COUNTRY | Nullable(String) | Country associated with destination IP address (ISO 3166-1 alpha-2 codes) |
DST_IP_LOCATION_LONGITUDE | Nullable(Float64) | Longitude (geographic coordinate) associated with destination IP address |
DST_IP_LOCATION_LATITUDE | Nullable(Float64) | Latitude (geographic coordinate) associated with destination IP address |
APPLICATION | Nullable(String) | Application in the flow (if undetectable, then it will be filled with value from PROTOCOL_NAME) |
APPLICATION_TAG | Nullable(String) | Tag used to group applications/protocols |
APPLICATION_SUB_TAG | Nullable(String) | Sub tag used to further group application/protocols |
RTT_MS | Nullable(Float64) | Round trip time of the TCP 3-way handshake (in seconds, millisecond precision) |
LATENCY_SYN_SYNACK_NSEC | Nullable(UInt64) | Time between SYN-SYNACK of the 3-way handshake (in nanoseconds) |
LATENCY_SYNACK_ACK_NSEC | Nullable(UInt64) | Time between SYNACK-ACK of the 3-way handshake (in nanoseconds) |
TCP_CLIENT_WS | Nullable(UInt8) | TCP window scale offered by the client |
TCP_SERVER_WS | Nullable(UInt8) | TCP window scale offered by the server |
TCP_CLIENT_SACK | Nullable(Bool) | TCP SACK supported by the client |
TCP_SERVER_SACK | Nullable(Bool) | TCP SACK supported by the server |
TCP_CLIENT_TS | Nullable(Bool) | TCP timestamp option supported by the client |
TCP_SERVER_TS | Nullable(Bool) | TCP timestamp option supported by the server |
TCP_CLIENT_MSS | Nullable(UInt16) | TCP maximum segment size supported by the client |
TCP_SERVER_MSS | Nullable(UInt16) | TCP maximum segment size supported by the server |
TIMESTAMP_LAST_PKT_NS | Nullable(UInt64) | Epoch timestamp (in nanoseconds) of the last packet from flow |
DATE_PKT_MS_LAST | Nullable(DateTime64(3)) | Date/time (with nanosecond precision) of the last packet from flow |
FLOW_DURATION_MILLISECONDS | Nullable(UInt32) | Flow duration (in milliseconds) |
PROTOCOL_STACK | Nullable(String) | Order of protocol headers found in the flow, separated by “ | ” |
HIGHEST_PROTOCOL | Nullable(String) | Highest layer protocol detected in the flow |
TOTAL_IN_PACKETS | Nullable(UInt64) | Total packets from server to client |
TOTAL_OUT_PACKETS | Nullable(UInt64) | Total packets from client to server |
TOTAL_IN_BYTES | Nullable(UInt64) | Total bytes from server to client |
TOTAL_OUT_BYTES | Nullable(UInt64) | Total bytes from client to server |
PAYLOAD_BYTES | Nullable(UInt64) | Total size of payloads from all packets |
TOTAL_TRANSACTION_COUNT | Nullable(UInt32) | Total number of TCP transactions measured |
TOTAL_TRANSACTION_TIME_MS | Nullable(Float64) | Sum of all TCP transactions (in seconds, millisecond precision) |
TOTAL_TRANSACTION_TIME_MS_MIN | Nullable(Float64) | Smallest TCP transaction time measured (in seconds, millisecond precision) |
TOTAL_TRANSACTION_TIME_MS_AVG | Nullable(Float64) | Average of all TCP transactions (in seconds, millisecond precision) |
TOTAL_TRANSACTION_TIME_MS_MAX | Nullable(Float64) | Longest TCP transaction time measured (in seconds, millisecond precision) |
APP_LATENCY_MS | Nullable(Float64) | Sum of all TCP application latency measurements (in seconds, millisecond precision) |
APP_LATENCY_MS_MIN | Nullable(Float64) | Smallest TCP application latency time measured (in seconds, millisecond precision) |
APP_LATENCY_MS_AVG | Nullable(Float64) | Average of all TCP application latency measurements (in seconds, millisecond precision) |
APP_LATENCY_MS_MAX | Nullable(Float64) | Longest TCP application latency time measured (in seconds, millisecond precision) |
TCP_CLIENT_SYN | Nullable(UInt16) | Number of TCP packets with the SYN flag set and originating from the client side |
TCP_SERVER_SYNACK | Nullable(UInt16) | Number of TCP packets with the SYN and ACK flags set and originating from the server side |
TCP_ACK_SUM | Nullable(UInt16) | Number of TCP packets with ACK set |
TCP_RST_SUM | Nullable(UInt16) | Number of TCP packets with RST set |
TCP_FIN_SUM | Nullable(UInt16) | Number of TCP packets with FIN set |
TCP_CLIENT_TOTAL_ZERO_WINDOW_DURATION | Nullable(UInt64) | Total TCP zero window duration forced by the client side (in nanoseconds) |
TCP_SERVER_TOTAL_ZERO_WINDOW_DURATION | Nullable(UInt64) | Total TCP zero window duration forced by the server side (in nanoseconds) |
CLIENT_HOST_NAME | Nullable(String) | Client hostname taken from DNS, DHCP, DHCPv6, mDNS, or NETBIOS (in that order of priority) |
SERVER_HOST_NAME | Nullable(String) | Server hostname taken from DNS, DHCP, DHCPv6, mDNS, or NETBIOS (in that order of priority) |
CLIENT_HOST_NAME_DNS | Nullable(String) | Client hostname gathered from DNS |
SERVER_HOST_NAME_DNS | Nullable(String) | Server hostname gathered from DNS |
CLIENT_HOST_NAME_DHCP | Nullable(String) | Client hostname gathered from DHCP |
SERVER_HOST_NAME_DHCP | Nullable(String) | Server hostname gathered from DHCP |
CLIENT_HOST_NAME_DHCPV6 | Nullable(String) | Client hostname gathered from DHCPv6 |
SERVER_HOST_NAME_DHCPV6 | Nullable(String) | Server hostname gathered from DHCPv6 |
CLIENT_HOST_NAME_MDNS | Nullable(String) | Client hostname gathered from mDNS |
SERVER_HOST_NAME_MDNS | Nullable(String) | Server hostname gathered from mDNS |
CLIENT_HOST_NAME_NETBIOS | Nullable(String) | Client hostname gathered from NETBIOS |
SERVER_HOST_NAME_NETBIOS | Nullable(String) | Server hostname gathered from NETBIOS |
OS_NAME | Nullable(String) | Client operating system name |
OS_VERSION | Nullable(String) | Client operating system version |
BROWSER_NAME | Nullable(String) | Client browser name |
BROWSER_VERSION | Nullable(String) | Client browser version |
HTTP_REQUEST_HOST | Nullable(String) | Host value from HTTP request header |
HTTP_REQUEST_URL | Nullable(String) | URL from HTTP request header |
HTTP_REQUEST_USERAGENT | Nullable(String) | User agent string from HTTP request header |
HTTP_REQUEST_X_FORWARDED_FOR | Nullable(String) | X-Forwarded-For value from HTTP request header |
HTTP_REQUEST_X_SESSION_TYPE | Nullable(String) | X-Session-Type value from HTTP request header |
HTTP_REQUEST_X_STREAM_TYPE | Nullable(String) | X-Stream-Type value from HTTP request header |
HTTP_REQUEST_X_ONLINE_HOST | Nullable(String) | X-Online-Host value from HTTP request header |
HTTP_REQUEST_X_REQUESTED_WITH | Nullable(String) | X-Requested-With value from HTTP request header |
HTTP_RESPONSE_CODE | Nullable(UInt32) | Response code from HTTP response |
TLS_SERVER_VERSION | Nullable(String) | TLS version supported by the server |
TLS_CLIENT_VERSION | Nullable(String) | TLS version supported by the client |
TLS_FLOW_VERSION | Nullable(String) | TLS version used |
TLS_SERVER_NAMES | Nullable(String) | Fully qualified domain name of the server |
TLS_CIPHER | Nullable(String) | TLS cipher used |
TLS_VALID | Nullable(String) | “No” if there is a TLS Alert Message or TLS server name is not supplied, otherwise “Yes” |
RTP_CONNECTION_ID | Nullable(String) | RTP connection ID |
DTMF_TONE_VOL_MIN | Nullable(UInt16) | Minimum volume level taken from RTP EVENT (RFC 2833) packets |
DTMF_TONE_VOL_AVG | Nullable(Float64) | Average volume level taken from RTP EVENT (RFC 2833) packets |
DTMF_TONE_VOL_MAX | Nullable(UInt16) | Maximum volume level taken from RTP EVENT (RFC 2833) packets |
SIP_CALL_ID | Nullable(String) | Call-ID taken from first SIP packet header |
SIP_TO_URI | Nullable(String) | To URI taken from SIP header |
SIP_FROM_URI | Nullable(String) | From URI taken from SIP header |
SIP_USER_AGENT | Nullable(String) | User-Agent taken from SIP header |
VOIP_CALL_ID | Nullable(String) | Call-ID used to correlate SIP/H323/H245/RTP/RTCP flows which are part of the same call |
VOIP_TYPE | Nullable(String) | VoIP control protocol (either sip or h323) |
VOIP_FROM_NAME | Nullable(String) | From name, taken from SIP or H323 |
VOIP_FROM_URI | Nullable(String) | From URI, taken from SIP or H323 |
VOIP_TO_URI | Nullable(String) | To URI, taken from SIP or H323 |
H323_CALL_ID | Nullable(String) | Call ID (callIdentifier) from H323 |
H323_SOURCE_ID | Nullable(String) | Source ID (h323-ID) from H323 |
H323_DESTINATION_IP_ADDRESS | Nullable(String) | Destination IP address (destCallSignalAddress) from H323 |