Filter definitions

IOTA allows quick filtering for various metrics, based on the metadata that is extracted from the captured network traffic. On this page, you can find the filter types and their definitions. The metadata fields described below can be used for filtering traffic in the IOTA GUI, or via the IOTA API.

Field Type Description
FLOW_ID UUID Unique flow identifier (randomly generated)
DATE_PKT_MS_FIRST DateTime64(3) Date/time (with nanosecond precision) of the first packet from the flow
TIMESTAMP_FIRST_PKT_NS UInt64 Epoch timestamp (in nanoseconds) of the first packet from the flow
ANALYSIS_SESSION_KEY_CUSTOM String User defined analysis session identifier, used to group records which are part of the same analysis session
ANALYSIS_SESSION_KEY_RANDOM String Automatically generated session identifier (format: YYYYMMDDhhmmss… in nanoseconds)
EVENT_DATE_MS DateTime64(3) Date/time (with millisecond precision) that the flow record was created
EVENT_TIMESTAMP_NS UInt64 Epoch timestamp (in nanoseconds) of the time the record was created
EVENT_TYPE String Flow record type, possible values: initial_dump, tcp_latencies_dump, application_dump, base_finish_dump
START_FILE_NAME Nullable(String) Filename of the first file processed in the analysis session
IP_SRC String IP source address of the first packet detected in the flow
IP_DST String IP destination address of the first packet detected in the flow
PORT_SRC Nullable(UInt16) L4 source port number
PORT_DST Nullable(UInt16) L4 destination port
PROTOCOL_NAME String Protocol name
PROTOCOL_TAG String Type of traffic, examples: Messaging, Network Management, VoIP, etc.
IS_TUNNELED Nullable(Bool) Indicates whether the flow contains a tunnel
TUNNEL_SRC_IP Nullable(String) IP source address of the outer IP header (only in the case of tunnel traffic, otherwise null)
TUNNEL_DST_IP Nullable(String) IP destination address of the outer IP header (only in the case of tunnel traffic, otherwise null)
TUNNEL_SRC_MAC Nullable(FixedString(17)) MAC source address of the outer Ethernet header (only in the case of tunnel traffic, otherwise null)
TUNNEL_DST_MAC Nullable(FixedString(17)) MAC destination address of the outer Ethernet header (only in the case of tunnel traffic, otherwise null)
TUNNEL_OUT_VLAN Nullable(UInt16) Outer VLAN ID (from 802.1ad tag if QinQ, otherwise from 802.1Q tag) of the outer Ethernet header (only in the case of tunnel traffic, with VLAN tag on the outer L2 header)
TUNNEL_OUT_MPLS Nullable(UInt16) Outer MPLS label number of the outer L2 MPLS header (only in the case of tunnel traffic)
TUNNEL_IN_VLAN Nullable(UInt16) Inner VLAN ID (802.1Q) of the outer Ethernet header (only in the case of tunnel traffic, with QinQ on the outer L2 header)
TUNNEL_IN_MPLS Nullable(UInt16) Inner MPLS label number of the outer L2 MPLS header (only in the case of tunnel traffic, with double MPLS at the outer L2 layer)
OUT_VLAN Nullable(UInt16) VLAN ID number
OUT_MPLS Nullable(UInt16) Outer MPLS header label number
IN_VLAN Nullable(UInt16) Inner VLAN ID number (only when QinQ is present)
IN_MPLS Nullable(UInt16) Inner MPLS header label number
FLOW_HASH_5TUPLE Nullable(UInt32) The 5-tuple identifies a flow by source and destination IP, L4 protocol, and L4 source and destination ports.
MAC_SRC FixedString(17) MAC source address
MAC_DST FixedString(17) MAC destination address
SRC_IP_COUNTRY Nullable(String) Country associated with source IP address (ISO 3166-1 alpha-2 codes)
SRC_IP_LOCATION_LONGITUDE Nullable(Float64) Longitude (geographic coordinate) associated with source IP address
SRC_IP_LOCATION_LATITUDE Nullable(Float64) Latitude (geographic coordinate) associated with source IP address
SERVER_HOST_ASNAME Nullable(String) AS (autonomous system) name associated with destination IP address
DST_IP_COUNTRY Nullable(String) Country associated with destination IP address (ISO 3166-1 alpha-2 codes)
DST_IP_LOCATION_LONGITUDE Nullable(Float64) Longitude (geographic coordinate) associated with destination IP address
DST_IP_LOCATION_LATITUDE Nullable(Float64) Latitude (geographic coordinate) associated with destination IP address
APPLICATION Nullable(String) Application in the flow (if undetectable, then it will be filled with value from PROTOCOL_NAME)
APPLICATION_TAG Nullable(String) Tag used to group applications/protocols
APPLICATION_SUB_TAG Nullable(String) Sub tag used to further group applications/protocols
RTT_MS Nullable(Float64) Round trip time of the TCP 3-way handshake (in seconds, millisecond precision)
LATENCY_SYN_SYNACK_NSEC Nullable(UInt64) Time between SYN-SYNACK of the 3-way handshake (in nanoseconds)
LATENCY_SYNACK_ACK_NSEC Nullable(UInt64) Time between SYNACK-ACK of the 3-way handshake (in nanoseconds)
TCP_CLIENT_WS Nullable(UInt8) TCP window scale offered by the client
TCP_SERVER_WS Nullable(UInt8) TCP window scale offered by the server
TCP_CLIENT_SACK Nullable(Bool) TCP SACK supported by the client
TCP_SERVER_SACK Nullable(Bool) TCP SACK supported by the server
TCP_CLIENT_TS Nullable(Bool) TCP timestamp option supported by the client
TCP_SERVER_TS Nullable(Bool) TCP timestamp option supported by the server
TCP_CLIENT_MSS Nullable(UInt16) TCP maximum segment size supported by the client
TCP_SERVER_MSS Nullable(UInt16) TCP maximum segment size supported by the server
TIMESTAMP_LAST_PKT_NS Nullable(UInt64) Epoch timestamp (in nanoseconds) of the last packet from the flow
DATE_PKT_MS_LAST Nullable(DateTime64(3)) Date/time (with nanosecond precision) of the last packet from the flow
FLOW_DURATION_MILLISECONDS Nullable(UInt32) Flow duration (in milliseconds)
PROTOCOL_STACK Nullable(String) Order of protocol headers found in the flow, separated by “ | ”
HIGHEST_PROTOCOL Nullable(String) Highest layer protocol detected in the flow
TOTAL_IN_PACKETS Nullable(UInt64) Total packets from server to client
TOTAL_OUT_PACKETS Nullable(UInt64) Total packets from client to server
TOTAL_IN_BYTES Nullable(UInt64) Total bytes from server to client
TOTAL_OUT_BYTES Nullable(UInt64) Total bytes from client to server
PAYLOAD_BYTES Nullable(UInt64) Total size of payloads from all packets
TOTAL_TRANSACTION_COUNT Nullable(UInt32) Total number of TCP transactions measured
TOTAL_TRANSACTION_TIME_MS Nullable(Float64) Sum of all TCP transactions (in seconds, millisecond precision)
TOTAL_TRANSACTION_TIME_MS_MIN Nullable(Float64) Smallest TCP transaction time measured (in seconds, millisecond precision)
TOTAL_TRANSACTION_TIME_MS_AVG Nullable(Float64) Average of all TCP transactions (in seconds, millisecond precision)
TOTAL_TRANSACTION_TIME_MS_MAX Nullable(Float64) Longest TCP transaction time measured (in seconds, millisecond precision)
APP_LATENCY_MS Nullable(Float64) Sum of all TCP application latency measurements (in seconds, millisecond precision)
APP_LATENCY_MS_MIN Nullable(Float64) Smallest TCP application latency time measured (in seconds, millisecond precision)
APP_LATENCY_MS_AVG Nullable(Float64) Average of all TCP application latency measurements (in seconds, millisecond precision)
APP_LATENCY_MS_MAX Nullable(Float64) Longest TCP application latency time measured (in seconds, millisecond precision)
TCP_CLIENT_SYN Nullable(UInt16) Number of TCP packets with the SYN flag set and originating from the client side
TCP_SERVER_SYNACK Nullable(UInt16) Number of TCP packets with the SYN and ACK flags set and originating from the server side
TCP_ACK_SUM Nullable(UInt16) Number of TCP packets with ACK set
TCP_RST_SUM Nullable(UInt16) Number of TCP packets with RST set
TCP_FIN_SUM Nullable(UInt16) Number of TCP packets with FIN set
TCP_CLIENT_TOTAL_ZERO_WINDOW_DURATION Nullable(UInt64) Total TCP zero window duration forced by the client side (in nanoseconds)
TCP_SERVER_TOTAL_ZERO_WINDOW_DURATION Nullable(UInt64) Total TCP zero window duration forced by the server side (in nanoseconds)
CLIENT_HOST_NAME Nullable(String) Client hostname taken from DNS, DHCP, DHCPv6, mDNS, or NETBIOS (in that order of priority)
SERVER_HOST_NAME Nullable(String) Server hostname taken from DNS, DHCP, DHCPv6, mDNS, or NETBIOS (in that order of priority)
CLIENT_HOST_NAME_DNS Nullable(String) Client hostname gathered from DNS
SERVER_HOST_NAME_DNS Nullable(String) Server hostname gathered from DNS
CLIENT_HOST_NAME_DHCP Nullable(String) Client hostname gathered from DHCP
SERVER_HOST_NAME_DHCP Nullable(String) Server hostname gathered from DHCP
CLIENT_HOST_NAME_DHCPV6 Nullable(String) Client hostname gathered from DHCPv6
SERVER_HOST_NAME_DHCPV6 Nullable(String) Server hostname gathered from DHCPv6
CLIENT_HOST_NAME_MDNS Nullable(String) Client hostname gathered from mDNS
SERVER_HOST_NAME_MDNS Nullable(String) Server hostname gathered from mDNS
CLIENT_HOST_NAME_NETBIOS Nullable(String) Client hostname gathered from NETBIOS
SERVER_HOST_NAME_NETBIOS Nullable(String) Server hostname gathered from NETBIOS
OS_NAME Nullable(String) Client operating system name
OS_VERSION Nullable(String) Client operating system version
BROWSER_NAME Nullable(String) Client browser name
BROWSER_VERSION Nullable(String) Client browser version
HTTP_REQUEST_HOST Nullable(String) Host value from HTTP request header
HTTP_REQUEST_URL Nullable(String) URL from HTTP request header
HTTP_REQUEST_USERAGENT Nullable(String) User agent string from HTTP request header
HTTP_REQUEST_X_FORWARDED_FOR Nullable(String) X-Forwarded-For value from HTTP request header
HTTP_REQUEST_X_SESSION_TYPE Nullable(String) X-Session-Type value from HTTP request header
HTTP_REQUEST_X_STREAM_TYPE Nullable(String) X-Stream-Type value from HTTP request header
HTTP_REQUEST_X_ONLINE_HOST Nullable(String) X-Online-Host value from HTTP request header
HTTP_REQUEST_X_REQUESTED_WITH Nullable(String) X-Requested-With value from HTTP request header
HTTP_RESPONSE_CODE Nullable(UInt32) Response code from HTTP response
TLS_SERVER_VERSION Nullable(String) TLS version supported by the server
TLS_CLIENT_VERSION Nullable(String) TLS version supported by the client
TLS_FLOW_VERSION Nullable(String) TLS version used
TLS_SERVER_NAMES Nullable(String) Fully qualified domain name of the server
TLS_CIPHER Nullable(String) TLS cipher used
TLS_VALID Nullable(String) “No” if there is a TLS Alert Message or TLS server name is not supplied, otherwise “Yes”
RTP_CONNECTION_ID Nullable(String) RTP connection ID
DTMF_TONE_VOL_MIN Nullable(UInt16) Minimum volume level taken from RTP EVENT (RFC 2833) packets
DTMF_TONE_VOL_AVG Nullable(Float64) Average volume level taken from RTP EVENT (RFC 2833) packets
DTMF_TONE_VOL_MAX Nullable(UInt16) Maximum volume level taken from RTP EVENT (RFC 2833) packets
SIP_CALL_ID Nullable(String) Call-ID taken from first SIP packet header
SIP_TO_URI Nullable(String) To URI taken from SIP header
SIP_FROM_URI Nullable(String) From URI taken from SIP header
SIP_USER_AGENT Nullable(String) User-Agent taken from SIP header
VOIP_CALL_ID Nullable(String) Call-ID used to correlate SIP/H323/H245/RTP/RTCP flows which are part of the same call
VOIP_TYPE Nullable(String) VoIP control protocol (either sip or h323)
VOIP_FROM_NAME Nullable(String) From name, taken from SIP or H323
VOIP_FROM_URI Nullable(String) From URI, taken from SIP or H323
VOIP_TO_URI Nullable(String) To URI, taken from SIP or H323
H323_CALL_ID Nullable(String) Call ID (callIdentifier) from H323
H323_SOURCE_ID Nullable(String) Source ID (h323-ID) from H323
H323_DESTINATION_IP_ADDRESS Nullable(String) Destination IP address (destCallSignalAddress) from H323
  • Last modified: June 6, 2024