Filter definitions
IOTA allows quick filtering for various metrics, based on the metadata that is extracted from the captured network traffic. On this page, you can find the filter types and their definitions. The metadata fields described below can be used for filtering traffic in the IOTA GUI, or via the IOTA API.
Field | Type | Description |
---|---|---|
ANALYSIS_SESSION_KEY_CUSTOM | String | User defined analysis session identifier, used to group records which are part of the same analysis session |
ANALYSIS_SESSION_KEY_RANDOM | String | Automatically generated session identifier (format: YYYYMMDDhhmmss… in nanoseconds) |
APP_LATENCY_MS | Nullable(Float64) | Sum of all TCP application latency measurements (in seconds, millisecond precision) |
APP_LATENCY_MS_AVG | Nullable(Float64) | Average of all TCP application latency measurements (in seconds, millisecond precision) |
APP_LATENCY_MS_MAX | Nullable(Float64) | Longest TCP application latency time measured (in seconds, millisecond precision) |
APP_LATENCY_MS_MIN | Nullable(Float64) | Smallest TCP application latency time measured (in seconds, millisecond precision) |
APPLICATION | Nullable(String) | Application detected in the flow (if it cannot be detected, the value of PROTOCOL_NAME is used) |
APPLICATION_SUB_TAG | Nullable(String) | Sub tag used to further group application/protocols |
APPLICATION_TAG | Nullable(String) | Tag used to group applications/protocols |
BROWSER_NAME | Nullable(String) | Client browser name |
BROWSER_VERSION | Nullable(String) | Client browser version |
CLIENT_HOST_NAME | Nullable(String) | Client hostname taken from DNS, DHCP, DHCPv6, mDNS, or NETBIOS (in that order of priority) |
CLIENT_HOST_NAME_DHCP | Nullable(String) | Client hostname gathered from DHCP |
CLIENT_HOST_NAME_DHCPV6 | Nullable(String) | Client hostname gathered from DHCPv6 |
CLIENT_HOST_NAME_DNS | Nullable(String) | Client hostname gathered from DNS |
CLIENT_HOST_NAME_MDNS | Nullable(String) | Client hostname gathered from mDNS |
CLIENT_HOST_NAME_NETBIOS | Nullable(String) | Client hostname gathered from NETBIOS |
DATE_PKT_MS_FIRST | DateTime64(3) | Date/time (with nanosecond precision) of the first packet from flow |
DATE_PKT_MS_LAST | Nullable(DateTime64(3)) | Date/time (with nanosecond precision) of the last packet from flow |
DST_IP_COUNTRY | Nullable(String) | Country associated with destination IP address (ISO 3166-1 alpha-2 codes) |
DST_IP_LOCATION_LATITUDE | Nullable(Float64) | Latitude (geographic coordinate) associated with destination IP address |
DST_IP_LOCATION_LONGITUDE | Nullable(Float64) | Longitude (geographic coordinate) associated with destination IP address |
DTMF_TONE_VOL_AVG | Nullable(Float64) | Average volume level taken from RTP EVENT (RFC 2833) packets |
DTMF_TONE_VOL_MAX | Nullable(UInt16) | Maximum volume level taken from RTP EVENT (RFC 2833) packets |
DTMF_TONE_VOL_MIN | Nullable(UInt16) | Minimum volume level taken from RTP EVENT (RFC 2833) packets |
EVENT_DATE_MS | DateTime64(3) | Date/time (with millisecond precision) that the flow record was created |
EVENT_TIMESTAMP_NS | UInt64 | Epoch timestamp (in nanoseconds) of the time the record was created |
EVENT_TYPE | String | Flow record type, possible values: initial_dump, tcp_latencies_dump, application_dump, base_finish_dump |
FLOW_DURATION_MILLISECONDS | Nullable(UInt32) | Flow duration (in milliseconds) |
FLOW_HASH_5TUPLE | Nullable(UInt32) | Hash of the 5-tuple that identifies a flow: source and destination IP, L4 protocol, and L4 source and destination ports |
FLOW_ID | UUID | Unique flow identifier (randomly generated) |
H323_CALL_ID | Nullable(String) | Call ID (callIdentifier) from H323 |
H323_DESTINATION_IP_ADDRESS | Nullable(String) | Destination IP address (destCallSignalAddress) from H323 |
H323_SOURCE_ID | Nullable(String) | Source ID (h323-ID) from H323 |
HIGHEST_PROTOCOL | Nullable(String) | Highest layer protocol detected in the flow |
HTTP_REQUEST_HOST | Nullable(String) | Host value from HTTP request header |
HTTP_REQUEST_URL | Nullable(String) | URL from HTTP request header |
HTTP_REQUEST_USERAGENT | Nullable(String) | User agent string from HTTP request header |
HTTP_REQUEST_X_FORWARDED_FOR | Nullable(String) | X-Forwarded-For value from HTTP request header |
HTTP_REQUEST_X_ONLINE_HOST | Nullable(String) | X-Online-Host value from HTTP request header |
HTTP_REQUEST_X_REQUESTED_WITH | Nullable(String) | X-Requested-With value from HTTP request header |
HTTP_REQUEST_X_SESSION_TYPE | Nullable(String) | X-Session-Type value from HTTP request header |
HTTP_REQUEST_X_STREAM_TYPE | Nullable(String) | X-Stream-Type value from HTTP request header |
HTTP_RESPONSE_CODE | Nullable(UInt32) | Response code from HTTP response |
IN_MPLS | Nullable(UInt16) | Inner MPLS header label number |
IN_VLAN | Nullable(UInt16) | Inner VLAN ID number (only when QinQ is present) |
IP_DST | String | IP destination address of the first packet detected in the flow |
IP_SRC | String | IP source address of the first packet detected in the flow |
IS_TUNNELED | Nullable(Bool) | Indicates whether the flow contains a tunnel |
LATENCY_SYN_SYNACK_NSEC | Nullable(UInt64) | Time between SYN and SYN-ACK of the TCP 3-way handshake (in nanoseconds) |
LATENCY_SYNACK_ACK_NSEC | Nullable(UInt64) | Time between SYN-ACK and ACK of the TCP 3-way handshake (in nanoseconds) |
MAC_DST | FixedString(17) | MAC destination address |
MAC_SRC | FixedString(17) | MAC source address |
OS_NAME | Nullable(String) | Client operating system name |
OS_VERSION | Nullable(String) | Client operating system version |
OUT_MPLS | Nullable(UInt16) | Outer MPLS header label number |
OUT_VLAN | Nullable(UInt16) | Outer VLAN ID number |
PAYLOAD_BYTES | Nullable(UInt64) | Total size of payloads from all packets |
PORT_DST | Nullable(UInt16) | L4 destination port |
PORT_SRC | Nullable(UInt16) | L4 source port number |
PROTOCOL_NAME | String | Protocol name |
PROTOCOL_STACK | Nullable(String) | Order of protocol headers found in the flow, separated by “ \| ” |
PROTOCOL_TAG | String | Type of traffic, for example: Messaging, Network Management, VoIP, etc. |
RTP_CONNECTION_ID | Nullable(String) | RTP connection ID |
RTT_MS | Nullable(Float64) | Round trip time of the TCP 3-way handshake (in seconds, millisecond precision) |
SERVER_HOST_ASNAME | Nullable(String) | AS (autonomous system) name associated with destination IP address |
SERVER_HOST_NAME | Nullable(String) | Server hostname taken from DNS, DHCP, DHCPv6, mDNS, or NETBIOS (in that order of priority) |
SERVER_HOST_NAME_DHCP | Nullable(String) | Server hostname gathered from DHCP |
SERVER_HOST_NAME_DHCPV6 | Nullable(String) | Server hostname gathered from DHCPv6 |
SERVER_HOST_NAME_DNS | Nullable(String) | Server hostname gathered from DNS |
SERVER_HOST_NAME_MDNS | Nullable(String) | Server hostname gathered from mDNS |
SERVER_HOST_NAME_NETBIOS | Nullable(String) | Server hostname gathered from NETBIOS |
SIP_CALL_ID | Nullable(String) | Call-ID taken from first SIP packet header |
SIP_FROM_URI | Nullable(String) | From URI taken from SIP header |
SIP_TO_URI | Nullable(String) | To URI taken from SIP header |
SIP_USER_AGENT | Nullable(String) | User-Agent taken from SIP header |
SRC_IP_COUNTRY | Nullable(String) | Country associated with source IP address (ISO 3166-1 alpha-2 codes) |
SRC_IP_LOCATION_LATITUDE | Nullable(Float64) | Latitude (geographic coordinate) associated with source IP address |
SRC_IP_LOCATION_LONGITUDE | Nullable(Float64) | Longitude (geographic coordinate) associated with source IP address |
START_FILE_NAME | Nullable(String) | Filename of the first file processed in the analysis session |
TCP_ACK_SUM | Nullable(UInt16) | Number of TCP packets with ACK set |
TCP_CLIENT_MSS | Nullable(UInt16) | TCP maximum segment size supported by the client |
TCP_CLIENT_SACK | Nullable(Bool) | TCP SACK supported by the client |
TCP_CLIENT_SYN | Nullable(UInt16) | Number of TCP packets with the SYN flag set and originating from the client side |
TCP_CLIENT_TOTAL_ZERO_WINDOW_DURATION | Nullable(UInt64) | Total TCP zero window duration forced by the client side (in nanoseconds) |
TCP_CLIENT_TS | Nullable(Bool) | TCP timestamp option supported by the client |
TCP_CLIENT_WS | Nullable(UInt8) | TCP window scale offered by the client |
TCP_FIN_SUM | Nullable(UInt16) | Number of TCP packets with FIN set |
TCP_SERVER_MSS | Nullable(UInt16) | TCP maximum segment size supported by the server |
TCP_SERVER_SACK | Nullable(Bool) | TCP SACK supported by the server |
TCP_SERVER_SYNACK | Nullable(UInt16) | Number of TCP packets with the SYN and ACK flags set and originating from the server side |
TCP_SERVER_TOTAL_ZERO_WINDOW_DURATION | Nullable(UInt64) | Total TCP zero window duration forced by the server side (in nanoseconds) |
TCP_SERVER_TS | Nullable(Bool) | TCP timestamp option supported by the server |
TCP_SERVER_WS | Nullable(UInt8) | TCP window scale offered by the server |
TCP_RST_SUM | Nullable(UInt16) | Number of TCP packets with RST set |
TIMESTAMP_FIRST_PKT_NS | UInt64 | Epoch timestamp (in nanoseconds) of the first packet from flow |
TIMESTAMP_LAST_PKT_NS | Nullable(UInt64) | Epoch timestamp (in nanoseconds) of the last packet from flow |
TLS_CIPHER | Nullable(String) | TLS cipher used |
TLS_CLIENT_VERSION | Nullable(String) | TLS version supported by the client |
TLS_FLOW_VERSION | Nullable(String) | TLS version used |
TLS_SERVER_NAMES | Nullable(String) | Fully qualified domain name of the server |
TLS_SERVER_VERSION | Nullable(String) | TLS version supported by the server |
TLS_VALID | Nullable(String) | “No” if there is a TLS Alert message or the TLS server name is not supplied, otherwise “Yes” |
TOTAL_IN_BYTES | Nullable(UInt64) | Total bytes from server to client |
TOTAL_IN_PACKETS | Nullable(UInt64) | Total packets from server to client |
TOTAL_OUT_BYTES | Nullable(UInt64) | Total bytes from client to server |
TOTAL_OUT_PACKETS | Nullable(UInt64) | Total packets from client to server |
TOTAL_TRANSACTION_COUNT | Nullable(UInt32) | Total number of TCP transactions measured |
TOTAL_TRANSACTION_TIME_MS | Nullable(Float64) | Sum of all TCP transactions (in seconds, millisecond precision) |
TOTAL_TRANSACTION_TIME_MS_AVG | Nullable(Float64) | Average of all TCP transactions (in seconds, millisecond precision) |
TOTAL_TRANSACTION_TIME_MS_MAX | Nullable(Float64) | Longest TCP transaction time measured (in seconds, millisecond precision) |
TOTAL_TRANSACTION_TIME_MS_MIN | Nullable(Float64) | Smallest TCP transaction time measured (in seconds, millisecond precision) |
TUNNEL_DST_IP | Nullable(String) | IP destination address of the outer IP header (only in the case of tunnel traffic, otherwise null) |
TUNNEL_DST_MAC | Nullable(FixedString(17)) | MAC destination address of the outer Ethernet header (only in the case of tunnel traffic, otherwise null) |
TUNNEL_IN_MPLS | Nullable(UInt16) | Inner MPLS label number of the outer L2 MPLS header (only in the case of tunnel traffic, with double MPLS at the outer L2 layer) |
TUNNEL_IN_VLAN | Nullable(UInt16) | Inner VLAN ID (802.1Q) of the outer Ethernet header (only in the case of tunnel traffic, with QinQ on the outer L2 header) |
TUNNEL_OUT_MPLS | Nullable(UInt16) | Outer MPLS label number of the outer L2 MPLS header (only in the case of tunnel traffic) |
TUNNEL_OUT_VLAN | Nullable(UInt16) | Outer VLAN ID (from 802.1ad tag if QinQ, otherwise from 802.1Q tag) of the outer Ethernet header (only in the case of tunnel traffic, with VLAN tag on the outer L2 header) |
TUNNEL_SRC_IP | Nullable(String) | IP source address of the outer IP header (only in the case of tunnel traffic, otherwise null) |
TUNNEL_SRC_MAC | Nullable(FixedString(17)) | MAC source address of the outer Ethernet header (only in the case of tunnel traffic, otherwise null) |
VOIP_CALL_ID | Nullable(String) | Call-ID used to correlate SIP/H323/H245/RTP/RTCP flows which are part of the same call |
VOIP_FROM_NAME | Nullable(String) | From name, taken from SIP or H323 |
VOIP_FROM_URI | Nullable(String) | From URI, taken from SIP or H323 |
VOIP_TO_URI | Nullable(String) | To URI, taken from SIP or H323 |
VOIP_TYPE | Nullable(String) | VoIP control protocol (either sip or h323) |