Network Flow Log
This document was translated by ChatGPT
Without inserting any code into the application, DeepFlow automatically generates network flow logs for all services.
Database table name: flow_log.l4_flow_log.
# 1. Tags
List of automatically injected tags: IP, protocol, port, network header fields, collection location, cloud resources, K8s resources, K8s custom labels. Detailed field descriptions are as follows.
| Name | DisplayName | Description |
|---|---|---|
| _id | UID | |
| time | Time | Round end_time to seconds. |
| region | Region | |
| az | Availability Zone | |
| host | VM Hypervisor | Host running virtual machine. |
| chost | Cloud Host | Including virtual machines |
| vpc | VPC | |
| l2_vpc | Forwarding VPC | VPC where the MAC address is located. |
| subnet | Subnet | |
| router | Router | |
| dhcpgw | DHCP Gateway | |
| lb | Load Balancer | |
| lb_listener | Load Balancer Listener | |
| natgw | NAT Gateway | |
| redis | Redis | |
| rds | RDS | |
| pod_cluster | K8s Cluster | |
| pod_ns | K8s Namespace | |
| pod_node | K8s Node | |
| pod_ingress | K8s Ingress | |
| pod_service | K8s Service | |
| pod_group_type | K8s Workload Type | |
| pod_group | K8s Workload | Such as Deployment |
| pod | K8s POD | |
| service | Service | Deprecated, please use pod_service. |
| auto_instance_type | Auto Instance Type | The type of 'auto_instance'. |
| auto_instance | Auto Instance Tag | The instance of IP |
| auto_service_type | Auto Service Type | The type of 'auto_service'. |
| auto_service | Auto Service Tag | On the basis of 'auto_instance' |
| gprocess | Process | |
| tap_port_host | Tap Port Host | Deprecated, please use capture_nic_host. |
| tap_port_chost | Tap Port Cloud Host | Deprecated, please use capture_nic_chost. |
| tap_port_pod_node | Tap Port K8s Node | Deprecated, please use capture_nic_pod_node. |
| capture_nic_host | Host of Capture NIC | |
| capture_nic_chost | Cloud Host of Capture NIC | |
| capture_nic_pod_node | K8s Node of Capture NIC | |
| host_ip | VM Hypervisor | The management IP address of VM Hypervisor. |
| host_hostname | VM Hypervisor | The hostname of VM Hypervisor. |
| chost_ip | Cloud Host | The primary IP address of Cloud Host. |
| chost_hostname | Cloud Host | The hostname of Cloud Host. |
| pod_node_ip | K8s Node | The primary IP address of K8s Node. |
| pod_node_hostname | K8s Node | The hostname of K8s Node. |
| k8s.label | K8s Label | |
| k8s.annotation | K8s Annotation | |
| k8s.env | K8s Env | |
| cloud.tag | Cloud Tag | |
| os.app | OS APP | |
| biz_service.group | Biz Service Group | |
| eth_type | Ether Type | |
| vlan | VLAN TAG | |
| mac | MAC Address | |
| ip | IP Address | |
| is_ipv4 | IPv4 Flag | |
| is_internet | Internet IP Flag | Whether the IP address is an external Internet address. |
| province | Province | The province to which the Internet IP address belongs. |
| protocol | Network Protocol | |
| tunnel_tier | Tunnel Tiers | |
| tunnel_type | Tunnel Type | |
| tunnel_tx_id | TX Tunnel ID | |
| tunnel_rx_id | RX Tunnel ID | |
| tunnel_tx_ip | TX Tunnel IP Address | |
| tunnel_tx_ip_0 | TX Tunnel src IP Address | |
| tunnel_tx_ip_1 | TX Tunnel dst IP Address | |
| tunnel_rx_ip | RX Tunnel IP Address | |
| tunnel_rx_ip_0 | RX Tunnel src IP Address | |
| tunnel_rx_ip_1 | RX Tunnel dst IP Address | |
| tunnel_tx_mac | TX Tunnel MAC Address | |
| tunnel_tx_mac_0 | TX Tunnel src MAC Address | |
| tunnel_tx_mac_1 | TX Tunnel dst MAC Address | |
| tunnel_rx_mac | RX Tunnel MAC Address | |
| tunnel_rx_mac_0 | RX Tunnel src MAC Address | |
| tunnel_rx_mac_1 | RX Tunnel dst MAC Address | |
| client_port | Client Port | |
| server_port | Server Port | |
| tcp_flags_bit | TCP Flag Set | The set of TCP flags in all packets in the current natural minute. |
| syn_seq | Seq no. of SYN Packet | |
| syn_ack_seq | Seq no. of SYN-ACK Packet | |
| last_keepalive_seq | Seq no. of Heartbeat Packet | Seq number in the most recent heartbeat packet. |
| last_keepalive_ack | Ack no. of Heartbeat Packet | Ack number in the most recent heartbeat packet. |
| l7_protocol | Application Protocol | |
| request_domain | Request Domain | |
| flow_id | Flow ID | |
| aggregated_flow_ids | Aggregated Flow IDs | |
| start_time | Start Time | Unit: microseconds. Indicates the start time of the flow within the current natural minute |
| end_time | End Time | Unit: microseconds. Indicates the end time of the flow within the current natural minute. If the flow is closed within this minute |
| close_type | Flow Close Type | |
| status | Status | Determined by the close_type and protocol: Normal/ForceReport/Non-TCP timeout/Disconnected* = Normal |
| is_new_flow | New Flow Flag | |
| init_ipid | Initial IPID | |
| signal_source | Signal Source | |
| tap | Traffic Access Point | Deprecated, please use capture_network_type. |
| capture_network_type | Network Location | The network location for capturing traffic uses a fixed value (Cloud Network) to represent intra-cloud traffic |
| vtap | DeepFlow Agent | Deprecated, please use agent. |
| agent | DeepFlow Agent | |
| nat_source | NAT Source | |
| tap_port | TAP Port Identifier | Deprecated |
| tap_port_name | TAP Port Name | Deprecated |
| tap_port_type | TAP Port Type | Deprecated |
| capture_nic | Capture NIC ID | When the value of tap_port_type is 'Local NIC' |
| capture_nic_name | Capture NIC Name | When the value of tap_port_type is 'Local NIC' |
| capture_nic_type | Capture NIC Type | Indicates the type of traffic collection location |
| tap_side | TAP Side | Deprecated |
| observation_point | Observation Point | The logical location of the collection location in the traffic path |
| l2_end | Boundary of L2 Network | Indicates whether the traffic is collected on the client NIC or the server NIC. |
| l3_end | Boundary of L3 Network | Indicates whether the traffic is collected in the Layer 2 network where the client or server is located. |
| has_pcap | PCAP File | Whether the PCAP file is stored |
| nat_real_ip | NAT IP Address | The real IP address before (after) NAT |
| nat_real_port | NAT Port | The real port number before NAT works |
# 2. Metrics
List of metrics: throughput, load, latency, TCP anomalies, retransmissions, zero window. Detailed field descriptions are as follows.
| Field | DisplayName | Unit | Description |
|---|---|---|---|
| byte | Byte | Byte | |
| byte_tx | Byte TX | Byte | |
| byte_rx | Byte RX | Byte | |
| total_byte_tx | Total Byte TX | Byte | |
| total_byte_rx | Total Byte RX | Byte | |
| packet | Packet | Packet | |
| packet_tx | Packet TX | Packet | |
| packet_rx | Packet RX | Packet | |
| total_packet_tx | Total Packet TX | Packet | |
| total_packet_rx | Total Packet RX | Packet | |
| l3_byte | L3 Payload | Byte | |
| l3_byte_tx | L3 Payload TX | Byte | |
| l3_byte_rx | L3 Payload RX | Byte | |
| bpp | Bytes per Packet | Byte | |
| bpp_tx | Bytes per Packet TX | Byte | |
| bpp_rx | Bytes per Packet RX | Byte | |
| new_flow | New Flow | Flow | |
| closed_flow | Closed Flow | Flow | |
| syn_count | SYN Packet | Packet | |
| synack_count | SYN-ACK Packet | Packet | |
| l4_byte | L4 Payload | Byte | |
| l4_byte_tx | L4 Payload TX | Byte | |
| l4_byte_rx | L4 Payload RX | Byte | |
| direction_score | Direction Score | | The higher the score |
| log_count | Log Count | | |
| fin_count | TCP FIN Packets | Packet | |
| retrans_syn | SYN Retransmission | Packet | |
| retrans_synack | SYN-ACK Retransmission | Packet | |
| retrans | TCP Retransmission | Packet | |
| retrans_tx | TCP Client Retransmission | Packet | |
| retrans_rx | TCP Server Retransmission | Packet | |
| zero_win | TCP ZeroWindow | Packet | |
| zero_win_tx | TCP Client ZeroWindow | Packet | |
| zero_win_rx | TCP Server ZeroWindow | Packet | |
| retrans_syn_ratio | SYN Retrans. % | % | |
| retrans_synack_ratio | SYN-ACK Retrans. % | % | |
| retrans_ratio | TCP Retrans. % | % | |
| retrans_tx_ratio | TCP Client Retrans. % | % | |
| retrans_rx_ratio | TCP Server Retrans. % | % | |
| zero_win_ratio | TCP ZeroWindow % | % | |
| zero_win_tx_ratio | TCP Client ZeroWindow % | % | |
| zero_win_rx_ratio | TCP Server ZeroWindow % | % | |
| tcp_establish_fail | Error | Flow | |
| client_establish_fail | Client Error | Flow | |
| server_establish_fail | Server Error | Flow | |
| tcp_establish_fail_ratio | Error % | % | |
| client_establish_fail_ratio | Client Error % | % | |
| server_establish_fail_ratio | Server Error % | % | |
| tcp_transfer_fail | Transfer Error | Flow | All transfer errors. |
| tcp_transfer_fail_ratio | Transfer Error % | % | |
| tcp_rst_fail | RST | Flow | All RST errors. |
| tcp_rst_fail_ratio | RST % | % | |
| client_source_port_reuse | Est. - Client Port Reuse | Flow | |
| server_syn_miss | Est. - Server SYN Miss | Flow | |
| client_establish_other_rst | Est. - Client Other RST | Flow | |
| client_ack_miss | Est. - Client ACK Miss | Flow | |
| server_reset | Est. - Server Direct RST | Flow | |
| server_establish_other_rst | Est. - Server Other RST | Flow | |
| client_rst_flow | Transfer - Client RST | Flow | |
| server_rst_flow | Transfer - Server RST | Flow | |
| server_queue_lack | Transfer - Server Queue Overflow | Flow | |
| tcp_timeout | Transfer - TCP Timeout | Flow | |
| client_half_close_flow | Close - Client Half Close | Flow | |
| server_half_close_flow | Close - Server Half Close | Flow | |
| ooo | TCP Out-of-order | Packet | |
| ooo_tx | TCP TX Out-of-order | Packet | |
| ooo_rx | TCP RX Out-of-order | Packet | |
| rtt | Avg TCP Est. Delay | us | |
| tls_rtt | Avg TLS Est. Delay | us | |
| rtt_client | Avg TCP Est. Client Delay | us | |
| rtt_server | Avg TCP Est. Server Delay | us | |
| srt | Avg TCP/ICMP ACK Delay | us | |
| art | Avg Data Delay | us | |
| cit | Avg Client Idle Delay | us | |
| rtt_max | Max TCP Est. Delay | us | |
| tls_rtt_max | Max TLS Est. Delay | us | |
| rtt_client_max | Max TCP Est. Client Delay | us | |
| rtt_server_max | Max TCP Est. Server Delay | us | |
| srt_max | Max TCP/ICMP ACK Delay | us | |
| art_max | Max Data Delay | us | |
| cit_max | Max Client Idle Delay | us | |
| srt_sum | Total TCP/ICMP ACK Delay | us | |
| srt_count | TCP TCP/ICMP Delay Count | | |
| art_sum | Total Data Delay | us | |
| art_count | Data Delay Count | | |
| cit_sum | Total Client Idle Delay | us | |
| cit_count | Client Idle Delay Count | | |
| duration | Duration | us | The duration from start_time to the last packet (not end_time). |
| l7_request | Request | | |
| l7_response | Response | | |
| rrt | Avg App. Delay | us | |
| rrt_sum | Total App. Delay | us | |
| rrt_count | App. Delay Count | | |
| rrt_max | Max App. Delay | us | |
| l7_error | App. Error | | |
| l7_client_error | App. Client Error | | |
| l7_server_error | App. Server Error | | |
| l7_server_timeout | App. Server Timeout | | |
| l7_error_ratio | App. Error % | % | |
| l7_client_error_ratio | App. Client Error % | % | |
| l7_server_error_ratio | App. Server Error % | % | |
| l7_parse_failed | L7 Protocol Parse Failed | Packet | Cumulative number of application protocol parsing failures |
| row | Row Count | | |
# 3. Grafana Dashboard
Based on the above data, you can build rich dashboards using Grafana. We have pre-configured a Network - Flow Log dashboard in Grafana, as shown below:

Network Flow Log
You can also visit the DeepFlow Online Demo to see the effect.