The flows Task

Type: Source

Output: Flow

flows is a network flow capture Task. Flows are captured at flow creation time and on flow end. At creation time, the flow does not contain any statistics; on flow end, it contains the flow metrics.

Configuration options

flows has the following optional configuration options.

filter

filter accepts a subset of classic BPF syntax to filter which flows to capture. It supports [src|dst] host, [ip|ip6] [src|dst] port and [ip|ip6] [src|dst] portrange.

For example, to capture flows where one of the ports is 444:

filter:port 444

fullContainer

Default: false. Publish the full container metadata, including labels and annotations.

For example:

fullContainer:true

Conditions

flows will be produced by default for all processes. flows can be limited to processes with one of the following Conditions:

process.pid

Filter the flows to collect by process PID.

process.name

Filter the flows to collect by process name.

container.name

Filter the flows to collect by container name.

container.label

Filter the flows to collect by container label value.

Output

flow

map Holds the flow output.

flow.state

string State of the connection. Possible values:

  • started: Emitted when the flow starts and no data has yet been transmitted.

  • ongoing: Emitted during the lifetime of the flow.

  • ended: Emitted when the flow is closed.

flow.ts

uint64 Nanosecond-precision relative timestamp of when the event was produced. It is not an absolute timestamp (not Epoch), but it can still be used for precise timestamp comparison.

flow.startedAt

string Time when the flow started.

flow.endedAt

string Time when the flow ended.

flow.bytesRX

uint64 bytes received according to RFC4898 tcpEStatsAppHCThruOctetsReceived sum(delta(rcv_nxt)), or how many bytes were acked.

flow.bytesTX

uint64 bytes sent according to RFC4898 tcpEStatsPerfHCDataOctetsOut total number of data bytes sent.

flow.retransTX

uint32 Retransmitted packets out

flow.segsRX

uint32 RFC4898 tcpEStatsPerfSegsIn total number of segments in.

flow.segsTX

uint32 RFC4898 tcpEStatsPerfSegsOut The total number of segments sent.

flow.sRTT

uint32 Smoothed round trip time << 3 in usecs.

flow.rttVar

uint32 Smoothed mdev_max.

flow.rateDelivered

uint32 Saved rate sample: packets delivered.

flow.rateInterval

uint32 Saved rate sample: time elapsed.

flow.lostTX

uint32 Lost packets.

flow.windowRX

uint32 Current receiver window.

flow.oooPacketsRX

uint32 Received out-of-order packets, for tcpinfo.

flow.net.srcAddr

string Source IP address.

flow.net.dstAddr

string Destination IP address.

flow.net.srcPort

uint16 Source port.

flow.net.dstPort

uint16 Destination port.

flow.process

map Holds the Process information.

flow.process.pid

uint32 Process PID.

flow.process.ppid

uint32 Process Parent PID.

flow.process.name

string Process name.

flow.process.cmd

string Command line string.

flow.process.exe

string Executable name.

flow.process.uids

array of int32 User IDs.

flow.process.gids

array of int32 Group IDs.

flow.process.ns

string Namespace in the format of {device ID}-{inode number}.

flow.process.startedAt

string Time the process started.

flow.process.endedat

string Time the process ended.

flow.process.container

map Container information for process (if it is a container).

flow.process.container.ID

string ID of Container.

flow.process.container.Name

string Name of Container.

flow.process.container.Labels

map Map of string to string containing the Container labels.

flow.process.container.Image

string Name of Container Image.
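
The following is an added example, not code from the project: it pairs started and ended events using the fields documented above, so each finished flow is reported with its owning process, destination, duration and TCP metrics, and flows that never ended are listed separately. It assumes events arrive as nested maps (Python dicts here); the helper names _ev, flow_key and summarize are hypothetical, and the sample events and addresses are constructed.

```python
# Constructed sample events. Field names follow the Output section above;
# representing them as nested Python dicts is an assumption of this example.
def _ev(state, ts, pid, name, dport, **metrics):
    flow = {"state": state, "ts": ts,
            "net": {"srcAddr": "10.0.0.5", "srcPort": 40000 + pid % 1000,
                    "dstAddr": "192.0.2.10", "dstPort": dport},
            "process": {"pid": pid, "name": name}}
    flow.update(metrics)
    return {"flow": flow}

SAMPLE_EVENTS = [
    _ev("started", 1_000, 4121, "curl", 443),
    _ev("started", 1_500, 4200, "nc", 444),
    _ev("ongoing", 2_000, 4121, "curl", 443),
    _ev("ended", 5_001_000, 4121, "curl", 443, bytesTX=512, bytesRX=20480,
        segsTX=10, retransTX=1, sRTT=2400),
]

def flow_key(flow):
    """Identify a flow by owning PID plus the connection 4-tuple."""
    net = flow["net"]
    return (flow["process"]["pid"], net["srcAddr"], net["srcPort"],
            net["dstAddr"], net["dstPort"])

def summarize(events):
    """Pair started/ended events; return (summaries, keys of flows still open)."""
    open_flows, summaries = {}, []
    for event in events:
        flow = event["flow"]
        key = flow_key(flow)
        if flow["state"] == "started":
            open_flows[key] = flow["ts"]  # no statistics at creation time
        elif flow["state"] == "ended":
            started_ts = open_flows.pop(key, None)  # None: start was not seen
            segs_tx = flow.get("segsTX", 0)
            summaries.append({
                "process": flow["process"]["name"],
                "dst": f'{flow["net"]["dstAddr"]}:{flow["net"]["dstPort"]}',
                # flow.ts is relative, so only differences are meaningful
                "duration_ns": None if started_ts is None else flow["ts"] - started_ts,
                "bytes_tx": flow.get("bytesTX", 0),
                "bytes_rx": flow.get("bytesRX", 0),
                "srtt_us": flow.get("sRTT", 0) >> 3,  # documented as value << 3
                "retrans_ratio": flow.get("retransTX", 0) / segs_tx if segs_tx else 0.0,
            })
    return summaries, sorted(open_flows)

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

Flows left in the second return value have a started event but no ended event in the input, which is the set to review when looking for long-lived connections.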