Table 2.
The description of flow data fields in CSV files.
| Column Name | Column Description |
|---|---|
| ID | Unique identifier |
| SRC_IP | Source IP address |
| DST_IP | Destination IP address |
| DST_ASN | Destination autonomous system number |
| SRC_PORT | Source port |
| DST_PORT | Destination port |
| PROTOCOL | Transport protocola |
| FLAG_CWR | TCP CWR flag presence in client to server transmission |
| FLAG_CWR_REV | TCP CWR flag presence in server to client transmission |
| FLAG_ECE | TCP ECE flag presence in client to server transmission |
| FLAG_ECE_REV | TCP ECE flag presence in server to client transmission |
| FLAG_URG | TCP URG flag presence in client to server transmission |
| FLAG_URG_REV | TCP URG flag presence in server to client transmission |
| FLAG_ACK | TCP ACK flag presence in client to server transmission |
| FLAG_ACK_REV | TCP ACK flag presence in server to client transmission |
| FLAG_PSH | TCP PSH flag presence in client to server transmission |
| FLAG_PSH_REV | TCP PSH flag presence in server to client transmission |
| FLAG_RST | TCP RST flag presence in client to server transmission |
| FLAG_RST_REV | TCP RST flag presence in server to client transmission |
| FLAG_SYN | TCP SYN flag presence in client to server transmission |
| FLAG_SYN_REV | TCP SYN flag presence in server to client transmission |
| FLAG_FIN | TCP FIN flag presence in client to server transmission |
| FLAG_FIN_REV | TCP FIN flag presence in server to client transmission |
| TLS_SNI | Server Name Indication domain |
| TLS_JA3 | JA3 fingerprint of TLS client |
| TIME_FIRST | Timestamp of the first packet in format YYYY-MM-DDTHH-MM-SS.ffffff |
| TIME_LAST | Timestamp of the last packet in format YYYY-MM-DDTHH-MM-SS.ffffff |
| DURATION | Duration of the flow in seconds |
| BYTES | Number of transmitted bytes from client to server |
| BYTES_REV | Number of transmitted bytes from server to client |
| PACKETS | Number of packets transmitted from client to server |
| PACKETS_REV | Number of packets transmitted from server to client |
| PPI b | Packet sequence in the format: [[inter-packet times], [packet diretions], [packet sizes]] |
| PPI_LEN | Number of packets in the PPI sequence |
| PPI_DURATION | Duration of the PPI sequence in seconds |
| PPI_ROUNDTRIPS | Number of roundtrips in the PPI sequence |
| PHIST_SRC_SIZES | Histogram of packet sizes from client to server |
| PHIST_DST_SIZES | Histogram of packet sizes from server to client |
| PHIST_SRC_IPT | Histogram of inter-packet times from client to server |
| PHIST_DST_IPT | Histogram of inter-packet times from server to client |
| APP | Web service label |
| CATEGORY | Service category |
| FLOW_ENDREASON_IDLE | Flow was terminated because it was idle |
| FLOW_ENDREASON_ACTIVE | Flow was terminated because it reached the active timeout |
| FLOW_ENDREASON_END | Flow ended with the TCP connection termination |
| FLOW_ENDREASON_OTHER | Flow was terminated for other reasons |
aTLS uses TCP as the transport protocol.
bPPI in field names stands for per-packet information, which is another common name for the packet sequences data.