Network flows format reference

This is the specification of the network flows format, used both internally and when exporting flows to Kafka.

The document is organized in two main categories: Labels and regular Fields. This distinction only matters when querying Loki. This is because Labels, unlike Fields, must be used in stream selectors.

If you are reading this specification as a reference for the Kafka export feature, you must treat all Labels and Fields as regular fields and ignore any distinctions between them that are specific to Loki.

Labels

SrcK8S_Namespace

  • Optional SrcK8S_Namespace: string

Source namespace


DstK8S_Namespace

  • Optional DstK8S_Namespace: string

Destination namespace


SrcK8S_OwnerName

  • Optional SrcK8S_OwnerName: string

Source owner, such as Deployment, StatefulSet, etc.


DstK8S_OwnerName

  • Optional DstK8S_OwnerName: string

Destination owner, such as Deployment, StatefulSet, etc.


FlowDirection

  • FlowDirection: FlowDirection (see the following section, Enumeration: FlowDirection)

Flow direction from the node observation point


_RecordType

  • Optional _RecordType: RecordType

Type of record: ‘flowLog’ for regular flow logs, or ‘allConnections’, ‘newConnection’, ‘heartbeat’, ‘endConnection’ for conversation tracking

Fields

SrcAddr

  • SrcAddr: string

Source IP address (IPv4 or IPv6)


DstAddr

  • DstAddr: string

Destination IP address (IPv4 or IPv6)


SrcMac

  • SrcMac: string

Source MAC address


DstMac

  • DstMac: string

Destination MAC address


SrcK8S_Name

  • Optional SrcK8S_Name: string

Name of the source matched Kubernetes object, such as Pod name, Service name, etc.


DstK8S_Name

  • Optional DstK8S_Name: string

Name of the destination matched Kubernetes object, such as Pod name, Service name, etc.


SrcK8S_Type

  • Optional SrcK8S_Type: string

Kind of the source matched Kubernetes object, such as Pod, Service, etc.


DstK8S_Type

  • Optional DstK8S_Type: string

Kind of the destination matched Kubernetes object, such as Pod, Service, etc.


SrcPort

  • Optional SrcPort: number

Source port


DstPort

  • Optional DstPort: number

Destination port


SrcK8S_OwnerType

  • Optional SrcK8S_OwnerType: string

Kind of the source Kubernetes owner, such as Deployment, StatefulSet, etc.


DstK8S_OwnerType

  • Optional DstK8S_OwnerType: string

Kind of the destination Kubernetes owner, such as Deployment, StatefulSet, etc.


SrcK8S_HostIP

  • Optional SrcK8S_HostIP: string

Source node IP


DstK8S_HostIP

  • Optional DstK8S_HostIP: string

Destination node IP


SrcK8S_HostName

  • Optional SrcK8S_HostName: string

Source node name


DstK8S_HostName

  • Optional DstK8S_HostName: string

Destination node name


Proto

  • Proto: number

L4 protocol


Interface

  • Optional Interface: string

Network interface


IfDirection

  • Optional IfDirection: InterfaceDirection (see the following section, Enumeration: InterfaceDirection)

Flow direction from the network interface observation point


Flags

  • Optional Flags: number

TCP flags


Packets

  • Optional Packets: number

Number of packets


Packets_AB

  • Optional Packets_AB: number

In conversation tracking, A to B packets counter per conversation


Packets_BA

  • Optional Packets_BA: number

In conversation tracking, B to A packets counter per conversation


Bytes

  • Optional Bytes: number

Number of bytes


Bytes_AB

  • Optional Bytes_AB: number

In conversation tracking, A to B bytes counter per conversation


Bytes_BA

  • Optional Bytes_BA: number

In conversation tracking, B to A bytes counter per conversation


IcmpType

  • Optional IcmpType: number

ICMP type


IcmpCode

  • Optional IcmpCode: number

ICMP code


PktDropLatestState

  • Optional PktDropLatestState: string

TCP state on the last dropped packet


PktDropLatestDropCause

  • Optional PktDropLatestDropCause: string

Cause of the latest drop


PktDropLatestFlags

  • Optional PktDropLatestFlags: number

TCP flags on the last dropped packet


PktDropPackets

  • Optional PktDropPackets: number

Number of packets dropped by the kernel


PktDropPackets_AB

  • Optional PktDropPackets_AB: number

In conversation tracking, A to B packets dropped counter per conversation


PktDropPackets_BA

  • Optional PktDropPackets_BA: number

In conversation tracking, B to A packets dropped counter per conversation


PktDropBytes

  • Optional PktDropBytes: number

Number of bytes dropped by the kernel


PktDropBytes_AB

  • Optional PktDropBytes_AB: number

In conversation tracking, A to B bytes dropped counter per conversation


PktDropBytes_BA

  • Optional PktDropBytes_BA: number

In conversation tracking, B to A bytes dropped counter per conversation


DnsId

  • Optional DnsId: number

DNS record id


DnsFlags

  • Optional DnsFlags: number

DNS flags for DNS record


DnsFlagsResponseCode

  • Optional DnsFlagsResponseCode: string

Parsed DNS header RCODE name


DnsLatencyMs

  • Optional DnsLatencyMs: number

Calculated time between response and request, in milliseconds


TimeFlowStartMs

  • TimeFlowStartMs: number

Start timestamp of this flow, in milliseconds


TimeFlowEndMs

  • TimeFlowEndMs: number

End timestamp of this flow, in milliseconds


TimeReceived

  • TimeReceived: number

Timestamp when this flow was received and processed by the flow collector, in seconds


TimeFlowRttNs

  • Optional TimeFlowRttNs: number

Flow Round Trip Time (RTT) in nanoseconds


_HashId

  • Optional _HashId: string

In conversation tracking, the conversation identifier


_IsFirst

  • Optional _IsFirst: string

In conversation tracking, a flag identifying the first flow


numFlowLogs

  • Optional numFlowLogs: number

In conversation tracking, a counter of flow logs per conversation

Enumeration: FlowDirection

Ingress

  • Ingress = "0"

Incoming traffic, from the node observation point


Egress

  • Egress = "1"

Outgoing traffic, from the node observation point


Inner

  • Inner = "2"

Inner traffic, with the same source and destination node
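
An added example, not part of the original reference or of the project's code: a consumer-side check for one exported record that enforces the non-Optional fields, maps the FlowDirection enumeration, and reconciles the mixed time units (milliseconds for TimeFlowStartMs and TimeFlowEndMs, seconds for TimeReceived). It assumes the Kafka export delivers each flow as a JSON object keyed by the field names above; the sample record, the triage rules, and the "NoError" spelling of a successful RCODE are constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Fields the reference lists without "Optional".
REQUIRED = ("FlowDirection", "SrcAddr", "DstAddr", "SrcMac", "DstMac",
            "Proto", "TimeFlowStartMs", "TimeFlowEndMs", "TimeReceived")
FLOW_DIRECTION = {"0": "Ingress", "1": "Egress", "2": "Inner"}  # enum from the page

# Constructed sample record (not captured from a real cluster).
SAMPLE = json.dumps({
    "SrcAddr": "10.128.2.14", "DstAddr": "10.128.0.10", "SrcMac": "0a:58:0a:80:02:0e",
    "DstMac": "0a:58:0a:80:02:01", "Proto": 17, "FlowDirection": "1",
    "SrcK8S_Namespace": "shop", "DstK8S_Namespace": "openshift-dns",
    "TimeFlowStartMs": 1700000000000, "TimeFlowEndMs": 1700000000250,
    "TimeReceived": 1700000001, "PktDropPackets": 3, "DnsFlagsResponseCode": "NXDomain",
})


def parse_flow(raw):
    """Validate one exported record and normalize its enum and time units."""
    rec = json.loads(raw)
    missing = [f for f in REQUIRED if f not in rec]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    for f in ("SrcAddr", "DstAddr"):
        ipaddress.ip_address(rec[f])  # raises ValueError if malformed
    # str() also accepts an exporter that emits the enum as a number (assumption).
    direction = FLOW_DIRECTION.get(str(rec["FlowDirection"]))
    if direction is None:
        raise ValueError(f"unknown FlowDirection: {rec['FlowDirection']!r}")
    return {**rec, "FlowDirection": direction,
            # TimeFlow*Ms are milliseconds, TimeReceived is seconds.
            "start": datetime.fromtimestamp(rec["TimeFlowStartMs"] / 1000, timezone.utc),
            "received": datetime.fromtimestamp(rec["TimeReceived"], timezone.utc),
            "duration_ms": rec["TimeFlowEndMs"] - rec["TimeFlowStartMs"]}


def triage(flow):
    """Hypothetical triage rules: return the reasons a flow deserves review."""
    reasons = []
    src, dst = flow.get("SrcK8S_Namespace"), flow.get("DstK8S_Namespace")
    if src and dst and src != dst:
        reasons.append(f"cross-namespace {src} -> {dst}")
    if flow.get("PktDropPackets", 0) > 0:
        reasons.append(f"{flow['PktDropPackets']} packets dropped")
    rcode = flow.get("DnsFlagsResponseCode")
    if rcode and rcode.lower() != "noerror":  # "NoError" spelling is assumed
        reasons.append(f"DNS response {rcode}")
    return reasons
```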