These elements of a YAF record correspond to the flow generally or to the forward portion of the flow. Elements common to all network flow objects are defined in the NetworkFlowLabelType (src ip address, ingress/egress interface).
| Field Name | Type | Description |
|---|---|---|
| Flow_Start_Milliseconds0..1 | IntegerObjectPropertyType |
Flow start time in milliseconds since 1970-01-01 00:00:00 UTC. |
| Flow_End_Milliseconds0..1 | IntegerObjectPropertyType |
Flow end time in milliseconds since 1970-01-01 00:00:00 UTC. |
| Octet_Total_Count0..1 | IntegerObjectPropertyType |
Number of octets in packets in forward direction of flow. May be encoded in 4 octets using IPFIX reduced-length encoding. |
| Packet_Total_Count0..1 | IntegerObjectPropertyType |
Number of packets in forward direction of flow. |
| Flow_End_Reason0..1 | HexBinaryObjectPropertyType |
The reason for Flow termination. It may contain SiLK-specific tags. The range of values may include the following: 0x01: idle timeout (the Flow was terminated because it was considered to be idle). 0x02: active timeout (the Flow was terminated for reporting purposes while it was still active, for example, after the maximum lifetime of unreported Flows was reached). 0x03: end of Flow detected (the Flow was terminated because the Metering Process detected signals indicating the end of the Flow, for example, the TCP FIN flag.) 0x04: forced end (the Flow was terminated because of some external event, for example, a shutdown of the Metering Process initiated by a network management application.) 0x05: lack of resources (the Flow was terminated because of lack of resources available to the Metering Process and/or the Exporting Process.) See http://www.iana.org/assignments/ipfix/ipfix.xml for more information. |
| SiLK_App_Label0..1 | IntegerObjectPropertyType |
The SiLK_App_Label is the port number that is traditionally used for that type of traffic (see the /etc/services file on most UNIX systems). For example, traffic that the flow generator recognizes as FTP will have a value of 21, even if that traffic is being routed through the standard HTTP/web port (80). |
| Payload_Entropy0..1 | IntegerObjectPropertyType |
Shannon Entropy calculation of the forward payload data. The calculation generates a real number value between 0.0 and 8.0. That number is then converted into an 8-bit integer value between 0 and 255. Roughly, numbers above 230 are generally compressed (or encrypted) and numbers centered around approximately 140 are English text. Lower numbers carry even less information content. |
| ML_App_Label0..1 | HexBinaryObjectPropertyType |
Machine-learning app label. |
| TCP_Flow0..1 | YAFTCPFlowType |
Contains TCP-related information of the network flow. |
| Vlan_ID_MAC_Addr0..1 | AddressObjectType |
The MAC address. |
| Passive_OS_Fingerprinting0..1 | PlatformSpecificationType |
OS name and version. |
| First_Packet_Banner0..1 | HexBinaryObjectPropertyType |
First forward packet IP payload. |
| Second_Packet_Banner0..1 | HexBinaryObjectPropertyType |
Second forward packet IP payload. |
| N_Bytes_Payload0..1 | HexBinaryObjectPropertyType |
Initial n bytes of forward direction of applications payload. |