Dest.stats vs Source.stats

How do we interpret in a document the value of dest.stats.net_packets_total vs source.stats.net_packets_total?
Is it the total packets received at destination IP and total packets sent from source IP?

Or

Total packets sent to destination IP and total packets received from source IP?

Very confusing. Please help me to understand this.

You can find the documentation here: https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-flows_event.html

I agree it's somewhat confusing in the docs. The source.stats namespace contains metrics on events produced by the source. That is, source.stats.net_packets_total is the total number of packets sent by the source.ip. The dest.stats.net_packets_total is the total number of packets sent by the dest.ip.

So dest.stats.net_packets_total is the total packets sent by dest.ip?

If the packets are sent by dest.ip, shouldn't it be recorded as source.ip since it is the "source"?

In addition, in the packetbeat documents we can see some source.ip and dest.ip with the same IP.

How do we differentiate what is source and dest since dest.ip can be the one sending the packets too?

Confusing...

> If the packets are sent by dest.ip, shouldn't it be recorded as source.ip since it is the "source"?

As packetbeat collects stats for the biflow (stats in both directions), one can argue about naming in either direction. Here I'd say no, as the IP and the stats of packets produced by that IP should be stored in the same namespace (in this case dest).

The source and destination IPs (ports) are determined by the first packets seen. If IPs are the same, also check the port numbers.
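A small added illustration (not Packetbeat's own code) of the rule described in the answer above: the direction of a biflow is fixed by the first packet seen, later packets are matched in either direction, and each side's counters live under its own namespace. The packet list is constructed; only the two net_packets_total fields are mentioned in the thread, the net_bytes_total siblings follow the same documented naming pattern.

```python
# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, bytes).
# Flow 1: a client talks to a server, the server answers with more packets.
# Flow 2: both endpoints share the same IP, so only the ports tell them apart.
PACKETS = [
    ("192.0.2.10", 51234, "198.51.100.20", 443, 120),
    ("198.51.100.20", 443, "192.0.2.10", 51234, 80),
    ("192.0.2.10", 51234, "198.51.100.20", 443, 500),
    ("198.51.100.20", 443, "192.0.2.10", 51234, 1400),
    ("198.51.100.20", 443, "192.0.2.10", 51234, 1400),
    ("10.0.0.5", 40000, "10.0.0.5", 8080, 60),
    ("10.0.0.5", 8080, "10.0.0.5", 40000, 200),
]


def new_flow(src_ip, src_port, dst_ip, dst_port):
    """The first packet seen decides which side is 'source' and which is 'dest'."""
    return {
        "source.ip": src_ip, "source.port": src_port,
        "dest.ip": dst_ip, "dest.port": dst_port,
        "source.stats.net_packets_total": 0, "source.stats.net_bytes_total": 0,
        "dest.stats.net_packets_total": 0, "dest.stats.net_bytes_total": 0,
    }


def aggregate_biflows(packets):
    """Group packets into biflows and count each direction under its own namespace."""
    flows = {}  # keyed by the 4-tuple of the first packet of the flow
    for src_ip, src_port, dst_ip, dst_port, nbytes in packets:
        fwd = (src_ip, src_port, dst_ip, dst_port)
        rev = (dst_ip, dst_port, src_ip, src_port)
        if fwd in flows:
            flow, side = flows[fwd], "source"  # same direction as first packet
        elif rev in flows:
            flow, side = flows[rev], "dest"    # reply direction: sent by dest.ip
        else:
            flow, side = new_flow(*fwd), "source"
            flows[fwd] = flow
        # Counters are attributed to the endpoint that produced the packet.
        flow[f"{side}.stats.net_packets_total"] += 1
        flow[f"{side}.stats.net_bytes_total"] += nbytes
    return list(flows.values())


if __name__ == "__main__":
    for flow in aggregate_biflows(PACKETS):
        print(flow)
```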
