CONN Protocol Fields

conn_state

The state of the connection. The set of possible values depends on the transport protocol in use.

  • UDP: States include CLT_SRV_UDP_SEEN (packets from both client and server observed), CLT_UDP_SEEN (only client packets observed), and SRV_UDP_SEEN (only server packets observed).

  • TCP: Tracks the client and server sides independently, using the prefixes CLT_ (client) and SRV_ (server), following the TCP state machine defined in the TCP RFCs. Additional states cover connections first seen mid-stream (TCP_MID_STREAM_SENT, TCP_MID_STREAM_REC) and the case where no state has been determined (TCP_STATE_NONE).

  • Other traffic: Indicates traffic that is neither UDP nor TCP, or an error case.

duration

The duration of the connection, in seconds.

history

A code that records the sequence of events observed on the connection. Each letter represents one event; uppercase letters are client-side (originator) events and lowercase letters are server-side (responder) events, so the order of letters reconstructs who did what first. Each event letter is recorded at most once per direction, so a retransmitted SYN still appears as a single S. For UDP the only event is d (packet with payload). For TCP the events are s (SYN), h (SYN-ACK), a (pure ACK or PUSH), d (packet with payload), f (FIN), and r (reset).
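The following is an added example, not code from the original page or the product it documents. It decodes a history code into a per-side event list using the letters defined above, then applies a few hunting heuristics over constructed CONN records (a completed handshake, a SYN with no reply, a SYN answered by a reset, a mid-stream TCP flow, and one- and two-way UDP). The ConnRecord structure, the classify labels, and the sample records are assumptions made for the example; the field names match the ones on this page.

```python
"""Decode the CONN `history` field and label connections from it.

Added example. The event table follows the page; ConnRecord, the labels
returned by classify() and SAMPLE_RECORDS are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Event letters as documented for the history field (lowercase form).
# Uppercase = client (originator) side, lowercase = server (responder) side.
HISTORY_EVENTS = {
    "s": "SYN",
    "h": "SYN-ACK",
    "a": "ACK",
    "d": "payload",
    "f": "FIN",
    "r": "RST",
}


def decode_history(history: str) -> List[Tuple[str, str]]:
    """Return [(side, event), ...] in the order the letters appear.

    Letters not in the table are kept as 'unknown:<letter>' instead of
    being dropped, so an unexpected code is still visible to the analyst.
    """
    events = []
    for ch in history:
        side = "client" if ch.isupper() else "server"
        events.append((side, HISTORY_EVENTS.get(ch.lower(), f"unknown:{ch}")))
    return events


@dataclass
class ConnRecord:
    # Subset of CONN fields used here (assumed container, not the product's API).
    proto: str
    duration: float
    history: str
    orig_bytes: int
    resp_bytes: int
    orig_pkts: int
    resp_pkts: int


def classify(rec: ConnRecord) -> str:
    """Heuristic label derived only from history, proto and byte counts."""
    ev = decode_history(rec.history)
    client = {e for s, e in ev if s == "client"}
    server = {e for s, e in ev if s == "server"}
    if rec.proto == "TCP":
        if "SYN" in client and not server:
            return "no-response"      # filtered port, dead host, or scan probe
        if "SYN" in client and "RST" in server and "SYN-ACK" not in server:
            return "rejected"         # closed port: SYN answered with RST
        if "SYN" not in client and "SYN-ACK" not in server:
            return "mid-stream"       # sensor did not see the handshake
        if "payload" in client and "payload" not in server and rec.resp_bytes == 0:
            return "client-data-only" # data pushed up, nothing ever came back
        return "established"
    if rec.proto == "UDP":
        return "bidirectional" if {"payload"} <= client and {"payload"} <= server else "unidirectional"
    return "other"


def history_matches_bytes(rec: ConnRecord) -> bool:
    """Consistency check: a 'd'/'D' event implies payload bytes in that direction."""
    ev = decode_history(rec.history)
    client_data = any(s == "client" and e == "payload" for s, e in ev)
    server_data = any(s == "server" and e == "payload" for s, e in ev)
    return (client_data == (rec.orig_bytes > 0)) and (server_data == (rec.resp_bytes > 0))


# Constructed sample records (not captured data).
SAMPLE_RECORDS = [
    ConnRecord("TCP", 0.42, "ShADadFf", 512, 2048, 6, 5),   # full handshake, data both ways, FIN both ways
    ConnRecord("TCP", 3.00, "S", 0, 0, 3, 0),               # three SYN retries still record one S
    ConnRecord("TCP", 0.001, "Sr", 0, 0, 1, 1),             # server reset the SYN
    ConnRecord("TCP", 12.0, "AD", 900, 0, 4, 0),            # no SYN/SYN-ACK seen: mid-stream
    ConnRecord("TCP", 1.50, "ShADaf", 300, 0, 4, 3),        # client sent data, server only ACKed and closed
    ConnRecord("UDP", 0.05, "Dd", 64, 128, 1, 1),           # request and reply
    ConnRecord("UDP", 0.00, "D", 48, 0, 1, 0),              # one datagram, no reply
]


def classify_all(records: List[ConnRecord]) -> List[str]:
    return [classify(r) for r in records]


if __name__ == "__main__":
    for rec, label in zip(SAMPLE_RECORDS, classify_all(SAMPLE_RECORDS)):
        print(f"{rec.proto:3} {rec.history:9} {label:16} consistent={history_matches_bytes(rec)}")
```

The labels are a starting point for triage, not a replacement for conn_state: a run of "no-response" records from one client to many ports is the usual signature of a port scan, while "client-data-only" on an unusual port is worth a look as a one-way upload. The consistency check catches records where the history letters and the byte counters disagree, which usually means the sensor missed packets.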

orig_bytes

The total number of TCP/UDP payload bytes sent by the client (originator) during the connection. Packet headers are not counted.

orig_pkts

The number of packets sent by the originator (client), including packets without payload.

proto

The transport-layer protocol of the connection, for example IP, ICMP, TCP, or UDP.

resp_bytes

The total number of TCP/UDP payload bytes sent by the server (responder) during the connection. Packet headers are not counted.

resp_pkts

The number of packets sent by the responder (server), including packets without payload.

service

The application protocol detected on the connection. If more than one service is detected over the life of the flow, the field holds the last one detected.