Format for flow_turn


#1

Wondering if anyone has created the Record format for the FLOW_TURN,
and possibly the Flow_Tick?

Also it seems like the contents of the FLOW_TURN could be under-reported because of what was mentioned about the Flow_Tick.

This is the doc in the 7.5 Trigger API Reference:

FLOW_TICK
Enables you to record information about a flow per amount of data or per turn. The FLOW_TICK event will run on every FLOW_TURN or every 128 packets, whichever occurs first. Also, L2 data is reset on every FLOW_TICK event which enables you to add data together at each tick. If counting throughput, collect data from FLOW_TICK events which provide more complete metrics than FLOW_TURN.

FLOW_TICK provides a means to periodically check for certain conditions on the flow, such as zero windows and Nagle delays, and then take an action, such as initiating a packet capture or sending a syslog message.

The following is an example of FLOW_TICK:

log("RTT " + Flow.roundTripTime);
Remote.Syslog.info(
  " eh_event=FLOW_TICK" +
  " ClientIP="+Flow.client.ipaddr+
  " ServerIP="+Flow.server.ipaddr+
  " ServerPort="+Flow.server.port+
  " ServerName="+Flow.server.device.dnsNames[0]+
  " RTT="+Flow.roundTripTime);

#2

Do you mind sharing a bit more about what you’re trying to accomplish?

If you’re trying to create records from flows, we’d suggest using the FLOW_RECORD trigger event.