gnat_model_list

Synopsis

[UNDER CONSTRUCTION]

Feature Categories

IP Address

IP address fields are used to identify the source and destination network addresses in a flow record.

Field	Description
saddr	Source IP address
daddr	Destination IP address

Numbers

Number fields are used to represent various measurement numbers associated with the flow record.

Field	Description
dur	UINTEGER
rtt	UINTEGER
ssmallpktcnt	UINTEGER
dsmallpktcnt	UINTEGER
slargepktcnt	UINTEGER
dlargepktcnt	UINTEGER
snonemptypktcnt	UINTEGER
dnonemptypktcnt	UINTEGER
sfirstnonemptycnt	USMALLINT
dfirstnonemptycnt	USMALLINT
smaxpktsize	USMALLINT
dmaxpktsize	USMALLINT
sstdevpayload	USMALLINT
dstdevpayload	USMALLINT

Numerical

Numerical values are used to represent numerical categories associated with the flow record.

Field	Description
sport	Source port number
dport	Destination port number
sentropy	Destination IP address
dentropy	Destination IP address
dvlan	Destination IP address
svlan	Destination IP address
sasn	Destination IP address
dasn	Destination IP address
pcr	producer/consumer ratio of payload data

String

String fields are used to represent textual information associated with the flow record.

Field	Description
proto	Source IP address
iflags	Destination IP address
uflags	Destination IP address
scountry	Destination IP address
dcountry	Destination IP address
spd	Destination IP address
ndpi_appid	Destination IP address
ndpi_category	Destination IP address
orien	Destination IP address

Timestamp

Timestamp fields are used to represent time-related information associated with the flow record.

Field	Description
stime	Start time of the flow

---

Field	Type	Description

Protocol and Network Information

---

Field	Type	Description
proto	VARCHAR	Protocol type (TCP, UDP, ICMP, etc.)
saddr	VARCHAR	Source IP address
daddr	VARCHAR	Destination IP address
sport	USMALLINT	Source port number
dport	USMALLINT	Destination port number

TCP-Specific Fields

---

Field	Type	Description
iflags	VARCHAR	Initial TCP flags observed in the flow
uflags	VARCHAR	Union of all TCP flags seen during the flow
stcpseq	UINTEGER	Source TCP sequence number
dtcpseq	UINTEGER	Destination TCP sequence number
stcpurg	UINTEGER	Source TCP urgent pointer count
dtcpurg	UINTEGER	Destination TCP urgent pointer count

VLAN Information

---

Field	Type	Description
svlan	USMALLINT	Source VLAN ID
dvlan	USMALLINT	Destination VLAN ID

Traffic Statistics

---

Field	Type	Description
spkts	UBIGINT	Number of packets from source to destination
dpkts	UBIGINT	Number of packets from destination to source
sbytes	UBIGINT	Number of bytes from source to destination
dbytes	UBIGINT	Number of bytes from destination to source

Entropy and Timing Analysis

---

Field	Type	Description
sentropy	UTINYINT	Source payload entropy (randomness measure)
dentropy	UTINYINT	Destination payload entropy (randomness measure)
siat	UBIGINT	Source inter-arrival time statistics
diat	UBIGINT	Destination inter-arrival time statistics
sstdev	UBIGINT	Source standard deviation of inter-arrival times
dstdev	UBIGINT	Destination standard deviation of inter-arrival times

Flow Classification

---

Field	Type	Description
spd	VARCHAR	Speed or rate classification
orient	VARCHAR	Flow orientation or direction classification

Hardware Addresses

---

Field	Type	Description
smac	VARCHAR	Source MAC address
dmac	VARCHAR	Destination MAC address

Geographical and ASN Information

Field	Type	Description
scountry	VARCHAR	Source IP country code
dcountry	VARCHAR	Destination IP country code
sasn	UINTEGER	Source Autonomous System Number
dasn	UINTEGER	Destination Autonomous System Number
sasnorg	VARCHAR	Source ASN organization name
dasnorg	VARCHAR	Destination ASN organization name

Deep Packet Inspection (nDPI)

---

Field	Type	Description
ndpi_appid	VARCHAR	Application ID identified by nDPI
ndpi_category	VARCHAR	Application category from nDPI classification

See Also

• gnat_command
• gnat_rule