3. Flow Checks

The Flow Checks API is only available from the Flow Checks Hooks.

Functions

function getStatus()

Get the complete status bitmap of the flow, which includes all the current problems of the flow.

Return
the flow status bitmap

function setStatus(table flow_status_type, int flow_score, int cli_score, int srv_score)

Set a bit in the flow status bitmap, effectively marking the flow as misbehaving.

Return
true if the flow status was updated, false if the flow status is unchanged.
Parameters
  • flow_status_type: the flow status to set. The possible values can be obtained by printing flow_consts.status_types
  • flow_score: the score (a quantitative indicator of the problem) to associate to this status
  • cli_score: the score increment on the client host.
  • srv_score: the score increment on the server host.

function clearStatus(table flow_status_type)

Clear a bit in the flow status bitmap.

Parameters
  • flow_status_type: the flow status to clear. The possible values can be obtained by printing flow_consts.status_types

function triggerStatus(table flow_status_type, table status_info, int flow_score, int cli_score, int srv_score)

Set a bit in the flow status bitmap and trigger an alert.

Parameters
  • flow_status_type: the flow status to set. The possible values can be obtained by printing flow_consts.status_types
  • status_info: a string message or lua table to associate to this status
  • flow_score: the score (a quantitative indicator of the problem) to associate to this status
  • cli_score: the score increment on the client host.
  • srv_score: the score increment on the server host.

function isStatusSet(int status_key)

Check if a bit in the flow status bitmap is set.

Return
true if the provided status is set, false otherwise
Parameters
  • status_key: the numeric ID of the status, e.g. flow_consts.status_types.status_blacklisted.status_key

function getFullInfo()

Get full information about the flow.

Return
a table with flow information, see Flow::lua
Note
This call is expensive and should be avoided. Use the other API methods when possible.

function isClientUnicast()

Check if the client of the flow is a unicast IP address.

Return
true if the client is unicast, false otherwise

function isServerUnicast()

Check if the server of the flow is a unicast IP address.

Return
true if the server is unicast, false otherwise

function isUnicast()

Check if both the client and the server of the flow are unicast IP addresses.

Return
true if the flow is unicast, false otherwise

function isRemoteToRemote()

Check if both the client and the server are remote hosts.

Return
true if the flow is remote to remote, false otherwise

function isLocalToRemote()

Check if the client is a local host and the server is a remote host.

Return
true if the flow is local to remote, false otherwise

function isRemoteToLocal()

Check if the client is a remote host and the server is a local host.

Return
true if the flow is remote to local, false otherwise

function isLocal()

Check if both the client and the server are local hosts.

Return
true if the flow is local, false otherwise

function isBlacklisted()

Check if the flow is blacklisted.

Return
true if blacklisted, false otherwise

function isTwhOK()

Check if the flow is TCP and the three-way handshake is completed.

Return
true if the flow is TCP and the 3WH is completed, false otherwise

function isBidirectional()

Check if the flow has seen packets in both directions.

Return
true if the flow is bidirectional, false otherwise

function getKey()

Get the unique flow key.

Return
the unique flow key.

function getFirstSeen()

Get the flow start Unix timestamp.

Return
the flow first seen.

function getLastSeen()

Get the Unix timestamp of the last time traffic for the flow was seen.

Return
the flow last seen.

function getDuration()

Get the total duration in seconds of the flow.

Return
the flow duration.

function getPacketsSent()

Get the client to server packets sent.

Return
the packets sent.

function getPacketsRcvd()

Get the client to server packets received.

Return
the packets received.

function getPackets()

Get the total packets seen for the flow.

Return
the total flow packets.

function getBytesSent()

Get the client to server bytes sent.

Return
the bytes sent.

function getBytesRcvd()

Get the client to server bytes received.

Return
the bytes received.

function getBytes()

Get the total bytes seen for the flow.

Return
the total flow bytes.

function getGoodputBytes()

Get the total goodput bytes seen for the flow.

Return
the total goodput flow bytes.

function getClientKey()

Get the unique key of the client.

Return
the client key.

function getServerKey()

Get the unique key of the server.

Return
the server key.

function getnDPICategoryName()

Get the detected nDPI category name of the flow.

Return
the flow nDPI category name.

function getnDPIProtocolName()

Get the detected nDPI protocol name of the flow.

Return
the flow nDPI protocol name.

function getnDPICategoryId()

Get the detected nDPI category ID of the flow.

Return
the flow nDPI category ID.

function getnDPIMasterProtoId()

Get the detected nDPI master protocol ID of the flow.

Return
the flow nDPI master protocol ID.

function getnDPIAppProtoId()

Get the detected nDPI application protocol ID of the flow.

Return
the flow nDPI application protocol ID.

function getDnsQuery()

Get the DNS query of the flow.

Return
the flow DNS query if found, an empty string otherwise.

function getClientCountry()

Get the client country code.

Return
the client country code if detected, nil otherwise.

function getServerCountry()

Get the server country code.

Return
the server country code if detected, nil otherwise.

function getTLSVersion()

Get the TLS version as a number.

Return
the TLS version number if detected, 0 otherwise.

function getnDPIMatchPacket()

Get the nDPI matching packet.

Return
the length and payload of the packet matching nDPI

function getScore()

Get the total flow score (see flow.setStatus).

Return
the flow score.

function isPassVerdict()

Check if the flow traffic is not blocked.

Return
true if the flow traffic is not blocked, false otherwise.
Note
This requires nEdge.
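The following flow check ties the API above together: it uses the cheap accessors (isBlacklisted, the direction helpers, the nDPI name getters) instead of the expensive getFullInfo, guards with isStatusSet so the alert is raised only once per flow, and calls triggerStatus with direction-aware host score increments. This is an added example, not code from the ntopng documentation or code base. The `flow` and `flow_consts` tables and every `flow.*` function used are the ones documented on this page; the module layout (a table with a `hooks` sub-table returned from the script), the `protocolDetected` hook name and its `now` argument, the `require("flow_consts")` line and the score values are assumptions and are marked as such in the comments.

```lua
-- Added example flow check (not part of ntopng). Runs inside the ntopng
-- Flow Checks Hooks, where the `flow` API documented above is available.
--
-- ASSUMPTION: status types are loaded via require("flow_consts").
local flow_consts = require("flow_consts")

-- ASSUMPTION: a flow check is a table with a `hooks` sub-table that is
-- returned from the script, and `protocolDetected(now)` is one of the hooks.
local script = {
  hooks = {},
}

-- Constructed score values for this example: the flow score is the
-- quantitative severity, the per-host values are the increments applied to
-- the client and server hosts by setStatus/triggerStatus.
local FLOW_SCORE = 100
local LOCAL_HOST_SCORE = 50   -- increment for the host on our own network
local REMOTE_HOST_SCORE = 10  -- increment for the host outside our network

-- Classify the flow direction with the page's helper functions.
local function flow_direction()
  if flow.isLocal() then return "local" end
  if flow.isLocalToRemote() then return "local_to_remote" end
  if flow.isRemoteToLocal() then return "remote_to_local" end
  if flow.isRemoteToRemote() then return "remote_to_remote" end
  return "unknown"
end

-- Weight the host score increments so the local endpoint of a blacklisted
-- flow accumulates score faster than the remote one (constructed policy).
local function host_scores(direction)
  if direction == "local_to_remote" then
    return LOCAL_HOST_SCORE, REMOTE_HOST_SCORE   -- cli_score, srv_score
  elseif direction == "remote_to_local" then
    return REMOTE_HOST_SCORE, LOCAL_HOST_SCORE
  elseif direction == "local" then
    return LOCAL_HOST_SCORE, LOCAL_HOST_SCORE
  end
  return REMOTE_HOST_SCORE, REMOTE_HOST_SCORE
end

function script.hooks.protocolDetected(now)
  local status = flow_consts.status_types.status_blacklisted

  -- Cheap accessor only: getFullInfo() is documented as expensive.
  if not flow.isBlacklisted() then
    return
  end

  -- isStatusSet() takes the numeric status_key; checking it first avoids
  -- re-triggering the alert every time the hook runs for this flow.
  if flow.isStatusSet(status.status_key) then
    return
  end

  local direction = flow_direction()
  local cli_score, srv_score = host_scores(direction)

  -- status_info may be a string or a Lua table; a table keeps the fields
  -- machine-readable for whoever consumes the alert.
  local info = {
    direction = direction,
    proto = flow.getnDPIProtocolName(),
    category = flow.getnDPICategoryName(),
    handshake_ok = flow.isTwhOK(),
    bidirectional = flow.isBidirectional(),
    first_seen = flow.getFirstSeen(),
    detected_at = now,
  }

  -- triggerStatus() sets the bit (like setStatus) and also raises the alert.
  flow.triggerStatus(status, info, FLOW_SCORE, cli_score, srv_score)
end

return script
```

After the first call, getScore() on the same flow reflects the FLOW_SCORE contribution and the isStatusSet guard short-circuits every later invocation of the hook, so the alert is raised once even though protocolDetected may be reached more than once for a long-lived flow.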