CONN protocol fields

Conn protocol fields capture various aspects of network connections, including state, duration, event history, byte counts, packet counts, transport protocol, and application service information.

Fields available in the CONN protocol for connection analysis (each field name is followed by its description):

conn_state

Captures the state of the connection; the set of possible values depends on the transport protocol in use.

  • UDP: States are CLT_SRV_UDP_SEEN (packets from both client and server observed), CLT_UDP_SEEN (only client packets observed), and SRV_UDP_SEEN (only server packets observed).

  • TCP: The client and server states are tracked independently, using the prefixes CLT_ (client) and SRV_ (server), and follow the TCP state machine defined in the RFC. Additional states cover connections first observed mid-stream (TCP_MID_STREAM_SENT, TCP_MID_STREAM_REC) and the TCP_STATE_NONE state.

  • Other traffic: Indicates non-UDP and non-TCP traffic, or an error case.

duration

The duration of the connection, in seconds.

history

A code that records the sequence of events observed on the connection.

Each letter in the history code represents a specific event. Uppercase letters indicate client-side events, and lowercase letters indicate server-side events (the letters below are listed in lowercase; the same letter in uppercase denotes the client-side occurrence). Each event is recorded only once per direction.

  • For UDP, events include d (packet with payload).

  • For TCP, events include:

    • s (SYN)

    • h (SYN-ACK)

    • a (pure ACK or PUSH)

    • d (packet with payload)

    • f (FIN)

    • r (reset)
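As an added example that is not part of the original page, the following Python decodes a `history` code into per-side event lists using the letter table above, and combines it with `conn_state` and `proto` to label each connection (for example, a client SYN with no server-side events, or a UDP flow with only client packets). The labels (`tcp-syn-no-reply`, `udp-unanswered`, and so on) and the sample records are this example's own constructions; the page does not list the full set of CLT_/SRV_ TCP state values, so TCP records here are labelled from the history code plus the TCP_MID_STREAM_* states the page does name.

```python
"""Decode CONN `history` codes and label connections (added example)."""

# Event letters as given on the page; the key is the lowercase (server-side)
# form, and the uppercase form denotes the same event on the client side.
TCP_EVENTS = {
    "s": "SYN",
    "h": "SYN-ACK",
    "a": "ACK",      # pure ACK or PUSH
    "d": "payload",  # packet with payload
    "f": "FIN",
    "r": "reset",
}
UDP_EVENTS = {"d": "payload"}


def decode_history(history, proto):
    """Split a history code into client-side and server-side event names.

    Letters not in the table are kept as 'unknown:<letter>' rather than
    dropped, so an unexpected code is visible to the analyst.
    """
    table = {"TCP": TCP_EVENTS, "UDP": UDP_EVENTS}.get(proto.upper(), {})
    events = {"client": [], "server": []}
    for ch in history:
        side = "client" if ch.isupper() else "server"
        events[side].append(table.get(ch.lower(), f"unknown:{ch}"))
    return events


def classify(record):
    """Return a short label for one CONN record (labels are this example's own)."""
    proto = record["proto"].upper()
    state = record.get("conn_state", "") or ""
    ev = decode_history(record.get("history", ""), proto)
    if proto == "UDP":
        # UDP states are taken verbatim from the page.
        return {
            "CLT_UDP_SEEN": "udp-unanswered",
            "SRV_UDP_SEEN": "udp-server-only",
            "CLT_SRV_UDP_SEEN": "udp-bidirectional",
        }.get(state, "udp-other")
    if proto == "TCP":
        if state.startswith("TCP_MID_STREAM"):
            return "tcp-mid-stream"          # picked up after the handshake
        if "SYN" in ev["client"] and not ev["server"]:
            return "tcp-syn-no-reply"        # nothing seen from the server
        if "reset" in ev["server"] and "payload" not in ev["client"] + ev["server"]:
            return "tcp-rejected"            # server reset before any data
        if "payload" in ev["client"] + ev["server"]:
            return "tcp-data"
        return "tcp-no-data"
    return "other"                           # non-TCP/UDP traffic


def summarize(records):
    """Count records per label; useful as a first triage view of a conn log."""
    counts = {}
    for rec in records:
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records (not real log data). TCP records without a
# conn_state value omit it, since the page does not enumerate those values.
SAMPLE = [
    {"proto": "TCP", "history": "ShAdDafF", "service": "http"},
    {"proto": "TCP", "history": "S", "service": None},
    {"proto": "TCP", "history": "Sr", "service": None},
    {"proto": "TCP", "conn_state": "TCP_MID_STREAM_REC", "history": "AdD", "service": "ssl"},
    {"proto": "UDP", "conn_state": "CLT_UDP_SEEN", "history": "D", "service": "dns"},
    {"proto": "UDP", "conn_state": "CLT_SRV_UDP_SEEN", "history": "Dd", "service": "dns"},
    {"proto": "ICMP", "history": "", "service": None},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["proto"], rec.get("history", ""), "->", classify(rec))
    print(summarize(SAMPLE))
```

The `tcp-syn-no-reply` and `udp-unanswered` buckets are the ones worth counting per source address over time: a single host accumulating many of them is the classic signature of scanning or of a misconfigured client, and the history code lets you separate "no reply at all" from "server actively reset".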

orig_bytes

The total number of TCP or UDP payload bytes transmitted by the client during the connection.

orig_pkts

The number of packets sent by the originator.

proto

The transport-layer protocol of a connection, for example, IP, ICMP, TCP, or UDP.

resp_bytes

The total number of TCP or UDP payload bytes transmitted by the server during the connection.

resp_pkts

The number of packets sent by the responder.

service

A connection's application protocol. This value indicates the last detected service on the traffic flow.
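The byte, packet, duration and service fields are mostly useful in combination. As an added example that is not part of the original page, the following Python derives per-connection metrics from `orig_bytes`, `resp_bytes`, `orig_pkts`, `resp_pkts` and `duration` (upload ratio, throughput, average payload per packet), flags upload-heavy connections, and rolls bytes up per `service`. The thresholds, the `is_upload_heavy` rule and the sample records are this example's own constructions, and zero-duration or zero-byte records are handled explicitly so that ratios do not divide by zero.

```python
"""Derive metrics from CONN byte, packet, duration and service fields (added example)."""


def connection_metrics(record):
    """Compute ratios and rates for one record; None where undefined."""
    orig_b, resp_b = record["orig_bytes"], record["resp_bytes"]
    orig_p, resp_p = record["orig_pkts"], record["resp_pkts"]
    duration = record["duration"]
    total_b = orig_b + resp_b
    return {
        "total_bytes": total_b,
        # share of payload bytes sent by the client; None if no payload at all
        "upload_ratio": round(orig_b / total_b, 3) if total_b else None,
        # throughput over the connection; None for a zero-length connection
        "bytes_per_second": round(total_b / duration, 1) if duration > 0 else None,
        # average payload bytes per packet, per side; None if that side sent nothing
        "client_avg_payload": round(orig_b / orig_p, 1) if orig_p else None,
        "server_avg_payload": round(resp_b / resp_p, 1) if resp_p else None,
    }


def is_upload_heavy(record, min_orig_bytes=1_000_000, min_ratio=0.9):
    """Example rule (thresholds are arbitrary): large, mostly-outbound connection."""
    m = connection_metrics(record)
    return record["orig_bytes"] >= min_orig_bytes and (m["upload_ratio"] or 0.0) >= min_ratio


def bytes_by_service(records):
    """Roll up client/server bytes and connection counts per detected service."""
    totals = {}
    for rec in records:
        svc = rec.get("service") or "unknown"   # service may be unset
        bucket = totals.setdefault(svc, {"orig_bytes": 0, "resp_bytes": 0, "connections": 0})
        bucket["orig_bytes"] += rec["orig_bytes"]
        bucket["resp_bytes"] += rec["resp_bytes"]
        bucket["connections"] += 1
    return totals


# Constructed sample records (not real log data).
SAMPLE = [
    {"proto": "TCP", "service": "http", "duration": 2.5,
     "orig_bytes": 1200, "resp_bytes": 48000, "orig_pkts": 10, "resp_pkts": 40},
    {"proto": "TCP", "service": "ssl", "duration": 120.0,
     "orig_bytes": 2_400_000, "resp_bytes": 60_000, "orig_pkts": 2000, "resp_pkts": 900},
    {"proto": "UDP", "service": "dns", "duration": 0.0,
     "orig_bytes": 60, "resp_bytes": 140, "orig_pkts": 1, "resp_pkts": 1},
    {"proto": "TCP", "service": None, "duration": 0.0,
     "orig_bytes": 0, "resp_bytes": 0, "orig_pkts": 1, "resp_pkts": 0},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["service"], connection_metrics(rec), "upload-heavy:", is_upload_heavy(rec))
    print(bytes_by_service(SAMPLE))
```

Because `orig_bytes` and `resp_bytes` count payload only, a long-lived connection with many packets but few bytes (a low `client_avg_payload`) reads very differently from one carrying bulk data, and the per-service rollup makes a large outbound volume on an unexpected service stand out against the baseline for that service.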