Implementation
The flow flex string version of the filter will provide the similar filtering capability as the updated display filter. The following are examples of the syntax used for the new filter:
|
Type
|
Syntax
|
Description
|
|---|---|---|
|
Exact Match
|
• flow.tcpFlags=ACK,FIN
• flow.tcpFlags.cwr=false & flow.tcpFlags.ece=false & flow.tcpFlags.urg=false & flow.tcpFlags.ack=true & flow.tcpFlags.psh=false & flow.tcpFlags.rst=false & flow.tcpFlags.syn=false & flow.tcpFlags.fin=true
|
• The TCP flags field must only contain the ACK and FIN flags.
• With the second form of the filter string all of the TCP flags must be specified.
• Drill downs on the TCP flags field will us
|
|
Exact Match
|
flow.tcpFlags=””
|
The TCP flags field must contain no TCP flags.
|
|
Contains Any
|
flow.tcpFlags.ack=true | flow.tcpFlags.fin=true
|
• The TCP flags field must contain the ACK or FIN flag. Note that flags set to false will be ignored when OR’ed together.
• Equivalent to the “contains any” display filter
|
|
Contains All
|
flow.tcpFlags.ack=true & flow.tcpFlags.fin=true
|
• The TCP flags field must contain both the ACK or FIN flags, but could contain other flags.
• Equivalent to the “contains all” display filter
|
|
Mixed
|
flow.tcpFlags.urg=false & flow.tcpFlags.ack=true & flow.tcpFlags.fin=true
|
• The TCP flags field must contain both the ACK or FIN flags, but could contain other flags except for the URG flag.
• The display filter does not support this type of matching
|
|
Mixed
|
flow.tcpFlags.ack= true | flow.tcpFlags.syn=true & flow.tcpFlags.fin=true
|
This is equivalent to flow.tcpFlags.ack= true | (flow.tcpFlags.syn=true & flow.tcpFlags.fin=true).
The TCP flags field must contain either the ACK flag or both SYN and FIN flags.
|
The values following the equals sign should be a non-case sensitive comma delimited list (with no spaces) consisting of the three character TCP flag values:
◦ CWR
◦ ECE
◦ URG
◦ ACK
◦ PSH
◦ RST
◦ SYN
◦ FIN
Generally, this filter should be AND’ed with the “flow.protocol=TCP” filter to ensure that this filter is only applied to TCP flows.
◦ Note that almost all TCP flags filtering will be using the raw flow store v1 because it is not a key in any long-term aggregated standard report. Currently, the only case where the long-term store might be used is with a custom report where the TCP flags field is the only key and the custom report is enabled for long-term aggregation.
◦ Support for this filter has not been added to the ClickHouse report filtering and there are no currently plans to do this.
Most reports do not display the “TCP Flags” field, although the TCP flags filter can be used with almost any flow report using the raw flow store v1 since most raw basic flow records contain the field. The only places the TCP flags field might be displayed are in the following:
◦ Top Analysis report
◦ Custom report with the TCP flags field added
◦ Engineering Console flow device view