
Flowmon User Guide

Flow Database Fields

  • Last Updated: April 5, 2026

This page contains descriptions of fields that can be saved and displayed on the Flowmon Collector.


TLS Main

All these fields are processed in protocol versions from SSL 3.0 up to TLS 1.2. For SSL 2.0, only the Server version is processed. Some fields are not processed for TLS 1.3 and above; see the "Notes" section of each field.


Content type

Description: Contains Content types of all TLS messages in a flow.

Structure: flags

Example: CCS-ALERT-HS-DATA

Filter: Filter Syntax

Possible values: Possible values

Source IPFIX element: FLOWMON_TLS_CONTENT_TYPE, pen=39499, id=330

Depends on monitoring port extension: TLS main


Handshake type

Description: Every TLS Handshake message has some Handshake type value. This field contains Handshake types of all TLS Handshake messages.

Structure: flags

Example: CH-SH-CER-SHD-NST

Filter: Filter Syntax

Possible values: Possible values

Source IPFIX element: FLOWMON_TLS_HANDSHAKE_TYPE, pen=39499, id=331

Depends on monitoring port extension: TLS main


Setup time

Description: Duration of TLS Handshake in milliseconds.

Structure: number of milliseconds

Example: 3.123 ms

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SETUP_TIME, pen=39499, id=332

Depends on monitoring port extension: TLS main

Notes: For protocol version TLS 1.2 and below (except SSL 2.0), the setup time is computed as the difference between the ClientHello message arrival time and the arrival time of the client or server ChangeCipherSpec message, whichever arrives later. For protocol version TLS 1.3, it is computed as the difference between the ClientHello message arrival time and the arrival time of the first ApplicationData message from the client after the first ApplicationData message from the server was received.


Server version

Description: Version of TLS protocol used in communication. It is chosen by the server and sent in the ServerHello message.

Structure: string or hexadecimal number

Example: TLS 1.3

Filter: Filter Syntax

Possible values: Possible values

Source IPFIX element: FLOWMON_TLS_SERVER_VERSION, pen=39499, id=333

Depends on monitoring port extension: TLS main


Server random ID

Description: Value of the field called “Random” in ServerHello message.

Structure: byte array

Example: 50839c9fe3bf7e9175dce3716adb1be4c8169f24f7c4a0122cb45fdfb52fd776

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SERVER_RANDOM, pen=39499, id=334

Depends on monitoring port extension: TLS main


Server session ID

Description: Session ID value from the ServerHello message.

Structure: byte array

Example: 98a0e4c3c67b22caf4af26022bd98b44b005dfd53b90b0a840902c47dcbe2330

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SERVER_SESSION_ID, pen=39499, id=335

Depends on monitoring port extension: TLS main


Server cipher suite

Description: Cipher suite used in communication. It is selected by the server and sent in the ServerHello message.

Structure: string or hexadecimal number

Example: RSA_WITH_AES_128_CBC_SHA

Filter: Filter Syntax

Possible values: Possible values

Source IPFIX element: FLOWMON_TLS_CIPHER_SUITE, pen=39499, id=336

Depends on monitoring port extension: TLS main


L7 protocol negotiation

Description: Application protocol contained in the TLS session (the upper layer protocol). It is sent in the ALPN extension (16) in the ServerHello message.

Structure: string

Example: http/1.1

Filter: Filter Syntax

Possible values: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

Source IPFIX element: FLOWMON_TLS_ALPN, pen=39499, id=337

Depends on monitoring port extension: TLS main

Notes: It is not possible to obtain this field in TLS protocol version 1.3 and above because it is encrypted.


Server name (SNI)

Description: The name of the server the client is connecting to. It is sent in the ClientHello message in the server_name extension (0).

Structure: string

Example: server.example.com

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SNI, pen=39499, id=338

Notes: The maximal length of the string is 63 characters. Longer strings are cut off from the right.

Depends on monitoring port extension: TLS main


Server name length

Description: Full length of the Server name (SNI) value.

Structure: number

Example: 25

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SNI_LENGTH, pen=39499, id=339

Depends on monitoring port extension: TLS main
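
Because Server name (SNI) is stored with at most 63 characters while Server name length keeps the full length, an exact watchlist comparison on the stored name can never match a longer host name. The following added example (not part of the Flowmon documentation) shows one way to handle this when post-processing exported records. The helper names and sample host names are constructed, and the example assumes that "cut off from the right" means the first 63 characters are kept.

```python
# Added example: helper names and sample host names are constructed.
SNI_MAX_STORED = 63  # maximal stored Server name (SNI) length stated above


def stored_record(full_name: str) -> tuple[str, int]:
    """Simulate what the collector keeps: (Server name, Server name length)."""
    return full_name[:SNI_MAX_STORED], len(full_name)


def match_watchlist(sni: str, sni_length: int, watchlist: set[str]):
    """Return (verdict, candidates) for one flow record.

    "exact"    - the stored name is complete and is on the watchlist
    "possible" - the name was truncated; listed names with the same full
                 length and the same first 63 characters are candidates
    "none"     - nothing on the watchlist is consistent with the record
    """
    name = sni.lower()
    if sni_length <= SNI_MAX_STORED:
        return ("exact", [name]) if name in watchlist else ("none", [])
    candidates = sorted(
        w for w in watchlist
        if len(w) == sni_length and w[:SNI_MAX_STORED] == name
    )
    return ("possible", candidates) if candidates else ("none", [])


# Two constructed 82-character names that differ only after character 63.
LONG_LISTED = "telemetry-" + "a" * 40 + ".tenant-0001.updates.example.net"
LONG_OTHER = "telemetry-" + "a" * 40 + ".tenant-0001.updates.example.org"
WATCHLIST = {"server.example.com", LONG_LISTED}


def demo() -> list[tuple[str, list[str]]]:
    """Run the matcher over three constructed records."""
    fulls = ["server.example.com", LONG_OTHER, "short.example.org"]
    return [match_watchlist(*stored_record(f), WATCHLIST) for f in fulls]


if __name__ == "__main__":
    for verdict, names in demo():
        print(verdict, names)
```

The second record was built from a name that is not on the watchlist, yet it is reported as "possible" because the differing part lies beyond the stored 63 characters; truncated matches therefore need confirmation from another field, such as Subject common name.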



TLS Client


Client version

Description: Highest (or preferred) protocol version the client offered to use in communication.

Structure: string or hexadecimal number

Example: TLS 1.3


Filter: Filter Syntax

Possible values: Possible values

Source IPFIX element: FLOWMON_TLS_CLIENT_VERSION, pen=39499, id=340

Depends on monitoring port extension: TLS client

Notes: In TLS version 1.2 and below, the value is sent in the ClientHello message header. In TLS version 1.3 the value is sent in the ClientHello message in the supported_versions extension (43).


Cipher suites

Description: First 8 cipher suites offered by the client in the ClientHello message.

Structure: list of hexadecimal numbers

Example: 0x12AB,0x4321,0x54AB

Filter: Filter Syntax

Possible values: Possible values

Source IPFIX element: FLOWMON_TLS_CIPHER_SUITES, pen=39499, id=341

Depends on monitoring port extension: TLS client


Client random ID

Description: Value of the field called “Random” in ClientHello message.

Structure: byte array

Example: 50839c9fe3bf7e9175dce3716adb1be4c8169f24f7c4a0122cb45fdfb52fd776

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_CLIENT_RANDOM, pen=39499, id=342

Depends on monitoring port extension: TLS client


Client session ID

Description: Session ID value from the ClientHello message.

Structure: byte array

Example: 98a0e4c3c67b22caf4af26022bd98b44b005dfd53b90b0a840902c47dcbe2330

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_CLIENT_SESSION_ID, pen=39499, id=343

Depends on monitoring port extension: TLS client


Extension types

Description: The first 28 extension types sent in the ClientHello message.

Structure: list of numbers

Example: 0,43,11

Filter: Filter Syntax

Possible values: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml

Source IPFIX element: FLOWMON_TLS_EXTENSION_TYPES, pen=39499, id=344

Depends on monitoring port extension: TLS client


Extension lengths

Description: The first 28 lengths of extensions sent in the ClientHello message.

Structure: list of numbers

Example: 124,53,25

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_EXTENSION_LENGTHS, pen=39499, id=345

Depends on monitoring port extension: TLS client


Elliptic curves

Description: The first 8 elliptic curves offered in the ClientHello message in the supported_groups extension (10).

Structure: list of strings or hexadecimal numbers

Example: x25519,secp224k1,ffdhe2048

Filter: Filter Syntax

Possible values: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8

Source IPFIX element: FLOWMON_TLS_ELLIPTIC_CURVES, pen=39499, id=346

Depends on monitoring port extension: TLS client


Elliptic curve point formats

Description: Elliptic curve point formats offered in ClientHello message in ec_point_formats extension (11).

Structure: list of strings or numbers

Example: uncompressed,ansiX962_compressed_prime

Filter: Filter Syntax

Possible values: Possible values

Source IPFIX element: FLOWMON_TLS_EC_POINT_FORMATS, pen=39499, id=347

Depends on monitoring port extension: TLS client


Client key length

Description: The length of the client’s public key used during the Key Exchange phase.

Structure: number of bits

Example: 256

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_CLIENT_KEY_LENGTH, pen=39499, id=348

Depends on monitoring port extension: TLS client

Notes: In TLS version 1.2 and below, it is the length of the public key structure sent in the ClientKeyExchange handshake message. In TLS 1.3 it is the length of the chosen key exchange structure taken from the key_share extension (51).



TLS Certificate

The following fields are taken from the first certificate sent by the server in the Certificate message. It is not possible to obtain these fields in TLS protocol version 1.3 and above because they are encrypted.


Issuer common name

Description: Common name of the certificate’s issuer.

Structure: string

Example: Google Internet Authority G3

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_ISSUER_CN, pen=39499, id=349

Depends on monitoring port extension: TLS certificate


Subject common name

Description: Common name of the certificate’s subject.

Structure: string

Example: server.example.com

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SUBJECT_CN, pen=39499, id=350

Depends on monitoring port extension: TLS certificate


Subject organization name

Description: Organization name of the certificate’s subject.

Structure: string

Example: Example Organization

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SUBJECT_ON, pen=39499, id=351

Depends on monitoring port extension: TLS certificate


Certificate validity from

Description: Date and time from which the certificate is valid.

Structure: timestamp

Example: 2018-09-13 10:47:00

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_VALIDITY_NOT_BEFORE, pen=39499, id=352

Depends on monitoring port extension: TLS certificate


Certificate validity to

Description: Date and time to which the certificate is valid.

Structure: timestamp

Example: 2018-09-13 10:47:00

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_VALIDITY_NOT_AFTER, pen=39499, id=353

Depends on monitoring port extension: TLS certificate


Signature algorithm

Description: Certificate’s signature algorithm.

Structure: string

Example: sha512WithRSAEncryption

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_SIGNATURE_ALG, pen=39499, id=354

Depends on monitoring port extension: TLS certificate


Public key algorithm

Description: Algorithm of the certificate’s public key.

Structure: string

Example: rsaEncryption

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_PUBLIC_KEY_ALG, pen=39499, id=355

Depends on monitoring port extension: TLS certificate


Public key length

Description: Length of the certificate’s public key.

Structure: number of bits

Example: 256

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_PUBLIC_KEY_LENGTH, pen=39499, id=356

Depends on monitoring port extension: TLS certificate



TLS JA3


JA3 fingerprint

Description: JA3 fingerprint of a client.

Structure: byte array

Example: 50839c9fe3bf7e9175dce3716adb1be4

Filter: Filter Syntax

Source IPFIX element: FLOWMON_TLS_JA3_FINGERPRINT, pen=39499, id=357

Depends on monitoring port extension: TLS certificate
