AppRF Streaming Event

The AppRF stream is the flow of all the client sessions, that is, the intra-internet bound sessions happening in the network. Deep packet inspection is carried out on each client session, and the sessions are classified by well-known application, application category, web category, and web reputation. In addition, the client's association details, such as the device type, the client MAC on which the session happened, and the SSID and user role with which the client is associated, are available in the AppRF event messages.

In order for the AppRF Streaming Topic to have detailed messages, Deep Packet Inspection (DPI) configuration needs to be enabled for the devices. An AppRF message contains a list of all the client sessions for a given device (Instant AP).

AppRF Streaming Topic Protocol Buffer File

package Apprf;

message mac_address
{ 
    optional bytes addr = 1;
}

message ip_address
{
    enum addr_family
    {
        ADDR_FAMILY_UNSPEC = 0;
        ADDR_FAMILY_INET = 1;
        ADDR_FAMILY_INET6 = 2;
    }
    optional addr_family af = 1;
    optional bytes addr = 2;
}

message apprf_session 
    {
    optional string customer_id = 1;
    optional uint64 timestamp = 2;
    optional string serial_number = 3;
    repeated client_firewall_session client_firewall_session = 4;
    repeated url_detail_record url_detail_record = 5;
    optional string ap_name = 6;
    optional uint32 session_duration = 7;
    }

message client_firewall_session 
    { 
    optional ip_address client_ip = 1;
    optional mac_address client_mac = 2;
    optional ip_address dest_ip = 3;
    optional ingress_type_t ingress_type = 4;
    enum ingress_type_t 
    {
        INGRESS_WLAN  = 0;
        INGRESS_WIRED = 1;
        INGRESS_VPN  = 2;
    }
    optional uint32 ip_proto = 5; 
    optional string vlan = 6;  
    optional uint32 uplink_id = 7;  
    optional string uplink_name = 8;
    optional uint32 app_id = 9;
    optional string app_name = 10;
    optional uint32 app_cat_id = 11;
    optional string app_cat = 12;
    optional uint32 web_cat_id = 13;
    optional string web_cat = 14;
    optional uint32 web_rep_score = 15;
    optional string web_rep = 16;
    optional string dest_url_prefix = 17;  
    optional string domain = 18; 
    enum app_enforcement_status
    {
        ENF_PERMIT = 0;
        ENF_DENY = 1;
    }
    optional app_enforcement_status session_flags = 19;
    optional uint64 tx_bytes = 20;
    optional uint64 rx_bytes = 21;
    optional uint64 rtt = 22;   
    optional uint64 c2s_rtt = 23; 
    optional uint64 s2c_rtt = 24;
    optional uint64 packet_loss = 25;  
    optional uint64 c2s_packet_loss = 26;
    optional uint64 s2c_packet_loss = 27;
    optional string ssid = 28;
    optional string user_name = 29;
    optional string user_role = 30;
    optional string device_type = 31;
    optional uint64 timestamp = 32;
    optional bool preauth_flag = 33;
    optional uint32 dest_port = 34;
}

message url_detail_record 
   {
    enum url_http_method
    {
        NON_HTTP = 1;
        HTTP_GET = 2;
        HTTP_PUT = 3;
        HTTP_POST = 4;
        HTTP_HEAD = 5;
    }
    required ip_address client_ip = 1;
    required ip_address dest_ip = 2;
    required mac_address client_mac = 3;
    optional bytes dest_url_prefix = 4;
    optional uint32 hit_count = 5;
    optional url_http_method http_method = 6;
    optional uint64 last_hit_timestamp = 7;
}

Parameter Descriptions

The following table lists the field, type, rule, and description of each entry in the protobuf definition above.

| Field | Type | Rule | Description |
|---|---|---|---|
| addr | bytes | Optional | Indicates the address field in bytes. |
| addr_family | enum | | Indicates the enum address family. Contains one of the following: ADDR_FAMILY_UNSPEC (the IP version is unspecified), ADDR_FAMILY_INET (the IP version is IPv4), ADDR_FAMILY_INET6 (the IP version is IPv6). |
| af | addr_family | Optional | Indicates the IP version. |
| customer_id | string | Optional | Indicates the customer ID. |
| timestamp | uint64 | Optional | Indicates the time of the session. |
| serial_number | string | Optional | Indicates the serial number of the client. |
| client_firewall_session | message | Repeated | Indicates the client sessions data. |
| url_detail_record | message | Repeated | Indicates the visited URL information. |
| ap_name | string | Optional | Indicates the name of the access point. |
| session_duration | uint32 | Optional | Indicates the duration of the client session. |
| client_ip | ip_address | Optional | Indicates the IP information of the user who has triggered the event. This is determined by the client IP address. |
| client_mac | mac_address | Optional | Indicates the MAC address of the client. |
| dest_ip | ip_address | Optional | Indicates the destination IP address of the client. |
| ingress_type_t | enum | | Indicates the client connection type, Wireless (WLAN) or Wired (WIRED). It contains any one of the following: INGRESS_WLAN (wireless connection), INGRESS_WIRED (wired connection), INGRESS_VPN (sessions coming from VIA VPN clients in the network). |
| ip_proto | uint32 | Optional | Indicates the network protocol. |
| vlan | uint32 | Optional | Indicates the customer configured user role. |
| uplink_id | uint32 | Optional | Indicates the device uplink ID of the session. |
| uplink_name | string | Optional | Indicates the device uplink name of the session. |
| app_id | uint32 | Optional | Indicates the app unique ID. AppRF supports 500+ apps and each one has a unique ID. |
| app_name | string | Optional | Indicates the app name. AppRF supports 500+ apps. |
| app_cat_id | uint32 | Optional | Indicates the app category ID. AppRF supports 500+ apps and each one is assigned an app category ID. |
| app_cat | string | Optional | Indicates the app category. AppRF supports 500+ apps and each app is assigned a category. |
| web_cat_id | uint32 | Optional | Indicates the web ID for the destination visited. |
| web_cat | string | Optional | Indicates the web category. |
| web_rep_score | uint32 | Optional | Indicates the web reputation score for the destination visited. |
| web_rep | string | Optional | Indicates the web reputation for the destination visited, which is mapped using the web_rep_score. |
| dest_url_prefix | string | Optional | Indicates the URL link in the session, where the client made access. |
| app_enforcement_status | enum | | Indicates the app enforcement status. It contains the following: ENF_PERMIT (client session that connected successfully), ENF_DENY (client session that is blocked by the device). |
| session_flags | app_enforcement_status | Optional | Indicates the app enforcement status. It contains the enum app_enforcement_status. |
| tx_bytes | uint64 | Optional | Indicates the number of bytes transmitted. |
| rx_bytes | uint64 | Optional | Indicates the number of bytes received. |
| rtt | uint64 | Optional | Indicates the round trip time of the associated session. |
| c2s_rtt | uint64 | Optional | Indicates the client to server round trip time. This field is only supported in BGW messages. |
| s2c_rtt | uint64 | Optional | Indicates the server to client round trip time. This field is only supported in BGW messages. |
| packet_loss | uint64 | Optional | Indicates packet loss during communication. This field is only supported in BGW messages. |
| c2s_packet_loss | uint64 | Optional | Indicates the client to server packet loss in the network. |
| s2c_packet_loss | uint64 | Optional | Indicates the server to client packet loss in the network. |
| ssid | string | Optional | Indicates the client SSID. |
| user_name | string | Optional | Indicates the client name in the network. |
| user_role | string | Optional | Indicates the customer configured user role. |
| device_type | string | Optional | Indicates the client device type. |
| preauth_flag | bool | Optional | Allows the customer to filter out any blocked session that has preauth_flag = true. |
| dest_port | uint32 | Optional | Indicates the destination port of the streamed AppRF sessions. The session in the streaming API is an aggregate of all the sessions of the client for the same application for 14 minutes. For some applications, multiple destination ports are used for a set of actual sessions that were combined into a single aggregate session. In such a case, the destination port is set to the value from one of the sessions. |
| url_http_method | enum | | Indicates the enum fields that classify the HTTP requests, which can be one of the following: NON_HTTP, HTTP_GET, HTTP_PUT, HTTP_POST, HTTP_HEAD. |
| dest_url_prefix | bytes | Optional | Indicates the URL that the client visited. |
| hit_count | uint32 | Optional | Indicates the number of visits (hits) that the client URL has. |
| http_method | url_http_method | Optional | Indicates the HTTP properties of the client URL. |
| last_hit_timestamp | uint64 | Optional | Indicates the last visited timestamp of the URL in the session. |

Examples for the AppRF Message

The .proto file shown above consists of many messages, but the message "apprf_session" contains all the other messages nested in it. Therefore, use the message apprf_session to deserialize the AppRF events.

Following are the sample events received for the AppRF Streaming Topic:

  • IAP Message
customer_id: "6e81148a580444c0a3aa1e24171151d9"
timestamp: 1613616317
serial_number: "CNDRJSSCFT"

client_firewall_session {
client_ip {
af: ADDR_FAMILY_INET
addr: "\300\250\024\025"
}
dest_ip {
af: ADDR_FAMILY_INET
addr: "\254\331\244n"
}
ingress_type: INGRESS_WLAN
ip_proto: 0
app_id: 240
app_cat_id: 1
web_cat_id: 25
web_rep_score: 5
dest_url_prefix: "youtube.com"
session_flags: ENF_PERMIT
tx_bytes: 6918
rx_bytes: 111964
rtt: 0
packet_loss: 0
ssid: "NA"
user_role: "UD"
device_type: "Others"
timestamp: 1607041697
}
  • BGW Event
customer_id: "111952018"
timestamp: 1615322941
serial_number: "MCD1360044"

client_firewall_session {
client_ip {
af: ADDR_FAMILY_INET
addr: "\300\250\n\001"
}
dest_ip {
af: ADDR_FAMILY_INET
addr: "\n,\021\361"
}
ingress_type: INGRESS_WIRED
ip_proto: 17
vlan: Engineer
app_id: 10000
app_cat_id: 6
web_cat_id: 100
web_rep_score: 0
session_flags: ENF_PERMIT
tx_bytes: 588115
rx_bytes: 809977
rtt: 1
c2s_rtt: 3
s2c_rtt: 0
packet_loss: 2423
c2s_packet_loss: 4847
s2c_packet_loss: 0
ssid: "NA"
user_role: "UD"
device_type: "Others"
timestamp: 1607040992
}
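
The following is an added example, not part of the original page or vendor code: it reads a serialized apprf_session straight from the protobuf wire format, using the field numbers in the .proto above, and lists ENF_DENY sessions while skipping those with preauth_flag = true. The function names and the sample bytes are constructed for illustration; in production you would normally deserialize with the class that protoc generates from the .proto.

```python
import ipaddress

def read_varint(buf, pos):
    """Decode one base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf):
        value |= (buf[pos] & 0x7F) << shift
        pos += 1
        if buf[pos - 1] < 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated varint")

def fields(buf):
    """Yield (field_number, value); the .proto uses only wire types 0 and 2."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        if key & 7 == 0:                      # varint: uint32/uint64/enum/bool
            val, pos = read_varint(buf, pos)
        elif key & 7 == 2:                    # length-delimited: string/bytes/message
            size, pos = read_varint(buf, pos)
            if pos + size > len(buf):
                raise ValueError("truncated field")
            val, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError("unexpected wire type")
        yield key >> 3, val

def ip_text(msg):
    """ip_address message: field 2 (addr) is 4 (IPv4) or 16 (IPv6) raw bytes."""
    addr = dict(fields(msg)).get(2)
    return str(ipaddress.ip_address(addr)) if addr else None

def blocked_sessions(event):
    """ENF_DENY sessions in one apprf_session, skipping preauth_flag = true."""
    hits = []
    for num, val in fields(event):
        s = dict(fields(val)) if num == 4 else {}   # client_firewall_session = 4
        if s.get(19) == 1 and not s.get(33):  # session_flags = 19, preauth_flag = 33
            hits.append({"client_ip": ip_text(s.get(1, b"")),
                         "dest_ip": ip_text(s.get(3, b"")),
                         "url": s.get(17, b"").decode("utf-8", "replace"),
                         "web_rep_score": s.get(15)})
    return hits

# Constructed sample bytes (not captured traffic): deny, deny + preauth, permit.
SAMPLE = bytes.fromhex(
    "2227 0a08080112 04c0a81415 1a08080112 04cb007107 780a 8a010b6578616d706c652e636f6d 980101"
    "221a 0a08080112 04c0a81416 1a08080112 04cb007108 980101 880201"
    "2217 0a08080112 04c0a81415 1a08080112 04acd9a46e 980100")
```

Calling blocked_sessions(SAMPLE) returns only the first session: the second is denied but has preauth_flag set, and the third is ENF_PERMIT.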
