DFW rule is hit but a log entry is not being recorded in dfwpktlogs.log

Article ID: 407489


Products

VMware vDefend Firewall; VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

A distributed firewall rule has logging enabled, and its hit count, byte count, and packet count are increasing, but no entry is logged to /var/run/log/dfwpktlogs.log on the ESXi host.

Environment

All versions

Cause

An entry is added to dfwpktlogs.log when logging is enabled on the rule and a new flow is detected; the hit count is incremented at the same time. At times the distributed firewall revalidates an existing flow rather than creating a new one. In that case the hit count is incremented, but no new log entry is created.

Resolution

The hit count, byte count, and packet count can be seen in two ways:

  1. In the NSX UI, by clicking the statistics icon on the far left side of the DFW rule.
  2. On the ESXi host, by running vsipioctl getrules -f <filter> -s | grep <rule_id>

 

The flow ID can be seen on the ESXi host by running either of the following two commands:

  1. vsipioctl getflows -f <filter id>
  2. vsipioctl getconnections -f <filter id>

NOTE: Find the filter ID by running summarize-dvfilter and locating the "slot 2" filter (agentName: vmware-sfw) for the correct VM name / vNIC combination. The value on the name: line is the filter ID to pass to -f.

## summarize-dvfilter
world xxxxxxxx vmm0:vm1 vcUuid:'xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx'
port xxxxxxxx vm1.eth0
  vNic slot 2
 name: nic-xxxxxxxx-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 2
   filter source: Dynamic Filter Creation
 moduleName: nsxt-vsip-xxxxxxxx

 

Sample output showing where the flow ID and the "reval" counter are located:

## vsipioctl getflows -f nic-xxxxxxxx-eth0-vmware-sfw.2
Count retrieved from kernel active=1, inactive=0, drop=0
<flow ID> Active udp 0800 IN 2 (ids-rule : <rule id>)  0 0 (D) xxx.xxx.xxx.xxx:netbios-ns(137) -> yyy.yyy.yyy.yyy:netbios-ns(137)  468 0 6 0 tmo 2 (28) ref#: 4 reval 3


## vsipioctl getconnections -f nic-xxxxxxxx-eth0-vmware-sfw.2
<flow ID> Active udp 0800 OUT 4072 (ids-rule : <rule ID>)  0 0 (D) xxx.xxx.xxx.xxx:Unknown(55390) -> yyy.yyy.yyy.yyy:domain(53)  448 1400 8 10 tmo 29 (1) ref#: 4 reval 3

 

If the hit count increases but the flow ID stays the same and the "reval" counter increments, the traffic hit a revalidation of an existing flow rather than a new flow. In that case it is expected that no new entry appears in dfwpktlogs.log.
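The procedure above (find the slot 2 filter, list the flows for the rule, compare the flow ID and "reval" counter between two samples) can be scripted so the revalidation-versus-new-flow decision is made mechanically. The following helpers are an added example and are not part of this KB article or of the NSX tooling; they only parse the text that summarize-dvfilter and vsipioctl print and assume that format matches the samples shown above. They use POSIX sh and awk only, so they run in the busybox shell on an ESXi host as well as under bash on a workstation. All summarize-dvfilter and getflows output embedded below is constructed for illustration; world and port numbers, flow IDs and rule IDs are made up.

```shell
#!/bin/sh
# Added example, not from the KB article. Helpers that automate the DFW
# revalidation check against captured summarize-dvfilter / vsipioctl output.
# All sample output in this file is constructed; nothing here is real host data.

# Print the slot 2 vmware-sfw filter name for a "vm.vnic" port name
# (for example vm1.eth0) from summarize-dvfilter output read on stdin.
dfw_filter_name() {
    awk -v port="$1" '
        $1 == "port"            { inport = ($NF == port); inslot = 0; next }
        inport && $1 == "vNic"  { inslot = ($3 == 2); next }
        inslot && $1 == "name:" { print $2; exit }
    '
}

# From vsipioctl getflows / getconnections output on stdin, print
# "<flow ID> <rule ID> <reval count>" for every flow matched by rule $1.
dfw_flows_for_rule() {
    awk -v rule="$1" '
        match($0, /\(ids-rule : [0-9]+\)/) {
            r = substr($0, RSTART + 12, RLENGTH - 13)   # strip "(ids-rule : " and ")"
            if (r != rule) next
            rv = "-"
            for (i = 1; i < NF; i++) if ($i == "reval") rv = $(i + 1)
            print $1, r, rv
        }
    '
}

# Compare two getflows snapshots ($1 taken before, $2 after) for rule $3.
# A flow whose ID persists while "reval" climbs was revalidated: the rule hit
# count rises but no new dfwpktlogs.log entry is written. A flow ID absent
# from the first snapshot is a new flow, for which a log entry is expected.
dfw_reval_check() {
    before=$(printf '%s\n' "$1" | dfw_flows_for_rule "$3")
    printf '%s\n' "$2" | dfw_flows_for_rule "$3" | while read -r fid rule rv; do
        old=$(printf '%s\n' "$before" | awk -v f="$fid" '$1 == f { print $3 }')
        if [ -z "$old" ]; then
            echo "NEWFLOW $fid rule $rule (expect a dfwpktlogs.log entry)"
        elif [ "$rv" != "-" ] && [ "$old" != "-" ] && [ "$rv" -gt "$old" ]; then
            echo "REVAL $fid rule $rule reval $old->$rv (no new log entry expected)"
        else
            echo "UNCHANGED $fid rule $rule reval $rv"
        fi
    done
}

# Constructed summarize-dvfilter output: two vNICs on the same VM.
SAMPLE_DVFILTER=$(cat <<'EOF'
world 2099425 vmm0:vm1 vcUuid:'50 1c 3e 2a 7b 91 4c 0d 8a 2e 1f 77 3b 5c 9d 4e'
 port 33554444 vm1.eth0
  vNic slot 2
   name: nic-2099425-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 2
   filter source: Dynamic Filter Creation
  moduleName: nsxt-vsip-2099425
 port 33554445 vm1.eth1
  vNic slot 2
   name: nic-2099425-eth1-vmware-sfw.2
   agentName: vmware-sfw
EOF
)

# Constructed getflows snapshots for the eth0 filter. In the second snapshot
# flow 00000a3c1f (rule 1027) has been revalidated (reval 3 -> 4) and a new
# flow 00000b7d20 for the same rule has appeared.
SNAP_BEFORE=$(cat <<'EOF'
Count retrieved from kernel active=2, inactive=0, drop=0
00000a3c1f Active udp 0800 IN 2 (ids-rule : 1027)  0 0 (D) 10.0.1.15:netbios-ns(137) -> 10.0.1.255:netbios-ns(137)  468 0 6 0 tmo 2 (28) ref#: 4 reval 3
00000a3c20 Active tcp 0800 OUT 4072 (ids-rule : 1030)  0 0 (ct) 10.0.1.15:Unknown(55390) -> 10.0.2.8:https(443)  4480 1400 8 10 tmo 29 (1) ref#: 4 reval 3
EOF
)
SNAP_AFTER=$(cat <<'EOF'
Count retrieved from kernel active=3, inactive=0, drop=0
00000a3c1f Active udp 0800 IN 2 (ids-rule : 1027)  0 0 (D) 10.0.1.15:netbios-ns(137) -> 10.0.1.255:netbios-ns(137)  546 0 7 0 tmo 2 (28) ref#: 4 reval 4
00000a3c20 Active tcp 0800 OUT 4072 (ids-rule : 1030)  0 0 (ct) 10.0.1.15:Unknown(55390) -> 10.0.2.8:https(443)  4480 1400 8 10 tmo 29 (1) ref#: 4 reval 3
00000b7d20 Active udp 0800 OUT 4072 (ids-rule : 1027)  0 0 (D) 10.0.1.15:Unknown(51011) -> 10.0.2.53:domain(53)  448 1400 8 10 tmo 29 (1) ref#: 4 reval 0
EOF
)

# Walk the procedure against the constructed samples.
FILTER=$(printf '%s\n' "$SAMPLE_DVFILTER" | dfw_filter_name vm1.eth0)
echo "slot 2 filter for vm1.eth0: $FILTER"
dfw_reval_check "$SNAP_BEFORE" "$SNAP_AFTER" 1027
```

On a real host the two snapshots come from the live commands, for example `F=$(summarize-dvfilter | dfw_filter_name vm1.eth0)`, then `vsipioctl getflows -f "$F" > /tmp/before`, reproduce the traffic, `vsipioctl getflows -f "$F" > /tmp/after`, and finally `dfw_reval_check "$(cat /tmp/before)" "$(cat /tmp/after)" <rule_id>`. A REVAL line for the rule is the normal explanation for a rising hit count with no new dfwpktlogs.log entry; a NEWFLOW line with no matching log entry is the case that warrants further investigation of the rule's logging setting.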