Update KFL2 documentation with new variables added since Jan 30 #88

@alongir

Description

The KFL2 reference page (src/pages/en/v2/kfl2.md) was last updated on 2026-01-30 and the Display Filters overview (src/pages/en/display_filters.md) on 2026-02-05. Since then, significant KFL2 variables and capabilities have been added but are not reflected in the documentation.

The kfl2 library README (in kubeshark/kfl2) serves as the source of truth for supported variables and is ahead of the docs.

What's Missing

GraphQL Variables (merged 2026-03-04)

  • gql, gqlv1, gqlv2 — boolean protocol detection for GraphQL (sub-protocol of HTTP)
  • Refs: hub#597, kfl2#8, front#1070

L4 Connection Tracking Variables (merged 2026-02-11)

  • conn, conn_state, conn_local_pkts, conn_local_bytes, conn_remote_pkts, conn_remote_bytes, conn_l7_detected, conn_group_id
  • tcp_conn, udp_conn — protocol-specific connection booleans
  • Refs: kfl2#7, front#1015

L4 Flow Tracking Variables (merged 2026-02-11)

  • flow, flow_state, flow_local_pkts, flow_local_bytes, flow_remote_pkts, flow_remote_bytes, flow_local_pps, flow_local_bps, flow_remote_pps, flow_remote_bps, flow_l7_detected, flow_group_id
  • tcp_flow, udp_flow — protocol-specific flow booleans
  • Refs: kfl2#7

Cross-Reference Variables

  • conn_id, flow_id — identifiers linking L4 connections/flows to L7 entries
  • has_pcap — boolean indicating whether an entry has associated PCAP data

Resolution Status Variables

  • local_resolution_status, remote_resolution_status

General / Index Variables

  • index, stream — for identifying specific entries
  • worker — worker node identifier
  • Refs: kfl2#10, hub#646 (merged 2026-03-11)

Node Variables (under-documented)

  • node, node.name, node.ip, local_node_name, remote_node_name

Protocol-Specific Variables (missing or under-documented)

  • WebSocket: ws_opcode, ws_request, ws_response, ws_request_payload_data, ws_request_payload_length, ws_response_payload_length
  • RADIUS: radius_code, radius_code_name, radius_request, radius_response, radius_request_authenticator, radius_request_length, radius_response_length, radius_total_size
  • Diameter: diameter_method, diameter_summary, diameter_request, diameter_response, diameter_request_length, diameter_response_length, diameter_total_size
  • LDAP: ldap_type, ldap_summary, ldap_request, ldap_response, ldap_request_length, ldap_response_length, ldap_total_size
  • AMQP: amqp_method, amqp_summary, amqp_request, amqp_response, amqp_request_length, amqp_response_length, amqp_total_size
  • SCTP: sctp_checksum, sctp_chunk_type, sctp_length
  • ICMP: icmp_type, icmp_version, icmp_length
  • UDP: udp_length, udp_checksum, udp_payload
  • TCP details: tcp_method, tcp_payload, tcp_error_type, tcp_error_message

Capture Source Variables

  • capture_source, capture_backend, capture_source_code, capture

Size Variables (various protocols)

  • *_total_size, *_request_length, *_response_length for DNS, TLS, Redis, Kafka

Approach

  • Use the kfl2 library README as the authoritative source for all supported variables
  • Update src/pages/en/v2/kfl2.md with the new variable categories and examples
  • Update src/pages/en/display_filters.md if relevant quick examples are needed
  • Add practical filter examples for the new L4 conn/flow variables (e.g., conn && !conn_l7_detected to find connections without L7 traffic)

Why Is This Needed

Users relying on the docs for KFL2 filter syntax are missing ~40+ variables that have been added over the last 6 weeks. The L4 flow/connection filters in particular are important for the new three-level hierarchy (flows → connections → L7 entries).
