List of output fields
plugins
Contents
- tranalyzer2
- arpDecode
- basicFlow
- basicStats
- bayesClassifier
- bgpDecode
- bitForensic
- cdpDecode
- connStat
- covertChannels
- descriptiveStats
- dfft
- dhcpDecode
- dnsDecode
- entropy
- fnameLabel
- ftpDecode
- geoip
- gquicDecode
- gsmDecode
- gtpDecode
- httpSniffer
- icmpDecode
- igmpDecode
- ircDecode
- ldapDecode
- lldpDecode
- macRecorder
- mndpDecode
- modbus
- mqttDecode
- nDPI
- nFrstPkts
- ntlmsspDecode
- ntpDecode
- ospfDecode
- p0f
- payloadDumper
- pktSIATHisto
- popDecode
- portClassifier
- pwX
- quicDecode
- radiusDecode
- regexHyperscan
- regex_pcre
- regex_re2
- sctpDecode
- smbDecode
- smtpDecode
- snmpDecode
- sshDecode
- sslDecode
- stpDecode
- stunDecode
- syslogDecode
- tcpFlags
- tcpStates
- telegram
- telnetDecode
- tftpDecode
- torDetector
- tp0f
- voipDetector
- vrrpDecode
- vtpDecode
- wavelet
tranalyzer2
Flow output
| Name | Description |
|---|---|
| dir | Flow direction |
| flowInd | Flow index |
Packet output
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| hexContent | Content in hexadecimal |
| hexLsbContent | Content (least significant bit first) in hexadecimal |
| hexNsContent | Content (nibble swapped) in hexadecimal |
| hexLsbNsContent | Content (least significant bit first and nibble swapped) in hexadecimal |
| lsbContent | Content (least significant bit first) |
| nsContent | Content (nibble swapped) |
| content | Content |
| l2HexContent | Content from layer 2 in hexadecimal |
| l2HexLsbContent | Content from layer 2 (least significant bit first) in hexadecimal |
| l2HexNsContent | Content from layer 2 (nibble swapped) in hexadecimal |
| l2HexLsbNsContent | Content from layer 2 (least significant bit first and nibble swapped) in hexadecimal |
| l3HexContent | Content from layer 3 in hexadecimal |
| l3HexLsbContent | Content from layer 3 (least significant bit first) in hexadecimal |
| l3HexNsContent | Content from layer 3 (nibble swapped) in hexadecimal |
| l3HexLsbNsContent | Content from layer 3 (least significant bit first and nibble swapped) in hexadecimal |
| l4HexContent | Content from layer 4 in hexadecimal |
| l4HexLsbContent | Content from layer 4 (least significant bit first) in hexadecimal |
| l4HexNsContent | Content from layer 4 (nibble swapped) in hexadecimal |
| l4HexLsbNsContent | Content from layer 4 (least significant bit first and nibble swapped) in hexadecimal |
| l7HexContent | Content from layer 7 in hexadecimal |
| l7HexLsbContent | Content from layer 7 (least significant bit first) in hexadecimal |
| l7HexNsContent | Content from layer 7 (nibble swapped) in hexadecimal |
| l7HexLsbNsContent | Content from layer 7 (least significant bit first and nibble swapped) in hexadecimal |
arpDecode
ARP: Address Resolution Protocol
Flow output
| Name | Description |
|---|---|
| arpStat | ARP status |
| arpHwType | ARP hardware type |
| arpOpcode | ARP operational code |
| arpIpMacCnt | ARP number of distinct MAC/IP pairs |
| arpMac_Ip_Cnt | ARP MAC/IP pairs found and number of times the pair |
Packet output
| Name | Description |
|---|---|
| arpStat | ARP status |
| arpHwType | ARP hardware type |
| arpProtoType | ARP protocol type |
| arpHwSize | ARP hardware size |
| arpProtoSize | ARP protocol size |
| arpOpcode | ARP operational code |
| arpSenderMAC | ARP sender MAC address |
| arpSenderIP | ARP sender IP address |
| arpTargetMAC | ARP target MAC address |
| arpTargetIP | ARP target IP address |
basicFlow
Overall flow information
Flow output
| Name | Description |
|---|---|
| sensorID | Sensor ID |
| flowStat | Flow status and warnings |
| timeFirst | Date time of first packet |
| timeLast | Date time of last packet |
| duration | Flow duration |
| numHdrDesc | Number of different headers descriptions |
| numHdrs | Number of headers (depth) in hdrDesc |
| hdrDesc | Headers descriptions |
| hdrDesc_pktCnt | Headers descriptions and packet count |
| srcMAC | Source MAC address |
| dstMAC | Destination MAC address |
| ethType | Ethernet type |
| vlanTPID_PCP_DEI_VID | VLAN tag protocol identifier (TPID), priority code point (PCP), drop eligible indicator (DEI), VLAN identifier (VID) |
| vlanHdr | VLAN headers (hexadecimal) |
| vlanID | VLAN IDs |
| mplsLabel_ToS_S_TTL | MPLS headers details |
| mplsHdrsHex | MPLS headers (hexadecimal) |
| mplsLabelsHex | MPLS labels (hexadecimal) |
| mplsLabels | MPLS labels |
| pppHdr | PPP header |
| lapdSAPI | LAPD Service Access Point Identifier (SAPI) |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| l2tpHdr | L2TP header |
| l2tpTID | L2TPv2 tunnel ID |
| l2tpSID | L2TPv2 session ID |
| l2tpCCSID | L2TPv3 control connection/session ID |
| l2tpSrcIP | L2TP source IP address |
| l2tpSrcIPASN | L2TP source ASN |
| l2tpSrcIPCOC | L2TP source IP country organization code |
| l2tpSrcIPCC | L2TP source IP country |
| l2tpSrcIPCnty | L2TP source IP county |
| l2tpSrcIPCity | L2TP source IP city |
| l2tpSrcIPOrg | L2TP source IP organization |
| l2tpSrcIPLat_Lng_relP | L2TP source IP latitude, longitude, reliability |
| l2tpDstIP | L2TP destination IP address |
| l2tpDstIPASN | L2TP destination ASN |
| l2tpDstIPCOC | L2TP destination IP country organization code |
| l2tpDstIPCC | L2TP destination IP country |
| l2tpDstIPCnty | L2TP destination IP county |
| l2tpDstIPCity | L2TP destination IP city |
| l2tpDstIPOrg | L2TP destination IP organization |
| l2tpDstIPLat_Lng_relP | L2TP destination IP latitude, longitude, reliability |
| greHdr | GRE header |
| greSrcIP | GRE source IP address |
| greSrcIPASN | GRE source ASN |
| greSrcIPCOC | GRE source IP country organization code |
| greSrcIPCC | GRE source IP country |
| greSrcIPCnty | GRE source IP county |
| greSrcIPCity | GRE source IP city |
| greSrcIPOrg | GRE source IP organization |
| greSrcIPLat_Lng_relP | GRE source IP latitude, longitude, reliability |
| greDstIP | GRE destination IP address |
| greDstIPASN | GRE destination ASN |
| greDstIPCOC | GRE destination IP country organization code |
| greDstIPCC | GRE destination IP country |
| greDstIPCnty | GRE destination IP county |
| greDstIPCity | GRE destination IP city |
| greDstIPOrg | GRE destination IP organization |
| greDstIPLat_Lng_relP | GRE destination IP latitude, longitude, reliability |
| trdoDstIP | Teredo IPv4 address |
| trdoDstIPASN | Teredo IPv4 ASN |
| trdoDstIPCOC | Teredo IPv4 country organization code |
| trdoDstIPCC | Teredo IPv4 country |
| trdoDstIPCnty | Teredo IPv4 county |
| trdoDstIPCity | Teredo IPv4 city |
| trdoDstIPOrg | Teredo IPv4 organization |
| trdoDstIPLat_Lng_relP | Teredo IPv4 latitude, longitude, reliability |
| trdoDstPort | Teredo destination port |
| trdo6SrcFlgs | Teredo IPv6 source address decode: Flags |
| trdo6SrcSrvIP4 | Teredo IPv6 source address decode: Server IPv4 |
| trdo6SrcSrvIP4ASN | Teredo IPv6 source address decode: Server IPv4 ASN |
| trdo6SrcSrvIP4COC | Teredo IPv6 source address decode: Server IPv4 country organization code |
| trdo6SrcSrvIP4CC | Teredo IPv6 source address decode: Server IPv4 country |
| trdo6SrcSrvIP4Cnty | Teredo IPv6 source address decode: Server IPv4 county |
| trdo6SrcSrvIP4City | Teredo IPv6 source address decode: Server IPv4 city |
| trdo6SrcSrvIP4Org | Teredo IPv6 source address decode: Server IPv4 organization |
| trdo6SrcSrvIP4Lat_Lng_relP | Teredo IPv6 source address decode: Server IPv4 latitude, longitude, reliability |
| trdo6SrcCPIP4 | Teredo IPv6 source address decode: Client public IPv4 |
| trdo6SrcCPIP4ASN | Teredo IPv6 source address decode: Client public IPv4 ASN |
| trdo6SrcCPIP4COC | Teredo IPv6 source address decode: Client public IPv4 country organization code |
| trdo6SrcCPIP4CC | Teredo IPv6 source address decode: Client public IPv4 country |
| trdo6SrcCPIP4Cnty | Teredo IPv6 source address decode: Client public IPv4 county |
| trdo6SrcCPIP4City | Teredo IPv6 source address decode: Client public IPv4 city |
| trdo6SrcCPIP4Org | Teredo IPv6 source address decode: Client public IPv4 organization |
| trdo6SrcCPIP4Lat_Lng_relP | Teredo IPv6 source address decode: Client public IPv4 latitude, longitude, reliability |
| trdo6SrcCPPort | Teredo IPv6 source address decode: Client public port |
| trdo6DstFlgs | Teredo IPv6 destination address decode: Flags |
| trdo6DstSrvIP4 | Teredo IPv6 destination address decode: Server IPv4 |
| trdo6DstSrvIP4ASN | Teredo IPv6 destination address decode: Server IPv4 ASN |
| trdo6DstSrvIP4COC | Teredo IPv6 destination address decode: Server IPv4 country organization code |
| trdo6DstSrvIP4CC | Teredo IPv6 destination address decode: Server IPv4 country |
| trdo6DstSrvIP4Cnty | Teredo IPv6 destination address decode: Server IPv4 county |
| trdo6DstSrvIP4City | Teredo IPv6 destination address decode: Server IPv4 city |
| trdo6DstSrvIP4Org | Teredo IPv6 destination address decode: Server IPv4 organization |
| trdo6DstSrvIP4Lat_Lng_relP | Teredo IPv6 destination address decode: Server IPv4 latitude, longitude, reliability |
| trdo6DstCPIP4 | Teredo IPv6 destination address decode: Client public IPv4 |
| trdo6DstCPIP4ASN | Teredo IPv6 destination address decode: Client public IPv4 ASN |
| trdo6DstCPIP4COC | Teredo IPv6 destination address decode: Client public IPv4 country organization code |
| trdo6DstCPIP4CC | Teredo IPv6 destination address decode: Client public IPv4 country |
| trdo6DstCPIP4Cnty | Teredo IPv6 destination address decode: Server IPv4 county |
| trdo6DstCPIP4City | Teredo IPv6 destination address decode: Server IPv4 city |
| trdo6DstCPIP4Org | Teredo IPv6 destination address decode: Client public IPv4 organization |
| trdo6DstCPIP4Lat_Lng_relP | Teredo IPv6 destination address decode: Client public IPv4 latitude, longitude, reliability |
| trdo6DstCPPort | Teredo IPv6 destination address decode: Client public port |
| srcIP | Source IP address(es) |
| srcIPASN | Source ASN |
| srcIPCOC | Source IP country organization code |
| srcIPCC | Source IP country |
| srcIPCnty | Source IP county |
| srcIPCity | Source IP city |
| srcIPOrg | Source IP organization |
| srcIPLat_Lng_relP | Source IP latitude, longitude, reliability |
| srcPort | Source port |
| dstIP | Destination IP address(es) |
| dstIPASN | Destination ASN |
| dstIPCOC | Destination IP country organization code |
| dstIPCC | Destination IP country |
| dstIPCnty | Destination IP county |
| dstIPCity | Destination IP city |
| dstIPOrg | Destination IP organization |
| dstIPLat_Lng_relP | Destination IP latitude, longitude, reliability |
| dstPort | Destination port |
| l4Proto | Layer 4 protocol |
Packet output
| Name | Description |
|---|---|
| flowStat | Flow status and warnings |
| relTime | Duration since start of pcap or interface sniffing |
| time | Date time of packet |
| pktIAT | Packet inter-arrival time (IAT) |
| pktTrip | Packet round-trip time |
| flowDuration | Flow duration |
| numHdrs | Number of headers (depth) in hdrDesc |
| hdrDesc | Headers descriptions |
| vlanEthType_pri_dei_id | VLAN ethertype, priority, Drop Eligible Indicator (DEI), ID |
| vlanHdr | VLAN headers (hexadecimal) |
| vlanID | VLAN IDs |
| mplsLabel_ToS_S_TTL | MPLS headers details |
| mplsHdrsHex | MPLS headers (hexadecimal) |
| mplsLabelsHex | MPLS labels (hexadecimal) |
| mplsLabels | MPLS labels |
| srcMac | Source MAC address |
| dstMac | Destination MAC address |
| ethType | Ethernet type |
| lapdSAPI | LAPD Service Access Point Identifier (SAPI) |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| lapdFType | LAPD frame type |
| lapdFunc | LAPD command (U-Frame) or supervisory frame type |
| lapdNR | LAPD receive sequence number |
| lapdNS | LAPD send sequence number |
| srcIP | Source IP address(es) |
| srcIPCC | Source IP country |
| srcIPOrg | Source IP organization |
| srcPort | Source port |
| dstIP | Destination IP address(es) |
| dstIPCC | Destination IP country |
| dstIPOrg | Destination IP organization |
| dstPort | Destination port |
| l4Proto | Layer 4 protocol |
basicStats
Basic statistics
Flow output
| Name | Description |
|---|---|
| pktsSnt | Number of transmitted packets |
| pktsRcvd | Number of received packets |
| pktsRTAggr | Number of received + transmitted packets |
| padBytesSnt | Number of transmitted padding bytes |
| l2BytesSnt | Number of transmitted layer 2 bytes |
| l3BytesSnt | Number of transmitted layer 3 bytes |
| l4BytesSnt | Number of transmitted layer 4 bytes |
| l7BytesSnt | Number of transmitted layer 7 bytes |
| l2BytesRcvd | Number of received layer 2 bytes |
| l3BytesRcvd | Number of received layer 3 bytes |
| l4BytesRcvd | Number of received layer 4 bytes |
| l7BytesRcvd | Number of received layer 7 bytes |
| l2BytesRTAggr | Number of received + transmitted layer 2 bytes |
| l3BytesRTAggr | Number of received + transmitted layer 3 bytes |
| l4BytesRTAggr | Number of received + transmitted layer 4 bytes |
| l7BytesRTAggr | Number of received + transmitted layer 7 bytes |
| minL2PktSz | Minimum layer 2 packet size |
| minL3PktSz | Minimum layer 3 packet size |
| minL4PktSz | Minimum layer 4 packet size |
| minL7PktSz | Minimum layer 7 packet size |
| maxL2PktSz | Maximum layer 2 packet size |
| maxL3PktSz | Maximum layer 3 packet size |
| maxL4PktSz | Maximum layer 4 packet size |
| maxL7PktSz | Maximum layer 7 packet size |
| avgL2PktSz | Average layer 2 packet size |
| avgL3PktSz | Average layer 3 packet size |
| avgL4PktSz | Average layer 4 packet size |
| avgL7PktSz | Average layer 7 packet size |
| stdL2PktSz | Standard deviation layer 2 packet size |
| stdL3PktSz | Standard deviation layer 3 packet size |
| stdL4PktSz | Standard deviation layer 4 packet size |
| stdL7PktSz | Standard deviation layer 7 packet size |
| varL2PktSz | Variance layer 2 packet size |
| varL3PktSz | Variance layer 3 packet size |
| varL4PktSz | Variance layer 4 packet size |
| varL7PktSz | Variance layer 7 packet size |
| skewL2PktSz | Skewness layer 2 packet size |
| skewL3PktSz | Skewness layer 3 packet size |
| skewL4PktSz | Skewness layer 4 packet size |
| skewL7PktSz | Skewness layer 7 packet size |
| kurL2PktSz | Kurtosis layer 2 packet size |
| kurL3PktSz | Kurtosis layer 3 packet size |
| kurL4PktSz | Kurtosis layer 4 packet size |
| kurL7PktSz | Kurtosis layer 7 packet size |
| minIAT | Minimum inter-arrival time (IAT) |
| maxIAT | Maximum inter-arrival time (IAT) |
| avgIAT | Average inter-arrival time (IAT) |
| stdIAT | Standard deviation inter-arrival time (IAT) |
| varIAT | Variance inter-arrival time (IAT) |
| skewIAT | Skewness inter-arrival time (IAT) |
| kurIAT | Kurtosis inter-arrival time (IAT) |
| pktps | Sent packets per second |
| bytps | Sent bytes per second |
| pktAsm | Packet stream asymmetry |
| bytAsm | Byte stream asymmetry |
Packet output
| Name | Description |
|---|---|
| pktLen | Packet size on the wire |
| udpLen | Length in UDP/UDP-Lite header |
| l7Len | Layer 7 length |
| pktLenMod | Modulo factor of packet length |
| padLen | Number of padding bytes |
bayesClassifier
Classification using Naive Bayes
Flow output
| Name | Description |
|---|---|
| bayesClass | Naive Bayes class name |
bgpDecode
BGP: Border Gateway Protocol
Flow output
| Name | Description |
|---|---|
| bgpStat | BGP status |
| bgpAFlgs | BGP anomaly flags |
| bgpMsgT | BGP message types |
| bgpNOpen_Upd_Notif_KeepAl_RteRefr | BGP number of messages: OPEN, UPDATE, NOTIFICATION, KEEPALIVE and ROUTE-REFRESH |
| bgpVersion | BGP version |
| bgpSrcAS_dstAS | BGP source and destination Autonomous System (AS) |
| bgpSrcId_dstId | BGP source and destination ID |
| bgpHTime | BGP hold time (sec) |
| bgpCaps | BGP capabilities |
| bgpPAttr | BGP path attributes |
| bgpNAdver | BGP total number of advertised routes |
| bgpNWdrwn | BGP total number of withdrawn routes |
| bgpMaxAdver | BGP maximum number of advertised routes per record |
| bgpAvgAdver | BGP average number of advertised routes per record |
| bgpMaxWdrwn | BGP maximum number of withdrawn routes per record |
| bgpAvgWdrwn | BGP average number of withdrawn routes per record |
| bgpAdvPref | BGP advertised prefixes |
| bgpWdrnPref | BGP withdrawn prefixes |
| bgpNIGP_EGP_INC | BGP number of routes from origin IGP, EGP, INCOMPLETE |
| bgpMinASPLen | BGP minimum AS path length |
| bgpMaxASPLen | BGP maximum AS path length |
| bgpAvgASPLen | BGP average AS path length |
| bgpMaxNPrepAS | BGP maximum number of prepended AS |
| bgpMinIatUp | BGP minimum inter-arrival time for update messages |
| bgpMaxIatUp | BGP maximum inter-arrival time for update messages |
| bgpAvgIatUp | BGP average inter-arrival time for update messages |
| bgpMinIatKA | BGP minimum inter-arrival time for keep-alive messages |
| bgpMaxIatKA | BGP maximum inter-arrival time for keep-alive messages |
| bgpAvgIatKA | BGP average inter-arrival time for keep-alive messages |
| bgpNotifCode_Subcode | BGP notification (fatal error) code and subcode |
bgp_anom.txt file
| Name | Description |
|---|---|
| Anomaly | Anomaly |
| flowInd | Flow index |
| pktNo | Packet number |
| RecNum | Record number |
| ASorNet | AS number or network |
| RepsOrMask | Number or repetitions or mask |
| NewMask | New mask |
bgp_moas.txt file
| Name | Description |
|---|---|
| Network | Network |
| Mask | Mask |
| OldOrigAS | Old originator AS number |
| NewOrigAS | New originator AS number |
| flowInd | Flow index |
| pktNo | Packet number |
| RecNum | Record number |
bgp.txt file
| Name | Description |
|---|---|
| NLRI | Network Layer Reachability Information (NLRI) |
| AS | AS number |
| NextHop | Next hop |
| MED | Multi Exit Discriminator (MED) |
| LocPref | Local prefix |
| Origin | Origin |
| OriginatorID | Originator ID |
| OriginAS | Origin AS |
| UpstreamAS | Upstream AS |
| DestAS | Destination AS |
| Aggregator | Aggregator |
| ASPath | AS path |
| ASPathLen | AS path length |
| MaxNPrepAS | Maximum number of prepended AS |
| ClusterList | Cluster list |
| ClusterListLen | Cluster list length |
| Communities | Communities |
| WithdrawnRoutes | Withdrawn routes |
| flowInd | Flow index |
| pktNo | Packet number |
| recNum | Record number |
| time | Timestamp |
bitForensic
Search packets for specific bits patterns
Flow output
| Name | Description |
|---|---|
| bfStat | bitForensic Status |
| bfPDPos | Pattern detect position |
Packet output
| Name | Description |
|---|---|
| bfStat | bitForensic Status |
| bfPDPos | Pattern detect position |
cdpDecode
CDP: Cisco Discovery Protocol
Flow output
| Name | Description |
|---|---|
| cdpStat | CDP status |
| cdpVer | CDP version |
| cdpTTL | CDP Time To Live (sec) |
| cdpTLVTypes | CDP TLV types |
| cdpDevice | CDP device ID |
| cdpPlatform | CDP platform |
| cdpSWVersion | CDP Software Version |
| cdpPortID | CDP port ID |
| cdpCaps | CDP capabilities |
| cdpDuplex | CDP duplex |
| cdpNVLAN | CDP native VLAN |
| cdpVoipVLAN | CDP VoIP VLAN |
| cdpVTPMngmtDmn | CDP VTP management domain |
| cdpMAddrs | CDP management addresses |
| cdpAddrs | CDP addresses |
| cdpIPPref_cdr | CDP IP prefix, CIDR |
Packet output
| Name | Description |
|---|---|
| cdpStat | CDP status |
| cdpVer | CDP version |
| cdpTTL | CDP Time To Live (sec) |
| cdpTLVTypes | CDP TLV types |
| cdpDevice | CDP device ID |
| cdpPlatform | CDP platform |
| cdpPortID | CDP port ID |
| cdpCaps | CDP capabilities |
| cdpDuplex | CDP duplex |
| cdpNVLAN | CDP native VLAN |
| cdpVoipVLAN | CDP VoIP VLAN |
| cdpVTPMngmtDmn | CDP VTP management domain |
| cdpMAddrs | CDP management addresses |
| cdpAddrs | CDP addresses |
connStat
Connection statistics
Flow output
| Name | Description |
|---|---|
| connSip | Number of unique source IPs |
| connDip | Number of unique destination IPs |
| connSipDip | Number of connections between source and destination IP |
| connSipDprt | Number of connections between source IP and destination port |
| connMacSpf | Number of MAC addresses per source IP |
| connF | The ‘f’ number: connSipDprt / connSip [EXPERIMENTAL] |
| connG | The ‘g’ number: connSipDprt / connSipDip [EXPERIMENTAL] |
| connNumPCnt | Number of unique IP’s source packet count |
| connNumBCnt | Number of unique IP’s source byte count |
covertChannels
Covert channel detection
Flow output
| Name | Description |
|---|---|
| covertChannels | Detected covert channels |
descriptiveStats
Descriptive statistics
Flow output
| Name | Description |
|---|---|
| dsMinPl | Minimum packet length |
| dsMaxPl | Maximum packet length |
| dsMeanPl | Mean packet length |
| dsLowQuartilePl | Lower quartile of packet lengths |
| dsMedianPl | Median of packet lengths |
| dsUppQuartilePl | Upper quartile of packet lengths |
| dsIqdPl | Inter quartile distance of packet lengths |
| dsModePl | Mode of packet lengths |
| dsRangePl | Range of packet lengths |
| dsStdPl | Standard deviation of packet lengths |
| dsRobStdPl | Robust standard deviation of packet lengths |
| dsSkewPl | Skewness of packet lengths |
| dsExcPl | Excess of packet lengths |
| dsMinIat | Minimum inter arrival time |
| dsMaxIat | Maximum inter arrival time |
| dsMeanIat | Mean inter arrival time |
| dsLowQuartileIat | Lower quartile of inter arrival times |
| dsMedianIat | Median inter arrival times |
| dsUppQuartileIat | Upper quartile of inter arrival times |
| dsIqdIat | Inter quartile distance of inter arrival times |
| dsModeIat | Mode of inter arrival times |
| dsRangeIat | Range of inter arrival times |
| dsStdIat | Standard deviation of inter arrival times |
| dsRobStdIat | Robust standard deviation of inter arrival times |
| dsSkewIat | Skewness of inter arrival times |
| dsExcIat | Excess of inter arrival times |
dfft
Discrete Fast Fourier Transform
Flow output
| Name | Description |
|---|---|
| dfftStat | DFFT status |
dhcpDecode
DHCP: Dynamic Host Configuration Protocol
Flow output
| Name | Description |
|---|---|
| dhcpStat | DHCP status |
| dhcpMTypeBF | DHCP message type bitfield |
| dhcpMType | DHCP message types |
| dhcpMTypeNms | DHCP message type names |
| dhcpHWType | DHCP hardware type |
| dhcpCHWAdd_HWCnt | DHCP client hardware addresses and count |
| dhcpCHWAdd | DHCP client hardware addresses |
| dhcpNetmask | DHCP network mask |
| dhcpGWIP | DHCP gateway IP |
| dhcpDnsIP | DHCP DNS |
| dhcpHopCnt | DHCP hop count |
| dhcpSrvName | DHCP server host name |
| dhcpBootFile | DHCP boot file name |
| dhcpOptCnt | DHCP option count |
| dhcpOptBF1_BF2_BF3 | DHCP options bitfield |
| dhcpOpts | DHCP options |
| dhcpOptNms | DHCP option names |
| dhcpHosts_HCnt | DHCP hosts and count |
| dhcpHosts | DHCP hosts |
| dhcpDomains_DCnt | DHCP domains and count |
| dhcpDomains | DHCP domains |
| dhcpMaxSecEl | DHCP maximum seconds elapsed |
| dhcpLeaseT | DHCP lease time (seconds) |
| dhcpRenewT | DHCP renewal time (seconds) |
| dhcpRebindT | DHCP rebind time (seconds) |
| dhcpReqIP | DHCP requested IP |
| dhcpCliIP | DHCP client IP |
| dhcpYourIP | DHCP your (client) IP |
| dhcpNextServer | DHCP next server IP |
| dhcpRelay | DHCP relay agent IP |
| dhcpSrvId | DHCP server identifier |
| dhcpMsg | DHCP message |
| dhcpLFlow | DHCP linked flow |
| dhcpSrcMac | DHCP source MAC address |
| dhcpDstMac | DHCP destination MAC address |
Packet output
| Name | Description |
|---|---|
| dhcpStat | DHCP status |
| dhcpMTypeBF | DHCP message type bitfield |
| dhcpMType | DHCP message types |
| dhcpMTypeNms | DHCP message type names |
| dhcpHops | DHCP number of hops |
| dhcpHWType | DHCP hardware type |
| dhcpTransID | DHCP transaction identifier |
| dhcpOptBF1_BF2_BF3 | DHCP options bitfield |
| dhcpOpts | DHCP options |
| dhcpOptNms | DHCP option names |
| dhcpLFlow | DHCP linked flow |
dnsDecode
DNS: Domain Name System
Flow output
| Name | Description |
|---|---|
| dnsStat | DNS status, warnings and errors |
| dnsHdrOPField | DNS last header field |
| dnsHFlg_OpC_RetC | DNS aggregated header flags, operational and return code |
| dnsHFlg | DNS aggregated header flags |
| dnsOpC | DNS operational code |
| dnsRetC | DNS return code |
| dnsOpN | DNS operational string |
| dnsRetN | DNS return string |
| dnsCntQu_Asw_Aux_Add | DNS number of question, answer, auxiliary and additional records |
| dnsAAAqF | DNS DDOS AAA / query factor |
| dnsTypeBF3_BF2_BF1_BF0 | DNS type bitfields |
| dnsQname | DNS query name |
| dnsMalCnt | DNS domain malware count |
| dnsMalType | DNS domain malware type |
| dnsMalCode | DNS domain malware code |
| dnsAname | DNS answer name record |
| dnsAPname | DNS name CNAME entries |
| dns4Aaddress | DNS address entries IPv4 |
| dns4CC_Org | DNS IPv4 country and organization |
| dns6Aaddress | DNS address entries IPv6 |
| dns6CC_Org | DNS IPv6 country and organization |
| dnsIPMalCode | DNS IP malware code |
| dnsQTypeN | DNS query record type names |
| dnsQType | DNS query record type entries |
| dnsQClass | DNS query record class entries |
| dnsATypeN | DNS answer record type names |
| dnsAType | DNS answer record type entries |
| dnsAClass | DNS answer record class entries |
| dnsATTL | DNS answer record TTL entries |
| dnsMXpref | DNS MX record preference entries |
| dnsSRVprio | DNS SRV record priority entries |
| dnsSRVwgt | DNS SRV record weight entries |
| dnsSRVprt | DNS SRV record port entries |
| dnsOptStat | DNS option status |
Packet output
| Name | Description |
|---|---|
| dnsIPs | DNS IP addresses (A or AAAA records) |
| dnsIPs_cntry_org | DNS IP addresses, countries and organizations (A or AAAA records) |
| dnsStat | DNS status, warnings and errors |
| dnsHdr | DNS header field of packet |
| dnsHFlg_OpC_RetC | DNS aggregated header flags, operational and return code |
| dnsHFlg_OpN_RetN | DNS aggregated header flags, operational and return strings |
| dnsCntQu_Asw_Aux_Add | DNS number of question, answer, auxiliary and additional records |
entropy
Entropy
Flow output
| Name | Description |
|---|---|
| PyldEntropy | Payload entropy |
| PyldChRatio | Payload character ratio |
| PyldBinRatio | Payload binary ratio |
| NumBin0 | Number of 0 count bins |
| Corr | Entropy correction |
| PyldLen | Payload length |
| PyldHisto | Payload histogram |
fnameLabel
Classification based on filename
Flow output
| Name | Description |
|---|---|
| fnLabel | FNL_IDX letter of filename |
| fnHash | Hash of filename |
| fnName | Filename |
Packet output
| Name | Description |
|---|---|
| fnLabel | FNL_IDX letter of filename |
| fnHash | Hash of filename |
| fnName | Filename |
ftpDecode
FTP: File Transfer Protocol
Flow output
| Name | Description |
|---|---|
| ftpStat | FTP status |
| ftpCDFindex | FTP command/data findex link |
| ftpCBF | FTP command bitfield |
| ftpCC | FTP command codes |
| ftpRC | FTP response codes |
| ftpNumUser | FTP number of users |
| ftpUser | FTP users |
| ftpNumPass | FTP number of passwords |
| ftpPass | FTP passwords |
| ftpNumCP | FTP number of command parameters |
| ftpCP | FTP command parameters |
| ftpPLen | FTP passive file length |
Packet output
| Name | Description |
|---|---|
| ftpStat | FTP status |
geoip
Classification based on IP address location
Flow output
| Name | Description |
|---|---|
| srcIpContinent | IP source continent |
| srcIpCountry | IP source country |
| srcIpRegion | IP source region |
| srcIpCity | IP source city |
| srcIpPostcode | IP source postcode |
| srcIpAccuracy | IP source accuracy |
| srcIpLat | IP source latitude |
| srcIpLong | IP source longitude |
| srcIpMetroCode | IP source metro (dma) code |
| srcIpAreaCode | IP source area code |
| srcIpNetmask | IP source netmask |
| srcIpTimeZone | IP source time zone |
| srcIpOrg | IP source organization |
| srcIpISP | IP source ISP |
| srcIpASN | IP source AS number |
| srcIpASName | IP source AS name |
| srcIpConnT | IP source connection type |
| srcIpUsrT | IP source user type |
| dstIpContinent | IP destination continent |
| dstIpCountry | IP destination country |
| dstIpRegion | IP destination region |
| dstIpCity | IP destination city |
| dstIpPostcode | IP destination postcode |
| dstIpAccuracy | IP destination accuracy |
| dstIpLat | IP destination latitude |
| dstIpLong | IP destination longitude |
| dstIpMetroCode | IP destination metro (dma) code |
| dstIpAreaCode | IP destination area code |
| dstIpNetmask | IP destination netmask |
| dstIpTimeZone | IP destination time zone |
| dstIpOrg | IP destination organization |
| dstIpISP | IP destination ISP |
| dstIpASN | IP destination AS number |
| dstIpASName | IP destination AS name |
| dstIpConnT | IP destination connection type |
| dstIpUsrT | IP destination user type |
| geoStat | GeoIP status |
gquicDecode
GQUIC: Google Quick UDP Internet Connections
Flow output
| Name | Description |
|---|---|
| gquicStat | GQUIC status |
| gquicPubFlags | GQUIC Public Flags |
| gquicFrameTypes | GQUIC Frame Types |
| gquicCID | GQUIC Connection ID |
| gquicSNI | GQUIC Server Name Indication (SNI) |
| gquicUAID | GQUIC Client’s User Agent ID (UAID) |
Packet output
| Name | Description |
|---|---|
| gquicPubFlags | GQUIC Public Flags |
| gquicCID | GQUIC Connection ID |
| gquicVersion | GQUIC version |
| gquicPktNo | GQUIC packet number |
gsmDecode
GSM: Global System for Mobile Communications
Flow output
| Name | Description |
|---|---|
| gsmStat | GSM status |
| gsmLapdSAPI | GSM LAPD Service Access Point Identifier (SAPI) |
| gsmLapdTEI | GSM LAPD Terminal Endpoint Identifier (TEI) |
| gsmRslTN | GSM RSL Timeslot Numbers |
| gsmAMRDuration | GSM Duration of AMR conversation (seconds) |
| gsmNumAMRGood_bad | GSM Number of AMR good/bad frames |
Packet output
| Name | Description |
|---|---|
| gsmStat | GSM status |
| gsmLapdSAPI | GSM LAPD Service Access Point Identifier (SAPI) |
| gsmLapdTEI | GSM LAPD Terminal Endpoint Identifier (TEI) |
| gsmRslMsgType | GSM RSL Message type |
| gsmRslTN | GSM RSL Timeslot Number |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| gsmDtapTN | GSM A-I/F DTAP Timeslot Number |
| gsmDtapChannel | GSM A-I/F DTAP Channel |
| gsmHandoverRef | Handover reference |
| gsmLAIMCC | LAI: Mobile Country Code (MCC) |
| gsmLAIMCCCountry | LAI: Mobile Country Code (MCC) country |
| gsmLAIMNC | LAI: Mobile Network Code (MNC) |
| gsmLAIMNCOperator | LAI: Mobile Network Code (MNC) operator |
| gsmLAILAC | LAI: Location Area Code (LAC) |
| gsmEncryption | Encryption algorithm |
| gsmContent | Content (voice or signalling) |
| gsmAMRCMR | AMR codec mode request (CMR) |
| gsmAMRFrameType | AMR frame type |
| gsmAMRFrameQ | AMR frame quality |
gsm_arfcn.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| time | Timestamp |
| vlanID | VLAN IDs |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| gsmRslTN | GSM RSL Timeslot Numbers (TN) |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| gsmDtapTN | GSM A-I/F DTAP Timeslot Number (TN) |
| gsmDtapChannel | GSM A-I/F DTAP Channel |
| gsmARFCN | GSM Absolute Radio-Frequency Channel Number (ARFCN) |
| gsmBand | GSM Band |
| gsmUpFreqMHz | GSM Uplink Frequency (MHz) |
| gsmDownFreqMHz | GSM Downlink Frequency (MHz) |
gsm_calls.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| time | Timestamp |
| vlanID | VLAN IDs |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| gsmMsgType | GSM message type |
| gsmCause | GSM cause |
| gsmRslTN | GSM RSL Timeslot Numbers |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| gsmCaller | GSM caller |
| gsmCallerCountry | GSM caller country |
| gsmCallee | GSM callee |
| gsmCalleeCountry | GSM callee country |
gsm_channels.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| time | Timestamp |
| vlanID | VLAN IDs |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| gsmMsgType | GSM message type |
| gsmCause | GSM cause |
| gsmRslTN | GSM RSL Timeslot Numbers |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| gsmChannelType | GSM channel type |
| gsmHandoverRef | Handover reference |
| gsmFrameNumberT1 | GSM Frame Number (T1) |
| gsmFrameNumberT2 | GSM Frame Number (T2) |
| gsmFrameNumberT3 | GSM Frame Number (T3) |
| gsmFrameNumber | GSM Frame Number |
| gsmChannelInfo | GSM Channel Info |
gsm_imm_ass.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| time | Timestamp |
| vlanID | VLAN IDs |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| gsmMsgType | GSM message type |
| gsmCause | GSM cause |
| gsmRslTN | GSM RSL Timeslot Numbers |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| gsmDtapTN | GSM A-I/F DTAP Timeslot Number |
| gsmDtapChannel | GSM A-I/F DTAP Channel |
| gsmTSC | GSM Training Sequence Code (TSC) |
| gsmHoppingChannel | GSM hopping channel |
| gsmARFCN | GSM Absolute Radio-Frequency Channel Number (ARFCN) |
| gsmBand | GSM Band |
| gsmUpFreqMHz | GSM Uplink Frequency (MHz) |
| gsmDownFreqMHz | GSM Downlink Frequency (MHz) |
| gsmMAIO | GSM Mobile Allocation Index Offset (MAIO) |
| gsmHoppingSeqNum | GSM hopping sequence number |
| gsmRandomAccessInfo | GSM random access info |
| gsmRequestRefT1 | GSM request reference (T1) |
| gsmRequestRefT2 | GSM request reference (T2) |
| gsmRequestRefT3 | GSM request reference (T3) |
| gsmRequestRefRFN | GSM request reference (RFN) |
| gsmTimingAdvance | GSM timing advance |
| gsmDistanceFromBTS | GSM distance from Base Transceiver Station (BTS) |
| gsmChannelMode | GSM channel mode |
| gsmMultiRateConfig | GSM Adaptive Multi-Rate (AMR) configuration |
gsm_imsi.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| time | Timestamp |
| vlanID | VLAN IDs |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| gsmRslTN | GSM RSL Timeslot Numbers |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| gsmMobileIdentityType | GSM Mobile Identity Type |
| gsmIMSI | GSM International Mobile Subscriber Identity (IMSI) |
| gsmIMEITACManuf | GSM International Mobile Equipment Identity (IMEI) Type Allocation Code (TAC) manufacturer |
| gsmIMEITACModel | GSM International Mobile Equipment Identity (IMEI) Type Allocation Code (TAC) model |
| gsmIMSIMCC | GSM International Mobile Subscriber Identity (IMSI) Mobile Country Code (MCC) |
| gsmIMSIMCCCountry | GSM International Mobile Subscriber Identity (IMSI) Mobile Country Code (MCC) |
| gsmIMSIMNC | GSM International Mobile Subscriber Identity (IMSI) Mobile Network Code (MNC) |
| gsmIMSIMNCOperator | GSM International Mobile Subscriber Identity (IMSI) Mobile Network Code (MNC) |
| gsmLAIMCC | LAI: Mobile Country Code (MCC) |
| gsmLAIMCCCountry | LAI: Mobile Country Code (MCC) country |
| gsmLAIMNC | LAI: Mobile Network Code (MNC) |
| gsmLAIMNCOperator | LAI: Mobile Network Code (MNC) operator |
| gsmLAILAC | LAI: Location Area Code (LAC) |
gsm_operators.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| time | Timestamp |
| vlanID | VLAN IDs |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| gsmRslTN | GSM RSL Timeslot Numbers |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| gsmFullNetworkName | GSM full network name |
| gsmShortNetworkName | GSM short network name |
| gsmTimeZone | GSM time zone |
| gsmTimeAndTimeZone | GSM time and time zone |
gsm_sms.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| time | Timestamp |
| vlanID | VLAN IDs |
| lapdTEI | LAPD Terminal Endpoint Identifier (TEI) |
| direction | Direction: MS->SC (Mobile Station to Service Centre) or SC->MS (Service Centre to Mobile Station) |
| gsmRslTN | GSM RSL Timeslot Numbers |
| gsmRslSubCh | GSM RSL Subchannel Number |
| gsmRslChannel | GSM RSL Channel |
| smsMsgType | GSM SMS message type |
| serviceCenterTimeStamp | GSM Service Center Timestamp |
| rpOriginatorAddr | GSM RP Originator address |
| rpOriginatorAddrCountry | GSM RP Originator address country |
| rpDestinationAddr | GSM RP Destination address |
| rpDestinationAddrCountry | GSM RP Destination address country |
| tpOriginatingAddr | GSM TP Originating address |
| tpOriginatingAddrCountry | GSM TP Originating address country |
| tpDestinationAddr | GSM TP Destination address |
| tpDestinationAddrCountry | GSM TP Destination address country |
| tpRecipientAddr | GSM TP Recipient address |
| tpRecipientAddrCountry | GSM TP Recipient address country |
| smsMsgRef | GSM SMS message reference |
| smsMsgId | GSM SMS message ID |
| smsMsgPart | GSM SMS message part |
| smsMsg | GSM SMS message |
gtpDecode
GTP: GPRS Tunneling Protocol
Flow output
| Name | Description |
|---|---|
| gtpStat | GTP status |
Packet output
| Name | Description |
|---|---|
| gtpFlags | GTP flags |
| gtpMsgT | GTP message type |
| gtpLen | GTP length |
| gtpTEID | GTP tunnel identifier (TEID) |
| gtpSeqNum | GTP sequence number |
| gtpIMSI | GTP International Mobile Subscriber Identity (IMSI) |
httpSniffer
HTTP: HyperText Transfer Protocol
Flow output
| Name | Description |
|---|---|
| httpStat | HTTP status |
| httpAFlags | HTTP anomaly flags |
| httpMethods | HTTP methods in flow |
| httpHeadMimes | HTTP HEADMIME-TYPES in flow |
| httpCFlags | HTTP content info in flow |
| httpGet_Post | HTTP number of GET and POST requests |
| httpRSCnt | HTTP response status count |
| httpRSCode | HTTP response status code |
| httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim | HTTP number of URLs, Via, Location, Server, Powered By, User-Agent, X-Forwarded-For, Referer, Cookie and Mime-Type |
| httpImg_Vid_Aud_Msg_Txt_App_Unk | HTTP number of images, videos, audios, messages, texts, applications and unknown |
| httpHosts | HTTP Host names |
| httpURL | HTTP URLs |
| httpMimes | HTTP MIME-types |
| httpCookies | HTTP cookies |
| httpImages | HTTP images |
| httpVideos | HTTP videos |
| httpAudios | HTTP audios |
| httpMsgs | HTTP messages |
| httpAppl | HTTP applications |
| httpText | HTTP texts |
| httpPunk | HTTP payload unknown |
| httpBdyURL | HTTP body: Refresh, Set-Cookie URL |
| httpUsrAg | HTTP User-Agent |
| httpXFor | HTTP X-Forwarded-For |
| httpRefrr | HTTP Referer |
| httpVia | HTTP Via (Proxy) |
| httpLoc | HTTP Location (Redirection) |
| httpServ | HTTP Server |
| httpPwr | HTTP Powered By |
| httpAvastCid | HTTP Avast Client ID |
| httpEsetUid | HTTP ESET Update ID |
Packet output
| Name | Description |
|---|---|
| httpStat | HTTP status |
| httpAFlags | HTTP anomaly flags |
| httpMethods | HTTP methods in flow |
| httpHeadMimes | HTTP HEADMIME-TYPES in flow |
| httpCFlags | HTTP content info in flow |
icmpDecode
ICMP: Internet Control Message Protocol
Flow output
| Name | Description |
|---|---|
| icmpStat | ICMP status |
| icmpTCcnt | ICMP type code count |
| icmpType_Code | ICMP type and code fields |
| icmpBFTypH_TypL_Code | ICMP Aggregated type H (IPv6>128, IPv4>31), L (<32) and code bitfields |
| icmpTmGtw | ICMP time/gateway |
| icmpEchoSuccRatio | ICMP Echo reply/request success ratio |
| icmpPFindex | ICMP parent flow index |
Packet output
| Name | Description |
|---|---|
| icmpStat | ICMP status |
| icmpType | ICMP message type |
| icmpCode | ICMP message code |
| icmpID | ICMP identifier |
| icmpSeq | ICMP sequence number |
| icmpPFindex | ICMP parent flow index |
igmpDecode
IGMP: Internet Group Management Protocol
Flow output
| Name | Description |
|---|---|
| igmpStat | IGMP status |
| igmpVersion | IGMP version |
| igmpAType | IGMP aggregated type |
| igmpMCastAddr | IGMP multicast address |
| igmpNRec | IGMP number of records |
ircDecode
IRC: Internet Relay Chat
Flow output
| Name | Description |
|---|---|
| ircStat | IRC status |
| ircCBF | IRC commands |
| ircCC | IRC command codes |
| ircRC | IRC response codes |
| ircNumUser | IRC number of users |
| ircUser | IRC users |
| ircNumPass | IRC number of passwords |
| ircPass | IRC passwords |
| ircNumNick | IRC number of nicknames |
| ircNick | IRC nicknames |
| ircNumC | IRC number of parameters |
| ircC | IRC content |
ldapDecode
LDAP: Lightweight Directory Access Protocol
Flow output
| Name | Description |
|---|---|
| ldapStat | LDAP status |
| ldapCodeNm | LDAP code names |
| ldapCodes | LDAP codes |
| ldapOPF | LDAP operations as flags |
| ldapSrchNm | LDAP search names |
Packet output
| Name | Description |
|---|---|
| ldapStat | LDAP status |
| ldapVer | LDAP version |
| ldapCodeNm | LDAP code names |
| ldapCodes | LDAP codes |
| ldapOPF | LDAP operations as flags |
lldpDecode
LLDP: Link Layer Discovery Protocol
Flow output
| Name | Description |
|---|---|
| lldpStat | LLDP status |
| lldpTTL | LLDP Time To Live (sec) |
| lldpTLVTypes | LLDP TLV types |
| lldpChassis | LLDP chassis ID |
| lldpPort | LLDP port ID |
| lldpPortDesc | LLDP port description |
| lldpSysName | LLDP system name |
| lldpSysDesc | LLDP system description |
| lldpCaps_enCaps | LLDP supported and enabled capabilities |
| lldpMngmtAddr | LLDP management address |
Packet output
| Name | Description |
|---|---|
| lldpStat | LLDP status |
| lldpTTL | LLDP Time To Live (sec) |
| lldpTLVTypes | LLDP TLV types |
| lldpChassis | LLDP chassis ID |
| lldpPort | LLDP port ID |
| lldpPortDesc | LLDP port description |
| lldpSysName | LLDP system name |
| lldpCaps_enCaps | LLDP supported and enabled capabilities |
| lldpMngmtAddr | LLDP management address |
macRecorder
MAC addresses and manufacturers
Flow output
| Name | Description |
|---|---|
| macStat | macRecorder status |
| macPairs | Number of distinct source/destination MAC addresses pairs |
| srcMac_dstMac_numP | Source/destination MAC address, number of packets of MAC address combination |
| srcMacLbl_dstMacLbl | Source/destination MAC label |
Packet output
| Name | Description |
|---|---|
| srcMacLbl | Source MAC label |
| dstMacLbl | Destination MAC label |
mndpDecode
MNDP: MikroTik Neighbor Discovery Protocol
Flow output
| Name | Description |
|---|---|
| mndpStat | MNDP status |
| mndpMAC | MNDP MAC-Address |
| mndpIdentity | MNDP Identity |
| mndpVersion | MNDP Version |
| mndpPlatform | MNDP Platform |
| mndpSoftwareID | MNDP Software-ID |
| mndpBoard | MNDP Board |
| mndpUnpack | MNDP Unpack |
| mndpIface | MNDP Interface name |
| mndpIPv4 | MNDP IPv4-Address |
| mndpIPv6 | MNDP IPv6-Address |
Packet output
| Name | Description |
|---|---|
| mndpStat | MNDP status |
| mndpSeqNo | MNDP Sequence Number |
| mndpMAC | MNDP MAC-Address |
| mndpIdentity | MNDP Identity |
| mndpVersion | MNDP Version |
| mndpPlatform | MNDP Platform |
| mndpUptime | MNDP Uptime |
| mndpSoftwareID | MNDP Software-ID |
| mndpBoard | MNDP Board |
| mndpUnpack | MNDP Unpack |
| mndpIface | MNDP Interface name |
| mndpIPv4 | MNDP IPv4-Address |
| mndpIPv6 | MNDP IPv6-Address |
modbus
Modbus
Flow output
| Name | Description |
|---|---|
| modbusStat | Modbus status |
| modbusUID | Modbus unit identifier |
| modbusNPkts | Modbus number of packets |
| modbusNumEx | Modbus number of exceptions |
| modbusFCBF | Modbus aggregated function codes |
| modbusFC | Modbus list of function codes |
| modbusFExBF | Modbus aggregated function codes which caused exceptions |
| modbusFEx | Modbus list of function codes which caused exceptions |
| modbusExCBF | Modbus aggregated exception codes |
| modbusExC | Modbus list of exception codes |
Packet output
| Name | Description |
|---|---|
| mbTranId | Modbus transaction identifier |
| mbProtId | Modbus protocol identifier |
| mbLen | Modbus length |
| mbUnitId | Modbus unit identifier |
| mbFuncCode | Modbus function code |
mqttDecode
MQTT: MQ Telemetry Transport Protocol
Flow output
| Name | Description |
|---|---|
| mqttStat | MQTT status |
| mqttCPT | MQTT control packet types |
| mqttProto | MQTT protocol name |
| mqttProtoLevel | MQTT protocol level |
| mqttClientID | MQTT client ID |
| mqttConAck | MQTT connection status |
| mqttTopic | MQTT topic |
Packet output
| Name | Description |
|---|---|
| mqttStat | MQTT status |
mqtt_msg.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| mqttTopic | MQTT topic |
| mqttMsg | MQTT message |
nDPI
Classification based on content analysis
Flow output
| Name | Description |
|---|---|
| nDPIMstrProto | nDPI numerical master protocol |
| nDPISubProto | nDPI numerical sub protocol |
| nDPIclass | nDPI based protocol classification |
Packet output
| Name | Description |
|---|---|
| nDPIMstrProto | nDPI numerical master protocol |
| nDPISubProto | nDPI numerical sub protocol |
| nDPIclass | nDPI based protocol classification |
nFrstPkts
Statistics over the first N packets
Flow output
| Name | Description |
|---|---|
| nFpCnt | Number of signal samples |
| HD3l_HD4l_L2L3L4Pl_Iat_nP | L3 and L4 header length, L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length, IAT and pulse for the N first packets |
| HD3l_HD4l_L2L3L4Pl_Iat | L3 and L4 header length, L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length and IAT for the N first packets |
| L2L3L4Pl_Iat_nP | L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length, IAT and pulse for the N first packets |
| L2L3L4Pl_Iat | L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length and IAT for the N first packets |
ntlmsspDecode
NTLMSSP: NT LAN Manager (NTLM) Security Support Provider
Flow output
| Name | Description |
|---|---|
| ntlmsspStat | NTLMSSP status |
| ntlmsspTarget | NTLMSSP target name |
| ntlmsspDomain | NTLMSSP domain name |
| ntlmsspUser | NTLMSSP username |
| ntlmsspHost | NTLMSSP host/workstation |
| ntlmsspNegotiateFlags | NTLMSSP Negotiate Flags |
| ntlmsspSessKey | NTLMSSP session key |
| ntlmsspNTProofStr | NTLMSSP NT proof string |
| ntlmsspServChallenge | NTLMSSP server challenge |
| ntlmsspCliChallenge | NTLMSSP client challenge |
| ntlmsspVersion | NTLMSSP version |
| ntlmsspVersionMajor_Minor_Build_Rev | NTLMSSP version (Major Version, Minor Version, Build Number and NTLM Current Revision) |
| ntlmsspNbComputer | NTLMSSP NetBIOS computer name |
| ntlmsspNbDomain | NTLMSSP NetBIOS domain name |
| ntlmsspDnsComputer | NTLMSSP DNS computer name |
| ntlmsspDnsDomain | NTLMSSP DNS domain name |
| ntlmsspDnsTree | NTLMSSP DNS tree name |
| ntlmsspAttrTarget | NTLMSSP Attribute Target Name |
| ntlmsspTimestamp | NTLMSSP timestamp |
ntpDecode
NTP: Network Time Protocol
Flow output
| Name | Description |
|---|---|
| ntpStat | NTP status, warnings and errors |
| ntpLiVM | NTP leap indicator, version number and mode |
| ntpLi_V_M | NTP leap indicator, version number and mode |
| ntpStrat | NTP stratum |
| ntpRefClkId | NTP root reference clock ID (stratum >= 2) |
| ntpRefStrId | NTP root reference string (stratum <= 1) |
| ntpPollInt | NTP poll interval |
| ntpPrec | NTP precision |
| ntpRtDelMin | NTP root delay minimum |
| ntpRtDelMax | NTP root delay maximum |
| ntpRtDispMin | NTP root dispersion minimum |
| ntpRtDispMax | NTP root dispersion maximum |
| ntpRefTS | NTP reference timestamp |
| ntpOrigTS | NTP originate timestamp |
| ntpRecTS | NTP receive timestamp |
| ntpTranTS | NTP transmit timestamp |
ospfDecode
OSPF: Open Shortest Path First
Flow output
| Name | Description |
|---|---|
| ospfStat | OSPF status |
| ospfVersion | OSPF version |
| ospfType | OSPF message type |
| ospfLSType | OSPF Update LS type |
| ospfAuType | OSPF authentication type |
| ospfAuPass | OSPF authentication password |
| ospfArea | OSPF Area ID |
| ospfSrcRtr | OSPF Hello source router |
| ospfBkupRtr | OSPF Hello backup router |
| ospfNeighbors | OSPF Hello neighbor routers |
Packet output
| Name | Description |
|---|---|
| ospfStat | OSPF status |
| ospfVersion | OSPF version |
| ospfArea | OSPF Area ID |
| ospfType | OSPF message type |
| ospfLSType | OSPF Update LS type |
ospf2Msg.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| Ver | OSPF version |
| Area | Area ID |
| MsgType | Message type |
| LSType | LS Type |
| srcIP | Source IP |
| LSLinkID | LS Link ID |
| NetmaskOrRouterIP | Netmask or Router IP |
| ADVRouter | Advertising router |
| LSAOpt | LSA options |
| LnkType | Link type |
| Metric | Metric |
| IfaceType | Interface type |
| LSFlgs | LS flags |
| AttchRtrs | Attached routers |
| FwdIP | Forwarding IP |
| ExtRtTag | External Route Tag |
ospf3Msg.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| Ver | OSPF version |
| Area | Area ID |
| MsgType | Message type |
| LSType | LS Type |
| srcIP | Source IP |
| dstIP | Destination IP |
| LSAAdvRtr | LSA Advertising router |
| LSAOpts | LSA options |
| LSLinkID | LS Link ID |
| IntID | Interface ID |
| NeighIntID | Neighbor Interface ID |
| RefAdvRtrOrAttchRtrs | Reference advertising router or Attached routers |
| Type | Type |
| PrefOpts | Preference options |
| Metric | Metric |
| RefLSA | Reference LSA |
| RefPrefix | Reference prefix |
| LnkLclIPOrFwdIP | Link-local interface address or Forwarding IP |
| ExtRtTag | External Route Tag |
ospfDBD.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| Ver | OSPF version |
| AreaID | Area ID |
| RtrID | Router ID |
| LSLinkID | LS Link ID |
| ADVRouter | Advertising Router |
| Dna | Do Not Age |
| Age | Age |
| SeqNum | Sequence number |
| Checksum | Checksum |
| MTU | MTU |
| Flags | Flags |
| LSType | LS Type |
| tlvType | TLV Type |
| tlvValOpt | TLV options |
ospfHello.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| Ver | OSPF version |
| AreaID | Area ID |
| SrcOSPRtr | Source router |
| srcIP | Source IP |
| Netmask | Network mask |
| Network | Network |
| IntID | Interface ID |
| RtrPrio | Router priority |
| Opt | Options |
| HelloInt | Hello interval |
| RtrDInt | Router dead interval |
| DRtr | Destination router |
| BkupRtr | Backup router |
| NumNeigh | Number of neighbors |
| Neighbors | Neighbors |
p0f
OS classification based on content analysis (SSL/TLS)
Flow output
| Name | Description |
|---|---|
| p0fSSLRule | p0f SSL fingerprint rule number |
| p0fSSLOS | p0f SSL OS fingerprint |
| p0fSSLOS2 | p0f SSL OS fingerprint (2) |
| p0fSSLBrowser | p0f SSL browser fingerprint |
| p0fSSLComment | p0f SSL fingerprint comment |
payloadDumper
Dump the payload of TCP/UDP flows to files (similar to tcpflow)
Flow output
| Name | Description |
|---|---|
| pldStat | payloadDumper status |
Packet output
| Name | Description |
|---|---|
| pldStat | payloadDumper status |
pktSIATHisto
Histograms of packet size and inter-arrival times
Flow output
| Name | Description |
|---|---|
| tCnt | Number of tree entries |
| Ps_IatBin_Cnt_PsCnt_IatCnt | Packet size (PS) and inter-arrival time (IAT) of bin histogram |
| Ps_Iat_Cnt_PsCnt_IatCnt | Packet size (PS) and min inter-arrival time (IAT) of bin histogram |
popDecode
POP: Post Office Protocol
Flow output
| Name | Description |
|---|---|
| popStat | POP status |
| popCBF | POP command codes bitfield |
| popCC | POP command codes |
| popRM | POP response #mail |
| popUsrNum | POP number of users |
| popUsr | POP users |
| popPwNum | POP number of passwords |
| popPw | POP passwords |
| popCNum | POP number of parameters |
| popC | POP content |
Packet output
| Name | Description |
|---|---|
| popStat | POP status |
portClassifier
Classification based on port numbers
Flow output
| Name | Description |
|---|---|
| dstPortClassN | Port based classification of the destination port number |
| dstPortClass | Port based classification of the destination port name |
Packet output
| Name | Description |
|---|---|
| dstPortClassN | Port based classification of the destination port number |
| dstPortClass | Port based classification of the destination port name |
pwX
Password extractor
Flow output
| Name | Description |
|---|---|
| pwxType | Authentication type of the extracted username/password |
| pwxUser | Extracted username |
| pwxPass | Extracted password |
| pwxStatus | Authentication status |
quicDecode
QUIC (IETF): Quick UDP Internet Connections
Flow output
| Name | Description |
|---|---|
| quicStat | QUIC Status |
| quicVersion | QUIC Version |
| quicFlags | QUIC Flags |
| quicPktTypes | QUIC Packet Types |
| quicDCID | QUIC Destination Connection ID |
| quicSCID | QUIC Source Connection ID |
| quicODCID | QUIC Original Destination Connection ID (Retry) |
Packet output
| Name | Description |
|---|---|
| quicStat | QUIC Status |
| quicFlags | QUIC Flags |
| quicPktType | QUIC Packet Type |
| quicVersion | QUIC Version |
| quicDCID | QUIC Destination Connection ID |
| quicSCID | QUIC Source Connection ID |
| quicODCID | QUIC Original Destination Connection ID (Retry) |
| quicPktNum | QUIC Packet Number |
radiusDecode
RADIUS: Remote Authentication Dial-In User Service
Flow output
| Name | Description |
|---|---|
| radiusStat | RADIUS status |
| radiusAxsReq_Acc_Rej_Chal | RADIUS Access-Request/Accept/Reject/Challenge |
| radiusAccReq_Resp | RADIUS Accounting-Request/Response |
| radiusAccStart_Stop | RADIUS Accounting Start/Stop |
| radiusCodeNms | RADIUS code names |
| radiusCodes | RADIUS codes |
| radiusAVPTypeNms | RADIUS Attribute Value Pair Type Names |
| radiusAVPTypes | RADIUS Attribute Value Pair Types |
| radiusUser | RADIUS username |
| radiusPW | RADIUS password |
| radiusServiceType | RADIUS service type |
| radiusLoginService | RADIUS login-service |
| radiusVendor | RADIUS vendor ID (SMI) |
| radiusNasId | RADIUS NAS Identifier |
| radiusNasIp | RADIUS NAS IP address |
| radiusNasPort | RADIUS NAS IP port |
| radiusNasPortTypeNm | RADIUS NAS Port Type Name |
| radiusNasPortType | RADIUS NAS Port Type |
| radiusNasPortId | RADIUS NAS Port ID |
| radiusFramedIp | RADIUS framed IP address |
| radiusFramedMask | RADIUS framed IP netmask |
| radiusFramedProto | RADIUS framed protocol |
| radiusFramedComp | RADIUS framed compression |
| radiusFramedMtu | RADIUS framed MTU |
| radiusTunnel_Medium | RADIUS tunnel type and medium type |
| radiusTunnelCli | RADIUS tunnel client endpoint |
| radiusTunnelSrv | RADIUS tunnel server endpoint |
| radiusTunnelCliAId | RADIUS tunnel client authentication Id |
| radiusTunnelSrvAId | RADIUS tunnel server authentication Id |
| radiusTunnelPref | RADIUS tunnel preference |
| radiusAcctSessId | RADIUS Accounting Session Id |
| radiusAcctSessTime | RADIUS Accounting Session Time (seconds) |
| radiusAcctStatType | RADIUS Accounting Status Type |
| radiusAcctTerm | RADIUS Accounting Terminate Cause |
| radiusAcctInOct_OutOct | RADIUS Accounting Input/Output Octets |
| radiusAcctInPkt_OutPkt | RADIUS Accounting Input/Output Packets |
| radiusAcctInGw_OutGw | RADIUS Accounting Input/Output Gigawords |
| radiusConnInfo | RADIUS user connection info |
| radiusFilterId | RADIUS filter Identifier |
| radiusCalledId | RADIUS Called Station Identifier |
| radiusCallingId | RADIUS Calling Station Identifier |
| radiusReplyMsg | RADIUS reply message |
Packet output
| Name | Description |
|---|---|
| radiusStat | RADIUS status |
| radiusCodeNm | RADIUS code name |
| radiusCode | RADIUS code |
| radiusAVPTypeNms | RADIUS Attribute Value Pair Type Names |
| radiusAVPTypes | RADIUS Attribute Value Pair Types |
regexHyperscan
Hyperscan regular expressions
Flow output
| Name | Description |
|---|---|
| hsregexes | Hyperscan regex matches |
regex_pcre
PCRE: Perl Compatible Regular Expressions
Flow output
| Name | Description |
|---|---|
| rgxCnt | Regex match count |
| rgxRID_cType_sev_pktN_bPos_time | Regex ID, class type, severity, time, packet number, byte position and time |
| rgxRID_cType_sev_pktN_bPos | Regex ID, class type, severity, packet number and byte position |
| rgxRID_cType_sev | Regex ID, class type and severity |
Packet output
| Name | Description |
|---|---|
| rgxCnt | Regex match count |
| rgxRID_cType_sev | Regex ID, class type and severity |
regex_re2
RE2 regular expressions
Flow output
| Name | Description |
|---|---|
| re2match | re2 regex matches |
sctpDecode
SCTP: Stream Control Transmission Protocol
Flow output
| Name | Description |
|---|---|
| sctpStat | SCTP status |
| sctpDSNum | SCTP data stream number |
| sctpMaxDSNum | SCTP max number of data streams |
| sctpPID | SCTP Payload ID |
| sctpVTag | SCTP verification tag |
| sctpTypeN | SCTP unique types name |
| sctpType | SCTP unique types values |
| sctpTypeBF | SCTP aggregated type bit field |
| sctpCntD_I_A | SCTP DATA, INIT and ABORT count |
| sctpCFlags | SCTP aggregated chunk flags |
| sctpCCBF | SCTP aggregated error cause code bit field |
| sctpASIP4 | SCTP ASCONF IPv4 |
| sctpASIP6 | SCTP ASCONF IPv6 |
| sctpIS | SCTP inbound streams |
| sctpOS | SCTP outbound streams |
| sctpIARW | SCTP Initial Advertised Receiver Window |
| sctpIARWMin | SCTP Initial Advertised Receiver Window Minimum |
| sctpIARWMax | SCTP Initial Advertised Receiver Window Maximum |
| sctpARW | SCTP Advertised Receiver Window |
Packet output
| Name | Description |
|---|---|
| sctpVTag | SCTP verification tag |
| sctpChkSum | SCTP checksum |
| sctpCalCRCChkSum | SCTP computed CRC checksum |
| sctpCalADLChkSum | SCTP computed ADLER32 checksum |
| sctpChunkType_sid_flags_cflags_numDPkts_len_pid | SCTP chunk type, stream identifier, chunk flags, DATA count, chunk length, payload ID |
| sctpNChunks | SCTP number of chunks |
| sctpCCBF | SCTP aggregated error cause code bit field |
| sctpARW | SCTP Advertised Receiver Window |
| sctpPID | SCTP Payload ID |
| sctpStat | SCTP status |
| sctpTSN | SCTP Transmission Sequence Number (TSN) |
| sctpTSNAck | SCTP Transmission Sequence Number (TSN) Acknowledgement |
| sctpRelTSN | SCTP relative Transmission Sequence Number (TSN) |
| sctpRelTSNAck | SCTP relative Transmission Sequence Number (TSN) Acknowledgement |
| sctpASIP4 | SCTP ASCONF IPv4 |
| sctpASIP6 | SCTP ASCONF IPv6 |
smbDecode
SMB: Server Message Block
Flow output
| Name | Description |
|---|---|
| smbStat | SMB status |
| smb1NDialects | SMB1 number of requested dialects |
| smb1Dialects | SMB1 requested dialects |
| smb2NDialects | SMB2 number of dialects |
| smb2Dialects | SMB2 dialect revision |
| smbNHdrStat | SMB2 number of unique SMB2 header status values |
| smbHdrStat | SMB2 list of unique header status |
| smbOpcodes | SMB opcodes |
| smbNOpcodes | SMB number of opcodes |
| smbPrevSessId | SMB previous session ID |
| smbNativeOS | SMB native OS |
| smbNativeLanMan | SMB native LAN Manager |
| smbPrimDom | SMB primary domain |
| smbTargName | SMB target name |
| smbDomName | SMB domain name |
| smbUserName | SMB user name |
| smbHostName | SMB host name |
| smbNTLMServChallenge | SMB NTLM server challenge |
| smbNTProofStr | SMB NT proof string |
| smbSessionKey | SMB session key |
| smbGUID | SMB client/server GUID |
| smbSFlags_secM_caps | SMB session flags, security mode and capabilities |
| smbBootT | SMB server start time |
| smbMaxSizeT_R_W | SMB max transaction/read/write size |
| smbPath | SMB full share path name |
| smbShareT | SMB type of share being accessed |
| smbShareF_caps_acc | SMB share flags, capabilities and access mask |
| smbNFiles | SMB number of accessed files |
| smbFiles | SMB accessed files |
smtpDecode
SMTP: Simple Mail Transfer Protocol
Flow output
| Name | Description |
|---|---|
| smtpStat | SMTP status |
| smtpCBF | SMTP command codes bitfield |
| smtpCC | SMTP command codes |
| smtpRC | SMTP response codes |
| smtpUsr | SMTP users |
| smtpPW | SMTP passwords |
| smtpSANum | SMTP number of server addresses |
| smtpESANum | SMTP number of email sender addresses |
| smtpERANum | SMTP number of email receiver addresses |
| smtpSA | SMTP server send addresses |
| smtpESA | SMTP email send addresses |
| smtpERA | SMTP email receive addresses |
Packet output
| Name | Description |
|---|---|
| smtpStat | SMTP status |
snmpDecode
SNMP: Simple Network Management Protocol
Flow output
| Name | Description |
|---|---|
| snmpStat | SNMP status |
| snmpVersion | SNMP version |
| snmpCommunity | SNMP community |
| snmpUser | SNMP username |
| snmpMsgT | SNMP message types bitfield |
| snmpNumReq_Next_Resp_Set_Trap1_Bulk_Info_Trap2_Rep | SNMP number of GetRequest, GetNextRequest, GetResponse, SetRequest, Trapv1, GetBulkRequest, InformRequest, Trapv2, and Report packets |
Packet output
| Name | Description |
|---|---|
| snmpVersion | SNMP version |
| snmpCommunity | SNMP community |
| snmpUser | SNMP username |
| snmpType | SNMP message type |
sshDecode
SSH: Secure Shell
Flow output
| Name | Description |
|---|---|
| sshStat | SSH status |
| sshVersion | SSH version and software |
| sshHostKeyType | SSH host key type |
| sshFingerprint | SSH public key fingerprint |
| sshCookie | SSH cookie |
| sshKEX | SSH chosen KEX algorithm |
| sshSrvHKeyAlgo | SSH chosen server host key algorithm |
| sshEncCS | SSH chosen encryption algorithm client to server |
| sshEncSC | SSH chosen encryption algorithm server to client |
| sshMacCS | SSH chosen MAC algorithm client to server |
| sshMacSC | SSH chosen MAC algorithm server to client |
| sshCompCS | SSH chosen compression algorithm client to server |
| sshCompSC | SSH chosen compression algorithm server to client |
| sshLangCS | SSH chosen language client to server |
| sshLangSC | SSH chosen language server to client |
| sshKEXList | SSH KEX algorithms |
| sshSrvHKeyAlgoList | SSH server host key algorithms |
| sshEncCSList | SSH encryption algorithms client to server |
| sshEncSCList | SSH encryption algorithms server to client |
| sshMacCSList | SSH MAC algorithms client to server |
| sshMacSCList | SSH MAC algorithms server to client |
| sshCompCSList | SSH compression algorithms client to server |
| sshCompSCList | SSH compression algorithms server to client |
| sshLangCSList | SSH languages client to server |
| sshLangSCList | SSH languages server to client |
| sshHassh | SSH HASSH fingerprint |
| sshHasshDesc | SSH HASSH description |
| sshHasshStr | SSH HASSH string |
Packet output
| Name | Description |
|---|---|
| sshStat | SSH status |
sslDecode
SSL/TLS (Secure Socket Layer/Transport Layer Security, OpenVPN
Flow output
| Name | Description |
|---|---|
| sslStat | SSL status |
| sslProto | SSL proto |
| ovpnType | OpenVPN message types |
| ovpnSessionID | OpenVPN session ID |
| sslFlags | SSL flags |
| sslVersion | SSL version |
| sslNumRecVer | SSL number of record versions |
| sslRecVer | SSL record version |
| sslNumHandVer | SSL number of handshake versions |
| sslHandVer | SSL handshake version |
| sslVuln | SSL vulnerabilities |
| sslAlert | SSL alert |
| sslCipher | SSL preferred (Client) / negotiated (Server) cipher |
| sslNumExt | SSL number of extensions |
| sslExtList | SSL list of extensions |
| sslNumSuppVer | SSL number of supported versions |
| sslSuppVer | SSL list of supported versions (client), negotiated version (server) |
| sslNumSigAlg | SSL number of signature algorithms |
| sslSigAlg | SSL list of signature algorithms |
| sslNumECPt | SSL number of EC points |
| sslECPt | SSL list of EC points |
| sslNumECFormats | SSL number of EC point formats |
| sslECFormats | SSL list of EC point formats |
| sslNumALPN | SSL number of protocols (ALPN) |
| sslALPNList | SSL list of protocols (ALPN) |
| sslNumALPS | SSL number of protocols (ALPS) |
| sslALPSList | SSL list of protocols (ALPS) |
| sslNumNPN | SSL number of protocols (NPN) |
| sslNPNList | SSL list of protocols (NPN) |
| sslNumCipher | SSL number of supported ciphers |
| sslCipherList | SSL list of supported cipher |
| sslNumCC_A_H_AD_HB | SSL number of change_cipher, alert, handshake, application data, heartbeat records |
| sslSessIdLen | SSL Session ID length |
| sslGMTTime | SSL GMT Unix Time |
| sslServerName | SSL server name |
| sslCertVersion | SSL certificate version |
| sslCertSerial | SSL certificate serial number |
| sslCertMd5FP | SSL certificate MD5 fingerprint |
| sslCertSha1FP | SSL certificate SHA1 fingerprint |
| sslCNotValidBefore_after_lifetime | SSL certificate validity period (not valid before/after, lifetime (seconds)) |
| sslCSigAlg | SSL certificate signature algorithm |
| sslCKeyAlg | SSL certificate public key algorithm |
| sslCPKeyType_Size | SSL certificate public key type, size (bits) |
| sslCSubject | SSL certificate subject |
| sslCSubjectCommonName | SSL certificate subject common name |
| sslCSubjectOrgName | SSL certificate subject organization name |
| sslCSubjectOrgUnit | SSL certificate subject organizational unit name |
| sslCSubjectLocality | SSL certificate subject locality name |
| sslCSubjectState | SSL certificate subject state or province name |
| sslCSubjectCountry | SSL certificate subject country name |
| sslCIssuer | SSL certificate issuer |
| sslCIssuerCommonName | SSL certificate issuer common name |
| sslCIssuerOrgName | SSL certificate issuer organization name |
| sslCIssuerOrgUnit | SSL certificate issuer organizational unit name |
| sslCIssuerLocality | SSL certificate issuer locality name |
| sslCIssuerState | SSL certificate issuer state or province name |
| sslCIssuerCountry | SSL certificate issuer country name |
| sslBlistCat | SSL blacklisted certificate category |
| sslJA3Hash | SSL JA3 fingerprint |
| sslJA3Desc | SSL JA3 description |
| sslJA3Str | SSL JA3 string |
| sslJA4 | SSL JA4/JA4S fingerprint |
| sslJA4Desc | SSL JA4/JA4S description |
| sslJA4O | SSL JA4_o fingerprint (original order) |
| sslJA4R | SSL JA4_r fingerprint (raw) |
| sslJA4RO | SSL JA4_o fingerprint (raw, original order) |
| sslTorFlow | SSL Tor flow |
stpDecode
STP: Spanning Tree Protocol
Flow output
| Name | Description |
|---|---|
| stpStat | STP status |
| stpVer | STP protocol version identifier |
| stpType | STP aggregated BPDU types |
| stpFlags | STP aggregated BPDU flags |
| stpRtCst | STP root cost |
| stpRtPrio | STP root priority |
| stpRtExt | STP root extension (VLAN) |
| stpRtMAC | STP root MAC |
| stpBrdgPrio | STP bridge priority |
| stpBrdgExt | STP bridge extension (VLAN) |
| stpBrdgMAC | STP bridge MAC |
| stpRtBID | STP root bridge ID |
| stpBrdgID | STP bridge ID |
| stpFrwrd | STP forward delay |
Packet output
| Name | Description |
|---|---|
| stpStat | STP status |
| stpProto | STP protocol identifier |
| stpVer | STP protocol version identifier |
| stpType | STP BPDU type |
| stpFlags | STP BPDU flags |
| stpRtCst | STP root cost |
| stpRtBID | STP root bridge ID |
| stpBrdgID | STP bridge ID |
| stpRtPrio | STP root priority |
| stpRtExt | STP root extension (VLAN) |
| stpRtMAC | STP root MAC |
| stpBrdgPrio | STP bridge priority |
| stpBrdgExt | STP bridge extension (VLAN) |
| stpBrdgMAC | STP bridge MAC |
| stpPort | STP port identifier |
| stpMsgAge | STP message age |
| stpMaxAge | STP max age |
| stpHello | STP hello time |
| stpFrwrd | STP forward delay |
| stpPvstOrigVlan | STP originating VLAN (PVSTP+) |
stunDecode
STUN, TURN, ICE and NAT-PMP
Flow output
| Name | Description |
|---|---|
| natStat | NAT status |
| natErr | NAT error code |
| natMCReq_Ind_Succ_Err | NAT message class (REQ, INDIC, SUCC RESP, ERR RESP) (STUN) |
| natAddr_Port | NAT mapped address and port (STUN) |
| natXAddr_Port | NAT xor mapped address and port (STUN) |
| natPeerAddr_Port | NAT xor peer address and port (TURN) |
| natOrigAddr_Port | NAT response origin address and port (STUN) |
| natRelayAddr_Port | NAT relayed address and port (TURN) |
| natDstAddr_Port | NAT destination address and port (TURN) |
| natOtherAddr_Port | NAT other address and port (STUN) |
| natLifetime | NAT binding lifetime [seconds] (STUN) |
| natUser | NAT username (STUN) |
| natPass | NAT password (STUN) |
| natRealm | NAT realm (STUN) |
| natSoftware | NAT software (STUN) |
| natPMPReqEA_MU_MT | NAT-PMP number of requests (External Address, Map UDP, Map TCP) |
| natPMPRespEA_MU_MT | NAT-PMP number of responses (External Address, Map UDP, Map TCP) |
| natPMPSSSOE | NAT-PMP seconds since start of epoch |
syslogDecode
Syslog
Flow output
| Name | Description |
|---|---|
| syslogStat | Syslog status |
| syslogMCnt | Syslog message count |
| syslogSev_Fac_Cnt | Syslog number of severity/facility messages |
Packet output
| Name | Description |
|---|---|
| syslogStat | Syslog status |
| syslogSev | Syslog severity |
| syslogFac | Syslog facility |
tcpFlags
IP and TCP flags
Flow output
| Name | Description |
|---|---|
| tcpFStat | tcpFlags status |
| ipMindIPID | IP minimum delta IP ID |
| ipMaxdIPID | IP maximum delta IP ID |
| ipMinTTL | IP minimum TTL |
| ipMaxTTL | IP maximum TTL |
| ipTTLChg | IP TTL change count |
| ipToSPrec_ecn | IP Type of Service: Precedence and ECN |
| ipToSDscp_ecn | IP Type of Service: DSCP and ECN decimal |
| ipToS | IP Type of Service hex |
| ipFlags | IP aggregated flags |
| ipOptCnt | IP options count |
| ipOptCpCl_Num | IP aggregated options, copy-class and number |
| ip6OptCntHH_D | IPv6 Hop-by-Hop destination option counts |
| ip6OptHH_D | IPv6 aggregated Hop-by-Hop destination options |
| tcpISeqN | TCP initial sequence number |
| tcpPSeqCnt | TCP packet seq count |
| tcpSeqSntBytes | TCP sent seq diff bytes |
| tcpSeqFaultCnt | TCP sequence number fault count |
| tcpPAckCnt | TCP packet ACK count |
| tcpFlwLssAckRcvdBytes | TCP flawless ACK received bytes |
| tcpAckFaultCnt | TCP ACK number fault count |
| tcpBFlgtMx | TCP Bytes in Flight MAX |
| tcpInitWinSz | TCP initial effective window size |
| tcpAvgWinSz | TCP average effective window size |
| tcpMinWinSz | TCP minimum effective window size |
| tcpMaxWinSz | TCP maximum effective window size |
| tcpWinSzDwnCnt | TCP effective window size change down count |
| tcpWinSzUpCnt | TCP effective window size change up count |
| tcpWinSzChgDirCnt | TCP effective window size direction change count |
| tcpWinSzThRt | TCP packet count ratio below window size WINMIN threshold |
| tcpFlags | TCP aggregated protocol flags (FINACK, SYNACK, RSTACK, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN) |
| tcpAnomaly | TCP aggregated header anomaly flags |
| tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X | TCP flags counts (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, FIN-ACK, SYN-ACK, RST-ACK, none, SYN-FIN, SYN-FIN-RST, RST-FIN, Xmas (FIN-PSH-URG) |
| tcpJA4T | TCP JA4T/JA4TS fingerprint |
| tcpOptPktCnt | TCP options packet count |
| tcpOptCnt | TCP options count |
| tcpOptions | TCP aggregated options |
| tcpMSS | TCP maximum segment size |
| tcpWS | TCP window scale |
| tcpMPTBF | TCP MPTCP type bitfield |
| tcpMPF | TCP MPTCP flags |
| tcpMPAID | TCP MPTCP address ID |
| tcpMPDSSF | TCP MPTCP DSS flags |
| tcpTmS | TCP time stamp |
| tcpTmER | TCP time echo reply |
| tcpEcI | TCP estimated counter increment |
| tcpUtm | TCP estimated up time |
| tcpBtm | TCP estimated boot time |
| tcpSSASAATrip | TCP trip time (A: SYN, SYN-ACK, B: SYN-ACK, ACK) |
| tcpRTTAckTripMin | TCP ACK trip min |
| tcpRTTAckTripMax | TCP ACK trip max |
| tcpRTTAckTripAvg | TCP ACK trip average |
| tcpRTTAckTripJitAvg | TCP ACK trip jitter average |
| tcpRTTSseqAA | TCP round trip time (A: SYN, SYN-ACK, ACK, B: ACK-ACK) |
| tcpRTTAckJitAvg | TCP ACK round trip average jitter |
Packet output
| Name | Description |
|---|---|
| ipToSPrec_ecn | IP Type of Service: Precedence and ECN |
| ipToSDscp_ecn | IP Type of Service: DSCP and ECN decimal |
| ipToS | IP Type of Service hex |
| ipID | IP ID |
| ipIDDiff | IP ID difference |
| ipFrag | IP fragment |
| ipTTL | IP TTL |
| ipHdrChkSum | IP header checksum |
| ipCalChkSum | IP header computed checksum |
| l4HdrChkSum | Layer 4 header checksum |
| l4CalChkSum | Layer 4 header computed checksum |
| ipFlags | IP flags |
| ip6HHOptLen | IPv6 Hop-by-Hop options length |
| ip6HHOpts | IPv6 Hop-by-Hop options |
| ip6DOptLen | IPv6 Destination options length |
| ip6DOpts | IPv6 Destination options |
| ipOptLen | IPv4 options length |
| ipOpts | IPv4 options |
| seq | Sequence number |
| ack | Acknowledgement number |
| seqMax | Sequence number max |
| seqDiff | Sequence number diff |
| ackDiff | Acknowledgement number diff |
| seqLen | Sequence length |
| ackLen | Acknowledgement length |
| seqFlowLen | Sequence flow length |
| ackFlowLen | Acknowledgement flow length |
| tcpMLen | Aggregated valid bytes transmitted so far |
| tcpBFlgt | Number of bytes in flight (not acknowledge) |
| tcpFStat | TCP aggregated protocol flags + combinations (CWR, ACK, PSH, RST, SYN, FIN, …) |
| tcpFlags | TCP flags |
| tcpAnomaly | TCP aggregated header anomaly flags |
| tcpWin | TCP window size |
| tcpWS | TCP window scale factor |
| tcpMSS | TCP maximum segment size |
| tcpTmS | TCP time stamp |
| tcpTmER | TCP time echo reply |
| tcpMPTyp | MPTCP type |
| tcpMPF | MPTCP flags |
| tcpMPAID | MPTCP address ID |
| tcpMPdssF | MPTCP DSS flags |
| tcpOptLen | TCP options length |
| tcpOpts | TCP options |
tcpStates
TCP connection tracker
Flow output
| Name | Description |
|---|---|
| tcpStatesAFlags | TCP state machine anomalies |
Packet output
| Name | Description |
|---|---|
| tcpStatesAFlags | TCP state machine anomalies |
telegram
Telegram
Flow output
| Name | Description |
|---|---|
| tgStat | telegram status |
| tgAuthKeyId | telegram auth key id |
Packet output
| Name | Description |
|---|---|
| tgStat | telegram status |
telnetDecode
Telnet
Flow output
| Name | Description |
|---|---|
| telStat | Telnet status |
| telCmdBF | Telnet commands |
| telOptBF | Telnet options |
| telUsr | Telnet user |
| telPW | Telnet password |
| telCCnt | Telnet command count |
| telCmdS | Telnet command names |
| telCmdC | Telnet command codes |
| telOCnt | Telnet option count |
| telOptS | Telnet option names |
| telOptC | Telnet option codes |
Packet output
| Name | Description |
|---|---|
| telStat | Telnet status |
| telCmdS | Telnet command name |
| telOptS | Telnet option name |
| telCmdC | Telnet command code |
| telOptC | Telnet option code |
tftpDecode
TFTP: Trivial File Transfer Protocol
Flow output
| Name | Description |
|---|---|
| tftpStat | TFTP status |
| tftpPFlow | TFTP parent flow |
| tftpOpCBF | TFTP opcode bitfield |
| tftpErrCBF | TFTP error Code bitfield |
| tftpNumOpcode | TFTP number of opcodes |
| tftpOpcode | TFTP opcodes |
| tftpNumParam | TFTP number of parameters |
| tftpParam | TFTP parameters |
| tftpNumErr | TFTP number of errors |
| tftpErrC | TFTP error codes |
Packet output
| Name | Description |
|---|---|
| tftpStat | TFTP status |
| tftpOpcode | TFTP opcode |
torDetector
Tor: The Onion Router
Flow output
| Name | Description |
|---|---|
| torStat | Tor status |
Packet output
| Name | Description |
|---|---|
| torStat | Tor status |
tp0f
OS classification based on layer 3/4 (IP/TCP) analysis
Flow output
| Name | Description |
|---|---|
| tp0fStat | tp0f status |
| tp0fDis | tp0f TTL distance |
| tp0fRN | tp0f rule number |
| tp0fClass | tp0f class |
| tp0fProg | tp0f program |
| tp0fVer | tp0f version |
| tp0fClName | tp0f OS class name |
| tp0fPrName | tp0f OS/program name |
| tp0fVerName | tp0f OS/program version name |
Packet output
| Name | Description |
|---|---|
| tp0fStat | tp0f status |
| tp0fDis | tp0f TTL distance |
| tp0fPrName | tp0f OS/program name |
| tp0fVerName | tp0f OS/program version name |
voipDetector
VoIP: Voice over IP
Flow output
| Name | Description |
|---|---|
| voipStat | VoIP status |
| voipType | VoIP RTP / RTCP Type |
| voipSSRC | VoIP RTP / RTCP Synchronization Source Identifier |
| voipCSRC | VoIP RTP / RTCP Contributing Sources |
| voipSRCnt | VoIP RTP SID / RTCP record count |
| rtpPMCnt | VoIP RTP packet miss count |
| rtpPMr | VoIP RTP packet miss ratio |
| sipMethods | VoIP SIP methods |
| sipStatCnt | VoIP SIP stat count |
| sipReqCnt | VoIP SIP request count |
| sipUsrAgnt | VoIP SIP User-Agent |
| sipRealIP | VoIP SIP X-Real-IP |
| sipFrom | VoIP SIP Caller |
| sipTo | VoIP SIP Callee |
| sipCallID | VoIP SIP Call-ID |
| sipContact | VoIP SIP Contact |
| sipStat | VoIP SIP stat |
| sipReq | VoIP SIP request |
| sdpSessID | VoIP SDP session ID |
| sdpRFAdd | VoIP SDP RTP audio/video flow address |
| sdpRAFPrt | VoIP SDP RTP audio flow port |
| sdpRVFPrt | VoIP SDP RTP video flow port |
| sdpRTPMap | VoIP SIP SDP rtpmap |
| voipFindex | VoIP SIP RTP findex |
| rtcpTPCnt | VoIP RTCP cumulated transmitter packet count |
| rtcpTBCnt | VoIP RTCP cumulated transmitter byte count |
| rtcpFracLst | VoIP RTCP cumulated fraction lost |
| rtcpCPMCnt | VoIP RTCP cumulated packet miss count |
| rtcpMaxIAT | VoIP RTCP max inter-arrival time |
| voipFname | VoIP RTP content filename |
Packet output
| Name | Description |
|---|---|
| voipStat | VoIP status |
| voipType | VoIP RTP / RTCP Type |
| voipSeqN | VoIP RTP / RTCP sequence number |
| voipTs | VoIP RTP / RTCP timestamp |
| voipTsDiff | VoIP RTP / RTCP timestamp difference |
| voipSSRC | VoIP RTP / RTCP Synchronization Source Identifier |
vrrpDecode
VRRP: Virtual Router Redundancy Protocol
Flow output
| Name | Description |
|---|---|
| vrrpStat | VRRP status |
| vrrpVer | VRRP version |
| vrrpType | VRRP type |
| vrrpVRIDCnt | VRRP virtual router ID count |
| vrrpVRID | VRRP virtual router ID |
| vrrpMinPri | VRRP minimum priority |
| vrrpMaxPri | VRRP maximum priority |
| vrrpMinAdvInt | VRRP minimum advertisement interval (seconds) |
| vrrpMaxAdvInt | VRRP maximum advertisement interval (seconds) |
| vrrpAuthType | VRRP authentication type |
| vrrpAuth | VRRP authentication string |
| vrrpIPCnt | VRRP IP address count |
| vrrpIP | VRRP IP addresses |
vrrp.txt file
| Name | Description |
|---|---|
| VirtualRtrID | Virtual router ID |
| Priority | Priority |
| SkewTime | Skew time (seconds) |
| MasterDownInterval | Master down interval (seconds) |
| AddrCount | Number of addresses |
| Addresses | List of addresses |
| Version | VRRP version |
| Type | Message type |
| AdverInt | Advertisement interval (seconds) |
| AuthType | Authentication type |
| AuthString | Authentication string |
| Checksum | Stored checksum |
| CalcChecksum | Calculated checksum |
| flowInd | Flow index |
vtpDecode
VTP: VLAN Trunking Protocol
Flow output
| Name | Description |
|---|---|
| vtpStat | VTP status |
| vtpVer | VTP version |
| vtpCodeBF | VTP aggregated codes |
| vtpVlanTypeBF | VTP aggregated VLAN types |
| vtpDomain | VTP Management Domain |
| vtpNumUpdId | VTP number Updater Identity |
| vtpUpdId | VTP Updater Identity |
| vtpFirstUpdTS | VTP Timestamp of first update |
| vtpLastUpdTS | VTP Timestamp of last update |
Packet output
| Name | Description |
|---|---|
| vtpStat | VTP status |
| vtpVer | VTP version |
| vtpCode | VTP code |
| vtpDomain | VTP Management Domain |
| vtpVlanTypeBF | VTP aggregated VLAN types |
vtp.txt file
| Name | Description |
|---|---|
| pktNo | Packet number |
| flowInd | Flow index |
| srcMac | MAC address which issued this advertisement |
| vtpVer | VTP version |
| vtpDomain | VTP Management Domain |
| vtpRevNum | VTP Configuration Revision Number |
| vtpVlanType | Aggregated VLAN type |
| vtpVlanID | ISL VLAN ID |
| vtpVlanName | VLAN Name |
| vtpVlanSAID | 802.10 Index (IEEE 802.10 security association identifier for this VLAN) |
| vtpVlanMTU | MTU Size |
| vtpVlanSuspended | State of the VLAN (suspended or not) |
wavelet
Wavelet
Flow output
| Name | Description |
|---|---|
| waveNumPnts | Wavelet number of points |
| waveSig | Wavelet signal |
| waveNumLvl | Number of wavelet levels |
| waveCoefDetailDB1 | Daubechies 1 (DB1) wavelet detail coefficients |
| waveCoefDetailDB2 | Daubechies 2 (DB2) wavelet detail coefficients |
| waveCoefDetailDB3 | Daubechies 3 (DB3) wavelet detail coefficients |
| waveCoefDetailDB4 | Daubechies 4 (DB4) wavelet detail coefficients |
| waveCoefApprox | Wavelet approximation coefficients |