List of output fields

tranalyzer2

Flow output

Name Description
dir Flow direction
flowInd Flow index

Packet output

Name Description
pktNo Packet number
flowInd Flow index
hexContent Content in hexadecimal
hexLsbContent Content (least significant bit first) in hexadecimal
hexNsContent Content (nibble swapped) in hexadecimal
hexLsbNsContent Content (least significant bit first and nibble swapped) in hexadecimal
lsbContent Content (least significant bit first)
nsContent Content (nibble swapped)
content Content
l2HexContent Content from layer 2 in hexadecimal
l2HexLsbContent Content from layer 2 (least significant bit first) in hexadecimal
l2HexNsContent Content from layer 2 (nibble swapped) in hexadecimal
l2HexLsbNsContent Content from layer 2 (least significant bit first and nibble swapped) in hexadecimal
l3HexContent Content from layer 3 in hexadecimal
l3HexLsbContent Content from layer 3 (least significant bit first) in hexadecimal
l3HexNsContent Content from layer 3 (nibble swapped) in hexadecimal
l3HexLsbNsContent Content from layer 3 (least significant bit first and nibble swapped) in hexadecimal
l4HexContent Content from layer 4 in hexadecimal
l4HexLsbContent Content from layer 4 (least significant bit first) in hexadecimal
l4HexNsContent Content from layer 4 (nibble swapped) in hexadecimal
l4HexLsbNsContent Content from layer 4 (least significant bit first and nibble swapped) in hexadecimal
l7HexContent Content from layer 7 in hexadecimal
l7HexLsbContent Content from layer 7 (least significant bit first) in hexadecimal
l7HexNsContent Content from layer 7 (nibble swapped) in hexadecimal
l7HexLsbNsContent Content from layer 7 (least significant bit first and nibble swapped) in hexadecimal

arpDecode

ARP: Address Resolution Protocol

Flow output

Name Description
arpStat ARP status
arpHwType ARP hardware type
arpOpcode ARP operational code
arpIpMacCnt ARP number of distinct MAC/IP pairs
arpMac_Ip_Cnt ARP MAC/IP pairs found and number of times the pair

Packet output

Name Description
arpStat ARP status
arpHwType ARP hardware type
arpProtoType ARP protocol type
arpHwSize ARP hardware size
arpProtoSize ARP protocol size
arpOpcode ARP operational code
arpSenderMAC ARP sender MAC address
arpSenderIP ARP sender IP address
arpTargetMAC ARP target MAC address
arpTargetIP ARP target IP address

basicFlow

Overall flow information

Flow output

Name Description
sensorID Sensor ID
flowStat Flow status and warnings
timeFirst Date time of first packet
timeLast Date time of last packet
duration Flow duration
numHdrDesc Number of different header descriptions
numHdrs Number of headers (depth) in hdrDesc
hdrDesc Header descriptions
hdrDesc_pktCnt Header descriptions and packet count
srcMAC Source MAC address
dstMAC Destination MAC address
ethType Ethernet type
vlanTPID_PCP_DEI_VID VLAN tag protocol identifier (TPID), priority code point (PCP), drop eligible indicator (DEI), VLAN identifier (VID)
vlanHdr VLAN headers (hexadecimal)
vlanID VLAN IDs
mplsLabel_ToS_S_TTL MPLS headers details
mplsHdrsHex MPLS headers (hexadecimal)
mplsLabelsHex MPLS labels (hexadecimal)
mplsLabels MPLS labels
pppHdr PPP header
lapdSAPI LAPD Service Access Point Identifier (SAPI)
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
l2tpHdr L2TP header
l2tpTID L2TPv2 tunnel ID
l2tpSID L2TPv2 session ID
l2tpCCSID L2TPv3 control connection/session ID
l2tpSrcIP L2TP source IP address
l2tpSrcIPASN L2TP source ASN
l2tpSrcIPCOC L2TP source IP country organization code
l2tpSrcIPCC L2TP source IP country
l2tpSrcIPCnty L2TP source IP county
l2tpSrcIPCity L2TP source IP city
l2tpSrcIPOrg L2TP source IP organization
l2tpSrcIPLat_Lng_relP L2TP source IP latitude, longitude, reliability
l2tpDstIP L2TP destination IP address
l2tpDstIPASN L2TP destination ASN
l2tpDstIPCOC L2TP destination IP country organization code
l2tpDstIPCC L2TP destination IP country
l2tpDstIPCnty L2TP destination IP county
l2tpDstIPCity L2TP destination IP city
l2tpDstIPOrg L2TP destination IP organization
l2tpDstIPLat_Lng_relP L2TP destination IP latitude, longitude, reliability
greHdr GRE header
greSrcIP GRE source IP address
greSrcIPASN GRE source ASN
greSrcIPCOC GRE source IP country organization code
greSrcIPCC GRE source IP country
greSrcIPCnty GRE source IP county
greSrcIPCity GRE source IP city
greSrcIPOrg GRE source IP organization
greSrcIPLat_Lng_relP GRE source IP latitude, longitude, reliability
greDstIP GRE destination IP address
greDstIPASN GRE destination ASN
greDstIPCOC GRE destination IP country organization code
greDstIPCC GRE destination IP country
greDstIPCnty GRE destination IP county
greDstIPCity GRE destination IP city
greDstIPOrg GRE destination IP organization
greDstIPLat_Lng_relP GRE destination IP latitude, longitude, reliability
trdoDstIP Teredo IPv4 address
trdoDstIPASN Teredo IPv4 ASN
trdoDstIPCOC Teredo IPv4 country organization code
trdoDstIPCC Teredo IPv4 country
trdoDstIPCnty Teredo IPv4 county
trdoDstIPCity Teredo IPv4 city
trdoDstIPOrg Teredo IPv4 organization
trdoDstIPLat_Lng_relP Teredo IPv4 latitude, longitude, reliability
trdoDstPort Teredo destination port
trdo6SrcFlgs Teredo IPv6 source address decode: Flags
trdo6SrcSrvIP4 Teredo IPv6 source address decode: Server IPv4
trdo6SrcSrvIP4ASN Teredo IPv6 source address decode: Server IPv4 ASN
trdo6SrcSrvIP4COC Teredo IPv6 source address decode: Server IPv4 country organization code
trdo6SrcSrvIP4CC Teredo IPv6 source address decode: Server IPv4 country
trdo6SrcSrvIP4Cnty Teredo IPv6 source address decode: Server IPv4 county
trdo6SrcSrvIP4City Teredo IPv6 source address decode: Server IPv4 city
trdo6SrcSrvIP4Org Teredo IPv6 source address decode: Server IPv4 organization
trdo6SrcSrvIP4Lat_Lng_relP Teredo IPv6 source address decode: Server IPv4 latitude, longitude, reliability
trdo6SrcCPIP4 Teredo IPv6 source address decode: Client public IPv4
trdo6SrcCPIP4ASN Teredo IPv6 source address decode: Client public IPv4 ASN
trdo6SrcCPIP4COC Teredo IPv6 source address decode: Client public IPv4 country organization code
trdo6SrcCPIP4CC Teredo IPv6 source address decode: Client public IPv4 country
trdo6SrcCPIP4Cnty Teredo IPv6 source address decode: Client public IPv4 county
trdo6SrcCPIP4City Teredo IPv6 source address decode: Client public IPv4 city
trdo6SrcCPIP4Org Teredo IPv6 source address decode: Client public IPv4 organization
trdo6SrcCPIP4Lat_Lng_relP Teredo IPv6 source address decode: Client public IPv4 latitude, longitude, reliability
trdo6SrcCPPort Teredo IPv6 source address decode: Client public port
trdo6DstFlgs Teredo IPv6 destination address decode: Flags
trdo6DstSrvIP4 Teredo IPv6 destination address decode: Server IPv4
trdo6DstSrvIP4ASN Teredo IPv6 destination address decode: Server IPv4 ASN
trdo6DstSrvIP4COC Teredo IPv6 destination address decode: Server IPv4 country organization code
trdo6DstSrvIP4CC Teredo IPv6 destination address decode: Server IPv4 country
trdo6DstSrvIP4Cnty Teredo IPv6 destination address decode: Server IPv4 county
trdo6DstSrvIP4City Teredo IPv6 destination address decode: Server IPv4 city
trdo6DstSrvIP4Org Teredo IPv6 destination address decode: Server IPv4 organization
trdo6DstSrvIP4Lat_Lng_relP Teredo IPv6 destination address decode: Server IPv4 latitude, longitude, reliability
trdo6DstCPIP4 Teredo IPv6 destination address decode: Client public IPv4
trdo6DstCPIP4ASN Teredo IPv6 destination address decode: Client public IPv4 ASN
trdo6DstCPIP4COC Teredo IPv6 destination address decode: Client public IPv4 country organization code
trdo6DstCPIP4CC Teredo IPv6 destination address decode: Client public IPv4 country
trdo6DstCPIP4Cnty Teredo IPv6 destination address decode: Client public IPv4 county
trdo6DstCPIP4City Teredo IPv6 destination address decode: Client public IPv4 city
trdo6DstCPIP4Org Teredo IPv6 destination address decode: Client public IPv4 organization
trdo6DstCPIP4Lat_Lng_relP Teredo IPv6 destination address decode: Client public IPv4 latitude, longitude, reliability
trdo6DstCPPort Teredo IPv6 destination address decode: Client public port
srcIP Source IP address(es)
srcIPASN Source ASN
srcIPCOC Source IP country organization code
srcIPCC Source IP country
srcIPCnty Source IP county
srcIPCity Source IP city
srcIPOrg Source IP organization
srcIPLat_Lng_relP Source IP latitude, longitude, reliability
srcPort Source port
dstIP Destination IP address(es)
dstIPASN Destination ASN
dstIPCOC Destination IP country organization code
dstIPCC Destination IP country
dstIPCnty Destination IP county
dstIPCity Destination IP city
dstIPOrg Destination IP organization
dstIPLat_Lng_relP Destination IP latitude, longitude, reliability
dstPort Destination port
l4Proto Layer 4 protocol

Packet output

Name Description
flowStat Flow status and warnings
relTime Duration since start of pcap or interface sniffing
time Date time of packet
pktIAT Packet inter-arrival time (IAT)
pktTrip Packet round-trip time
flowDuration Flow duration
numHdrs Number of headers (depth) in hdrDesc
hdrDesc Header descriptions
vlanEthType_pri_dei_id VLAN ethertype, priority, Drop Eligible Indicator (DEI), ID
vlanHdr VLAN headers (hexadecimal)
vlanID VLAN IDs
mplsLabel_ToS_S_TTL MPLS headers details
mplsHdrsHex MPLS headers (hexadecimal)
mplsLabelsHex MPLS labels (hexadecimal)
mplsLabels MPLS labels
srcMac Source MAC address
dstMac Destination MAC address
ethType Ethernet type
lapdSAPI LAPD Service Access Point Identifier (SAPI)
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
lapdFType LAPD frame type
lapdFunc LAPD command (U-Frame) or supervisory frame type
lapdNR LAPD receive sequence number
lapdNS LAPD send sequence number
srcIP Source IP address(es)
srcIPCC Source IP country
srcIPOrg Source IP organization
srcPort Source port
dstIP Destination IP address(es)
dstIPCC Destination IP country
dstIPOrg Destination IP organization
dstPort Destination port
l4Proto Layer 4 protocol

basicStats

Basic statistics

Flow output

Name Description
pktsSnt Number of transmitted packets
pktsRcvd Number of received packets
pktsRTAggr Number of received + transmitted packets
padBytesSnt Number of transmitted padding bytes
l2BytesSnt Number of transmitted layer 2 bytes
l3BytesSnt Number of transmitted layer 3 bytes
l4BytesSnt Number of transmitted layer 4 bytes
l7BytesSnt Number of transmitted layer 7 bytes
l2BytesRcvd Number of received layer 2 bytes
l3BytesRcvd Number of received layer 3 bytes
l4BytesRcvd Number of received layer 4 bytes
l7BytesRcvd Number of received layer 7 bytes
l2BytesRTAggr Number of received + transmitted layer 2 bytes
l3BytesRTAggr Number of received + transmitted layer 3 bytes
l4BytesRTAggr Number of received + transmitted layer 4 bytes
l7BytesRTAggr Number of received + transmitted layer 7 bytes
minL2PktSz Minimum layer 2 packet size
minL3PktSz Minimum layer 3 packet size
minL4PktSz Minimum layer 4 packet size
minL7PktSz Minimum layer 7 packet size
maxL2PktSz Maximum layer 2 packet size
maxL3PktSz Maximum layer 3 packet size
maxL4PktSz Maximum layer 4 packet size
maxL7PktSz Maximum layer 7 packet size
avgL2PktSz Average layer 2 packet size
avgL3PktSz Average layer 3 packet size
avgL4PktSz Average layer 4 packet size
avgL7PktSz Average layer 7 packet size
stdL2PktSz Standard deviation layer 2 packet size
stdL3PktSz Standard deviation layer 3 packet size
stdL4PktSz Standard deviation layer 4 packet size
stdL7PktSz Standard deviation layer 7 packet size
varL2PktSz Variance layer 2 packet size
varL3PktSz Variance layer 3 packet size
varL4PktSz Variance layer 4 packet size
varL7PktSz Variance layer 7 packet size
skewL2PktSz Skewness layer 2 packet size
skewL3PktSz Skewness layer 3 packet size
skewL4PktSz Skewness layer 4 packet size
skewL7PktSz Skewness layer 7 packet size
kurL2PktSz Kurtosis layer 2 packet size
kurL3PktSz Kurtosis layer 3 packet size
kurL4PktSz Kurtosis layer 4 packet size
kurL7PktSz Kurtosis layer 7 packet size
minIAT Minimum inter-arrival time (IAT)
maxIAT Maximum inter-arrival time (IAT)
avgIAT Average inter-arrival time (IAT)
stdIAT Standard deviation inter-arrival time (IAT)
varIAT Variance inter-arrival time (IAT)
skewIAT Skewness inter-arrival time (IAT)
kurIAT Kurtosis inter-arrival time (IAT)
pktps Sent packets per second
bytps Sent bytes per second
pktAsm Packet stream asymmetry
bytAsm Byte stream asymmetry

Packet output

Name Description
pktLen Packet size on the wire
udpLen Length in UDP/UDP-Lite header
l7Len Layer 7 length
pktLenMod Modulo factor of packet length
padLen Number of padding bytes

bayesClassifier

Classification using Naive Bayes

Flow output

Name Description
bayesClass Naive Bayes class name

bgpDecode

BGP: Border Gateway Protocol

Flow output

Name Description
bgpStat BGP status
bgpAFlgs BGP anomaly flags
bgpMsgT BGP message types
bgpNOpen_Upd_Notif_KeepAl_RteRefr BGP number of messages: OPEN, UPDATE, NOTIFICATION, KEEPALIVE and ROUTE-REFRESH
bgpVersion BGP version
bgpSrcAS_dstAS BGP source and destination Autonomous System (AS)
bgpSrcId_dstId BGP source and destination ID
bgpHTime BGP hold time (sec)
bgpCaps BGP capabilities
bgpPAttr BGP path attributes
bgpNAdver BGP total number of advertised routes
bgpNWdrwn BGP total number of withdrawn routes
bgpMaxAdver BGP maximum number of advertised routes per record
bgpAvgAdver BGP average number of advertised routes per record
bgpMaxWdrwn BGP maximum number of withdrawn routes per record
bgpAvgWdrwn BGP average number of withdrawn routes per record
bgpAdvPref BGP advertised prefixes
bgpWdrnPref BGP withdrawn prefixes
bgpNIGP_EGP_INC BGP number of routes from origin IGP, EGP, INCOMPLETE
bgpMinASPLen BGP minimum AS path length
bgpMaxASPLen BGP maximum AS path length
bgpAvgASPLen BGP average AS path length
bgpMaxNPrepAS BGP maximum number of prepended AS
bgpMinIatUp BGP minimum inter-arrival time for update messages
bgpMaxIatUp BGP maximum inter-arrival time for update messages
bgpAvgIatUp BGP average inter-arrival time for update messages
bgpMinIatKA BGP minimum inter-arrival time for keep-alive messages
bgpMaxIatKA BGP maximum inter-arrival time for keep-alive messages
bgpAvgIatKA BGP average inter-arrival time for keep-alive messages
bgpNotifCode_Subcode BGP notification (fatal error) code and subcode

bgp_anom.txt file

Name Description
Anomaly Anomaly
flowInd Flow index
pktNo Packet number
RecNum Record number
ASorNet AS number or network
RepsOrMask Number of repetitions or mask
NewMask New mask

bgp_moas.txt file

Name Description
Network Network
Mask Mask
OldOrigAS Old originator AS number
NewOrigAS New originator AS number
flowInd Flow index
pktNo Packet number
RecNum Record number

bgp.txt file

Name Description
NLRI Network Layer Reachability Information (NLRI)
AS AS number
NextHop Next hop
MED Multi Exit Discriminator (MED)
LocPref Local prefix
Origin Origin
OriginatorID Originator ID
OriginAS Origin AS
UpstreamAS Upstream AS
DestAS Destination AS
Aggregator Aggregator
ASPath AS path
ASPathLen AS path length
MaxNPrepAS Maximum number of prepended AS
ClusterList Cluster list
ClusterListLen Cluster list length
Communities Communities
WithdrawnRoutes Withdrawn routes
flowInd Flow index
pktNo Packet number
recNum Record number
time Timestamp

bitForensic

Search packets for specific bit patterns

Flow output

Name Description
bfStat bitForensic Status
bfPDPos Pattern detect position

Packet output

Name Description
bfStat bitForensic Status
bfPDPos Pattern detect position

cdpDecode

CDP: Cisco Discovery Protocol

Flow output

Name Description
cdpStat CDP status
cdpVer CDP version
cdpTTL CDP Time To Live (sec)
cdpTLVTypes CDP TLV types
cdpDevice CDP device ID
cdpPlatform CDP platform
cdpSWVersion CDP Software Version
cdpPortID CDP port ID
cdpCaps CDP capabilities
cdpDuplex CDP duplex
cdpNVLAN CDP native VLAN
cdpVoipVLAN CDP VoIP VLAN
cdpVTPMngmtDmn CDP VTP management domain
cdpMAddrs CDP management addresses
cdpAddrs CDP addresses
cdpIPPref_cdr CDP IP prefix, CIDR

Packet output

Name Description
cdpStat CDP status
cdpVer CDP version
cdpTTL CDP Time To Live (sec)
cdpTLVTypes CDP TLV types
cdpDevice CDP device ID
cdpPlatform CDP platform
cdpPortID CDP port ID
cdpCaps CDP capabilities
cdpDuplex CDP duplex
cdpNVLAN CDP native VLAN
cdpVoipVLAN CDP VoIP VLAN
cdpVTPMngmtDmn CDP VTP management domain
cdpMAddrs CDP management addresses
cdpAddrs CDP addresses

connStat

Connection statistics

Flow output

Name Description
connSip Number of unique source IPs
connDip Number of unique destination IPs
connSipDip Number of connections between source and destination IP
connSipDprt Number of connections between source IP and destination port
connMacSpf Number of MAC addresses per source IP
connF The ‘f’ number: connSipDprt / connSip [EXPERIMENTAL]
connG The ‘g’ number: connSipDprt / connSipDip [EXPERIMENTAL]
connNumPCnt Number of unique IP’s source packet count
connNumBCnt Number of unique IP’s source byte count

covertChannels

Covert channel detection

Flow output

Name Description
covertChannels Detected covert channels

descriptiveStats

Descriptive statistics

Flow output

Name Description
dsMinPl Minimum packet length
dsMaxPl Maximum packet length
dsMeanPl Mean packet length
dsLowQuartilePl Lower quartile of packet lengths
dsMedianPl Median of packet lengths
dsUppQuartilePl Upper quartile of packet lengths
dsIqdPl Inter quartile distance of packet lengths
dsModePl Mode of packet lengths
dsRangePl Range of packet lengths
dsStdPl Standard deviation of packet lengths
dsRobStdPl Robust standard deviation of packet lengths
dsSkewPl Skewness of packet lengths
dsExcPl Excess of packet lengths
dsMinIat Minimum inter arrival time
dsMaxIat Maximum inter arrival time
dsMeanIat Mean inter arrival time
dsLowQuartileIat Lower quartile of inter arrival times
dsMedianIat Median inter arrival times
dsUppQuartileIat Upper quartile of inter arrival times
dsIqdIat Inter quartile distance of inter arrival times
dsModeIat Mode of inter arrival times
dsRangeIat Range of inter arrival times
dsStdIat Standard deviation of inter arrival times
dsRobStdIat Robust standard deviation of inter arrival times
dsSkewIat Skewness of inter arrival times
dsExcIat Excess of inter arrival times

dfft

Discrete Fast Fourier Transform

Flow output

Name Description
dfftStat DFFT status

dhcpDecode

DHCP: Dynamic Host Configuration Protocol

Flow output

Name Description
dhcpStat DHCP status
dhcpMTypeBF DHCP message type bitfield
dhcpMType DHCP message types
dhcpMTypeNms DHCP message type names
dhcpHWType DHCP hardware type
dhcpCHWAdd_HWCnt DHCP client hardware addresses and count
dhcpCHWAdd DHCP client hardware addresses
dhcpNetmask DHCP network mask
dhcpGWIP DHCP gateway IP
dhcpDnsIP DHCP DNS
dhcpHopCnt DHCP hop count
dhcpSrvName DHCP server host name
dhcpBootFile DHCP boot file name
dhcpOptCnt DHCP option count
dhcpOptBF1_BF2_BF3 DHCP options bitfield
dhcpOpts DHCP options
dhcpOptNms DHCP option names
dhcpHosts_HCnt DHCP hosts and count
dhcpHosts DHCP hosts
dhcpDomains_DCnt DHCP domains and count
dhcpDomains DHCP domains
dhcpMaxSecEl DHCP maximum seconds elapsed
dhcpLeaseT DHCP lease time (seconds)
dhcpRenewT DHCP renewal time (seconds)
dhcpRebindT DHCP rebind time (seconds)
dhcpReqIP DHCP requested IP
dhcpCliIP DHCP client IP
dhcpYourIP DHCP your (client) IP
dhcpNextServer DHCP next server IP
dhcpRelay DHCP relay agent IP
dhcpSrvId DHCP server identifier
dhcpMsg DHCP message
dhcpLFlow DHCP linked flow
dhcpSrcMac DHCP source MAC address
dhcpDstMac DHCP destination MAC address

Packet output

Name Description
dhcpStat DHCP status
dhcpMTypeBF DHCP message type bitfield
dhcpMType DHCP message types
dhcpMTypeNms DHCP message type names
dhcpHops DHCP number of hops
dhcpHWType DHCP hardware type
dhcpTransID DHCP transaction identifier
dhcpOptBF1_BF2_BF3 DHCP options bitfield
dhcpOpts DHCP options
dhcpOptNms DHCP option names
dhcpLFlow DHCP linked flow

dnsDecode

DNS: Domain Name System

Flow output

Name Description
dnsStat DNS status, warnings and errors
dnsHdrOPField DNS last header field
dnsHFlg_OpC_RetC DNS aggregated header flags, operational and return code
dnsHFlg DNS aggregated header flags
dnsOpC DNS operational code
dnsRetC DNS return code
dnsOpN DNS operational string
dnsRetN DNS return string
dnsCntQu_Asw_Aux_Add DNS number of question, answer, auxiliary and additional records
dnsAAAqF DNS DDOS AAA / query factor
dnsTypeBF3_BF2_BF1_BF0 DNS type bitfields
dnsQname DNS query name
dnsMalCnt DNS domain malware count
dnsMalType DNS domain malware type
dnsMalCode DNS domain malware code
dnsAname DNS answer name record
dnsAPname DNS name CNAME entries
dns4Aaddress DNS address entries IPv4
dns4CC_Org DNS IPv4 country and organization
dns6Aaddress DNS address entries IPv6
dns6CC_Org DNS IPv6 country and organization
dnsIPMalCode DNS IP malware code
dnsQTypeN DNS query record type names
dnsQType DNS query record type entries
dnsQClass DNS query record class entries
dnsATypeN DNS answer record type names
dnsAType DNS answer record type entries
dnsAClass DNS answer record class entries
dnsATTL DNS answer record TTL entries
dnsMXpref DNS MX record preference entries
dnsSRVprio DNS SRV record priority entries
dnsSRVwgt DNS SRV record weight entries
dnsSRVprt DNS SRV record port entries
dnsOptStat DNS option status

Packet output

Name Description
dnsIPs DNS IP addresses (A or AAAA records)
dnsIPs_cntry_org DNS IP addresses, countries and organizations (A or AAAA records)
dnsStat DNS status, warnings and errors
dnsHdr DNS header field of packet
dnsHFlg_OpC_RetC DNS aggregated header flags, operational and return code
dnsHFlg_OpN_RetN DNS aggregated header flags, operational and return strings
dnsCntQu_Asw_Aux_Add DNS number of question, answer, auxiliary and additional records

entropy

Entropy

Flow output

Name Description
PyldEntropy Payload entropy
PyldChRatio Payload character ratio
PyldBinRatio Payload binary ratio
NumBin0 Number of 0 count bins
Corr Entropy correction
PyldLen Payload length
PyldHisto Payload histogram

fnameLabel

Classification based on filename

Flow output

Name Description
fnLabel FNL_IDX letter of filename
fnHash Hash of filename
fnName Filename

Packet output

Name Description
fnLabel FNL_IDX letter of filename
fnHash Hash of filename
fnName Filename

ftpDecode

FTP: File Transfer Protocol

Flow output

Name Description
ftpStat FTP status
ftpCDFindex FTP command/data findex link
ftpCBF FTP command bitfield
ftpCC FTP command codes
ftpRC FTP response codes
ftpNumUser FTP number of users
ftpUser FTP users
ftpNumPass FTP number of passwords
ftpPass FTP passwords
ftpNumCP FTP number of command parameters
ftpCP FTP command parameters
ftpPLen FTP passive file length

Packet output

Name Description
ftpStat FTP status

geoip

Classification based on IP address location

Flow output

Name Description
srcIpContinent IP source continent
srcIpCountry IP source country
srcIpRegion IP source region
srcIpCity IP source city
srcIpPostcode IP source postcode
srcIpAccuracy IP source accuracy
srcIpLat IP source latitude
srcIpLong IP source longitude
srcIpMetroCode IP source metro (dma) code
srcIpAreaCode IP source area code
srcIpNetmask IP source netmask
srcIpTimeZone IP source time zone
srcIpOrg IP source organization
srcIpISP IP source ISP
srcIpASN IP source AS number
srcIpASName IP source AS name
srcIpConnT IP source connection type
srcIpUsrT IP source user type
dstIpContinent IP destination continent
dstIpCountry IP destination country
dstIpRegion IP destination region
dstIpCity IP destination city
dstIpPostcode IP destination postcode
dstIpAccuracy IP destination accuracy
dstIpLat IP destination latitude
dstIpLong IP destination longitude
dstIpMetroCode IP destination metro (dma) code
dstIpAreaCode IP destination area code
dstIpNetmask IP destination netmask
dstIpTimeZone IP destination time zone
dstIpOrg IP destination organization
dstIpISP IP destination ISP
dstIpASN IP destination AS number
dstIpASName IP destination AS name
dstIpConnT IP destination connection type
dstIpUsrT IP destination user type
geoStat GeoIP status

gquicDecode

GQUIC: Google Quick UDP Internet Connections

Flow output

Name Description
gquicStat GQUIC status
gquicPubFlags GQUIC Public Flags
gquicFrameTypes GQUIC Frame Types
gquicCID GQUIC Connection ID
gquicSNI GQUIC Server Name Indication (SNI)
gquicUAID GQUIC Client’s User Agent ID (UAID)

Packet output

Name Description
gquicPubFlags GQUIC Public Flags
gquicCID GQUIC Connection ID
gquicVersion GQUIC version
gquicPktNo GQUIC packet number

gsmDecode

GSM: Global System for Mobile Communications

Flow output

Name Description
gsmStat GSM status
gsmLapdSAPI GSM LAPD Service Access Point Identifier (SAPI)
gsmLapdTEI GSM LAPD Terminal Endpoint Identifier (TEI)
gsmRslTN GSM RSL Timeslot Numbers
gsmAMRDuration GSM Duration of AMR conversation (seconds)
gsmNumAMRGood_bad GSM Number of AMR good/bad frames

Packet output

Name Description
gsmStat GSM status
gsmLapdSAPI GSM LAPD Service Access Point Identifier (SAPI)
gsmLapdTEI GSM LAPD Terminal Endpoint Identifier (TEI)
gsmRslMsgType GSM RSL Message type
gsmRslTN GSM RSL Timeslot Number
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
gsmDtapTN GSM A-I/F DTAP Timeslot Number
gsmDtapChannel GSM A-I/F DTAP Channel
gsmHandoverRef Handover reference
gsmLAIMCC LAI: Mobile Country Code (MCC)
gsmLAIMCCCountry LAI: Mobile Country Code (MCC) country
gsmLAIMNC LAI: Mobile Network Code (MNC)
gsmLAIMNCOperator LAI: Mobile Network Code (MNC) operator
gsmLAILAC LAI: Location Area Code (LAC)
gsmEncryption Encryption algorithm
gsmContent Content (voice or signalling)
gsmAMRCMR AMR codec mode request (CMR)
gsmAMRFrameType AMR frame type
gsmAMRFrameQ AMR frame quality

gsm_arfcn.txt file

Name Description
pktNo Packet number
flowInd Flow index
time Timestamp
vlanID VLAN IDs
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
gsmRslTN GSM RSL Timeslot Numbers (TN)
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
gsmDtapTN GSM A-I/F DTAP Timeslot Number (TN)
gsmDtapChannel GSM A-I/F DTAP Channel
gsmARFCN GSM Absolute Radio-Frequency Channel Number (ARFCN)
gsmBand GSM Band
gsmUpFreqMHz GSM Uplink Frequency (MHz)
gsmDownFreqMHz GSM Downlink Frequency (MHz)

gsm_calls.txt file

Name Description
pktNo Packet number
flowInd Flow index
time Timestamp
vlanID VLAN IDs
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
gsmMsgType GSM message type
gsmCause GSM cause
gsmRslTN GSM RSL Timeslot Numbers
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
gsmCaller GSM caller
gsmCallerCountry GSM caller country
gsmCallee GSM callee
gsmCalleeCountry GSM callee country

gsm_channels.txt file

Name Description
pktNo Packet number
flowInd Flow index
time Timestamp
vlanID VLAN IDs
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
gsmMsgType GSM message type
gsmCause GSM cause
gsmRslTN GSM RSL Timeslot Numbers
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
gsmChannelType GSM channel type
gsmHandoverRef Handover reference
gsmFrameNumberT1 GSM Frame Number (T1)
gsmFrameNumberT2 GSM Frame Number (T2)
gsmFrameNumberT3 GSM Frame Number (T3)
gsmFrameNumber GSM Frame Number
gsmChannelInfo GSM Channel Info

gsm_imm_ass.txt file

Name Description
pktNo Packet number
flowInd Flow index
time Timestamp
vlanID VLAN IDs
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
gsmMsgType GSM message type
gsmCause GSM cause
gsmRslTN GSM RSL Timeslot Numbers
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
gsmDtapTN GSM A-I/F DTAP Timeslot Number
gsmDtapChannel GSM A-I/F DTAP Channel
gsmTSC GSM Training Sequence Code (TSC)
gsmHoppingChannel GSM hopping channel
gsmARFCN GSM Absolute Radio-Frequency Channel Number (ARFCN)
gsmBand GSM Band
gsmUpFreqMHz GSM Uplink Frequency (MHz)
gsmDownFreqMHz GSM Downlink Frequency (MHz)
gsmMAIO GSM Mobile Allocation Index Offset (MAIO)
gsmHoppingSeqNum GSM hopping sequence number
gsmRandomAccessInfo GSM random access info
gsmRequestRefT1 GSM request reference (T1)
gsmRequestRefT2 GSM request reference (T2)
gsmRequestRefT3 GSM request reference (T3)
gsmRequestRefRFN GSM request reference (RFN)
gsmTimingAdvance GSM timing advance
gsmDistanceFromBTS GSM distance from Base Transceiver Station (BTS)
gsmChannelMode GSM channel mode
gsmMultiRateConfig GSM Adaptive Multi-Rate (AMR) configuration

gsm_imsi.txt file

Name Description
pktNo Packet number
flowInd Flow index
time Timestamp
vlanID VLAN IDs
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
gsmRslTN GSM RSL Timeslot Numbers
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
gsmMobileIdentityType GSM Mobile Identity Type
gsmIMSI GSM International Mobile Subscriber Identity (IMSI)
gsmIMEITACManuf GSM International Mobile Equipment Identity (IMEI) Type Allocation Code (TAC) manufacturer
gsmIMEITACModel GSM International Mobile Equipment Identity (IMEI) Type Allocation Code (TAC) model
gsmIMSIMCC GSM International Mobile Subscriber Identity (IMSI) Mobile Country Code (MCC)
gsmIMSIMCCCountry GSM International Mobile Subscriber Identity (IMSI) Mobile Country Code (MCC) country
gsmIMSIMNC GSM International Mobile Subscriber Identity (IMSI) Mobile Network Code (MNC)
gsmIMSIMNCOperator GSM International Mobile Subscriber Identity (IMSI) Mobile Network Code (MNC) operator
gsmLAIMCC LAI: Mobile Country Code (MCC)
gsmLAIMCCCountry LAI: Mobile Country Code (MCC) country
gsmLAIMNC LAI: Mobile Network Code (MNC)
gsmLAIMNCOperator LAI: Mobile Network Code (MNC) operator
gsmLAILAC LAI: Location Area Code (LAC)

gsm_operators.txt file

Name Description
pktNo Packet number
flowInd Flow index
time Timestamp
vlanID VLAN IDs
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
gsmRslTN GSM RSL Timeslot Numbers
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
gsmFullNetworkName GSM full network name
gsmShortNetworkName GSM short network name
gsmTimeZone GSM time zone
gsmTimeAndTimeZone GSM time and time zone

gsm_sms.txt file

Name Description
pktNo Packet number
flowInd Flow index
time Timestamp
vlanID VLAN IDs
lapdTEI LAPD Terminal Endpoint Identifier (TEI)
direction Direction: MS->SC (Mobile Station to Service Centre) or SC->MS (Service Centre to Mobile Station)
gsmRslTN GSM RSL Timeslot Numbers
gsmRslSubCh GSM RSL Subchannel Number
gsmRslChannel GSM RSL Channel
smsMsgType GSM SMS message type
serviceCenterTimeStamp GSM Service Center Timestamp
rpOriginatorAddr GSM RP Originator address
rpOriginatorAddrCountry GSM RP Originator address country
rpDestinationAddr GSM RP Destination address
rpDestinationAddrCountry GSM RP Destination address country
tpOriginatingAddr GSM TP Originating address
tpOriginatingAddrCountry GSM TP Originating address country
tpDestinationAddr GSM TP Destination address
tpDestinationAddrCountry GSM TP Destination address country
tpRecipientAddr GSM TP Recipient address
tpRecipientAddrCountry GSM TP Recipient address country
smsMsgRef GSM SMS message reference
smsMsgId GSM SMS message ID
smsMsgPart GSM SMS message part
smsMsg GSM SMS message

gtpDecode

GTP: GPRS Tunneling Protocol

Flow output

Name Description
gtpStat GTP status

Packet output

Name Description
gtpFlags GTP flags
gtpMsgT GTP message type
gtpLen GTP length
gtpTEID GTP tunnel identifier (TEID)
gtpSeqNum GTP sequence number
gtpIMSI GTP International Mobile Subscriber Identity (IMSI)

httpSniffer

HTTP: HyperText Transfer Protocol

Flow output

Name Description
httpStat HTTP status
httpAFlags HTTP anomaly flags
httpMethods HTTP methods in flow
httpHeadMimes HTTP HEADMIME-TYPES in flow
httpCFlags HTTP content info in flow
httpGet_Post HTTP number of GET and POST requests
httpRSCnt HTTP response status count
httpRSCode HTTP response status code
httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim HTTP number of URLs, Via, Location, Server, Powered By, User-Agent, X-Forwarded-For, Referer, Cookie and Mime-Type
httpImg_Vid_Aud_Msg_Txt_App_Unk HTTP number of images, videos, audios, messages, texts, applications and unknown
httpHosts HTTP Host names
httpURL HTTP URLs
httpMimes HTTP MIME-types
httpCookies HTTP cookies
httpImages HTTP images
httpVideos HTTP videos
httpAudios HTTP audios
httpMsgs HTTP messages
httpAppl HTTP applications
httpText HTTP texts
httpPunk HTTP payload unknown
httpBdyURL HTTP body: Refresh, Set-Cookie URL
httpUsrAg HTTP User-Agent
httpXFor HTTP X-Forwarded-For
httpRefrr HTTP Referer
httpVia HTTP Via (Proxy)
httpLoc HTTP Location (Redirection)
httpServ HTTP Server
httpPwr HTTP Powered By
httpAvastCid HTTP Avast Client ID
httpEsetUid HTTP ESET Update ID

Packet output

Name Description
httpStat HTTP status
httpAFlags HTTP anomaly flags
httpMethods HTTP methods in flow
httpHeadMimes HTTP HEADMIME-TYPES in flow
httpCFlags HTTP content info in flow

icmpDecode

ICMP: Internet Control Message Protocol

Flow output

Name Description
icmpStat ICMP status
icmpTCcnt ICMP type code count
icmpType_Code ICMP type and code fields
icmpBFTypH_TypL_Code ICMP Aggregated type H (IPv6>128, IPv4>31), L (<32) and code bitfields
icmpTmGtw ICMP time/gateway
icmpEchoSuccRatio ICMP Echo reply/request success ratio
icmpPFindex ICMP parent flow index

Packet output

Name Description
icmpStat ICMP status
icmpType ICMP message type
icmpCode ICMP message code
icmpID ICMP identifier
icmpSeq ICMP sequence number
icmpPFindex ICMP parent flow index

igmpDecode

IGMP: Internet Group Management Protocol

Flow output

Name Description
igmpStat IGMP status
igmpVersion IGMP version
igmpAType IGMP aggregated type
igmpMCastAddr IGMP multicast address
igmpNRec IGMP number of records

ircDecode

IRC: Internet Relay Chat

Flow output

Name Description
ircStat IRC status
ircCBF IRC commands
ircCC IRC command codes
ircRC IRC response codes
ircNumUser IRC number of users
ircUser IRC users
ircNumPass IRC number of passwords
ircPass IRC passwords
ircNumNick IRC number of nicknames
ircNick IRC nicknames
ircNumC IRC number of parameters
ircC IRC content

ldapDecode

LDAP: Lightweight Directory Access Protocol

Flow output

Name Description
ldapStat LDAP status
ldapCodeNm LDAP code names
ldapCodes LDAP codes
ldapOPF LDAP operations as flags
ldapSrchNm LDAP search names

Packet output

Name Description
ldapStat LDAP status
ldapVer LDAP version
ldapCodeNm LDAP code names
ldapCodes LDAP codes
ldapOPF LDAP operations as flags

lldpDecode

LLDP: Link Layer Discovery Protocol

Flow output

Name Description
lldpStat LLDP status
lldpTTL LLDP Time To Live (sec)
lldpTLVTypes LLDP TLV types
lldpChassis LLDP chassis ID
lldpPort LLDP port ID
lldpPortDesc LLDP port description
lldpSysName LLDP system name
lldpSysDesc LLDP system description
lldpCaps_enCaps LLDP supported and enabled capabilities
lldpMngmtAddr LLDP management address

Packet output

Name Description
lldpStat LLDP status
lldpTTL LLDP Time To Live (sec)
lldpTLVTypes LLDP TLV types
lldpChassis LLDP chassis ID
lldpPort LLDP port ID
lldpPortDesc LLDP port description
lldpSysName LLDP system name
lldpCaps_enCaps LLDP supported and enabled capabilities
lldpMngmtAddr LLDP management address

macRecorder

MAC addresses and manufacturers

Flow output

Name Description
macStat macRecorder status
macPairs Number of distinct source/destination MAC address pairs
srcMac_dstMac_numP Source/destination MAC address, number of packets of MAC address combination
srcMacLbl_dstMacLbl Source/destination MAC label

Packet output

Name Description
srcMacLbl Source MAC label
dstMacLbl Destination MAC label

mndpDecode

MNDP: MikroTik Neighbor Discovery Protocol

Flow output

Name Description
mndpStat MNDP status
mndpMAC MNDP MAC-Address
mndpIdentity MNDP Identity
mndpVersion MNDP Version
mndpPlatform MNDP Platform
mndpSoftwareID MNDP Software-ID
mndpBoard MNDP Board
mndpUnpack MNDP Unpack
mndpIface MNDP Interface name
mndpIPv4 MNDP IPv4-Address
mndpIPv6 MNDP IPv6-Address

Packet output

Name Description
mndpStat MNDP status
mndpSeqNo MNDP Sequence Number
mndpMAC MNDP MAC-Address
mndpIdentity MNDP Identity
mndpVersion MNDP Version
mndpPlatform MNDP Platform
mndpUptime MNDP Uptime
mndpSoftwareID MNDP Software-ID
mndpBoard MNDP Board
mndpUnpack MNDP Unpack
mndpIface MNDP Interface name
mndpIPv4 MNDP IPv4-Address
mndpIPv6 MNDP IPv6-Address

modbus

Modbus

Flow output

Name Description
modbusStat Modbus status
modbusUID Modbus unit identifier
modbusNPkts Modbus number of packets
modbusNumEx Modbus number of exceptions
modbusFCBF Modbus aggregated function codes
modbusFC Modbus list of function codes
modbusFExBF Modbus aggregated function codes which caused exceptions
modbusFEx Modbus list of function codes which caused exceptions
modbusExCBF Modbus aggregated exception codes
modbusExC Modbus list of exception codes

Packet output

Name Description
mbTranId Modbus transaction identifier
mbProtId Modbus protocol identifier
mbLen Modbus length
mbUnitId Modbus unit identifier
mbFuncCode Modbus function code

mqttDecode

MQTT: MQ Telemetry Transport Protocol

Flow output

Name Description
mqttStat MQTT status
mqttCPT MQTT control packet types
mqttProto MQTT protocol name
mqttProtoLevel MQTT protocol level
mqttClientID MQTT client ID
mqttConAck MQTT connection status
mqttTopic MQTT topic

Packet output

Name Description
mqttStat MQTT status

mqtt_msg.txt file

Name Description
pktNo Packet number
flowInd Flow index
mqttTopic MQTT topic
mqttMsg MQTT message

nDPI

Classification based on content analysis

Flow output

Name Description
nDPIMstrProto nDPI numerical master protocol
nDPISubProto nDPI numerical sub protocol
nDPIclass nDPI based protocol classification

Packet output

Name Description
nDPIMstrProto nDPI numerical master protocol
nDPISubProto nDPI numerical sub protocol
nDPIclass nDPI based protocol classification

nFrstPkts

Statistics over the first N packets

Flow output

Name Description
nFpCnt Number of signal samples
HD3l_HD4l_L2L3L4Pl_Iat_nP L3 and L4 header length, L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length, IAT and pulse for the N first packets
HD3l_HD4l_L2L3L4Pl_Iat L3 and L4 header length, L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length and IAT for the N first packets
L2L3L4Pl_Iat_nP L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length, IAT and pulse for the N first packets
L2L3L4Pl_Iat L2/L3/L4/Payload (s. PACKETLENGTH in packetCapture.h) length and IAT for the N first packets

ntlmsspDecode

NTLMSSP: NT LAN Manager (NTLM) Security Support Provider

Flow output

Name Description
ntlmsspStat NTLMSSP status
ntlmsspTarget NTLMSSP target name
ntlmsspDomain NTLMSSP domain name
ntlmsspUser NTLMSSP username
ntlmsspHost NTLMSSP host/workstation
ntlmsspNegotiateFlags NTLMSSP Negotiate Flags
ntlmsspSessKey NTLMSSP session key
ntlmsspNTProofStr NTLMSSP NT proof string
ntlmsspServChallenge NTLMSSP server challenge
ntlmsspCliChallenge NTLMSSP client challenge
ntlmsspVersion NTLMSSP version
ntlmsspVersionMajor_Minor_Build_Rev NTLMSSP version (Major Version, Minor Version, Build Number and NTLM Current Revision)
ntlmsspNbComputer NTLMSSP NetBIOS computer name
ntlmsspNbDomain NTLMSSP NetBIOS domain name
ntlmsspDnsComputer NTLMSSP DNS computer name
ntlmsspDnsDomain NTLMSSP DNS domain name
ntlmsspDnsTree NTLMSSP DNS tree name
ntlmsspAttrTarget NTLMSSP Attribute Target Name
ntlmsspTimestamp NTLMSSP timestamp

ntpDecode

NTP: Network Time Protocol

Flow output

Name Description
ntpStat NTP status, warnings and errors
ntpLiVM NTP leap indicator, version number and mode
ntpLi_V_M NTP leap indicator, version number and mode
ntpStrat NTP stratum
ntpRefClkId NTP root reference clock ID (stratum >= 2)
ntpRefStrId NTP root reference string (stratum <= 1)
ntpPollInt NTP poll interval
ntpPrec NTP precision
ntpRtDelMin NTP root delay minimum
ntpRtDelMax NTP root delay maximum
ntpRtDispMin NTP root dispersion minimum
ntpRtDispMax NTP root dispersion maximum
ntpRefTS NTP reference timestamp
ntpOrigTS NTP originate timestamp
ntpRecTS NTP receive timestamp
ntpTranTS NTP transmit timestamp

ospfDecode

OSPF: Open Shortest Path First

Flow output

Name Description
ospfStat OSPF status
ospfVersion OSPF version
ospfType OSPF message type
ospfLSType OSPF Update LS type
ospfAuType OSPF authentication type
ospfAuPass OSPF authentication password
ospfArea OSPF Area ID
ospfSrcRtr OSPF Hello source router
ospfBkupRtr OSPF Hello backup router
ospfNeighbors OSPF Hello neighbor routers

Packet output

Name Description
ospfStat OSPF status
ospfVersion OSPF version
ospfArea OSPF Area ID
ospfType OSPF message type
ospfLSType OSPF Update LS type

ospf2Msg.txt file

Name Description
pktNo Packet number
Ver OSPF version
Area Area ID
MsgType Message type
LSType LS Type
srcIP Source IP
LSLinkID LS Link ID
NetmaskOrRouterIP Netmask or Router IP
ADVRouter Advertising router
LSAOpt LSA options
LnkType Link type
Metric Metric
IfaceType Interface type
LSFlgs LS flags
AttchRtrs Attached routers
FwdIP Forwarding IP
ExtRtTag External Route Tag

ospf3Msg.txt file

Name Description
pktNo Packet number
Ver OSPF version
Area Area ID
MsgType Message type
LSType LS Type
srcIP Source IP
dstIP Destination IP
LSAAdvRtr LSA Advertising router
LSAOpts LSA options
LSLinkID LS Link ID
IntID Interface ID
NeighIntID Neighbor Interface ID
RefAdvRtrOrAttchRtrs Reference advertising router or Attached routers
Type Type
PrefOpts Preference options
Metric Metric
RefLSA Reference LSA
RefPrefix Reference prefix
LnkLclIPOrFwdIP Link-local interface address or Forwarding IP
ExtRtTag External Route Tag

ospfDBD.txt file

Name Description
pktNo Packet number
Ver OSPF version
AreaID Area ID
RtrID Router ID
LSLinkID LS Link ID
ADVRouter Advertising Router
Dna Do Not Age
Age Age
SeqNum Sequence number
Checksum Checksum
MTU MTU
Flags Flags
LSType LS Type
tlvType TLV Type
tlvValOpt TLV options

ospfHello.txt file

Name Description
pktNo Packet number
Ver OSPF version
AreaID Area ID
SrcOSPRtr Source router
srcIP Source IP
Netmask Network mask
Network Network
IntID Interface ID
RtrPrio Router priority
Opt Options
HelloInt Hello interval
RtrDInt Router dead interval
DRtr Destination router
BkupRtr Backup router
NumNeigh Number of neighbors
Neighbors Neighbors

p0f

OS classification based on content analysis (SSL/TLS)

Flow output

Name Description
p0fSSLRule p0f SSL fingerprint rule number
p0fSSLOS p0f SSL OS fingerprint
p0fSSLOS2 p0f SSL OS fingerprint (2)
p0fSSLBrowser p0f SSL browser fingerprint
p0fSSLComment p0f SSL fingerprint comment

payloadDumper

Dump the payload of TCP/UDP flows to files (similar to tcpflow)

Flow output

Name Description
pldStat payloadDumper status

Packet output

Name Description
pldStat payloadDumper status

pktSIATHisto

Histograms of packet size and inter-arrival times

Flow output

Name Description
tCnt Number of tree entries
Ps_IatBin_Cnt_PsCnt_IatCnt Packet size (PS) and inter-arrival time (IAT) of bin histogram
Ps_Iat_Cnt_PsCnt_IatCnt Packet size (PS) and min inter-arrival time (IAT) of bin histogram

popDecode

POP: Post Office Protocol

Flow output

Name Description
popStat POP status
popCBF POP command codes bitfield
popCC POP command codes
popRM POP response #mail
popUsrNum POP number of users
popUsr POP users
popPwNum POP number of passwords
popPw POP passwords
popCNum POP number of parameters
popC POP content

Packet output

Name Description
popStat POP status

portClassifier

Classification based on port numbers

Flow output

Name Description
dstPortClassN Port based classification of the destination port number
dstPortClass Port based classification of the destination port name

Packet output

Name Description
dstPortClassN Port based classification of the destination port number
dstPortClass Port based classification of the destination port name

pwX

Password extractor

Flow output

Name Description
pwxType Authentication type of the extracted username/password
pwxUser Extracted username
pwxPass Extracted password
pwxStatus Authentication status

quicDecode

QUIC (IETF): Quick UDP Internet Connections

Flow output

Name Description
quicStat QUIC Status
quicVersion QUIC Version
quicFlags QUIC Flags
quicPktTypes QUIC Packet Types
quicDCID QUIC Destination Connection ID
quicSCID QUIC Source Connection ID
quicODCID QUIC Original Destination Connection ID (Retry)

Packet output

Name Description
quicStat QUIC Status
quicFlags QUIC Flags
quicPktType QUIC Packet Type
quicVersion QUIC Version
quicDCID QUIC Destination Connection ID
quicSCID QUIC Source Connection ID
quicODCID QUIC Original Destination Connection ID (Retry)
quicPktNum QUIC Packet Number

radiusDecode

RADIUS: Remote Authentication Dial-In User Service

Flow output

Name Description
radiusStat RADIUS status
radiusAxsReq_Acc_Rej_Chal RADIUS Access-Request/Accept/Reject/Challenge
radiusAccReq_Resp RADIUS Accounting-Request/Response
radiusAccStart_Stop RADIUS Accounting Start/Stop
radiusCodeNms RADIUS code names
radiusCodes RADIUS codes
radiusAVPTypeNms RADIUS Attribute Value Pair Type Names
radiusAVPTypes RADIUS Attribute Value Pair Types
radiusUser RADIUS username
radiusPW RADIUS password
radiusServiceType RADIUS service type
radiusLoginService RADIUS login-service
radiusVendor RADIUS vendor ID (SMI)
radiusNasId RADIUS NAS Identifier
radiusNasIp RADIUS NAS IP address
radiusNasPort RADIUS NAS IP port
radiusNasPortTypeNm RADIUS NAS Port Type Name
radiusNasPortType RADIUS NAS Port Type
radiusNasPortId RADIUS NAS Port ID
radiusFramedIp RADIUS framed IP address
radiusFramedMask RADIUS framed IP netmask
radiusFramedProto RADIUS framed protocol
radiusFramedComp RADIUS framed compression
radiusFramedMtu RADIUS framed MTU
radiusTunnel_Medium RADIUS tunnel type and medium type
radiusTunnelCli RADIUS tunnel client endpoint
radiusTunnelSrv RADIUS tunnel server endpoint
radiusTunnelCliAId RADIUS tunnel client authentication Id
radiusTunnelSrvAId RADIUS tunnel server authentication Id
radiusTunnelPref RADIUS tunnel preference
radiusAcctSessId RADIUS Accounting Session Id
radiusAcctSessTime RADIUS Accounting Session Time (seconds)
radiusAcctStatType RADIUS Accounting Status Type
radiusAcctTerm RADIUS Accounting Terminate Cause
radiusAcctInOct_OutOct RADIUS Accounting Input/Output Octets
radiusAcctInPkt_OutPkt RADIUS Accounting Input/Output Packets
radiusAcctInGw_OutGw RADIUS Accounting Input/Output Gigawords
radiusConnInfo RADIUS user connection info
radiusFilterId RADIUS filter Identifier
radiusCalledId RADIUS Called Station Identifier
radiusCallingId RADIUS Calling Station Identifier
radiusReplyMsg RADIUS reply message

Packet output

Name Description
radiusStat RADIUS status
radiusCodeNm RADIUS code name
radiusCode RADIUS code
radiusAVPTypeNms RADIUS Attribute Value Pair Type Names
radiusAVPTypes RADIUS Attribute Value Pair Types

regexHyperscan

Hyperscan regular expressions

Flow output

Name Description
hsregexes Hyperscan regex matches

regex_pcre

PCRE: Perl Compatible Regular Expressions

Flow output

Name Description
rgxCnt Regex match count
rgxRID_cType_sev_pktN_bPos_time Regex ID, class type, severity, packet number, byte position and time
rgxRID_cType_sev_pktN_bPos Regex ID, class type, severity, packet number and byte position
rgxRID_cType_sev Regex ID, class type and severity

Packet output

Name Description
rgxCnt Regex match count
rgxRID_cType_sev Regex ID, class type and severity

regex_re2

RE2 regular expressions

Flow output

Name Description
re2match re2 regex matches

sctpDecode

SCTP: Stream Control Transmission Protocol

Flow output

Name Description
sctpStat SCTP status
sctpDSNum SCTP data stream number
sctpMaxDSNum SCTP max number of data streams
sctpPID SCTP Payload ID
sctpVTag SCTP verification tag
sctpTypeN SCTP unique types name
sctpType SCTP unique types values
sctpTypeBF SCTP aggregated type bit field
sctpCntD_I_A SCTP DATA, INIT and ABORT count
sctpCFlags SCTP aggregated chunk flags
sctpCCBF SCTP aggregated error cause code bit field
sctpASIP4 SCTP ASCONF IPv4
sctpASIP6 SCTP ASCONF IPv6
sctpIS SCTP inbound streams
sctpOS SCTP outbound streams
sctpIARW SCTP Initial Advertised Receiver Window
sctpIARWMin SCTP Initial Advertised Receiver Window Minimum
sctpIARWMax SCTP Initial Advertised Receiver Window Maximum
sctpARW SCTP Advertised Receiver Window

Packet output

Name Description
sctpVTag SCTP verification tag
sctpChkSum SCTP checksum
sctpCalCRCChkSum SCTP computed CRC checksum
sctpCalADLChkSum SCTP computed ADLER32 checksum
sctpChunkType_sid_flags_cflags_numDPkts_len_pid SCTP chunk type, stream identifier, chunk flags, DATA count, chunk length, payload ID
sctpNChunks SCTP number of chunks
sctpCCBF SCTP aggregated error cause code bit field
sctpARW SCTP Advertised Receiver Window
sctpPID SCTP Payload ID
sctpStat SCTP status
sctpTSN SCTP Transmission Sequence Number (TSN)
sctpTSNAck SCTP Transmission Sequence Number (TSN) Acknowledgement
sctpRelTSN SCTP relative Transmission Sequence Number (TSN)
sctpRelTSNAck SCTP relative Transmission Sequence Number (TSN) Acknowledgement
sctpASIP4 SCTP ASCONF IPv4
sctpASIP6 SCTP ASCONF IPv6

smbDecode

SMB: Server Message Block

Flow output

Name Description
smbStat SMB status
smb1NDialects SMB1 number of requested dialects
smb1Dialects SMB1 requested dialects
smb2NDialects SMB2 number of dialects
smb2Dialects SMB2 dialect revision
smbNHdrStat SMB2 number of unique SMB2 header status values
smbHdrStat SMB2 list of unique header status
smbOpcodes SMB opcodes
smbNOpcodes SMB number of opcodes
smbPrevSessId SMB previous session ID
smbNativeOS SMB native OS
smbNativeLanMan SMB native LAN Manager
smbPrimDom SMB primary domain
smbTargName SMB target name
smbDomName SMB domain name
smbUserName SMB user name
smbHostName SMB host name
smbNTLMServChallenge SMB NTLM server challenge
smbNTProofStr SMB NT proof string
smbSessionKey SMB session key
smbGUID SMB client/server GUID
smbSFlags_secM_caps SMB session flags, security mode and capabilities
smbBootT SMB server start time
smbMaxSizeT_R_W SMB max transaction/read/write size
smbPath SMB full share path name
smbShareT SMB type of share being accessed
smbShareF_caps_acc SMB share flags, capabilities and access mask
smbNFiles SMB number of accessed files
smbFiles SMB accessed files

smtpDecode

SMTP: Simple Mail Transfer Protocol

Flow output

Name Description
smtpStat SMTP status
smtpCBF SMTP command codes bitfield
smtpCC SMTP command codes
smtpRC SMTP response codes
smtpUsr SMTP users
smtpPW SMTP passwords
smtpSANum SMTP number of server addresses
smtpESANum SMTP number of email sender addresses
smtpERANum SMTP number of email receiver addresses
smtpSA SMTP server send addresses
smtpESA SMTP email send addresses
smtpERA SMTP email receive addresses

Packet output

Name Description
smtpStat SMTP status

snmpDecode

SNMP: Simple Network Management Protocol

Flow output

Name Description
snmpStat SNMP status
snmpVersion SNMP version
snmpCommunity SNMP community
snmpUser SNMP username
snmpMsgT SNMP message types bitfield
snmpNumReq_Next_Resp_Set_Trap1_Bulk_Info_Trap2_Rep SNMP number of GetRequest, GetNextRequest, GetResponse, SetRequest, Trapv1, GetBulkRequest, InformRequest, Trapv2, and Report packets

Packet output

Name Description
snmpVersion SNMP version
snmpCommunity SNMP community
snmpUser SNMP username
snmpType SNMP message type

sshDecode

SSH: Secure Shell

Flow output

Name Description
sshStat SSH status
sshVersion SSH version and software
sshHostKeyType SSH host key type
sshFingerprint SSH public key fingerprint
sshCookie SSH cookie
sshKEX SSH chosen KEX algorithm
sshSrvHKeyAlgo SSH chosen server host key algorithm
sshEncCS SSH chosen encryption algorithm client to server
sshEncSC SSH chosen encryption algorithm server to client
sshMacCS SSH chosen MAC algorithm client to server
sshMacSC SSH chosen MAC algorithm server to client
sshCompCS SSH chosen compression algorithm client to server
sshCompSC SSH chosen compression algorithm server to client
sshLangCS SSH chosen language client to server
sshLangSC SSH chosen language server to client
sshKEXList SSH KEX algorithms
sshSrvHKeyAlgoList SSH server host key algorithms
sshEncCSList SSH encryption algorithms client to server
sshEncSCList SSH encryption algorithms server to client
sshMacCSList SSH MAC algorithms client to server
sshMacSCList SSH MAC algorithms server to client
sshCompCSList SSH compression algorithms client to server
sshCompSCList SSH compression algorithms server to client
sshLangCSList SSH languages client to server
sshLangSCList SSH languages server to client
sshHassh SSH HASSH fingerprint
sshHasshDesc SSH HASSH description
sshHasshStr SSH HASSH string

Packet output

Name Description
sshStat SSH status

sslDecode

SSL/TLS (Secure Socket Layer/Transport Layer Security), OpenVPN

Flow output

Name Description
sslStat SSL status
sslProto SSL proto
ovpnType OpenVPN message types
ovpnSessionID OpenVPN session ID
sslFlags SSL flags
sslVersion SSL version
sslNumRecVer SSL number of record versions
sslRecVer SSL record version
sslNumHandVer SSL number of handshake versions
sslHandVer SSL handshake version
sslVuln SSL vulnerabilities
sslAlert SSL alert
sslCipher SSL preferred (Client) / negotiated (Server) cipher
sslNumExt SSL number of extensions
sslExtList SSL list of extensions
sslNumSuppVer SSL number of supported versions
sslSuppVer SSL list of supported versions (client), negotiated version (server)
sslNumSigAlg SSL number of signature algorithms
sslSigAlg SSL list of signature algorithms
sslNumECPt SSL number of EC points
sslECPt SSL list of EC points
sslNumECFormats SSL number of EC point formats
sslECFormats SSL list of EC point formats
sslNumALPN SSL number of protocols (ALPN)
sslALPNList SSL list of protocols (ALPN)
sslNumALPS SSL number of protocols (ALPS)
sslALPSList SSL list of protocols (ALPS)
sslNumNPN SSL number of protocols (NPN)
sslNPNList SSL list of protocols (NPN)
sslNumCipher SSL number of supported ciphers
sslCipherList SSL list of supported ciphers
sslNumCC_A_H_AD_HB SSL number of change_cipher, alert, handshake, application data, heartbeat records
sslSessIdLen SSL Session ID length
sslGMTTime SSL GMT Unix Time
sslServerName SSL server name
sslCertVersion SSL certificate version
sslCertSerial SSL certificate serial number
sslCertMd5FP SSL certificate MD5 fingerprint
sslCertSha1FP SSL certificate SHA1 fingerprint
sslCNotValidBefore_after_lifetime SSL certificate validity period (not valid before/after, lifetime (seconds))
sslCSigAlg SSL certificate signature algorithm
sslCKeyAlg SSL certificate public key algorithm
sslCPKeyType_Size SSL certificate public key type, size (bits)
sslCSubject SSL certificate subject
sslCSubjectCommonName SSL certificate subject common name
sslCSubjectOrgName SSL certificate subject organization name
sslCSubjectOrgUnit SSL certificate subject organizational unit name
sslCSubjectLocality SSL certificate subject locality name
sslCSubjectState SSL certificate subject state or province name
sslCSubjectCountry SSL certificate subject country name
sslCIssuer SSL certificate issuer
sslCIssuerCommonName SSL certificate issuer common name
sslCIssuerOrgName SSL certificate issuer organization name
sslCIssuerOrgUnit SSL certificate issuer organizational unit name
sslCIssuerLocality SSL certificate issuer locality name
sslCIssuerState SSL certificate issuer state or province name
sslCIssuerCountry SSL certificate issuer country name
sslBlistCat SSL blacklisted certificate category
sslJA3Hash SSL JA3 fingerprint
sslJA3Desc SSL JA3 description
sslJA3Str SSL JA3 string
sslJA4 SSL JA4/JA4S fingerprint
sslJA4Desc SSL JA4/JA4S description
sslJA4O SSL JA4_o fingerprint (original order)
sslJA4R SSL JA4_r fingerprint (raw)
sslJA4RO SSL JA4_ro fingerprint (raw, original order)
sslTorFlow SSL Tor flow

stpDecode

STP: Spanning Tree Protocol

Flow output

Name Description
stpStat STP status
stpVer STP protocol version identifier
stpType STP aggregated BPDU types
stpFlags STP aggregated BPDU flags
stpRtCst STP root cost
stpRtPrio STP root priority
stpRtExt STP root extension (VLAN)
stpRtMAC STP root MAC
stpBrdgPrio STP bridge priority
stpBrdgExt STP bridge extension (VLAN)
stpBrdgMAC STP bridge MAC
stpRtBID STP root bridge ID
stpBrdgID STP bridge ID
stpFrwrd STP forward delay

Packet output

Name Description
stpStat STP status
stpProto STP protocol identifier
stpVer STP protocol version identifier
stpType STP BPDU type
stpFlags STP BPDU flags
stpRtCst STP root cost
stpRtBID STP root bridge ID
stpBrdgID STP bridge ID
stpRtPrio STP root priority
stpRtExt STP root extension (VLAN)
stpRtMAC STP root MAC
stpBrdgPrio STP bridge priority
stpBrdgExt STP bridge extension (VLAN)
stpBrdgMAC STP bridge MAC
stpPort STP port identifier
stpMsgAge STP message age
stpMaxAge STP max age
stpHello STP hello time
stpFrwrd STP forward delay
stpPvstOrigVlan STP originating VLAN (PVSTP+)

stunDecode

STUN, TURN, ICE and NAT-PMP

Flow output

Name Description
natStat NAT status
natErr NAT error code
natMCReq_Ind_Succ_Err NAT message class (REQ, INDIC, SUCC RESP, ERR RESP) (STUN)
natAddr_Port NAT mapped address and port (STUN)
natXAddr_Port NAT xor mapped address and port (STUN)
natPeerAddr_Port NAT xor peer address and port (TURN)
natOrigAddr_Port NAT response origin address and port (STUN)
natRelayAddr_Port NAT relayed address and port (TURN)
natDstAddr_Port NAT destination address and port (TURN)
natOtherAddr_Port NAT other address and port (STUN)
natLifetime NAT binding lifetime [seconds] (STUN)
natUser NAT username (STUN)
natPass NAT password (STUN)
natRealm NAT realm (STUN)
natSoftware NAT software (STUN)
natPMPReqEA_MU_MT NAT-PMP number of requests (External Address, Map UDP, Map TCP)
natPMPRespEA_MU_MT NAT-PMP number of responses (External Address, Map UDP, Map TCP)
natPMPSSSOE NAT-PMP seconds since start of epoch

syslogDecode

Syslog

Flow output

Name Description
syslogStat Syslog status
syslogMCnt Syslog message count
syslogSev_Fac_Cnt Syslog number of severity/facility messages

Packet output

Name Description
syslogStat Syslog status
syslogSev Syslog severity
syslogFac Syslog facility

tcpFlags

IP and TCP flags

Flow output

Name Description
tcpFStat tcpFlags status
ipMindIPID IP minimum delta IP ID
ipMaxdIPID IP maximum delta IP ID
ipMinTTL IP minimum TTL
ipMaxTTL IP maximum TTL
ipTTLChg IP TTL change count
ipToSPrec_ecn IP Type of Service: Precedence and ECN
ipToSDscp_ecn IP Type of Service: DSCP and ECN decimal
ipToS IP Type of Service hex
ipFlags IP aggregated flags
ipOptCnt IP options count
ipOptCpCl_Num IP aggregated options, copy-class and number
ip6OptCntHH_D IPv6 Hop-by-Hop destination option counts
ip6OptHH_D IPv6 aggregated Hop-by-Hop destination options
tcpISeqN TCP initial sequence number
tcpPSeqCnt TCP packet seq count
tcpSeqSntBytes TCP sent seq diff bytes
tcpSeqFaultCnt TCP sequence number fault count
tcpPAckCnt TCP packet ACK count
tcpFlwLssAckRcvdBytes TCP flawless ACK received bytes
tcpAckFaultCnt TCP ACK number fault count
tcpBFlgtMx TCP Bytes in Flight MAX
tcpInitWinSz TCP initial effective window size
tcpAvgWinSz TCP average effective window size
tcpMinWinSz TCP minimum effective window size
tcpMaxWinSz TCP maximum effective window size
tcpWinSzDwnCnt TCP effective window size change down count
tcpWinSzUpCnt TCP effective window size change up count
tcpWinSzChgDirCnt TCP effective window size direction change count
tcpWinSzThRt TCP packet count ratio below window size WINMIN threshold
tcpFlags TCP aggregated protocol flags (FINACK, SYNACK, RSTACK, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)
tcpAnomaly TCP aggregated header anomaly flags
tcpCntF_S_R_P_A_U_E_C_FA_SA_RA_N_SF_SFR_RF_X TCP flags counts (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, FIN-ACK, SYN-ACK, RST-ACK, none, SYN-FIN, SYN-FIN-RST, RST-FIN, Xmas (FIN-PSH-URG))
tcpJA4T TCP JA4T/JA4TS fingerprint
tcpOptPktCnt TCP options packet count
tcpOptCnt TCP options count
tcpOptions TCP aggregated options
tcpMSS TCP maximum segment size
tcpWS TCP window scale
tcpMPTBF TCP MPTCP type bitfield
tcpMPF TCP MPTCP flags
tcpMPAID TCP MPTCP address ID
tcpMPDSSF TCP MPTCP DSS flags
tcpTmS TCP time stamp
tcpTmER TCP time echo reply
tcpEcI TCP estimated counter increment
tcpUtm TCP estimated up time
tcpBtm TCP estimated boot time
tcpSSASAATrip TCP trip time (A: SYN, SYN-ACK, B: SYN-ACK, ACK)
tcpRTTAckTripMin TCP ACK trip min
tcpRTTAckTripMax TCP ACK trip max
tcpRTTAckTripAvg TCP ACK trip average
tcpRTTAckTripJitAvg TCP ACK trip jitter average
tcpRTTSseqAA TCP round trip time (A: SYN, SYN-ACK, ACK, B: ACK-ACK)
tcpRTTAckJitAvg TCP ACK round trip average jitter

Packet output

Name Description
ipToSPrec_ecn IP Type of Service: Precedence and ECN
ipToSDscp_ecn IP Type of Service: DSCP and ECN decimal
ipToS IP Type of Service hex
ipID IP ID
ipIDDiff IP ID difference
ipFrag IP fragment
ipTTL IP TTL
ipHdrChkSum IP header checksum
ipCalChkSum IP header computed checksum
l4HdrChkSum Layer 4 header checksum
l4CalChkSum Layer 4 header computed checksum
ipFlags IP flags
ip6HHOptLen IPv6 Hop-by-Hop options length
ip6HHOpts IPv6 Hop-by-Hop options
ip6DOptLen IPv6 Destination options length
ip6DOpts IPv6 Destination options
ipOptLen IPv4 options length
ipOpts IPv4 options
seq Sequence number
ack Acknowledgement number
seqMax Sequence number max
seqDiff Sequence number diff
ackDiff Acknowledgement number diff
seqLen Sequence length
ackLen Acknowledgement length
seqFlowLen Sequence flow length
ackFlowLen Acknowledgement flow length
tcpMLen Aggregated valid bytes transmitted so far
tcpBFlgt Number of bytes in flight (not acknowledged)
tcpFStat TCP aggregated protocol flags + combinations (CWR, ACK, PSH, RST, SYN, FIN, …)
tcpFlags TCP flags
tcpAnomaly TCP aggregated header anomaly flags
tcpWin TCP window size
tcpWS TCP window scale factor
tcpMSS TCP maximum segment size
tcpTmS TCP time stamp
tcpTmER TCP time echo reply
tcpMPTyp MPTCP type
tcpMPF MPTCP flags
tcpMPAID MPTCP address ID
tcpMPdssF MPTCP DSS flags
tcpOptLen TCP options length
tcpOpts TCP options

tcpStates

TCP connection tracker

Flow output

Name Description
tcpStatesAFlags TCP state machine anomalies

Packet output

Name Description
tcpStatesAFlags TCP state machine anomalies

telegram

Telegram

Flow output

Name Description
tgStat telegram status
tgAuthKeyId telegram auth key id

Packet output

Name Description
tgStat telegram status

telnetDecode

Telnet

Flow output

Name Description
telStat Telnet status
telCmdBF Telnet commands
telOptBF Telnet options
telUsr Telnet user
telPW Telnet password
telCCnt Telnet command count
telCmdS Telnet command names
telCmdC Telnet command codes
telOCnt Telnet option count
telOptS Telnet option names
telOptC Telnet option codes

Packet output

Name Description
telStat Telnet status
telCmdS Telnet command name
telOptS Telnet option name
telCmdC Telnet command code
telOptC Telnet option code

tftpDecode

TFTP: Trivial File Transfer Protocol

Flow output

Name Description
tftpStat TFTP status
tftpPFlow TFTP parent flow
tftpOpCBF TFTP opcode bitfield
tftpErrCBF TFTP error Code bitfield
tftpNumOpcode TFTP number of opcodes
tftpOpcode TFTP opcodes
tftpNumParam TFTP number of parameters
tftpParam TFTP parameters
tftpNumErr TFTP number of errors
tftpErrC TFTP error codes

Packet output

Name Description
tftpStat TFTP status
tftpOpcode TFTP opcode

torDetector

Tor: The Onion Router

Flow output

Name Description
torStat Tor status

Packet output

Name Description
torStat Tor status

tp0f

OS classification based on layer 3/4 (IP/TCP) analysis

Flow output

Name Description
tp0fStat tp0f status
tp0fDis tp0f TTL distance
tp0fRN tp0f rule number
tp0fClass tp0f class
tp0fProg tp0f program
tp0fVer tp0f version
tp0fClName tp0f OS class name
tp0fPrName tp0f OS/program name
tp0fVerName tp0f OS/program version name

Packet output

Name Description
tp0fStat tp0f status
tp0fDis tp0f TTL distance
tp0fPrName tp0f OS/program name
tp0fVerName tp0f OS/program version name

voipDetector

VoIP: Voice over IP

Flow output

Name Description
voipStat VoIP status
voipType VoIP RTP / RTCP Type
voipSSRC VoIP RTP / RTCP Synchronization Source Identifier
voipCSRC VoIP RTP / RTCP Contributing Sources
voipSRCnt VoIP RTP SID / RTCP record count
rtpPMCnt VoIP RTP packet miss count
rtpPMr VoIP RTP packet miss ratio
sipMethods VoIP SIP methods
sipStatCnt VoIP SIP stat count
sipReqCnt VoIP SIP request count
sipUsrAgnt VoIP SIP User-Agent
sipRealIP VoIP SIP X-Real-IP
sipFrom VoIP SIP Caller
sipTo VoIP SIP Callee
sipCallID VoIP SIP Call-ID
sipContact VoIP SIP Contact
sipStat VoIP SIP stat
sipReq VoIP SIP request
sdpSessID VoIP SDP session ID
sdpRFAdd VoIP SDP RTP audio/video flow address
sdpRAFPrt VoIP SDP RTP audio flow port
sdpRVFPrt VoIP SDP RTP video flow port
sdpRTPMap VoIP SIP SDP rtpmap
voipFindex VoIP SIP RTP findex
rtcpTPCnt VoIP RTCP cumulated transmitter packet count
rtcpTBCnt VoIP RTCP cumulated transmitter byte count
rtcpFracLst VoIP RTCP cumulated fraction lost
rtcpCPMCnt VoIP RTCP cumulated packet miss count
rtcpMaxIAT VoIP RTCP max inter-arrival time
voipFname VoIP RTP content filename

Packet output

Name Description
voipStat VoIP status
voipType VoIP RTP / RTCP Type
voipSeqN VoIP RTP / RTCP sequence number
voipTs VoIP RTP / RTCP timestamp
voipTsDiff VoIP RTP / RTCP timestamp difference
voipSSRC VoIP RTP / RTCP Synchronization Source Identifier

vrrpDecode

VRRP: Virtual Router Redundancy Protocol

Flow output

Name Description
vrrpStat VRRP status
vrrpVer VRRP version
vrrpType VRRP type
vrrpVRIDCnt VRRP virtual router ID count
vrrpVRID VRRP virtual router ID
vrrpMinPri VRRP minimum priority
vrrpMaxPri VRRP maximum priority
vrrpMinAdvInt VRRP minimum advertisement interval (seconds)
vrrpMaxAdvInt VRRP maximum advertisement interval (seconds)
vrrpAuthType VRRP authentication type
vrrpAuth VRRP authentication string
vrrpIPCnt VRRP IP address count
vrrpIP VRRP IP addresses

vrrp.txt file

Name Description
VirtualRtrID Virtual router ID
Priority Priority
SkewTime Skew time (seconds)
MasterDownInterval Master down interval (seconds)
AddrCount Number of addresses
Addresses List of addresses
Version VRRP version
Type Message type
AdverInt Advertisement interval (seconds)
AuthType Authentication type
AuthString Authentication string
Checksum Stored checksum
CalcChecksum Calculated checksum
flowInd Flow index

vtpDecode

VTP: VLAN Trunking Protocol

Flow output

Name Description
vtpStat VTP status
vtpVer VTP version
vtpCodeBF VTP aggregated codes
vtpVlanTypeBF VTP aggregated VLAN types
vtpDomain VTP Management Domain
vtpNumUpdId VTP number of Updater Identities
vtpUpdId VTP Updater Identity
vtpFirstUpdTS VTP Timestamp of first update
vtpLastUpdTS VTP Timestamp of last update

Packet output

Name Description
vtpStat VTP status
vtpVer VTP version
vtpCode VTP code
vtpDomain VTP Management Domain
vtpVlanTypeBF VTP aggregated VLAN types

vtp.txt file

Name Description
pktNo Packet number
flowInd Flow index
srcMac MAC address which issued this advertisement
vtpVer VTP version
vtpDomain VTP Management Domain
vtpRevNum VTP Configuration Revision Number
vtpVlanType Aggregated VLAN type
vtpVlanID ISL VLAN ID
vtpVlanName VLAN Name
vtpVlanSAID 802.10 Index (IEEE 802.10 security association identifier for this VLAN)
vtpVlanMTU MTU Size
vtpVlanSuspended State of the VLAN (suspended or not)

wavelet

Wavelet

Flow output

Name Description
waveNumPnts Wavelet number of points
waveSig Wavelet signal
waveNumLvl Number of wavelet levels
waveCoefDetailDB1 Daubechies 1 (DB1) wavelet detail coefficients
waveCoefDetailDB2 Daubechies 2 (DB2) wavelet detail coefficients
waveCoefDetailDB3 Daubechies 3 (DB3) wavelet detail coefficients
waveCoefDetailDB4 Daubechies 4 (DB4) wavelet detail coefficients
waveCoefApprox Wavelet approximation coefficients