Plugins overview


Global plugins

protoStats Overall statistics about protocols

Basic plugins

basicFlow Overall flow information
basicStats Basic statistics
connStat Connection statistics
macRecorder MAC addresses and manufacturers
portClassifier Classification based on port numbers

Layer 2 plugins

arpDecode ARP: Address Resolution Protocol
cdpDecode CDP: Cisco Discovery Protocol
lldpDecode LLDP: Link Layer Discovery Protocol
stpDecode STP: Spanning Tree Protocol
vtpDecode VTP: VLAN Trunking Protocol

Layer 3/4 plugins

icmpDecode ICMP: Internet Control Message Protocol
igmpDecode IGMP: Internet Group Management Protocol
ospfDecode OSPF: Open Shortest Path First
sctpDecode SCTP: Stream Control Transmission Protocol
tcpFlags IP and TCP flags
tcpStates TCP connection tracker
vrrpDecode VRRP: Virtual Router Redundancy Protocol

Layer 7 plugins

bgpDecode BGP: Border Gateway Protocol
dhcpDecode DHCP: Dynamic Host Configuration Protocol
dnsDecode DNS: Domain Name System
ftpDecode FTP: File Transfer Protocol
gtpDecode GTP: GPRS Tunneling Protocol
gquicDecode GQUIC: Google Quick UDP Internet Connections
httpSniffer HTTP: HyperText Transfer Protocol
ircDecode IRC: Internet Relay Chat
ldapDecode LDAP: Lightweight Directory Access Protocol
mndpDecode MNDP: MikroTik Neighbor Discovery Protocol
modbus Modbus
mqttDecode MQTT: MQ Telemetry Transport Protocol
ntlmsspDecode NTLMSSP: NT LAN Manager (NTLM) Security Support Provider
ntpDecode NTP: Network Time Protocol
popDecode POP: Post Office Protocol
quicDecode QUIC (IETF): Quick UDP Internet Connections
radiusDecode RADIUS: Remote Authentication Dial-In User Service
smbDecode SMB: Server Message Block
smtpDecode SMTP: Simple Mail Transfer Protocol
snmpDecode SNMP: Simple Network Management Protocol
sshDecode SSH: Secure Shell
sslDecode SSL/TLS (Secure Socket Layer/Transport Layer Security), OpenVPN
stunDecode STUN, TURN, ICE and NAT-PMP
syslogDecode Syslog
telnetDecode Telnet
tftpDecode TFTP: Trivial File Transfer Protocol

Application plugins

bitForensic Search packets for specific bit patterns
covertChannels Covert channel detection
gsmDecode GSM: Global System for Mobile Communications
pwX Password extractor
regexHyperscan Hyperscan regular expressions
regex_pcre PCRE: Perl Compatible Regular Expressions
regex_re2 RE2 regular expressions
telegram Telegram
torDetector Tor: The Onion Router
voipDetector VoIP: Voice over IP
wechatDecode WeChat

Math plugins

centrality Centrality
descriptiveStats Descriptive statistics
dfft Discrete Fast Fourier Transform
entropy Entropy
nFrstPkts Statistics over the first N packets
pktSIATHisto Histograms of packet size and inter-arrival times
wavelet Wavelet

Classifier plugins

bayesClassifier Classification using Naive Bayes
fnameLabel Classification based on filename
geoip Classification based on IP address location
nDPI Classification based on content analysis
p0f OS classification based on content analysis (SSL/TLS)
tp0f OS classification based on layer 3/4 (IP/TCP) analysis

Output (sink) plugins

binSink Binary output into a flow file
clickhouseSink Output into a ClickHouse database
findexer Produce a binary index mapping flow index and packets
jsonSink Produce a JSON file
kafkaSink Output into an Apache Kafka event streaming platform
liveXtr Extract flagged flows in pcap files during processing
mongoSink Output into a MongoDB database
mysqlSink Output into a MariaDB/MySQL database
netflowSink NetFlow output format for existing Cisco tools
payloadDumper Dump the payload of TCP/UDP flows to files (similar to tcpflow)
pcapd Store packets from specific flows in pcap files
psqlSink Output into a PostgreSQL database
socketSink Binary output into a TCP/UDP socket
sqliteSink Output into a SQLite database
txtSink Text output into a flow file