Supported protocols
For instructions on configuring data capture for supported protocols, see "Use the Streams Config UI" in this manual.
Splunk App for Stream supports capture of these network data protocols on Linux, Mac, and Windows:
AMQP
Name | Description | Term |
---|---|---|
major_version | Major version of the protocol | amqp.major-version |
method | Command launched | amqp.method |
minor_version | Minor version of the protocol | amqp.minor-version |
response_time | Server response time (microseconds) | amqp.response-time |
bytes | The total number of bytes transferred | flow.bytes |
src_ip | Client IP Address | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
dest_ip | Server IP Address | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport level protocol | flow.transport |
DHCP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport level protocol | flow.transport |
opcode | Type of DHCP message | dhcp.message-type |
file | Name of boot file used during initialization | dhcp.filename |
chaddr | Client hardware address | dhcp.client-mac |
ciaddr | Client IP address | dhcp.current-client-ip |
dns_server | DNS server IP address | dhcp.dns-ip |
giaddr | Relay agent IP address | dhcp.relay-ip |
ip_lease_time | Lease time the DHCP server is willing to offer | dhcp.lease-time |
siaddr | IP address of the next server (used when booting via a server) | dhcp.server-ip |
sname | Host name of the next server | dhcp.server-name |
yiaddr | New IP address assigned to the client | dhcp.new-client-ip |
subnetmask | Subnet mask assigned to the client | dhcp.new-client-subnet |
router | IP address of the gateway | dhcp.gateway-ip |
DIAMETER
Name | Description | Term |
---|---|---|
bytes | The total number of bytes transferred | flow.bytes |
src_ip | Client IP Address | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
dest_ip | Server IP Address | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport level protocol | flow.transport |
acct_input_octets | Indicates how many octets have been received from the port over the course of this service being provided | diameter.acct-input-octets |
acct_multi_session_id | Link between multiple accounting sessions | diameter.acct-multi-session-id |
acct_output_octets | Indicates how many octets have been sent to the port in the course of delivering this service | diameter.acct-output-octets |
acct_record_number | Unique identifier for one record within a session | diameter.acct-record-number |
acct_record_type | Record type | diameter.acct-record-type |
acct_session_id | Accounting session ID | diameter.acct-session-id |
acct_sub_session_id | Sub-session identifier | diameter.acct-sub-session-id |
application_id | Identify which application the message is applicable for | diameter.application-id |
auth_request_type | Requested authentication type | diameter.auth-request-type |
called_station_id | The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology | diameter.called-station-id |
calling_station_id | Client id | diameter.calling-station-id |
command_code | Command associated with the Diameter request | diameter.command-code |
command_flags | Bitfield which defines some attributes of a command on one byte as follows: [RPE.....] ('R'equest/answer, 'P'roxiable, 'E'rror) | diameter.command-flags |
destination_host | Destination Diameter host for the current message | diameter.destination-host |
end_to_end_id | Used to detect duplicate messages | diameter.end-to-end-id |
framed_ip | IP address | diameter.framed-ip |
hop_by_hop_id | Used to match Diameter request and reply messages | diameter.hop-by-hop-id |
login | User's login string | diameter.login |
nas_id | Unique identifier of NAS originating access request | diameter.nas-id |
nas_ip | IP address of the NAS originating the access request | diameter.nas-ip |
nas_port | Physical port number of the user on the NAS | diameter.nas-port |
nas_port_id | Identifies the NAS | diameter.nas-port-id |
nas_port_type | Indicates the type of physical port NAS is using to authenticate the user | diameter.nas-port-type |
origin_host | Source Diameter host for the current message | diameter.origin-host |
result_code | Indicates whether a particular Diameter request was completed successfully or not | diameter.result-code |
session_id | Uniquely identifies the current user session | diameter.session-id |
terminate_cause | This attribute indicates how the session was terminated | diameter.terminate-cause |
DNS
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
ancount | The number of resource records in the answer section | dns.ancount |
arcount | Number of additional answers | dns.arcount |
hostname | Host name | dns.host |
host_addr | Host IP address | dns.host-addr |
host_type | DNS host type | dns.host-type |
message_type | DNS Message Type | dns.message-type |
name | Name of the request | dns.name |
nscount | Number of answers in the 'authority' section | dns.nscount |
qdcount | Number of queries | dns.qdcount |
query | DNS Query sent | dns.query |
query_type | DNS Query type | dns.query-type |
reply_code | Return message | dns.reply-code |
response_time | Elapsed time between sending of the dns request and reception of its response, in microseconds | dns.response-time |
reverse_addr | IP address returned to the PTR request | dns.reverse-addr |
transaction_id | DNS transaction identifier | dns.transaction-id |
ttl | Time (in seconds) that DNS information returned by the server is kept in cache | dns.ttl |
FTP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
login | User's login string | ftp.login |
loadway | The file transfer direction (upload or download) | ftp.loadway |
method | Contains the FTP command sent | ftp.method |
filename | Name of the transferred file | ftp.filename |
filesize | Size (in bytes) of the transferred file | ftp.filesize |
data_port | Data connection TCP port | ftp.data-port |
content_type | The content type of transferred file | ftp.content-type |
greeting | First line of the server banner | ftp.greeting-message |
offset | Start offset of the file transfer | ftp.offset |
password | User's password string | ftp.password |
reply_code | FTP server reply code | ftp.reply-code |
reply_content | FTP server response message content | ftp.reply-content |
inherent_parent | Parent inheritance key, stored in a hashtable and kept until the parent session expires | ftp.inherent-parent |
transfer_duration | Transfer duration | ftp.transfer-duration |
ftp_index | Identifier of the request and response in an FTP flow | ftp.index |
HTTP
Name | Description | Term |
---|---|---|
bytes | Total number of bytes transferred | flow.bytes |
bytes_in | Number of bytes sent from client to server | flow.cs-bytes |
bytes_out | Number of bytes sent from server to client | flow.sc-bytes |
cookie | Cookie HTTP request header | http.cookie |
dest_ip | IP address of server in dot-quad notation | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
form_data | A url-encoded string represent | flow.s-ip |
http_comment | The HTTP status message returned to the client | http.comment |
http_content_length | HTTP response content length | http.content-length |
http_content_type | The Content-Type HTTP response header | http.content-type |
http_method | The HTTP method of the request (GET, POST, etc.) | http.method |
http_referrer | The Referer HTTP request header | http.referer |
http_user_agent | The User-Agent HTTP request header | http.useragent |
server | The Server HTTP response header | http.server |
site | The Host HTTP request header | http.host |
src_ip | IP address of the client in dot-quad notation. Contains the value of the X-Forwarded-For header, or is equal to flow.c-ip if X-Forwarded-For is not set. | http.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
status | The HTTP status code returned to the client | http.status |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
title | Page title, extracted from HTML content | http.page-title |
transport | Transport layer protocol (udp or tcp) | flow.transport |
uri_parm | The parameters portion of the requested resource | http.uri-parm |
uri_path | The requested resource (excluding query) | http.uri-stem |
uri_query | The query portion of the requested resource | http.uri-query |
accept | The Accept HTTP request header | http.accept |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
allow | The Allow HTTP response header | http.allow |
c_ip | IP address of the client in dot-quad notation | flow.c-ip |
cached | 1 if the response was cached, 0 if it was not | http.cached |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
content_location | The Content-Location HTTP response header | http.content-location |
cs_content_length | HTTP request content length | http.cs-content-length |
cs_content_type | The Content-Type HTTP request header | http.cs-content-type |
cs_version | The protocol version that the client used | http.cs-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
dest_content | All HTTP payload content sent from server to client | http.sc-content |
dest_headers | All HTTP headers sent from server to client | http.sc-headers |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
location | The Location HTTP response header | http.location |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
refused | Number of requests that were refused by the server | flow.refused |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
request | The request line exactly as it came from the client | http.request |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
set_cookie | The Set-Cookie HTTP response header | http.set-cookie |
src_content | All HTTP payload content sent from client to server | http.cs-content |
src_headers | All HTTP headers sent from client to server | http.cs-headers |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
transfer_encoding | The Transfer-Encoding HTTP response header | http.transfer-encoding |
uri | The requested resource (including query) | http.uri |
user | The username the user has authenticated as | http.authuser |
IMAP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport level protocol | flow.transport |
attach_content_decoded | Decoded attached files content | email.attach-content-decoded |
attach_filename | Attachment name | email.attach-filename |
attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
attach_type | Content type of the sent attached file | email.attach-type |
content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
date | Message date | email.date |
email_index | Index of the request to which the email is attached | email.email-index |
greeting | Contains the greeting message of the server | email.greeting-message |
login | User's login string | email.login |
login_server | Concatenated login and server as a string: <login>@<server> | email.login-server |
method | Command sent by the client | email.method |
mime_type | Content-type of the e-mail message | email.mime-type |
msg_id | Unique identifier for the e-mail message | email.message-id |
received_by_ip | IP address of the receiving host | email.received-by-ip |
received_by_name | Contains the receiving host name | email.received-by-name |
received_date | Date when the transport service relayed the message | email.received-date |
received_from_ip | IP address of the sending host | email.received-from-ip |
received_from_name | Contains the sending host name | email.received-from-name |
received_server_agent | Contains the name of the server agent | email.received-server-agent |
received_with | Contains the software used to send the email | email.received-with |
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias |
receiver_email | E-mail address of the message recipient | email.receiver-email |
receiver_type | Type of the email receiver | email.receiver-type |
reply_to | Email address to use in a reply for this message | email.reply-to |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
server_response | The return code of the server | email.server-response |
subject | Subject of the e-mail message | email.subject |
useragent | Name of the client software used | email.user-agent |
IRC
Name | Description | Term |
---|---|---|
bytes | The total number of bytes transferred | flow.bytes |
c_ip | IP address of the client in dot-quad notation | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
refused | Number of requests that were refused by the server | flow.refused |
dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport layer protocol (udp or tcp) | flow.transport |
chat_room_name | Chat room name | irc.channel |
channel_name | Name of the irc channel | irc.channel-name |
file_identifier | File correlation key | irc.file-id |
filename | Name of the transferred file | irc.filename |
login | User's login string | irc.login |
login_server | Concatenated login and server | irc.login-server |
message | Contains the chat message | irc.message |
mode | Status of the irc channel | irc.mode-status |
nickname | User's alias | irc.nick-name |
receiver | Contains the identity of the receiver for a chat message or a file transfer | irc.receiver |
sender | Contains the identity of the sender of a chat session or a file transfer | irc.sender |
server | Server name to which the user is connected | irc.server |
LDAP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
assertion_value | Filter expression second operand, which is an assertion value | ldap.assertion-value |
attribute_description | Filter expression first operand, which is an attribute description | ldap.attribute-description
contains_sasl | Indicates whether the authentication is done using SASL mechanism | ldap.contains-sasl |
hostname | Hostname extracted from a logon response to a CLDAP searchRequest | ldap.hostname |
message_id | Message identifier (the messageID of the LDAP message) | ldap.message-id
message_type | Message type | ldap.message-type |
elements | LDAP element, map containing name-value pairs with nested elements | ldap.elements |
MAPI
Name | Description | Term |
---|---|---|
action | Indicates if the message is read (Read) or composed (Compose) | email.action |
attach_filename | Attachment file name | email.attach-filename |
attach_size | Attachment file size | email.attach-size
contact_alias | Display name (alias) of the contact | email.contact-alias
contact_email | Email address of the contact | email.contact-email
content | Content of the message | email.content |
importance | Importance level set on the message by the sender | email.importance
login | User's login string | email.login |
login_server | Concatenated login and server: <login>@<server>, string | email.login-server |
msglist_receiver | Full address of email receiver in a message list | email.msglist-receiver |
msglist_receiver_email | Email address of the email receiver in a message list | email.msglist-receiver-email
msglist_sender | Full address of email sender (alias and email address) (UTF-16) | email.msglist-sender |
msglist_size | Message size in a message list | email.msglist-size |
msglist_subject | Message subject in a message list (UTF-16) | email.msglist-subject |
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias
receiver_email | E-mail address of the message recipient | email.receiver-email |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
subject | Subject of the e-mail message | email.subject |
bytes | The total number of bytes transferred | flow.bytes |
src_ip | Client IP Address | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
refused | Number of requests that were refused by the server | flow.refused |
dest_ip | Server IP Address | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport layer protocol (udp or tcp) | flow.transport
auth_type | Authentication type used | mapi.authtype |
date | Message date, as the number of 100-nanosecond intervals since January 1, 1601 (Windows FILETIME) | mapi.date
domain | Network domain of the client | mapi.domain |
email_type | Email type | mapi.email-type
host | Client's host name | mapi.host
msg_sensibility | Sensitivity level of the message | mapi.msg-sensibility
size | Message size | mapi.size |
MYSQL Database Commands
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
dbname | Database name | mysql.dbname |
login | User's login string | mysql.login |
query | Query String | mysql.query |
MYSQL Database Logins
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
dbname | Database name | mysql.dbname |
login | User's login string | mysql.login |
query | Query String | mysql.query |
MYSQL Database Queries
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
dbname | Database name | mysql.dbname |
login | User's login string | mysql.login |
query | Query String | mysql.query |
NFS
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
content | File content | nfs.content |
file_handle | Unique identifier for a file | nfs.file-handle
filename | Accessed, written or read file name | nfs.filename |
filesize | Size of the file | nfs.filesize |
gid | Identifier of the file owner's group | nfs.gid |
mode | Protection mode bits | nfs.mode |
offset | Offset of the written/read file | nfs.offset |
command | NFS procedure (operation) invoked by the request | nfs.command
status | Response status for a request | nfs.status |
type | File type | nfs.type |
uid | Identifier of the file owner (user ID) | nfs.uid
version | NFS protocol version used | nfs.version
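The nfs.mode field carries raw POSIX protection bits, which are hard to read in an event list and easy to overlook when a file is created or its attributes changed with setuid or world-writable permissions. The following is an added example, not Splunk's code: it decodes nfs.mode into an ls-style string and flags risky modes over a handful of constructed NFS events keyed by the field names in the table above. The event shape, the command values and the assumption that Stream emits the mode as a decimal integer are all assumptions made for this example.

```python
# Permission bit constants as used in nfs.mode (POSIX mode bits)
S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000
S_IWOTH = 0o002


def parse_mode(value):
    """Accept nfs.mode as an int, a decimal string, or an octal string
    prefixed with 0 or 0o. That Stream emits the value as a decimal
    integer is an assumption of this example, not a documented fact."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    if text.startswith("0o") or (text.startswith("0") and len(text) > 1):
        return int(text, 8)
    return int(text, 10)


def mode_to_symbolic(value):
    """Render the nine rwx bits plus setuid/setgid/sticky in ls(1) style,
    e.g. 0o4755 -> rwsr-xr-x and 0o4644 -> rwSr--r-- (set bit, no execute)."""
    mode = parse_mode(value)
    out = []
    for shift, special_bit, letter in ((6, S_ISUID, "s"), (3, S_ISGID, "s"), (0, S_ISVTX, "t")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        executable = bool(bits & 1)
        if mode & special_bit:
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def risky_mode_reasons(value):
    """Reasons a mode deserves attention: setuid, setgid, or world-writable
    without the sticky bit (a sticky world-writable directory such as /tmp
    is the normal case and is not flagged)."""
    mode = parse_mode(value)
    reasons = []
    if mode & S_ISUID:
        reasons.append("setuid")
    if mode & S_ISGID:
        reasons.append("setgid")
    if (mode & S_IWOTH) and not (mode & S_ISVTX):
        reasons.append("world-writable")
    return reasons


# Constructed sample NFS events; field names follow the table, values are
# assumptions (2541 = 0o4755, 1023 = 0o1777, 438 = 0o666, 384 = 0o600).
SAMPLE_NFS_EVENTS = [
    {"command": "create", "filename": "/export/bin/backup", "mode": 2541,
     "uid": 0, "gid": 0, "type": "file"},
    {"command": "mkdir", "filename": "/export/tmp", "mode": 1023,
     "uid": 0, "gid": 0, "type": "directory"},
    {"command": "setattr", "filename": "/export/shared/notes.txt", "mode": 438,
     "uid": 1001, "gid": 100, "type": "file"},
    {"command": "create", "filename": "/export/home/alice/.ssh/id_rsa", "mode": 384,
     "uid": 1001, "gid": 1001, "type": "file"},
]


def audit_nfs_modes(events):
    """Return (filename, symbolic mode, reasons) for every event whose mode is risky."""
    findings = []
    for ev in events:
        if "mode" not in ev:
            continue
        reasons = risky_mode_reasons(ev["mode"])
        if reasons:
            findings.append((ev.get("filename"), mode_to_symbolic(ev["mode"]), reasons))
    return findings


if __name__ == "__main__":
    for filename, symbolic, reasons in audit_nfs_modes(SAMPLE_NFS_EVENTS):
        print(filename, symbolic, ", ".join(reasons))
```

Run against the constructed events this reports the setuid binary and the world-writable text file, and stays silent on the sticky /export/tmp directory and the 0600 private key.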
POP3
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
attach_content_decoded | Decoded attached files content | email.attach-content-decoded |
attach_disposition | Attached file disposition, inline vs attachment | email.attach-disposition |
attach_filename | Attachment name | email.attach-filename |
attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
attach_type | Content type of the sent attached file | email.attach-type |
content_body | Data containing body | email.content-body |
content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
date | Message date | email.date |
email_index | Index of the request which the email is attached to | email.email-index |
greeting | Contains the greeting message of the server | email.greeting-message |
login | User's login string | email.login |
login_server | Concatenated login and server: <login>@<server>, string | email.login-server
method | Command sent by the client | email.method |
mime_type | Content-type of the e-mail message | email.mime-type |
msg_id | Unique identifier for the e-mail message | email.message-id |
password | User's password string | email.password |
received_by_ip | IP address of the receiving host | email.received-by-ip
received_by_name | Contains the receiving host name | email.received-by-name
received_date | Date when the transport service relayed the message | email.received-date
received_from_ip | IP address of the sending host | email.received-from-ip
received_from_name | Contains the sending host name | email.received-from-name
received_server_agent | Contains the name of the server agent | email.received-server-agent
received_with | Contains the software used to send the email | email.received-with
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias
receiver_email | E-mail address of the message recipient | email.receiver-email |
receiver_type | Type of the email receiver | email.receiver-type |
reply_to | Email address to use in a reply for this message | email.reply-to |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
server_response | The return code of the server | email.server-response |
subject | Subject of the e-mail message | email.subject |
useragent | Name of the client software used | email.user-agent |
Postgres
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
auth_type | Authentication method requested by the server | postgres.auth-type |
dbname | Database name | postgres.dbname |
error | Error message | postgres.error |
login | User's login string | postgres.login |
password | User's password string | postgres.password |
proto_version | Protocol version | postgres.proto-version |
query | Query sent | postgres.query |
server_version | Server version | postgres.server-version |
RADIUS
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport level protocol | flow.transport |
id | Packet Identifier | radius.id |
code | Radius message code | radius.code |
status | Status | radius.status |
login | User login string | radius.login |
login_ipv6_host | Indicates the system with which to connect the user | radius.login-ipv6-host |
session_timeout | Maximum duration of session in seconds | radius.session-timeout |
idle_timeout | Maximum idle duration of session in seconds | radius.idle-timeout |
nas_id | Unique identifier of NAS originating access request | radius.nas-id |
nas_ip | IP address of the NAS originating the access request | radius.nas-ip |
nas_ipv6 | IPv6 address of the NAS originating the access request | radius.nas-ipv6 |
nas_port | Physical port number of the user on the NAS | radius.nas-port |
nas_port_id | Identifies the NAS | radius.nas-port-id |
nas_port_type | Indicates the type of physical port NAS is using to authenticate the user | radius.nas-port-type |
start_time | Indicates the beginning of the user service | radius.start-time |
stop_time | Indicates the end of the user service | radius.stop-time |
terminate_cause | Indicates how the session was terminated | radius.terminate-cause |
framed_ip | Indicates the IP address to be configured for the user | radius.framed-ip |
framed_ipv6_route | Indicates the routing information to be configured for the user on the NAS | radius.framed-ipv6-route |
framed_ipv6_pool | Indicates the name of an assigned pool that should be used to assign an IPv6 prefix for the user | radius.framed-ipv6-pool |
callback_number | Indicates the dialing string to be used for callback | radius.callback-number |
called_station_id | Indicates the phone number that the user called | radius.called-station-id |
vendor_id | Indicates the SMI Network Management Private Enterprise Code of the Vendor | radius.vendor-id |
acct_session_id | Indicates the accounting session id | radius.account-session-id |
sgsn_address | Indicates the IP address of the SGSN | radius.sgsn-ip |
sgsn_mcc_mnc | Indicates the SGSN MCC and MNC | radius.sgsn-mcc |
SIP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
accept_language | Indicates the preferred languages | sip.accept-language |
alert_info | Specifies an alternative ring tone | sip.alert-info |
call_duration | Call duration in seconds | sip.call-duration |
call_id | Call id, extracted for each call | sip.call-id |
call_info | Provides additional information about the caller or callee | sip.call-info |
callee | Contains the identity of the called party for a call | sip.callee |
callee_addr | IPv4 address which could be used by the called party | sip.callee-addr |
callee_addr_v6 | IPv6 address which could be used by the called party | sip.callee-addr-v6 |
callee_domain | Callee's domain | sip.callee-domain |
callee_e164 | Format of the callee's telephone numbers | sip.callee-e164 |
callee_nickname | Callee nickname | sip.callee-nickname |
callee_port | Port which could be used by the callee | sip.callee-port |
callee_server_agent | Server software on the callee side | sip.callee-server-agent |
callee_user_agent | Client's software used by the callee | sip.callee-user-agent |
callee_user_phone | Callee's phone presence flag | sip.callee-user-phone |
caller | Contains the identity of the initiator of the call | sip.caller |
caller_addr | IPv4 address which could be used by the initiator of the call | sip.caller-addr |
caller_addr_v6 | IPv6 address which could be used by the initiator of the call | sip.caller-addr-v6 |
caller_domain | Caller's domain | sip.caller-domain |
caller_e164 | Format of the caller's telephone numbers | sip.caller-e164 |
caller_nickname | Caller nickname | sip.caller-nickname |
caller_port | Port which could be used by the caller | sip.caller-port |
caller_server_agent | Server software on the caller side | sip.caller-server-agent |
caller_user_agent | Client software on the caller side | sip.caller-user-agent |
caller_user_phone | Caller's phone presence flag | sip.caller-user-phone |
confcall_callee | Callee's name, in a confcall | sip.confcall-callee |
confcall_caller | Caller's name, in a confcall | sip.confcall-caller |
connection_info_addr | Connection IPv4 address | sip.connection-info-addr |
connection_info_addr_type | Connection address type | sip.connection-info-addr-type |
connection_info_addr_v6 | Connection IPv6 address | sip.connection-info-addr-v6 |
connection_info_net_type | Network type for the connection | sip.connection-info-net-type |
contact | The Contact header field provides a SIP or SIPS URI that can be used to contact that specific instance of the UA for subsequent requests | sip.contact |
cseq | Sequence number | sip.cseq |
data_port | Data port for client's protocol | sip.data-port |
date | Contains the date and time | sip.date |
end_status | Status of the call end | sip.end-status |
from | The initiator of the request | sip.from |
from_tag | A globally unique id of the caller | sip.from-tag |
media_attr | Media attributes | sip.media-attr |
media_attr_addr | The mentioned IPv4 address to be used | sip.media-attr-addr |
media_attr_addr_v6 | The mentioned IPv6 address to be used | sip.media-attr-addr-v6 |
media_attr_channel | The channel value | sip.media-attr-channel |
media_attr_encoding | The encoding of media data | sip.media-attr-encoding |
media_attr_label | The label for media data | sip.media-attr-label |
media_attr_param | The param information of media data | sip.media-attr-param |
media_attr_port | The transport port to be used | sip.media-attr-port |
media_attr_rate | The encoding rate | sip.media-attr-rate |
media_attr_type | Contains the media type (audio or video) | sip.media-attr-type |
media_attr_value | XXX | sip.media-attr-value |
media_format | Client's protocol formats available | sip.media-format |
media_proto | Protocol used in client stream | sip.media-proto |
media_type | Contains the media type | sip.media-type |
method | The command | sip.method |
mime_type | Data type | sip.mime-type |
p_asserted_id | Indicates the identity of the trusted SIP server | sip.p-asserted-id |
proxy_authorization | Allows the client to identify itself (or its user) to a proxy that requires authentication | sip.proxy-authorization |
reason | The reason a Session Initiation Protocol request was issued | sip.reason |
record_route | The Record-Route header field is inserted by proxies in a request to force future requests in the dialog to be routed through the proxy | sip.record-route |
remote_party_id | The IP address of the remote party | sip.remote-party-id |
reply_code | Return status code | sip.reply-code |
request_call_id | Call's id extracted for each sip request | sip.request-call-id |
server_agent | Server's software | sip.server-agent |
session_duration | Session duration in seconds | sip.session-duration |
setup_delay | Call setup delay in microseconds | sip.setup-delay |
start_time | Start date of the call | sip.start-time |
subject | The subject header present in the SIP packet | sip.subject |
time_before_spk | Waiting delay before speaking, in microseconds | sip.time-before-spk |
to | The recipient of the request | sip.to |
to_tag | A globally unique id of the callee | sip.to-tag |
uri | Contains the URI (similar to To: field) | sip.uri |
useragent | Client's software | sip.user-agent |
user_id | Client identifier used when registering with a SIP server | sip.user-id |
via | The Via header field indicates the transport used for the transaction and identifies the location where the response is to be sent | sip.via |
www_authenticate | Contains an authentication challenge | sip.www-authenticate |
SMB
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
login | User's login string | smb.login |
command | Command string | smb.command |
dialect | The version of the SMB Protocol | smb.dialect |
domain | Domain name | smb.domain |
filename | Name of the transferred file | smb.filename |
filesize | Size (bytes) of the transferred file | smb.filesize |
native_os | Client's operating system | smb.native-os |
nt_status | NT error code | smb.nt-status |
path | The server/share name of the resource to which the client attempts to connect | smb.path |
search_attributes | An attribute mask used to specify the standard attributes a file must have in order to match the search | smb.search-attributes |
search_pattern | The file pattern to search for | smb.search-pattern |
service | The type of resource that the client intends to access | smb.service |
user_id | User identifier (SMB v1 only) | smb.user-id |
SMPP
Name | Description | Term |
---|---|---|
content | Content of the Short Message | smpp.content |
receiver | Receiver's address | smpp.receiver |
sender | Sender's address | smpp.sender |
bytes | The total number of bytes transferred | flow.bytes |
src_ip | Client IP Address | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
dest_ip | Server IP Address | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport level protocol | flow.transport |
SMTP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
attach_content_decoded | Decoded attached files content | email.attach-content-decoded |
attach_disposition | Attached file disposition, inline vs attachment | email.attach-disposition |
attach_filename | Attachment name | email.attach-filename |
attach_size | Attachment MIME size | email.attach-size |
attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
attach_type | Content type of the sent attached file | email.attach-type |
content_body | Data containing body | email.content-body |
content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
date | Message date | email.date |
email_index | Index of the request to which the email is attached | email.email-index |
greeting | Contains the greeting message of the server | email.greeting-message |
login | User's login string | email.login |
method | Command sent by the client | email.method |
mime_type | Content-type of the e-mail message | email.mime-type |
msg_id | Unique identifier for the e-mail message | email.message-id |
password | User's password string | email.password |
received_by_ip | Contains the IP address of the receiving host | email.received-by-ip |
received_by_name | Contains the receiving host name | email.received-by-name |
received_date | Date when the transport service relayed the message | email.received-date |
received_from_ip | Contains the IP address of the sending host | email.received-from-ip |
received_from_name | Contains the sending host name | email.received-from-name |
received_server_agent | Contains the name of the server agent | email.received-server-agent |
received_with | Contains the software used to send the email | email.received-with |
receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias |
receiver_email | E-mail address of the message recipient | email.receiver-email |
receiver_type | Type of the email receiver | email.receiver-type |
reply_to | Email address to use in a reply for this message | email.reply-to |
sender | Full address of email sender (alias followed by email address) | email.sender |
sender_alias | Name of the email sender | email.sender-alias |
sender_email | Email address of the email sender | email.sender-email |
server_response | The return code of the server | email.server-response |
subject | Subject of the e-mail message | email.subject |
useragent | Name of the client software used | email.user-agent |
duration | Duration of the SMTP session in seconds | smtp.duration |
receiver_rcpt_to | Recipient's email address (used by RCPT TO method) | smtp.receiver-rcpt-to |
response_code | Return code | smtp.response-code |
sender_mail_from | Sender's email address (used by MAIL FROM method) | smtp.sender-mail-from |
sender_server | Contains the name of the SMTP server used | smtp.sender-server |
server_agent | The software name used by the email server | smtp.server-agent |
start_time | Starting time of SMTP session | smtp.start-time |
stop_time | Ending time of SMTP session | smtp.stop-time |
SNMP
Name | Description | Term |
---|---|---|
bytes | The total number of bytes transferred | flow.bytes |
c_ip | IP address of the client in dot-quad notation | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport layer protocol (udp or tcp) | flow.transport |
community | Community name | snmp.community |
method | SNMP request type | snmp.method |
name | Name of the user | snmp.name |
request_id | Request Identifier | snmp.request-id |
varbind_list | JSON array of {"oid":varbind_oid, "value":varbind_value, "type": varbind_value_type} | snmp.varbind_list |
version | SNMP Version | snmp.version |
TCP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
ssl_session_id | SSL session id | flow.ssl-session-id |
ssl_cert_md5 | md5 of SSL certificate | flow.ssl-cert-md5 |
ssl_commonname | Common name with domain name of subject in SSL certificate | flow.ssl-cert-subject-commonname |
ssl_orgname | Organization name of subject in SSL certificate | flow.ssl-cert-subject-orgname |
ssl_issuer | Organization name of issuer in SSL certificate | flow.ssl-cert-issuer-orgname |
ssl_serialnumber | Serial number of SSL certificate | flow.ssl-cert-serialnumber |
ssl_validity_end | SSL certificate's validity end date | flow.ssl-cert-validity-not-after |
ssl_validity_start | SSL certificate's validity start date | flow.ssl-cert-validity-not-before |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
TDS (Sybase/SQL Database Events)
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
application | Name of application used to connect to the database | tds.application |
dbname | Name of the database in use | tds.dbname |
hostname | Name of workstation communicating with the SQL server | tds.hostname |
language | User locale | tds.language |
library | Name of network dynamic-link library used | tds.library |
login | User's login string | tds.login |
password | User's password string | tds.password |
query | SQL query sent by the user | tds.query |
server | Name of server hosting the SQL Server | tds.server |
TNS (ORACLE Database Events)
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
refused | Number of requests that were refused by the server | flow.refused |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
dbname | Name of accessed database | tns.dbname |
client_hostname | Client machine hostname | tns.client-hostname |
client_os | Client machine operating system | tns.client-os |
client_program_name | Client program name | tns.client-program-name |
client_program_path | Client program absolute path | tns.client-program-path |
login | User's login string | tns.login |
password | User's password string | tns.password |
query | Database query | tns.query |
hostname | Database server hostname | tns.server-hostname |
server_os | Database server operating system | tns.server-os |
version | Version number of Oracle server | tns.version |
UDP
Name | Description | Term |
---|---|---|
src_ip | Client IP Address | flow.c-ip |
dest_ip | Server IP Address | flow.s-ip |
src_port | Client port number | flow.c-port |
dest_port | Server port number | flow.s-port |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
bytes | The total number of bytes transferred | flow.bytes |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
transport | Transport layer protocol (udp or tcp) | flow.transport |
XMPP
Name | Description | Term |
---|---|---|
bytes | The total number of bytes transferred | flow.bytes |
c_ip | IP address of the client in dot-quad notation | flow.c-ip |
src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
src_port | Client port number | flow.c-port |
canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
packets_in | The total number of packets sent from client to server | flow.cs-packets |
request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
refused | Number of requests that were refused by the server | flow.refused |
dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
dest_port | Server port number | flow.s-port |
ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
packets_out | The total number of packets sent from server to client | flow.sc-packets |
reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
transport | Transport layer protocol (udp or tcp) | flow.transport |
call_duration | Contains call duration in microseconds | xmpp.call-duration |
call_id | Contains call id, extracted for each call | xmpp.call-id |
callee | Contains the identity (or the phone number) of the called party for a call | xmpp.callee |
callee_addr | Contains address which could be used by the called party | xmpp.callee-address |
callee_port | Contains port on which the callee could receive a call | xmpp.callee-port |
caller | Contains the identity (or the phone number) of the initiator of the call | xmpp.caller |
caller_addr | Contains address which could be used by the initiator of the call | xmpp.caller-address |
caller_port | Contains port on which the caller could start the call | xmpp.caller-port |
os | Contains the client operating system | xmpp.client-os |
contact_login | Contact login | xmpp.contact-login |
contact_name | Contact name | xmpp.contact-name |
contact_status | Contact status | xmpp.contact-status |
file_chunk_content | Contains content of the transferred data | xmpp.file-chunk-content |
file_chunk_len | Contains size of the transferred piece | xmpp.file-chunk-length |
file_chunk_sid | Transferred file identifier | xmpp.file-chunk-sid |
file_sender | Contains the identity of the sender of a file transfer | xmpp.file-sender |
file_sid | Contains transferred file identifier | xmpp.file-sid |
filesize | Size in bytes of the transferred file | xmpp.file-size |
filename | Contains the name of the transferred file | xmpp.filename |
login | User's login string | xmpp.login |
message | Contains the chat message | xmpp.message |
encoding | Message encoding | xmpp.message-encoding |
nickname | Nickname used by the user | xmpp.nickname |
receiver | Contains the identity of the receiver for a chat message or a file transfer | xmpp.receiver |
sender | Contains the identity of the sender of a chat session or a file transfer | xmpp.sender |
start_time | Contains start date of the call | xmpp.start-time |
version | JABBER software version | xmpp.version |
For instructions on configuring data capture for supported protocols, see "Use the Streams Config UI."
Protocol detection
Splunk App for Stream can detect additional wire data protocols, including:
- TOR
- BitTorrent
- Skype
These protocols are classification only, not attribute extraction. Thus there are no "TOR" or "BitTorrent" event types, only the values app=tor, app=bittorrent or app=skype in the app field of the tcp event.
To detect these protocols, run a search that specifies the protocol classification in the tcp stream. For example:
sourcetype=stream:tcp app=TOR
(or optionally app=*)
Note: These protocols are not available for selection in the Streams Config UI, and you cannot add them independently to your stream capture configuration. To identify data for these protocols, you must run a search using the appropriate sourcetype and specify the protocol classification.
This documentation applies to the following versions of Splunk Stream™: 6.3.0, 6.3.1, 6.3.2