Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Supported protocols

For instructions on configuring passive capture of supported protocol data, see "Configure Streams" in the Splunk App for Stream User Manual.

Splunk App for Stream supports capture of these network data protocols on Linux, Mac, and Windows:

AMQP

| Name | Description | Term |
| --- | --- | --- |
| major_version | Major version of the protocol | amqp.major-version |
| method | Command launched | amqp.method |
| minor_version | Minor version of the protocol | amqp.minor-version |
| response_time | Server response time (microseconds) | amqp.response-time |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | Client IP Address | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| dest_ip | Server IP Address | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| transport | Transport level protocol | flow.transport |

DHCP

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport level protocol | flow.transport |
| opcode | Type of DHCP message | dhcp.message-type |
| file | Name of boot file used during initialization | dhcp.filename |
| chaddr | Client hardware address | dhcp.client-mac |
| ciaddr | Client IP address | dhcp.current-client-ip |
| dns_server | DNS server IP address | dhcp.dns-ip |
| giaddr | Relay agent IP address | dhcp.relay-ip |
| ip_lease_time | Lease time that the DHCP server is willing to offer | dhcp.lease-time |
| siaddr | IP address of the next server (used when booting via a server) | dhcp.server-ip |
| sname | Host name of next server | dhcp.server-name |
| yiaddr | New IP address assigned to the client | dhcp.new-client-ip |
| subnetmask | Subnet mask assigned to the client | dhcp.new-client-subnet |
| router | IP address of the gateway | dhcp.gateway-ip |

DIAMETER

| Name | Description | Term |
| --- | --- | --- |
| bytes | The total number of bytes transferred | flow.bytes |
| src_ip | Client IP Address | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| dest_ip | Server IP Address | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| transport | Transport level protocol | flow.transport |
| acct_input_octets | Indicates how many octets have been received from the port over the course of this service being provided | diameter.acct-input-octets |
| acct_multi_session_id | Link between multiple accounting sessions | diameter.acct-multi-session-id |
| acct_output_octets | Indicates how many octets have been sent to the port in the course of delivering this service | diameter.acct-output-octets |
| acct_record_number | Unique identifier for one record within a session | diameter.acct-record-number |
| acct_record_type | Record type | diameter.acct-record-type |
| acct_session_id | Accounting session ID | diameter.acct-session-id |
| acct_sub_session_id | Sub-session identifier | diameter.acct-sub-session-id |
| application_id | Identifies the application to which the message applies | diameter.application-id |
| auth_request_type | Requested authentication type | diameter.auth-request-type |
| called_station_id | The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology | diameter.called-station-id |
| calling_station_id | Client ID | diameter.calling-station-id |
| command_code | Command associated with the Diameter request | diameter.command-code |
| command_flags | Bitfield which defines some attributes of a command on one byte as follows: [RPE.....] ('R'equest/answer, 'P'roxiable, 'E'rror) | diameter.command-flags |
| destination_host | Destination Diameter host for the current message | diameter.destination-host |
| end_to_end_id | Used to detect duplicate messages | diameter.end-to-end-id |
| framed_ip | IP address | diameter.framed-ip |
| hop_by_hop_id | Used to match Diameter request and reply messages | diameter.hop-by-hop-id |
| login | User's login string | diameter.login |
| nas_id | Unique identifier of the NAS originating the access request | diameter.nas-id |
| nas_ip | IP address of the NAS originating the access request | diameter.nas-ip |
| nas_port | Physical port number of the user on the NAS | diameter.nas-port |
| nas_port_id | Identifies the NAS | diameter.nas-port-id |
| nas_port_type | Indicates the type of physical port the NAS is using to authenticate the user | diameter.nas-port-type |
| origin_host | Source Diameter host for the current message | diameter.origin-host |
| result_code | Indicates whether a particular Diameter request was completed successfully or not | diameter.result-code |
| session_id | Uniquely identifies the current user session | diameter.session-id |
| terminate_cause | This attribute indicates how the session was terminated | diameter.terminate-cause |

DNS

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| ancount | The number of resource records in the answer section | dns.ancount |
| arcount | Number of additional answers | dns.arcount |
| hostname | Host name | dns.host |
| host_addr | Host IP address | dns.host-addr |
| host_type | DNS host type | dns.host-type |
| message_type | DNS Message Type | dns.message-type |
| name | Name of the request | dns.name |
| nscount | Number of answers in the 'authority' section | dns.nscount |
| qdcount | Number of queries | dns.qdcount |
| query | DNS Query sent | dns.query |
| query_type | DNS Query type | dns.query-type |
| reply_code | Return message | dns.reply-code |
| response_time | Elapsed time between sending of the DNS request and reception of its response, in microseconds | dns.response-time |
| reverse_addr | IP address returned to the PTR request | dns.reverse-addr |
| transaction_id | DNS transaction identifier | dns.transaction-id |
| ttl | Time (in seconds) that DNS information returned by the server is kept in cache | dns.ttl |

FTP

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| login | User's login string | ftp.login |
| loadway | File transfer direction (upload or download) | ftp.loadway |
| method | Contains the FTP command sent | ftp.method |
| filename | Name of the transferred file | ftp.filename |
| filesize | Size (in bytes) of the transferred file | ftp.filesize |
| data_port | Data connection TCP port | ftp.data-port |
| content_type | The content type of the transferred file | ftp.content-type |
| greeting | First line of the server banner | ftp.greeting-message |
| offset | Start offset of the file transfer | ftp.offset |
| password | User's password string | ftp.password |
| reply_code | FTP server reply code | ftp.reply-code |
| reply_content | FTP server response message content | ftp.reply-content |
| inherent_parent | Parent inheritance key, stored in a hashtable and kept until parent session expiration | ftp.inherent-parent |
| transfer_duration | Transfer duration | ftp.transfer-duration |
| ftp_index | Identifier of the request and response in an FTP flow | ftp.index |

HTTP

| Name | Description | Term |
| --- | --- | --- |
| bytes | Total number of bytes transferred | flow.bytes |
| bytes_in | Number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | Number of bytes sent from server to client | flow.sc-bytes |
| cookie | Cookie HTTP request header | http.cookie |
| dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| form_data | A url-encoded string represent | flow.s-ip |
| http_comment | The HTTP status message returned to the client | http.comment |
| http_content_length | HTTP response content length | http.content-length |
| http_content_type | The Content-Type HTTP response header | http.content-type |
| http_method | The HTTP method of the request (GET, POST, etc.) | http.method |
| http_referrer | The Referer HTTP request header | http.referer |
| http_user_agent | The User-Agent HTTP request header | http.useragent |
| server | The Server HTTP response header | http.server |
| site | The Host HTTP request header | http.host |
| src_ip | IP address of the client in dot-quad notation. Contains the value of the X-Forwarded-For header, or is equal to flow.c-ip if X-Forwarded-For is not set. | http.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| status | The HTTP status code returned to the client | http.status |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| title | Page title, extracted from HTML content | http.page-title |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| uri_parm | The parameters portion of the requested resource | http.uri-parm |
| uri_path | The requested resource (excluding query) | http.uri-stem |
| uri_query | The query portion of the requested resource | http.uri-query |
| accept | The Accept HTTP request header | http.accept |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| allow | The Allow HTTP response header | http.allow |
| c_ip | IP address of the client in dot-quad notation | flow.c-ip |
| cached | 1 if the response was cached, 0 if it was not | http.cached |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| content_location | The Content-Location HTTP response header | http.content-location |
| cs_content_length | HTTP request content length | http.cs-content-length |
| cs_content_type | The Content-Type HTTP request header | http.cs-content-type |
| cs_version | The protocol version that the client used | http.cs-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| dest_content | All HTTP payload content sent from server to client | http.sc-content |
| dest_headers | All HTTP headers sent from server to client | http.sc-headers |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| location | The Location HTTP response header | http.location |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| refused | Number of requests that were refused by the server | flow.refused |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| request | The request line exactly as it came from the client | http.request |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| set_cookie | The Set-Cookie HTTP response header | http.set-cookie |
| src_content | All HTTP payload content sent from client to server | http.cs-content |
| src_headers | All HTTP headers sent from client to server | http.cs-headers |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| cp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| transfer_encoding | The Transfer-Encoding HTTP response header | http.transfer-encoding |
| uri | The requested resource (including query) | http.uri |
| user | The username under which the user authenticated | http.authuser |

IMAP

| Name | Description | Term |
| --- | --- | --- |
| src_ip | Client IP Address | flow.c-ip |
| dest_ip | Server IP Address | flow.s-ip |
| src_port | Client port number | flow.c-port |
| dest_port | Server port number | flow.s-port |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| bytes | The total number of bytes transferred | flow.bytes |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| data_center_time | Number of microseconds from the last request packet to the last response packet | flow.data-center-time |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| refused | Number of requests that were refused by the server | flow.refused |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| protocol | Level 7 protocol name (http, ftp, etc.) | flow.protocol |
| transport | Transport level protocol | flow.transport |
| attach_content_decoded | Decoded content of attached files | email.attach-content-decoded |
| attach_filename | Attachment name | email.attach-filename |
| attach_transfer_encoding | Contains the encoding of the attached content | email.attach-transfer-encoding |
| attach_type | Content type of the sent attached file | email.attach-type |
| content_transfer_encoding | Transfer-encoding used on the e-mail message | email.content-transfer-encoding |
| date | Message date | email.date |
| email_index | Index of the request which the email is attached to | email.email-index |
| greeting | Contains the greeting message of the server | email.greeting-message |
| login | User's login string | email.login |
| login_server | Concatenated login and server (<login>@<server>), as a string | email.login-server |
| method | Command sent by the client | email.method |
| mime_type | Content-type of the e-mail message | email.mime-type |
| msg_id | Unique identifier for the e-mail message | email.message-id |
| received_by_ip | Contains the IP address of the receiving host | email.received-by-ip |
| received_by_name | Contains the receiving host name | email.received-by-name |
| received_date | Date when the transport service relayed the message | email.received-date |
| received_from_ip | Contains the IP address of the sending host | email.received-from-ip |
| received_from_name | Contains the sending host name | email.received-from-name |
| received_server_agent | Contains the name of the server agent | email.received-server-agent |
| received_with | Contains the software used to send the email | email.received-with |
| receiver | Full address of email receiver (including cc and bcc receivers) | email.receiver |
| receiver_alias | Name of email receiver (including cc and bcc receivers) | email.receiver-alias |
| receiver_email | E-mail address of the message recipient | email.receiver-email |
| receiver_type | Type of the email receiver | email.receiver-type |
| reply_to | Email address to use in a reply for this message | email.reply-to |
| sender | Full address of email sender (alias followed by email address) | email.sender |
| sender_alias | Name of the email sender | email.sender-alias |
| sender_email | Email address of the email sender | email.sender-email |
| server_response | The return code of the server | email.server-response |
| subject | Subject of the e-mail message | email.subject |
| useragent | Name of the client software used | email.user-agent |

IRC

| Name | Description | Term |
| --- | --- | --- |
| bytes | The total number of bytes transferred | flow.bytes |
| c_ip | IP address of the client in dot-quad notation | flow.c-ip |
| src_mac | Client packets MAC address in hexadecimal format | flow.c-mac |
| src_port | Client port number | flow.c-port |
| canceled | Number of HTTP responses that were canceled early by the client | flow.canceled |
| connection | TCP session server endpoint (IP address and TCP port) | flow.connection |
| client_rtt | Average round trip time in microseconds from the client to the point of capture | flow.cp-rtt |
| client_rtt_packets | Number of round trip measurements from the client to the point of capture | flow.cp-rtt-packets |
| client_rtt_sum | Sum of all round trip time measurements from the client to the point of capture | flow.cp-rtt-sum |
| ack_packets_in | The number of acknowledgement packets sent from client to server | flow.cs-ack-packets |
| request_ack_time | Number of microseconds that it took the server to acknowledge receipt of the request | flow.cs-ack-time |
| bytes_in | The number of bytes sent from client to server | flow.cs-bytes |
| data_packets_in | The number of data packets sent from client to server | flow.cs-data-packets |
| duplicate_packets_in | The number of duplicate packets sent from client to server | flow.cs-duplicate-packets |
| missing_packets_in | The number of missing packet gaps detected within the request | flow.cs-missing-packets |
| packets_in | The total number of packets sent from client to server | flow.cs-packets |
| request_time | Number of microseconds that it took the client to send a request | flow.cs-send-time |
| server_rtt | Average round trip time in microseconds from the server to the point of capture | flow.ps-rtt |
| server_rtt_packets | Number of round trip measurements from the server to the point of capture | flow.ps-rtt-packets |
| server_rtt_sum | Sum of all round trip time measurements from the server to the point of capture | flow.ps-rtt-sum |
| refused | Number of requests that were refused by the server | flow.refused |
| dest_ip | IP address of the server in dot-quad notation | flow.s-ip |
| dest_mac | Server packets MAC address in hexadecimal format | flow.s-mac |
| dest_port | Server port number | flow.s-port |
| ack_packets_out | The number of acknowledgement packets sent from server to client | flow.sc-ack-packets |
| response_ack_time | Number of microseconds that it took the client to acknowledge receipt of the response | flow.sc-ack-time |
| bytes_out | The number of bytes sent from server to client | flow.sc-bytes |
| data_packets_out | The number of data packets sent from server to client | flow.sc-data-packets |
| duplicate_packets_out | The number of duplicate packets sent from server to client | flow.sc-duplicate-packets |
| missing_packets_out | The number of missing packet gaps detected within the response | flow.sc-missing-packets |
| packets_out | The total number of packets sent from server to client | flow.sc-packets |
| reply_time | Number of microseconds that it took the server to start replying to a request | flow.sc-reply-time |
| response_time | Number of microseconds that it took the server to send a response | flow.sc-send-time |
| ssl_time | Number of microseconds that it took to negotiate an SSL handshake | flow.ssl-time |
| ssl_version | SSL protocol version used for encryption, or undefined if not encrypted | flow.ssl-version |
| tcp_status | TCP handshake status (0=OK, 1=RESET, 2=IGNORED) | flow.tcp-status |
| time_taken | Number of microseconds that it took to complete a flow event, from the end user's perspective | flow.time-taken |
| transport | Transport layer protocol (udp or tcp) | flow.transport |
| chat_room_name | Chat room name | irc.channel |
| channel_name | Name of the IRC channel | irc.channel-name |
| file_identifier | File correlation key | irc.file-id |
| filename | Name of the transferred file | irc.filename |
| login | User's login string | irc.login |
| login_server | Concatenated login and server | irc.login-server |
| message | Contains the chat message | irc.message |
| mode | Status of the IRC channel | irc.mode-status |
| nickname | User's alias | irc.nick-name |
| receiver | Contains the identity of the receiver for a chat message or a file transfer | irc.receiver |
| sender | Contains the identity of the sender of a chat session or a file transfer | irc.sender |
| server | Server name to which the user is connected | irc.server |

LDAP

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
assertion_value Filter expression second operand, which is an assertion value ldap.assertion-value
attribute_description Filter expression first operand, which is an attribute description ldap.attribute-description
contains_sasl Indicates whether the bind was authenticated using a SASL mechanism ldap.contains-sasl
hostname Hostname extracted from a logon response to a CLDAP searchRequest ldap.hostname
message_id Message identification ldap.message-id
message_type Message type ldap.message-type
elements LDAP element, map containing name-value pairs with nested elements ldap.elements

MAPI

Name Description Term
action Indicates if the message is read (Read) or composed (Compose) email.action
attach_filename Attachment file name email.attach-filename
attach_size Attachment file size email.attach-size
contact_alias Alias of the contact email.contact-alias
contact_email Email address of the email receiver email.contact-email
content Content of the message email.content
importance Importance level of the message, as flagged by the user email.importance
login User's login string email.login
login_server Concatenated login and server: <login>@<server>, string email.login-server
msglist_receiver Full address of email receiver in a message list email.msglist-receiver
msglist_receiver_email Email address of the email receiver in a message list email.msglist-receiver-email
msglist_sender Full address of email sender (alias and email address) (UTF-16) email.msglist-sender
msglist_size Message size in a message list email.msglist-size
msglist_subject Message subject in a message list (UTF-16) email.msglist-subject
receiver Full address of email receiver (including cc and bcc receivers) email.receiver
receiver_alias Name of email receiver (including cc and bcc receivers) email.receiver-alias
receiver_email E-mail address of the message recipient email.receiver-email
sender Full address of email sender (alias followed by email address) email.sender
sender_alias Name of the email sender email.sender-alias
sender_email Email address of the email sender email.sender-email
subject Subject of the e-mail message email.subject
bytes The total number of bytes transferred flow.bytes
src_ip Client IP Address flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
bytes_in The number of bytes sent from client to server flow.cs-bytes
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
packets_in The total number of packets sent from client to server flow.cs-packets
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
refused Number of requests that were refused by the server flow.refused
dest_ip Server IP Address flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
bytes_out The number of bytes sent from server to client flow.sc-bytes
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
packets_out The total number of packets sent from server to client flow.sc-packets
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
transport Transport level protocol flow.transport
auth_type Authentication type used mapi.authtype
date Message date, expressed as the number of 100-nanosecond intervals since January 1, 1601 (Windows FILETIME) mapi.date
domain Network domain of the client mapi.domain
email_type Email type mapi.email-type
host Client's host name mapi.host
sensitivity Sensitivity of the message mapi.msg-sensibility
size Message size mapi.size

MYSQL Database Commands

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
dbname Database name mysql.dbname
login User's login string mysql.login
query Query String mysql.query

MYSQL Database Logins

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
dbname Database name mysql.dbname
login User's login string mysql.login
query Query String mysql.query

MYSQL Database Queries

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
dbname Database name mysql.dbname
login User's login string mysql.login
query Query String mysql.query

NFS

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
content File content nfs.content
file_handle Unique identifier for a file nfs.file-handle
filename Accessed, written or read file name nfs.filename
filesize Size of the file nfs.filesize
gid Identifier of the file owner's group nfs.gid
mode Protection mode bits nfs.mode
offset Byte offset within the file at which the read or write took place nfs.offset
command NFS procedure (command) invoked nfs.command
status Response status for a request nfs.status
type File type nfs.type
uid User ID of the file owner nfs.uid
version NFS protocol version used nfs.version
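The NFS table gives the raw fields but not how to use them. The following added example (not Splunk's code) decodes nfs.mode into the familiar rwx form and flags write-type calls against setuid/setgid or world-writable files. It assumes one event per NFS call keyed by the Name column above (command, filename, mode, uid, gid, status), that nfs.mode carries POSIX permission bits as an integer or an octal string, and that nfs.command holds the NFS procedure name (READ, WRITE, SETATTR, CREATE). The sample events are constructed.

```python
"""Decode nfs.mode and flag risky writes in Splunk Stream NFS events.

Added example, not Splunk's own code. Assumptions: one event per NFS call keyed
by the Name column of the NFS table (command, filename, mode, uid, gid, status);
nfs.mode carries the POSIX permission bits either as an integer or as an octal
string such as "4755"; nfs.command holds the NFS procedure name. The sample
events below are constructed, not captured.
"""
import stat

# Procedures that create or modify file content or attributes (NFSv3 names).
WRITE_COMMANDS = {"WRITE", "SETATTR", "CREATE", "MKNOD", "SYMLINK"}

# Constructed sample events: one setuid binary written, one normal read, one
# directory made world-writable, one denied write to a private file.
SAMPLE_EVENTS = [
    {"command": "WRITE", "filename": "/export/bin/helper", "mode": 0o4755,
     "uid": 0, "gid": 0, "status": "NFS3_OK", "src_ip": "10.0.0.11"},
    {"command": "READ", "filename": "/export/home/alice/notes.txt", "mode": "644",
     "uid": 1001, "gid": 1001, "status": "NFS3_OK", "src_ip": "10.0.0.12"},
    {"command": "SETATTR", "filename": "/export/home/alice/drop", "mode": "1777",
     "uid": 1001, "gid": 1001, "status": "NFS3_OK", "src_ip": "10.0.0.12"},
    {"command": "WRITE", "filename": "/export/home/bob/report.txt", "mode": 0o600,
     "uid": 1002, "gid": 1002, "status": "NFS3ERR_ACCES", "src_ip": "10.0.0.13"},
]


def parse_mode(value):
    """Accept an integer mode or an octal string ("4755", "0o644") and return an int."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    if text.startswith("0o"):
        text = text[2:]
    return int(text, 8)


def mode_to_symbolic(mode):
    """Render the nine permission bits plus setuid/setgid/sticky as ls(1) does,
    e.g. 0o4755 -> 'rwsr-xr-x'. Upper-case S/T means the special bit is set
    without the corresponding execute bit."""
    out = ""
    for shift, special, special_char in ((6, stat.S_ISUID, "s"),
                                         (3, stat.S_ISGID, "s"),
                                         (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        executable = bool(bits & 1)
        if mode & special:
            out += special_char if executable else special_char.upper()
        else:
            out += "x" if executable else "-"
    return out


def risky_writes(events):
    """(filename, symbolic mode, reason, status) for write-type calls that touch
    a setuid/setgid file or leave it world-writable. nfs.status is reported
    rather than filtered so that denied attempts stay visible to the analyst.
    Sticky world-writable directories (like /tmp) match too; allowlist them."""
    findings = []
    for e in events:
        if e.get("command") not in WRITE_COMMANDS:
            continue
        mode = parse_mode(e.get("mode", 0))
        reasons = []
        if mode & (stat.S_ISUID | stat.S_ISGID):
            reasons.append("setuid/setgid")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((e.get("filename"), mode_to_symbolic(mode),
                             ",".join(reasons), e.get("status")))
    return findings


if __name__ == "__main__":
    for finding in risky_writes(SAMPLE_EVENTS):
        print("risky NFS write: %s (%s) %s status=%s" % finding)
```

Because Stream reports the mode bits of the file being touched, the check catches a client writing into an existing setuid binary even when the write itself is denied, which is exactly the attempt worth investigating.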

POP3

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
attach_content_decoded Decoded attached files content email.attach-content-decoded
attach_disposition Attached file disposition, inline vs attachment email.attach-disposition
attach_filename Attachment name email.attach-filename
attach_transfer_encoding Contains the encoding of the attached content email.attach-transfer-encoding
attach_type Content type of the sent attached file email.attach-type
content_body Data containing body email.content-body
content_transfer_encoding Transfer-encoding used on the e-mail message email.content-transfer-encoding
date Message date email.date
email_index Index of the request which the email is attached to email.email-index
greeting Contains the greeting message of the server email.greeting-message
login User's login string email.login
login_server Concatenated login and server: <login>@<server>, string email.login-server
method Command sent by the client email.method
mime_type Content-type of the e-mail message email.mime-type
msg_id Unique identifier for the e-mail message email.message-id
password User's password string, as sent in the cleartext POP3 PASS command email.password
received_by_ip IP address of the receiving host email.received-by-ip
received_by_name Name of the receiving host email.received-by-name
received_date Date when the transport service relayed the message email.received-date
received_from_ip IP address of the sending host email.received-from-ip
received_from_name Name of the sending host email.received-from-name
received_server_agent Name of the server agent email.received-server-agent
received_with Software used to send the email email.received-with
receiver Full address of email receiver (including cc and bcc receivers) email.receiver
receiver_alias Name of email receiver (including cc and bcc receivers) email.receiver-alias
receiver_email E-mail address of the message recipient email.receiver-email
receiver_type Type of the email receiver email.receiver-type
reply_to Email address to use in a reply for this message email.reply-to
sender Full address of email sender (alias followed by email address) email.sender
sender_alias Name of the email sender email.sender-alias
sender_email Email address of the email sender email.sender-email
server_response The return code of the server email.server-response
subject Subject of the e-mail message email.subject
useragent Name of the client software used email.user-agent

Postgres

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
auth_type Authentication method requested by the server postgres.auth-type
dbname Database name postgres.dbname
error Error message postgres.error
login User's login string postgres.login
password User's password string; populated only when the server requests cleartext password authentication (see auth_type) postgres.password
proto_version Protocol version postgres.proto-version
query Query sent postgres.query
server_version Server version postgres.server-version
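The POP3, MySQL and Postgres tables above all expose a login, a password field where the protocol sends one in the clear, and an ssl_version that is undefined when the flow was not encrypted. The following added example (not Splunk's code) turns those fields into three checks over Stream events: credentials captured on unencrypted flows, one client presenting many distinct database logins, and queries against credential tables. It assumes Stream emits one JSON object per flow event keyed by the Name column of those tables (protocol, src_ip, dest_ip, dest_port, ssl_version, login, password, dbname, query); the sample events are constructed.

```python
"""Checks over Splunk Stream POP3, MySQL and Postgres events.

Added example, not Splunk's own code. Assumption: Stream emits one JSON
object per flow event, keyed by the names in the Name column of the POP3,
MySQL and Postgres tables (protocol, src_ip, dest_ip, dest_port, ssl_version,
login, password, dbname, query). The sample events below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (not real captures).
SAMPLE_JSONL = """\
{"protocol": "pop3", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 110, "method": "PASS", "login": "alice", "password": "hunter2"}
{"protocol": "pop3", "src_ip": "10.0.0.6", "dest_ip": "10.0.0.20", "dest_port": 995, "ssl_version": "TLSv1.2"}
{"protocol": "postgres", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.30", "dest_port": 5432, "auth_type": "password", "login": "app", "password": "s3cret", "dbname": "orders"}
{"protocol": "postgres", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.30", "dest_port": 5432, "auth_type": "md5", "login": "app", "dbname": "orders", "ssl_version": "TLSv1.2"}
{"protocol": "mysql", "src_ip": "10.0.0.8", "dest_ip": "10.0.0.40", "dest_port": 3306, "login": "root", "dbname": "mysql", "query": "SELECT user, authentication_string FROM mysql.user"}
{"protocol": "mysql", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.40", "dest_port": 3306, "login": "admin", "dbname": "shop"}
{"protocol": "mysql", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.40", "dest_port": 3306, "login": "backup", "dbname": "shop"}
{"protocol": "mysql", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.40", "dest_port": 3306, "login": "sa", "dbname": "shop"}
"""

DB_PROTOCOLS = {"mysql", "postgres"}
# Tables whose contents are credential material; substring match is deliberately loose.
SENSITIVE_TABLES = ("mysql.user", "pg_shadow", "pg_authid")


def parse_events(jsonl):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_cleartext(event):
    """True when the flow carried no TLS. The tables define ssl_version as
    undefined for unencrypted sessions, so a missing or empty value counts too."""
    return event.get("ssl_version") in (None, "", "undefined")


def cleartext_credentials(events):
    """(protocol, src_ip, dest_ip, login) for every event where Stream captured
    a password on an unencrypted flow. A populated password field already
    proves the credential crossed the wire in the clear."""
    return [
        (e["protocol"], e["src_ip"], e["dest_ip"], e.get("login", ""))
        for e in events
        if e.get("password") and is_cleartext(e)
    ]


def credential_spraying(events, threshold=3):
    """Client/server pairs where one client presented at least `threshold`
    distinct database logins; ordinary clients use a single account."""
    logins = defaultdict(set)
    for e in events:
        if e.get("protocol") in DB_PROTOCOLS and e.get("login"):
            logins[(e["src_ip"], e["dest_ip"])].add(e["login"])
    return {pair: sorted(names) for pair, names in logins.items()
            if len(names) >= threshold}


def sensitive_queries(events):
    """(src_ip, login, query) for queries that read credential tables."""
    hits = []
    for e in events:
        query = e.get("query", "")
        if any(table in query.lower() for table in SENSITIVE_TABLES):
            hits.append((e["src_ip"], e.get("login", ""), query))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_JSONL)
    for hit in cleartext_credentials(events):
        print("cleartext credential:", hit)
    for pair, names in credential_spraying(events).items():
        print("possible spray from %s -> %s: %s" % (pair[0], pair[1], ", ".join(names)))
    for hit in sensitive_queries(events):
        print("credential-table query:", hit)
```

Note the second Postgres event: with auth_type md5 the client sends a hash rather than the password, so no password field appears and the cleartext check stays quiet, which is the behaviour the Postgres table describes.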


RADIUS

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport level protocol flow.transport
id Packet Identifier radius.id
code RADIUS message code (for example Access-Request, Access-Accept, Access-Reject) radius.code
status Status radius.status
login User login string radius.login
login_ipv6_host Indicates the system with which to connect the user radius.login-ipv6-host
session_timeout Maximum duration of session in seconds radius.session-timeout
idle_timeout Maximum idle duration of session in seconds radius.idle-timeout
nas_id Unique identifier of NAS originating access request radius.nas-id
nas_ip IP address of the NAS originating the access request radius.nas-ip
nas_ipv6 IPv6 address of the NAS originating the access request radius.nas-ipv6
nas_port Physical port number of the user on the NAS radius.nas-port
nas_port_id Text string identifying the port of the NAS that is authenticating the user radius.nas-port-id
nas_port_type Indicates the type of physical port NAS is using to authenticate the user radius.nas-port-type
start_time Indicates the beginning of the user service radius.start-time
stop_time Indicates the end of the user service radius.stop-time
terminate_cause Indicates how the session was terminated radius.terminate-cause
framed_ip Indicates the IP address to be configured for the user radius.framed-ip
framed_ipv6_route Indicates the routing information to be configured for the user on the NAS radius.framed-ipv6-route
framed_ipv6_pool Indicates the name of an assigned pool that should be used to assign an IPv6 prefix for the user radius.framed-ipv6-pool
callback_number Indicates the dialing string to be used for callback radius.callback-number
called_station_id Indicates the phone number that the user called radius.called-station-id
vendor_id Indicates the SMI Network Management Private Enterprise Code of the Vendor radius.vendor-id
acct_session_id Indicates the accounting session id radius.account-session-id
sgsn_address Indicates the IP address of the SGSN radius.sgsn-ip
sgsn_mcc_mnc Indicates the SGSN MCC and MNC radius.sgsn-mcc
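The RADIUS table lists the packet identifier, message code, login, NAS address, assigned address and accounting fields separately; the value comes from correlating them. The following added example (not Splunk's code) pairs Access-Accept responses with their requests by radius.id, counts rejected accounts per NAS, and lists accounting sessions that started without a matching stop. It assumes one JSON event per RADIUS packet keyed by the Name column above (code, id, login, nas_ip, framed_ip, acct_session_id, start_time, stop_time), that radius.code carries the numeric code from RFC 2865/2866 (1 Access-Request, 2 Access-Accept, 3 Access-Reject, 4 Accounting-Request, 5 Accounting-Response, 11 Access-Challenge) possibly as a string, and that an accounting record with start_time and no stop_time is a session start. The sample events are constructed.

```python
"""Correlate Splunk Stream RADIUS events by NAS, identifier and session.

Added example, not Splunk's own code. Assumptions: one event per RADIUS packet
keyed by the Name column of the RADIUS table (code, id, login, nas_ip,
framed_ip, acct_session_id, start_time, stop_time); radius.code is the numeric
RFC 2865/2866 code, possibly as a string. Sample events are constructed.
"""
from collections import defaultdict

# Message codes from RFC 2865 (authentication) and RFC 2866 (accounting).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge"}

# Constructed sample events (not real captures): one successful login with an
# assigned address and an open accounting session, three rejects from one NAS,
# and one accounting session that started and stopped.
SAMPLE_EVENTS = [
    {"code": 1, "id": 7, "login": "alice", "nas_ip": "10.1.0.2"},
    {"code": 2, "id": 7, "framed_ip": "10.200.0.15"},
    {"code": 4, "acct_session_id": "A1", "login": "alice", "nas_ip": "10.1.0.2",
     "start_time": "2015-01-05T08:00:00Z"},
    {"code": "1", "id": 8, "login": "bob", "nas_ip": "10.1.0.3"},
    {"code": "3", "id": 8, "login": "bob", "nas_ip": "10.1.0.3"},
    {"code": 1, "id": 9, "login": "carol", "nas_ip": "10.1.0.3"},
    {"code": 3, "id": 9, "login": "carol", "nas_ip": "10.1.0.3"},
    {"code": 1, "id": 10, "login": "dave", "nas_ip": "10.1.0.3"},
    {"code": 3, "id": 10, "login": "dave", "nas_ip": "10.1.0.3"},
    {"code": 4, "acct_session_id": "B7", "login": "erin", "nas_ip": "10.1.0.3",
     "start_time": "2015-01-05T09:00:00Z", "stop_time": "2015-01-05T09:30:00Z",
     "terminate_cause": "User-Request"},
]


def code_name(code):
    """Map a numeric (or numeric-string) radius.code to its RFC name; pass
    through values that are already names."""
    try:
        return RADIUS_CODES.get(int(code), "Unknown(%s)" % code)
    except (TypeError, ValueError):
        return str(code)


def rejects_per_nas(events):
    """nas_ip -> sorted distinct logins that received an Access-Reject."""
    rejected = defaultdict(set)
    for e in events:
        if code_name(e.get("code")) == "Access-Reject" and e.get("login"):
            rejected[e.get("nas_ip", "?")].add(e["login"])
    return {nas: sorted(names) for nas, names in rejected.items()}


def spraying_nas(events, threshold=3):
    """NAS devices behind which at least `threshold` distinct accounts were rejected."""
    return {nas: names for nas, names in rejects_per_nas(events).items()
            if len(names) >= threshold}


def accepted_framed_ips(events):
    """login -> framed_ip, pairing each Access-Accept with the Access-Request
    that carries the same radius.id. The identifier is 8 bits and per NAS, so
    a production version keys on (NAS, id) and bounds the pairing in time."""
    login_by_id, result = {}, {}
    for e in events:
        name = code_name(e.get("code"))
        if name == "Access-Request" and e.get("login"):
            login_by_id[str(e.get("id"))] = e["login"]
        elif name == "Access-Accept" and e.get("framed_ip"):
            login = login_by_id.get(str(e.get("id")))
            if login:
                result[login] = e["framed_ip"]
    return result


def open_sessions(events):
    """acct_session_id -> login for accounting sessions with a start but no stop."""
    started, stopped = {}, set()
    for e in events:
        sid = e.get("acct_session_id")
        if not sid:
            continue
        if e.get("stop_time"):
            stopped.add(sid)
        elif e.get("start_time"):
            started[sid] = e.get("login", "")
    return {sid: login for sid, login in started.items() if sid not in stopped}


if __name__ == "__main__":
    print("sprays:", spraying_nas(SAMPLE_EVENTS))
    print("assigned addresses:", accepted_framed_ips(SAMPLE_EVENTS))
    print("open sessions:", open_sessions(SAMPLE_EVENTS))
```

The accept-to-request pairing is what lets an analyst go from a framed_ip seen elsewhere on the network back to the account that obtained it; the reject count per NAS separates a user mistyping a password from a device cycling through many accounts.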

SIP

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
accept_language Indicates the preferred languages sip.accept-language
alert_info Specifies an alternative ring tone sip.alert-info
call_duration Call duration in seconds sip.call-duration
call_id Call id, extracted for each call sip.call-id
call_info Provides additional information about the caller or callee sip.call-info
callee Contains the identity of the called party for a call sip.callee
callee_addr IPv4 address which could be used by the called party sip.callee-addr
callee_addr_v6 IPv6 address which could be used by the called party sip.callee-addr-v6
callee_domain Callee's domain sip.callee-domain
callee_e164 Callee's telephone number in E.164 format sip.callee-e164
callee_nickname Callee nickname sip.callee-nickname
callee_port Port which could be used by the callee sip.callee-port
callee_server_agent Server software on the callee side sip.callee-server-agent
callee_user_agent Client software used by the callee sip.callee-user-agent
callee_user_phone Callee's phone presence flag sip.callee-user-phone
caller Contains the identity of the initiator of the call sip.caller
caller_addr IPv4 address which could be used by the initiator of the call sip.caller-addr
caller_addr_v6 IPv6 address which could be used by the initiator of the call sip.caller-addr-v6
caller_domain Caller's domain sip.caller-domain
caller_e164 Caller's telephone number in E.164 format sip.caller-e164
caller_nickname Caller nickname sip.caller-nickname
caller_port Port which could be used by the caller sip.caller-port
caller_server_agent Server software on the caller side sip.caller-server-agent
caller_user_agent Client software used by the caller sip.caller-user-agent
caller_user_phone Caller's phone presence flag sip.caller-user-phone
confcall_callee Callee's name, in a confcall sip.confcall-callee
confcall_caller Caller's name, in a confcall sip.confcall-caller
connection_info_addr Connection IPv4 address sip.connection-info-addr
connection_info_addr_type Connection address type sip.connection-info-addr-type
connection_info_addr_v6 Connection IPv6 address sip.connection-info-addr-v6
connection_info_net_type Network type for the connection sip.connection-info-net-type
contact The Contact header field provides a SIP or SIPS URI that can be used to contact that specific instance of the UA for subsequent requests sip.contact
cseq Sequence number sip.cseq
data_port Data port for client's protocol sip.data-port
date Contains the date and time sip.date
end_status Status of the call end sip.end-status
from The initiator of the request sip.from
from_tag A globally unique id of the caller sip.from-tag
media_attr Media attributes sip.media-attr
media_attr_addr The mentioned IPv4 address to be used sip.media-attr-addr
media_attr_addr_v6 The mentioned IPv6 address to be used sip.media-attr-addr-v6
media_attr_channel The channel value sip.media-attr-channel
media_attr_encoding The encoding of media data sip.media-attr-encoding
media_attr_label The label for media data sip.media-attr-label
media_attr_param The param information of media data sip.media-attr-param
media_attr_port The transport port to be used sip.media-attr-port
media_attr_rate The encoding rate sip.media-attr-rate
media_attr_type Contains the media type (audio or video) sip.media-attr-type
media_attr_value The value of the media attribute sip.media-attr-value
media_format Client's protocol formats available sip.media-format
media_proto Protocol used in client stream sip.media-proto
media_type Contains the media type sip.media-type
method The command sip.method
mime_type Data type sip.mime-type
p_asserted_id Indicates the identity of the trusted SIP server sip.p-asserted-id
proxy_authorization Allows the client to identify itself (or its user) to a proxy that requires authentication sip.proxy-authorization
reason The reason a Session Initiation Protocol request was issued sip.reason
record_route The Record-Route header field is inserted by proxies in a request to force future requests in the dialog to be routed through the proxy sip.record-route
remote_party_id The IP address of the remote party sip.remote-party-id
reply_code Return status code sip.reply-code
request_call_id Call's id extracted for each sip request sip.request-call-id
server_agent Server's software sip.server-agent
session_duration Session duration in seconds sip.session-duration
setup_delay Call setup delay in microseconds sip.setup-delay
start_time Start date of the call sip.start-time
subject The subject header present in the SIP packet sip.subject
time_before_spk Waiting delay before speak in microseconds sip.time-before-spk
to The recipient of the request sip.to
to_tag A globally unique id of the callee sip.to-tag
uri Contains the URI (similar to To: field) sip.uri
useragent Client's software sip.user-agent
user_id Client identifier used when registering with a SIP server sip.user-id
via The Via header field indicates the transport used for the transaction and identifies the location where the response is to be sent sip.via
www_authenticate Contains an authentication challenge sip.www-authenticate

SMB

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
login User's login string smb.login
command Command string smb.command
dialect The version of the SMB Protocol smb.dialect
domain Domain name smb.domain
filename Name of the transferred file smb.filename
filesize Size (bytes) of the transferred file smb.filesize
native_os Client's operating system smb.native-os
nt_status NT error code smb.nt-status
path The server/share name of the resource to which the client attempts to connect smb.path
search_attributes An attribute mask used to specify the standard attributes a file must have in order to match the search smb.search-attributes
search_pattern The file pattern to search for smb.search-pattern
service The type of resource that the client intends to access smb.service
user_id User identifier (SMB v1 only) smb.user-id

SMPP

Name Description Term
content Content of the Short Message smpp.content
receiver Receiver's address smpp.receiver
sender Sender's address smpp.sender
bytes The total number of bytes transferred flow.bytes
src_ip Client IP Address flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
bytes_in The number of bytes sent from client to server flow.cs-bytes
packets_in The total number of packets sent from client to server flow.cs-packets
dest_ip Server IP Address flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
bytes_out The number of bytes sent from server to client flow.sc-bytes
packets_out The total number of packets sent from server to client flow.sc-packets
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
transport Transport level protocol flow.transport

SMTP

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
attach_content_decoded Decoded attached files content email.attach-content-decoded
attach_disposition Attached file disposition, inline vs attachment email.attach-disposition
attach_filename Attachment name email.attach-filename
attach_size Attachment MIME size email.attach-size
attach_transfer_encoding Contains the encoding of the attached content email.attach-transfer-encoding
attach_type Content type of the sent attached file email.attach-type
content_body Message body data email.content-body
content_transfer_encoding Transfer-encoding used on the e-mail message email.content-transfer-encoding
date Message date email.date
email_index Index of the request which the email is attached to email.email-index
greeting Contains the greeting message of the server email.greeting-message
login User's login string email.login
method Command sent by the client email.method
mime_type Content-type of the e-mail message email.mime-type
msg_id Unique identifier for the e-mail message email.message-id
password User's password string email.password
received_by_ip Contains the IP address of the receiving host email.received-by-ip
received_by_name Contains the receiving host name email.received-by-name
received_date Date when the transport service relayed the message email.received-date
received_from_ip Contains the IP address of the sending host email.received-from-ip
received_from_name Contains the sending host name email.received-from-name
received_server_agent Contains the name of the server agent email.received-server-agent
received_with Contains the software used to send the email email.received-with
receiver Full address of email receiver (including cc and bcc receivers) email.receiver
receiver_alias Name of email receiver (including cc and bcc receivers) email.receiver-alias
receiver_email E-mail address of the message recipient email.receiver-email
receiver_type Type of the email receiver email.receiver-type
reply_to Email address to use in a reply for this message email.reply-to
sender Full address of email sender (alias followed by email address) email.sender
sender_alias Name of the email sender email.sender-alias
sender_email Email address of the email sender email.sender-email
server_response The return code of the server email.server-response
subject Subject of the e-mail message email.subject
useragent Name of the client software used email.user-agent
duration Duration of the SMTP session in seconds smtp.duration
receiver_rcpt_to Recipient's email address (used by RCPT TO method) smtp.receiver-rcpt-to
response_code Return code smtp.response-code
sender_mail_from Sender's email address (used by MAIL FROM method) smtp.sender-mail-from
sender_server Contains the name of the SMTP server used smtp.sender-server
server_agent The software name used by the email server smtp.server-agent
start_time Starting time of SMTP session smtp.start-time
stop_time Ending time of SMTP session smtp.stop-time
SNMP

Name Description Term
bytes The total number of bytes transferred flow.bytes
c_ip IP address of the client in dot-quad notation flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
bytes_in The number of bytes sent from client to server flow.cs-bytes
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
packets_in The total number of packets sent from client to server flow.cs-packets
dest_ip IP address of the server in dot-quad notation flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
bytes_out The number of bytes sent from server to client flow.sc-bytes
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
packets_out The total number of packets sent from server to client flow.sc-packets
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
transport Transport layer protocol (udp or tcp) flow.transport
community Community name snmp.community
method SNMP request type snmp.method
name Name of the user snmp.name
request_id Request Identifier snmp.request-id
varbind_list JSON array of {"oid":varbind_oid, "value":varbind_value, "type": varbind_value_type} snmp.varbind_list
version SNMP Version snmp.version

TCP

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
ssl_session_id SSL session id flow.ssl-session-id
ssl_cert_md5 md5 of SSL certificate flow.ssl-cert-md5
ssl_commonname Common name with domain name of subject in SSL certificate flow.ssl-cert-subject-commonname
ssl_orgname Organization name of subject in SSL certificate flow.ssl-cert-subject-orgname
ssl_issuer Organization name of issuer in SSL certificate flow.ssl-cert-issuer-orgname
ssl_serialnumber Serial number of SSL certificate flow.ssl-cert-serialnumber
ssl_validity_end SSL certificate's validity end date flow.ssl-cert-validity-not-after
ssl_validity_start SSL certificate's validity start date flow.ssl-cert-validity-not-before
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport

TDS (Sybase/SQL Database Events)

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
application Name of application used to connect to the database tds.application
dbname Name of the database in use tds.dbname
hostname Name of workstation communicating with the SQL server tds.hostname
language User locale tds.language
library Name of network dynamic-link library used tds.library
login User's login string tds.login
password User's password string tds.password
query SQL query sent by the user tds.query
server Name of server hosting the SQL Server tds.server
TNS (ORACLE Database Events)

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
data_center_time Number of microseconds from the last request packet to the last response packet flow.data-center-time
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
refused Number of requests that were refused by the server flow.refused
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport
dbname Name of accessed database tns.dbname
client_hostname Client machine hostname tns.client-hostname
client_os Client machine operating system tns.client-os
client_program_name Client program name tns.client-program-name
client_program_path Client program absolute path tns.client-program-path
login User's login string tns.login
password User's password string tns.password
query Database query tns.query
hostname Database server hostname tns.server-hostname
server_os Database server operating system tns.server-os
version Version number of Oracle server tns.version

UDP

Name Description Term
src_ip Client IP Address flow.c-ip
dest_ip Server IP Address flow.s-ip
src_port Client port number flow.c-port
dest_port Server port number flow.s-port
src_mac Client packets MAC address in hexadecimal format flow.c-mac
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
packets_in The total number of packets sent from client to server flow.cs-packets
packets_out The total number of packets sent from server to client flow.sc-packets
bytes_in The number of bytes sent from client to server flow.cs-bytes
bytes_out The number of bytes sent from server to client flow.sc-bytes
bytes The total number of bytes transferred flow.bytes
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
protocol Level 7 protocol name (http, ftp, etc.) flow.protocol
transport Transport layer protocol (udp or tcp) flow.transport

XMPP

Name Description Term
bytes The total number of bytes transferred flow.bytes
c_ip IP address of the client in dot-quad notation flow.c-ip
src_mac Client packets MAC address in hexadecimal format flow.c-mac
src_port Client port number flow.c-port
canceled Number of HTTP responses that were canceled early by the client flow.canceled
connection TCP session server endpoint (IP address and TCP port) flow.connection
client_rtt Average round trip time in microseconds from the client to the point of capture flow.cp-rtt
client_rtt_packets Number of round trip measurements from the client to the point of capture flow.cp-rtt-packets
client_rtt_sum Sum of all round trip time measurements from the client to the point of capture flow.cp-rtt-sum
ack_packets_in The number of acknowledgement packets sent from client to server flow.cs-ack-packets
request_ack_time Number of microseconds that it took the server to acknowledge receipt of the request flow.cs-ack-time
bytes_in The number of bytes sent from client to server flow.cs-bytes
data_packets_in The number of data packets sent from client to server flow.cs-data-packets
duplicate_packets_in The number of duplicate packets sent from client to server flow.cs-duplicate-packets
missing_packets_in The number of missing packet gaps detected within the request flow.cs-missing-packets
packets_in The total number of packets sent from client to server flow.cs-packets
request_time Number of microseconds that it took the client to send a request flow.cs-send-time
server_rtt Average round trip time in microseconds from the server to the point of capture flow.ps-rtt
server_rtt_packets Number of round trip measurements from the server to the point of capture flow.ps-rtt-packets
server_rtt_sum Sum of all round trip time measurements from the server to the point of capture flow.ps-rtt-sum
refused Number of requests that were refused by the server flow.refused
dest_ip IP address of the server in dot-quad notation flow.s-ip
dest_mac Server packets MAC address in hexadecimal format flow.s-mac
dest_port Server port number flow.s-port
ack_packets_out The number of acknowledgement packets sent from server to client flow.sc-ack-packets
response_ack_time Number of microseconds that it took the client to acknowledge receipt of the response flow.sc-ack-time
bytes_out The number of bytes sent from server to client flow.sc-bytes
data_packets_out The number of data packets sent from server to client flow.sc-data-packets
duplicate_packets_out The number of duplicate packets sent from server to client flow.sc-duplicate-packets
missing_packets_out The number of missing packet gaps detected within the response flow.sc-missing-packets
packets_out The total number of packets sent from server to client flow.sc-packets
reply_time Number of microseconds that it took the server to start replying to a request flow.sc-reply-time
response_time Number of microseconds that it took the server to send a response flow.sc-send-time
ssl_time Number of microseconds that it took to negotiate an SSL handshake flow.ssl-time
ssl_version SSL protocol version used for encryption, or undefined if not encrypted flow.ssl-version
tcp_status TCP handshake status (0=OK, 1=RESET, 2=IGNORED) flow.tcp-status
time_taken Number of microseconds that it took to complete a flow event, from the end user's perspective flow.time-taken
transport Transport layer protocol (udp or tcp) flow.transport
call_duration Contains call duration in microseconds xmpp.call-duration
call_id Contains call id, extracted for each call xmpp.call-id
callee Contains the identity (or the phone number) of the called party for a call xmpp.callee
callee_addr Contains the address that the called party can use for the call xmpp.callee-address
callee_port Contains the port on which the called party can receive the call xmpp.callee-port
caller Contains the identity (or the phone number) of the initiator of the call xmpp.caller
caller_addr Contains the address that the call initiator can use for the call xmpp.caller-address
caller_port Contains the port on which the call initiator can start the call xmpp.caller-port
os Contains the client operating system xmpp.client-os
contact_login Contact login xmpp.contact-login
contact_name Contact name xmpp.contact-name
contact_status Contact status xmpp.contact-status
file_chunk_content Contains content of the transferred data xmpp.file-chunk-content
file_chunk_len Contains size of the transferred piece xmpp.file-chunk-length
file_chunk_sid Transferred file identifier xmpp.file-chunk-sid
file_sender Contains the identity of the sender of a file transfer xmpp.file-sender
file_sid Contains transferred file identifier xmpp.file-sid
filesize Contains the size (in bytes) of the transferred file xmpp.file-size
filename Contains the name of the transferred file xmpp.filename
login User's login string xmpp.login
message Contains the chat message xmpp.message
encoding Message encoding xmpp.message-encoding
nickname User name in use xmpp.nickname
receiver Contains the identity of the receiver for a chat message or a file transfer xmpp.receiver
sender Contains the identity of the sender of a chat session or a file transfer xmpp.sender
start_time Contains start date of the call xmpp.start-time
version JABBER software version xmpp.version

For instructions on configuring passive capture of supported protocol data, see "Configure Streams" in the Splunk App for Stream User Manual.

Protocol detection

Splunk App for Stream can detect additional wire data protocols, including:

  • TOR
  • BitTorrent
  • Skype

Protocol detection provides protocol classification only, not attribute extraction. There are no "TOR", "BitTorrent", or "Skype" event types; these protocols appear only as app=tor, app=bittorrent, or app=skype field values in the tcp event.

To detect these protocols, run a search that specifies the protocol classification in the tcp stream. For example:

sourcetype=stream:tcp app=TOR (or optionally app=*)

Note: These protocols are not available for selection in the Configure Streams UI, and you cannot add them independently to your stream capture configuration. To identify data for these protocols, you must run a search against the appropriate source type that specifies the protocol classification.

Last modified on 20 October, 2015

This documentation applies to the following versions of Splunk Stream: 6.4.0, 6.4.1, 6.4.2