Supported protocols
This topic lists network protocols that Splunk App for Stream supports for detection and field extraction.
Protocol detection is classification only: a detected protocol does not get its own event type. The classification is recorded on the transport-layer (TCP or UDP) event instead. For example, there is no Tor event type; Tor traffic appears as a stream:tcp event whose app=tor
field indicates the Tor protocol at the application layer.
To find a detected protocol, run a search that filters the tcp stream on the protocol classification. For example:
sourcetype=stream:tcp app=tor
Or, to list every protocol classification seen in the tcp and udp streams:
(sourcetype=stream:tcp OR sourcetype=stream:udp) | stats count by app
Protocol field extraction refers to the ability to parse protocol data into fields of a protocol-specific event type, such as bytes_in, bytes_out, status, src_ip, time_taken, and so on. A protocol with detection only carries no such fields beyond those of the generic TCP or UDP event.
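The two searches above can be reproduced offline over raw Stream events, which is useful for testing a detection rule before it goes into a saved search. The following is an added example, not code from Splunk or from this page: it parses a handful of constructed JSON events shaped like stream:tcp and stream:udp records (the field names app, src_ip, dest_ip, dest_port, bytes_in and bytes_out are assumed from the fields named above; the lowercase app values such as socks5 and http_tunnel are assumed), computes the equivalent of `| stats count by app`, and then summarizes only the detection-only tunnel and anonymizer classifications (Tor, SOCKS4, SOCKS5, HTTP_tunnel) per internal source host, since those protocols have no extracted fields of their own and the generic TCP byte counts are all the event offers.

```python
import json
from collections import Counter

# Constructed sample events in the shape of Splunk Stream JSON records.
# The field names follow the ones named on this page; the lowercase app
# values are an assumption, not taken from Splunk documentation.
SAMPLE_EVENTS = [
    '{"sourcetype":"stream:tcp","app":"tor","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"bytes_in":5120,"bytes_out":21000}',
    '{"sourcetype":"stream:tcp","app":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.2","dest_port":80,"bytes_in":900,"bytes_out":300}',
    '{"sourcetype":"stream:tcp","app":"socks5","src_ip":"10.0.0.9","dest_ip":"203.0.113.9","dest_port":1080,"bytes_in":0,"bytes_out":40}',
    '{"sourcetype":"stream:udp","app":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dest_port":53,"bytes_in":120,"bytes_out":60}',
    '{"sourcetype":"stream:tcp","app":"http_tunnel","src_ip":"10.0.0.9","dest_ip":"203.0.113.9","dest_port":8080,"bytes_in":2048,"bytes_out":1024}',
    '{"sourcetype":"stream:tcp","app":"tor","src_ip":"10.0.0.5","dest_ip":"203.0.113.8","dest_port":9001,"bytes_in":64,"bytes_out":128}',
    '{"sourcetype":"stream:http","src_ip":"10.0.0.7","dest_ip":"198.51.100.2","dest_port":80,"status":200,"bytes_in":700,"bytes_out":100}',
]

# Detection-only classifications from the table on this page that indicate a
# tunnel or anonymizer. Only the generic TCP event fields exist for these.
TUNNEL_APPS = {"tor", "socks4", "socks5", "http_tunnel"}

TRANSPORT_SOURCETYPES = {"stream:tcp", "stream:udp"}


def parse_events(lines):
    """Parse one JSON event per line into dicts."""
    return [json.loads(line) for line in lines]


def count_by_app(events):
    """Offline equivalent of
    (sourcetype=stream:tcp OR sourcetype=stream:udp) | stats count by app

    Events of other sourcetypes (for example stream:http, which carries
    extracted HTTP fields) are not transport-layer events and are skipped.
    """
    return Counter(
        ev.get("app", "unknown")
        for ev in events
        if ev.get("sourcetype") in TRANSPORT_SOURCETYPES
    )


def tunnel_summary(events, watch=TUNNEL_APPS):
    """Summarize tunnel/anonymizer classifications per (src_ip, app).

    Roughly: app=tor OR app=socks4 OR app=socks5 OR app=http_tunnel
             | stats count sum(bytes_in) sum(bytes_out) values(dest) by src_ip app
    Returns a dict keyed by (src_ip, app) with flow count, byte totals and
    the set of destination "ip:port" strings seen.
    """
    summary = {}
    for ev in events:
        if ev.get("sourcetype") not in TRANSPORT_SOURCETYPES:
            continue
        app = ev.get("app")
        if app not in watch:
            continue
        key = (ev["src_ip"], app)
        entry = summary.setdefault(
            key, {"flows": 0, "bytes_in": 0, "bytes_out": 0, "dests": set()}
        )
        entry["flows"] += 1
        entry["bytes_in"] += int(ev.get("bytes_in", 0))
        entry["bytes_out"] += int(ev.get("bytes_out", 0))
        entry["dests"].add(f'{ev["dest_ip"]}:{ev["dest_port"]}')
    return summary


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for app, n in sorted(count_by_app(events).items()):
        print(f"{app:12s} {n}")
    for (src, app), entry in sorted(tunnel_summary(events).items()):
        print(f"{src} {app}: flows={entry['flows']} in={entry['bytes_in']} "
              f"out={entry['bytes_out']} dests={sorted(entry['dests'])}")
```

Because a detection-only protocol never gets its own sourcetype, the second function has to work from the transport event's byte counters and endpoints alone; that is the practical consequence of the Detection column without the Field extraction column in the table that follows.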
Splunk App for Stream supports protocol detection and protocol field extraction, as follows:
Protocol | Detection | Field extraction |
---|---|---|
AIM (AOL Instant Messenger) | ✔ | |
AMQP (Advanced Message Queuing Protocol) | ✔ | ✔ |
BGP (Border Gateway Protocol) | ✔ | |
BitTorrent | ✔ | |
DB2 | ✔ | |
DCERPC (Distributed Computing Environment/Remote Procedure Calls) | ✔ | |
DHCP (Dynamic Host Configuration Protocol) | ✔ | ✔ |
DIAMETER | ✔ | ✔ |
DNS (Domain Name System) | ✔ | ✔ |
FTP (File Transfer Protocol) | ✔ | ✔ |
gmail | ✔ | |
google_gen (Google Generic) | ✔ | |
GRE (Generic Routing Encapsulation) | ✔ | |
GTP (GPRS Tunneling Protocol) | ✔ | |
GTPv2 (GPRS Tunneling Protocol v2) | ✔ | |
HTTP (Hypertext Transfer Protocol) | ✔ | ✔ |
HTTP_tunnel | ✔ | |
ICA (Independent Computing Architecture) | ✔ | |
IMAP (Internet Message Access Protocol) | ✔ | ✔ |
Informix | ✔ | |
IRC (Internet Relay Chat) | ✔ | ✔ |
krb5 (Kerberos Network Authentication Service v5) | ✔ | |
LDAP (Lightweight Directory Access Protocol) | ✔ | ✔ |
MAPI (Messaging Application Programming Interface) | ✔ | ✔ |
MSN (Microsoft Network Messenger) | ✔ | |
MSRPC (Microsoft RPC) | ✔ | |
MOUNT | ✔ | |
MySQL (MySQL client/server protocol) | ✔ | ✔ |
NetBIOS (Network Basic Input/Output System) | ✔ | |
NetFlow | ✔ | |
NFS (Network File System) | ✔ | ✔ |
POP3 (Post Office Protocol v3) | ✔ | ✔ |
Postgres (PostgreSQL) | ✔ | ✔ |
RADIUS (Remote Authentication Dial In User Service) | ✔ | ✔ |
RDP (Remote Desktop Protocol) | ✔ | |
RIP1 (Routing Information Protocol v1) | ✔ | |
RPC (Remote Procedure Call) | ✔ | |
RTP (Real-time Transport Protocol) | ✔ | ✔ |
SIP (Session Initiation Protocol) | ✔ | ✔ |
Skype | ✔ | |
SMB (Server Message Block) | ✔ | ✔ |
SMPP (Short Message Peer to Peer) | ✔ | ✔ |
SNMP (Simple Network Management Protocol) | ✔ | ✔ |
SOCKS4 (SOCKet Secure 4) | ✔ | |
SOCKS5 (SOCKet Secure 5) | ✔ | |
SSH (Secure Shell) | ✔ | |
SSL (Secure Sockets Layer) | ✔ | |
STUN (Session Traversal Utilities for NAT) | ✔ | |
Syslog | ✔ | |
TCP (Transmission Control Protocol) | ✔ | ✔ |
TDS (Tabular Data Stream - Sybase/MSSQL) | ✔ | ✔ |
Telnet | ✔ | |
TFTP (Trivial File Transfer Protocol) | ✔ | |
TNS (Transparent Network Substrate, Oracle) | ✔ | ✔ |
Tor | ✔ | |
UDP (User Datagram Protocol) | ✔ | ✔ |
WINS (Windows Internet Name Service) | ✔ | |
XMPP (Extensible Messaging and Presence Protocol) | ✔ | ✔ |
This documentation applies to the following versions of Splunk Stream™: 6.5.0, 6.5.1