Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Supported protocols

This topic lists network protocols that Splunk App for Stream supports for detection and field extraction.

Protocol detection refers to classifying the application-layer protocol carried by a transport-layer (TCP or UDP) stream; it does not produce a separate event type for that protocol. For example, there are no Tor event types: a Tor session appears as a stream:tcp event whose app=tor field indicates that Tor was identified at the application layer.

To detect protocols, run a search that specifies the protocol classification in the tcp stream. For example:

sourcetype=stream:tcp app=tor

Or, to detect all protocol classifications in the tcp and udp streams:

(sourcetype=stream:tcp OR sourcetype=stream:udp) | stats count by app

Protocol field extraction refers to the ability to parse protocol data into protocol-specific event types with their own fields, such as bytes_in, bytes_out, status, src_ip, time_taken, and so on.

Splunk App for Stream supports protocol detection and protocol field extraction, as follows:

Protocol Detection Field extraction
AIM (AOL Instant Messenger)
AMQP (Advanced Message Queuing Protocol)
BGP (Border Gateway Protocol)
BitTorrent
DB2
DCERPC (Distributed Computing Environment/Remote Procedure Calls)
DHCP (Dynamic Host Configuration Protocol)
DIAMETER
DNS (Domain Name System)
FTP (File Transfer Protocol)
gmail
google_gen (Google Generic)
GRE (Generic Routing Encapsulation)
GTP (GPRS Tunneling Protocol)
GTPv2 (GPRS Tunneling Protocol v2)
HTTP (Hypertext Transfer Protocol)
HTTP_tunnel
ICA (Independent Computing Architecture)
IMAP (Internet Message Access Protocol)
Informix
IRC (Internet Relay Chat)
krb5 (Kerberos Network Authentication Service v5)
LDAP (Lightweight Directory Access Protocol)
MAPI (Messaging Application Programming Interface)
MSN (Microsoft Network messenger protocol)
MSRPC (Microsoft RPC)
MOUNT
MySQL (MySQL client/server protocol)
NetBIOS (Network Basic Input/Output System)
NetFlow
NFS (Network File System)
POP3 (Post Office Protocol v3)
Postgres (PostgreSQL)
RADIUS (Remote Authentication Dial In User Service)
RDP (Remote Desktop Protocol)
RIP1 (Routing Information Protocol 1)
RPC (Remote Procedure Call)
RTP (Real-time Transport Protocol)
SIP (Session Initiation Protocol)
Skype
SMB (Server Message Block)
SMPP (Short Message Peer to Peer)
SNMP (Simple Network Management Protocol)
SOCKS4 (SOCKet Secure 4)
SOCKS5 (SOCKet Secure 5)
SSH (Secure Shell)
SSL (Secure Sockets Layer)
STUN (Session Traversal Utilities for NAT)
Syslog
TCP (Transmission Control Protocol)
TDS (Tabular Data Stream - Sybase/MSSQL)
Telnet
TFTP (Trivial File Transfer Protocol)
TNS (Transparent Network Substrate - Oracle)
Tor
UDP (User Datagram Protocol)
WINS (Windows Internet Name Service)
XMPP (Extensible Messaging and Presence Protocol)
Note: Protocols that are available for detection only cannot be selected in the Configure Streams UI and cannot be added to a stream configuration. To detect these protocols, you must run a search using the appropriate sourcetype and protocol classification.
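The searches above and the note on detection-only protocols both rely on the same fact: a detection-only classification is visible solely as the app field on the transport-layer (stream:tcp or stream:udp) event, while field-extracted protocols get their own event type. The following Python script is an added example, not Splunk's code, that applies that idea offline to a handful of constructed Stream events: it reproduces the `stats count by app` and `app=tor` searches and then groups anonymizer and tunnel classifications (tor, socks4, socks5, http_tunnel) by source host. The JSON layout, the `sourcetype` key on each event and the set of "interesting" classifications are assumptions made for the example; the field names used are the ones this page names.

```python
"""Offline detection over Splunk Stream events (added example, not Splunk code).

Assumptions (not from the page): each event is one JSON object carrying a
`sourcetype` key plus fields the page names (app, src_ip, dest_ip, bytes_in,
bytes_out, status, time_taken). Real Stream events carry more fields and are
normally searched in the Splunk index rather than read from a file.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events; not captured from a real deployment.
SAMPLE_EVENTS = [
    '{"sourcetype":"stream:tcp","app":"tor","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":9001,"bytes_in":1200,"bytes_out":48000}',
    '{"sourcetype":"stream:tcp","app":"ssl","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"bytes_in":9000,"bytes_out":700}',
    '{"sourcetype":"stream:tcp","app":"socks5","src_ip":"10.0.0.9","dest_ip":"192.0.2.44","dest_port":1080,"bytes_in":300,"bytes_out":3100}',
    '{"sourcetype":"stream:udp","app":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.53","dest_port":53,"bytes_in":180,"bytes_out":64}',
    '{"sourcetype":"stream:udp","app":"stun","src_ip":"10.0.0.12","dest_ip":"192.0.2.80","dest_port":3478,"bytes_in":90,"bytes_out":90}',
    '{"sourcetype":"stream:http","src_ip":"10.0.0.12","dest_ip":"203.0.113.10","status":200,"bytes_in":5200,"bytes_out":410,"time_taken":12}',
    '{"sourcetype":"stream:tcp","app":"tor","src_ip":"10.0.0.5","dest_ip":"198.51.100.9","dest_port":443,"bytes_in":800,"bytes_out":52000}',
]

# Classifications that Stream reports only as an `app` value on the transport
# event. Which ones to alert on is a policy choice made here for the example.
DETECTION_ONLY_OF_INTEREST = {"tor", "socks4", "socks5", "http_tunnel"}

TRANSPORT_SOURCETYPES = {"stream:tcp", "stream:udp"}


def parse_events(lines):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would log the bad line
    return events


def count_by_app(events):
    """Equivalent of:
    (sourcetype=stream:tcp OR sourcetype=stream:udp) | stats count by app
    Only transport-layer events carry `app`; stream:http and friends are
    field-extracted event types and are left out, as the search leaves them out.
    """
    counts = Counter()
    for ev in events:
        if ev.get("sourcetype") in TRANSPORT_SOURCETYPES and "app" in ev:
            counts[ev["app"]] += 1
    return dict(counts)


def search_app(events, app, sourcetype="stream:tcp"):
    """Equivalent of: sourcetype=stream:tcp app=<app>"""
    return [ev for ev in events
            if ev.get("sourcetype") == sourcetype and ev.get("app") == app]


def flag_hosts(events, apps=DETECTION_ONLY_OF_INTEREST, min_bytes_out=1024):
    """Group detection-only classifications by source host.

    Returns {src_ip: {app: (sessions, total_bytes_out)}} restricted to
    host/app pairs whose bytes_out total reaches `min_bytes_out`. The threshold
    is an example value chosen to drop single tiny probes; tune it per site.
    """
    per_host = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ev in events:
        if ev.get("sourcetype") not in TRANSPORT_SOURCETYPES:
            continue
        app = ev.get("app")
        if app not in apps:
            continue
        entry = per_host[ev.get("src_ip", "?")][app]
        entry[0] += 1
        entry[1] += int(ev.get("bytes_out", 0))
    return {
        host: {app: tuple(v) for app, v in seen.items() if v[1] >= min_bytes_out}
        for host, seen in per_host.items()
        if any(v[1] >= min_bytes_out for v in seen.values())
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("count by app:", count_by_app(evs))
    print("tor sessions:", len(search_app(evs, "tor")))
    for host, seen in flag_hosts(evs).items():
        for app, (sessions, out) in seen.items():
            print(f"{host}: {sessions} {app} session(s), {out} bytes out")
```

Note that the stream:http event contributes nothing to `count_by_app`, exactly as it contributes nothing to the `stats count by app` search: its protocol is known from the sourcetype, not from an app field. The same distinction is why the detection-only protocols in the table cannot be added to a stream configuration and must be found with an app=... search on the transport sourcetypes.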
Last modified on 08 June, 2016

This documentation applies to the following versions of Splunk Stream: 6.5.0, 6.5.1

