Splunk Stream

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Supported protocols

Splunk Stream Forwarder utilizes deep packet inspection to interpret protocol attributes from packet data collected on the wire.

For each supported protocol there are many different attributes. A common attribute is protocol_stack, which is a list of network layers that apply to the protocol that is being decoded.

Splunk Stream Forwarder starts to interpret protocols at the third layer, which is the network layer. Splunk Stream Forwarder can then interpret protocol layers up to layer seven, which is the application layer.

There are some instances where Stream is unable to interpret all of the network layers for the protocol. In this case, the protocol_stack field will only include the layers that can be decoded. An empty protocol_stack field indicates and unsupported protocol or a protocal with malformed data.

An example of a protocol_stack for Splunk network traffic would be:

IP:TCP:SSL:SPLUNK

An example of a mysql protocol_stack would be:

IP:TCP:MYSQL

Supported protocols for field extraction

Protocol field extraction parses protocol data for specific event types, such as bytes_in, bytes_out, status, src_ip, and time_taken. You can add any protocols supported for field extraction to any stream configuration in the Configure Streams UI.

Stream supports the following protocols for field extraction:

Protocol Description
AMQP Advanced Messaging Queuing Protocol
DHCP Dynamic Host Configuration Protocol
DIAMETER
DNS Domain Name Service
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
IMAP INTERNET MESSAGE ACCESS PROTOCOL
IP Internet Protocol
IRC Internet Relay Chat
LDAP Lightweight Directory Access Protocol
MAPI Messaging Application Programming Interface
MySQL MySQL client/server protocol
NetBIOS Network Basic Input/Output System
NFS Network File System
POP3 Post Office Protocol v3
Postgres PostgreSQL
RADIUS Remote Authentication Dial In User Service
RTCP Real-time Transport Control Protocol. Used in conjunction with RTP protocol (Real-Time transport protocol).
RTP Real-time Transport Protocol.
SIP Session Initiation Protocol
SMB Server Message Block
SMPP Short Message Peer to Peer
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
TCP Transmission Control Protocol
TDS Tabular Data Stream - Sybase/MSSQL Tabular Data Stream - Sybase/MSSQL
TNS Transparent Network Substrate (Oracle)
UDP User Datagram Protocol
XMPP Extensible Messaging and Presence Protocol

Protocol supported for detection only

Protocol detection refers to protocol classification at the transport layer only. For example, there are no Tor event types, only an app=tor field in the TCP event, which indicates Tor protocol at the application layer.

Protocols available only for detection cannot be selected in the Configure Streams UI and cannot be added to a stream configuration. To detect these protocols, you must run a search using the appropriate sourcetype and protocol classification.

How to detect protocols

To detect protocols, run a search that specifies the protocol classification in the tcp stream. For example:

sourcetype=stream:tcp app=tor

To detect all protocol classifications in the tcp and udp streams:

(sourcetype=stream:tcp OR sourcetype=stream:udp) | stats count by app

Stream supports the following protocols for detection only:

Protocol Description
flashplugin_update Flash exchanges plug-in version numbers with Adobe servers.
adobe_update The Adobe Update Manager maintains up-to-date versions of Adobe Acrobat Reader software.
aim_express AOL Instant Messaging Express supports many of the standard features included in AIM, but does not provide advanced features like file transfer, audio chat, or video conferencing
aim_transfer AIM is an instant messaging protocol
allmusic Allmusic is an online music guide service website. This plug-in classifies navigation on the AllMusic web service, and MP3 music playback. Video clip streaming is handled by YouTube.
altiris Altiris provides service-oriented management solutions for IT infrastructure management.
amazon_adsystem This protocol plug-in classifies the traffic related to Amazon advertising services.
amazon_cloud_drive Amazon Cloud Drive is a cloud application which allows photos and videos storage.
amazon This protocol plug-in classifies the generic web traffic related to Amazon services.
amazon_mp3 Amazon MP3 is an online music store owned and operated by Amazon.com.
amazon_video Amazon Video is an online video on demand service owned and operated by Amazon.com.
amazon_aws Amazon AWS is a cloud-computing platform offered by Amazon. It includes Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3).
android_cnxmgr Android connectivity manager is used by an android device to periodically check and manage internet connection.
aol This protocol plug-in classifies the traffic related to the AOL portal.
aim AIM (originally AOL Instant Messenger) is an instant messaging application. The protocol name is OSCAR (Open System for CommunicAtion in Realtime) and is used in both ICQ and AIM services. [ aim is also known as oscar.] Note: In Basic-DPI, Partial classification over http.
apple_airplay Apple airplay is a protocol for display picture and video to a connected TV from a device connected to the same private network
apple_airport Apple Airport is a protocol that helps to configure a wireless device.
apple_airprint Apple Airprint is a network printing feature for Apple systems. It's based on the Dns Service Discovery protocol and IPP(needs URF format support). Note: In Basic-DPI, partial classification over http/ipp.
appstore The Apple App Store is a digital application distribution platform for iOS developed and maintained by Apple Inc.
facetime FaceTime is an Apple video calling software which runs on iOS based mobile devices. Note: In Basic-DPI, Partial classification of SIP audio call sessions.
apple This protocol plug-in classifies the generic traffic related to Apple's web portal and content delivery services.
apple_hls Apple implementation of the HTTP Live Streaming IETF draft. Used on Apple iOS devices.
apple_location Apple Location is used to provide information about the location of an Apple device.
apple_maps Apple Maps is a proprietary map application for iOS 6 devices.
apple_music Apple Music is an on-demand music streaming service by Apple.
apns Apple Push Notification Service is an Apple service which forwards notifications from the servers of third-party applications to iOS devices.
apple_siri Advanced voice recognition system used on some Apple iPhone devices.
apple_update Apple_update is the protocol used for Apple software updates.
asproxy ASProxy is a free and open-source web proxy that allows the user to surf the internet anonymously. This plug-in classifies the usage of this proxy for web browsing as a fallback to other recognized applications/protocols.
atlassian Atlassian is an Australian enterprise software company that develops products geared towards software developers and project managers.
bits Background Intelligent Transfer Service (BITS) transfers files (downloads or uploads) between a client and server and provides progress information related to the transfers.
baidu_player BaiduPlayer is a video player that can play local, online, and OnDemand videos.
baidu_wallet Baidu Wallet is a money management application.
baidu Baidu is a Chinese search engine for websites, audio files, and images. Note: In Basic-DPI, Partial classification of image and video searches.
bet365 ONline betting site ( http://www.bet365.com )
bitcoin Bitcoin is a distributed payment system.
bittorrent BitTorrent is a peer-to-peer protocol. [ bittorrent is also known as kadmelia.] Note: In Basic-DPI, Partial classification on certain file-download sessions using encryption.
bittorrent_application BitTorrent Apps web access from the BitTorrent application.
bleep Bleep is a fully encrypted and distributed instant messaging protocol created by the BitTorrent team. This protocol plug-in supports both text and voice discussions.
blackberry_locate This protocol refers to all Blackberry mobile device communications about localization over wifi.
bbm BBM is the messenger/voip/Video protocol for blackberry. This plug-in classifies the audio and video data flows of BlackBerry Messenger.
bbm_audio bbm_audio is the voip layer of the blackberry's messenger. Note: In Basic-DPI, Partial classification over stun/bbm.
bbm_video BBM_video is the video layer of the blackberry's messenger. Note: In Basic-DPI, Partial classification over stun.
blackberry This protocol refers to all Blackberry mobile device communications over wifi. This includes the chat flows of BlackBerry Messenger.
bgp Border Gateway Protocol (BGP) is an inter Autonomous Systems routing protocol used by most ISPs.
carbonite Carbonite is a service that manages online backups.
ccproxy CCProxy is a windows based software proxy.
chat_on ChatON is a global mobile communication service introduced by Samsung Electronics.
chatroulette Chatroulette is an online chat website. ( http://chatroulette.com )
chrome_update Chrome Update is the protocol for the updates of the Google chrome browser.
cdp Cisco Discovery Protocol (CDP) is a layer 2 protocol used by Cisco network equipment to discover other Cisco network equipment present on a link.
meetingplace MeetingPlace is a protocol used by the Cisco Unified MeetingPlace suite of voice, web, and video conferencing products.
netflow NetFlow is a Cisco protocol that provides nearly real-time traffic monitoring, aggregation and statistic evaluation, multi-criteria data flow selection, using source/destination IP addresses, protocols, etc.
cups The Common Unix Printer System (CUPS) protocol is a cross-platform printing solution for UNIX environments. It is based on the "Internet Printing Protocol" and it is compatible with Microsoft operating systems Windows 2000 and later.
crackle crackle is an entertainment network and studio that distributes free movies, television shows, and original programming.
craigslist Online classified ads mostly used in the US and Canada
dsi The Data Stream Interface (DSI) is a session layer that carries Apple Filing Protocol traffic over Transmission Control Protocol (TCP).
db2 DB2 is a relational model database server from IBM. It runs on IBM mainframes and is also available for Linux/Unix/Windows.
debian_update Update protocol of APT, the Debian/Ubuntu packet manager.
dropbox Dropbox is a free service that provides both web and smart application interfaces.
dropbox_download Dropbox's file download service.
dropbox_upload Dropbox's file upload service.
ebay Online auction and shopping website.
edonkey Edonkey is a peer-to-peer protocol. Classification is not guaranteed when the protocol obfuscation feature is enabled (feature appeared in eMule version 0.47b). [ edonkey is also known as kadmelia and emule.]
evernote Web-based notes tool.
everquest Everquest is a 3D multiplayer online role-playing game (MMORPG) for Windows platforms.
facebook Facebook is a social network.
facebook_messenger Facebook Messenger is a text and voice messaging application for mobile devices.
farmville FarmVille is a farming simulation social network game developed by Zynga.
find_my_iphone Application developed by Apple to find a lost iOS device.
firefox_update Mozilla Firefox update protocol for the browser and its plugins. This only applies to updates made from the browser. This does not apply to manually downloaded updates.
flickr Image hosting and sharing website with social and blogging services.
gre The Generic Routing Encapsulation protocol (GRE) is used to generically encapsulate one protocol into another protocol.
github Web-based code repository for open source software development.
gmail_basic Gmail basic is the HTML version of the Google Webmail service. Encrypted traffic is classified as Gmail.
gmail_drive GMAIL Drive is a Shell Namespace Extension that creates a virtual file system around a Google Mail account, allowing Gmail as a storage medium. GMAIL Drive is only classified over http and not over https.
gmail_mobile Google webmail for mobile phones. This protocol decodes only the non-ciphered version.
gnunet Framework for secure peer-to-peer networking mainly used for anonymous file sharing. It is part of the GNU project.
gnutella Gnutella is a peer-to-peer protocol. [ gnutella is also known as kadmelia.] Note: In Basic-DPI, Partial classification during file download on Android.
google_accounts Detects SSL access to the Google Accounts server.
google_analytics Google Analytics is the enterprise-class web analytics solution that gives you rich insights into your website traffic and marketing effectiveness.
google_appengine Google App Engine is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications in Google-managed data centers.
google_cache Google Cache saves a copy of the webpages found by the Google search engine.
google_calendar Google Calendar is a free online calendar.
gmail_chat Google chat is an online messaging tool.
gcm Data exchange service between third-party server applications and Android client applications. This plug-in classifies the messages exchanged between the CCS 3rd party server and the GCM cloud servers, as well as the messages exchanged between the GCM cloud servers and the client Android device.
gcs Online file storage web service for applications by Google. This plug-in classifies unsecured Client-to-Google servers web communications only.
google_docs On-line file storage and sharing web-service. Most of the traffic is encrypted with generic Google certificates, and cannot be classified. Classification is correct for traffic under a proxy and some limited workflows. [ google_docs is also known as google_drive.]
google_earth Google Earth is a program used to view a virtual Earth in 3D.
google_gen This protocol is a generic layer used as a base for all the Google protocols. Note: In Basic-DPI, Partial classification over http.
google_groups Google groups
gstatic GStatic is a download server providing static resources (like CSS) or scripts for Google web applications.
gtalk Google Hangouts is an instant messaging service available on desktop and mobile devices. The former Google Talk version uses XMPP, and provides both text and voice communication. This plug-in also classifies RTP Audio/Video streams of Google Hangouts using DNS Caching. [ gtalk is also known as google_hangouts.]
gmail Gmail is the Google Webmail service. In Basic-DPI, gmail is sometimes classified as gmail_chat.
google_maps A web service that lets users calculate routes and look at maps. The encrypted traffic is classified as google.
google_picasa Google Picasa is a digital photo and video organizer used to edit and synchronize pictures or videos over the web.
google_play_music Google Play Music is a music streaming service and online music locker.
google_play Google Play Store (formerly Android Market) is an online software store developed by Google for Android OS devices.
google_plus Google Plus is a social network. It is classified when sharing from an external link. Other traffic is classified as google or google_cache.
google_safebrowsing Google Safe Browsing is a web-service and API for checking web pages against threats. This signature detects a Google Safebrowse Submission.
google_tags Google Tag Manager is a tag manager for website and mobile applications.
google_toolbar The Google Toolbar is an extension for Internet Explorer and Mozilla Firefox that provides features that include a search box, a pop-up blocker, and a translator.
google_translate Google Translate is the Google translation tool.
google This protocol is used for sending user queries to the Google search engine.
gotodevice GoToDevice is a remote control and administration tool.
gotomeeting GoToMeeting is an online meeting service developed by Citrix. In Basic-DPI, Partial classification over https.
gotomypc Citrix GoToMyPC is a secured web-based remote access solution that lets a user take control of a PC/MAC from a web browser.
gtp The GPRS Tunneling Protocol (GTP) is used to create a tunnel between the SGSN and GGSNs of a mobile operator network, thus allowing mobile station data to be transmitted.
gtpv2 The GPRS Tunneling Protocol (GTP) version 2 is used in G4 mobile networks (LTE). It exchanges control messages between the MME, the SGW, and the PGW.
halflife Half-Life and Half-Life 2 are first-person shooter video games developed by Valve Corporation.
hi5 Hi5 is a social networking website.
high_entropy High Entropy is a virtual protocol that detects potentially encrypted payloads for unknown sessions over tcp and udp. The classification of this layer is effective since the 4.18.0 version of the ixEngine framework. The classification is based on two methods: entropy value computation and printable strings detection.
hsrp The Cisco Hot Standby Router Protocol (HSRP) lets you manage router redundancy in a network.
jetdirect The Jetdirect protocol is used by HP network printers.
hulu Hulu is a free Video-On-Demand and video sharing service.
http2 HTTP/2 is the second major version of the HTTP network protocol used by the World Wide Web.
i2p I2P (Invisible Internet Project) is an anonymous overlay network - a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs.
informix Informix is a family of relational database management systems. It runs on IBM mainframes and is also available for Linux/Unix/Windows.
lotus_sametime IBM Lotus Sametime is a client-server application and middleware platform that provides real-time, unified communications, and collaboration for enterprises.
lotus_live Lotus live, now IBM SmartCloud, is a web-based collaborative suite of applications for enterprise, including mail, file transfer, meetings, and forms.
mq Mq (IBM Websphere MQ) is an inter-application communication protocol.
icloud iCloud is a cloud computing service developed by Apple Inc. that lets users store and share data.
iheartradio iHeartRadio is an Internet radio service owned by iHeartMedia.
imessage_file_download Apple Web Service that retrieves video messages sent between two iOS devices via the iMessage application. This signature only classifies video downloaded from the message receiver device. The video upload from the sender is classified as apns (Apple Push Notification)
imgur A free online image hosting service.
ica ICA (Independent Computing Architecture) is a communication protocol and property of the Citrix Company. In Basic-DPI, Partial classification over http.
instagram Instagram is an online mobile photo-sharing and social networking service.
igmp The Internet Group Management Protocol (IGMP) lets IP hosts report their multicast group membership to routers.
ipp Internet Printing Protocol (IPP) is a standard for remote printing using Internet tools and technologies.
isakmp The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify, and delete Security Associations (SA).
iscsi Internet Small Computer Systems Interface (iSCSI) as described in RFC3720.
ios_ota_update iOS OTA Update is the protocol used for iOS updates Over The Air.
ipcomp The ipcomp protocol (IP Payload Compression Protocol) is found over the IP layer (IANA protocol number: 108).
ip_in_ip The ip_in_ip protocol (IP_within_IP Encapsulation Protocol) is found over the IP layer (IANA protocol number: 94).
ipsec IPSec protocol provides services for securing hosts communications. IPsec provides two security services: Authentication Header (AH), which allows authentication of the sender, and Encapsulating Security Payload (ESP), which allows both authentication of the sender and encryption of data.
irc_transfer This protocol transportsa data in IRC file transfer.
itunes iTunes is an Apple proprietary digital media player application used for playing and organizing digital music and video files.
jabber_transfer Jabber transfer is an open standard to transfer file between two Jabber clients.
java_update Java Update is the protocol for update to the Java Virtual Machine (JVM).
jedi JEDI is the name of the CITRIX streaming connection protocol. Note: In Basic-DPI, Partial classification over https.
kazaa KaZaA is a peer-to-peer protocol. [ kazaa is also known as fasttrack.]
kik KIK Messenger is a Chinese Instant Messaging service.
king King is a mobile game editor. This plug-in handles King games content delivery traffic and King.com website access.
linkedin LinkedIn is professional social network.
livemail_mobile Livemail_mobile, now named Outlook, is the webmail for mobile phones. Encrypted traffic is classified as windowslive or live_hotmail.
mogulus This protocol plug-in classifies the http traffic to the hosts livestream.com and a749.g.akamai.net. It also classifies the ssl traffic to the Common Name livestream.com.
logmein_rescue Remote PC assistance software, accessible from a web browser using a proprietary plug-in.
magicjack MagicJack is a VoIP service for home and business use, available as a mobile application and also with a proprietary device (magicJack PLUS).
mailru_agent Mail.ru Agent is a cross-platform mobile messaging application that supports text, audio, and video. It is featured by Mail.ru.
maktoob Maktoob is a webmail protocol.
mgcp MGCP protocol is a signaling protocol for voice IP applications.
msrp Message Session Relay Protocol (MSRP) is a protocol for transmitting instant messages, defined by RFC 4975.
activesync Microsoft ActiveSync is a mobile data synchronization technology and protocol developed by Microsoft.
lync Microsoft Lync IM, VoIP and desktop sharing services (Lync Server and Lync Online are supported).
lync_online On-line version of the Microsoft Lync IM and VoIP services (included in Office 365).
office365 Office 365 is a Microsoft on-line service which gives access to Office applications from the internet.
msrpc Microsoft Remote Procedure Call (MSRPC) is the Microsoft implementation of the DCE RPC mechanism.
svcctl This protocol is used to control remotely Windows services. Also known as MS-SCMR (Service Control Manager Remote Protocol). For further information, see https://msdn.microsoft.com/en-us/library/cc245832.aspx.
sharepoint SharePoint is a web application platform designed as a centralized replacement for multiple web applications such as content management and document management systems.
sharepoint_admin SharePoint is a web application platform designed as a centralized replacement for multiple web applications, like content management and document management systems. This plug-in classifies the administration back-end of SharePoint. Note: In Basic-DPI, Partial classification over http/sharepoint.
sharepoint_blog SharePoint is a web application platform designed as a centralized replacement for multiple web applications such as content management and document management systems. This plug-in classifies the blog management module of SharePoint.
sharepoint_calendar SharePoint is a web application platform designed as a centralized replacement for multiple web applications such as content management and document management systems. This plug-in classifies the calendar management module of SharePoint.
sharepoint_document SharePoint is a web application platform designed as a centralized replacement for multiple web applications such as content management and document management systems. This plug-in classifies the document management module of SharePoint. Note: In Basic-DPI, Partial classification over http/sharepoint.
mpls_in_ip The mpls_in_ip protocol (Multi Protocol Label Switching data-carrying mechanism) is found over the IP layer (IANA protocol number: 137).
nrdp Nagios Remote Data Processor (NDRP) is a flexible data transport mechanism and processor for Nagios.
nrpe Nagios Remote Plugin Executor (NRPE) is a Nagios agent that allows remote system monitoring using scripts that are hosted on the remote systems.
nspi Name Service Provider Interface is a protocol used by Exchange.
netflix Netflix is a site using Silverlight protocol to stream videos. Note: In Basic-DPI, Netflix is sometimes classified as http.
netmeeting_ils Netmeeting ILS is the protocol used between Netmeeting and Internet Locator Servers (ILS). Netmeeting is a VoIP and multi-point videoconferencing client included in many versions of Microsoft Windows. An Internet Locator Server (ILS) is a directory used to find other users and facilitate rendezvous.
ntp Network Time Protocol (NTP) is a time-synchronization system for computer clocks through the Internet network.
wfc Wi-Fi Connection (WFC) is the Nintendo on-line gaming service for the Wii and DS video game systems.
sonmp Nortel/SynOptics Network Management Protocol is a proprietary Nortel Networks management protocol.
okcupid OkCupid is an online dating website. This plug-in both classifies browsing and file upload workflows.
ocsp This network protocol is used for validating certificates.
oovoo oovoo is an instant messenger application, with audio/video support.
ospf OSPF (Open Short Path First) is a link state routing protocol used within large autonomous system networks.
opera_update Opera Update is the protocol used for the update of the Opera browser. Note: In Basic-DPI, Partial classification over https.
orkut Orkut is a social networking website competing with Facebook or Twitter, popular in Brazil and now owned and operated by Google Inc.
outlook On-line Microsoft Outlook encrypted service, from the Office 365 productivity suite.
owa Outlook Web App is used to access e-mail (including support for S/MIME), calendars, contacts, tasks, documents (used with SharePoint or in 2010 Office Web Apps), and other mailbox content when access to the Microsoft Outlook desktop application is unavailable. Note: In Basic-DPI, Partial classification over http.
paltalk Paltalk is an instant messaging protocol.
paltalk_audio Proprietary protocol used by Paltalk in audio chats.
paltalk_transfer Paltalk is an instant messaging protocol
paltalk_video Proprietary protocol used by Paltalk in video.
pandora Pandora is a customizable music streaming service in the United States.
pastebin A pastebin is a type of web application where anyone can store plain text. They are most commonly used to share short source code snippets for code review via Internet Relay Chat.
pastebin_posting Pastebin_posting is used to classify posting workflow of the pastebin.com website
pcanywhere PCAnywhere is a remote control solution. It can manage both Windows and Linux systems. Enhanced video performance and built-in AES 256-bit encryption help make communications fast and secure. PCAnywhere also features powerful file-transfer capabilities.
photobucket Photo sharing web-service, with advanced editing features, available for desktop and mobile devices.
pinterest On-line service that allows users to attach personal elements on an internet pinboard.
psn PlayStation Network (PSN) is the on-line gaming service for consoles made by Sony.
plentyoffish Free online dating site that is popular primarily in Canada, the UK, Australia, and the United States. This plug-in classifies both browsing and file upload workflows.
qik_video QIK is a PC/smartphone application allowing live and VOD streaming from the web. The video chat additional feature is not supported yet.
qq QQ is the most popular free instant messaging computer program in China. Note: In Basic-DPI, Partial classification over https.
qq_transfer File transfer over QQ
qq_games Tencent game portal providing game reviews, forum, news.
qq_mail Tencent Webmail.
qq_weibo QQ WeiBo is a Chinese Twitter-like micro-blogging website. It is part of Tencent's QQ.
qq_web QQ.com is a multi-service Chinese web portal hosted by Tencent. Wechat traffic could appears on QQ Web
qqdownload QQDownload is a Chinese download manager. Its purpose is to download files quickly using HTTP or the BitTorrent protocol.
qqlive QQLive is an application intended to watch TV in Peer-to-Peer mode.
qqmusic QQMusic is a Chinese peer-to-peer file sharing software for downloading and streaming audio files.
qqstream QQStream is a Chinese peer-to-peer file sharing software. QQstream is a meta protocol which contains data stream of QQLive and QQMusic.
quake Quake is a protocol allowing communication between Quake Clients and Quake servers.
quic QUIC is an open networking protocol developed primarily at Google for transporting web content.
qvod QVOD is a peer-to-peer based Video-On-Demand player.
rapidshare RapidShare is an online solution to store, send and share files
rtsp The Real Time Streaming Protocol (RTSP) is an application-level protocol for control over the delivery of data with real-time properties. RTSP provides an extensible framework to enable controlled, on-demand delivery of real-time data such as audio and video.
rdp A key component of Terminal Server is the Remote Desktop Protocol, it allows a thin client to communicate with the Terminal Server over the network. This protocol is based on International Telecommunications Union's (ITU) T.120 protocol, an international, standard multichannel conferencing protocol currently used in the Microsoft NetMeeting conferencing software product. It is tuned for high-bandwidth enterprise environments and will also support encrypted sessions.
rpc RPC (Remote Procedure Call) is a paradigm for implementing the client-server model of distributed computing. A request is sent to a remote system to execute a designated procedure using arguments supplied and the result is returned to the caller.
retroshare Retroshare is a communication and file-sharing Open Source platform that is secured and decentralized.
rip1 RIP1 (Routing Information Protocol Version 1) is a Distance Vector routing protocol used in Inter Autonomous Systems.
rip2 RIP2 (Routing Information Protocol Version 2) is an enhancement of the Version 1 of the protocol. The main differences are the use of multicast instead of broadcast, and the support of variable length subnet mask networks, since subnets are now sent inside the updates.
ripng1 RIPng (RIP New Generation) is intended to allow routers to exchange information for computing routes through an IPv6-based network. RIPng is a distance vector protocol. RIPng should be implemented only in routers since IPv6 provides other mechanisms for router discovery.
rovio Rovio is a mobile game editor. This plug-in handles Rovio games content delivery traffic and Rovio website access.
rss RSS is a family of web feed formats used to publish frequently updated works in a standardized format. Note: In Basic-DPI, Partial classification over http.
salesforce Salesforce is an on-line customer relationship management web product.
sap SAP is both a protocol and the name of an ERP application used by most companies.
secondlife Secondlife is is an Internet-based virtual world which lets users interact with each other through motional avatars.
ssh Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command interface and a protocol for obtaining secure access to a remote computer. Note: In Basic-DPI, Partial classification over http.
stun STUN (Session Traversal Utilities for NAT) allows a client behind a NAT to establish UDP tunnels between two hosts.
sharepoint_online On-line version of the Microsoft Sharepoint services (included in Office 365).
silverlight Silverlight is a Microsoft web browser plugin designed to render programable animations and to stream videos. It is similar to Adobe Flash: animated vector graphics, H264 video streaming. This plug-in classifies the Silverlight applications download over HTTP, and the HTTP video streaming from these applications (known as Microsoft Smooth Streaming).
soap SOAP is a lightweight protocol based on XML, for exchanging structured information in a decentralized, distributed environment. Note: this protocol can be found in HTTP requests, but it won't be classified if some known web application or service was classified instead. Note: In Basic-DPI, Partial classification over http.
sccp Skinny Client Control Protocol (SCCP) is a Cisco proprietary protocol used between Cisco Call Manager and Cisco VOIP phones. It is also supported by some other vendors.
slacker Slacker Radio is an online music streaming service available from web browser and mobile application.
slingbox Slingbox is a streaming protocol over the Internet used to watch and control TV shows received from your home devices.
snapchat Snapchat is a photo/video sharing service.
socks5 Socks 5 is an authentication protocol.
somud SoMud is a BitTorrent client. This signature classifies BitTorrent tracker streams over http specific to the SoMud client. Data streams will be classified as bittorrent only.
soundcloud SoundCloud is an online audio distribution platform where users can upload, promote and share their sounds with others.
sourceforge Sourceforge is a web-based code repository for open source software development.
spdy SPDY is an open networking protocol developed primarily at Google for transporting web content. Note: In Basic-DPI, Partial classification over https.
spotify Spotify is an application of musical streaming. Note: In Basic-DPI, Partial classification over http.
squirrelmail SquirrelMail is a web-based email application written in the PHP scripting language.
steam Steam is a digital distribution, digital rights management, multiplayer and communications platform developed by Valve Corporation.
norton_update Virus definitions and engine updates for the Symantec Norton anti-virus.
syslog Syslog protocol is used for the transmission of event notification messages across networks between a client and a server.
sna SNA (Systems Network Architecture) is IBM's mainframe network standards.
teamspeak The proprietary TeamSpeak2 protocol is used by gamers and oriented TeamSpeak2 VoIP software.
teamspeak_v3 TeamSpeak 3 continues the legacy of the original TeamSpeak communication system. TeamSpeak 3 is not merely an extension of its predecessors but rather a complete rewrite in C++ of its proprietary protocol and core technology.
teamviewer TeamViewer is an application that enables a connection to a remote computer in order to perform maintenance operations. It is also possible to show the current display to a remote computer, to transfer files, and to create a VPN tunnel.
telnet Telnet provides a fairly general, bi-directional, eight-bit byte oriented communications facility. Its primary aim is to provide a standard method of interfacing between terminal devices and terminal-oriented processes.
teredo The Teredo protocol enables IPv6 tunnelling over UDP, traversing NATs, and with minimum over-head.
tacacs_plus TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco Systems proprietary protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers.
tibcordv This protocol is used in the bank sector.
tor2web Tor2web is a project intended to give Internet users access to Tor Onion Services without the need to use Tor Browser.
tumblr Tumblr is a social networking and microblogging platform allowing users to publish blog posts and multimedia content.
twitch Twitch.tv is a live video streaming service focused on video games.
twitpic Photo sharing web service dedicated to Twitter. This service enable users to share photos with their Twitter followers on web browser and mobile devices.
twitter Online microblogging service that enables its users to read and send short text-based messages.
ustream Ustream is a live video broadcasting webservice available on PC and mobile platforms.
utorrent uTorrent is a closed source BitTorrent client. This plugin classifies the traffic to the software company. The generated traffic by this software is classified as bittorrent.
utp BitTorrent transport layer.
uusee Uusee is a peer-to-peer TV software, using the BitTorrent peer-to-peer technology. It uses the network coding technology. Note: In Basic-DPI, Partial classification over http.
vevo VEVO is a music video streaming platform sponsored by Google, Universal Music Group, and Sony Music Entertainment.
viber Viber is a free embedded voice over-ip application for smartphones.
vimeo Vimeo is a high definition video streaming platform, to be accessed from a web browser or mobile applications.
vine Vine is a short-form video sharing service.
vrrp Virtual Router Redundancy Protocol (VRRP) is a protocol designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.
vmware VMWare is a protocol used by the VMWare application, allowing it to have network interfaces and remote access to a virtual machine.
vmware_horizon_view Vmware Horizon View is a commercial desktop-virtualization product developed by VMware. This plugin classifies pcoip streams over UDP between virtual machines and Mac/Windows clients
waze Waze is a community-based mapping, traffic, and navigation app.
webex WebEx is an online meeting, videoconferencing, and collaborative application
whatsapp WhatsApp Messenger is a cross-platform, instant, mobile messaging application that lets users exchange messages without having to pay for SMS. WhatsApp Messenger is available for iPhone, BlackBerry, Android, and Nokia.
whois WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, and a wider range of other information.
wiiconnect24 WiiConnect24 is an asynchronous communication protocol implemented on the Nintendo Wii gaming system. It is used by some information channels and services embedded in the console, and by some games.
wikipedia Wikipedia is the biggest multilingual free-content encyclopedia on the Internet.
windows_azure This protocol plug-in classifies the ssl traffic to the Common Name msecnd.net.
wins WINS (Windows Internet Naming Service) is Microsoft's implementation of NetBIOS Name Service (NBNS), which is a name server and service for NetBIOS computer names. This plug-in classifies replication flows between servers. Client-to-Server flows are handled by the nbns plug-in.
live_storage Windows Live File Storage is a Microsoft web service designed to be used by other Microsoft web services that may need storage, for example MSN and Skydrive.
live_groups Windows Live Groups is an online service by Microsoft that lets users create their social groups for sharing, discussion, and coordination.
live_hotmail Windows Live Hotmail is a free webmail service operated by Microsoft. The service is now named Outlook.
livemail_attach Detection of the Windows Live Mail File attachment uploads.
skydrive This protocol plug-in classifies the ssl traffic to the Common Names live.com.nsatc.net, Skydrive, skydrive.wns.windows.com, skydrivesync.policies.live.net, gateway.edge.messenger.live.com, skyapi.live.net, skydrive.live.com, onedrive.live.com, and storage.live.com.
skydrive_login On-line file storage service owned by Microsoft.
windows_marketplace Windows Marketplace is a service by Microsoft for its Windows Phone 7/8 and Microsoft Windows 8 platforms that allows users to browse and download applications developed by third-parties. The website for Microsoft Store retail stores is also classified.
windows_update Windows_update is the protocol used for windows system updates.
wordpress WordPress is a popular blogging system. This plug-in classifies the usage of Wordpress.com blog hosting online service.
wow WOW is an online role-playing game.
xboxlive Online multiplayer gaming and digital media delivery service created and operated by Microsoft Corporation.
xboxlive_marketplace Xbox Live Marketplace is a service where users can purchase and download games and multimedia.
xbox_music Xbox Music is an online service for music.
xbox_video Microsoft Movies and TV is an online service to watch movies, tv shows, and series.
xhamster Pornographic videos streaming platform.
yahoo_groups Yahoo! Groups offers free mailing lists, photo and file sharing, group calendars, and more.
ymail_classic Yahoo! Mail Classic was the original interface for Yahoo! Mail.
ymail2 This protocol is the ajax-based version of Webmail Yahoo. Note: In Basic-DPI, Partial classification over http.
ymsg Yahoo Messenger is used by the Yahoo Instant Messenger application to send instant messages, files, and emails between users.
ymsg_conf Please note that since version 11.5.0, voice calls are not supported, therefore rtp inheritance is deprecated.
ymsg_transfer This protocol is used for file tranfers over ymsg.
ymsg_video (versions prior to 10.0.0.270) This protocol is used by Yahoo Messenger for video conversations.
yahoo_search This protocol is used to send queries to the Yahoo search engine.
ymail_mobile_new Yahoo Mail Mobile_new is the new yahoo.com webmail adapted to mobiles.
ymsg_webmessenger Yahoo webmessenger.
yahoo Yahoo is a pseudo-protocol which classifies generic web services related to Yahoo. Note: In Basic-DPI, Partial classification over http.
ypbind The ypbind utility is the process that maintains NIS binding information. At startup, it searches for an NIS server responsible for serving the system's default domain (as set by the domainname(1) command) using net-work broadcasts
yppasswd The Yellow Page Password protocol enables the modification of logins and passwords in Network Interface System cards.
ypserv Yellow Pages Server is a protocol used to distribute NIS databases to client systems within an NIS domain.
youtube Youtube is a website where users send or watch videos.
Last modified on 24 September, 2021
PREVIOUS
Configure 10Gbps network capture
  NEXT
Authentication

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters