- JSON representation
- Direction
- IpProtocol
- ApplicationProtocol
- Ftp
- Dns
- Question
- ResourceRecord
- Dhcp
- OpCode
- Option
- MessageType
- Http
- UserAgentProto
- Family
- Annotation
- Tls
- Client
- Certificate
- Server
- Smtp
A network event.
| JSON representation |
|---|
| { "sent_bytes": string, "received_bytes": string, "sent_packets": string, "received_packets": string, "session_duration": string, "session_id": string, "parent_session_id": string, "application_protocol_version": string, "community_id": string, "direction": enum ( |
| Field | Description |
|---|---|
| sent_bytes | The number of bytes sent. |
| received_bytes | The number of bytes received. |
| sent_packets | The number of packets sent. |
| received_packets | The number of packets received. |
| session_duration | The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. A duration in seconds with up to nine fractional digits, ending with ' |
| session_id | The ID of the network session. |
| parent_session_id | The ID of the parent network session. |
| application_protocol_version | The version of the application protocol, for example "1.1" or "2.0". |
| community_id | Community ID network flow value. |
| direction | The direction of network traffic. |
| ip_ | The IP protocol. |
| application_ | The application protocol. |
| ftp | FTP info. |
| email | Email info for the sender/recipient. |
| dns | DNS info. |
| dhcp | DHCP info. |
| http | HTTP info. |
| tls | TLS info. |
| smtp | SMTP info. Store fields specific to SMTP that are not covered by Email. |
| asn | Autonomous system number. |
| dns_ | DNS domain name. |
| carrier_ | Carrier identification. |
| organization_ | Organization name (e.g. Google). |
| ip_ | Associated human-readable IP subnet range (e.g. 10.1.2.0/24). |
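The flow-level fields above (byte and packet counters serialised as strings, the Duration-formatted session_duration, the Direction enum and the Community ID) are easy to get subtly wrong when writing a parser that emits this event. The Python below is an added example, not code from the page or from the product it documents: it computes a Community ID v1 value (the Corelight flow-hash scheme, with the canonical endpoint ordering that makes both directions of a flow hash identically) and assembles the Network fields named on the page. The "ip_protocol" key name and the "s"-suffixed Duration rendering are assumptions of this example; the sample flow is constructed.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the port-carrying protocols; names follow the page's IpProtocol enum.
PORT_PROTOCOLS = {"TCP": 6, "UDP": 17, "SCTP": 132}

# Values of the page's Direction enum.
DIRECTIONS = {"UNKNOWN_DIRECTION", "INBOUND", "OUTBOUND", "BROADCAST"}


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Community ID v1: "1:" + base64(SHA-1(seed || saddr || daddr || proto || 0 || sport || dport)).

    The endpoints are put in canonical order first, so a flow gets the same ID
    whichever side a sensor happened to log as the source.
    """
    if proto not in PORT_PROTOCOLS:
        raise ValueError("only TCP, UDP and SCTP flows are handled here")
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    sport, dport = src_port, dst_port
    # Canonical order: the lexicographically smaller (address, port) pair comes first.
    if not (saddr < daddr or (saddr == daddr and sport < dport)):
        saddr, daddr, sport, dport = daddr, saddr, dport, sport
    digest_input = (struct.pack("!H", seed) + saddr + daddr
                    + struct.pack("!BBHH", PORT_PROTOCOLS[proto], 0, sport, dport))
    return "1:" + base64.b64encode(hashlib.sha1(digest_input).digest()).decode("ascii")


def duration_string(seconds):
    """Render seconds as a protobuf Duration JSON string (assumed format, e.g. 1.5 -> "1.5s")."""
    text = f"{seconds:.9f}".rstrip("0").rstrip(".")
    return text + "s"


def network_event(src_ip, src_port, dst_ip, dst_port, proto, direction, session_id,
                  sent_bytes, received_bytes, sent_packets, received_packets, duration_seconds):
    """Assemble the Network fields listed on the page.

    The 64-bit counters are serialised as decimal strings because the JSON
    representation types them as string, not integer.
    """
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    if proto not in PORT_PROTOCOLS:
        raise ValueError(f"unsupported ip protocol {proto!r}")
    return {
        "sent_bytes": str(sent_bytes),
        "received_bytes": str(received_bytes),
        "sent_packets": str(sent_packets),
        "received_packets": str(received_packets),
        "session_duration": duration_string(duration_seconds),
        "session_id": session_id,
        "community_id": community_id_v1(src_ip, src_port, dst_ip, dst_port, proto),
        "direction": direction,
        # Key name assumed: the page truncates this field to "ip_"; the value is the IpProtocol enum.
        "ip_protocol": proto,
    }


if __name__ == "__main__":
    # Constructed sample flow (seed 0); counters and duration are made-up values.
    ev = network_event("128.232.110.120", 34855, "66.35.250.204", 80, "TCP", "OUTBOUND",
                       "sess-0001", 1024, 4096, 8, 6, 1.5)
    print(ev)
```

Because the Community ID is direction-independent, the same value appears on the client-side and server-side records of one connection, which is what makes it usable as a join key across sensors that disagree about who the "source" was.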
Direction
A network traffic direction.
| Enum | Description |
|---|---|
| UNKNOWN_DIRECTION | The default direction. |
| INBOUND | An inbound request. |
| OUTBOUND | An outbound request. |
| BROADCAST | A broadcast. |
IpProtocol
An IP protocol.
| Enum | Description |
|---|---|
| UNKNOWN_IP_PROTOCOL | The default protocol. |
| ICMP | ICMP. |
| IGMP | IGMP. |
| TCP | TCP. |
| UDP | UDP. |
| IP6IN4 | IPv6 encapsulation. |
| GRE | Generic Routing Encapsulation. |
| ESP | Encapsulating Security Payload. |
| ICMP6 | ICMPv6. |
| EIGRP | Enhanced Interior Gateway Routing Protocol. |
| ETHERIP | Ethernet-within-IP Encapsulation. |
| PIM | Protocol Independent Multicast. |
| VRRP | Virtual Router Redundancy Protocol. |
| SCTP | Stream Control Transmission Protocol. |
ApplicationProtocol
A network application protocol.
| Enum | Description |
|---|---|
| UNKNOWN_APPLICATION_PROTOCOL | The default application protocol. |
| AFP | Apple Filing Protocol. |
| APPC | Advanced Program-to-Program Communication. |
| AMQP | Advanced Message Queuing Protocol. |
| ATOM | Atom Publishing Protocol. |
| BEEP | Block Extensible Exchange Protocol. |
| BITCOIN | Cryptocurrency protocol. |
| BIT_TORRENT | Peer-to-peer file sharing. |
| CFDP | Coherent File Distribution Protocol. |
| CIP | Common Industrial Protocol. |
| COAP | Constrained Application Protocol. |
| COTP | Connection Oriented Transport Protocol. |
| DCERPC | DCE/RPC. |
| DDS | Data Distribution Service. |
| DEVICE_NET | Automation industry protocol. |
| DHCP | DHCP. |
| DICOM | Digital Imaging and Communications in Medicine Protocol. |
| DNP3 | Distributed Network Protocol 3 (DNP3). |
| DNS | DNS. |
| E_DONKEY | Classic file-sharing protocol. |
| ENRP | Endpoint Handlespace Redundancy Protocol. |
| FAST_TRACK | File-sharing peer-to-peer protocol. |
| FINGER | User Information Protocol. |
| FREENET | Censorship-resistant peer-to-peer network. |
| FTAM | File Transfer Access and Management. |
| GOOSE | GOOSE Protocol. |
| GOPHER | Gopher protocol. |
| GRPC | gRPC Remote Procedure Call. |
| HL7 | Health Level Seven. |
| H323 | Packet-based multimedia communications system. |
| HTTP | HTTP. |
| HTTPS | HTTPS. |
| IEC104 | IEC 60870-5-104 (IEC 104) Protocol. |
| IRCP | Internet Relay Chat Protocol. |
| KADEMLIA | Peer-to-peer hash tables. |
| KRB5 | Kerberos 5. |
| LDAP | Lightweight Directory Access Protocol. |
| LPD | Line Printer Daemon Protocol. |
| MIME | Multipurpose Internet Mail Extensions and Secure MIME. |
| MMS | Multimedia Messaging Service. |
| MODBUS | Serial communications protocol. |
| MQTT | Message Queuing Telemetry Transport. |
| NETCONF | Network Configuration. |
| NFS | Network File System. |
| NIS | Network Information Service. |
| NNTP | Network News Transfer Protocol. |
| NTCIP | National Transportation Communications for Intelligent Transportation System. |
| NTP | Network Time Protocol. |
| OSCAR | AOL Instant Messenger Protocol. |
| PNRP | Peer Name Resolution Protocol. |
| PTP | Precision Time Protocol. |
| QUIC | QUIC. |
| RDP | Remote Desktop Protocol. |
| RELP | Reliable Event Logging Protocol. |
| RIP | Routing Information Protocol. |
| RLOGIN | Remote Login in UNIX Systems. |
| RPC | Remote Procedure Call. |
| RTMP | Real Time Messaging Protocol. |
| RTP | Real-time Transport Protocol. |
| RTPS | Real Time Publish Subscribe. |
| RTSP | Real Time Streaming Protocol. |
| SAP | Session Announcement Protocol. |
| SDP | Session Description Protocol. |
| SIP | Session Initiation Protocol. |
| SLP | Service Location Protocol. |
| SMB | Server Message Block. |
| SMTP | Simple Mail Transfer Protocol. |
| SNMP | Simple Network Management Protocol. |
| SNTP | Simple Network Time Protocol. |
| SSH | Secure Shell. |
| SSMS | Secure SMS Messaging Protocol. |
| STYX | Styx/9P, the Plan 9 from Bell Labs distributed file system protocol. |
| SV | Sampled Values Protocol. |
| TCAP | Transaction Capabilities Application Part. |
| TDS | Tabular Data Stream. |
| TOR | Anonymity network. |
| TSP | Time Stamp Protocol. |
| VTP | Virtual Terminal Protocol. |
| WHOIS | Remote Directory Access Protocol. |
| WEB_DAV | Web Distributed Authoring and Versioning. |
| X400 | Message Handling Service Protocol. |
| X500 | Directory Access Protocol (DAP). |
| XMPP | Extensible Messaging and Presence Protocol. |
Ftp
FTP info.
| JSON representation |
|---|
| { "command": string } |
| Field | Description |
|---|---|
| command | The FTP command. |
Email
Email info.
| JSON representation |
|---|
| { "from": string, "reply_to": string, "to": [ string ], "cc": [ string ], "bcc": [ string ], "mail_id": string, "subject": [ string ], "bounce_address": string } |
| Field | Description |
|---|---|
| from | The 'from' address. |
| reply_to | The 'reply to' address. |
| to[] | A list of 'to' addresses. |
| cc[] | A list of 'cc' addresses. |
| bcc[] | A list of 'bcc' addresses. |
| mail_id | The mail (or message) ID. |
| subject[] | The subject line(s) of the email. |
| bounce_address | The envelope from address. See https://en.wikipedia.org/wiki/Bounce_address |
Dns
DNS information.
| JSON representation |
|---|
| { "id": integer, "response": boolean, "opcode": integer, "authoritative": boolean, "truncated": boolean, "recursion_desired": boolean, "recursion_available": boolean, "response_code": integer, "questions": [ { object ( |
| Field | Description |
|---|---|
| id | DNS query ID. |
| response | Set to true if the event is a DNS response. See the QR field in RFC1035. |
| opcode | The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). |
| authoritative | Whether the responding name server is an authority for the domain (the AA header flag). See RFC1035, section 4.1.1, for this and the other DNS header flags. |
| truncated | Whether the DNS response was truncated. |
| recursion_desired | Whether a recursive DNS lookup is desired. |
| recursion_available | Whether a recursive DNS lookup is available. |
| response_code | Response code. See RCODE in RFC1035. |
| questions[] | A list of domain protocol message questions. |
| answers[] | A list of answers to the domain name query. |
| authority[] | A list of domain name servers (the authority section) which verified the answers to the domain name queries. |
| additional[] | A list of additional domain name servers that can be used to verify the answer to the domain. |
Question
DNS questions. See RFC1035, section 4.1.2.
| JSON representation |
|---|
| { "name": string, "type": integer, "class": integer, "prevalence": { object ( |
| Field | Description |
|---|---|
| name | The domain name. |
| type | The code specifying the type of the query. |
| class | The code specifying the class of the query. |
| prevalence | The prevalence of the domain within the customer's environment. |
ResourceRecord
DNS resource records. See RFC1035, section 4.1.3.
| JSON representation |
|---|
| { "name": string, "type": integer, "class": integer, "ttl": integer, "data": string, "binary_data": string } |
| Field | Description |
|---|---|
| name | The name of the owner of the resource record. |
| type | The code specifying the type of the resource record. |
| class | The code specifying the class of the resource record. |
| ttl | The time interval for which the resource record can be cached before the source of the information should be queried again. |
| data | The payload or response to the DNS question, for all responses, encoded in UTF-8. |
| binary_data | The raw bytes of any non-UTF-8 strings that might be included as part of a DNS response. A base64-encoded string. |
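The Dns, Question and ResourceRecord shapes above map one-to-one onto the RFC1035 wire format, which is the form a sensor actually sees. The Python below is an added example, not code from the page or the product it documents: it decodes a DNS message (header flag bits, question section, and resource records including compression pointers) into those JSON fields, with a loop guard against malicious pointer chains. Non-UTF-8 RDATA goes into binary_data as base64, as the page specifies; rendering A records as dotted quads and NS/CNAME/PTR RDATA as names into data is this example's own choice. The sample packets are constructed inline.

```python
import base64
import struct


def _read_name(msg, offset):
    """Decode a possibly compressed domain name (RFC1035 4.1.4).

    Returns (name, offset just past the name in the original byte stream).
    """
    labels, seen, jumped, end = [], set(), False, None
    while True:
        if offset in seen:                       # a pointer cycle in a hostile packet
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                 # the caller resumes after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def _rdata_fields(rtype, rdata, msg, rdata_offset):
    """Map RDATA onto the page's ResourceRecord 'data' / 'binary_data' fields."""
    if rtype == 1 and len(rdata) == 4:           # A record -> dotted quad
        return {"data": ".".join(str(b) for b in rdata), "binary_data": ""}
    if rtype in (2, 5, 12):                      # NS, CNAME, PTR -> a (compressible) name
        return {"data": _read_name(msg, rdata_offset)[0], "binary_data": ""}
    try:
        return {"data": rdata.decode("utf-8"), "binary_data": ""}
    except UnicodeDecodeError:                   # non-UTF-8 payload: base64 it, as the page says
        return {"data": "", "binary_data": base64.b64encode(rdata).decode("ascii")}


def parse_dns(msg):
    """Parse a DNS message (RFC1035 section 4.1) into the Dns JSON shape on the page."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    event = {
        "id": ident,
        "response": bool(flags & 0x8000),             # QR
        "opcode": (flags >> 11) & 0xF,                # OPCODE
        "authoritative": bool(flags & 0x0400),        # AA
        "truncated": bool(flags & 0x0200),            # TC
        "recursion_desired": bool(flags & 0x0100),    # RD
        "recursion_available": bool(flags & 0x0080),  # RA
        "response_code": flags & 0xF,                 # RCODE
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    offset = 12
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        event["questions"].append({"name": name, "type": qtype, "class": qclass})
    for section, count in (("answers", ancount), ("authority", nscount), ("additional", arcount)):
        for _ in range(count):
            name, offset = _read_name(msg, offset)
            rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
            rr.update(_rdata_fields(rtype, msg[offset:offset + rdlength], msg, offset))
            offset += rdlength
            event[section].append(rr)
    return event


def _encode_name(name):
    """Wire-encode a domain name without compression (used only to build sample packets)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


# Constructed samples: an A query for example.com and the matching response (QR, RD, RA set).
SAMPLE_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + _encode_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
                   + _encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    print(parse_dns(SAMPLE_RESPONSE))
```

The pointer-loop guard matters for a log pipeline: a parser that follows compression pointers naively can be spun forever by a single crafted packet, so bounding the walk is part of making the decoder safe to run on untrusted traffic.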
Dhcp
DHCP information.
| JSON representation |
|---|
| { "opcode": enum ( |
| Field | Description |
|---|---|
| opcode | The BOOTP op code. |
| htype | Hardware address type. |
| hlen | Hardware address length. |
| hops | Hop count; clients set it to zero and relay agents may increment it. |
| transaction_ | Transaction ID. |
| seconds | Seconds elapsed since the client began the address acquisition/renewal process. |
| flags | Flags. |
| ciaddr | Client IP address (ciaddr). |
| yiaddr | Your IP address (yiaddr). |
| siaddr | IP address of the next bootstrap server. |
| giaddr | Relay agent IP address (giaddr). |
| chaddr | Client hardware address (chaddr). |
| sname | Server name that the client wishes to boot from. |
| file | Boot image filename. |
| options[] | List of DHCP options. |
| type | DHCP message type. |
| lease_ | Lease time in seconds. See RFC2132, section 9.2. |
| client_ | Client hostname. See RFC2132, section 3.14. |
| client_ | Client identifier. See RFC2132, section 9.14. A base64-encoded string. |
| requested_ | Requested IP address. See RFC2132, section 9.1. |
OpCode
BOOTP op code. See RFC951, section 3.
| Enum | Description |
|---|---|
| UNKNOWN_OPCODE | Default opcode. |
| BOOTREQUEST | Request. |
| BOOTREPLY | Reply. |
Option
DHCP options.
| JSON representation |
|---|
| { "code": integer, "data": string } |
| Field | Description |
|---|---|
| code | Code. See RFC1533. |
| data | Data. A base64-encoded string. |
MessageType
DHCP message type. See RFC2131, section 3.1.
| Enum | Description |
|---|---|
| UNKNOWN_MESSAGE_TYPE | Default message type. |
| DISCOVER | DHCPDISCOVER. |
| OFFER | DHCPOFFER. |
| REQUEST | DHCPREQUEST. |
| DECLINE | DHCPDECLINE. |
| ACK | DHCPACK. |
| NAK | DHCPNAK. |
| RELEASE | DHCPRELEASE. |
| INFORM | DHCPINFORM. |
| WIN_DELETED | Microsoft Windows DHCP "lease deleted". |
| WIN_EXPIRED | Microsoft Windows DHCP "lease expired". |
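The Dhcp, OpCode, Option and MessageType definitions above describe the RFC951 fixed header plus the RFC2132 option list, where the message type itself is carried in option 53. The Python below is an added example, not code from the page or the product it documents: it decodes a raw BOOTP/DHCP packet into those fields, emitting each option as the page's Option object (code plus base64 data) and mapping option 53 onto the MessageType enum names. The field names transaction_id, lease_time_seconds, client_hostname and requested_address are assumptions, since the page truncates them; the sample DHCPREQUEST is constructed.

```python
import base64
import struct

# Enum names from the page's OpCode and MessageType enums, keyed by wire value.
OPCODES = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC2132 section 2


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_dhcp(pkt):
    """Decode a BOOTP/DHCP message into the Dhcp JSON shape described on the page."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short packet or missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    ev = {
        "opcode": OPCODES.get(op, "UNKNOWN_OPCODE"),
        "htype": htype,
        "hlen": hlen,
        "hops": hops,
        "transaction_id": xid,                    # field name assumed (page shows "transaction_")
        "seconds": secs,
        "flags": flags,
        "ciaddr": _ip(pkt[12:16]),
        "yiaddr": _ip(pkt[16:20]),
        "siaddr": _ip(pkt[20:24]),
        "giaddr": _ip(pkt[24:28]),
        "chaddr": pkt[28:28 + min(hlen, 16)].hex(":"),
        "sname": pkt[44:108].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": pkt[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": [],
        "type": "UNKNOWN_MESSAGE_TYPE",
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                           # end option
            break
        if code == 0:                             # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):                     # truncated option header
            break
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        i += 2 + length
        ev["options"].append({"code": code, "data": base64.b64encode(data).decode("ascii")})
        if code == 53 and length == 1:            # DHCP message type
            ev["type"] = MESSAGE_TYPES.get(data[0], "UNKNOWN_MESSAGE_TYPE")
        elif code == 51 and length == 4:          # lease time, RFC2132 9.2 (name assumed)
            ev["lease_time_seconds"] = struct.unpack("!I", data)[0]
        elif code == 12:                          # host name, RFC2132 3.14 (name assumed)
            ev["client_hostname"] = data.decode("ascii", "replace")
        elif code == 50 and length == 4:          # requested address, RFC2132 9.1 (name assumed)
            ev["requested_address"] = _ip(data)
    return ev


def sample_request():
    """Constructed DHCPREQUEST: broadcast flag set, asking for 192.168.1.100 as host 'laptop'."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)
    hdr += bytes(16)                                   # ciaddr, yiaddr, siaddr, giaddr all 0.0.0.0
    hdr += bytes.fromhex("00112233aabb") + bytes(10)    # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128)                      # empty sname and file
    opts = (MAGIC_COOKIE
            + bytes([53, 1, 3])                        # message type = DHCPREQUEST
            + bytes([50, 4, 192, 168, 1, 100])         # requested IP address
            + bytes([12, 6]) + b"laptop"               # host name
            + bytes([255]))
    return hdr + opts


if __name__ == "__main__":
    print(parse_dhcp(sample_request()))
```

Keeping every option verbatim in options[] alongside the decoded convenience fields preserves evidence: a detection that keys on an unusual vendor class or parameter request list still has the raw bytes to work with.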
Http
Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".
| JSON representation |
|---|
| { "method": string, "referral_url": string, "user_agent": string, "response_code": integer, "parsed_user_agent": { object ( |
| Field | Description |
|---|---|
| method | The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). |
| referral_url | The URL for the HTTP referer. |
| user_agent | The User-Agent request header, which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
| response_code | The response status code, for example 200, 302, 404, or 500. |
| parsed_user_agent | The parsed user_agent string. |
UserAgentProto
| JSON representation |
|---|
| { "family": enum ( |
| Field | Description |
|---|---|
| family | User agent family captures the type of browser/app at a high level, e.g. MSIE, Gecko, Safari. |
| sub_ | Sub-family identifies individual regexps when a family has more than one. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. |
| platform | The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family, e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker, e.g. Linux, or HTC, LG, Palm. |
| device | (Usually) Mobile specific: name of the hardware device; may or may not contain the full model name, e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with a reduced User-Agent and no client hints. |
| device_ | (Usually) Mobile specific: version of the hardware device. Unavailable with a reduced User-Agent and no client hints. |
| carrier | Mobile specific: name of the mobile carrier. |
| security | Security level reported by the user agent, either U, I or N. Unavailable with a reduced User-Agent and no client hints. |
| locale | Locale in which the browser is running, as a country code and optionally a language pair. Unavailable with a reduced User-Agent and no client hints. |
| os | Full name of the operating system, e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98". The version is reduced, and other data might also be missing, for a reduced User-Agent and no client hints. |
| os_ | Extra qualifier for the OS, e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061". Unavailable with a reduced User-Agent and no client hints. |
| browser | Product brand within the family: Firefox, Netscape, Camino etc., or Earth, Windows-Media-Player etc. for non-browser user agents. |
| browser_version | Minor and lower versions unavailable with a reduced User-Agent and no client hints. |
| browser_ | Version of the rendering engine, e.g. "8.01" for "Opera/8.01". |
| google_ | Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. |
| java_ | Mobile specific: e.g. Profile/MIDP-2.0 |
| java_ | |
| java_ | Mobile specific: e.g. Configuration/CLDC-1.1 |
| java_ | |
| messaging | Mobile specific: e.g. MMP/2.0 |
| messaging_ | |
| annotation[] | |
Family
| Enum | Description |
|---|---|
| USER_DEFINED | Used to represent new families supported by user-defined parsers. |
| MSIE | Desktop user agent families. |
| GECKO | |
| APPLEWEBKIT | WebKit-based browsers, e.g. Safari. |
| OPERA | |
| KHTML | e.g. Konqueror. |
| OTHER | Mobile and non-browser user agent families; UAs without enough data to fit into a family. |
| APPLE | Apple apps, e.g. YouTube on iPhone. |
| BLACKBERRY | |
| DOCOMO | |
| GOOGLE | Google Earth, Sketchup, UpdateChecker etc. |
| OPENWAVE | UP.Browser. |
| POLARIS | |
| OBIGO | |
| TELECA | |
| MICROSOFT | Windows Media Player, RSS platform etc. |
| NOKIA | |
| NETFRONT | |
| SEMC | Sony Ericsson Mobile Communications. |
| SMIT | |
| KOREAN | SKT, LGT. |
| CLIENT_HINTS | Constructed from UA-CH instead of the UserAgent string. |
Annotation
Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents.
The following keys are modified with a reduced User-Agent and no client hints:
- "Chrome" (see browser_version)
- "ChromiumBrowser" (unavailable)
- "ChromeWebview" (unavailable)
- "OS_VERSION" (see os)
- "Rest" (unavailable)
- "misc" (see device)
| JSON representation |
|---|
| { "key": string, "value": string } |
| Field | Description |
|---|---|
| key | |
| value | |
Tls
Transport Layer Security (TLS) information.
| JSON representation |
|---|
| { "client": { object ( |
| Field | Description |
|---|---|
| client | Certificate information for the client certificate. |
| server | Certificate information for the server certificate. |
| cipher | Cipher used during the connection. |
| curve | Elliptic curve used for a given cipher. |
| version | TLS version. |
| version_ | Protocol. |
| established | Indicates whether the TLS negotiation was successful. |
| next_ | Protocol to be used for the tunnel. |
| resumed | Indicates whether the TLS connection was resumed from a previous TLS negotiation. |
Client
Transport Layer Security (TLS) information associated with the client (for example, certificate or JA3 hash).
| JSON representation |
|---|
| { "certificate": { object ( |
| Field | Description |
|---|---|
| certificate | Client certificate. |
| ja3 | JA3 hash from the TLS ClientHello, as a hex-encoded string. |
| server_ | Host name of the server that the client is connecting to. |
| supported_ | Ciphers offered by the client in the ClientHello. |
Certificate
Certificate information.
| JSON representation |
|---|
| { "version": string, "serial": string, "subject": string, "issuer": string, "md5": string, "sha1": string, "sha256": string, "not_before": string, "not_after": string } |
| Field | Description |
|---|---|
| version | Certificate version. |
| serial | Certificate serial number. |
| subject | Subject of the certificate. |
| issuer | Issuer of the certificate. |
| md5 | The MD5 hash of the certificate, as a hex-encoded string. |
| sha1 | The SHA1 hash of the certificate, as a hex-encoded string. |
| sha256 | The SHA256 hash of the certificate, as a hex-encoded string. |
| not_before | Indicates when the certificate is first valid. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| not_after | Indicates when the certificate is no longer valid. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Server
Transport Layer Security (TLS) information associated with the server (for example, certificate or JA3S hash).
| JSON representation |
|---|
| { "certificate": { object ( |
| Field | Description |
|---|---|
| certificate | Server certificate. |
| ja3s | JA3S hash from the TLS ServerHello, as a hex-encoded string. |
Smtp
SMTP info. See RFC 2821.
| JSON representation |
|---|
| { "helo": string, "mail_from": string, "rcpt_to": [ string ], "server_response": [ string ], "message_path": string, "is_webmail": boolean, "is_tls": boolean } |
| Field | Description |
|---|---|
| helo | The client's 'HELO'/'EHLO' string. |
| mail_from | The client's 'MAIL FROM' string. |
| rcpt_to[] | The client's 'RCPT TO' string(s). |
| server_response[] | The server's response(s) to the client. |
| message_path | The message's path (extracted from the headers). |
| is_webmail | Whether the message was sent via a webmail client. |
| is_tls | Whether the connection switched to TLS. |