Network

A network event.

JSON representation
{
  "sentBytes": string,
  "receivedBytes": string,
  "sentPackets": string,
  "receivedPackets": string,
  "sessionDuration": string,
  "sessionId": string,
  "parentSessionId": string,
  "applicationProtocolVersion": string,
  "communityId": string,
  "direction": enum (Direction),
  "ipProtocol": enum (IpProtocol),
  "applicationProtocol": enum (ApplicationProtocol),
  "ftp": {
    object (Ftp)
  },
  "email": {
    object (Email)
  },
  "dns": {
    object (Dns)
  },
  "dhcp": {
    object (Dhcp)
  },
  "http": {
    object (Http)
  },
  "tls": {
    object (Tls)
  },
  "smtp": {
    object (Smtp)
  },
  "asn": string,
  "dnsDomain": string,
  "carrierName": string,
  "organizationName": string,
  "ipSubnetRange": string,
  "isProxy": boolean,
  "proxyInfo": {
    object (ProxyInfo)
  }
}
Fields
sentBytes

string

The number of bytes sent.

receivedBytes

string

The number of bytes received.

sentPackets

string (int64 format)

The number of packets sent.

receivedPackets

string (int64 format)

The number of packets received.

sessionDuration

string (Duration format)

The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

sessionId

string

The ID of the network session.

parentSessionId

string

The ID of the parent network session.

applicationProtocolVersion

string

The version of the application protocol, e.g. "1.1", "2.0".

communityId

string

Community ID network flow value.

direction

enum (Direction)

The direction of network traffic.

ipProtocol

enum (IpProtocol)

The IP protocol.

applicationProtocol

enum (ApplicationProtocol)

The application protocol.

ftp

object (Ftp)

FTP info.

email

object (Email)

Email info for the sender/recipient.

dns

object (Dns)

DNS info.

dhcp

object (Dhcp)

DHCP info.

http

object (Http)

HTTP info.

tls

object (Tls)

TLS info.

smtp

object (Smtp)

SMTP info. Store fields specific to SMTP not covered by Email.

asn

string

Autonomous system number.

dnsDomain

string

DNS domain name.

carrierName

string

Carrier identification.

organizationName

string

Organization name (e.g. Google).

ipSubnetRange

string

Associated human-readable IP subnet range (e.g. 10.1.2.0/24).

isProxy

boolean

Whether the IP address is a known proxy.

proxyInfo

object (ProxyInfo)

Proxy information. Only set if isProxy is true.
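The typing rules above matter when these events are consumed outside the platform: counters arrive as strings, sessionDuration is a Duration string, and proxyInfo should only appear alongside isProxy. The following is an added example, not code from this reference or its vendor; the function names and the sample event are constructed, it also decodes the base64 binaryData field of Dns answers documented further down, and it assumes that sentBytes/receivedBytes hold decimal text and that negative counters or durations are malformed.

```python
import base64
import json
import re

INT64_MAX = 2**63 - 1
INT64_FIELDS = ("sentPackets", "receivedPackets")   # "string (int64 format)"
BYTE_FIELDS = ("sentBytes", "receivedBytes")        # plain "string" on the page
# "A duration in seconds with up to nine fractional digits, ending with 's'."
DURATION_RE = re.compile(r"([0-9]+)(?:\.([0-9]{1,9}))?s")


def parse_duration(text):
    """Split a Duration string such as "3.5s" into (seconds, nanos)."""
    m = DURATION_RE.fullmatch(text) if isinstance(text, str) else None
    if m is None:
        raise ValueError(f"malformed Duration: {text!r}")
    # Right-pad the fraction to nine digits so ".5" becomes 500000000 ns.
    return int(m.group(1)), int((m.group(2) or "0").ljust(9, "0"))


def parse_counter(name, value, limit=None):
    """Convert a counter carried as a decimal string into an int."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]+", value):
        raise ValueError(f"{name}: expected a decimal string, got {value!r}")
    number = int(value)
    if limit is not None and number > limit:
        raise ValueError(f"{name}: {value} does not fit in int64")
    return number


def normalize_network(network):
    """Return (typed_fields, problems) for one Network object."""
    typed, problems = {}, []
    for name in BYTE_FIELDS + INT64_FIELDS:
        if name in network:
            limit = INT64_MAX if name in INT64_FIELDS else None
            try:
                typed[name] = parse_counter(name, network[name], limit)
            except ValueError as err:
                problems.append(str(err))
    if "sessionDuration" in network:
        try:
            typed["sessionDuration"] = parse_duration(network["sessionDuration"])
        except ValueError as err:
            problems.append(str(err))
    # proxyInfo is documented as "Only set if isProxy is true."
    if "proxyInfo" in network and network.get("isProxy") is not True:
        problems.append("proxyInfo present but isProxy is not true")
    # Dns answers may carry raw bytes in binaryData, base64-encoded.
    for record in network.get("dns", {}).get("answers", []):
        if "binaryData" in record:
            try:
                decoded = base64.b64decode(record["binaryData"], validate=True)
                typed.setdefault("dnsAnswerBytes", []).append(decoded)
            except ValueError as err:
                problems.append(f"dns.answers[].binaryData: {err}")
    return typed, problems


# Constructed sample event, not real telemetry.
SAMPLE = json.loads("""{
  "sentBytes": "1840", "receivedBytes": "512",
  "sentPackets": "12", "receivedPackets": "9223372036854775808",
  "sessionDuration": "3.5s", "ipProtocol": "UDP", "applicationProtocol": "DNS",
  "isProxy": false, "proxyInfo": {"torExitNode": true},
  "dns": {"answers": [{"name": "example.test", "type": 16,
                       "binaryData": "/wABAg=="}]}
}""")

if __name__ == "__main__":
    typed, problems = normalize_network(SAMPLE)
    print(typed)
    for problem in problems:
        print("problem:", problem)
```

Records that come back with a non-empty problems list are worth routing to a parser-quality queue rather than dropping, since byte and packet counters feed volume-based detections.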

Direction

A network traffic direction.

Enums
UNKNOWN_DIRECTION The default direction.
INBOUND An inbound request.
OUTBOUND An outbound request.
BROADCAST A broadcast.

IpProtocol

An IP protocol.

Enums
UNKNOWN_IP_PROTOCOL The default protocol.
ICMP ICMP.
IGMP IGMP
TCP TCP.
UDP UDP.
IP6IN4 IPv6 Encapsulation
GRE Generic Routing Encapsulation
ESP Encapsulating Security Payload
ICMP6 ICMPv6
EIGRP Enhanced Interior Gateway Routing
ETHERIP Ethernet-within-IP Encapsulation
PIM Protocol Independent Multicast
VRRP Virtual Router Redundancy Protocol
SCTP Stream Control Transmission Protocol

ApplicationProtocol

A network application protocol.

Enums
UNKNOWN_APPLICATION_PROTOCOL The default application protocol.
AFP Apple Filing Protocol.
APPC Advanced Program-to-Program Communication.
AMQP Advanced Message Queuing Protocol.
ATOM Publishing Protocol.
BEEP Block Extensible Exchange Protocol.
BITCOIN Crypto currency protocol.
BIT_TORRENT Peer-to-peer file sharing.
CFDP Coherent File Distribution Protocol.
CIP Common Industrial Protocol.
COAP Constrained Application Protocol.
COTP Connection Oriented Transport Protocol.
DCERPC DCE/RPC.
DDS Data Distribution Service.
DEVICE_NET Automation industry protocol.
DHCP DHCP.
DICOM Digital Imaging and Communications in Medicine Protocol.
DNP3 Distributed Network Protocol 3 (DNP3)
DNS DNS.
E_DONKEY Classic file sharing protocol.
ENRP Endpoint Handlespace Redundancy Protocol.
FAST_TRACK Filesharing peer-to-peer protocol.
FINGER User Information Protocol.
FREENET Censorship resistant peer-to-peer network.
FTAM File Transfer Access and Management.
GOOSE GOOSE Protocol.
GOPHER Gopher protocol.
GRPC gRPC Remote Procedure Call.
HL7 Health Level Seven.
H323 Packet-based multimedia communications system.
HTTP HTTP.
HTTPS HTTPS.
IEC104 IEC 60870-5-104 (IEC 104) Protocol.
IRCP Internet Relay Chat Protocol.
KADEMLIA Peer-to-peer hashtables.
KRB5 Kerberos 5.
LDAP Lightweight Directory Access Protocol.
LPD Line Printer Daemon Protocol.
MIME Multipurpose Internet Mail Extensions and Secure MIME.
MMS Multimedia Messaging Service.
MODBUS Serial communications protocol.
MQTT Message Queuing Telemetry Transport.
NETCONF Network Configuration.
NFS Network File System.
NIS Network Information Service.
NNTP Network News Transfer Protocol.
NTCIP National Transportation Communications for Intelligent Transportation System.
NTP Network Time Protocol.
OSCAR AOL Instant Messenger Protocol.
PNRP Peer Name Resolution Protocol.
PTP Precision Time Protocol.
QUIC QUIC.
RDP Remote Desktop Protocol.
RELP Reliable Event Logging Protocol.
RIP Routing Information Protocol.
RLOGIN Remote Login in UNIX Systems.
RPC Remote Procedure Call.
RTMP Real Time Messaging Protocol.
RTP Real-time Transport Protocol.
RTPS Real Time Publish Subscribe.
RTSP Real Time Streaming Protocol.
SAP Session Announcement Protocol.
SDP Session Description Protocol.
SIP Session Initiation Protocol.
SLP Service Location Protocol.
SMB Server Message Block.
SMTP Simple Mail Transfer Protocol.
SNMP Simple Network Management Protocol.
SNTP Simple Network Time Protocol.
SSH Secure Shell.
SSMS Secure SMS Messaging Protocol.
STYX Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
SV Sampled Values Protocol.
TCAP Transaction Capabilities Application Part.
TDS Tabular Data Stream.
TOR Anonymity network.
TSP Time Stamp Protocol.
VTP Virtual Terminal Protocol.
WHOIS Remote Directory Access Protocol.
WEB_DAV Web Distributed Authoring and Versioning.
X400 Message Handling Service Protocol.
X500 Directory Access Protocol (DAP).
XMPP Extensible Messaging and Presence Protocol.

Ftp

FTP info.

JSON representation
{
  "command": string
}
Fields
command

string

The FTP command.

Email

Email info.

JSON representation
{
  "from": string,
  "replyTo": string,
  "to": [
    string
  ],
  "cc": [
    string
  ],
  "bcc": [
    string
  ],
  "mailId": string,
  "subject": [
    string
  ],
  "bounceAddress": string
}
Fields
from

string

The 'from' address.

replyTo

string

The 'reply to' address.

to[]

string

A list of 'to' addresses.

cc[]

string

A list of 'cc' addresses.

bcc[]

string

A list of 'bcc' addresses.

mailId

string

The mail (or message) ID.

subject[]

string

The subject line(s) of the email.

bounceAddress

string

The envelope from address. See https://en.wikipedia.org/wiki/Bounce_address

Dns

DNS information.

JSON representation
{
  "id": integer,
  "response": boolean,
  "opcode": integer,
  "authoritative": boolean,
  "truncated": boolean,
  "recursionDesired": boolean,
  "recursionAvailable": boolean,
  "responseCode": integer,
  "questions": [
    {
      object (Question)
    }
  ],
  "answers": [
    {
      object (ResourceRecord)
    }
  ],
  "authority": [
    {
      object (ResourceRecord)
    }
  ],
  "additional": [
    {
      object (ResourceRecord)
    }
  ]
}
Fields
id

integer (uint32 format)

DNS query id.

response

boolean

Set to true if the event is a DNS response. See QR field from RFC1035.

opcode

integer (uint32 format)

The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).

authoritative

boolean

Other DNS header flags. See RFC1035, section 4.1.1.

truncated

boolean

Whether the DNS response was truncated.

recursionDesired

boolean

Whether a recursive DNS lookup is desired.

recursionAvailable

boolean

Whether a recursive DNS lookup is available.

responseCode

integer (uint32 format)

Response code. See RCODE from RFC1035.

questions[]

object (Question)

A list of domain protocol message questions.

answers[]

object (ResourceRecord)

A list of answers to the domain name query.

authority[]

object (ResourceRecord)

A list of domain name servers which verified the answers to the domain name queries.

additional[]

object (ResourceRecord)

A list of additional domain name servers that can be used to verify the answer to the domain.

Question

DNS Questions. See RFC1035, section 4.1.2.

JSON representation
{
  "name": string,
  "type": integer,
  "class": integer,
  "prevalence": {
    object (Prevalence)
  }
}
Fields
name

string

The domain name.

type

integer (uint32 format)

The code specifying the type of the query.

class

integer (uint32 format)

The code specifying the class of the query.

prevalence

object (Prevalence)

The prevalence of the domain within the customer's environment.

ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

JSON representation
{
  "name": string,
  "type": integer,
  "class": integer,
  "ttl": integer,
  "data": string,
  "binaryData": string
}
Fields
name

string

The name of the owner of the resource record.

type

integer (uint32 format)

The code specifying the type of the resource record.

class

integer (uint32 format)

The code specifying the class of the resource record.

ttl

integer (uint32 format)

The time interval for which the resource record can be cached before the source of the information should again be queried.

data

string

The payload or response to the DNS question for all responses encoded in UTF-8 format.

binaryData

string (bytes format)

The raw bytes of any non-UTF8 strings that might be included as part of a DNS response.

A base64-encoded string.

Dhcp

DHCP information.

JSON representation
{
  "opcode": enum (OpCode),
  "htype": integer,
  "hlen": integer,
  "hops": integer,
  "transactionId": integer,
  "seconds": integer,
  "flags": integer,
  "ciaddr": string,
  "yiaddr": string,
  "siaddr": string,
  "giaddr": string,
  "chaddr": string,
  "sname": string,
  "file": string,
  "options": [
    {
      object (Option)
    }
  ],
  "type": enum (MessageType),
  "leaseTimeSeconds": integer,
  "clientHostname": string,
  "clientIdentifier": string,
  "requestedAddress": string,
  "clientIdentifierString": string
}
Fields
opcode

enum (OpCode)

The BOOTP op code.

htype

integer (uint32 format)

Hardware address type.

hlen

integer (uint32 format)

Hardware address length.

hops

integer (uint32 format)

Hardware ops.

transactionId

integer (uint32 format)

Transaction ID.

seconds

integer (uint32 format)

Seconds elapsed since client began address acquisition/renewal process.

flags

integer (uint32 format)

Flags.

ciaddr

string

Client IP address (ciaddr).

yiaddr

string

Your IP address (yiaddr).

siaddr

string

IP address of the next bootstrap server.

giaddr

string

Relay agent IP address (giaddr).

chaddr

string

Client hardware address (chaddr).

sname

string

Server name that the client wishes to boot from.

file

string

Boot image filename.

options[]

object (Option)

List of DHCP options.

type

enum (MessageType)

DHCP message type.

leaseTimeSeconds

integer (uint32 format)

Lease time in seconds. See RFC2132, section 9.2.

clientHostname

string

Client hostname. See RFC2132, section 3.14.

clientIdentifier

string (bytes format)

Client identifier. See RFC2132, section 9.14. Note: Make sure to update the clientIdentifierString field as well if you update this field.

A base64-encoded string.

requestedAddress

string

Requested IP address. See RFC2132, section 9.1.

clientIdentifierString

string

Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the clientIdentifier.

OpCode

BOOTP op code. See RFC951, section 3.

Enums
UNKNOWN_OPCODE Default opcode.
BOOTREQUEST Request.
BOOTREPLY Reply.

Option

DHCP options.

JSON representation
{
  "code": integer,
  "data": string
}
Fields
code

integer (uint32 format)

Code. See RFC1533.

data

string (bytes format)

Data.

A base64-encoded string.

MessageType

DHCP message type. See RFC2131, section 3.1.

Enums
UNKNOWN_MESSAGE_TYPE Default message type.
DISCOVER DHCPDISCOVER.
OFFER DHCPOFFER.
REQUEST DHCPREQUEST.
DECLINE DHCPDECLINE.
ACK DHCPACK.
NAK DHCPNAK.
RELEASE DHCPRELEASE.
INFORM DHCPINFORM.
WIN_DELETED Microsoft Windows DHCP "lease deleted".
WIN_EXPIRED Microsoft Windows DHCP "lease expired".

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

JSON representation
{
  "method": string,
  "referralUrl": string,
  "userAgent": string,
  "responseCode": integer,
  "parsedUserAgent": {
    object (UserAgentProto)
  }
}
Fields
method

string

The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").

referralUrl

string

The URL for the HTTP referer.

userAgent

string

The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.

responseCode

integer

The response status code, for example 200, 302, 404, or 500.

parsedUserAgent

object (UserAgentProto)

The parsed userAgent string.

UserAgentProto

JSON representation
{
  "family": enum (Family),
  "subFamily": string,
  "platform": string,
  "device": string,
  "deviceVersion": string,
  "carrier": string,
  "security": string,
  "locale": string,
  "os": string,
  "osVariant": string,
  "browser": string,
  "browserVersion": string,
  "browserEngineVersion": string,
  "googleToolbarVersion": string,
  "javaProfile": string,
  "javaProfileVersion": string,
  "javaConfiguration": string,
  "javaConfigurationVersion": string,
  "messaging": string,
  "messagingVersion": string,
  "annotation": [
    {
      object (Annotation)
    }
  ]
}
Fields
family

enum (Family)

User agent family captures the type of browser/app at a high level, e.g. MSIE, Gecko, Safari.

subFamily

string

Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier.

platform

string

The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family, e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker, e.g. Linux, or HTC, LG, Palm.

device

string

(Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/).

deviceVersion

string

(Usually) Mobile specific: version of hardware device. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/).

carrier

string

Mobile specific: name of mobile carrier

security

string

Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/).

locale

string

Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/).

os

string

Full name of the operating system, e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98". Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/).

osVariant

string

Extra qualifier for the OS, e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061". Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/).

browser

string

Product brand within the family: Firefox, Netscape, Camino etc. Or Earth, Windows-Media-Player etc. for non-browser user agents.

browserVersion

string

Minor and lower versions unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/).

browserEngineVersion

string

Version of the rendering engine e.g. "8.01" for "Opera/8.01"

googleToolbarVersion

string

Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time.

javaProfile

string

Mobile specific: e.g. Profile/MIDP-2.0

javaProfileVersion

string

javaConfiguration

string

Mobile specific: e.g. Configuration/CLDC-1.1

javaConfigurationVersion

string

messaging

string

Mobile specific: e.g. MMP/2.0

messagingVersion

string

annotation[]

object (Annotation)

Family

Enums
USER_DEFINED Used to represent new families supported by user-defined parsers
MSIE Desktop user agent families
GECKO
APPLEWEBKIT WebKit based browsers e.g. Safari
OPERA
KHTML e.g. Konqueror
OTHER Mobile and non-browser user agent families. UAs without enough data to fit into a family.
APPLE Apple apps e.g. YouTube on iPhone
BLACKBERRY
DOCOMO
GOOGLE Google Earth, Sketchup, UpdateChecker etc...
OPENWAVE UP.Browser
POLARIS
OBIGO
TELECA
MICROSOFT Windows Media Player, RSS platform etc...
NOKIA
NETFRONT
SEMC Sony Ericsson Mobile Communications
SMIT
KOREAN SKT, LGT
CLIENT_HINTS Constructed from UA-CH instead of UserAgent string.

Annotation

Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents.

The following keys are modified with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/):

* "Chrome" (see browserVersion)
* "ChromiumBrowser" (unavailable)
* "ChromeWebview" (unavailable)
* "OS_VERSION" (see os)
* "Rest" (unavailable)
* "misc" (see device)

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

value

string

Tls

Transport Layer Security (TLS) information.

JSON representation
{
  "client": {
    object (Client)
  },
  "server": {
    object (Server)
  },
  "cipher": string,
  "curve": string,
  "version": string,
  "versionProtocol": string,
  "established": boolean,
  "nextProtocol": string,
  "resumed": boolean
}
Fields
client

object (Client)

Certificate information for the client certificate.

server

object (Server)

Certificate information for the server certificate.

cipher

string

Cipher used during the connection.

curve

string

Elliptic curve used for a given cipher.

version

string

TLS version.

versionProtocol

string

Protocol.

established

boolean

Indicates whether the TLS negotiation was successful.

nextProtocol

string

Protocol to be used for tunnel.

resumed

boolean

Indicates whether the TLS connection was resumed from a previous TLS negotiation.

Client

Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).

JSON representation
{
  "certificate": {
    object (Certificate)
  },
  "ja3": string,
  "serverName": string,
  "supportedCiphers": [
    string
  ]
}
Fields
certificate

object (Certificate)

Client certificate.

ja3

string

JA3 hash from the TLS ClientHello, as a hex-encoded string.

serverName

string

Host name of the server that the client is connecting to.

supportedCiphers[]

string

Ciphers supported by the client during client hello.

Certificate

Certificate information

JSON representation
{
  "version": string,
  "serial": string,
  "subject": string,
  "issuer": string,
  "md5": string,
  "sha1": string,
  "sha256": string,
  "notBefore": string,
  "notAfter": string
}
Fields
version

string

Certificate version.

serial

string

Certificate serial number.

subject

string

Subject of the certificate.

issuer

string

Issuer of the certificate.

md5

string

The MD5 hash of the certificate, as a hex-encoded string.

sha1

string

The SHA1 hash of the certificate, as a hex-encoded string.

sha256

string

The SHA256 hash of the certificate, as a hex-encoded string.

notBefore

string (Timestamp format)

Indicates when the certificate is first valid.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

notAfter

string (Timestamp format)

Indicates when the certificate is no longer valid.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Server

Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3S hash).

JSON representation
{
  "certificate": {
    object (Certificate)
  },
  "ja3s": string
}
Fields
certificate

object (Certificate)

Server certificate.

ja3s

string

JA3S hash from the TLS ServerHello, as a hex-encoded string.

Smtp

SMTP info. See RFC 2821.

JSON representation
{
  "helo": string,
  "mailFrom": string,
  "rcptTo": [
    string
  ],
  "serverResponse": [
    string
  ],
  "messagePath": string,
  "isWebmail": boolean,
  "isTls": boolean
}
Fields
helo

string

The client's 'HELO'/'EHLO' string.

mailFrom

string

The client's 'MAIL FROM' string.

rcptTo[]

string

The client's 'RCPT TO' string(s).

serverResponse[]

string

The server's response(s) to the client.

messagePath

string

The message's path (extracted from the headers).

isWebmail

boolean

If the message was sent via a webmail client.

isTls

boolean

If the connection switched to TLS.

ProxyInfo

Proxy information.

JSON representation
{
  "anonymous": boolean,
  "anonymousVpn": boolean,
  "publicProxy": boolean,
  "torExitNode": boolean,
  "smartDnsProxy": boolean,
  "hostingProvider": boolean,
  "vpnDatacenter": boolean,
  "residentialProxy": boolean,
  "vpnServiceName": string,
  "proxyOverVpn": boolean,
  "relayProxy": boolean
}
Fields
anonymous

boolean

Whether the IP address is anonymous.

anonymousVpn

boolean

Whether the IP address is an anonymous VPN.

publicProxy

boolean

Whether the IP address is a public proxy.

torExitNode

boolean

Whether the IP address is a Tor exit node.

smartDnsProxy

boolean

Whether the IP address is a smart DNS proxy.

hostingProvider

boolean

Whether the IP address is a hosting provider.

vpnDatacenter

boolean

Whether the IP address is a VPN datacenter.

residentialProxy

boolean

Whether the IP address is a residential proxy.

vpnServiceName

string

The name of the VPN service.

proxyOverVpn

boolean

Whether the IP address is a proxy over VPN.

relayProxy

boolean

Whether the IP address is a relay proxy.