# This file is part of Unirec output plugin for IPFIXcol2
#
# Entries in this file define the mapping from IPFIX Information Elements to UniRec
# fields. You can change the mapping by editing this file. Each entry consists
# of the following parameters:
# - UniRec field name
# - UniRec data type (int{8,16,32,64}, uint{8,16,32,64}, float, double, time,
# ipaddr, macaddr, char, string, bytes)
# - Comma separated list of IPFIX Information Elements identifiers
# ("eXXidYY" where XX is Private Enterprise Number and YY is field ID)
#
# See ipfixcol2-unirec-output(1) for details
#
# Note:
# The IPFIX IEs "_internal_dbf_" and "_internal_lbf_" are not real Information
# Elements; they name internal conversion functions of the UniRec plugin.
# Values of string/bytes fields (e.g. DNS_NAME, HTTP_REQUEST_URL, TLS_SNI) are
# taken from observed traffic and should be treated as untrusted input by
# anything that consumes the resulting UniRec records.
#UNIREC NAME UNIREC TYPE IPFIX IEs DESCRIPTION
# --- Basic fields ---
SRC_IP ipaddr e0id8,e0id27 # IPv4 or IPv6 source address
DST_IP ipaddr e0id12,e0id28 # IPv4 or IPv6 destination address
SRC_PORT uint16 e0id7 # Transport protocol source port
DST_PORT uint16 e0id11 # Transport protocol destination port
PROTOCOL uint8 e0id4 # Transport protocol
TCP_FLAGS uint8 e0id6 # TCP flags
BYTES uint64 e0id1 # Number of bytes in flow
PACKETS uint32 e0id2 # Number of packets in flow
TTL uint8 e0id192 # IP time to live
TOS uint8 e0id5 # IP type of service
TIME_FIRST time e0id150,e0id152,e0id154,e0id156 # Time of the first packet of a flow
TIME_LAST time e0id151,e0id153,e0id155,e0id157 # Time of the last packet of a flow
DIR_BIT_FIELD uint8 _internal_dbf_ # Bit field used for determining incoming/outgoing flow (1 => Incoming, 0 => Outgoing)
LINK_BIT_FIELD uint64 _internal_lbf_ # Bit field of links on which the flow was seen
# --- DNS specific fields ---
DNS_ANSWERS uint16 e8057id0 # DNS answers
DNS_RCODE uint8 e8057id1 # DNS rcode
DNS_NAME string e8057id2 # DNS name
DNS_QTYPE uint16 e8057id3 # DNS qtype
DNS_CLASS uint16 e8057id4 # DNS class
DNS_RR_TTL uint32 e8057id5 # DNS rr ttl
DNS_RLENGTH uint16 e8057id6 # DNS rdata length
DNS_RDATA bytes e8057id7 # DNS rdata
DNS_PSIZE uint16 e8057id8 # DNS payload size
DNS_DO uint8 e8057id9 # DNS DNSSEC OK bit
DNS_ID uint16 e8057id10 # DNS transaction id
# --- SMTP specific fields ---
#SMTP_FLAGS uint8 e8057id200 # SMTP flags
SMTP_COMMAND_FLAGS uint32 e8057id810 # SMTP command flags
SMTP_MAIL_CMD_COUNT uint32 e8057id811 # SMTP MAIL command count
SMTP_RCPT_CMD_COUNT uint32 e8057id812 # SMTP RCPT command count
SMTP_FIRST_SENDER string e8057id813 # SMTP first sender
SMTP_FIRST_RECIPIENT string e8057id814 # SMTP first recipient
SMTP_STAT_CODE_FLAGS uint32 e8057id815 # SMTP status code flags
SMTP_2XX_STAT_CODE_COUNT uint32 e8057id816 # SMTP 2XX status code count
SMTP_3XX_STAT_CODE_COUNT uint32 e8057id817 # SMTP 3XX status code count
SMTP_4XX_STAT_CODE_COUNT uint32 e8057id818 # SMTP 4XX status code count
SMTP_5XX_STAT_CODE_COUNT uint32 e8057id819 # SMTP 5XX status code count
SMTP_DOMAIN string e8057id820 # SMTP domain
# --- SIP specific fields ---
SIP_MSG_TYPE uint16 e8057id100 # SIP message type
SIP_STATUS_CODE uint16 e8057id101 # SIP status code
SIP_CALL_ID string e8057id102 # SIP call id
SIP_CALLING_PARTY string e8057id103 # SIP from
SIP_CALLED_PARTY string e8057id104 # SIP to
SIP_VIA string e8057id105 # SIP VIA
SIP_USER_AGENT string e8057id106 # SIP user agent
SIP_REQUEST_URI string e8057id107 # SIP request uri
SIP_CSEQ string e8057id108 # SIP CSeq
# --- HTTP elements --- (Flowmon HTTP plugin under the MUNI PEN, and the CESNET sdm-http(s) plugin under the CESNET PEN)
HTTP_REQUEST_METHOD_ID uint32 e16982id500,e8057id800 # HTTP request method id
HTTP_REQUEST_HOST string e16982id501,e8057id801,e8057id808 # HTTP(S) request host
HTTP_REQUEST_URL string e16982id502,e8057id802 # HTTP request url
HTTP_REQUEST_AGENT_ID uint32 e16982id503 # HTTP request agent id
HTTP_REQUEST_AGENT string e16982id504,e8057id804 # HTTP request agent
HTTP_REQUEST_REFERER string e16982id505,e8057id803 # HTTP referer
HTTP_RESPONSE_STATUS_CODE uint32 e16982id506,e8057id805 # HTTP response status code
HTTP_RESPONSE_CONTENT_TYPE string e16982id507,e8057id806 # HTTP response content type
HTTP_REQUEST_RANGE bytes e8057id821 # HTTP range
HTTP_RESPONSE_TIME uint64 e8057id807,e8057id809 # HTTP(S) application response time
# --- Flowmon (former Invea) specific fields ---
INVEA_VOIP_PACKET_TYPE uint8 e39499id32 # VOIP packet type
INVEA_SIP_CALL_ID string e39499id33 # SIP call ID
INVEA_SIP_CALLING_PARTY string e39499id34 # SIP calling party
INVEA_SIP_CALLED_PARTY string e39499id35 # SIP called party
INVEA_SIP_VIA string e39499id36 # SIP VIA
INVEA_SIP_INVITE_RINGING_TIME time e39499id37 # SIP INVITE ringing time
INVEA_SIP_OK_TIME time e39499id38 # SIP OK time
INVEA_SIP_BYE_TIME time e39499id39 # SIP BYE time
INVEA_SIP_RTP_IP4 ipaddr e39499id40 # SIP RTP IPv4
INVEA_SIP_RTP_IP6 ipaddr e39499id41 # SIP RTP IPv6
INVEA_SIP_RTP_AUDIO uint16 e39499id42 # SIP RTP audio
INVEA_SIP_RTP_VIDEO uint16 e39499id43 # SIP RTP video
INVEA_SIP_STATS uint64 e39499id44 # SIP stats
INVEA_RTP_CODEC uint8 e39499id45 # RTP codec
INVEA_RTP_JITTER uint32 e39499id46 # RTP jitter
INVEA_RTCP_LOST uint32 e39499id47 # RTCP lost
INVEA_RTCP_PACKETS uint64 e39499id48 # RTCP packets
INVEA_RTCP_OCTETS uint64 e39499id49 # RTCP octets
INVEA_RTCP_SOURCE_COUNT uint8 e39499id50 # RTCP source count
INVEA_SIP_USER_AGENT string e39499id51 # SIP User Agent
INVEA_SIP_REQUEST_URI string e39499id52 # SIP Request-URI
# --- Heartbeat detection fields ---
HB_TYPE uint8 e8057id700 # TLS content type
HB_DIR uint8 e8057id701 # Heartbeat request/response byte
HB_SIZE_MSG uint16 e8057id702 # Heartbeat message size
HB_SIZE_PAYLOAD uint16 e8057id703 # Heartbeat payload size
# --- Other fields ---
#FLOWDIR_SYN uint8 e8057id299 # Packet with SYN flag only flag
VENOM uint8 e8057id1001 # Venom rootkit detection
IPV6_TUN_TYPE uint8 e16982id405 # IPv6 tunnel type
APP_ID bytes e0id95 # Application ID from libprotoident / NBAR2 / Flowmon's NBAR plugin
# --- Flowmon TLS fields ---
TLS_CONTENT_TYPE uint8 flowmon:tlsContentType # tlsContentType
TLS_HANDSHAKE_TYPE uint32 flowmon:tlsHandshakeType # https://tools.ietf.org/html/rfc5246#appendix-A.4
TLS_SETUP_TIME uint64 flowmon:tlsSetupTime # tlsSetupTime
TLS_SERVER_VERSION uint16 flowmon:tlsServerVersion # 8b major and 8b minor, 0x0303 ~ TLS1.2
TLS_SERVER_RANDOM bytes flowmon:tlsServerRandom # tlsServerRandom
TLS_SERVER_SESSIONID bytes flowmon:tlsServerSessionId # tlsServerSessionId
TLS_CIPHER_SUITE uint16 flowmon:tlsCipherSuite # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
TLS_ALPN string flowmon:tlsAlpn # TLS Application-Layer Protocol Negotiation https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
TLS_SNI string flowmon:tlsSni # Server Name Indication https://en.wikipedia.org/wiki/Server_Name_Indication
TLS_SNI_LENGTH uint16 flowmon:tlsSniLength # Length of TLS_SNI field
TLS_CLIENT_VERSION uint16 flowmon:tlsClientVersion # tlsClientVersion
TLS_CIPHER_SUITES bytes flowmon:tlsCipherSuites # List of 2B ciphers, beware of network byte order. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
TLS_CLIENT_RANDOM bytes flowmon:tlsClientRandom # tlsClientRandom
TLS_CLIENT_SESSIONID bytes flowmon:tlsClientSessionId # tlsClientSessionId
TLS_EXTENSION_TYPES bytes flowmon:tlsExtensionTypes # tlsExtensionTypes
TLS_EXTENSION_LENGTHS bytes flowmon:tlsExtensionLengths # tlsExtensionLengths
TLS_ELLIPTIC_CURVES bytes flowmon:tlsEllipticCurves # tlsEllipticCurves
TLS_EC_POINTFORMATS bytes flowmon:tlsEcPointFormats # tlsEcPointFormats
TLS_CLIENT_KEYLENGTH int32 flowmon:tlsClientKeyLength # Length of client's key
TLS_ISSUER_CN string flowmon:tlsIssuerCn # Common name of certificate issuer
TLS_SUBJECT_CN string flowmon:tlsSubjectCn # Certificate Common Name
TLS_SUBJECT_ON string flowmon:tlsSubjectOn # Certificate Organization Name
TLS_VALIDITY_NOTBEFORE int64 flowmon:tlsValidityNotBefore # UNIX timestamp of certificate creation
TLS_VALIDITY_NOTAFTER int64 flowmon:tlsValidityNotAfter # UNIX timestamp of certificate expiration
TLS_SIGNATURE_ALG uint16 flowmon:tlsSignatureAlg # tlsSignatureAlg
TLS_PUBLIC_KEYALG uint16 flowmon:tlsPublicKeyAlg # tlsPublicKeyAlg
TLS_PUBLIC_KEYLENGTH int32 flowmon:tlsPublicKeyLength # tlsPublicKeyLength
TLS_JA_3FINGERPRINT bytes flowmon:tlsJa3Fingerprint # tlsJa3Fingerprint