================================================================================ DC Engine Technical Reference Version v1.13.12+511c79e 15.04.2026 ================================================================================ Table of Contents 1. Requirements .......................................................... 2. Version and Dependencies .............................................. 3. Configuration Summary ................................................. 4. Protocols ............................................................. 4.1 Built-in Protocols ............................................... 4.2 Configuration Protocols .......................................... 4.3 Fields ........................................................... 4.3.1 arp ....................................................... 4.3.2 bittorrent ................................................ 4.3.3 bittorrent_dht ............................................ 4.3.4 bittorrent_tracker ........................................ 4.3.5 bittorrent_utp ............................................ 4.3.6 dns ....................................................... 4.3.7 dropbox_lan_sync .......................................... 4.3.8 dropbox_lan_sync_discovery ................................ 4.3.9 dtls ...................................................... 4.3.10 ethernet .................................................. 4.3.11 ftp ....................................................... 4.3.12 gre ....................................................... 4.3.13 gtp ....................................................... 4.3.14 http ...................................................... 4.3.15 http2 ..................................................... 4.3.16 icmp ...................................................... 4.3.17 icmpv6 .................................................... 4.3.18 igmp ...................................................... 4.3.19 imap ...................................................... 4.3.20 ipv4 ...................................................... 4.3.21 ipv6 ...................................................... 4.3.22 isakmp .................................................... 4.3.23 l2tp ...................................................... 4.3.24 mdns ...................................................... 4.3.25 ntp ....................................................... 4.3.26 openvpn ................................................... 4.3.27 ospf ...................................................... 4.3.28 payload ................................................... 4.3.29 pop3 ...................................................... 4.3.30 ppp ....................................................... 4.3.31 pppoe ..................................................... 4.3.32 pptp ...................................................... 4.3.33 quic ...................................................... 4.3.34 rarp ...................................................... 4.3.35 rtcp ...................................................... 4.3.36 rtp ....................................................... 4.3.37 sftp ...................................................... 4.3.38 sip ....................................................... 4.3.39 smtp ...................................................... 4.3.40 socks ..................................................... 4.3.41 srtcp ..................................................... 4.3.42 srtp ...................................................... 4.3.43 ssdp ...................................................... 4.3.44 ssh ....................................................... 4.3.45 stun ...................................................... 4.3.46 tcp ....................................................... 4.3.47 telnet .................................................... 4.3.48 teredo .................................................... 4.3.49 tls ....................................................... 4.3.50 udp ....................................................... 4.3.51 vlan_c_tag ................................................ 4.3.52 websocket ................................................. 4.3.53 wireguard ................................................. 4.4 Decoders ......................................................... 4.5 Info Tables ...................................................... 5. Extensions ............................................................ 6. Classification ........................................................ 6.1 Categories ....................................................... 6.2 Workflow ......................................................... 6.3 Metadata ......................................................... 6.4 Services ......................................................... 7. Performance ........................................................... ================================================================================ 1. Requirements ──────────────────────────────────────────────────────────────────────────────── os os | status ------------|------- unix-like | + macos | + windows | + dev name | description ------------|------------ compiler | clang language | c++ glibc | 2.39 standard | c++17 build | cmake 2. Version and Dependencies ──────────────────────────────────────────────────────────────────────────────── product : dc engine release : v1.13.12+511c79e dependencies name version ---------------------- ------------------------------ pcap libpcap version 1.10.4 (with TPACKET_V3) nlohmann_json 3.12.0 re2 9.0.0 openssl 3.2.1 tcmalloc 2.17.2 3. Configuration Summary ──────────────────────────────────────────────────────────────────────────────── parameter value ----------------------------------- ------------ active tags 565 inactive tags 1 expressions 17 classifier tags 553 no-offload protocols 6 domains 62,886 ipv4 cidr entries 405,078 ipv6 cidr entries 627,757 ipv4 socket entries 0 ipv6 socket entries 0 dns cache tags 1 session cache tags 0 longest domain path 8 session storage elements 0 4. Protocols ──────────────────────────────────────────────────────────────────────────────── 4.1 Built-in Protocols each entry lists the protocol name, its osi layer, known ports, and optional payload patterns used for identification. arp osi layer : data-link ports : - patterns : - bittorrent osi layer : application ports : tcp: 6889, 6888, 6884, 6883, 6885, 6887, 6886, 6882, 6881 patterns : - bittorrent_dht osi layer : application ports : - patterns : d1:ad, d1:rd, d2:ip, d1:el bittorrent_tracker osi layer : application ports : - patterns : - bittorrent_utp osi layer : transport ports : - patterns : - dns osi layer : application ports : tcp: 53; udp: 53 patterns : - dropbox_lan_sync osi layer : application ports : tcp: 17500 patterns : - dropbox_lan_sync_discovery osi layer : application ports : udp: 17500 patterns : {\"host_int\" dtls osi layer : transport ports : udp: 443 patterns : - ethernet osi layer : data-link ports : - patterns : - ftp osi layer : application ports : tcp: 21 patterns : - gre osi layer : data-link ports : - patterns : - gtp osi layer : transport ports : udp: 2152, 2123 patterns : - http osi layer : application ports : tcp: 80 patterns : HTTP/1.1, HTTP/1.0, GET, POST, HEAD, PUT, DELETE, CONNECT, OPTIONS, TRACE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH, UNLOCK, BIND, REBIND, UNBIND, ACL, REPORT, MKACTIVITY, CHECKOUT, MERGE, PATCH, PURGE, MKCALENDAR, LINK, UNLINK, SOURCE http2 osi layer : application ports : tcp: 80 patterns : PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n http3 osi layer : application ports : - patterns : - icmp osi layer : network ports : - patterns : - icmpv6 osi layer : network ports : - patterns : - igmp osi layer : network ports : - patterns : - imap osi layer : application ports : tcp: 143 patterns : - ipv4 osi layer : network ports : - patterns : - ipv6 osi layer : network ports : - patterns : - isakmp osi layer : session ports : udp: 500 patterns : - l2tp osi layer : session ports : udp: 1701 patterns : - mdns osi layer : application ports : tcp: 5353; udp: 5353 patterns : - ntp osi layer : application ports : udp: 123 patterns : - openvpn osi layer : network ports : tcp: 1194; udp: 1194 patterns : - ospf osi layer : network ports : - patterns : - payload osi layer : undefined ports : - patterns : - pop3 osi layer : application ports : tcp: 25 patterns : - ppp osi layer : session ports : - patterns : - pppoe osi layer : data-link ports : - patterns : - pptp osi layer : data-link ports : - patterns : - quic osi layer : transport ports : udp: 443 patterns : - rarp osi layer : data-link ports : - patterns : - rtcp osi layer : session ports : - patterns : - rtp osi layer : application ports : - patterns : - sftp osi layer : application ports : tcp: 115 patterns : - sip osi layer : application ports : tcp: 5060; udp: 5060 patterns : INVITE, ACK, BYE, CANCEL, REGISTER, OPTIONS, INFO, PRACK, PUBLISH, REFER, SUBSCRIBE, UPDATE, SIP/2.0 smtp osi layer : application ports : tcp: 587, 110 patterns : - socks osi layer : session ports : tcp: 1080 patterns : - srtcp osi layer : session ports : - patterns : - srtp osi layer : application ports : - patterns : - ssdp osi layer : application ports : udp: 1900 patterns : HTTP/1.1, HTTP/1.0, M-SEARCH, NOTIFY, SUBSCRIBE, SSDPC ssh osi layer : application ports : tcp: 22 patterns : - stun osi layer : application ports : tcp: 3478; udp: 3478 patterns : - tcp osi layer : transport ports : - patterns : - telnet osi layer : application ports : tcp: 23 patterns : - teredo osi layer : network ports : tcp: 1723; udp: 3544 patterns : - tls osi layer : session ports : tcp: 995, 993, 443 patterns : - udp osi layer : transport ports : - patterns : - vlan_c_tag osi layer : data-link ports : - patterns : - websocket osi layer : application ports : - patterns : - wireguard osi layer : network ports : udp: 51820 patterns : - 4.2 Configuration Protocols the following protocol tags extend built-in detection with classifier-defined entries. all entries are marked [cfg]. 4.3 Fields each protocol exposes a set of typed fields for packet inspection. fields marked (*) may appear more than once per packet. 4.3.1 arp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : htype type : uint16 length : 2 multiple : false desc : Hardware type. (Network link protocol type) field : ptype type : uint16 length : 2 multiple : false desc : Protocol type. Specifies internetwork protocol. field : hlen type : uint8 length : 1 multiple : false desc : Hardware address length. (in octets) field : plen type : uint8 length : 1 multiple : false desc : Protocol length. (Internetwork addresses length; in octets) field : op type : uint16 length : 2 multiple : false desc : Operation. 1: request, 2: reply. field : sha type : byte-sequence length : variable multiple : false desc : Sender hardware address. In request, indicates the address of the host sending the request. In reply, indicates the address of the host that the request was looking for. field : spa type : byte-sequence length : variable multiple : false desc : Sender protocol address. (Internetwork address of the sender) field : tha type : byte-sequence length : variable multiple : false desc : Target hardware address. In request, this field is not used. In reply, indicates the address of the host that originated the ARP request. field : tpa type : byte-sequence length : variable multiple : false desc : Target protocol address. (Internetwork address of the intended receiver) field : data type : byte-sequence length : variable multiple : false desc : The unmapped data which is following after ARP header. 4.3.2 bittorrent ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. 4.3.3 bittorrent_dht ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : ip type : uint32 length : 4 multiple : true desc : The value of 'ip' key. IP address. field : ip_port type : uint16 length : 2 multiple : true desc : The value of 'ip' key. Port number. field : nodes type : byte-sequence length : variable multiple : true desc : The value of 'nodes' key. field : node type : byte-sequence length : variable multiple : true desc : The value of 'nodes' array. field : node_id type : byte-sequence length : 20 multiple : true desc : The node id. field : node_ip type : uint32 length : 4 multiple : true desc : The node ip. field : node_port type : uint16 length : 2 multiple : true desc : The node port. field : nodes6 type : byte-sequence length : variable multiple : true desc : The value of 'nodes6' key. field : node6 type : byte-sequence length : variable multiple : true desc : The value of 'nodes6' array. field : node6_id type : byte-sequence length : 20 multiple : true desc : The node6 id. field : node6_ip type : byte-sequence length : variable multiple : true desc : The node6 ip. field : node6_port type : uint16 length : 2 multiple : true desc : The node6 port. 4.3.4 bittorrent_tracker ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. 4.3.5 bittorrent_utp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. 4.3.6 dns ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : dns_message_length type : uint16 length : 2 multiple : false desc : Dns message length - is presented only for tcp transport. field : id type : uint16 length : 2 multiple : false desc : A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied the corresponding reply and can be used by the requester to match up replies to outstanding queries. field : qr type : 16-bit-field length : 2 multiple : false desc : Bit specifies message type. Query (0), response (1). field : opcode type : 16-bit-field length : 2 multiple : false desc : A four bit field that specifies kind of query in this message. This value is set by the originator of a query and copied into the response. The values are: 0 (standard query), 1 (inverse query), 2 (server status request), 3-15 (reserved for future use). field : aa type : 16-bit-field length : 2 multiple : false desc : Authoritative Answer - this bit is valid in responses, and specifies that the responding name server is an authority for the domain name in question section. field : tc type : 16-bit-field length : 2 multiple : false desc : TrunCation - specifies that this message was truncated due to length greater than that permitted on the transmission channel. field : rd type : 16-bit-field length : 2 multiple : false desc : Recursion Desired - this bit may be set in a query and is copied into the response. If RD is set, it directs the name server to pursue the query recursively. Recursive query support is optional. field : ra type : 16-bit-field length : 2 multiple : false desc : Recursion Available - this be is set or cleared in a response, and denotes whether recursive query support is available in the name server. field : z type : 16-bit-field length : 2 multiple : false desc : Reserved for future use. Must be zero in all queries and responses. field : rcode type : 16-bit-field length : 2 multiple : false desc : Response code - this 4 bit field is set as part of responses. The values have the following interpretation:0 (No error condition), 1 (Format error - The name server was unable to interpret the query), 2 (Server failure - The name server was unable to process this query due to a problem with the name server), 3 (Name Error - Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist), 4 (Not Implemented - The name server does not support the requested kind of query), 5 (Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data), 6-15 (Reserved for future use). field : qdcount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of entries in the question section. field : ancount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of resource records in the answer section. field : nscount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of name server resource records in the authority records section. field : arcount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of resource records in the additional records section. field : queries type : byte-sequence length : variable multiple : false desc : Question section. field : query type : byte-sequence length : variable multiple : true desc : Query record. field : qname type : byte-sequence length : variable multiple : true desc : A domain name represented as a sequence of labels, where each label consists of a length octet followed by that number of octets. The domain name terminates with the zero length octet for the null label of the root. Note that this field may be an odd number of octets; no padding is used. field : qtype type : uint16 length : 2 multiple : true desc : A two octet code which specifies the type of the query. The values for this field include all codes valid for a TYPE field, together with some more general codes which can match more than one type of RR. field : qclass type : uint16 length : 2 multiple : true desc : A two octet code that specifies the class of the query. For example, the QCLASS field is IN for the Internet. field : answers type : byte-sequence length : variable multiple : false desc : Answer section. field : authority_records type : byte-sequence length : variable multiple : false desc : Authority records section. field : additional_records type : byte-sequence length : variable multiple : false desc : Additional records section. field : record type : byte-sequence length : variable multiple : true desc : Resource record. field : domain_name type : byte-sequence length : variable multiple : true desc : A domain name to which this resource record pertains. field : domain_name_label_length type : uint8 length : 1 multiple : true desc : A domain name label length. field : domain_name_label type : ascii-string length : variable multiple : true desc : A domain name label. field : domain_name_pointer type : uint16 length : 2 multiple : true desc : A domain name pointer. field : domain_name_offset type : 16-bit-field length : 2 multiple : true desc : A domain name offset. field : rdata_type type : uint16 length : 2 multiple : true desc : Specifies the meaning of the data in the rdata. field : rdata_class type : uint16 length : 2 multiple : true desc : Specifies the class of the data in the rdata. field : ttl type : uint32 length : 4 multiple : true desc : Specifies the time interval (in seconds) that the resource record may be cached before it should be discarded. field : rd_length type : uint16 length : 2 multiple : true desc : Specifies the length in octets of the rdata. field : rdata type : byte-sequence length : variable multiple : true desc : A variable length string of octets that describes the resource. field : nsdname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which should be authoritative for the specified class and domain. field : mb_madname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which has the specified mailbox. field : md_madname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which has a mail agent for the domain which should be able to deliver mail for the domain. field : mf_madname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which has a mail agent for the domain which will accept mail for forwarding to the domain. field : cname type : byte-sequence length : variable multiple : true desc : A domain name which specifies the canonical or primaryname for the owner. field : mgname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is a member of the mail group specified by the domain name. field : newname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is the proper rename of the specified mailbox. field : ptrdname type : byte-sequence length : variable multiple : true desc : A domain name which points to some location in the domain name space. field : preference type : uint16 length : 2 multiple : true desc : Specifies the preference given to this RR among others at the same owner. field : exchange type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host willing to act as mail exchange for the owner name. field : rmailbx type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is responsible for the mailing list or mailbox. field : emailbx type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is to receive error messages related to the mailing list or mailbox specified by the owner of the MINFO RR. field : txt_length type : uint8 length : 1 multiple : true desc : Txt string length. field : txt type : ascii-string length : variable multiple : true desc : One or more character string(s). are used to hold descriptive text. the semantics of the text depends on the domain where it is found. field : mname type : byte-sequence length : variable multiple : true desc : A domain name of the name server that was the original or primary source of data for this zone. field : rname type : byte-sequence length : variable multiple : true desc : A domain name which specifies the mailbox of the person responsible for this zone. field : serial type : uint32 length : 4 multiple : true desc : Version number of the original copy of the zone. zone transfers preserve this value. field : refresh type : uint32 length : 4 multiple : true desc : Time interval before the zone should be refreshed. field : retry type : uint32 length : 4 multiple : true desc : Time interval that should elapse before a failed refresh should be retried. field : expire type : uint32 length : 4 multiple : true desc : Time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative. field : minimum type : uint32 length : 4 multiple : true desc : Minimum ttl field that should be exported with any RR from this zone. field : address type : uint32 length : 4 multiple : true desc : Internet address. field : null_data type : byte-sequence length : variable multiple : true desc : Any data. Null section. field : cpu_length type : uint8 length : 1 multiple : true desc : CPU string length. field : cpu type : ascii-string length : variable multiple : true desc : A character-string which specifies the cpu type. field : os_length type : uint8 length : 1 multiple : true desc : OS string length. field : os type : ascii-string length : variable multiple : true desc : A character-string which specifies the operating system type. field : wks_address type : uint32 length : 4 multiple : true desc : Internet address. field : protocol type : uint8 length : 1 multiple : true desc : IP protocol number. field : bit_mask type : byte-sequence length : variable multiple : true desc : Bit map has one bit per port of the specified protocol. field : aaaa type : byte-sequence length : 16 multiple : true desc : A 128 bit IPv6 address in network byte order (high-order byte first). field : prefix_length type : uint8 length : 1 multiple : true desc : A prefix length, encoded as an eight-bit unsigned integer with value between 0 and 128 inclusive. field : address_suffix type : byte-sequence length : 16 multiple : true desc : An IPv6 address suffix, encoded in network order (high-order octet first). field : prefix_name type : byte-sequence length : variable multiple : true desc : The name of the prefix, encoded as a domain name. field : svc_priority type : uint16 length : 2 multiple : true desc : The priority of the record (relative to others, with lower values preferred). A value of 0 indicates AliasMode. field : target_name type : byte-sequence length : variable multiple : true desc : The domain name of either the alias target (for AliasMode) or the alternative endpoint (for ServiceMode). field : svc_param type : byte-sequence length : variable multiple : true desc : A list of key=value pairs describing the alternative endpoint at TargetName (only used in ServiceMode and otherwise ignored). field : svc_param_key type : uint16 length : 2 multiple : true desc : The SVC paramater key. The key specifies the param value format. field : svc_param_value_length type : uint16 length : 2 multiple : true desc : The length of param value data section. field : svc_param_value type : byte-sequence length : variable multiple : true desc : The param value data section. field : alpn_length type : uint8 length : 1 multiple : true desc : The ALPN value length. field : alpn type : ascii-string length : variable multiple : true desc : The Application-Layer Protocol Negotiation (ALPN) protocol identifiers [ALPN] and associated transport protocols supported by this service endpoint. field : port type : uint16 length : 2 multiple : true desc : The TCP or UDP port that should be used to reach this alternative endpoint. If this key is not present, clients SHALL use the authority endpoint's port number. field : ipv4 type : uint32 length : 4 multiple : true desc : The IPv4 address that clients MAY use to reach the service. field : ipv6 type : byte-sequence length : 16 multiple : true desc : The IPv6 address that clients MAY use to reach the service. 4.3.7 dropbox_lan_sync ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : type type : uint8 length : 1 multiple : false desc : The type field. Configuration (0x16), Data (0x17). field : magic type : uint16 length : 2 multiple : false desc : Magic number. Usually has 0x0301 value. field : data_length type : uint16 length : 2 multiple : false desc : The data length. field : data type : byte-sequence length : variable multiple : false desc : The payload data. 4.3.8 dropbox_lan_sync_discovery ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : data type : byte-sequence length : variable multiple : false desc : Data payload (it should have json format with 'host_int', 'version', 'displayname', 'port', 'namespaces' fields). 4.3.9 dtls ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : record type : byte-sequence length : variable multiple : true desc : Record layer. field : record_content_type type : uint8 length : 1 multiple : true desc : The higher-level protocol used to process the enclosed fragment/message. field : record_connection_id type : byte-sequence length : variable multiple : true desc : The connection identificator. The field is presented when fixed bits (3 higher bits) of record content type is equal to 1 and when previous session packets have been processed. field : record_protocol_version type : uint16 length : 2 multiple : true desc : The version of the protocol being employed. field : record_protocol_major_version type : uint8 length : 1 multiple : true desc : The major number of protocol version. field : record_protocol_minor_version type : uint8 length : 1 multiple : true desc : The minor number of protocol version. field : record_epoch type : uint16 length : 2 multiple : true desc : A counter value that is incremented on every cipher state change. field : record_sequence_number type : byte-sequence length : variable multiple : true desc : The sequence number for this record. The length of the field depends on record content type. field : record_message_length type : uint16 length : 2 multiple : true desc : The length (in bytes) of the following TLSPlaintext.fragment. The length MUST NOT exceed 2^14. field : record_message type : byte-sequence length : variable multiple : true desc : The application data. This data is transparent and treated as an independent block to be deal with by the higher-level protocol specified by the type field. For DTLS v1.3 protocol that field might contain encrypted data if fixed bits (3 higher bits) of record content type is equal to 1. field : heartbeat_message_type type : uint8 length : 1 multiple : true desc : The message type, either heartbeat_request (1) or heartbeat_response (2). field : heartbeat_payload_length type : uint16 length : 2 multiple : true desc : The length of the payload. field : heartbeat_payload type : byte-sequence length : variable multiple : true desc : The payload consists of arbitrary content. field : heartbeat_padding type : byte-sequence length : variable multiple : true desc : The padding is random content that MUST be ignored by the receiver. The padding_length MUST be at least 16. field : signature_scheme type : uint16 length : 2 multiple : true desc : The field specifies hash and signature algorithm. The field can exist only for tls v1.3 sessions. field : change_cipher_spec_type type : uint8 length : 1 multiple : true desc : The change cipher spec protocol exists to signal transitions in ciphering strategies. The protocol consists of a single message, which is encrypted and compressed under the current (not the pending) connection state. The message consists of a single byte of value 1. field : alert_level type : uint8 length : 1 multiple : true desc : Alert message level. field : alert_description type : uint8 length : 1 multiple : true desc : Alert message description. field : record_numbers_length type : uint16 length : 2 multiple : true desc : The record numbers length of ACK record. field : record_numbers type : byte-sequence length : variable multiple : true desc : A list of the records containing handshake messages in the current flight which the endpoint has received and either processed or buffered, in numerically increasing order. field : record_number type : byte-sequence length : 16 multiple : true desc : The structure: epoch:sequence_number. Each field is occupied 64 bits. This 128-bit value is used in the ACK message as well as in the "record_sequence_number" input to the Authenticated Encryption with Associated Data (AEAD) function. field : handshake_header type : byte-sequence length : variable multiple : true desc : The header of handshake protocol. The TLS Handshake Protocol is one of the defined higher-level clients of the TLS Record Protocol. This protocol is used to negotiate the secure attributes of a session. Handshake messages are supplied to the TLS record layer, where they are encapsulated within one or more TLSPlaintext structures, which are processed and transmitted as specified by the current active session state. field : handshake_type type : 32-bit-field length : 4 multiple : true desc : The handshake message type: 0 (hello_request), 1 (client_hello), 2 (server_hello), 11 (certificate), 12 (server_key_exchange), 13 (certificate_request), 14 (server_hello_done), 15 (certificate_verify), 16 (client_key_exchange), 20 (finished), 255. field : handshake_message_sequence type : 64-bit-field length : 8 multiple : true desc : The message sequence number. field : handshake_fragment_offset type : 64-bit-field length : 8 multiple : true desc : The fragment offset. field : handshake_fragment_length type : 64-bit-field length : 8 multiple : true desc : The fragment length. field : handshake_message_length type : 32-bit-field length : 4 multiple : true desc : The length of handshake message. field : handshake_message type : byte-sequence length : variable multiple : true desc : The handshake message. field : server_protocol_version type : uint16 length : 2 multiple : true desc : The version of the protocol being employed. HelloVerifyRequest message. field : server_protocol_major_version type : uint8 length : 1 multiple : true desc : The major number of protocol version. HelloVerifyRequest message. field : server_protocol_minor_version type : uint8 length : 1 multiple : true desc : The minor number of protocol version. HelloVerifyRequest message. field : server_cookie_length type : uint8 length : 1 multiple : true desc : The server cookie value length. HelloVerifyRequest message. field : server_cookie type : byte-sequence length : variable multiple : true desc : The server cookie value. HelloVerifyRequest message. field : client_version type : uint16 length : 2 multiple : true desc : The version of the TLS protocol by which the client wishes to communicate during this session. field : client_major_version type : uint8 length : 1 multiple : true desc : The major number of client TLS protocol. field : client_minor_version type : uint8 length : 1 multiple : true desc : The minor number of client TLS client protocol. field : server_version type : uint16 length : 2 multiple : true desc : This field will contain the lower of that suggested by the client in the client hello and the highest supported by the server. field : server_major_version type : uint8 length : 1 multiple : true desc : The major number of server TLS protocol. field : server_minor_version type : uint8 length : 1 multiple : true desc : The minor number of server TLS protocol. field : random type : byte-sequence length : 32 multiple : true desc : A client/server generated random structure. The structure which is generated by the server MUST be independently generated from the ClientHello.random. (Client/Server handshake header field) field : random_gmt_unix_time type : uint32 length : 4 multiple : true desc : The current time and date in standard UNIX 32-bit format (seconds since the midnight starting Jan 1, 1970, UTC, ignoring leap seconds) according to the sender's internal clock. (Client/Server handshake header field) field : random_bytes type : byte-sequence length : 28 multiple : true desc : 28 bytes generated by a secure random number generator. (Client/Server handshake header field) field : session_id_length type : uint8 length : 1 multiple : true desc : The length of session id. (Client/Server handshake header field) field : session_id type : byte-sequence length : variable multiple : true desc : Id of the session corresponding to this connection. (Client/Server handshake header field) field : cookie_length type : uint8 length : 1 multiple : true desc : The cookie value length. ClientHello message. field : cookie type : byte-sequence length : variable multiple : true desc : The cookie value. ClientHello message. field : cipher_suites_length type : uint16 length : 2 multiple : true desc : The length of cipher suites field. (Client handshake header field) field : cipher_suites type : uint-16-array length : variable multiple : true desc : This is a list of the cryptographic options supported by the client, with the client's first preference first. (Client handshake header field) field : cipher_suite type : uint16 length : 2 multiple : true desc : For client: an element of cipher suites. For server: the single cipher suite selected by the server from the client cipher suite list. (Client/Server handshake header field) field : compression_methods_length type : uint8 length : 1 multiple : true desc : The length of compression methods field. (Client handshake header field) field : compression_methods type : uint-8-array length : variable multiple : true desc : This is a list of the compression methods supported by the client, sorted by client preference. (Client handshake header field) field : compression_method type : uint8 length : 1 multiple : true desc : For client: an element of compression methods. For server: the single compression algorithm selected by the server from the client compression method list. (Client/Server handshake header field) field : extensions type : byte-sequence length : variable multiple : true desc : A list of extensions. Clients MAY request extended functionality from servers by sending data in the extensions field. Note that only extensions offered by the client can appear in the server's list. (Client/Server handshake header field) field : extensions_length type : uint16 length : 2 multiple : true desc : The length of extensions field. field : extension type : byte-sequence length : variable multiple : true desc : Extension record/unit. field : extension_type type : uint16 length : 2 multiple : true desc : The field identifies the particular extension type. A part of extension header. (Client/Server handshake header field) field : extension_length type : uint16 length : 2 multiple : true desc : The length of extension data. (Client/Server handshake header field) field : server_name_list_length type : uint16 length : 2 multiple : true desc : The length of server name list field : server_name_list type : byte-sequence length : variable multiple : true desc : The list of server name elements. field : server_name_type type : uint8 length : 1 multiple : true desc : The type of server name: 0 (hostname), 255. field : server_name_length type : uint16 length : 2 multiple : true desc : The length of server name. field : server_name type : ascii-string length : variable multiple : true desc : The server name string. field : protocol_name_list_length type : uint16 length : 2 multiple : true desc : The length of protocol name list. field : protocol_name_list type : byte-sequence length : variable multiple : true desc : The list contains the list of protocols advertised by the client, in descending order of preference. field : protocol_name_length type : uint8 length : 1 multiple : true desc : The length of protocol name. field : protocol_name type : ascii-string length : variable multiple : true desc : The protocol name string. field : supported_versions_length type : uint8 length : 1 multiple : true desc : The length of supported versions field : supported_versions type : byte-sequence length : variable multiple : true desc : The list of supported versions in preference order, with the most preferred version first. field : supported_version type : uint16 length : 2 multiple : true desc : A supported version. field : connection_id_length type : uint8 length : 1 multiple : true desc : The length of connection_id field data. field : connection_id type : byte-sequence length : variable multiple : true desc : The connection identificator. field : quic_transport_parameter type : byte-sequence length : variable multiple : true desc : The quic transport parameter section. field : quic_transport_parameter_id type : byte-sequence length : variable multiple : true desc : The identificator of quic transport parameter. field : quic_transport_parameter_length type : byte-sequence length : variable multiple : true desc : The field contains the length of the Transport Parameter Value field in bytes. field : quic_transport_parameter_value type : byte-sequence length : variable multiple : true desc : The quic transport parameter value. field : srtp_protection_profiles type : byte-sequence length : variable multiple : true desc : The list indicates the SRTP protection profiles that the client is willing to support, listed in descending order of preference. field : srtp_protection_profiles_length type : uint16 length : 2 multiple : true desc : The length of protection files list. field : srtp_protection_profile type : uint16 length : 2 multiple : true desc : The protection Profile defines the parameters and options that are in effect for the SRTP processing. field : srtp_mki_length type : uint8 length : 1 multiple : true desc : The mki length. field : srtp_mki type : byte-sequence length : variable multiple : true desc : The value contains the SRTP Master Key Identifier (MKI) value (if any) that the client will use for his SRTP packets. If this field is of zero length, then no MKI will be used. field : supported_groups_length type : uint16 length : 2 multiple : true desc : The length of supported_groups field data. field : supported_groups type : byte-sequence length : variable multiple : true desc : The supported groups (supported elliptic curves). field : supported_group type : uint16 length : 2 multiple : true desc : The supported group identificator (elliptic curve). field : ec_point_formats_length type : uint8 length : 1 multiple : true desc : The length of ec_point_formats field data. field : ec_point_formats type : byte-sequence length : variable multiple : true desc : The suppoted ec point formats. field : ec_point_format type : uint8 length : 1 multiple : true desc : The EC Point Format identificator. field : signature_and_hash_algorithms_length type : uint16 length : 2 multiple : true desc : The length of signature and hash algorithms field. field : signature_and_hash_algorithms type : byte-sequence length : variable multiple : true desc : Signature and hash algorithm elements. field : signature_and_hash_algorithm type : uint16 length : 2 multiple : true desc : The hash and signature algorithm pair. field : signature_length type : uint16 length : 2 multiple : true desc : The length of signature field. field : signature type : byte-sequence length : variable multiple : true desc : A digital signature using algorithms over the contents of the element. field : num_cids type : uint8 length : 1 multiple : true desc : The number of CIDs desired. field : cids_length type : uint16 length : 2 multiple : true desc : The length of cids field data. field : cids type : byte-sequence length : variable multiple : true desc : Indicates the set of CIDs that the sender wishes the peer to use. field : new_connection_id_length type : uint8 length : 1 multiple : true desc : The length of connection_id field data. The part of NewConnectionId message. field : new_connection_id type : byte-sequence length : variable multiple : true desc : The connection identificator. The part of NewConnectionId message. field : connection_id_usage type : uint8 length : 1 multiple : true desc : Indicates whether the new CIDs should be used immediately or are spare. If usage is set to "cid_immediate", then one of the new CIDs MUST be used immediately for all future records. If it is set to "cid_spare", then either an existing or new CID MAY be used. field : request_update type : uint8 length : 1 multiple : true desc : If the request_update field is set to update_requested (0), then the receiver MUST send a KeyUpdate of its own with request_update set to update_not_requested (1) prior to sending its next Application Data record. field : verify_data type : byte-sequence length : variable multiple : true desc : The part of finished message. For tls v1.0 the length is fixed. field : md5_hash type : byte-sequence length : 16 multiple : true desc : The part of finished message. The field can exist only for ssl v3.0 sessions. The length is fixed. field : sha_hash type : byte-sequence length : 20 multiple : true desc : The part of finished message. The field can exist only for ssl v3.0 sessions. The length is fixed. field : session_ticket_lifetime type : uint32 length : 4 multiple : true desc : Indicates the lifetime in seconds as a 32-bit unsigned integer in network byte order from the time of ticket issuance. field : session_ticket_length type : uint16 length : 2 multiple : true desc : The length of session ticket field. field : session_ticket type : byte-sequence length : variable multiple : true desc : The session ticket field. field : message_hash_data type : byte-sequence length : variable multiple : true desc : The data section of message hash handshake protocol. field : certificate_list_length type : byte-sequence length : 3 multiple : true desc : The length of certificate list field. field : certificate_list type : byte-sequence length : variable multiple : true desc : The certificate list data. The certificate list can contain more than one certificate. field : certificate_length type : byte-sequence length : 3 multiple : true desc : The length of certificate. field : certificate type : byte-sequence length : variable multiple : true desc : The certificate data. field : premaster_key_length type : uint16 length : 2 multiple : true desc : The length of premaster key. field : premaster_key type : byte-sequence length : variable multiple : true desc : The value which client generates and sends as encrypted premaster secret message. The field exists only for RSA key agreement. field : dh_public_key_length type : uint16 length : 2 multiple : true desc : Client Diffie-Hellman public value length. field : dh_public_key type : byte-sequence length : variable multiple : true desc : Client Diffie-Hellman public value. field : dhe_public_key_length type : uint16 length : 2 multiple : true desc : Client Ephemeral Diffie-Hellman public value length field : dhe_public_key type : byte-sequence length : variable multiple : true desc : Client Ephemeral Diffie-Hellman public value. field : ecdhe_public_key_length type : uint8 length : 1 multiple : true desc : Client Elliptic Curve Ephemeral Diffie-Hellman public value length. field : ecdhe_public_key type : byte-sequence length : variable multiple : true desc : Client Elliptic Curve Ephemeral Diffie-Hellman public value. field : ecdh_public_key_length type : uint8 length : 1 multiple : true desc : Client/Server Elliptic Curve Diffie-Hellman public value length. For Server Key Exchange maessage that field exists only when 'curve_type' has 'named_curve'(3) value. field : ecdh_public_key type : byte-sequence length : variable multiple : true desc : Client/Server Elliptic Curve Diffie-Hellman public value. For Server Key Exchange maessage that field exists only when 'curve_type' has 'named_curve'(3) value. field : fortezza_yc_length type : uint8 length : 1 multiple : true desc : The client's Yc value (public key) length. field : fortezza_yc type : byte-sequence length : variable multiple : true desc : The client's Yc value (public key) for the KEA calculation. field : fortezza_rc type : byte-sequence length : 128 multiple : true desc : The client's Rc value for the KEA calculation. field : fortezza_yc_signature type : byte-sequence length : 40 multiple : true desc : The tsignature of the KEA public key, signed with the client's DSS private key. field : fortezza_wrapped_client_write_key type : byte-sequence length : 12 multiple : true desc : This is the client's write key, wrapped by the TEK. field : fortezza_wrapped_server_write_key type : byte-sequence length : 12 multiple : true desc : This is the server's write key, wrapped by the TEK. field : fortezza_client_write_iv type : byte-sequence length : 24 multiple : true desc : The IV for the client write key. field : fortezza_server_write_iv type : byte-sequence length : 24 multiple : true desc : The IV for the server write key. field : fortezza_master_write_iv type : byte-sequence length : 24 multiple : true desc : This is the IV for the TEK used to encrypt the premaster secret. field : fortezza_encrypted_pre_master_secret type : byte-sequence length : 48 multiple : true desc : A random value, generated by the client and used to generate the master secret. field : dh_p_length type : uint16 length : 2 multiple : true desc : The prime modulus field length. field : dh_p type : byte-sequence length : variable multiple : true desc : The prime modulus used for the Diffie-Hellman operation. field : dh_g_length type : uint16 length : 2 multiple : true desc : The generator field length. field : dh_g type : byte-sequence length : variable multiple : true desc : The generator used for the Diffie-Hellman operation. field : dh_ys_length type : uint16 length : 2 multiple : true desc : The server's Diffie-Hellman public value field length. field : dh_ys type : byte-sequence length : variable multiple : true desc : The server's Diffie-Hellman public value (g^X mod p). field : dh_signature_and_hash_algorithm type : uint16 length : 2 multiple : true desc : The dh hash and signature algorithm pair. field : dh_signature_length type : uint16 length : 2 multiple : true desc : The length of dh signature field. field : dh_signature type : byte-sequence length : variable multiple : true desc : The dh signature. field : rsa_modulus_length type : uint16 length : 2 multiple : true desc : The length of rsa modulus field. field : rsa_modulus type : byte-sequence length : variable multiple : true desc : The modulus of the server's temporary RSA key. field : rsa_exponent_length type : uint16 length : 2 multiple : true desc : The length of rsa exponent field. field : rsa_exponent type : byte-sequence length : variable multiple : true desc : The public exponent of the server's temporary RSA key. field : fortezza_rs type : byte-sequence length : 128 multiple : true desc : Server random number for FORTEZZA KEA (Key Exchange Algorithm). field : curve_type type : uint8 length : 1 multiple : true desc : The field identifies the type of the elliptic curve domain parameters. field : named_curve type : uint16 length : 2 multiple : true desc : The field specifies a recommended set of elliptic curve domain parameters. All those values of NamedCurve are allowed that refer to a specific curve. field : ecdh_signature_and_hash_algorithm type : uint16 length : 2 multiple : true desc : The ecdh hash and signature algorithm pair. field : ecdh_signature_length type : uint16 length : 2 multiple : true desc : The length of ecdh signature field. field : ecdh_signature type : byte-sequence length : variable multiple : true desc : The ecdh signature. field : ecdh_prime_length type : uint8 length : 1 multiple : true desc : The odd prime value length. The field exists only for 'explicit_prime' curve_type. field : ecdh_prime type : byte-sequence length : variable multiple : true desc : The odd prime defining the field Fp. The field exists only for 'explicit_prime' curve_type. field : ecdh_m type : uint16 length : 2 multiple : true desc : The degree of the characteristic-2 field F2^m. The field exists only for 'explicit_char2' curve_type. field : ecdh_basis type : uint8 length : 1 multiple : true desc : The basis type. Possible values: 'ec_basis_trinomial'(1), 'ec_basis_pentanomial'(2). The field exists only for 'explicit_char2' curve_type. field : ecdh_k_length type : uint8 length : 1 multiple : true desc : The exponent k value length. field : ecdh_k type : byte-sequence length : variable multiple : true desc : The exponent k for the trinomial basis representation x^m + x^k + 1. The field exists for 'explicit_char2' curve_type and 'ec_trinomial' basis. field : ecdh_k1_length type : uint8 length : 1 multiple : true desc : The exponent k1 value length. field : ecdh_k1 type : byte-sequence length : variable multiple : true desc : The exponents for the pentanomial representation x^m + x^k3 + x^k2 + x^k1 + 1 (such that k3 > k2 > k1). The field exists only for 'explicit_char2' curve_type and 'ec_pentanomial' basis. field : ecdh_k2_length type : uint8 length : 1 multiple : true desc : The exponent k2 value length. field : ecdh_k2 type : byte-sequence length : variable multiple : true desc : The exponents for the pentanomial representation x^m + x^k3 + x^k2 + x^k1 + 1 (such that k3 > k2 > k1). The field exists only for 'explicit_char2' curve_type and 'ec_pentanomial' basis. field : ecdh_k3_length type : uint8 length : 1 multiple : true desc : The exponent k value length. field : ecdh_k3 type : byte-sequence length : variable multiple : true desc : The exponents for the pentanomial representation x^m + x^k3 + x^k2 + x^k1 + 1 (such that k3 > k2 > k1). The field exists only for 'explicit_char2' curve_type and 'ec_pentanomial' basis. field : ecdh_curve type : byte-sequence length : variable multiple : true desc : The field specifies the coefficients a and b of the elliptic curve E. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_a_length type : uint8 length : 1 multiple : true desc : The 'a' value of the elliptic curve length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_a type : byte-sequence length : variable multiple : true desc : The 'a' value of the elliptic curve. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_b_length type : uint8 length : 1 multiple : true desc : The 'b' value of the elliptic curve length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_b type : byte-sequence length : variable multiple : true desc : The 'b' value of the elliptic curve. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_base_length type : uint8 length : 1 multiple : true desc : The field specifies the base point G value length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_base type : byte-sequence length : variable multiple : true desc : The field specifies the base point G on the elliptic curve. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_order_length type : uint8 length : 1 multiple : true desc : The field specifies the order n of the base point value length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_order type : byte-sequence length : variable multiple : true desc : The field specifies the order n of the base point. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_cofactor_length type : uint8 length : 1 multiple : true desc : The field specifies the cofactor h value length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_cofactor type : byte-sequence length : variable multiple : true desc : The field specifies the cofactor h = #E(Fq)/n, where #E(Fq) represents the number of points on the elliptic curve E defined over the field Fq (either Fp or F2^m). The field exists for 'explicit_prime' or 'explicit_char2' curve_type. 4.3.10 ethernet ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : src_mac type : byte-sequence length : 6 multiple : false desc : Source MAC address. field : dst_mac type : byte-sequence length : 6 multiple : false desc : Destination MAC address. field : ethernet_type type : uint16 length : 2 multiple : false desc : Two-octet field which is used to indicate which protocol is encapsulated in the payload of the frame. 0x0000 - 0x05DC - IEEE802.3 length Field. 0x0101-0x01FF - experimental. 4.3.11 ftp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : command type : ascii-string length : variable multiple : false desc : The command name. field : command_argument type : ascii-string length : variable multiple : false desc : The command argument. (Might be absent if command name doesn't require it) field : code type : ascii-string length : variable multiple : false desc : The code. field : code_text type : ascii-string length : variable multiple : false desc : The code text. field : retr_pathname type : ascii-string length : variable multiple : false desc : Pathname value of RETR (retrieve) command. field : stat_pathname type : ascii-string length : variable multiple : false desc : Pathname value of STAT (status) command. field : size_pathname type : ascii-string length : variable multiple : false desc : Pathname value of SIZE (size) command. field : username type : ascii-string length : variable multiple : false desc : Username value of USER (user) command. field : password type : ascii-string length : variable multiple : false desc : Password value of PASS (password) command. field : file_status type : ascii-string length : variable multiple : false desc : The value 213 code reply. field : data type : ascii-string length : variable multiple : false desc : Not dissected data. 4.3.12 gre ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : checksum_flag type : 16-bit-field length : 2 multiple : false desc : If the Checksum Present bit is set to one, then the Checksum and the Reserved1 fields are present and the Checksum field contains valid information. field : reserved0 type : 16-bit-field length : 2 multiple : false desc : A receiver MUST discard a packet where any of bits 1-5 are non-zero, unless that receiver implements RFC 1701. Bits 6-12 are reserved for future use. field : version type : 16-bit-field length : 2 multiple : false desc : The Version Number field MUST contain the value zero. field : protocol_type type : uint16 length : 2 multiple : false desc : The Protocol Type field contains the protocol type of the payload packet. These Protocol Types are defined in [RFC1700] as "ETHER TYPES" and in [ETYPES]. field : checksum type : uint16 length : 2 multiple : false desc : The Checksum field contains the IP (one's complement) checksum sum of the all the 16 bit words in the GRE header and the payload packet. field : reserved1 type : uint16 length : 2 multiple : false desc : The Reserved1 field is reserved for future use, and if present, MUST be transmitted as zero. 4.3.13 gtp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint8 length : 1 multiple : false desc : GTP protocol version. field : protocol_type type : uint8 length : 1 multiple : false desc : Protocol type flag: 0 for GTP, 1 for GTP'. field : reserved type : uint8 length : 1 multiple : false desc : Reserved flag for future use, must be 0. field : extension_header_flag type : uint8 length : 1 multiple : false desc : Indicates if extension header is present (1) or not (0). field : sequence_number_flag type : uint8 length : 1 multiple : false desc : Indicates if sequence number field is present (1) or not (0). field : npdu_number_flag type : uint8 length : 1 multiple : false desc : Indicates if N-PDU number field is present (1) or not (0). field : message_type type : uint8 length : 1 multiple : false desc : GTP message type (e.g., 255 for G-PDU, 254 for Echo Request, etc.). field : length type : uint16 length : 2 multiple : false desc : Length of the payload in bytes (excluding mandatory header). field : teid type : uint32 length : 4 multiple : false desc : Tunnel Endpoint Identifier for user data tunneling. field : sequence_number type : uint16 length : 2 multiple : false desc : Sequence number for GTP packets (enabled by sequence flag). field : npdu_number type : uint8 length : 1 multiple : false desc : N-PDU number used for packet data convergence protocol (enabled by N-PDU flag). field : extension type : byte-sequence length : variable multiple : true desc : Extension element includes type, length, content. The field is presented when extension header flag is set. field : extension_header_type type : uint8 length : 1 multiple : true desc : Type of extension header (0 for no more extensions). field : extension_header_length type : uint8 length : 1 multiple : true desc : Length of extension header content in 4-octet units. field : extension_header_content type : byte-sequence length : variable multiple : true desc : Extension header specific content and parameters. field : data type : byte-sequence length : variable multiple : false desc : Undissected data section. 4.3.14 http ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : method type : ascii-string length : variable multiple : false desc : The method token indicates the method to be performed on the resource identified by the Request-URI. field : uri type : ascii-string length : variable multiple : false desc : The part of HTTP request line which describes the exact location of a page, post, file, or other asset with request parameters. field : url type : ascii-string length : variable multiple : false desc : The part of HTTP request line which describes the exact location of a page, post, file, or other asset without request parameters. field : status_code type : ascii-string length : variable multiple : false desc : The part of HTTP response status line which is presented as a 3-digit integer number of the attempt to understand and satisfy the request. field : reason_phrase type : ascii-string length : variable multiple : false desc : The part of HTTP response status line which describes status code. field : version type : ascii-string length : variable multiple : false desc : The version of an HTTP message. field : header type : ascii-string length : variable multiple : true desc : An HTTP header consists of its case-insensitive name followed by a colon ( : ), then by its value. The fields pass additional context and metadata about the request or response. field : content_length type : ascii-string length : variable multiple : true desc : The value of Content-Length header. field : content_type type : ascii-string length : variable multiple : true desc : The value of Content-Type header. field : upgrade type : ascii-string length : variable multiple : true desc : The value of Upgrade header. field : host type : ascii-string length : variable multiple : true desc : The value of Host header. field : proxy_authenticate type : ascii-string length : variable multiple : true desc : The value of Proxy-Authenticate header. field : proxy_authorization type : ascii-string length : variable multiple : true desc : The value of Proxy-Authorization header. field : referer type : ascii-string length : variable multiple : true desc : The value of Referer header. field : user_agent type : ascii-string length : variable multiple : true desc : The value of User-Agent header. field : content_disposition type : ascii-string length : variable multiple : true desc : The value of Content-Disposition header. field : file_type type : ascii-string length : variable multiple : true desc : The part of Content-Type value which specifies file type. field : file_name type : ascii-string length : variable multiple : true desc : The part of Content-Disposition value which specifies file name. field : via type : ascii-string length : variable multiple : true desc : The value of Via header. field : from type : ascii-string length : variable multiple : true desc : The value of From header. field : from_user type : ascii-string length : variable multiple : true desc : The user value of SIP URL part of From header value. field : from_host type : ascii-string length : variable multiple : true desc : The host value of SIP URL part of From header value. field : from_ip type : ascii-string length : variable multiple : true desc : The IP value of SIP URL part of From header value. The value is presented if host value has IP format. field : from_phone type : ascii-string length : variable multiple : true desc : The phone value of SIP URL part of From header value. The value is presented if host value has phone format (contains only digits, '+' sign is allowed at the begging of the value). field : to type : ascii-string length : variable multiple : true desc : The value of To header. field : to_user type : ascii-string length : variable multiple : true desc : The user value of SIP URL part of To header value. field : to_host type : ascii-string length : variable multiple : true desc : The host value of SIP URL part of To header value. field : to_ip type : ascii-string length : variable multiple : true desc : The IP value of SIP URL part of To header value. The value is presented if host value has IP format. field : to_phone type : ascii-string length : variable multiple : true desc : The phone value of SIP URL part of To header value. The value is presented if host value has phone format (contains only digits, '+' sign is allowed at the begging of the value). field : cseq type : ascii-string length : variable multiple : true desc : The value of CSeq header. field : cseq_number type : ascii-string length : variable multiple : true desc : The sequence number (MUST be expressible as a 32-bit unsigned integer). field : cseq_method type : ascii-string length : variable multiple : true desc : The method part of CSeq (case-sensitive). field : body type : ascii-string length : variable multiple : false desc : HTTP message body. field : chunk type : ascii-string length : variable multiple : true desc : The part of HTTP body. The field is presented when Transfer-Encoding header has 'chunked' value. field : chunk_size type : ascii-string length : variable multiple : true desc : The string of hex digits indicating the size of the chunk. field : chunk_extension type : ascii-string length : variable multiple : true desc : The part of chunk size line. Optional field. field : chunk_data type : ascii-string length : variable multiple : true desc : The data part of chunk. field : trailer type : ascii-string length : variable multiple : true desc : The trailer field allows the sender to include additional HTTP header fields at the end of the message. field : sdp_line type : ascii-string length : variable multiple : true desc : A single line in an SDP message, formatted as =. field : sdp_protocol_version type : ascii-string length : variable multiple : true desc : SDP protocol version (v=). Must be 0. field : sdp_origin type : ascii-string length : variable multiple : true desc : Origin (o=). Identifies the creator of the session. field : sdp_origin_username type : ascii-string length : variable multiple : true desc : Origin username. The user's login on the originating host. field : sdp_origin_session_id type : ascii-string length : variable multiple : true desc : Origin session ID. A numeric string to uniquely identify the session. field : sdp_origin_session_version type : ascii-string length : variable multiple : true desc : Origin session version. Version number for this session description. field : sdp_origin_net_type type : ascii-string length : variable multiple : true desc : Origin network type (e.g., 'IN' for Internet). field : sdp_origin_address_type type : ascii-string length : variable multiple : true desc : Origin address type (e.g., 'IP4' or 'IP6'). field : sdp_origin_unicast_address type : ascii-string length : variable multiple : true desc : Origin unicast address. The IP address of the machine from which the session was created. field : sdp_session_name type : ascii-string length : variable multiple : true desc : Session Name (s=). A textual session name. field : sdp_session_information type : ascii-string length : variable multiple : true desc : Session Information (i=). A textual description of the session. field : sdp_uri type : ascii-string length : variable multiple : true desc : URI (u=). A URI containing more information about the session. field : sdp_email type : ascii-string length : variable multiple : true desc : Email Address (e=). Email of the person responsible for the conference. field : sdp_phone_number type : ascii-string length : variable multiple : true desc : Phone Number (p=). Phone number of the person responsible for the conference. field : sdp_connection_data type : ascii-string length : variable multiple : true desc : Connection Data (c=). Specifies the network and address for the session. field : sdp_connection_data_net_type type : ascii-string length : variable multiple : true desc : Connection Data network type (e.g., 'IN' for Internet). field : sdp_connection_data_address_type type : ascii-string length : variable multiple : true desc : Connection Data address type (e.g., 'IP4' or 'IP6'). field : sdp_connection_data_connection_address type : ascii-string length : variable multiple : true desc : Connection Data address. The base IP address for the media connection. field : sdp_bandwitdth type : ascii-string length : variable multiple : true desc : Bandwidth (b=). Specifies the proposed bandwidth to be used by the session or media. field : sdp_timing type : ascii-string length : variable multiple : true desc : Timing (t=). Specifies the start and stop times for a session. field : sdp_start_time type : ascii-string length : variable multiple : true desc : Timing start time. The time the session is scheduled to start (NTP timestamp). field : sdp_stop_time type : ascii-string length : variable multiple : true desc : Timing stop time. The time the session is scheduled to end (NTP timestamp). field : sdp_repeat_time type : ascii-string length : variable multiple : true desc : Repeat Times (r=). Specifies repeat intervals for the session. field : sdp_repeat_interval type : ascii-string length : variable multiple : true desc : Repeat interval. The time between the start times of two successive repetitions. field : sdp_active_duration type : ascii-string length : variable multiple : true desc : Active duration. How long each repetition of the session lasts. field : sdp_offset_from_start type : ascii-string length : variable multiple : true desc : Offset from start. A list of offsets from the start time for each repetition. field : sdp_time_zone type : ascii-string length : variable multiple : true desc : Time Zones (z=). Lists time zone adjustments for recurring sessions. field : sdp_time_zone_adjustment_time type : ascii-string length : variable multiple : true desc : Time Zone adjustment time. The time when the adjustment happens. field : sdp_time_zone_offset type : ascii-string length : variable multiple : true desc : Time Zone offset. The offset from UTC that applies after the adjustment time. field : sdp_encryption_key type : ascii-string length : variable multiple : true desc : Encryption Keys (k=). Specifies a key for encrypting the media. field : sdp_attribute type : ascii-string length : variable multiple : true desc : Attribute (a=). A session or media-level attribute for extended information. field : sdp_media_description type : ascii-string length : variable multiple : true desc : Media Description (m=). Defines a media stream within a session. field : sdp_media_type type : ascii-string length : variable multiple : true desc : Media type (e.g., 'audio', 'video', 'text', 'application'). field : sdp_media_port type : ascii-string length : variable multiple : true desc : Media port. The transport port to which the media stream is sent. field : sdp_media_proto type : ascii-string length : variable multiple : true desc : Media protocol (e.g., 'RTP/AVP', 'RTP/SAVPF', 'TCP', 'UDP'). field : sdp_media_fmt type : ascii-string length : variable multiple : true desc : Media format. A list of media format identifiers (e.g., payload type numbers). 4.3.15 http2 ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : preface type : ascii-string length : variable multiple : false desc : The client connection preface. field : frame type : byte-sequence length : variable multiple : true desc : The frame data. field : frame_length type : byte-sequence length : 3 multiple : true desc : The length of the frame payload expressed as an unsigned 24-bit integer in units of octets. The 9 octets of the frame header are not included in this value. field : frame_type type : uint8 length : 1 multiple : true desc : The 8-bit type of the frame. The frame type determines the format and semantics of the frame. field : frame_flags type : uint8 length : 1 multiple : true desc : An 8-bit field reserved for boolean flags specific to the frame type. Flags are assigned semantics specific to the indicated frame type. Unused flags are those that have no defined semantics for a particular frame type. field : data_unused0_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : data_padded_flag type : 8-bit-field length : 1 multiple : true desc : When set, the PADDED flag indicates that the Pad Length field and any padding that it describes are present. field : data_unused1_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : data_end_stream_flag type : 8-bit-field length : 1 multiple : true desc : When set, the END_STREAM flag indicates that this frame is the last that the endpoint will send for the identified stream. field : headers_unused0_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : headers_priority_flag type : 8-bit-field length : 1 multiple : true desc : When set, the PRIORITY flag indicates that the Exclusive, Stream Dependency, and Weight fields are present. field : headers_unused1_flag type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : headers_padded_flag type : 8-bit-field length : 1 multiple : true desc : When set, the PADDED flag indicates that the Pad Length field and any padding that it describes are present. field : headers_end_headers_flag type : 8-bit-field length : 1 multiple : true desc : When set, the END_HEADERS flag indicates that this frame contains an entire field block and is not followed by any CONTINUATION frames. HEADERS frame without the END_HEADERS flag set MUST be followed by a CONTINUATION frame for the same stream. field : headers_unused2_flag type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : headers_end_stream_flag type : 8-bit-field length : 1 multiple : true desc : When set, the END_STREAM flag indicates that the field block is the last that the endpoint will send for the identified stream. A HEADERS frame with the END_STREAM flag set signals the end of a stream. However, a HEADERS frame with the END_STREAM flag set can be followed by CONTINUATION frames on the same stream. Logically, the CONTINUATION frames are part of the HEADERS frame. field : settings_unused_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : settings_ack_flag type : 8-bit-field length : 1 multiple : true desc : The ack flag. field : push_promise_unused0_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : push_promise_padded_flag type : 8-bit-field length : 1 multiple : true desc : An 8-bit field containing the length of the frame padding in units of octets. This field is only present if the PADDED flag is set. field : push_promise_end_header_flag type : 8-bit-field length : 1 multiple : true desc : When set, the END_HEADERS flag indicates that this frame contains an entire field block and is not followed by any CONTINUATION frames. A PUSH_PROMISE frame without the END_HEADERS flag set MUST be followed by a CONTINUATION frame for the same stream. field : push_promise_unused1_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : ping_unused_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : ping_ack_flag type : 8-bit-field length : 1 multiple : true desc : When set, the ACK flag indicates that this PING frame is a PING response. An endpoint MUST set this flag in PING responses. An endpoint MUST NOT respond to PING frames containing this flag. field : continuation_unused0_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : continuation_end_header_flag type : 8-bit-field length : 1 multiple : true desc : When set, the END_HEADERS flag indicates that this frame ends a field block. field : continuation_unused1_flags type : 8-bit-field length : 1 multiple : true desc : The unused bits. field : frame_stream_identifier_data type : uint32 length : 4 multiple : true desc : The field covers reserved and stream identifier fields. field : frame_reserved_bit type : 32-bit-field length : 4 multiple : true desc : A reserved 1-bit field. The semantics of this bit are undefined, and the bit MUST remain unset (0x00) when sending and MUST be ignored when receiving. field : frame_stream_identifier type : 32-bit-field length : 4 multiple : true desc : A stream identifier expressed as an unsigned 31-bit integer. The value 0x00 is reserved for frames that are associated with the connection as a whole as opposed to an individual stream. field : frame_payload type : byte-sequence length : variable multiple : true desc : The frame payload data. field : data_pad_length type : uint8 length : 1 multiple : true desc : An 8-bit field containing the length of the frame padding in units of octets. This field is conditional and is only present if the PADDED flag is set. field : data_data type : byte-sequence length : variable multiple : true desc : Application data. The amount of data is the remainder of the frame payload after subtracting the length of the other fields that are present. field : data_padding type : byte-sequence length : variable multiple : true desc : Padding octets that contain no application semantic value. Padding octets MUST be set to zero when sending. field : headers_pad_length type : uint8 length : 1 multiple : true desc : An 8-bit field containing the length of the frame padding in units of octets. This field is only present if the PADDED flag is set. field : headers_exclusive type : 32-bit-field length : 4 multiple : true desc : A single-bit flag. This field is only present if the PRIORITY flag is set. Priority signals in HEADERS frames are deprecated. field : headers_stream_dependency type : 32-bit-field length : 4 multiple : true desc : A 31-bit stream identifier. This field is only present if the PRIORITY flag is set. field : headers_weight type : uint8 length : 1 multiple : true desc : An unsigned 8-bit integer. This field is only present if the PRIORITY flag is set. field : headers_field_block_fragment type : byte-sequence length : variable multiple : true desc : A field block fragment. field : headers_padding type : byte-sequence length : variable multiple : true desc : Padding octets that contain no application semantic value. Padding octets MUST be set to zero when sending. field : priority_exclusive type : 32-bit-field length : 4 multiple : true desc : A single-bit flag. field : priority_stream_dependency type : 32-bit-field length : 4 multiple : true desc : A 31-bit stream identifier. field : priority_weight type : uint8 length : 1 multiple : true desc : An unsigned 8-bit integer. field : rst_stream_error_code type : uint32 length : 4 multiple : true desc : The error code indicates why the stream is being terminated. field : settings_setting type : byte-sequence length : variable multiple : true desc : The setting data. The field includes id and value fields. field : setting_identifier type : uint16 length : 2 multiple : true desc : A 16-bit setting identifier. field : setting_value type : uint32 length : 4 multiple : true desc : A 32-bit value for the setting. field : push_promise_pad_length type : uint8 length : 1 multiple : true desc : An 8-bit field containing the length of the frame padding in units of octets. This field is only present if the PADDED flag is set. field : push_promise_reserved type : 32-bit-field length : 4 multiple : true desc : The reserved bit. field : push_promise_stream_id type : 32-bit-field length : 4 multiple : true desc : An unsigned 31-bit integer that identifies the stream that is reserved by the PUSH_PROMISE. The promised stream identifier MUST be a valid choice for the next stream sent by the sender. field : push_promise_field_block_fragment type : byte-sequence length : variable multiple : true desc : A field block fragment containing the request control data and a header section. field : push_promise_padding type : byte-sequence length : variable multiple : true desc : Padding octets that contain no application semantic value. Padding octets MUST be set to zero when sending. field : ping_opaque_data type : byte-sequence length : variable multiple : true desc : Opaque data. A sender can include any value it chooses and use those octets in any fashion. field : go_away_reserved type : 32-bit-field length : 4 multiple : true desc : The reserved bit. field : go_away_last_stream_id type : 32-bit-field length : 4 multiple : true desc : The last stream identifier in the GOAWAY frame contains the highest-numbered stream identifier for which the sender of the GOAWAY frame might have taken some action on or might yet take action on. field : go_away_error_code type : uint32 length : 4 multiple : true desc : A 32-bit error code that contains the reason for closing the connection. field : go_away_additional_debug_data type : byte-sequence length : variable multiple : true desc : Additional debug data is intended for diagnostic purposes only and carries no semantic value. Debug information could contain security- or privacy-sensitive data. Logged or otherwise persistently stored debug data MUST have adequate safeguards to prevent unauthorized access. field : window_update_reserved type : 32-bit-field length : 4 multiple : true desc : The reserved bit. field : window_update_window_size_increment type : 32-bit-field length : 4 multiple : true desc : The window size increment. field : continuation_field_block_fragment type : byte-sequence length : variable multiple : true desc : A field block fragment. 4.3.16 icmp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : type type : uint8 length : 1 multiple : false desc : Type of message. field : code type : uint8 length : 1 multiple : false desc : Additional context information for the message. The code description depends on ICMP type. field : checksum type : uint16 length : 2 multiple : false desc : The 16-bit ones's complement of the one's complement sum of the ICMP message starting with the ICMP Type. field : header_data type : uint32 length : 4 multiple : false desc : Four-byte field, contents vary based on the ICMP type and code. field : data type : byte-sequence length : variable multiple : false desc : The ICMP message data. 4.3.17 icmpv6 ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : type type : uint8 length : 1 multiple : false desc : Type of message. field : code type : uint8 length : 1 multiple : false desc : Additional context information for the message. The code description depends on ICMP type. field : checksum type : uint16 length : 2 multiple : false desc : The 16-bit ones's complement of the one's complement sum of the ICMP message starting with the ICMP Type. field : header_data type : uint32 length : 4 multiple : false desc : Four-byte field, contents vary based on the ICMP type and code. field : data type : byte-sequence length : variable multiple : false desc : The ICMP message data. 4.3.18 igmp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : type type : uint8 length : 1 multiple : false desc : Type of message. 4.3.19 imap ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. 4.3.20 ipv4 ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : ip_version type : 8-bit-field length : 1 multiple : false desc : The Version field indicates the format of the internet header. field : ihl type : 8-bit-field length : 1 multiple : false desc : Internet Header Length is the length of the internet header in 32 bit words, and thus points to the beginning of the data. field : tos type : uint8 length : 1 multiple : false desc : Type of Service provides an indication of the abstract parameters of the quality of service desired. field : dscp type : 8-bit-field length : 1 multiple : false desc : Differentiated Services Code Point. field : ecn type : 8-bit-field length : 1 multiple : false desc : Explicit Congestion Notification. field : total_length type : uint16 length : 2 multiple : false desc : Total Length is the length of the datagram, measured in octets, including internet header and data. field : id type : uint16 length : 2 multiple : false desc : An identifying value assigned by the sender to aid in assembling the fragments of a datagram. field : reserved_flag type : 16-bit-field length : 2 multiple : false desc : Reserved bit. Must be zero. field : dm_flag type : 16-bit-field length : 2 multiple : false desc : 0 (may fragment), 1 (don't fragment). field : mf_flag type : 16-bit-field length : 2 multiple : false desc : 0 (last fragment), 1 (more fragments). field : fragment_offset type : 16-bit-field length : 2 multiple : false desc : This field indicates where in the datagram this fragment belongs. field : ttl type : uint8 length : 1 multiple : false desc : This field indicates the maximum time the datagram is allowed to remain in the internet system. field : protocol type : uint8 length : 1 multiple : false desc : This field indicates the next level protocol used in the data portion of the internet datagram. field : checksum type : uint16 length : 2 multiple : false desc : A checksum on the header only. field : address type : uint32 length : 4 multiple : true desc : The source/destination address. field : src_ip type : uint32 length : 4 multiple : false desc : The source address. field : dst_ip type : uint32 length : 4 multiple : false desc : The destination address. field : options type : byte-sequence length : variable multiple : false desc : The options section. 4.3.21 ipv6 ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint32 length : 4 multiple : false desc : TheInternet Protocol version number = 6. field : traffic_class type : uint32 length : 4 multiple : false desc : The traffic Class field in the IPv6 header is used by the network for traffic management. field : flow_label type : uint32 length : 4 multiple : false desc : The flow Label field in the IPv6 header is used by a source to label sequences of packets to be treated in the network as a single flow. field : payload_length type : uint16 length : 2 multiple : false desc : The length of the IPv6 payload, i.e., the rest of the packet following this IPv6 header, in octets. (Note that any extension headers present are considered part of the payload, i.e., included in the length count.) field : next_header type : uint8 length : 1 multiple : false desc : Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field. field : hop_limit type : uint8 length : 1 multiple : false desc : Decremented by 1 by each node that forwards the packet. When forwarding, the packet is discarded if Hop Limit was zero when received or is decremented to zero. A node that is the destination of a packet should not discard a packet with Hop Limit equal to zero; it should process the packet normally. field : address type : byte-sequence length : 16 multiple : true desc : The source/destination address. field : source_address type : byte-sequence length : 16 multiple : false desc : 128-bit address of the originator of the packet. field : destination_address type : byte-sequence length : 16 multiple : false desc : 128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present). field : extension type : byte-sequence length : variable multiple : true desc : The extension data. field : ext_next_header type : uint8 length : 1 multiple : true desc : Identifies the type of header immediately following the extension header. Uses the same values as the IPv4 Protocol field. field : ext_header_length type : uint8 length : 1 multiple : true desc : Length of the extension header in 8-octet units, not including the first 8 octets. field : hop_by_hop_options type : byte-sequence length : variable multiple : true desc : Variable-length field, of length such that the complete Hop-by-Hop Options header is an integer multiple of 8 octets long. Contains one or more TLV-encoded options. field : routing_type type : uint8 length : 1 multiple : true desc : The identifier of a particular Routing header variant. field : segments_left type : uint8 length : 1 multiple : true desc : The number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination. field : routing_data type : byte-sequence length : variable multiple : true desc : Variable-length field, of format determined by the Routing Type, and of length such that the complete Routing header is an integer multiple of 8 octets long. field : fragment_reserved type : uint8 length : 1 multiple : true desc : 8-bit reserved field. Initialized to zero for transmission; ignored on reception. field : fragment_offset type : 16-bit-field length : 2 multiple : true desc : 13-bit unsigned integer. The offset, in 8-octet units, of the data following this header, relative to the start of the Fragmentable Part of the original packet. field : fragment_res type : 16-bit-field length : 2 multiple : true desc : 2-bit reserved field. Initialized to zero for transmission; ignored on reception. field : fragment_m type : 16-bit-field length : 2 multiple : true desc : 1 = more fragments; 0 = last fragment. field : fragment_id type : uint32 length : 4 multiple : true desc : The identification value. field : esp_security_parameters_index type : uint32 length : 4 multiple : true desc : The identifier of a particular Routing header variant. field : esp_sequence_number type : uint32 length : 4 multiple : true desc : The number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination. field : esp_data type : byte-sequence length : variable multiple : true desc : Variable-length field, of format determined by the Routing Type, and of length such that the complete Routing header is an integer multiple of 8 octets long. field : destination_options type : byte-sequence length : variable multiple : true desc : Variable-length field, of length such that the complete Destination Options header is an integer multiple of 8 octets long. Contains one or more TLV-encoded options. field : auth_reserved type : uint16 length : 2 multiple : true desc : This 16-bit field is reserved for future use. It MUST be set to "zero" by the sender, and it SHOULD be ignored by the recipient. (Note that the value is included in the ICV calculation, but is otherwise ignored by the recipient.) field : auth_security_parameters_index type : uint32 length : 4 multiple : true desc : The SPI is an arbitrary 32-bit value that is used by a receiver to identify the SA to which an incoming packet is bound. field : auth_sequence_number type : uint32 length : 4 multiple : true desc : This unsigned 32-bit field contains a counter value that increases by one for each packet sent, i.e., a per-SA packet sequence number. field : auth_integrity_check_value_icv type : byte-sequence length : variable multiple : true desc : The variable-length field that contains the Integrity Check Value (ICV) for this packet. The field must be an integral multiple of 32 bits (IPv4 or IPv6) in length. field : mobility_mh_type type : uint8 length : 1 multiple : true desc : Identifies the particular mobility message in question. field : mobility_reserved type : uint8 length : 1 multiple : true desc : 8-bit field reserved for future use. The value MUST be initialized to zero by the sender, and MUST be ignored by the receiver. field : mobility_checksum type : uint16 length : 2 multiple : true desc : 16-bit unsigned integer. This field contains the checksum of the Mobility Header. The checksum is calculated from the octet string consisting of a "pseudo-header" followed by the entire Mobility Header starting with the Payload Proto field. The checksum is the 16-bit one's complement of the one's complement sum of this string. field : mobility_message_data type : byte-sequence length : variable multiple : true desc : A variable length field containing the data specific to the indicated Mobility Header type. field : hip_unset_bit type : uint8 length : 1 multiple : true desc : The reserved bit. Must be 0. field : hip_packet_type type : uint8 length : 1 multiple : true desc : The Packet Type indicates the HIP packet type. The individual packet types are defined in the relevant sections. field : hip_version type : uint8 length : 1 multiple : true desc : The HIP Version field is four bits. he version number is expected to be incremented only if there are incompatible changes to the protocol. field : hip_res type : uint8 length : 1 multiple : true desc : The reserved bits. field : hip_set_bit type : uint8 length : 1 multiple : true desc : The reserved bit. field : hip_checksum type : uint16 length : 2 multiple : true desc : Since the checksum covers the source and destination addresses in the IP header, it MUST be recomputed on HIP-aware NAT devices. field : hip_controls type : uint16 length : 2 multiple : true desc : The HIP Controls field conveys information about the structure of the packet and capabilities of the host. field : hip_data type : byte-sequence length : variable multiple : true desc : The data sections includes the following fields: Sender's Host Identity Tag (HIT), Receiver's Host Identity Tag (HIT), HIP Parameters. field : shim_data type : byte-sequence length : variable multiple : true desc : The data section of shim extension. 4.3.22 isakmp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : initiator_spi type : byte-sequence length : 8 multiple : false desc : The value chosen by the initiator to identify a unique IKE security association. field : responder_spi type : byte-sequence length : 8 multiple : false desc : The value chosen by the responder to identify a unique IKE security association. field : next_payload type : uint8 length : 1 multiple : false desc : The value indicates the type of payload that immediately follows the header. field : version type : uint8 length : 1 multiple : false desc : ISAKMP version. field : major_version type : uint8 length : 1 multiple : false desc : The value indicates the major version of the IKE protocol in use. field : minor_version type : uint8 length : 1 multiple : false desc : The value indicates the minor version of the IKE protocol in use. field : exchange_type type : uint8 length : 1 multiple : false desc : The value indicates the type of exchange being used. field : flags type : uint8 length : 1 multiple : false desc : The value indicates specific options that are set for the message. field : message_id type : uint32 length : 4 multiple : false desc : The message identifier used to control retransmission of lost packets and matching of requests and responses. field : length type : uint32 length : 4 multiple : false desc : The length of total message (header + payloads) in octets. 4.3.23 l2tp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : zero type : uint32 length : 4 multiple : false desc : L2TP over IP uses the reserved Session ID of zero (0) when sending control messages. field : flags type : uint16 length : 2 multiple : false desc : The flags value. field : type_bit type : uint16 length : 2 multiple : false desc : The Type (T) bit indicates the type of message. It is set to 0 for a data message and 1 for a control message. field : length_bit type : uint16 length : 2 multiple : false desc : If the Length (L) bit is 1, the Length field is present. This bit MUST be set to 1 for control messages. field : sequence_bit type : uint16 length : 2 multiple : false desc : If the Sequence (S) bit is set to 1 the Ns and Nr fields are present. The S bit MUST be set to 1 for control messages. field : offset_bit type : uint16 length : 2 multiple : false desc : If the Offset (O) bit is 1, the Offset Size field is present. The O bit MUST be set to 0 (zero) for control messages. field : priority_bit type : uint16 length : 2 multiple : false desc : If the Priority (P) bit is 1, this data message should receive preferential treatment in its local queuing and transmission. field : version type : uint16 length : 2 multiple : false desc : The protocol version. MUST be 2, indicating the version of the L2TP data message header described in this document. The value 1 is reserved field : length type : uint16 length : 2 multiple : false desc : The Length field indicates the total length of the message in octets, always calculated from the start of the control message header itself (beginning with the T bit). field : tunnel_id type : uint16 length : 2 multiple : false desc : The identifier for the control connection. L2TP tunnels are named by identifiers that have local significance only. field : control_connection_id type : uint32 length : 4 multiple : false desc : The identifier for the control connection. L2TP control connections are named by identifiers that have local significance only. field : ns type : uint16 length : 2 multiple : false desc : Ns indicates the sequence number for this control message, beginning at zero and incrementing by one (modulo 2**16) for each message sent. field : nr type : uint16 length : 2 multiple : false desc : Nr indicates the sequence number expected in the next control message to be received. field : offset type : uint16 length : 2 multiple : false desc : The value specifies the number of octets past the L2TP header at which the payload data is expected to start. field : offset_padding type : byte-sequence length : variable multiple : false desc : The padding data. field : reserved type : uint8 length : 1 multiple : false desc : The reserved field for future extensions. field : session_id type : byte-sequence length : variable multiple : false desc : The identifier for a session within a tunnel. L2TP sessions are named by identifiers that have local significance only. field : control_data type : byte-sequence length : variable multiple : false desc : The control data. field : data type : byte-sequence length : variable multiple : false desc : The L2TP payload data. 4.3.24 mdns ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : dns_message_length type : uint16 length : 2 multiple : false desc : Dns message length - is presented only for tcp transport. field : id type : uint16 length : 2 multiple : false desc : A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied the corresponding reply and can be used by the requester to match up replies to outstanding queries. field : qr type : 16-bit-field length : 2 multiple : false desc : Bit specifies message type. Query (0), response (1). field : opcode type : 16-bit-field length : 2 multiple : false desc : A four bit field that specifies kind of query in this message. This value is set by the originator of a query and copied into the response. The values are: 0 (standard query), 1 (inverse query), 2 (server status request), 3-15 (reserved for future use). field : aa type : 16-bit-field length : 2 multiple : false desc : Authoritative Answer - this bit is valid in responses, and specifies that the responding name server is an authority for the domain name in question section. field : tc type : 16-bit-field length : 2 multiple : false desc : TrunCation - specifies that this message was truncated due to length greater than that permitted on the transmission channel. field : rd type : 16-bit-field length : 2 multiple : false desc : Recursion Desired - this bit may be set in a query and is copied into the response. If RD is set, it directs the name server to pursue the query recursively. Recursive query support is optional. field : ra type : 16-bit-field length : 2 multiple : false desc : Recursion Available - this be is set or cleared in a response, and denotes whether recursive query support is available in the name server. field : z type : 16-bit-field length : 2 multiple : false desc : Reserved for future use. Must be zero in all queries and responses. field : rcode type : 16-bit-field length : 2 multiple : false desc : Response code - this 4 bit field is set as part of responses. The values have the following interpretation:0 (No error condition), 1 (Format error - The name server was unable to interpret the query), 2 (Server failure - The name server was unable to process this query due to a problem with the name server), 3 (Name Error - Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist), 4 (Not Implemented - The name server does not support the requested kind of query), 5 (Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data), 6-15 (Reserved for future use). field : qdcount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of entries in the question section. field : ancount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of resource records in the answer section. field : nscount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of name server resource records in the authority records section. field : arcount type : uint16 length : 2 multiple : false desc : An unsigned 16 bit integer specifying the number of resource records in the additional records section. field : queries type : byte-sequence length : variable multiple : false desc : Question section. field : query type : byte-sequence length : variable multiple : true desc : Query record. field : qname type : byte-sequence length : variable multiple : true desc : A domain name represented as a sequence of labels, where each label consists of a length octet followed by that number of octets. The domain name terminates with the zero length octet for the null label of the root. Note that this field may be an odd number of octets; no padding is used. field : qtype type : uint16 length : 2 multiple : true desc : A two octet code which specifies the type of the query. The values for this field include all codes valid for a TYPE field, together with some more general codes which can match more than one type of RR. field : qclass type : 16-bit-field length : 2 multiple : true desc : 15 bits code that specifies the class of the query. For example, the QCLASS field is IN for the Internet. field : unicast_response type : 16-bit-field length : 2 multiple : true desc : 1 bit unicast response flag. When this bit is set in a question, it indicates that the querier is willing to accept unicast replies in response to this specific query, as well as the usual multicast responses. field : answers type : byte-sequence length : variable multiple : false desc : Answer section. field : authority_records type : byte-sequence length : variable multiple : false desc : Authority records section. field : additional_records type : byte-sequence length : variable multiple : false desc : Additional records section. field : record type : byte-sequence length : variable multiple : true desc : Resource record. field : domain_name type : byte-sequence length : variable multiple : true desc : A domain name to which this resource record pertains. field : domain_name_label_length type : uint8 length : 1 multiple : true desc : A domain name label length. field : domain_name_label type : ascii-string length : variable multiple : true desc : A domain name label. field : domain_name_pointer type : uint16 length : 2 multiple : true desc : A domain name pointer. field : domain_name_offset type : 16-bit-field length : 2 multiple : true desc : A domain name offset. field : rdata_type type : uint16 length : 2 multiple : true desc : Specifies the meaning of the data in the rdata. field : rdata_class type : 16-bit-field length : 2 multiple : true desc : Specifies the class of the data in the rdata. field : cache_flush type : 16-bit-field length : 2 multiple : true desc : Announcements to flush outdated cache entries. field : ttl type : uint32 length : 4 multiple : true desc : Specifies the time interval (in seconds) that the resource record may be cached before it should be discarded. field : rd_length type : uint16 length : 2 multiple : true desc : Specifies the length in octets of the rdata. field : rdata type : byte-sequence length : variable multiple : true desc : A variable length string of octets that describes the resource. field : nsdname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which should be authoritative for the specified class and domain. field : mb_madname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which has the specified mailbox. field : md_madname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which has a mail agent for the domain which should be able to deliver mail for the domain. field : mf_madname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host which has a mail agent for the domain which will accept mail for forwarding to the domain. field : cname type : byte-sequence length : variable multiple : true desc : A domain name which specifies the canonical or primaryname for the owner. field : mgname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is a member of the mail group specified by the domain name. field : newname type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is the proper rename of the specified mailbox. field : ptrdname type : byte-sequence length : variable multiple : true desc : A domain name which points to some location in the domain name space. field : preference type : uint16 length : 2 multiple : true desc : Specifies the preference given to this RR among others at the same owner. field : exchange type : byte-sequence length : variable multiple : true desc : A domain name which specifies a host willing to act as mail exchange for the owner name. field : rmailbx type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is responsible for the mailing list or mailbox. field : emailbx type : byte-sequence length : variable multiple : true desc : A domain name which specifies a mailbox which is to receive error messages related to the mailing list or mailbox specified by the owner of the MINFO RR. field : txt_length type : uint8 length : 1 multiple : true desc : Txt string length. field : txt type : ascii-string length : variable multiple : true desc : One or more character string(s). are used to hold descriptive text. the semantics of the text depends on the domain where it is found. field : mname type : byte-sequence length : variable multiple : true desc : A domain name of the name server that was the original or primary source of data for this zone. field : rname type : byte-sequence length : variable multiple : true desc : A domain name which specifies the mailbox of the person responsible for this zone. field : serial type : uint32 length : 4 multiple : true desc : Version number of the original copy of the zone. zone transfers preserve this value. field : refresh type : uint32 length : 4 multiple : true desc : Time interval before the zone should be refreshed. field : retry type : uint32 length : 4 multiple : true desc : Time interval that should elapse before a failed refresh should be retried. field : expire type : uint32 length : 4 multiple : true desc : Time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative. field : minimum type : uint32 length : 4 multiple : true desc : Minimum ttl field that should be exported with any RR from this zone. field : address type : uint32 length : 4 multiple : true desc : Internet address. field : null_data type : byte-sequence length : variable multiple : true desc : Any data. Null section. field : cpu_length type : uint8 length : 1 multiple : true desc : CPU string length. field : cpu type : ascii-string length : variable multiple : true desc : A character-string which specifies the cpu type. field : os_length type : uint8 length : 1 multiple : true desc : OS string length. field : os type : ascii-string length : variable multiple : true desc : A character-string which specifies the operating system type. field : wks_address type : uint32 length : 4 multiple : true desc : Internet address. field : protocol type : uint8 length : 1 multiple : true desc : IP protocol number. field : bit_mask type : byte-sequence length : variable multiple : true desc : Bit map has one bit per port of the specified protocol. field : aaaa type : byte-sequence length : 16 multiple : true desc : A 128 bit IPv6 address in network byte order (high-order byte first). field : prefix_length type : uint8 length : 1 multiple : true desc : A prefix length, encoded as an eight-bit unsigned integer with value between 0 and 128 inclusive. field : address_suffix type : byte-sequence length : 16 multiple : true desc : An IPv6 address suffix, encoded in network order (high-order octet first). field : prefix_name type : byte-sequence length : variable multiple : true desc : The name of the prefix, encoded as a domain name. field : svc_priority type : uint16 length : 2 multiple : true desc : The priority of the record (relative to others, with lower values preferred). A value of 0 indicates AliasMode. field : target_name type : byte-sequence length : variable multiple : true desc : The domain name of either the alias target (for AliasMode) or the alternative endpoint (for ServiceMode). field : svc_param type : byte-sequence length : variable multiple : true desc : A list of key=value pairs describing the alternative endpoint at TargetName (only used in ServiceMode and otherwise ignored). field : svc_param_key type : uint16 length : 2 multiple : true desc : The SVC paramater key. The key specifies the param value format. field : svc_param_value_length type : uint16 length : 2 multiple : true desc : The length of param value data section. field : svc_param_value type : byte-sequence length : variable multiple : true desc : The param value data section. field : alpn_length type : uint8 length : 1 multiple : true desc : The ALPN value length. field : alpn type : ascii-string length : variable multiple : true desc : The Application-Layer Protocol Negotiation (ALPN) protocol identifiers [ALPN] and associated transport protocols supported by this service endpoint. field : port type : uint16 length : 2 multiple : true desc : The TCP or UDP port that should be used to reach this alternative endpoint. If this key is not present, clients SHALL use the authority endpoint's port number. field : ipv4 type : uint32 length : 4 multiple : true desc : The IPv4 address that clients MAY use to reach the service. field : ipv6 type : byte-sequence length : 16 multiple : true desc : The IPv6 address that clients MAY use to reach the service. 4.3.25 ntp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. 4.3.26 openvpn ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : packet_length type : uint16 length : 2 multiple : false desc : The packet length field. Tcp transport only. Since TCP is a stream protocol, this packet length defines the packetization of the stream. field : opcode type : uint8 length : 1 multiple : false desc : The package message type. field : key_id type : uint8 length : 1 multiple : false desc : The value refers to an already negotiated TLS session. field : peer_id type : byte-sequence length : variable multiple : false desc : The unique peer identificator. field : session_id type : byte-sequence length : variable multiple : false desc : The random 64 bit value to identify TLS session. field : hmac type : byte-sequence length : variable multiple : false desc : HMAC signature of entire encapsulation header for HMAC firewall [only if –tls-auth is specified] (usually 16 or 20 bytes). field : packet_id type : uint32 length : 4 multiple : false desc : The value is used for replay protection. field : net_time type : uint32 length : 4 multiple : false desc : The net time value. field : message_packet_id_array_element_count type : uint8 length : 1 multiple : false desc : The acknowledgment packet-id array length. field : message_packet_id_array type : byte-sequence length : variable multiple : false desc : The acknowledgment packet-id array. field : message_packet_id_array_element type : uint32 length : 4 multiple : false desc : The acknowledgment packet-id array element. field : message_packet_id type : uint32 length : 4 multiple : false desc : The packet-id of this message. field : remote_session_id type : byte-sequence length : variable multiple : false desc : The acknowledgment remote session-id. field : data type : byte-sequence length : variable multiple : false desc : TLS payload ciphertext (n bytes) (only for P_CONTROL_V1). field : wkc_length type : uint16 length : 2 multiple : false desc : The wrapped client key length. field : wkc type : byte-sequence length : variable multiple : false desc : The wrapped client key. field : message_fragment type : byte-sequence length : variable multiple : false desc : The message fragment data. 4.3.27 ospf ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint8 length : 1 multiple : false desc : The version number of the protocol. field : type type : uint8 length : 1 multiple : false desc : The type of OSPF packet, such as Link state Update or Hello Packet. field : packet_length type : uint16 length : 2 multiple : false desc : The length of the entire OSPF packet in bytes, including the standard OSPF packet header. field : router_id type : uint32 length : 4 multiple : false desc : The identity of the router itself (who is originating the packet). field : ared_id type : uint32 length : 4 multiple : false desc : The OSPF area that the packet is being sent into. field : checksum type : uint16 length : 2 multiple : false desc : The standard IP 16-bit one's complement checksum of the entire OSPF packet, excluding the 64-bit authentication field. field : au_type type : uint16 length : 2 multiple : false desc : The type of authentication used on the attached network/subnet. field : authentication_data type : uint64 length : 8 multiple : false desc : This configured data allows the authentication procedure to generate and/or verify OSPF protocol packets. field : instance_id type : uint8 length : 1 multiple : false desc : Enables multiple instances of OSPF to be run over a single link. Version 3 only. field : reserved0 type : uint8 length : 1 multiple : false desc : These fields are reserved. Version 3 only. field : data type : byte-sequence length : variable multiple : false desc : Undissected data section. 4.3.28 payload ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : data type : byte-sequence length : variable multiple : false desc : The payload data. 4.3.29 pop3 ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : command type : ascii-string length : variable multiple : false desc : The command name. field : command_argument type : ascii-string length : variable multiple : false desc : The command argument. (Might be absent if command name doesn't require it) field : response type : ascii-string length : variable multiple : false desc : The response pattern (+OK/-ERR). field : response_text type : ascii-string length : variable multiple : false desc : The response description text. field : response_multiline_text type : ascii-string length : variable multiple : false desc : The response multiline text that is located after the response status line. 4.3.30 ppp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : address type : uint8 length : 1 multiple : false desc : The address value. HDLC only. field : control type : uint8 length : 1 multiple : false desc : The control value. HDLC only. field : protocol type : uint16 length : 2 multiple : false desc : The protocol identificator. 4.3.31 pppoe ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint16 length : 2 multiple : false desc : The protocol version. Must be set to 0x01. field : type type : uint16 length : 2 multiple : false desc : The type value. Must be set to 0x01. field : code type : uint16 length : 2 multiple : false desc : The code value. field : session_id type : uint16 length : 2 multiple : false desc : The session identificator. The value is used for discovery packets. field : length type : uint16 length : 2 multiple : false desc : The length of PPPoE payload. It does not include the length of the Ethernet or PPPoE headers. field : data type : byte-sequence length : variable multiple : false desc : The PPPoE payload data. 4.3.32 pptp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : length type : uint16 length : 2 multiple : false desc : Total length in octets of this PPTP message, including the entire PPTP header. field : message_type type : uint16 length : 2 multiple : false desc : The message type. Control/Management. field : magic_cookie type : uint32 length : 4 multiple : false desc : The Magic Cookie is always sent as the constant 0x1A2B3C4D. Its basic purpose is to allow the receiver to ensure that it is properly synchronized with the TCP data stream. field : control_message_type type : uint16 length : 2 multiple : false desc : The control connection message type. The value defines the message structure. field : reserved0 type : uint16 length : 2 multiple : false desc : The reserved field. 4.3.33 quic ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : header type : uint8 length : 1 multiple : false desc : Quic header. The structure of header can be different between different packet types. field : header_form type : 8-bit-field length : 1 multiple : false desc : The field specifies header type. It is set to 0 for short headers and is set to 1 for long headers. field : retry_unused type : 8-bit-field length : 1 multiple : false desc : Unused header bits of retry packet. field : version_negotiation_unused type : 8-bit-field length : 1 multiple : false desc : Unused header bits of version negotiation packet. field : spin_bit type : 8-bit-field length : 1 multiple : false desc : The latency spin bit, which is defined for 1-RTT packets, enables passive latency monitoring from observation points on the network path throughout the duration of a connection. field : fixed_bit type : 8-bit-field length : 1 multiple : false desc : Packets containing a zero value for this bit are not valid packets in this version and MUST be discarded. A value of 1 for this bit allows QUIC to coexist with other protocols; field : long_packet_type type : 8-bit-field length : 1 multiple : false desc : The field specifies packet type in the long header. Initial (0), 0-RTT (1), Handshake (2), Retry (3). field : protected_reserved_bits type : 8-bit-field length : 1 multiple : false desc : Reserved header bits of 0-RTT and Handshake packets. The field is protected. field : protected_1rtt_reserved_bits type : 8-bit-field length : 1 multiple : false desc : Reserved header bits of 1-RTT packet. The field is protected. field : protected_key_phase type : 8-bit-field length : 1 multiple : false desc : The field indicates the key phase, which allows a recipient of a packet to identify the packet protection keys that are used to protect the packet. The field is protected. field : protected_packet_number_length type : 8-bit-field length : 1 multiple : false desc : The field specifies the size of packet number length field. The field is protected. The field is protected. field : unprotected_reserved_bits type : 8-bit-field length : 1 multiple : false desc : Reserved header bits of 0-RTT and Handshake packets. The field is presented only inside a decrypted layer because the field data is protected. field : unprotected_1rtt_reserved_bits type : 8-bit-field length : 1 multiple : false desc : Reserved header bits of 1-RTT packet. The field is presented only inside a decrypted layer because the field data is protected. field : unprotected_key_phase type : 8-bit-field length : 1 multiple : false desc : The field indicates the key phase, which allows a recipient of a packet to identify the packet protection keys that are used to protect the packet. The field is presented only inside a decrypted layer because the field data is protected. field : unprotected_packet_number_length type : 8-bit-field length : 1 multiple : false desc : The field specifies the size of packet number length field. The field is presented only inside a decrypted layer because the field data is protected. field : version type : uint32 length : 4 multiple : false desc : The QUIC Version is a 32-bit field that follows the first byte. This field indicates the version of QUIC that is in use and determines how the rest of the protocol fields are interpreted. field : destination_connection_id_length type : byte-sequence length : variable multiple : false desc : The length of destination connection id field. field : destination_connection_id type : byte-sequence length : variable multiple : false desc : The destination connection id. field : source_connection_id_length type : byte-sequence length : variable multiple : false desc : The length of source connection id field. field : source_connection_id type : byte-sequence length : variable multiple : false desc : The source connection id. field : token_length type : byte-sequence length : variable multiple : false desc : A variable-length integer specifying the length of the Token field, in bytes. This value is 0 if no token is present. field : token type : byte-sequence length : variable multiple : false desc : The value of the token that was previously provided in a Retry packet or NEW_TOKEN frame. field : supported_version type : uint32 length : 4 multiple : false desc : Supported version. field : length type : byte-sequence length : variable multiple : false desc : This is the length of the remainder of the packet (that is, the Packet Number and Payload fields) in bytes, encoded as a variable-length integer. field : packet_data type : byte-sequence length : variable multiple : false desc : Packet data section - includes packet number and packet payload fields. field : packet_number type : byte-sequence length : variable multiple : false desc : This field is 1 to 4 bytes long. The field is presented only inside a decrypted layer because the field data is protected. field : protected_data type : byte-sequence length : variable multiple : false desc : The "abstract" field which is presented for the data section which cannot be dissected. E.g. when session context or Initial packet of the session are missed. field : retry_token type : byte-sequence length : variable multiple : false desc : An opaque token that the server can use to validate the client's address. field : retry_integrity_tag type : byte-sequence length : 16 multiple : false desc : The Retry Integrity Tag is a 128-bit field that is computed as the output of AEAD_AES_128_GCM. field : frame type : byte-sequence length : variable multiple : true desc : Frame section. The payload of QUIC packets, after removing packet protection, consists of a sequence of complete frames. field : frame_type type : byte-sequence length : variable multiple : true desc : Frame type. field : padding_data type : byte-sequence length : variable multiple : true desc : The field contains the bytes of padding frame types. The field exists for brevity purposes to not pollute padding fields. field : largest_acknowledged type : byte-sequence length : variable multiple : true desc : A variable-length integer representing the largest packet number the peer is acknowledging; this is usually the largest packet number that the peer has received prior to generating the ACK frame. field : ack_delay type : byte-sequence length : variable multiple : true desc : A variable-length integer encoding the acknowledgment delay in microseconds. field : ack_range_count type : byte-sequence length : variable multiple : true desc : A variable-length integer specifying the number of ACK Range fields in the frame. field : first_ack_range type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the number of contiguous packets preceding the Largest Acknowledged that are being acknowledged. field : ack_range type : byte-sequence length : variable multiple : true desc : Contains additional ranges of packets that are alternately not acknowledged (Gap) and acknowledged (ACK Range). field : gap type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the number of contiguous unacknowledged packets preceding the packet number one lower than the smallest in the preceding ACK Range. field : ack_range_length type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the number of contiguous acknowledged packets preceding the largest packet number, as determined by the preceding Gap. field : ecn_counts type : byte-sequence length : variable multiple : true desc : The three ECN counts. ECN counts are only present when the ACK frame type is 0x03. field : ect_0_count type : byte-sequence length : variable multiple : true desc : A variable-length integer representing the total number of packets received with the ECT(0) codepoint in the packet number space of the ACK frame. field : ect_1_count type : byte-sequence length : variable multiple : true desc : A variable-length integer representing the total number of packets received with the ECT(1) codepoint in the packet number space of the ACK frame. field : ecn_ce_count type : byte-sequence length : variable multiple : true desc : A variable-length integer representing the total number of packets received with the ECN-CE codepoint in the packet number space of the ACK frame. field : reset_stream_id type : byte-sequence length : variable multiple : true desc : A variable-length integer encoding of the stream ID of the stream being terminated. field : stop_stream_id type : byte-sequence length : variable multiple : true desc : A variable-length integer carrying the stream ID of the stream being ignored. field : max_data_stream_id type : byte-sequence length : variable multiple : true desc : The stream ID of the affected stream, encoded as a variable-length integer. field : blocked_stream_id type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the stream that is blocked due to flow control. field : stream_id type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the stream ID of the stream. field : reset_application_protocol_error_code type : byte-sequence length : variable multiple : true desc : A variable-length integer containing the application protocol error code (see Section 20.2) that indicates why the stream is being closed. field : stop_application_protocol_error_code type : byte-sequence length : variable multiple : true desc : A variable-length integer containing the application-specified reason the sender is ignoring the stream. field : final_size type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the final size of the stream by the RESET_STREAM sender, in units of bytes. field : crypto_offset type : byte-sequence length : variable multiple : true desc : A variable-length integer specifying the byte offset in the stream for the data in this CRYPTO frame. field : crypto_data_length type : byte-sequence length : variable multiple : true desc : A variable-length integer specifying the length of the Crypto Data field in this CRYPTO frame. field : crypto_data type : byte-sequence length : variable multiple : true desc : The cryptographic message data. field : maximum_data type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the maximum amount of data that can be sent on the entire connection, in units of bytes. field : blocked_maximum_data type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the connection-level limit at which blocking occurred. field : maximum_stream_data type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the maximum amount of data that can be sent on the identified stream, in units of bytes. field : blocked_maximum_stream_data type : byte-sequence length : variable multiple : true desc : A variable-length integer indicating the maximum amount of data that can be sent on the identified stream, in units of bytes. field : cumulative_maximum_streams type : byte-sequence length : variable multiple : true desc : A count of the cumulative number of streams of the corresponding type that can be opened over the lifetime of the connection. field : allowed_maximum_streams type : byte-sequence length : variable multiple : true desc : A count of the cumulative number of streams of the corresponding type that can be opened over the lifetime of the connection. field : retire_sequence_number type : byte-sequence length : variable multiple : true desc : The sequence number of the connection ID being retired. field : new_sequence_number type : byte-sequence length : variable multiple : true desc : The sequence number assigned to the connection ID by the sender, encoded as a variable-length integer. field : path_challenge_data type : byte-sequence length : 8 multiple : true desc : This 8-byte field contains arbitrary data. field : path_response_data type : byte-sequence length : 8 multiple : true desc : This 8-byte field contains arbitrary data. field : retire_prior_to type : byte-sequence length : variable multiple : true desc : An 8-bit unsigned integer containing the length of the connection ID. field : connection_id_length type : uint8 length : 1 multiple : true desc : An 8-bit unsigned integer containing the length of the connection ID. field : connection_id type : byte-sequence length : variable multiple : true desc : A connection ID of the specified length. field : stateless_reset_token type : byte-sequence length : 16 multiple : true desc : A 128-bit value that will be used for a stateless reset when the associated connection ID is used. field : stream_offset type : byte-sequence length : variable multiple : true desc : A variable-length integer specifying the byte offset in the stream for the data in this STREAM frame. This field is present when the OFF bit is set to 1. When the Offset field is absent, the offset is 0. field : stream_data_length type : byte-sequence length : variable multiple : true desc : A variable-length integer specifying the length of the Stream Data field in this STREAM frame. This field is present when the LEN bit is set to 1. When the LEN bit is set to 0, the Stream Data field consumes all the remaining bytes in the packet. field : stream_data type : byte-sequence length : variable multiple : true desc : The bytes from the designated stream to be delivered. field : error_code type : byte-sequence length : variable multiple : true desc : A variable-length integer that indicates the reason for closing this connection. Error codes for 0x1c and 0x1d frame types have different description. field : triggered_frame_type type : byte-sequence length : variable multiple : true desc : A variable-length integer encoding the type of frame that triggered the error. A value of 0 (equivalent to the mention of the PADDING frame) is used when the frame type is unknown. The field is presented only when frame type is 0x1d. field : reason_phrase_length type : byte-sequence length : variable multiple : true desc : A variable-length integer specifying the length of the reason phrase in bytes. field : reason_phrase type : byte-sequence length : variable multiple : true desc : Additional diagnostic information for the closure. This can be zero length if the sender chooses not to give details beyond the Error Code value. 4.3.34 rarp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : htype type : uint16 length : 2 multiple : false desc : Hardware type. (Network link protocol type) field : ptype type : uint16 length : 2 multiple : false desc : Protocol type. Specifies internetwork protocol. field : hlen type : uint8 length : 1 multiple : false desc : Hardware address length. (in octets) field : plen type : uint8 length : 1 multiple : false desc : Protocol length. (Internetwork addresses length; in octets) field : op type : uint16 length : 2 multiple : false desc : Operation. 1: request, 2: reply. field : sha type : byte-sequence length : variable multiple : false desc : Sender hardware address. In request, indicates the address of the host sending the request. In reply, indicates the address of the host that the request was looking for. field : spa type : byte-sequence length : variable multiple : false desc : Sender protocol address. (Internetwork address of the sender) field : tha type : byte-sequence length : variable multiple : false desc : Target hardware address. In request, this field is not used. In reply, indicates the address of the host that originated the ARP request. field : tpa type : byte-sequence length : variable multiple : false desc : Target protocol address. (Internetwork address of the intended receiver) field : data type : byte-sequence length : variable multiple : false desc : The unmapped data which is following after ARP header. 4.3.35 rtcp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint8 length : 1 multiple : false desc : Identifies the version of RTP, which is the same in RTCP packets as in RTP data packets. field : padding_flag type : uint8 length : 1 multiple : false desc : If the padding bit is set, this individual RTCP packet contains some additional padding octets at the end which are not part of the control information but are included in the length field. field : count type : uint8 length : 1 multiple : false desc : For Sender/Receiver report - the number of reception report blocks contained in this packet. For Source Description - the number of SSRC/CSRC chunks contained in this SDES packet. For Goodbye - the number of SSRC/CSRC identifiers. field : sub_type type : uint8 length : 1 multiple : false desc : The field allows a set of APP packets to be defined under one unique name, or for any application-dependent data. field : reserved type : uint8 length : 1 multiple : false desc : The reserved value. field : packet_type type : uint8 length : 1 multiple : false desc : The packet type identifier. field : length type : uint16 length : 2 multiple : false desc : The packet type identifier. field : padding_length type : uint8 length : 1 multiple : false desc : The padding length value. field : padding type : byte-sequence length : variable multiple : false desc : The padding data field : ssrc type : uint32 length : 4 multiple : true desc : The synchronization source identifier for the originator of this SR packet. field : ntp_sec type : uint32 length : 4 multiple : false desc : NTP timestamp, most significant word. Indicates the wallclock time when this report was sent. field : ntp_frac type : uint32 length : 4 multiple : false desc : NTP timestamp, least significant word. Indicates the wallclock time when this report was sent. field : rtp_timestamp type : uint32 length : 4 multiple : false desc : Corresponds to the same time as the NTP timestamp, but in the same units and with the same random offset as the RTP timestamps in data packets. field : sender_packet_count type : uint32 length : 4 multiple : false desc : The total number of RTP data packets transmitted by the sender since starting transmission up until the time this SR packet was generated. field : sender_octet_count type : uint32 length : 4 multiple : false desc : The total number of payload octets (i.e., not including header or padding) transmitted in RTP data packets by the sender since starting transmission up until the time this SR packet was generated. field : profile_specific_extensions type : byte-sequence length : variable multiple : false desc : The Profile Specific Extensions data section. field : reception_report_block type : byte-sequence length : variable multiple : true desc : The reception report block data section field : reception_report_ssrc type : uint32 length : 4 multiple : true desc : The SSRC identifier of the source to which the information in this reception report block pertains. field : fraction type : uint8 length : 1 multiple : true desc : The fraction of RTP data packets from source SSRC_n lost since the previous SR or RR packet was sent, expressed as a fixed point number with the binary point at the left edge of the field. field : lost type : byte-sequence length : 3 multiple : true desc : The total number of RTP data packets from source SSRC that have been lost since the beginning of reception. Signed number. field : last_sequence type : uint32 length : 4 multiple : true desc : The low 16 bits contain the highest sequence number received in an RTP data packet from source SSRC_n, and the most significant 16 bits extend that sequence number with the corresponding count of sequence number cycles. field : jitter type : uint32 length : 4 multiple : true desc : An estimate of the statistical variance of the RTP data packet interarrival time, measured in timestamp units and expressed as an unsigned integer. field : lsr type : uint32 length : 4 multiple : true desc : The middle 32 bits out of 64 in the NTP timestamp received as part of the most recent RTCP sender report (SR) packet from source SSRC_n. If no SR has been received yet, the field is set to zero. field : dlsr type : uint32 length : 4 multiple : true desc : The delay, expressed in units of 1/65536 seconds, between receiving the last SR packet from source SSRC_n and sending this reception report block. field : chunk type : byte-sequence length : variable multiple : true desc : The chunk section. field : sdes type : byte-sequence length : variable multiple : true desc : The sdes items. field : sdes_type type : uint8 length : 1 multiple : true desc : The SDES item type. field : sdes_length type : uint8 length : 1 multiple : true desc : The SDES item length. field : sdes_data type : byte-sequence length : variable multiple : true desc : The SDES data. field : reason_length type : uint8 length : 1 multiple : false desc : The GoodBye reason length. field : reason type : ascii-string length : variable multiple : false desc : The GoodBye reason of leaving field : application_name type : ascii-string length : 4 multiple : false desc : A name chosen by the person defining the set of APP packets to be unique with respect to other APP packets this application might receive. field : application_data type : byte-sequence length : variable multiple : false desc : Application-dependent data may or may not appear in an APP packet. It is interpreted by the application and not RTP itself. It MUST be a multiple of 32 bits long. field : summarized_ssrc type : uint32 length : 4 multiple : false desc : The SSRC (of the Media Sender) of which this report contains a summary. field : sub_report_blocks type : byte-sequence length : variable multiple : false desc : The sub-report blocks section. field : data type : byte-sequence length : variable multiple : false desc : The data section of not dissected data, e.g. encrypted data of SRTCP. 4.3.36 rtp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint8 length : 1 multiple : false desc : RTP version. field : padding_flag type : uint8 length : 1 multiple : false desc : If the padding bit is set, the packet contains one or more additional padding octets at the end which are not part of the payload. The last octet of the padding contains a count of how many padding octets should be ignored. field : extension_flag type : uint8 length : 1 multiple : false desc : If the extension bit is set, the fixed header is followed by exactly one header extension. field : csrc_count type : uint8 length : 1 multiple : false desc : The CSRC count contains the number of CSRC identifiers that follow the fixed header. field : marker type : uint8 length : 1 multiple : false desc : The interpretation of the marker is defined by a profile. It is intended to allow significant events such as frame boundaries to be marked in the packet stream. field : payload_type type : uint8 length : 1 multiple : false desc : This field identifies the format of the RTP payload and determines its interpretation by the application. A profile specifies a default static mapping of payload type codes to payload formats. Additional payload type codes may be defined dynamically through non-RTP means. field : sequence_number type : uint16 length : 2 multiple : false desc : The sequence number increments by one for each RTP data packet sent, and may be used by the receiver to detect packet loss and to restore packet sequence. field : timestamp type : uint32 length : 4 multiple : false desc : The timestamp reflects the sampling instant of the first octet in the RTP data packet. field : ssrc type : uint32 length : 4 multiple : false desc : Synchronization source identificator. This identifier is chosen randomly, with the intent that no two synchronization sources within the same RTP session will have the same SSRC identifier. field : csrc_list type : byte-sequence length : variable multiple : false desc : The CSRC list identifies the contributing sources for the payload contained in this packet. field : csrc type : uint32 length : 4 multiple : false desc : The contributing source identificator. field : extension type : byte-sequence length : variable multiple : false desc : The extension section. field : extension_profile type : uint16 length : 2 multiple : false desc : The defined by profile. field : extension_length type : uint16 length : 2 multiple : false desc : The extension data length. It specifies the count of 4 byte blocks. field : extension_data type : byte-sequence length : variable multiple : false desc : The extension data. field : data type : byte-sequence length : variable multiple : false desc : RTP packet data. field : padding type : byte-sequence length : variable multiple : false desc : RTP padding data. field : padding_length type : uint8 length : 1 multiple : false desc : RTP padding length. 4.3.37 sftp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : command type : ascii-string length : variable multiple : false desc : The command name. field : command_value type : ascii-string length : variable multiple : false desc : The command argument. (Might be absent if command name doesn't require it) field : retr_pathname type : ascii-string length : variable multiple : false desc : Pathname value of RETR (retrieve) command. field : username type : ascii-string length : variable multiple : false desc : Username value of USER (user) command. field : password type : ascii-string length : variable multiple : false desc : Password value of PASS (password) command. field : code type : ascii-string length : variable multiple : false desc : The response char indicator: +/-/ /!. field : code_value type : ascii-string length : variable multiple : false desc : The response code message. 4.3.38 sip ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : method type : ascii-string length : variable multiple : false desc : The method token indicates the method to be performed on the resource identified by the Request-URI. field : uri type : ascii-string length : variable multiple : false desc : The part of HTTP request line which describes the exact location of a page, post, file, or other asset with request parameters. field : url type : ascii-string length : variable multiple : false desc : The part of HTTP request line which describes the exact location of a page, post, file, or other asset without request parameters. field : status_code type : ascii-string length : variable multiple : false desc : The part of HTTP response status line which is presented as a 3-digit integer number of the attempt to understand and satisfy the request. field : reason_phrase type : ascii-string length : variable multiple : false desc : The part of HTTP response status line which describes status code. field : version type : ascii-string length : variable multiple : false desc : The version of an HTTP message. field : header type : ascii-string length : variable multiple : true desc : An HTTP header consists of its case-insensitive name followed by a colon ( : ), then by its value. The fields pass additional context and metadata about the request or response. field : content_length type : ascii-string length : variable multiple : true desc : The value of Content-Length header. field : content_type type : ascii-string length : variable multiple : true desc : The value of Content-Type header. field : upgrade type : ascii-string length : variable multiple : true desc : The value of Upgrade header. field : host type : ascii-string length : variable multiple : true desc : The value of Host header. field : proxy_authenticate type : ascii-string length : variable multiple : true desc : The value of Proxy-Authenticate header. field : proxy_authorization type : ascii-string length : variable multiple : true desc : The value of Proxy-Authorization header. field : referer type : ascii-string length : variable multiple : true desc : The value of Referer header. field : user_agent type : ascii-string length : variable multiple : true desc : The value of User-Agent header. field : content_disposition type : ascii-string length : variable multiple : true desc : The value of Content-Disposition header. field : file_type type : ascii-string length : variable multiple : true desc : The part of Content-Type value which specifies file type. field : file_name type : ascii-string length : variable multiple : true desc : The part of Content-Disposition value which specifies file name. field : via type : ascii-string length : variable multiple : true desc : The value of Via header. field : from type : ascii-string length : variable multiple : true desc : The value of From header. field : from_user type : ascii-string length : variable multiple : true desc : The user value of SIP URL part of From header value. field : from_host type : ascii-string length : variable multiple : true desc : The host value of SIP URL part of From header value. field : from_ip type : ascii-string length : variable multiple : true desc : The IP value of SIP URL part of From header value. The value is presented if host value has IP format. field : from_phone type : ascii-string length : variable multiple : true desc : The phone value of SIP URL part of From header value. The value is presented if host value has phone format (contains only digits, '+' sign is allowed at the begging of the value). field : to type : ascii-string length : variable multiple : true desc : The value of To header. field : to_user type : ascii-string length : variable multiple : true desc : The user value of SIP URL part of To header value. field : to_host type : ascii-string length : variable multiple : true desc : The host value of SIP URL part of To header value. field : to_ip type : ascii-string length : variable multiple : true desc : The IP value of SIP URL part of To header value. The value is presented if host value has IP format. field : to_phone type : ascii-string length : variable multiple : true desc : The phone value of SIP URL part of To header value. The value is presented if host value has phone format (contains only digits, '+' sign is allowed at the begging of the value). field : cseq type : ascii-string length : variable multiple : true desc : The value of CSeq header. field : cseq_number type : ascii-string length : variable multiple : true desc : The sequence number (MUST be expressible as a 32-bit unsigned integer). field : cseq_method type : ascii-string length : variable multiple : true desc : The method part of CSeq (case-sensitive). field : body type : ascii-string length : variable multiple : false desc : HTTP message body. field : chunk type : ascii-string length : variable multiple : true desc : The part of HTTP body. The field is presented when Transfer-Encoding header has 'chunked' value. field : chunk_size type : ascii-string length : variable multiple : true desc : The string of hex digits indicating the size of the chunk. field : chunk_extension type : ascii-string length : variable multiple : true desc : The part of chunk size line. Optional field. field : chunk_data type : ascii-string length : variable multiple : true desc : The data part of chunk. field : trailer type : ascii-string length : variable multiple : true desc : The trailer field allows the sender to include additional HTTP header fields at the end of the message. field : sdp_line type : ascii-string length : variable multiple : true desc : A single line in an SDP message, formatted as =. field : sdp_protocol_version type : ascii-string length : variable multiple : true desc : SDP protocol version (v=). Must be 0. field : sdp_origin type : ascii-string length : variable multiple : true desc : Origin (o=). Identifies the creator of the session. field : sdp_origin_username type : ascii-string length : variable multiple : true desc : Origin username. The user's login on the originating host. field : sdp_origin_session_id type : ascii-string length : variable multiple : true desc : Origin session ID. A numeric string to uniquely identify the session. field : sdp_origin_session_version type : ascii-string length : variable multiple : true desc : Origin session version. Version number for this session description. field : sdp_origin_net_type type : ascii-string length : variable multiple : true desc : Origin network type (e.g., 'IN' for Internet). field : sdp_origin_address_type type : ascii-string length : variable multiple : true desc : Origin address type (e.g., 'IP4' or 'IP6'). field : sdp_origin_unicast_address type : ascii-string length : variable multiple : true desc : Origin unicast address. The IP address of the machine from which the session was created. field : sdp_session_name type : ascii-string length : variable multiple : true desc : Session Name (s=). A textual session name. field : sdp_session_information type : ascii-string length : variable multiple : true desc : Session Information (i=). A textual description of the session. field : sdp_uri type : ascii-string length : variable multiple : true desc : URI (u=). A URI containing more information about the session. field : sdp_email type : ascii-string length : variable multiple : true desc : Email Address (e=). Email of the person responsible for the conference. field : sdp_phone_number type : ascii-string length : variable multiple : true desc : Phone Number (p=). Phone number of the person responsible for the conference. field : sdp_connection_data type : ascii-string length : variable multiple : true desc : Connection Data (c=). Specifies the network and address for the session. field : sdp_connection_data_net_type type : ascii-string length : variable multiple : true desc : Connection Data network type (e.g., 'IN' for Internet). field : sdp_connection_data_address_type type : ascii-string length : variable multiple : true desc : Connection Data address type (e.g., 'IP4' or 'IP6'). field : sdp_connection_data_connection_address type : ascii-string length : variable multiple : true desc : Connection Data address. The base IP address for the media connection. field : sdp_bandwitdth type : ascii-string length : variable multiple : true desc : Bandwidth (b=). Specifies the proposed bandwidth to be used by the session or media. field : sdp_timing type : ascii-string length : variable multiple : true desc : Timing (t=). Specifies the start and stop times for a session. field : sdp_start_time type : ascii-string length : variable multiple : true desc : Timing start time. The time the session is scheduled to start (NTP timestamp). field : sdp_stop_time type : ascii-string length : variable multiple : true desc : Timing stop time. The time the session is scheduled to end (NTP timestamp). field : sdp_repeat_time type : ascii-string length : variable multiple : true desc : Repeat Times (r=). Specifies repeat intervals for the session. field : sdp_repeat_interval type : ascii-string length : variable multiple : true desc : Repeat interval. The time between the start times of two successive repetitions. field : sdp_active_duration type : ascii-string length : variable multiple : true desc : Active duration. How long each repetition of the session lasts. field : sdp_offset_from_start type : ascii-string length : variable multiple : true desc : Offset from start. A list of offsets from the start time for each repetition. field : sdp_time_zone type : ascii-string length : variable multiple : true desc : Time Zones (z=). Lists time zone adjustments for recurring sessions. field : sdp_time_zone_adjustment_time type : ascii-string length : variable multiple : true desc : Time Zone adjustment time. The time when the adjustment happens. field : sdp_time_zone_offset type : ascii-string length : variable multiple : true desc : Time Zone offset. The offset from UTC that applies after the adjustment time. field : sdp_encryption_key type : ascii-string length : variable multiple : true desc : Encryption Keys (k=). Specifies a key for encrypting the media. field : sdp_attribute type : ascii-string length : variable multiple : true desc : Attribute (a=). A session or media-level attribute for extended information. field : sdp_media_description type : ascii-string length : variable multiple : true desc : Media Description (m=). Defines a media stream within a session. field : sdp_media_type type : ascii-string length : variable multiple : true desc : Media type (e.g., 'audio', 'video', 'text', 'application'). field : sdp_media_port type : ascii-string length : variable multiple : true desc : Media port. The transport port to which the media stream is sent. field : sdp_media_proto type : ascii-string length : variable multiple : true desc : Media protocol (e.g., 'RTP/AVP', 'RTP/SAVPF', 'TCP', 'UDP'). field : sdp_media_fmt type : ascii-string length : variable multiple : true desc : Media format. A list of media format identifiers (e.g., payload type numbers). 4.3.39 smtp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : command type : ascii-string length : variable multiple : false desc : The command name. field : command_argument type : ascii-string length : variable multiple : false desc : The command argument. (Might be absent if command name doesn't require it) field : code type : ascii-string length : variable multiple : false desc : The code. field : code_text type : ascii-string length : variable multiple : false desc : The code text. field : data type : ascii-string length : variable multiple : false desc : The multiline data section that is placed after DATA command. 4.3.40 socks ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint8 length : 1 multiple : false desc : The SOCKS protocol version number. field : command_code type : uint8 length : 1 multiple : false desc : The SOCKS command code. field : destination_port type : uint16 length : 2 multiple : false desc : The destination port address. field : destination_ip type : byte-sequence length : variable multiple : false desc : The destination ip address. field : user_id type : byte-sequence length : variable multiple : false desc : The user id. field : destination_domain_name type : byte-sequence length : variable multiple : false desc : For version 4A, if the client cannot resolve the destination host's domain name to find its IP address, it should set the first three bytes of DSTIP to NULL and the last byte to a non-zero value. field : method_count type : uint8 length : 1 multiple : false desc : The number of method identifier octets that appear in the method field. field : method type : uint8 length : 1 multiple : true desc : The server selected method. field : reply type : uint8 length : 1 multiple : false desc : The reply code. field : reserved type : uint8 length : 1 multiple : false desc : The reserved value. field : atyp type : uint8 length : 1 multiple : false desc : The address type of following address. field : domain_name_length type : uint8 length : 1 multiple : false desc : The fully-qualified domain name length. The field depends on atyp value. field : domain_name type : byte-sequence length : variable multiple : false desc : The fully-qualified domain name. The field depends on atyp value. field : bind_address type : byte-sequence length : variable multiple : false desc : The bind adddress. IPv4 or IPv6. field : bind_port type : uint16 length : 2 multiple : false desc : The bind port. field : data type : byte-sequence length : variable multiple : false desc : The unmapped data. The field is presented when message structure detection is failed. field : reserved2 type : uint16 length : 2 multiple : false desc : The reserved value. Socks5 and udp only. field : fragment_number type : uint8 length : 1 multiple : false desc : The fragment number. field : user_data type : byte-sequence length : variable multiple : false desc : The user data. Socks5 and udp only. 4.3.41 srtcp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint8 length : 1 multiple : false desc : Identifies the version of RTP, which is the same in RTCP packets as in RTP data packets. field : padding_flag type : uint8 length : 1 multiple : false desc : If the padding bit is set, this individual RTCP packet contains some additional padding octets at the end which are not part of the control information but are included in the length field. field : count type : uint8 length : 1 multiple : false desc : For Sender/Receiver report - the number of reception report blocks contained in this packet. For Source Description - the number of SSRC/CSRC chunks contained in this SDES packet. For Goodbye - the number of SSRC/CSRC identifiers. field : sub_type type : uint8 length : 1 multiple : false desc : The field allows a set of APP packets to be defined under one unique name, or for any application-dependent data. field : reserved type : uint8 length : 1 multiple : false desc : The reserved value. field : packet_type type : uint8 length : 1 multiple : false desc : The packet type identifier. field : length type : uint16 length : 2 multiple : false desc : The packet type identifier. field : padding_length type : uint8 length : 1 multiple : false desc : The padding length value. field : padding type : byte-sequence length : variable multiple : false desc : The padding data field : ssrc type : uint32 length : 4 multiple : true desc : The synchronization source identifier for the originator of this SR packet. field : ntp_sec type : uint32 length : 4 multiple : false desc : NTP timestamp, most significant word. Indicates the wallclock time when this report was sent. field : ntp_frac type : uint32 length : 4 multiple : false desc : NTP timestamp, least significant word. Indicates the wallclock time when this report was sent. field : rtp_timestamp type : uint32 length : 4 multiple : false desc : Corresponds to the same time as the NTP timestamp, but in the same units and with the same random offset as the RTP timestamps in data packets. field : sender_packet_count type : uint32 length : 4 multiple : false desc : The total number of RTP data packets transmitted by the sender since starting transmission up until the time this SR packet was generated. field : sender_octet_count type : uint32 length : 4 multiple : false desc : The total number of payload octets (i.e., not including header or padding) transmitted in RTP data packets by the sender since starting transmission up until the time this SR packet was generated. field : profile_specific_extensions type : byte-sequence length : variable multiple : false desc : The Profile Specific Extensions data section. field : reception_report_block type : byte-sequence length : variable multiple : true desc : The reception report block data section field : reception_report_ssrc type : uint32 length : 4 multiple : true desc : The SSRC identifier of the source to which the information in this reception report block pertains. field : fraction type : uint8 length : 1 multiple : true desc : The fraction of RTP data packets from source SSRC_n lost since the previous SR or RR packet was sent, expressed as a fixed point number with the binary point at the left edge of the field. field : lost type : byte-sequence length : 3 multiple : true desc : The total number of RTP data packets from source SSRC that have been lost since the beginning of reception. Signed number. field : last_sequence type : uint32 length : 4 multiple : true desc : The low 16 bits contain the highest sequence number received in an RTP data packet from source SSRC_n, and the most significant 16 bits extend that sequence number with the corresponding count of sequence number cycles. field : jitter type : uint32 length : 4 multiple : true desc : An estimate of the statistical variance of the RTP data packet interarrival time, measured in timestamp units and expressed as an unsigned integer. field : lsr type : uint32 length : 4 multiple : true desc : The middle 32 bits out of 64 in the NTP timestamp received as part of the most recent RTCP sender report (SR) packet from source SSRC_n. If no SR has been received yet, the field is set to zero. field : dlsr type : uint32 length : 4 multiple : true desc : The delay, expressed in units of 1/65536 seconds, between receiving the last SR packet from source SSRC_n and sending this reception report block. field : chunk type : byte-sequence length : variable multiple : true desc : The chunk section. field : sdes type : byte-sequence length : variable multiple : true desc : The sdes items. field : sdes_type type : uint8 length : 1 multiple : true desc : The SDES item type. field : sdes_length type : uint8 length : 1 multiple : true desc : The SDES item length. field : sdes_data type : byte-sequence length : variable multiple : true desc : The SDES data. field : reason_length type : uint8 length : 1 multiple : false desc : The GoodBye reason length. field : reason type : ascii-string length : variable multiple : false desc : The GoodBye reason of leaving field : application_name type : ascii-string length : 4 multiple : false desc : A name chosen by the person defining the set of APP packets to be unique with respect to other APP packets this application might receive. field : application_data type : byte-sequence length : variable multiple : false desc : Application-dependent data may or may not appear in an APP packet. It is interpreted by the application and not RTP itself. It MUST be a multiple of 32 bits long. field : summarized_ssrc type : uint32 length : 4 multiple : false desc : The SSRC (of the Media Sender) of which this report contains a summary. field : sub_report_blocks type : byte-sequence length : variable multiple : false desc : The sub-report blocks section. field : data type : byte-sequence length : variable multiple : false desc : The data section of not dissected data, e.g. encrypted data of SRTCP. 4.3.42 srtp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : version type : uint8 length : 1 multiple : false desc : RTP version. field : padding_flag type : uint8 length : 1 multiple : false desc : If the padding bit is set, the packet contains one or more additional padding octets at the end which are not part of the payload. The last octet of the padding contains a count of how many padding octets should be ignored. field : extension_flag type : uint8 length : 1 multiple : false desc : If the extension bit is set, the fixed header is followed by exactly one header extension. field : csrc_count type : uint8 length : 1 multiple : false desc : The CSRC count contains the number of CSRC identifiers that follow the fixed header. field : marker type : uint8 length : 1 multiple : false desc : The interpretation of the marker is defined by a profile. It is intended to allow significant events such as frame boundaries to be marked in the packet stream. field : payload_type type : uint8 length : 1 multiple : false desc : This field identifies the format of the RTP payload and determines its interpretation by the application. A profile specifies a default static mapping of payload type codes to payload formats. Additional payload type codes may be defined dynamically through non-RTP means. field : sequence_number type : uint16 length : 2 multiple : false desc : The sequence number increments by one for each RTP data packet sent, and may be used by the receiver to detect packet loss and to restore packet sequence. field : timestamp type : uint32 length : 4 multiple : false desc : The timestamp reflects the sampling instant of the first octet in the RTP data packet. field : ssrc type : uint32 length : 4 multiple : false desc : Synchronization source identificator. This identifier is chosen randomly, with the intent that no two synchronization sources within the same RTP session will have the same SSRC identifier. field : csrc_list type : byte-sequence length : variable multiple : false desc : The CSRC list identifies the contributing sources for the payload contained in this packet. field : csrc type : uint32 length : 4 multiple : false desc : The contributing source identificator. field : extension type : byte-sequence length : variable multiple : false desc : The extension section. field : extension_profile type : uint16 length : 2 multiple : false desc : The defined by profile. field : extension_length type : uint16 length : 2 multiple : false desc : The extension data length. It specifies the count of 4 byte blocks. field : extension_data type : byte-sequence length : variable multiple : false desc : The extension data. field : data type : byte-sequence length : variable multiple : false desc : RTP packet data. field : padding type : byte-sequence length : variable multiple : false desc : RTP padding data. field : padding_length type : uint8 length : 1 multiple : false desc : RTP padding length. 4.3.43 ssdp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : method type : ascii-string length : variable multiple : false desc : The method token indicates the method to be performed on the resource identified by the Request-URI. field : uri type : ascii-string length : variable multiple : false desc : The part of HTTP request line which describes the exact location of a page, post, file, or other asset with request parameters. field : url type : ascii-string length : variable multiple : false desc : The part of HTTP request line which describes the exact location of a page, post, file, or other asset without request parameters. field : status_code type : ascii-string length : variable multiple : false desc : The part of HTTP response status line which is presented as a 3-digit integer number of the attempt to understand and satisfy the request. field : reason_phrase type : ascii-string length : variable multiple : false desc : The part of HTTP response status line which describes status code. field : version type : ascii-string length : variable multiple : false desc : The version of an HTTP message. field : header type : ascii-string length : variable multiple : true desc : An HTTP header consists of its case-insensitive name followed by a colon ( : ), then by its value. The fields pass additional context and metadata about the request or response. field : content_length type : ascii-string length : variable multiple : true desc : The value of Content-Length header. field : content_type type : ascii-string length : variable multiple : true desc : The value of Content-Type header. field : upgrade type : ascii-string length : variable multiple : true desc : The value of Upgrade header. field : host type : ascii-string length : variable multiple : true desc : The value of Host header. field : proxy_authenticate type : ascii-string length : variable multiple : true desc : The value of Proxy-Authenticate header. field : proxy_authorization type : ascii-string length : variable multiple : true desc : The value of Proxy-Authorization header. field : referer type : ascii-string length : variable multiple : true desc : The value of Referer header. field : user_agent type : ascii-string length : variable multiple : true desc : The value of User-Agent header. field : content_disposition type : ascii-string length : variable multiple : true desc : The value of Content-Disposition header. field : file_type type : ascii-string length : variable multiple : true desc : The part of Content-Type value which specifies file type. field : file_name type : ascii-string length : variable multiple : true desc : The part of Content-Disposition value which specifies file name. field : via type : ascii-string length : variable multiple : true desc : The value of Via header. field : from type : ascii-string length : variable multiple : true desc : The value of From header. field : from_user type : ascii-string length : variable multiple : true desc : The user value of SIP URL part of From header value. field : from_host type : ascii-string length : variable multiple : true desc : The host value of SIP URL part of From header value. field : from_ip type : ascii-string length : variable multiple : true desc : The IP value of SIP URL part of From header value. The value is presented if host value has IP format. field : from_phone type : ascii-string length : variable multiple : true desc : The phone value of SIP URL part of From header value. The value is presented if host value has phone format (contains only digits, '+' sign is allowed at the begging of the value). field : to type : ascii-string length : variable multiple : true desc : The value of To header. field : to_user type : ascii-string length : variable multiple : true desc : The user value of SIP URL part of To header value. field : to_host type : ascii-string length : variable multiple : true desc : The host value of SIP URL part of To header value. field : to_ip type : ascii-string length : variable multiple : true desc : The IP value of SIP URL part of To header value. The value is presented if host value has IP format. field : to_phone type : ascii-string length : variable multiple : true desc : The phone value of SIP URL part of To header value. The value is presented if host value has phone format (contains only digits, '+' sign is allowed at the begging of the value). field : cseq type : ascii-string length : variable multiple : true desc : The value of CSeq header. field : cseq_number type : ascii-string length : variable multiple : true desc : The sequence number (MUST be expressible as a 32-bit unsigned integer). field : cseq_method type : ascii-string length : variable multiple : true desc : The method part of CSeq (case-sensitive). field : body type : ascii-string length : variable multiple : false desc : HTTP message body. field : chunk type : ascii-string length : variable multiple : true desc : The part of HTTP body. The field is presented when Transfer-Encoding header has 'chunked' value. field : chunk_size type : ascii-string length : variable multiple : true desc : The string of hex digits indicating the size of the chunk. field : chunk_extension type : ascii-string length : variable multiple : true desc : The part of chunk size line. Optional field. field : chunk_data type : ascii-string length : variable multiple : true desc : The data part of chunk. field : trailer type : ascii-string length : variable multiple : true desc : The trailer field allows the sender to include additional HTTP header fields at the end of the message. field : sdp_line type : ascii-string length : variable multiple : true desc : A single line in an SDP message, formatted as =. field : sdp_protocol_version type : ascii-string length : variable multiple : true desc : SDP protocol version (v=). Must be 0. field : sdp_origin type : ascii-string length : variable multiple : true desc : Origin (o=). Identifies the creator of the session. field : sdp_origin_username type : ascii-string length : variable multiple : true desc : Origin username. The user's login on the originating host. field : sdp_origin_session_id type : ascii-string length : variable multiple : true desc : Origin session ID. A numeric string to uniquely identify the session. field : sdp_origin_session_version type : ascii-string length : variable multiple : true desc : Origin session version. Version number for this session description. field : sdp_origin_net_type type : ascii-string length : variable multiple : true desc : Origin network type (e.g., 'IN' for Internet). field : sdp_origin_address_type type : ascii-string length : variable multiple : true desc : Origin address type (e.g., 'IP4' or 'IP6'). field : sdp_origin_unicast_address type : ascii-string length : variable multiple : true desc : Origin unicast address. The IP address of the machine from which the session was created. field : sdp_session_name type : ascii-string length : variable multiple : true desc : Session Name (s=). A textual session name. field : sdp_session_information type : ascii-string length : variable multiple : true desc : Session Information (i=). A textual description of the session. field : sdp_uri type : ascii-string length : variable multiple : true desc : URI (u=). A URI containing more information about the session. field : sdp_email type : ascii-string length : variable multiple : true desc : Email Address (e=). Email of the person responsible for the conference. field : sdp_phone_number type : ascii-string length : variable multiple : true desc : Phone Number (p=). Phone number of the person responsible for the conference. field : sdp_connection_data type : ascii-string length : variable multiple : true desc : Connection Data (c=). Specifies the network and address for the session. field : sdp_connection_data_net_type type : ascii-string length : variable multiple : true desc : Connection Data network type (e.g., 'IN' for Internet). field : sdp_connection_data_address_type type : ascii-string length : variable multiple : true desc : Connection Data address type (e.g., 'IP4' or 'IP6'). field : sdp_connection_data_connection_address type : ascii-string length : variable multiple : true desc : Connection Data address. The base IP address for the media connection. field : sdp_bandwitdth type : ascii-string length : variable multiple : true desc : Bandwidth (b=). Specifies the proposed bandwidth to be used by the session or media. field : sdp_timing type : ascii-string length : variable multiple : true desc : Timing (t=). Specifies the start and stop times for a session. field : sdp_start_time type : ascii-string length : variable multiple : true desc : Timing start time. The time the session is scheduled to start (NTP timestamp). field : sdp_stop_time type : ascii-string length : variable multiple : true desc : Timing stop time. The time the session is scheduled to end (NTP timestamp). field : sdp_repeat_time type : ascii-string length : variable multiple : true desc : Repeat Times (r=). Specifies repeat intervals for the session. field : sdp_repeat_interval type : ascii-string length : variable multiple : true desc : Repeat interval. The time between the start times of two successive repetitions. field : sdp_active_duration type : ascii-string length : variable multiple : true desc : Active duration. How long each repetition of the session lasts. field : sdp_offset_from_start type : ascii-string length : variable multiple : true desc : Offset from start. A list of offsets from the start time for each repetition. field : sdp_time_zone type : ascii-string length : variable multiple : true desc : Time Zones (z=). Lists time zone adjustments for recurring sessions. field : sdp_time_zone_adjustment_time type : ascii-string length : variable multiple : true desc : Time Zone adjustment time. The time when the adjustment happens. field : sdp_time_zone_offset type : ascii-string length : variable multiple : true desc : Time Zone offset. The offset from UTC that applies after the adjustment time. field : sdp_encryption_key type : ascii-string length : variable multiple : true desc : Encryption Keys (k=). Specifies a key for encrypting the media. field : sdp_attribute type : ascii-string length : variable multiple : true desc : Attribute (a=). A session or media-level attribute for extended information. field : sdp_media_description type : ascii-string length : variable multiple : true desc : Media Description (m=). Defines a media stream within a session. field : sdp_media_type type : ascii-string length : variable multiple : true desc : Media type (e.g., 'audio', 'video', 'text', 'application'). field : sdp_media_port type : ascii-string length : variable multiple : true desc : Media port. The transport port to which the media stream is sent. field : sdp_media_proto type : ascii-string length : variable multiple : true desc : Media protocol (e.g., 'RTP/AVP', 'RTP/SAVPF', 'TCP', 'UDP'). field : sdp_media_fmt type : ascii-string length : variable multiple : true desc : Media format. A list of media format identifiers (e.g., payload type numbers). 4.3.44 ssh ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. 4.3.45 stun ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : header type : byte-sequence length : variable multiple : false desc : STUN header data. field : message_type type : uint16 length : 2 multiple : false desc : The encoded STUN message type. field : message_length type : uint16 length : 2 multiple : false desc : The message length. field : magic_code type : uint32 length : 4 multiple : false desc : The magic cookie value. field : transaction_id type : byte-sequence length : 12 multiple : false desc : The transaction ID is a 96-bit identifier, used to uniquely identify STUN transactions. field : attribute type : byte-sequence length : variable multiple : true desc : The attribute data (header is included). field : attribute_type type : uint16 length : 2 multiple : true desc : The identificator of attribute type which specifies the value structure. field : attribute_length type : uint16 length : 2 multiple : true desc : The attribute value length. field : attribute_value type : byte-sequence length : variable multiple : true desc : The attribute value data. field : attribute_padding type : byte-sequence length : variable multiple : true desc : The padding data of attribute value. The attribute value length has to be aligned for 4 bytes. 4.3.46 tcp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : port type : uint16 length : 2 multiple : true desc : The port number (source, destination). field : src_port type : uint16 length : 2 multiple : false desc : The source port number. field : dst_port type : uint16 length : 2 multiple : false desc : The destination port number. field : sequence_number type : uint32 length : 4 multiple : false desc : The sequence number of the first data octet in this segment (except when SYN is present). field : ack_number type : uint32 length : 4 multiple : false desc : If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. field : data_offset type : 8-bit-field length : 1 multiple : false desc : The number of 32 bit words in the TCP Header. field : reserved type : 8-bit-field length : 1 multiple : false desc : Reserved for future use. Must be zero. field : flags type : uint8 length : 1 multiple : false desc : The field which contains tcp flags which are used to indicate a particular state of connection. field : cwr type : 8-bit-field length : 1 multiple : false desc : Congestion Window Reduced flag. field : ece type : 8-bit-field length : 1 multiple : false desc : ECN-Echo flag. field : urg type : 8-bit-field length : 1 multiple : false desc : Urgent Pointer field significant. field : ack type : 8-bit-field length : 1 multiple : false desc : Acknowledgment field significant. field : psh type : 8-bit-field length : 1 multiple : false desc : Push Function. field : rst type : 8-bit-field length : 1 multiple : false desc : Reset the connection. field : syn type : 8-bit-field length : 1 multiple : false desc : Synchronize sequence numbers. field : fin type : 8-bit-field length : 1 multiple : false desc : No more data from sender. field : window_size type : uint16 length : 2 multiple : false desc : The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept. field : checksum type : uint16 length : 2 multiple : false desc : The checksum field is the 16 bit one's complement of the one's complement sum of all 16 bit words in the header and text. field : urgent_pointer type : uint16 length : 2 multiple : false desc : This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. 4.3.47 telnet ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : data type : byte-sequence length : variable multiple : false desc : Stream data. 4.3.48 teredo ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : origin_indication type : byte-sequence length : variable multiple : false desc : The origin indication header section. field : origin_indication_byte0 type : uint8 length : 1 multiple : false desc : The first octet of origin indication header. It has to be 0. field : origin_indication_byte1 type : uint8 length : 1 multiple : false desc : The second octet of origin indication header. It has to be 0. field : origin_indication_port type : 16-bit-field length : 2 multiple : false desc : The obfuscated value of the port number from which the packet was received, in network byte order. Each bit in the port number is reversed. field : origin_indication_ipv4_address type : 32-bit-field length : 4 multiple : false desc : The obfuscated IPv4 address from which the packet was received, in network byte order. Each bit in the ip address is reversed. field : authentication type : byte-sequence length : variable multiple : false desc : The authentication header section. field : authentication_byte0 type : uint8 length : 1 multiple : false desc : The authentication octet of origin indication header. It has to be 0. field : authentication_byte1 type : uint8 length : 1 multiple : false desc : The authentication octet of origin indication header. It has to be 1. field : authentication_client_id_length type : uint8 length : 1 multiple : false desc : The client identifier value length. field : authentication_auth_length type : uint8 length : 1 multiple : false desc : The authentication value length. field : authentication_client_id type : byte-sequence length : variable multiple : false desc : The client identificator value. field : authentication_auth type : byte-sequence length : variable multiple : false desc : The authentication value. field : authentication_nonce type : byte-sequence length : 8 multiple : false desc : The 8-octet nonce value. (a random number which is picked by client) field : authentication_conf type : uint8 length : 1 multiple : false desc : The confirmation byte. The confirmation byte is set to 0 by the client. A null value returned by the server indicates that the client's key is still valid; a non-null value indicates that the client should obtain a new key. 4.3.49 tls ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : record type : byte-sequence length : variable multiple : true desc : Record layer. field : record_content_type type : uint8 length : 1 multiple : true desc : The higher-level protocol used to process the enclosed fragment/message. field : record_protocol_version type : uint16 length : 2 multiple : true desc : The version of the protocol being employed. field : record_protocol_major_version type : uint8 length : 1 multiple : true desc : The major number of protocol version. field : record_protocol_minor_version type : uint8 length : 1 multiple : true desc : The minor number of protocol version. field : record_message_length type : uint16 length : 2 multiple : true desc : The length (in bytes) of the following TLSPlaintext.fragment. The length MUST NOT exceed 2^14. field : record_message type : byte-sequence length : variable multiple : true desc : The application data. This data is transparent and treated as an independent block to be deal with by the higher-level protocol specified by the type field. For DTLS v1.3 protocol that field might contain encrypted data if fixed bits (3 higher bits) of record content type is equal to 1. field : heartbeat_message_type type : uint8 length : 1 multiple : true desc : The message type, either heartbeat_request (1) or heartbeat_response (2). field : heartbeat_payload_length type : uint16 length : 2 multiple : true desc : The length of the payload. field : heartbeat_payload type : byte-sequence length : variable multiple : true desc : The payload consists of arbitrary content. field : heartbeat_padding type : byte-sequence length : variable multiple : true desc : The padding is random content that MUST be ignored by the receiver. The padding_length MUST be at least 16. field : signature_scheme type : uint16 length : 2 multiple : true desc : The field specifies hash and signature algorithm. The field can exist only for tls v1.3 sessions. field : change_cipher_spec_type type : uint8 length : 1 multiple : true desc : The change cipher spec protocol exists to signal transitions in ciphering strategies. The protocol consists of a single message, which is encrypted and compressed under the current (not the pending) connection state. The message consists of a single byte of value 1. field : alert_level type : uint8 length : 1 multiple : true desc : Alert message level. field : alert_description type : uint8 length : 1 multiple : true desc : Alert message description. field : handshake_header type : byte-sequence length : variable multiple : true desc : The header of handshake protocol. The TLS Handshake Protocol is one of the defined higher-level clients of the TLS Record Protocol. This protocol is used to negotiate the secure attributes of a session. Handshake messages are supplied to the TLS record layer, where they are encapsulated within one or more TLSPlaintext structures, which are processed and transmitted as specified by the current active session state. field : handshake_type type : 32-bit-field length : 4 multiple : true desc : The handshake message type: 0 (hello_request), 1 (client_hello), 2 (server_hello), 11 (certificate), 12 (server_key_exchange), 13 (certificate_request), 14 (server_hello_done), 15 (certificate_verify), 16 (client_key_exchange), 20 (finished), 255. field : handshake_message_length type : 32-bit-field length : 4 multiple : true desc : The length of handshake message. field : handshake_message type : byte-sequence length : variable multiple : true desc : The handshake message. field : client_version type : uint16 length : 2 multiple : true desc : The version of the TLS protocol by which the client wishes to communicate during this session. field : client_major_version type : uint8 length : 1 multiple : true desc : The major number of client TLS protocol. field : client_minor_version type : uint8 length : 1 multiple : true desc : The minor number of client TLS client protocol. field : server_version type : uint16 length : 2 multiple : true desc : This field will contain the lower of that suggested by the client in the client hello and the highest supported by the server. field : server_major_version type : uint8 length : 1 multiple : true desc : The major number of server TLS protocol. field : server_minor_version type : uint8 length : 1 multiple : true desc : The minor number of server TLS protocol. field : random type : byte-sequence length : 32 multiple : true desc : A client/server generated random structure. The structure which is generated by the server MUST be independently generated from the ClientHello.random. (Client/Server handshake header field) field : random_gmt_unix_time type : uint32 length : 4 multiple : true desc : The current time and date in standard UNIX 32-bit format (seconds since the midnight starting Jan 1, 1970, UTC, ignoring leap seconds) according to the sender's internal clock. (Client/Server handshake header field) field : random_bytes type : byte-sequence length : 28 multiple : true desc : 28 bytes generated by a secure random number generator. (Client/Server handshake header field) field : session_id_length type : uint8 length : 1 multiple : true desc : The length of session id. (Client/Server handshake header field) field : session_id type : byte-sequence length : variable multiple : true desc : Id of the session corresponding to this connection. (Client/Server handshake header field) field : cipher_suites_length type : uint16 length : 2 multiple : true desc : The length of cipher suites field. (Client handshake header field) field : cipher_suites type : uint-16-array length : variable multiple : true desc : This is a list of the cryptographic options supported by the client, with the client's first preference first. (Client handshake header field) field : cipher_suite type : uint16 length : 2 multiple : true desc : For client: an element of cipher suites. For server: the single cipher suite selected by the server from the client cipher suite list. (Client/Server handshake header field) field : compression_methods_length type : uint8 length : 1 multiple : true desc : The length of compression methods field. (Client handshake header field) field : compression_methods type : uint-8-array length : variable multiple : true desc : This is a list of the compression methods supported by the client, sorted by client preference. (Client handshake header field) field : compression_method type : uint8 length : 1 multiple : true desc : For client: an element of compression methods. For server: the single compression algorithm selected by the server from the client compression method list. (Client/Server handshake header field) field : extensions type : byte-sequence length : variable multiple : true desc : A list of extensions. Clients MAY request extended functionality from servers by sending data in the extensions field. Note that only extensions offered by the client can appear in the server's list. (Client/Server handshake header field) field : extensions_length type : uint16 length : 2 multiple : true desc : The length of extensions field. field : extension type : byte-sequence length : variable multiple : true desc : Extension record/unit. field : extension_type type : uint16 length : 2 multiple : true desc : The field identifies the particular extension type. A part of extension header. (Client/Server handshake header field) field : extension_length type : uint16 length : 2 multiple : true desc : The length of extension data. (Client/Server handshake header field) field : server_name_list_length type : uint16 length : 2 multiple : true desc : The length of server name list field : server_name_list type : byte-sequence length : variable multiple : true desc : The list of server name elements. field : server_name_type type : uint8 length : 1 multiple : true desc : The type of server name: 0 (hostname), 255. field : server_name_length type : uint16 length : 2 multiple : true desc : The length of server name. field : server_name type : ascii-string length : variable multiple : true desc : The server name string. field : protocol_name_list_length type : uint16 length : 2 multiple : true desc : The length of protocol name list. field : protocol_name_list type : byte-sequence length : variable multiple : true desc : The list contains the list of protocols advertised by the client, in descending order of preference. field : protocol_name_length type : uint8 length : 1 multiple : true desc : The length of protocol name. field : protocol_name type : ascii-string length : variable multiple : true desc : The protocol name string. field : supported_versions_length type : uint8 length : 1 multiple : true desc : The length of supported versions field : supported_versions type : byte-sequence length : variable multiple : true desc : The list of supported versions in preference order, with the most preferred version first. field : supported_version type : uint16 length : 2 multiple : true desc : A supported version. field : quic_transport_parameter type : byte-sequence length : variable multiple : true desc : The quic transport parameter section. field : quic_transport_parameter_id type : byte-sequence length : variable multiple : true desc : The identificator of quic transport parameter. field : quic_transport_parameter_length type : byte-sequence length : variable multiple : true desc : The field contains the length of the Transport Parameter Value field in bytes. field : quic_transport_parameter_value type : byte-sequence length : variable multiple : true desc : The quic transport parameter value. field : srtp_protection_profiles type : byte-sequence length : variable multiple : true desc : The list indicates the SRTP protection profiles that the client is willing to support, listed in descending order of preference. field : srtp_protection_profiles_length type : uint16 length : 2 multiple : true desc : The length of protection files list. field : srtp_protection_profile type : uint16 length : 2 multiple : true desc : The protection Profile defines the parameters and options that are in effect for the SRTP processing. field : srtp_mki_length type : uint8 length : 1 multiple : true desc : The mki length. field : srtp_mki type : byte-sequence length : variable multiple : true desc : The value contains the SRTP Master Key Identifier (MKI) value (if any) that the client will use for his SRTP packets. If this field is of zero length, then no MKI will be used. field : supported_groups_length type : uint16 length : 2 multiple : true desc : The length of supported_groups field data. field : supported_groups type : byte-sequence length : variable multiple : true desc : The supported groups (supported elliptic curves). field : supported_group type : uint16 length : 2 multiple : true desc : The supported group identificator (elliptic curve). field : ec_point_formats_length type : uint8 length : 1 multiple : true desc : The length of ec_point_formats field data. field : ec_point_formats type : byte-sequence length : variable multiple : true desc : The suppoted ec point formats. field : ec_point_format type : uint8 length : 1 multiple : true desc : The EC Point Format identificator. field : signature_and_hash_algorithms_length type : uint16 length : 2 multiple : true desc : The length of signature and hash algorithms field. field : signature_and_hash_algorithms type : byte-sequence length : variable multiple : true desc : Signature and hash algorithm elements. field : signature_and_hash_algorithm type : uint16 length : 2 multiple : true desc : The hash and signature algorithm pair. field : signature_length type : uint16 length : 2 multiple : true desc : The length of signature field. field : signature type : byte-sequence length : variable multiple : true desc : A digital signature using algorithms over the contents of the element. field : request_update type : uint8 length : 1 multiple : true desc : If the request_update field is set to update_requested (0), then the receiver MUST send a KeyUpdate of its own with request_update set to update_not_requested (1) prior to sending its next Application Data record. field : verify_data type : byte-sequence length : variable multiple : true desc : The part of finished message. For tls v1.0 the length is fixed. field : md5_hash type : byte-sequence length : 16 multiple : true desc : The part of finished message. The field can exist only for ssl v3.0 sessions. The length is fixed. field : sha_hash type : byte-sequence length : 20 multiple : true desc : The part of finished message. The field can exist only for ssl v3.0 sessions. The length is fixed. field : session_ticket_lifetime type : uint32 length : 4 multiple : true desc : Indicates the lifetime in seconds as a 32-bit unsigned integer in network byte order from the time of ticket issuance. field : session_ticket_length type : uint16 length : 2 multiple : true desc : The length of session ticket field. field : session_ticket type : byte-sequence length : variable multiple : true desc : The session ticket field. field : message_hash_data type : byte-sequence length : variable multiple : true desc : The data section of message hash handshake protocol. field : certificate_list_length type : byte-sequence length : 3 multiple : true desc : The length of certificate list field. field : certificate_list type : byte-sequence length : variable multiple : true desc : The certificate list data. The certificate list can contain more than one certificate. field : certificate_length type : byte-sequence length : 3 multiple : true desc : The length of certificate. field : certificate type : byte-sequence length : variable multiple : true desc : The certificate data. field : premaster_key_length type : uint16 length : 2 multiple : true desc : The length of premaster key. field : premaster_key type : byte-sequence length : variable multiple : true desc : The value which client generates and sends as encrypted premaster secret message. The field exists only for RSA key agreement. field : dh_public_key_length type : uint16 length : 2 multiple : true desc : Client Diffie-Hellman public value length. field : dh_public_key type : byte-sequence length : variable multiple : true desc : Client Diffie-Hellman public value. field : dhe_public_key_length type : uint16 length : 2 multiple : true desc : Client Ephemeral Diffie-Hellman public value length field : dhe_public_key type : byte-sequence length : variable multiple : true desc : Client Ephemeral Diffie-Hellman public value. field : ecdhe_public_key_length type : uint8 length : 1 multiple : true desc : Client Elliptic Curve Ephemeral Diffie-Hellman public value length. field : ecdhe_public_key type : byte-sequence length : variable multiple : true desc : Client Elliptic Curve Ephemeral Diffie-Hellman public value. field : ecdh_public_key_length type : uint8 length : 1 multiple : true desc : Client/Server Elliptic Curve Diffie-Hellman public value length. For Server Key Exchange maessage that field exists only when 'curve_type' has 'named_curve'(3) value. field : ecdh_public_key type : byte-sequence length : variable multiple : true desc : Client/Server Elliptic Curve Diffie-Hellman public value. For Server Key Exchange maessage that field exists only when 'curve_type' has 'named_curve'(3) value. field : fortezza_yc_length type : uint8 length : 1 multiple : true desc : The client's Yc value (public key) length. field : fortezza_yc type : byte-sequence length : variable multiple : true desc : The client's Yc value (public key) for the KEA calculation. field : fortezza_rc type : byte-sequence length : 128 multiple : true desc : The client's Rc value for the KEA calculation. field : fortezza_yc_signature type : byte-sequence length : 40 multiple : true desc : The tsignature of the KEA public key, signed with the client's DSS private key. field : fortezza_wrapped_client_write_key type : byte-sequence length : 12 multiple : true desc : This is the client's write key, wrapped by the TEK. field : fortezza_wrapped_server_write_key type : byte-sequence length : 12 multiple : true desc : This is the server's write key, wrapped by the TEK. field : fortezza_client_write_iv type : byte-sequence length : 24 multiple : true desc : The IV for the client write key. field : fortezza_server_write_iv type : byte-sequence length : 24 multiple : true desc : The IV for the server write key. field : fortezza_master_write_iv type : byte-sequence length : 24 multiple : true desc : This is the IV for the TEK used to encrypt the premaster secret. field : fortezza_encrypted_pre_master_secret type : byte-sequence length : 48 multiple : true desc : A random value, generated by the client and used to generate the master secret. field : dh_p_length type : uint16 length : 2 multiple : true desc : The prime modulus field length. field : dh_p type : byte-sequence length : variable multiple : true desc : The prime modulus used for the Diffie-Hellman operation. field : dh_g_length type : uint16 length : 2 multiple : true desc : The generator field length. field : dh_g type : byte-sequence length : variable multiple : true desc : The generator used for the Diffie-Hellman operation. field : dh_ys_length type : uint16 length : 2 multiple : true desc : The server's Diffie-Hellman public value field length. field : dh_ys type : byte-sequence length : variable multiple : true desc : The server's Diffie-Hellman public value (g^X mod p). field : dh_signature_and_hash_algorithm type : uint16 length : 2 multiple : true desc : The dh hash and signature algorithm pair. field : dh_signature_length type : uint16 length : 2 multiple : true desc : The length of dh signature field. field : dh_signature type : byte-sequence length : variable multiple : true desc : The dh signature. field : rsa_modulus_length type : uint16 length : 2 multiple : true desc : The length of rsa modulus field. field : rsa_modulus type : byte-sequence length : variable multiple : true desc : The modulus of the server's temporary RSA key. field : rsa_exponent_length type : uint16 length : 2 multiple : true desc : The length of rsa exponent field. field : rsa_exponent type : byte-sequence length : variable multiple : true desc : The public exponent of the server's temporary RSA key. field : fortezza_rs type : byte-sequence length : 128 multiple : true desc : Server random number for FORTEZZA KEA (Key Exchange Algorithm). field : curve_type type : uint8 length : 1 multiple : true desc : The field identifies the type of the elliptic curve domain parameters. field : named_curve type : uint16 length : 2 multiple : true desc : The field specifies a recommended set of elliptic curve domain parameters. All those values of NamedCurve are allowed that refer to a specific curve. field : ecdh_signature_and_hash_algorithm type : uint16 length : 2 multiple : true desc : The ecdh hash and signature algorithm pair. field : ecdh_signature_length type : uint16 length : 2 multiple : true desc : The length of ecdh signature field. field : ecdh_signature type : byte-sequence length : variable multiple : true desc : The ecdh signature. field : ecdh_prime_length type : uint8 length : 1 multiple : true desc : The odd prime value length. The field exists only for 'explicit_prime' curve_type. field : ecdh_prime type : byte-sequence length : variable multiple : true desc : The odd prime defining the field Fp. The field exists only for 'explicit_prime' curve_type. field : ecdh_m type : uint16 length : 2 multiple : true desc : The degree of the characteristic-2 field F2^m. The field exists only for 'explicit_char2' curve_type. field : ecdh_basis type : uint8 length : 1 multiple : true desc : The basis type. Possible values: 'ec_basis_trinomial'(1), 'ec_basis_pentanomial'(2). The field exists only for 'explicit_char2' curve_type. field : ecdh_k_length type : uint8 length : 1 multiple : true desc : The exponent k value length. field : ecdh_k type : byte-sequence length : variable multiple : true desc : The exponent k for the trinomial basis representation x^m + x^k + 1. The field exists for 'explicit_char2' curve_type and 'ec_trinomial' basis. field : ecdh_k1_length type : uint8 length : 1 multiple : true desc : The exponent k1 value length. field : ecdh_k1 type : byte-sequence length : variable multiple : true desc : The exponents for the pentanomial representation x^m + x^k3 + x^k2 + x^k1 + 1 (such that k3 > k2 > k1). The field exists only for 'explicit_char2' curve_type and 'ec_pentanomial' basis. field : ecdh_k2_length type : uint8 length : 1 multiple : true desc : The exponent k2 value length. field : ecdh_k2 type : byte-sequence length : variable multiple : true desc : The exponents for the pentanomial representation x^m + x^k3 + x^k2 + x^k1 + 1 (such that k3 > k2 > k1). The field exists only for 'explicit_char2' curve_type and 'ec_pentanomial' basis. field : ecdh_k3_length type : uint8 length : 1 multiple : true desc : The exponent k value length. field : ecdh_k3 type : byte-sequence length : variable multiple : true desc : The exponents for the pentanomial representation x^m + x^k3 + x^k2 + x^k1 + 1 (such that k3 > k2 > k1). The field exists only for 'explicit_char2' curve_type and 'ec_pentanomial' basis. field : ecdh_curve type : byte-sequence length : variable multiple : true desc : The field specifies the coefficients a and b of the elliptic curve E. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_a_length type : uint8 length : 1 multiple : true desc : The 'a' value of the elliptic curve length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_a type : byte-sequence length : variable multiple : true desc : The 'a' value of the elliptic curve. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_b_length type : uint8 length : 1 multiple : true desc : The 'b' value of the elliptic curve length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_curve_b type : byte-sequence length : variable multiple : true desc : The 'b' value of the elliptic curve. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_base_length type : uint8 length : 1 multiple : true desc : The field specifies the base point G value length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_base type : byte-sequence length : variable multiple : true desc : The field specifies the base point G on the elliptic curve. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_order_length type : uint8 length : 1 multiple : true desc : The field specifies the order n of the base point value length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_order type : byte-sequence length : variable multiple : true desc : The field specifies the order n of the base point. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_cofactor_length type : uint8 length : 1 multiple : true desc : The field specifies the cofactor h value length. The field exists for 'explicit_prime' or 'explicit_char2' curve_type. field : ecdh_cofactor type : byte-sequence length : variable multiple : true desc : The field specifies the cofactor h = #E(Fq)/n, where #E(Fq) represents the number of points on the elliptic curve E defined over the field Fq (either Fp or F2^m). The field exists for 'explicit_prime' or 'explicit_char2' curve_type. 4.3.50 udp ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : port type : uint16 length : 2 multiple : true desc : The port number (source, destination). field : src_port type : uint16 length : 2 multiple : false desc : Source port. field : dst_port type : uint16 length : 2 multiple : false desc : Destination port. field : length type : uint16 length : 2 multiple : false desc : Length is the length in octets of this user datagram including this header and the data. field : checksum type : uint16 length : 2 multiple : false desc : Checksum is the 16-bit one's complement of the one's complement sum of a pseudo header of information from the IP header, the UDP header, and the data, padded with zero octets at the end (if necessary) to make a multiple of two octets. 4.3.51 vlan_c_tag ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : tci type : uint16 length : 2 multiple : false desc : Tag control information. field : pcp type : 16-bit-field length : 2 multiple : false desc : Priority code point. field : dei type : 16-bit-field length : 2 multiple : false desc : Drop eligible indicator. field : vid type : 16-bit-field length : 2 multiple : false desc : VLAN identifier. field : ethernet_type type : uint16 length : 2 multiple : false desc : Two-octet field which is used to indicate which protocol is encapsulated in the payload of the frame. 0x0000 - 0x05DC - IEEE802.3 length Field. 0x0101-0x01FF - experimental. 4.3.52 websocket ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : fin type : uint16 length : 2 multiple : false desc : Indicates that this is the final fragment in a message. The first fragment MAY also be the final fragment. field : rsv1 type : uint16 length : 2 multiple : false desc : MUST be 0 unless an extension is negotiated that defines meanings for non-zero values. If a nonzero value is received and none of the negotiated extensions defines the meaning of such a nonzero value, the receiving endpoint MUST _Fail the WebSocket Connection_. field : rsv2 type : uint16 length : 2 multiple : false desc : MUST be 0 unless an extension is negotiated that defines meanings for non-zero values. If a nonzero value is received and none of the negotiated extensions defines the meaning of such a nonzero value, the receiving endpoint MUST _Fail the WebSocket Connection_. field : rsv3 type : uint16 length : 2 multiple : false desc : MUST be 0 unless an extension is negotiated that defines meanings for non-zero values. If a nonzero value is received and none of the negotiated extensions defines the meaning of such a nonzero value, the receiving endpoint MUST _Fail the WebSocket Connection_. field : opcode type : uint16 length : 2 multiple : false desc : Defines the interpretation of the "Payload data". If an unknown opcode is received, the receiving endpoint MUST _Fail the WebSocket Connection_. The following values are defined. (%x0) denotes a continuation frame, (%x1) denotes a text frame, (%x2) denotes a binary frame, (%x3-7) are reserved for further non-control frames, (%x8) denotes a connection close, (%x9) denotes a ping, (%xA) denotes a pong, (%xB-F) are reserved for further control frames. field : mask type : uint16 length : 2 multiple : false desc : The length of the "Payload data", in bytes: if 0-125, that is the payload length. If 126, the following 2 bytes interpreted as a 16-bit unsigned integer are the payload length. If 127, the following 8 bytes interpreted as a 64-bit unsigned integer (the most significant bit MUST be 0) are the payload length. field : payload_length type : uint16 length : 2 multiple : false desc : The extended payload data length. field : extended_payload_length type : byte-sequence length : variable multiple : false desc : All frames sent from the client to the server are masked by a 32-bit value that is contained within the frame. field : masking_key type : uint32 length : 4 multiple : false desc : The data section that included 'Extension data' and 'Payload data'. field : data type : byte-sequence length : variable multiple : false desc : The data section that included 'Extension data' and 'Payload data'. 4.3.53 wireguard ────────────────────────────────────────────────────────────────────────── field : root type : uint8 length : 1 multiple : false desc : Layer presented flag. field : raw_data type : byte-sequence length : variable multiple : false desc : Layer data. field : raw_data_length type : uint64 length : 8 multiple : false desc : Layer data length. field : payload_data type : byte-sequence length : variable multiple : false desc : The payload data - data which is placed right after the layer data. field : payload_data_length type : uint64 length : 8 multiple : false desc : The payload data length. field : message_type type : uint8 length : 1 multiple : false desc : The message type: 1 (initiator to responder), 2 (responder to initiator), 3 (cookie reply), 4 (transport data). field : reserved type : byte-sequence length : 3 multiple : false desc : The reserved zero fields. field : sender type : uint32 length : 4 multiple : false desc : The sender value. field : receiver type : uint32 length : 4 multiple : false desc : The receiver value. field : ephemeral type : byte-sequence length : 32 multiple : false desc : The ephemeral key. field : empty type : byte-sequence length : 16 multiple : false desc : The encrypted empty value. field : static type : byte-sequence length : 48 multiple : false desc : The encrypted static public key. field : timestamp type : byte-sequence length : 28 multiple : false desc : The encrypted timestamp value. field : mac1 type : byte-sequence length : 16 multiple : false desc : The first MAC value. field : mac2 type : byte-sequence length : 16 multiple : false desc : The second MAC value. field : counter type : uint64 length : 8 multiple : false desc : The message counter. field : nonce type : byte-sequence length : 24 multiple : false desc : The encrypted nonce value. field : cookie type : byte-sequence length : 32 multiple : false desc : The encrypted cookie value. field : packet_data type : byte-sequence length : variable multiple : false desc : The encrypted packet data. 4.4 Decoders decoders translate raw field values (numeric, binary sequences, encoded strings, etc.) into human-readable representations. each entry shows the field path, decoding logic, and an example. field : flow.last_time desc : Timestamp number representation to string. [0x64772B771E98A33F <-> 1685531511.513319743] field : flow.duration desc : Timestamp number representation to string. [0x64772B771E98A33F <-> 1685531511.513319743] field : flow.start_time desc : Timestamp number representation to string. [0x64772B771E98A33F <-> 1685531511.513319743] field : pkt.gtp.extension_header_length desc : Decodes the length of a GPRS Tunnelling Protocol extension header. The value represents the number of 4-byte words; the total size in bytes is calculated as field_value * 4. [4 <-> 16; (4) * 4] field : pkt.rtcp.length desc : Decodes the 16-bit length field found in RTCP headers. The actual size in bytes is calculated as (field_value + 1) * 4, representing the total length of the packet including the header and padding. [6 <-> 28; (6 + 1) * 4] field : pkt.ospf.ared_id desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.teredo.origin_indication_ipv4_address desc : Decodes the 'Origin Indication' field by performing a bitwise NOT (one's complement) operation on the encoded 16-bit port or address fragments to retrieve the original obfuscated value. [0xF12A <-> 0x0ED5] field : pkt.tls.quic_transport_parameter_id desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.triggered_frame_type desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.stream_offset desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.retire_prior_to desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.retire_sequence_number desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.cumulative_maximum_streams desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.maximum_stream_data desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.maximum_data desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.crypto_data_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.final_size desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.reset_application_protocol_error_code desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.blocked_stream_id desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.stop_stream_id desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.ecn_ce_count desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.ect_0_count desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.ack_range_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.ack_range_count desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.largest_acknowledged desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.frame_type desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.token_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.source_connection_id_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.destination_connection_id_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.ipv4.src_ip desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.ospf.router_id desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.teredo.origin_indication_port desc : Decodes the 'Origin Indication' field by performing a bitwise NOT (one's complement) operation on the encoded 16-bit port or address fragments to retrieve the original obfuscated value. [0xF12A <-> 0x0ED5] field : pkt.tls.quic_transport_parameter_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.reason_phrase_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.error_code desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.stream_data_length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.new_sequence_number desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.allowed_maximum_streams desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.blocked_maximum_stream_data desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.blocked_maximum_data desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.crypto_offset desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.stop_application_protocol_error_code desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.stream_id desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.max_data_stream_id desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.reset_stream_id desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.ect_1_count desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.gap desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.first_ack_range desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.ack_delay desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.quic.length desc : Decodes a value encoded using the QUIC variable-length format. The two most significant bits of the first byte determine the total length (1, 2, 4, or 8 bytes), and the remaining bits represent the integer value. [0x44d1 <-> 1233] field : pkt.dns.ipv4 desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.dns.wks_address desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.dns.address desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.ipv4.address desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.ipv4.dst_ip desc : Decodes a 4-byte (32-bit) unsigned integer into the standard dotted-quad notation, where each byte represents a decimal value from 0 to 255. [0x7F000001 <-> 127.0.0.1] field : pkt.timestamp desc : Timestamp number representation to string. [0x64772B771E98A33F <-> 1685531511.513319743] 4.5 Info Tables info tables map numeric field values to human-readable names. each table is associated with a specific field path. field : pkt.ethernet.ethernet_type desc : Link layer name table. field : pkt.ipv4.protocol desc : The IP (v4 and v6) protocol type. field : pkt.ipv6.next_header desc : The IP (v4 and v6) protocol type. field : pkt.ipv6.ext_next_header desc : The IP (v4 and v6) protocol type. field : pkt.igmp.type desc : The IGMP message type. field : pkt.icmp.type desc : The ICMP message type. field : pkt.icmpv6.type desc : The ICMP message type. field : pkt.dns.rcode desc : DNS response code name table. field : pkt.dns.opcode desc : DNS opcode name table. Opcode specifies kind of query. field : pkt.dns.rdata_type desc : DNS RData type name table. RData type specifies the meaning of the data in the rdata section. field : pkt.dns.qtype desc : DNS qtype name table. Qtype code that specifies the type of the query. field : pkt.dns.qclass desc : DNS qclass name table. QClass code that specifies the class of the query. field : pkt.dns.rdata_class desc : DNS rdata class name table. RData class specifies the meaning of the data in the rdata section. field : pkt.dns.svc_param_key desc : DNS svc parameter key name table. field : pkt.mdns.rcode desc : DNS response code name table. field : pkt.mdns.opcode desc : DNS opcode name table. Opcode specifies kind of query. field : pkt.mdns.rdata_type desc : DNS RData type name table. RData type specifies the meaning of the data in the rdata section. field : pkt.mdns.qtype desc : DNS qtype name table. Qtype code that specifies the type of the query. field : pkt.mdns.qclass desc : MDNS qclass name table. QClass code that specifies the class of the query. field : pkt.mdns.rdata_class desc : MDNS qclass name table. QClass code that specifies the class of the query. field : pkt.tls.record_protocol_version desc : TLS protocol version name table. field : pkt.tls.client_version desc : TLS protocol version name table. field : pkt.tls.server_version desc : TLS protocol version name table. field : pkt.tls.supported_version desc : TLS protocol version name table. field : pkt.tls.record_content_type desc : TLS record content type name table. field : pkt.tls.alert_level desc : TLS alert level name table. field : pkt.tls.alert_description desc : TLS alert description name table. field : pkt.tls.request_update desc : TLS request update name table. field : pkt.tls.heartbeat_message_type desc : TLS heartbeat message type name table. field : pkt.tls.change_cipher_spec_type desc : TLS change cipher spec type name table. field : pkt.tls.handshake_type desc : TLS handshake type name table. field : pkt.tls.extension_type desc : TLS extension type name table. field : pkt.tls.cipher_suite desc : TLS cipher suite name table. field : pkt.tls.client_certificate_type desc : TLS client certificate type name table. Currently that field is not supported. field : pkt.tls.hash_algorithm desc : TLS hash algorithm name table. field : pkt.tls.signature_algorithm desc : TLS hash signature name table. field : pkt.tls.signature_and_hash_algorithm desc : TLS signature and hash algorithm pair name table. That field have different meaning for tl1.2 and tls1.3. For tls1.2 see 'hash_algorithm' and 'signature_algorithm' pair, for tls1.3 that field is the same as 'signature_scheme'. If tls context is defined and tls1.3 is set - 'signature_scheme' field is presented. field : pkt.tls.signature_scheme desc : TLS signature scheme name table. field : pkt.tls.compression_method desc : TLS compression method name table. field : pkt.tls.server_name_type desc : TLS server type name table. field : pkt.tls.ecdh_basis desc : The type of the elliptic curve. The field is presented only for ecdh and ecdhe algorithms. field : pkt.tls.curve_type desc : The basis type. The field is presented only for ecdh and ecdhe algorithms. field : pkt.tls.quic_transport_parameter_id desc : The quic transport parameter identificators which are transmitted in tls extension. field : pkt.tls.connection_id_usage desc : Connection id usage text name table. field : pkt.tls.srtp_protection_profile desc : Tls use srtp profile set. field : pkt.tls.supported_group desc : Tls supported group identificator (elliptic curve). field : pkt.tls.ec_point_format desc : Tls EC point format identificator. field : pkt.dtls.record_protocol_version desc : TLS protocol version name table. field : pkt.dtls.client_version desc : TLS protocol version name table. field : pkt.dtls.server_version desc : TLS protocol version name table. field : pkt.dtls.supported_version desc : TLS protocol version name table. field : pkt.dtls.record_content_type desc : TLS record content type name table. field : pkt.dtls.alert_level desc : TLS alert level name table. field : pkt.dtls.alert_description desc : TLS alert description name table. field : pkt.dtls.request_update desc : TLS request update name table. field : pkt.dtls.heartbeat_message_type desc : TLS heartbeat message type name table. field : pkt.dtls.change_cipher_spec_type desc : TLS change cipher spec type name table. field : pkt.dtls.handshake_type desc : TLS handshake type name table. field : pkt.dtls.extension_type desc : TLS extension type name table. field : pkt.dtls.cipher_suite desc : TLS cipher suite name table. field : pkt.dtls.client_certificate_type desc : TLS client certificate type name table. Currently that field is not supported. field : pkt.dtls.hash_algorithm desc : TLS hash algorithm name table. field : pkt.dtls.signature_algorithm desc : TLS hash signature name table. field : pkt.dtls.signature_and_hash_algorithm desc : TLS signature and hash algorithm pair name table. That field have different meaning for tl1.2 and tls1.3. For tls1.2 see 'hash_algorithm' and 'signature_algorithm' pair, for tls1.3 that field is the same as 'signature_scheme'. If tls context is defined and tls1.3 is set - 'signature_scheme' field is presented. field : pkt.dtls.signature_scheme desc : TLS signature scheme name table. field : pkt.dtls.compression_method desc : TLS compression method name table. field : pkt.dtls.server_name_type desc : TLS server type name table. field : pkt.dtls.ecdh_basis desc : The type of the elliptic curve. The field is presented only for ecdh and ecdhe algorithms. field : pkt.dtls.curve_type desc : The basis type. The field is presented only for ecdh and ecdhe algorithms. field : pkt.dtls.quic_transport_parameter_id desc : The quic transport parameter identificators which are transmitted in tls extension. field : pkt.dtls.connection_id_usage desc : Connection id usage text name table. field : pkt.quic.long_packet_type desc : The long header packet type. The packet payload structure depends on this field. field : pkt.quic.frame_type desc : The frame type field. The frame payload structure depends on this field. field : pkt.quic.error_code desc : The error codes are used in connection close frames. field : pkt.http2.frame_type desc : The frame type name. The frame type determines the format and semantics of the frame. Each frame type serves a distinct purpose in the establishment and management of either the connection as a whole or individual streams. field : pkt.http2.rst_stream_error_code desc : The text description of error code that indicates why the stream is being terminated. field : pkt.http2.go_away_error_code desc : The text description of error code that contains the reason for closing the connection. field : pkt.http2.setting_identifier desc : The text name of setting identificator. field : pkt.wireguard.message_type desc : Wireguard message type name table. field : pkt.openvpn.opcode desc : OpenVPN message type name table. field : pkt.socks.command_code desc : Socks (version 4) command code name table. field : pkt.socks.method desc : Socks (version 5) method name table. field : pkt.socks.atyp desc : Socks address type name table. field : pkt.socks.reply desc : Socks (version 5) reply name table. field : pkt.rtp.payload_type desc : RTP payload type name table. field : pkt.rtcp.packet_type desc : RTCP packet type name table. field : pkt.rtcp.sdes_type desc : RTCP SDES element type name table. field : pkt.isakmp.payload_type desc : ISAKMP payload type name table. field : pkt.isakmp.exchange_type desc : ISAKMP exchange type name table. field : pkt.pptp.message_type desc : PPTP message type name table. field : pkt.pptp.control_message_type desc : PPTP control message type name table. field : pkt.ppp.type desc : PPP type name table. field : pkt.ospf.type desc : The OSPF message type. field : pkt.ospf.au_type desc : The OSPF authentication type. field : pkt.websocket.opcode desc : Defines the interpretation of the "Payload data". field : pkt.gtp.message_type desc : The message type name of GTP message. field : pkt.gtp.extension_header_type desc : The type name of extension. 5. Extensions ──────────────────────────────────────────────────────────────────────────────── extensions augment protocol parsing and classification with specialised logic: metadata extraction, caching, fingerprinting, and statistical classification. http_metadata Metadata extracting from an HTTP packet. For example: detects HTTP Pipeline, decodes the Authorization-Credentials header value, and so on. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. is_request uint8 It is set when http meessage is request. is_pipeline uint8 Multiple http requests to be sent over a single tcp connection. authorization_credentials ascii-string Base64 decoded value of Proxy-Authorization header value. hostname Hostname extracting for protocols such as SSDP, HTTP, HTTP/2, TLS, DTLS. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. host ascii-string Host name - extracted field value from TLS/DTLS SNI, HTTP/SSDP Host header, TLS Certificate Common Name, HTTP/2 authority header value. dns_response_name Domain names extracting from a DNS response. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. response_name ascii-string Processed dns response name - concatenated labels, resolving offsets, etc. tls_metadata The extension extracts additional information from TLS session - JA3/JA3S hashes, and so on. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. ja3 ascii-string JA3 fingerprinting the client's TLS handshake (Client Hello). ja3s ascii-string JA3s fingerprinting the server's response (Server Hello). ja4 ascii-string JA4 fingerprinting the client's TLS handshake (Client Hello). ja4s ascii-string JA4s fingerprinting the server's response (Server Hello). ja3_md5 ascii-string MD5 hash of JA3. Format: TLSVersion,Ciphers, Extensions, EllipticCurves, EllipticCurvePointFormat s. ja3s_md5 ascii-string MD5 hash of JA3S. Format:TLSVersion, Cipher,Extensions. tls_certificate common_name and dns_name extracting from a TLS certificate. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. common_name ascii-string The CommonName certificate field. general_dns_name ascii-string The dNSName certificate field. Belongs to extension section. ftp_cache IP address caching and port obtained from the FTP-CONTROL stream for subsequent classification of the FTP-DATA stream (file transfer). field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. is_ftp_data uint8 The indicator of FTP data transmission. tree Decodes HTTP/2 headers (HPACK). field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. http2_field_block Builds a chain of protocols. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. header_field ascii-string The http/2 protocol header block field: name:value. push_promise_field ascii-string The http/2 protocol push-promise block field: name:value. continuation_field ascii-string The http/2 protocol continuation block field: name:value. data_structure Checks an unrecognized protocol for various patterns, such as the first two bytes to determine the payload size. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. first_byte_payload_length uint64 The flag field. It is set when the first byte in the payload data specifies the length of the rest payload data. first_2byte_payload_length uint64 The flag field. It is set when the first 2 bytes in the payload data specifies the length of the rest payload data. (Little-Endian order) spid The extension is responsible to classify tags based on statistical characteristics such as average packet size, bitrate, etc. It helps to classify tags which cannot be fully rely on _explicit_ classification. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. spid_tag uint64 The classified SPID tag. is_final uint64 The final classification flag of SPID approach. classifier The extension classifies Internet services and allows user to configure a set of metrics and classification techniques for each individually. Also, the extension sets flags for the session, such as is_final_protocol, is_final_service, is_offload, and so on. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. tag uint64 The tag(s) which have been assigned by classifier extensions accordingly to configured rules. type uint64 The tag type: undefined (0), ipv4 (1), ipv6 (2), ipv4socket (3), ipv6socket (4), domain (5), dns_cache (6), session_cache (7). sip_cache The extension extracts additional information from SIP session and then classifies the child RTP/SRTP and RTCP/SRTCP flows assigning them tags of parent session. field type description ------------------------------ ------------------ ----------- is_processed uint8 The extension function calling flag. 6. Classification ──────────────────────────────────────────────────────────────────────────────── 6.1 Categories adult (adult) Adult content refers to material that is sexually explicit or intended for mature audiences, often restricted by age. advertisement (advertisement) Platforms and tools that help businesses promote products or services, track user engagement, and optimize marketing campaigns through analytics and targeted advertising. ai (ai) Applications that utilize machine learning or intelligent algorithms to automate tasks, provide insights, or enhance user experiences. airline (airline) A major form of mass travel in the world's transportation network, airlines are organizations of people, airplanes, equipment, and buildings for transporting passengers, freight, and mail by air between specified points. api (api) API services are digital interfaces provided by companies or platforms that allow software applications to communicate with each other and access specific functionalities, data, or tools without needing to build them from scratch. application store (application_store) Application Store is a digital platform that allows users to browse, download, and update software applications. These stores often include user ratings, reviews, and developer tools. Examples: Apple App Store, Google Play, Microsoft Store, Amazon Appstore. banking (banking) Banking services encompass the various financial products and activities offered by banks and other financial institutions. blog (blog) Platforms that enable individuals or organizations to create, publish, and manage written content online, often supporting multimedia and audience engagement. bookmaker (bookmaker) Bookmakers, also commonly referred to as betting agencies, are companies or individuals that facilitate betting on the outcome of various events, mostly sporting events. books (books) Services that provide access to physical or digital books, audiobooks, and literary content, including e-readers and online bookstores. cdn (cdn) CDN is a Content Delivery Network is a network of interconnected servers that speeds up webpage loading for data-heavy applications. The most popular services are Cloudflare, Google Cloud, Akamai, Fastly. clothes (clothes) Platforms focused on fashion and apparel, offering clothing, accessories, and styling tools, often with virtual fitting or customization options. cloud (cloud) Cloud is a set of services that offers server space on virtual machines, internal networks, VPN connections, disk storage, machine language SaaS (Software as a Service) applications, etc. Examples: Google Cloud, Digital Ocean, Yandex Cloud, Amazon AWS, etc. code (code) Code is a code management service, also known as source code management (SCM) or version control, is a system that tracks and manages changes to software code. crypto (crypto) Applications and platforms that facilitate cryptocurrency trading, investment, management, and blockchain-based financial services. delivery (delivery) Services that enable the transportation of goods from sellers or service providers to customers, typically including real-time tracking and logistics management. design (design) A Design service is a specialized online platform dedicated to the curation, presentation, discovery, and professional networking of creative visual work. It functions as a digital ecosystem for designers, artists, agencies, and clients, primarily serving as a portfolio showcase, inspiration hub, and talent marketplace. dns (dns) DNS or Domain Name System is a naming service that translates human-friendly domain names into machine-readable IP addresses. It enables users to access websites using names like example.com instead of numeric IPs. Popular services include Google DNS, Cloudflare (Cloudfront), etc. drive (drive) Drive is a set of services are digital platforms, usually mobile apps, that connect passengers with nearby drivers offering transportation on demand. e-commerce (ecommerce) A broad category of digital platforms that facilitate online buying and selling of products or services, including payment, logistics, and customer service integrations. ecosystem (ecosystem) Ecosystem in the context of network services refers to a complex network of interconnected services, applications, devices, and technologies that work together to create a comprehensive and integrated user experience. enterprise (enterprise) Enterprise services provide business-oriented tools for customer support, operations, collaboration, and resource management. These platforms are designed for scalability, security, and integration across large organizations. Examples include Zendesk, Salesforce, ServiceNow, Atlassian Jira, SAP. file storage (file_storage) File Storage is a type of cloud or networked storage system where data is stored and organized as files in directories. Examples: Microsoft SharePoint, Google Cloud, Dropbox, Google Drive, etc. food (food) Applications related to dining, recipes, food delivery, restaurant discovery, and culinary experiences. forum (forum) A forum service is an online platform where users can have structured, topic-driven discussions, ask questions, and share information. gaming (gaming) Gaming in the context of network services refers to set of services that are used to support users to play video/computer games. government (government) Government service portals are official platforms—usually online—that allow citizens to access public services without needing to visit government offices in person. health (health) A wide range of applications that are designed to support and improve users' health, well-being (mental and physical), and medical management. Medical apps, health and fitness apps, and health research apps are examples of health apps. helper (helper) Helper is not a service, but it covers the set of tags which help to classify the service. instant messenger (im) Instant Messenger is a real-time communication application that allows users to send text messages, images, videos, and other multimedia content to each other over the internet. These applications often include features such as group chats, voice and video calls, file sharing, and status updates. Examples of instant messaging apps include WhatsApp, Facebook Messenger, and Telegram. job (job) Services and applications that help users find employment, freelance work, or career opportunities, often including job listings, applications, and recruitment tools. knowledge (knowledge) Platforms that provide access to structured or crowd-sourced information, educational content, and reference materials for learning and research. mail (mail) Mail services provide electronic messaging functionality, enabling users to send, receive, and manage email communication over the internet. Common providers include Gmail, Outlook, Yahoo Mail, ProtonMail, Zoho Mail. maps (maps) Maps services provide geolocation, routing, and spatial data for navigation and location-based applications. They support real-time traffic, satellite views, and APIs. Key providers include Google Maps, Apple Maps, Mapbox, OpenStreetMap. marketplace (marketplace) Marketplace is an online platform where buyers and sellers can connect and conduct transactions for goods and services, e.g. Amazon, Ebay, AliExpress, etc. media (media) Media refers to the various channels and tools used to store, deliver, and communicate information or entertainment to the public. This can include traditional forms such as newspapers, television, and radio, as well as digital forms like websites, social media platforms, and streaming services. Media encompasses a broad range of content, including news, music, films, books, and more, delivered through various means of communication. meetings (meetings) Meetings platforms enable real-time audio, video, and screen-sharing communication for individuals or teams. These tools support remote collaboration, webinars, and virtual conferences. Common services include Zoom, Microsoft Teams, Google Meet, Webex, Skype. metadata (metadata) Metadata refers to auxiliary information about a service or data stream, often used for classification, routing, or analysis. In network contexts, this includes characteristics like data transmission protocols, TLS Encrypted Client Hello (ECH) usage, etc. mobile (mobile) The term mobile service refers to a type of radio communication that occurs between mobile stations (such as vehicles or portable devices) and land stations. It also includes communication among mobile stations themselves. music (music) Music services provide streaming, storage, and playback of audio content over the internet. These platforms allow users to access vast libraries of songs, albums, and podcasts on demand. Popular services include Spotify, Apple Music, YouTube Music, Amazon Music, SoundCloud. network service (network_service) Network Service refers to backend infrastructure components that provide connectivity and communication capabilities between devices. Examples include DNS servers, FTP servers, DHCP, NTP, VPN, and proxy services. news (news) Applications and services that deliver current events, articles, and updates from various sources, helping users stay informed about local, national, and global developments in real time. office (office) Office is a set of services that provides access to productivity tools typically associated with office work, such as word processing, spreadsheets, presentations, email, and more. online shop (online_shop) Digital storefronts that allow users to browse, purchase, and manage orders for a variety of goods or services through the internet. payment (payment) Payment services handle the processing of financial transactions online or in apps. They offer features like digital wallets, subscriptions, and checkout systems. Popular services: PayPal, Stripe, Apple Pay, Google Pay, Square. productivity (productivity) Applications designed to enhance personal or professional efficiency, including task management, note-taking, goal tracking, and workflow organization. protocol (protocol) Protocol is a a tag that implies usage a network protocol. push (push) Push services deliver real-time notifications or data updates from servers to client devices without a request. Used in messaging, alerts, and live data feeds. Common providers: Firebase Cloud Messaging, Apple Push Notification Service, Web Push API. real estate (real_estate) Platforms that facilitate buying, selling, renting, or managing properties, often providing listings, pricing insights, and agent connections. remote access (remote_access) Remote Access service (RAS) allows users to connect to a private network or computer from a different, remote location, giving them access to files, applications, and resources as if they were physically present search engine (search_engine) Applications that allow users to search for information on the internet, providing relevant results, indexing, and sometimes privacy-focused features. security (security) Services and applications focused on protecting digital data, accounts, and privacy, including password managers, encryption tools, and cybersecurity solutions. social network (social_network) Social Network refers to online platforms and applications that enable users to create, share, and interact with content and with each other. These platforms facilitate networking, communication, and the exchange of information through various formats, including text, images, videos, and live streams. Popular social media platforms include Facebook, Twitter, Instagram, and LinkedIn. sport (sport) Applications dedicated to sports-related content, including live scores, news, training tools, team management, and fan engagement. study (study) Applications and services designed to support learning and education, offering courses, lessons, and interactive tools for skill development, language learning, and academic improvement (e.g., Udemy, Duolingo). telecom (telecom) The provides telecommunications services such as telephony and data communications access, e.g. Telecommunications Service Provider (TSP) or Internet Service Provider (ISP). torrent (torrent) Downloading and sharing files directly with other users online through a peer-to-peer (P2P) networking system called the BitTorrent protocol. Instead of pulling the whole file from a central server, users exchange small pieces with each other until everyone has the complete file. travel (travel) Applications and services that help users plan, book, and manage trips, including flights, hotels, transportation, and travel experiences. update (update) Update services manage the distribution and installation of software or firmware improvements, patches, and security fixes. These services ensure systems remain up-to-date. Examples: Windows Update, Google Play System Update, macOS Software Update. vpn (vpn) VPN (Virtual Private Network) is a service that creates a secure, encrypted connection over a less secure network, such as the internet. VPNs are used to protect users' online privacy, mask their IP addresses, and allow them to access restricted content by routing their internet traffic through servers in different locations. web (web) Web is a general term for all Internet services. If the Internet tag/service cannot be explicitly assigned to other category it can be used as Web. workflow (workflow) Workflow describes the sequence and structure of actions or data exchanges that occur to complete a network-based task. It includes patterns like file transfer, audio/video calls, web page loading, and authentication flows, often involving multiple services and protocols in a defined order. 6.2 Workflow generic (generic) Connection establishing with remote server/service. incoming audio (incoming_audio) `Incoming audio` refers to sound or audio signals that are received by a device or system. Audio calls focus solely on the transmission of sound, enabling conversation without visual interaction. outgoing audio (outgoing_audio) `Outgoing audio` refers to sound or audio signals that are transmitted or sent out from a device or system. Audio calls focus solely on the transmission of sound, enabling conversation without visual interaction. audio (audio) `Audio` is a voice communication between two or more parties without involving video. Audio calls focus solely on the transmission of sound, enabling conversation without visual interaction. incoming video (incoming_video) `Incoming video` refers to video signals that are received by a device or system from an external source. This can include video feeds from a camera, a live stream, a video call, or any other video content being transmitted to the device. outgoing video (outgoing_video) `Outgoing video` refers to video signals that are transmitted or sent out from a device or system to an external destination. This can include video feeds from a camera, a live stream, a video call, or any other video content being transmitted to the device. video (video) `Video call` is a communication session between two or more parties where participants can see and hear each other in real-time. This type of call utilizes video and audio technology to transmit both the visual and auditory aspects of communication over the internet or telecommunication networks. chat (chat) `Chat` refers to a real-time text-based communication between two or more users over a network. This can occur in various forms, such as instant messaging, online chat rooms, or within social media platforms. incoming file transfer (incoming_file_transfer) `Incoming file transfer` refers to the process of receiving files from another device or system. This can involve various types of files such as documents, images, videos, or software being sent to a user's device over a network. outgoing file transfer (outgoing_file_transfer) `Outgoing file transfer` refers to the process of sending files from one device or system to another. This involves transmitting various types of files such as documents, images, videos, or software from the user's device to a recipient over a network file transfer (file_transfer) `File transfer` refers to the process of moving or copying digital files from one device or system to another. This can include both incoming and outgoing transfers, facilitating the exchange of data between users, computers, servers, or other digital storage devices. incoming landline (incoming_landline) `Incoming landline` refers to a telephone call that is received by a traditional wired telephone connected to the public switched telephone network (PSTN). This type of call originates from another telephone and is directed to the landline device. outgoing landline (outgoing_landline) `Outgoing landline` refers to a telephone call that is initiated from a traditional wired telephone connected to the public switched telephone network (PSTN). This call is made from the landline device to another telephone number. landline (landline) `Landline` refers to a traditional telephone system that uses a physical, wired connection for communication. This system operates through the public switched telephone network (PSTN) and involves the transmission of voice signals over copper or fiber-optic cables. 6.3 Metadata tag The tag which is assigned by classifier extension. tag_type The type of tag matching (IP, Domain, Cache, etc.). ech Encrypted Client Hello. The tag is presented only when ECH exists, but SNI doesn't exist. ftp_data FTP data trasnmission. dns_response_name Processed dns response name - concatenated labels, resolving offsets, etc. ja3 The fingerprinting the client's TLS handshake (Client Hello). ja3s The fingerprinting the server's response (Server Hello). ja3_hash MD5 hash of JA3. Format: TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats. ja3_md5 MD5 hash of JA3. Format: TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats. ja3s_md5 MD5 hash of JA3S. Format: TLSVersion,Cipher,Extensions. http2_header The http/2 protocol header block field: name:value. http2_push_promise_header The http/2 protocol push-promise block field: name:value. http2_continuation_header The http/2 protocol continuation block field: name:value. http_authorization_credentials Base64 decoded value of Proxy-Authorization header value. tls_certificate_common_name The CommonName certificate field. tls_certificate_general_dns_name The dNSName certificate field. Belongs to extension section. protocol_path Protocol path string (hierarchical chain of protocol that are used in a session). bitrate The bitrate is a measure of how much data is transferred over a network in a given period of time. Measured in bits per second (bps). average_packet_size Average packet size of processed packets. inter_arrival_time Inter-arrival Time is the difference in time between the arrival of two consecutive packets at a receiver. Measured in nanoseconds. For one flow packet avg iat is 0. flow_start_time Timestamp of the first flow packet.. flow_last_activity_time Timestamp of the last flow packet. flow_duration The flow duration time. 6.4 Services services are tags that do not fall under protocol, metadata, or helper categories. they represent real-world internet applications classified by the engine, grouped by primary category. adult [8 items] ────────────────────────────────────────────────────────────────────────── onlyfans name : onlyfans categories : adult, social network workflow : none description : OnlyFans is a subscription-based content sharing platform. pornhub name : pornhub categories : adult, media workflow : none description : Pornhub is an adult video streaming platform. redtube name : redtube categories : adult, media workflow : none description : RedTube is an adult video streaming website. xhamster name : xhamster categories : adult, media workflow : none description : xHamster is an adult content streaming website. xnxx name : xnxx categories : adult, media workflow : none description : XNXX is an adult video streaming platform. xvideos name : xvideos categories : adult, media workflow : none description : XVideos is an adult video hosting and streaming platform. youjizz name : youjizz categories : adult, media workflow : none description : YouJizz is an adult video sharing website. youporn name : youporn categories : adult, media workflow : none description : YouPorn is an adult video sharing website. advertisement [17 items] ────────────────────────────────────────────────────────────────────────── adobe_ads name : adobe ads categories : advertisement, enterprise workflow : none description : Adobe Advertising provides tools for digital ad buying, optimization, and measurement. appnexus name : appnexus categories : advertisement workflow : none description : AppNexus is a programmatic advertising and real-time bidding platform. comscore name : comscore categories : advertisement workflow : none description : Comscore provides media measurement and analytics for digital platforms. criteo name : criteo categories : advertisement, ecommerce workflow : none description : Criteo is a digital advertising company focused on performance marketing and retargeting. doubleverify name : doubleverify categories : advertisement, security workflow : none description : DoubleVerify provides digital media measurement and ad fraud prevention. heap name : heap categories : advertisement workflow : none description : Heap is a digital analytics platform that tracks user behavior automatically. hotjar name : hotjar categories : advertisement, web workflow : none description : Hotjar provides website analytics through heatmaps and user recordings. liftoff name : liftoff categories : advertisement workflow : none description : Liftoff is a mobile app marketing and user acquisition platform. moloco name : moloco categories : advertisement, ai workflow : none description : Moloco provides machine learning–based mobile advertising solutions. mopub name : mopub categories : advertisement workflow : none description : MoPub is a mobile advertising platform for app monetization. nielsen name : nielsen categories : advertisement workflow : none description : Nielsen provides audience measurement, analytics, and media research services. outbrain name : outbrain categories : advertisement, media workflow : none description : Outbrain provides content recommendation and native advertising services. pulsepoint name : pulsepoint categories : advertisement, enterprise workflow : none description : PulsePoint is a digital advertising and real-time bidding platform. taboola name : taboola categories : advertisement, media workflow : none description : Taboola is a content discovery and native advertising platform. the_trade_desk name : the trade desk categories : advertisement workflow : none description : The Trade Desk is a programmatic advertising platform for managing digital ad campaigns. weborama name : weborama categories : advertisement workflow : none description : Weborama provides digital advertising and audience data services. yieldmo name : yieldmo categories : advertisement workflow : none description : Yieldmo is a digital advertising platform specializing in mobile formats. ai [17 items] ────────────────────────────────────────────────────────────────────────── chatgpt name : chatgpt categories : ai workflow : none description : ChatGPT is a popular artificial intelligence (AI) chatbot developed by OpenAI that uses natural language processing to generate human-like text, hold conversations, and perform various tasks in response to user prompts. cursor name : cursor categories : ai, code workflow : none description : Cursor is an AI-assisted integrated development environment for Windows, macOS and Linux. deepseek name : deepseek categories : ai workflow : none description : DeepSeek is an open-source suite of artificial intelligence models, developed by a Chinese company also named DeepSeek. flux name : flux categories : ai workflow : none description : A leading AI model for image generation google_gemini name : google gemini categories : ai workflow : none description : Google Gemini is Google's family of multimodal large language models (LLMs) and the AI-powered chatbot that uses them to understand, generate, and combine different types of data like text, images, audio, video, and code. hailuoai name : hailuoai categories : ai workflow : none description : A Chinese AI platform offering chat and creation tools. hunyuan name : hunyuan categories : ai workflow : none description : A large AI model developed by Tencent for text and image generation. ideogram name : ideogram categories : ai workflow : none description : A popular AI image generation tool known for its effective text rendering within images. kling name : kling categories : ai workflow : none description : An AI model capable of generating video from text prompts. krea name : krea categories : ai workflow : none description : A platform for AI-powered image generation and real-time design. luma name : luma categories : ai workflow : none description : A company specializing in AI for 3D scene generation and visualization. pika name : pika categories : ai workflow : none description : An AI platform known for generating and editing videos from text or image prompts. runway_gen name : runway gen categories : ai workflow : none description : AI video editing and generation. seedance name : seedance categories : ai workflow : none description : An AI tool likely focused on creative generation. seedream name : seedream categories : ai workflow : none description : Another AI image generator. wan name : wan categories : ai workflow : none description : AI-driven video creation tool that can generate videos using text, images, and audio clips as input. windsurf name : windsurf categories : ai, code workflow : none description : Windsurf AI is an AI-powered integrated development environment (IDE) designed to help developers code more efficiently by providing advanced features like code generation, debugging, and project-wide context awareness. airline [10 items] ────────────────────────────────────────────────────────────────────────── aeroflot name : aeroflot categories : airline workflow : none description : The flag carrier and largest airline of Russia. american_airlines name : american airlines categories : airline workflow : none description : American Airlines is a major airline providing passenger and cargo transportation. emirates name : emirates categories : airline workflow : none description : A major international airline based in Dubai, United Arab Emirates. nordwind name : nordwind categories : airline workflow : none description : A Russian charter airline. pobeda name : pobeda categories : airline workflow : none description : A low-cost airline based in Russia, a subsidiary of Aeroflot Group. redwings name : redwings categories : airline workflow : none description : A Russian scheduled and charter airline. s7 name : s7 categories : airline workflow : none description : A leading Russian airline, based in Novosibirsk, and a member of the oneworld alliance. smartavia name : smartavia categories : airline workflow : none description : A Russian airline formerly known as Nordavia. ural_airlines name : ural airlines categories : airline workflow : none description : A Russian airline based in Yekaterinburg. utair name : utair categories : airline workflow : none description : A Russian airline with a focus on regional and charter flights, especially in Western Siberia. api [1 items] ────────────────────────────────────────────────────────────────────────── google_api name : google api categories : api workflow : none description : Google APIs are application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration to other services. application store [5 items] ────────────────────────────────────────────────────────────────────────── appgallery name : appgallery categories : application store workflow : none description : Huawei AppGallery is Huawei's official app distribution platform, functioning as a marketplace for users to discover, download, manage, and share apps on Huawei devices. appstore name : appstore categories : application store workflow : none description : App Store is a digital marketplace, like Apple's App Store or Google Play Store, where users can discover, download, and purchase software applications (apps) for their devices. galaxystore name : galaxystore categories : application store workflow : none description : The Galaxy Store is Samsung's app store, exclusively for Galaxy devices like smartphones, tablets, and smartwatches. google_play name : google play categories : application store workflow : none description : Google Play is a digital distribution service operated by Google. rustore name : rustore categories : application store workflow : none description : RuStore is the official Russian app store for Android devices. assistant [1 items] ────────────────────────────────────────────────────────────────────────── apple_siri name : apple siri categories : assistant, ai workflow : none description : Siri is a virtual assistant developed by Apple Inc. that uses voice commands and artificial intelligence to perform tasks, answer questions, and provide information on Apple devices like iPhones, iPads, and Macs. banking [7 items] ────────────────────────────────────────────────────────────────────────── alfabank name : alfabank categories : banking workflow : none description : Alfa Bank JSC is the largest of the private banks in Russia. american_express name : american express categories : banking, payment workflow : none description : American Express is a financial services company offering credit cards and payment solutions. raiffeisenbank name : raiffeisenbank categories : banking workflow : none description : Raiffeisen Bank International (RBI) is a key entity of the decentralized Raiffeisen Banking Group in Austria, acting both as the latter's domestic central financial entity and as the holding company for all the group's operations outside of Austria. revolut name : revolut categories : banking workflow : none description : Revolut is a British multinational neobank and fintech company that offers banking services for individuals and businesses. sberbank name : sberbank categories : banking workflow : none description : Sberbank is a large Russian banking and financial services company. tbank name : tbank categories : banking workflow : none description : TBank, formerly known as Tinkoff Bank is a Russian commercial bank. wells_fargo name : wells fargo categories : banking, payment workflow : none description : Wells Fargo is a multinational financial services company. blog [4 items] ────────────────────────────────────────────────────────────────────────── blogger name : blogger categories : blog workflow : none description : Blogger is a free, online service owned by Google that allows users to create and publish blogs. livejournal name : livejournal categories : blog workflow : none description : LiveJournal (LJ) is a blogging platform and social networking website that allows users to maintain an online diary or journal and connect with a community of friends and people who share common interests. medium name : medium categories : blog, news workflow : none description : Medium is an online publishing platform for articles and blogs. weibo name : weibo categories : blog, social network workflow : none description : Weibo is a leading Chinese microblogging platform that combines elements of Twitter, Facebook, and a comprehensive social media ecosystem. bookmaker [8 items] ────────────────────────────────────────────────────────────────────────── betboom name : betboom categories : bookmaker workflow : none description : A popular Russian online bookmaker and betting platform. betcity name : betcity categories : bookmaker workflow : none description : A Russian bookmaker. fonbet name : fonbet categories : bookmaker workflow : none description : One of Russia's largest and oldest betting companies, offering sports betting and casinos. leon name : leon categories : bookmaker workflow : none description : An international brand for online betting and casino games. ligastavok name : ligastavok categories : bookmaker workflow : none description : A major Russian bookmaker, now rebranded as Pari. olimpbet name : olimpbet categories : bookmaker workflow : none description : A Russian bookmaking company. pari name : pari categories : bookmaker workflow : none description : A leading Russian bookmaker, rebranded from Liga Stavok. winline name : winline categories : bookmaker workflow : none description : A major Russian bookmaker and betting company. books [2 items] ────────────────────────────────────────────────────────────────────────── bookmate name : bookmate categories : books workflow : none description : Bookmate is a social ebook subscription service, available primarily on mobile. scribd name : scribd categories : books workflow : none description : Scribd is a digital subscription service that offers a large collection of e-books, audiobooks, magazines, podcasts, and documents. cdn [5 items] ────────────────────────────────────────────────────────────────────────── amazon_cloudfront name : amazon cloudfront categories : cdn workflow : none description : Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. cloudinary name : cloudinary categories : cdn workflow : none description : Cloudinary is a cloud-based media experience platform that provides an end-to-end solution for managing and delivering images and videos. facebook_cdn name : facebook cdn categories : cdn workflow : none description : Facebook's CDN, also known as the Facebook Edge Network, is a distributed network of servers that stores and delivers content like images, videos, and scripts closer to users, optimizing content delivery and improving loading times. imgix name : imgix categories : cdn workflow : none description : Imgix is an image processing and optimization service delivered via CDN. yandex_cdn name : yandex cdn categories : cdn workflow : none description : Yandex Cloud CDN - a service for setting up Content Delivery Networks (CDN). Cloud CDN helps you streamline static content delivery for your web service, boost user loyalty, and improve your SEO ranking. clothes [3 items] ────────────────────────────────────────────────────────────────────────── nike name : nike categories : clothes, online shop, sport workflow : none description : Nike is a global brand specializing in athletic footwear and apparel. shein name : shein categories : clothes, online shop, ecommerce workflow : none description : SHEIN is an online fast-fashion retail platform. zalando name : zalando categories : clothes, online shop workflow : none description : Zalando is an online fashion retail platform. cloud [19 items] ────────────────────────────────────────────────────────────────────────── akamai name : akamai categories : cloud, cdn workflow : none description : Akamai is the cybersecurity and cloud computing company that powers and protects business online. alibaba_cloud name : alibaba cloud categories : cloud workflow : none description : Alibaba Cloud is a cloud computing platform providing infrastructure, platform, and data services. amazon_aws name : amazon aws categories : cloud workflow : none description : Amazon Web Services (AWS) is a comprehensive and widely adopted cloud computing platform offered by Amazon. cloudflare name : cloudflare categories : cloud, cdn workflow : none description : Cloudflare is an American company that provides content delivery network services, cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, ICANN-accredited domain registration, and other services. digital_ocean name : digital ocean categories : cloud workflow : none description : DigitalOcean is a cloud computing platform, specifically an infrastructure as a service (IaaS) provider, designed to offer developers, startups, and small to medium-sized businesses (SMBs) simple and affordable cloud solutions. fastly name : fastly categories : cloud, cdn workflow : none description : Fastly is an American company that provides content delivery network services, image optimization, and load balancing services. google_cloud name : google cloud categories : cloud workflow : none description : Google Cloud is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for their own consumer products, such as Google Search, Gmail, and YouTube. heroku name : heroku categories : cloud, code workflow : none description : Heroku is a cloud platform for deploying and managing applications. hostgator name : hostgator categories : cloud, web workflow : none description : HostGator is a web hosting provider offering shared and cloud hosting. huawei_cloud name : huawei cloud categories : cloud workflow : none description : Huawei Cloud provides enterprise cloud infrastructure, AI services, and data platforms. ibm_cloud name : ibm cloud categories : cloud workflow : none description : IBM Cloud is a hybrid cloud platform designed for enterprise workloads and AI-driven applications. kingsoft name : kingsoft categories : cloud, cdn workflow : none description : Kingsoft is a Chinese software and internet services company that is known for its office suite, WPS Office, and its cloud computing services, Kingsoft Cloud. ms_azure name : ms azure categories : cloud workflow : none description : Microsoft Azure is the cloud computing platform developed by Microsoft. It has management, access and development of applications and services to individuals, companies, and governments through its global infrastructure. oracle_cloud name : oracle cloud categories : cloud workflow : none description : Oracle Cloud provides cloud infrastructure and enterprise applications. rackspace name : rackspace categories : cloud, enterprise workflow : none description : Rackspace provides managed cloud and hosting services. tencent_cloud name : tencent cloud categories : cloud workflow : none description : Tencent Cloud delivers cloud computing, big data, and AI services from Tencent. vmware name : vmware categories : cloud, enterprise workflow : none description : VMware develops virtualization and cloud infrastructure software. vultr name : vultr categories : cloud workflow : none description : Vultr is a cloud computing company that provides cloud infrastructure services, including cloud servers, cloud storage, and bare metal solutions. yandex_cloud name : yandex cloud categories : cloud workflow : none description : Yandex Cloud - a full-fledged cloud platform providing scalable infrastructure, storage, machine learning and development tools to build and enhance digital services and applications. code [17 items] ────────────────────────────────────────────────────────────────────────── bootstrap name : bootstrap categories : code, web workflow : none description : Bootstrap is a front-end framework for building responsive web interfaces. codility name : codility categories : code workflow : none description : A platform used by companies to test the coding skills of potential hires. docker name : docker categories : code workflow : none description : Docker is a platform for building, shipping, and running applications using containers. flutterflow name : flutterflow categories : code workflow : none description : A low-code visual builder for creating native mobile applications using Google's Flutter framework. gitbook name : gitbook categories : code workflow : none description : A modern documentation platform powered by Git, where teams can document knowledge and products. github name : github categories : code, social network workflow : none description : GitHub is a proprietary developer platform that allows developers to create, store, manage, and share their code. gitlab name : gitlab categories : code, social network workflow : none description : GitLab is a web-based DevOps platform that provides Git repository management, CI/CD, and other tools for software development and project management. jfrog name : jfrog categories : code workflow : none description : A global technology company providing a universal DevOps platform for binary repository management (Artifactory). jquery name : jquery categories : code, web workflow : none description : jQuery is a JavaScript library for simplifying HTML DOM manipulation. laravel name : laravel categories : code workflow : none description : A popular, elegant open-source PHP web framework for building web applications. leetcode name : leetcode categories : code workflow : none description : A global platform for practicing coding problems and preparing for technical interviews. redis_cloud name : redis cloud categories : code workflow : none description : Redis Cloud is a fully managed database-as-a-service that brings the speed and reliability of Redis to the cloud, offering seamless scalability. sourceforge name : sourceforge categories : code workflow : none description : A long-established web service for software developers to manage and distribute open-source software. tilda name : tilda categories : code workflow : none description : A popular Russian no-code website builder focused on creating beautiful landing pages and websites. ubuntu name : ubuntu categories : code workflow : none description : Ubuntu is a Linux-based operating system developed by Canonical. virtualbox name : virtualbox categories : code workflow : none description : VirtualBox is a virtualization software platform. weebly name : weebly categories : code, web workflow : none description : Weebly is a website builder and hosting service. crowdfunding [2 items] ────────────────────────────────────────────────────────────────────────── boosty name : boosty categories : crowdfunding workflow : none description : A Russian crowdfunding and subscription platform popular with content creators (bloggers, artists, musicians). kickstarter name : kickstarter categories : crowdfunding workflow : none description : A globally renowned American crowdfunding platform for creative projects. crypto [5 items] ────────────────────────────────────────────────────────────────────────── binance name : binance categories : crypto workflow : none description : Binance is the world's largest cryptocurrency exchange where users can buy, sell, and trade a wide variety of digital currencies like Bitcoin and Ethereum. coinbase name : coinbase categories : crypto workflow : none description : Coinbase is a cryptocurrency exchange and digital asset platform. ethereum name : ethereum categories : crypto workflow : none description : Ethereum is a decentralized blockchain platform supporting smart contracts. monero name : monero categories : crypto workflow : none description : Monero is a privacy-focused cryptocurrency designed for anonymous payments. z_cash name : z cash categories : crypto workflow : none description : Zcash is a cryptocurrency focused on privacy-preserving transactions. delivery [3 items] ────────────────────────────────────────────────────────────────────────── samokat name : samokat categories : delivery, food workflow : none description : Samokat is a Russian-founded instant delivery service that delivers groceries and household goods in approximately 15 minutes. ups name : ups categories : delivery workflow : none description : UPS is a logistics and package delivery company. yandex_lavka name : yandex lavka categories : delivery, food workflow : none description : Yandex Lavka is a Russian service for ordering prepared meals, groceries, and household goods from local warehouses via a mobile app or website. design [6 items] ────────────────────────────────────────────────────────────────────────── adobe name : adobe categories : design, productivity, ecosystem workflow : none description : Adobe is a software company providing creative, marketing, and document management solutions. behance name : behance categories : design, social network workflow : none description : Behance is an online platform for showcasing and discovering creative portfolios. canva name : canva categories : design workflow : none description : Canva is an online graphic design platform for creating visual content. dribbble name : dribbble categories : design, social network workflow : none description : A global online community and social platform for designers to showcase their work. figma name : figma categories : design workflow : none description : Figma is a collaborative interface design and prototyping platform. giphy name : giphy categories : design workflow : none description : Giphy is a searchable platform for animated GIFs and short video content. dns [3 items] ────────────────────────────────────────────────────────────────────────── cloudflare_dns name : cloudflare dns categories : dns, network service workflow : none description : Cloudflare DNS is a service that provides both authoritative DNS and a public DNS resolver for faster and more private internet browsing. nextdns name : nextdns categories : dns, security, network service workflow : none description : NextDNS offers DNS-based security, privacy, and content filtering services. yandex_dns name : yandex dns categories : dns, network service workflow : none description : Yandex DNS service. drive [9 items] ────────────────────────────────────────────────────────────────────────── belkacar name : belkacar categories : drive workflow : none description : Russian car-sharing service offering access to a fleet of vehicles for short- and medium-term use. citydrive name : citydrive categories : drive workflow : none description : Russian car-sharing service offering access to a fleet of vehicles for short- and medium-term use. citymobil name : citymobil categories : drive workflow : none description : Russian ride-hailing and taxi aggregation service that connects passengers with drivers via a mobile application. delimobil name : delimobil categories : drive workflow : none description : Car-sharing platform in Russia that enables users to rent vehicles for short trips using a smartphone app. lyft name : lyft categories : drive workflow : none description : Lyft is a ride-hailing and transportation services platform. uber name : uber categories : drive workflow : none description : Uber is a multinational technology company that connects users to on-demand transportation and delivery services through its smartphone app. urent name : urent categories : drive workflow : none description : An e-scooter and bike-sharing service provider of e-scooter and bikes for public transportation and urban mobility. whoosh name : whoosh categories : drive workflow : none description : A major Russian scooter and bicycle sharing service, similar to Bird or Lime in other countries. It is one of the largest micromobility operators in Russia and the CIS. yandex_drive name : yandex drive categories : drive workflow : none description : Russian car-sharing service that provides short-term vehicle rentals through a mobile application. ecommerce [10 items] ────────────────────────────────────────────────────────────────────────── alibaba name : alibaba categories : ecommerce, marketplace, ecosystem workflow : none description : Alibaba is a Chinese multinational technology company focused on e-commerce, cloud computing, logistics, and digital services. bigcommerce name : bigcommerce categories : ecommerce, online shop workflow : none description : BigCommerce is an e-commerce platform for building and scaling online stores. cloudtips name : cloudtips categories : ecommerce workflow : none description : A leading platform that lets your audience support you with one-click tips during live streams and on social media, turning engagement into earnings. netmonet name : netmonet categories : ecommerce workflow : none description : A Russian fintech platform for restaurants and service businesses that started as a QR-code based cashless tipping service but expanded to offer digital menus, online ordering, and bill payment, all integrated through QR codes for easy customer use and business management. patreon name : patreon categories : ecommerce workflow : none description : Patreon is a membership platform enabling creators to monetize content. paypal name : paypal categories : ecommerce workflow : none description : PayPal is an online payment system that allows you to send and receive money around the world. payproglobal name : paypro global categories : ecommerce workflow : none description : A global e-commerce and payment processing platform for software and digital goods companies. sber_tips name : sber tips categories : ecommerce workflow : none description : A seamless micro-donation service integrated into SberBank's ecosystem, enabling easy tips and donations to creators and charities directly from your bank account. shopify name : shopify categories : ecommerce, online shop workflow : none description : Shopify is an e-commerce platform for creating and managing online stores. woocommerce name : woocommerce categories : ecommerce, code workflow : none description : WooCommerce is an open-source e-commerce plugin for WordPress. ecosystem [6 items] ────────────────────────────────────────────────────────────────────────── apple name : apple categories : ecosystem workflow : none description : Apple Inc. is an American multinational corporation and technology company. google name : google categories : ecosystem workflow : none description : Google LLC is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial intelligence (AI). meta name : meta categories : ecosystem workflow : none description : Meta Platforms, Inc. is an American multinational technology company which owns and operates Facebook, Instagram, Threads, and WhatsApp, among other products and services. microsoft name : microsoft categories : ecosystem workflow : none description : Microsoft Public IP Space. yahoo name : yahoo categories : ecosystem workflow : none description : Yahoo is an American web portal and internet services provider that offers a wide range of online services, including the search engine Yahoo Search, Yahoo Mail, Yahoo News, and Yahoo Finance. yandex name : yandex categories : ecosystem workflow : none description : Yandex LLC is a Russian technology company that provides Internet-related products and services including a web browser, search engine, cloud computing, web mapping, online food ordering, streaming media, online shopping, and a ridesharing company. enterprise [27 items] ────────────────────────────────────────────────────────────────────────── amd name : amd categories : enterprise workflow : none description : AMD is a semiconductor company designing CPUs and GPUs for consumer and enterprise markets. anydesk name : anydesk categories : enterprise, remote access workflow : none description : AnyDesk is a remote desktop application that allows users to access and control another computer or device over a network, like the internet. atlassian name : atlassian categories : enterprise, productivity workflow : none description : Atlassian develops collaboration and project management software such as Jira and Confluence. datadog name : datadog categories : enterprise workflow : none description : Datadog is a cloud-based monitoring and observability platform for infrastructure and applications. dell name : dell categories : enterprise workflow : none description : Dell is a technology company producing computers, servers, and IT infrastructure. grafana name : grafana categories : enterprise, code workflow : none description : Grafana is an open-source platform for monitoring, visualization, and observability. hubspot name : hubspot categories : enterprise workflow : none description : A leading American developer of marketing, sales, and customer service software platforms. ibm name : ibm categories : enterprise, cloud, ecosystem workflow : none description : IBM is a global technology company offering enterprise software, hardware, cloud, and consulting services. intel name : intel categories : enterprise workflow : none description : Intel is a semiconductor company producing processors and computing technologies. jetbrains name : jetbrains categories : enterprise, it workflow : none description : A renowned global software development company creating IDEs like IntelliJ IDEA, PyCharm, and PhpStorm. new_relic name : new relic categories : enterprise workflow : none description : New Relic is an observability platform for monitoring application performance. nvidia name : nvidia categories : enterprise workflow : none description : NVIDIA designs GPUs and AI computing technologies. oracle name : oracle categories : enterprise workflow : none description : Oracle is an enterprise software company specializing in databases and cloud solutions. pendo name : pendo categories : enterprise workflow : none description : Pendo provides product analytics and user experience insights. qualcomm name : qualcomm categories : enterprise workflow : none description : Qualcomm is a semiconductor company specializing in wireless communication technologies and mobile processors. red_hat name : red hat categories : enterprise workflow : none description : Red Hat provides enterprise open-source software solutions. salesforce name : salesforce categories : enterprise workflow : none description : Salesforce is the world’s leading customer relationship management technology (What is CRM?), helping you build and improve your customer relationships. sap name : sap categories : enterprise workflow : none description : SAP provides enterprise software for business operations and analytics. servicenow name : servicenow categories : enterprise workflow : none description : ServiceNow is a cloud platform for IT service management and automation. sony name : sony categories : enterprise, media workflow : none description : Sony is a multinational corporation operating in electronics, gaming, and entertainment. splunk name : splunk categories : enterprise, security workflow : none description : Splunk is a data analytics platform for monitoring and searching machine data. tableau name : tableau categories : enterprise workflow : none description : Tableau is a data visualization and business intelligence platform. teamviewer name : teamviewer categories : enterprise, remote access workflow : none description : TeamViewer is a software application that enables remote access, control, and support for computers and other devices. tesla name : tesla categories : enterprise workflow : none description : Tesla is an electric vehicle and energy technology company. ubiquiti name : ubiquiti categories : enterprise workflow : none description : Ubiquiti develops networking hardware and wireless communication products. xiaomi name : xiaomi categories : enterprise, ecosystem workflow : none description : Xiaomi is a consumer electronics company producing smartphones and smart devices. zendesk name : zendesk categories : enterprise workflow : none description : Zendesk is a cloud-based customer service platform that helps businesses manage and streamline interactions with customers across various channels like email, chat, social media, and voice calls. file storage [6 items] ────────────────────────────────────────────────────────────────────────── dropbox name : dropbox categories : file storage workflow : none description : Dropbox is a cloud storage service that allows users to store, share, and sync files across multiple devices. google_drive name : google drive categories : file storage workflow : none description : Google Drive is a cloud-based service from Google that provides secure online storage for files, allowing users to access, organize, and share them from any device. icloud name : icloud categories : file storage workflow : none description : iCloud is Apple's cloud service that securely stores your data and keeps it synchronized across your Apple devices. mega name : mega categories : file storage workflow : none description : MEGA is a cloud storage service that provides secure, encrypted file storage, sharing, and collaboration tools. sharefile name : sharefile categories : file storage, enterprise workflow : none description : ShareFile is a secure file sharing and collaboration platform. wasabi name : wasabi categories : file storage workflow : none description : Wasabi provides cloud-based object storage services. food [3 items] ────────────────────────────────────────────────────────────────────────── doordash name : doordash categories : food, delivery workflow : none description : DoorDash is an online food ordering and delivery platform. instacart name : instacart categories : food, delivery workflow : none description : Instacart is an online grocery delivery and pickup service. zomato name : zomato categories : food, delivery workflow : none description : Zomato is an online restaurant discovery and food delivery platform. forum [1 items] ────────────────────────────────────────────────────────────────────────── discourse name : discourse categories : forum, web workflow : none description : Discourse is an open-source discussion and forum platform. gaming [15 items] ────────────────────────────────────────────────────────────────────────── chess_com name : chess com categories : gaming workflow : none description : Chess.com is the world's largest online chess platform. epic_games name : epic games categories : gaming, application store workflow : none description : Epic Games is a video game company known for Fortnite and Unreal Engine. minecraft name : minecraft categories : gaming workflow : none description : Minecraft is a sandbox video game developed by Mojang. moonton name : moonton categories : gaming workflow : none description : Moonton is a video game developer best known for mobile games. nintendo name : nintendo categories : gaming workflow : none description : Nintendo is a multinational consumer electronics and video game company. origin_ea name : origin ea categories : gaming, application store workflow : none description : Origin is EA’s digital distribution platform for video games. playstation name : playstation categories : gaming workflow : none description : PlayStation is Sony’s gaming platform and console ecosystem. roblox name : roblox categories : gaming workflow : none description : Roblox is an online game platform and game creation system developed by Roblox Corporation that allows users to program and play games created by themselves or other users. steam name : steam categories : gaming, application store, social network workflow : none description : Steam is a digital distribution platform for PC games. ubisoft name : ubisoft categories : gaming workflow : none description : Ubisoft is a video game publisher and developer. unity name : unity categories : gaming, code, design workflow : none description : Unity is a game development and real-time 3d engine. valorant name : valorant categories : gaming workflow : none description : Valorant is an online tactical shooter game developed by Riot Games. wargaming name : wargaming categories : gaming workflow : none description : Wargaming is a video game developer focused on online multiplayer games. xbox name : xbox categories : gaming workflow : none description : Xbox is Microsoft’s gaming console and online gaming platform. zynga name : zynga categories : gaming workflow : none description : Zynga is a mobile game developer and publisher. government [2 items] ────────────────────────────────────────────────────────────────────────── gosuslugi name : gosuslugi categories : government workflow : none description : Gosuslugi is a digital platform operated by the Russian government that providing individuals and legal entities with online access to information about state and municipal services. nalog_ru name : nalog ru categories : government workflow : none description : The official website of Russia's Federal Tax Service (FTS). health [2 items] ────────────────────────────────────────────────────────────────────────── fatsecret name : fatsecret categories : health, productivity workflow : none description : FatSecret is a global health tool. webmd name : webm categories : health, knowledge, news workflow : none description : WebMD provides health information and medical resources online. hosting [2 items] ────────────────────────────────────────────────────────────────────────── regru name : reg ru categories : hosting workflow : none description : A major Russian domain name registrar and web hosting provider. ru_center name : ru center categories : hosting workflow : none description : One of Russia's largest and oldest domain registrars and hosting providers. im [16 items] ────────────────────────────────────────────────────────────────────────── douyin name : douyin categories : im, social network workflow : none description : Douyin is Chinese version of the short-form video app TikTok. google_chat name : google chat categories : im workflow : none description : Google Chat is a free, secure Google service for instant messaging, group conversations, and team collaboration, integrated with other Google Workspace products like Gmail, Drive, and Meet. kakaotalk name : kakaotalk categories : im workflow : none description : KakaoTalk is South Korea's most popular messaging app, functioning as a "super-app" that goes beyond simple messaging to include a wide range of services like mobile payments, banking, and e-commerce. kik name : kik categories : im workflow : none description : Kik is a mobile messaging application. line name : line categories : im workflow : none description : LINE is a free communication and instant messaging (IM) application developed by Japan's LY Corporation. messenger name : messenger categories : im workflow : none description : Messenger is a free messaging app developed by Meta Platforms that lets users send instant messages, photos, videos, and make voice and video calls to friends and family. omegle name : omegle categories : im, social network workflow : none description : Omegle is an online chat platform that pairs users randomly. qq name : qq categories : im workflow : none description : QQ is an instant messaging platform operated by Tencent. signal name : signal categories : im, security workflow : none description : Signal is an encrypted messaging application focused on privacy. slack name : slack categories : im, office workflow : none description : Slack is a business communication and collaboration platform that centralizes conversations, apps, and files into one workspace to help teams stay organized and productive. snapchat name : snapchat categories : im workflow : none description : Snapchat is a mobile messaging and social media app, developed by Snap Inc., that allows users to send disappearing photos and videos called 'Snaps' to friends, along with text and drawings. telegram name : telegram categories : im workflow : none description : Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. threema name : threema categories : im workflow : none description : Threema is an encrypted messaging application. viber name : viber categories : im workflow : none description : Viber is a cross-platform voice over IP (VoIP) and instant messaging (IM) software application owned by Japanese multinational company Rakuten, provided as freeware for the Google Android, iOS, Microsoft Windows, Apple macOS and Linux platforms. wechat name : wechat categories : im, social network workflow : none description : WeChat is a Chinese "super app" that combines messaging, social media, and payment services into a single platform. whatsapp name : whatsapp categories : im workflow : none description : WhatsApp is an instant messaging (IM) and voice-over-IP (VoIP) service owned by technology conglomerate Meta. job [1 items] ────────────────────────────────────────────────────────────────────────── profi_ru name : profi ru categories : job workflow : none description : A large Russian online platform for finding and hiring local service professionals (freelancers for repairs, tutoring, events, etc.). mail [5 items] ────────────────────────────────────────────────────────────────────────── apple_mail name : apple mail categories : mail workflow : none description : Apple Mail is Apple's built-in email client for its operating systems like macOS, iOS, iPadOS, watchOS, and visionOS. gmail name : gmail categories : mail workflow : none description : Gmail is a free, web-based email service provided by Google. protonmail name : protonmail categories : mail, security workflow : none description : Proton Mail is an encrypted email service emphasizing user privacy. sendgrid name : sendgrid categories : mail workflow : none description : SendGrid is an email delivery and marketing platform. yahoo_mail name : yahoo mail categories : mail workflow : none description : Yahoo Mail is a free, web-based email service provided by the company Yahoo! Inc.. maps [8 items] ────────────────────────────────────────────────────────────────────────── 2gis name : 2gis categories : maps workflow : none description : 2GIS is a free business listings app with a detailed 3D city map, contact details, and public transport routes. apple_maps name : apple maps categories : maps workflow : none description : Apple Maps is a navigation and mapping application developed by Apple, pre-installed on Apple devices like iPhones, iPads, Apple Watches, and Macs. flightradar24 name : flightradar24 categories : maps, travel workflow : none description : Flightradar24 is a real-time flight tracking service. google_maps name : google maps categories : maps workflow : none description : Google Maps is a web mapping service developed by Google, providing detailed geographical information and navigation tools. mapbox name : mapbox categories : maps workflow : none description : Mapbox is a cloud-based platform that provides developers with tools and services to create custom, interactive online maps for websites and applications. mapy name : mapy categories : maps workflow : none description : Mapy is an online mapping and navigation service, originally known as Mapy.cz. openstreetmap name : openstreetmap categories : maps workflow : none description : OpenStreetMap (OSM) is a collaborative, free, and open-source project to create a detailed map of the world. yandex_maps name : yandex maps categories : maps workflow : none description : Yandex Maps is a Russian web mapping service and app developed by Yandex. marketplace [14 items] ────────────────────────────────────────────────────────────────────────── aliexpress name : aliexpress categories : marketplace workflow : none description : AliExpress is an online retail marketplace connecting global buyers and sellers. amazon_com name : amazon com categories : marketplace workflow : none description : Amazon.com is the US-specific e-commerce website of the American multinational technology company, Amazon, Inc., a global leader in online retail, cloud computing, and digital streaming. avito name : avito categories : marketplace workflow : none description : Avito is a Russian classified advertisements website with sections devoted to general goods for sale, jobs, real estate, personals, cars for sale, and services. biggeek name : biggeek categories : marketplace workflow : none description : A Russian online retailer specializing in gadgets, electronics, and novelty tech items. ebay name : ebay categories : marketplace workflow : none description : eBay is a global e-commerce platform where users can buy and sell a vast range of new and used items, from collectibles to everyday goods. etsy name : etsy categories : marketplace, ecommerce workflow : none description : Etsy is an online marketplace for handmade and vintage goods. gumtree name : gumtree categories : marketplace, web workflow : none description : Gumtree is an online classifieds platform. ozon name : ozon categories : marketplace workflow : none description : Ozon is a leading multi-category e-commerce platform and one of the largest internet companies in Russia. shopee name : shopee categories : marketplace, ecommerce, online shop workflow : none description : Shopee is an e-commerce marketplace operating primarily in Asia. temu name : temu categories : marketplace, ecommerce, online shop workflow : none description : Temu is an online marketplace offering low-cost consumer goods. ticketmaster name : ticketmaster categories : marketplace workflow : none description : Ticketmaster is an online ticketing platform for events and entertainment. wildberries name : wildberries categories : marketplace workflow : none description : Wildberries is a major Russian e-commerce platform and online retailer. wish name : wish categories : marketplace, ecommerce workflow : none description : Wish is an ecommerce platform focused on discounted consumer goods. yandex_market name : yandex market categories : marketplace workflow : none description : Yandex Market is a large Russian e-commerce platform and online marketplace where customers can search for, compare, and buy millions of products from numerous online stores and sellers. media [27 items] ────────────────────────────────────────────────────────────────────────── amazon_video name : amazon video categories : media workflow : none description : Amazon Video, more formally known as Amazon Prime Video, is a subscription streaming service that offers a vast library of movies, TV shows, and live sports. amediateka name : amediateka categories : media workflow : none description : Amediateka is a Russian subscription-based streaming service for TV series and movies, featuring content from major studios like HBO, Showtime, and Sony Pictures. apple_tv name : apple tv categories : media workflow : none description : Apple TV is a digital media player and microconsole developed and sold by Apple Inc.. dailymotion name : dailymotion categories : media workflow : none description : Dailymotion is a global video-sharing platform, similar to YouTube, that allows users to upload, share, and watch videos on various topics like news, entertainment, and sports. disney_plus name : disney plus categories : media workflow : none description : Disney+ is an online streaming service offering movies, series, and documentaries from Disney, Pixar, Marvel, Star Wars, and National Geographic. flickr name : flickr categories : media, design, social network workflow : none description : Flickr is an online photo sharing and hosting platform. hbo name : hbo categories : media workflow : none description : HBO, which stands for Home Box Office, is an American premium television network and a streaming service known for its high-quality original programming. hulu name : hulu categories : media workflow : none description : Hulu is an American subscription streaming service that offers a wide variety of on-demand and live content, including popular TV shows, movies, and exclusive Hulu Originals. itunes name : itunes categories : media workflow : none description : iTunes is a media player, media library, and mobile device management (MDM) utility developed by Apple. ivi name : ivi categories : media workflow : none description : IVI Cinema is a Russian online video streaming service that offers a wide library of movies, TV shows, music videos, and other content, including its own original productions. netflix name : netflix categories : media workflow : none description : Netflix is an American subscription video on-demand over-the-top streaming service. okko name : okko categories : media workflow : none description : Okko is a Russian online cinema and streaming service that offers a large library of movies, TV series, cartoons, and live TV channels. premier name : premier categories : media workflow : none description : Premier is a Russian streaming service that offers films, series, and live TV channels with a focus on Russian content, including exclusive originals. roku name : roku categories : media workflow : none description : Roku provides streaming devices and a digital media platform. start name : start categories : media workflow : none description : Start is a subscription-based international streaming service available worldwide with Russian-based production. starz name : starz categories : media, music workflow : none description : Starz is a premium television network and streaming service. tubi name : tubi categories : media, advertisement workflow : none description : Tubi is a free ad-supported streaming television service. uplynk name : uplynk categories : media, cloud workflow : none description : Uplynk provides cloud-based video streaming and monetization services. vimeo name : vimeo categories : media workflow : none description : Vimeo is an online video hosting and sharing platform popular with creators for its high-quality, ad-free video hosting, and professional-grade features. viu name : viu categories : media, news workflow : none description : Viu is a video streaming service focused on Asian content. vix name : vix categories : media, news workflow : none description : ViX is a Spanish-language streaming service. wink name : wink categories : media workflow : none description : Wink is a Russian multimedia platform that provides interactive TV, online cinema, and other entertainment services. wistia name : wistia categories : media workflow : none description : Wistia provides video hosting and analytics for businesses. wurl name : wurl categories : media, advertisement workflow : none description : Wurl provides streaming distribution and monetization services. xumo name : xumo categories : media, advertisement workflow : none description : Xumo is a free ad-supported streaming television platform. youku name : youku categories : media, music workflow : none description : Youku is a Chinese video streaming service. zattoo name : zattoo categories : media, telecom workflow : none description : Zattoo is a live TV streaming service. meetings [5 items] ────────────────────────────────────────────────────────────────────────── adobe_connect name : adobe connect categories : meetings workflow : none description : Adobe Connect is a web conferencing and virtual classroom platform. facetime name : facetime categories : meetings workflow : none description : FaceTime is a video and audio call service developed by Apple. google_meet name : google meet categories : meetings workflow : none description : Google Meet is a secure video-communication service from Google that provides virtual meetings and calls through video, audio, and chat. webex name : webex categories : meetings workflow : none description : Webex is a comprehensive collaboration platform developed by Cisco. zoom name : zoom categories : meetings workflow : none description : Zoom is a cloud-based video conferencing platform that enables users to conduct online meetings, webinars, and live chats. metadata [2 items] ────────────────────────────────────────────────────────────────────────── ech name : ech categories : metadata workflow : none description : Encrypted Client Hello. The tag is presented only when ECH exists, but SNI doesn't exist. ftp_data name : ftp data categories : metadata workflow : none description : FTP data trasnmission. music [12 items] ────────────────────────────────────────────────────────────────────────── apple_music name : apple music categories : music, media workflow : none description : Apple Music is a subscription-based music and video streaming service offered by Apple Inc. deezer name : deezer categories : music, media workflow : none description : Deezer is a French music and podcast streaming service that offers access to over 90 million tracks. genius name : genius categories : music workflow : none description : Genius.com is a massive, community-driven digital platform and database for music knowledge, lyrics, and artist insights, allowing users to annotate songs, share stories, and get verified explanations directly from musicians. lastfm name : last.fm categories : music, media workflow : none description : Last.fm is a music streaming and discovery platform that tracks and records your listening habits through a feature called "scrobbling". mtv name : mtv categories : music, media workflow : none description : MTV is a media brand focused on music and entertainment content. shazam name : shazam categories : music workflow : none description : Shazam is an Apple-owned mobile application and service that identifies music, movies, television shows, and advertisements by listening to a short sample of their audio using a device's microphone. soundcloud name : soundcloud categories : music, media workflow : none description : SoundCloud is an online audio streaming and distribution platform that allows users to upload, stream, share, and listen to music and podcasts. spotify name : spotify categories : music, media workflow : none description : Spotify is a popular audio streaming service that provides access to millions of songs, podcasts, and other audio content. tidal name : tidal categories : music, media workflow : none description : Tidal is a music streaming service offering high-fidelity audio. vevo name : vevo categories : music, media workflow : none description : Vevo is a music video hosting and distribution platform. yandex_music name : yandex music categories : music, media workflow : none description : Yandex Music is a Russian music streaming service developed by Yandex. zvooq name : zvooq categories : music, media workflow : none description : Zvooq is an independent Russian music streaming service that offers a vast library of music and podcasts. news [38 items] ────────────────────────────────────────────────────────────────────────── 360ru name : 360ru categories : news workflow : none description : A Russian federal TV channel and news website. aif name : aif categories : news workflow : none description : A widely circulated Russian weekly newspaper known for its societal and political commentary. axios name : axios categories : news workflow : none description : Axios is a digital media company focused on news and analysis. baza_io name : baza categories : news workflow : none description : A Telegram-based news channel and outlet known for breaking news, often related to law enforcement. bbc name : bbc categories : news workflow : none description : The BBC is the world's leading public service broadcaster. bloomberg name : bloomberg categories : news workflow : none description : Bloomberg is a global provider of financial news and information, including real-time and historical price data, trading news, and analyst coverage. championat name : championat categories : news, sport workflow : none description : Championat is a Russian digital sports media platform providing comprehensive coverage of domestic and international sporting events. cnews name : cnews categories : news, it workflow : none description : A Russian media outlet and website specializing in news about information technology and business. daily_mail name : daily mail categories : news workflow : none description : The Daily Mail is a British daily newspaper, founded in 1896, that is right-wing and conservative. der_spiegel name : der spiegel categories : news workflow : none description : Der Spiegel is known in German-speaking countries mostly for its investigative journalism. digg name : digg categories : news workflow : none description : Digg is a content aggregation platform for news discovery. fontanka name : fontanka categories : news workflow : none description : A prominent news website based in Saint Petersburg, covering Northwestern Russia. forbes name : forbes categories : news workflow : none description : Forbes is an American media and publishing company, founded in 1917, that focuses on business, finance, and entrepreneurship. fox_news name : fox news categories : news workflow : none description : The Fox News Channel (FNC), commonly known as Fox News, is an American multinational conservative news and political commentary television channel and website. gazeta name : gazeta categories : news workflow : none description : A popular Russian online newspaper and news website covering general news. hacker_news name : hacker news categories : news, it workflow : none description : A social news website focused on computer science and entrepreneurship, run by Y Combinator. izvestiya name : izvestiya categories : news workflow : none description : A long-established Russian newspaper, now a daily broadsheet covering general news. kommersant name : kommersant categories : news workflow : none description : A respected Russian daily newspaper focusing on politics and business, known for its high-quality reporting. kp name : kp categories : news workflow : none description : One of Russia's most popular daily tabloid newspapers. lenta name : lenta categories : news workflow : none description : A major Russian online newspaper with sections on politics, business, and culture. liferu name : liferu categories : news workflow : none description : A Russian news website and former TV channel known for its sensationalist approach and crime reporting. marca name : marca categories : news, sport workflow : none description : A leading Spanish daily sports newspaper, famously focused on football. match_tv name : match tv categories : news, sport workflow : none description : Match TV is a Russian sports television network and digital platform that broadcasts live sporting events, sports news programs, and analytical shows. mk name : mk categories : news workflow : none description : A major Russian daily newspaper, known for its investigative journalism. newsru name : newsru categories : news workflow : none description : A Russian-language news website aggregating headlines from various sources. people name : people categories : news workflow : none description : People is an American weekly magazine that specializes in celebrity news and human-interest stories. pravda name : pravda categories : news workflow : none description : An online news portal, named after the historic Soviet newspaper, covering Russian and international news. rbc name : rbc categories : news workflow : none description : A leading Russian media group focusing on business, financial, and political news. russia_today name : russia today categories : news workflow : none description : A Russian state-controlled international television network and news website. sportbox name : sportbox categories : news, sport workflow : none description : Sportbox is a Russian sports information portal focused on live coverage, results, and multimedia content. sports name : sports categories : news, sport workflow : none description : Sports.ru is a major Russian online sports publication, founded in 1998, that provides news, broadcasts, analysis, and runs a social community for fans. tjournal name : tjournal categories : news, blog workflow : none description : A now-defunct Russian online publication that covered internet culture, social media, and technology. Its community and some projects live on. tmz name : tmz categories : news, media workflow : none description : TMZ is an entertainment news and celebrity gossip platform. toutiao name : toutiao categories : news, media workflow : none description : Toutiao is a Chinese news and content aggregation platform. ura_news name : ura news categories : news workflow : none description : A news agency based in Yekaterinburg, focusing on the Ural Federal District and national news. vice name : vice categories : news, media workflow : none description : VICE is a digital media company producing news and cultural content. wall_street_journal name : wall street journal categories : news workflow : none description : The Wall Street Journal (WSJ) is an American daily business and financial newspaper, and a global news organization, published by Dow Jones & Company. washington_post name : washington post categories : news workflow : none description : The Washington Post (WaPo or WP) is an American daily newspaper published in Washington, D.C., the national capital. office [8 items] ────────────────────────────────────────────────────────────────────────── docusign name : docusign categories : office workflow : none description : DocuSign enables electronic signatures and digital agreement workflows. ms365 name : ms365 categories : office workflow : none description : Microsoft 365 is a cloud-powered productivity platform which provides the access to the following applications: Microsoft Teams, Word, Excel, PowerPoint, Outlook, OneDrive, and so much more. ms_exchange name : ms exchange categories : office workflow : none description : Microsoft Exchange Service is Microsoft's email, calendaring, contact, scheduling and collaboration platform. ms_sharepoint name : ms sharepoint categories : office workflow : none description : SharePoint Online and OneDrive for Business. ms_teams name : ms teams categories : office workflow : none description : Microsoft Teams is a team collaboration application developed by Microsoft as part of the Microsoft 365 family of products, offering workspace chat and video conferencing, file storage, and integration of proprietary and third-party applications and services. myoffice name : myoffice categories : office workflow : none description : A Russian developer of office software suites, including word processing and spreadsheets. yandex360 name : yandex360 categories : office workflow : none description : The set of Yandex digital services such as mail, disk, telemost, calendar, notes, etc. zoho name : zoho categories : office, enterprise workflow : none description : Zoho provides a suite of cloud-based business applications. online shop [8 items] ────────────────────────────────────────────────────────────────────────── bestbuy name : bestbuy categories : online shop, ecommerce workflow : none description : Best Buy is a consumer electronics retailer operating online and physical stores. costco name : costco categories : online shop, ecommerce workflow : none description : Costco is a membership-based retail warehouse chain. ikea name : ikea categories : online shop, ecommerce workflow : none description : IKEA is a global furniture retailer offering home furnishings and accessories. shutterfly name : shutterfly categories : online shop, media workflow : none description : Shutterfly provides photo printing and personalized products. target name : target categories : online shop, ecommerce workflow : none description : Target is a retail corporation operating physical and online stores. tmall name : tmall categories : online shop, marketplace, ecommerce workflow : none description : Tmall is a Chinese online retail platform operated by Alibaba. walmart name : walmart categories : online shop workflow : none description : Walmart is a multinational retail corporation operating physical and online stores. wayfair name : wayfair categories : online shop workflow : none description : Wayfair is an online retailer specializing in home goods. onlineshop [1 items] ────────────────────────────────────────────────────────────────────────── lamoda name : lamoda categories : onlineshop, clothes workflow : none description : Lamoda is a major online fashion retailer and marketplace in Russia and the CIS, selling a wide range of clothing, shoes, accessories, cosmetics, and household goods from global brands. payment [11 items] ────────────────────────────────────────────────────────────────────────── adyen name : adyen categories : payment, ecommerce workflow : none description : Adyen is a global payment processing platform for online and in-store payments. afterpay name : afterpay categories : payment, ecommerce workflow : none description : Afterpay offers installment-based payment services for consumers. alipay name : alipay categories : payment, ecommerce workflow : none description : Alipay is a popular digital wallet and mobile payment app, primarily used in China, that facilitates online and in-store payments, money transfers, and various lifestyle services like booking taxis and paying bills. apple_pay name : apple pay categories : payment workflow : none description : Apple Pay is a mobile payment and digital wallet service developed by Apple, allowing users to make contactless payments using their Apple devices like iPhones, Apple Watches, iPads, and Macs. mastercard name : mastercard categories : payment, banking workflow : none description : Mastercard is a global payment network enabling electronic transactions. paytm name : paytm categories : payment workflow : none description : Paytm is a digital payments and financial services platform. razorpay name : razorpay categories : payment, ecommerce workflow : none description : Razorpay is a payment gateway and financial services platform. square name : square categories : payment workflow : none description : Square provides payment processing and point-of-sale solutions for businesses. stripe name : stripe categories : payment, ecommerce workflow : none description : Stripe is an online payment processing platform that allows businesses to accept payments online, send payouts, and manage their finances. visa name : visa categories : payment, banking workflow : none description : Visa is a global payments technology company facilitating digital payments. wise name : wise categories : payment workflow : none description : Wise is a financial technology company offering international money transfers. productivity [4 items] ────────────────────────────────────────────────────────────────────────── lifehacker name : lifehacker categories : productivity workflow : none description : The Russian edition of the popular productivity and lifestyle advice blog. miro name : miro categories : productivity workflow : none description : A leading online collaborative whiteboarding platform for remote and distributed teams. trello name : trello categories : productivity workflow : none description : Trello is a project management tool based on boards and cards. wondershare name : wondershare categories : productivity workflow : none description : Wondershare develops multimedia and productivity software. protocol [10 items] ────────────────────────────────────────────────────────────────────────── dns_over_quic name : dns over quic categories : protocol workflow : none description : Port based and ALPN signature classification for DNS Over QUIC. dns_over_tls name : dns over tls categories : protocol workflow : none description : Port based and ALPN signature classification for DNS Over TLS. dnscrypt name : dnscrypt categories : protocol workflow : none description : Port based and data signature classification for DNSCrypt. ftps name : ftps categories : protocol, network service, mail workflow : none description : Secured SMTPS. imaps name : imaps categories : protocol, network service, mail workflow : none description : Secured IMAP. nntps name : nntps categories : protocol, network service, mail workflow : none description : Secured NNTP. pop3s name : pop3s categories : protocol, network service, mail workflow : none description : Secured POP3. rtp_over_quic name : rtp over quic categories : protocol workflow : none description : ALPN signature classification for RTP Over QUIC. smtps name : smtps categories : protocol, network service, mail workflow : none description : Secured SMTPS. srtp_over_dtls name : srtp over dtls categories : protocol workflow : none description : SRTP Over DTLS. push [2 items] ────────────────────────────────────────────────────────────────────────── apple_push_notification name : apple push notification categories : push workflow : none description : Apple Push Notification service (APNs) is a cloud-based service provided by Apple that enables third-party developers to send notifications to Apple devices (iPhones, iPads, Macs, Apple Watches, and Apple TVs). urban_airship name : urban airship categories : push, mobile, web workflow : none description : Urban Airship provides mobile engagement and push notification services. railways [1 items] ────────────────────────────────────────────────────────────────────────── rzd name : rzd categories : railways workflow : none description : Russian Railways. The state-owned national railway company of Russia, operating passenger and freight services. real estate [2 items] ────────────────────────────────────────────────────────────────────────── cian name : cian categories : real estate workflow : none description : Cian.ru is Russia's leading online real estate platform, providing residential and commercial real estate sales and rentals. zillow name : zillow categories : real estate workflow : none description : Zillow is an online real estate marketplace. search engine [5 items] ────────────────────────────────────────────────────────────────────────── baidu name : baidu categories : search engine, ai, cloud, ecosystem workflow : none description : Baidu is a Chinese technology company focused on search, AI, and cloud computing. bing name : bing categories : search engine workflow : none description : Bing is a web search engine developed by Microsoft. duckduckgo name : duckduckgo categories : search engine workflow : none description : DuckDuckGo is a privacy-focused search engine and software company that protects user data by not tracking searches or collecting personal information. naver name : naver categories : search engine, media workflow : none description : Naver is a South Korean technology company operating search and digital platforms. shodan name : shodan categories : search engine workflow : none description : Shodan is a search engine for internet-connected devices, including computers, IoT devices, and industrial control systems, that scans and collects data about them. security [21 items] ────────────────────────────────────────────────────────────────────────── acronis name : acronis categories : security, file storage workflow : none description : Acronis provides backup, disaster recovery, and cyber protection solutions. auth0 name : auth0 categories : security workflow : none description : Auth0 is an identity management platform offering authentication and authorization services. avast name : avast categories : security workflow : none description : Avast provides cybersecurity software including antivirus and internet security. bitdefender name : bitdefender categories : security workflow : none description : Bitdefender provides cybersecurity solutions including antivirus and endpoint protection. checkpoint name : checkpoint categories : security workflow : none description : Check Point is a cybersecurity company specializing in network and cloud security. cisco name : cisco categories : security, enterprise workflow : none description : Cisco is a networking technology company providing hardware, software, and security solutions. digicert name : digicert categories : security workflow : none description : DigiCert provides digital certificates and public key infrastructure services. eset name : eset categories : security workflow : none description : ESET provides cybersecurity software including antivirus and endpoint protection. fortinet name : fortinet categories : security workflow : none description : Fortinet provides cybersecurity solutions including firewalls and network protection. kaspersky name : kaspersky categories : security workflow : none description : Kaspersky is a cybersecurity company that develops and sells a range of security products, including antivirus software, for individuals and businesses. malwarebytes name : malwarebytes categories : security workflow : none description : Malwarebytes develops software for malware detection and removal. mcafee name : mcafee categories : security workflow : none description : McAfee provides cybersecurity software for consumer and enterprise protection. microsoft_authentication name : microsoft authentication categories : security workflow : none description : Microsoft Authentication provides identity and access management services. okta name : okta categories : security, enterprise workflow : none description : Okta is an identity and access management platform for enterprises. ring name : ring categories : security workflow : none description : Ring develops smart home security and video doorbell products. sophos name : sophos categories : security workflow : none description : Sophos provides cybersecurity solutions for networks and endpoints. symantec name : symantec categories : security, enterprise workflow : none description : Symantec provides enterprise cybersecurity and threat protection solutions. tor name : tor categories : security workflow : none description : Tor is a privacy-focused network enabling anonymous internet communication. trend_micro name : trend micro categories : security workflow : none description : Trend Micro provides cybersecurity solutions for consumers and enterprises. veeam name : veeam categories : security, file storage, enterprise workflow : none description : Veeam provides backup, recovery, and data protection solutions. zscaler name : zscaler categories : security workflow : none description : Zscaler provides cloud-based security and zero-trust access services. social network [20 items] ────────────────────────────────────────────────────────────────────────── badoo name : badoo categories : social network workflow : none description : Badoo is an online dating-focused and social networking application. bytedance name : bytedance categories : social network, media workflow : none description : ByteDance is a technology company operating global content platforms including TikTok and Toutiao. discord name : discord categories : social network workflow : none description : Discord is a free communication app used by tens of millions of people to talk and hang out with their favorite creators, communities and friends. facebook name : facebook categories : social network workflow : none description : Facebook is a social media and social networking service owned by the American technology conglomerate Meta. hootsuite name : hootsuite categories : social network, advertisement workflow : none description : Hootsuite is a social media management and analytics platform. instagram name : instagram categories : social network workflow : none description : Instagram is a photo and video sharing social networking service owned by Meta Platforms. likee name : likee categories : social network workflow : none description : Likee is a short-video creation and sharing app, available for iOS and Android operating systems. linkedin name : linkedin categories : social network workflow : none description : LinkedIn is the world's largest professional network on the internet. mewe name : mewe categories : social network workflow : none description : MeWe is a social networking platform emphasizing privacy. nextdoor name : nextdoor categories : social network workflow : none description : Nextdoor is a social networking platform for neighbors that connects people in a specific geographical area, such as a town or a city. pinterest name : pinterest categories : social network workflow : none description : Pinterest is a visual discovery engine for finding ideas like recipes, home and style inspiration, and more. reddit name : reddit categories : social network, news workflow : none description : Reddit is an American proprietary social news aggregation and forum social media platform. sharethis name : sharethis categories : social network workflow : none description : ShareThis provides social sharing and audience data services. threads name : threads categories : social network workflow : none description : Threads is a social media app from Instagram developed by Meta, designed for public text-based conversations and sharing short updates. tiktok name : tiktok categories : social network workflow : none description : TikTok is a popular social media app owned by Chinese tech company ByteDance, where users create, share, and discover short-form videos ranging from a few seconds to 10 minutes long. tinder name : tinder categories : social network workflow : none description : Tinder is a popular, location-based mobile dating application that connects users with potential matches based on their profile and proximity. twitch name : twitch categories : social network workflow : none description : Twitch is an interactive livestreaming service for content spanning gaming, entertainment, sports, music, and more. twitter name : twitter categories : social network workflow : none description : Twitter is a social networking service that was rebranded in 2023 to create the social networking service X. vkontakte name : vkontakte categories : social network workflow : none description : VK (VKontakte) is a Russian online social media and social networking service based in Saint Petersburg. youtube name : youtube categories : social network workflow : none description : YouTube is an American social media and online video sharing platform owned by Google. sport [2 items] ────────────────────────────────────────────────────────────────────────── dazn name : dazn categories : sport, media workflow : none description : DAZN is a sports streaming service providing live and on-demand content. eurosport name : eurosport categories : sport, news, media workflow : none description : Eurosport is a European sports media company that runs pay-TV channels and streaming services, offering live broadcasts of major sporting events like Grand Slam tennis, cycling's Grand Tours, and the Olympics. study [7 items] ────────────────────────────────────────────────────────────────────────── coursera name : coursera categories : study workflow : none description : Coursera is an online learning platform featuring many different subjects across an array of learning formats, such as courses, Specializations, Professional Certificates, degrees, and tutorials. duolingo name : duolingo categories : study workflow : none description : Duolingo is a popular, free language-learning platform that offers bite-sized, game-like lessons to help users learn vocabulary, grammar, reading, writing, and speaking skills in over 40 languages through interactive exercises. edx name : edx categories : study workflow : none description : A massive open online course (MOOC) provider created by Harvard and MIT, hosting university-level courses. lingualeo name : lingualeo categories : study workflow : none description : A popular Russian online platform and app for learning English. skyeng name : skyeng categories : study workflow : none description : The largest online English language school in Russia and Eastern Europe. steipk name : steipk categories : study workflow : none description : A Russian online education platform with a wide range of courses, especially strong in programming and data science. udemy name : udemy categories : study workflow : none description : Udemy is a global online learning platform that functions as a marketplace for e-learning. telecom [17 items] ────────────────────────────────────────────────────────────────────────── at_and_t name : at&t categories : telecom, mobile workflow : none description : AT&T is a telecommunications company providing wireless and broadband services. beeline name : beeline categories : telecom, mobile workflow : none description : A key brand of VimpelCom, offering mobile, TV, and internet services across Russia. comcast name : comcast categories : telecom, media workflow : none description : Comcast is a telecommunications company offering internet, cable, and media services. huawei name : huawei categories : telecom, mobile, ecosystem, enterprise workflow : none description : Huawei is a multinational technology company specializing in telecommunications equipment and consumer electronics. megafon name : megafon categories : telecom, mobile workflow : none description : A major Russian telecommunications provider offering mobile, fixed-line, and internet services. optus name : optus categories : telecom, mobile workflow : none description : Optus is an Australian telecommunications provider. sber_mobile name : sber mobile categories : telecom, mobile, mvno workflow : none description : A mobile virtual network operator (MVNO) launched by SberBank, Russia's largest bank, offering telecom services to its customers. sky name : sky categories : telecom, media workflow : none description : Sky is a telecommunications and media company offering TV and broadband services. starhub name : starhub categories : telecom, mobile workflow : none description : StarHub is a telecommunications provider based in Singapore. t_mobile name : t mobile categories : telecom, mobile workflow : none description : T-Mobile is a mobile telecommunications provider. tele2 name : tele2 categories : telecom, mobile workflow : none description : A large, value-focused mobile operator in Russia, known for competitive pricing. telenor name : telenor categories : telecom, mobile workflow : none description : Telenor is a multinational telecommunications company. telia name : telia categories : telecom, mobile workflow : none description : Telia is a Nordic telecommunications and digital services provider. three name : three categories : telecom, mobile workflow : none description : Three is a mobile telecommunications provider. tinkoff_mobile name : tinkoff mobile categories : telecom, mobile, mvno workflow : none description : T-Mobile (formerly Tinkoff Mobile) is a Russian Mobile Virtual Network Operator (MVNO) that is part of the T-Bank (formerly Tinkoff Bank) ecosystem. verizon name : verizon categories : telecom, mobile workflow : none description : Verizon is a telecommunications company providing wireless and internet services. yota name : yota categories : telecom, mobile, mvno workflow : none description : A Russian mobile virtual network operator (MVNO) and internet service provider, often recognized for its 4G/LTE networks. torrent [2 items] ────────────────────────────────────────────────────────────────────────── rutracker name : rutracker categories : torrent workflow : none description : A very large and popular Russian-language BitTorrent tracker and forum. the_pirate_bay name : the pirate bay categories : torrent workflow : none description : The Pirate Bay is an online index for peer-to-peer file sharing. travel [11 items] ────────────────────────────────────────────────────────────────────────── airbnb name : airbnb categories : travel workflow : none description : Airbnb is an American company operating an online marketplace for short-and-long-term homestays, experiences and services in various countries and regions. aviasales name : aviasales categories : travel workflow : none description : Aviasales is a travel metasearch service that helps users find and compare the best prices for flight tickets by aggregating results from numerous airlines and travel agencies. blablacar name : blablacar categories : travel, drive workflow : none description : An international long-distance carpooling and ride-sharing service. booking name : booking categories : travel workflow : none description : Booking.com is a leading online travel platform that connects travelers with accommodations, flights, car rentals, and tours and activities worldwide. kayak name : kayak categories : travel workflow : none description : KAYAK is a travel search engine for flights, hotels, and car rentals. onetwotrip name : onetwotrip categories : travel workflow : none description : A major Russian online travel agency for booking flights, hotels, and other services. ostrovok name : ostrovok categories : travel workflow : none description : Ostrovok is a Russian online travel platform that allows users to book hotels, flights, apartments, and other accommodations worldwide. safetywing name : safetywing categories : travel, insurance workflow : none description : A global insurance company built for remote workers and nomads, offering travel medical insurance. skyscanner name : skyscanner categories : travel workflow : none description : Skyscanner is a global travel search engine that helps users find and compare prices for flights, hotels, and car rentals from various providers to book their trips. sutochno name : sutochno categories : travel workflow : none description : Sutochno.ru is a Russian online short-term rental accommodation booking service offering travelers apartments, houses, cottages, and rooms in Russia and other countries. tripadvisor name : tripadvisor categories : travel workflow : none description : TripAdvisor is a global travel research and booking company that provides a platform for users to find and share reviews for accommodations, restaurants, and activities. update [1 items] ────────────────────────────────────────────────────────────────────────── apple_updates name : apple updates categories : update workflow : none description : Apple Updates is a service provided for installing, restoring, and updating software on Apple devices: iOS, iPadOS, macOS, watchOS, and tvOS. vpn [11 items] ────────────────────────────────────────────────────────────────────────── cyberghostvpn name : cyberghostvpn categories : vpn workflow : none description : CyberGhost VPN provides encrypted VPN services for privacy and security. expressvpn name : expressvpn categories : vpn workflow : none description : ExpressVPN offers VPN services focused on privacy and secure internet access. hotspot_shield name : hotspot shield categories : vpn workflow : none description : Hotspot Shield is a VPN service providing encrypted internet access. icloud_private_relay name : icloud private relay categories : vpn workflow : none description : iCloud Private Relay — part of an iCloud+ subscription — helps protect your privacy when you browse the web in Safari. ivpn name : ivpn categories : vpn workflow : none description : IVPN provides privacy-focused virtual private network services. nordvpn name : nordvpn categories : vpn workflow : none description : NordVPN provides encrypted VPN services for privacy and security. privateinternetaccess name : privateinternetaccess categories : vpn workflow : none description : Private Internet Access is a VPN service focused on privacy and security. proton_vpn name : proton vpn categories : vpn workflow : none description : Proton VPN is a privacy-focused VPN service developed by Proton. surfshark name : surfshark categories : vpn workflow : none description : Surfshark provides VPN and online privacy services. urbanvpn name : urbanvpn categories : vpn workflow : none description : Urban VPN provides free VPN and privacy services. windscribe name : windscribe categories : vpn workflow : none description : Windscribe provides VPN and privacy protection services. web [67 items] ────────────────────────────────────────────────────────────────────────── 1password name : 1password categories : web, security workflow : none description : 1Password is a password manager that creates, stores, and securely manages passwords, financial information, and other sensitive data for individuals, families, and businesses. adobe_fonts name : adobe fonts categories : web workflow : none description : Adobe Fonts is a font subscription service integrated with Adobe Creative Cloud. amp name : amp categories : web workflow : none description : The AMP Project is an open-source initiative to create fast-loading, mobile-friendly web pages using a simplified HTML framework. answers name : answers categories : web, forum workflow : none description : Answers.com is a website that used to serve as a platform for users to ask questions and receive answers on a wide range of topics. bitly name : bitly categories : web workflow : none description : Bitly provides URL shortening and link analytics services. bitwarden name : bitwarden categories : web, security workflow : none description : Bitwarden is an open-source password manager that securely stores login credentials, credit card details, and other sensitive information in an encrypted vault. brave_browser name : brave browser categories : web, security workflow : none description : Brave Browser is a privacy-focused web browser with built-in ad and tracker blocking. bugcrowd name : bugcrowd categories : web, job workflow : none description : A major crowdsourced cybersecurity platform for vulnerability disclosure and bug bounty programs. careem name : careem categories : web, payment workflow : none description : Careem is 'the everything app' for the region, making it easier than ever to move around, order food and groceries, manage payments, and more. chat_ruletka name : chat ruletka categories : web workflow : none description : A globally known online platform for random video chatting with strangers. crunchbase name : crunchbase categories : web, enterprise workflow : none description : A platform for finding business information about private and public companies, focusing on startups and investments. dzen name : dzen categories : web, news workflow : none description : Dzen is a Russian news aggregator. espn name : espn categories : web, sports, news workflow : none description : ESPN is a global multiplatform sports media company, originally an acronym for Entertainment and Sports Programming Network. evernote name : evernote categories : web, productivity workflow : none description : Evernote is a note-taking and organization app that allows users to capture, organize, and find information across devices. firefox name : firefox categories : web workflow : none description : Firefox is an open-source web browser developed by Mozilla. freelancer name : freelancer categories : web, job workflow : none description : A freelancer is a self-employed individual who offers professional services to clients on a contract or project basis, rather than being a full-time employee. glassdoor name : glassdoor categories : web, job workflow : none description : Glassdoor is an American website and service where current and former employees can anonymously review companies, share salary information, and find job listings. godaddy name : godaddy categories : web, dns workflow : none description : GoDaddy provides domain registration and web hosting services. google_marketing_platform name : google marketing platform categories : web, advertisement workflow : none description : Google Marketing Platform, a unified marketing and analytics platform for smarter marketing measurement and better results. It includes: Google Analytics, Google Ads, etc. google_translate name : google translate categories : web workflow : none description : Google Translate is a free service from Google that translates text, speech, and images between over 200 languages. grammarly name : grammarly categories : web workflow : none description : A widely used AI-powered writing assistant that checks grammar, spelling, and style. gravatar name : gravatar categories : web workflow : none description : Gravatar provides globally recognized avatars linked to email addresses. gstatic name : gstatic categories : web workflow : none description : Gstatic is a legitimate Google service that acts as a content delivery network (CDN) to host and quickly deliver static content for Google's services, such as JavaScript, CSS files, and images. hackerone name : hackerone categories : web, job workflow : none description : A leading global cybersecurity platform that connects businesses with penetration testers and ethical hackers. headhunter name : headhunter categories : web, job workflow : none description : HeadHunter Russia, or HeadHunter (hh.ru), is Russia's largest online recruitment platform and one of the world's leading job and employee search sites. imdb name : imdb categories : web workflow : none description : IMDb, which stands for Internet Movie Database, is a comprehensive online database of information about movies, TV shows, video games, and celebrities. imgur name : imgur categories : web, file storage workflow : none description : Imgur is a free online image hosting service that allows users to upload and share photos, GIFs, and other media. indeed name : indeed categories : web, job workflow : none description : Indeed is a multinational employment website that functions as a job search engine and all-in-one hiring platform. kaggle name : kaggle categories : web, job workflow : none description : A global online community and platform for data scientists and machine learning competitions. lastpass name : lastpass categories : web, security workflow : none description : LastPass is a password manager that stores user credentials and sensitive information in an encrypted vault, requiring users to only remember one master password. lets_encrypt name : lets encrypt categories : web workflow : none description : Let's Encrypt is a non-profit organization that provides free, automated, and encrypted TLS certificates to enable HTTPS connections for websites. lucidchart name : lucidchart categories : web workflow : none description : An international cloud-based intelligent diagramming and visualization application. mozilla name : mozilla categories : web workflow : none description : Mozilla is an organization developing open-source internet technologies. namecheap name : namecheap categories : web, dns workflow : none description : Namecheap offers domain registration, hosting, and internet services. notion name : notion categories : web, productivity workflow : none description : Notion is a single workspace that combines note-taking, project management, wikis, and databases into one customizable application. obsidian name : obsidian categories : web, productivity workflow : none description : Obsidian is a note-taking app and personal knowledge base that works by storing your notes in local Markdown files. opera name : opera categories : web workflow : none description : Opera is a web browser offering built-in privacy and productivity features. pubnub name : pubnub categories : web workflow : none description : PubNub provides real-time data streaming and messaging services. quora name : quora categories : web, forum workflow : none description : Quora is a social question-and-answer website where users can ask questions, provide answers, and share knowledge on a wide range of topics. reverso_context name : reverso context categories : web workflow : none description : A translation tool providing translations in context with real-life example sentences. roboform name : roboform categories : web, security workflow : none description : RoboForm is a password manager and form-filling tool that creates, stores, and automatically fills in strong, unique passwords and personal information for websites and apps. speedtest name : speedtest categories : web workflow : none description : SpeedTest is a web service that provides free analysis of Internet access performance metrics, such as connection data rate and latency. squarespace name : squarespace categories : web workflow : none description : Squarespace is a website building and hosting platform. stackexchange name : stackexchange categories : web, forum workflow : none description : Stack Exchange is a network of question-and-answer (Q&A) websites on topics in diverse fields, each site covering a specific topic. stackoverflow name : stackoverflow categories : web, forum workflow : none description : Stack Overflow is a question and answer site for professional and enthusiast programmers. stackshare name : stackshare categories : web workflow : none description : A platform where developers and companies share the software tools and services they use in their tech stacks. toptal name : toptal categories : web, job workflow : none description : An exclusive global network that connects businesses with the top 3% of freelance talent in software development, design, and finance. tradingview name : tradingview categories : web, social network workflow : none description : A social network and charting platform for traders and investors in stocks, forex, and cryptocurrencies. tumblr name : tumblr categories : web, blog, social network workflow : none description : Tumblr is a social media and microblogging platform where users can post multimedia content like photos, text, GIFs, videos, and audio. umeng name : umeng categories : web workflow : none description : Umeng provides mobile analytics and developer services. upwork name : upwork categories : web, job workflow : none description : Upwork is the world's largest online freelancing platform that connects businesses with a global pool of independent professionals, or freelancers, for both short-term and long-term projects. urban_dictionary name : urban dictionary categories : web, knowledge workflow : none description : A crowdsourced online dictionary for slang words and phrases. userreport name : userreport categories : web workflow : none description : UserReport provides website analytics and user feedback tools. vox name : vox categories : web, news workflow : none description : Vox is a general interest news site for the 21st century. Its mission: to help everyone understand our complicated world, so that we can all help shape it. webflow name : webflow categories : web, design, code workflow : none description : Webflow is a visual web design and hosting platform. wikipedia name : wikipedia categories : web, knowledge workflow : none description : Wikipedia is a free, multilingual, online encyclopedia created and maintained by a community of volunteer editors. wix name : wix categories : web, code workflow : none description : Wix is a website building and hosting platform. wordpress name : wordpress categories : web, code workflow : none description : WordPress is an open-source content management system. workday name : workday categories : web, productivity workflow : none description : Workday provides cloud-based finance and human capital management software. yahoo_ads name : yahoo ads categories : web, advertisement workflow : none description : Yahoo Ads is an advertising platform where businesses can display ads across Yahoo's own properties, like its Mail, News, and Sports sites, as well as on other third-party websites, apps, and connected TVs. yandex_api name : yandex api categories : web, api workflow : none description : A Yandex API is a service that provides developers with programmatic access to Yandex's various platforms, such as its search engine, maps, and language models. yandex_mail name : yandex mail categories : web, mail workflow : none description : Yandex Mail is a free email service developed by the Russian technology company Yandex. yandex_marketing_platform name : yandex marketing platform categories : web, advertisement workflow : none description : The set of Yandex digital marketing services: Ads, Metrika, Direct, Webmaster, Audience. yastatic name : yastatic categories : web workflow : none description : Yandex Static is a content delivery network (CDN) operated by Yandex. yelp name : yelp categories : web workflow : none description : Yelp is an online platform for business reviews and recommendations. zapier name : zapier categories : web workflow : none description : Zapier automates workflows by connecting web applications. zhihu name : zhihu categories : web, forum workflow : none description : Zhihu is a Chinese social question and answer site and news aggregator. 7. Performance ──────────────────────────────────────────────────────────────────────────────── test environment ────────────────────────────────────────────────────────────────────────── traffic scheme +--------------+ | DPI Engine | +--------------+ | Worker 0 | +------+-------+ | v +--------------+ | Traffic dump | +--------------+ | RAM DISK | +--------------+ operating system .uname -a Linux sl-dev 6.8.0-100-generic #100-Ubuntu SMP PREEMPT_DYNAMIC Tue Jan 13 16:40:06 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux hardware lscpu -e=CPU,CORE,SOCKET,NODE,ONLINE CPU CORE SOCKET NODE ONLINE 0 0 0 0 yes 1 0 0 0 yes 2 1 0 0 yes 3 1 0 0 yes lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Address sizes: 40 bits physical, 57 bits virtual Byte Order: Little Endian CPU(s): 4 On-line CPU(s) list: 0-3 Vendor ID: GenuineIntel Model name: Intel Xeon Processor (Icelake) CPU family: 6 Model: 106 Thread(s) per core: 2 Core(s) per socket: 2 Socket(s): 1 Stepping: 0 BogoMIPS: 5999.99 Flags: ... Virtualization features: Hypervisor vendor: KVM Virtualization type: full Caches (sum of all): L1d: 128 KiB (4 instances) L1i: 128 KiB (4 instances) L2: 8 MiB (2 instances) L3: 16 MiB (1 instance) NUMA: NUMA node(s): 1 NUMA node0 CPU(s): 0-3 Vulnerabilities: Gather data sampling: Not affected Indirect target selection: Vulnerable Itlb multihit: Not affected L1tf: Not affected Mds: Not affected Meltdown: Not affected Mmio stale data: ... Reg file data sampling: Not affected Retbleed: Not affected Spec rstack overflow: Not affected ... hwinfo --short cpu: Intel Xeon Processor (Icelake), 3000 MHz Intel Xeon Processor (Icelake), 3000 MHz Intel Xeon Processor (Icelake), 3000 MHz Intel Xeon Processor (Icelake), 3000 MHz ... memory: Main Memory ... ram disk df -h /dev/shm test notes * Release build * Mobile traffic * RAM disk usage. pcap dump is placed in `/dev/shm/` to avoid disk read speed limitations * NUMA is not used * Trace is turned off * One worker thread with CPU affinity (CPU pinning) usage * tcmalloc (https://github.com/google/tcmalloc) is used results notes * Hardware characteristics: CPU (Clock Speed, Core, Cache, Vector Processor, etc.), RAM, Type * Allocator library usage tcmalloc (https://github.com/google/tcmalloc) * NUMA memory usage * Packet capturing library * Offload flows on NIC * Trace configuration (State, Journal Levels) * Service configuration (Domain names, IP CIDRs, Cache usage) * Traffic profile * Packet encapsulation benchmark results ────────────────────────────────────────────────────────────────────────── benchmarks are based on the configuration summarised in section 3. test: mobile traffic — no encapsulation ·········································································· flow count : 2,364,140 duration : 118 s (118,967 ms) packet count : 20,000,000 error traces : 0 critical traces : 0 max layer pool usage : no measurement max reassembler pool usage: 25,857 max flow pool usage : 122,858 max session pool usage : pool is turned off max dns cache usage : 12,139 max session cache usage : 0 max ftp cache usage : 0 max sip cache usage : 0 engine performance packets / sec : 168,113.587 pps throughput : 936.979 mbps throughput : 0.936979 gbps total packets : 20,000,000 total bytes : 13,933,720,300 offload performance packets / sec : 168,113.587 pps throughput : 936.979 mbps throughput : 0.936979 gbps test: mobile traffic — gtp-u encapsulation ·········································································· flow count : 2,410,914 duration : 167 s (167,366 ms) packet count : 20,000,000 error traces : 0 critical traces : 0 max layer pool usage : no measurement max reassembler pool usage: 27,910 max flow pool usage : 124,996 max session pool usage : pool is turned off max dns cache usage : 12,139 max session cache usage : 0 max ftp cache usage : 0 max sip cache usage : 0 engine performance packets / sec : 119,498.576 pps throughput : 718.254 mbps throughput : 0.718254 gbps total packets : 20,000,000 total bytes : 15,026,410,500 offload performance packets / sec : 119,498.576 pps throughput : 718.254 mbps throughput : 0.718254 gbps ================================================================================