Export data
Process plugins can export data. Export format of each plugin is described in this section
BSTATS
List of fields exported together with basic flow fields on the interface by BSTATS plugin. The plugin is compiled to export the first BSTATS_MAXELENCOUNT (15 by default) burst in each direction. The bursts are computed separately for each direction. Burst is defined by MINIMAL_PACKETS_IN_BURST (3 by default) and by MAXIMAL_INTERPKT_TIME (1000 ms by default) between packets to be included in a burst. When the flow contains less then MINIMAL_PACKETS_IN_BURST packets, the fields are not exported to reduce output bandwidth.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| SBI_BRST_PACKETS | uint32* | 0/291 | SRC->DST: Number of packets transmitted in ith burst |
| SBI_BRST_BYTES | uint32* | 0/291 | SRC->DST: Number of bytes transmitted in ith burst |
| SBI_BRST_TIME_START | time* | 0/291 | SRC->DST: Start time of the ith burst |
| SBI_BRST_TIME_STOP | time* | 0/291 | SRC->DST: End time of the ith burst |
| DBI_BRST_PACKETS | uint32* | 0/291 | DST->SRC: Number of packets transmitted in ith burst |
| DBI_BRST_BYTES | uint32* | 0/291 | DST->SRC: Number of bytes transmitted in ith burst |
| DBI_BRST_TIME_START | time* | 0/291 | DST->SRC: Start time of the ith burst |
| DBI_BRST_TIME_STOP | time* | 0/291 | DST->SRC: End time of the ith burst |
Basic
Basic unirec fields exported on interface with basic (pseudo) plugin. These fields are also exported on interfaces where HTTP, DNS, SIP and NTP plugins are active.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| DST_MAC | macaddr | 0/80 | destination MAC address |
| SRC_MAC | macaddr | 0/56 | source MAC address |
| DST_IP | ipaddr | 0/12 or 0/28 | destination IP address |
| SRC_IP | ipaddr | 0/8 or 0/27 | source IP address |
| BYTES | uint64 | 0/1 | number of bytes in data flow (src to dst) |
| BYTES_REV | uint64 | 29305/1 | number of bytes in data flow (dst to src) |
| LINK_BIT_FIELD or ODID | uint64 or uint32 | - | exporter identification |
| TIME_FIRST | time | 0/152 | first time stamp |
| TIME_LAST | time | 0/153 | last time stamp |
| PACKETS | uint32 | 0/2 | number of packets in data flow (src to dst) |
| PACKETS_REV | uint32 | 29305/2 | number of packets in data flow (dst to src) |
| DST_PORT | uint16 | 0/11 | transport layer destination port |
| SRC_PORT | uint16 | 0/7 | transport layer source port |
| DIR_BIT_FIELD | uint8 | 0/10 | bit field for determining outgoing/incoming traffic |
| PROTOCOL | uint8 | 0/60 | transport protocol |
| TCP_FLAGS | uint8 | 0/6 | TCP protocol flags (src to dst) |
| TCP_FLAGS_REV | uint8 | 29305/6 | TCP protocol flags (dst to src) |
Basic plus
List of unirec fields exported together with basic flow fields on interface by basicplus plugin. Fields without _REV suffix are fields from source flow. Fields with _REV are from the opposite direction.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| IP_TTL | uint8 | 0/192 | IP TTL field |
| IP_TTL_REV | uint8 | 29305/192 | IP TTL field |
| IP_FLG | uint8 | 0/197 | IP FLAGS |
| IP_FLG_REV | uint8 | 29305/197 | IP FLAGS |
| TCP_WIN | uint16 | 0/186 | TCP window size |
| TCP_WIN_REV | uint16 | 29305/186 | TCP window size |
| TCP_OPT | uint64 | 0/209 | TCP options bitfield |
| TCP_OPT_REV | uint64 | 29305/209 | TCP options bitfield |
| TCP_MSS | uint32 | 8057/900 | TCP maximum segment size |
| TCP_MSS_REV | uint32 | 8057/901 | TCP maximum segment size |
| TCP_SYN_SIZE | uint16 | 8057/902 | TCP SYN packet size |
DNS
List of unirec fields exported together with basic flow fields on interface by DNS plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| DNS_ID | uint16 | 8057/10 | transaction ID |
| DNS_ANSWERS | uint16 | 8057/14 | number of DNS answer records |
| DNS_RCODE | uint8 | 8057/1 | response code field |
| DNS_NAME | string | 8057/2 | question domain name |
| DNS_QTYPE | uint16 | 8057/3 | question type field |
| DNS_CLASS | uint16 | 8057/4 | class field of DNS question |
| DNS_RR_TTL | uint32 | 8057/5 | resource record TTL field |
| DNS_RLENGTH | uint16 | 8057/6 | length of DNS_RDATA |
| DNS_RDATA | bytes | 8057/7 | resource record specific data |
| DNS_PSIZE | uint16 | 8057/8 | requestor's payload size |
| DNS_DO | uint8 | 8057/9 | DNSSEC OK bit |
DNS-SD
List of unirec fields exported together with basic flow fields on interface by DNS-SD plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| DNSSD_QUERIES | string | 8057/826 | list of queries for services |
| DNSSD_RESPONSES | string | 8057/827 | list of advertised services |
Flow Hash
List of fields exported together with basic flow fields on interface by flow_hash plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| FLOW_ID | uint64 | 0/148 | Hash of the flow - unique flow id |
HTTP
List of unirec fields exported together with basic flow fields on interface by HTTP plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| HTTP_DOMAIN | string | 39499/1 | HTTP request host |
| HTTP_URI | string | 39499/2 | HTTP request url |
| HTTP_USERAGENT | string | 39499/20 | HTTP request user agent |
| HTTP_REFERER | string | 39499/3 | HTTP request referer |
| HTTP_STATUS | uint16 | 39499/12 | HTTP response code |
| HTTP_CONTENT_TYPE | string | 39499/10 | HTTP response content type |
| HTTP_METHOD | string | 39499/200 | HTTP request method |
| HTTP_SERVER | string | 39499/201 | HTTP response server |
| HTTP_SET_COOKIE_NAMES | string | 39499/202 | HTTP response all set-cookie names separated by a delimiter |
ICMP
List of fields exported together with basic flow fields on interface by icmp plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| L4_ICMP_TYPE_CODE | uint16 | 0/32 | ICMP type (MSB) and code (LSB) |
IDPContent
List of fields exported together with basic flow fields on the interface by IDPContent plugin. The plugin is compiled to export IDPCONTENT_SIZE (100 by default) bytes from the first data packet in SRC -> DST direction, and the first data packet in DST -> SRC direction.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| IDP_CONTENT | bytes | 8057/850 | Content of first data packet from SRC -> DST |
| IDP_CONTENT_REV | bytes | 8057/851 | Content of first data packet from DST -> SRC |
MPLS
List of fields exported together with basic flow fields on interface by mpls plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| MPLS_TOP_LABEL_STACK_SECTION | bytes | 0/70 | MPLS label section (without TTL), always 3 bytes |
MQTT
List of unirec fields exported together with basic flow fields on interface by MQTT plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| MQTT_TYPE_CUMULATIVE | uint16 | 8057/1033 | types of packets and session present flag cumulative |
| MQTT_VERSION | uint8 | 8057/1034 | MQTT version |
| MQTT_CONNECTION_FLAGS | uint8 | 8057/1035 | last CONNECT packet flags |
| MQTT_KEEP_ALIVE | uint16 | 8057/1036 | last CONNECT keep alive |
| MQTT_CONNECTION_RETURN_CODE | uint8 | 8057/1037 | last CONNECT return code |
| MQTT_PUBLISH_FLAGS | uint8 | 8057/1038 | cumulative of PUBLISH packet flags |
| MQTT_TOPICS | string | 8057/1039 | topics from PUBLISH packets headers |
NTP
List of unirec fields exported together with basic flow fields on interface by NTP plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| NTP_LEAP | uint8 | 8057/18 | NTP leap field |
| NTP_VERSION | uint8 | 8057/19 | NTP message version |
| NTP_MODE | uint8 | 8057/20 | NTP mode field |
| NTP_STRATUM | uint8 | 8057/21 | NTP stratum field |
| NTP_POLL | uint8 | 8057/22 | NTP poll interval |
| NTP_PRECISION | uint8 | 8057/23 | NTP precision field |
| NTP_DELAY | uint32 | 8057/24 | NTP root delay |
| NTP_DISPERSION | uint32 | 8057/25 | NTP root dispersion |
| NTP_REF_ID | string | 8057/26 | NTP reference ID |
| NTP_REF | string | 8057/27 | NTP reference timestamp |
| NTP_ORIG | string | 8057/28 | NTP origin timestamp |
| NTP_RECV | string | 8057/29 | NTP receive timestamp |
| NTP_SENT | string | 8057/30 | NTP transmit timestamp |
NetBIOS
List of fields exported together with basic flow fields on interface by NetBIOS plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| NB_NAME | string | 8057/831 | NetBIOS Name Service name |
| NB_SUFFIX | uint8 | 8057/832 | NetBIOS Name Service suffix |
NetTiSA
List of unirec fields exported together with NetTiSA flow fields on interface by nettisa plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| NTS_MEAN | float | 8057/1020 | The mean of the payload lengths of packets |
| NTS_MIN | uint16 | 8057/1021 | Minimal value from all packet payload lengths |
| NTS_MAX | uint16 | 8057/1022 | Maximum value from all packet payload lengths |
| NTS_STDEV | float | 8057/1023 | Represents a switching ratio between different values of the sequence of observation. |
| NTS_KURTOSIS | float | 8057/1024 | The standard deviation is measure of the variation of data from the mean. |
| NTS_ROOT_MEAN_SQUARE | float | 8057/1025 | The measure of the magnitude of payload lengths of packets. |
| NTS_AVERAGE_DISPERSION | float | 8057/1026 | The average absolute difference between each payload length of packet and the mean value. |
| NTS_MEAN_SCALED_TIME | float | 8057/1027 | The kurtosis is the measure describing the extent to which the tails of a distribution differ from the tails of a normal distribution. |
| NTS_MEAN_DIFFTIMES | float | 8057/1028 | The scaled times is defined as sequence s(t) = t1 − t1 , t2 − t1 , … , tn − t1 . We compute the mean of the value with same method as for feature Mean. |
| NTS_MIN_DIFFTIMES | float | 8057/1029 | The time differences is defined as sequence dt = tj - ti | j = i + 1, i in 1, 2, ... n - 1. We compute the mean of the value with same method as for feature Mean. |
| NTS_MAX_DIFFTIMES | float | 8057/1030 | Minimal value from all time differences, i.e., min space between packets. |
| NTS_TIME_DISTRIBUTION | float | 8057/1031 | Maximum value from all time differences, i.e., max space between packets. |
| NTS_SWITCHING_RATIO | float | 8057/1032 | Describes the distribution of time differences between individual packets. |
OSQUERY
List of unirec fields exported together with basic flow fields on interface by OSQUERY plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| PROGRAM_NAME | string | 8057/852 | The name of the program that handles the connection |
| USERNAME | string | 8057/853 | The name of the user who starts the process |
| OS_NAME | string | 8057/854 | Distribution or product name |
| OS_MAJOR | uint16 | 8057/855 | Major release version |
| OS_MINOR | uint16 | 8057/856 | Minor release version |
| OS_BUILD | string | 8057/857 | Optional build-specific or variant string |
| OS_PLATFORM | string | 8057/858 | OS Platform or ID |
| OS_PLATFORM_LIKE | string | 8057/859 | Closely related platforms |
| OS_ARCH | string | 8057/860 | OS Architecture |
| KERNEL_VERSION | string | 8057/861 | Kernel version |
| SYSTEM_HOSTNAME | string | 8057/862 | Network hostname including domain |
OVPN
List of fields exported together with basic flow fields on interface by OVPN plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| OVPN_CONF_LEVEL | uint8 | 8057/828 | level of confidence that the flow record is an OpenVPN tunnel |
PHISTS
List of fields exported together with basic flow fields on the interface by PHISTS plugin. The plugin exports the histograms of Payload sizes and Inter-Packet-Times for each direction. The histograms bins are scaled logarithmicaly and are shown in following table.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| D_PHISTS_IPT | uint32* | 0/291 | DST->SRC: Histogram of interpacket times |
| D_PHISTS_SIZES | uint32* | 0/291 | DST->SRC: Histogram of packet sizes |
| S_PHISTS_IPT | uint32* | 0/291 | SRC->DST: Histogram of interpacket times |
| S_PHISTS_SIZES | uint32* | 0/291 | SRC->DST: Histogram of packet sizes |
PSTATS
List of unirec fields exported on interface by PSTATS plugin. The plugin is compiled to gather statistics for the first PSTATS_MAXELEMCOUNT (30 by default) packets in the biflow record. Note: the following fields are UniRec arrays (or basicList in IPFIX).
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| PPI_PKT_LENGTHS | uint16* | 0/291 | sizes of the first packets |
| PPI_PKT_TIMES | time* | 0/291 | timestamps of the first packets |
| PPI_PKT_DIRECTIONS | int8* | 0/291 | directions of the first packets |
| PPI_PKT_FLAGS | uint8* | 0/291 | TCP flags for each packet |
PassiveDNS
List of unirec fields exported together with basic flow fields on interface by PassiveDNS plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| DNS_ID | uint16 | 8057/10 | transaction ID |
| DNS_ATYPE | uint8 | 8057/11 | response record type |
| DNS_NAME | string | 8057/2 | question domain name |
| DNS_RR_TTL | uint32 | 8057/5 | resource record TTL field |
QUIC
List of fields exported together with basic flow fields on interface by quic plugin. -with-quic-ch-full-tls-ext enables extraction of all TLS extensions in the Client Hello.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| QUIC_SNI | string | 8057/890 | Decrypted server name |
| QUIC_USER_AGENT | string | 8057/891 | Decrypted user agent |
| QUIC_VERSION | uint32 | 8057/892 | QUIC version from first server long header packets |
| QUIC_CLIENT_VERSION | uint32 | 8057/893 | QUIC version from first client long header packet |
| QUIC_TOKEN_LENGTH | uint64 | 8057/894 | Token length from Initial and Retry packets |
| QUIC_OCCID | bytes | 8057/895 | Source Connection ID from first client packet |
| QUIC_OSCID | bytes | 8057/896 | Destination Connection ID from first client packet |
| QUIC_SCID | bytes | 8057/897 | Source Connection ID from first server packet |
| QUIC_RETRY_SCID | bytes | 8057/898 | Source Connection ID from Retry packet |
| QUIC_MULTIPLEXED | uint8 | 8057/899 | > 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs) |
| QUIC_ZERO_RTT | uint8 | 8057/889 | Number of 0-RTT packets in flow. |
| QUIC_SERVER_PORT | uint16 | 8057/887 | TODO Server Port determined by packet type and TLS message |
| QUIC_PACKETS | uint8* | 0/291 | QUIC long header packet type (v1 encoded), version negotiation, QUIC bit |
| QUIC_CH_PARSED | uint8 | 8057/886 | >0 if TLS Client Hello parsed without errors |
| QUIC_TLS_EXT_TYPE | uint16* | 0/291 | TLS extensions in the TLS Client Hello |
| QUIC_TLS_EXT_LEN | uint16* | 0/291 | Length of each TLS extension |
| QUIC_TLS_EXT | string | 8057/883 | Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension |
RTSP
List of unirec fields exported together with basic flow fields on interface by RTSP plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| RTSP_REQUEST_METHOD | string | 16982/600 | RTSP request method name |
| RTSP_REQUEST_AGENT | string | 16982/601 | RTSP request user agent |
| RTSP_REQUEST_URI | string | 16982/602 | RTSP request URI |
| RTSP_RESPONSE_STATUS_CODE | uint16 | 16982/603 | RTSP response status code |
| RTSP_RESPONSE_SERVER | string | 16982/605 | RTSP response server field |
| RTSP_RESPONSE_CONTENT_TYPE | string | 16982/604 | RTSP response content type |
SIP
List of unirec fields exported together with basic flow fields on interface by SIP plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| SIP_MSG_TYPE | uint16 | 8057/100 | SIP message code |
| SIP_STATUS_CODE | uint16 | 8057/101 | status of the SIP request |
| SIP_CSEQ | string | 8057/108 | CSeq field of SIP packet |
| SIP_CALLING_PARTY | string | 8057/103 | calling party (from) URI |
| SIP_CALLED_PARTY | string | 8057/104 | called party (to) URI |
| SIP_CALL_ID | string | 8057/102 | call ID |
| SIP_USER_AGENT | string | 8057/106 | user agent field of SIP packet |
| SIP_REQUEST_URI | string | 8057/107 | SIP request URI |
| SIP_VIA | string | 8057/105 | via field of SIP packet |
SMTP
List of unirec fields exported on interface by SMTP plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| SMTP_2XX_STAT_CODE_COUNT | uint32 | 8057/816 | number of 2XX status codes |
| SMTP_3XX_STAT_CODE_COUNT | uint32 | 8057/817 | number of 3XX status codes |
| SMTP_4XX_STAT_CODE_COUNT | uint32 | 8057/818 | number of 4XX status codes |
| SMTP_5XX_STAT_CODE_COUNT | uint32 | 8057/819 | number of 5XX status codes |
| SMTP_COMMAND_FLAGS | uint32 | 8057/810 | bit array of commands present |
| SMTP_MAIL_CMD_COUNT | uint32 | 8057/811 | number of MAIL commands |
| SMTP_RCPT_CMD_COUNT | uint32 | 8057/812 | number of RCPT commands |
| SMTP_STAT_CODE_FLAGS | uint32 | 8057/815 | bit array of status codes present |
| SMTP_DOMAIN | string | 8057/820 | domain name of the SMTP client |
| SMTP_FIRST_SENDER | string | 8057/813 | first sender in MAIL command |
| SMTP_FIRST_RECIPIENT | string | 8057/814 | first recipient in RCPT command |
SSADetector
List of fields exported together with basic flow fields on interface by ssadetector plugin. The detector search for the SYN SYN-ACK ACK pattern in packet lengths. Multiple occurrences of this pattern suggest a tunneled connection.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| SSA_CONF_LEVEL | uint8 | 8057/903 | 1 if SSA sequence detected, 0 otherwise |
SSDP
List of unirec fields exported together with basic flow fields on interface by SSDP plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| SSDP_LOCATION_PORT | uint16 | 8057/821 | service port |
| SSDP_NT | string | 8057/824 | list of advertised service urns |
| SSDP_SERVER | string | 8057/822 | server info |
| SSDP_ST | string | 8057/825 | list of queried service urns |
| SSDP_USER_AGENT | string | 8057/823 | list of user agents |
TLS
List of unirec fields exported together with basic flow fields on interface by TLS plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| TLS_SNI | string | 8057/808 | TLS server name indication field from client |
| TLS_ALPN | string | 39499/337 | TLS application protocol layer negotiation field from server |
| TLS_VERSION | uint16 | 39499/333 | TLS client protocol version |
| TLS_JA3 | string | 39499/357 | TLS client JA3 fingerprint |
| TLS_EXT_TYPE | uint16 | 0/291 | TLS extensions in the TLS Client Hello |
| TLS_EXT_LEN | uint16 | 0/291 | Length of each TLS extension |
VLAN
List of fields exported together with basic flow fields on the interface by VLAN plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| VLAN_ID | uint16 | 0/58 | Vlan ID (used in flow key) |
WG
List of fields exported together with basic flow fields on interface by WG plugin.
| Output field | Type | IPFIX Enterprise number/ID | Description |
|---|---|---|---|
| WG_CONF_LEVEL | uint8 | 8057/1100 | level of confidence that the flow record is a WireGuard tunnel |
| WG_SRC_PEER | uint32 | 8057/1101 | ephemeral SRC peer identifier |
| WG_DST_PEER | uint32 | 8057/1102 | ephemeral DST peer identifier |