2. Attributes in Zeek Files

 

FileName Attributes
Broker ts, ty, ev, peer.address, peer.bound_port, message, peer
capture_loss ts, ts_delta, peer, gaps, acks, percent_lost
conn ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, local_resp, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes, community_id, id, tunnel_parents
dhcp ts, uids, client_addr, server_addr, mac, host_name, domain, assigned_addr, lease_time, msg_types, duration, requested_addr, client_port, server_port, client_fqdn, client_message, server_message, client_chaddr
dns ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, trans_id, query, qclass, qclass_name, qtype, qtype_name, rcode, rcode_name, AA, TC, RD, RA, Z, rejected, rtt, answers, TTLs, id, total_answers, total_replies, saw_query, saw_reply
files ts, fuid, tx_hosts, rx_hosts, conn_uids, source, depth, analyzers, mime_type, filename, duration, local_orig, is_orig, seen_bytes, missing_bytes, overflow_bytes, timedout, md5, sha1, total_bytes, sha256, parent_fuid, global file_exists, global lookup_file, global enable_reassembly, global disable_reassembly, global set_reassembly_buffer_size, global set_timeout_interval, global enable_analyzer, global disable_analyzer, global analyzer_enabled, global add_analyzer, tag, args, global remove_analyzer, global stop, global analyzer_name, global describe, type ProtoRegistration, get_file_handle, describe
http ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, trans_depth, method, host, uri, version, user_agent, request_body_len, response_body_len, status_code, status_msg, tags, resp_fuids, resp_mime_types, proxied, id, referrer, origin, info_code, info_msg, username, password, capture_password, range_request
known_services ts, host, port_num, port_proto, service
notice ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, fuid, proto, note, msg, sub, src, dst, p, peer_descr, actions, suppress_for, id, conn, iconn, f, file_mime_type, file_desc, n, peer_name, email_dest, email_body_sections, email_delay_tokens, identifier
ntlm ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, username, hostname, domainname, server_nb_computer_name, server_dns_computer_name, success, ts, uid, id, username, hostname, domainname, server_tree_name, success, done
ntp ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, version, mode, stratum, poll, precision, root_delay, root_disp, ref_id, ref_time, org_time, rec_time, xmt_time, num_exts, id
smb_files ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, action, name, size, times.modified, times.accessed, times.created, times.changed, path
smb_mapping ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, path, share_type
software ts, host, software_type, name, version.major, version.minor, version.minor2, version.minor3, version.addl, unparsed_version, host_p, version, force_log
ssl ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, version, cipher, curve, server_name, resumed, established, ja3, ja3s, next_protocol, cert_chain_fuids, client_cert_chain_fuids, subject, issuer, validation_status, client_subject, client_issuer, id, version_num, session_id, client_ticket_empty_session_seen, client_key_exchange_seen, client_psk_seen, last_alert, analyzer_id, logged, ssl_history
stats ts, peer, mem, pkts_proc, bytes_recv, events_proc, events_queued, active_tcp_conns, active_udp_conns, active_icmp_conns, tcp_conns, udp_conns, icmp_conns, timers, active_timers, files, active_files, dns_requests, active_dns_requests, reassem_tcp_size, reassem_file_size, reassem_frag_size, reassem_unknown_size, pkts_dropped, pkts_link, pkt_lag
syslog ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, facility, severity, message, id
tunnel ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, tunnel_type, action, uid, id
weird ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, name, notice, peer, addl, source, id, conn, identifier
X509 ts, id, certificate.version, certificate.serial, certificate.subject, certificate.issuer, certificate.not_valid_before, certificate.not_valid_after, certificate.key_alg, certificate.sig_alg, certificate.key_type, certificate.key_length, certificate.curve, san.dns, basic_constraints.ca, certificate.exponent, san.uri, fingerprint, certificate, handle, extensions, san, basic_constraints, extensions_cache, host_cert, client_cert, deduplication_index