# Layers

## HTTP / HTTPS

### Rules

Key | Type | Example |
---|---|---|
http.uri | complex | http.uri: |
http.body | complex | http.body: |
http.headers | complex | http.headers: |
http.method | complex | http.method: |
http.proto | complex | http.proto: |
http.tls | bool | false |
**Important**

HTTP being an application protocol, the full packet is assembled from multiple frames and thus does not carry its own transport information. However, the reassembled packet shares its session with the TCP frames it was built from, so you can link them together by looking up the session.

**Note**

HTTPS packets are captured via the web server and are not reassembled: they have their own session and are not linked to the source frames.
### Log data

**Example**

```json
{
  "http": {
    "verb": "POST",
    "proto": "HTTP/1.1",
    "uri": "/",
    "src_port": 51746,
    "dst_host": "127.0.0.1",
    "user_agent": "curl/7.58.0",
    "headers": {
      "Accept": "*/*",
      "Content-Length": "14",
      "Content-Type": "application/x-www-form-urlencoded",
      "User-Agent": "curl/7.58.0"
    },
    "headers_keys": [
      "User-Agent",
      "Accept",
      "Content-Length",
      "Content-Type"
    ],
    "headers_values": [
      "curl/7.58.0",
      "*/*",
      "14",
      "application/x-www-form-urlencoded"
    ],
    "errors": null,
    "body": {
      "content": "Enter my world",
      "base64": "RW50ZXIgbXkgd29ybGQ=",
      "truncated": false
    },
    "is_tls": false
  },
  "ip": null,
  "timestamp": "2020-11-17T21:16:23.847161686+01:00",
  "session": "buq2v5oo4skos28gfp20",
  "type": "http",
  "src_ip": "127.0.0.1",
  "dst_port": 10080,
  "matches": {},
  "inline_matches": [],
  "embedded": {}
}
```
**Info**

The `errors` field contains the error encountered while parsing the request body or the Host field.
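The session lookup described in the Important note, as an added Python example that is not part of the documentation or the project's own code: it reads a constructed JSONL log, indexes the TCP frames by session, and attaches their IP TTL and flags to each reassembled HTTP record, while the HTTPS record (own session, no source frames) comes back with an empty frame list. Field names follow the log format shown above; the trimmed records and the `constructed-tls-session` id are assumptions.

```python
# Added example (not the project's code): correlate reassembled HTTP records
# with the TCP frames of their session. Assumes a JSONL log, one record per line.
import json
from collections import defaultdict

def _frame(ts, flags, content):
    """Constructed TCP frame record, trimmed to the fields used here."""
    return {"type": "tcp", "session": "buq2v5oo4skos28gfp20", "timestamp": ts,
            "ip": {"version": 4, "ttl": 64},
            "tcp": {"flags": flags, "payload": {"content": content, "truncated": False}}}

# Constructed sample: two frames and the HTTP request reassembled from them share
# a session; a TLS request has its own session and no frames (see the Note above).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _frame("2020-11-17T21:16:23.840000000+01:00", "PA", "POST / HTTP/1.1\r\n"),
    _frame("2020-11-17T21:16:23.800000000+01:00", "S", ""),
    {"type": "http", "session": "buq2v5oo4skos28gfp20", "ip": None,
     "timestamp": "2020-11-17T21:16:23.847161686+01:00",
     "http": {"verb": "POST", "uri": "/", "is_tls": False}},
    {"type": "http", "session": "constructed-tls-session", "ip": None,
     "timestamp": "2020-11-17T21:17:00.000000000+01:00",
     "http": {"verb": "GET", "uri": "/login", "is_tls": True}},
])

def frames_by_session(records):
    """Index TCP frames by session id, oldest first (same-format timestamps
    with one UTC offset sort correctly as strings)."""
    index = defaultdict(list)
    for rec in records:
        if rec.get("type") == "tcp":
            index[rec["session"]].append(rec)
    for frames in index.values():
        frames.sort(key=lambda r: r["timestamp"])
    return index

def transport_context(http_record, index):
    """Transport details of a reassembled HTTP record; HTTPS records are
    captured via the web server and have no frames, so ttl is None."""
    frames = index.get(http_record["session"], [])
    return {"is_tls": http_record["http"]["is_tls"],
            "flags_seen": [f["tcp"]["flags"] for f in frames],
            "ttl": frames[0]["ip"]["ttl"] if frames else None}

def link_http_requests(text):
    """Map each HTTP request (verb, uri) in a JSONL log to its session's transport context."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    index = frames_by_session(records)
    return {(r["http"]["verb"], r["http"]["uri"]): transport_context(r, index)
            for r in records if r.get("type") == "http"}
```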
## TCP

### Rules

Key | Type | Example |
---|---|---|
tcp.payload | complex | tcp.payload: |
tcp.flags | flags | tcp.flags: |
tcp.fragbits | flags | tcp.fragbits: |
tcp.dsize | number | tcp.dsize: 1234 |
tcp.seq | number | tcp.seq: 4321 |
tcp.ack | number | tcp.ack: 0 |
tcp.window | number | tcp.window: 512 |
TCP flag values:

Keyword | Name | Value |
---|---|---|
F | FIN | 0x01 |
S | SYN | 0x02 |
R | RST | 0x04 |
P | PSH | 0x08 |
A | ACK | 0x10 |
U | URG | 0x20 |
E | ECE | 0x40 |
C | CWR | 0x80 |
0 | NULL | 0x00 |
TCP fragbits values:

Keyword | Name | Value |
---|---|---|
M | More Fragments | 0x01 |
D | Don't Fragment | 0x02 |
R | Reserved Bit | 0x04 |
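An added Python example (not the project's code) that converts between the flag keywords of the TCP flags table above and the 8-bit flags value of a TCP header, so a rule value such as `PA` can be cross-checked against a header byte from a capture. Decoded strings list keywords in table order, which is how the log example below prints `PA`; treating the NULL keyword `0` as valid only on its own is this example's own rule.

```python
# Added example (not the project's code): encode/decode TCP flag keywords
# from the table above to the flags byte of a TCP header and back.
TCP_FLAGS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08),
             ("A", 0x10), ("U", 0x20), ("E", 0x40), ("C", 0x80)]
NULL_KEYWORD = "0"  # stands for no flags at all (0x00)

def flags_to_int(keywords):
    """Encode a keyword string such as "PA" into the 8-bit flags value.
    The NULL keyword is accepted only by itself (example's own rule)."""
    if keywords == NULL_KEYWORD:
        return 0x00
    lookup = dict(TCP_FLAGS)
    value = 0
    for kw in keywords:
        if kw not in lookup:
            raise ValueError(f"unknown TCP flag keyword {kw!r}")
        value |= lookup[kw]
    return value

def int_to_flags(value):
    """Decode a flags byte into keywords in table order; 0x00 yields "0"."""
    if not 0 <= value <= 0xFF:
        raise ValueError("flags value must fit in one byte")
    keywords = "".join(kw for kw, bit in TCP_FLAGS if value & bit)
    return keywords or NULL_KEYWORD
```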
### Log data

**Example**

```json
{
  "tcp": {
    "window": 512,
    "seq": 1906765553,
    "ack": 2514263732,
    "data_offset": 8,
    "flags": "PA",
    "urgent": 0,
    "payload": {
      "content": "I made a discovery today. I found a computer.\n",
      "base64": "SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=",
      "truncated": false
    }
  },
  "ip": {
    "version": 4,
    "ihl": 5,
    "tos": 0,
    "length": 99,
    "id": 39114,
    "fragbits": "DF",
    "frag_offset": 0,
    "ttl": 64,
    "protocol": 6
  },
  "timestamp": "2020-11-16T15:50:01.277828+01:00",
  "session": "bup9368o4skolf20rt8g",
  "type": "tcp",
  "src_ip": "127.0.0.1",
  "dst_port": 1234,
  "matches": {},
  "inline_matches": [],
  "embedded": {}
}
```
## UDP

### Rules

Key | Type | Example |
---|---|---|
udp.payload | complex | udp.payload: |
udp.checksum | number | udp.checksum: 0xfe37 |
udp.length | number | udp.length: 36 |
udp.dsize | number | udp.dsize: 28 |
**Tip**

`udp.dsize` matches the payload size, while `udp.length` matches the length of the whole UDP datagram.
### Log data

**Example**

```json
{
  "udp": {
    "payload": {
      "content": "I made a discovery today. I found a computer.\n",
      "base64": "SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiBJIGZvdW5kIGEgY29tcHV0ZXIuCg==",
      "truncated": false
    },
    "length": 54,
    "checksum": 65097
  },
  "ip": {
    "version": 4,
    "ihl": 5,
    "tos": 0,
    "length": 74,
    "id": 3230,
    "fragbits": "DF",
    "frag_offset": 0,
    "ttl": 64,
    "protocol": 17
  },
  "timestamp": "2020-11-17T19:02:12.90819+01:00",
  "session": "buq1090o4sktrqnfoe6g",
  "type": "udp",
  "src_ip": "127.0.0.1",
  "dst_port": 1234,
  "matches": {},
  "inline_matches": [],
  "embedded": {}
}
```
## ICMPv4

### Rules

Key | Type | Example |
---|---|---|
icmpv4.payload | complex | icmpv4.payload: |
icmpv4.typecode | number | icmpv4.typecode: 2048 |
icmpv4.type | number | icmpv4.type: 0x8 |
icmpv4.code | number | icmpv4.code: 0 |
icmpv4.seq | number | icmpv4.seq: 1 |
icmpv4.checksum | number | icmpv4.checksum: 0x0416 |
### Log data

**Example**

```json
{
  "icmpv4": {
    "type_code": 2048,
    "type": 8,
    "code": 0,
    "type_code_name": "EchoRequest",
    "checksum": 10240,
    "id": 0,
    "seq": 0,
    "payload": {
      "content": "the world of the electron and the switch",
      "base64": "dGhlIHdvcmxkIG9mIHRoZSBlbGVjdHJvbiBhbmQgdGhlIHN3aXRjaA==",
      "truncated": false
    }
  },
  "ip": {
    "version": 4,
    "ihl": 5,
    "tos": 0,
    "length": 68,
    "id": 1,
    "fragbits": "",
    "frag_offset": 0,
    "ttl": 64,
    "protocol": 1
  },
  "timestamp": "2020-11-18T12:47:25.101191+01:00",
  "session": "n/a",
  "type": "icmpv4",
  "src_ip": "127.0.0.1",
  "dst_port": 0,
  "matches": {},
  "inline_matches": [],
  "embedded": {}
}
```
## ICMPv6

### Rules

Key | Type | Example |
---|---|---|
icmpv6.payload | complex | icmpv6.payload: |
icmpv6.typecode | number | icmpv6.typecode: 32768 |
icmpv6.type | number | icmpv6.type: 0x80 |
icmpv6.code | number | icmpv6.code: 0 |
icmpv6.checksum | number | icmpv6.checksum: 0x275b |
### Log data

**Example**

```json
{
  "icmpv6": {
    "type_code": 32768,
    "type": 128,
    "code": 0,
    "type_code_name": "EchoRequest",
    "checksum": 44947,
    "payload": {
      "content": "\u0000\u0000\u0000\u0000the world of the electron and the switch",
      "base64": "AAAAAHRoZSB3b3JsZCBvZiB0aGUgZWxlY3Ryb24gYW5kIHRoZSBzd2l0Y2g=",
      "truncated": false
    }
  },
  "ip": {
    "version": 6,
    "length": 48,
    "next_header": 58,
    "next_header_name": "ICMPv6",
    "traffic_class": 0,
    "flow_label": 0,
    "hop_limit": 64
  },
  "timestamp": "2020-11-18T12:42:47.461931+01:00",
  "session": "n/a",
  "type": "icmpv6",
  "src_ip": "::1",
  "dst_port": 0,
  "matches": {},
  "inline_matches": [],
  "embedded": {}
}
```