IANA Protocol Number
The Internet Assigned Numbers Authority (IANA) Protocol Number represents the official registered ID for well-known network protocols. For more information, see RFC 5237 and RFC 7045.
Data Type
Integer (0 to 255)
Aliases
| Use | Alias |
|---|---|
Client Console Full Name | Known Application |
Client Console Short Name | Not applicable |
Web Console Tab/Name | Application |
Elasticsearch Field Name | application/protocolId/serviceName |
Rule Builder Column Name | Protnum |
Regex Pattern | <protnum> |
NetMon Name | Application (remapped by syslog parser) |
Field Relationships
- SIP
- SIPv4
- SIPv6
- SIPv6E
- Origin Hostname
- Origin Hostname or IP
- Origin NAT IP
- DIP
- DIPv4
- DIPv6
- DIPv6E
- Impacted Hostname
- Impacted Hostname or IP
- Impacted NAT IP
- Origin Port
- Origin NAT Port
- Impacted Port
- Impacted NAT Port
- Origin MAC Address
- Impacted MAC Address
- Origin Interface
- Impacted Interface
- Origin Domain
- Impacted Domain
- Origin Login
- Impacted Account
- IANA Protocol Name
Common Applications
- Firewalls
- IDS/IPS
Use Case
Classifying network traffic.
MPE/Data Masking Manipulations
Compares to a list of IANA Protocol Numbers and is shown in Known Application in the Client Console or Application in the Web Console.
Usage Standards
- Do not overload this field. It maps to a table in the SIEM (protocol).
- Only parse IANA Protocol Numbers in this field.
- If both the Protocol Number and Protocol Name are present in a log, parse the Protocol Number.
- For Protocol Names and Numbers, see https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
Examples
- FortiGate
12 12 2016 12:18:55 1.1.1.1 <LOC7:ALRT> date=2016-12-12 time=12:18:55 devname=ABC-DEF-FORTIGATE-02 devid=FG000000000000 logid=042006385 type=utm subtype=ips eventtype=signature level=alert vd=root severity=low srcip=1.1.1.1 srccountry="Reserved" dstip=1.1.1.1 srcintf="WIFI_NETWORK" dstintf="VLAN" policyid=4 sessionid=5156446 action=dropped proto=1 service="PING" attack="Traceroute" icmpid=0x6425 icmptype=0x08 icmpcode=0x00 attackid=12466 profile="IPS_WEB_OUT" ref="http://Host1/ids/VID5555" incidentserialno=5000000000 msg="icmp: Traceroute," crscore=5 crlevel=low
Proto (short for protocol) typically indicates IANA Protocol Numbers or Protocol Names. In this case, proto represents a number. Proto=1 corresponds to ICMP (Ping). For more information, see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
- Cisco Netflow
02 19 2014 06:41:03 NetFlow V9 CONN_ID=- Src=1.1.1.1 SPort=57534 InIfc=4 Dst=1.1.1.1 DPort=8612 OutIfc=9 Prot=17 ICMP_IPV4_TYPE=- ICMP_IPV4_CODE=- XLATE_SRC_ADDR_IPV4=- XLATE_DST_ADDR_IPV4=- XLATE_SRC_PORT=- XLATE_DST_PORT=- FW_EVENT=- FW_EXT_EVENT=- EVENT_TIME_MSEC=- IN_PERMANENT_BYTES=- DETAILS=CONN_ID=1632425523 ICMP_IPV4_TYPE=0 ICMP_IPV4_CODE=0 XLATE_SRC_ADDR_IPV4=1.1.1.1 XLATE_DST_ADDR_IPV4=1.1.1.1 XLATE_SRC_PORT=57534 XLATE_DST_PORT=8612 FW_EVENT=2 FW_EXT_EVENT=2013 EVENT_TIME_MSEC=1392835263526 IN_PERMANENT_BYTES=16 DefaultDevice TemplateID=263
Prot indicates an IANA Protocol Number, corresponding to UDP. For more information, see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.