Application Metadata Fields

This table lists the applications supported by the latest release of LogRhythm NetMon. An application can be a website that generates traffic (for example, Google or Gmail) or it can be the underlying protocol of the traffic (for example, IP or TCP).

You can perform in-depth analysis of specific application traffic in the NetMon interface. With this valuable data, you can locate suspicious data transfers, network policy violations, and advanced attacks.

Protocol Name	Long Protocol Name	Attribute Name	Full Attribute Name	Attribute Type	Attribute Description
Internal	Internal	session	Session	string	Session UUID.
Internal	Internal	srcmac	SrcMAC	uint64	Source MAC address.
Internal	Internal	destmac	DestMAC	uint64	Destination MAC address.
Internal	Internal	srcip	SrcIP	uint32	Source IP address.
Internal	Internal	destip	DestIP	uint32	Destination IP address.
Internal	Internal	packetpath	PacketPath	string	Packet path.
Internal	Internal	flowsessioncount	FlowSessionCount	uint32	Flow Session Count.
Internal	Internal	srcport	SrcPort	uint32	Source Port.
Internal	Internal	destport	DestPort	uint32	Destination Port.
Internal	Internal	flowcompleted	FlowCompleted	bool	Flow Completed flag.
Internal	Internal	delay	Delay	string	Delay.
Internal	Internal	protocol	Protocol	uint32	Protocol.
Internal	Internal	totalpackets	TotalPackets	uint64	Total packets in the session.
Internal	Internal	timestart	TimeStart	uint64	Start time of the flow.
Internal	Internal	timeupdated	TimeUpdated	uint64	Time updated.
Internal	Internal	destbytes	DestBytes	uint64	Destination bytes.
Internal	Internal	srcbytes	SrcBytes	uint64	Source bytes.
Internal	Internal	flowtype	FlowType	FlowType	Flow type.
Internal	Internal	packetsdelta	PacketsDelta	uint64	Packets delta between update.
Internal	Internal	timedelta	TimeDelta	uint64	Time delta between update.
Internal	Internal	destbytesdelta	DestBytesDelta	uint64	Destination byte delta between update.
Internal	Internal	srcbytesdelta	SrcBytesDelta	uint64	Source byte delta between update.
Internal	Internal	customapplication	CustomApplication	bytes	Custom Application.
Internal	Internal	flowstate	FlowState	FlowState	Flow State type.
Internal	Internal	captured	Captured	bool	Captured flag.
Internal	Internal	childflownumber	ChildFlowNumber	uint32	Child Flow number.
Internal	Internal	totalbytes	TotalBytes	uint64	Total bytes of the session.
Internal	Internal	totalbytesdelta	TotalBytesDelta	uint64	Total bytes delta between update.
Internal	Internal	application	Application	string	Application.
Internal	Internal	applicationpath	ApplicationPath	string	Application Path.
Internal	Internal	duration	Duration	uint64	Duration of the flow.
Internal	Internal	messagesize	MessageSize	uint64	Size of the DPI message.
Internal	Internal	threadid	ThreadID	uint32	Thread ID.
Internal	Internal	fieldcount	FieldCount	uint64	Total fields in DPI message.
Internal	Internal	debugmessage	DebugMessage	string	Debug message.
Internal	Internal	applicationid	ApplicationID	uint32	Application ID.
Internal	Internal	timeprevious	TimePrevious	uint64	Time Previous.
Internal	Internal	written	Written	bool	Capture written flag.
Internal	Internal	captureremoved	CaptureRemoved	bool	Capture removed flag.
Internal	Internal	srcip6	SrcIP6	uint32	Source IP6 address.
Internal	Internal	destip6	DestIP6	uint32	Destination IP6 address.
Internal	Internal	normalizedsyslogdata	NormalizedSyslogData	string	Normalized Syslog data.
Internal	Internal	timeend	TimeEnd	uint64	Time End.
Internal	Internal	headerwritten	HeaderWritten	bool	Header written flag.
Internal	Internal	connectionestablished	ConnectionEstablished	bool	Connection Established flag.
Internal	Internal	maxrepeatedfieldcount	MaxRepeatedFieldCount	uint32	Maximum number of fields indexed by ElasticSearch.
Internal	Internal	fieldcountindexed	FieldCountIndexed	uint32	Field count indexed by ElasticSearch.
Internal	Internal	emailAttachments	EmailAttachments	EmailAttach	Email attachment structure.
Internal	Internal	customfields	CustomFields	CustomField	Custom Fields.
Internal	Internal	repeatedfieldcount	RepeatedFieldCount	uint64	Total repeated fields in DPI message.
Internal	Internal	flowclassified	FlowClassified	bool	Flow Classified.
Internal	Internal	vlanid	VlanID	uint32	VLAN ID.
Internal	Internal	httpclientcontent	HttpClientContent	bytes	Http Client Content.
Internal	Internal	httpservercontent	HttpServerContent	bytes	Http Server Content.
Internal	Internal	replayed	Replayed	bool	Whether the session was replayed via PCAP.
Internal	Internal	pcapfilename	PcapFilename	string	Name of the PCAP file the session was replayed from.
Internal	Internal	blacklisted	Blacklisted	bool	Whether the session has been blacklisted from further processing and storage.
Internal	Internal	applicationtags	ApplicationTags	string	One or more sub-categories of a flow’s application.
Internal	Internal	applicationfamily	ApplicationFamily	string	Top level categorization of a flow’s application.
Internal	Internal	netmonhostname	NetmonHostname	string	The Network Monitor hostname that processed the flow.
0zz0	0zz0.com	login	loginq_proto_0zz0	bytes	User's login string.
0zz0	0zz0.com	action	actionq_proto_0zz0	bytes	Indicates the action executed by the user.
0zz0	0zz0.com	filename	filenameq_proto_0zz0	bytes	Name of the transferred file.
0zz0	0zz0.com	upload_description	upload_descriptionq_proto_0zz0	bytes	Description of the uploaded file.
0zz0	0zz0.com	email_address	email_addressq_proto_0zz0	bytes	User's email address.
0zz0	0zz0.com	download_url	download_urlq_proto_0zz0	bytes	Link of the downloaded file.
3gpp_li	3GPP LI	version	versionq_proto_3gpp_li	uint32	Version
flashplugin_update	Adobe Flash Plugin Update	new_version	new_versionq_proto_flashplugin_update	bytes	New version number, as returned by Adobe Web Server.
flashplugin_update	Adobe Flash Plugin Update	current_version	current_versionq_proto_flashplugin_update	bytes	Current flash-plugin version number installed on the client.
adobe_update	Adobe Update Manager	component_list_name	component_list_nameq_proto_adobe_update	bytes	Name of a piece of Adobe software we have a new version for.
adobe_update	Adobe Update Manager	component_list_desc	component_list_descq_proto_adobe_update	bytes	Short component update description, including version number.
adobe_update	Adobe Update Manager	component_list_version	component_list_versionq_proto_adobe_update	bytes	Last component version available."
adobe_update	Adobe Update Manager	component_list_url	component_list_urlq_proto_adobe_update	bytes	Component update download link."
adobe_update	Adobe Update Manager	update_manager	update_managerq_proto_adobe_update	bytes	Adobe Update Manager version and identifier.
adobe_update	Adobe Update Manager	product_name	product_nameq_proto_adobe_update	bytes	User's request for a product update.
adobe_update	Adobe Update Manager	action	actionq_proto_adobe_update	bytes	Indicates the action executed by the user.
amqp	Advance Message Queuing Protocol	major_version	major_versionq_proto_amqp	uint32	Major version of the protocol used by the client.
amqp	Advance Message Queuing Protocol	minor_version	minor_versionq_proto_amqp	uint32	Minor version of the protocol used by the client.
amqp	Advance Message Queuing Protocol	response_time	response_timeq_proto_amqp	string	Server response time during the connection procedure.
amqp	Advance Message Queuing Protocol	exchange_type	exchange_typeq_proto_amqp	bytes	Mode of AMQP exchange.
amqp	Advance Message Queuing Protocol	routing_key	routing_keyq_proto_amqp	bytes	Virtual address used to route a message.
amqp	Advance Message Queuing Protocol	correlation_id	correlation_idq_proto_amqp	bytes	Identifier used to correlate the application.
amqp	Advance Message Queuing Protocol	replyto	replytoq_proto_amqp	bytes	Addresse of the reply queue.
adc	Advanced Direct Connect	file_hash	file_hashq_proto_adc	bytes	Hash of the transferred file.
adc	Advanced Direct Connect	filename	filenameq_proto_adc	bytes	Name of the transferred file.
adc	Advanced Direct Connect	client_version	client_versionq_proto_adc	bytes	Name and version of the client used by the peer.
adc	Advanced Direct Connect	query	queryq_proto_adc	bytes	Query sent to find a file.
adc	Advanced Direct Connect	command_code	command_codeq_proto_adc	bytes	Message action, as extracted from the three letters following the message type.
aim_express	AIM express	login	loginq_proto_aim_express	bytes	User's login string.
aim_express	AIM express	message	messageq_proto_aim_express	bytes	Contains the chat message.
aim_express	AIM express	sender	senderq_proto_aim_express	bytes	Contains the identity of the sender of a chat session or a file transfer.
aim_express	AIM express	receiver	receiverq_proto_aim_express	bytes	Contains the identity of the receiver for a chat message or a file transfer.
aim_express	AIM express	chat_id	chat_idq_proto_aim_express	bytes	Window chat id.
aim_express	AIM express	version	versionq_proto_aim_express	bytes	Client version.
aim_express	AIM express	contact_login	contact_loginq_proto_aim_express	bytes	Contact login.
aim_express	AIM express	contact_status	contact_statusq_proto_aim_express	bytes	Contact status.
aim_express	AIM express	client_status	client_statusq_proto_aim_express	bytes	Status of connected user.
aim_transfer	AIM Transfer	filename	filenameq_proto_aim_transfer	bytes	Name of the transferred file.
aim_transfer	AIM Transfer	filename_encoding	filename_encodingq_proto_aim_transfer	bytes	Encoding of the transferred file name.
aim_transfer	AIM Transfer	filesize	filesizeq_proto_aim_transfer	uint32	Size (byte) of the transferred file.
aim	AOL Instant Messenger (formerly OSCAR)	login	loginq_proto_aim	bytes	User's login string.
aim	AOL Instant Messenger (formerly OSCAR)	channel	channelq_proto_aim	bytes	Chat room name.
aim	AOL Instant Messenger (formerly OSCAR)	message	messageq_proto_aim	bytes	Contains the chat message.
aim	AOL Instant Messenger (formerly OSCAR)	sender	senderq_proto_aim	bytes	Contains the identity of the sender of a chat session or a file transfer.
aim	AOL Instant Messenger (formerly OSCAR)	receiver	receiverq_proto_aim	bytes	Contains the identity of the receiver for a chat message or a file transfer.
aim	AOL Instant Messenger (formerly OSCAR)	user_email	user_emailq_proto_aim	bytes	Email Address of an AIN user.
aim	AOL Instant Messenger (formerly OSCAR)	user_agent	user_agentq_proto_aim	bytes	Name of the software used.
aim	AOL Instant Messenger (formerly OSCAR)	client_status	client_statusq_proto_aim	bytes	Status of connected user.
aim	AOL Instant Messenger (formerly OSCAR)	service	serviceq_proto_aim	bytes	Current service identification string.
aim	AOL Instant Messenger (formerly OSCAR)	filename	filenameq_proto_aim	bytes	Name of the transferred file.
aim	AOL Instant Messenger (formerly OSCAR)	filename_encoding	filename_encodingq_proto_aim	bytes	Encoding of the transferred file name.
aim	AOL Instant Messenger (formerly OSCAR)	filesize	filesizeq_proto_aim	uint32	Size (byte) of the transferred file.
aim	AOL Instant Messenger (formerly OSCAR)	version	versionq_proto_aim	bytes	AIM software version.
aim	AOL Instant Messenger (formerly OSCAR)	file_sender	file_senderq_proto_aim	bytes	Contains the identity of the sender of a file transfer.
aim	AOL Instant Messenger (formerly OSCAR)	file_receiver	file_receiverq_proto_aim	bytes	Contains the identity of the receiver for a file transfer.
aim	AOL Instant Messenger (formerly OSCAR)	contact_login	contact_loginq_proto_aim	bytes	Contact login.
aim	AOL Instant Messenger (formerly OSCAR)	contact_status	contact_statusq_proto_aim	bytes	Contact status.
aim	AOL Instant Messenger (formerly OSCAR)	icon_buddy	icon_buddyq_proto_aim	bytes	The contact whose icon was downloaded.
aim	AOL Instant Messenger (formerly OSCAR)	internal_ip_address	internal_ip_addressq_proto_aim	string	Internal IP address of the contact.
aim	AOL Instant Messenger (formerly OSCAR)	external_ip_address	external_ip_addressq_proto_aim	string	External IP address of the contact.
aim	AOL Instant Messenger (formerly OSCAR)	message_raw	message_rawq_proto_aim	bytes	Message raw value.
appstore	Apple App Store	device_type	device_typeq_proto_appstore	bytes	Target device (iPhone, iPod,...).
appstore	Apple App Store	application_name	application_nameq_proto_appstore	bytes	Name of the downloaded app.
facetime	Apple FaceTime	service_duration	service_durationq_proto_facetime	uint32	4 bytes integer value indicating, when the service is ended, the duration of it in seconds
facetime	Apple FaceTime	service_id	service_idq_proto_facetime	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
facetime	Apple FaceTime	service	serviceq_proto_facetime	bytes	Current service identification string.
facetime	Apple FaceTime	service_duration_tv	service_duration_tvq_proto_facetime	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
facetime	Apple FaceTime	service_stats	service_statsq_proto_facetime	bytes	Composite attribute containing the packet metrics used for each new service type detection, extracting when performing STATISTICAL detection method only. Note: this attribute won't be extracted in case of session expiration (eg. when the current service is not ended properly by the user).
afp	Apple Filing Protocol	filename	filenameq_proto_afp	bytes	Name of the transferred file.
afp	Apple Filing Protocol	file_chunk_len	file_chunk_lenq_proto_afp	uint64	Size of the transferred piece.
afp	Apple Filing Protocol	file_chunk_data_offset	file_chunk_data_offsetq_proto_afp	uint64	Offset of the transferred data.
apple_update	Apple Update	pkg_name	pkg_nameq_proto_apple_update	bytes	pkg_name (package name) is the name of the software being updated.
archive	Archive.org	login	loginq_proto_archive	bytes	User's login string.
archive	Archive.org	query_text	query_textq_proto_archive	bytes	Query sent to the search engine.
archive	Archive.org	action	actionq_proto_archive	bytes	Indicates the action executed by the user.
archive	Archive.org	filename	filenameq_proto_archive	bytes	Name of the transferred file.
archive	Archive.org	subject	subjectq_proto_archive	bytes	File subject.
ares	Ares	nickname	nicknameq_proto_ares	bytes	Contains the user identity of the Ares connection.
ares	Ares	query	queryq_proto_ares	bytes	Query sent to find a file.
ares	Ares	file_hash	file_hashq_proto_ares	bytes	Hash of the transferred file.
ares	Ares	peer_info	peer_infoq_proto_ares	uint32	Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.
badongo	Badongo.com	login	loginq_proto_badongo	bytes	User's login string.
badongo	Badongo.com	action	actionq_proto_badongo	bytes	Indicates the action executed by the user.
badongo	Badongo.com	filename	filenameq_proto_badongo	bytes	Name of the transferred file.
badongo	Badongo.com	upload_description	upload_descriptionq_proto_badongo	bytes	Description of the uploaded file.
badoo	Badoo.com	login	loginq_proto_badoo	bytes	User's login string.
badoo	Badoo.com	sender	senderq_proto_badoo	bytes	Contains the identity of the sender of a chat session or a file transfer.
badoo	Badoo.com	receiver	receiverq_proto_badoo	bytes	Contains the identity of the receiver for a chat message or a file transfer.
badoo	Badoo.com	message	messageq_proto_badoo	bytes	Contains the chat message.
badoo	Badoo.com	contact_login	contact_loginq_proto_badoo	bytes	Contact login.
baidu	Baidu.com	query_text	query_textq_proto_baidu	bytes	Query sent to the search engine.
baidu	Baidu.com	query_raw	query_rawq_proto_baidu	bytes	Contains the query sent to the search engine as indicated in the URL.
bebo	Bebo.com	login	loginq_proto_bebo	bytes	User's login string.
bing	Bing.com (formerly MSN Search)	query_raw	query_rawq_proto_bing	bytes	Contains the query sent to the search engine as indicated in the URL.
bing	Bing.com (formerly MSN Search)	query_text	query_textq_proto_bing	bytes	Query sent to the search engine.
bittorrent	BitTorrent	tracker	trackerq_proto_bittorrent	bytes	BitTorrent tracker URL.
bittorrent	BitTorrent	user_agent	user_agentq_proto_bittorrent	bytes	Name of the software used.
bittorrent	BitTorrent	client_version	client_versionq_proto_bittorrent	bytes	Version of the software.
bittorrent	BitTorrent	canceled_chunk_number	canceled_chunk_numberq_proto_bittorrent	uint32	Number of the canceled piece.
bittorrent	BitTorrent	canceled_chunk_length	canceled_chunk_lengthq_proto_bittorrent	uint32	Size of the canceled piece.
bittorrent	BitTorrent	canceled_chunk_data_offset	canceled_chunk_data_offsetq_proto_bittorrent	uint32	Offset of the canceled data.
bittorrent	BitTorrent	file_chunk_number	file_chunk_numberq_proto_bittorrent	uint32	Number of the transferred piece.
bittorrent	BitTorrent	file_chunk_len	file_chunk_lenq_proto_bittorrent	uint32	Size of the transferred piece.
bittorrent	BitTorrent	file_chunk_data_offset	file_chunk_data_offsetq_proto_bittorrent	uint32	Offset of the transferred data.
bittorrent	BitTorrent	torrent_filename	torrent_filenameq_proto_bittorrent	bytes	Name of the torrent file.
bittorrent	BitTorrent	piece_length	piece_lengthq_proto_bittorrent	uint32	Chunk size, for the specified file.
bittorrent	BitTorrent	filename	filenameq_proto_bittorrent	bytes	Name of the transferred file.
bittorrent	BitTorrent	filesize	filesizeq_proto_bittorrent	uint32	Size (byte) of the transferred file.
bittorrent	BitTorrent	peer_share_ip	peer_share_ipq_proto_bittorrent	string	IP address used by a peer to share his files.
bittorrent	BitTorrent	peer_share_id	peer_share_idq_proto_bittorrent	bytes	ID used by a peer to share his files.
bittorrent	BitTorrent	file_completed	file_completedq_proto_bittorrent	bytes	Completed file.
bittorrent	BitTorrent	file_downloaded	file_downloadedq_proto_bittorrent	bytes	Downloaded file.
bittorrent	BitTorrent	file_incomplete	file_incompleteq_proto_bittorrent	bytes	Incomplete file.
bittorrent	BitTorrent	file_left	file_leftq_proto_bittorrent	bytes	Left file.
bittorrent	BitTorrent	file_uploaded	file_uploadedq_proto_bittorrent	bytes	Uploaded file.
bittorrent	BitTorrent	classification_type	classification_typeq_proto_bittorrent	bytes	How the protocol has been classified. Always returns Deterministic" if the port list has not been set."
bittorrent	BitTorrent	peer_info	peer_infoq_proto_bittorrent	uint32	Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.
bgp	Border Gateway Protocol	identifier	identifierq_proto_bgp	string	BGP Identifier of the sender
bgp	Border Gateway Protocol	path_attr_value_local_pref	path_attr_value_local_prefq_proto_bgp	uint32	Local preference value
bgp	Border Gateway Protocol	path_attr_value_as_num	path_attr_value_as_numq_proto_bgp	uint32	As number
bgp	Border Gateway Protocol	path_attr_value_next_hop_ip	path_attr_value_next_hop_ipq_proto_bgp	string	IP address of the next hop
bgp	Border Gateway Protocol	withdrawn_prefix	withdrawn_prefixq_proto_bgp	string	Contains Ip addresses Prefixes
bgp	Border Gateway Protocol	nlri_prefix	nlri_prefixq_proto_bgp	string	Contains IP addresses prefix
bssap	BSS Application Part	timestamp	timestampq_proto_bssap	string	Message timestamp
bssap	BSS Application Part	validity_period	validity_periodq_proto_bssap	bytes	Validity period for the message
bssap	BSS Application Part	imsi_receiver	imsi_receiverq_proto_bssap	bytes	International Mobile Subscriber Identity of the receiver
bssap	BSS Application Part	imei_receiver	imei_receiverq_proto_bssap	bytes	International Mobile Equipment Identity of the receiver
bssap	BSS Application Part	msisdn_receiver	msisdn_receiverq_proto_bssap	bytes	Mobile Subscriber Integrated Services Digital Network Number of the receiver
bssap	BSS Application Part	imsi_sender	imsi_senderq_proto_bssap	bytes	International Mobile Subscriber Identity of the sender
bssap	BSS Application Part	imei_sender	imei_senderq_proto_bssap	bytes	International Mobile Equipment Identity of the sender
bssap	BSS Application Part	msisdn_sender	msisdn_senderq_proto_bssap	bytes	Mobile Subscriber Integrated Services Digital Network Number of the sender
chap	Challenge Handshake Authentication Protocol	challenge_name	challenge_nameq_proto_chap	bytes	Hostname of the peer initiating the authentication process.
chap	Challenge Handshake Authentication Protocol	response_name	response_nameq_proto_chap	bytes	Hostname of the peer responding to challenge.
chap	Challenge Handshake Authentication Protocol	message_type	message_typeq_proto_chap	bytes	Type of message sent.
chrome_update	Chrome Update	new_version	new_versionq_proto_chrome_update	bytes	New version number returned by the server.
chrome_update	Chrome Update	current_version	current_versionq_proto_chrome_update	bytes	Current version installed on the host.
chrome_update	Chrome Update	plugin_id	plugin_idq_proto_chrome_update	bytes	Plugin Id for the updated plugin.
chrome_update	Chrome Update	plugin_new_version	plugin_new_versionq_proto_chrome_update	bytes	New version number returned by the server for the plugin.
chrome_update	Chrome Update	plugin_current_version	plugin_current_versionq_proto_chrome_update	bytes	Plugin version number currently installed.
cip	Common Industrial Protocol	vendor_id	vendor_idq_proto_cip	uint32	Value indentifying the Vendor.
cip	Common Industrial Protocol	ekey_vendor_id	ekey_vendor_idq_proto_cip	uint32	Value indentifying the Vendor in the Electronic Key.
cip	Common Industrial Protocol	ekey_device_type	ekey_device_typeq_proto_cip	uint32	Value indicating the device Type in the Electronic Key.
cip	Common Industrial Protocol	request_path_size	request_path_sizeq_proto_cip	uint32	The number of 16 bit words in the Request_Path field.
cip	Common Industrial Protocol	attr_vendor_id	attr_vendor_idq_proto_cip	uint32	The vendor ID is a unique number assigned to the various vendors of products.
cip	Common Industrial Protocol	attr_device_type	attr_device_typeq_proto_cip	uint32	Identifies the device profile that a particular product is using.
cip	Common Industrial Protocol	attr_product_code	attr_product_codeq_proto_cip	uint32	Identifies a particular product within a device type of an individual vendor.
cip	Common Industrial Protocol	attr_status	attr_statusq_proto_cip	uint32	Represents the current status of the entire device.
cip	Common Industrial Protocol	attr_serial_number	attr_serial_numberq_proto_cip	uint32	Number used in conjunction with the Vendor ID to form a unique identifier for each device on any CIP network.
cip	Common Industrial Protocol	attr_product_name	attr_product_nameq_proto_cip	bytes	Short description of the product/product family represented by the product code. The same product code may have a variety of product name.
cip	Common Industrial Protocol	number_of_services	number_of_servicesq_proto_cip	uint32	Returns the number of services contained whithin CIP message (request and reply).
cip	Common Industrial Protocol	attr_ccv	attr_ccvq_proto_cip	uint32	Value modified each time any nonvolatile attribute is altered. It can be a CRC or a counter for instance. The presence of this attibute among the indentity attributes is optional.
cip	Common Industrial Protocol	path_logical_seg_class_value	path_logical_seg_class_valueq_proto_cip	uint32	Defines Class type of the logical segment (lower byte first).
cups	Common Unix Printer System	printer	printerq_proto_cups	bytes	URI addressing the CUPS printer.
cups	Common Unix Printer System	location	locationq_proto_cups	bytes	Location of the Printer.
cups	Common Unix Printer System	information	informationq_proto_cups	bytes	Information on Printer.
cups	Common Unix Printer System	model	modelq_proto_cups	bytes	Printer model.
pronto	CommuniGate Pronto!	msg_id	msg_idq_proto_pronto	bytes	Identifier of the message.
pronto	CommuniGate Pronto!	msglist_receiver	msglist_receiverq_proto_pronto	bytes	Full address of email receiver in a message list.
pronto	CommuniGate Pronto!	msglist_receiver_email	msglist_receiver_emailq_proto_pronto	bytes	Email address of the email receiver.
pronto	CommuniGate Pronto!	msglist_receiver_alias	msglist_receiver_aliasq_proto_pronto	bytes	Name of email receiver.
pronto	CommuniGate Pronto!	client_status	client_statusq_proto_pronto	bytes	Status of connected user.
pronto	CommuniGate Pronto!	message	messageq_proto_pronto	bytes	Contains the chat message.
pronto	CommuniGate Pronto!	importance	importanceq_proto_pronto	uint32	Indicates if the email has been marked by the user.
pronto	CommuniGate Pronto!	date	dateq_proto_pronto	bytes	Message sending date. Can be extracted on different format depending on the platform (RFC1123 pattern on mobile platform, ISO format for Windows application and webmail).
pronto	CommuniGate Pronto!	sender_email	sender_emailq_proto_pronto	bytes	Email address of the email sender.
pronto	CommuniGate Pronto!	sender_alias	sender_aliasq_proto_pronto	bytes	Name of the email sender.
pronto	CommuniGate Pronto!	msglist_date	msglist_dateq_proto_pronto	bytes	Message date in a message list. Can be extracted on different format depending on the platform.
pronto	CommuniGate Pronto!	msglist_subject	msglist_subjectq_proto_pronto	bytes	Message subject in a message list.
pronto	CommuniGate Pronto!	msglist_sender	msglist_senderq_proto_pronto	bytes	Full address of email sender (alias followed by email address).
pronto	CommuniGate Pronto!	draft	draftq_proto_pronto	uint32	Indicates if the email is a draft or has really been posted
pronto	CommuniGate Pronto!	attach_id	attach_idq_proto_pronto	bytes	Attachment identifier.
pronto	CommuniGate Pronto!	session_id	session_idq_proto_pronto	bytes	Uniquely identifies the current user session.
pronto	CommuniGate Pronto!	codec_name	codec_nameq_proto_pronto	bytes	Name of the codec.
pronto	CommuniGate Pronto!	codec_id	codec_idq_proto_pronto	uint32	Number identifying the codec.
pronto	CommuniGate Pronto!	media_port	media_portq_proto_pronto	uint32	The mentioned UDP port number to be used.
pronto	CommuniGate Pronto!	media_address	media_addressq_proto_pronto	string	The mentioned IPv4 address to be used.
pronto	CommuniGate Pronto!	media_proto	media_protoq_proto_pronto	bytes	Protocol used in client stream.
pronto	CommuniGate Pronto!	media_type	media_typeq_proto_pronto	bytes	Contains the media type.
pronto	CommuniGate Pronto!	caller	callerq_proto_pronto	bytes	Contains the identity (or the phone number) of the initiator of the call.
pronto	CommuniGate Pronto!	callee	calleeq_proto_pronto	bytes	Contains the identity (or the phone number) of the called party for a call.
pronto	CommuniGate Pronto!	call_id	call_idq_proto_pronto	bytes	Call id, extracted for each call.
pronto	CommuniGate Pronto!	version	versionq_proto_pronto	bytes	Server version number.
pronto	CommuniGate Pronto!	msglist_folder	msglist_folderq_proto_pronto	bytes	Indicates the directory from a message list.
pronto	CommuniGate Pronto!	chat_attach_url	chat_attach_urlq_proto_pronto	bytes	TODO
pronto	CommuniGate Pronto!	chat_attach	chat_attachq_proto_pronto	bytes	TODO
pronto	CommuniGate Pronto!	chat_date	chat_dateq_proto_pronto	bytes	Message sending date on ISO format.
pronto	CommuniGate Pronto!	chat_receiver	chat_receiverq_proto_pronto	bytes	Contains the identity of the receiver for a chat message.
pronto	CommuniGate Pronto!	chat_sender	chat_senderq_proto_pronto	bytes	Contains the identity of the sender of a chat message.
pronto	CommuniGate Pronto!	folder	folderq_proto_pronto	bytes	Indicates the directory from where messages are read.
pronto	CommuniGate Pronto!	attach_type	attach_typeq_proto_pronto	bytes	Content type of the sent attached file.
pronto	CommuniGate Pronto!	attach_filename	attach_filenameq_proto_pronto	bytes	Attachment name.
pronto	CommuniGate Pronto!	subject	subjectq_proto_pronto	bytes	Message subject.
pronto	CommuniGate Pronto!	sender	senderq_proto_pronto	bytes	Contains the identity of the sender of a chat session or a file transfer.
pronto	CommuniGate Pronto!	receiver_type	receiver_typeq_proto_pronto	bytes	Type of the email receiver.
pronto	CommuniGate Pronto!	receiver_email	receiver_emailq_proto_pronto	bytes	Email address of message receiver (included cc and bcc receivers).
pronto	CommuniGate Pronto!	receiver_alias	receiver_aliasq_proto_pronto	bytes	Name of email receiver (included cc and bcc receivers).
pronto	CommuniGate Pronto!	receiver	receiverq_proto_pronto	bytes	Full address of email receiver (including cc and bcc receivers).
capwap	Control And Provisioning of Wireless Access Points	bssid	bssidq_proto_capwap	string	EUI-48 MAC address of the radio receiving the packet.
capwap	Control And Provisioning of Wireless Access Points	bssid_64	bssid_64q_proto_capwap	uint64	EUI-64 MAC address of the radio receiving the packet.
dailymotion	Dailymotion.com	login	loginq_proto_dailymotion	bytes	User's login string.
dailymotion	Dailymotion.com	email	emailq_proto_dailymotion	bytes	Parent entry, for fields belonging to the same email.
dailymotion	Dailymotion.com	query_text	query_textq_proto_dailymotion	bytes	Query sent to the search engine.
dailymotion	Dailymotion.com	query_raw	query_rawq_proto_dailymotion	bytes	Contains the query sent to the search engine as indicated in the URL.
dtls	Datagram Transport Layer Security	server_name	server_nameq_proto_dtls	bytes	Domain name mentioned in Client Hello message.
dtls	Datagram Transport Layer Security	common_name	common_nameq_proto_dtls	bytes	Domain name mentioned in the certificate.
dtls	Datagram Transport Layer Security	subject_alt_name	subject_alt_nameq_proto_dtls	bytes	Identifies a list of host names which belong to the same certificate.
dtls	Datagram Transport Layer Security	certificate_issuer_cn	certificate_issuer_cnq_proto_dtls	bytes	Common name of the subject formatted according to RFC 1779.
debian_update	Debian/Ubuntu Update	package_version	package_versionq_proto_debian_update	bytes	Repository packet version.
debian_update	Debian/Ubuntu Update	package_name	package_nameq_proto_debian_update	bytes	Debian packet name.
diameter	Diameter	framed_ip	framed_ipq_proto_diameter	bytes	IP address.
diameter	Diameter	acct_record_number	acct_record_numberq_proto_diameter	uint32	Unique identifier for one record within a session
diameter	Diameter	acct_record_type	acct_record_typeq_proto_diameter	uint32	Record type
diameter	Diameter	acct_output_octets	acct_output_octetsq_proto_diameter	uint64	Indicates how many octets have been sent to the port in the course of delivering this service
diameter	Diameter	acct_input_octets	acct_input_octetsq_proto_diameter	uint64	Indicates how many octets have been received from the port over the course of this service being provided
diameter	Diameter	acct_sub_session_id	acct_sub_session_idq_proto_diameter	uint64	Sub-session identifier
diameter	Diameter	acct_multi_session_id	acct_multi_session_idq_proto_diameter	bytes	Link between multiple accounting sessions
diameter	Diameter	acct_session_id	acct_session_idq_proto_diameter	bytes	Accounting session ID.
diameter	Diameter	terminate_cause	terminate_causeq_proto_diameter	uint32	This attribute indicates how the session was terminated
diameter	Diameter	destination_host	destination_hostq_proto_diameter	bytes	Destination Diameter host for the current message
diameter	Diameter	auth_request_type	auth_request_typeq_proto_diameter	uint32	Requested authentication type
diameter	Diameter	result_code	result_codeq_proto_diameter	uint32	Indicates whether a particular Diameter request was completed successfully not
diameter	Diameter	origin_host	origin_hostq_proto_diameter	bytes	Source Diameter host for the current message
diameter	Diameter	session_id	session_idq_proto_diameter	bytes	Uniquely identifies the current user session.
diameter	Diameter	calling_station_id	calling_station_idq_proto_diameter	bytes	Client id.
diameter	Diameter	called_station_id	called_station_idq_proto_diameter	bytes	The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology.
diameter	Diameter	nas_port	nas_portq_proto_diameter	uint32	Physical port number of the user on the NAS
diameter	Diameter	nas_port_type	nas_port_typeq_proto_diameter	uint32	Indicates the type of the physical port of the NAS that is authenticating the user.
diameter	Diameter	nas_port_id	nas_port_idq_proto_diameter	bytes	Indicates the physical port number of the NAS that is authenticating the user.
diameter	Diameter	nas_ip	nas_ipq_proto_diameter	bytes	IP address of the NAS originating the Access-Request
diameter	Diameter	nas_id	nas_idq_proto_diameter	bytes	Unique identifier of the NAS originating the Access-Request
diameter	Diameter	login	loginq_proto_diameter	bytes	User's login string.
diameter	Diameter	end_to_end_id	end_to_end_idq_proto_diameter	uint32	Used to detect duplicate messages
diameter	Diameter	hop_by_hop_id	hop_by_hop_idq_proto_diameter	uint32	Used to match Diameter request and reply messages
diameter	Diameter	application_id	application_idq_proto_diameter	uint32	Identify which application the message is applicable for
diameter	Diameter	command_code	command_codeq_proto_diameter	uint32	Command associated with the Diameter request
diameter	Diameter	processing_anomaly_attr	processing_anomaly_attrq_proto_diameter	uint32	Gives an attribute ID, or an attribute structure (parent attribute ID), not extracted because of the anomaly.
diameter	Diameter	processing_anomaly_type	processing_anomaly_typeq_proto_diameter	bytes	Defines the category of the anomaly.
diameter	Diameter	avp_code	avp_codeq_proto_diameter	uint32	AVP code (cf. IANA).
dicom	DICOM	pdu_data_pdv_len	pdu_data_pdv_lenq_proto_dicom	uint32	Length of data contained in a PDV.
dicom	DICOM	pdu_data_pdv_elem_tag_gn	pdu_data_pdv_elem_tag_gnq_proto_dicom	uint32	The Tag of an Element describes the nature of data. This attribute is the Group Number part of the tag, basically first 16 bits, see section 7.1.1 Data Element Fields in part dicom_vr_part05.pdf.
dicom	DICOM	pdu_data_pdv_elem_tag_en	pdu_data_pdv_elem_tag_enq_proto_dicom	uint32	The Tag of an Element describes the nature of data. This attribute is the Element Number part of the tag, basically second 16 bits, see section 7.1.1 Data Element Fields in part dicom_vr_part05.pdf.
dicom	DICOM	pdu_data_pdv_elem_tag_raw	pdu_data_pdv_elem_tag_rawq_proto_dicom	uint32	The Tag of an Element describes the nature of data. This attribute is the raw value of the TAG including the Group Number and Element Number.
dicom	DICOM	pdu_data_pdv_elem_keyword	pdu_data_pdv_elem_keywordq_proto_dicom	bytes	Translation of the Tag in human readable format as described in dicom_pdv_part07.pdf.
dicom	DICOM	pdu_data_pdv_elem_vr	pdu_data_pdv_elem_vrq_proto_dicom	bytes	VR (Value Representation) of the Elememt.
dicom	DICOM	pdu_data_pdv_elem_len	pdu_data_pdv_elem_lenq_proto_dicom	uint32	Length of the Element
dicom	DICOM	pdu_data_pdv_elem_val_ae	pdu_data_pdv_elem_val_aeq_proto_dicom	bytes	Value Representation for Application Entity (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_as	pdu_data_pdv_elem_val_asq_proto_dicom	bytes	Value Representation for Age String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_cs	pdu_data_pdv_elem_val_csq_proto_dicom	bytes	Value Representation for Code String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_da	pdu_data_pdv_elem_val_daq_proto_dicom	bytes	Value Representation for Date (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_ds	pdu_data_pdv_elem_val_dsq_proto_dicom	bytes	Value Representation for Decimal String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_dt	pdu_data_pdv_elem_val_dtq_proto_dicom	bytes	Value Representation for Date Time (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_is	pdu_data_pdv_elem_val_isq_proto_dicom	bytes	Value Representation for Integer String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_lo	pdu_data_pdv_elem_val_loq_proto_dicom	bytes	Value Representation for Long String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_lt	pdu_data_pdv_elem_val_ltq_proto_dicom	bytes	Value Representation for Long Text (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_pn	pdu_data_pdv_elem_val_pnq_proto_dicom	bytes	Value Representation for Person Name (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_sh	pdu_data_pdv_elem_val_shq_proto_dicom	bytes	Value Representation for Short String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_ss	pdu_data_pdv_elem_val_ssq_proto_dicom	uint32	Value Representation for Signed Short (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as signed short.
dicom	DICOM	pdu_data_pdv_elem_val_st	pdu_data_pdv_elem_val_stq_proto_dicom	bytes	Value Representation for Short Text (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_tm	pdu_data_pdv_elem_val_tmq_proto_dicom	bytes	Value Representation for Time (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_uc	pdu_data_pdv_elem_val_ucq_proto_dicom	bytes	Value Representation for Unlimited Characters (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_ui	pdu_data_pdv_elem_val_uiq_proto_dicom	bytes	Value Representation for Unique Identifier (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_ul	pdu_data_pdv_elem_val_ulq_proto_dicom	uint32	Value Representation for Unsigned Long (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as unsigned long.
dicom	DICOM	pdu_data_pdv_elem_val_ur	pdu_data_pdv_elem_val_urq_proto_dicom	bytes	Value Representation for Universal Resource (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
dicom	DICOM	pdu_data_pdv_elem_val_us	pdu_data_pdv_elem_val_usq_proto_dicom	uint32	Value Representation for Unsigned Short (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as unsigned short.
dicom	DICOM	pdu_data_pdv_elem_val_ut	pdu_data_pdv_elem_val_utq_proto_dicom	bytes	Value Representation for Unlimited Text (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.
directconnect	DirectConnect (NMDC)	login	loginq_proto_directconnect	bytes	User's login string.
directconnect	DirectConnect (NMDC)	query	queryq_proto_directconnect	bytes	Query sent to find a file.
directconnect	DirectConnect (NMDC)	query_way	query_wayq_proto_directconnect	bytes	Way of the query.
directconnect	DirectConnect (NMDC)	sr_filename	sr_filenameq_proto_directconnect	bytes	The name of a file returned by a search query.
directconnect	DirectConnect (NMDC)	sr_filesize	sr_filesizeq_proto_directconnect	bytes	The size of a file returned by a search query.
directconnect	DirectConnect (NMDC)	sr_filehash	sr_filehashq_proto_directconnect	bytes	The hash of a file returned by a search query.
directconnect	DirectConnect (NMDC)	file_hash	file_hashq_proto_directconnect	bytes	Hash of the transferred file.
directconnect	DirectConnect (NMDC)	file_is_compressed	file_is_compressedq_proto_directconnect	uint32	Tells whether a file is compressed or not.
directconnect	DirectConnect (NMDC)	file_compression_type	file_compression_typeq_proto_directconnect	bytes	Tells the compression type.
directconnect	DirectConnect (NMDC)	file_chunk_data_offset	file_chunk_data_offsetq_proto_directconnect	uint32	Offset of the transferred data.
directconnect	DirectConnect (NMDC)	file_chunk_len	file_chunk_lenq_proto_directconnect	uint32	Size of the transferred piece.
directconnect	DirectConnect (NMDC)	peer_info	peer_infoq_proto_directconnect	uint32	Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.
dcerpc	Distributed Computing Environment - Remote Procedure Call	service	serviceq_proto_dcerpc	bytes	Current service identification string.
dcerpc	Distributed Computing Environment - Remote Procedure Call	interface_uuid	interface_uuidq_proto_dcerpc	bytes	ID of the interface.
dcerpc	Distributed Computing Environment - Remote Procedure Call	call_id	call_idq_proto_dcerpc	uint32	ID of the call.
dcerpc	Distributed Computing Environment - Remote Procedure Call	ntlm_domain	ntlm_domainq_proto_dcerpc	bytes	Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
dcerpc	Distributed Computing Environment - Remote Procedure Call	ntlm_user	ntlm_userq_proto_dcerpc	bytes	User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
dcerpc	Distributed Computing Environment - Remote Procedure Call	ntlm_workstation	ntlm_workstationq_proto_dcerpc	bytes	Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
dcerpc	Distributed Computing Environment - Remote Procedure Call	ntlm_identifier	ntlm_identifierq_proto_dcerpc	bytes	NTLM protocol Signature (null-terminated string).
dcerpc	Distributed Computing Environment - Remote Procedure Call	ntlm_message_type	ntlm_message_typeq_proto_dcerpc	uint32	NTLM message type.
dcerpc	Distributed Computing Environment - Remote Procedure Call	length	lengthq_proto_dcerpc	uint32	Packet length. (only when over UDP)
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_address_string_binding_tower_id	orpc_address_string_binding_tower_idq_proto_dcerpc	uint32	A numeric value that uniquely identifies an RPC transport protocol.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_major_version	orpc_major_versionq_proto_dcerpc	uint32	DCOM Remote Protocol major version.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_minor_version	orpc_minor_versionq_proto_dcerpc	uint32	DCOM Remote Protocol minor version.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_stdobjref_oxid	orpc_stdobjref_oxidq_proto_dcerpc	uint64	object exporter identifier (OXID): A 64-bit number that uniquely identifies an object exporter within an object server provided by a STANDARD OBJREF (STDOBJREF). This attribute is only extracted for these <UUID, opnum> couples: <00000143-0000-0000-c000-000000000046, 3>, <000001a0-0000-0000-c000-000000000046, 4>.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_stdobjref_oid	orpc_stdobjref_oidq_proto_dcerpc	uint64	A 64-bit number that uniquely identifies an object server provided by a STANDARD OBJREF (STDOBJREF). This attribute is only extracted for these <UUID, opnum> couples: <00000143-0000-0000-c000-000000000046, 3>, <000001a0-0000-0000-c000-000000000046, 4>.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_stdobjref_ipid	orpc_stdobjref_ipidq_proto_dcerpc	bytes	A 128-bit number that uniquely identifies an interface on an object within an object exporter, provided by a STANDARD OBJREF (STDOBJREF)). This attribute is only extracted for these <UUID, opnum> couples: <00000143-0000-0000-c000-000000000046, 3>, <000001a0-0000-0000-c000-000000000046, 4>.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_objref_custom_clsid	orpc_objref_custom_clsidq_proto_dcerpc	bytes	The CLSID type specifies a CLSID for a GUID that identifies an object class, this attribute is extracted from a OBJREF_CUSTOM.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_objref_iid	orpc_objref_iidq_proto_dcerpc	bytes	A 64-bit attribute which specifies the IID of the COM interface pointed to by an interface pointer.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_cid	orpc_cidq_proto_dcerpc	bytes	A UUID that is passed as part of an ORPC call to identify a chain of calls that are causally related.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_objref_custom_act_prop_in_info_obj_clsid	orpc_objref_custom_act_prop_in_info_obj_clsidq_proto_dcerpc	bytes	Class ID (UUID) of the remotely instantiated object by the client in string format.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_objref_custom_act_prop_in_info_itf_count	orpc_objref_custom_act_prop_in_info_itf_countq_proto_dcerpc	uint32	Number of interfaces UUID listed to access instantiated object.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_objref_custom_act_prop_in_info_itf_id	orpc_objref_custom_act_prop_in_info_itf_idq_proto_dcerpc	bytes	Interface UUID of an instantiated object in string format.
dcerpc	Distributed Computing Environment - Remote Procedure Call	item_context_id	item_context_idq_proto_dcerpc	uint32	Index of the current context item
dcerpc	Distributed Computing Environment - Remote Procedure Call	abstract_itf_uuid	abstract_itf_uuidq_proto_dcerpc	bytes	Interface UUID allowing to identify RPC interface to call.
dcerpc	Distributed Computing Environment - Remote Procedure Call	abstract_itf_version	abstract_itf_versionq_proto_dcerpc	uint32	Version number of interface to call. It is defined on 32 bits.
dcerpc	Distributed Computing Environment - Remote Procedure Call	transfer_itf_uuid	transfer_itf_uuidq_proto_dcerpc	bytes	Interface UUID allowing to identify RPC interface to get reply.
dcerpc	Distributed Computing Environment - Remote Procedure Call	transfer_itf_version	transfer_itf_versionq_proto_dcerpc	uint32	Version number of interface to get reply. It is defined on 32 bits.
dcerpc	Distributed Computing Environment - Remote Procedure Call	result_ack_result	result_ack_resultq_proto_dcerpc	uint32	Negociation result of the given presentation transfer syntax (0 stands for Acceptance).
dcerpc	Distributed Computing Environment - Remote Procedure Call	result_ack_reason	result_ack_reasonq_proto_dcerpc	uint32	Reason detailing non acceptance of the given transfer syntax, usually set to 0 when transfer syntax is accepted (Q_DCERPC_RESULT_ACK == 0)
dcerpc	Distributed Computing Environment - Remote Procedure Call	result_transfer_syntax_uuid	result_transfer_syntax_uuidq_proto_dcerpc	bytes	UUID of selected transfer syntax, 0 stands for transfer syntax is not selected"."
dcerpc	Distributed Computing Environment - Remote Procedure Call	result_transfer_syntax_version	result_transfer_syntax_versionq_proto_dcerpc	uint32	Version of selected transfer syntax, usually also set to 0 when UUID is 0.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_address_security_binding_sec_provider	orpc_address_security_binding_sec_providerq_proto_dcerpc	uint32	Defines type of security provider, known values defined at 'https://docs.microsoft.com/en-us/windows/desktop/com/com-authentication-service-constants', 'https://msdn.microsoft.com/en-us/library/cc243578.aspx'.
dcerpc	Distributed Computing Environment - Remote Procedure Call	orpc_address_security_binding_princ_name	orpc_address_security_binding_princ_nameq_proto_dcerpc	bytes	Defines the service name used by client for authentication, this attribute is a null-terminated Unicode string and it is optional. This field not present if security provider is RPC_C_AUTHN_NONE (see https://msdn.microsoft.com/en-us/library/cc226839.aspx).
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_item_context_id	ac_item_context_idq_proto_dcerpc	uint32	Index of the current context item.
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_abstract_itf_uuid	ac_abstract_itf_uuidq_proto_dcerpc	bytes	Interface UUID allowing to identify RPC interface to call.
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_abstract_itf_version	ac_abstract_itf_versionq_proto_dcerpc	uint32	Version number of interface to call. It is defined on 32 bits.
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_transfer_itf_uuid	ac_transfer_itf_uuidq_proto_dcerpc	bytes	Interface UUID allowing to identify RPC interface to get reply.
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_transfer_itf_version	ac_transfer_itf_versionq_proto_dcerpc	uint32	Version number of interface to get reply.
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_result_ack_result	ac_result_ack_resultq_proto_dcerpc	uint32	Negotiation result of the given presentation transfer syntax (0x00 stands for Acceptance, 0x03 is specific to Microsoft implementation of DCERPC).
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_result_ack_reason	ac_result_ack_reasonq_proto_dcerpc	uint32	Reason detailing non acceptance of the given transfer syntax, usually set to 0 when transfer syntax is accepted (Q_DCERPC_RESULT_ACK == 0). This attribute is not raised if Q_DCERPC_RESULT_ACK does not match either 0, 1, 2.
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_result_transfer_syntax_uuid	ac_result_transfer_syntax_uuidq_proto_dcerpc	bytes	UUID of selected transfer syntax, 0 stands for transfer syntax is not selected"."
dcerpc	Distributed Computing Environment - Remote Procedure Call	ac_result_transfer_syntax_version	ac_result_transfer_syntax_versionq_proto_dcerpc	uint32	Version of selected transfer syntax, usually also set to 0 when UUID is 0.
dcerpc	Distributed Computing Environment - Remote Procedure Call	rtt_tv	rtt_tvq_proto_dcerpc	string	Time between request and response expressed in a timeval.
dcerpc	Distributed Computing Environment - Remote Procedure Call	secondary_addr	secondary_addrq_proto_dcerpc	bytes	Secondary address is an alternative for subsequent transport connection requests to establish concurrent session to the server
dnp3	Distributed Network Protocol	dl_start_sync	dl_start_syncq_proto_dnp3	uint32	Header start magic field.
dnp3	Distributed Network Protocol	dl_dest	dl_destq_proto_dnp3	uint32	Destination address of the frame.
dnp3	Distributed Network Protocol	dl_src	dl_srcq_proto_dnp3	uint32	Source address of the frame.
dnp3	Distributed Network Protocol	dl_crc	dl_crcq_proto_dnp3	uint32	CRC Checksum field.
dnp3	Distributed Network Protocol	al_obj_type_field	al_obj_type_fieldq_proto_dnp3	uint32	First object type in the application layer control field. Only the first object is handled. This attribute is not raised in case of fragmented DNP3 application data.
dns	Domain Name Service	query	queryq_proto_dns	bytes	DNS Query sent.
dns	Domain Name Service	qdcount	qdcountq_proto_dns	uint32	Number of queries.
dns	Domain Name Service	ancount	ancountq_proto_dns	uint32	Number of answers.
dns	Domain Name Service	nscount	nscountq_proto_dns	uint32	Number of answers in the 'authority' section.
dns	Domain Name Service	arcount	arcountq_proto_dns	uint32	Number of additional answers.
dns	Domain Name Service	transaction_id	transaction_idq_proto_dns	uint32	DNS unique transaction ID.
dns	Domain Name Service	name	nameq_proto_dns	bytes	Name of the request
dns	Domain Name Service	host	hostq_proto_dns	bytes	Host name
dns	Domain Name Service	host_addr	host_addrq_proto_dns	string	IPV4 Host address
dns	Domain Name Service	reverse_addr	reverse_addrq_proto_dns	string	IP address returned to the PTR request.
dns	Domain Name Service	response_time	response_timeq_proto_dns	string	Elapsed time between sending of the dns request and reception of its response.
dns	Domain Name Service	ttl	ttlq_proto_dns	uint32	Time (in seconds) a DNS information returned by the server will be kept in cache.
dns	Domain Name Service	section_type	section_typeq_proto_dns	bytes	Type of section for each DNS answer.
dns	Domain Name Service	flags	flagsq_proto_dns	uint32	16-bit representation of some DNS header flags. These fields are described in RFC 1035 section 4.1.1 Header section format" and are the following: QA, Opcode, AA, TC, RD, RA, Z, RCODE."
dns	Domain Name Service	dns_query	dns_queryq_proto_dns	bool	DNS query.
dns	Domain Name Service	opcode	opcodeq_proto_dns	uint32	A four bit field that specifies kind of query in this message. This value is set by the originator of a query and copied into the response.
dns	Domain Name Service	class	classq_proto_dns	uint32	DNS query class
dns	Domain Name Service	host_class	host_classq_proto_dns	uint32	DNS response class
dns	Domain Name Service	web_application_info	web_application_infoq_proto_dns	uint32	Structure containing metadata for classification of known HTTP/HTTPS based web applications. These metadata are based on Type A (IPv4) DNS responses returned from the server. The ul3l4_addr_t structure contains the web application protocol path, classified using the requested host name, and the IPv4 address resolved by the server. The extraction of this attribute can be produced on DNS requests instead of being produced on DNS responses, if the prototune query_base_web_application_info is set to 1. In this case the IPv4 address information is not relevant.
dns	Domain Name Service	krb5_message_type	krb5_message_typeq_proto_dns	uint32	Message type.
dns	Domain Name Service	krb5_service	krb5_serviceq_proto_dns	bytes	Service type.
dns	Domain Name Service	krb5_server	krb5_serverq_proto_dns	bytes	Name of the server requiring Kerberos authentication.
dns	Domain Name Service	krb5_enc_data_type	krb5_enc_data_typeq_proto_dns	uint32	Indicates type of Encrypted data (hash) sent in the AS-RQ message.
dns	Domain Name Service	krb5_pa_data_type	krb5_pa_data_typeq_proto_dns	uint32	PA-DATA type.
dns	Domain Name Service	krb5_ticket_name_type	krb5_ticket_name_typeq_proto_dns	uint32	Ticket name-type.
dns	Domain Name Service	krb5_ticket_name	krb5_ticket_nameq_proto_dns	bytes	Ticket name component.
dns	Domain Name Service	krb5_realm	krb5_realmq_proto_dns	bytes	Realm in KRB-ERROR message.
dns	Domain Name Service	krb5_err_crealm	krb5_err_crealmq_proto_dns	bytes	Realm in KRB-ERROR message.
dns	Domain Name Service	krb5_err_realm	krb5_err_realmq_proto_dns	bytes	Correct realm in KRB-ERROR message.
dns	Domain Name Service	krb5_err_cname_type	krb5_err_cname_typeq_proto_dns	uint32	KRB-ERROR cname type.
dns	Domain Name Service	krb5_err_cname_name	krb5_err_cname_nameq_proto_dns	bytes	KRB-ERROR message cname component.
dns	Domain Name Service	krb5_err_sname_type	krb5_err_sname_typeq_proto_dns	uint32	KRB-ERROR message server sname type.
dns	Domain Name Service	krb5_err_sname_name	krb5_err_sname_nameq_proto_dns	bytes	KRB-ERROR message server sname component.
dns	Domain Name Service	krb5_err_text	krb5_err_textq_proto_dns	bytes	KRB-ERROR message error description.
dns	Domain Name Service	dnssec_rrsig_signer_name	dnssec_rrsig_signer_nameq_proto_dns	bytes	Signer's name. This field could be empty. Notably when signer is DNS Root zone.
dns	Domain Name Service	mdns_service_name	mdns_service_nameq_proto_dns	bytes	'mdns' advertised service name.
dhcp	Dynamic Host Configuration Protocol	ciaddr	ciaddrq_proto_dhcp	string	Current client ip address.
dhcp	Dynamic Host Configuration Protocol	yiaddr	yiaddrq_proto_dhcp	string	New ip address attributed to the client.
dhcp	Dynamic Host Configuration Protocol	siaddr	siaddrq_proto_dhcp	string	Ip address of next server (used when booting via a server).
dhcp	Dynamic Host Configuration Protocol	giaddr	giaddrq_proto_dhcp	string	Relay agent ip address (used when booting via a relay agent).
dhcp	Dynamic Host Configuration Protocol	chaddr	chaddrq_proto_dhcp	string	Client hardware address.
dhcp	Dynamic Host Configuration Protocol	sname	snameq_proto_dhcp	bytes	Server host name (optional).
dhcp	Dynamic Host Configuration Protocol	subnetmask	subnetmaskq_proto_dhcp	string	Subnet mask assigned to the client.
dhcp	Dynamic Host Configuration Protocol	router	routerq_proto_dhcp	string	List of gateway's ip addresses.
dhcp	Dynamic Host Configuration Protocol	dns_server	dns_serverq_proto_dhcp	string	List of dns server's ip addresses.
dhcp	Dynamic Host Configuration Protocol	bootfilename	bootfilenameq_proto_dhcp	bytes	File name used when initializing
dhcp	Dynamic Host Configuration Protocol	circuit_id	circuit_idq_proto_dhcp	bytes	A suboption that contains the circuit identifier
dhcp	Dynamic Host Configuration Protocol	remote_id	remote_idq_proto_dhcp	bytes	The remote agent
dhcp	Dynamic Host Configuration Protocol	remote_id_type	remote_id_typeq_proto_dhcp	bytes	An suboption that contains the remote agent identifier.
dhcp	Dynamic Host Configuration Protocol	remote_id_subtype	remote_id_subtypeq_proto_dhcp	bytes	Subtype for the remote agent
dhcp	Dynamic Host Configuration Protocol	ip_lease_time	ip_lease_timeq_proto_dhcp	uint32	In a server reply (dhcpoffer), a dhcp server uses this option to specify the lease time it is willing to offer. the time is in seconds
dhcp	Dynamic Host Configuration Protocol	end_status	end_statusq_proto_dhcp	uint32	An event sent when dhcp session expires. it's equal to 1 when a release message was observed and 0 if not
dhcp	Dynamic Host Configuration Protocol	xid	xidq_proto_dhcp	uint32	Transaction ID, a random number chosen by the client, used by the client and server to associate requests and responses.
dhcp	Dynamic Host Configuration Protocol	host_name	host_nameq_proto_dhcp	bytes	Host name sent by the client in the DCHP option 12 (optional).
dhcp	Dynamic Host Configuration Protocol	domain_name	domain_nameq_proto_dhcp	bytes	DNS server name sent by the server in the DHCP option 15 for further use by the client (optional).
dhcp	Dynamic Host Configuration Protocol	client_fqdn	client_fqdnq_proto_dhcp	bytes	Fully qualified host name sent by the client in the DHCP option 81 (optional).
dhcp6	Dynamic Host Configuration Protocol for IPv6	xid	xidq_proto_dhcp6	uint32	Transaction ID, a random number chosen by the client, used by the client and server to associate requests and responses.
dhcp6	Dynamic Host Configuration Protocol for IPv6	chaddr	chaddrq_proto_dhcp6	string	Client hardware address.
dhcp6	Dynamic Host Configuration Protocol for IPv6	ip_lease_time	ip_lease_timeq_proto_dhcp6	uint32	A DHCPv6 server uses this option to specify the lease time it is willing to offer (time period in second)
dhcp6	Dynamic Host Configuration Protocol for IPv6	client_fqdn	client_fqdnq_proto_dhcp6	bytes	Fully qualified domain name sent by the client in the DHCPv6 option 39. This metadata is not raised in case of decoding error.
dhcp6	Dynamic Host Configuration Protocol for IPv6	duid_type	duid_typeq_proto_dhcp6	uint32	DUID type.
dhcp6	Dynamic Host Configuration Protocol for IPv6	shaddr	shaddrq_proto_dhcp6	string	Server hardware address.
dhcp6	Dynamic Host Configuration Protocol for IPv6	requested_option_code	requested_option_codeq_proto_dhcp6	uint32	Option code for an option requested by the client.
dhcp6	Dynamic Host Configuration Protocol for IPv6	ia_prefix_option	ia_prefix_optionq_proto_dhcp6	uint32	Option type.
dhcp6	Dynamic Host Configuration Protocol for IPv6	ia_prefix_length	ia_prefix_lengthq_proto_dhcp6	uint32	Length of the option data.
dhcp6	Dynamic Host Configuration Protocol for IPv6	ia_prefix_preferred_life_time	ia_prefix_preferred_life_timeq_proto_dhcp6	uint32	Recommended preferred lifetime for the IPv6 prefix in the option expressed in seconds.
dhcp6	Dynamic Host Configuration Protocol for IPv6	ia_prefix_valid_life_time	ia_prefix_valid_life_timeq_proto_dhcp6	uint32	The valid lifetime for the IPv6 prefix in the option expressed in seconds.
dhcp6	Dynamic Host Configuration Protocol for IPv6	iapd_iaid	iapd_iaidq_proto_dhcp6	uint32	Unique identifier for a IA_PD option.
dhcp6	Dynamic Host Configuration Protocol for IPv6	enterprise_number	enterprise_numberq_proto_dhcp6	uint32	The vendor's Enterprise Number as registered with IANA.
dimp	Dynamic Internet Messaging Program	attach_type	attach_typeq_proto_dimp	bytes	Content type of the sent attached file.
dimp	Dynamic Internet Messaging Program	receiver_alias	receiver_aliasq_proto_dimp	bytes	Name of email receiver (included cc and bcc receivers).
dimp	Dynamic Internet Messaging Program	receiver_email	receiver_emailq_proto_dimp	bytes	Email address of message receiver (included cc and bcc receivers).
dimp	Dynamic Internet Messaging Program	sender_alias	sender_aliasq_proto_dimp	bytes	Name of the email sender.
dimp	Dynamic Internet Messaging Program	sender_email	sender_emailq_proto_dimp	bytes	Email address of the email sender.
dimp	Dynamic Internet Messaging Program	subject	subjectq_proto_dimp	bytes	Message subject.
dimp	Dynamic Internet Messaging Program	date	dateq_proto_dimp	bytes	Message date.
dimp	Dynamic Internet Messaging Program	attach_filename	attach_filenameq_proto_dimp	bytes	Attachment name.
dimp	Dynamic Internet Messaging Program	action	actionq_proto_dimp	bytes	Indicates if the message is read (Read) or composed (Compose).
dimp	Dynamic Internet Messaging Program	msg_id	msg_idq_proto_dimp	bytes	Identifier of the message.
dimp	Dynamic Internet Messaging Program	msglist_subject	msglist_subjectq_proto_dimp	bytes	Message subject in a message list.
dimp	Dynamic Internet Messaging Program	msglist_sender_email	msglist_sender_emailq_proto_dimp	bytes	Address of email sender.
dimp	Dynamic Internet Messaging Program	login	loginq_proto_dimp	bytes	User's login string.
dimp	Dynamic Internet Messaging Program	password	passwordq_proto_dimp	bytes	User's password string.
ebay	eBay.com	query_text	query_textq_proto_ebay	bytes	Query sent to the search engine.
ebay	eBay.com	query_raw	query_rawq_proto_ebay	bytes	Contains the query sent to the search engine as indicated in the URL.
ebuddy	eBuddy.com	contact_message	contact_messageq_proto_ebuddy	bytes	User's contact IM personal message.
ebuddy	eBuddy.com	contact_login	contact_loginq_proto_ebuddy	bytes	Contact login.
ebuddy	eBuddy.com	message	messageq_proto_ebuddy	bytes	Contains the chat message.
ebuddy	eBuddy.com	receiver	receiverq_proto_ebuddy	bytes	Contains the identity of the receiver for a chat message or a file transfer.
ebuddy	eBuddy.com	sender	senderq_proto_ebuddy	bytes	Contains the identity of the sender of a chat session or a file transfer.
ebuddy	eBuddy.com	client_message	client_messageq_proto_ebuddy	bytes	User's IM personal message.
ebuddy	eBuddy.com	e_action	e_actionq_proto_ebuddy	bytes	Action of the user.
ebuddy	eBuddy.com	login	loginq_proto_ebuddy	bytes	User's login string.
edonkey	Edonkey	login	loginq_proto_edonkey	bytes	User's login string.
edonkey	Edonkey	query	queryq_proto_edonkey	bytes	Query sent to find a file.
edonkey	Edonkey	filename	filenameq_proto_edonkey	bytes	Name of the transferred file.
enip	Ethernet/IP	command	commandq_proto_enip	uint32	Command code which has been sent by the request.
enip	Ethernet/IP	status	statusq_proto_enip	uint32	Status code.
enip	Ethernet/IP	session_handle	session_handleq_proto_enip	uint32	Session id. Some commands do not require a session handle.
enip	Ethernet/IP	data_item_count	data_item_countq_proto_enip	uint32	Number of items to follow in the packet.
enip	Ethernet/IP	data_type_id	data_type_idq_proto_enip	uint32	Type of encapsulated item.
enip	Ethernet/IP	data_length	data_lengthq_proto_enip	uint32	Length in bytes of command data section.
enip	Ethernet/IP	options	optionsq_proto_enip	uint32	Options. Its behavior or use is not defined yet (Future use).
enip	Ethernet/IP	csd_interface_handle	csd_interface_handleq_proto_enip	uint32	Communications interface ID. Is part of Command Specific Data (CSD).
enip	Ethernet/IP	csd_timeout	csd_timeoutq_proto_enip	uint32	Timeout in seconds used by routers. Is part of Command Specific Data (CSD).
enip	Ethernet/IP	csd_cpf_data_item_count	csd_cpf_data_item_countq_proto_enip	uint32	Number of items to follow in the packet.
enip	Ethernet/IP	csd_cpf_item_type_id	csd_cpf_item_type_idq_proto_enip	uint32	Type of encapsulated item.
enip	Ethernet/IP	csd_cpf_item_length	csd_cpf_item_lengthq_proto_enip	uint32	Size of encapsulated item.
activesync	Exchange ActiveSync (EAS)	login	loginq_proto_activesync	bytes	User's login string.
activesync	Exchange ActiveSync (EAS)	action	actionq_proto_activesync	bytes	Indicates if the message is read (Read) or composed (Compose).
activesync	Exchange ActiveSync (EAS)	sender	senderq_proto_activesync	bytes	Full address of email sender (alias followed by email address).
activesync	Exchange ActiveSync (EAS)	sender_email	sender_emailq_proto_activesync	bytes	Email address of the email sender.
activesync	Exchange ActiveSync (EAS)	sender_alias	sender_aliasq_proto_activesync	bytes	Name of the email sender.
activesync	Exchange ActiveSync (EAS)	receiver	receiverq_proto_activesync	bytes	Full address of email receiver (including cc and bcc receivers).
activesync	Exchange ActiveSync (EAS)	receiver_email	receiver_emailq_proto_activesync	bytes	Email address of message receiver (included cc and bcc receivers).
activesync	Exchange ActiveSync (EAS)	receiver_alias	receiver_aliasq_proto_activesync	bytes	Name of email receiver (included cc and bcc receivers).
activesync	Exchange ActiveSync (EAS)	receiver_type	receiver_typeq_proto_activesync	bytes	Type of the email receiver.
activesync	Exchange ActiveSync (EAS)	replyto	replytoq_proto_activesync	bytes	Email address to use in a reply for this message.
activesync	Exchange ActiveSync (EAS)	date	dateq_proto_activesync	bytes	Message date.
activesync	Exchange ActiveSync (EAS)	subject	subjectq_proto_activesync	bytes	Message subject.
activesync	Exchange ActiveSync (EAS)	msg_id	msg_idq_proto_activesync	bytes	Identifier of the message.
activesync	Exchange ActiveSync (EAS)	content_type	content_typeq_proto_activesync	bytes	Indicates the content type of transferred file.
activesync	Exchange ActiveSync (EAS)	content_transfer_encoding	content_transfer_encodingq_proto_activesync	bytes	Contains the encoding of the content
activesync	Exchange ActiveSync (EAS)	encoding	encodingq_proto_activesync	bytes	Page encoding
activesync	Exchange ActiveSync (EAS)	attach_id	attach_idq_proto_activesync	bytes	Attachment identifier.
activesync	Exchange ActiveSync (EAS)	attach_filename	attach_filenameq_proto_activesync	bytes	Attachment name.
activesync	Exchange ActiveSync (EAS)	attach_type	attach_typeq_proto_activesync	bytes	Content type of the sent attached file.
activesync	Exchange ActiveSync (EAS)	attach_size	attach_sizeq_proto_activesync	uint32	Attached file MIME size.
activesync	Exchange ActiveSync (EAS)	attach_transfer_encoding	attach_transfer_encodingq_proto_activesync	bytes	Contains the encoding of the attached content
activesync	Exchange ActiveSync (EAS)	folderlist_item_name	folderlist_item_nameq_proto_activesync	bytes	Message folder name.
activesync	Exchange ActiveSync (EAS)	folderlist_item_id	folderlist_item_idq_proto_activesync	bytes	Message folder unique identifier.
activesync	Exchange ActiveSync (EAS)	timezone_raw	timezone_rawq_proto_activesync	bytes	Timezone to be used. The extracted data is a base64 encoded structure.
activesync	Exchange ActiveSync (EAS)	timezone_standard_name	timezone_standard_nameq_proto_activesync	bytes	It contains an optional description for standard time.
activesync	Exchange ActiveSync (EAS)	timezone_daylight_name	timezone_daylight_nameq_proto_activesync	bytes	It contains an optional description for DST.
activesync	Exchange ActiveSync (EAS)	creation_time	creation_timeq_proto_activesync	bytes	Creation time of the entry.
activesync	Exchange ActiveSync (EAS)	end_time	end_timeq_proto_activesync	bytes	End time of the meeting.
activesync	Exchange ActiveSync (EAS)	location	locationq_proto_activesync	bytes	Location of the meeting.
activesync	Exchange ActiveSync (EAS)	organizer_email	organizer_emailq_proto_activesync	bytes	This element is an optional element that specifies the e-mail address of the user who created the calendar item.
activesync	Exchange ActiveSync (EAS)	reminder	reminderq_proto_activesync	uint32	Reminder element is an optional element that specifies the number of minutes before the calendar item's start time to display a reminder notice.
activesync	Exchange ActiveSync (EAS)	calendar_subject	calendar_subjectq_proto_activesync	bytes	Subject element is an optional element that specifies the subject of the calendar item.
activesync	Exchange ActiveSync (EAS)	start_time	start_timeq_proto_activesync	bytes	start_time element is an optional element that specifies the start time of the calendar item.
activesync	Exchange ActiveSync (EAS)	calendar_id	calendar_idq_proto_activesync	bytes	Element that specifies an ID that uniquely identifies a single event or recurring series.
activesync	Exchange ActiveSync (EAS)	recurrence_interval	recurrence_intervalq_proto_activesync	uint32	Element that specifies the interval between recurrences.
activesync	Exchange ActiveSync (EAS)	attendee_name	attendee_nameq_proto_activesync	bytes	Specifies the attendee's name.
activesync	Exchange ActiveSync (EAS)	attendee_email	attendee_emailq_proto_activesync	bytes	Specifies the attendee's email address.
facebook	Facebook	message	messageq_proto_facebook	bytes	Instant message content.
facebook	Facebook	feed_text	feed_textq_proto_facebook	bytes	feed text.
facebook	Facebook	receiver	receiverq_proto_facebook	bytes	Instant message recipient name.
facebook	Facebook	sender_email	sender_emailq_proto_facebook	bytes	Email address of the message sender.
facebook	Facebook	query_text	query_textq_proto_facebook	bytes	Query sent to the search engine.
facebook	Facebook	login	loginq_proto_facebook	bytes	User's login string.
facebook	Facebook	action	actionq_proto_facebook	bytes	Indicates the action executed by the user.
facebook	Facebook	server_name	server_nameq_proto_facebook	bytes	Domain name mentioned in CHLO message of the underlying transport protocol Zero.
facebook_apps	Facebook Apps	application_action	application_actionq_proto_facebook_apps	bytes	Indicates the action executed by the user.
facebook_apps	Facebook Apps	application_name	application_nameq_proto_facebook_apps	bytes	Name of the application.
facebook_mail	Facebook Mail	attach_type	attach_typeq_proto_facebook_mail	bytes	Content type of the sent attached file.
facebook_mail	Facebook Mail	attach_filename	attach_filenameq_proto_facebook_mail	bytes	Attachment name.
facebook_mail	Facebook Mail	sender_email	sender_emailq_proto_facebook_mail	bytes	Email address of the email sender.
facebook_mail	Facebook Mail	receiver_email	receiver_emailq_proto_facebook_mail	bytes	Email address of message receiver (included cc and bcc receivers).
facebook_mail	Facebook Mail	action	actionq_proto_facebook_mail	bytes	Indicates if the message is read (Read) or composed (Compose).
facebook_mail	Facebook Mail	subject	subjectq_proto_facebook_mail	bytes	Message subject.
facebook_mail	Facebook Mail	login	loginq_proto_facebook_mail	bytes	User's login string.
facebook_mail	Facebook Mail	session_id	session_idq_proto_facebook_mail	bytes	Uniquely identifies the current user session.
facebook_messenger	Facebook Messenger	service_id	service_idq_proto_facebook_messenger	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
facebook_messenger	Facebook Messenger	service	serviceq_proto_facebook_messenger	bytes	Current service identification string.
facebook_messenger	Facebook Messenger	service_duration	service_durationq_proto_facebook_messenger	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
facebook_messenger	Facebook Messenger	service_duration_tv	service_duration_tvq_proto_facebook_messenger	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
facebook_messenger	Facebook Messenger	uid	uidq_proto_facebook_messenger	bytes	Generic user ID.
ftp	File Transfer Protocol	login	loginq_proto_ftp	bytes	User's login string.
ftp	File Transfer Protocol	password	passwordq_proto_ftp	bytes	User's password string.
ftp	File Transfer Protocol	filename	filenameq_proto_ftp	bytes	Name of the transferred file.
ftp	File Transfer Protocol	method	methodq_proto_ftp	bytes	Contains the FTP command sent.
ftp	File Transfer Protocol	filesize	filesizeq_proto_ftp	uint32	Size (byte) of the transferred file.
ftp	File Transfer Protocol	loadway	loadwayq_proto_ftp	bytes	Contains the file transfer way (Upload vs Download).
ftp	File Transfer Protocol	offset	offsetq_proto_ftp	uint32	Indicates the start offset of the file transfer.
ftp	File Transfer Protocol	greeting_message	greeting_messageq_proto_ftp	bytes	First line of the server banner.
ftp	File Transfer Protocol	return_content	return_contentq_proto_ftp	bytes	Message of server's response.
ftp	File Transfer Protocol	transfer_duration	transfer_durationq_proto_ftp	string	Elapsed time (in seconds) between the beginning of a transfer (ftp code 150) and the first packet signaling the end with success of the transfer (ftp code 226)
ftp	File Transfer Protocol	index	indexq_proto_ftp	uint32	Identifier of the request and response in a FTP flow.
ftp	File Transfer Protocol	method_content	method_contentq_proto_ftp	bytes	Method parameter
ftp	File Transfer Protocol	data_port_start_offset	data_port_start_offsetq_proto_ftp	uint32	Offset to the first FTP port byte given in the PORT command.
ftp	File Transfer Protocol	data_port_end_offset	data_port_end_offsetq_proto_ftp	uint32	Offset to the first byte which is not part of the TCP port value, given in the PORT command.
ftp_data	File Transfer Protocol Data	content	contentq_proto_ftp_data	bytes	File content
fix	Financial Information eXchange (FIX)	transaction_time	transaction_timeq_proto_fix	bytes	Time the order request was initiated/released by the trading system.
fix	Financial Information eXchange (FIX)	symbol	symbolq_proto_fix	bytes	Common representation of the security.
fix	Financial Information eXchange (FIX)	order_type	order_typeq_proto_fix	bytes	Order type.
fix	Financial Information eXchange (FIX)	order_status	order_statusq_proto_fix	bytes	Describes the current state of a chain of orders.
fix	Financial Information eXchange (FIX)	order_qty	order_qtyq_proto_fix	bytes	Quantity ordered.
fix	Financial Information eXchange (FIX)	order_id	order_idq_proto_fix	bytes	Unique identifier for an order.
fix	Financial Information eXchange (FIX)	message_type	message_typeq_proto_fix	bytes	Defines FIX message type.
firefox_update	Firefox Update	plugin_new_version	plugin_new_versionq_proto_firefox_update	bytes	Plugin version after update.
firefox_update	Firefox Update	plugin_name	plugin_nameq_proto_firefox_update	bytes	Name of the plugin.
firefox_update	Firefox Update	new_version	new_versionq_proto_firefox_update	bytes	Browser version after update.
firefox_update	Firefox Update	current_version	current_versionq_proto_firefox_update	bytes	Browser version before update.
freebsd_update	FreeBSD Updates	package_name	package_nameq_proto_freebsd_update	bytes	Software package name.
giop	General Inter-ORB Protocol	version	versionq_proto_giop	bytes	Current GIOP version.
giop	General Inter-ORB Protocol	ior_type_id	ior_type_idq_proto_giop	bytes	IOR object's repository id.
giop	General Inter-ORB Protocol	message_type	message_typeq_proto_giop	bytes	GIOP message type.
giop	General Inter-ORB Protocol	request_operation	request_operationq_proto_giop	bytes	Name of the request sent to the server.
giop	General Inter-ORB Protocol	request_id	request_idq_proto_giop	uint32	ID used to associate a reply message with a request message.
gmail_basic	Gmail Basic	date	dateq_proto_gmail_basic	bytes	Message date.
gmail_basic	Gmail Basic	sender_alias	sender_aliasq_proto_gmail_basic	bytes	Name of the email sender.
gmail_basic	Gmail Basic	sender_email	sender_emailq_proto_gmail_basic	bytes	Email address of the email sender.
gmail_basic	Gmail Basic	login	loginq_proto_gmail_basic	bytes	User's login string. It's also sender id in case of e-mail compose/send workflow (use session_id to correlate email and login).
gmail_basic	Gmail Basic	subject	subjectq_proto_gmail_basic	bytes	Message subject.
gmail_basic	Gmail Basic	receiver_type	receiver_typeq_proto_gmail_basic	bytes	Type of the email receiver.
gmail_basic	Gmail Basic	receiver_alias	receiver_aliasq_proto_gmail_basic	bytes	Name of email receiver (included cc and bcc receivers).
gmail_basic	Gmail Basic	receiver_email	receiver_emailq_proto_gmail_basic	bytes	Email address of message receiver (included cc and bcc receivers).
gmail_basic	Gmail Basic	attach_type	attach_typeq_proto_gmail_basic	bytes	Content type of the sent attached file.
gmail_basic	Gmail Basic	attach_filename	attach_filenameq_proto_gmail_basic	bytes	Attachment name.
gmail_basic	Gmail Basic	attach_id	attach_idq_proto_gmail_basic	bytes	Attachment identifier.
gmail_basic	Gmail Basic	draft	draftq_proto_gmail_basic	uint32	Indicates if the email is a draft or has really been posted
gmail_basic	Gmail Basic	msg_id	msg_idq_proto_gmail_basic	bytes	Identifier of the message.
gmail_basic	Gmail Basic	action	actionq_proto_gmail_basic	bytes	Indicates if the message is read (Read) or composed (Compose).
gmail_basic	Gmail Basic	attach_size	attach_sizeq_proto_gmail_basic	uint32	Attached file MIME size.
gmail_basic	Gmail Basic	session_id	session_idq_proto_gmail_basic	bytes	Uniquely identifies the current user session.
gmail_basic	Gmail Basic	encoding	encodingq_proto_gmail_basic	bytes	Page encoding
gmail_mobile	Gmail Mobile	msglist_subject	msglist_subjectq_proto_gmail_mobile	bytes	Message subject in a message list.
gmail_mobile	Gmail Mobile	msglist_msgid	msglist_msgidq_proto_gmail_mobile	bytes	Message identifier.
gmail_mobile	Gmail Mobile	msglist_sender_alias	msglist_sender_aliasq_proto_gmail_mobile	bytes	Name of email sender.
gmail_mobile	Gmail Mobile	msglist_folder	msglist_folderq_proto_gmail_mobile	bytes	Indicates the directory from a message list.
gmail_mobile	Gmail Mobile	contact_email	contact_emailq_proto_gmail_mobile	bytes	Email address of a contact.
gmail_mobile	Gmail Mobile	contact_alias	contact_aliasq_proto_gmail_mobile	bytes	Alias of a contact.
gmail_mobile	Gmail Mobile	date	dateq_proto_gmail_mobile	bytes	Message date.
gmail_mobile	Gmail Mobile	attach_filename	attach_filenameq_proto_gmail_mobile	bytes	Attachment name.
gmail_mobile	Gmail Mobile	attach_id	attach_idq_proto_gmail_mobile	bytes	Attachment identifier.
gmail_mobile	Gmail Mobile	email_index	email_indexq_proto_gmail_mobile	bytes	Index of the request which the email is attached to.
gmail_mobile	Gmail Mobile	subject	subjectq_proto_gmail_mobile	bytes	Message subject.
gmail_mobile	Gmail Mobile	receiver_type	receiver_typeq_proto_gmail_mobile	bytes	Type of the email receiver.
gmail_mobile	Gmail Mobile	receiver_alias	receiver_aliasq_proto_gmail_mobile	bytes	Name of email receiver (included cc and bcc receivers).
gmail_mobile	Gmail Mobile	receiver_email	receiver_emailq_proto_gmail_mobile	bytes	Email address of message receiver (included cc and bcc receivers).
gmail_mobile	Gmail Mobile	sender_alias	sender_aliasq_proto_gmail_mobile	bytes	Name of the email sender.
gmail_mobile	Gmail Mobile	sender_email	sender_emailq_proto_gmail_mobile	bytes	Email address of the email sender.
gmail_mobile	Gmail Mobile	action	actionq_proto_gmail_mobile	bytes	Indicates if the message is read (Read) or composed (Compose).
gmail_mobile	Gmail Mobile	login	loginq_proto_gmail_mobile	bytes	User's login string.
gmail_mobile	Gmail Mobile	session_id	session_idq_proto_gmail_mobile	bytes	Uniquely identifies the current user session.
gmail_mobile	Gmail Mobile	msglist_receiver_alias	msglist_receiver_aliasq_proto_gmail_mobile	bytes	Name of email receiver.
gmail_mobile	Gmail Mobile	draft	draftq_proto_gmail_mobile	uint32	Indicates if the email is a draft or has really been posted
gmail_mobile	Gmail Mobile	name	nameq_proto_gmail_mobile	bytes	User's full name.
gmail_mobile	Gmail Mobile	encoding	encodingq_proto_gmail_mobile	bytes	Page encoding
gmail_mobile	Gmail Mobile	msglist_sender_email	msglist_sender_emailq_proto_gmail_mobile	bytes	Address of email sender.
gmail_mobile	Gmail Mobile	msglist_receiver_email	msglist_receiver_emailq_proto_gmail_mobile	bytes	Email address of the email receiver.
gmail_mobile	Gmail Mobile	msglist_date	msglist_dateq_proto_gmail_mobile	bytes	Message date in a message list.
gmail_mobile	Gmail Mobile	replyto	replytoq_proto_gmail_mobile	bytes	Email address to use in a reply for this message.
gmail_mobile	Gmail Mobile	attach_type	attach_typeq_proto_gmail_mobile	bytes	Content type of the sent attached file.
gmail_mobile	Gmail Mobile	attach_size	attach_sizeq_proto_gmail_mobile	uint32	Attached file MIME size.
gmail_mobile	Gmail Mobile	last_activity	last_activityq_proto_gmail_mobile	bytes	Time elapsed since last account activity.
gmail_mobile	Gmail Mobile	last_activity_timestamp	last_activity_timestampq_proto_gmail_mobile	string	Last account-activity timestamp.
gmail_mobile	Gmail Mobile	current_ip_address	current_ip_addressq_proto_gmail_mobile	string	IP address of the logged user.
gmail_mobile	Gmail Mobile	other_ip_address	other_ip_addressq_proto_gmail_mobile	string	IP address of the other logged user.
gmail_mobile	Gmail Mobile	attach_transfer_encoding	attach_transfer_encodingq_proto_gmail_mobile	bytes	Contains the encoding of the attached content
gmail_mobile	Gmail Mobile	password	passwordq_proto_gmail_mobile	bytes	User's password string.
gmx	GMX webmail	attach_filename	attach_filenameq_proto_gmx	bytes	Attachment name.
gmx	GMX webmail	receiver_email	receiver_emailq_proto_gmx	bytes	Email address of message receiver (included cc and bcc receivers).
gmx	GMX webmail	sender_email	sender_emailq_proto_gmx	bytes	Email address of the email sender.
gmx	GMX webmail	subject	subjectq_proto_gmx	bytes	Message subject.
gmx	GMX webmail	login	loginq_proto_gmx	bytes	User's login string.
gnutella	Gnutella	user_agent	user_agentq_proto_gnutella	bytes	Name of the software used.
gnutella	Gnutella	server	serverq_proto_gnutella	bytes	Name of the server from which the file is downloaded.
gnutella	Gnutella	query	queryq_proto_gnutella	bytes	Query sent to find a file.
gnutella	Gnutella	filename	filenameq_proto_gnutella	bytes	Name of the transferred file.
google_ads	Google Ads	ad_url_full	ad_url_fullq_proto_google_ads	bytes	Complete ad URL.
google_ads	Google Ads	ad_status	ad_statusq_proto_google_ads	bytes	Indicates whether the ad has been displayed or clicked.
gmail_chat	Google Chat	login	loginq_proto_gmail_chat	bytes	User's login string.
gmail_chat	Google Chat	message	messageq_proto_gmail_chat	bytes	Contains the chat message.
google_earth	Google Earth	query_raw	query_rawq_proto_google_earth	bytes	Contains the query sent to the search engine as indicated in the URL.
google_earth	Google Earth	query_text	query_textq_proto_google_earth	bytes	Query sent to the search engine.
google_groups	Google Groups	sender_email	sender_emailq_proto_google_groups	bytes	Email address of the email sender.
google_groups	Google Groups	action	actionq_proto_google_groups	bytes	Indicates if the message is read (Read) or composed (Compose).
google_groups	Google Groups	msglist_subject	msglist_subjectq_proto_google_groups	bytes	Message subject in a message list.
google_groups	Google Groups	group_name	group_nameq_proto_google_groups	bytes	Name of the group the user has subscribed to.
google_groups	Google Groups	receiver_email	receiver_emailq_proto_google_groups	bytes	Email address of message receiver (included cc and bcc receivers).
google_groups	Google Groups	subject	subjectq_proto_google_groups	bytes	Message subject.
google_groups	Google Groups	msglist_sender_email	msglist_sender_emailq_proto_google_groups	bytes	Address of email sender.
gmail	Google Mail	session_id	session_idq_proto_gmail	bytes	Uniquely identifies the current user session.
gmail	Google Mail	login	loginq_proto_gmail	bytes	User's login string.
gmail	Google Mail	name	nameq_proto_gmail	bytes	User's full name.
gmail	Google Mail	encoding	encodingq_proto_gmail	bytes	Page encoding
gmail	Google Mail	msglist_sender_alias	msglist_sender_aliasq_proto_gmail	bytes	Name of email sender.
gmail	Google Mail	msglist_sender_email	msglist_sender_emailq_proto_gmail	bytes	Address of email sender.
gmail	Google Mail	msglist_receiver_alias	msglist_receiver_aliasq_proto_gmail	bytes	Name of email receiver.
gmail	Google Mail	msglist_receiver_email	msglist_receiver_emailq_proto_gmail	bytes	Email address of the email receiver.
gmail	Google Mail	msglist_subject	msglist_subjectq_proto_gmail	bytes	Message subject in a message list.
gmail	Google Mail	msglist_msgid	msglist_msgidq_proto_gmail	bytes	Message identifier.
gmail	Google Mail	msglist_date	msglist_dateq_proto_gmail	bytes	Message date in a message list.
gmail	Google Mail	msglist_folder	msglist_folderq_proto_gmail	bytes	Indicates the directory from a message list.
gmail	Google Mail	sender_email	sender_emailq_proto_gmail	bytes	Email address of the email sender.
gmail	Google Mail	sender_alias	sender_aliasq_proto_gmail	bytes	Name of the email sender.
gmail	Google Mail	real_sender_domain	real_sender_domainq_proto_gmail	bytes	Domain of the email sender.
gmail	Google Mail	real_sender_msgid	real_sender_msgidq_proto_gmail	bytes	Email identifier.
gmail	Google Mail	receiver_email	receiver_emailq_proto_gmail	bytes	Email address of message receiver (included cc and bcc receivers).
gmail	Google Mail	receiver_alias	receiver_aliasq_proto_gmail	bytes	Name of email receiver (included cc and bcc receivers).
gmail	Google Mail	receiver_type	receiver_typeq_proto_gmail	bytes	Type of the email receiver.
gmail	Google Mail	replyto	replytoq_proto_gmail	bytes	Email address to use in a reply for this message.
gmail	Google Mail	date	dateq_proto_gmail	bytes	Message date.
gmail	Google Mail	subject	subjectq_proto_gmail	bytes	Message subject.
gmail	Google Mail	msg_id	msg_idq_proto_gmail	bytes	Identifier of the message.
gmail	Google Mail	attach_id	attach_idq_proto_gmail	bytes	Attachment identifier.
gmail	Google Mail	attach_filename	attach_filenameq_proto_gmail	bytes	Attachment name.
gmail	Google Mail	attach_type	attach_typeq_proto_gmail	bytes	Content type of the sent attached file.
gmail	Google Mail	attach_size	attach_sizeq_proto_gmail	uint32	Attached file MIME size.
gmail	Google Mail	thumbnail	thumbnailq_proto_gmail	uint32	Indicates whether this attachment is an image thumbnail.
gmail	Google Mail	draft	draftq_proto_gmail	uint32	Indicates if the email is a draft or has really been posted
gmail	Google Mail	action	actionq_proto_gmail	bytes	Indicates if the message is read (Read) or composed (Compose).
gmail	Google Mail	version	versionq_proto_gmail	bytes	Gmail version used.
gmail	Google Mail	last_activity	last_activityq_proto_gmail	bytes	Time elapsed since last account activity.
gmail	Google Mail	last_activity_timestamp	last_activity_timestampq_proto_gmail	string	Last account activity timestamp.
gmail	Google Mail	current_ip_address	current_ip_addressq_proto_gmail	string	IP address of the logged user.
gmail	Google Mail	other_ip_address	other_ip_addressq_proto_gmail	string	IP address of the other logged user.
gmail	Google Mail	contact_email	contact_emailq_proto_gmail	bytes	Email address of a contact.
gmail	Google Mail	contact_alias	contact_aliasq_proto_gmail	bytes	Alias of a contact.
gmail	Google Mail	email_index	email_indexq_proto_gmail	bytes	Index of the request which the email is attached to.
gmail	Google Mail	attach_id_temp	attach_id_tempq_proto_gmail	bytes	Temporary value for attach_id of an attachment, it is present during attachment uploading (it is use to correlate uploaded attachment and sending the associated email).
google_maps	Google Maps	query_text	query_textq_proto_google_maps	bytes	Query sent to the search engine.
google_maps	Google Maps	query_raw	query_rawq_proto_google_maps	bytes	Contains the query sent to the search engine as indicated in the URL.
google_maps	Google Maps	start_addr_raw	start_addr_rawq_proto_google_maps	bytes	Departure point as indicated in the URL as indicated in the URL.
google_maps	Google Maps	start_addr	start_addrq_proto_google_maps	bytes	Encoded departure point .
google_play	Google Play Store	application_name	application_nameq_proto_google_play	bytes	Name of the downloaded app.
google	Google Search	query_text	query_textq_proto_google	bytes	Query sent to the search engine.
google	Google Search	query_raw	query_rawq_proto_google	bytes	Contains the query sent to the search engine as indicated in the URL.
gtalk	Google Talk (incl. Hangouts and Allo and Duo)	service_id	service_idq_proto_gtalk	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
gtalk	Google Talk (incl. Hangouts and Allo and Duo)	service	serviceq_proto_gtalk	bytes	Current service identification string.
gtalk	Google Talk (incl. Hangouts and Allo and Duo)	service_duration	service_durationq_proto_gtalk	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
gtalk	Google Talk (incl. Hangouts and Allo and Duo)	service_duration_tv	service_duration_tvq_proto_gtalk	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
gotomypc	GoToMyPC Remote Access	service	serviceq_proto_gotomypc	bytes	Current service identification string.
gotomypc	GoToMyPC Remote Access	service_id	service_idq_proto_gotomypc	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
gougou	Gougou.com	query_raw	query_rawq_proto_gougou	bytes	Contains the query sent to the search engine as indicated in the URL.
gougou	Gougou.com	query_text	query_textq_proto_gougou	bytes	Query sent to the search engine.
gtpv2	GPRS Tunneling Protocol version 2	processing_anomaly_type	processing_anomaly_typeq_proto_gtpv2	bytes	Defines the category of the anomaly.
gtpv2	GPRS Tunneling Protocol version 2	processing_anomaly_attr	processing_anomaly_attrq_proto_gtpv2	uint32	Gives an attribute ID, or an attribute structure (parent attribute ID), not extracted because of the anomaly.
gtpv2	GPRS Tunneling Protocol version 2	uli_field_type	uli_field_typeq_proto_gtpv2	uint32	Type of the field
gtpv2	GPRS Tunneling Protocol version 2	uli_mcc	uli_mccq_proto_gtpv2	uint32	Mobile Country Code (MCC) present in the identity
gtpv2	GPRS Tunneling Protocol version 2	uli_mnc	uli_mncq_proto_gtpv2	uint32	Mobile Network Code (MNC) present in the identity
gtpv2	GPRS Tunneling Protocol version 2	uli_eci	uli_eciq_proto_gtpv2	uint32	E-UTRAN Cell Identifier (ECI) present in the identity of type ECGI.
gtpv2	GPRS Tunneling Protocol version 2	uli_ci	uli_ciq_proto_gtpv2	uint32	Cell Identifier (CI) present in the identity of type CGI.
gtpv2	GPRS Tunneling Protocol version 2	uli_tac	uli_tacq_proto_gtpv2	uint32	Tracking Area Code (TAC) present in the identity of type TAI.
gtpv2	GPRS Tunneling Protocol version 2	uli_lac	uli_lacq_proto_gtpv2	uint32	Location Area Code (LAC) present in the identity of type LAI,RAI, SAI or CGI.
gtpv2	GPRS Tunneling Protocol version 2	uli_sac	uli_sacq_proto_gtpv2	uint32	Service Area Code (SAC) present in the identity of type SAI.
gtpv2	GPRS Tunneling Protocol version 2	uli_rac	uli_racq_proto_gtpv2	uint32	Routing Area Code (RAC) present in the identity of type RAI.
gtpv2	GPRS Tunneling Protocol version 2	sn_mcc	sn_mccq_proto_gtpv2	uint32	Mobile Country Code (MCC) of the Serving NEtwork.
gtpv2	GPRS Tunneling Protocol version 2	sn_mnc	sn_mncq_proto_gtpv2	uint32	Mobile Network Code (MNC) of the Serving Network.
h225	H225	call_setup	call_setupq_proto_h225	string	Call setup delay.
h225	H225	call_duration	call_durationq_proto_h225	string	Call duration.
h225	H225	session_duration	session_durationq_proto_h225	string	Call setup duration.
h225	H225	start_time	start_timeq_proto_h225	string	Start date of the call.
h225	H225	time_before_spk	time_before_spkq_proto_h225	string	Waiting delay before speak
h225	H225	call_id	call_idq_proto_h225	bytes	Call id, extracted for each call.
h225	H225	end_status	end_statusq_proto_h225	bytes	Status of the call end
h225	H225	media_attr_encoding	media_attr_encodingq_proto_h225	bytes	The encoding of media data.
h225	H225	caller	callerq_proto_h225	bytes	Contains the identity (or the phone number) of the initiator of the call.
h225	H225	callee	calleeq_proto_h225	bytes	Contains the identity (or the phone number) of the called party for a call.
h225	H225	method	methodq_proto_h225	bytes	The command
h225	H225	h245_addr	h245_addrq_proto_h225	string	Address used by h245 session.
h225	H225	request_call_id	request_call_idq_proto_h225	bytes	Call's id in the message.
h225	H225	request_caller	request_callerq_proto_h225	bytes	Contains the identity (or the phone number) of the initiator in the message
h225	H225	request_callee	request_calleeq_proto_h225	bytes	Contains the identity (or the phone number) of the called party in the message.
h225	H225	audio_data	audio_dataq_proto_h225	bytes	Encoding can be used in audio flow.
h225	H225	media_control_channel_addr	media_control_channel_addrq_proto_h225	string	Address used for a rtcp channel.
h225	H225	media_channel_addr	media_channel_addrq_proto_h225	string	Address used for a rtp channel.
h225	H225	h245_method	h245_methodq_proto_h225	bytes	The command for a H245 message.
h225	H225	language	languageq_proto_h225	bytes	Used language.
h225	H225	product_id	product_idq_proto_h225	bytes	H225 product component identifier.
h225	H225	version	versionq_proto_h225	bytes	Version of the H225 VoIP client software.
h245	H245	media_attr_encoding	media_attr_encodingq_proto_h245	bytes	The encoding of media data.
h245	H245	method	methodq_proto_h245	bytes	The command
h245	H245	media_control_channel_addr	media_control_channel_addrq_proto_h245	string	Address used for a rtcp channel.
h245	H245	media_channel_addr	media_channel_addrq_proto_h245	string	Address used for a rtp channel.
h248_binary	h248 Protocol (Megaco) in binary mode	context_id	context_idq_proto_h248_binary	uint32	The context ID identifies the context. It is assigned by the Media Gateway. It can be an integer, -" (null context), "*" (all) or "$" (choose)."
h248_binary	h248 Protocol (Megaco) in binary mode	call_id	call_idq_proto_h248_binary	bytes	Call id, extracted for each call.
h248_binary	h248 Protocol (Megaco) in binary mode	action	actionq_proto_h248_binary	bytes	The action designates the command that is executed during the transaction. The coommand name is postfixed by Req if the transaction is a request, by Reply if the transaction is a reply
h248_binary	h248 Protocol (Megaco) in binary mode	from_ip	from_ipq_proto_h248_binary	string	Source IPv4 address
h248_binary	h248 Protocol (Megaco) in binary mode	to_ip	to_ipq_proto_h248_binary	string	Destination IPv4 address
h248_binary	h248 Protocol (Megaco) in binary mode	src_audio_connection	src_audio_connectionq_proto_h248_binary	bytes	Source audio connection type
h248_binary	h248 Protocol (Megaco) in binary mode	src_video_connection	src_video_connectionq_proto_h248_binary	bytes	Source video connection type
h248_binary	h248 Protocol (Megaco) in binary mode	dst_audio_connection	dst_audio_connectionq_proto_h248_binary	bytes	Destination audio connection type
h248_binary	h248 Protocol (Megaco) in binary mode	dst_video_connection	dst_video_connectionq_proto_h248_binary	bytes	Destination video connection type
h248_binary	h248 Protocol (Megaco) in binary mode	response_code	response_codeq_proto_h248_binary	uint32	Return code, extracted from the reply
h248_text	h248 Protocol (Megaco) in text mode	context_id	context_idq_proto_h248_text	bytes	The context ID identifies the context. It is assigned by the Media Gateway. It can be an integer, -" (null context), "*" (all) or "$" (choose)."
h248_text	h248 Protocol (Megaco) in text mode	call_id	call_idq_proto_h248_text	bytes	Call id, extracted for each call.
h248_text	h248 Protocol (Megaco) in text mode	action	actionq_proto_h248_text	bytes	The action designates the command that is executed during the transaction. The coommand name is postfixed by Req if the transaction is a request, by Reply if the transaction is a reply
h248_text	h248 Protocol (Megaco) in text mode	from_ip	from_ipq_proto_h248_text	string	Source IPv4 address
h248_text	h248 Protocol (Megaco) in text mode	to_ip	to_ipq_proto_h248_text	string	Destination IPv4 address
h248_text	h248 Protocol (Megaco) in text mode	src_audio_connection	src_audio_connectionq_proto_h248_text	bytes	Source audio connection type
h248_text	h248 Protocol (Megaco) in text mode	src_video_connection	src_video_connectionq_proto_h248_text	bytes	Source video connection type
h248_text	h248 Protocol (Megaco) in text mode	dst_audio_connection	dst_audio_connectionq_proto_h248_text	bytes	Destination audio connection type
h248_text	h248 Protocol (Megaco) in text mode	dst_video_connection	dst_video_connectionq_proto_h248_text	bytes	Destination video connection type
h248_text	h248 Protocol (Megaco) in text mode	response_code	response_codeq_proto_h248_text	uint32	Return code, extracted from the reply
haproxy	HAProxy	ipv4_src_addr	ipv4_src_addrq_proto_haproxy	string	IPv4 source address.
haproxy	HAProxy	ipv4_dst_addr	ipv4_dst_addrq_proto_haproxy	string	IPv4 destination address.
haproxy	HAProxy	src_port	src_portq_proto_haproxy	uint32	Source port.
haproxy	HAProxy	dst_port	dst_portq_proto_haproxy	uint32	Destination port.
hi5	Hi5.com	nickname	nicknameq_proto_hi5	bytes	User's profile displayed name.
hi5	Hi5.com	password	passwordq_proto_hi5	bytes	User's password string.
hi5	Hi5.com	login	loginq_proto_hi5	bytes	User's login string.
hi5	Hi5.com	is_mobile_service	is_mobile_serviceq_proto_hi5	uint32	Whether or not the access was made through a mobile device.
hi5	Hi5.com	uid	uidq_proto_hi5	bytes	Generic user ID.
high_entropy	High Entropy	entropy	entropyq_proto_high_entropy	uint32	Computed entropy value.
hike_messenger	Hike Messenger	service_id	service_idq_proto_hike_messenger	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
hike_messenger	Hike Messenger	service	serviceq_proto_hike_messenger	bytes	Current service identification string.
hsrp	Hot Standby Router Protocol	virtual_addr	virtual_addrq_proto_hsrp	string	Virtual IP address used by the group.
http	HyperText Transfer Protocol	server	serverq_proto_http	bytes	Normalized web server name, including lowercase transformation and suffix cleaning. The value is extracted from an absolute URI (if present), or from the Host: header value by default (extracted once per HTTP request).
http	HyperText Transfer Protocol	location	locationq_proto_http	bytes	Destination address where the client is redirected.
http	HyperText Transfer Protocol	referer	refererq_proto_http	bytes	Source address from which the client obtained the requested URI.
http	HyperText Transfer Protocol	referer_server	referer_serverq_proto_http	bytes	Contains the host or the website name of the referrer.
http	HyperText Transfer Protocol	uri_full	uri_fullq_proto_http	bytes	Complete name (scheme/authority + path + request) of a web resource.
http	HyperText Transfer Protocol	user_agent	user_agentq_proto_http	bytes	Software used by the client to access the web page.
http	HyperText Transfer Protocol	mime_type	mime_typeq_proto_http	bytes	Content type of the request or the web page.
http	HyperText Transfer Protocol	content_disposition	content_dispositionq_proto_http	bytes	Information related to the disposition of the content present on the web page.
http	HyperText Transfer Protocol	method	methodq_proto_http	bytes	HTTP command sent by the client.
http	HyperText Transfer Protocol	proxy_auth	proxy_authq_proto_http	bytes	Authentication type on the proxy.
http	HyperText Transfer Protocol	proxy_login	proxy_loginq_proto_http	bytes	Login used for proxy authentication.
http	HyperText Transfer Protocol	proxy_realm	proxy_realmq_proto_http	bytes	Parameter used for proxy authentication.
http	HyperText Transfer Protocol	smb_client	smb_clientq_proto_http	bytes	Name of the computer during NTLM authentication (Windows environment).
http	HyperText Transfer Protocol	version	versionq_proto_http	bytes	Protocol version.
http	HyperText Transfer Protocol	server_agent	server_agentq_proto_http	bytes	Name of the server software.
http	HyperText Transfer Protocol	rtt	rttq_proto_http	string	Server response time, calculated between the HTTP Request, and the client acknowledgment of the first non-empty HTTP Response packet.
http	HyperText Transfer Protocol	directory	directoryq_proto_http	bytes	Directory of the accessed web page.
http	HyperText Transfer Protocol	cookie	cookieq_proto_http	bytes	Raw value of the HTTP Cookie header line, containing the HTTP request cookies.
http	HyperText Transfer Protocol	code	codeq_proto_http	uint32	Return code sent by the server.
http	HyperText Transfer Protocol	content_len	content_lenq_proto_http	uint64	Contains the content length of the HTTP request/response.
http	HyperText Transfer Protocol	filename	filenameq_proto_http	bytes	Name of uploaded file. Extracted if Content-Disposition" field has a "filename-parm" ("filename")."
http	HyperText Transfer Protocol	header_raw	header_rawq_proto_http	bytes	One HTTP header line (field and value).
http	HyperText Transfer Protocol	auth_username	auth_usernameq_proto_http	bytes	Login used in the HTTP Authorization request extension for authentication. The supported authentication methods are Basic and Digest.
http	HyperText Transfer Protocol	auth_password	auth_passwordq_proto_http	bytes	Password used in the HTTP request Authorization extension. The only supported authentication method for password extraction is Basic.
http	HyperText Transfer Protocol	part_filename	part_filenameq_proto_http	bytes	Name of uploaded file. Extracted if Content-Disposition" field has a "filename-parm" ("filename"). Extracted only if content-type is "multipart"."
http	HyperText Transfer Protocol	content_encoding	content_encodingq_proto_http	bytes	Contains content encoding format.
http	HyperText Transfer Protocol	accept_encoding	accept_encodingq_proto_http	bytes	Contains the accepted encoding's.
http	HyperText Transfer Protocol	ntlm_domain	ntlm_domainq_proto_http	bytes	Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
http	HyperText Transfer Protocol	ntlm_user	ntlm_userq_proto_http	bytes	User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
http	HyperText Transfer Protocol	ntlm_workstation	ntlm_workstationq_proto_http	bytes	Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
http	HyperText Transfer Protocol	file_type	file_typeq_proto_http	bytes	Received or sent file content type (prefix-based pattern recognition) exchanged using this protocol.
http	HyperText Transfer Protocol	date	dateq_proto_http	bytes	Contains the date of the response (DATE HTTP header).
http	HyperText Transfer Protocol	content	contentq_proto_http	bytes	Message content.
http	HyperText Transfer Protocol	video_codec	video_codecq_proto_http	bytes	Video Codec.
http	HyperText Transfer Protocol	audio_codec	audio_codecq_proto_http	bytes	Audio Codec.
http	HyperText Transfer Protocol	ntlm_identifier	ntlm_identifierq_proto_http	bytes	NTLM protocol Signature (null-terminated string).
http	HyperText Transfer Protocol	ntlm_message_type	ntlm_message_typeq_proto_http	uint32	NTLM message type.
http	HyperText Transfer Protocol	content_type	content_typeq_proto_http	bytes	Indicates the content type of transferred file.
http	HyperText Transfer Protocol	header_private_name	header_private_nameq_proto_http	bytes	One HTTP header line (field) starting with X-" (private header)."
http	HyperText Transfer Protocol	header_private_value	header_private_valueq_proto_http	bytes	One HTTP header line (value) starting with X-" (private header)."
http	HyperText Transfer Protocol	referer_fragment	referer_fragmentq_proto_http	bytes	Contains the fragment passed with the referrer.
http	HyperText Transfer Protocol	referer_scheme	referer_schemeq_proto_http	bytes	Contains the scheme of the referrer.
http_proxy	HyperText Transfer Protocol proxy	server	serverq_proto_http_proxy	bytes	Normalized web server name, including lowercase transformation and suffix cleaning. The value is extracted from an absolute URI (if present), or from the Host: header value by default (extracted once per HTTP request).
http_proxy	HyperText Transfer Protocol proxy	host	hostq_proto_http_proxy	bytes	Host name value extracted from the Host header.
http_proxy	HyperText Transfer Protocol proxy	uri_full	uri_fullq_proto_http_proxy	bytes	Complete name (scheme/authority + path + request) of a web resource.
http_proxy	HyperText Transfer Protocol proxy	user_agent	user_agentq_proto_http_proxy	bytes	Name of the software used.
http_proxy	HyperText Transfer Protocol proxy	method	methodq_proto_http_proxy	bytes	Command sent by the client
http_proxy	HyperText Transfer Protocol proxy	header_raw	header_rawq_proto_http_proxy	bytes	One HTTP header line (field and value).
http_proxy	HyperText Transfer Protocol proxy	header_name	header_nameq_proto_http_proxy	bytes	One HTTP header line (field).
http_proxy	HyperText Transfer Protocol proxy	header_value	header_valueq_proto_http_proxy	bytes	One HTTP header line (value).
http_proxy	HyperText Transfer Protocol proxy	header_statusline	header_statuslineq_proto_http_proxy	bytes	The status line, just before the header lines.
http_proxy	HyperText Transfer Protocol proxy	code	codeq_proto_http_proxy	uint32	Return code sent by the server.
http_proxy	HyperText Transfer Protocol proxy	port	portq_proto_http_proxy	uint32	Port containing in HTTP CONNECT request.
http_proxy	HyperText Transfer Protocol proxy	tunneled_application	tunneled_applicationq_proto_http_proxy	uint32	This shall be triggered if we can classify based on request CONNECT URI and user-agent, then return the top application ID.
http_proxy	HyperText Transfer Protocol proxy	processing_anomaly_type	processing_anomaly_typeq_proto_http_proxy	bytes	Defines the category of the anomaly.
http_proxy	HyperText Transfer Protocol proxy	header_end_offset	header_end_offsetq_proto_http_proxy	uint32	Offset to the first byte after the last HTTP PROXY Header-line (\r\n included). This is an offset to the '\r' character of the second carriage return.
http_proxy	HyperText Transfer Protocol proxy	uri	uriq_proto_http_proxy	bytes	Partially normalized URL form (path + request) of a web resource, with UNRESERVED percent-encoded characters decoding (RFC3986).
http2	HyperText Transfer Protocol version 2	frame_length	frame_lengthq_proto_http2	uint32	Frame length (not including header).
http2	HyperText Transfer Protocol version 2	stream_id	stream_idq_proto_http2	uint32	Stream identifier.
http2	HyperText Transfer Protocol version 2	host	hostq_proto_http2	bytes	Host name value extracted from the :host header.
http2	HyperText Transfer Protocol version 2	server_agent	server_agentq_proto_http2	bytes	Name of the server software.
http2	HyperText Transfer Protocol version 2	location	locationq_proto_http2	bytes	Destination address where the client is redirected.
http2	HyperText Transfer Protocol version 2	referer	refererq_proto_http2	bytes	Source address from which the client obtained the requested URI.
http2	HyperText Transfer Protocol version 2	uri_raw	uri_rawq_proto_http2	bytes	Complete name (scheme/authority + path + request) of a web resource.
http2	HyperText Transfer Protocol version 2	cookie	cookieq_proto_http2	bytes	Raw value of the HTTP Cookie header line, containing the HTTP request cookies.
http2	HyperText Transfer Protocol version 2	content_disposition	content_dispositionq_proto_http2	bytes	Information related to the disposition of the content present on the web page.
http2	HyperText Transfer Protocol version 2	content_len	content_lenq_proto_http2	uint64	Contains the content length of the HTTP2 request/response.
http2	HyperText Transfer Protocol version 2	content_encoding	content_encodingq_proto_http2	bytes	Contains content encoding format.
http2	HyperText Transfer Protocol version 2	code	codeq_proto_http2	uint32	Return code sent by the server.
http2	HyperText Transfer Protocol version 2	method	methodq_proto_http2	bytes	HTTP2 command sent by the client.
http2	HyperText Transfer Protocol version 2	user_agent	user_agentq_proto_http2	bytes	Software used by the client to access the web page.
http2	HyperText Transfer Protocol version 2	mime_type	mime_typeq_proto_http2	bytes	Content type of the request or the web page.
http2	HyperText Transfer Protocol version 2	header_raw	header_rawq_proto_http2	bytes	One HTTP2 header line (field and value).
http2	HyperText Transfer Protocol version 2	date	dateq_proto_http2	bytes	Message date.
http2	HyperText Transfer Protocol version 2	decompress_size	decompress_sizeq_proto_http2	uint32	Contains length of decompressed data.
icloud	iCloud (Apple)	service	serviceq_proto_icloud	bytes	Current service identification string.
ident	Identification Protocol	server_port	server_portq_proto_ident	uint32	TCP server's port
ident	Identification Protocol	client_port	client_portq_proto_ident	uint32	TCP client's port
imo	IMO Video Calling Application	service	serviceq_proto_imo	bytes	Current service identification string.
imo	IMO Video Calling Application	service_id	service_idq_proto_imo	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
imo	IMO Video Calling Application	service_duration	service_durationq_proto_imo	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds.
imo	IMO Video Calling Application	service_duration_tv	service_duration_tvq_proto_imo	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
mimp	IMP mobile version	attach_filename	attach_filenameq_proto_mimp	bytes	Attachment name.
mimp	IMP mobile version	date	dateq_proto_mimp	bytes	Message date.
mimp	IMP mobile version	sender_email	sender_emailq_proto_mimp	bytes	Email address of the email sender.
mimp	IMP mobile version	subject	subjectq_proto_mimp	bytes	Message subject.
mimp	IMP mobile version	receiver_email	receiver_emailq_proto_mimp	bytes	Email address of message receiver (included cc and bcc receivers).
mimp	IMP mobile version	msglist_subject	msglist_subjectq_proto_mimp	bytes	Message subject in a message list.
mimp	IMP mobile version	password	passwordq_proto_mimp	bytes	User's password string.
mimp	IMP mobile version	login	loginq_proto_mimp	bytes	User's login string.
mimp	IMP mobile version	action	actionq_proto_mimp	bytes	Indicates if the message is read (Read) or composed (Compose).
mimp	IMP mobile version	attach_size	attach_sizeq_proto_mimp	uint32	Attached file MIME size.
ica	Independant Computing Architecture (Citrix)	application	applicationq_proto_ica	bytes	Application name used by the client, decoded into UTF-8 format.
ica	Independant Computing Architecture (Citrix)	login_info	login_infoq_proto_ica	bytes	Login information for the given connection (host, username, network domain).
ica	Independant Computing Architecture (Citrix)	service	serviceq_proto_ica	bytes	Current service identification string.
ica	Independant Computing Architecture (Citrix)	login_info_utf16	login_info_utf16q_proto_ica	bytes	Login information for the given connection (host, username, network domain), in UTF-16 format.
iax	Inter Asterisk eXchange	packet_type	packet_typeq_proto_iax	bytes	Packet type.
iax	Inter Asterisk eXchange	trunk_timestamp	trunk_timestampq_proto_iax	uint32	Timestamp (in ms) after the start of this call, indicating the time at which this trunk packet was transmitted.
iax	Inter Asterisk eXchange	trunk_call_data_offset	trunk_call_data_offsetq_proto_iax	uint32	Trunk call data offset in bytes in the UDP Stream.
iax	Inter Asterisk eXchange	message_name	message_nameq_proto_iax	bytes	For full IAX2 frames, message_name is the name of a frame.
iax	Inter Asterisk eXchange	subclass_name	subclass_nameq_proto_iax	bytes	The command string for a message_name" type packet."
iax	Inter Asterisk eXchange	element_name	element_nameq_proto_iax	bytes	Name of the information coming from a packet of type Full" whose message_id is "IAX"."
icap	Internet Content Adaptation Protocol	x_client_ip_respmod_req	x_client_ip_respmod_reqq_proto_icap	bytes	The IP source address of the encapsulated HTTP request, when using the X-Client-IP ICAP header extension (draft-stecher-icap-subid-00).
icap	Internet Content Adaptation Protocol	referer_respmod_req	referer_respmod_reqq_proto_icap	bytes	The HTTP referer embedded in the ICAP RESPMOD request (see http).
icap	Internet Content Adaptation Protocol	content_type_respmod_req	content_type_respmod_reqq_proto_icap	bytes	The HTTP content_type embedded in the http response part of the ICAP RESPMOD request (see http).
icap	Internet Content Adaptation Protocol	user_agent_respmod_req	user_agent_respmod_reqq_proto_icap	bytes	The HTTP user_agent embedded in the ICAP RESPMOD request (see http).
icap	Internet Content Adaptation Protocol	host_respmod_req	host_respmod_reqq_proto_icap	bytes	The HTTP host embedded in the ICAP RESPMOD request (see http).
icap	Internet Content Adaptation Protocol	uri_respmod_req	uri_respmod_reqq_proto_icap	bytes	The HTTP uri embedded in the ICAP RESPMOD request (see http).
icap	Internet Content Adaptation Protocol	method_respmod_req	method_respmod_reqq_proto_icap	bytes	The HTTP method embedded in the ICAP RESPMOD request (see http).
icap	Internet Content Adaptation Protocol	code_respmod_req	code_respmod_reqq_proto_icap	uint32	The HTTP code embedded in the ICAP RESPMOD request (see http).
icmp	Internet Control Message Protocol	rtt	rttq_proto_icmp	string	Response time of a ping command.
icmp6	Internet Control Message Protocol for IP6	rtt	rttq_proto_icmp6	string	Response time of a ping command.
icmp6	Internet Control Message Protocol for IP6	link_layer_addr_type	link_layer_addr_typeq_proto_icmp6	uint32	Type of link-layer address (source or target).
icmp6	Internet Control Message Protocol for IP6	link_layer_mac_addr	link_layer_mac_addrq_proto_icmp6	string	Link-layer address in MAC format (if applicable).
icmp6	Internet Control Message Protocol for IP6	link_layer_eui64_addr	link_layer_eui64_addrq_proto_icmp6	uint64	Link-layer address in EUI64 format (if applicable).
icmp6	Internet Control Message Protocol for IP6	mtu	mtuq_proto_icmp6	uint32	Maximum transmission unit.
igmp	Internet Group Management Protocol	version	versionq_proto_igmp	uint32	Protocol version.
igmp	Internet Group Management Protocol	address	addressq_proto_igmp	string	Multicast address.
igmp	Internet Group Management Protocol	record_maddress	record_maddressq_proto_igmp	string	The multicast address in this record
imap	Internet Message Access Protocol version 4	method	methodq_proto_imap	bytes	Command sent by the client
imap	Internet Message Access Protocol version 4	server_response	server_responseq_proto_imap	bytes	First line of every server's tagged response, including pipe lined responses.
imap	Internet Message Access Protocol version 4	login	loginq_proto_imap	bytes	User's login string.
imap	Internet Message Access Protocol version 4	password	passwordq_proto_imap	bytes	User's password string.
imap	Internet Message Access Protocol version 4	subject	subjectq_proto_imap	bytes	Message subject.
imap	Internet Message Access Protocol version 4	date	dateq_proto_imap	bytes	Message date.
imap	Internet Message Access Protocol version 4	sender	senderq_proto_imap	bytes	Full address of email sender (alias followed by email address).
imap	Internet Message Access Protocol version 4	receiver	receiverq_proto_imap	bytes	Full address of email receiver (including cc and bcc receivers).
imap	Internet Message Access Protocol version 4	msglist_subject	msglist_subjectq_proto_imap	bytes	Message subject in a message list.
imap	Internet Message Access Protocol version 4	msglist_sender	msglist_senderq_proto_imap	bytes	Full address of email sender (alias and email address).
imap	Internet Message Access Protocol version 4	msglist_receiver	msglist_receiverq_proto_imap	bytes	Full address of email receiver in a message list.
imap	Internet Message Access Protocol version 4	msglist_mime_type	msglist_mime_typeq_proto_imap	bytes	Content type of the email.
imap	Internet Message Access Protocol version 4	msglist_attach_mime_type	msglist_attach_mime_typeq_proto_imap	bytes	Content type of the attachment (in a list).
imap	Internet Message Access Protocol version 4	msglist_attach_filename	msglist_attach_filenameq_proto_imap	bytes	Name of file attached to message (in a list).
imap	Internet Message Access Protocol version 4	user_agent	user_agentq_proto_imap	bytes	Name of the software used.
imap	Internet Message Access Protocol version 4	attach_filename	attach_filenameq_proto_imap	bytes	Attachment name.
imap	Internet Message Access Protocol version 4	file_type	file_typeq_proto_imap	bytes	Received or sent file content type (prefix-based pattern recognition) exchanged using this protocol.
imap	Internet Message Access Protocol version 4	request	requestq_proto_imap	bool	Parent entry, empty, for client request and server response.
imap	Internet Message Access Protocol version 4	msglist_entry	msglist_entryq_proto_imap	bool	Parent entry, for different elements belonging to the same message of a message list.
imap	Internet Message Access Protocol version 4	msglist_attach	msglist_attachq_proto_imap	bool	Parent entry for attached file in a list of emails.
imap	Internet Message Access Protocol version 4	sender_entry	sender_entryq_proto_imap	bool	Parent entry, for different elements belonging to the sender.
imap	Internet Message Access Protocol version 4	receiver_entry	receiver_entryq_proto_imap	bool	Parent entry, for different elements belonging to the email receiver.
imap	Internet Message Access Protocol version 4	msglist_sender_entry	msglist_sender_entryq_proto_imap	bool	Parent entry for a sender in a message list.
imap	Internet Message Access Protocol version 4	msglist_receiver_entry	msglist_receiver_entryq_proto_imap	bool	Parent entry for a receiver in a message list.
imap	Internet Message Access Protocol version 4	received	receivedq_proto_imap	bool	Parent entry, for fields added by each relay
imap	Internet Message Access Protocol version 4	msg_id	msg_idq_proto_imap	bytes	Identifier of the message.
imap	Internet Message Access Protocol version 4	attach_size	attach_sizeq_proto_imap	uint32	Attached file MIME size.
imap	Internet Message Access Protocol version 4	attach_type	attach_typeq_proto_imap	bytes	Content type of the sent attached file.
imap	Internet Message Access Protocol version 4	attach_size_decoded	attach_size_decodedq_proto_imap	uint32	Base64-decoded attached file content size in Bytes.
imap	Internet Message Access Protocol version 4	email_boundary	email_boundaryq_proto_imap	bytes	boundary used to separate different parts of the message body.
imap	Internet Message Access Protocol version 4	auth_type	auth_typeq_proto_imap	bytes	The type of used authentication.
imap	Internet Message Access Protocol version 4	ntlm_domain	ntlm_domainq_proto_imap	bytes	Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
imap	Internet Message Access Protocol version 4	ntlm_user	ntlm_userq_proto_imap	bytes	User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
imap	Internet Message Access Protocol version 4	ntlm_workstation	ntlm_workstationq_proto_imap	bytes	Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
imap	Internet Message Access Protocol version 4	ntlm_identifier	ntlm_identifierq_proto_imap	bytes	NTLM protocol Signature (null-terminated string).
imap	Internet Message Access Protocol version 4	ntlm_message_type	ntlm_message_typeq_proto_imap	uint32	NTLM message type.
imap	Internet Message Access Protocol version 4	resent_from	resent_fromq_proto_imap	bytes	Full address of the person for whom message is resent.
imap	Internet Message Access Protocol version 4	resent_from_email	resent_from_emailq_proto_imap	bytes	Email address of the person for whom message is resent.
imap	Internet Message Access Protocol version 4	resent_from_alias	resent_from_aliasq_proto_imap	bytes	Name of the person for whom message is resent.
imap	Internet Message Access Protocol version 4	resent_sender	resent_senderq_proto_imap	bytes	Full address of the person who has actually resent the message.
imap	Internet Message Access Protocol version 4	resent_sender_email	resent_sender_emailq_proto_imap	bytes	Email address of the person who has actually resent the message.
imap	Internet Message Access Protocol version 4	resent_sender_alias	resent_sender_aliasq_proto_imap	bytes	Name of the person who has actually resent the message.
imap	Internet Message Access Protocol version 4	msglist_msgid	msglist_msgidq_proto_imap	bytes	Message identifier.
imap	Internet Message Access Protocol version 4	msglist_receiver_type	msglist_receiver_typeq_proto_imap	bytes	Type of the email receiver.
imap	Internet Message Access Protocol version 4	msglist_boundary	msglist_boundaryq_proto_imap	bytes	boundary used to separate different parts of the message body.
imap	Internet Message Access Protocol version 4	msglist_content_transfer_encoding	msglist_content_transfer_encodingq_proto_imap	bytes	Contains the encoding of the content
imap	Internet Message Access Protocol version 4	msglist_mime_version	msglist_mime_versionq_proto_imap	bytes	Version of the message body format standard used in the mail protocol in a message list.
imap	Internet Message Access Protocol version 4	msglist_return_path	msglist_return_pathq_proto_imap	bytes	Return path in a message list.
imap	Internet Message Access Protocol version 4	msglist_resent_from	msglist_resent_fromq_proto_imap	bytes	Full address of the person for whom message is resent in a message list.
imap	Internet Message Access Protocol version 4	msglist_resent_from_alias	msglist_resent_from_aliasq_proto_imap	bytes	Name of the person for whom message is resent in a message list.
imap	Internet Message Access Protocol version 4	msglist_resent_from_email	msglist_resent_from_emailq_proto_imap	bytes	Email address of the person for whom message is resent in a message list.
imap	Internet Message Access Protocol version 4	msglist_resent_sender	msglist_resent_senderq_proto_imap	bytes	Full address of the person who has actually resent the message in a message list.
imap	Internet Message Access Protocol version 4	msglist_resent_sender_alias	msglist_resent_sender_aliasq_proto_imap	bytes	Name of the person who has actually resent the message in a message list.
imap	Internet Message Access Protocol version 4	msglist_resent_sender_email	msglist_resent_sender_emailq_proto_imap	bytes	Email address of the person who has actually resent the message in a message list.
imap	Internet Message Access Protocol version 4	attach_content_id	attach_content_idq_proto_imap	bytes	Attached file content identifier.
imap	Internet Message Access Protocol version 4	attach_content_desc	attach_content_descq_proto_imap	bytes	Descriptive information for the attached file content.
imap	Internet Message Access Protocol version 4	content_id	content_idq_proto_imap	bytes	Indicates the identifier of the email content.
imap	Internet Message Access Protocol version 4	content_desc	content_descq_proto_imap	bytes	Indicates the description of the email content.
imap	Internet Message Access Protocol version 4	received_by	received_byq_proto_imap	bytes	Contains the name of the receiving host.
imap	Internet Message Access Protocol version 4	msglist_received_from_name	msglist_received_from_nameq_proto_imap	bytes	Contains the sending host name
imap	Internet Message Access Protocol version 4	msglist_received_from_ip	msglist_received_from_ipq_proto_imap	string	Contains the IP address of the sending host name
imap	Internet Message Access Protocol version 4	msglist_received_by_name	msglist_received_by_nameq_proto_imap	bytes	Contains the receiving host name
imap	Internet Message Access Protocol version 4	msglist_received_by_ip	msglist_received_by_ipq_proto_imap	string	Contains the IP address of the receiving host name
imap	Internet Message Access Protocol version 4	msglist_received_with	msglist_received_withq_proto_imap	bytes	Contains the software used to send the email
imap	Internet Message Access Protocol version 4	msglist_received_date	msglist_received_dateq_proto_imap	bytes	Date when the transport service relayed the message
imap	Internet Message Access Protocol version 4	msglist_received_by	msglist_received_byq_proto_imap	bytes	Contains the name of the receiving host.
imap	Internet Message Access Protocol version 4	msglist_received_server_agent	msglist_received_server_agentq_proto_imap	bytes	Contains the name of the sever agent
imap	Internet Message Access Protocol version 4	mime_version	mime_versionq_proto_imap	bytes	Version of the message body format standard used in the mail protocol.
imap	Internet Message Access Protocol version 4	return_path	return_pathq_proto_imap	bytes	Message return path.
imap	Internet Message Access Protocol version 4	server_version	server_versionq_proto_imap	bytes	The version of the IMAP server. It is given by the CAPABILITY command server result.
imap	Internet Message Access Protocol version 4	flags	flagsq_proto_imap	bytes	A list of named tokens associated with the message.
imap	Internet Message Access Protocol version 4	request_line	request_lineq_proto_imap	bytes	Client-to-Server IMAP request full line.
imap	Internet Message Access Protocol version 4	trailer	trailerq_proto_imap	bytes	Optional data found after the advertised size of an email, ending with a ')', in a FETCH response.
imap	Internet Message Access Protocol version 4	server_response_line	server_response_lineq_proto_imap	bytes	First line of every server's untagged response, including pipe lined responses.
imp	Internet Messaging Program	attach_size	attach_sizeq_proto_imp	uint32	Attached file MIME size.
imp	Internet Messaging Program	date	dateq_proto_imp	bytes	Message date.
imp	Internet Messaging Program	action	actionq_proto_imp	bytes	Indicates if the message is read (Read) or composed (Compose).
imp	Internet Messaging Program	msglist_receiver_email	msglist_receiver_emailq_proto_imp	bytes	Email address of the email receiver.
imp	Internet Messaging Program	sender_email	sender_emailq_proto_imp	bytes	Email address of the email sender.
imp	Internet Messaging Program	msglist_subject	msglist_subjectq_proto_imp	bytes	Message subject in a message list.
imp	Internet Messaging Program	attach_type	attach_typeq_proto_imp	bytes	Content type of the sent attached file.
imp	Internet Messaging Program	subject	subjectq_proto_imp	bytes	Message subject.
imp	Internet Messaging Program	receiver_email	receiver_emailq_proto_imp	bytes	Email address of message receiver (included cc and bcc receivers).
imp	Internet Messaging Program	attach_filename	attach_filenameq_proto_imp	bytes	Attachment name.
imp	Internet Messaging Program	password	passwordq_proto_imp	bytes	User's password string.
imp	Internet Messaging Program	login	loginq_proto_imp	bytes	User's login string.
imp	Internet Messaging Program	session_id	session_idq_proto_imp	bytes	Uniquely identifies the current user session.
imp	Internet Messaging Program	version	versionq_proto_imp	bytes	IMP version deployed.
imp	Internet Messaging Program	msglist_sender_email	msglist_sender_emailq_proto_imp	bytes	Address of email sender.
ipp	Internet Printing Protocol	version	versionq_proto_ipp	bytes	Protocol version.
ip	Internet Protocol	fragment_buffered_count	fragment_buffered_countq_proto_ip	uint32	Number of segments that have been buffered for defragmentation
ip	Internet Protocol	fragment_buffered_size	fragment_buffered_sizeq_proto_ip	uint32	Sizes sum of segments that have been buffered for defragmentation
irc	Internet Relay Chat	login	loginq_proto_irc	bytes	User's login string.
irc	Internet Relay Chat	login_server	login_serverq_proto_irc	bytes	Concatenated login and server: <login>@<server>.
irc	Internet Relay Chat	nickname	nicknameq_proto_irc	bytes	User's alias.
irc	Internet Relay Chat	server	serverq_proto_irc	bytes	Server name to which the user is connected.
irc	Internet Relay Chat	message	messageq_proto_irc	bytes	Contains the chat message.
irc	Internet Relay Chat	sender	senderq_proto_irc	bytes	Contains the identity of the sender of a chat session or a file transfer.
irc	Internet Relay Chat	receiver	receiverq_proto_irc	bytes	Contains the identity of the receiver for a chat message or a file transfer.
irc	Internet Relay Chat	channel	channelq_proto_irc	bytes	Chat room name.
irc	Internet Relay Chat	mode_channel	mode_channelq_proto_irc	bytes	Name of the irc channel.
irc	Internet Relay Chat	mode_status	mode_statusq_proto_irc	bytes	Status of the irc channel.
irc	Internet Relay Chat	filename	filenameq_proto_irc	bytes	Name of the transferred file.
irc	Internet Relay Chat	file_identifier	file_identifierq_proto_irc	bytes	File correlation key.
irc	Internet Relay Chat	filesize	filesizeq_proto_irc	uint32	Size (byte) of the transferred file.
isakmp	Internet Security Association and Key Management Protocol	version	versionq_proto_isakmp	bytes	Protocol version.
isakmp	Internet Security Association and Key Management Protocol	life_duration	life_durationq_proto_isakmp	uint32	Life time of connection parameters.
isup	ISDN User Part	message_ts	message_tsq_proto_isup	string	Timestamp of ISUP message
isup	ISDN User Part	message_way	message_wayq_proto_isup	bytes	Way of message
isup	ISDN User Part	caller	callerq_proto_isup	bytes	Calling party number
isup	ISDN User Part	callee	calleeq_proto_isup	bytes	Called party number
isup	ISDN User Part	orig_point_code	orig_point_codeq_proto_isup	uint32	Originating Point Code
isup	ISDN User Part	dest_point_code	dest_point_codeq_proto_isup	uint32	Destination Point Code
isup	ISDN User Part	start_time	start_timeq_proto_isup	string	Start date of the call
isup	ISDN User Part	session_duration	session_durationq_proto_isup	string	Call session duration (elapsed time between the sending of SETUP command and the end of the communication)
isup	ISDN User Part	time_before_spk	time_before_spkq_proto_isup	string	Waiting delay before speak
isup	ISDN User Part	call_setup	call_setupq_proto_isup	string	Call setup delay.
isup	ISDN User Part	call_duration	call_durationq_proto_isup	string	Call duration
isup	ISDN User Part	call_id	call_idq_proto_isup	uint64	Internal unique call identifier
bmff	ISO Base Media File Format	video_type	video_typeq_proto_bmff	bytes	File format.
bmff	ISO Base Media File Format	video_brand	video_brandq_proto_bmff	bytes	Normalized video format specification identifier.
bmff	ISO Base Media File Format	video_duration	video_durationq_proto_bmff	uint32	Duration of the video in seconds.
bmff	ISO Base Media File Format	video_width	video_widthq_proto_bmff	uint32	Width of the video in pixels.
bmff	ISO Base Media File Format	video_height	video_heightq_proto_bmff	uint32	Height of the video in pixels.
bmff	ISO Base Media File Format	video_datarate	video_datarateq_proto_bmff	uint32	Video bitrate in kilobits per second.
bmff	ISO Base Media File Format	video_avgdatarate	video_avgdatarateq_proto_bmff	uint32	Average video bitrate in kilobits per second.
java_update	Java Update	type	typeq_proto_java_update	bytes	Version type of updated Java.
java_update	Java Update	new_version	new_versionq_proto_java_update	bytes	New version number returned by the server.
kakaotalk	KakaoTalk	mime_type	mime_typeq_proto_kakaotalk	bytes	Mime type of the file beeing transferred.
kakaotalk	KakaoTalk	filename	filenameq_proto_kakaotalk	bytes	Name of the transferred file.
kakaotalk	KakaoTalk	login	loginq_proto_kakaotalk	uint64	User's login string.
kakaotalk	KakaoTalk	service	serviceq_proto_kakaotalk	bytes	Current service identification string.
kakaotalk	KakaoTalk	service_duration_tv	service_duration_tvq_proto_kakaotalk	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
kakaotalk	KakaoTalk	service_duration	service_durationq_proto_kakaotalk	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
kaskus	Kaskus.co.id	query_text	query_textq_proto_kaskus	bytes	Query sent to the search engine.
kaskus	Kaskus.co.id	query_raw	query_rawq_proto_kaskus	bytes	Contains the query sent to the search engine as indicated in the URL.
kaskus	Kaskus.co.id	title	titleq_proto_kaskus	bytes	Title of the current page.
kazaa	Kazaa (FastTrack protocol)	mime_type	mime_typeq_proto_kazaa	bytes	Type of the downloaded file.
kazaa	Kazaa (FastTrack protocol)	filename	filenameq_proto_kazaa	bytes	Name of the transferred file.
kazaa	Kazaa (FastTrack protocol)	login	loginq_proto_kazaa	bytes	User's login string.
krb5	Kerberos	login	loginq_proto_krb5	bytes	User's login string.
krb5	Kerberos	service	serviceq_proto_krb5	bytes	Current service identification string.
krb5	Kerberos	server	serverq_proto_krb5	bytes	Name of the server requiring Kerberos authentication.
krb5	Kerberos	enc_data_type	enc_data_typeq_proto_krb5	uint32	Indicate type of Encrypted data (hash) sent in the AS-RQ message.
krb5	Kerberos	pa_data_type	pa_data_typeq_proto_krb5	uint32	PA-DATA type.
krb5	Kerberos	ticket_name_type	ticket_name_typeq_proto_krb5	uint32	Ticket name-type.
krb5	Kerberos	ticket_name	ticket_nameq_proto_krb5	bytes	Ticket name component.
krb5	Kerberos	realm	realmq_proto_krb5	bytes	Realm in KRB-ERROR message.
krb5	Kerberos	err_crealm	err_crealmq_proto_krb5	bytes	Realm in KRB-ERROR message.
krb5	Kerberos	err_realm	err_realmq_proto_krb5	bytes	Correct realm in KRB-ERROR message.
krb5	Kerberos	err_cname_type	err_cname_typeq_proto_krb5	uint32	KRB-ERROR cname type.
krb5	Kerberos	err_cname_name	err_cname_nameq_proto_krb5	bytes	KRB-ERROR message cname component.
krb5	Kerberos	err_sname_type	err_sname_typeq_proto_krb5	uint32	KRB-ERROR message server sname type.
krb5	Kerberos	err_sname_name	err_sname_nameq_proto_krb5	bytes	KRB-ERROR message server sname component.
krb5	Kerberos	err_text	err_textq_proto_krb5	bytes	KRB-ERROR message error description.
krb5	Kerberos	error_code	error_codeq_proto_krb5	uint32	Error code in KRB-ERROR message.
krb5	Kerberos	cname_type	cname_typeq_proto_krb5	uint32	cname type.
krb5	Kerberos	cname_string	cname_stringq_proto_krb5	bytes	string representation of cname.
laposte_webmail	La Poste Webmail	login	loginq_proto_laposte_webmail	bytes	User's login string.
l2tp	Layer 2 Tunneling Protocol	hostname	hostnameq_proto_l2tp	bytes	Name of the issuing LAC or LNS.
l2tp	Layer 2 Tunneling Protocol	vendor_name	vendor_nameq_proto_l2tp	bytes	Vendor specific string describing the type of LAC or LNS being used.
ldap	Lighweight Directory Access Protocol	message_type	message_typeq_proto_ldap	bytes	Message type.
ldap	Lighweight Directory Access Protocol	message_id	message_idq_proto_ldap	uint32	Message identification.
ldap	Lighweight Directory Access Protocol	name	nameq_proto_ldap	bytes	Name of the LDAP element, in the LDAP tree (RFC2251).
ldap	Lighweight Directory Access Protocol	hostname	hostnameq_proto_ldap	bytes	Hostname extracted from a logon response to a CLDAP searchRequest.
ldap	Lighweight Directory Access Protocol	krb5_message_type	krb5_message_typeq_proto_ldap	uint32	Message type.
ldap	Lighweight Directory Access Protocol	krb5_service	krb5_serviceq_proto_ldap	bytes	Service type.
ldap	Lighweight Directory Access Protocol	krb5_server	krb5_serverq_proto_ldap	bytes	Name of the server requiring Kerberos authentication.
ldap	Lighweight Directory Access Protocol	krb5_ticket_name	krb5_ticket_nameq_proto_ldap	bytes	Ticket name component.
ldap	Lighweight Directory Access Protocol	krb5_realm	krb5_realmq_proto_ldap	bytes	Realm in KRB-ERROR message.
ldap	Lighweight Directory Access Protocol	krb5_err_cname_name	krb5_err_cname_nameq_proto_ldap	bytes	KRB-ERROR message cname component.
ldap	Lighweight Directory Access Protocol	krb5_err_sname_name	krb5_err_sname_nameq_proto_ldap	bytes	KRB-ERROR message server sname component.
ldap	Lighweight Directory Access Protocol	krb5_err_text	krb5_err_textq_proto_ldap	bytes	KRB-ERROR message error description.
ldap	Lighweight Directory Access Protocol	sasl_len	sasl_lenq_proto_ldap	uint32	sasl buffer size in bytes.
line	Line	proto_version	proto_versionq_proto_line	bytes	Protocol version currently used by the client.
line	Line	call_byte_count	call_byte_countq_proto_line	uint32	(Deprecated) The count of bytes that were exchanged during the call.
line	Line	call_pkt_count	call_pkt_countq_proto_line	uint32	(Deprecated) The count of data packets that were exchanged during the call.
line	Line	service	serviceq_proto_line	bytes	Current service identification string.
line	Line	service_duration_tv	service_duration_tvq_proto_line	string	timeval structure indicating, when the service is ended, the length of it in seconds and microseconds.
line	Line	service_duration	service_durationq_proto_line	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds.
line	Line	service_id	service_idq_proto_line	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
line	Line	service_stats	service_statsq_proto_line	bytes	Composite attribute containing the packet metrics used for each new service type detection, extracting when performing STATISTICAL detection method only. Note: this attribute won't be extracted in case of session expiration (eg. when the current service is not ended properly by the user).
lpr	Line Printer Remote	login	loginq_proto_lpr	bytes	User's login string.
lpr	Line Printer Remote	server	serverq_proto_lpr	bytes	Name of the machine that sent a file to print.
lpr	Line Printer Remote	job	jobq_proto_lpr	bytes	Name of the printed file.
linkedin	LinkedIn	receiver_email	receiver_emailq_proto_linkedin	bytes	Email address of message receiver (included cc and bcc receivers).
linkedin	LinkedIn	sender_email	sender_emailq_proto_linkedin	bytes	Email address of the email sender.
linkedin	LinkedIn	query_text	query_textq_proto_linkedin	bytes	Query sent to the search engine.
linkedin	LinkedIn	folder	folderq_proto_linkedin	bytes	Indicates the directory from where messages are read.
linkedin	LinkedIn	subject	subjectq_proto_linkedin	bytes	Message subject.
linkedin	LinkedIn	msglist_subject	msglist_subjectq_proto_linkedin	bytes	Message subject in a message list.
linkedin	LinkedIn	msglist_sender	msglist_senderq_proto_linkedin	bytes	Full address of email sender (alias and email address).
linkedin	LinkedIn	msglist_folder	msglist_folderq_proto_linkedin	bytes	Indicates the directory from a message list.
linkedin	LinkedIn	login	loginq_proto_linkedin	bytes	User's login string.
livemail_mobile	Live hotmail for mobile	receiver_email	receiver_emailq_proto_livemail_mobile	bytes	Email address of message receiver (included cc and bcc receivers).
livemail_mobile	Live hotmail for mobile	sender_email	sender_emailq_proto_livemail_mobile	bytes	Email address of the email sender.
livemail_mobile	Live hotmail for mobile	login	loginq_proto_livemail_mobile	bytes	User's login string.
livemail_mobile	Live hotmail for mobile	msglist_sender_email	msglist_sender_emailq_proto_livemail_mobile	bytes	Address of email sender.
livemail_mobile	Live hotmail for mobile	msglist_subject	msglist_subjectq_proto_livemail_mobile	bytes	Message subject in a message list.
livemail_mobile	Live hotmail for mobile	attach_filename	attach_filenameq_proto_livemail_mobile	bytes	Attachment name.
livemail_mobile	Live hotmail for mobile	subject	subjectq_proto_livemail_mobile	bytes	Message subject.
livemail_mobile	Live hotmail for mobile	action	actionq_proto_livemail_mobile	bytes	Indicates if the message is read (Read) or composed (Compose).
livemail_mobile	Live hotmail for mobile	attach_size	attach_sizeq_proto_livemail_mobile	uint32	Attached file MIME size.
lotusnotes	Lotus Notes	login	loginq_proto_lotusnotes	bytes	User's login string.
lotusnotes	Lotus Notes	organization	organizationq_proto_lotusnotes	bytes	Organization.
lotusnotes	Lotus Notes	service	serviceq_proto_lotusnotes	bytes	Current service identification string.
lotusnotes	Lotus Notes	version	versionq_proto_lotusnotes	bytes	Client version.
lotusnotes	Lotus Notes	subject	subjectq_proto_lotusnotes	bytes	Message subject.
lotusnotes	Lotus Notes	mime_version	mime_versionq_proto_lotusnotes	bytes	MIME version.
lotusnotes	Lotus Notes	msg_id	msg_idq_proto_lotusnotes	bytes	Identifier of the message.
lotusnotes	Lotus Notes	replyto	replytoq_proto_lotusnotes	bytes	Email address to use in a reply for this message.
lotusnotes	Lotus Notes	header_name	header_nameq_proto_lotusnotes	bytes	Lotusnotes header name (used for the Email service).
lotusnotes	Lotus Notes	header_value	header_valueq_proto_lotusnotes	bytes	Lotusnotes header value (used for the Email service).
lotusnotes	Lotus Notes	sender_alias	sender_aliasq_proto_lotusnotes	bytes	Name of the email sender.
lotusnotes	Lotus Notes	sender_email	sender_emailq_proto_lotusnotes	bytes	Email address of the email sender.
lotusnotes	Lotus Notes	receiver_alias	receiver_aliasq_proto_lotusnotes	bytes	Name of email receiver (included cc and bcc receivers).
lotusnotes	Lotus Notes	receiver_email	receiver_emailq_proto_lotusnotes	bytes	Email address of message receiver (included cc and bcc receivers).
lotusnotes	Lotus Notes	receiver_type	receiver_typeq_proto_lotusnotes	bytes	Type of the email receiver.
lotusnotes	Lotus Notes	attach_id	attach_idq_proto_lotusnotes	bytes	Attachment identifier.
lotusnotes	Lotus Notes	attach_filename	attach_filenameq_proto_lotusnotes	bytes	Attachment name.
lotusnotes	Lotus Notes	attach_size	attach_sizeq_proto_lotusnotes	uint32	Attached file MIME size.
lotusnotes	Lotus Notes	attach_compress	attach_compressq_proto_lotusnotes	bytes	The compression method used for the attached file download.
lotusnotes	Lotus Notes	attach_content_seq	attach_content_seqq_proto_lotusnotes	uint32	Sequence number of a attach file part.
lotusnotes	Lotus Notes	attach_content_size	attach_content_sizeq_proto_lotusnotes	uint32	Size of a attach file part.
mplus_messenger	M+ Messenger	service_id	service_idq_proto_mplus_messenger	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
mplus_messenger	M+ Messenger	service	serviceq_proto_mplus_messenger	bytes	Current service identification string.
mashare	Ma-Share.com	action	actionq_proto_mashare	bytes	Indicates the action executed by the user.
mashare	Ma-Share.com	filename	filenameq_proto_mashare	bytes	Name of the transferred file.
mailru_agent	Mail.ru Agent	msg_receiver	msg_receiverq_proto_mailru_agent	bytes	The person who chat or voice is done with
mailru_agent	Mail.ru Agent	msg	msgq_proto_mailru_agent	bytes	Exchanged message during a chat
mailru_agent	Mail.ru Agent	im_action	im_actionq_proto_mailru_agent	bytes	Action of the user.
mailru_agent	Mail.ru Agent	user	userq_proto_mailru_agent	bytes	Application user name.
mailru	Mail.ru Webmail	sender_email	sender_emailq_proto_mailru	bytes	Email address of the email sender.
mailru	Mail.ru Webmail	subject	subjectq_proto_mailru	bytes	Message subject.
mailru	Mail.ru Webmail	receiver_email	receiver_emailq_proto_mailru	bytes	Email address of message receiver (included cc and bcc receivers).
mailru	Mail.ru Webmail	msglist_subject	msglist_subjectq_proto_mailru	bytes	Message subject in a message list.
mailru	Mail.ru Webmail	msglist_receiver_email	msglist_receiver_emailq_proto_mailru	bytes	Email address of the email receiver.
mailru	Mail.ru Webmail	msglist_sender_email	msglist_sender_emailq_proto_mailru	bytes	Address of email sender.
mailru	Mail.ru Webmail	login	loginq_proto_mailru	bytes	User's login string.
mailru	Mail.ru Webmail	attach_filename	attach_filenameq_proto_mailru	bytes	Attachment name.
mailru	Mail.ru Webmail	action	actionq_proto_mailru	bytes	Indicates if the message is read (Read) or composed (Compose).
mandriva_update	Mandriva Update	package_name	package_nameq_proto_mandriva_update	bytes	Name of the downloaded package.
mandriva_update	Mandriva Update	package_version	package_versionq_proto_mandriva_update	bytes	Version number of the downloaded package.
mandriva_update	Mandriva Update	package_archi	package_archiq_proto_mandriva_update	bytes	Archi of package.
mandriva_update	Mandriva Update	package_distrib	package_distribq_proto_mandriva_update	bytes	Version of the currently upgraded-distribution
mms_iso	Manufacturing Message Specification (ISO 9506 )	service_tag	service_tagq_proto_mms_iso	uint32	Returns the decimal value of the Encoded Tag" indicating which service/function is called (read,write, ...). See table "MMS Confirmed Services TAG" in http://www.c-epc.com/Technological%20data/mms/Mmsenc3.pdf."
mms_iso	Manufacturing Message Specification (ISO 9506 )	service_raw	service_rawq_proto_mms_iso	uint32	Returns the raw value of the Encoded Tag" (ASN1) indicating which service/function is called (read,write, ...). See table "MMS Confirmed Services TAG" in http://www.c-epc.com/Technological%20data/mms/Mmsenc3.pdf"
mgcp	Media Gateway Control Protocol	method	methodq_proto_mgcp	bytes	The command
mgcp	Media Gateway Control Protocol	endpoint	endpointq_proto_mgcp	bytes	Handset identifier
mgcp	Media Gateway Control Protocol	version	versionq_proto_mgcp	bytes	Protocol version
mgcp	Media Gateway Control Protocol	tid	tidq_proto_mgcp	uint32	Transaction identifier
mgcp	Media Gateway Control Protocol	code	codeq_proto_mgcp	uint32	Return code of a query
mgcp	Media Gateway Control Protocol	packets_sent	packets_sentq_proto_mgcp	uint32	Number of RTP packets sent
mgcp	Media Gateway Control Protocol	octets_sent	octets_sentq_proto_mgcp	uint32	Number of RTP octets sent
mgcp	Media Gateway Control Protocol	packets_received	packets_receivedq_proto_mgcp	uint32	Number of RTP packets received
mgcp	Media Gateway Control Protocol	octets_received	octets_receivedq_proto_mgcp	uint32	Number of RTP octets received
mgcp	Media Gateway Control Protocol	packets_lost	packets_lostq_proto_mgcp	uint32	Number of lost RTP packets
mgcp	Media Gateway Control Protocol	jitter	jitterq_proto_mgcp	uint32	Observed Jitter for RTP packets
mgcp	Media Gateway Control Protocol	latency	latencyq_proto_mgcp	uint32	Observed latency for RTP packets
mgcp	Media Gateway Control Protocol	call_duration	call_durationq_proto_mgcp	string	Call duration.
mgcp	Media Gateway Control Protocol	session_duration	session_durationq_proto_mgcp	string	Call setup duration.
mgcp	Media Gateway Control Protocol	phone_number	phone_numberq_proto_mgcp	bytes	The phone number.
mgcp	Media Gateway Control Protocol	event	eventq_proto_mgcp	bytes	Observed events
mgcp	Media Gateway Control Protocol	message_type	message_typeq_proto_mgcp	bytes	The message type
mgcp	Media Gateway Control Protocol	call_way	call_wayq_proto_mgcp	bytes	The call Way (In, Out)
mgcp	Media Gateway Control Protocol	start_time	start_timeq_proto_mgcp	string	Start date of the call.
mgcp	Media Gateway Control Protocol	mode	modeq_proto_mgcp	bytes	Contains the connection mode (sendrcv, recvonly, ...)
mgcp	Media Gateway Control Protocol	notifiedEntity	notifiedentityq_proto_mgcp	bytes	Contains the identity of the notified identity
mgcp	Media Gateway Control Protocol	media_type	media_typeq_proto_mgcp	bytes	Contains the media type.
mgcp	Media Gateway Control Protocol	media_proto	media_protoq_proto_mgcp	bytes	Protocol used in client stream.
mgcp	Media Gateway Control Protocol	media_format	media_formatq_proto_mgcp	uint32	Client's protocol formats available.
mgcp	Media Gateway Control Protocol	signal	signalq_proto_mgcp	bytes	Contains the received/sent signal
mgcp	Media Gateway Control Protocol	digitmap	digitmapq_proto_mgcp	bytes	Contains the digitmap
mgcp	Media Gateway Control Protocol	caller	callerq_proto_mgcp	bytes	Contains the identity (or the phone number) of the initiator of the call.
mgcp	Media Gateway Control Protocol	callee	calleeq_proto_mgcp	bytes	Contains the identity (or the phone number) of the called party for a call.
mgcp	Media Gateway Control Protocol	connection_id	connection_idq_proto_mgcp	bytes	Connection identifier
mgcp	Media Gateway Control Protocol	media_attr_type	media_attr_typeq_proto_mgcp	uint32	Contains the media type (audio or video).
mgcp	Media Gateway Control Protocol	media_attr_encoding	media_attr_encodingq_proto_mgcp	bytes	The encoding of media data.
mgcp	Media Gateway Control Protocol	media_attr_rate	media_attr_rateq_proto_mgcp	bytes	The encoding rate.
mgcp	Media Gateway Control Protocol	media_attr_param	media_attr_paramq_proto_mgcp	bytes	Session attribute value.
mgcp	Media Gateway Control Protocol	media_attr_label	media_attr_labelq_proto_mgcp	bytes	Name of the described session attribute.
mgcp	Media Gateway Control Protocol	media_attr_addr	media_attr_addrq_proto_mgcp	string	The mentioned IPv4 address to be used.
mgcp	Media Gateway Control Protocol	media_attr_channel	media_attr_channelq_proto_mgcp	bytes	The channel value.
mgcp	Media Gateway Control Protocol	media_attr_transport	media_attr_transportq_proto_mgcp	bytes	The transport protocol (TCP or UDP).
mgcp	Media Gateway Control Protocol	media_attr_value	media_attr_valueq_proto_mgcp	bytes	Line value of the media attribute.
mgcp	Media Gateway Control Protocol	call_id	call_idq_proto_mgcp	bytes	Call id, extracted for each call.
msrp	Message Session Relay Protocol	session_id	session_idq_proto_msrp	bytes	Uniquely identifies the current user session.
msrp	Message Session Relay Protocol	authority	authorityq_proto_msrp	bytes	The authority component of the MSRP URI.
msrp	Message Session Relay Protocol	uri	uriq_proto_msrp	bytes	The MSRP URI.
msrp	Message Session Relay Protocol	path_type	path_typeq_proto_msrp	bytes	path_entry attribute type.
mms	Microsoft Multimedia Streaming	filename	filenameq_proto_mms	bytes	Name of the file currently broadcasted.
lync	Microsoft Skype for Business (Desktop)	service_id	service_idq_proto_lync	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
lync	Microsoft Skype for Business (Desktop)	service	serviceq_proto_lync	bytes	Current service identification string.
ms_teams	Microsoft teams	service	serviceq_proto_ms_teams	bytes	Current service identification string, v5 only.
ms_teams	Microsoft teams	service_id	service_idq_proto_ms_teams	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer), v5 only.
ms_teams	Microsoft teams	service_duration	service_durationq_proto_ms_teams	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds, v5 only.
ms_teams	Microsoft teams	service_duration_tv	service_duration_tvq_proto_ms_teams	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds, v5 only.
modbus	Modbus	protocol_id	protocol_idq_proto_modbus	uint32	Protocol ID. Modbus protocol is identified by the value 0.
modbus	Modbus	length	lengthq_proto_modbus	uint32	The length field is a byte count of the following fields, including the Unit Identifier and data fields.
modbus	Modbus	transaction_id	transaction_idq_proto_modbus	uint32	Transaction Identifier set by the client to uniquely identify each request. Used for transaction pairing.
modbus	Modbus	function_subcode	function_subcodeq_proto_modbus	uint32	The function subcode specifies the modbus function_code action.
modbus	Modbus	starting_address	starting_addressq_proto_modbus	uint32	The data address of the first coil or register.
modbus	Modbus	quantity_of_coils	quantity_of_coilsq_proto_modbus	uint32	Total number of coils requested.
modbus	Modbus	output_address	output_addressq_proto_modbus	uint32	The data address of the coil or register.
modbus	Modbus	output_value	output_valueq_proto_modbus	uint32	Value to write.
modbus	Modbus	quantity_of_outputs	quantity_of_outputsq_proto_modbus	uint32	The number of coils or registers to write.
modbus	Modbus	byte_count	byte_countq_proto_modbus	uint32	The number of data bytes to follow.
modbus	Modbus	file_number	file_numberq_proto_modbus	uint32	Identifier of the file.
modbus	Modbus	record_number	record_numberq_proto_modbus	uint32	Starting record number within the file.
modbus	Modbus	record_length	record_lengthq_proto_modbus	uint32	The length of the record to be read.
modbus	Modbus	reference_address	reference_addressq_proto_modbus	uint32	Address of the reference.
modbus	Modbus	and_mask	and_maskq_proto_modbus	uint32	AND mask applied when writing the data of the register.
modbus	Modbus	or_mask	or_maskq_proto_modbus	uint32	OR mask applied when writing the data of the register.
modbus	Modbus	fifo_pointer_address	fifo_pointer_addressq_proto_modbus	uint32	Queue content address.
modbus	Modbus	fifo_count	fifo_countq_proto_modbus	uint32	Quantity of data registers in the queue.
modbus	Modbus	output_data	output_dataq_proto_modbus	uint32	Exception status outputs, packed into one byte (one bit per output).
modbus	Modbus	status	statusq_proto_modbus	uint32	Response status word.
modbus	Modbus	event_count	event_countq_proto_modbus	uint32	Event counter.
modbus	Modbus	message_count	message_countq_proto_modbus	uint32	Quantity of messages processed by the remote device.
modbus_rtu	Modbus Remote Terminal Unit	slave_addr	slave_addrq_proto_modbus_rtu	uint32	Value of slave address field.
modbus_rtu	Modbus Remote Terminal Unit	crc	crcq_proto_modbus_rtu	uint32	CRC Checksum field.
mongodb	Mongodb Protocol	request_message_length	request_message_lengthq_proto_mongodb	uint32	Mongodb request length
mongodb	Mongodb Protocol	request_request_id	request_request_idq_proto_mongodb	uint32	Unique identifiant of the request
mongodb	Mongodb Protocol	request_response_id	request_response_idq_proto_mongodb	uint32	Unique identifiant of the response
mongodb	Mongodb Protocol	request_op_code	request_op_codeq_proto_mongodb	uint32	Type of message
mongodb	Mongodb Protocol	response_message_length	response_message_lengthq_proto_mongodb	uint32	Mongodb response length
mongodb	Mongodb Protocol	response_request_id	response_request_idq_proto_mongodb	uint32	Unique identifiant of the response
mongodb	Mongodb Protocol	response_response_id	response_response_idq_proto_mongodb	uint32	Unique identifiant of the request
mongodb	Mongodb Protocol	response_op_code	response_op_codeq_proto_mongodb	uint32	Type of message
mount	Mount	flavor	flavorq_proto_mount	uint32	Authentification supported by the server
mount	Mount	flavors	flavorsq_proto_mount	uint32	Number of authentification flavors supported by the server
mount	Mount	length_fhandle	length_fhandleq_proto_mount	uint32	Length of the file handle
mount	Mount	status	statusq_proto_mount	uint32	Information status on the request process.
mount	Mount	path_value	path_valueq_proto_mount	bytes	Value of the data path string.
mount	Mount	path_length	path_lengthq_proto_mount	uint32	Length of the data path string.
mpegts	MPEG-Transport Stream	chunk_len	chunk_lenq_proto_mpegts	uint32	Data length.
mqtt	MQ Telemetry Transport	protocol_name	protocol_nameq_proto_mqtt	bytes	Name of the protocol encoded in UTF-8. Should not contain NULL character.
mqtt	MQ Telemetry Transport	client_id	client_idq_proto_mqtt	bytes	Client identifier. In MQTT 3.1 it cannot exceed 23 bytes while in 3.1.1 it can exceed this limit but will be limited to 65536 bytes as any other string value of MQTT.
mqtt	MQ Telemetry Transport	topic	topicq_proto_mqtt	bytes	Name of the topic to which the client subscribes.
mapi	MS Exchange Message API	login	loginq_proto_mapi	bytes	User's login string.
mapi	MS Exchange Message API	login_server	login_serverq_proto_mapi	bytes	Concatenated login and server: <login>@<server>.
mapi	MS Exchange Message API	host	hostq_proto_mapi	bytes	Client's hostname.
mapi	MS Exchange Message API	domain	domainq_proto_mapi	bytes	Network domain of the client.
mapi	MS Exchange Message API	action	actionq_proto_mapi	bytes	Indicates if the message is read (Read) or composed (Compose).
mapi	MS Exchange Message API	attach_size	attach_sizeq_proto_mapi	uint32	Attached file MIME size.
mapi	MS Exchange Message API	attach_filename	attach_filenameq_proto_mapi	bytes	Attachment name (UTF-16).
mapi	MS Exchange Message API	msg_id	msg_idq_proto_mapi	bytes	Identifier of the message.
msn	MSN Messenger	login	loginq_proto_msn	bytes	User's login string.
msn	MSN Messenger	sender	senderq_proto_msn	bytes	Contains the identity of the sender of a chat session or a file transfer.
msn	MSN Messenger	receiver	receiverq_proto_msn	bytes	Contains the identity of the receiver for a chat message or a file transfer.
msn	MSN Messenger	message	messageq_proto_msn	bytes	Contains the chat message.
msn	MSN Messenger	file_sender	file_senderq_proto_msn	bytes	Contains the identity of the sender of a file transfer.
msn	MSN Messenger	file_receiver	file_receiverq_proto_msn	bytes	Contains the identity of the receiver for a file transfer.
msn	MSN Messenger	filename	filenameq_proto_msn	bytes	Name of the transferred file.
msn	MSN Messenger	contact_login	contact_loginq_proto_msn	bytes	Contact login.
msn_search	MSN Search	query_text	query_textq_proto_msn_search	bytes	Query sent to the search engine.
msn_search	MSN Search	query_raw	query_rawq_proto_msn_search	bytes	Contains the query sent to the search engine as indicated in the URL.
mmse	MultiMedia Messages Encapsulation	receiver	receiverq_proto_mmse	bytes	MMS receiver.
mmse	MultiMedia Messages Encapsulation	nb_receiver	nb_receiverq_proto_mmse	uint32	Number of receiver for the same MMS.
mmse	MultiMedia Messages Encapsulation	version	versionq_proto_mmse	bytes	Protocol version.
mmse	MultiMedia Messages Encapsulation	tid	tidq_proto_mmse	bytes	Transaction identifier.
mmse	MultiMedia Messages Encapsulation	sender	senderq_proto_mmse	bytes	MMS sender.
mmse	MultiMedia Messages Encapsulation	subject	subjectq_proto_mmse	bytes	MMS subject.
mmse	MultiMedia Messages Encapsulation	content_type	content_typeq_proto_mmse	bytes	The content type of the message.
mmse	MultiMedia Messages Encapsulation	message_id	message_idq_proto_mmse	bytes	A unique reference assigned to the message. The ID enables a client to match delivery reports with previously sent messages.
mmse	MultiMedia Messages Encapsulation	content_location	content_locationq_proto_mmse	bytes	Specifies a reference to the stored version of the MM that can be retrieved or can be used to obtain information about the MM using the WSP/HTTP GET or M-Mbox-View-req.
mmse	MultiMedia Messages Encapsulation	response_status_code	response_status_codeq_proto_mmse	uint32	It is used by the originating MMS Proxy-Relay to inform the MMS Client, which has performed a submission or a forward the result of that particular operation.
mmse	MultiMedia Messages Encapsulation	response_status_text	response_status_textq_proto_mmse	bytes	Description which qualifies the response_status_code. The description may be based on the on the status code names contained in RFC1893.
mmse	MultiMedia Messages Encapsulation	message_sz	message_szq_proto_mmse	uint32	Full size of message in octets.
mmse	MultiMedia Messages Encapsulation	content_part_type	content_part_typeq_proto_mmse	bytes	Message sub-part type.
mmse	MultiMedia Messages Encapsulation	content_part_id	content_part_idq_proto_mmse	bytes	Message sub-part ID.
mmse	MultiMedia Messages Encapsulation	content_part_filename	content_part_filenameq_proto_mmse	bytes	Name of the file containing the current message sub-part data.
mute	Mute	peer_info	peer_infoq_proto_mute	uint32	Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.
myspace	MySpace.com	query_raw	query_rawq_proto_myspace	bytes	Contains the query sent to the search engine as indicated in the URL.
myspace	MySpace.com	query_text	query_textq_proto_myspace	bytes	Query sent to the search engine.
myspace	MySpace.com	login	loginq_proto_myspace	bytes	User's login string.
mysql	MySQL Protocol	login	loginq_proto_mysql	bytes	User's login string.
mysql	MySQL Protocol	base	baseq_proto_mysql	bytes	Database name.
mysql	MySQL Protocol	query	queryq_proto_mysql	bytes	SQL query sent by the client.
mysql	MySQL Protocol	sqlstate_code	sqlstate_codeq_proto_mysql	bytes	SQL error code.
mysql	MySQL Protocol	query_id	query_idq_proto_mysql	bytes	Request identifier. It is used to correlate SQL queries with query parameter values (Bind Variables).
mysql	MySQL Protocol	number_columns	number_columnsq_proto_mysql	uint64	Column count in the result data set retrieved from server after a SQL query.
mysql	MySQL Protocol	number_rows	number_rowsq_proto_mysql	uint32	Row count in the result data set retrieved from server after a SQL query.
mysql	MySQL Protocol	variable_id	variable_idq_proto_mysql	bytes	Query parameter (Bind Variable) identifier within a SQL request.
mysql	MySQL Protocol	variable_type	variable_typeq_proto_mysql	bytes	Data type of a SQL query parameter (Bind Variable).
mysql	MySQL Protocol	error	errorq_proto_mysql	bytes	Error message associated to a request.
mysql	MySQL Protocol	error_code	error_codeq_proto_mysql	uint32	Error code associated to a request.
netbios	Netbios	caller	callerq_proto_netbios	bytes	Name of the caller.
netbios	Netbios	callee	calleeq_proto_netbios	bytes	Name of the called member.
nbns	Netbios Name Service	service	serviceq_proto_nbns	bytes	Current service identification string.
nbns	Netbios Name Service	query	queryq_proto_nbns	bytes	Queried name (QUESTION_NAME) in a request.
nbns	Netbios Name Service	transaction_id	transaction_idq_proto_nbns	uint32	Name service transaction identifier.
nbns	Netbios Name Service	message_type	message_typeq_proto_nbns	bytes	NBNS message type.
nbns	Netbios Name Service	record_name	record_nameq_proto_nbns	bytes	First answered resource record name (RR_NAME) in a response.
netbsd_update	NetBSD Updates	package_name	package_nameq_proto_netbsd_update	bytes	Software package name.
netflix	Netflix.com	login	loginq_proto_netflix	bytes	User's login string.
netflix	Netflix.com	title	titleq_proto_netflix	bytes	Title of the movie.
netflix	Netflix.com	description	descriptionq_proto_netflix	bytes	Synopsis of the movie.
netlog	Netlog.com	login	loginq_proto_netlog	bytes	User's login string.
nfs	Network File System	version	versionq_proto_nfs	bytes	Used version
nfs	Network File System	filename	filenameq_proto_nfs	bytes	Accessed, written or read file name.
nfs	Network File System	offset	offsetq_proto_nfs	uint64	Offset of the written/read file. Extracted on READ and WRITE procedure replies.
nfs	Network File System	filesize	filesizeq_proto_nfs	uint64	Size of the file.
nfs	Network File System	uid	uidq_proto_nfs	uint32	Generic user ID.
nfs	Network File System	gid	gidq_proto_nfs	uint32	Identifier of the file owner's group (see page 21 of RFC 1813).
nfs	Network File System	mode	modeq_proto_nfs	uint32	Protection mode bits (see page 22 of RFC 1813).
nfs	Network File System	type_string	type_stringq_proto_nfs	bytes	File type (see page 19 of RFC 1813).
nfs	Network File System	current_state	current_stateq_proto_nfs	bytes	Indicate RENAME procedure filename state.
nfs	Network File System	symlink_name	symlink_nameq_proto_nfs	bytes	Indicate the symbolic link name on SYMLINK procedure.
nfs4	Network File System version 4.0	filename	filenameq_proto_nfs4	bytes	Accessed, written or read file name. Extracted on operations CREATE, OPEN, READDIR, RENAME, REMOVE, LOOKUP, SECINFO
nfs4	Network File System version 4.0	filesize	filesizeq_proto_nfs4	uint64	Size of the file.
nfs4	Network File System version 4.0	symlink_name	symlink_nameq_proto_nfs4	bytes	Indicate the symbolic link name on operations LINK and READLINK.
nfs4	Network File System version 4.0	mode	modeq_proto_nfs4	uint32	Protection mode bits (RFC 7530 section 6.2.2).
nfs4	Network File System version 4.0	offset	offsetq_proto_nfs4	uint64	Offset of the written/read file. Extracted on READ, WRITE, LOCK, LOCKU, LOCKT and COMMIT operations calls.
nntp	Network News Transport Protocol	sender	senderq_proto_nntp	bytes	Full address of email sender (alias followed by email address).
nntp	Network News Transport Protocol	newsgroup	newsgroupq_proto_nntp	bytes	Newsgroup name.
nntp	Network News Transport Protocol	subject	subjectq_proto_nntp	bytes	Message subject.
nntp	Network News Transport Protocol	login	loginq_proto_nntp	bytes	User's login string.
nntp	Network News Transport Protocol	password	passwordq_proto_nntp	bytes	User's password string.
nntp	Network News Transport Protocol	attach_filename	attach_filenameq_proto_nntp	bytes	Attachment name.
ntp	Network Time Protocol	reference_clock	reference_clockq_proto_ntp	string	Reference clock IP address.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	query_text	query_textq_proto_niconico_douga	bytes	Decoded query text.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	query_raw	query_rawq_proto_niconico_douga	bytes	Query in raw HTML
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	video_duration	video_durationq_proto_niconico_douga	bytes	Duration of the video in seconds.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	videoid	videoidq_proto_niconico_douga	bytes	Nico nico video identifier.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	tag	tagq_proto_niconico_douga	bytes	Video tag.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	title	titleq_proto_niconico_douga	bytes	Title of the video.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	description	descriptionq_proto_niconico_douga	bytes	Synopsis of the video.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	date	dateq_proto_niconico_douga	bytes	Release date of the video.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	nickname	nicknameq_proto_niconico_douga	bytes	User nickname.
niconico_douga	Nicovideo.jp (aka Nico Nico Douga)	login	loginq_proto_niconico_douga	bytes	User's login string.
odnoklassniki	Odnoklassniki.ru	group_name	group_nameq_proto_odnoklassniki	bytes	Name of the group the user has subscribed to.
odnoklassniki	Odnoklassniki.ru	login	loginq_proto_odnoklassniki	bytes	User's login string.
oovoo	Oovoo	login	loginq_proto_oovoo	bytes	User's login string.
ospf	Open Shortest Path First	netmask	netmaskq_proto_ospf	string	The network mask associated with this interface.
ospf	Open Shortest Path First	dead_interval	dead_intervalq_proto_ospf	uint32	The number of seconds before declaring a silent router down.
ospf	Open Shortest Path First	designed_router	designed_routerq_proto_ospf	string	The identity of the Designated Router for this network, in the view of the sending router>.
ospf	Open Shortest Path First	backup_router	backup_routerq_proto_ospf	string	The identity of the Backup Designated Router for this network, in the view of the sending router.
ospf	Open Shortest Path First	neighbor	neighborq_proto_ospf	string	The Router IDs of each router from whom valid Hello packets have been seen recently on the network.
ospf	Open Shortest Path First	ls_type	ls_typeq_proto_ospf	uint32	The type of the LSA.
ospf	Open Shortest Path First	ls_id	ls_idq_proto_ospf	string	This field identifies the portion of the internet environment that is being described by the LSA.
ospf	Open Shortest Path First	ls_adv_router	ls_adv_routerq_proto_ospf	string	The Router ID of the router that originated the LSA.
ospf	Open Shortest Path First	ls_seq_number	ls_seq_numberq_proto_ospf	uint32	Detects old or duplicate LSAs.
ospf	Open Shortest Path First	ls_netmask	ls_netmaskq_proto_ospf	string	The IP address mask for the network.
ospf	Open Shortest Path First	ls_metric	ls_metricq_proto_ospf	uint32	The cost of this route.
ospf	Open Shortest Path First	ls_attach_router	ls_attach_routerq_proto_ospf	string	The Router IDs of each of the routers attached to the network.
ospf	Open Shortest Path First	link_id	link_idq_proto_ospf	string	Identifies the object that this router link connects to.
ospf	Open Shortest Path First	link_data	link_dataq_proto_ospf	string	For connections to stub networks, Link Data specifies the network's IP address mask. For unnumbered point-to-point connections, it specifies the interface's MIB-II [Ref8] ifIndex value. For the other link types it specifies the router interface's IP address.
ospf	Open Shortest Path First	dd_seq_nbr	dd_seq_nbrq_proto_ospf	uint32	Used to sequence the collection of Database Description Packets.
ospf	Open Shortest Path First	external_fwd_addr	external_fwd_addrq_proto_ospf	string	Data traffic for the advertised destination will be forwarded to this address.
ospf	Open Shortest Path First	external_route_tag	external_route_tagq_proto_ospf	uint32	A 32-bit field attached to each external route.
openbsd_update	OpenBSD Updates	package_name	package_nameq_proto_openbsd_update	bytes	Software package name.
openvpn	OpenVPN	seq	seqq_proto_openvpn	uint32	Sequence number
opera_update	Opera Update	new_version	new_versionq_proto_opera_update	bytes	New version of Opera which will be installed.
opera_update	Opera Update	current_version	current_versionq_proto_opera_update	bytes	Opera version currently installed.
orangemail	Orange webmail	attach_filename	attach_filenameq_proto_orangemail	bytes	Attachment name.
orangemail	Orange webmail	receiver_email	receiver_emailq_proto_orangemail	bytes	Email address of message receiver (included cc and bcc receivers).
orangemail	Orange webmail	sender_email	sender_emailq_proto_orangemail	bytes	Email address of the email sender.
orangemail	Orange webmail	subject	subjectq_proto_orangemail	bytes	Message subject.
orangemail	Orange webmail	action	actionq_proto_orangemail	bytes	Indicates if the message is read (Read) or composed (Compose).
orangemail	Orange webmail	msglist_subject	msglist_subjectq_proto_orangemail	bytes	Message subject in a message list.
orangemail	Orange webmail	attach_size	attach_sizeq_proto_orangemail	uint32	Attached file MIME size.
orangemail	Orange webmail	login	loginq_proto_orangemail	bytes	User's login string.
owa	Outlook Web App	msglist_subject	msglist_subjectq_proto_owa	bytes	Message subject in a message list.
owa	Outlook Web App	receiver_email	receiver_emailq_proto_owa	bytes	Email address of message receiver (included cc and bcc receivers).
owa	Outlook Web App	sender_email	sender_emailq_proto_owa	bytes	Email address of the email sender.
owa	Outlook Web App	attach_filename	attach_filenameq_proto_owa	bytes	Attachment name.
owa	Outlook Web App	action	actionq_proto_owa	bytes	Indicates if the message is read (Read) or composed (Compose).
owa	Outlook Web App	session_id	session_idq_proto_owa	bytes	Uniquely identifies the current user session.
owa	Outlook Web App	attach_size	attach_sizeq_proto_owa	uint32	Attached file MIME size.
owa	Outlook Web App	login	loginq_proto_owa	bytes	User's login string.
owa	Outlook Web App	msglist_receiver_email	msglist_receiver_emailq_proto_owa	bytes	Email address of the email receiver.
owa	Outlook Web App	msglist_sender_email	msglist_sender_emailq_proto_owa	bytes	Address of email sender.
owa	Outlook Web App	subject	subjectq_proto_owa	bytes	Message subject.
paltalk	PalTalk	uid	uidq_proto_paltalk	uint32	Generic user ID.
paltalk	PalTalk	login	loginq_proto_paltalk	bytes	User's login string.
paltalk	PalTalk	user_email	user_emailq_proto_paltalk	bytes	User's email address.
paltalk	PalTalk	contact_uid	contact_uidq_proto_paltalk	uint32	Contact ID.
paltalk	PalTalk	contact_login	contact_loginq_proto_paltalk	bytes	Contact login.
paltalk	PalTalk	chat_id	chat_idq_proto_paltalk	bytes	Window chat id.
paltalk	PalTalk	channel	channelq_proto_paltalk	bytes	Chat room name.
paltalk	PalTalk	message	messageq_proto_paltalk	bytes	Contains the chat message.
paltalk	PalTalk	encoding	encodingq_proto_paltalk	bytes	Message encoding.
paltalk	PalTalk	sender	senderq_proto_paltalk	bytes	Contains the identity of the sender of a chat session or a file transfer.
paltalk	PalTalk	receiver	receiverq_proto_paltalk	bytes	Contains the identity of the receiver for a chat message or a file transfer.
paltalk	PalTalk	sender_uid	sender_uidq_proto_paltalk	uint32	Message sender's unique identifier.
paltalk	PalTalk	receiver_uid	receiver_uidq_proto_paltalk	uint32	Message receiver's unique identifier.
paltalk	PalTalk	call_id	call_idq_proto_paltalk	bytes	Call id, extracted for each call.
paltalk	PalTalk	start_time	start_timeq_proto_paltalk	string	Start date of the call.
paltalk	PalTalk	caller	callerq_proto_paltalk	bytes	Contains the identity (or the phone number) of the initiator of the call.
paltalk	PalTalk	caller_uid	caller_uidq_proto_paltalk	uint32	Caller's unique identifier.
paltalk	PalTalk	callee	calleeq_proto_paltalk	bytes	Contains the identity (or the phone number) of the called party for a call.
paltalk	PalTalk	callee_uid	callee_uidq_proto_paltalk	uint32	Callee's unique identifier.
paltalk	PalTalk	call_duration	call_durationq_proto_paltalk	string	Call duration.
paltalk	PalTalk	caller_addr	caller_addrq_proto_paltalk	string	Address which could be used by the initiator of the call.
paltalk	PalTalk	callee_addr	callee_addrq_proto_paltalk	string	Address which could be used by the called party.
paltalk_transfer	PalTalk Transfer Protocol	login	loginq_proto_paltalk_transfer	bytes	User's login string.
paltalk_transfer	PalTalk Transfer Protocol	receiver	receiverq_proto_paltalk_transfer	bytes	Contains the identity of the receiver for a file transfer.
paltalk_transfer	PalTalk Transfer Protocol	sender_uid	sender_uidq_proto_paltalk_transfer	uint32	File sender's UID
paltalk_transfer	PalTalk Transfer Protocol	receiver_uid	receiver_uidq_proto_paltalk_transfer	uint32	File receiver's UID
paltalk_transfer	PalTalk Transfer Protocol	filename	filenameq_proto_paltalk_transfer	bytes	Name of the transferred file.
paltalk_transfer	PalTalk Transfer Protocol	filesize	filesizeq_proto_paltalk_transfer	uint32	Size (byte) of the transferred file.
pap	Password Authentication Protocol	login	loginq_proto_pap	bytes	User's login string.
pap	Password Authentication Protocol	password	passwordq_proto_pap	bytes	User's password string.
pap	Password Authentication Protocol	message_type	message_typeq_proto_pap	bytes	Message type.
pccc	PC-cubed	object_tns	object_tnsq_proto_pccc	uint32	Transaction identifier of the PCCC object coded over 2 bytes, request and related response must share the same TNS value.
pccc	PC-cubed	routing_info_dst_link	routing_info_dst_linkq_proto_pccc	uint32	Destination link address.
pccc	PC-cubed	routing_info_src_link	routing_info_src_linkq_proto_pccc	uint32	Source link address.
perforce	Perforce Protocol	parameter_name	parameter_nameq_proto_perforce	bytes	Name of the perforce parameter.
perforce	Perforce Protocol	parameter_value	parameter_valueq_proto_perforce	bytes	Value of the perforce parameter.
perforce	Perforce Protocol	parameter_size	parameter_sizeq_proto_perforce	uint32	Size in bytes of the parameter value.
perfspot	Perfspot.com	is_mobile_service	is_mobile_serviceq_proto_perfspot	uint32	Whether or not the access was made through a mobile device.
perfspot	Perfspot.com	password	passwordq_proto_perfspot	bytes	User's password string.
perfspot	Perfspot.com	login	loginq_proto_perfspot	bytes	User's login string.
pptp	Point-to-Point Tunneling Protocol	version	versionq_proto_pptp	bytes	Protocol version.
pptp	Point-to-Point Tunneling Protocol	vendor	vendorq_proto_pptp	bytes	The type of PAC being used, or the type of PNS software being used
pop3	Post Office Protocol (Version 3)	login	loginq_proto_pop3	bytes	User's login string.
pop3	Post Office Protocol (Version 3)	password	passwordq_proto_pop3	bytes	User's password string.
pop3	Post Office Protocol (Version 3)	sender_email	sender_emailq_proto_pop3	bytes	Email address of the email sender.
pop3	Post Office Protocol (Version 3)	sender_alias	sender_aliasq_proto_pop3	bytes	Name of the email sender.
pop3	Post Office Protocol (Version 3)	receiver_email	receiver_emailq_proto_pop3	bytes	Email address of message receiver (included cc and bcc receivers).
pop3	Post Office Protocol (Version 3)	subject	subjectq_proto_pop3	bytes	Message subject.
pop3	Post Office Protocol (Version 3)	date	dateq_proto_pop3	bytes	Message date.
pop3	Post Office Protocol (Version 3)	mime_type	mime_typeq_proto_pop3	bytes	Content type of received email body.
pop3	Post Office Protocol (Version 3)	method	methodq_proto_pop3	bytes	Command sent by the client
pop3	Post Office Protocol (Version 3)	attach_filename	attach_filenameq_proto_pop3	bytes	Attachment name.
pop3	Post Office Protocol (Version 3)	attach_type	attach_typeq_proto_pop3	bytes	Content type of the sent attached file.
pop3	Post Office Protocol (Version 3)	login_server	login_serverq_proto_pop3	bytes	Concatenated login and server: <login>@<server>.
pop3	Post Office Protocol (Version 3)	message_id	message_idq_proto_pop3	bytes	A unique identifier of the message.
pop3	Post Office Protocol (Version 3)	user_agent	user_agentq_proto_pop3	bytes	Name of the software used.
pop3	Post Office Protocol (Version 3)	sender_entry	sender_entryq_proto_pop3	bool	Parent entry, for different elements belonging to the sender.
pop3	Post Office Protocol (Version 3)	receiver_entry	receiver_entryq_proto_pop3	bool	Parent entry, for different elements belonging to the email receiver.
pop3	Post Office Protocol (Version 3)	request	requestq_proto_pop3	bool	Parent entry, empty, for client request and server response.
pop3	Post Office Protocol (Version 3)	received	receivedq_proto_pop3	bool	Parent entry, for fields added by each relay
pop3	Post Office Protocol (Version 3)	content_type	content_typeq_proto_pop3	bytes	Indicates the content type of transferred file.
pop3	Post Office Protocol (Version 3)	content_language	content_languageq_proto_pop3	bytes	Language of message content.
pop3	Post Office Protocol (Version 3)	attach_filename_cdispo	attach_filename_cdispoq_proto_pop3	bytes	Attachment name. The attachment name is extracted from 'Content-Disposition' field.
pop3	Post Office Protocol (Version 3)	attach_size	attach_sizeq_proto_pop3	uint32	Attached file MIME size.
pop3	Post Office Protocol (Version 3)	attach_size_decoded	attach_size_decodedq_proto_pop3	uint32	Base64-decoded attached file content size in Bytes.
pop3	Post Office Protocol (Version 3)	email_boundary	email_boundaryq_proto_pop3	bytes	boundary used to separate different parts of the message body.
pop3	Post Office Protocol (Version 3)	resent_from	resent_fromq_proto_pop3	bytes	Full address of the person for whom message is resent.
pop3	Post Office Protocol (Version 3)	resent_from_email	resent_from_emailq_proto_pop3	bytes	Email address of the person for whom message is resent.
pop3	Post Office Protocol (Version 3)	resent_from_alias	resent_from_aliasq_proto_pop3	bytes	Name of the person for whom message is resent.
pop3	Post Office Protocol (Version 3)	resent_sender	resent_senderq_proto_pop3	bytes	Full address of the person who has actually resent the message.
pop3	Post Office Protocol (Version 3)	resent_sender_email	resent_sender_emailq_proto_pop3	bytes	Email address of the person who has actually resent the message.
pop3	Post Office Protocol (Version 3)	resent_sender_alias	resent_sender_aliasq_proto_pop3	bytes	Name of the person who has actually resent the message.
pop3	Post Office Protocol (Version 3)	content_id	content_idq_proto_pop3	bytes	Indicates the identifier of the email content.
pop3	Post Office Protocol (Version 3)	content_desc	content_descq_proto_pop3	bytes	Indicates the description of the email content.
pop3	Post Office Protocol (Version 3)	attach_content_id	attach_content_idq_proto_pop3	bytes	Attached file content identifier.
pop3	Post Office Protocol (Version 3)	attach_content_desc	attach_content_descq_proto_pop3	bytes	Descriptive information for the attached file content.
pop3	Post Office Protocol (Version 3)	mime_version	mime_versionq_proto_pop3	bytes	Version of the message body format standard used in the mail protocol.
pop3	Post Office Protocol (Version 3)	return_path	return_pathq_proto_pop3	bytes	Message return path.
pop3	Post Office Protocol (Version 3)	received_by	received_byq_proto_pop3	bytes	Contains the name of the receiving host.
postgres	PostgreSQL	login	loginq_proto_postgres	bytes	User's login string.
postgres	PostgreSQL	base	baseq_proto_postgres	bytes	Database name.
postgres	PostgreSQL	server_version	server_versionq_proto_postgres	bytes	Server version
postgres	PostgreSQL	proto_version	proto_versionq_proto_postgres	bytes	Protocol version used
postgres	PostgreSQL	query	queryq_proto_postgres	bytes	SQL query sent by the client.
postgres	PostgreSQL	error	errorq_proto_postgres	bytes	Error message
postgres	PostgreSQL	password	passwordq_proto_postgres	bytes	User's password string.
postgres	PostgreSQL	authentification_type	authentification_typeq_proto_postgres	bytes	Authentication method requested by the server.
postgres	PostgreSQL	sqlstate_code	sqlstate_codeq_proto_postgres	bytes	SQL error code.
postgres	PostgreSQL	query_id	query_idq_proto_postgres	bytes	Request identifier. It is used to correlate SQL queries with query parameter values (Bind Variables).
postgres	PostgreSQL	variable_id	variable_idq_proto_postgres	bytes	Query parameter (Bind Variable) identifier within a SQL request.
postgres	PostgreSQL	variable_type	variable_typeq_proto_postgres	bytes	Data type of a SQL query parameter (Bind Variable).
postgres	PostgreSQL	variable_format	variable_formatq_proto_postgres	uint32	Format of a SQL query parameter (Bind Variable).
pplive	PPlive	method	methodq_proto_pplive	bytes	Contains the method used for a PPLive Live Streaming command
pricerunner	PriceRunner	query_text	query_textq_proto_pricerunner	bytes	Query sent to the search engine.
pricerunner	PriceRunner	query_raw	query_rawq_proto_pricerunner	bytes	Contains the query sent to the search engine as indicated in the URL.
q931	Q.931	display	displayq_proto_q931	bytes	Display name.
q931	Q.931	call_duration	call_durationq_proto_q931	string	Call duration.
q931	Q.931	setup_delay	setup_delayq_proto_q931	string	Call setup delay
q931	Q.931	session_duration	session_durationq_proto_q931	string	Call setup duration.
q931	Q.931	caller	callerq_proto_q931	bytes	Contains the identity (or the phone number) of the initiator of the call.
q931	Q.931	callee	calleeq_proto_q931	bytes	Contains the identity (or the phone number) of the called party for a call.
qq	QQ	login	loginq_proto_qq	bytes	User's login string.
qq	QQ	version_code	version_codeq_proto_qq	bytes	The protocol version number used by the client.
qq	QQ	msg_type	msg_typeq_proto_qq	uint32	QQ command name.
qq	QQ	service	serviceq_proto_qq	bytes	Current service identification string.
qq	QQ	caller	callerq_proto_qq	bytes	Contains the identity (or the phone number) of the initiator of the call.
qq	QQ	callee	calleeq_proto_qq	bytes	Contains the identity (or the phone number) of the called party for a call.
qq	QQ	msg_code	msg_codeq_proto_qq	uint32	(deprecated) QQ command number.
qq	QQ	call_duration	call_durationq_proto_qq	string	Call duration.
qq	QQ	service_id	service_idq_proto_qq	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
qq	QQ	user_id	user_idq_proto_qq	bytes	Unique identifier related to a single user. This attribute is available for clear traffic from Mobile applications, it may be not available for traffic from recent web browsers enforcing use of TLS.
qq_web	QQ.com	user_id	user_idq_proto_qq_web	bytes	Unique identifier related to a single user. This attribute is available for clear traffic from Mobile applications, it may be not available for traffic from recent web browsers enforcing use of TLS.
quake	Quake	server	serverq_proto_quake	bytes	Server name.
quic	quic	server_name	server_nameq_proto_quic	bytes	Domain name mentioned in CHLO message.
quic	quic	user_agent	user_agentq_proto_quic	bytes	Name of the software used.
qvod	QVOD Player	peer_ip	peer_ipq_proto_qvod	string	IPv4 address of the QVOD peer.
rambler_webmail	Rambler webmail	attach_filename	attach_filenameq_proto_rambler_webmail	bytes	Attachment name.
rambler_webmail	Rambler webmail	subject	subjectq_proto_rambler_webmail	bytes	Message subject.
rambler_webmail	Rambler webmail	action	actionq_proto_rambler_webmail	bytes	Indicates if the message is read (Read) or composed (Compose).
rambler_webmail	Rambler webmail	msglist_subject	msglist_subjectq_proto_rambler_webmail	bytes	Message subject in a message list.
rambler_webmail	Rambler webmail	attach_size	attach_sizeq_proto_rambler_webmail	uint32	Attached file MIME size.
rambler_webmail	Rambler webmail	receiver_email	receiver_emailq_proto_rambler_webmail	bytes	Email address of message receiver (included cc and bcc receivers).
rambler_webmail	Rambler webmail	sender_email	sender_emailq_proto_rambler_webmail	bytes	Email address of the email sender.
rambler_webmail	Rambler webmail	msglist_receiver_email	msglist_receiver_emailq_proto_rambler_webmail	bytes	Email address of the email receiver.
rambler_webmail	Rambler webmail	msglist_sender_email	msglist_sender_emailq_proto_rambler_webmail	bytes	Address of email sender.
rambler_webmail	Rambler webmail	domain	domainq_proto_rambler_webmail	bytes	Domain name used for the email address of the user.
rambler_webmail	Rambler webmail	login	loginq_proto_rambler_webmail	bytes	User's login string.
rambler	Rambler.ru	query_text	query_textq_proto_rambler	bytes	Query sent to the search engine.
rambler	Rambler.ru	query_raw	query_rawq_proto_rambler	bytes	Contains the query sent to the search engine as indicated in the URL.
rambler	Rambler.ru	login	loginq_proto_rambler	bytes	User's login string.
rambler	Rambler.ru	domain	domainq_proto_rambler	bytes	Domain name used for the login of the user.
rapidshare	RapidShare.com	action	actionq_proto_rapidshare	bytes	Indicates the action executed by the user.
rapidshare	RapidShare.com	filename	filenameq_proto_rapidshare	bytes	Name of the transferred file.
rapidshare	RapidShare.com	filesize	filesizeq_proto_rapidshare	uint32	Size (byte) of the transferred file.
rapidshare	RapidShare.com	method	methodq_proto_rapidshare	bytes	HTTP method used for this action.
rapidshare	RapidShare.com	email_address	email_addressq_proto_rapidshare	bytes	User email address.
rapidshare	RapidShare.com	download_url	download_urlq_proto_rapidshare	bytes	Downloaded file URL.
rtcp	Real Time Control Protocol	cname	cnameq_proto_rtcp	bytes	User name.
rtcp	Real Time Control Protocol	name	nameq_proto_rtcp	bytes	Complete user name.
rtcp	Real Time Control Protocol	email	emailq_proto_rtcp	bytes	User's email address.
rtcp	Real Time Control Protocol	phone	phoneq_proto_rtcp	bytes	User's phone number.
rtcp	Real Time Control Protocol	loc	locq_proto_rtcp	bytes	User's location.
rtcp	Real Time Control Protocol	tool	toolq_proto_rtcp	bytes	Client's software.
rtcp	Real Time Control Protocol	note	noteq_proto_rtcp	bytes	User's comments.
rtcp	Real Time Control Protocol	rr_jitter	rr_jitterq_proto_rtcp	uint32	Jitter value (in receiver report).
rtcp	Real Time Control Protocol	rr_cumlost	rr_cumlostq_proto_rtcp	uint32	Contains the cumulative number of lost packets (in receiver reports).
rtcp	Real Time Control Protocol	rr_ssrc_id	rr_ssrc_idq_proto_rtcp	uint32	Identity of the source that sent the receiver report.
rtcp	Real Time Control Protocol	ssrc	ssrcq_proto_rtcp	uint32	Identity of the Synchronization source
rtcp	Real Time Control Protocol	rr_pkt_sender_ssrc	rr_pkt_sender_ssrcq_proto_rtcp	uint32	The synchronization source identifier for the originator of this Receiver Report packet.
rtcp	Real Time Control Protocol	rr_highestseqnum	rr_highestseqnumq_proto_rtcp	uint32	highest sequence number received in an RTP data packet from source SSRC_n
rtcp	Real Time Control Protocol	rr_lsr	rr_lsrq_proto_rtcp	uint32	The middle 32 bits out of 64 in the NTP timestamp
rtcp	Real Time Control Protocol	rr_dlsr	rr_dlsrq_proto_rtcp	uint32	The delay between receiving the last RR packet from source n and sending reception report block.
rtcp	Real Time Control Protocol	sr_pkt_sender_ssrc	sr_pkt_sender_ssrcq_proto_rtcp	uint32	The synchronization source identifier for the originator of this Sender Report packet.
rtcp	Real Time Control Protocol	sr_ntp_ts_msw	sr_ntp_ts_mswq_proto_rtcp	uint32	NTP timestamp, most significant word
rtcp	Real Time Control Protocol	sr_ntp_ts_lsw	sr_ntp_ts_lswq_proto_rtcp	uint32	NTP timestamp, least significant word
rtcp	Real Time Control Protocol	sr_rtp_ts	sr_rtp_tsq_proto_rtcp	uint32	RTP timestamp
rtcp	Real Time Control Protocol	sr_pkt_count	sr_pkt_countq_proto_rtcp	uint32	The total number of RTP data packets transmitted by the sender
rtcp	Real Time Control Protocol	sr_octet_count	sr_octet_countq_proto_rtcp	uint32	The total number of payload octets transmitted in RTP
rtcp	Real Time Control Protocol	sr_ssrc_id	sr_ssrc_idq_proto_rtcp	uint32	The SSRC identifier of the source
rtcp	Real Time Control Protocol	sr_cumlost	sr_cumlostq_proto_rtcp	uint32	>Contains the cumulative number of lost packets (in sender reports).
rtcp	Real Time Control Protocol	sr_highestseqnum	sr_highestseqnumq_proto_rtcp	uint32	highest sequence number received in an RTP data packet from source SSRC_n
rtcp	Real Time Control Protocol	sr_jitter	sr_jitterq_proto_rtcp	uint32	Jitter value (in Sender report).
rtcp	Real Time Control Protocol	sr_lsr	sr_lsrq_proto_rtcp	uint32	The middle 32 bits out of 64 in the NTP timestamp
rtcp	Real Time Control Protocol	sr_dlsr	sr_dlsrq_proto_rtcp	uint32	The delay between receiving the last SR packet from source n and sending reception report block.
rtmp	Real Time Messaging Protocol	page_url	page_urlq_proto_rtmp	bytes	URL of the webpage where the audio/video content is streamed.
rtmp	Real Time Messaging Protocol	stream_url	stream_urlq_proto_rtmp	bytes	URL of the streamed audio/video.
rtmp	Real Time Messaging Protocol	app_name	app_nameq_proto_rtmp	bytes	Name of the application accessing the streamed content.
rtmp	Real Time Messaging Protocol	start_time	start_timeq_proto_rtmp	uint32	The timestamp of the beginning of the streamed audio/video (in ms).
rtmp	Real Time Messaging Protocol	stop_time	stop_timeq_proto_rtmp	uint32	The timestamp of the end of the streamed audio/video (in ms).
rtmp	Real Time Messaging Protocol	encryption	encryptionq_proto_rtmp	bytes	Name of the encryption used.
rtp	Real Time Protocol	end_session	end_sessionq_proto_rtp	bytes	The end_session attribute is raised at the end of the RTP session
rtp	Real Time Protocol	codec_name	codec_nameq_proto_rtp	bytes	Name of the codec.
rtp	Real Time Protocol	unseq	unseqq_proto_rtp	uint32	Contains the number of miss ordered packets (use sum).
rtp	Real Time Protocol	ssrc	ssrcq_proto_rtp	uint32	Identity of the Synchronization source
rtp	Real Time Protocol	timestamp	timestampq_proto_rtp	uint32	RTP packet timestamp.
rtp	Real Time Protocol	mos_session	mos_sessionq_proto_rtp	uint32	Standard Mean Opinion Score voice quality indicator. The value is derived from the Rfactor indicator, following the ITU-T G.107.1 wideband Rfactor to MOS equations. The extracted value is multiplied by 1000. The following codecs are supported: PCM, GSM(AMR-NB), G.723.1, G.729-A, EVRC, EVRCB, G.722.2(AMR-WB).
rtp	Real Time Protocol	rfactor	rfactorq_proto_rtp	uint32	Rfactor indicator value, following the E-model from ITU-T G.107 and G.107.1. The calculation method is valid for narrowband (rfactor<=100) and wideband (rfactor<=129) codecs. The extracted value is multiplied by 1000. The following codecs are supported: PCM, AMR(GSM-FR), AMR-WB(G.722.2), G.723.1, G.729-A, EVRC, EVRCB. AMR and AMR-WB codecs support features multi-bitrate (codec modes) Rfactor evaluation. The codec-specific transmission impairment parameters used to compute the Rfactor were extracted from the ITU-T G.113 recommendation for narrowband codecs (PCM, G.723.1, G.729-A, GSM), and from ITU-T G.113.1 for wideband codecs (G.722.2). Additional equipment related impairment parameters (for G.722.2) were extracted from the Instrumental Estimation of E-Model Parameters For Wideband Speech Codecs study results at EURASIP.
rtp	Real Time Protocol	session_duration	session_durationq_proto_rtp	string	Call setup duration.
rtp	Real Time Protocol	csrc	csrcq_proto_rtp	uint32	Identit(y)(ies) of the source(s) contributing for the payload. There is one csrc per contributing source.
rtp	Real Time Protocol	parent_call_id	parent_call_idq_proto_rtp	bytes	Call Identifier extracted from SIP/SDP.
rtp	Real Time Protocol	service_id	service_idq_proto_rtp	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
rtp	Real Time Protocol	service	serviceq_proto_rtp	bytes	Current service identification string.
rtp	Real Time Protocol	service_duration	service_durationq_proto_rtp	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds.
rtp	Real Time Protocol	service_duration_tv	service_duration_tvq_proto_rtp	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
rtsp	Real Time Streaming Protocol	user_agent	user_agentq_proto_rtsp	bytes	Client's software.
rtsp	Real Time Streaming Protocol	filename	filenameq_proto_rtsp	bytes	Name of the streamed file.
rtsp	Real Time Streaming Protocol	method	methodq_proto_rtsp	bytes	RTSP command sent by the client.
rtsp	Real Time Streaming Protocol	server_agent	server_agentq_proto_rtsp	bytes	Name of the server software.
rtsp	Real Time Streaming Protocol	server	serverq_proto_rtsp	bytes	Name of the streaming server.
rtsp	Real Time Streaming Protocol	directory	directoryq_proto_rtsp	bytes	File directory.
rtsp	Real Time Streaming Protocol	code	codeq_proto_rtsp	uint32	Server return code.
rtsp	Real Time Streaming Protocol	uri	uriq_proto_rtsp	bytes	Complete name (path + filename) of a web resource (truncated at 1503 characters).
rtsp	Real Time Streaming Protocol	urilast64	urilast64q_proto_rtsp	bytes	uri last 64 characters of the uri.
rtsp	Real Time Streaming Protocol	urilen	urilenq_proto_rtsp	uint32	uri length.
rtsp	Real Time Streaming Protocol	uri_full	uri_fullq_proto_rtsp	bytes	Complete name (path + filename) of a web resource (not truncated).
rtsp	Real Time Streaming Protocol	header_name	header_nameq_proto_rtsp	bytes	One RTSP header line (field).
rtsp	Real Time Streaming Protocol	header_value	header_valueq_proto_rtsp	bytes	One RTSP header line (value).
rtsp	Real Time Streaming Protocol	header_statusline	header_statuslineq_proto_rtsp	bytes	The status line, just before the header lines.
rtsp	Real Time Streaming Protocol	version	versionq_proto_rtsp	bytes	Protocol version.
rtsp	Real Time Streaming Protocol	cseq	cseqq_proto_rtsp	bytes	Sequence number.
rtsp	Real Time Streaming Protocol	start_time	start_timeq_proto_rtsp	string	Start date of the call.
rtsp	Real Time Streaming Protocol	session_duration	session_durationq_proto_rtsp	string	Call setup duration.
rtsp	Real Time Streaming Protocol	media_attr_value	media_attr_valueq_proto_rtsp	bytes	Line value of the media attribute.
rtsp	Real Time Streaming Protocol	media_attr_type	media_attr_typeq_proto_rtsp	uint32	Contains the media type (audio or video).
rtsp	Real Time Streaming Protocol	media_attr_encoding	media_attr_encodingq_proto_rtsp	bytes	The encoding of media data.
rtsp	Real Time Streaming Protocol	media_attr_rate	media_attr_rateq_proto_rtsp	bytes	The encoding rate.
rtsp	Real Time Streaming Protocol	media_attr_param	media_attr_paramq_proto_rtsp	bytes	Session attribute value.
rtsp	Real Time Streaming Protocol	media_attr_label	media_attr_labelq_proto_rtsp	bytes	Name of the described session attribute.
rtsp	Real Time Streaming Protocol	media_attr_addr	media_attr_addrq_proto_rtsp	string	The mentioned IPv4 address to be used.
rtsp	Real Time Streaming Protocol	media_attr_channel	media_attr_channelq_proto_rtsp	bytes	The channel value.
rtsp	Real Time Streaming Protocol	media_attr_transport	media_attr_transportq_proto_rtsp	bytes	The transport protocol (TCP or UDP).
rtsp	Real Time Streaming Protocol	media_type	media_typeq_proto_rtsp	bytes	Contains the media type.
rtsp	Real Time Streaming Protocol	media_proto	media_protoq_proto_rtsp	bytes	Protocol used in client stream.
rtsp	Real Time Streaming Protocol	media_format	media_formatq_proto_rtsp	uint32	Client's protocol formats available.
rtsp	Real Time Streaming Protocol	uri_start_offset	uri_start_offsetq_proto_rtsp	uint32	Offset to the first URI byte in the stream.
rtsp	Real Time Streaming Protocol	uri_end_offset	uri_end_offsetq_proto_rtsp	uint32	Offset to the first byte which is not part of the URI in the stream.
redhat_update	RedHat Update	kernel_name	kernel_nameq_proto_redhat_update	bytes	Kernel package or package linked to the kernel.
redhat_update	RedHat Update	kernel_version	kernel_versionq_proto_redhat_update	bytes	Version number of the kernel package.
redhat_update	RedHat Update	kernel_archi	kernel_archiq_proto_redhat_update	bytes	Archi of package kernel.
redhat_update	RedHat Update	kernel_distrib	kernel_distribq_proto_redhat_update	bytes	Distrib linked to this kernel package.
redhat_update	RedHat Update	package_name	package_nameq_proto_redhat_update	bytes	Name of the downloaded package.
redhat_update	RedHat Update	package_version	package_versionq_proto_redhat_update	bytes	Version number of the downloaded package.
redhat_update	RedHat Update	package_archi	package_archiq_proto_redhat_update	bytes	Archi of package.
redhat_update	RedHat Update	package_distrib	package_distribq_proto_redhat_update	bytes	Distrib linked to this package.
radius	Remote Authentication Dial-In User Service	login	loginq_proto_radius	bytes	User-Name (an attribute defined in RFC2865).
radius	Remote Authentication Dial-In User Service	calling_station_id	calling_station_idq_proto_radius	bytes	Client id.
radius	Remote Authentication Dial-In User Service	framed_ip	framed_ipq_proto_radius	string	Framed-IP-Address (an attribute defined in RFC2865).
radius	Remote Authentication Dial-In User Service	acct_session_id	acct_session_idq_proto_radius	bytes	Accounting session ID.
radius	Remote Authentication Dial-In User Service	called_station_id	called_station_idq_proto_radius	bytes	The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology.
radius	Remote Authentication Dial-In User Service	nas_id	nas_idq_proto_radius	bytes	Unique identifier of the NAS originating the Access-Request
radius	Remote Authentication Dial-In User Service	nas_ip	nas_ipq_proto_radius	string	IP address of the NAS originating the Access-Request
radius	Remote Authentication Dial-In User Service	nas_port	nas_portq_proto_radius	uint32	Physical port number of the user on the NAS
radius	Remote Authentication Dial-In User Service	nas_port_type	nas_port_typeq_proto_radius	uint32	Indicates the type of physical port the network access server (NAS) is using to authenticate the user.
radius	Remote Authentication Dial-In User Service	nas_port_id	nas_port_idq_proto_radius	bytes	Identifies the NAS.
radius	Remote Authentication Dial-In User Service	callback_number	callback_numberq_proto_radius	bytes	Contains the dialing string to be used for callback
radius	Remote Authentication Dial-In User Service	terminate_cause	terminate_causeq_proto_radius	uint32	This attribute indicates how the session was terminated
radius	Remote Authentication Dial-In User Service	acct_output_octets	acct_output_octetsq_proto_radius	uint32	Indicates how many octets have been sent to the port in the course of delivering this service
radius	Remote Authentication Dial-In User Service	acct_input_octets	acct_input_octetsq_proto_radius	uint32	Indicates how many octets have been received from the port over the course of this service being provided
radius	Remote Authentication Dial-In User Service	session_timeout	session_timeoutq_proto_radius	uint32	The maximum number of seconds of service to be provided to the user before termination of the session or prompt.
radius	Remote Authentication Dial-In User Service	idle_timeout	idle_timeoutq_proto_radius	uint32	The maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.
radius	Remote Authentication Dial-In User Service	start_time	start_timeq_proto_radius	string	Indicates the beginning of the user service.
radius	Remote Authentication Dial-In User Service	stop_time	stop_timeq_proto_radius	string	Indicates the end of the user service.
radius	Remote Authentication Dial-In User Service	framed_ipv6_route	framed_ipv6_routeq_proto_radius	bytes	Provides the routing information to be configured for the user on the NAS
radius	Remote Authentication Dial-In User Service	framed_ipv6_pool	framed_ipv6_poolq_proto_radius	bytes	Contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user.
radius	Remote Authentication Dial-In User Service	avp_ipv4	avp_ipv4q_proto_radius	string	An IPv4 address. (CLEP_DATA_IP_ADDR)
radius	Remote Authentication Dial-In User Service	avp_int	avp_intq_proto_radius	uint32	An 8, 24 or 32 bits integer value. (CLEP_DATA_UINT32)
radius	Remote Authentication Dial-In User Service	avp_int64	avp_int64q_proto_radius	uint64	A 64 bits integer value. (CLEP_DATA_UINT64)
radius	Remote Authentication Dial-In User Service	avp_vendor_id	avp_vendor_idq_proto_radius	uint32	SMI Network Management Private Enterprise Code. (CLEP_DATA_UINT32)
radius	Remote Authentication Dial-In User Service	avp_interface_id	avp_interface_idq_proto_radius	uint64	IPv6 interface identifier. (CLEP_DATA_UINT64)
radius	Remote Authentication Dial-In User Service	3gpp_sgsn_address	3gpp_sgsn_addressq_proto_radius	string	IP address of the SGSN
radius	Remote Authentication Dial-In User Service	3gpp_sgsn_mcc_mnc	3gpp_sgsn_mcc_mncq_proto_radius	uint32	MCC and MNC of the SGSN
radius	Remote Authentication Dial-In User Service	3gpp_imsi	3gpp_imsiq_proto_radius	bytes	IMSI for the user
radius	Remote Authentication Dial-In User Service	framed_ip_netmask	framed_ip_netmaskq_proto_radius	string	Framed-IP-Netmask (an attribute defined in RFC2865).
rdp	Remote Desktop Protocol (Windows Terminal Server)	version	versionq_proto_rdp	bytes	RDP Version used.
rdp	Remote Desktop Protocol (Windows Terminal Server)	client_build	client_buildq_proto_rdp	uint32	RDP client build.
rdp	Remote Desktop Protocol (Windows Terminal Server)	desktop_width	desktop_widthq_proto_rdp	uint32	desktop width.
rdp	Remote Desktop Protocol (Windows Terminal Server)	desktop_height	desktop_heightq_proto_rdp	uint32	desktop height.
rdp	Remote Desktop Protocol (Windows Terminal Server)	hostname_ascii	hostname_asciiq_proto_rdp	bytes	Client hostname, in ASCII.
rdp	Remote Desktop Protocol (Windows Terminal Server)	domain_ascii	domain_asciiq_proto_rdp	bytes	Client domain, in ASCII.
rdp	Remote Desktop Protocol (Windows Terminal Server)	username_ascii	username_asciiq_proto_rdp	bytes	Client login, in ASCII.
rdp	Remote Desktop Protocol (Windows Terminal Server)	default_username	default_usernameq_proto_rdp	bytes	User's default login, provided at RDP's client runtime.
rdp	Remote Desktop Protocol (Windows Terminal Server)	encrypted	encryptedq_proto_rdp	uint32	Indicates if the traffic is encrypted with TLS or CresDDP.
rdp	Remote Desktop Protocol (Windows Terminal Server)	io_channel_id	io_channel_idq_proto_rdp	uint32	IO channel ID.
rdp	Remote Desktop Protocol (Windows Terminal Server)	channel_id	channel_idq_proto_rdp	uint32	Communication channel ID.
rdp	Remote Desktop Protocol (Windows Terminal Server)	channel_name	channel_nameq_proto_rdp	bytes	Communication channel name (An 8-byte array containing a unique 7-character ANSI channel name and a null terminator).
rdp	Remote Desktop Protocol (Windows Terminal Server)	channel_disabled	channel_disabledq_proto_rdp	uint32	Tells whether the channel is disabled.
rdp	Remote Desktop Protocol (Windows Terminal Server)	channel_encrypt_way	channel_encrypt_wayq_proto_rdp	bytes	Tells whether the channel is encrypted.
rdp	Remote Desktop Protocol (Windows Terminal Server)	channel_priority	channel_priorityq_proto_rdp	bytes	Channel priority.
rdp	Remote Desktop Protocol (Windows Terminal Server)	keyboard_type	keyboard_typeq_proto_rdp	uint32	The keyboard type.
rdp	Remote Desktop Protocol (Windows Terminal Server)	keyboard_subtype	keyboard_subtypeq_proto_rdp	uint32	The keyboard subtype.
rdp	Remote Desktop Protocol (Windows Terminal Server)	keyboard_function_key	keyboard_function_keyq_proto_rdp	uint32	The number of function keys on the keyboard.
rdp	Remote Desktop Protocol (Windows Terminal Server)	ime_filename_ascii	ime_filename_asciiq_proto_rdp	bytes	The input method editor (IME) file name associated with the active input locale, in ASCII.
rdp	Remote Desktop Protocol (Windows Terminal Server)	client_product_id	client_product_idq_proto_rdp	uint32	The client product ID.
rdp	Remote Desktop Protocol (Windows Terminal Server)	serial_number	serial_numberq_proto_rdp	uint32	Serial number.
rdp	Remote Desktop Protocol (Windows Terminal Server)	client_dig_product_id_ascii	client_dig_product_id_asciiq_proto_rdp	bytes	Contains a value that uniquely identifies the client, in ASCII.
rdp	Remote Desktop Protocol (Windows Terminal Server)	server_sec_cert_key_algo	server_sec_cert_key_algoq_proto_rdp	uint32	Type of algorithm used by certificate key (0x0001 == RSA).
rdp	Remote Desktop Protocol (Windows Terminal Server)	server_sec_cert_pub_key_magic	server_sec_cert_pub_key_magicq_proto_rdp	bytes	Name of algorithm used by certificate key.
rdp	Remote Desktop Protocol (Windows Terminal Server)	server_sec_cert_version	server_sec_cert_versionq_proto_rdp	uint32	Raw value (32 bits) of version field.
rdp	Remote Desktop Protocol (Windows Terminal Server)	server_sec_cert_count	server_sec_cert_countq_proto_rdp	uint32	Number of certificates in the chain.
rdp	Remote Desktop Protocol (Windows Terminal Server)	color_depth	color_depthq_proto_rdp	uint32	Color depth requested by RDP client. RDP specifications mention it must be ignored if post_beta_2_color_depth is raised.
rdp	Remote Desktop Protocol (Windows Terminal Server)	post_beta_2_color_depth	post_beta_2_color_depthq_proto_rdp	uint32	Color depth requested by RDP client. RDP specifications mention it must be ignored if high_color_depth is raised.
rdp	Remote Desktop Protocol (Windows Terminal Server)	high_color_depth	high_color_depthq_proto_rdp	uint32	Color depth requested by RDP client.
rlogin	Remote Login	client_login	client_loginq_proto_rlogin	bytes	Name of the client host.
rlogin	Remote Login	server_login	server_loginq_proto_rlogin	bytes	User login.
rlogin	Remote Login	server_password	server_passwordq_proto_rlogin	bytes	User password.
rlogin	Remote Login	term_type	term_typeq_proto_rlogin	bytes	Terminal type used to establish the remote session.
rlogin	Remote Login	speed	speedq_proto_rlogin	uint32	Connection speed.
rpc	Remote Procedure Call	program	programq_proto_rpc	uint32	Program Identifier.
rpc	Remote Procedure Call	version	versionq_proto_rpc	uint32	Version of the RPC protocol.
rpc	Remote Procedure Call	program_version	program_versionq_proto_rpc	uint32	Version of the used program over RPC.
rpc	Remote Procedure Call	procedure	procedureq_proto_rpc	uint32	Contains the request used by the application program (NFS, YelloPages, ...).
rpc	Remote Procedure Call	state	stateq_proto_rpc	uint32	Status of the command response.
rpc	Remote Procedure Call	xid	xidq_proto_rpc	uint32	Identifier of the request or the reply.
rpc	Remote Procedure Call	message_type	message_typeq_proto_rpc	bytes	Message type (Call or Reply).
rsh	Remote Shell	login	loginq_proto_rsh	bytes	User's login string.
rsh	Remote Shell	server	serverq_proto_rsh	bytes	Remote server.
rsync	Remote synchronous (file transfer)	module	moduleq_proto_rsync	bytes	Name of the group in which files are gathered.
rsync	Remote synchronous (file transfer)	login	loginq_proto_rsync	bytes	User's login string.
rsync	Remote synchronous (file transfer)	password	passwordq_proto_rsync	bytes	User's password string.
rsync	Remote synchronous (file transfer)	filename	filenameq_proto_rsync	bytes	Name of the transferred file.
rsync	Remote synchronous (file transfer)	filesize	filesizeq_proto_rsync	uint32	Size (byte) of the transferred file.
rsync	Remote synchronous (file transfer)	file_is_compressed	file_is_compressedq_proto_rsync	uint32	Tells whether a file is compressed or not.
rsync	Remote synchronous (file transfer)	file_chunk_number	file_chunk_numberq_proto_rsync	uint32	Number of the transferred piece.
rsync	Remote synchronous (file transfer)	file_chunk_len	file_chunk_lenq_proto_rsync	uint32	Size of the transferred piece.
rsync	Remote synchronous (file transfer)	file_chunk_data_offset	file_chunk_data_offsetq_proto_rsync	uint32	Offset of the transferred data.
rip2	Routing Information Protocol V2	ip_addr	ip_addrq_proto_rip2	string	IP address of a router.
rip2	Routing Information Protocol V2	next_hope	next_hopeq_proto_rip2	string	The immediate next hop IP address to which packets to the destination specified by this route entry should be forwarded.
rip2	Routing Information Protocol V2	netmask	netmaskq_proto_rip2	string	The Subnet Mask field contains the subnet mask which is applied to the IP address to yield the non-host portion of the address.
rip2	Routing Information Protocol V2	metric	metricq_proto_rip2	uint32	Total distance to a router.
rip2	Routing Information Protocol V2	authentication	authenticationq_proto_rip2	bytes	Authentication content (password for example).
s1ap	S1 Application Protocol	ep_name	ep_nameq_proto_s1ap	bytes	Elementary Procedure name.
s1ap	S1 Application Protocol	ep_mme_ue_id	ep_mme_ue_idq_proto_s1ap	uint32	Mobility Management Entity Identifier (MME UE S1AP ID).
s1ap	S1 Application Protocol	ep_enb_ue_id	ep_enb_ue_idq_proto_s1ap	uint32	E-UTRAN NodeB Identifier (eNB UE S1AP ID).
s1ap	S1 Application Protocol	ep_ie_name	ep_ie_nameq_proto_s1ap	bytes	Information Element name.
s1ap	S1 Application Protocol	ep_ie_rab_addr	ep_ie_rab_addrq_proto_s1ap	string	Transport Layer Address (IPv4).
s1ap	S1 Application Protocol	ep_ie_rab_teid	ep_ie_rab_teidq_proto_s1ap	bytes	GTP Tunnel Endpoint Identifier (GTP-TEID).
s1ap	S1 Application Protocol	ep_ie_tai	ep_ie_taiq_proto_s1ap	bytes	Tracking Area Identifier (TAI).
s1ap	S1 Application Protocol	ep_ie_cgi	ep_ie_cgiq_proto_s1ap	bytes	E-UTRAN Cell Global Identifier (E-UTRAN CGI).
s1ap	S1 Application Protocol	processing_anomaly_type	processing_anomaly_typeq_proto_s1ap	bytes	Defines the category of the anomaly.
s1ap	S1 Application Protocol	processing_anomaly_attr	processing_anomaly_attrq_proto_s1ap	uint32	Gives an attribute ID, or an attribute structure (parent attribute ID), not extracted because of the anomaly.
samsung_apps	Samsung Apps	is_smartphone	is_smartphoneq_proto_samsung_apps	uint32	Boolean attribute indicating whether the client is a smartphone(1) or not(0).
secondlife	SecondLife.com	login	loginq_proto_secondlife	bytes	User's login string.
secondlife	SecondLife.com	message	messageq_proto_secondlife	bytes	Content of chat message.
secondlife	SecondLife.com	message_type	message_typeq_proto_secondlife	bytes	Message type.
secondlife	SecondLife.com	source_name	source_nameq_proto_secondlife	bytes	Source name.
secondlife	SecondLife.com	source_type	source_typeq_proto_secondlife	bytes	Source type.
secondlife	SecondLife.com	chat_type	chat_typeq_proto_secondlife	bytes	Chat message type.
aims	Secure AIM	login	loginq_proto_aims	bytes	User's login string.
ssh	Secure Shell	rtt	rttq_proto_ssh	string	Server response time.
ssh	Secure Shell	version	versionq_proto_ssh	bytes	Protocol version.
ssh	Secure Shell	user_agent	user_agentq_proto_ssh	bytes	Protocol version, software version and optional comments sent by the client.
ssh	Secure Shell	server_agent	server_agentq_proto_ssh	bytes	Protocol version, software version and optional comments sent by the server.
ssh	Secure Shell	tsp_alg_kex	tsp_alg_kexq_proto_ssh	bytes	List of proposed algorithms for key exchange. Each value is separated by a comma.
ssh	Secure Shell	tsp_alg_server_host_key	tsp_alg_server_host_keyq_proto_ssh	bytes	List of proposed algorithms for server host key. Each value is separated by a comma.
ssh	Secure Shell	tsp_alg_encrypt_cts	tsp_alg_encrypt_ctsq_proto_ssh	bytes	List of proposed symmetric encryption algorithms for traffic from client to server. Each value is separated by a comma.
ssh	Secure Shell	tsp_alg_encrypt_stc	tsp_alg_encrypt_stcq_proto_ssh	bytes	List of proposed symmetric encryption algorithms for traffic from server to client. Each value is separated by a comma.
ssh	Secure Shell	tsp_alg_mac_cts	tsp_alg_mac_ctsq_proto_ssh	bytes	List of proposed algorithms for Message Authentication Code (MAC) on traffic from client to server. Each value is separated by a comma.
ssh	Secure Shell	tsp_alg_mac_stc	tsp_alg_mac_stcq_proto_ssh	bytes	List of proposed algorithms for Message Authentication Code (MAC) on traffic from server to client. Each value is separated by a comma.
ssh	Secure Shell	tsp_alg_comp_cts	tsp_alg_comp_ctsq_proto_ssh	bytes	List of proposed algorithms for compression on traffic from client to server. Each value is separated by a comma.
ssh	Secure Shell	tsp_alg_comp_stc	tsp_alg_comp_stcq_proto_ssh	bytes	List of proposed algorithms for compression on traffic from server to client. Each value is separated by a comma.
ssh	Secure Shell	tsp_server_key_type	tsp_server_key_typeq_proto_ssh	bytes	Algorithm related to public host key of the server.
ssh	Secure Shell	tsp_alg_kex_guessed_cts	tsp_alg_kex_guessed_ctsq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for key exchange from client to server, based on usual way client and server choose their algorithm for key exchange. This algorithm is only used for key exchange validation, not for encryption.
ssh	Secure Shell	tsp_alg_kex_guessed_stc	tsp_alg_kex_guessed_stcq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for key exchange from server to client, based on usual way client and server choose their algorithm for key exchange. This algorithm is only used for key exchange validation, not for encryption.
ssh	Secure Shell	tsp_alg_encrypt_guessed_cts	tsp_alg_encrypt_guessed_ctsq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for symmetric encryption from client to server, based on usual way client and server choose their algorithm for encryption.
ssh	Secure Shell	tsp_alg_encrypt_guessed_stc	tsp_alg_encrypt_guessed_stcq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for symmetric encryption from server to client, based on usual way client and server choose their algorithm for encryption.
ssh	Secure Shell	tsp_alg_mac_guessed_cts	tsp_alg_mac_guessed_ctsq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for Message Authenticate Code (MAC) from client to server, based on usual way client and server choose their algorithm for MAC.
ssh	Secure Shell	tsp_alg_mac_guessed_stc	tsp_alg_mac_guessed_stcq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for Message Authenticate Code (MAC) from server to client, based on usual way client and server choose their algorithm for MAC.
ssh	Secure Shell	tsp_comp_guessed_cts	tsp_comp_guessed_ctsq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for compression. from client to server, based on usual way client and server choose their algorithm for compression.
ssh	Secure Shell	tsp_comp_guessed_stc	tsp_comp_guessed_stcq_proto_ssh	bytes	This attribute indicates what algorithm should be in use for compression. from server to client, based on usual way client and server choose their algorithm for compression.
ssl	Secure Socket Layer	common_name	common_nameq_proto_ssl	bytes	Domain name mentioned in the certificate.
ssl	Secure Socket Layer	server_name	server_nameq_proto_ssl	bytes	Domain name mentioned in Client Hello message.
ssl	Secure Socket Layer	supported_next_protocol	supported_next_protocolq_proto_ssl	bytes	Supported protocol on top of SSL specified by the server in the Next Protocol Negotiation or Application Layer Protocol Negotiation [RFC7301] TLS extensions.
ssl	Secure Socket Layer	issuer	issuerq_proto_ssl	bytes	Certificate Authority.
ssl	Secure Socket Layer	validity_not_before	validity_not_beforeq_proto_ssl	bytes	Certificate's validity start date, in UTCTime format : YYMMDDHHMMSSZ.
ssl	Secure Socket Layer	validity_not_after	validity_not_afterq_proto_ssl	bytes	Certificate's validity end date, in UTCTime format : YYMMDDHHMMSSZ.
ssl	Secure Socket Layer	subject_alt_name	subject_alt_nameq_proto_ssl	bytes	Identifies a list of host names which belong to the same certificate.
ssl	Secure Socket Layer	organization_name	organization_nameq_proto_ssl	bytes	Organisation name mentioned in the certificate.
ssl	Secure Socket Layer	index	indexq_proto_ssl	uint32	Identifier of the request and response in a SSL flow.
ssl	Secure Socket Layer	request_size	request_sizeq_proto_ssl	uint64	Contains the total length in bytes of the request or the response (including SSL headers). This attribute is computed at the end of the request or response.
ssl	Secure Socket Layer	cipher_suite_id	cipher_suite_idq_proto_ssl	uint32	Id of the cipher suite handled by the server.
ssl	Secure Socket Layer	protocol_version	protocol_versionq_proto_ssl	uint32	This attribute is extracted once per flow and indicates which SSL/TLS protocol was chosen by the server for this session.
ssl	Secure Socket Layer	common_name_raw	common_name_rawq_proto_ssl	bytes	Domain name mentioned in the certificate not decoded.
ssl	Secure Socket Layer	parent_common_name	parent_common_nameq_proto_ssl	bytes	Domain name mentioned in the original certificate (the session to be resumed).
ssl	Secure Socket Layer	server_name_raw	server_name_rawq_proto_ssl	bytes	Domain name mentioned in Client Hello message not decoded.
ssl	Secure Socket Layer	client_hello_extension_type	client_hello_extension_typeq_proto_ssl	uint32	Integer which define the type of extension on the client request
ssl	Secure Socket Layer	server_hello_extension_type	server_hello_extension_typeq_proto_ssl	uint32	Integer which define the type of extension on the server response
ssl	Secure Socket Layer	certificate_dn_subject	certificate_dn_subjectq_proto_ssl	bytes	Distinguished name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_subject_cn	certificate_subject_cnq_proto_ssl	bytes	Common name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_subject_l	certificate_subject_lq_proto_ssl	bytes	Locality name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_subject_st	certificate_subject_stq_proto_ssl	bytes	State Or Province name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_subject_o	certificate_subject_oq_proto_ssl	bytes	Organization name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_subject_ou	certificate_subject_ouq_proto_ssl	bytes	Organization Unit name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_subject_c	certificate_subject_cq_proto_ssl	bytes	Country name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_subject_street	certificate_subject_streetq_proto_ssl	bytes	Street address of the subject formatted according to RFC 1779, delimiters (< and >) are used to avoid issue with special characters.
ssl	Secure Socket Layer	certificate_dn_issuer	certificate_dn_issuerq_proto_ssl	bytes	Distinguished name of the issuer formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_issuer_cn	certificate_issuer_cnq_proto_ssl	bytes	Common name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_issuer_l	certificate_issuer_lq_proto_ssl	bytes	Locality name of the issuer formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_issuer_st	certificate_issuer_stq_proto_ssl	bytes	State Or Province name of the issuer formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_issuer_o	certificate_issuer_oq_proto_ssl	bytes	Organization name of the subject formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_issuer_ou	certificate_issuer_ouq_proto_ssl	bytes	Organization Unit name of the issuer formatted according to RFC 1779.
ssl	Secure Socket Layer	certificate_issuer_c	certificate_issuer_cq_proto_ssl	bytes	Country name of the subject issuer according to RFC 1779.
ssl	Secure Socket Layer	certificate_issuer_street	certificate_issuer_streetq_proto_ssl	bytes	Street address of the issuer formatted according to RFC 1779, delimiters (< and >) are used to avoid issue with special characters.
ssl	Secure Socket Layer	client_hello_extension_len	client_hello_extension_lenq_proto_ssl	uint32	Length in bytes of client hello extension payload.
ssl	Secure Socket Layer	server_hello_extension_len	server_hello_extension_lenq_proto_ssl	uint32	Length in bytes of server hello extension payload.
ssl	Secure Socket Layer	ext_sig_algorithms_len	ext_sig_algorithms_lenq_proto_ssl	uint32	Length in bytes of list of signature algorithms, so twice the number of algorithms. (Algorithms are encoded over two bytes.)
ssl	Secure Socket Layer	ext_sig_algorithm_scheme	ext_sig_algorithm_schemeq_proto_ssl	uint32	Signature scheme, aka hash, signature, ... (All SSL versions)
ssl	Secure Socket Layer	certificate_subject_key_algo_oid	certificate_subject_key_algo_oidq_proto_ssl	bytes	OID defining type of algorithm related to the subject key. (in string format)
ssl	Secure Socket Layer	certificate_subject_key_size	certificate_subject_key_sizeq_proto_ssl	uint32	SKI length in bytes (Subject Key Info, algorithm and value)
ssl	Secure Socket Layer	ext_ec_supported_groups_nb	ext_ec_supported_groups_nbq_proto_ssl	uint32	Number of elliptic curves.
ssl	Secure Socket Layer	ext_ec_supported_groups_type	ext_ec_supported_groups_typeq_proto_ssl	uint32	Type of the elliptic curve supported.
ssl	Secure Socket Layer	server_supported_version	server_supported_versionq_proto_ssl	uint32	Version of SSL/TLS supported by the server, this value comes from extension named supported version" in TLS. Final version chosen by server will be given by attribute protocol_version."
ssl	Secure Socket Layer	client_supported_version	client_supported_versionq_proto_ssl	uint32	Version of SSL/TLS supported by the client, this value comes from extension named supported version" in TLS. Final version chosen by server will be given by attribute protocol_version."
ssl	Secure Socket Layer	cert_extension_oid	cert_extension_oidq_proto_ssl	bytes	OID defining type of certificate extension in human readable string format.
ssl	Secure Socket Layer	client_hello_version	client_hello_versionq_proto_ssl	uint32	SSL/TLS client version field value.
ssl	Secure Socket Layer	server_hello_version	server_hello_versionq_proto_ssl	uint32	SSL/TLS server version field value.
smb	Server Message Block (Windows File Server)	login	loginq_proto_smb	bytes	User's login string.
smb	Server Message Block (Windows File Server)	service	serviceq_proto_smb	bytes	Service Type.
smb	Server Message Block (Windows File Server)	user_id	user_idq_proto_smb	uint32	User identifier (SMB usmb_v1 only).
smb	Server Message Block (Windows File Server)	directory	directoryq_proto_smb	bytes	Name of the shared directory on the server host.
smb	Server Message Block (Windows File Server)	path	pathq_proto_smb	bytes	The server/share name of the resource to which the client attempts to connect.
smb	Server Message Block (Windows File Server)	domain	domainq_proto_smb	bytes	Domain name (NTLMSSP domain).
smb	Server Message Block (Windows File Server)	native_os	native_osq_proto_smb	bytes	Client's operating system.
smb	Server Message Block (Windows File Server)	command_string	command_stringq_proto_smb	bytes	Command name.
smb	Server Message Block (Windows File Server)	filename	filenameq_proto_smb	bytes	Name of the transferred file.
smb	Server Message Block (Windows File Server)	filesize	filesizeq_proto_smb	uint64	Size (byte) of the transferred file.
smb	Server Message Block (Windows File Server)	version	versionq_proto_smb	uint32	Protocol version.
smb	Server Message Block (Windows File Server)	host	hostq_proto_smb	bytes	SMB client host name (NTLMSSP workstation).
smb	Server Message Block (Windows File Server)	krb5_service	krb5_serviceq_proto_smb	bytes	Service type.
smb	Server Message Block (Windows File Server)	krb5_server	krb5_serverq_proto_smb	bytes	Name of the server requiring Kerberos authentication.
smb	Server Message Block (Windows File Server)	krb5_realm	krb5_realmq_proto_smb	bytes	Realm in KRB-ERROR message.
smb	Server Message Block (Windows File Server)	file_type	file_typeq_proto_smb	uint32	file type.
smb	Server Message Block (Windows File Server)	ntlm_user	ntlm_userq_proto_smb	bytes	User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
smb	Server Message Block (Windows File Server)	ntlm_domain	ntlm_domainq_proto_smb	bytes	Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
smb	Server Message Block (Windows File Server)	ntlm_workstation	ntlm_workstationq_proto_smb	bytes	Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages."
smb	Server Message Block (Windows File Server)	ntlm_identifier	ntlm_identifierq_proto_smb	bytes	NTLM protocol Signature (null-terminated string).
smb	Server Message Block (Windows File Server)	ntlm_message_type	ntlm_message_typeq_proto_smb	uint32	NTLM message type.
smb	Server Message Block (Windows File Server)	dcerpc_service	dcerpc_serviceq_proto_smb	bytes	The DCERPC protocol is an RPC implementation used in Distributed Computing Environments. This protocol is used by many software applications including Microsft Exchange.
smb	Server Message Block (Windows File Server)	dcerpc_interface_uuid	dcerpc_interface_uuidq_proto_smb	bytes	ID of the interface.
smb	Server Message Block (Windows File Server)	dcerpc_call_id	dcerpc_call_idq_proto_smb	uint32	ID of the call.
smb	Server Message Block (Windows File Server)	dcerpc_context_id	dcerpc_context_idq_proto_smb	uint32	ID of the context.
smb	Server Message Block (Windows File Server)	dcerpc_opnum	dcerpc_opnumq_proto_smb	uint32	ID of specific function call to the interface.
smb	Server Message Block (Windows File Server)	header_length	header_lengthq_proto_smb	uint32	The size, in bytes, of the SMB2 header structure.
smb	Server Message Block (Windows File Server)	credit_charge	credit_chargeq_proto_smb	uint32	This field indicates the number of credits that this request consumes.
smb	Server Message Block (Windows File Server)	channel	channelq_proto_smb	uint32	This field is an indication to the server about the client's Channel change.
smb	Server Message Block (Windows File Server)	credits_requested	credits_requestedq_proto_smb	uint32	On a request, this field indicates the number of credits the client is requesting.
smb	Server Message Block (Windows File Server)	flags	flagsq_proto_smb	uint32	This field indicates how to process the operation.
smb	Server Message Block (Windows File Server)	session_id	session_idq_proto_smb	uint64	Uniquely identifies the current user session.
smb	Server Message Block (Windows File Server)	dcerpc_item_context_id	dcerpc_item_context_idq_proto_smb	uint32	Index of the current context item
smb	Server Message Block (Windows File Server)	dcerpc_abstract_itf_uuid	dcerpc_abstract_itf_uuidq_proto_smb	bytes	Interface UUID allowing to identifies RPC interface to call.
smb	Server Message Block (Windows File Server)	dcerpc_abstract_itf_version	dcerpc_abstract_itf_versionq_proto_smb	uint32	Version number of interface to call. It is defined on 32 bits.
smb	Server Message Block (Windows File Server)	dcerpc_transfer_itf_uuid	dcerpc_transfer_itf_uuidq_proto_smb	bytes	Interface UUID allowing to identifies RPC interface to get reply.
smb	Server Message Block (Windows File Server)	dcerpc_transfer_itf_version	dcerpc_transfer_itf_versionq_proto_smb	uint32	Version number of interface to get reply. It is defined on 32 bits.
smb	Server Message Block (Windows File Server)	dcerpc_result_ack_result	dcerpc_result_ack_resultq_proto_smb	uint32	Negociation result of the given presentation transfer syntax (0 stands for Acceptance).
smb	Server Message Block (Windows File Server)	dcerpc_result_ack_reason	dcerpc_result_ack_reasonq_proto_smb	uint32	Reason detailing non acceptance of the given transfer syntax, usually set to 0 when transfer syntax is accepted (Q_DCERPC_RESULT_ACK_RESULT == 0)
smb	Server Message Block (Windows File Server)	dcerpc_result_transfer_syntax_uuid	dcerpc_result_transfer_syntax_uuidq_proto_smb	bytes	UUID of selected transfer syntax, 0 stands for transfer syntax is not selected"."
smb	Server Message Block (Windows File Server)	dcerpc_result_transfer_syntax_version	dcerpc_result_transfer_syntax_versionq_proto_smb	uint32	Version of selected transfer syntax, usually also set to 0 when UUID is 0.
smb	Server Message Block (Windows File Server)	set_info_fix_struct_size	set_info_fix_struct_sizeq_proto_smb	uint32	Size of fix part of SET_INFO header (request or response).
smb	Server Message Block (Windows File Server)	set_info_size	set_info_sizeq_proto_smb	uint32	The length, in bytes, of the information to be set.
smb	Server Message Block (Windows File Server)	set_info_file_rename_root_dir	set_info_file_rename_root_dirq_proto_smb	uint64	Handle/ID of parent directory of the file to rename.
smb	Server Message Block (Windows File Server)	set_info_file_filename_length	set_info_file_filename_lengthq_proto_smb	uint32	Length of the file name field.
smb	Server Message Block (Windows File Server)	read_length	read_lengthq_proto_smb	uint32	This field is set in READ request. It is the size in bytes of number of bytes to read at a given offset (see Q_SMB_READ_OFFSET) from file referenced by GUID (Q_SMB_FILE_ID). This field can be 0.
smb	Server Message Block (Windows File Server)	read_offset	read_offsetq_proto_smb	uint64	This field is set in READ request. It is the offset in bytes from which read must be made from file referenced by GUID (Q_SMB_FILE_ID).
smb	Server Message Block (Windows File Server)	read_data_length	read_data_lengthq_proto_smb	uint32	This field is set in READ response. It is the size of data read from file referenced by from file referenced by GUID (Q_SMB_FILE_ID).
smb	Server Message Block (Windows File Server)	read_data_remaining	read_data_remainingq_proto_smb	uint32	This field is set in READ response. It is the size in bytes of the remaining data being sent on the Channel specified in the request.
smb	Server Message Block (Windows File Server)	write_length	write_lengthq_proto_smb	uint32	This field is set in WRITE request. It is the size in bytes of number of bytes to write at a given offset (see Q_SMB_WRITE_OFFSET) in file referenced by GUID (Q_SMB_FILE_ID). This field can be 0.
smb	Server Message Block (Windows File Server)	write_offset	write_offsetq_proto_smb	uint64	This field is set in WRITE request. It is the offset in bytes from which write must be made in file referenced by GUID (Q_SMB_FILE_ID).
smb	Server Message Block (Windows File Server)	write_count	write_countq_proto_smb	uint32	This field is set in WRITE response. It is the size of data written in file referenced by from file referenced by GUID (Q_SMB_FILE_ID).
smb	Server Message Block (Windows File Server)	write_data_remaining	write_data_remainingq_proto_smb	uint32	This field is set in WRITE response. It is a reserved field, raise it whatever it contains, It should be set to 0 by server.
smb	Server Message Block (Windows File Server)	tcax_rsp_native_fs	tcax_rsp_native_fsq_proto_smb	bytes	Name of the file system on the local resource to which the returned Tree ID is connected (null terminated Unicode or OEM characters).
sip	Session Initiation Protocol	method	methodq_proto_sip	bytes	The command
sip	Session Initiation Protocol	uri	uriq_proto_sip	bytes	Contains the URI (similar to To: field)
sip	Session Initiation Protocol	reply_code	reply_codeq_proto_sip	bytes	Return status code.
sip	Session Initiation Protocol	mime_type	mime_typeq_proto_sip	bytes	Data type.
sip	Session Initiation Protocol	user_agent	user_agentq_proto_sip	bytes	Client's software.
sip	Session Initiation Protocol	request_call_id	request_call_idq_proto_sip	bytes	Call's id extracted for each sip request.
sip	Session Initiation Protocol	server_agent	server_agentq_proto_sip	bytes	Server's software.
sip	Session Initiation Protocol	subject	subjectq_proto_sip	bytes	the subject header present in the SIP packet
sip	Session Initiation Protocol	date	dateq_proto_sip	bytes	Contains the date and time.
sip	Session Initiation Protocol	call_id	call_idq_proto_sip	bytes	Call id, extracted for each call.
sip	Session Initiation Protocol	time_before_spk	time_before_spkq_proto_sip	string	Waiting delay before speak
sip	Session Initiation Protocol	call_duration	call_durationq_proto_sip	string	Call duration.
sip	Session Initiation Protocol	caller	callerq_proto_sip	bytes	Contains the identity (or the phone number) of the initiator of the call.
sip	Session Initiation Protocol	callee	calleeq_proto_sip	bytes	Contains the identity (or the phone number) of the called party for a call.
sip	Session Initiation Protocol	caller_addr	caller_addrq_proto_sip	string	Address which could be used by the initiator of the call.
sip	Session Initiation Protocol	callee_addr	callee_addrq_proto_sip	string	Address which could be used by the called party.
sip	Session Initiation Protocol	media_type	media_typeq_proto_sip	bytes	Contains the media type.
sip	Session Initiation Protocol	media_proto	media_protoq_proto_sip	bytes	Protocol used in client stream.
sip	Session Initiation Protocol	media_format	media_formatq_proto_sip	uint32	Client's protocol formats available.
sip	Session Initiation Protocol	user_id	user_idq_proto_sip	bytes	Client identifier used for his registering with a SIP server.
sip	Session Initiation Protocol	domain	domainq_proto_sip	bytes	Caller's or callee's domain
sip	Session Initiation Protocol	connection_info_nb_addr	connection_info_nb_addrq_proto_sip	uint32	Number of addresses defined for the connection (see RFC 4566 section 5.14).
sip	Session Initiation Protocol	data_nb_ports	data_nb_portsq_proto_sip	uint32	Number of ports defined for the connection (see RFC 4566 section 5.14).
sip	Session Initiation Protocol	mime_type_main	mime_type_mainq_proto_sip	bytes	Primary part of the MIME type.
sip	Session Initiation Protocol	mime_type_sub	mime_type_subq_proto_sip	bytes	Second part of the MIME type.
stun	Session Traversal Utilities for NAT	mapped_address_ipv4	mapped_address_ipv4q_proto_stun	string	IPv4 address to be mapped.
stun	Session Traversal Utilities for NAT	xor_mapped_address_ipv4	xor_mapped_address_ipv4q_proto_stun	string	IPv4 address to be mapped, in XORed version (obfuscated).
stun	Session Traversal Utilities for NAT	magic_cookie	magic_cookieq_proto_stun	uint32	The magic cookie used to deobfuscate the XOR Mapped Port and XOR Mapped Address.
stun	Session Traversal Utilities for NAT	remote_address_ipv4	remote_address_ipv4q_proto_stun	string	IPv4 address of the distant peer as seen from the STUN relay server.
stun	Session Traversal Utilities for NAT	realm	realmq_proto_stun	bytes	Realm in message used for authentication.
stun	Session Traversal Utilities for NAT	software	softwareq_proto_stun	bytes	Description of the software used being used by the agent sending the message.
stun	Session Traversal Utilities for NAT	unxor_mapped_address_ipv4	unxor_mapped_address_ipv4q_proto_stun	string	IPv4 address to be mapped, in decoded XOR version (deobfuscated).
smpp	Short message peer-to-peer protocol	sender	senderq_proto_smpp	bytes	Sender's address.
smpp	Short message peer-to-peer protocol	receiver	receiverq_proto_smpp	bytes	Receiver's address.
silverlight	Silverlight (Microsoft Smooth Streaming)	video_datarate	video_datarateq_proto_silverlight	bytes	Video bitrate in kilobits per second.
smtp	Simple Mail Transfer Protocol	login	loginq_proto_smtp	bytes	User's login string.
smtp	Simple Mail Transfer Protocol	password	passwordq_proto_smtp	bytes	User's password string.
smtp	Simple Mail Transfer Protocol	sender_alias	sender_aliasq_proto_smtp	bytes	Name of the email sender.
smtp	Simple Mail Transfer Protocol	sender_email	sender_emailq_proto_smtp	bytes	Email address of the email sender.
smtp	Simple Mail Transfer Protocol	sender_domain	sender_domainq_proto_smtp	bytes	Domain of the sender's email address.
smtp	Simple Mail Transfer Protocol	receiver_domain	receiver_domainq_proto_smtp	bytes	Domain of the recipient's email address.
smtp	Simple Mail Transfer Protocol	receiver_email	receiver_emailq_proto_smtp	bytes	Email address of message receiver (included cc and bcc receivers).
smtp	Simple Mail Transfer Protocol	method	methodq_proto_smtp	bytes	Command sent by the client
smtp	Simple Mail Transfer Protocol	response_code	response_codeq_proto_smtp	uint32	Return code
smtp	Simple Mail Transfer Protocol	server_response	server_responseq_proto_smtp	bytes	The return code of the server
smtp	Simple Mail Transfer Protocol	subject	subjectq_proto_smtp	bytes	Message subject.
smtp	Simple Mail Transfer Protocol	date	dateq_proto_smtp	bytes	Message date.
smtp	Simple Mail Transfer Protocol	mime_type	mime_typeq_proto_smtp	bytes	Mail's content type.
smtp	Simple Mail Transfer Protocol	msg_id	msg_idq_proto_smtp	bytes	Identifier of the message.
smtp	Simple Mail Transfer Protocol	user_agent	user_agentq_proto_smtp	bytes	Name of the software used.
smtp	Simple Mail Transfer Protocol	start_time	start_timeq_proto_smtp	string	Starting time of SMTP session
smtp	Simple Mail Transfer Protocol	stop_time	stop_timeq_proto_smtp	string	Ending time of SMTP session
smtp	Simple Mail Transfer Protocol	duration	durationq_proto_smtp	string	Duration of the SMTP session
smtp	Simple Mail Transfer Protocol	attach_type	attach_typeq_proto_smtp	bytes	Content type of the sent attached file.
smtp	Simple Mail Transfer Protocol	attach_size	attach_sizeq_proto_smtp	uint32	Attached file MIME size.
smtp	Simple Mail Transfer Protocol	attach_disposition	attach_dispositionq_proto_smtp	bytes	Full 'Content-Disposition' header value starting with attached file disposition (inline, attachment, ...).
smtp	Simple Mail Transfer Protocol	attach_filename	attach_filenameq_proto_smtp	bytes	Attachment name.
smtp	Simple Mail Transfer Protocol	server	serverq_proto_smtp	bytes	Contains the name of the used SMTP server
smtp	Simple Mail Transfer Protocol	replyto	replytoq_proto_smtp	bytes	Email address to use in a reply for this message.
smtp	Simple Mail Transfer Protocol	file_type	file_typeq_proto_smtp	bytes	Received or sent file content type (prefix-based pattern recognition) exchanged using this protocol.
smtp	Simple Mail Transfer Protocol	email	emailq_proto_smtp	bool	Parent entry, for fields belonging to the same email.
smtp	Simple Mail Transfer Protocol	sender_entry	sender_entryq_proto_smtp	bool	Parent entry, for different elements belonging to the sender.
smtp	Simple Mail Transfer Protocol	mailfrom	mailfromq_proto_smtp	bool	Contains the domain and the sender's email
smtp	Simple Mail Transfer Protocol	rcptto	rcpttoq_proto_smtp	bool	Domain and recipient's email address (used by RCPT TO method).
smtp	Simple Mail Transfer Protocol	receiver_entry	receiver_entryq_proto_smtp	bool	Parent entry, for different elements belonging to the email receiver.
smtp	Simple Mail Transfer Protocol	request	requestq_proto_smtp	bool	Parent entry, empty, for client request and server response.
smtp	Simple Mail Transfer Protocol	attach	attachq_proto_smtp	bool	Parent entry, for attach fields in a message.
smtp	Simple Mail Transfer Protocol	content	contentq_proto_smtp	bytes	Full message content (headers, body, attachments). The data is extracted in streamed mode, line per line.
smtp	Simple Mail Transfer Protocol	received	receivedq_proto_smtp	bool	Parent entry, for fields added by each relay
smtp	Simple Mail Transfer Protocol	end	endq_proto_smtp	Void	Indicates the end of a top-level parent attribute. This attribute's behavior depends on the method used to extract it: 1) If using the ixEngine v4 API function uevent_hook_add_parms", it will be extracted like any other attribute. 2) If using the ixEngine v4 API function "afc_metadata_add", it will generate an attribute having the attribute ID of the associated top-level parent attribute and the ctb_metadata_attr.qm_end flag set to 1. 3) In ixEngine v5, the "qmdpi_result_attr_getnext" function allows user to get attribute information (flow, proto_id, attr_id, data, data_len and flags). When the parent attribute is ended, the QMDPI_ATTR_PARENT_END flag is set to 1."
smtp	Simple Mail Transfer Protocol	attach_filename_cdispo	attach_filename_cdispoq_proto_smtp	bytes	Attachment name. The attachment name is extracted from 'Content-Disposition' field.
smtp	Simple Mail Transfer Protocol	attach_size_decoded	attach_size_decodedq_proto_smtp	uint32	Base64-decoded attached file content size in Bytes.
smtp	Simple Mail Transfer Protocol	email_boundary	email_boundaryq_proto_smtp	bytes	boundary used to separate different parts of the message body.
smtp	Simple Mail Transfer Protocol	resent_from	resent_fromq_proto_smtp	bytes	Full address of the person for whom message is resent.
smtp	Simple Mail Transfer Protocol	resent_from_email	resent_from_emailq_proto_smtp	bytes	Email address of the person for whom message is resent.
smtp	Simple Mail Transfer Protocol	resent_from_alias	resent_from_aliasq_proto_smtp	bytes	Name of the person for whom message is resent.
smtp	Simple Mail Transfer Protocol	resent_sender	resent_senderq_proto_smtp	bytes	Full address of the person who has actually resent the message.
smtp	Simple Mail Transfer Protocol	resent_sender_email	resent_sender_emailq_proto_smtp	bytes	Email address of the person who has actually resent the message.
smtp	Simple Mail Transfer Protocol	resent_sender_alias	resent_sender_aliasq_proto_smtp	bytes	Name of the person who has actually resent the message.
smtp	Simple Mail Transfer Protocol	attach_content_id	attach_content_idq_proto_smtp	bytes	Attached file content identifier.
smtp	Simple Mail Transfer Protocol	attach_content_desc	attach_content_descq_proto_smtp	bytes	Descriptive information for the attached file content.
smtp	Simple Mail Transfer Protocol	content_id	content_idq_proto_smtp	bytes	Indicates the identifier of the email content.
smtp	Simple Mail Transfer Protocol	content_desc	content_descq_proto_smtp	bytes	Indicates the description of the email content.
smtp	Simple Mail Transfer Protocol	received_by	received_byq_proto_smtp	bytes	Contains the name of the receiving host.
smtp	Simple Mail Transfer Protocol	mime_version	mime_versionq_proto_smtp	bytes	Version of the message body format standard used in the mail protocol.
smtp	Simple Mail Transfer Protocol	return_path	return_pathq_proto_smtp	bytes	Message return path.
smtp	Simple Mail Transfer Protocol	client_domain	client_domainq_proto_smtp	bytes	Client domain information as found in the EHLO or HELO SMTP command parameter. This parameter gives the SMTP client domain name to the server. It can be sent as a FQDN or an IP address
smtp	Simple Mail Transfer Protocol	x_originating_ip4	x_originating_ip4q_proto_smtp	string	The IP address of client who sent the email.
smtp	Simple Mail Transfer Protocol	x_originating_str	x_originating_strq_proto_smtp	bytes	Non-standard SMTP header representing the origin IP address (IPv4 or IPv6) of client in string format.
smtp	Simple Mail Transfer Protocol	in_reply_to	in_reply_toq_proto_smtp	bytes	Email address of the original message used when creating a reply message.
snmp	Simple Network Management Protocol	community	communityq_proto_snmp	bytes	Community name.
snmp	Simple Network Management Protocol	method	methodq_proto_snmp	bytes	SNMP request type.
snmp	Simple Network Management Protocol	request_id	request_idq_proto_snmp	uint32	Request Identifier.
snmp	Simple Network Management Protocol	oid	oidq_proto_snmp	bytes	Object Identifier.
snmp	Simple Network Management Protocol	value_len	value_lenq_proto_snmp	uint32	Size of value_raw in bytes.
snmp	Simple Network Management Protocol	name	nameq_proto_snmp	bytes	Name the user.
snpp	Simple Network Paging Protocol	login	loginq_proto_snpp	bytes	User's login string.
snpp	Simple Network Paging Protocol	password	passwordq_proto_snpp	bytes	User's password string.
snpp	Simple Network Paging Protocol	method	methodq_proto_snpp	bytes	Contains the SNPP command.
snpp	Simple Network Paging Protocol	caller_id	caller_idq_proto_snpp	bytes	Login of person who send the message.
snpp	Simple Network Paging Protocol	message	messageq_proto_snpp	bytes	Contains the message sent to the pager.
snpp	Simple Network Paging Protocol	pager_id	pager_idq_proto_snpp	bytes	Contains pager number.
ssdp	Simple Service Discovery Protocol	header_value	header_valueq_proto_ssdp	bytes	Header data.
ssdp	Simple Service Discovery Protocol	header_name	header_nameq_proto_ssdp	bytes	Header name.
ssdp	Simple Service Discovery Protocol	content_length	content_lengthq_proto_ssdp	bytes	Length of the request body in bytes. (CONTENT-LENGTH field value)
ssdp	Simple Service Discovery Protocol	cache_control	cache_controlq_proto_ssdp	bytes	Contains max-age directive (max-age=) followed by an integer that specifies the validity duration in seconds. (CACHE-CONTROL field value)
ssdp	Simple Service Discovery Protocol	server_agent	server_agentq_proto_ssdp	bytes	Server information (SERVER field value). It contains the product tokens: <OS name/OS version> <UPnP/upnp version> <product name/product version>.
ssdp	Simple Service Discovery Protocol	location	locationq_proto_ssdp	bytes	URL for UPnP description of the device. (LOCATION field value)
ssdp	Simple Service Discovery Protocol	host	hostq_proto_ssdp	bytes	Domain name or IP address and optional port. (HOST field value)
ssdp	Simple Service Discovery Protocol	unique_service_name	unique_service_nameq_proto_ssdp	bytes	Unique service name. (USN field value)
ssdp	Simple Service Discovery Protocol	notification_sub_type	notification_sub_typeq_proto_ssdp	bytes	Notification sub type. (NTS field value)
ssdp	Simple Service Discovery Protocol	notification_type	notification_typeq_proto_ssdp	bytes	Notification type. (NT field value)
ssdp	Simple Service Discovery Protocol	search_target	search_targetq_proto_ssdp	bytes	Search target. (ST field value)
ssdp	Simple Service Discovery Protocol	uri	uriq_proto_ssdp	bytes	URI contained in the request.
ssdp	Simple Service Discovery Protocol	version	versionq_proto_ssdp	bytes	Version of the SSDP protocol used in the message.
ssdp	Simple Service Discovery Protocol	method	methodq_proto_ssdp	bytes	Contains the SSDP command.
sina_webmail	Sina Webmail	folderlist	folderlistq_proto_sina_webmail	bytes	Contains the message folder list.
sina_webmail	Sina Webmail	msglist_date	msglist_dateq_proto_sina_webmail	bytes	Message date in a message list.
sina_webmail	Sina Webmail	msglist_subject	msglist_subjectq_proto_sina_webmail	bytes	Message subject in a message list.
sina_webmail	Sina Webmail	msglist_receiver_alias	msglist_receiver_aliasq_proto_sina_webmail	bytes	Name of email receiver.
sina_webmail	Sina Webmail	msglist_receiver_email	msglist_receiver_emailq_proto_sina_webmail	bytes	Email address of the email receiver.
sina_webmail	Sina Webmail	msglist_receiver	msglist_receiverq_proto_sina_webmail	bytes	Full address of email receiver in a message list.
sina_webmail	Sina Webmail	msglist_sender_alias	msglist_sender_aliasq_proto_sina_webmail	bytes	Name of email sender.
sina_webmail	Sina Webmail	msglist_sender_email	msglist_sender_emailq_proto_sina_webmail	bytes	Address of email sender.
sina_webmail	Sina Webmail	msglist_sender	msglist_senderq_proto_sina_webmail	bytes	Full address of email sender (alias and email address).
sina_webmail	Sina Webmail	msglist_msgid	msglist_msgidq_proto_sina_webmail	bytes	Message identifier.
sina_webmail	Sina Webmail	date	dateq_proto_sina_webmail	bytes	Message date.
sina_webmail	Sina Webmail	content	contentq_proto_sina_webmail	bytes	Message content.
sina_webmail	Sina Webmail	importance	importanceq_proto_sina_webmail	uint32	Indicates if the email has been marked by the user.
sina_webmail	Sina Webmail	subject	subjectq_proto_sina_webmail	bytes	Message subject.
sina_webmail	Sina Webmail	receiver_type	receiver_typeq_proto_sina_webmail	bytes	Type of the email receiver.
sina_webmail	Sina Webmail	receiver_alias	receiver_aliasq_proto_sina_webmail	bytes	Name of email receiver (included cc and bcc receivers).
sina_webmail	Sina Webmail	receiver_email	receiver_emailq_proto_sina_webmail	bytes	Email address of message receiver (included cc and bcc receivers).
sina_webmail	Sina Webmail	receiver	receiverq_proto_sina_webmail	bytes	Full address of email receiver (including cc and bcc receivers).
sina_webmail	Sina Webmail	sender_alias	sender_aliasq_proto_sina_webmail	bytes	Name of the email sender.
sina_webmail	Sina Webmail	sender_email	sender_emailq_proto_sina_webmail	bytes	Email address of the email sender.
sina_webmail	Sina Webmail	sender	senderq_proto_sina_webmail	bytes	Full address of email sender (alias followed by email address).
sina_webmail	Sina Webmail	action	actionq_proto_sina_webmail	bytes	Indicates the action executed by the user.
sina_webmail	Sina Webmail	attach_id	attach_idq_proto_sina_webmail	bytes	Attachment identifier.
sina_webmail	Sina Webmail	attach_size	attach_sizeq_proto_sina_webmail	uint32	Attached file MIME size.
sina_webmail	Sina Webmail	attach_filename	attach_filenameq_proto_sina_webmail	bytes	Attachment name.
sina_webmail	Sina Webmail	msg_id	msg_idq_proto_sina_webmail	bytes	Identifier of the message.
sina_webmail	Sina Webmail	draft	draftq_proto_sina_webmail	uint32	Indicates if the email is a draft or has really been posted
sina_webmail	Sina Webmail	attach_type	attach_typeq_proto_sina_webmail	bytes	Content type of the sent attached file.
sina_webmail	Sina Webmail	is_html	is_htmlq_proto_sina_webmail	uint32	Specifies the email content format is html or not
sina_webmail	Sina Webmail	folder	folderq_proto_sina_webmail	bytes	Indicates the directory from where messages are read.
sina_webmail	Sina Webmail	folderlist_item_name	folderlist_item_nameq_proto_sina_webmail	bytes	Message folder name.
sina_webmail	Sina Webmail	folderlist_item_id	folderlist_item_idq_proto_sina_webmail	bytes	Message folder unique identifier.
sina_webmail	Sina Webmail	msglist_folder	msglist_folderq_proto_sina_webmail	bytes	Indicates the directory from a message list.
sina_weibo	Sina Weibo	user_id	user_idq_proto_sina_weibo	bytes	Unique identifier related to a single user. This attribute is available for clear traffic from Mobile applications, it may be not available for traffic from recent web browsers enforcing use of TLS.
sccp	Skinny Client Control Protocol	call_id	call_idq_proto_sccp	uint32	Call id, extracted for each call.
sccp	Skinny Client Control Protocol	caller	callerq_proto_sccp	bytes	Contains the identity (or the phone number) of the initiator of the call.
sccp	Skinny Client Control Protocol	callee	calleeq_proto_sccp	bytes	Contains the identity (or the phone number) of the called party for a call.
sccp	Skinny Client Control Protocol	callername	callernameq_proto_sccp	bytes	Calling party identity
sccp	Skinny Client Control Protocol	calleename	calleenameq_proto_sccp	bytes	Called party identity
sccp	Skinny Client Control Protocol	device_type	device_typeq_proto_sccp	uint32	Device type
sccp	Skinny Client Control Protocol	device_name	device_nameq_proto_sccp	bytes	Device name
sccp	Skinny Client Control Protocol	start_time	start_timeq_proto_sccp	string	Start date of the call.
sccp	Skinny Client Control Protocol	call_duration	call_durationq_proto_sccp	string	Call duration.
sccp	Skinny Client Control Protocol	nb_pkt_sent	nb_pkt_sentq_proto_sccp	uint32	Number of RTP packets sent
sccp	Skinny Client Control Protocol	nb_pkt_rcv	nb_pkt_rcvq_proto_sccp	uint32	Number of RTP packets received
sccp	Skinny Client Control Protocol	nb_byt_sent	nb_byt_sentq_proto_sccp	uint32	Number of RTP octets sent
sccp	Skinny Client Control Protocol	nb_byt_rcv	nb_byt_rcvq_proto_sccp	uint32	Number of RTP octets received
sccp	Skinny Client Control Protocol	nb_pkt_lost	nb_pkt_lostq_proto_sccp	uint32	Number of RTP packets lost
sccp	Skinny Client Control Protocol	stats_jitter	stats_jitterq_proto_sccp	uint32	Observed Jitter for RTP packets
sccp	Skinny Client Control Protocol	stats_latency	stats_latencyq_proto_sccp	uint32	Observed latency for RTP packets
sccp	Skinny Client Control Protocol	message_type	message_typeq_proto_sccp	uint32	The type of the message.
sccp	Skinny Client Control Protocol	call_way	call_wayq_proto_sccp	uint32	The call Way (In, Out)
sccp	Skinny Client Control Protocol	callstate	callstateq_proto_sccp	uint32	Status of the current call
sccp	Skinny Client Control Protocol	codec	codecq_proto_sccp	uint32	The codec used in the RTP session
sccp	Skinny Client Control Protocol	softkeyevent	softkeyeventq_proto_sccp	uint32	Contains the soft key event
skyblog	Skyblog	login	loginq_proto_skyblog	bytes	User's login string.
skype	Skype	version	versionq_proto_skype	bytes	Skype client version.
skype	Skype	service	serviceq_proto_skype	bytes	Current service identification string.
skype	Skype	service_id	service_idq_proto_skype	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
skype	Skype	service_duration	service_durationq_proto_skype	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
skype	Skype	service_duration_tv	service_duration_tvq_proto_skype	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
skype	Skype	service_stats	service_statsq_proto_skype	bytes	Composite attribute containing the packet metrics used for each new service type detection, extracting when performing STATISTICAL detection method only. Note: this attribute won't be extracted in case of session expiration (eg. when the current service is not ended properly by the user).
skype	Skype	service_divergence	service_divergenceq_proto_skype	uint32	The minimal distance" between the real traffic and its theoretical model as implemented in the Qosmos plugin."
slack	Slack	service_id	service_idq_proto_slack	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
slack	Slack	service_duration_tv	service_duration_tvq_proto_slack	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
slack	Slack	service_duration	service_durationq_proto_slack	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
slack	Slack	service	serviceq_proto_slack	bytes	Current service identification string.
socks4	SOCKet Secure v4	remote_addr	remote_addrq_proto_socks4	string	Remote IP address.
socks4	SOCKet Secure v4	remote_name	remote_nameq_proto_socks4	bytes	Fully qualified remote domain name.
socks5	SOCKet Secure v5	remote_addr	remote_addrq_proto_socks5	string	Remote IP address.
socks5	SOCKet Secure v5	remote_name	remote_nameq_proto_socks5	bytes	Fully qualified remote domain name.
socks5	SOCKet Secure v5	login	loginq_proto_socks5	bytes	User's login string.
socks5	SOCKet Secure v5	password	passwordq_proto_socks5	bytes	User's password string.
slsk	SoulSeek	query	queryq_proto_slsk	bytes	Query sent to find a file.
slsk	SoulSeek	version	versionq_proto_slsk	uint32	Current version of the Soulseek client.
slsk	SoulSeek	filename	filenameq_proto_slsk	bytes	Name of the transferred file.
slsk	SoulSeek	filesize	filesizeq_proto_slsk	uint32	Size (byte) of the transferred file.
slsk	SoulSeek	file_id	file_idq_proto_slsk	uint64	Unique identifier of a file, based on IP of peer and the unique token for this combination file/peer.
slsk	SoulSeek	transfer_way	transfer_wayq_proto_slsk	bytes	Indicates whether the file is uploaded or downloaded.
slsk	SoulSeek	password	passwordq_proto_slsk	bytes	User's password string.
slsk	SoulSeek	login	loginq_proto_slsk	bytes	User's login string.
spdy	SPDY	stream_id	stream_idq_proto_spdy	uint32	Stream identifier.
spdy	SPDY	length	lengthq_proto_spdy	uint32	Length of the message starting at the offset of this field.
spdy	SPDY	status_code	status_codeq_proto_spdy	uint32	An indicator for why the stream is being terminated.
spdy	SPDY	header_count	header_countq_proto_spdy	uint32	The number of repeating name/value pairs following this field
spdy	SPDY	header_name	header_nameq_proto_spdy	bytes	Header name, prefixed by a ':' if it's a mandatory SPDY header.
spdy	SPDY	header_value	header_valueq_proto_spdy	bytes	Header value.
spdy	SPDY	associated_stream_id	associated_stream_idq_proto_spdy	uint32	Identifier for a stream which this stream is associated to.
spdy	SPDY	host	hostq_proto_spdy	bytes	Host name value extracted from the Host header.
spdy	SPDY	server_agent	server_agentq_proto_spdy	bytes	Name of the server software.
spdy	SPDY	location	locationq_proto_spdy	bytes	Destination address where the client is redirected.
spdy	SPDY	referer	refererq_proto_spdy	bytes	Source address from which the client obtained the requested URI.
spdy	SPDY	uri_raw	uri_rawq_proto_spdy	bytes	Complete name (scheme/authority + path + request) of a web resource.
spdy	SPDY	cookie	cookieq_proto_spdy	bytes	Raw value of the SPDY Cookie header line, containing the SPDY request cookies.
spdy	SPDY	content_disposition	content_dispositionq_proto_spdy	bytes	Information related to the disposition of the content present on the web page.
spdy	SPDY	content_len	content_lenq_proto_spdy	bytes	Contains the content length of the SPDY request/response.
spdy	SPDY	method	methodq_proto_spdy	bytes	SPDY command sent by the client.
spdy	SPDY	user_agent	user_agentq_proto_spdy	bytes	Software used by the client to access the web page.
spdy	SPDY	mime_type	mime_typeq_proto_spdy	bytes	Content type of the request or the web page.
spdy	SPDY	content_transfer_encoding	content_transfer_encodingq_proto_spdy	bytes	Corresponds to HTTP's Transfer-Encoding header. Contains the content encoding (TRANSFER-ENCODING HTTP header).
spdy	SPDY	content_encoding	content_encodingq_proto_spdy	bytes	Contains content encoding format.
spdy	SPDY	date	dateq_proto_spdy	bytes	Message date.
spdy	SPDY	code	codeq_proto_spdy	uint32	Return code sent by the server.
speedtest	Speedtest	test	testq_proto_speedtest	bytes	Defines which connection test is being performed.
squirrelmail	SquirrelMail	contact_email	contact_emailq_proto_squirrelmail	bytes	Email address of a contact.
squirrelmail	SquirrelMail	contact_alias	contact_aliasq_proto_squirrelmail	bytes	Alias of a contact.
squirrelmail	SquirrelMail	msglist_sender_alias	msglist_sender_aliasq_proto_squirrelmail	bytes	Name of email sender.
squirrelmail	SquirrelMail	msglist_sender_email	msglist_sender_emailq_proto_squirrelmail	bytes	Address of email sender.
squirrelmail	SquirrelMail	msglist_subject	msglist_subjectq_proto_squirrelmail	bytes	Message subject in a message list.
squirrelmail	SquirrelMail	msglist_date	msglist_dateq_proto_squirrelmail	bytes	Message date in a message list.
squirrelmail	SquirrelMail	msglist_receiver_alias	msglist_receiver_aliasq_proto_squirrelmail	bytes	Name of email receiver.
squirrelmail	SquirrelMail	msglist_receiver_email	msglist_receiver_emailq_proto_squirrelmail	bytes	Email address of the email receiver.
squirrelmail	SquirrelMail	msglist_msgid	msglist_msgidq_proto_squirrelmail	bytes	Message identifier.
squirrelmail	SquirrelMail	attach_size	attach_sizeq_proto_squirrelmail	uint32	Attached file MIME size.
squirrelmail	SquirrelMail	date	dateq_proto_squirrelmail	bytes	Message date.
squirrelmail	SquirrelMail	sender_alias	sender_aliasq_proto_squirrelmail	bytes	Name of the email sender.
squirrelmail	SquirrelMail	sender_email	sender_emailq_proto_squirrelmail	bytes	Email address of the email sender.
squirrelmail	SquirrelMail	msg_id	msg_idq_proto_squirrelmail	bytes	Identifier of the message.
squirrelmail	SquirrelMail	folder	folderq_proto_squirrelmail	bytes	Indicates the directory from where messages are read.
squirrelmail	SquirrelMail	subject	subjectq_proto_squirrelmail	bytes	Message subject.
squirrelmail	SquirrelMail	receiver_type	receiver_typeq_proto_squirrelmail	bytes	Type of the email receiver.
squirrelmail	SquirrelMail	receiver_alias	receiver_aliasq_proto_squirrelmail	bytes	Name of email receiver (included cc and bcc receivers).
squirrelmail	SquirrelMail	receiver_email	receiver_emailq_proto_squirrelmail	bytes	Email address of message receiver (included cc and bcc receivers).
squirrelmail	SquirrelMail	attach_type	attach_typeq_proto_squirrelmail	bytes	Content type of the sent attached file.
squirrelmail	SquirrelMail	attach_filename	attach_filenameq_proto_squirrelmail	bytes	Attachment name.
squirrelmail	SquirrelMail	draft	draftq_proto_squirrelmail	uint32	Indicates if the email is a draft or has really been posted
squirrelmail	SquirrelMail	action	actionq_proto_squirrelmail	bytes	Indicates if the message is read (Read) or composed (Compose).
squirrelmail	SquirrelMail	login_server	login_serverq_proto_squirrelmail	bytes	Concatenated login and server: <login>@<server>.
squirrelmail	SquirrelMail	password	passwordq_proto_squirrelmail	bytes	User's password string.
squirrelmail	SquirrelMail	login	loginq_proto_squirrelmail	bytes	User's login string.
squirrelmail	SquirrelMail	msglist_folder	msglist_folderq_proto_squirrelmail	bytes	Indicates the directory from a message list.
squirrelmail	SquirrelMail	attach_id	attach_idq_proto_squirrelmail	bytes	Attachment identifier.
spid	Statistical Protocol IDentification	found_protocol	found_protocolq_proto_spid	bytes	Protocol name that has been discovered by SPID.
spid	Statistical Protocol IDentification	divergence	divergenceq_proto_spid	uint32	Divergence giving the distance" between the flow content and the selected SPID model. The smaller the divergence, the better the classification."
sctp	Stream Control Transmission Protocol	chunk_data_tsn	chunk_data_tsnq_proto_sctp	uint32	The Transmission Sequence Number is a global sequence number of chunks.
sctp	Stream Control Transmission Protocol	chunk_data_proto	chunk_data_protoq_proto_sctp	uint32	Indicating the data type (or protocol) containing in the chunk.
sctp	Stream Control Transmission Protocol	chunk_data_len	chunk_data_lenq_proto_sctp	uint32	The chunk data length (the payload length).
syslog	Syslog	code	codeq_proto_syslog	bytes	Message type.
t38	T.38	caller	callerq_proto_t38	bytes	Calling subscriber identification
t38	T.38	callee	calleeq_proto_t38	bytes	Called subscriber identification
t38	T.38	fax_message_number	fax_message_numberq_proto_t38	bytes	Identification associated to the following FAX messages: CSI the called subscriber identification (which is equal to the callee), CIG the calling subscriber identification (which is the caller), PWD the password, SEP the selective polling, PSA the polled subaddress, TSI the transmitting subscriber identification, SUB the subaddress and SID the sender identification.
tds	Tabular Data Stream	login	loginq_proto_tds	bytes	User's login string.
tds	Tabular Data Stream	password	passwordq_proto_tds	bytes	User's password string.
tds	Tabular Data Stream	hostname	hostnameq_proto_tds	bytes	Name of workstation communicating with the SQL server.
tds	Tabular Data Stream	application	applicationq_proto_tds	bytes	Name of application used to connect to the database.
tds	Tabular Data Stream	server	serverq_proto_tds	bytes	Name of server hosting the SQL Server.
tds	Tabular Data Stream	library	libraryq_proto_tds	bytes	Name of network dynamic-link library used.
tds	Tabular Data Stream	database_name	database_nameq_proto_tds	bytes	Name of the used database.
tds	Tabular Data Stream	language	languageq_proto_tds	bytes	User locale.
tds	Tabular Data Stream	query	queryq_proto_tds	bytes	SQL query sent by the client.
tds	Tabular Data Stream	login_encrypted	login_encryptedq_proto_tds	uint32	This attribute is set to one if the login phase is encrypted. Implemented conforming to the Microsoft 2014 MS-TDS official specification (http://msdn.microsoft.com/en-us/library/dd304523.aspx); beware, the behaviour may be different with old releases of MS SQL Server not supporting the standard.
tds	Tabular Data Stream	query_id	query_idq_proto_tds	bytes	Request identifier. It is used to correlate SQL queries with query parameter values (Bind Variables).
tds	Tabular Data Stream	bind_variable	bind_variableq_proto_tds	bytes	Parent attribute containing attributes related to a query parameter (Bind Variable).
tds	Tabular Data Stream	variable_type	variable_typeq_proto_tds	bytes	Data type of a SQL query parameter (Bind Variable).
tds	Tabular Data Stream	variable_id	variable_idq_proto_tds	bytes	Query parameter (Bind Variable) identifier within a SQL request.
tds	Tabular Data Stream	variable_format	variable_formatq_proto_tds	uint32	Format of a SQL query parameter (Bind Variable).
tds	Tabular Data Stream	number_columns	number_columnsq_proto_tds	uint64	Column count in the result data set retrieved from server after a SQL query.
tds	Tabular Data Stream	number_rows	number_rowsq_proto_tds	uint32	Row count in the result data set retrieved from server after a SQL query.
tds	Tabular Data Stream	sqlstate_code	sqlstate_codeq_proto_tds	uint32	SQL error code.
tagged	Tagged.com	login	loginq_proto_tagged	bytes	User's login string.
tagged	Tagged.com	password	passwordq_proto_tagged	bytes	User's password string.
tango	Tango Video Calls	callee_id	callee_idq_proto_tango	bytes	Called part identifier.
tango	Tango Video Calls	caller_id	caller_idq_proto_tango	bytes	Calling part identifier.
tango	Tango Video Calls	callee	calleeq_proto_tango	bytes	Contains the identity (or the phone number) of the called party for a call.
tango	Tango Video Calls	caller	callerq_proto_tango	bytes	Contains the identity (or the phone number) of the initiator of the call.
tango	Tango Video Calls	call_id	call_idq_proto_tango	bytes	Call id, extracted for each call.
tango	Tango Video Calls	phone_number	phone_numberq_proto_tango	bytes	User's phone number.
tango	Tango Video Calls	user_email	user_emailq_proto_tango	bytes	User's email address.
tango	Tango Video Calls	login	loginq_proto_tango	bytes	User's login string.
tango	Tango Video Calls	user_id	user_idq_proto_tango	bytes	Unique user identifier.
tango	Tango Video Calls	device_id	device_idq_proto_tango	bytes	User's device identifier.
tango	Tango Video Calls	call_duration	call_durationq_proto_tango	uint32	Call duration.
tango	Tango Video Calls	service	serviceq_proto_tango	bytes	Current service identification string.
tango	Tango Video Calls	attach_filename	attach_filenameq_proto_tango	bytes	Transferred file name.
tango	Tango Video Calls	service_duration_tv	service_duration_tvq_proto_tango	string	Timeval structure indicating, when the service is ended, the duration of it in seconds and microseconds.
tango	Tango Video Calls	service_duration	service_durationq_proto_tango	uint32	4 bytes integer value indicating, when the service is ended, the duration of it in seconds.
tango	Tango Video Calls	service_id	service_idq_proto_tango	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
tango	Tango Video Calls	service_stats	service_statsq_proto_tango	bytes	Composite attribute containing the packet metrics used for each new service type detection, extracting when performing STATISTICAL detection method only. Note: this attribute won't be extracted in case of session expiration (eg. when the current service is not ended properly by the user).
tchatche	Tchatche	login	loginq_proto_tchatche	bytes	User's login string.
tchatche	Tchatche	password	passwordq_proto_tchatche	bytes	User's password string.
teamspeak	Teamspeak v2	channel_description	channel_descriptionq_proto_teamspeak	bytes	Channel description (long)
teamspeak	Teamspeak v2	channel_action	channel_actionq_proto_teamspeak	bytes	Action associated to a channel
teamspeak	Teamspeak v2	channel_topic	channel_topicq_proto_teamspeak	bytes	Channel topic (short)
teamspeak	Teamspeak v2	channel_user	channel_userq_proto_teamspeak	bytes	User associated to an action on a channel
teamspeak	Teamspeak v2	channel_name	channel_nameq_proto_teamspeak	bytes	Channel name
teamspeak	Teamspeak v2	channel_id	channel_idq_proto_teamspeak	uint32	Channel ID
teamspeak	Teamspeak v2	contact_uid	contact_uidq_proto_teamspeak	uint32	Contact ID.
teamspeak	Teamspeak v2	contact_alias	contact_aliasq_proto_teamspeak	bytes	Contact alias.
teamspeak	Teamspeak v2	message_scope	message_scopeq_proto_teamspeak	uint32	Message scope
teamspeak	Teamspeak v2	message	messageq_proto_teamspeak	bytes	Contains the chat message.
teamspeak	Teamspeak v2	receiver_uid	receiver_uidq_proto_teamspeak	uint32	Receiver ID for this message
teamspeak	Teamspeak v2	receiver	receiverq_proto_teamspeak	bytes	Contains the identity of the receiver for a chat message or a file transfer.
teamspeak	Teamspeak v2	sender_uid	sender_uidq_proto_teamspeak	uint32	Sender ID for this message
teamspeak	Teamspeak v2	sender	senderq_proto_teamspeak	bytes	Contains the identity of the sender of a chat session or a file transfer.
teamspeak	Teamspeak v2	channel	channelq_proto_teamspeak	bytes	Chat room name.
teamspeak	Teamspeak v2	greeting_message	greeting_messageq_proto_teamspeak	bytes	Server greeting message
teamspeak	Teamspeak v2	server_version	server_versionq_proto_teamspeak	bytes	Server software version
teamspeak	Teamspeak v2	server_name	server_nameq_proto_teamspeak	bytes	Server name
teamspeak	Teamspeak v2	server_platform	server_platformq_proto_teamspeak	bytes	Server architecture
teamspeak	Teamspeak v2	client_version	client_versionq_proto_teamspeak	bytes	Client software version
teamspeak	Teamspeak v2	client_software	client_softwareq_proto_teamspeak	bytes	Client software name
teamspeak	Teamspeak v2	client_platform	client_platformq_proto_teamspeak	bytes	Client architecture
teamspeak	Teamspeak v2	client_uid	client_uidq_proto_teamspeak	uint32	Client session ID
teamspeak	Teamspeak v2	session_id	session_idq_proto_teamspeak	uint32	Uniquely identifies the current user session.
teamspeak	Teamspeak v2	password	passwordq_proto_teamspeak	bytes	User's password string.
teamspeak	Teamspeak v2	login	loginq_proto_teamspeak	bytes	User's login string.
teamspeak	Teamspeak v2	nickname	nicknameq_proto_teamspeak	bytes	User nickname
telegram	Telegram	service	serviceq_proto_telegram	bytes	Current service identification string.
telegram	Telegram	service_id	service_idq_proto_telegram	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
telegram	Telegram	service_duration	service_durationq_proto_telegram	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
telegram	Telegram	service_duration_tv	service_duration_tvq_proto_telegram	string	structure indicating, when the service is ended, the length of it in second and microseconds.
telnet	Telnet	login	loginq_proto_telnet	bytes	User's login string.
telnet	Telnet	password	passwordq_proto_telnet	bytes	User's password string.
telnet	Telnet	term_type	term_typeq_proto_telnet	bytes	Terminal type.
telnet	Telnet	rtt	rttq_proto_telnet	string	Server response time.
teredo	Teredo protocol	server_ip	server_ipq_proto_teredo	string	The IPv4 network address of the Teredo server involved in the exchange, read from the encapsulated IPv6 packet header
teredo	Teredo protocol	client_ip	client_ipq_proto_teredo	string	Client's mapped IPv4 net address.
teredo	Teredo protocol	origin_client_ip	origin_client_ipq_proto_teredo	string	IPv4 client address as visible in the Origin Indication
teredo	Teredo protocol	client_id	client_idq_proto_teredo	bytes	Client identifier, set up during its configuration
teredo	Teredo protocol	auth_value	auth_valueq_proto_teredo	bytes	Client Authentication string
tcp	Transmission Control Protocol	seg_buffered_count	seg_buffered_countq_proto_tcp	uint32	Number of segments that have been buffered for reassembly
tcp	Transmission Control Protocol	seg_buffered_size	seg_buffered_sizeq_proto_tcp	uint32	Sizes sum of segments that have been buffered for reassembly
tns	Transparent Network Service (Oracle)	login	loginq_proto_tns	bytes	User's login string.
tns	Transparent Network Service (Oracle)	password	passwordq_proto_tns	bytes	User's password string.
tns	Transparent Network Service (Oracle)	base	baseq_proto_tns	bytes	Database name.
tns	Transparent Network Service (Oracle)	server_hostname	server_hostnameq_proto_tns	bytes	Database server hostname.
tns	Transparent Network Service (Oracle)	server_os	server_osq_proto_tns	bytes	Database server operating system.
tns	Transparent Network Service (Oracle)	client_os	client_osq_proto_tns	bytes	Client machine operating system.
tns	Transparent Network Service (Oracle)	client_hostname	client_hostnameq_proto_tns	bytes	Client machine hostname.
tns	Transparent Network Service (Oracle)	client_program_path	client_program_pathq_proto_tns	bytes	Client program absolute path.
tns	Transparent Network Service (Oracle)	client_program_name	client_program_nameq_proto_tns	bytes	Client program name.
tns	Transparent Network Service (Oracle)	query	queryq_proto_tns	bytes	SQL query sent by the client.
tns	Transparent Network Service (Oracle)	response_size	response_sizeq_proto_tns	uint32	Unitary size in bytes of one the PDUs returned by the server.
tns	Transparent Network Service (Oracle)	response_time	response_timeq_proto_tns	string	Elapsed time between sending of the tns request and reception of its response.
tns	Transparent Network Service (Oracle)	rdbms_version	rdbms_versionq_proto_tns	bytes	Version of the Relational Data Base Management System
tns	Transparent Network Service (Oracle)	oracle_version	oracle_versionq_proto_tns	uint32	Version of the Oracle server
tns	Transparent Network Service (Oracle)	sqlstate_code	sqlstate_codeq_proto_tns	bytes	SQL error code.
tns	Transparent Network Service (Oracle)	variable_id	variable_idq_proto_tns	bytes	Query parameter (Bind Variable) identifier within a SQL request.
tns	Transparent Network Service (Oracle)	variable_type	variable_typeq_proto_tns	bytes	Data type of a SQL query parameter (Bind Variable).
tns	Transparent Network Service (Oracle)	number_columns	number_columnsq_proto_tns	uint64	Column count in the result data set retrieved from server after a SQL query.
tns	Transparent Network Service (Oracle)	number_rows	number_rowsq_proto_tns	uint32	Row count in the result data set retrieved from server after a SQL query.
tftp	Trivial File Transfer Protocol	filename	filenameq_proto_tftp	bytes	Name of the transferred file.
tftp	Trivial File Transfer Protocol	request_filename	request_filenameq_proto_tftp	bytes	Name of the requested file.
tftp	Trivial File Transfer Protocol	filesize	filesizeq_proto_tftp	uint32	Size (byte) of the transferred file.
tftp	Trivial File Transfer Protocol	mode	modeq_proto_tftp	bytes	File transfer mode (Netascii/ Binary/ Mail).
tftp	Trivial File Transfer Protocol	query	queryq_proto_tftp	bytes	Command type.
twitter	Twitter	media_url	media_urlq_proto_twitter	bytes	URL of the image which is shared inside a tweet (legacy Twitter API).
twitter	Twitter	tweet	tweetq_proto_twitter	bytes	Text of a tweet or a direct message.
twitter	Twitter	user_id	user_idq_proto_twitter	bytes	User id appearing in the result of a request.
twitter	Twitter	param_screen_name	param_screen_nameq_proto_twitter	bytes	User screen name used as request parameter.
twitter	Twitter	param_user_id	param_user_idq_proto_twitter	bytes	User id used as request parameter.
twitter	Twitter	action	actionq_proto_twitter	bytes	Indicates the action executed by the user.
twitter	Twitter	login	loginq_proto_twitter	bytes	User's login string.
twitter	Twitter	session_id	session_idq_proto_twitter	bytes	Uniquely identifies the current user session.
unknown	Unknown virtual protocol	maybe_application_id	maybe_application_idq_proto_unknown	uint32	Possible application's ID for this flow.
unknown	Unknown virtual protocol	maybe_application	maybe_applicationq_proto_unknown	bytes	Possible application's name for this flow.
unknown	Unknown virtual protocol	maybe_family	maybe_familyq_proto_unknown	bytes	Protocol family of a possible application for this flow.
upnp	upnp	server_agent	server_agentq_proto_upnp	bytes	Server information (SERVER field value). It contains the product tokens: <OS name/OS version> <UPnP/upnp version> <product name/product version>, v5 only.
upnp	upnp	user_agent	user_agentq_proto_upnp	bytes	Client information (USER-AGENT field value). It contains the product tokens: <OS name/OS version> <UPnP/upnp version> <product name/product version>,v5 only.
ustream	UStream	password	passwordq_proto_ustream	bytes	User's password string.
ustream	UStream	login	loginq_proto_ustream	bytes	User's login string.
ustream	UStream	query_text	query_textq_proto_ustream	bytes	Query sent to the search engine.
ustream	UStream	query_raw	query_rawq_proto_ustream	bytes	Contains the query sent to the search engine as indicated in the URL.
viadeo	Viadeo.com	login	loginq_proto_viadeo	bytes	User's login string.
viadeo	Viadeo.com	contact_email	contact_emailq_proto_viadeo	bytes	Contact's mail address.
viber	Viber	filesize	filesizeq_proto_viber	uint64	Size (byte) of the transferred file.
viber	Viber	service	serviceq_proto_viber	bytes	Current service identification string.
viber	Viber	service_id	service_idq_proto_viber	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
viber	Viber	service_duration	service_durationq_proto_viber	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
viber	Viber	service_duration_tv	service_duration_tvq_proto_viber	string	structure indicating, when the service is ended, the length of it in second and microseconds.
vxlan	Virtual Extensible Lan	vxlan_id	vxlan_idq_proto_vxlan	uint32	VLAN Identifier of the frame.
vkontakte	Vk.com (Vkontakte)	group_name	group_nameq_proto_vkontakte	bytes	Name of the group the user has subscribed to.
vkontakte	Vk.com (Vkontakte)	contact_uid	contact_uidq_proto_vkontakte	bytes	Contact ID.
vkontakte	Vk.com (Vkontakte)	account_uid	account_uidq_proto_vkontakte	bytes	User ID.
vkontakte	Vk.com (Vkontakte)	login	loginq_proto_vkontakte	bytes	User's login string.
webex	WebEx	service	serviceq_proto_webex	bytes	Current service identification string, v5 only.
webex	WebEx	service_id	service_idq_proto_webex	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer), v5 only.
webex	WebEx	service_duration	service_durationq_proto_webex	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds, v5 only.
webex	WebEx	service_duration_tv	service_duration_tvq_proto_webex	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds, v5 only.
wechat	WeChat	service_id	service_idq_proto_wechat	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
wechat	WeChat	service	serviceq_proto_wechat	bytes	Current service identification string.
wechat	WeChat	service_duration	service_durationq_proto_wechat	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds
wechat	WeChat	service_duration_tv	service_duration_tvq_proto_wechat	string	structure indicating, when the service is ended, the length of it in second and microseconds.
wechat	WeChat	user_id	user_idq_proto_wechat	bytes	Unique identifier related to a single user. This attribute is available for clear traffic from Mobile applications, it may be not available for traffic from recent web browsers enforcing use of TLS.
whatsapp	WhatsApp Messenger	version	versionq_proto_whatsapp	bytes	Program version.
whatsapp	WhatsApp Messenger	service_id	service_idq_proto_whatsapp	uint32	Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).
whatsapp	WhatsApp Messenger	service	serviceq_proto_whatsapp	bytes	Current service identification string.
whatsapp	WhatsApp Messenger	service_duration_tv	service_duration_tvq_proto_whatsapp	string	Timeval structure indicating, when the service is ended, the length of it in second and microseconds.
whatsapp	WhatsApp Messenger	service_duration	service_durationq_proto_whatsapp	uint32	4 bytes integer value indicating, when the service is ended, the length of it in seconds.
wikipedia	Wikipedia.com	query_text	query_textq_proto_wikipedia	bytes	Query sent to the search engine.
wikipedia