Application Metadata Fields

This table lists the applications supported by the latest release of LogRhythm NetMon. An application can be a website that generates traffic (for example, Google or Gmail) or it can be the underlying protocol of the traffic (for example, IP or TCP).

You can perform in-depth analysis of specific application traffic in the NetMon interface. With this valuable data, you can locate suspicious data transfers, network policy violations, and advanced attacks.

Each entry below gives, one value per line and in this order: Protocol Name, Attribute Name, Full Attribute Name, Attribute Type, Attribute Description.

Internal

session

Session

string

Session UUID.

Internal

srcmac

SrcMAC

uint64

Source MAC address.

Internal

destmac

DestMAC

uint64

Destination MAC address.

Internal

srcip

SrcIP

uint32

Source IP address.

Internal

destip

DestIP

uint32

Destination IP address.

Internal

packetpath

PacketPath

string

Packet path.

Internal

flowsessioncount

FlowSessionCount

uint32

Flow Session Count.

Internal

srcport

SrcPort

uint32

Source Port.

Internal

destport

DestPort

uint32

Destination Port.

Internal

flowcompleted

FlowCompleted

bool

Flow Completed flag.

Internal

delay

Delay

string

Delay.

Internal

protocol

Protocol

uint32

Protocol.

Internal

totalpackets

TotalPackets

uint64

Total packets in the session.

Internal

timestart

TimeStart

uint64

Start time of the flow.

Internal

timeupdated

TimeUpdated

uint64

Time updated.

Internal

destbytes

DestBytes

uint64

Destination bytes.

Internal

srcbytes

SrcBytes

uint64

Source bytes.

Internal

flowtype

FlowType

FlowType

Flow type.

Internal

packetsdelta

PacketsDelta

uint64

Packets delta between update.

Internal

timedelta

TimeDelta

uint64

Time delta between update.

Internal

destbytesdelta

DestBytesDelta

uint64

Destination byte delta between update.

Internal

srcbytesdelta

SrcBytesDelta

uint64

Source byte delta between update.

Internal

customapplication

CustomApplication

bytes

Custom Application.

Internal

flowstate

FlowState

FlowState

Flow State type.

Internal

captured

Captured

bool

Captured flag.

Internal

childflownumber

ChildFlowNumber

uint32

Child Flow number.

Internal

totalbytes

TotalBytes

uint64

Total bytes of the session.

Internal

totalbytesdelta

TotalBytesDelta

uint64

Total bytes delta between update.

Internal

application

Application

string

Application.

Internal

applicationpath

ApplicationPath

string

Application Path.

Internal

duration

Duration

uint64

Duration of the flow.

Internal

messagesize

MessageSize

uint64

Size of the DPI message.

Internal

threadid

ThreadID

uint32

Thread ID.

Internal

fieldcount

FieldCount

uint64

Total fields in DPI message.

Internal

debugmessage

DebugMessage

string

Debug message.

Internal

applicationid

ApplicationID

uint32

Application ID.

Internal

timeprevious

TimePrevious

uint64

Time Previous.

Internal

written

Written

bool

Capture written flag.

Internal

captureremoved

CaptureRemoved

bool

Capture removed flag.

Internal

srcip6

SrcIP6

uint32

Source IP6 address.

Internal

destip6

DestIP6

uint32

Destination IP6 address.

Internal

normalizedsyslogdata

NormalizedSyslogData

string

Normalized Syslog data.

Internal

timeend

TimeEnd

uint64

Time End.

Internal

headerwritten

HeaderWritten

bool

Header written flag.

Internal

connectionestablished

ConnectionEstablished

bool

Connection Established flag.

Internal

maxrepeatedfieldcount

MaxRepeatedFieldCount

uint32

Maximum number of fields indexed by ElasticSearch.

Internal

fieldcountindexed

FieldCountIndexed

uint32

Field count indexed by ElasticSearch.

Internal

emailAttachments

EmailAttachments

EmailAttach

Email attachment structure.

Internal

customfields

CustomFields

CustomField

Custom Fields.

Internal

repeatedfieldcount

RepeatedFieldCount

uint64

Total repeated fields in DPI message.

Internal

flowclassified

FlowClassified

bool

Flow Classified.

Internal

vlanid

VlanID

uint32

VLAN ID.

Internal

httpclientcontent

HttpClientContent

bytes

Http Client Content.

Internal

httpservercontent

HttpServerContent

bytes

Http Server Content.

Internal

replayed

Replayed

bool

Whether the session was replayed via PCAP.

Internal

pcapfilename

PcapFilename

string

Name of the PCAP file the session was replayed from.

Internal

blacklisted

Blacklisted

bool

Whether the session has been blacklisted from further processing and storage.

Internal

applicationtags

ApplicationTags

string

One or more sub-categories of a flow’s application.

Internal

applicationfamily

ApplicationFamily

string

Top level categorization of a flow’s application.

Internal

netmonhostname

NetmonHostname

string

The Network Monitor hostname that processed the flow.

0zz0

login

loginq_proto_0zz0

bytes

User's login string.

0zz0

action

actionq_proto_0zz0

bytes

Indicates the action executed by the user.

0zz0

filename

filenameq_proto_0zz0

bytes

Name of the transferred file.

0zz0

upload_description

upload_descriptionq_proto_0zz0

bytes

Description of the uploaded file.

0zz0

email_address

email_addressq_proto_0zz0

bytes

User's email address.

0zz0

download_url

download_urlq_proto_0zz0

bytes

Link of the downloaded file.

3gpp_li

version

versionq_proto_3gpp_li

uint32

Version

flashplugin_update

new_version

new_versionq_proto_flashplugin_update

bytes

New version number, as returned by Adobe Web Server.

flashplugin_update

current_version

current_versionq_proto_flashplugin_update

bytes

Current flash-plugin version number installed on the client.

adobe_update

component_list_name

component_list_nameq_proto_adobe_update

bytes

Name of a piece of Adobe software we have a new version for.

adobe_update

component_list_desc

component_list_descq_proto_adobe_update

bytes

Short component update description, including version number.

adobe_update

component_list_version

component_list_versionq_proto_adobe_update

bytes

Last component version available.

adobe_update

component_list_url

component_list_urlq_proto_adobe_update

bytes

Component update download link.

adobe_update

update_manager

update_managerq_proto_adobe_update

bytes

Adobe Update Manager version and identifier.

adobe_update

product_name

product_nameq_proto_adobe_update

bytes

User's request for a product update.

adobe_update

action

actionq_proto_adobe_update

bytes

Indicates the action executed by the user.

amqp

major_version

major_versionq_proto_amqp

uint32

Major version of the protocol used by the client.

amqp

minor_version

minor_versionq_proto_amqp

uint32

Minor version of the protocol used by the client.

amqp

response_time

response_timeq_proto_amqp

string

Server response time during the connection procedure.

amqp

exchange_type

exchange_typeq_proto_amqp

bytes

Mode of AMQP exchange.

amqp

routing_key

routing_keyq_proto_amqp

bytes

Virtual address used to route a message.

amqp

correlation_id

correlation_idq_proto_amqp

bytes

Identifier used to correlate the application.

amqp

replyto

replytoq_proto_amqp

bytes

Address of the reply queue.

adc

file_hash

file_hashq_proto_adc

bytes

Hash of the transferred file.

adc

filename

filenameq_proto_adc

bytes

Name of the transferred file.

adc

client_version

client_versionq_proto_adc

bytes

Name and version of the client used by the peer.

adc

query

queryq_proto_adc

bytes

Query sent to find a file.

adc

command_code

command_codeq_proto_adc

bytes

Message action, as extracted from the three letters following the message type.

aim_express

login

loginq_proto_aim_express

bytes

User's login string.

aim_express

message

messageq_proto_aim_express

bytes

Contains the chat message.

aim_express

sender

senderq_proto_aim_express

bytes

Contains the identity of the sender of a chat session or a file transfer.

aim_express

receiver

receiverq_proto_aim_express

bytes

Contains the identity of the receiver for a chat message or a file transfer.

aim_express

chat_id

chat_idq_proto_aim_express

bytes

Window chat id.

aim_express

version

versionq_proto_aim_express

bytes

Client version.

aim_express

contact_login

contact_loginq_proto_aim_express

bytes

Contact login.

aim_express

contact_status

contact_statusq_proto_aim_express

bytes

Contact status.

aim_express

client_status

client_statusq_proto_aim_express

bytes

Status of connected user.

aim_transfer

filename

filenameq_proto_aim_transfer

bytes

Name of the transferred file.

aim_transfer

filename_encoding

filename_encodingq_proto_aim_transfer

bytes

Encoding of the transferred file name.

aim_transfer

filesize

filesizeq_proto_aim_transfer

uint32

Size (in bytes) of the transferred file.

aim

login

loginq_proto_aim

bytes

User's login string.

aim

channel

channelq_proto_aim

bytes

Chat room name.

aim

message

messageq_proto_aim

bytes

Contains the chat message.

aim

sender

senderq_proto_aim

bytes

Contains the identity of the sender of a chat session or a file transfer.

aim

receiver

receiverq_proto_aim

bytes

Contains the identity of the receiver for a chat message or a file transfer.

aim

user_email

user_emailq_proto_aim

bytes

Email address of an AIM user.

aim

user_agent

user_agentq_proto_aim

bytes

Name of the software used.

aim

client_status

client_statusq_proto_aim

bytes

Status of connected user.

aim

service

serviceq_proto_aim

bytes

Current service identification string.

aim

filename

filenameq_proto_aim

bytes

Name of the transferred file.

aim

filename_encoding

filename_encodingq_proto_aim

bytes

Encoding of the transferred file name.

aim

filesize

filesizeq_proto_aim

uint32

Size (in bytes) of the transferred file.

aim

version

versionq_proto_aim

bytes

AIM software version.

aim

file_sender

file_senderq_proto_aim

bytes

Contains the identity of the sender of a file transfer.

aim

file_receiver

file_receiverq_proto_aim

bytes

Contains the identity of the receiver for a file transfer.

aim

contact_login

contact_loginq_proto_aim

bytes

Contact login.

aim

contact_status

contact_statusq_proto_aim

bytes

Contact status.

aim

icon_buddy

icon_buddyq_proto_aim

bytes

The contact whose icon was downloaded.

aim

internal_ip_address

internal_ip_addressq_proto_aim

string

Internal IP address of the contact.

aim

external_ip_address

external_ip_addressq_proto_aim

string

External IP address of the contact.

aim

message_raw

message_rawq_proto_aim

bytes

Message raw value.

appstore

device_type

device_typeq_proto_appstore

bytes

Target device (iPhone, iPod, ...).

appstore

application_name

application_nameq_proto_appstore

bytes

Name of the downloaded app.

facetime

service_duration

service_durationq_proto_facetime

uint32

4-byte integer value indicating, when the service has ended, its duration in seconds.

facetime

service_id

service_idq_proto_facetime

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

facetime

service

serviceq_proto_facetime

bytes

Current service identification string.

facetime

service_duration_tv

service_duration_tvq_proto_facetime

string

Timeval structure indicating, when the service has ended, its length in seconds and microseconds.

facetime

service_stats

service_statsq_proto_facetime

bytes

Composite attribute containing the packet metrics used for each new service type detection, extracted only when performing the STATISTICAL detection method. Note: this attribute won't be extracted in case of session expiration (e.g., when the current service is not ended properly by the user).

afp

filename

filenameq_proto_afp

bytes

Name of the transferred file.

afp

file_chunk_len

file_chunk_lenq_proto_afp

uint64

Size of the transferred piece.

afp

file_chunk_data_offset

file_chunk_data_offsetq_proto_afp

uint64

Offset of the transferred data.

apple_update

pkg_name

pkg_nameq_proto_apple_update

bytes

pkg_name (package name) is the name of the software being updated.

archive

login

loginq_proto_archive

bytes

User's login string.

archive

query_text

query_textq_proto_archive

bytes

Query sent to the search engine.

archive

action

actionq_proto_archive

bytes

Indicates the action executed by the user.

archive

filename

filenameq_proto_archive

bytes

Name of the transferred file.

archive

subject

subjectq_proto_archive

bytes

File subject.

ares

nickname

nicknameq_proto_ares

bytes

Contains the user identity of the Ares connection.

ares

query

queryq_proto_ares

bytes

Query sent to find a file.

ares

file_hash

file_hashq_proto_ares

bytes

Hash of the transferred file.

ares

peer_info

peer_infoq_proto_ares

uint32

Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.

badongo

login

loginq_proto_badongo

bytes

User's login string.

badongo

action

actionq_proto_badongo

bytes

Indicates the action executed by the user.

badongo

filename

filenameq_proto_badongo

bytes

Name of the transferred file.

badongo

upload_description

upload_descriptionq_proto_badongo

bytes

Description of the uploaded file.

badoo

login

loginq_proto_badoo

bytes

User's login string.

badoo

sender

senderq_proto_badoo

bytes

Contains the identity of the sender of a chat session or a file transfer.

badoo

receiver

receiverq_proto_badoo

bytes

Contains the identity of the receiver for a chat message or a file transfer.

badoo

message

messageq_proto_badoo

bytes

Contains the chat message.

badoo

contact_login

contact_loginq_proto_badoo

bytes

Contact login.

baidu

query_text

query_textq_proto_baidu

bytes

Query sent to the search engine.

baidu

query_raw

query_rawq_proto_baidu

bytes

Contains the query sent to the search engine as indicated in the URL.

bebo

login

loginq_proto_bebo

bytes

User's login string.

bing

query_raw

query_rawq_proto_bing

bytes

Contains the query sent to the search engine as indicated in the URL.

bing

query_text

query_textq_proto_bing

bytes

Query sent to the search engine.

bittorrent

tracker

trackerq_proto_bittorrent

bytes

BitTorrent tracker URL.

bittorrent

user_agent

user_agentq_proto_bittorrent

bytes

Name of the software used.

bittorrent

client_version

client_versionq_proto_bittorrent

bytes

Version of the software.

bittorrent

canceled_chunk_number

canceled_chunk_numberq_proto_bittorrent

uint32

Number of the canceled piece.

bittorrent

canceled_chunk_length

canceled_chunk_lengthq_proto_bittorrent

uint32

Size of the canceled piece.

bittorrent

canceled_chunk_data_offset

canceled_chunk_data_offsetq_proto_bittorrent

uint32

Offset of the canceled data.

bittorrent

file_chunk_number

file_chunk_numberq_proto_bittorrent

uint32

Number of the transferred piece.

bittorrent

file_chunk_len

file_chunk_lenq_proto_bittorrent

uint32

Size of the transferred piece.

bittorrent

file_chunk_data_offset

file_chunk_data_offsetq_proto_bittorrent

uint32

Offset of the transferred data.

bittorrent

torrent_filename

torrent_filenameq_proto_bittorrent

bytes

Name of the torrent file.

bittorrent

piece_length

piece_lengthq_proto_bittorrent

uint32

Chunk size, for the specified file.

bittorrent

filename

filenameq_proto_bittorrent

bytes

Name of the transferred file.

bittorrent

filesize

filesizeq_proto_bittorrent

uint32

Size (in bytes) of the transferred file.

bittorrent

peer_share_ip

peer_share_ipq_proto_bittorrent

string

IP address used by a peer to share his files.

bittorrent

peer_share_id

peer_share_idq_proto_bittorrent

bytes

ID used by a peer to share his files.

bittorrent

file_completed

file_completedq_proto_bittorrent

bytes

Completed file.

bittorrent

file_downloaded

file_downloadedq_proto_bittorrent

bytes

Downloaded file.

bittorrent

file_incomplete

file_incompleteq_proto_bittorrent

bytes

Incomplete file.

bittorrent

file_left

file_leftq_proto_bittorrent

bytes

Left file.

bittorrent

file_uploaded

file_uploadedq_proto_bittorrent

bytes

Uploaded file.

bittorrent

classification_type

classification_typeq_proto_bittorrent

bytes

How the protocol has been classified. Always returns "Deterministic" if the port list has not been set.

bittorrent

peer_info

peer_infoq_proto_bittorrent

uint32

Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.

bgp

identifier

identifierq_proto_bgp

string

BGP Identifier of the sender

bgp

path_attr_value_local_pref

path_attr_value_local_prefq_proto_bgp

uint32

Local preference value

bgp

path_attr_value_as_num

path_attr_value_as_numq_proto_bgp

uint32

AS number

bgp

path_attr_value_next_hop_ip

path_attr_value_next_hop_ipq_proto_bgp

string

IP address of the next hop

bgp

withdrawn_prefix

withdrawn_prefixq_proto_bgp

string

Contains IP address prefixes

bgp

nlri_prefix

nlri_prefixq_proto_bgp

string

Contains IP address prefixes

bssap

timestamp

timestampq_proto_bssap

string

Message timestamp

bssap

validity_period

validity_periodq_proto_bssap

bytes

Validity period for the message

bssap

imsi_receiver

imsi_receiverq_proto_bssap

bytes

International Mobile Subscriber Identity of the receiver

bssap

imei_receiver

imei_receiverq_proto_bssap

bytes

International Mobile Equipment Identity of the receiver

bssap

msisdn_receiver

msisdn_receiverq_proto_bssap

bytes

Mobile Subscriber Integrated Services Digital Network Number of the receiver

bssap

imsi_sender

imsi_senderq_proto_bssap

bytes

International Mobile Subscriber Identity of the sender

bssap

imei_sender

imei_senderq_proto_bssap

bytes

International Mobile Equipment Identity of the sender

bssap

msisdn_sender

msisdn_senderq_proto_bssap

bytes

Mobile Subscriber Integrated Services Digital Network Number of the sender

chap

challenge_name

challenge_nameq_proto_chap

bytes

Hostname of the peer initiating the authentication process.

chap

response_name

response_nameq_proto_chap

bytes

Hostname of the peer responding to challenge.

chap

message_type

message_typeq_proto_chap

bytes

Type of message sent.

chrome_update

new_version

new_versionq_proto_chrome_update

bytes

New version number returned by the server.

chrome_update

current_version

current_versionq_proto_chrome_update

bytes

Current version installed on the host.

chrome_update

plugin_id

plugin_idq_proto_chrome_update

bytes

Plugin Id for the updated plugin.

chrome_update

plugin_new_version

plugin_new_versionq_proto_chrome_update

bytes

New version number returned by the server for the plugin.

chrome_update

plugin_current_version

plugin_current_versionq_proto_chrome_update

bytes

Plugin version number currently installed.

cip

vendor_id

vendor_idq_proto_cip

uint32

Value identifying the Vendor.

cip

ekey_vendor_id

ekey_vendor_idq_proto_cip

uint32

Value identifying the Vendor in the Electronic Key.

cip

ekey_device_type

ekey_device_typeq_proto_cip

uint32

Value indicating the device Type in the Electronic Key.

cip

request_path_size

request_path_sizeq_proto_cip

uint32

The number of 16 bit words in the Request_Path field.

cip

attr_vendor_id

attr_vendor_idq_proto_cip

uint32

The vendor ID is a unique number assigned to the various vendors of products.

cip

attr_device_type

attr_device_typeq_proto_cip

uint32

Identifies the device profile that a particular product is using.

cip

attr_product_code

attr_product_codeq_proto_cip

uint32

Identifies a particular product within a device type of an individual vendor.

cip

attr_status

attr_statusq_proto_cip

uint32

Represents the current status of the entire device.

cip

attr_serial_number

attr_serial_numberq_proto_cip

uint32

Number used in conjunction with the Vendor ID to form a unique identifier for each device on any CIP network.

cip

attr_product_name

attr_product_nameq_proto_cip

bytes

Short description of the product/product family represented by the product code. The same product code may have a variety of product names.

cip

number_of_services

number_of_servicesq_proto_cip

uint32

Returns the number of services contained within the CIP message (request and reply).

cip

attr_ccv

attr_ccvq_proto_cip

uint32

Value modified each time any nonvolatile attribute is altered. It can be a CRC or a counter, for instance. The presence of this attribute among the identity attributes is optional.

cip

path_logical_seg_class_value

path_logical_seg_class_valueq_proto_cip

uint32

Defines Class type of the logical segment (lower byte first).

cups

printer

printerq_proto_cups

bytes

URI addressing the CUPS printer.

cups

location

locationq_proto_cups

bytes

Location of the Printer.

cups

information

informationq_proto_cups

bytes

Information on Printer.

cups

model

modelq_proto_cups

bytes

Printer model.

pronto

msg_id

msg_idq_proto_pronto

bytes

Identifier of the message.

pronto

msglist_receiver

msglist_receiverq_proto_pronto

bytes

Full address of email receiver in a message list.

pronto

msglist_receiver_email

msglist_receiver_emailq_proto_pronto

bytes

Email address of the email receiver.

pronto

msglist_receiver_alias

msglist_receiver_aliasq_proto_pronto

bytes

Name of email receiver.

pronto

client_status

client_statusq_proto_pronto

bytes

Status of connected user.

pronto

message

messageq_proto_pronto

bytes

Contains the chat message.

pronto

importance

importanceq_proto_pronto

uint32

Indicates if the email has been marked by the user.

pronto

date

dateq_proto_pronto

bytes

Message sending date. Can be extracted in different formats depending on the platform (RFC1123 pattern on mobile platform, ISO format for Windows application and webmail).

pronto

sender_email

sender_emailq_proto_pronto

bytes

Email address of the email sender.

pronto

sender_alias

sender_aliasq_proto_pronto

bytes

Name of the email sender.

pronto

msglist_date

msglist_dateq_proto_pronto

bytes

Message date in a message list. Can be extracted in different formats depending on the platform.

pronto

msglist_subject

msglist_subjectq_proto_pronto

bytes

Message subject in a message list.

pronto

msglist_sender

msglist_senderq_proto_pronto

bytes

Full address of email sender (alias followed by email address).

pronto

draft

draftq_proto_pronto

uint32

Indicates if the email is a draft or has really been posted

pronto

attach_id

attach_idq_proto_pronto

bytes

Attachment identifier.

pronto

session_id

session_idq_proto_pronto

bytes

Uniquely identifies the current user session.

pronto

codec_name

codec_nameq_proto_pronto

bytes

Name of the codec.

pronto

codec_id

codec_idq_proto_pronto

uint32

Number identifying the codec.

pronto

media_port

media_portq_proto_pronto

uint32

The mentioned UDP port number to be used.

pronto

media_address

media_addressq_proto_pronto

string

The mentioned IPv4 address to be used.

pronto

media_proto

media_protoq_proto_pronto

bytes

Protocol used in client stream.

pronto

media_type

media_typeq_proto_pronto

bytes

Contains the media type.

pronto

caller

callerq_proto_pronto

bytes

Contains the identity (or the phone number) of the initiator of the call.

pronto

callee

calleeq_proto_pronto

bytes

Contains the identity (or the phone number) of the called party for a call.

pronto

call_id

call_idq_proto_pronto

bytes

Call id, extracted for each call.

pronto

version

versionq_proto_pronto

bytes

Server version number.

pronto

msglist_folder

msglist_folderq_proto_pronto

bytes

Indicates the directory from a message list.

pronto

chat_attach_url

chat_attach_urlq_proto_pronto

bytes

TODO

pronto

chat_attach

chat_attachq_proto_pronto

bytes

TODO

pronto

chat_date

chat_dateq_proto_pronto

bytes

Message sending date in ISO format.

pronto

chat_receiver

chat_receiverq_proto_pronto

bytes

Contains the identity of the receiver for a chat message.

pronto

chat_sender

chat_senderq_proto_pronto

bytes

Contains the identity of the sender of a chat message.

pronto

folder

folderq_proto_pronto

bytes

Indicates the directory from where messages are read.

pronto

attach_type

attach_typeq_proto_pronto

bytes

Content type of the sent attached file.

pronto

attach_filename

attach_filenameq_proto_pronto

bytes

Attachment name.

pronto

subject

subjectq_proto_pronto

bytes

Message subject.

pronto

sender

senderq_proto_pronto

bytes

Contains the identity of the sender of a chat session or a file transfer.

pronto

receiver_type

receiver_typeq_proto_pronto

bytes

Type of the email receiver.

pronto

receiver_email

receiver_emailq_proto_pronto

bytes

Email address of message receiver (including cc and bcc receivers).

pronto

receiver_alias

receiver_aliasq_proto_pronto

bytes

Name of email receiver (including cc and bcc receivers).

pronto

receiver

receiverq_proto_pronto

bytes

Full address of email receiver (including cc and bcc receivers).

capwap

bssid

bssidq_proto_capwap

string

EUI-48 MAC address of the radio receiving the packet.

capwap

bssid_64

bssid_64q_proto_capwap

uint64

EUI-64 MAC address of the radio receiving the packet.

dailymotion

login

loginq_proto_dailymotion

bytes

User's login string.

dailymotion

email

emailq_proto_dailymotion

bytes

Parent entry, for fields belonging to the same email.

dailymotion

query_text

query_textq_proto_dailymotion

bytes

Query sent to the search engine.

dailymotion

query_raw

query_rawq_proto_dailymotion

bytes

Contains the query sent to the search engine as indicated in the URL.

dtls

server_name

server_nameq_proto_dtls

bytes

Domain name mentioned in Client Hello message.

dtls

common_name

common_nameq_proto_dtls

bytes

Domain name mentioned in the certificate.

dtls

subject_alt_name

subject_alt_nameq_proto_dtls

bytes

Identifies a list of host names which belong to the same certificate.

dtls

certificate_issuer_cn

certificate_issuer_cnq_proto_dtls

bytes

Common name of the subject formatted according to RFC 1779.

debian_update

package_version

package_versionq_proto_debian_update

bytes

Repository packet version.

debian_update

package_name

package_nameq_proto_debian_update

bytes

Debian packet name.

diameter

framed_ip

framed_ipq_proto_diameter

bytes

IP address.

diameter

acct_record_number

acct_record_numberq_proto_diameter

uint32

Unique identifier for one record within a session

diameter

acct_record_type

acct_record_typeq_proto_diameter

uint32

Record type

diameter

acct_output_octets

acct_output_octetsq_proto_diameter

uint64

Indicates how many octets have been sent to the port in the course of delivering this service

diameter

acct_input_octets

acct_input_octetsq_proto_diameter

uint64

Indicates how many octets have been received from the port over the course of this service being provided

diameter

acct_sub_session_id

acct_sub_session_idq_proto_diameter

uint64

Sub-session identifier

diameter

acct_multi_session_id

acct_multi_session_idq_proto_diameter

bytes

Link between multiple accounting sessions

diameter

acct_session_id

acct_session_idq_proto_diameter

bytes

Accounting session ID.

diameter

terminate_cause

terminate_causeq_proto_diameter

uint32

This attribute indicates how the session was terminated

diameter

destination_host

destination_hostq_proto_diameter

bytes

Destination Diameter host for the current message

diameter

auth_request_type

auth_request_typeq_proto_diameter

uint32

Requested authentication type

diameter

result_code

result_codeq_proto_diameter

uint32

Indicates whether a particular Diameter request was completed successfully or not

diameter

origin_host

origin_hostq_proto_diameter

bytes

Source Diameter host for the current message

diameter

session_id

session_idq_proto_diameter

bytes

Uniquely identifies the current user session.

diameter

calling_station_id

calling_station_idq_proto_diameter

bytes

Client id.

diameter

called_station_id

called_station_idq_proto_diameter

bytes

The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology.

diameter

nas_port

nas_portq_proto_diameter

uint32

Physical port number of the user on the NAS

diameter

nas_port_type

nas_port_typeq_proto_diameter

uint32

Indicates the type of the physical port of the NAS that is authenticating the user.

diameter

nas_port_id

nas_port_idq_proto_diameter

bytes

Indicates the physical port number of the NAS that is authenticating the user.

diameter

nas_ip

nas_ipq_proto_diameter

bytes

IP address of the NAS originating the Access-Request

diameter

nas_id

nas_idq_proto_diameter

bytes

Unique identifier of the NAS originating the Access-Request

diameter

login

loginq_proto_diameter

bytes

User's login string.

diameter

end_to_end_id

end_to_end_idq_proto_diameter

uint32

Used to detect duplicate messages

diameter

hop_by_hop_id

hop_by_hop_idq_proto_diameter

uint32

Used to match Diameter request and reply messages

diameter

application_id

application_idq_proto_diameter

uint32

Identify which application the message is applicable for

diameter

command_code

command_codeq_proto_diameter

uint32

Command associated with the Diameter request

diameter

processing_anomaly_attr

processing_anomaly_attrq_proto_diameter

uint32

Gives an attribute ID, or an attribute structure (parent attribute ID), not extracted because of the anomaly.

diameter

processing_anomaly_type

processing_anomaly_typeq_proto_diameter

bytes

Defines the category of the anomaly.

diameter

avp_code

avp_codeq_proto_diameter

uint32

AVP code (cf. IANA).

dicom

pdu_data_pdv_len

pdu_data_pdv_lenq_proto_dicom

uint32

Length of data contained in a PDV.

dicom

pdu_data_pdv_elem_tag_gn

pdu_data_pdv_elem_tag_gnq_proto_dicom

uint32

The Tag of an Element describes the nature of data. This attribute is the Group Number part of the tag, basically first 16 bits, see section 7.1.1 Data Element Fields in part dicom_vr_part05.pdf.

dicom

pdu_data_pdv_elem_tag_en

pdu_data_pdv_elem_tag_enq_proto_dicom

uint32

The Tag of an Element describes the nature of data. This attribute is the Element Number part of the tag, basically second 16 bits, see section 7.1.1 Data Element Fields in part dicom_vr_part05.pdf.

dicom

pdu_data_pdv_elem_tag_raw

pdu_data_pdv_elem_tag_rawq_proto_dicom

uint32

The Tag of an Element describes the nature of data. This attribute is the raw value of the TAG including the Group Number and Element Number.

dicom

pdu_data_pdv_elem_keyword

pdu_data_pdv_elem_keywordq_proto_dicom

bytes

Translation of the Tag in human readable format as described in dicom_pdv_part07.pdf.

dicom

pdu_data_pdv_elem_vr

pdu_data_pdv_elem_vrq_proto_dicom

bytes

VR (Value Representation) of the Element.

dicom

pdu_data_pdv_elem_len

pdu_data_pdv_elem_lenq_proto_dicom

uint32

Length of the Element

dicom

pdu_data_pdv_elem_val_ae

pdu_data_pdv_elem_val_aeq_proto_dicom

bytes

Value Representation for Application Entity (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_as

pdu_data_pdv_elem_val_asq_proto_dicom

bytes

Value Representation for Age String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_cs

pdu_data_pdv_elem_val_csq_proto_dicom

bytes

Value Representation for Code String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_da

pdu_data_pdv_elem_val_daq_proto_dicom

bytes

Value Representation for Date (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_ds

pdu_data_pdv_elem_val_dsq_proto_dicom

bytes

Value Representation for Decimal String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_dt

pdu_data_pdv_elem_val_dtq_proto_dicom

bytes

Value Representation for Date Time (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_is

pdu_data_pdv_elem_val_isq_proto_dicom

bytes

Value Representation for Integer String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_lo

pdu_data_pdv_elem_val_loq_proto_dicom

bytes

Value Representation for Long String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_lt

pdu_data_pdv_elem_val_ltq_proto_dicom

bytes

Value Representation for Long Text (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_pn

pdu_data_pdv_elem_val_pnq_proto_dicom

bytes

Value Representation for Person Name (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_sh

pdu_data_pdv_elem_val_shq_proto_dicom

bytes

Value Representation for Short String (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_ss

pdu_data_pdv_elem_val_ssq_proto_dicom

uint32

Value Representation for Signed Short (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as signed short.

dicom

pdu_data_pdv_elem_val_st

pdu_data_pdv_elem_val_stq_proto_dicom

bytes

Value Representation for Short Text (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_tm

pdu_data_pdv_elem_val_tmq_proto_dicom

bytes

Value Representation for Time (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_uc

pdu_data_pdv_elem_val_ucq_proto_dicom

bytes

Value Representation for Unlimited Characters (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_ui

pdu_data_pdv_elem_val_uiq_proto_dicom

bytes

Value Representation for Unique Identifier (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_ul

pdu_data_pdv_elem_val_ulq_proto_dicom

uint32

Value Representation for Unsigned Long (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as unsigned long.

dicom

pdu_data_pdv_elem_val_ur

pdu_data_pdv_elem_val_urq_proto_dicom

bytes

Value Representation for Universal Resource (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

dicom

pdu_data_pdv_elem_val_us

pdu_data_pdv_elem_val_usq_proto_dicom

uint32

Value Representation for Unsigned Short (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as unsigned short.

dicom

pdu_data_pdv_elem_val_ut

pdu_data_pdv_elem_val_utq_proto_dicom

bytes

Value Representation for Unlimited Text (dicom_vr_part05.pdf). Attribute with this VR is expected to be displayed as string.

directconnect

login

loginq_proto_directconnect

bytes

User's login string.

directconnect

query

queryq_proto_directconnect

bytes

Query sent to find a file.

directconnect

query_way

query_wayq_proto_directconnect

bytes

Way of the query.

directconnect

sr_filename

sr_filenameq_proto_directconnect

bytes

The name of a file returned by a search query.

directconnect

sr_filesize

sr_filesizeq_proto_directconnect

bytes

The size of a file returned by a search query.

directconnect

sr_filehash

sr_filehashq_proto_directconnect

bytes

The hash of a file returned by a search query.

directconnect

file_hash

file_hashq_proto_directconnect

bytes

Hash of the transferred file.

directconnect

file_is_compressed

file_is_compressedq_proto_directconnect

uint32

Tells whether a file is compressed or not.

directconnect

file_compression_type

file_compression_typeq_proto_directconnect

bytes

Tells the compression type.

directconnect

file_chunk_data_offset

file_chunk_data_offsetq_proto_directconnect

uint32

Offset of the transferred data.

directconnect

file_chunk_len

file_chunk_lenq_proto_directconnect

uint32

Size of the transferred piece.

directconnect

peer_info

peer_infoq_proto_directconnect

uint32

Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.

dcerpc

service

serviceq_proto_dcerpc

bytes

Current service identification string.

dcerpc

interface_uuid

interface_uuidq_proto_dcerpc

bytes

ID of the interface.

dcerpc

call_id

call_idq_proto_dcerpc

uint32

ID of the call.

dcerpc

ntlm_domain

ntlm_domainq_proto_dcerpc

bytes

"Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

dcerpc

ntlm_user

ntlm_userq_proto_dcerpc

bytes

"User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

dcerpc

ntlm_workstation

ntlm_workstationq_proto_dcerpc

bytes

"Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

dcerpc

ntlm_identifier

ntlm_identifierq_proto_dcerpc

bytes

NTLM protocol Signature (null-terminated string).

dcerpc

ntlm_message_type

ntlm_message_typeq_proto_dcerpc

uint32

NTLM message type.

dcerpc

length

lengthq_proto_dcerpc

uint32

Packet length (only when over UDP).

dcerpc

orpc_address_string_binding_tower_id

orpc_address_string_binding_tower_idq_proto_dcerpc

uint32

A numeric value that uniquely identifies an RPC transport protocol.

dcerpc

orpc_major_version

orpc_major_versionq_proto_dcerpc

uint32

DCOM Remote Protocol major version.

dcerpc

orpc_minor_version

orpc_minor_versionq_proto_dcerpc

uint32

DCOM Remote Protocol minor version.

dcerpc

orpc_stdobjref_oxid

orpc_stdobjref_oxidq_proto_dcerpc

uint64

Object exporter identifier (OXID): A 64-bit number that uniquely identifies an object exporter within an object server provided by a STANDARD OBJREF (STDOBJREF). This attribute is only extracted for these <UUID, opnum> couples: <00000143-0000-0000-c000-000000000046, 3>, <000001a0-0000-0000-c000-000000000046, 4>.

dcerpc

orpc_stdobjref_oid

orpc_stdobjref_oidq_proto_dcerpc

uint64

A 64-bit number that uniquely identifies an object server provided by a STANDARD OBJREF (STDOBJREF). This attribute is only extracted for these <UUID, opnum> couples: <00000143-0000-0000-c000-000000000046, 3>, <000001a0-0000-0000-c000-000000000046, 4>.

dcerpc

orpc_stdobjref_ipid

orpc_stdobjref_ipidq_proto_dcerpc

bytes

A 128-bit number that uniquely identifies an interface on an object within an object exporter, provided by a STANDARD OBJREF (STDOBJREF). This attribute is only extracted for these <UUID, opnum> couples: <00000143-0000-0000-c000-000000000046, 3>, <000001a0-0000-0000-c000-000000000046, 4>.

dcerpc

orpc_objref_custom_clsid

orpc_objref_custom_clsidq_proto_dcerpc

bytes

The CLSID type specifies a CLSID for a GUID that identifies an object class. This attribute is extracted from an OBJREF_CUSTOM.

dcerpc

orpc_objref_iid

orpc_objref_iidq_proto_dcerpc

bytes

A 64-bit attribute which specifies the IID of the COM interface pointed to by an interface pointer.

dcerpc

orpc_cid

orpc_cidq_proto_dcerpc

bytes

A UUID that is passed as part of an ORPC call to identify a chain of calls that are causally related.

dcerpc

orpc_objref_custom_act_prop_in_info_obj_clsid

orpc_objref_custom_act_prop_in_info_obj_clsidq_proto_dcerpc

bytes

Class ID (UUID) of the remotely instantiated object by the client in string format.

dcerpc

orpc_objref_custom_act_prop_in_info_itf_count

orpc_objref_custom_act_prop_in_info_itf_countq_proto_dcerpc

uint32

Number of interface UUIDs listed to access the instantiated object.

dcerpc

orpc_objref_custom_act_prop_in_info_itf_id

orpc_objref_custom_act_prop_in_info_itf_idq_proto_dcerpc

bytes

Interface UUID of an instantiated object in string format.

dcerpc

item_context_id

item_context_idq_proto_dcerpc

uint32

Index of the current context item

dcerpc

abstract_itf_uuid

abstract_itf_uuidq_proto_dcerpc

bytes

Interface UUID identifying the RPC interface to call.

dcerpc

abstract_itf_version

abstract_itf_versionq_proto_dcerpc

uint32

Version number of interface to call. It is defined on 32 bits.

dcerpc

transfer_itf_uuid

transfer_itf_uuidq_proto_dcerpc

bytes

Interface UUID identifying the RPC interface from which to get the reply.

dcerpc

transfer_itf_version

transfer_itf_versionq_proto_dcerpc

uint32

Version number of interface to get reply. It is defined on 32 bits.

dcerpc

result_ack_result

result_ack_resultq_proto_dcerpc

uint32

Negotiation result of the given presentation transfer syntax (0 stands for Acceptance).

dcerpc

result_ack_reason

result_ack_reasonq_proto_dcerpc

uint32

Reason detailing non acceptance of the given transfer syntax, usually set to 0 when transfer syntax is accepted (Q_DCERPC_RESULT_ACK == 0)

dcerpc

result_transfer_syntax_uuid

result_transfer_syntax_uuidq_proto_dcerpc

bytes

UUID of selected transfer syntax, 0 stands for transfer syntax is not selected.

dcerpc

result_transfer_syntax_version

result_transfer_syntax_versionq_proto_dcerpc

uint32

Version of selected transfer syntax, usually also set to 0 when UUID is 0.

dcerpc

orpc_address_security_binding_sec_provider

orpc_address_security_binding_sec_providerq_proto_dcerpc

uint32

Defines type of security provider, known values defined at 'https://docs.microsoft.com/en-us/windows/desktop/com/com-authentication-service-constants', 'https://msdn.microsoft.com/en-us/library/cc243578.aspx'.

dcerpc

orpc_address_security_binding_princ_name

orpc_address_security_binding_princ_nameq_proto_dcerpc

bytes

Defines the service name used by the client for authentication. This attribute is a null-terminated Unicode string and it is optional. This field is not present if the security provider is RPC_C_AUTHN_NONE (see https://msdn.microsoft.com/en-us/library/cc226839.aspx).

dcerpc

ac_item_context_id

ac_item_context_idq_proto_dcerpc

uint32

Index of the current context item.

dcerpc

ac_abstract_itf_uuid

ac_abstract_itf_uuidq_proto_dcerpc

bytes

Interface UUID identifying the RPC interface to call.

dcerpc

ac_abstract_itf_version

ac_abstract_itf_versionq_proto_dcerpc

uint32

Version number of interface to call. It is defined on 32 bits.

dcerpc

ac_transfer_itf_uuid

ac_transfer_itf_uuidq_proto_dcerpc

bytes

Interface UUID identifying the RPC interface from which to get the reply.

dcerpc

ac_transfer_itf_version

ac_transfer_itf_versionq_proto_dcerpc

uint32

Version number of interface to get reply.

dcerpc

ac_result_ack_result

ac_result_ack_resultq_proto_dcerpc

uint32

Negotiation result of the given presentation transfer syntax (0x00 stands for Acceptance, 0x03 is specific to Microsoft implementation of DCERPC).

dcerpc

ac_result_ack_reason

ac_result_ack_reasonq_proto_dcerpc

uint32

Reason detailing non acceptance of the given transfer syntax, usually set to 0 when transfer syntax is accepted (Q_DCERPC_RESULT_ACK == 0). This attribute is not raised if Q_DCERPC_RESULT_ACK does not match either 0, 1, 2.

dcerpc

ac_result_transfer_syntax_uuid

ac_result_transfer_syntax_uuidq_proto_dcerpc

bytes

UUID of selected transfer syntax, 0 stands for transfer syntax is not selected.

dcerpc

ac_result_transfer_syntax_version

ac_result_transfer_syntax_versionq_proto_dcerpc

uint32

Version of selected transfer syntax, usually also set to 0 when UUID is 0.

dcerpc

rtt_tv

rtt_tvq_proto_dcerpc

string

Time between request and response expressed in a timeval.

dcerpc

secondary_addr

secondary_addrq_proto_dcerpc

bytes

Secondary address is an alternative for subsequent transport connection requests to establish a concurrent session to the server.

dnp3

dl_start_sync

dl_start_syncq_proto_dnp3

uint32

Header start magic field.

dnp3

dl_dest

dl_destq_proto_dnp3

uint32

Destination address of the frame.

dnp3

dl_src

dl_srcq_proto_dnp3

uint32

Source address of the frame.

dnp3

dl_crc

dl_crcq_proto_dnp3

uint32

CRC Checksum field.

dnp3

al_obj_type_field

al_obj_type_fieldq_proto_dnp3

uint32

First object type in the application layer control field. Only the first object is handled. This attribute is not raised in case of fragmented DNP3 application data.

dns

query

queryq_proto_dns

bytes

DNS Query sent.

dns

qdcount

qdcountq_proto_dns

uint32

Number of queries.

dns

ancount

ancountq_proto_dns

uint32

Number of answers.

dns

nscount

nscountq_proto_dns

uint32

Number of answers in the 'authority' section.

dns

arcount

arcountq_proto_dns

uint32

Number of additional answers.

dns

transaction_id

transaction_idq_proto_dns

uint32

DNS unique transaction ID.

dns

name

nameq_proto_dns

bytes

Name of the request

dns

host

hostq_proto_dns

bytes

Host name

dns

host_addr

host_addrq_proto_dns

string

IPv4 host address.

dns

reverse_addr

reverse_addrq_proto_dns

string

IP address returned to the PTR request.

dns

response_time

response_timeq_proto_dns

string

Elapsed time between sending of the dns request and reception of its response.

dns

ttl

ttlq_proto_dns

uint32

Time (in seconds) that DNS information returned by the server will be kept in cache.

dns

section_type

section_typeq_proto_dns

bytes

Type of section for each DNS answer.

dns

flags

flagsq_proto_dns

uint32

16-bit representation of some DNS header flags. These fields are described in RFC 1035 section 4.1.1 "Header section format" and are the following: QA, Opcode, AA, TC, RD, RA, Z, RCODE.

dns

dns_query

dns_queryq_proto_dns

bool

DNS query.

dns

opcode

opcodeq_proto_dns

uint32

A four-bit field that specifies the kind of query in this message. This value is set by the originator of a query and copied into the response.

dns

class

classq_proto_dns

uint32

DNS query class

dns

host_class

host_classq_proto_dns

uint32

DNS response class

dns

web_application_info

web_application_infoq_proto_dns

uint32

Structure containing metadata for classification of known HTTP/HTTPS based web applications. These metadata are based on Type A (IPv4) DNS responses returned from the server. The ul3l4_addr_t structure contains the web application protocol path, classified using the requested host name, and the IPv4 address resolved by the server. The extraction of this attribute can be produced on DNS requests instead of being produced on DNS responses, if the prototune query_base_web_application_info is set to 1. In this case the IPv4 address information is not relevant.

dns

krb5_message_type

krb5_message_typeq_proto_dns

uint32

Message type.

dns

krb5_service

krb5_serviceq_proto_dns

bytes

Service type.

dns

krb5_server

krb5_serverq_proto_dns

bytes

Name of the server requiring Kerberos authentication.

dns

krb5_enc_data_type

krb5_enc_data_typeq_proto_dns

uint32

Indicates type of Encrypted data (hash) sent in the AS-RQ message.

dns

krb5_pa_data_type

krb5_pa_data_typeq_proto_dns

uint32

PA-DATA type.

dns

krb5_ticket_name_type

krb5_ticket_name_typeq_proto_dns

uint32

Ticket name-type.

dns

krb5_ticket_name

krb5_ticket_nameq_proto_dns

bytes

Ticket name component.

dns

krb5_realm

krb5_realmq_proto_dns

bytes

Realm in KRB-ERROR message.

dns

krb5_err_crealm

krb5_err_crealmq_proto_dns

bytes

Realm in KRB-ERROR message.

dns

krb5_err_realm

krb5_err_realmq_proto_dns

bytes

Correct realm in KRB-ERROR message.

dns

krb5_err_cname_type

krb5_err_cname_typeq_proto_dns

uint32

KRB-ERROR cname type.

dns

krb5_err_cname_name

krb5_err_cname_nameq_proto_dns

bytes

KRB-ERROR message cname component.

dns

krb5_err_sname_type

krb5_err_sname_typeq_proto_dns

uint32

KRB-ERROR message server sname type.

dns

krb5_err_sname_name

krb5_err_sname_nameq_proto_dns

bytes

KRB-ERROR message server sname component.

dns

krb5_err_text

krb5_err_textq_proto_dns

bytes

KRB-ERROR message error description.

dns

dnssec_rrsig_signer_name

dnssec_rrsig_signer_nameq_proto_dns

bytes

Signer's name. This field could be empty, notably when the signer is the DNS root zone.

dns

mdns_service_name

mdns_service_nameq_proto_dns

bytes

'mdns' advertised service name.

dhcp

ciaddr

ciaddrq_proto_dhcp

string

Current client IP address.

dhcp

yiaddr

yiaddrq_proto_dhcp

string

New IP address attributed to the client.

dhcp

siaddr

siaddrq_proto_dhcp

string

IP address of next server (used when booting via a server).

dhcp

giaddr

giaddrq_proto_dhcp

string

Relay agent IP address (used when booting via a relay agent).

dhcp

chaddr

chaddrq_proto_dhcp

string

Client hardware address.

dhcp

sname

snameq_proto_dhcp

bytes

Server host name (optional).

dhcp

subnetmask

subnetmaskq_proto_dhcp

string

Subnet mask assigned to the client.

dhcp

router

routerq_proto_dhcp

string

List of gateway IP addresses.

dhcp

dns_server

dns_serverq_proto_dhcp

string

List of DNS server IP addresses.

dhcp

bootfilename

bootfilenameq_proto_dhcp

bytes

File name used when initializing

dhcp

circuit_id

circuit_idq_proto_dhcp

bytes

A suboption that contains the circuit identifier

dhcp

remote_id

remote_idq_proto_dhcp

bytes

The remote agent

dhcp

remote_id_type

remote_id_typeq_proto_dhcp

bytes

A suboption that contains the remote agent identifier.

dhcp

remote_id_subtype

remote_id_subtypeq_proto_dhcp

bytes

Subtype for the remote agent

dhcp

ip_lease_time

ip_lease_timeq_proto_dhcp

uint32

In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. The time is in seconds.

dhcp

end_status

end_statusq_proto_dhcp

uint32

An event sent when the DHCP session expires. It is equal to 1 when a release message was observed and 0 if not.

dhcp

xid

xidq_proto_dhcp

uint32

Transaction ID, a random number chosen by the client, used by the client and server to associate requests and responses.

dhcp

host_name

host_nameq_proto_dhcp

bytes

Host name sent by the client in the DHCP option 12 (optional).

dhcp

domain_name

domain_nameq_proto_dhcp

bytes

DNS server name sent by the server in the DHCP option 15 for further use by the client (optional).

dhcp

client_fqdn

client_fqdnq_proto_dhcp

bytes

Fully qualified host name sent by the client in the DHCP option 81 (optional).

dhcp6

xid

xidq_proto_dhcp6

uint32

Transaction ID, a random number chosen by the client, used by the client and server to associate requests and responses.

dhcp6

chaddr

chaddrq_proto_dhcp6

string

Client hardware address.

dhcp6

ip_lease_time

ip_lease_timeq_proto_dhcp6

uint32

A DHCPv6 server uses this option to specify the lease time it is willing to offer (time period in seconds).

dhcp6

client_fqdn

client_fqdnq_proto_dhcp6

bytes

Fully qualified domain name sent by the client in the DHCPv6 option 39. This metadata is not raised in case of decoding error.

dhcp6

duid_type

duid_typeq_proto_dhcp6

uint32

DUID type.

dhcp6

shaddr

shaddrq_proto_dhcp6

string

Server hardware address.

dhcp6

requested_option_code

requested_option_codeq_proto_dhcp6

uint32

Option code for an option requested by the client.

dhcp6

ia_prefix_option

ia_prefix_optionq_proto_dhcp6

uint32

Option type.

dhcp6

ia_prefix_length

ia_prefix_lengthq_proto_dhcp6

uint32

Length of the option data.

dhcp6

ia_prefix_preferred_life_time

ia_prefix_preferred_life_timeq_proto_dhcp6

uint32

Recommended preferred lifetime for the IPv6 prefix in the option expressed in seconds.

dhcp6

ia_prefix_valid_life_time

ia_prefix_valid_life_timeq_proto_dhcp6

uint32

The valid lifetime for the IPv6 prefix in the option expressed in seconds.

dhcp6

iapd_iaid

iapd_iaidq_proto_dhcp6

uint32

Unique identifier for an IA_PD option.

dhcp6

enterprise_number

enterprise_numberq_proto_dhcp6

uint32

The vendor's Enterprise Number as registered with IANA.

dimp

attach_type

attach_typeq_proto_dimp

bytes

Content type of the sent attached file.

dimp

receiver_alias

receiver_aliasq_proto_dimp

bytes

Name of email receiver (including cc and bcc receivers).

dimp

receiver_email

receiver_emailq_proto_dimp

bytes

Email address of message receiver (including cc and bcc receivers).

dimp

sender_alias

sender_aliasq_proto_dimp

bytes

Name of the email sender.

dimp

sender_email

sender_emailq_proto_dimp

bytes

Email address of the email sender.

dimp

subject

subjectq_proto_dimp

bytes

Message subject.

dimp

date

dateq_proto_dimp

bytes

Message date.

dimp

attach_filename

attach_filenameq_proto_dimp

bytes

Attachment name.

dimp

action

actionq_proto_dimp

bytes

Indicates if the message is read (Read) or composed (Compose).

dimp

msg_id

msg_idq_proto_dimp

bytes

Identifier of the message.

dimp

msglist_subject

msglist_subjectq_proto_dimp

bytes

Message subject in a message list.

dimp

msglist_sender_email

msglist_sender_emailq_proto_dimp

bytes

Address of email sender.

dimp

login

loginq_proto_dimp

bytes

User's login string.

dimp

password

passwordq_proto_dimp

bytes

User's password string.

ebay

query_text

query_textq_proto_ebay

bytes

Query sent to the search engine.

ebay

query_raw

query_rawq_proto_ebay

bytes

Contains the query sent to the search engine as indicated in the URL.

ebuddy

contact_message

contact_messageq_proto_ebuddy

bytes

User's contact IM personal message.

ebuddy

contact_login

contact_loginq_proto_ebuddy

bytes

Contact login.

ebuddy

message

messageq_proto_ebuddy

bytes

Contains the chat message.

ebuddy

receiver

receiverq_proto_ebuddy

bytes

Contains the identity of the receiver for a chat message or a file transfer.

ebuddy

sender

senderq_proto_ebuddy

bytes

Contains the identity of the sender of a chat session or a file transfer.

ebuddy

client_message

client_messageq_proto_ebuddy

bytes

User's IM personal message.

ebuddy

e_action

e_actionq_proto_ebuddy

bytes

Action of the user.

ebuddy

login

loginq_proto_ebuddy

bytes

User's login string.

edonkey

login

loginq_proto_edonkey

bytes

User's login string.

edonkey

query

queryq_proto_edonkey

bytes

Query sent to find a file.

edonkey

filename

filenameq_proto_edonkey

bytes

Name of the transferred file.

enip

command

commandq_proto_enip

uint32

Command code which has been sent by the request.

enip

status

statusq_proto_enip

uint32

Status code.

enip

session_handle

session_handleq_proto_enip

uint32

Session id. Some commands do not require a session handle.

enip

data_item_count

data_item_countq_proto_enip

uint32

Number of items to follow in the packet.

enip

data_type_id

data_type_idq_proto_enip

uint32

Type of encapsulated item.

enip

data_length

data_lengthq_proto_enip

uint32

Length in bytes of command data section.

enip

options

optionsq_proto_enip

uint32

Options. Its behavior or use is not defined yet (Future use).

enip

csd_interface_handle

csd_interface_handleq_proto_enip

uint32

Communications interface ID. Is part of Command Specific Data (CSD).

enip

csd_timeout

csd_timeoutq_proto_enip

uint32

Timeout in seconds used by routers. Is part of Command Specific Data (CSD).

enip

csd_cpf_data_item_count

csd_cpf_data_item_countq_proto_enip

uint32

Number of items to follow in the packet.

enip

csd_cpf_item_type_id

csd_cpf_item_type_idq_proto_enip

uint32

Type of encapsulated item.

enip

csd_cpf_item_length

csd_cpf_item_lengthq_proto_enip

uint32

Size of encapsulated item.

activesync

login

loginq_proto_activesync

bytes

User's login string.

activesync

action

actionq_proto_activesync

bytes

Indicates if the message is read (Read) or composed (Compose).

activesync

sender

senderq_proto_activesync

bytes

Full address of email sender (alias followed by email address).

activesync

sender_email

sender_emailq_proto_activesync

bytes

Email address of the email sender.

activesync

sender_alias

sender_aliasq_proto_activesync

bytes

Name of the email sender.

activesync

receiver

receiverq_proto_activesync

bytes

Full address of email receiver (including cc and bcc receivers).

activesync

receiver_email

receiver_emailq_proto_activesync

bytes

Email address of message receiver (including cc and bcc receivers).

activesync

receiver_alias

receiver_aliasq_proto_activesync

bytes

Name of email receiver (including cc and bcc receivers).

activesync

receiver_type

receiver_typeq_proto_activesync

bytes

Type of the email receiver.

activesync

replyto

replytoq_proto_activesync

bytes

Email address to use in a reply for this message.

activesync

date

dateq_proto_activesync

bytes

Message date.

activesync

subject

subjectq_proto_activesync

bytes

Message subject.

activesync

msg_id

msg_idq_proto_activesync

bytes

Identifier of the message.

activesync

content_type

content_typeq_proto_activesync

bytes

Indicates the content type of transferred file.

activesync

content_transfer_encoding

content_transfer_encodingq_proto_activesync

bytes

Contains the encoding of the content

activesync

encoding

encodingq_proto_activesync

bytes

Page encoding

activesync

attach_id

attach_idq_proto_activesync

bytes

Attachment identifier.

activesync

attach_filename

attach_filenameq_proto_activesync

bytes

Attachment name.

activesync

attach_type

attach_typeq_proto_activesync

bytes

Content type of the sent attached file.

activesync

attach_size

attach_sizeq_proto_activesync

uint32

Attached file MIME size.

activesync

attach_transfer_encoding

attach_transfer_encodingq_proto_activesync

bytes

Contains the encoding of the attached content

activesync

folderlist_item_name

folderlist_item_nameq_proto_activesync

bytes

Message folder name.

activesync

folderlist_item_id

folderlist_item_idq_proto_activesync

bytes

Message folder unique identifier.

activesync

timezone_raw

timezone_rawq_proto_activesync

bytes

Timezone to be used. The extracted data is a base64 encoded structure.

activesync

timezone_standard_name

timezone_standard_nameq_proto_activesync

bytes

It contains an optional description for standard time.

activesync

timezone_daylight_name

timezone_daylight_nameq_proto_activesync

bytes

It contains an optional description for DST.

activesync

creation_time

creation_timeq_proto_activesync

bytes

Creation time of the entry.

activesync

end_time

end_timeq_proto_activesync

bytes

End time of the meeting.

activesync

location

locationq_proto_activesync

bytes

Location of the meeting.

activesync

organizer_email

organizer_emailq_proto_activesync

bytes

This element is an optional element that specifies the e-mail address of the user who created the calendar item.

activesync

reminder

reminderq_proto_activesync

uint32

Reminder element is an optional element that specifies the number of minutes before the calendar item's start time to display a reminder notice.

activesync

calendar_subject

calendar_subjectq_proto_activesync

bytes

Subject element is an optional element that specifies the subject of the calendar item.

activesync

start_time

start_timeq_proto_activesync

bytes

start_time element is an optional element that specifies the start time of the calendar item.

activesync

calendar_id

calendar_idq_proto_activesync

bytes

Element that specifies an ID that uniquely identifies a single event or recurring series.

activesync

recurrence_interval

recurrence_intervalq_proto_activesync

uint32

Element that specifies the interval between recurrences.

activesync

attendee_name

attendee_nameq_proto_activesync

bytes

Specifies the attendee's name.

activesync

attendee_email

attendee_emailq_proto_activesync

bytes

Specifies the attendee's email address.

facebook

message

messageq_proto_facebook

bytes

Instant message content.

facebook

feed_text

feed_textq_proto_facebook

bytes

Feed text.

facebook

receiver

receiverq_proto_facebook

bytes

Instant message recipient name.

facebook

sender_email

sender_emailq_proto_facebook

bytes

Email address of the message sender.

facebook

query_text

query_textq_proto_facebook

bytes

Query sent to the search engine.

facebook

login

loginq_proto_facebook

bytes

User's login string.

facebook

action

actionq_proto_facebook

bytes

Indicates the action executed by the user.

facebook

server_name

server_nameq_proto_facebook

bytes

Domain name mentioned in CHLO message of the underlying transport protocol Zero.

facebook_apps

application_action

application_actionq_proto_facebook_apps

bytes

Indicates the action executed by the user.

facebook_apps

application_name

application_nameq_proto_facebook_apps

bytes

Name of the application.

facebook_mail

attach_type

attach_typeq_proto_facebook_mail

bytes

Content type of the sent attached file.

facebook_mail

attach_filename

attach_filenameq_proto_facebook_mail

bytes

Attachment name.

facebook_mail

sender_email

sender_emailq_proto_facebook_mail

bytes

Email address of the email sender.

facebook_mail

receiver_email

receiver_emailq_proto_facebook_mail

bytes

Email address of message receiver (including cc and bcc receivers).

facebook_mail

action

actionq_proto_facebook_mail

bytes

Indicates if the message is read (Read) or composed (Compose).

facebook_mail

subject

subjectq_proto_facebook_mail

bytes

Message subject.

facebook_mail

login

loginq_proto_facebook_mail

bytes

User's login string.

facebook_mail

session_id

session_idq_proto_facebook_mail

bytes

Uniquely identifies the current user session.

facebook_messenger

service_id

service_idq_proto_facebook_messenger

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

facebook_messenger

service

serviceq_proto_facebook_messenger

bytes

Current service identification string.

facebook_messenger

service_duration

service_durationq_proto_facebook_messenger

uint32

4-byte integer value indicating, when the service has ended, its duration in seconds.

facebook_messenger

service_duration_tv

service_duration_tvq_proto_facebook_messenger

string

Timeval structure indicating, when the service has ended, its duration in seconds and microseconds.

facebook_messenger

uid

uidq_proto_facebook_messenger

bytes

Generic user ID.

ftp

login

loginq_proto_ftp

bytes

User's login string.

ftp

password

passwordq_proto_ftp

bytes

User's password string.

ftp

filename

filenameq_proto_ftp

bytes

Name of the transferred file.

ftp

method

methodq_proto_ftp

bytes

Contains the FTP command sent.

ftp

filesize

filesizeq_proto_ftp

uint32

Size (in bytes) of the transferred file.

ftp

loadway

loadwayq_proto_ftp

bytes

Contains the file transfer way (Upload vs Download).

ftp

offset

offsetq_proto_ftp

uint32

Indicates the start offset of the file transfer.

ftp

greeting_message

greeting_messageq_proto_ftp

bytes

First line of the server banner.

ftp

return_content

return_contentq_proto_ftp

bytes

Message of server's response.

ftp

transfer_duration

transfer_durationq_proto_ftp

string

Elapsed time (in seconds) between the beginning of a transfer (FTP code 150) and the first packet signaling the successful end of the transfer (FTP code 226).

ftp

index

indexq_proto_ftp

uint32

Identifier of the request and response in an FTP flow.

ftp

method_content

method_contentq_proto_ftp

bytes

Method parameter

ftp

data_port_start_offset

data_port_start_offsetq_proto_ftp

uint32

Offset to the first FTP port byte given in the PORT command.

ftp

data_port_end_offset

data_port_end_offsetq_proto_ftp

uint32

Offset to the first byte which is not part of the TCP port value, given in the PORT command.

ftp_data

content

contentq_proto_ftp_data

bytes

File content

fix

transaction_time

transaction_timeq_proto_fix

bytes

Time the order request was initiated/released by the trading system.

fix

symbol

symbolq_proto_fix

bytes

Common representation of the security.

fix

order_type

order_typeq_proto_fix

bytes

Order type.

fix

order_status

order_statusq_proto_fix

bytes

Describes the current state of a chain of orders.

fix

order_qty

order_qtyq_proto_fix

bytes

Quantity ordered.

fix

order_id

order_idq_proto_fix

bytes

Unique identifier for an order.

fix

message_type

message_typeq_proto_fix

bytes

Defines FIX message type.

firefox_update

plugin_new_version

plugin_new_versionq_proto_firefox_update

bytes

Plugin version after update.

firefox_update

plugin_name

plugin_nameq_proto_firefox_update

bytes

Name of the plugin.

firefox_update

new_version

new_versionq_proto_firefox_update

bytes

Browser version after update.

firefox_update

current_version

current_versionq_proto_firefox_update

bytes

Browser version before update.

freebsd_update

package_name

package_nameq_proto_freebsd_update

bytes

Software package name.

giop

version

versionq_proto_giop

bytes

Current GIOP version.

giop

ior_type_id

ior_type_idq_proto_giop

bytes

IOR object's repository id.

giop

message_type

message_typeq_proto_giop

bytes

GIOP message type.

giop

request_operation

request_operationq_proto_giop

bytes

Name of the request sent to the server.

giop

request_id

request_idq_proto_giop

uint32

ID used to associate a reply message with a request message.

gmail_basic

date

dateq_proto_gmail_basic

bytes

Message date.

gmail_basic

sender_alias

sender_aliasq_proto_gmail_basic

bytes

Name of the email sender.

gmail_basic

sender_email

sender_emailq_proto_gmail_basic

bytes

Email address of the email sender.

gmail_basic

login

loginq_proto_gmail_basic

bytes

User's login string. It's also sender id in case of e-mail compose/send workflow (use session_id to correlate email and login).

gmail_basic

subject

subjectq_proto_gmail_basic

bytes

Message subject.

gmail_basic

receiver_type

receiver_typeq_proto_gmail_basic

bytes

Type of the email receiver.

gmail_basic

receiver_alias

receiver_aliasq_proto_gmail_basic

bytes

Name of email receiver (including cc and bcc receivers).

gmail_basic

receiver_email

receiver_emailq_proto_gmail_basic

bytes

Email address of message receiver (including cc and bcc receivers).

gmail_basic

attach_type

attach_typeq_proto_gmail_basic

bytes

Content type of the sent attached file.

gmail_basic

attach_filename

attach_filenameq_proto_gmail_basic

bytes

Attachment name.

gmail_basic

attach_id

attach_idq_proto_gmail_basic

bytes

Attachment identifier.

gmail_basic

draft

draftq_proto_gmail_basic

uint32

Indicates if the email is a draft or has really been posted

gmail_basic

msg_id

msg_idq_proto_gmail_basic

bytes

Identifier of the message.

gmail_basic

action

actionq_proto_gmail_basic

bytes

Indicates if the message is read (Read) or composed (Compose).

gmail_basic

attach_size

attach_sizeq_proto_gmail_basic

uint32

Attached file MIME size.

gmail_basic

session_id

session_idq_proto_gmail_basic

bytes

Uniquely identifies the current user session.

gmail_basic

encoding

encodingq_proto_gmail_basic

bytes

Page encoding

gmail_mobile

msglist_subject

msglist_subjectq_proto_gmail_mobile

bytes

Message subject in a message list.

gmail_mobile

msglist_msgid

msglist_msgidq_proto_gmail_mobile

bytes

Message identifier.

gmail_mobile

msglist_sender_alias

msglist_sender_aliasq_proto_gmail_mobile

bytes

Name of email sender.

gmail_mobile

msglist_folder

msglist_folderq_proto_gmail_mobile

bytes

Indicates the directory from a message list.

gmail_mobile

contact_email

contact_emailq_proto_gmail_mobile

bytes

Email address of a contact.

gmail_mobile

contact_alias

contact_aliasq_proto_gmail_mobile

bytes

Alias of a contact.

gmail_mobile

date

dateq_proto_gmail_mobile

bytes

Message date.

gmail_mobile

attach_filename

attach_filenameq_proto_gmail_mobile

bytes

Attachment name.

gmail_mobile

attach_id

attach_idq_proto_gmail_mobile

bytes

Attachment identifier.

gmail_mobile

email_index

email_indexq_proto_gmail_mobile

bytes

Index of the request which the email is attached to.

gmail_mobile

subject

subjectq_proto_gmail_mobile

bytes

Message subject.

gmail_mobile

receiver_type

receiver_typeq_proto_gmail_mobile

bytes

Type of the email receiver.

gmail_mobile

receiver_alias

receiver_aliasq_proto_gmail_mobile

bytes

Name of email receiver (including cc and bcc receivers).

gmail_mobile

receiver_email

receiver_emailq_proto_gmail_mobile

bytes

Email address of message receiver (including cc and bcc receivers).

gmail_mobile

sender_alias

sender_aliasq_proto_gmail_mobile

bytes

Name of the email sender.

gmail_mobile

sender_email

sender_emailq_proto_gmail_mobile

bytes

Email address of the email sender.

gmail_mobile

action

actionq_proto_gmail_mobile

bytes

Indicates if the message is read (Read) or composed (Compose).

gmail_mobile

login

loginq_proto_gmail_mobile

bytes

User's login string.

gmail_mobile

session_id

session_idq_proto_gmail_mobile

bytes

Uniquely identifies the current user session.

gmail_mobile

msglist_receiver_alias

msglist_receiver_aliasq_proto_gmail_mobile

bytes

Name of email receiver.

gmail_mobile

draft

draftq_proto_gmail_mobile

uint32

Indicates if the email is a draft or has really been posted

gmail_mobile

name

nameq_proto_gmail_mobile

bytes

User's full name.

gmail_mobile

encoding

encodingq_proto_gmail_mobile

bytes

Page encoding

gmail_mobile

msglist_sender_email

msglist_sender_emailq_proto_gmail_mobile

bytes

Address of email sender.

gmail_mobile

msglist_receiver_email

msglist_receiver_emailq_proto_gmail_mobile

bytes

Email address of the email receiver.

gmail_mobile

msglist_date

msglist_dateq_proto_gmail_mobile

bytes

Message date in a message list.

gmail_mobile

replyto

replytoq_proto_gmail_mobile

bytes

Email address to use in a reply for this message.

gmail_mobile

attach_type

attach_typeq_proto_gmail_mobile

bytes

Content type of the sent attached file.

gmail_mobile

attach_size

attach_sizeq_proto_gmail_mobile

uint32

Attached file MIME size.

gmail_mobile

last_activity

last_activityq_proto_gmail_mobile

bytes

Time elapsed since last account activity.

gmail_mobile

last_activity_timestamp

last_activity_timestampq_proto_gmail_mobile

string

Last account-activity timestamp.

gmail_mobile

current_ip_address

current_ip_addressq_proto_gmail_mobile

string

IP address of the logged-in user.

gmail_mobile

other_ip_address

other_ip_addressq_proto_gmail_mobile

string

IP address of the other logged-in user.

gmail_mobile

attach_transfer_encoding

attach_transfer_encodingq_proto_gmail_mobile

bytes

Contains the encoding of the attached content

gmail_mobile

password

passwordq_proto_gmail_mobile

bytes

User's password string.

gmx

attach_filename

attach_filenameq_proto_gmx

bytes

Attachment name.

gmx

receiver_email

receiver_emailq_proto_gmx

bytes

Email address of message receiver (including cc and bcc receivers).

gmx

sender_email

sender_emailq_proto_gmx

bytes

Email address of the email sender.

gmx

subject

subjectq_proto_gmx

bytes

Message subject.

gmx

login

loginq_proto_gmx

bytes

User's login string.

gnutella

user_agent

user_agentq_proto_gnutella

bytes

Name of the software used.

gnutella

server

serverq_proto_gnutella

bytes

Name of the server from which the file is downloaded.

gnutella

query

queryq_proto_gnutella

bytes

Query sent to find a file.

gnutella

filename

filenameq_proto_gnutella

bytes

Name of the transferred file.

google_ads

ad_url_full

ad_url_fullq_proto_google_ads

bytes

Complete ad URL.

google_ads

ad_status

ad_statusq_proto_google_ads

bytes

Indicates whether the ad has been displayed or clicked.

gmail_chat

login

loginq_proto_gmail_chat

bytes

User's login string.

gmail_chat

message

messageq_proto_gmail_chat

bytes

Contains the chat message.

google_earth

query_raw

query_rawq_proto_google_earth

bytes

Contains the query sent to the search engine as indicated in the URL.

google_earth

query_text

query_textq_proto_google_earth

bytes

Query sent to the search engine.

google_groups

sender_email

sender_emailq_proto_google_groups

bytes

Email address of the email sender.

google_groups

action

actionq_proto_google_groups

bytes

Indicates if the message is read (Read) or composed (Compose).

google_groups

msglist_subject

msglist_subjectq_proto_google_groups

bytes

Message subject in a message list.

google_groups

group_name

group_nameq_proto_google_groups

bytes

Name of the group the user has subscribed to.

google_groups

receiver_email

receiver_emailq_proto_google_groups

bytes

Email address of message receiver (including cc and bcc receivers).

google_groups

subject

subjectq_proto_google_groups

bytes

Message subject.

google_groups

msglist_sender_email

msglist_sender_emailq_proto_google_groups

bytes

Address of email sender.

gmail

session_id

session_idq_proto_gmail

bytes

Uniquely identifies the current user session.

gmail

login

loginq_proto_gmail

bytes

User's login string.

gmail

name

nameq_proto_gmail

bytes

User's full name.

gmail

encoding

encodingq_proto_gmail

bytes

Page encoding

gmail

msglist_sender_alias

msglist_sender_aliasq_proto_gmail

bytes

Name of email sender.

gmail

msglist_sender_email

msglist_sender_emailq_proto_gmail

bytes

Address of email sender.

gmail

msglist_receiver_alias

msglist_receiver_aliasq_proto_gmail

bytes

Name of email receiver.

gmail

msglist_receiver_email

msglist_receiver_emailq_proto_gmail

bytes

Email address of the email receiver.

gmail

msglist_subject

msglist_subjectq_proto_gmail

bytes

Message subject in a message list.

gmail

msglist_msgid

msglist_msgidq_proto_gmail

bytes

Message identifier.

gmail

msglist_date

msglist_dateq_proto_gmail

bytes

Message date in a message list.

gmail

msglist_folder

msglist_folderq_proto_gmail

bytes

Indicates the directory from a message list.

gmail

sender_email

sender_emailq_proto_gmail

bytes

Email address of the email sender.

gmail

sender_alias

sender_aliasq_proto_gmail

bytes

Name of the email sender.

gmail

real_sender_domain

real_sender_domainq_proto_gmail

bytes

Domain of the email sender.

gmail

real_sender_msgid

real_sender_msgidq_proto_gmail

bytes

Email identifier.

gmail

receiver_email

receiver_emailq_proto_gmail

bytes

Email address of message receiver (including cc and bcc receivers).

gmail

receiver_alias

receiver_aliasq_proto_gmail

bytes

Name of email receiver (including cc and bcc receivers).

gmail

receiver_type

receiver_typeq_proto_gmail

bytes

Type of the email receiver.

gmail

replyto

replytoq_proto_gmail

bytes

Email address to use in a reply for this message.

gmail

date

dateq_proto_gmail

bytes

Message date.

gmail

subject

subjectq_proto_gmail

bytes

Message subject.

gmail

msg_id

msg_idq_proto_gmail

bytes

Identifier of the message.

gmail

attach_id

attach_idq_proto_gmail

bytes

Attachment identifier.

gmail

attach_filename

attach_filenameq_proto_gmail

bytes

Attachment name.

gmail

attach_type

attach_typeq_proto_gmail

bytes

Content type of the sent attached file.

gmail

attach_size

attach_sizeq_proto_gmail

uint32

Attached file MIME size.

gmail

thumbnail

thumbnailq_proto_gmail

uint32

Indicates whether this attachment is an image thumbnail.

gmail

draft

draftq_proto_gmail

uint32

Indicates if the email is a draft or has really been posted

gmail

action

actionq_proto_gmail

bytes

Indicates if the message is read (Read) or composed (Compose).

gmail

version

versionq_proto_gmail

bytes

Gmail version used.

gmail

last_activity

last_activityq_proto_gmail

bytes

Time elapsed since last account activity.

gmail

last_activity_timestamp

last_activity_timestampq_proto_gmail

string

Last account activity timestamp.

gmail

current_ip_address

current_ip_addressq_proto_gmail

string

IP address of the logged-in user.

gmail

other_ip_address

other_ip_addressq_proto_gmail

string

IP address of the other logged-in user.

gmail

contact_email

contact_emailq_proto_gmail

bytes

Email address of a contact.

gmail

contact_alias

contact_aliasq_proto_gmail

bytes

Alias of a contact.

gmail

email_index

email_indexq_proto_gmail

bytes

Index of the request which the email is attached to.

gmail

attach_id_temp

attach_id_tempq_proto_gmail

bytes

Temporary value for attach_id of an attachment. It is present during attachment uploading (it is used to correlate the uploaded attachment with the sending of the associated email).

google_maps

query_text

query_textq_proto_google_maps

bytes

Query sent to the search engine.

google_maps

query_raw

query_rawq_proto_google_maps

bytes

Contains the query sent to the search engine as indicated in the URL.

google_maps

start_addr_raw

start_addr_rawq_proto_google_maps

bytes

Departure point as indicated in the URL.

google_maps

start_addr

start_addrq_proto_google_maps

bytes

Encoded departure point.

google_play

application_name

application_nameq_proto_google_play

bytes

Name of the downloaded app.

google

query_text

query_textq_proto_google

bytes

Query sent to the search engine.

google

query_raw

query_rawq_proto_google

bytes

Contains the query sent to the search engine as indicated in the URL.

gtalk

service_id

service_idq_proto_gtalk

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

gtalk

service

serviceq_proto_gtalk

bytes

Current service identification string.

gtalk

service_duration

service_durationq_proto_gtalk

uint32

4-byte integer value indicating, once the service has ended, its length in seconds.

gtalk

service_duration_tv

service_duration_tvq_proto_gtalk

string

Timeval structure indicating, once the service has ended, its length in seconds and microseconds.

gotomypc

service

serviceq_proto_gotomypc

bytes

Current service identification string.

gotomypc

service_id

service_idq_proto_gotomypc

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

gougou

query_raw

query_rawq_proto_gougou

bytes

Contains the query sent to the search engine as indicated in the URL.

gougou

query_text

query_textq_proto_gougou

bytes

Query sent to the search engine.

gtpv2

processing_anomaly_type

processing_anomaly_typeq_proto_gtpv2

bytes

Defines the category of the anomaly.

gtpv2

processing_anomaly_attr

processing_anomaly_attrq_proto_gtpv2

uint32

Gives an attribute ID, or an attribute structure (parent attribute ID), not extracted because of the anomaly.

gtpv2

uli_field_type

uli_field_typeq_proto_gtpv2

uint32

Type of the field

gtpv2

uli_mcc

uli_mccq_proto_gtpv2

uint32

Mobile Country Code (MCC) present in the identity

gtpv2

uli_mnc

uli_mncq_proto_gtpv2

uint32

Mobile Network Code (MNC) present in the identity

gtpv2

uli_eci

uli_eciq_proto_gtpv2

uint32

E-UTRAN Cell Identifier (ECI) present in the identity of type ECGI.

gtpv2

uli_ci

uli_ciq_proto_gtpv2

uint32

Cell Identifier (CI) present in the identity of type CGI.

gtpv2

uli_tac

uli_tacq_proto_gtpv2

uint32

Tracking Area Code (TAC) present in the identity of type TAI.

gtpv2

uli_lac

uli_lacq_proto_gtpv2

uint32

Location Area Code (LAC) present in the identity of type LAI, RAI, SAI or CGI.

gtpv2

uli_sac

uli_sacq_proto_gtpv2

uint32

Service Area Code (SAC) present in the identity of type SAI.

gtpv2

uli_rac

uli_racq_proto_gtpv2

uint32

Routing Area Code (RAC) present in the identity of type RAI.

gtpv2

sn_mcc

sn_mccq_proto_gtpv2

uint32

Mobile Country Code (MCC) of the Serving Network.

gtpv2

sn_mnc

sn_mncq_proto_gtpv2

uint32

Mobile Network Code (MNC) of the Serving Network.

h225

call_setup

call_setupq_proto_h225

string

Call setup delay.

h225

call_duration

call_durationq_proto_h225

string

Call duration.

h225

session_duration

session_durationq_proto_h225

string

Call setup duration.

h225

start_time

start_timeq_proto_h225

string

Start date of the call.

h225

time_before_spk

time_before_spkq_proto_h225

string

Waiting delay before speaking.

h225

call_id

call_idq_proto_h225

bytes

Call id, extracted for each call.

h225

end_status

end_statusq_proto_h225

bytes

Status of the call end

h225

media_attr_encoding

media_attr_encodingq_proto_h225

bytes

The encoding of media data.

h225

caller

callerq_proto_h225

bytes

Contains the identity (or the phone number) of the initiator of the call.

h225

callee

calleeq_proto_h225

bytes

Contains the identity (or the phone number) of the called party for a call.

h225

method

methodq_proto_h225

bytes

The command

h225

h245_addr

h245_addrq_proto_h225

string

Address used by h245 session.

h225

request_call_id

request_call_idq_proto_h225

bytes

Call's id in the message.

h225

request_caller

request_callerq_proto_h225

bytes

Contains the identity (or the phone number) of the initiator in the message

h225

request_callee

request_calleeq_proto_h225

bytes

Contains the identity (or the phone number) of the called party in the message.

h225

audio_data

audio_dataq_proto_h225

bytes

Encoding that can be used in the audio flow.

h225

media_control_channel_addr

media_control_channel_addrq_proto_h225

string

Address used for a rtcp channel.

h225

media_channel_addr

media_channel_addrq_proto_h225

string

Address used for a rtp channel.

h225

h245_method

h245_methodq_proto_h225

bytes

The command for a H245 message.

h225

language

languageq_proto_h225

bytes

Used language.

h225

product_id

product_idq_proto_h225

bytes

H225 product component identifier.

h225

version

versionq_proto_h225

bytes

Version of the H225 VoIP client software.

h245

media_attr_encoding

media_attr_encodingq_proto_h245

bytes

The encoding of media data.

h245

method

methodq_proto_h245

bytes

The command

h245

media_control_channel_addr

media_control_channel_addrq_proto_h245

string

Address used for a rtcp channel.

h245

media_channel_addr

media_channel_addrq_proto_h245

string

Address used for a rtp channel.

h248_binary

context_id

context_idq_proto_h248_binary

uint32

The context ID identifies the context. It is assigned by the Media Gateway. It can be an integer, "-" (null context), "*" (all) or "$" (choose).

h248_binary

call_id

call_idq_proto_h248_binary

bytes

Call id, extracted for each call.

h248_binary

action

actionq_proto_h248_binary

bytes

The action designates the command that is executed during the transaction. The command name is postfixed by Req if the transaction is a request, by Reply if the transaction is a reply.

h248_binary

from_ip

from_ipq_proto_h248_binary

string

Source IPv4 address

h248_binary

to_ip

to_ipq_proto_h248_binary

string

Destination IPv4 address

h248_binary

src_audio_connection

src_audio_connectionq_proto_h248_binary

bytes

Source audio connection type

h248_binary

src_video_connection

src_video_connectionq_proto_h248_binary

bytes

Source video connection type

h248_binary

dst_audio_connection

dst_audio_connectionq_proto_h248_binary

bytes

Destination audio connection type

h248_binary

dst_video_connection

dst_video_connectionq_proto_h248_binary

bytes

Destination video connection type

h248_binary

response_code

response_codeq_proto_h248_binary

uint32

Return code, extracted from the reply

h248_text

context_id

context_idq_proto_h248_text

bytes

The context ID identifies the context. It is assigned by the Media Gateway. It can be an integer, "-" (null context), "*" (all) or "$" (choose).

h248_text

call_id

call_idq_proto_h248_text

bytes

Call id, extracted for each call.

h248_text

action

actionq_proto_h248_text

bytes

The action designates the command that is executed during the transaction. The command name is postfixed by Req if the transaction is a request, by Reply if the transaction is a reply.

h248_text

from_ip

from_ipq_proto_h248_text

string

Source IPv4 address

h248_text

to_ip

to_ipq_proto_h248_text

string

Destination IPv4 address

h248_text

src_audio_connection

src_audio_connectionq_proto_h248_text

bytes

Source audio connection type

h248_text

src_video_connection

src_video_connectionq_proto_h248_text

bytes

Source video connection type

h248_text

dst_audio_connection

dst_audio_connectionq_proto_h248_text

bytes

Destination audio connection type

h248_text

dst_video_connection

dst_video_connectionq_proto_h248_text

bytes

Destination video connection type

h248_text

response_code

response_codeq_proto_h248_text

uint32

Return code, extracted from the reply

haproxy

ipv4_src_addr

ipv4_src_addrq_proto_haproxy

string

IPv4 source address.

haproxy

ipv4_dst_addr

ipv4_dst_addrq_proto_haproxy

string

IPv4 destination address.

haproxy

src_port

src_portq_proto_haproxy

uint32

Source port.

haproxy

dst_port

dst_portq_proto_haproxy

uint32

Destination port.

hi5

nickname

nicknameq_proto_hi5

bytes

User's profile displayed name.

hi5

password

passwordq_proto_hi5

bytes

User's password string.

hi5

login

loginq_proto_hi5

bytes

User's login string.

hi5

is_mobile_service

is_mobile_serviceq_proto_hi5

uint32

Whether or not the access was made through a mobile device.

hi5

uid

uidq_proto_hi5

bytes

Generic user ID.

high_entropy

entropy

entropyq_proto_high_entropy

uint32

Computed entropy value.

hike_messenger

service_id

service_idq_proto_hike_messenger

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

hike_messenger

service

serviceq_proto_hike_messenger

bytes

Current service identification string.

hsrp

virtual_addr

virtual_addrq_proto_hsrp

string

Virtual IP address used by the group.

http

server

serverq_proto_http

bytes

Normalized web server name, including lowercase transformation and suffix cleaning. The value is extracted from an absolute URI (if present), or from the Host: header value by default (extracted once per HTTP request).

http

location

locationq_proto_http

bytes

Destination address where the client is redirected.

http

referer

refererq_proto_http

bytes

Source address from which the client obtained the requested URI.

http

referer_server

referer_serverq_proto_http

bytes

Contains the host or the website name of the referrer.

http

uri_full

uri_fullq_proto_http

bytes

Complete name (scheme/authority + path + request) of a web resource.

http

user_agent

user_agentq_proto_http

bytes

Software used by the client to access the web page.

http

mime_type

mime_typeq_proto_http

bytes

Content type of the request or the web page.

http

content_disposition

content_dispositionq_proto_http

bytes

Information related to the disposition of the content present on the web page.

http

method

methodq_proto_http

bytes

HTTP command sent by the client.

http

proxy_auth

proxy_authq_proto_http

bytes

Authentication type on the proxy.

http

proxy_login

proxy_loginq_proto_http

bytes

Login used for proxy authentication.

http

proxy_realm

proxy_realmq_proto_http

bytes

Parameter used for proxy authentication.

http

smb_client

smb_clientq_proto_http

bytes

Name of the computer during NTLM authentication (Windows environment).

http

version

versionq_proto_http

bytes

Protocol version.

http

server_agent

server_agentq_proto_http

bytes

Name of the server software.

http

rtt

rttq_proto_http

string

Server response time, calculated between the HTTP Request, and the client acknowledgment of the first non-empty HTTP Response packet.

http

directory

directoryq_proto_http

bytes

Directory of the accessed web page.

http

cookie

cookieq_proto_http

bytes

Raw value of the HTTP Cookie header line, containing the HTTP request cookies.

http

code

codeq_proto_http

uint32

Return code sent by the server.

http

content_len

content_lenq_proto_http

uint64

Contains the content length of the HTTP request/response.

http

filename

filenameq_proto_http

bytes

Name of uploaded file. Extracted if "Content-Disposition" field has a "filename-parm" ("filename").

http

header_raw

header_rawq_proto_http

bytes

One HTTP header line (field and value).

http

auth_username

auth_usernameq_proto_http

bytes

Login used in the HTTP Authorization request extension for authentication. The supported authentication methods are Basic and Digest.

http

auth_password

auth_passwordq_proto_http

bytes

Password used in the HTTP request Authorization extension. The only supported authentication method for password extraction is Basic.

http

part_filename

part_filenameq_proto_http

bytes

Name of uploaded file. Extracted if "Content-Disposition" field has a "filename-parm" ("filename"). Extracted only if content-type is "multipart".

http

content_encoding

content_encodingq_proto_http

bytes

Contains content encoding format.

http

accept_encoding

accept_encodingq_proto_http

bytes

Contains the accepted encodings.

http

ntlm_domain

ntlm_domainq_proto_http

bytes

"Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

http

ntlm_user

ntlm_userq_proto_http

bytes

"User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

http

ntlm_workstation

ntlm_workstationq_proto_http

bytes

"Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

http

file_type

file_typeq_proto_http

bytes

Received or sent file content type (prefix-based pattern recognition) exchanged using this protocol.

http

date

dateq_proto_http

bytes

Contains the date of the response (DATE HTTP header).

http

content

contentq_proto_http

bytes

Message content.

http

video_codec

video_codecq_proto_http

bytes

Video Codec.

http

audio_codec

audio_codecq_proto_http

bytes

Audio Codec.

http

ntlm_identifier

ntlm_identifierq_proto_http

bytes

NTLM protocol Signature (null-terminated string).

http

ntlm_message_type

ntlm_message_typeq_proto_http

uint32

NTLM message type.

http

content_type

content_typeq_proto_http

bytes

Indicates the content type of transferred file.

http

header_private_name

header_private_nameq_proto_http

bytes

One HTTP header line (field) starting with "X-" (private header).

http

header_private_value

header_private_valueq_proto_http

bytes

One HTTP header line (value) starting with "X-" (private header).

http

referer_fragment

referer_fragmentq_proto_http

bytes

Contains the fragment passed with the referrer.

http

referer_scheme

referer_schemeq_proto_http

bytes

Contains the scheme of the referrer.

http_proxy

server

serverq_proto_http_proxy

bytes

Normalized web server name, including lowercase transformation and suffix cleaning. The value is extracted from an absolute URI (if present), or from the Host: header value by default (extracted once per HTTP request).

http_proxy

host

hostq_proto_http_proxy

bytes

Host name value extracted from the Host header.

http_proxy

uri_full

uri_fullq_proto_http_proxy

bytes

Complete name (scheme/authority + path + request) of a web resource.

http_proxy

user_agent

user_agentq_proto_http_proxy

bytes

Name of the software used.

http_proxy

method

methodq_proto_http_proxy

bytes

Command sent by the client

http_proxy

header_raw

header_rawq_proto_http_proxy

bytes

One HTTP header line (field and value).

http_proxy

header_name

header_nameq_proto_http_proxy

bytes

One HTTP header line (field).

http_proxy

header_value

header_valueq_proto_http_proxy

bytes

One HTTP header line (value).

http_proxy

header_statusline

header_statuslineq_proto_http_proxy

bytes

The status line, just before the header lines.

http_proxy

code

codeq_proto_http_proxy

uint32

Return code sent by the server.

http_proxy

port

portq_proto_http_proxy

uint32

Port contained in the HTTP CONNECT request.

http_proxy

tunneled_application

tunneled_applicationq_proto_http_proxy

uint32

Triggered when the flow can be classified based on the CONNECT request URI and user-agent; returns the top application ID.

http_proxy

processing_anomaly_type

processing_anomaly_typeq_proto_http_proxy

bytes

Defines the category of the anomaly.

http_proxy

header_end_offset

header_end_offsetq_proto_http_proxy

uint32

Offset to the first byte after the last HTTP PROXY Header-line (\r\n included). This is an offset to the '\r' character of the second carriage return.

http_proxy

uri

uriq_proto_http_proxy

bytes

Partially normalized URL form (path + request) of a web resource, with UNRESERVED percent-encoded characters decoding (RFC3986).

http2

frame_length

frame_lengthq_proto_http2

uint32

Frame length (not including header).

http2

stream_id

stream_idq_proto_http2

uint32

Stream identifier.

http2

host

hostq_proto_http2

bytes

Host name value extracted from the :host header.

http2

server_agent

server_agentq_proto_http2

bytes

Name of the server software.

http2

location

locationq_proto_http2

bytes

Destination address where the client is redirected.

http2

referer

refererq_proto_http2

bytes

Source address from which the client obtained the requested URI.

http2

uri_raw

uri_rawq_proto_http2

bytes

Complete name (scheme/authority + path + request) of a web resource.

http2

cookie

cookieq_proto_http2

bytes

Raw value of the HTTP Cookie header line, containing the HTTP request cookies.

http2

content_disposition

content_dispositionq_proto_http2

bytes

Information related to the disposition of the content present on the web page.

http2

content_len

content_lenq_proto_http2

uint64

Contains the content length of the HTTP2 request/response.

http2

content_encoding

content_encodingq_proto_http2

bytes

Contains content encoding format.

http2

code

codeq_proto_http2

uint32

Return code sent by the server.

http2

method

methodq_proto_http2

bytes

HTTP2 command sent by the client.

http2

user_agent

user_agentq_proto_http2

bytes

Software used by the client to access the web page.

http2

mime_type

mime_typeq_proto_http2

bytes

Content type of the request or the web page.

http2

header_raw

header_rawq_proto_http2

bytes

One HTTP2 header line (field and value).

http2

date

dateq_proto_http2

bytes

Message date.

http2

decompress_size

decompress_sizeq_proto_http2

uint32

Contains length of decompressed data.

icloud

service

serviceq_proto_icloud

bytes

Current service identification string.

ident

server_port

server_portq_proto_ident

uint32

TCP server's port

ident

client_port

client_portq_proto_ident

uint32

TCP client's port

imo

service

serviceq_proto_imo

bytes

Current service identification string.

imo

service_id

service_idq_proto_imo

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

imo

service_duration

service_durationq_proto_imo

uint32

4 bytes integer value indicating, when the service is ended, the length of it in seconds.

imo

service_duration_tv

service_duration_tvq_proto_imo

string

Timeval structure giving the duration of the service in seconds and microseconds, reported when the service ends.

mimp

attach_filename

attach_filenameq_proto_mimp

bytes

Attachment name.

mimp

date

dateq_proto_mimp

bytes

Message date.

mimp

sender_email

sender_emailq_proto_mimp

bytes

Email address of the email sender.

mimp

subject

subjectq_proto_mimp

bytes

Message subject.

mimp

receiver_email

receiver_emailq_proto_mimp

bytes

Email address of message receiver (including cc and bcc receivers).

mimp

msglist_subject

msglist_subjectq_proto_mimp

bytes

Message subject in a message list.

mimp

password

passwordq_proto_mimp

bytes

User's password string.

mimp

login

loginq_proto_mimp

bytes

User's login string.

mimp

action

actionq_proto_mimp

bytes

Indicates if the message is read (Read) or composed (Compose).

mimp

attach_size

attach_sizeq_proto_mimp

uint32

Attached file MIME size.

ica

application

applicationq_proto_ica

bytes

Application name used by the client, decoded into UTF-8 format.

ica

login_info

login_infoq_proto_ica

bytes

Login information for the given connection (host, username, network domain).

ica

service

serviceq_proto_ica

bytes

Current service identification string.

ica

login_info_utf16

login_info_utf16q_proto_ica

bytes

Login information for the given connection (host, username, network domain), in UTF-16 format.

iax

packet_type

packet_typeq_proto_iax

bytes

Packet type.

iax

trunk_timestamp

trunk_timestampq_proto_iax

uint32

Timestamp (in ms) after the start of this call, indicating the time at which this trunk packet was transmitted.

iax

trunk_call_data_offset

trunk_call_data_offsetq_proto_iax

uint32

Trunk call data offset in bytes in the UDP Stream.

iax

message_name

message_nameq_proto_iax

bytes

For full IAX2 frames, message_name is the name of a frame.

iax

subclass_name

subclass_nameq_proto_iax

bytes

The command string for a "message_name" type packet.

iax

element_name

element_nameq_proto_iax

bytes

Name of the information coming from a packet of type "Full" whose message_id is "IAX".

icap

x_client_ip_respmod_req

x_client_ip_respmod_reqq_proto_icap

bytes

The IP source address of the encapsulated HTTP request, when using the X-Client-IP ICAP header extension (draft-stecher-icap-subid-00).

icap

referer_respmod_req

referer_respmod_reqq_proto_icap

bytes

The HTTP referer embedded in the ICAP RESPMOD request (see http).

icap

content_type_respmod_req

content_type_respmod_reqq_proto_icap

bytes

The HTTP content_type embedded in the http response part of the ICAP RESPMOD request (see http).

icap

user_agent_respmod_req

user_agent_respmod_reqq_proto_icap

bytes

The HTTP user_agent embedded in the ICAP RESPMOD request (see http).

icap

host_respmod_req

host_respmod_reqq_proto_icap

bytes

The HTTP host embedded in the ICAP RESPMOD request (see http).

icap

uri_respmod_req

uri_respmod_reqq_proto_icap

bytes

The HTTP uri embedded in the ICAP RESPMOD request (see http).

icap

method_respmod_req

method_respmod_reqq_proto_icap

bytes

The HTTP method embedded in the ICAP RESPMOD request (see http).

icap

code_respmod_req

code_respmod_reqq_proto_icap

uint32

The HTTP code embedded in the ICAP RESPMOD request (see http).

icmp

rtt

rttq_proto_icmp

string

Response time of a ping command.

icmp6

rtt

rttq_proto_icmp6

string

Response time of a ping command.

icmp6

link_layer_addr_type

link_layer_addr_typeq_proto_icmp6

uint32

Type of link-layer address (source or target).

icmp6

link_layer_mac_addr

link_layer_mac_addrq_proto_icmp6

string

Link-layer address in MAC format (if applicable).

icmp6

link_layer_eui64_addr

link_layer_eui64_addrq_proto_icmp6

uint64

Link-layer address in EUI64 format (if applicable).

icmp6

mtu

mtuq_proto_icmp6

uint32

Maximum transmission unit.

igmp

version

versionq_proto_igmp

uint32

Protocol version.

igmp

address

addressq_proto_igmp

string

Multicast address.

igmp

record_maddress

record_maddressq_proto_igmp

string

The multicast address in this record

imap

method

methodq_proto_imap

bytes

Command sent by the client

imap

server_response

server_responseq_proto_imap

bytes

First line of every server's tagged response, including pipelined responses.

imap

login

loginq_proto_imap

bytes

User's login string.

imap

password

passwordq_proto_imap

bytes

User's password string.

imap

subject

subjectq_proto_imap

bytes

Message subject.

imap

date

dateq_proto_imap

bytes

Message date.

imap

sender

senderq_proto_imap

bytes

Full address of email sender (alias followed by email address).

imap

receiver

receiverq_proto_imap

bytes

Full address of email receiver (including cc and bcc receivers).

imap

msglist_subject

msglist_subjectq_proto_imap

bytes

Message subject in a message list.

imap

msglist_sender

msglist_senderq_proto_imap

bytes

Full address of email sender (alias and email address).

imap

msglist_receiver

msglist_receiverq_proto_imap

bytes

Full address of email receiver in a message list.

imap

msglist_mime_type

msglist_mime_typeq_proto_imap

bytes

Content type of the email.

imap

msglist_attach_mime_type

msglist_attach_mime_typeq_proto_imap

bytes

Content type of the attachment (in a list).

imap

msglist_attach_filename

msglist_attach_filenameq_proto_imap

bytes

Name of file attached to message (in a list).

imap

user_agent

user_agentq_proto_imap

bytes

Name of the software used.

imap

attach_filename

attach_filenameq_proto_imap

bytes

Attachment name.

imap

file_type

file_typeq_proto_imap

bytes

Received or sent file content type (prefix-based pattern recognition) exchanged using this protocol.

imap

request

requestq_proto_imap

bool

Parent entry, empty, for client request and server response.

imap

msglist_entry

msglist_entryq_proto_imap

bool

Parent entry, for different elements belonging to the same message of a message list.

imap

msglist_attach

msglist_attachq_proto_imap

bool

Parent entry for attached file in a list of emails.

imap

sender_entry

sender_entryq_proto_imap

bool

Parent entry, for different elements belonging to the sender.

imap

receiver_entry

receiver_entryq_proto_imap

bool

Parent entry, for different elements belonging to the email receiver.

imap

msglist_sender_entry

msglist_sender_entryq_proto_imap

bool

Parent entry for a sender in a message list.

imap

msglist_receiver_entry

msglist_receiver_entryq_proto_imap

bool

Parent entry for a receiver in a message list.

imap

received

receivedq_proto_imap

bool

Parent entry, for fields added by each relay

imap

msg_id

msg_idq_proto_imap

bytes

Identifier of the message.

imap

attach_size

attach_sizeq_proto_imap

uint32

Attached file MIME size.

imap

attach_type

attach_typeq_proto_imap

bytes

Content type of the sent attached file.

imap

attach_size_decoded

attach_size_decodedq_proto_imap

uint32

Base64-decoded attached file content size in Bytes.

imap

email_boundary

email_boundaryq_proto_imap

bytes

Boundary used to separate different parts of the message body.

imap

auth_type

auth_typeq_proto_imap

bytes

The type of authentication used.

imap

ntlm_domain

ntlm_domainq_proto_imap

bytes

"Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

imap

ntlm_user

ntlm_userq_proto_imap

bytes

"User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

imap

ntlm_workstation

ntlm_workstationq_proto_imap

bytes

"Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

imap

ntlm_identifier

ntlm_identifierq_proto_imap

bytes

NTLM protocol Signature (null-terminated string).

imap

ntlm_message_type

ntlm_message_typeq_proto_imap

uint32

NTLM message type.

imap

resent_from

resent_fromq_proto_imap

bytes

Full address of the person for whom message is resent.

imap

resent_from_email

resent_from_emailq_proto_imap

bytes

Email address of the person for whom message is resent.

imap

resent_from_alias

resent_from_aliasq_proto_imap

bytes

Name of the person for whom message is resent.

imap

resent_sender

resent_senderq_proto_imap

bytes

Full address of the person who has actually resent the message.

imap

resent_sender_email

resent_sender_emailq_proto_imap

bytes

Email address of the person who has actually resent the message.

imap

resent_sender_alias

resent_sender_aliasq_proto_imap

bytes

Name of the person who has actually resent the message.

imap

msglist_msgid

msglist_msgidq_proto_imap

bytes

Message identifier.

imap

msglist_receiver_type

msglist_receiver_typeq_proto_imap

bytes

Type of the email receiver.

imap

msglist_boundary

msglist_boundaryq_proto_imap

bytes

Boundary used to separate different parts of the message body.

imap

msglist_content_transfer_encoding

msglist_content_transfer_encodingq_proto_imap

bytes

Contains the encoding of the content

imap

msglist_mime_version

msglist_mime_versionq_proto_imap

bytes

Version of the message body format standard used in the mail protocol in a message list.

imap

msglist_return_path

msglist_return_pathq_proto_imap

bytes

Return path in a message list.

imap

msglist_resent_from

msglist_resent_fromq_proto_imap

bytes

Full address of the person for whom message is resent in a message list.

imap

msglist_resent_from_alias

msglist_resent_from_aliasq_proto_imap

bytes

Name of the person for whom message is resent in a message list.

imap

msglist_resent_from_email

msglist_resent_from_emailq_proto_imap

bytes

Email address of the person for whom message is resent in a message list.

imap

msglist_resent_sender

msglist_resent_senderq_proto_imap

bytes

Full address of the person who has actually resent the message in a message list.

imap

msglist_resent_sender_alias

msglist_resent_sender_aliasq_proto_imap

bytes

Name of the person who has actually resent the message in a message list.

imap

msglist_resent_sender_email

msglist_resent_sender_emailq_proto_imap

bytes

Email address of the person who has actually resent the message in a message list.

imap

attach_content_id

attach_content_idq_proto_imap

bytes

Attached file content identifier.

imap

attach_content_desc

attach_content_descq_proto_imap

bytes

Descriptive information for the attached file content.

imap

content_id

content_idq_proto_imap

bytes

Indicates the identifier of the email content.

imap

content_desc

content_descq_proto_imap

bytes

Indicates the description of the email content.

imap

received_by

received_byq_proto_imap

bytes

Contains the name of the receiving host.

imap

msglist_received_from_name

msglist_received_from_nameq_proto_imap

bytes

Contains the sending host name

imap

msglist_received_from_ip

msglist_received_from_ipq_proto_imap

string

Contains the IP address of the sending host name

imap

msglist_received_by_name

msglist_received_by_nameq_proto_imap

bytes

Contains the receiving host name

imap

msglist_received_by_ip

msglist_received_by_ipq_proto_imap

string

Contains the IP address of the receiving host name

imap

msglist_received_with

msglist_received_withq_proto_imap

bytes

Contains the software used to send the email

imap

msglist_received_date

msglist_received_dateq_proto_imap

bytes

Date when the transport service relayed the message

imap

msglist_received_by

msglist_received_byq_proto_imap

bytes

Contains the name of the receiving host.

imap

msglist_received_server_agent

msglist_received_server_agentq_proto_imap

bytes

Contains the name of the server agent

imap

mime_version

mime_versionq_proto_imap

bytes

Version of the message body format standard used in the mail protocol.

imap

return_path

return_pathq_proto_imap

bytes

Message return path.

imap

server_version

server_versionq_proto_imap

bytes

The version of the IMAP server. It is given by the CAPABILITY command server result.

imap

flags

flagsq_proto_imap

bytes

A list of named tokens associated with the message.

imap

request_line

request_lineq_proto_imap

bytes

Client-to-Server IMAP request full line.

imap

trailer

trailerq_proto_imap

bytes

Optional data found after the advertised size of an email, ending with a ')', in a FETCH response.

imap

server_response_line

server_response_lineq_proto_imap

bytes

First line of every server's untagged response, including pipelined responses.

imp

attach_size

attach_sizeq_proto_imp

uint32

Attached file MIME size.

imp

date

dateq_proto_imp

bytes

Message date.

imp

action

actionq_proto_imp

bytes

Indicates if the message is read (Read) or composed (Compose).

imp

msglist_receiver_email

msglist_receiver_emailq_proto_imp

bytes

Email address of the email receiver.

imp

sender_email

sender_emailq_proto_imp

bytes

Email address of the email sender.

imp

msglist_subject

msglist_subjectq_proto_imp

bytes

Message subject in a message list.

imp

attach_type

attach_typeq_proto_imp

bytes

Content type of the sent attached file.

imp

subject

subjectq_proto_imp

bytes

Message subject.

imp

receiver_email

receiver_emailq_proto_imp

bytes

Email address of message receiver (including cc and bcc receivers).

imp

attach_filename

attach_filenameq_proto_imp

bytes

Attachment name.

imp

password

passwordq_proto_imp

bytes

User's password string.

imp

login

loginq_proto_imp

bytes

User's login string.

imp

session_id

session_idq_proto_imp

bytes

Uniquely identifies the current user session.

imp

version

versionq_proto_imp

bytes

IMP version deployed.

imp

msglist_sender_email

msglist_sender_emailq_proto_imp

bytes

Address of email sender.

ipp

version

versionq_proto_ipp

bytes

Protocol version.

ip

fragment_buffered_count

fragment_buffered_countq_proto_ip

uint32

Number of segments that have been buffered for defragmentation

ip

fragment_buffered_size

fragment_buffered_sizeq_proto_ip

uint32

Sum of the sizes of segments that have been buffered for defragmentation

irc

login

loginq_proto_irc

bytes

User's login string.

irc

login_server

login_serverq_proto_irc

bytes

Concatenated login and server: <login>@<server>.

irc

nickname

nicknameq_proto_irc

bytes

User's alias.

irc

server

serverq_proto_irc

bytes

Server name to which the user is connected.

irc

message

messageq_proto_irc

bytes

Contains the chat message.

irc

sender

senderq_proto_irc

bytes

Contains the identity of the sender of a chat session or a file transfer.

irc

receiver

receiverq_proto_irc

bytes

Contains the identity of the receiver for a chat message or a file transfer.

irc

channel

channelq_proto_irc

bytes

Chat room name.

irc

mode_channel

mode_channelq_proto_irc

bytes

Name of the irc channel.

irc

mode_status

mode_statusq_proto_irc

bytes

Status of the irc channel.

irc

filename

filenameq_proto_irc

bytes

Name of the transferred file.

irc

file_identifier

file_identifierq_proto_irc

bytes

File correlation key.

irc

filesize

filesizeq_proto_irc

uint32

Size (in bytes) of the transferred file.

isakmp

version

versionq_proto_isakmp

bytes

Protocol version.

isakmp

life_duration

life_durationq_proto_isakmp

uint32

Life time of connection parameters.

isup

message_ts

message_tsq_proto_isup

string

Timestamp of ISUP message

isup

message_way

message_wayq_proto_isup

bytes

Way of message

isup

caller

callerq_proto_isup

bytes

Calling party number

isup

callee

calleeq_proto_isup

bytes

Called party number

isup

orig_point_code

orig_point_codeq_proto_isup

uint32

Originating Point Code

isup

dest_point_code

dest_point_codeq_proto_isup

uint32

Destination Point Code

isup

start_time

start_timeq_proto_isup

string

Start date of the call

isup

session_duration

session_durationq_proto_isup

string

Call session duration (elapsed time between the sending of SETUP command and the end of the communication)

isup

time_before_spk

time_before_spkq_proto_isup

string

Waiting delay before speaking

isup

call_setup

call_setupq_proto_isup

string

Call setup delay.

isup

call_duration

call_durationq_proto_isup

string

Call duration

isup

call_id

call_idq_proto_isup

uint64

Internal unique call identifier

bmff

video_type

video_typeq_proto_bmff

bytes

File format.

bmff

video_brand

video_brandq_proto_bmff

bytes

Normalized video format specification identifier.

bmff

video_duration

video_durationq_proto_bmff

uint32

Duration of the video in seconds.

bmff

video_width

video_widthq_proto_bmff

uint32

Width of the video in pixels.

bmff

video_height

video_heightq_proto_bmff

uint32

Height of the video in pixels.

bmff

video_datarate

video_datarateq_proto_bmff

uint32

Video bitrate in kilobits per second.

bmff

video_avgdatarate

video_avgdatarateq_proto_bmff

uint32

Average video bitrate in kilobits per second.

java_update

type

typeq_proto_java_update

bytes

Version type of updated Java.

java_update

new_version

new_versionq_proto_java_update

bytes

New version number returned by the server.

kakaotalk

mime_type

mime_typeq_proto_kakaotalk

bytes

MIME type of the file being transferred.

kakaotalk

filename

filenameq_proto_kakaotalk

bytes

Name of the transferred file.

kakaotalk

login

loginq_proto_kakaotalk

uint64

User's login string.

kakaotalk

service

serviceq_proto_kakaotalk

bytes

Current service identification string.

kakaotalk

service_duration_tv

service_duration_tvq_proto_kakaotalk

string

Timeval structure giving the duration of the service in seconds and microseconds, reported when the service ends.

kakaotalk

service_duration

service_durationq_proto_kakaotalk

uint32

4-byte integer value giving the duration of the service in seconds, reported when the service ends.

kaskus

query_text

query_textq_proto_kaskus

bytes

Query sent to the search engine.

kaskus

query_raw

query_rawq_proto_kaskus

bytes

Contains the query sent to the search engine as indicated in the URL.

kaskus

title

titleq_proto_kaskus

bytes

Title of the current page.

kazaa

mime_type

mime_typeq_proto_kazaa

bytes

Type of the downloaded file.

kazaa

filename

filenameq_proto_kazaa

bytes

Name of the transferred file.

kazaa

login

loginq_proto_kazaa

bytes

User's login string.

krb5

login

loginq_proto_krb5

bytes

User's login string.

krb5

service

serviceq_proto_krb5

bytes

Current service identification string.

krb5

server

serverq_proto_krb5

bytes

Name of the server requiring Kerberos authentication.

krb5

enc_data_type

enc_data_typeq_proto_krb5

uint32

Indicates the type of encrypted data (hash) sent in the AS-REQ message.

krb5

pa_data_type

pa_data_typeq_proto_krb5

uint32

PA-DATA type.

krb5

ticket_name_type

ticket_name_typeq_proto_krb5

uint32

Ticket name-type.

krb5

ticket_name

ticket_nameq_proto_krb5

bytes

Ticket name component.

krb5

realm

realmq_proto_krb5

bytes

Realm in KRB-ERROR message.

krb5

err_crealm

err_crealmq_proto_krb5

bytes

Realm in KRB-ERROR message.

krb5

err_realm

err_realmq_proto_krb5

bytes

Correct realm in KRB-ERROR message.

krb5

err_cname_type

err_cname_typeq_proto_krb5

uint32

KRB-ERROR cname type.

krb5

err_cname_name

err_cname_nameq_proto_krb5

bytes

KRB-ERROR message cname component.

krb5

err_sname_type

err_sname_typeq_proto_krb5

uint32

KRB-ERROR message server sname type.

krb5

err_sname_name

err_sname_nameq_proto_krb5

bytes

KRB-ERROR message server sname component.

krb5

err_text

err_textq_proto_krb5

bytes

KRB-ERROR message error description.

krb5

error_code

error_codeq_proto_krb5

uint32

Error code in KRB-ERROR message.

krb5

cname_type

cname_typeq_proto_krb5

uint32

cname type.

krb5

cname_string

cname_stringq_proto_krb5

bytes

String representation of cname.

laposte_webmail

login

loginq_proto_laposte_webmail

bytes

User's login string.

l2tp

hostname

hostnameq_proto_l2tp

bytes

Name of the issuing LAC or LNS.

l2tp

vendor_name

vendor_nameq_proto_l2tp

bytes

Vendor specific string describing the type of LAC or LNS being used.

ldap

message_type

message_typeq_proto_ldap

bytes

Message type.

ldap

message_id

message_idq_proto_ldap

uint32

Message identification.

ldap

name

nameq_proto_ldap

bytes

Name of the LDAP element, in the LDAP tree (RFC2251).

ldap

hostname

hostnameq_proto_ldap

bytes

Hostname extracted from a logon response to a CLDAP searchRequest.

ldap

krb5_message_type

krb5_message_typeq_proto_ldap

uint32

Message type.

ldap

krb5_service

krb5_serviceq_proto_ldap

bytes

Service type.

ldap

krb5_server

krb5_serverq_proto_ldap

bytes

Name of the server requiring Kerberos authentication.

ldap

krb5_ticket_name

krb5_ticket_nameq_proto_ldap

bytes

Ticket name component.

ldap

krb5_realm

krb5_realmq_proto_ldap

bytes

Realm in KRB-ERROR message.

ldap

krb5_err_cname_name

krb5_err_cname_nameq_proto_ldap

bytes

KRB-ERROR message cname component.

ldap

krb5_err_sname_name

krb5_err_sname_nameq_proto_ldap

bytes

KRB-ERROR message server sname component.

ldap

krb5_err_text

krb5_err_textq_proto_ldap

bytes

KRB-ERROR message error description.

ldap

sasl_len

sasl_lenq_proto_ldap

uint32

SASL buffer size in bytes.

line

proto_version

proto_versionq_proto_line

bytes

Protocol version currently used by the client.

line

call_byte_count

call_byte_countq_proto_line

uint32

(Deprecated) The count of bytes that were exchanged during the call.

line

call_pkt_count

call_pkt_countq_proto_line

uint32

(Deprecated) The count of data packets that were exchanged during the call.

line

service

serviceq_proto_line

bytes

Current service identification string.

line

service_duration_tv

service_duration_tvq_proto_line

string

Timeval structure giving the duration of the service in seconds and microseconds, reported when the service ends.

line

service_duration

service_durationq_proto_line

uint32

4-byte integer value giving the duration of the service in seconds, reported when the service ends.

line

service_id

service_idq_proto_line

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

line

service_stats

service_statsq_proto_line

bytes

Composite attribute containing the packet metrics used for each new service type detection, extracted only when the STATISTICAL detection method is used. Note: this attribute won't be extracted in case of session expiration (e.g. when the current service is not ended properly by the user).

lpr

login

loginq_proto_lpr

bytes

User's login string.

lpr

server

serverq_proto_lpr

bytes

Name of the machine that sent a file to print.

lpr

job

jobq_proto_lpr

bytes

Name of the printed file.

linkedin

receiver_email

receiver_emailq_proto_linkedin

bytes

Email address of message receiver (including cc and bcc receivers).

linkedin

sender_email

sender_emailq_proto_linkedin

bytes

Email address of the email sender.

linkedin

query_text

query_textq_proto_linkedin

bytes

Query sent to the search engine.

linkedin

folder

folderq_proto_linkedin

bytes

Indicates the directory from where messages are read.

linkedin

subject

subjectq_proto_linkedin

bytes

Message subject.

linkedin

msglist_subject

msglist_subjectq_proto_linkedin

bytes

Message subject in a message list.

linkedin

msglist_sender

msglist_senderq_proto_linkedin

bytes

Full address of email sender (alias and email address).

linkedin

msglist_folder

msglist_folderq_proto_linkedin

bytes

Indicates the directory from a message list.

linkedin

login

loginq_proto_linkedin

bytes

User's login string.

livemail_mobile

receiver_email

receiver_emailq_proto_livemail_mobile

bytes

Email address of message receiver (including cc and bcc receivers).

livemail_mobile

sender_email

sender_emailq_proto_livemail_mobile

bytes

Email address of the email sender.

livemail_mobile

login

loginq_proto_livemail_mobile

bytes

User's login string.

livemail_mobile

msglist_sender_email

msglist_sender_emailq_proto_livemail_mobile

bytes

Address of email sender.

livemail_mobile

msglist_subject

msglist_subjectq_proto_livemail_mobile

bytes

Message subject in a message list.

livemail_mobile

attach_filename

attach_filenameq_proto_livemail_mobile

bytes

Attachment name.

livemail_mobile

subject

subjectq_proto_livemail_mobile

bytes

Message subject.

livemail_mobile

action

actionq_proto_livemail_mobile

bytes

Indicates if the message is read (Read) or composed (Compose).

livemail_mobile

attach_size

attach_sizeq_proto_livemail_mobile

uint32

Attached file MIME size.

lotusnotes

login

loginq_proto_lotusnotes

bytes

User's login string.

lotusnotes

organization

organizationq_proto_lotusnotes

bytes

Organization.

lotusnotes

service

serviceq_proto_lotusnotes

bytes

Current service identification string.

lotusnotes

version

versionq_proto_lotusnotes

bytes

Client version.

lotusnotes

subject

subjectq_proto_lotusnotes

bytes

Message subject.

lotusnotes

mime_version

mime_versionq_proto_lotusnotes

bytes

MIME version.

lotusnotes

msg_id

msg_idq_proto_lotusnotes

bytes

Identifier of the message.

lotusnotes

replyto

replytoq_proto_lotusnotes

bytes

Email address to use in a reply for this message.

lotusnotes

header_name

header_nameq_proto_lotusnotes

bytes

Lotusnotes header name (used for the Email service).

lotusnotes

header_value

header_valueq_proto_lotusnotes

bytes

Lotusnotes header value (used for the Email service).

lotusnotes

sender_alias

sender_aliasq_proto_lotusnotes

bytes

Name of the email sender.

lotusnotes

sender_email

sender_emailq_proto_lotusnotes

bytes

Email address of the email sender.

lotusnotes

receiver_alias

receiver_aliasq_proto_lotusnotes

bytes

Name of email receiver (including cc and bcc receivers).

lotusnotes

receiver_email

receiver_emailq_proto_lotusnotes

bytes

Email address of message receiver (including cc and bcc receivers).

lotusnotes

receiver_type

receiver_typeq_proto_lotusnotes

bytes

Type of the email receiver.

lotusnotes

attach_id

attach_idq_proto_lotusnotes

bytes

Attachment identifier.

lotusnotes

attach_filename

attach_filenameq_proto_lotusnotes

bytes

Attachment name.

lotusnotes

attach_size

attach_sizeq_proto_lotusnotes

uint32

Attached file MIME size.

lotusnotes

attach_compress

attach_compressq_proto_lotusnotes

bytes

The compression method used for the attached file download.

lotusnotes

attach_content_seq

attach_content_seqq_proto_lotusnotes

uint32

Sequence number of an attached file part.

lotusnotes

attach_content_size

attach_content_sizeq_proto_lotusnotes

uint32

Size of an attached file part.

mplus_messenger

service_id

service_idq_proto_mplus_messenger

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

mplus_messenger

service

serviceq_proto_mplus_messenger

bytes

Current service identification string.

mashare

action

actionq_proto_mashare

bytes

Indicates the action executed by the user.

mashare

filename

filenameq_proto_mashare

bytes

Name of the transferred file.

mailru_agent

msg_receiver

msg_receiverq_proto_mailru_agent

bytes

The person with whom the chat or voice session is held

mailru_agent

msg

msgq_proto_mailru_agent

bytes

Message exchanged during a chat

mailru_agent

im_action

im_actionq_proto_mailru_agent

bytes

Action of the user.

mailru_agent

user

userq_proto_mailru_agent

bytes

Application user name.

mailru

sender_email

sender_emailq_proto_mailru

bytes

Email address of the email sender.

mailru

subject

subjectq_proto_mailru

bytes

Message subject.

mailru

receiver_email

receiver_emailq_proto_mailru

bytes

Email address of message receiver (including cc and bcc receivers).

mailru

msglist_subject

msglist_subjectq_proto_mailru

bytes

Message subject in a message list.

mailru

msglist_receiver_email

msglist_receiver_emailq_proto_mailru

bytes

Email address of the email receiver.

mailru

msglist_sender_email

msglist_sender_emailq_proto_mailru

bytes

Address of email sender.

mailru

login

loginq_proto_mailru

bytes

User's login string.

mailru

attach_filename

attach_filenameq_proto_mailru

bytes

Attachment name.

mailru

action

actionq_proto_mailru

bytes

Indicates if the message is read (Read) or composed (Compose).

mandriva_update

package_name

package_nameq_proto_mandriva_update

bytes

Name of the downloaded package.

mandriva_update

package_version

package_versionq_proto_mandriva_update

bytes

Version number of the downloaded package.

mandriva_update

package_archi

package_archiq_proto_mandriva_update

bytes

Architecture of the package.

mandriva_update

package_distrib

package_distribq_proto_mandriva_update

bytes

Version of the distribution currently being upgraded

mms_iso

service_tag

service_tagq_proto_mms_iso

uint32

Returns the decimal value of the "Encoded Tag" indicating which service/function is called (read, write, ...). See table "MMS Confirmed Services TAG" in http://www.c-epc.com/Technological%20data/mms/Mmsenc3.pdf.

mms_iso

service_raw

service_rawq_proto_mms_iso

uint32

Returns the raw value of the "Encoded Tag" (ASN1) indicating which service/function is called (read, write, ...). See table "MMS Confirmed Services TAG" in http://www.c-epc.com/Technological%20data/mms/Mmsenc3.pdf

mgcp

method

methodq_proto_mgcp

bytes

The command

mgcp

endpoint

endpointq_proto_mgcp

bytes

Handset identifier

mgcp

version

versionq_proto_mgcp

bytes

Protocol version

mgcp

tid

tidq_proto_mgcp

uint32

Transaction identifier

mgcp

code

codeq_proto_mgcp

uint32

Return code of a query

mgcp

packets_sent

packets_sentq_proto_mgcp

uint32

Number of RTP packets sent

mgcp

octets_sent

octets_sentq_proto_mgcp

uint32

Number of RTP octets sent

mgcp

packets_received

packets_receivedq_proto_mgcp

uint32

Number of RTP packets received

mgcp

octets_received

octets_receivedq_proto_mgcp

uint32

Number of RTP octets received

mgcp

packets_lost

packets_lostq_proto_mgcp

uint32

Number of lost RTP packets

mgcp

jitter

jitterq_proto_mgcp

uint32

Observed Jitter for RTP packets

mgcp

latency

latencyq_proto_mgcp

uint32

Observed latency for RTP packets

mgcp

call_duration

call_durationq_proto_mgcp

string

Call duration.

mgcp

session_duration

session_durationq_proto_mgcp

string

Call setup duration.

mgcp

phone_number

phone_numberq_proto_mgcp

bytes

The phone number.

mgcp

event

eventq_proto_mgcp

bytes

Observed events

mgcp

message_type

message_typeq_proto_mgcp

bytes

The message type

mgcp

call_way

call_wayq_proto_mgcp

bytes

The call Way (In, Out)

mgcp

start_time

start_timeq_proto_mgcp

string

Start date of the call.

mgcp

mode

modeq_proto_mgcp

bytes

Contains the connection mode (sendrcv, recvonly, ...)

mgcp

notifiedEntity

notifiedentityq_proto_mgcp

bytes

Contains the identity of the notified entity

mgcp

media_type

media_typeq_proto_mgcp

bytes

Contains the media type.

mgcp

media_proto

media_protoq_proto_mgcp

bytes

Protocol used in client stream.

mgcp

media_format

media_formatq_proto_mgcp

uint32

Client's protocol formats available.

mgcp

signal

signalq_proto_mgcp

bytes

Contains the received/sent signal

mgcp

digitmap

digitmapq_proto_mgcp

bytes

Contains the digitmap

mgcp

caller

callerq_proto_mgcp

bytes

Contains the identity (or the phone number) of the initiator of the call.

mgcp

callee

calleeq_proto_mgcp

bytes

Contains the identity (or the phone number) of the called party for a call.

mgcp

connection_id

connection_idq_proto_mgcp

bytes

Connection identifier

mgcp

media_attr_type

media_attr_typeq_proto_mgcp

uint32

Contains the media type (audio or video).

mgcp

media_attr_encoding

media_attr_encodingq_proto_mgcp

bytes

The encoding of media data.

mgcp

media_attr_rate

media_attr_rateq_proto_mgcp

bytes

The encoding rate.

mgcp

media_attr_param

media_attr_paramq_proto_mgcp

bytes

Session attribute value.

mgcp

media_attr_label

media_attr_labelq_proto_mgcp

bytes

Name of the described session attribute.

mgcp

media_attr_addr

media_attr_addrq_proto_mgcp

string

The mentioned IPv4 address to be used.

mgcp

media_attr_channel

media_attr_channelq_proto_mgcp

bytes

The channel value.

mgcp

media_attr_transport

media_attr_transportq_proto_mgcp

bytes

The transport protocol (TCP or UDP).

mgcp

media_attr_value

media_attr_valueq_proto_mgcp

bytes

Line value of the media attribute.

mgcp

call_id

call_idq_proto_mgcp

bytes

Call id, extracted for each call.

msrp

session_id

session_idq_proto_msrp

bytes

Uniquely identifies the current user session.

msrp

authority

authorityq_proto_msrp

bytes

The authority component of the MSRP URI.

msrp

uri

uriq_proto_msrp

bytes

The MSRP URI.

msrp

path_type

path_typeq_proto_msrp

bytes

path_entry attribute type.

mms

filename

filenameq_proto_mms

bytes

Name of the file currently broadcasted.

lync

service_id

service_idq_proto_lync

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

lync

service

serviceq_proto_lync

bytes

Current service identification string.

ms_teams

service

serviceq_proto_ms_teams

bytes

Current service identification string, v5 only.

ms_teams

service_id

service_idq_proto_ms_teams

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer), v5 only.

ms_teams

service_duration

service_durationq_proto_ms_teams

uint32

4-byte integer value indicating, once the service has ended, its length in seconds, v5 only.

ms_teams

service_duration_tv

service_duration_tvq_proto_ms_teams

string

Timeval structure indicating, once the service has ended, its length in seconds and microseconds, v5 only.

modbus

protocol_id

protocol_idq_proto_modbus

uint32

Protocol ID. Modbus protocol is identified by the value 0.

modbus

length

lengthq_proto_modbus

uint32

The length field is a byte count of the following fields, including the Unit Identifier and data fields.

modbus

transaction_id

transaction_idq_proto_modbus

uint32

Transaction Identifier set by the client to uniquely identify each request. Used for transaction pairing.

modbus

function_subcode

function_subcodeq_proto_modbus

uint32

The function subcode specifies the modbus function_code action.

modbus

starting_address

starting_addressq_proto_modbus

uint32

The data address of the first coil or register.

modbus

quantity_of_coils

quantity_of_coilsq_proto_modbus

uint32

Total number of coils requested.

modbus

output_address

output_addressq_proto_modbus

uint32

The data address of the coil or register.

modbus

output_value

output_valueq_proto_modbus

uint32

Value to write.

modbus

quantity_of_outputs

quantity_of_outputsq_proto_modbus

uint32

The number of coils or registers to write.

modbus

byte_count

byte_countq_proto_modbus

uint32

The number of data bytes to follow.

modbus

file_number

file_numberq_proto_modbus

uint32

Identifier of the file.

modbus

record_number

record_numberq_proto_modbus

uint32

Starting record number within the file.

modbus

record_length

record_lengthq_proto_modbus

uint32

The length of the record to be read.

modbus

reference_address

reference_addressq_proto_modbus

uint32

Address of the reference.

modbus

and_mask

and_maskq_proto_modbus

uint32

AND mask applied when writing the data of the register.

modbus

or_mask

or_maskq_proto_modbus

uint32

OR mask applied when writing the data of the register.

modbus

fifo_pointer_address

fifo_pointer_addressq_proto_modbus

uint32

Queue content address.

modbus

fifo_count

fifo_countq_proto_modbus

uint32

Quantity of data registers in the queue.

modbus

output_data

output_dataq_proto_modbus

uint32

Exception status outputs, packed into one byte (one bit per output).

modbus

status

statusq_proto_modbus

uint32

Response status word.

modbus

event_count

event_countq_proto_modbus

uint32

Event counter.

modbus

message_count

message_countq_proto_modbus

uint32

Quantity of messages processed by the remote device.

modbus_rtu

slave_addr

slave_addrq_proto_modbus_rtu

uint32

Value of slave address field.

modbus_rtu

crc

crcq_proto_modbus_rtu

uint32

CRC Checksum field.

mongodb

request_message_length

request_message_lengthq_proto_mongodb

uint32

Mongodb request length

mongodb

request_request_id

request_request_idq_proto_mongodb

uint32

Unique identifier of the request

mongodb

request_response_id

request_response_idq_proto_mongodb

uint32

Unique identifier of the response

mongodb

request_op_code

request_op_codeq_proto_mongodb

uint32

Type of message

mongodb

response_message_length

response_message_lengthq_proto_mongodb

uint32

Mongodb response length

mongodb

response_request_id

response_request_idq_proto_mongodb

uint32

Unique identifier of the response

mongodb

response_response_id

response_response_idq_proto_mongodb

uint32

Unique identifier of the request

mongodb

response_op_code

response_op_codeq_proto_mongodb

uint32

Type of message

mount

flavor

flavorq_proto_mount

uint32

Authentication supported by the server

mount

flavors

flavorsq_proto_mount

uint32

Number of authentication flavors supported by the server

mount

length_fhandle

length_fhandleq_proto_mount

uint32

Length of the file handle

mount

status

statusq_proto_mount

uint32

Information status on the request process.

mount

path_value

path_valueq_proto_mount

bytes

Value of the data path string.

mount

path_length

path_lengthq_proto_mount

uint32

Length of the data path string.

mpegts

chunk_len

chunk_lenq_proto_mpegts

uint32

Data length.

mqtt

protocol_name

protocol_nameq_proto_mqtt

bytes

Name of the protocol encoded in UTF-8. Should not contain NULL character.

mqtt

client_id

client_idq_proto_mqtt

bytes

Client identifier. In MQTT 3.1 it cannot exceed 23 bytes while in 3.1.1 it can exceed this limit but will be limited to 65536 bytes as any other string value of MQTT.

mqtt

topic

topicq_proto_mqtt

bytes

Name of the topic to which the client subscribes.

mapi

login

loginq_proto_mapi

bytes

User's login string.

mapi

login_server

login_serverq_proto_mapi

bytes

Concatenated login and server: <login>@<server>.

mapi

host

hostq_proto_mapi

bytes

Client's hostname.

mapi

domain

domainq_proto_mapi

bytes

Network domain of the client.

mapi

action

actionq_proto_mapi

bytes

Indicates if the message is read (Read) or composed (Compose).

mapi

attach_size

attach_sizeq_proto_mapi

uint32

Attached file MIME size.

mapi

attach_filename

attach_filenameq_proto_mapi

bytes

Attachment name (UTF-16).

mapi

msg_id

msg_idq_proto_mapi

bytes

Identifier of the message.

msn

login

loginq_proto_msn

bytes

User's login string.

msn

sender

senderq_proto_msn

bytes

Contains the identity of the sender of a chat session or a file transfer.

msn

receiver

receiverq_proto_msn

bytes

Contains the identity of the receiver for a chat message or a file transfer.

msn

message

messageq_proto_msn

bytes

Contains the chat message.

msn

file_sender

file_senderq_proto_msn

bytes

Contains the identity of the sender of a file transfer.

msn

file_receiver

file_receiverq_proto_msn

bytes

Contains the identity of the receiver for a file transfer.

msn

filename

filenameq_proto_msn

bytes

Name of the transferred file.

msn

contact_login

contact_loginq_proto_msn

bytes

Contact login.

msn_search

query_text

query_textq_proto_msn_search

bytes

Query sent to the search engine.

msn_search

query_raw

query_rawq_proto_msn_search

bytes

Contains the query sent to the search engine as indicated in the URL.

mmse

receiver

receiverq_proto_mmse

bytes

MMS receiver.

mmse

nb_receiver

nb_receiverq_proto_mmse

uint32

Number of receivers for the same MMS.

mmse

version

versionq_proto_mmse

bytes

Protocol version.

mmse

tid

tidq_proto_mmse

bytes

Transaction identifier.

mmse

sender

senderq_proto_mmse

bytes

MMS sender.

mmse

subject

subjectq_proto_mmse

bytes

MMS subject.

mmse

content_type

content_typeq_proto_mmse

bytes

The content type of the message.

mmse

message_id

message_idq_proto_mmse

bytes

A unique reference assigned to the message. The ID enables a client to match delivery reports with previously sent messages.

mmse

content_location

content_locationq_proto_mmse

bytes

Specifies a reference to the stored version of the MM that can be retrieved or can be used to obtain information about the MM using the WSP/HTTP GET or M-Mbox-View-req.

mmse

response_status_code

response_status_codeq_proto_mmse

uint32

Used by the originating MMS Proxy-Relay to inform the MMS Client that performed a submission or a forward of the result of that operation.

mmse

response_status_text

response_status_textq_proto_mmse

bytes

Description which qualifies the response_status_code. The description may be based on the status code names contained in RFC1893.

mmse

message_sz

message_szq_proto_mmse

uint32

Full size of message in octets.

mmse

content_part_type

content_part_typeq_proto_mmse

bytes

Message sub-part type.

mmse

content_part_id

content_part_idq_proto_mmse

bytes

Message sub-part ID.

mmse

content_part_filename

content_part_filenameq_proto_mmse

bytes

Name of the file containing the current message sub-part data.

mute

peer_info

peer_infoq_proto_mute

uint32

Structure containing a classification prediction of a network peer. The clep_peer_t structure (ixE 4.18.x) provides the IP v4 or v6 address (ul3l4_addr_t), the transport protocol ID (TCP/UDP/etc.), the listening port, and the list of protocols to be classified in case of successful prediction.

myspace

query_raw

query_rawq_proto_myspace

bytes

Contains the query sent to the search engine as indicated in the URL.

myspace

query_text

query_textq_proto_myspace

bytes

Query sent to the search engine.

myspace

login

loginq_proto_myspace

bytes

User's login string.

mysql

login

loginq_proto_mysql

bytes

User's login string.

mysql

base

baseq_proto_mysql

bytes

Database name.

mysql

query

queryq_proto_mysql

bytes

SQL query sent by the client.

mysql

sqlstate_code

sqlstate_codeq_proto_mysql

bytes

SQL error code.

mysql

query_id

query_idq_proto_mysql

bytes

Request identifier. It is used to correlate SQL queries with query parameter values (Bind Variables).

mysql

number_columns

number_columnsq_proto_mysql

uint64

Column count in the result data set retrieved from server after a SQL query.

mysql

number_rows

number_rowsq_proto_mysql

uint32

Row count in the result data set retrieved from server after a SQL query.

mysql

variable_id

variable_idq_proto_mysql

bytes

Query parameter (Bind Variable) identifier within a SQL request.

mysql

variable_type

variable_typeq_proto_mysql

bytes

Data type of a SQL query parameter (Bind Variable).

mysql

error

errorq_proto_mysql

bytes

Error message associated to a request.

mysql

error_code

error_codeq_proto_mysql

uint32

Error code associated to a request.

netbios

caller

callerq_proto_netbios

bytes

Name of the caller.

netbios

callee

calleeq_proto_netbios

bytes

Name of the called member.

nbns

service

serviceq_proto_nbns

bytes

Current service identification string.

nbns

query

queryq_proto_nbns

bytes

Queried name (QUESTION_NAME) in a request.

nbns

transaction_id

transaction_idq_proto_nbns

uint32

Name service transaction identifier.

nbns

message_type

message_typeq_proto_nbns

bytes

NBNS message type.

nbns

record_name

record_nameq_proto_nbns

bytes

First answered resource record name (RR_NAME) in a response.

netbsd_update

package_name

package_nameq_proto_netbsd_update

bytes

Software package name.

netflix

login

loginq_proto_netflix

bytes

User's login string.

netflix

title

titleq_proto_netflix

bytes

Title of the movie.

netflix

description

descriptionq_proto_netflix

bytes

Synopsis of the movie.

netlog

login

loginq_proto_netlog

bytes

User's login string.

nfs

version

versionq_proto_nfs

bytes

Used version

nfs

filename

filenameq_proto_nfs

bytes

Accessed, written or read file name.

nfs

offset

offsetq_proto_nfs

uint64

Offset of the written/read file. Extracted on READ and WRITE procedure replies.

nfs

filesize

filesizeq_proto_nfs

uint64

Size of the file.

nfs

uid

uidq_proto_nfs

uint32

Generic user ID.

nfs

gid

gidq_proto_nfs

uint32

Identifier of the file owner's group (see page 21 of RFC 1813).

nfs

mode

modeq_proto_nfs

uint32

Protection mode bits (see page 22 of RFC 1813).

nfs

type_string

type_stringq_proto_nfs

bytes

File type (see page 19 of RFC 1813).

nfs

current_state

current_stateq_proto_nfs

bytes

Indicates the filename state for the RENAME procedure.

nfs

symlink_name

symlink_nameq_proto_nfs

bytes

Indicates the symbolic link name for the SYMLINK procedure.

nfs4

filename

filenameq_proto_nfs4

bytes

Accessed, written or read file name. Extracted on operations CREATE, OPEN, READDIR, RENAME, REMOVE, LOOKUP, SECINFO

nfs4

filesize

filesizeq_proto_nfs4

uint64

Size of the file.

nfs4

symlink_name

symlink_nameq_proto_nfs4

bytes

Indicates the symbolic link name on operations LINK and READLINK.

nfs4

mode

modeq_proto_nfs4

uint32

Protection mode bits (RFC 7530 section 6.2.2).

nfs4

offset

offsetq_proto_nfs4

uint64

Offset of the written/read file. Extracted on READ, WRITE, LOCK, LOCKU, LOCKT and COMMIT operations calls.

nntp

sender

senderq_proto_nntp

bytes

Full address of email sender (alias followed by email address).

nntp

newsgroup

newsgroupq_proto_nntp

bytes

Newsgroup name.

nntp

subject

subjectq_proto_nntp

bytes

Message subject.

nntp

login

loginq_proto_nntp

bytes

User's login string.

nntp

password

passwordq_proto_nntp

bytes

User's password string.

nntp

attach_filename

attach_filenameq_proto_nntp

bytes

Attachment name.

ntp

reference_clock

reference_clockq_proto_ntp

string

Reference clock IP address.

niconico_douga

query_text

query_textq_proto_niconico_douga

bytes

Decoded query text.

niconico_douga

query_raw

query_rawq_proto_niconico_douga

bytes

Query in raw HTML

niconico_douga

video_duration

video_durationq_proto_niconico_douga

bytes

Duration of the video in seconds.

niconico_douga

videoid

videoidq_proto_niconico_douga

bytes

Nico nico video identifier.

niconico_douga

tag

tagq_proto_niconico_douga

bytes

Video tag.

niconico_douga

title

titleq_proto_niconico_douga

bytes

Title of the video.

niconico_douga

description

descriptionq_proto_niconico_douga

bytes

Synopsis of the video.

niconico_douga

date

dateq_proto_niconico_douga

bytes

Release date of the video.

niconico_douga

nickname

nicknameq_proto_niconico_douga

bytes

User nickname.

niconico_douga

login

loginq_proto_niconico_douga

bytes

User's login string.

odnoklassniki

group_name

group_nameq_proto_odnoklassniki

bytes

Name of the group the user has subscribed to.

odnoklassniki

login

loginq_proto_odnoklassniki

bytes

User's login string.

oovoo

login

loginq_proto_oovoo

bytes

User's login string.

ospf

netmask

netmaskq_proto_ospf

string

The network mask associated with this interface.

ospf

dead_interval

dead_intervalq_proto_ospf

uint32

The number of seconds before declaring a silent router down.

ospf

designed_router

designed_routerq_proto_ospf

string

The identity of the Designated Router for this network, in the view of the sending router.

ospf

backup_router

backup_routerq_proto_ospf

string

The identity of the Backup Designated Router for this network, in the view of the sending router.

ospf

neighbor

neighborq_proto_ospf

string

The Router IDs of each router from whom valid Hello packets have been seen recently on the network.

ospf

ls_type

ls_typeq_proto_ospf

uint32

The type of the LSA.

ospf

ls_id

ls_idq_proto_ospf

string

This field identifies the portion of the internet environment that is being described by the LSA.

ospf

ls_adv_router

ls_adv_routerq_proto_ospf

string

The Router ID of the router that originated the LSA.

ospf

ls_seq_number

ls_seq_numberq_proto_ospf

uint32

Detects old or duplicate LSAs.

ospf

ls_netmask

ls_netmaskq_proto_ospf

string

The IP address mask for the network.

ospf

ls_metric

ls_metricq_proto_ospf

uint32

The cost of this route.

ospf

ls_attach_router

ls_attach_routerq_proto_ospf

string

The Router IDs of each of the routers attached to the network.

ospf

link_id

link_idq_proto_ospf

string

Identifies the object that this router link connects to.

ospf

link_data

link_dataq_proto_ospf

string

For connections to stub networks, Link Data specifies the network's IP address mask. For unnumbered point-to-point connections, it specifies the interface's MIB-II [Ref8] ifIndex value. For the other link types it specifies the router interface's IP address.

ospf

dd_seq_nbr

dd_seq_nbrq_proto_ospf

uint32

Used to sequence the collection of Database Description Packets.

ospf

external_fwd_addr

external_fwd_addrq_proto_ospf

string

Data traffic for the advertised destination will be forwarded to this address.

ospf

external_route_tag

external_route_tagq_proto_ospf

uint32

A 32-bit field attached to each external route.

openbsd_update

package_name

package_nameq_proto_openbsd_update

bytes

Software package name.

openvpn

seq

seqq_proto_openvpn

uint32

Sequence number

opera_update

new_version

new_versionq_proto_opera_update

bytes

New version of Opera which will be installed.

opera_update

current_version

current_versionq_proto_opera_update

bytes

Opera version currently installed.

orangemail

attach_filename

attach_filenameq_proto_orangemail

bytes

Attachment name.

orangemail

receiver_email

receiver_emailq_proto_orangemail

bytes

Email address of message receiver (including cc and bcc receivers).

orangemail

sender_email

sender_emailq_proto_orangemail

bytes

Email address of the email sender.

orangemail

subject

subjectq_proto_orangemail

bytes

Message subject.

orangemail

action

actionq_proto_orangemail

bytes

Indicates if the message is read (Read) or composed (Compose).

orangemail

msglist_subject

msglist_subjectq_proto_orangemail

bytes

Message subject in a message list.

orangemail

attach_size

attach_sizeq_proto_orangemail

uint32

Attached file MIME size.

orangemail

login

loginq_proto_orangemail

bytes

User's login string.

owa

msglist_subject

msglist_subjectq_proto_owa

bytes

Message subject in a message list.

owa

receiver_email

receiver_emailq_proto_owa

bytes

Email address of message receiver (including cc and bcc receivers).

owa

sender_email

sender_emailq_proto_owa

bytes

Email address of the email sender.

owa

attach_filename

attach_filenameq_proto_owa

bytes

Attachment name.

owa

action

actionq_proto_owa

bytes

Indicates if the message is read (Read) or composed (Compose).

owa

session_id

session_idq_proto_owa

bytes

Uniquely identifies the current user session.

owa

attach_size

attach_sizeq_proto_owa

uint32

Attached file MIME size.

owa

login

loginq_proto_owa

bytes

User's login string.

owa

msglist_receiver_email

msglist_receiver_emailq_proto_owa

bytes

Email address of the email receiver.

owa

msglist_sender_email

msglist_sender_emailq_proto_owa

bytes

Address of email sender.

owa

subject

subjectq_proto_owa

bytes

Message subject.

paltalk

uid

uidq_proto_paltalk

uint32

Generic user ID.

paltalk

login

loginq_proto_paltalk

bytes

User's login string.

paltalk

user_email

user_emailq_proto_paltalk

bytes

User's email address.

paltalk

contact_uid

contact_uidq_proto_paltalk

uint32

Contact ID.

paltalk

contact_login

contact_loginq_proto_paltalk

bytes

Contact login.

paltalk

chat_id

chat_idq_proto_paltalk

bytes

Window chat id.

paltalk

channel

channelq_proto_paltalk

bytes

Chat room name.

paltalk

message

messageq_proto_paltalk

bytes

Contains the chat message.

paltalk

encoding

encodingq_proto_paltalk

bytes

Message encoding.

paltalk

sender

senderq_proto_paltalk

bytes

Contains the identity of the sender of a chat session or a file transfer.

paltalk

receiver

receiverq_proto_paltalk

bytes

Contains the identity of the receiver for a chat message or a file transfer.

paltalk

sender_uid

sender_uidq_proto_paltalk

uint32

Message sender's unique identifier.

paltalk

receiver_uid

receiver_uidq_proto_paltalk

uint32

Message receiver's unique identifier.

paltalk

call_id

call_idq_proto_paltalk

bytes

Call id, extracted for each call.

paltalk

start_time

start_timeq_proto_paltalk

string

Start date of the call.

paltalk

caller

callerq_proto_paltalk

bytes

Contains the identity (or the phone number) of the initiator of the call.

paltalk

caller_uid

caller_uidq_proto_paltalk

uint32

Caller's unique identifier.

paltalk

callee

calleeq_proto_paltalk

bytes

Contains the identity (or the phone number) of the called party for a call.

paltalk

callee_uid

callee_uidq_proto_paltalk

uint32

Callee's unique identifier.

paltalk

call_duration

call_durationq_proto_paltalk

string

Call duration.

paltalk

caller_addr

caller_addrq_proto_paltalk

string

Address which could be used by the initiator of the call.

paltalk

callee_addr

callee_addrq_proto_paltalk

string

Address which could be used by the called party.

paltalk_transfer

login

loginq_proto_paltalk_transfer

bytes

User's login string.

paltalk_transfer

receiver

receiverq_proto_paltalk_transfer

bytes

Contains the identity of the receiver for a file transfer.

paltalk_transfer

sender_uid

sender_uidq_proto_paltalk_transfer

uint32

File sender's UID

paltalk_transfer

receiver_uid

receiver_uidq_proto_paltalk_transfer

uint32

File receiver's UID

paltalk_transfer

filename

filenameq_proto_paltalk_transfer

bytes

Name of the transferred file.

paltalk_transfer

filesize

filesizeq_proto_paltalk_transfer

uint32

Size (byte) of the transferred file.

pap

login

loginq_proto_pap

bytes

User's login string.

pap

password

passwordq_proto_pap

bytes

User's password string.

pap

message_type

message_typeq_proto_pap

bytes

Message type.

pccc

object_tns

object_tnsq_proto_pccc

uint32

Transaction identifier of the PCCC object, coded over 2 bytes; a request and its related response must share the same TNS value.

pccc

routing_info_dst_link

routing_info_dst_linkq_proto_pccc

uint32

Destination link address.

pccc

routing_info_src_link

routing_info_src_linkq_proto_pccc

uint32

Source link address.

perforce

parameter_name

parameter_nameq_proto_perforce

bytes

Name of the perforce parameter.

perforce

parameter_value

parameter_valueq_proto_perforce

bytes

Value of the perforce parameter.

perforce

parameter_size

parameter_sizeq_proto_perforce

uint32

Size in bytes of the parameter value.

perfspot

is_mobile_service

is_mobile_serviceq_proto_perfspot

uint32

Whether or not the access was made through a mobile device.

perfspot

password

passwordq_proto_perfspot

bytes

User's password string.

perfspot

login

loginq_proto_perfspot

bytes

User's login string.

pptp

version

versionq_proto_pptp

bytes

Protocol version.

pptp

vendor

vendorq_proto_pptp

bytes

The type of PAC being used, or the type of PNS software being used

pop3

login

loginq_proto_pop3

bytes

User's login string.

pop3

password

passwordq_proto_pop3

bytes

User's password string.

pop3

sender_email

sender_emailq_proto_pop3

bytes

Email address of the email sender.

pop3

sender_alias

sender_aliasq_proto_pop3

bytes

Name of the email sender.

pop3

receiver_email

receiver_emailq_proto_pop3

bytes

Email address of message receiver (including cc and bcc receivers).

pop3

subject

subjectq_proto_pop3

bytes

Message subject.

pop3

date

dateq_proto_pop3

bytes

Message date.

pop3

mime_type

mime_typeq_proto_pop3

bytes

Content type of received email body.

pop3

method

methodq_proto_pop3

bytes

Command sent by the client

pop3

attach_filename

attach_filenameq_proto_pop3

bytes

Attachment name.

pop3

attach_type

attach_typeq_proto_pop3

bytes

Content type of the sent attached file.

pop3

login_server

login_serverq_proto_pop3

bytes

Concatenated login and server: <login>@<server>.

pop3

message_id

message_idq_proto_pop3

bytes

A unique identifier of the message.

pop3

user_agent

user_agentq_proto_pop3

bytes

Name of the software used.

pop3

sender_entry

sender_entryq_proto_pop3

bool

Parent entry, for different elements belonging to the sender.

pop3

receiver_entry

receiver_entryq_proto_pop3

bool

Parent entry, for different elements belonging to the email receiver.

pop3

request

requestq_proto_pop3

bool

Parent entry, empty, for client request and server response.

pop3

received

receivedq_proto_pop3

bool

Parent entry, for fields added by each relay

pop3

content_type

content_typeq_proto_pop3

bytes

Indicates the content type of transferred file.

pop3

content_language

content_languageq_proto_pop3

bytes

Language of message content.

pop3

attach_filename_cdispo

attach_filename_cdispoq_proto_pop3

bytes

Attachment name. The attachment name is extracted from 'Content-Disposition' field.

pop3

attach_size

attach_sizeq_proto_pop3

uint32

Attached file MIME size.

pop3

attach_size_decoded

attach_size_decodedq_proto_pop3

uint32

Base64-decoded attached file content size in Bytes.

pop3

email_boundary

email_boundaryq_proto_pop3

bytes

Boundary used to separate different parts of the message body.

pop3

resent_from

resent_fromq_proto_pop3

bytes

Full address of the person for whom message is resent.

pop3

resent_from_email

resent_from_emailq_proto_pop3

bytes

Email address of the person for whom message is resent.

pop3

resent_from_alias

resent_from_aliasq_proto_pop3

bytes

Name of the person for whom message is resent.

pop3

resent_sender

resent_senderq_proto_pop3

bytes

Full address of the person who has actually resent the message.

pop3

resent_sender_email

resent_sender_emailq_proto_pop3

bytes

Email address of the person who has actually resent the message.

pop3

resent_sender_alias

resent_sender_aliasq_proto_pop3

bytes

Name of the person who has actually resent the message.

pop3

content_id

content_idq_proto_pop3

bytes

Indicates the identifier of the email content.

pop3

content_desc

content_descq_proto_pop3

bytes

Indicates the description of the email content.

pop3

attach_content_id

attach_content_idq_proto_pop3

bytes

Attached file content identifier.

pop3

attach_content_desc

attach_content_descq_proto_pop3

bytes

Descriptive information for the attached file content.

pop3

mime_version

mime_versionq_proto_pop3

bytes

Version of the message body format standard used in the mail protocol.

pop3

return_path

return_pathq_proto_pop3

bytes

Message return path.

pop3

received_by

received_byq_proto_pop3

bytes

Contains the name of the receiving host.

postgres

login

loginq_proto_postgres

bytes

User's login string.

postgres

base

baseq_proto_postgres

bytes

Database name.

postgres

server_version

server_versionq_proto_postgres

bytes

Server version

postgres

proto_version

proto_versionq_proto_postgres

bytes

Protocol version used

postgres

query

queryq_proto_postgres

bytes

SQL query sent by the client.

postgres

error

errorq_proto_postgres

bytes

Error message

postgres

password

passwordq_proto_postgres

bytes

User's password string.

postgres

authentification_type

authentification_typeq_proto_postgres

bytes

Authentication method requested by the server.

postgres

sqlstate_code

sqlstate_codeq_proto_postgres

bytes

SQL error code.

postgres

query_id

query_idq_proto_postgres

bytes

Request identifier. It is used to correlate SQL queries with query parameter values (Bind Variables).

postgres

variable_id

variable_idq_proto_postgres

bytes

Query parameter (Bind Variable) identifier within a SQL request.

postgres

variable_type

variable_typeq_proto_postgres

bytes

Data type of a SQL query parameter (Bind Variable).

postgres

variable_format

variable_formatq_proto_postgres

uint32

Format of a SQL query parameter (Bind Variable).

pplive

method

methodq_proto_pplive

bytes

Contains the method used for a PPLive Live Streaming command

pricerunner

query_text

query_textq_proto_pricerunner

bytes

Query sent to the search engine.

pricerunner

query_raw

query_rawq_proto_pricerunner

bytes

Contains the query sent to the search engine as indicated in the URL.

q931

display

displayq_proto_q931

bytes

Display name.

q931

call_duration

call_durationq_proto_q931

string

Call duration.

q931

setup_delay

setup_delayq_proto_q931

string

Call setup delay

q931

session_duration

session_durationq_proto_q931

string

Call setup duration.

q931

caller

callerq_proto_q931

bytes

Contains the identity (or the phone number) of the initiator of the call.

q931

callee

calleeq_proto_q931

bytes

Contains the identity (or the phone number) of the called party for a call.

qq

login

loginq_proto_qq

bytes

User's login string.

qq

version_code

version_codeq_proto_qq

bytes

The protocol version number used by the client.

qq

msg_type

msg_typeq_proto_qq

uint32

QQ command name.

qq

service

serviceq_proto_qq

bytes

Current service identification string.

qq

caller

callerq_proto_qq

bytes

Contains the identity (or the phone number) of the initiator of the call.

qq

callee

calleeq_proto_qq

bytes

Contains the identity (or the phone number) of the called party for a call.

qq

msg_code

msg_codeq_proto_qq

uint32

(deprecated) QQ command number.

qq

call_duration

call_durationq_proto_qq

string

Call duration.

qq

service_id

service_idq_proto_qq

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

qq

user_id

user_idq_proto_qq

bytes

Unique identifier related to a single user. This attribute is available for clear traffic from mobile applications; it may not be available for traffic from recent web browsers enforcing use of TLS.

qq_web

user_id

user_idq_proto_qq_web

bytes

Unique identifier related to a single user. This attribute is available for clear traffic from mobile applications; it may not be available for traffic from recent web browsers enforcing use of TLS.

quake

server

serverq_proto_quake

bytes

Server name.

quic

server_name

server_nameq_proto_quic

bytes

Domain name mentioned in CHLO message.

quic

user_agent

user_agentq_proto_quic

bytes

Name of the software used.

qvod

peer_ip

peer_ipq_proto_qvod

string

IPv4 address of the QVOD peer.

rambler_webmail

attach_filename

attach_filenameq_proto_rambler_webmail

bytes

Attachment name.

rambler_webmail

subject

subjectq_proto_rambler_webmail

bytes

Message subject.

rambler_webmail

action

actionq_proto_rambler_webmail

bytes

Indicates if the message is read (Read) or composed (Compose).

rambler_webmail

msglist_subject

msglist_subjectq_proto_rambler_webmail

bytes

Message subject in a message list.

rambler_webmail

attach_size

attach_sizeq_proto_rambler_webmail

uint32

Attached file MIME size.

rambler_webmail

receiver_email

receiver_emailq_proto_rambler_webmail

bytes

Email address of message receiver (including cc and bcc receivers).

rambler_webmail

sender_email

sender_emailq_proto_rambler_webmail

bytes

Email address of the email sender.

rambler_webmail

msglist_receiver_email

msglist_receiver_emailq_proto_rambler_webmail

bytes

Email address of the email receiver.

rambler_webmail

msglist_sender_email

msglist_sender_emailq_proto_rambler_webmail

bytes

Address of email sender.

rambler_webmail

domain

domainq_proto_rambler_webmail

bytes

Domain name used for the email address of the user.

rambler_webmail

login

loginq_proto_rambler_webmail

bytes

User's login string.

rambler

query_text

query_textq_proto_rambler

bytes

Query sent to the search engine.

rambler

query_raw

query_rawq_proto_rambler

bytes

Contains the query sent to the search engine as indicated in the URL.

rambler

login

loginq_proto_rambler

bytes

User's login string.

rambler

domain

domainq_proto_rambler

bytes

Domain name used for the login of the user.

rapidshare

action

actionq_proto_rapidshare

bytes

Indicates the action executed by the user.

rapidshare

filename

filenameq_proto_rapidshare

bytes

Name of the transferred file.

rapidshare

filesize

filesizeq_proto_rapidshare

uint32

Size (byte) of the transferred file.

rapidshare

method

methodq_proto_rapidshare

bytes

HTTP method used for this action.

rapidshare

email_address

email_addressq_proto_rapidshare

bytes

User email address.

rapidshare

download_url

download_urlq_proto_rapidshare

bytes

Downloaded file URL.

rtcp

cname

cnameq_proto_rtcp

bytes

User name.

rtcp

name

nameq_proto_rtcp

bytes

Complete user name.

rtcp

email

emailq_proto_rtcp

bytes

User's email address.

rtcp

phone

phoneq_proto_rtcp

bytes

User's phone number.

rtcp

loc

locq_proto_rtcp

bytes

User's location.

rtcp

tool

toolq_proto_rtcp

bytes

Client's software.

rtcp

note

noteq_proto_rtcp

bytes

User's comments.

rtcp

rr_jitter

rr_jitterq_proto_rtcp

uint32

Jitter value (in receiver report).

rtcp

rr_cumlost

rr_cumlostq_proto_rtcp

uint32

Contains the cumulative number of lost packets (in receiver reports).

rtcp

rr_ssrc_id

rr_ssrc_idq_proto_rtcp

uint32

Identity of the source that sent the receiver report.

rtcp

ssrc

ssrcq_proto_rtcp

uint32

Identity of the Synchronization source

rtcp

rr_pkt_sender_ssrc

rr_pkt_sender_ssrcq_proto_rtcp

uint32

The synchronization source identifier for the originator of this Receiver Report packet.

rtcp

rr_highestseqnum

rr_highestseqnumq_proto_rtcp

uint32

Highest sequence number received in an RTP data packet from source SSRC_n.

rtcp

rr_lsr

rr_lsrq_proto_rtcp

uint32

The middle 32 bits out of 64 in the NTP timestamp

rtcp

rr_dlsr

rr_dlsrq_proto_rtcp

uint32

The delay between receiving the last RR packet from source n and sending reception report block.

rtcp

sr_pkt_sender_ssrc

sr_pkt_sender_ssrcq_proto_rtcp

uint32

The synchronization source identifier for the originator of this Sender Report packet.

rtcp

sr_ntp_ts_msw

sr_ntp_ts_mswq_proto_rtcp

uint32

NTP timestamp, most significant word

rtcp

sr_ntp_ts_lsw

sr_ntp_ts_lswq_proto_rtcp

uint32

NTP timestamp, least significant word

rtcp

sr_rtp_ts

sr_rtp_tsq_proto_rtcp

uint32

RTP timestamp

rtcp

sr_pkt_count

sr_pkt_countq_proto_rtcp

uint32

The total number of RTP data packets transmitted by the sender

rtcp

sr_octet_count

sr_octet_countq_proto_rtcp

uint32

The total number of payload octets transmitted in RTP

rtcp

sr_ssrc_id

sr_ssrc_idq_proto_rtcp

uint32

The SSRC identifier of the source

rtcp

sr_cumlost

sr_cumlostq_proto_rtcp

uint32

Contains the cumulative number of lost packets (in sender reports).

rtcp

sr_highestseqnum

sr_highestseqnumq_proto_rtcp

uint32

Highest sequence number received in an RTP data packet from source SSRC_n.

rtcp

sr_jitter

sr_jitterq_proto_rtcp

uint32

Jitter value (in Sender report).

rtcp

sr_lsr

sr_lsrq_proto_rtcp

uint32

The middle 32 bits out of 64 in the NTP timestamp

rtcp

sr_dlsr

sr_dlsrq_proto_rtcp

uint32

The delay between receiving the last SR packet from source n and sending reception report block.

rtmp

page_url

page_urlq_proto_rtmp

bytes

URL of the webpage where the audio/video content is streamed.

rtmp

stream_url

stream_urlq_proto_rtmp

bytes

URL of the streamed audio/video.

rtmp

app_name

app_nameq_proto_rtmp

bytes

Name of the application accessing the streamed content.

rtmp

start_time

start_timeq_proto_rtmp

uint32

The timestamp of the beginning of the streamed audio/video (in ms).

rtmp

stop_time

stop_timeq_proto_rtmp

uint32

The timestamp of the end of the streamed audio/video (in ms).

rtmp

encryption

encryptionq_proto_rtmp

bytes

Name of the encryption used.

rtp

end_session

end_sessionq_proto_rtp

bytes

The end_session attribute is raised at the end of the RTP session

rtp

codec_name

codec_nameq_proto_rtp

bytes

Name of the codec.

rtp

unseq

unseqq_proto_rtp

uint32

Contains the number of misordered packets (use sum).

rtp

ssrc

ssrcq_proto_rtp

uint32

Identity of the Synchronization source

rtp

timestamp

timestampq_proto_rtp

uint32

RTP packet timestamp.

rtp

mos_session

mos_sessionq_proto_rtp

uint32

Standard Mean Opinion Score voice quality indicator. The value is derived from the Rfactor indicator, following the ITU-T G.107.1 wideband Rfactor to MOS equations. The extracted value is multiplied by 1000. The following codecs are supported: PCM, GSM(AMR-NB), G.723.1, G.729-A, EVRC, EVRCB, G.722.2(AMR-WB).

rtp

rfactor

rfactorq_proto_rtp

uint32

Rfactor indicator value, following the E-model from ITU-T G.107 and G.107.1. The calculation method is valid for narrowband (rfactor<=100) and wideband (rfactor<=129) codecs. The extracted value is multiplied by 1000. The following codecs are supported: PCM, AMR(GSM-FR), AMR-WB(G.722.2), G.723.1, G.729-A, EVRC, EVRCB. For the AMR and AMR-WB codecs, multi-bitrate (codec modes) Rfactor evaluation is supported. The codec-specific transmission impairment parameters used to compute the Rfactor were extracted from the ITU-T G.113 recommendation for narrowband codecs (PCM, G.723.1, G.729-A, GSM), and from ITU-T G.113.1 for wideband codecs (G.722.2). Additional equipment-related impairment parameters (for G.722.2) were extracted from the Instrumental Estimation of E-Model Parameters For Wideband Speech Codecs study results at EURASIP.

rtp

session_duration

session_durationq_proto_rtp

string

Call setup duration.

rtp

csrc

csrcq_proto_rtp

uint32

Identity (or identities) of the source(s) contributing to the payload. There is one csrc per contributing source.

rtp

parent_call_id

parent_call_idq_proto_rtp

bytes

Call Identifier extracted from SIP/SDP.

rtp

service_id

service_idq_proto_rtp

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

rtp

service

serviceq_proto_rtp

bytes

Current service identification string.

rtp

service_duration

service_durationq_proto_rtp

uint32

4-byte integer value indicating the length of the service in seconds, reported when the service has ended.

rtp

service_duration_tv

service_duration_tvq_proto_rtp

string

Timeval structure indicating the length of the service in seconds and microseconds, reported when the service has ended.

rtsp

user_agent

user_agentq_proto_rtsp

bytes

Client's software.

rtsp

filename

filenameq_proto_rtsp

bytes

Name of the streamed file.

rtsp

method

methodq_proto_rtsp

bytes

RTSP command sent by the client.

rtsp

server_agent

server_agentq_proto_rtsp

bytes

Name of the server software.

rtsp

server

serverq_proto_rtsp

bytes

Name of the streaming server.

rtsp

directory

directoryq_proto_rtsp

bytes

File directory.

rtsp

code

codeq_proto_rtsp

uint32

Server return code.

rtsp

uri

uriq_proto_rtsp

bytes

Complete name (path + filename) of a web resource (truncated at 1503 characters).

rtsp

urilast64

urilast64q_proto_rtsp

bytes

Last 64 characters of the URI.

rtsp

urilen

urilenq_proto_rtsp

uint32

URI length.

rtsp

uri_full

uri_fullq_proto_rtsp

bytes

Complete name (path + filename) of a web resource (not truncated).

rtsp

header_name

header_nameq_proto_rtsp

bytes

One RTSP header line (field).

rtsp

header_value

header_valueq_proto_rtsp

bytes

One RTSP header line (value).

rtsp

header_statusline

header_statuslineq_proto_rtsp

bytes

The status line, just before the header lines.

rtsp

version

versionq_proto_rtsp

bytes

Protocol version.

rtsp

cseq

cseqq_proto_rtsp

bytes

Sequence number.

rtsp

start_time

start_timeq_proto_rtsp

string

Start date of the call.

rtsp

session_duration

session_durationq_proto_rtsp

string

Call setup duration.

rtsp

media_attr_value

media_attr_valueq_proto_rtsp

bytes

Line value of the media attribute.

rtsp

media_attr_type

media_attr_typeq_proto_rtsp

uint32

Contains the media type (audio or video).

rtsp

media_attr_encoding

media_attr_encodingq_proto_rtsp

bytes

The encoding of media data.

rtsp

media_attr_rate

media_attr_rateq_proto_rtsp

bytes

The encoding rate.

rtsp

media_attr_param

media_attr_paramq_proto_rtsp

bytes

Session attribute value.

rtsp

media_attr_label

media_attr_labelq_proto_rtsp

bytes

Name of the described session attribute.

rtsp

media_attr_addr

media_attr_addrq_proto_rtsp

string

The mentioned IPv4 address to be used.

rtsp

media_attr_channel

media_attr_channelq_proto_rtsp

bytes

The channel value.

rtsp

media_attr_transport

media_attr_transportq_proto_rtsp

bytes

The transport protocol (TCP or UDP).

rtsp

media_type

media_typeq_proto_rtsp

bytes

Contains the media type.

rtsp

media_proto

media_protoq_proto_rtsp

bytes

Protocol used in client stream.

rtsp

media_format

media_formatq_proto_rtsp

uint32

Client's protocol formats available.

rtsp

uri_start_offset

uri_start_offsetq_proto_rtsp

uint32

Offset to the first URI byte in the stream.

rtsp

uri_end_offset

uri_end_offsetq_proto_rtsp

uint32

Offset to the first byte which is not part of the URI in the stream.

redhat_update

kernel_name

kernel_nameq_proto_redhat_update

bytes

Kernel package or package linked to the kernel.

redhat_update

kernel_version

kernel_versionq_proto_redhat_update

bytes

Version number of the kernel package.

redhat_update

kernel_archi

kernel_archiq_proto_redhat_update

bytes

Architecture of the kernel package.

redhat_update

kernel_distrib

kernel_distribq_proto_redhat_update

bytes

Distribution linked to this kernel package.

redhat_update

package_name

package_nameq_proto_redhat_update

bytes

Name of the downloaded package.

redhat_update

package_version

package_versionq_proto_redhat_update

bytes

Version number of the downloaded package.

redhat_update

package_archi

package_archiq_proto_redhat_update

bytes

Architecture of the package.

redhat_update

package_distrib

package_distribq_proto_redhat_update

bytes

Distribution linked to this package.

radius

login

loginq_proto_radius

bytes

User-Name (an attribute defined in RFC2865).

radius

calling_station_id

calling_station_idq_proto_radius

bytes

Client id.

radius

framed_ip

framed_ipq_proto_radius

string

Framed-IP-Address (an attribute defined in RFC2865).

radius

acct_session_id

acct_session_idq_proto_radius

bytes

Accounting session ID.

radius

called_station_id

called_station_idq_proto_radius

bytes

The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology.

radius

nas_id

nas_idq_proto_radius

bytes

Unique identifier of the NAS originating the Access-Request

radius

nas_ip

nas_ipq_proto_radius

string

IP address of the NAS originating the Access-Request

radius

nas_port

nas_portq_proto_radius

uint32

Physical port number of the user on the NAS

radius

nas_port_type

nas_port_typeq_proto_radius

uint32

Indicates the type of physical port the network access server (NAS) is using to authenticate the user.

radius

nas_port_id

nas_port_idq_proto_radius

bytes

Identifies the NAS.

radius

callback_number

callback_numberq_proto_radius

bytes

Contains the dialing string to be used for callback

radius

terminate_cause

terminate_causeq_proto_radius

uint32

This attribute indicates how the session was terminated

radius

acct_output_octets

acct_output_octetsq_proto_radius

uint32

Indicates how many octets have been sent to the port in the course of delivering this service

radius

acct_input_octets

acct_input_octetsq_proto_radius

uint32

Indicates how many octets have been received from the port over the course of this service being provided

radius

session_timeout

session_timeoutq_proto_radius

uint32

The maximum number of seconds of service to be provided to the user before termination of the session or prompt.

radius

idle_timeout

idle_timeoutq_proto_radius

uint32

The maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

radius

start_time

start_timeq_proto_radius

string

Indicates the beginning of the user service.

radius

stop_time

stop_timeq_proto_radius

string

Indicates the end of the user service.

radius

framed_ipv6_route

framed_ipv6_routeq_proto_radius

bytes

Provides the routing information to be configured for the user on the NAS

radius

framed_ipv6_pool

framed_ipv6_poolq_proto_radius

bytes

Contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user.

radius

avp_ipv4

avp_ipv4q_proto_radius

string

An IPv4 address. (CLEP_DATA_IP_ADDR)

radius

avp_int

avp_intq_proto_radius

uint32

An 8-, 24- or 32-bit integer value. (CLEP_DATA_UINT32)

radius

avp_int64

avp_int64q_proto_radius

uint64

A 64-bit integer value. (CLEP_DATA_UINT64)

radius

avp_vendor_id

avp_vendor_idq_proto_radius

uint32

SMI Network Management Private Enterprise Code. (CLEP_DATA_UINT32)

radius

avp_interface_id

avp_interface_idq_proto_radius

uint64

IPv6 interface identifier. (CLEP_DATA_UINT64)

radius

3gpp_sgsn_address

3gpp_sgsn_addressq_proto_radius

string

IP address of the SGSN

radius

3gpp_sgsn_mcc_mnc

3gpp_sgsn_mcc_mncq_proto_radius

uint32

MCC and MNC of the SGSN

radius

3gpp_imsi

3gpp_imsiq_proto_radius

bytes

IMSI for the user

radius

framed_ip_netmask

framed_ip_netmaskq_proto_radius

string

Framed-IP-Netmask (an attribute defined in RFC2865).

rdp

version

versionq_proto_rdp

bytes

RDP Version used.

rdp

client_build

client_buildq_proto_rdp

uint32

RDP client build.

rdp

desktop_width

desktop_widthq_proto_rdp

uint32

Desktop width.

rdp

desktop_height

desktop_heightq_proto_rdp

uint32

Desktop height.

rdp

hostname_ascii

hostname_asciiq_proto_rdp

bytes

Client hostname, in ASCII.

rdp

domain_ascii

domain_asciiq_proto_rdp

bytes

Client domain, in ASCII.

rdp

username_ascii

username_asciiq_proto_rdp

bytes

Client login, in ASCII.

rdp

default_username

default_usernameq_proto_rdp

bytes

User's default login, provided at RDP's client runtime.

rdp

encrypted

encryptedq_proto_rdp

uint32

Indicates if the traffic is encrypted with TLS or CredSSP.

rdp

io_channel_id

io_channel_idq_proto_rdp

uint32

IO channel ID.

rdp

channel_id

channel_idq_proto_rdp

uint32

Communication channel ID.

rdp

channel_name

channel_nameq_proto_rdp

bytes

Communication channel name (An 8-byte array containing a unique 7-character ANSI channel name and a null terminator).

rdp

channel_disabled

channel_disabledq_proto_rdp

uint32

Tells whether the channel is disabled.

rdp

channel_encrypt_way

channel_encrypt_wayq_proto_rdp

bytes

Tells whether the channel is encrypted.

rdp

channel_priority

channel_priorityq_proto_rdp

bytes

Channel priority.

rdp

keyboard_type

keyboard_typeq_proto_rdp

uint32

The keyboard type.

rdp

keyboard_subtype

keyboard_subtypeq_proto_rdp

uint32

The keyboard subtype.

rdp

keyboard_function_key

keyboard_function_keyq_proto_rdp

uint32

The number of function keys on the keyboard.

rdp

ime_filename_ascii

ime_filename_asciiq_proto_rdp

bytes

The input method editor (IME) file name associated with the active input locale, in ASCII.

rdp

client_product_id

client_product_idq_proto_rdp

uint32

The client product ID.

rdp

serial_number

serial_numberq_proto_rdp

uint32

Serial number.

rdp

client_dig_product_id_ascii

client_dig_product_id_asciiq_proto_rdp

bytes

Contains a value that uniquely identifies the client, in ASCII.

rdp

server_sec_cert_key_algo

server_sec_cert_key_algoq_proto_rdp

uint32

Type of algorithm used by certificate key (0x0001 == RSA).

rdp

server_sec_cert_pub_key_magic

server_sec_cert_pub_key_magicq_proto_rdp

bytes

Name of algorithm used by certificate key.

rdp

server_sec_cert_version

server_sec_cert_versionq_proto_rdp

uint32

Raw value (32 bits) of version field.

rdp

server_sec_cert_count

server_sec_cert_countq_proto_rdp

uint32

Number of certificates in the chain.

rdp

color_depth

color_depthq_proto_rdp

uint32

Color depth requested by RDP client. RDP specifications mention it must be ignored if post_beta_2_color_depth is raised.

rdp

post_beta_2_color_depth

post_beta_2_color_depthq_proto_rdp

uint32

Color depth requested by RDP client. RDP specifications mention it must be ignored if high_color_depth is raised.

rdp

high_color_depth

high_color_depthq_proto_rdp

uint32

Color depth requested by RDP client.

rlogin

client_login

client_loginq_proto_rlogin

bytes

Name of the client host.

rlogin

server_login

server_loginq_proto_rlogin

bytes

User login.

rlogin

server_password

server_passwordq_proto_rlogin

bytes

User password.

rlogin

term_type

term_typeq_proto_rlogin

bytes

Terminal type used to establish the remote session.

rlogin

speed

speedq_proto_rlogin

uint32

Connection speed.

rpc

program

programq_proto_rpc

uint32

Program Identifier.

rpc

version

versionq_proto_rpc

uint32

Version of the RPC protocol.

rpc

program_version

program_versionq_proto_rpc

uint32

Version of the used program over RPC.

rpc

procedure

procedureq_proto_rpc

uint32

Contains the request used by the application program (NFS, YellowPages, ...).

rpc

state

stateq_proto_rpc

uint32

Status of the command response.

rpc

xid

xidq_proto_rpc

uint32

Identifier of the request or the reply.

rpc

message_type

message_typeq_proto_rpc

bytes

Message type (Call or Reply).

rsh

login

loginq_proto_rsh

bytes

User's login string.

rsh

server

serverq_proto_rsh

bytes

Remote server.

rsync

module

moduleq_proto_rsync

bytes

Name of the group in which files are gathered.

rsync

login

loginq_proto_rsync

bytes

User's login string.

rsync

password

passwordq_proto_rsync

bytes

User's password string.

rsync

filename

filenameq_proto_rsync

bytes

Name of the transferred file.

rsync

filesize

filesizeq_proto_rsync

uint32

Size (byte) of the transferred file.

rsync

file_is_compressed

file_is_compressedq_proto_rsync

uint32

Tells whether a file is compressed or not.

rsync

file_chunk_number

file_chunk_numberq_proto_rsync

uint32

Number of the transferred piece.

rsync

file_chunk_len

file_chunk_lenq_proto_rsync

uint32

Size of the transferred piece.

rsync

file_chunk_data_offset

file_chunk_data_offsetq_proto_rsync

uint32

Offset of the transferred data.

rip2

ip_addr

ip_addrq_proto_rip2

string

IP address of a router.

rip2

next_hope

next_hopeq_proto_rip2

string

The immediate next hop IP address to which packets to the destination specified by this route entry should be forwarded.

rip2

netmask

netmaskq_proto_rip2

string

The Subnet Mask field contains the subnet mask which is applied to the IP address to yield the non-host portion of the address.

rip2

metric

metricq_proto_rip2

uint32

Total distance to a router.

rip2

authentication

authenticationq_proto_rip2

bytes

Authentication content (password for example).

s1ap

ep_name

ep_nameq_proto_s1ap

bytes

Elementary Procedure name.

s1ap

ep_mme_ue_id

ep_mme_ue_idq_proto_s1ap

uint32

Mobility Management Entity Identifier (MME UE S1AP ID).

s1ap

ep_enb_ue_id

ep_enb_ue_idq_proto_s1ap

uint32

E-UTRAN NodeB Identifier (eNB UE S1AP ID).

s1ap

ep_ie_name

ep_ie_nameq_proto_s1ap

bytes

Information Element name.

s1ap

ep_ie_rab_addr

ep_ie_rab_addrq_proto_s1ap

string

Transport Layer Address (IPv4).

s1ap

ep_ie_rab_teid

ep_ie_rab_teidq_proto_s1ap

bytes

GTP Tunnel Endpoint Identifier (GTP-TEID).

s1ap

ep_ie_tai

ep_ie_taiq_proto_s1ap

bytes

Tracking Area Identifier (TAI).

s1ap

ep_ie_cgi

ep_ie_cgiq_proto_s1ap

bytes

E-UTRAN Cell Global Identifier (E-UTRAN CGI).

s1ap

processing_anomaly_type

processing_anomaly_typeq_proto_s1ap

bytes

Defines the category of the anomaly.

s1ap

processing_anomaly_attr

processing_anomaly_attrq_proto_s1ap

uint32

Gives an attribute ID, or an attribute structure (parent attribute ID), not extracted because of the anomaly.

samsung_apps

is_smartphone

is_smartphoneq_proto_samsung_apps

uint32

Boolean attribute indicating whether the client is a smartphone (1) or not (0).

secondlife

login

loginq_proto_secondlife

bytes

User's login string.

secondlife

message

messageq_proto_secondlife

bytes

Content of chat message.

secondlife

message_type

message_typeq_proto_secondlife

bytes

Message type.

secondlife

source_name

source_nameq_proto_secondlife

bytes

Source name.

secondlife

source_type

source_typeq_proto_secondlife

bytes

Source type.

secondlife

chat_type

chat_typeq_proto_secondlife

bytes

Chat message type.

aims

login

loginq_proto_aims

bytes

User's login string.

ssh

rtt

rttq_proto_ssh

string

Server response time.

ssh

version

versionq_proto_ssh

bytes

Protocol version.

ssh

user_agent

user_agentq_proto_ssh

bytes

Protocol version, software version and optional comments sent by the client.

ssh

server_agent

server_agentq_proto_ssh

bytes

Protocol version, software version and optional comments sent by the server.

ssh

tsp_alg_kex

tsp_alg_kexq_proto_ssh

bytes

List of proposed algorithms for key exchange. Each value is separated by a comma.

ssh

tsp_alg_server_host_key

tsp_alg_server_host_keyq_proto_ssh

bytes

List of proposed algorithms for server host key. Each value is separated by a comma.

ssh

tsp_alg_encrypt_cts

tsp_alg_encrypt_ctsq_proto_ssh

bytes

List of proposed symmetric encryption algorithms for traffic from client to server. Each value is separated by a comma.

ssh

tsp_alg_encrypt_stc

tsp_alg_encrypt_stcq_proto_ssh

bytes

List of proposed symmetric encryption algorithms for traffic from server to client. Each value is separated by a comma.

ssh

tsp_alg_mac_cts

tsp_alg_mac_ctsq_proto_ssh

bytes

List of proposed algorithms for Message Authentication Code (MAC) on traffic from client to server. Each value is separated by a comma.

ssh

tsp_alg_mac_stc

tsp_alg_mac_stcq_proto_ssh

bytes

List of proposed algorithms for Message Authentication Code (MAC) on traffic from server to client. Each value is separated by a comma.

ssh

tsp_alg_comp_cts

tsp_alg_comp_ctsq_proto_ssh

bytes

List of proposed algorithms for compression on traffic from client to server. Each value is separated by a comma.

ssh

tsp_alg_comp_stc

tsp_alg_comp_stcq_proto_ssh

bytes

List of proposed algorithms for compression on traffic from server to client. Each value is separated by a comma.

ssh

tsp_server_key_type

tsp_server_key_typeq_proto_ssh

bytes

Algorithm related to public host key of the server.

ssh

tsp_alg_kex_guessed_cts

tsp_alg_kex_guessed_ctsq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for key exchange from client to server, based on the usual way the client and server choose their algorithm for key exchange. This algorithm is only used for key exchange validation, not for encryption.

ssh

tsp_alg_kex_guessed_stc

tsp_alg_kex_guessed_stcq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for key exchange from server to client, based on the usual way the client and server choose their algorithm for key exchange. This algorithm is only used for key exchange validation, not for encryption.

ssh

tsp_alg_encrypt_guessed_cts

tsp_alg_encrypt_guessed_ctsq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for symmetric encryption from client to server, based on the usual way the client and server choose their algorithm for encryption.

ssh

tsp_alg_encrypt_guessed_stc

tsp_alg_encrypt_guessed_stcq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for symmetric encryption from server to client, based on the usual way the client and server choose their algorithm for encryption.

ssh

tsp_alg_mac_guessed_cts

tsp_alg_mac_guessed_ctsq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for Message Authentication Code (MAC) from client to server, based on the usual way the client and server choose their algorithm for MAC.

ssh

tsp_alg_mac_guessed_stc

tsp_alg_mac_guessed_stcq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for Message Authentication Code (MAC) from server to client, based on the usual way the client and server choose their algorithm for MAC.

ssh

tsp_comp_guessed_cts

tsp_comp_guessed_ctsq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for compression from client to server, based on the usual way the client and server choose their algorithm for compression.

ssh

tsp_comp_guessed_stc

tsp_comp_guessed_stcq_proto_ssh

bytes

This attribute indicates what algorithm should be in use for compression from server to client, based on the usual way the client and server choose their algorithm for compression.

ssl

common_name

common_nameq_proto_ssl

bytes

Domain name mentioned in the certificate.

ssl

server_name

server_nameq_proto_ssl

bytes

Domain name mentioned in Client Hello message.

ssl

supported_next_protocol

supported_next_protocolq_proto_ssl

bytes

Supported protocol on top of SSL specified by the server in the Next Protocol Negotiation or Application Layer Protocol Negotiation [RFC7301] TLS extensions.

ssl

issuer

issuerq_proto_ssl

bytes

Certificate Authority.

ssl

validity_not_before

validity_not_beforeq_proto_ssl

bytes

Certificate's validity start date, in UTCTime format: YYMMDDHHMMSSZ.

ssl

validity_not_after

validity_not_afterq_proto_ssl

bytes

Certificate's validity end date, in UTCTime format: YYMMDDHHMMSSZ.

ssl

subject_alt_name

subject_alt_nameq_proto_ssl

bytes

Identifies a list of host names which belong to the same certificate.

ssl

organization_name

organization_nameq_proto_ssl

bytes

Organisation name mentioned in the certificate.

ssl

index

indexq_proto_ssl

uint32

Identifier of the request and response in an SSL flow.

ssl

request_size

request_sizeq_proto_ssl

uint64

Contains the total length in bytes of the request or the response (including SSL headers). This attribute is computed at the end of the request or response.

ssl

cipher_suite_id

cipher_suite_idq_proto_ssl

uint32

Id of the cipher suite handled by the server.

ssl

protocol_version

protocol_versionq_proto_ssl

uint32

This attribute is extracted once per flow and indicates which SSL/TLS protocol was chosen by the server for this session.

ssl

common_name_raw

common_name_rawq_proto_ssl

bytes

Domain name mentioned in the certificate, not decoded.

ssl

parent_common_name

parent_common_nameq_proto_ssl

bytes

Domain name mentioned in the original certificate (the session to be resumed).

ssl

server_name_raw

server_name_rawq_proto_ssl

bytes

Domain name mentioned in the Client Hello message, not decoded.

ssl

client_hello_extension_type

client_hello_extension_typeq_proto_ssl

uint32

Integer that defines the type of extension in the client request.

ssl

server_hello_extension_type

server_hello_extension_typeq_proto_ssl

uint32

Integer that defines the type of extension in the server response.

ssl

certificate_dn_subject

certificate_dn_subjectq_proto_ssl

bytes

Distinguished name of the subject formatted according to RFC 1779.

ssl

certificate_subject_cn

certificate_subject_cnq_proto_ssl

bytes

Common name of the subject formatted according to RFC 1779.

ssl

certificate_subject_l

certificate_subject_lq_proto_ssl

bytes

Locality name of the subject formatted according to RFC 1779.

ssl

certificate_subject_st

certificate_subject_stq_proto_ssl

bytes

State Or Province name of the subject formatted according to RFC 1779.

ssl

certificate_subject_o

certificate_subject_oq_proto_ssl

bytes

Organization name of the subject formatted according to RFC 1779.

ssl

certificate_subject_ou

certificate_subject_ouq_proto_ssl

bytes

Organization Unit name of the subject formatted according to RFC 1779.

ssl

certificate_subject_c

certificate_subject_cq_proto_ssl

bytes

Country name of the subject formatted according to RFC 1779.

ssl

certificate_subject_street

certificate_subject_streetq_proto_ssl

bytes

Street address of the subject formatted according to RFC 1779; delimiters (< and >) are used to avoid issues with special characters.

ssl

certificate_dn_issuer

certificate_dn_issuerq_proto_ssl

bytes

Distinguished name of the issuer formatted according to RFC 1779.

ssl

certificate_issuer_cn

certificate_issuer_cnq_proto_ssl

bytes

Common name of the subject formatted according to RFC 1779.

ssl

certificate_issuer_l

certificate_issuer_lq_proto_ssl

bytes

Locality name of the issuer formatted according to RFC 1779.

ssl

certificate_issuer_st

certificate_issuer_stq_proto_ssl

bytes

State Or Province name of the issuer formatted according to RFC 1779.

ssl

certificate_issuer_o

certificate_issuer_oq_proto_ssl

bytes

Organization name of the subject formatted according to RFC 1779.

ssl

certificate_issuer_ou

certificate_issuer_ouq_proto_ssl

bytes

Organization Unit name of the issuer formatted according to RFC 1779.

ssl

certificate_issuer_c

certificate_issuer_cq_proto_ssl

bytes

Country name of the issuer formatted according to RFC 1779.

ssl

certificate_issuer_street

certificate_issuer_streetq_proto_ssl

bytes

Street address of the issuer formatted according to RFC 1779; delimiters (< and >) are used to avoid issues with special characters.

ssl

client_hello_extension_len

client_hello_extension_lenq_proto_ssl

uint32

Length in bytes of client hello extension payload.

ssl

server_hello_extension_len

server_hello_extension_lenq_proto_ssl

uint32

Length in bytes of server hello extension payload.

ssl

ext_sig_algorithms_len

ext_sig_algorithms_lenq_proto_ssl

uint32

Length in bytes of list of signature algorithms, so twice the number of algorithms. (Algorithms are encoded over two bytes.)

ssl

ext_sig_algorithm_scheme

ext_sig_algorithm_schemeq_proto_ssl

uint32

Signature scheme, aka hash, signature, ... (All SSL versions)

ssl

certificate_subject_key_algo_oid

certificate_subject_key_algo_oidq_proto_ssl

bytes

OID defining type of algorithm related to the subject key. (in string format)

ssl

certificate_subject_key_size

certificate_subject_key_sizeq_proto_ssl

uint32

SKI length in bytes (Subject Key Info, algorithm and value)

ssl

ext_ec_supported_groups_nb

ext_ec_supported_groups_nbq_proto_ssl

uint32

Number of elliptic curves.

ssl

ext_ec_supported_groups_type

ext_ec_supported_groups_typeq_proto_ssl

uint32

Type of the elliptic curve supported.

ssl

server_supported_version

server_supported_versionq_proto_ssl

uint32

Version of SSL/TLS supported by the server; this value comes from the extension named "supported version" in TLS. The final version chosen by the server is given by the attribute protocol_version.

ssl

client_supported_version

client_supported_versionq_proto_ssl

uint32

Version of SSL/TLS supported by the client; this value comes from the extension named "supported version" in TLS. The final version chosen by the server is given by the attribute protocol_version.

ssl

cert_extension_oid

cert_extension_oidq_proto_ssl

bytes

OID defining type of certificate extension in human readable string format.

ssl

client_hello_version

client_hello_versionq_proto_ssl

uint32

SSL/TLS client version field value.

ssl

server_hello_version

server_hello_versionq_proto_ssl

uint32

SSL/TLS server version field value.

smb

login

loginq_proto_smb

bytes

User's login string.

smb

service

serviceq_proto_smb

bytes

Service Type.

smb

user_id

user_idq_proto_smb

uint32

User identifier (SMB usmb_v1 only).

smb

directory

directoryq_proto_smb

bytes

Name of the shared directory on the server host.

smb

path

pathq_proto_smb

bytes

The server/share name of the resource to which the client attempts to connect.

smb

domain

domainq_proto_smb

bytes

Domain name (NTLMSSP domain).

smb

native_os

native_osq_proto_smb

bytes

Client's operating system.

smb

command_string

command_stringq_proto_smb

bytes

Command name.

smb

filename

filenameq_proto_smb

bytes

Name of the transferred file.

smb

filesize

filesizeq_proto_smb

uint64

Size (byte) of the transferred file.

smb

version

versionq_proto_smb

uint32

Protocol version.

smb

host

hostq_proto_smb

bytes

SMB client host name (NTLMSSP workstation).

smb

krb5_service

krb5_serviceq_proto_smb

bytes

Service type.

smb

krb5_server

krb5_serverq_proto_smb

bytes

Name of the server requiring Kerberos authentication.

smb

krb5_realm

krb5_realmq_proto_smb

bytes

Realm in KRB-ERROR message.

smb

file_type

file_typeq_proto_smb

uint32

File type.

smb

ntlm_user

ntlm_userq_proto_smb

bytes

"User" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

smb

ntlm_domain

ntlm_domainq_proto_smb

bytes

"Domain" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

smb

ntlm_workstation

ntlm_workstationq_proto_smb

bytes

"Workstation" attribute of the NTLM protocol, extracted from NTLM Authenticate (3) messages.

smb

ntlm_identifier

ntlm_identifierq_proto_smb

bytes

NTLM protocol Signature (null-terminated string).

smb

ntlm_message_type

ntlm_message_typeq_proto_smb

uint32

NTLM message type.

smb

dcerpc_service

dcerpc_serviceq_proto_smb

bytes

The DCERPC protocol is an RPC implementation used in Distributed Computing Environments. This protocol is used by many software applications including Microsoft Exchange.

smb

dcerpc_interface_uuid

dcerpc_interface_uuidq_proto_smb

bytes

ID of the interface.

smb

dcerpc_call_id

dcerpc_call_idq_proto_smb

uint32

ID of the call.

smb

dcerpc_context_id

dcerpc_context_idq_proto_smb

uint32

ID of the context.

smb

dcerpc_opnum

dcerpc_opnumq_proto_smb

uint32

ID of specific function call to the interface.

smb

header_length

header_lengthq_proto_smb

uint32

The size, in bytes, of the SMB2 header structure.

smb

credit_charge

credit_chargeq_proto_smb

uint32

This field indicates the number of credits that this request consumes.

smb

channel

channelq_proto_smb

uint32

This field is an indication to the server about the client's Channel change.

smb

credits_requested

credits_requestedq_proto_smb

uint32

On a request, this field indicates the number of credits the client is requesting.

smb

flags

flagsq_proto_smb

uint32

This field indicates how to process the operation.

smb

session_id

session_idq_proto_smb

uint64

Uniquely identifies the current user session.

smb

dcerpc_item_context_id

dcerpc_item_context_idq_proto_smb

uint32

Index of the current context item

smb

dcerpc_abstract_itf_uuid

dcerpc_abstract_itf_uuidq_proto_smb

bytes

Interface UUID identifying the RPC interface to call.

smb

dcerpc_abstract_itf_version

dcerpc_abstract_itf_versionq_proto_smb

uint32

Version number of interface to call. It is defined on 32 bits.

smb

dcerpc_transfer_itf_uuid

dcerpc_transfer_itf_uuidq_proto_smb

bytes

Interface UUID identifying the RPC interface used to get the reply.

smb

dcerpc_transfer_itf_version

dcerpc_transfer_itf_versionq_proto_smb

uint32

Version number of interface to get reply. It is defined on 32 bits.

smb

dcerpc_result_ack_result

dcerpc_result_ack_resultq_proto_smb

uint32

Negotiation result of the given presentation transfer syntax (0 stands for Acceptance).

smb

dcerpc_result_ack_reason

dcerpc_result_ack_reasonq_proto_smb

uint32

Reason detailing non-acceptance of the given transfer syntax, usually set to 0 when the transfer syntax is accepted (Q_DCERPC_RESULT_ACK_RESULT == 0).

smb

dcerpc_result_transfer_syntax_uuid

dcerpc_result_transfer_syntax_uuidq_proto_smb

bytes

UUID of selected transfer syntax; 0 stands for "transfer syntax is not selected".

smb

dcerpc_result_transfer_syntax_version

dcerpc_result_transfer_syntax_versionq_proto_smb

uint32

Version of selected transfer syntax, usually also set to 0 when UUID is 0.

smb

set_info_fix_struct_size

set_info_fix_struct_sizeq_proto_smb

uint32

Size of the fixed part of the SET_INFO header (request or response).

smb

set_info_size

set_info_sizeq_proto_smb

uint32

The length, in bytes, of the information to be set.

smb

set_info_file_rename_root_dir

set_info_file_rename_root_dirq_proto_smb

uint64

Handle/ID of parent directory of the file to rename.

smb

set_info_file_filename_length

set_info_file_filename_lengthq_proto_smb

uint32

Length of the file name field.

smb

read_length

read_lengthq_proto_smb

uint32

This field is set in READ request. It is the number of bytes to read at a given offset (see Q_SMB_READ_OFFSET) from the file referenced by GUID (Q_SMB_FILE_ID). This field can be 0.

smb

read_offset

read_offsetq_proto_smb

uint64

This field is set in READ request. It is the offset in bytes at which the read must be made in the file referenced by GUID (Q_SMB_FILE_ID).

smb

read_data_length

read_data_lengthq_proto_smb

uint32

This field is set in READ response. It is the size of data read from the file referenced by GUID (Q_SMB_FILE_ID).

smb

read_data_remaining

read_data_remainingq_proto_smb

uint32

This field is set in READ response. It is the size in bytes of the remaining data being sent on the Channel specified in the request.

smb

write_length

write_lengthq_proto_smb

uint32

This field is set in WRITE request. It is the number of bytes to write at a given offset (see Q_SMB_WRITE_OFFSET) in the file referenced by GUID (Q_SMB_FILE_ID). This field can be 0.

smb

write_offset

write_offsetq_proto_smb

uint64

This field is set in WRITE request. It is the offset in bytes at which the write must be made in the file referenced by GUID (Q_SMB_FILE_ID).

smb

write_count

write_countq_proto_smb

uint32

This field is set in WRITE response. It is the size of data written in the file referenced by GUID (Q_SMB_FILE_ID).

smb

write_data_remaining

write_data_remainingq_proto_smb

uint32

This field is set in WRITE response. It is a reserved field and is raised whatever it contains. It should be set to 0 by the server.

smb

tcax_rsp_native_fs

tcax_rsp_native_fsq_proto_smb

bytes

Name of the file system on the local resource to which the returned Tree ID is connected (null terminated Unicode or OEM characters).

sip

method

methodq_proto_sip

bytes

The command

sip

uri

uriq_proto_sip

bytes

Contains the URI (similar to To: field)

sip

reply_code

reply_codeq_proto_sip

bytes

Return status code.

sip

mime_type

mime_typeq_proto_sip

bytes

Data type.

sip

user_agent

user_agentq_proto_sip

bytes

Client's software.

sip

request_call_id

request_call_idq_proto_sip

bytes

Call's id extracted for each sip request.

sip

server_agent

server_agentq_proto_sip

bytes

Server's software.

sip

subject

subjectq_proto_sip

bytes

The subject header present in the SIP packet.

sip

date

dateq_proto_sip

bytes

Contains the date and time.

sip

call_id

call_idq_proto_sip

bytes

Call id, extracted for each call.

sip

time_before_spk

time_before_spkq_proto_sip

string

Waiting delay before speaking.

sip

call_duration

call_durationq_proto_sip

string

Call duration.

sip

caller

callerq_proto_sip

bytes

Contains the identity (or the phone number) of the initiator of the call.

sip

callee

calleeq_proto_sip

bytes

Contains the identity (or the phone number) of the called party for a call.

sip

caller_addr

caller_addrq_proto_sip

string

Address which could be used by the initiator of the call.

sip

callee_addr

callee_addrq_proto_sip

string

Address which could be used by the called party.

sip

media_type

media_typeq_proto_sip

bytes

Contains the media type.

sip

media_proto

media_protoq_proto_sip

bytes

Protocol used in client stream.

sip

media_format

media_formatq_proto_sip

uint32

Client's protocol formats available.

sip

user_id

user_idq_proto_sip

bytes

Client identifier used to register with a SIP server.

sip

domain

domainq_proto_sip

bytes

Caller's or callee's domain

sip

connection_info_nb_addr

connection_info_nb_addrq_proto_sip

uint32

Number of addresses defined for the connection (see RFC 4566 section 5.14).

sip

data_nb_ports

data_nb_portsq_proto_sip

uint32

Number of ports defined for the connection (see RFC 4566 section 5.14).

sip

mime_type_main

mime_type_mainq_proto_sip

bytes

Primary part of the MIME type.

sip

mime_type_sub

mime_type_subq_proto_sip

bytes

Second part of the MIME type.

stun

mapped_address_ipv4

mapped_address_ipv4q_proto_stun

string

IPv4 address to be mapped.

stun

xor_mapped_address_ipv4

xor_mapped_address_ipv4q_proto_stun

string

IPv4 address to be mapped, in XORed version (obfuscated).

stun

magic_cookie

magic_cookieq_proto_stun

uint32

The magic cookie used to deobfuscate the XOR Mapped Port and XOR Mapped Address.

stun

remote_address_ipv4

remote_address_ipv4q_proto_stun

string

IPv4 address of the distant peer as seen from the STUN relay server.

stun

realm

realmq_proto_stun

bytes

Realm in message used for authentication.

stun

software

softwareq_proto_stun

bytes

Description of the software being used by the agent sending the message.

stun

unxor_mapped_address_ipv4

unxor_mapped_address_ipv4q_proto_stun

string

IPv4 address to be mapped, in decoded XOR version (deobfuscated).

smpp

sender

senderq_proto_smpp

bytes

Sender's address.

smpp

receiver

receiverq_proto_smpp

bytes

Receiver's address.

silverlight

video_datarate

video_datarateq_proto_silverlight

bytes

Video bitrate in kilobits per second.

smtp

login

loginq_proto_smtp

bytes

User's login string.

smtp

password

passwordq_proto_smtp

bytes

User's password string.

smtp

sender_alias

sender_aliasq_proto_smtp

bytes

Name of the email sender.

smtp

sender_email

sender_emailq_proto_smtp

bytes

Email address of the email sender.

smtp

sender_domain

sender_domainq_proto_smtp

bytes

Domain of the sender's email address.

smtp

receiver_domain

receiver_domainq_proto_smtp

bytes

Domain of the recipient's email address.

smtp

receiver_email

receiver_emailq_proto_smtp

bytes

Email address of message receiver (including cc and bcc receivers).

smtp

method

methodq_proto_smtp

bytes

Command sent by the client

smtp

response_code

response_codeq_proto_smtp

uint32

Return code

smtp

server_response

server_responseq_proto_smtp

bytes

The return code of the server

smtp

subject

subjectq_proto_smtp

bytes

Message subject.

smtp

date

dateq_proto_smtp

bytes

Message date.

smtp

mime_type

mime_typeq_proto_smtp

bytes

Mail's content type.

smtp

msg_id

msg_idq_proto_smtp

bytes

Identifier of the message.

smtp

user_agent

user_agentq_proto_smtp

bytes

Name of the software used.

smtp

start_time

start_timeq_proto_smtp

string

Starting time of SMTP session

smtp

stop_time

stop_timeq_proto_smtp

string

Ending time of SMTP session

smtp

duration

durationq_proto_smtp

string

Duration of the SMTP session

smtp

attach_type

attach_typeq_proto_smtp

bytes

Content type of the sent attached file.

smtp

attach_size

attach_sizeq_proto_smtp

uint32

Attached file MIME size.

smtp

attach_disposition

attach_dispositionq_proto_smtp

bytes

Full 'Content-Disposition' header value starting with attached file disposition (inline, attachment, ...).

smtp

attach_filename

attach_filenameq_proto_smtp

bytes

Attachment name.

smtp

server

serverq_proto_smtp

bytes

Contains the name of the SMTP server used.

smtp

replyto

replytoq_proto_smtp

bytes

Email address to use in a reply for this message.

smtp

file_type

file_typeq_proto_smtp

bytes

Received or sent file content type (prefix-based pattern recognition) exchanged using this protocol.

smtp

email

emailq_proto_smtp

bool

Parent entry, for fields belonging to the same email.

smtp

sender_entry

sender_entryq_proto_smtp

bool

Parent entry, for different elements belonging to the sender.

smtp

mailfrom

mailfromq_proto_smtp

bool

Contains the domain and the sender's email

smtp

rcptto

rcpttoq_proto_smtp

bool

Domain and recipient's email address (used by RCPT TO method).

smtp

receiver_entry

receiver_entryq_proto_smtp

bool

Parent entry, for different elements belonging to the email receiver.

smtp

request

requestq_proto_smtp

bool

Parent entry, empty, for client request and server response.

smtp

attach

attachq_proto_smtp

bool

Parent entry, for attach fields in a message.

smtp

content

contentq_proto_smtp

bytes

Full message content (headers, body, attachments). The data is extracted in streamed mode, line per line.

smtp

received

receivedq_proto_smtp

bool

Parent entry, for fields added by each relay

smtp

end

endq_proto_smtp

Void

Indicates the end of a top-level parent attribute. This attribute's behavior depends on the method used to extract it: 1) If using the ixEngine v4 API function "uevent_hook_add_parms", it will be extracted like any other attribute. 2) If using the ixEngine v4 API function "afc_metadata_add", it will generate an attribute having the attribute ID of the associated top-level parent attribute and the ctb_metadata_attr.qm_end flag set to 1. 3) In ixEngine v5, the "qmdpi_result_attr_getnext" function allows user to get attribute information (flow, proto_id, attr_id, data, data_len and flags). When the parent attribute is ended, the QMDPI_ATTR_PARENT_END flag is set to 1.

smtp

attach_filename_cdispo

attach_filename_cdispoq_proto_smtp

bytes

Attachment name. The attachment name is extracted from 'Content-Disposition' field.

smtp

attach_size_decoded

attach_size_decodedq_proto_smtp

uint32

Base64-decoded attached file content size in Bytes.

smtp

email_boundary

email_boundaryq_proto_smtp

bytes

Boundary used to separate different parts of the message body.

smtp

resent_from

resent_fromq_proto_smtp

bytes

Full address of the person for whom message is resent.

smtp

resent_from_email

resent_from_emailq_proto_smtp

bytes

Email address of the person for whom message is resent.

smtp

resent_from_alias

resent_from_aliasq_proto_smtp

bytes

Name of the person for whom message is resent.

smtp

resent_sender

resent_senderq_proto_smtp

bytes

Full address of the person who has actually resent the message.

smtp

resent_sender_email

resent_sender_emailq_proto_smtp

bytes

Email address of the person who has actually resent the message.

smtp

resent_sender_alias

resent_sender_aliasq_proto_smtp

bytes

Name of the person who has actually resent the message.

smtp

attach_content_id

attach_content_idq_proto_smtp

bytes

Attached file content identifier.

smtp

attach_content_desc

attach_content_descq_proto_smtp

bytes

Descriptive information for the attached file content.

smtp

content_id

content_idq_proto_smtp

bytes

Indicates the identifier of the email content.

smtp

content_desc

content_descq_proto_smtp

bytes

Indicates the description of the email content.

smtp

received_by

received_byq_proto_smtp

bytes

Contains the name of the receiving host.

smtp

mime_version

mime_versionq_proto_smtp

bytes

Version of the message body format standard used in the mail protocol.

smtp

return_path

return_pathq_proto_smtp

bytes

Message return path.

smtp

client_domain

client_domainq_proto_smtp

bytes

Client domain information as found in the EHLO or HELO SMTP command parameter. This parameter gives the SMTP client domain name to the server. It can be sent as an FQDN or an IP address.

smtp

x_originating_ip4

x_originating_ip4q_proto_smtp

string

The IP address of client who sent the email.

smtp

x_originating_str

x_originating_strq_proto_smtp

bytes

Non-standard SMTP header representing the origin IP address (IPv4 or IPv6) of client in string format.

smtp

in_reply_to

in_reply_toq_proto_smtp

bytes

Email address of the original message used when creating a reply message.

snmp

community

communityq_proto_snmp

bytes

Community name.

snmp

method

methodq_proto_snmp

bytes

SNMP request type.

snmp

request_id

request_idq_proto_snmp

uint32

Request Identifier.

snmp

oid

oidq_proto_snmp

bytes

Object Identifier.

snmp

value_len

value_lenq_proto_snmp

uint32

Size of value_raw in bytes.

snmp

name

nameq_proto_snmp

bytes

Name of the user.

snpp

login

loginq_proto_snpp

bytes

User's login string.

snpp

password

passwordq_proto_snpp

bytes

User's password string.

snpp

method

methodq_proto_snpp

bytes

Contains the SNPP command.

snpp

caller_id

caller_idq_proto_snpp

bytes

Login of the person who sent the message.

snpp

message

messageq_proto_snpp

bytes

Contains the message sent to the pager.

snpp

pager_id

pager_idq_proto_snpp

bytes

Contains pager number.

ssdp

header_value

header_valueq_proto_ssdp

bytes

Header data.

ssdp

header_name

header_nameq_proto_ssdp

bytes

Header name.

ssdp

content_length

content_lengthq_proto_ssdp

bytes

Length of the request body in bytes. (CONTENT-LENGTH field value)

ssdp

cache_control

cache_controlq_proto_ssdp

bytes

Contains max-age directive (max-age=) followed by an integer that specifies the validity duration in seconds. (CACHE-CONTROL field value)

ssdp

server_agent

server_agentq_proto_ssdp

bytes

Server information (SERVER field value). It contains the product tokens: <OS name/OS version> <UPnP/upnp version> <product name/product version>.

ssdp

location

locationq_proto_ssdp

bytes

URL for UPnP description of the device. (LOCATION field value)

ssdp

host

hostq_proto_ssdp

bytes

Domain name or IP address and optional port. (HOST field value)

ssdp

unique_service_name

unique_service_nameq_proto_ssdp

bytes

Unique service name. (USN field value)

ssdp

notification_sub_type

notification_sub_typeq_proto_ssdp

bytes

Notification sub type. (NTS field value)

ssdp

notification_type

notification_typeq_proto_ssdp

bytes

Notification type. (NT field value)

ssdp

search_target

search_targetq_proto_ssdp

bytes

Search target. (ST field value)

ssdp

uri

uriq_proto_ssdp

bytes

URI contained in the request.

ssdp

version

versionq_proto_ssdp

bytes

Version of the SSDP protocol used in the message.

ssdp

method

methodq_proto_ssdp

bytes

Contains the SSDP command.

sina_webmail

folderlist

folderlistq_proto_sina_webmail

bytes

Contains the message folder list.

sina_webmail

msglist_date

msglist_dateq_proto_sina_webmail

bytes

Message date in a message list.

sina_webmail

msglist_subject

msglist_subjectq_proto_sina_webmail

bytes

Message subject in a message list.

sina_webmail

msglist_receiver_alias

msglist_receiver_aliasq_proto_sina_webmail

bytes

Name of email receiver.

sina_webmail

msglist_receiver_email

msglist_receiver_emailq_proto_sina_webmail

bytes

Email address of the email receiver.

sina_webmail

msglist_receiver

msglist_receiverq_proto_sina_webmail

bytes

Full address of email receiver in a message list.

sina_webmail

msglist_sender_alias

msglist_sender_aliasq_proto_sina_webmail

bytes

Name of email sender.

sina_webmail

msglist_sender_email

msglist_sender_emailq_proto_sina_webmail

bytes

Address of email sender.

sina_webmail

msglist_sender

msglist_senderq_proto_sina_webmail

bytes

Full address of email sender (alias and email address).

sina_webmail

msglist_msgid

msglist_msgidq_proto_sina_webmail

bytes

Message identifier.

sina_webmail

date

dateq_proto_sina_webmail

bytes

Message date.

sina_webmail

content

contentq_proto_sina_webmail

bytes

Message content.

sina_webmail

importance

importanceq_proto_sina_webmail

uint32

Indicates if the email has been marked by the user.

sina_webmail

subject

subjectq_proto_sina_webmail

bytes

Message subject.

sina_webmail

receiver_type

receiver_typeq_proto_sina_webmail

bytes

Type of the email receiver.

sina_webmail

receiver_alias

receiver_aliasq_proto_sina_webmail

bytes

Name of email receiver (including cc and bcc receivers).

sina_webmail

receiver_email

receiver_emailq_proto_sina_webmail

bytes

Email address of message receiver (including cc and bcc receivers).

sina_webmail

receiver

receiverq_proto_sina_webmail

bytes

Full address of email receiver (including cc and bcc receivers).

sina_webmail

sender_alias

sender_aliasq_proto_sina_webmail

bytes

Name of the email sender.

sina_webmail

sender_email

sender_emailq_proto_sina_webmail

bytes

Email address of the email sender.

sina_webmail

sender

senderq_proto_sina_webmail

bytes

Full address of email sender (alias followed by email address).

sina_webmail

action

actionq_proto_sina_webmail

bytes

Indicates the action executed by the user.

sina_webmail

attach_id

attach_idq_proto_sina_webmail

bytes

Attachment identifier.

sina_webmail

attach_size

attach_sizeq_proto_sina_webmail

uint32

Attached file MIME size.

sina_webmail

attach_filename

attach_filenameq_proto_sina_webmail

bytes

Attachment name.

sina_webmail

msg_id

msg_idq_proto_sina_webmail

bytes

Identifier of the message.

sina_webmail

draft

draftq_proto_sina_webmail

uint32

Indicates if the email is a draft or has really been posted

sina_webmail

attach_type

attach_typeq_proto_sina_webmail

bytes

Content type of the sent attached file.

sina_webmail

is_html

is_htmlq_proto_sina_webmail

uint32

Specifies whether the email content format is HTML or not.

sina_webmail

folder

folderq_proto_sina_webmail

bytes

Indicates the directory from where messages are read.

sina_webmail

folderlist_item_name

folderlist_item_nameq_proto_sina_webmail

bytes

Message folder name.

sina_webmail

folderlist_item_id

folderlist_item_idq_proto_sina_webmail

bytes

Message folder unique identifier.

sina_webmail

msglist_folder

msglist_folderq_proto_sina_webmail

bytes

Indicates the directory from a message list.

sina_weibo

user_id

user_idq_proto_sina_weibo

bytes

Unique identifier related to a single user. This attribute is available for clear traffic from mobile applications; it may not be available for traffic from recent web browsers enforcing use of TLS.

sccp

call_id

call_idq_proto_sccp

uint32

Call id, extracted for each call.

sccp

caller

callerq_proto_sccp

bytes

Contains the identity (or the phone number) of the initiator of the call.

sccp

callee

calleeq_proto_sccp

bytes

Contains the identity (or the phone number) of the called party for a call.

sccp

callername

callernameq_proto_sccp

bytes

Calling party identity

sccp

calleename

calleenameq_proto_sccp

bytes

Called party identity

sccp

device_type

device_typeq_proto_sccp

uint32

Device type

sccp

device_name

device_nameq_proto_sccp

bytes

Device name

sccp

start_time

start_timeq_proto_sccp

string

Start date of the call.

sccp

call_duration

call_durationq_proto_sccp

string

Call duration.

sccp

nb_pkt_sent

nb_pkt_sentq_proto_sccp

uint32

Number of RTP packets sent

sccp

nb_pkt_rcv

nb_pkt_rcvq_proto_sccp

uint32

Number of RTP packets received

sccp

nb_byt_sent

nb_byt_sentq_proto_sccp

uint32

Number of RTP octets sent

sccp

nb_byt_rcv

nb_byt_rcvq_proto_sccp

uint32

Number of RTP octets received

sccp

nb_pkt_lost

nb_pkt_lostq_proto_sccp

uint32

Number of RTP packets lost

sccp

stats_jitter

stats_jitterq_proto_sccp

uint32

Observed Jitter for RTP packets

sccp

stats_latency

stats_latencyq_proto_sccp

uint32

Observed latency for RTP packets

sccp

message_type

message_typeq_proto_sccp

uint32

The type of the message.

sccp

call_way

call_wayq_proto_sccp

uint32

The call Way (In, Out)

sccp

callstate

callstateq_proto_sccp

uint32

Status of the current call

sccp

codec

codecq_proto_sccp

uint32

The codec used in the RTP session

sccp

softkeyevent

softkeyeventq_proto_sccp

uint32

Contains the soft key event

skyblog

login

loginq_proto_skyblog

bytes

User's login string.

skype

version

versionq_proto_skype

bytes

Skype client version.

skype

service

serviceq_proto_skype

bytes

Current service identification string.

skype

service_id

service_idq_proto_skype

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

skype

service_duration

service_durationq_proto_skype

uint32

4-byte integer value indicating, when the service has ended, its length in seconds.

skype

service_duration_tv

service_duration_tvq_proto_skype

string

Timeval structure indicating, when the service has ended, its length in seconds and microseconds.

skype

service_stats

service_statsq_proto_skype

bytes

Composite attribute containing the packet metrics used for each new service type detection, extracted only when performing the STATISTICAL detection method. Note: this attribute won't be extracted in case of session expiration (e.g. when the current service is not ended properly by the user).

skype

service_divergence

service_divergenceq_proto_skype

uint32

The minimal "distance" between the real traffic and its theoretical model as implemented in the Qosmos plugin.

slack

service_id

service_idq_proto_slack

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

slack

service_duration_tv

service_duration_tvq_proto_slack

string

Timeval structure indicating, when the service has ended, its length in seconds and microseconds.

slack

service_duration

service_durationq_proto_slack

uint32

4-byte integer value indicating, when the service has ended, its length in seconds.

slack

service

serviceq_proto_slack

bytes

Current service identification string.

socks4

remote_addr

remote_addrq_proto_socks4

string

Remote IP address.

socks4

remote_name

remote_nameq_proto_socks4

bytes

Fully qualified remote domain name.

socks5

remote_addr

remote_addrq_proto_socks5

string

Remote IP address.

socks5

remote_name

remote_nameq_proto_socks5

bytes

Fully qualified remote domain name.

socks5

login

loginq_proto_socks5

bytes

User's login string.

socks5

password

passwordq_proto_socks5

bytes

User's password string.

slsk

query

queryq_proto_slsk

bytes

Query sent to find a file.

slsk

version

versionq_proto_slsk

uint32

Current version of the Soulseek client.

slsk

filename

filenameq_proto_slsk

bytes

Name of the transferred file.

slsk

filesize

filesizeq_proto_slsk

uint32

Size (byte) of the transferred file.

slsk

file_id

file_idq_proto_slsk

uint64

Unique identifier of a file, based on IP of peer and the unique token for this combination file/peer.

slsk

transfer_way

transfer_wayq_proto_slsk

bytes

Indicates whether the file is uploaded or downloaded.

slsk

password

passwordq_proto_slsk

bytes

User's password string.

slsk

login

loginq_proto_slsk

bytes

User's login string.

spdy

stream_id

stream_idq_proto_spdy

uint32

Stream identifier.

spdy

length

lengthq_proto_spdy

uint32

Length of the message starting at the offset of this field.

spdy

status_code

status_codeq_proto_spdy

uint32

An indicator for why the stream is being terminated.

spdy

header_count

header_countq_proto_spdy

uint32

The number of repeating name/value pairs following this field

spdy

header_name

header_nameq_proto_spdy

bytes

Header name, prefixed by a ':' if it's a mandatory SPDY header.

spdy

header_value

header_valueq_proto_spdy

bytes

Header value.

spdy

associated_stream_id

associated_stream_idq_proto_spdy

uint32

Identifier for a stream which this stream is associated to.

spdy

host

hostq_proto_spdy

bytes

Host name value extracted from the Host header.

spdy

server_agent

server_agentq_proto_spdy

bytes

Name of the server software.

spdy

location

locationq_proto_spdy

bytes

Destination address where the client is redirected.

spdy

referer

refererq_proto_spdy

bytes

Source address from which the client obtained the requested URI.

spdy

uri_raw

uri_rawq_proto_spdy

bytes

Complete name (scheme/authority + path + request) of a web resource.

spdy

cookie

cookieq_proto_spdy

bytes

Raw value of the SPDY Cookie header line, containing the SPDY request cookies.

spdy

content_disposition

content_dispositionq_proto_spdy

bytes

Information related to the disposition of the content present on the web page.

spdy

content_len

content_lenq_proto_spdy

bytes

Contains the content length of the SPDY request/response.

spdy

method

methodq_proto_spdy

bytes

SPDY command sent by the client.

spdy

user_agent

user_agentq_proto_spdy

bytes

Software used by the client to access the web page.

spdy

mime_type

mime_typeq_proto_spdy

bytes

Content type of the request or the web page.

spdy

content_transfer_encoding

content_transfer_encodingq_proto_spdy

bytes

Corresponds to HTTP's Transfer-Encoding header. Contains the content encoding (TRANSFER-ENCODING HTTP header).

spdy

content_encoding

content_encodingq_proto_spdy

bytes

Contains content encoding format.

spdy

date

dateq_proto_spdy

bytes

Message date.

spdy

code

codeq_proto_spdy

uint32

Return code sent by the server.

speedtest

test

testq_proto_speedtest

bytes

Defines which connection test is being performed.

squirrelmail

contact_email

contact_emailq_proto_squirrelmail

bytes

Email address of a contact.

squirrelmail

contact_alias

contact_aliasq_proto_squirrelmail

bytes

Alias of a contact.

squirrelmail

msglist_sender_alias

msglist_sender_aliasq_proto_squirrelmail

bytes

Name of email sender.

squirrelmail

msglist_sender_email

msglist_sender_emailq_proto_squirrelmail

bytes

Address of email sender.

squirrelmail

msglist_subject

msglist_subjectq_proto_squirrelmail

bytes

Message subject in a message list.

squirrelmail

msglist_date

msglist_dateq_proto_squirrelmail

bytes

Message date in a message list.

squirrelmail

msglist_receiver_alias

msglist_receiver_aliasq_proto_squirrelmail

bytes

Name of email receiver.

squirrelmail

msglist_receiver_email

msglist_receiver_emailq_proto_squirrelmail

bytes

Email address of the email receiver.

squirrelmail

msglist_msgid

msglist_msgidq_proto_squirrelmail

bytes

Message identifier.

squirrelmail

attach_size

attach_sizeq_proto_squirrelmail

uint32

Attached file MIME size.

squirrelmail

date

dateq_proto_squirrelmail

bytes

Message date.

squirrelmail

sender_alias

sender_aliasq_proto_squirrelmail

bytes

Name of the email sender.

squirrelmail

sender_email

sender_emailq_proto_squirrelmail

bytes

Email address of the email sender.

squirrelmail

msg_id

msg_idq_proto_squirrelmail

bytes

Identifier of the message.

squirrelmail

folder

folderq_proto_squirrelmail

bytes

Indicates the directory from where messages are read.

squirrelmail

subject

subjectq_proto_squirrelmail

bytes

Message subject.

squirrelmail

receiver_type

receiver_typeq_proto_squirrelmail

bytes

Type of the email receiver.

squirrelmail

receiver_alias

receiver_aliasq_proto_squirrelmail

bytes

Name of email receiver (including cc and bcc receivers).

squirrelmail

receiver_email

receiver_emailq_proto_squirrelmail

bytes

Email address of message receiver (including cc and bcc receivers).

squirrelmail

attach_type

attach_typeq_proto_squirrelmail

bytes

Content type of the sent attached file.

squirrelmail

attach_filename

attach_filenameq_proto_squirrelmail

bytes

Attachment name.

squirrelmail

draft

draftq_proto_squirrelmail

uint32

Indicates if the email is a draft or has really been posted.

squirrelmail

action

actionq_proto_squirrelmail

bytes

Indicates if the message is read (Read) or composed (Compose).

squirrelmail

login_server

login_serverq_proto_squirrelmail

bytes

Concatenated login and server: <login>@<server>.

squirrelmail

password

passwordq_proto_squirrelmail

bytes

User's password string.

squirrelmail

login

loginq_proto_squirrelmail

bytes

User's login string.

squirrelmail

msglist_folder

msglist_folderq_proto_squirrelmail

bytes

Indicates the directory from a message list.

squirrelmail

attach_id

attach_idq_proto_squirrelmail

bytes

Attachment identifier.

spid

found_protocol

found_protocolq_proto_spid

bytes

Protocol name that has been discovered by SPID.

spid

divergence

divergenceq_proto_spid

uint32

Divergence giving the "distance" between the flow content and the selected SPID model. The smaller the divergence, the better the classification.

sctp

chunk_data_tsn

chunk_data_tsnq_proto_sctp

uint32

The Transmission Sequence Number is a global sequence number of chunks.

sctp

chunk_data_proto

chunk_data_protoq_proto_sctp

uint32

Indicates the data type (or protocol) contained in the chunk.

sctp

chunk_data_len

chunk_data_lenq_proto_sctp

uint32

The chunk data length (the payload length).

syslog

code

codeq_proto_syslog

bytes

Message type.

t38

caller

callerq_proto_t38

bytes

Calling subscriber identification

t38

callee

calleeq_proto_t38

bytes

Called subscriber identification

t38

fax_message_number

fax_message_numberq_proto_t38

bytes

Identification associated to the following FAX messages: CSI the called subscriber identification (which is equal to the callee), CIG the calling subscriber identification (which is the caller), PWD the password, SEP the selective polling, PSA the polled subaddress, TSI the transmitting subscriber identification, SUB the subaddress and SID the sender identification.

tds

login

loginq_proto_tds

bytes

User's login string.

tds

password

passwordq_proto_tds

bytes

User's password string.

tds

hostname

hostnameq_proto_tds

bytes

Name of workstation communicating with the SQL server.

tds

application

applicationq_proto_tds

bytes

Name of application used to connect to the database.

tds

server

serverq_proto_tds

bytes

Name of server hosting the SQL Server.

tds

library

libraryq_proto_tds

bytes

Name of network dynamic-link library used.

tds

database_name

database_nameq_proto_tds

bytes

Name of the used database.

tds

language

languageq_proto_tds

bytes

User locale.

tds

query

queryq_proto_tds

bytes

SQL query sent by the client.

tds

login_encrypted

login_encryptedq_proto_tds

uint32

This attribute is set to one if the login phase is encrypted. Implemented conforming to the Microsoft 2014 MS-TDS official specification (http://msdn.microsoft.com/en-us/library/dd304523.aspx); beware, the behaviour may be different with old releases of MS SQL Server not supporting the standard.

tds

query_id

query_idq_proto_tds

bytes

Request identifier. It is used to correlate SQL queries with query parameter values (Bind Variables).

tds

bind_variable

bind_variableq_proto_tds

bytes

Parent attribute containing attributes related to a query parameter (Bind Variable).

tds

variable_type

variable_typeq_proto_tds

bytes

Data type of a SQL query parameter (Bind Variable).

tds

variable_id

variable_idq_proto_tds

bytes

Query parameter (Bind Variable) identifier within a SQL request.

tds

variable_format

variable_formatq_proto_tds

uint32

Format of a SQL query parameter (Bind Variable).

tds

number_columns

number_columnsq_proto_tds

uint64

Column count in the result data set retrieved from server after a SQL query.

tds

number_rows

number_rowsq_proto_tds

uint32

Row count in the result data set retrieved from server after a SQL query.

tds

sqlstate_code

sqlstate_codeq_proto_tds

uint32

SQL error code.

tagged

login

loginq_proto_tagged

bytes

User's login string.

tagged

password

passwordq_proto_tagged

bytes

User's password string.

tango

callee_id

callee_idq_proto_tango

bytes

Called part identifier.

tango

caller_id

caller_idq_proto_tango

bytes

Calling part identifier.

tango

callee

calleeq_proto_tango

bytes

Contains the identity (or the phone number) of the called party for a call.

tango

caller

callerq_proto_tango

bytes

Contains the identity (or the phone number) of the initiator of the call.

tango

call_id

call_idq_proto_tango

bytes

Call id, extracted for each call.

tango

phone_number

phone_numberq_proto_tango

bytes

User's phone number.

tango

user_email

user_emailq_proto_tango

bytes

User's email address.

tango

login

loginq_proto_tango

bytes

User's login string.

tango

user_id

user_idq_proto_tango

bytes

Unique user identifier.

tango

device_id

device_idq_proto_tango

bytes

User's device identifier.

tango

call_duration

call_durationq_proto_tango

uint32

Call duration.

tango

service

serviceq_proto_tango

bytes

Current service identification string.

tango

attach_filename

attach_filenameq_proto_tango

bytes

Transferred file name.

tango

service_duration_tv

service_duration_tvq_proto_tango

string

Timeval structure indicating, when the service is ended, the duration of it in seconds and microseconds.

tango

service_duration

service_durationq_proto_tango

uint32

4-byte integer value indicating, when the service is ended, the duration of it in seconds.

tango

service_id

service_idq_proto_tango

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

tango

service_stats

service_statsq_proto_tango

bytes

Composite attribute containing the packet metrics used for each new service type detection, extracted only when performing the STATISTICAL detection method. Note: this attribute won't be extracted in case of session expiration (e.g., when the current service is not ended properly by the user).

tchatche

login

loginq_proto_tchatche

bytes

User's login string.

tchatche

password

passwordq_proto_tchatche

bytes

User's password string.

teamspeak

channel_description

channel_descriptionq_proto_teamspeak

bytes

Channel description (long)

teamspeak

channel_action

channel_actionq_proto_teamspeak

bytes

Action associated to a channel

teamspeak

channel_topic

channel_topicq_proto_teamspeak

bytes

Channel topic (short)

teamspeak

channel_user

channel_userq_proto_teamspeak

bytes

User associated to an action on a channel

teamspeak

channel_name

channel_nameq_proto_teamspeak

bytes

Channel name

teamspeak

channel_id

channel_idq_proto_teamspeak

uint32

Channel ID

teamspeak

contact_uid

contact_uidq_proto_teamspeak

uint32

Contact ID.

teamspeak

contact_alias

contact_aliasq_proto_teamspeak

bytes

Contact alias.

teamspeak

message_scope

message_scopeq_proto_teamspeak

uint32

Message scope

teamspeak

message

messageq_proto_teamspeak

bytes

Contains the chat message.

teamspeak

receiver_uid

receiver_uidq_proto_teamspeak

uint32

Receiver ID for this message

teamspeak

receiver

receiverq_proto_teamspeak

bytes

Contains the identity of the receiver for a chat message or a file transfer.

teamspeak

sender_uid

sender_uidq_proto_teamspeak

uint32

Sender ID for this message

teamspeak

sender

senderq_proto_teamspeak

bytes

Contains the identity of the sender of a chat session or a file transfer.

teamspeak

channel

channelq_proto_teamspeak

bytes

Chat room name.

teamspeak

greeting_message

greeting_messageq_proto_teamspeak

bytes

Server greeting message

teamspeak

server_version

server_versionq_proto_teamspeak

bytes

Server software version

teamspeak

server_name

server_nameq_proto_teamspeak

bytes

Server name

teamspeak

server_platform

server_platformq_proto_teamspeak

bytes

Server architecture

teamspeak

client_version

client_versionq_proto_teamspeak

bytes

Client software version

teamspeak

client_software

client_softwareq_proto_teamspeak

bytes

Client software name

teamspeak

client_platform

client_platformq_proto_teamspeak

bytes

Client architecture

teamspeak

client_uid

client_uidq_proto_teamspeak

uint32

Client session ID

teamspeak

session_id

session_idq_proto_teamspeak

uint32

Uniquely identifies the current user session.

teamspeak

password

passwordq_proto_teamspeak

bytes

User's password string.

teamspeak

login

loginq_proto_teamspeak

bytes

User's login string.

teamspeak

nickname

nicknameq_proto_teamspeak

bytes

User nickname

telegram

service

serviceq_proto_telegram

bytes

Current service identification string.

telegram

service_id

service_idq_proto_telegram

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

telegram

service_duration

service_durationq_proto_telegram

uint32

4-byte integer value indicating, when the service is ended, the length of it in seconds.

telegram

service_duration_tv

service_duration_tvq_proto_telegram

string

Structure indicating, when the service is ended, the length of it in seconds and microseconds.

telnet

login

loginq_proto_telnet

bytes

User's login string.

telnet

password

passwordq_proto_telnet

bytes

User's password string.

telnet

term_type

term_typeq_proto_telnet

bytes

Terminal type.

telnet

rtt

rttq_proto_telnet

string

Server response time.

teredo

server_ip

server_ipq_proto_teredo

string

The IPv4 network address of the Teredo server involved in the exchange, read from the encapsulated IPv6 packet header

teredo

client_ip

client_ipq_proto_teredo

string

Client's mapped IPv4 net address.

teredo

origin_client_ip

origin_client_ipq_proto_teredo

string

IPv4 client address as visible in the Origin Indication

teredo

client_id

client_idq_proto_teredo

bytes

Client identifier, set up during its configuration

teredo

auth_value

auth_valueq_proto_teredo

bytes

Client Authentication string

tcp

seg_buffered_count

seg_buffered_countq_proto_tcp

uint32

Number of segments that have been buffered for reassembly

tcp

seg_buffered_size

seg_buffered_sizeq_proto_tcp

uint32

Sum of the sizes of segments that have been buffered for reassembly.

tns

login

loginq_proto_tns

bytes

User's login string.

tns

password

passwordq_proto_tns

bytes

User's password string.

tns

base

baseq_proto_tns

bytes

Database name.

tns

server_hostname

server_hostnameq_proto_tns

bytes

Database server hostname.

tns

server_os

server_osq_proto_tns

bytes

Database server operating system.

tns

client_os

client_osq_proto_tns

bytes

Client machine operating system.

tns

client_hostname

client_hostnameq_proto_tns

bytes

Client machine hostname.

tns

client_program_path

client_program_pathq_proto_tns

bytes

Client program absolute path.

tns

client_program_name

client_program_nameq_proto_tns

bytes

Client program name.

tns

query

queryq_proto_tns

bytes

SQL query sent by the client.

tns

response_size

response_sizeq_proto_tns

uint32

Unitary size in bytes of one of the PDUs returned by the server.

tns

response_time

response_timeq_proto_tns

string

Elapsed time between sending of the tns request and reception of its response.

tns

rdbms_version

rdbms_versionq_proto_tns

bytes

Version of the Relational Data Base Management System

tns

oracle_version

oracle_versionq_proto_tns

uint32

Version of the Oracle server

tns

sqlstate_code

sqlstate_codeq_proto_tns

bytes

SQL error code.

tns

variable_id

variable_idq_proto_tns

bytes

Query parameter (Bind Variable) identifier within a SQL request.

tns

variable_type

variable_typeq_proto_tns

bytes

Data type of a SQL query parameter (Bind Variable).

tns

number_columns

number_columnsq_proto_tns

uint64

Column count in the result data set retrieved from server after a SQL query.

tns

number_rows

number_rowsq_proto_tns

uint32

Row count in the result data set retrieved from server after a SQL query.

tftp

filename

filenameq_proto_tftp

bytes

Name of the transferred file.

tftp

request_filename

request_filenameq_proto_tftp

bytes

Name of the requested file.

tftp

filesize

filesizeq_proto_tftp

uint32

Size (byte) of the transferred file.

tftp

mode

modeq_proto_tftp

bytes

File transfer mode (Netascii/Binary/Mail).

tftp

query

queryq_proto_tftp

bytes

Command type.

twitter

media_url

media_urlq_proto_twitter

bytes

URL of the image which is shared inside a tweet (legacy Twitter API).

twitter

tweet

tweetq_proto_twitter

bytes

Text of a tweet or a direct message.

twitter

user_id

user_idq_proto_twitter

bytes

User id appearing in the result of a request.

twitter

param_screen_name

param_screen_nameq_proto_twitter

bytes

User screen name used as request parameter.

twitter

param_user_id

param_user_idq_proto_twitter

bytes

User id used as request parameter.

twitter

action

actionq_proto_twitter

bytes

Indicates the action executed by the user.

twitter

login

loginq_proto_twitter

bytes

User's login string.

twitter

session_id

session_idq_proto_twitter

bytes

Uniquely identifies the current user session.

unknown

maybe_application_id

maybe_application_idq_proto_unknown

uint32

Possible application's ID for this flow.

unknown

maybe_application

maybe_applicationq_proto_unknown

bytes

Possible application's name for this flow.

unknown

maybe_family

maybe_familyq_proto_unknown

bytes

Protocol family of a possible application for this flow.

upnp

server_agent

server_agentq_proto_upnp

bytes

Server information (SERVER field value). It contains the product tokens: <OS name/OS version> <UPnP/upnp version> <product name/product version>, v5 only.

upnp

user_agent

user_agentq_proto_upnp

bytes

Client information (USER-AGENT field value). It contains the product tokens: <OS name/OS version> <UPnP/upnp version> <product name/product version>, v5 only.

ustream

password

passwordq_proto_ustream

bytes

User's password string.

ustream

login

loginq_proto_ustream

bytes

User's login string.

ustream

query_text

query_textq_proto_ustream

bytes

Query sent to the search engine.

ustream

query_raw

query_rawq_proto_ustream

bytes

Contains the query sent to the search engine as indicated in the URL.

viadeo

login

loginq_proto_viadeo

bytes

User's login string.

viadeo

contact_email

contact_emailq_proto_viadeo

bytes

Contact's mail address.

viber

filesize

filesizeq_proto_viber

uint64

Size (byte) of the transferred file.

viber

service

serviceq_proto_viber

bytes

Current service identification string.

viber

service_id

service_idq_proto_viber

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

viber

service_duration

service_durationq_proto_viber

uint32

4-byte integer value indicating, when the service is ended, the length of it in seconds.

viber

service_duration_tv

service_duration_tvq_proto_viber

string

Structure indicating, when the service is ended, the length of it in seconds and microseconds.

vxlan

vxlan_id

vxlan_idq_proto_vxlan

uint32

VLAN Identifier of the frame.

vkontakte

group_name

group_nameq_proto_vkontakte

bytes

Name of the group the user has subscribed to.

vkontakte

contact_uid

contact_uidq_proto_vkontakte

bytes

Contact ID.

vkontakte

account_uid

account_uidq_proto_vkontakte

bytes

User ID.

vkontakte

login

loginq_proto_vkontakte

bytes

User's login string.

webex

service

serviceq_proto_webex

bytes

Current service identification string, v5 only.

webex

service_id

service_idq_proto_webex

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer), v5 only.

webex

service_duration

service_durationq_proto_webex

uint32

4-byte integer value indicating, when the service is ended, the length of it in seconds, v5 only.

webex

service_duration_tv

service_duration_tvq_proto_webex

string

Timeval structure indicating, when the service is ended, the length of it in seconds and microseconds, v5 only.

wechat

service_id

service_idq_proto_wechat

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

wechat

service

serviceq_proto_wechat

bytes

Current service identification string.

wechat

service_duration

service_durationq_proto_wechat

uint32

4-byte integer value indicating, when the service is ended, the length of it in seconds.

wechat

service_duration_tv

service_duration_tvq_proto_wechat

string

Structure indicating, when the service is ended, the length of it in seconds and microseconds.

wechat

user_id

user_idq_proto_wechat

bytes

Unique identifier related to a single user. This attribute is available for clear traffic from mobile applications; it may not be available for traffic from recent web browsers enforcing use of TLS.

whatsapp

version

versionq_proto_whatsapp

bytes

Program version.

whatsapp

service_id

service_idq_proto_whatsapp

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition, the second byte gives an advanced service definition for specific cases (example: File Transfer).

whatsapp

service

serviceq_proto_whatsapp

bytes

Current service identification string.

whatsapp

service_duration_tv

service_duration_tvq_proto_whatsapp

string

Timeval structure indicating, when the service is ended, the length of it in seconds and microseconds.

whatsapp

service_duration

service_durationq_proto_whatsapp

uint32

4-byte integer value indicating, when the service is ended, the length of it in seconds.

wikipedia

query_text

query_textq_proto_wikipedia

bytes

Query sent to the search engine.

wikipedia

query_raw

query_rawq_proto_wikipedia

bytes

Contains the query sent to the search engine as indicated in the URL.

live_groups

login

loginq_proto_live_groups

bytes

User's login string.

live_groups

group_name

group_nameq_proto_live_groups

bytes

Name of the group the user has subscribed to.

live_groups

sender_email

sender_emailq_proto_live_groups

bytes

Email address of the email sender.

live_groups

subject

subjectq_proto_live_groups

bytes

Message subject.

live_groups

action

actionq_proto_live_groups

bytes

Indicates if the message is read (Read) or composed (Compose).

live_groups

msglist_subject

msglist_subjectq_proto_live_groups

bytes

Message subject in a message list.

live_groups

msglist_sender_email

msglist_sender_emailq_proto_live_groups

bytes

Address of email sender.

live_hotmail

login

loginq_proto_live_hotmail

bytes

User's login string.

live_hotmail

sender_email

sender_emailq_proto_live_hotmail

bytes

Email address of the email sender.

live_hotmail

receiver_email

receiver_emailq_proto_live_hotmail

bytes

Email address of message receiver (including cc and bcc receivers).

live_hotmail

subject

subjectq_proto_live_hotmail

bytes

Message subject.

live_hotmail

attach_filename

attach_filenameq_proto_live_hotmail

bytes

Attachment name. Generally encoded in UTF-8, it can be in UTF-16 in some cases.

live_hotmail

action

actionq_proto_live_hotmail

bytes

Indicates if the message is read (Read) or composed (Compose).

windows_marketplace

application_name

application_nameq_proto_windows_marketplace

bytes

Name of the downloaded app.

windows_update

platform

platformq_proto_windows_update

bytes

Indicates the Windows version using this update.

windows_update

kb

kbq_proto_windows_update

bytes

kb (Knowledge base) is a unique internal Microsoft number to identify different software and updates.

winmx

login

loginq_proto_winmx

bytes

User's login string.

winmx

query

queryq_proto_winmx

bytes

Query sent to find a file.

winmx

filename

filenameq_proto_winmx

bytes

Name of the transferred file.

winmx

filesize

filesizeq_proto_winmx

uint32

Size (byte) of the transferred file.

winmx

file_chunk_len

file_chunk_lenq_proto_winmx

uint32

Size of the transferred piece.

winmx

file_chunk_data_offset

file_chunk_data_offsetq_proto_winmx

uint32

Offset of the transferred data.

winmx

loadway

loadwayq_proto_winmx

bytes

Contains the file transfer way (Upload vs Download).

wsp

pdu_type

pdu_typeq_proto_wsp

bytes

Message type.

wsp

uri

uriq_proto_wsp

bytes

Complete name (path + filename) of a web resource.

wsp

connect_rtt

connect_rttq_proto_wsp

string

Connection establishment time.

wsp

query_rtt

query_rttq_proto_wsp

string

Elapsed time between a request and its response.

wsp

server

serverq_proto_wsp

bytes

Server name.

wsp

user_agent

user_agentq_proto_wsp

bytes

Client mobile name.

wsp

mime_type

mime_typeq_proto_wsp

bytes

Data type.

wsp

request_size

request_sizeq_proto_wsp

uint32

Contains the total length of the request or the response (including headers).

wsp

mime_type_main

mime_type_mainq_proto_wsp

bytes

Primary part of the MIME type.

wsp

mime_type_sub

mime_type_subq_proto_wsp

bytes

Second part of the MIME type.

wsp

profile

profileq_proto_wsp

bytes

A link for a full description of the used user_agent.

wsp

index

indexq_proto_wsp

uint32

Identifier of the request and response in a WSP flow.

wsp

index_client

index_clientq_proto_wsp

uint32

Identifier of the request in a WSP flow.

wsp

index_server

index_serverq_proto_wsp

uint32

Identifier of the response in a WSP flow.

xdmcp

client_ip

client_ipq_proto_xdmcp

string

Client IPv4 address.

xdmcp

server_ip

server_ipq_proto_xdmcp

string

Server IPv4 address.

xdmcp

server_status

server_statusq_proto_xdmcp

bytes

X11 server availability.

x25

calling_addr

calling_addrq_proto_x25

bytes

Calling station address.

x25

called_addr

called_addrq_proto_x25

bytes

Called station address.

x25

pkt_type

pkt_typeq_proto_x25

bytes

Packet type.

xcap

supplementary_service

supplementary_serviceq_proto_xcap

bytes

Supplementary Service in VoLTE flow (only with auid simservs)

xcap

auid

auidq_proto_xcap

bytes

ID of the application

jabber

login

loginq_proto_jabber

bytes

User's login string.

jabber

nickname

nicknameq_proto_jabber

bytes

Contains the username used.

jabber

version

versionq_proto_jabber

bytes

JABBER software version.

jabber

user_agent

user_agentq_proto_jabber

bytes

Name of the software used.

jabber

os

osq_proto_jabber

bytes

Client operating system.

jabber

message

messageq_proto_jabber

bytes

Contains the chat message.

jabber

encoding

encodingq_proto_jabber

bytes

Message encoding.

jabber

sender

senderq_proto_jabber

bytes

Contains the identity of the sender of a chat session or a file transfer.

jabber

receiver

receiverq_proto_jabber

bytes

Contains the identity of the receiver for a chat message or a file transfer.

jabber

file_sender

file_senderq_proto_jabber

bytes

Contains the identity of the sender of a file transfer.

jabber

file_receiver

file_receiverq_proto_jabber

bytes

Contains the identity of the receiver for a file transfer.

jabber

filename

filenameq_proto_jabber

bytes

Name of the transferred file.

jabber

filesize

filesizeq_proto_jabber

uint32

Size (byte) of the transferred file.

jabber

file_sid

file_sidq_proto_jabber

bytes

Transferred file identifier.

jabber

contact_login

contact_loginq_proto_jabber

bytes

Contact login.

jabber

contact_name

contact_nameq_proto_jabber

bytes

Contact name.

jabber

contact_status

contact_statusq_proto_jabber

bytes

Contact status.

jabber

call_id

call_idq_proto_jabber

bytes

Call id, extracted for each call.

jabber

start_time

start_timeq_proto_jabber

string

Start date of the call.

jabber

caller

callerq_proto_jabber

bytes

Contains the identity (or the phone number) of the initiator of the call.

jabber

callee

calleeq_proto_jabber

bytes

Contains the identity (or the phone number) of the called party for a call.

jabber

call_duration

call_durationq_proto_jabber

string

Call duration.

jabber

end_status

end_statusq_proto_jabber

bytes

Session end reason.

jabber

caller_addr

caller_addrq_proto_jabber

string

Address which could be used by the initiator of the call.

jabber

callee_addr

callee_addrq_proto_jabber

string

Address which could be used by the called party.

jabber

file_chunk_len

file_chunk_lenq_proto_jabber

uint32

Size of the transferred piece.

jabber

file_chunk_number

file_chunk_numberq_proto_jabber

uint32

Number of the transferred piece.

jabber

file_chunk_sid

file_chunk_sidq_proto_jabber

bytes

Transferred file identifier.

yahoo_groups

login

loginq_proto_yahoo_groups

bytes

User's login string.

yahoo_groups

query_raw

query_rawq_proto_yahoo_groups

bytes

Contains the query sent to the search engine as indicated in the URL.

yahoo_groups

query_text

query_textq_proto_yahoo_groups

bytes

Query sent to the search engine.

yahoo_groups

group_name

group_nameq_proto_yahoo_groups

bytes

Name of the group the user has subscribed to.

yahoo_groups

name

nameq_proto_yahoo_groups

bytes

User's full name.

yahoo_groups

sender_email

sender_emailq_proto_yahoo_groups

bytes

Email address of the email sender.

yahoo_groups

subject

subjectq_proto_yahoo_groups

bytes

Message subject.

ymail_classic

login

loginq_proto_ymail_classic

bytes

User's login string.

ymail_classic

session_id

session_idq_proto_ymail_classic

bytes

Uniquely identifies the current user session.

ymail_classic

sender_email

sender_emailq_proto_ymail_classic

bytes

Email address of the email sender.

ymail_classic

receiver_email

receiver_emailq_proto_ymail_classic

bytes

Email address of message receiver (including cc and bcc receivers).

ymail_classic

subject

subjectq_proto_ymail_classic

bytes

Message subject.

ymail_classic

attach_filename

attach_filenameq_proto_ymail_classic

bytes

Attachment name.

ymail_classic

attach_size

attach_sizeq_proto_ymail_classic

uint32

Attached file MIME size.

ymail_classic

action

actionq_proto_ymail_classic

bytes

Indicates if the message is read (Read) or composed (Compose).

ymail2

msglist_subject

msglist_subjectq_proto_ymail2

bytes

Message subject in a message list.

ymail2

msglist_sender_email

msglist_sender_emailq_proto_ymail2

bytes

Address of email sender.

ymail2

msglist_receiver_email

msglist_receiver_emailq_proto_ymail2

bytes

Email address of the email receiver.

ymail2

login

loginq_proto_ymail2

bytes

User's login string.

ymail2

receiver_email

receiver_emailq_proto_ymail2

bytes

Email address of message receiver (including cc and bcc receivers).

ymail2

sender_email

sender_emailq_proto_ymail2

bytes

Email address of the email sender.

ymail2

attach_size

attach_sizeq_proto_ymail2

uint32

Attached file MIME size.

ymail2

attach_filename

attach_filenameq_proto_ymail2

bytes

Attachment name.

ymail2

action

actionq_proto_ymail2

bytes

Indicates if the message is read (Read) or composed (Compose).

ymail2

session_id

session_idq_proto_ymail2

bytes

Uniquely identifies the current user session.

ymail2

subject

subjectq_proto_ymail2

bytes

Message subject.

yahoo_maps

query_text

query_textq_proto_yahoo_maps

bytes

Query sent to the search engine.

ymsg

caller

callerq_proto_ymsg

bytes

Contains the identity (or the phone number) of the initiator of the call.

ymsg

callee

calleeq_proto_ymsg

bytes

Contains the identity (or the phone number) of the called party for a call.

ymsg

login

loginq_proto_ymsg

bytes

User's login string.

ymsg

version

versionq_proto_ymsg

bytes

The protocol version number used by the method.

ymsg

client_version

client_versionq_proto_ymsg

bytes

Client version.

ymsg

message

messageq_proto_ymsg

bytes

Contains the chat message.

ymsg

message_len

message_lenq_proto_ymsg

uint32

Contains the length of the chat message.

ymsg

encoding

encodingq_proto_ymsg

bytes

Message encoding.

ymsg

sender

senderq_proto_ymsg

bytes

Contains the identity of the sender of a chat session or a file transfer.

ymsg

receiver

receiverq_proto_ymsg

bytes

Contains the identity of the receiver for a chat message or a file transfer.

ymsg

chat_id

chat_idq_proto_ymsg

bytes

Window chat id.

ymsg

timestamp

timestampq_proto_ymsg

string

Packet timestamp.

ymsg

service

serviceq_proto_ymsg

bytes

Current service identification string.

ymsg

sessionid

sessionidq_proto_ymsg

uint32

Identification number of session.

ymsg

contact_login

contact_loginq_proto_ymsg

bytes

Contact login.

ymsg

client_firstname

client_firstnameq_proto_ymsg

bytes

First name of the user.

ymsg

client_lastname

client_lastnameq_proto_ymsg

bytes

Last name of the user.

ymsg

client_country

client_countryq_proto_ymsg

bytes

Country of the user.

ymsg

channel

channelq_proto_ymsg

bytes

Chat room name.

ymsg

file_sender

file_senderq_proto_ymsg

bytes

Contains the identity of the sender of a file transfer.

ymsg

file_receiver

file_receiverq_proto_ymsg

bytes

Contains the identity of the receiver for a file transfer.

ymsg

file_url

file_urlq_proto_ymsg

bytes

URL of the transferred file.

ymsg

filename

filenameq_proto_ymsg

bytes

Name of the transferred file.

ymsg

filesize

filesizeq_proto_ymsg

uint32

Size (byte) of the transferred file.

ymsg

filehash

filehashq_proto_ymsg

bytes

Hash of transferred file.

ymsg

client_local_ip

client_local_ipq_proto_ymsg

string

Client local IP.

ymsg

channel_name

channel_nameq_proto_ymsg

bytes

Channel name

ymsg

channel_action

channel_actionq_proto_ymsg

bytes

Action associated to a channel

ymsg

channel_user

channel_userq_proto_ymsg

bytes

User associated to an action on a channel

ymsg

client_ip

client_ipq_proto_ymsg

string

User IP address.

ymsg

server_ip

server_ipq_proto_ymsg

string

Server IP address.

ymsg

call_duration

call_durationq_proto_ymsg

string

Call duration.

ymsg

transfer_id

transfer_idq_proto_ymsg

bytes

Transfer identifier.

ymsg

webcam_brand

webcam_brandq_proto_ymsg

bytes

Webcam brand.

ymsg

conference_id

conference_idq_proto_ymsg

bytes

Room identifier for a given conference.

ymsg_conf

login

loginq_proto_ymsg_conf

bytes

User's login string.

ymsg_conf

caller

callerq_proto_ymsg_conf

bytes

Contains the identity (or the phone number) of the initiator of the call.

ymsg_conf

call_duration

call_durationq_proto_ymsg_conf

string

Call duration.

ymsg_transfer

login

loginq_proto_ymsg_transfer

bytes

User's login string.

ymsg_transfer

file_sender

file_senderq_proto_ymsg_transfer

bytes

Contains the identity of the sender of a file transfer.

ymsg_transfer

file_receiver

file_receiverq_proto_ymsg_transfer

bytes

Contains the identity of the receiver for a file transfer.

ymsg_transfer

filename

filenameq_proto_ymsg_transfer

bytes

Name of the transferred file.

ymsg_transfer

filesize

filesizeq_proto_ymsg_transfer

uint32

Size (byte) of the transferred file.

ymsg_transfer

file_url

file_urlq_proto_ymsg_transfer

bytes

URL of the transferred file.

ymsg_transfer

client_ip

client_ipq_proto_ymsg_transfer

string

User IP address.

ymsg_transfer

server_ip

server_ipq_proto_ymsg_transfer

string

Server IP address.

ymsg_video

login

loginq_proto_ymsg_video

bytes

User's login string.

ymsg_video

webcam_brand

webcam_brandq_proto_ymsg_video

bytes

Brand of webcam.

yahoo_search

query_text

query_textq_proto_yahoo_search

bytes

Query sent to the search engine.

yahoo_search

query_raw

query_rawq_proto_yahoo_search

bytes

Contains the query sent to the search engine as indicated in the URL.

ymail_mobile_new

attach_size

attach_sizeq_proto_ymail_mobile_new

uint32

Attached file MIME size.

ymail_mobile_new

attach_filename

attach_filenameq_proto_ymail_mobile_new

bytes

Attachment name.

ymail_mobile_new

subject

subjectq_proto_ymail_mobile_new

bytes

Message subject.

ymail_mobile_new

action

actionq_proto_ymail_mobile_new

bytes

Indicates if the message is read (Read) or composed (Compose).

ymail_mobile_new

login

loginq_proto_ymail_mobile_new

bytes

User's login string.

ymail_mobile_new

session_id

session_idq_proto_ymail_mobile_new

bytes

Uniquely identifies the current user session.

ymsg_webmessenger

service

serviceq_proto_ymsg_webmessenger

bytes

Current service identification string.

ymsg_webmessenger

message

messageq_proto_ymsg_webmessenger

bytes

Contains the chat message.

ymsg_webmessenger

receiver

receiverq_proto_ymsg_webmessenger

bytes

Contains the identity of the receiver for a chat message or a file transfer.

ymsg_webmessenger

sender

senderq_proto_ymsg_webmessenger

bytes

Contains the identity of the sender of a chat session or a file transfer.

ymsg_webmessenger

contact_login

contact_loginq_proto_ymsg_webmessenger

bytes

Contact login.

yandex_webmail

receiver_email

receiver_emailq_proto_yandex_webmail

bytes

Email address of message receiver (including cc and bcc receivers).

yandex_webmail

sender_email

sender_emailq_proto_yandex_webmail

bytes

Email address of the email sender.

yandex_webmail

attach_filename

attach_filenameq_proto_yandex_webmail

bytes

Attachment name.

yandex_webmail

attach_size

attach_sizeq_proto_yandex_webmail

uint32

Attached file MIME size.

yandex_webmail

msg_id

msg_idq_proto_yandex_webmail

bytes

Identifier of the message.

yandex_webmail

action

actionq_proto_yandex_webmail

bytes

Indicates if the message is read (Read) or composed (Compose).

yandex_webmail

subject

subjectq_proto_yandex_webmail

bytes

Message subject.

yandex_webmail

msglist_receiver_email

msglist_receiver_emailq_proto_yandex_webmail

bytes

Email address of the email receiver.

yandex_webmail

msglist_sender_email

msglist_sender_emailq_proto_yandex_webmail

bytes

Address of email sender.

yandex_webmail

msglist_subject

msglist_subjectq_proto_yandex_webmail

bytes

Message subject in a message list.

yandex_webmail

login

loginq_proto_yandex_webmail

bytes

User's login string.

yandex

login

loginq_proto_yandex

bytes

User's login string.

yandex

query_raw

query_rawq_proto_yandex

bytes

Contains the query sent to the search engine as indicated in the URL.

yandex

query_text

query_textq_proto_yandex

bytes

Query sent to the search engine.

youtube

login

loginq_proto_youtube

bytes

User's login string.

youtube

query_text

query_textq_proto_youtube

bytes

Query sent to the search engine.

youtube

url

urlq_proto_youtube

bytes

Contains the URL for embedded players.

youtube

name

nameq_proto_youtube

bytes

Name of the user.

youtube

videoid

videoidq_proto_youtube

bytes

Contains the unique identifier of the uploaded video.

youtube

method

methodq_proto_youtube

bytes

Contains the method used.

zimbra

login

loginq_proto_zimbra

bytes

User's login string.

zimbra

msglist_sender_email

msglist_sender_emailq_proto_zimbra

bytes

Address of email sender.

zimbra

msglist_receiver_email

msglist_receiver_emailq_proto_zimbra

bytes

Email address of the email receiver.

zimbra

msglist_subject

msglist_subjectq_proto_zimbra

bytes

Message subject in a message list.

zimbra

sender_email

sender_emailq_proto_zimbra

bytes

Email address of the email sender.

zimbra

receiver_email

receiver_emailq_proto_zimbra

bytes

Email address of message receiver (including cc and bcc receivers).

zimbra

subject

subjectq_proto_zimbra

bytes

Message subject.

zimbra

msg_id

msg_idq_proto_zimbra

bytes

Identifier of the message.

zimbra

attach_filename

attach_filenameq_proto_zimbra

bytes

Attachment name.

zimbra

attach_size

attach_sizeq_proto_zimbra

uint32

Attached file MIME size.

zimbra

action

actionq_proto_zimbra

bytes

Indicates if the message is read (Read) or composed (Compose).

zimbra_standard

msglist_subject

msglist_subjectq_proto_zimbra_standard

bytes

Message subject in a message list.

zimbra_standard

msg_id

msg_idq_proto_zimbra_standard

bytes

Identifier of the message.

zimbra_standard

sender_email

sender_emailq_proto_zimbra_standard

bytes

Email address of the email sender.

zimbra_standard

receiver_email

receiver_emailq_proto_zimbra_standard

bytes

Email address of message receiver (including cc and bcc receivers).

zimbra_standard

attach_size

attach_sizeq_proto_zimbra_standard

uint32

Attached file MIME size.

zimbra_standard

attach_filename

attach_filenameq_proto_zimbra_standard

bytes

Attachment name.

zimbra_standard

subject

subjectq_proto_zimbra_standard

bytes

Message subject.

zimbra_standard

action

actionq_proto_zimbra_standard

bytes

Indicates if the message is read (Read) or composed (Compose).

zimbra_standard

login

loginq_proto_zimbra_standard

bytes

User's login string.

zoom

service

serviceq_proto_zoom

bytes

Current service identification string.

zoom

service_id

service_idq_proto_zoom

uint32

Composite 32-bit integer value defining the service currently used. The first byte (LSB) gives the generic service definition; the second byte gives an advanced service definition for specific cases (example: File Transfer).

zoom

service_duration

service_durationq_proto_zoom

uint32

4-byte integer value indicating the length of the service in seconds, once the service has ended.

zoom

service_duration_tv

service_duration_tvq_proto_zoom

string

Timeval structure indicating the length of the service in seconds and microseconds, once the service has ended.