###########################################################################
# Here are listed all possible stats and realtime entry output fields
###########################################################################
# Each field is explained below
#
#   field name            field type/size     description
#
# BASIC CONNECTION STATS INFORMATION
#
###########################################################################
# NAME                  SIZE/TYPE   DESCRIPTION
###########################################################################
sancp_id                64bit       based on timeptr.tv_sec and timeptr.tv_usec + unique increment
start_time_gmt          32bit       timestamp for first packet in gmt
start_time_local        32bit       timestamp for first packet in local timezone
stop_time_gmt           32bit       timestamp for last packet in gmt
stop_time_local         32bit       timestamp for last packet in local timezone
erased_time_gmt         32bit       timestamp in gmt, time connection was cleared from memory (no longer tracked)
erased_time_local       32bit       same as erased_time_gmt but in local timezone
eth_proto               16bit       layer 2/ethernet protocol (i.e. ip=8, arp=1544, igmp=2, etc...)
eth_proto_hex           16bit       same as eth_proto but in hex (i.e. ip=0800, arp=0806, igmp=0200 ...)
ip_proto                8bit        layer 3/ip protocol (if the layer 2 protocol is IP)
src_ip_decimal          32bit       decimal form src IP address
src_ip_dotted           32bit       dotted notation src IP address
src_port                16bit       source port for udp, tcp, and (optionally) icmp type (see: --enable_icmp_mixed)
dst_ip_decimal          32bit       decimal form dst IP address
dst_ip_dotted           32bit       dotted notation dst IP address
dst_port                16bit       dest. port for udp, tcp, and (optionally) icmp code (see: --enable_icmp_mixed)
duration                32bit       seconds the connection remained active (difference between start and stop times)
timeout                 16bit       applicable timeout value for the connection
src_pkts                64bit       count of packets received from source
dst_pkts                64bit       count of packets received from destination
src_bytes               64bit       bytes of data received from source (minus recognized proto headers: eth, ip, tcp)
dst_bytes               64bit       bytes of data received from destination (minus recognized proto headers)
###########################################################################
#
# TCP FLAGS
#
# The sflags and dflags fields contain values representing 8 possible
# TCP flags cumulatively seen from source and destination throughout
# the connection.
#
# 8Bit order is 12UAPRSF, where:
#   1: Reserved bit 1 from source
#   2: Reserved bit 2 from source
#   U: Urgent Pointer bit from source
#   A: ACK bit from source
#   P: Push bit from source
#   R: Reset bit from source
#   S: SYN bit from source
#   F: FIN bit from source
#
###########################################################################
sflags                  8bit        decimal form - cumulative tcp flags from source (bit order: 12UAPRSF)
sflags_hex              8bit        hex form - cumulative tcp flags from source (bit order: 12UAPRSF)
###########################################################################
# Names for specifying each flag individually
###########################################################################
sflags_1                Y/N         Reserved bit 1 from source
sflags_2                Y/N         Reserved bit 2 from source
sflags_U                Y/N         Urgent Pointer bit from source
sflags_A                Y/N         ACK bit from source
sflags_P                Y/N         Push bit from source
sflags_R                Y/N         Reset bit from source
sflags_S                Y/N         SYN bit from source
sflags_F                Y/N         FIN bit from source
dflags                  8bit        decimal form - cumulative tcp flags from destination (bit order: 12UAPRSF)
dflags_hex              8bit        hex form - cumulative tcp flags from destination (bit order: 12UAPRSF)
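# The following decoder is an added example, not part of the sancp
# documentation or source. It implements the two bit layouts stated in
# this file: 12UAPRSF for sflags/dflags and 00AARRFF/00DSDSDS for the
# cflags field described further down. The sample values are constructed;
# classify_tcp() is our own heuristic for reading a record, not a sancp
# feature.

```python
"""Decode sancp sflags/dflags (12UAPRSF) and cflags (00AARRFF/00DSDSDS)."""

# sflags / dflags: most significant bit first, "12UAPRSF". This is the same
# layout as the TCP header flags byte (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN).
TCP_FLAG_BITS = {
    "1": 0x80,  # reserved bit 1
    "2": 0x40,  # reserved bit 2
    "U": 0x20,  # urgent pointer
    "A": 0x10,  # ack
    "P": 0x08,  # push
    "R": 0x04,  # reset
    "S": 0x02,  # syn
    "F": 0x01,  # fin
}

# cflags: two unused high bits, then for ACK, RST and FIN a destination bit
# followed by a source bit ("00AARRFF" over "00DSDSDS").
CLOSE_FLAG_BITS = {
    "DA": 0x20, "SA": 0x10,   # close ACK seen from destination / source
    "DR": 0x08, "SR": 0x04,   # close Reset seen from destination / source
    "DF": 0x02, "SF": 0x01,   # close FIN seen from destination / source
}


def decode_bits(value: int, table: dict) -> dict:
    """Return {name: 'Y'|'N'}, the form the sflags_* / cflags_* fields use."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"8-bit field out of range: {value}")
    return {name: "Y" if value & bit else "N" for name, bit in table.items()}


def tcp_flag_string(value: int) -> str:
    """Render 12UAPRSF with '.' for unset bits, e.g. 27 -> '...AP.SF'."""
    return "".join(name if value & bit else "." for name, bit in TCP_FLAG_BITS.items())


def parse_hex_field(text: str) -> int:
    """Parse a *_hex field (hex digits, no 0x prefix) back to its integer value."""
    return int(text, 16)


def classify_tcp(sflags: int, dflags: int, cflags: int) -> str:
    """Coarse triage of a TCP record (hypothetical heuristic, not from sancp)."""
    s = decode_bits(sflags, TCP_FLAG_BITS)
    d = decode_bits(dflags, TCP_FLAG_BITS)
    c = decode_bits(cflags, CLOSE_FLAG_BITS)
    if s["S"] == "Y" and d["S"] == "N" and d["R"] == "Y":
        return "refused"            # SYN sent, only a RST came back
    if s["S"] == "Y" and d["S"] == "N" and d["A"] == "N":
        return "unanswered-syn"     # nothing at all from the destination
    if s["S"] == "Y" and d["S"] == "Y" and d["A"] == "Y":
        if c["SF"] == "Y" and c["DF"] == "Y":
            return "established-graceful-close"
        if c["SR"] == "Y" or c["DR"] == "Y":
            return "established-reset"
        return "established"
    return "other"


if __name__ == "__main__":
    # Constructed values: a full session with data and a FIN from both sides.
    print(tcp_flag_string(parse_hex_field("1b")))             # ...AP.SF
    print(decode_bits(0x33, CLOSE_FLAG_BITS))                   # DA SA DF SF set
    print(classify_tcp(0x1b, 0x1b, 0x33))                       # established-graceful-close
```

The classification is deliberately coarse: sflags and dflags are cumulative over the whole connection, so a single value cannot tell you the order in which the flags appeared, only that each was seen at least once.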
###########################################################################
# Names for specifying each flag individually
###########################################################################
dflags_1                Y/N         Reserved bit 1 from destination
dflags_2                Y/N         Reserved bit 2 from destination
dflags_U                Y/N         Urgent Pointer bit from destination
dflags_A                Y/N         ACK bit from destination
dflags_P                Y/N         Push bit from destination
dflags_R                Y/N         Reset bit from destination
dflags_S                Y/N         SYN bit from destination
dflags_F                Y/N         FIN bit from destination
###########################################################################
# The next (8bit) field contains a value representing 6 possible
# TCP close session flags from the source and destination.
# The first 2 significant bits are unused.
# 8Bit order is 00AARRFF/00DSDSDS, where:
#   DA: Close ACK seen from destination
#   SA: Close ACK seen from source
#   DR: Close Reset seen from destination
#   SR: Close Reset seen from source
#   DF: Close FIN seen from destination
#   SF: Close FIN seen from source
#
###########################################################################
cflags                  8bit        decimal form - tcp close flags (bit order: 00AARRFF/00DSDSDS)
cflags_hex              8bit        hex form - tcp close flags (bit order: 00AARRFF/00DSDSDS)
###########################################################################
# Names for specifying each flag individually
###########################################################################
cflags_DA               Y/N         Close ACK seen from destination
cflags_SA               Y/N         Close ACK seen from source
cflags_DR               Y/N         Close Reset seen from destination
cflags_SR               Y/N         Close Reset seen from source
cflags_DF               Y/N         Close FIN seen from destination
cflags_SF               Y/N         Close FIN seen from source
###########################################################################
#
# OS FINGERPRINT
#
# The next 8 fields contain p0f information gathered
# from the initial TCP SYN packet
#
###########################################################################
ip_len_s                16bit       ip length (initial packet, tcp only)
ip_ttl_s                8bit        time to live (initial packet, tcp only)
ip_df_s                 Y/N         don't fragment bit was set (initial packet, tcp only)
tcp_wss_s               16bit       window segment size (initial packet, tcp only)
tcp_mss_s               16bit       maximum segment size (initial packet, tcp only)
tcp_wscale_s            8bit        window scale (initial packet, tcp only)
tcp_sack_ok_s           Y/N         sack_ok flag was set (initial packet, tcp only)
tcp_nop_s               Y/N         'no op' was seen (initial packet, tcp only)
###########################################################################
#
# The next 8 fields contain p0f information gathered
# from the second TCP SYN packet
#
###########################################################################
ip_len_d                16bit       ip length (initial packet, tcp only)
ip_ttl_d                8bit        time to live (initial packet, tcp only)
ip_df_d                 Y/N         don't fragment bit was set (initial packet, tcp only)
tcp_wss_d               16bit       window segment size (initial packet, tcp only)
tcp_mss_d               16bit       maximum segment size (initial packet, tcp only)
tcp_wscale_d            8bit        window scale (initial packet, tcp only)
tcp_sack_ok_d           Y/N         sack_ok flag was set (initial packet, tcp only)
tcp_nop_d               Y/N         'no op' was seen (initial packet, tcp only)
###########################################################################
#
# DEFAULT / RULE ASSIGNED FIELDS
# used to group and/or categorize traffic which matches a rule
#
###########################################################################
rid                     32bit       rule id assigned by the matching rule or 'default rid'
rgid                    32bit       rule group id assigned by the matching rule or 'default rgid'
node                    16bit       node id assigned by the matching rule or 'default node'
zone                    16bit       zone id assigned by the matching rule or 'default zone'
status                  8bit        status assigned by the matching rule or 'default status'
###########################################################################
#
# SPECIAL SANCP-SPECIFIC FIELDS
#
# The last 7 fields contain information about how we
# handled the connection within sancp
#
###########################################################################
total_bytes             64bit       all source + destination bytes; total includes entire packets w/headers
collect                 8bit        the pcap collection mode: none(0), both(1), from_src(2), from_dst(3)
collected               64bit       how much raw pcap data we collected, in bytes (doesn't include pcap headers)
climit                  64bit       the pcap data collection limit in bytes, 0 == none
tcplag                  16bit       seconds to wait for straggler packets after a tcp connection 'ends'
pcap                    Y/N         pcap collection was recorded for this connection (disregards -A option)
realtime                Y/N         a realtime entry was recorded for this connection
stats                   Y/N         the connection was recorded to a stats file (value present in realtime too)
reversed                8bit        are the source and destination opposite those of the initial packet? (for tcp/udp) 0=no,
hash                    16bit       the hash table key value; used to check and tune the performance of the sancp connection
retro                   Y/N         was a retroactive rule applied to this connection? Would explain collection
src_mac                 ascii       17 byte max source ethernet address in first packet detected i.e. xx:xx:xx:xx:xx:xx
dst_mac                 ascii       17 byte max destination ethernet address in first packet detected i.e. xx:xx:xx:xx:xx:xx
###########################################################################
/* vim: set ws=4 ts=4 */
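# The checker below is an added example, not sancp's own code. It applies
# the field semantics listed in this file (duration is stop minus start,
# total_bytes counts whole packets while src_bytes/dst_bytes exclude
# headers, climit of 0 means no limit, collect mode 0 means none) to a
# record held as a dict keyed by the field names above. The delimiter and
# field order of a real stats or realtime line are not stated here, so no
# line parser is assumed; the sample records are constructed. The
# eth_proto byte-swap rule is inferred from the three example pairs given
# for eth_proto / eth_proto_hex.

```python
"""Consistency checks for a sancp stats/realtime record (added example)."""

COLLECT_MODES = {0: "none", 1: "both", 2: "from_src", 3: "from_dst"}


def eth_proto_to_hex(eth_proto: int) -> str:
    """Convert the decimal eth_proto field to the eth_proto_hex form.

    The pairs documented above (ip 8 -> 0800, arp 1544 -> 0806, igmp 2 -> 0200)
    are consistent with the decimal value being the two EtherType bytes read in
    the opposite byte order, so the bytes are swapped back before rendering.
    """
    if not 0 <= eth_proto <= 0xFFFF:
        raise ValueError(f"16-bit field out of range: {eth_proto}")
    swapped = ((eth_proto & 0xFF) << 8) | (eth_proto >> 8)
    return f"{swapped:04x}"


def check_record(rec: dict) -> list:
    """Return a list of inconsistencies in one record (empty list == consistent)."""
    problems = []
    if rec["stop_time_gmt"] < rec["start_time_gmt"]:
        problems.append("stop_time_gmt precedes start_time_gmt")
    elif rec["duration"] != rec["stop_time_gmt"] - rec["start_time_gmt"]:
        problems.append("duration does not equal stop_time_gmt - start_time_gmt")
    if rec["erased_time_gmt"] < rec["stop_time_gmt"]:
        problems.append("connection erased from memory before its last packet")
    # total_bytes includes headers; src_bytes/dst_bytes strip recognized headers,
    # so the payload sum can never exceed the total.
    if rec["total_bytes"] < rec["src_bytes"] + rec["dst_bytes"]:
        problems.append("total_bytes smaller than src_bytes + dst_bytes")
    if rec["collect"] not in COLLECT_MODES:
        problems.append(f"unknown collect mode {rec['collect']}")
    elif rec["collect"] == 0 and rec["collected"] > 0:
        problems.append("collected > 0 although collect mode is none")
    if rec["climit"] != 0 and rec["collected"] > rec["climit"]:
        problems.append("collected exceeds climit")
    if eth_proto_to_hex(rec["eth_proto"]) != rec["eth_proto_hex"].lower():
        problems.append("eth_proto_hex does not match eth_proto")
    if f"{rec['sflags']:02x}" != rec["sflags_hex"].lower():
        problems.append("sflags_hex does not match sflags")
    return problems


# Constructed sample records, not real sancp output.
GOOD_RECORD = {
    "start_time_gmt": 1_200_000_000, "stop_time_gmt": 1_200_000_030,
    "erased_time_gmt": 1_200_000_090, "duration": 30,
    "eth_proto": 8, "eth_proto_hex": "0800", "ip_proto": 6,
    "src_bytes": 1200, "dst_bytes": 8400, "total_bytes": 11000,
    "collect": 1, "collected": 11000, "climit": 65536,
    "sflags": 27, "sflags_hex": "1b",
}
# Same record with four fields deliberately corrupted.
BAD_RECORD = dict(GOOD_RECORD, duration=45, total_bytes=5000, collect=0, eth_proto_hex="0008")


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_record(rec) or "consistent")
```

Running checks like these over an exported stats file is a cheap way to catch a sensor that is dropping packets, a parser that has the field order wrong, or a record that was edited after the fact.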