MAN page from RedHat 7.X ethereal-0.8.20-1.i386.rpm

TETHEREAL

Section: The Ethereal Network Analyzer (1)
Updated: 0.8.20

NAME

tethereal - Dump and analyze network traffic 

SYNOPSIS

tethereal [ -c count ] [ -D ] [ -f capture filter expression ] [ -F file format ] [ -h ] [ -i interface ] [ -l ] [ -n ] [ -N resolving flags ] ... [ -o preference setting ] ... [ -p ] [ -r infile ] [ -R display filter expression ] [ -s snaplen ] [ -t time stamp format ] [ -v ] [ -V ] [ -w savefile ] [ -x ] [ filter expression ]

DESCRIPTION

Tethereal is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. Tethereal knows how to read libpcap capture files, including those of tcpdump. In addition, Tethereal can read capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer (compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray, Sniffer Pro, Etherpeek, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output, HP-UX's nettl, the dump output from Toshiba's ISDN routers, the output from i4btrace from the ISDN4BSD project, and output in IPLog format from the Cisco Secure Intrusion Detection System. There is no need to tell Tethereal what type of file you are reading; it will determine the file type by itself. Tethereal is also capable of reading any of these file formats if they are compressed using gzip. Tethereal recognizes this directly from the file; the '.gz' extension is not required for this purpose.

If the -w flag is not specified, Tethereal prints a decoded form of the packets it captures or reads; otherwise, it writes those packets to the file specified by that flag.

When printing a decoded form of packets, Tethereal prints, by default, a summary line containing the fields specified by the preferences file (which are also the fields displayed in the packet list pane in Ethereal), although if it's printing packets as it captures them, rather than printing packets from a saved capture file, it won't print the "frame number" field. If the -V flag is specified, it prints instead a protocol tree, showing all the fields of all protocols in the packet.

When writing packets to a file, Tethereal, by default, writes the file in libpcap format, and writes all of the packets it sees to the output file. The -F flag can be used to specify the format in which to write the file; it can write the file in libpcap format (standard libpcap format, a modified format used by some patched versions of libpcap, or the format used by Red Hat Linux 6.1), snoop format, uncompressed Sniffer format, Microsoft Network Monitor 1.x format, and the format used by Windows-based versions of the Sniffer software.

Read filters in Tethereal, which allow you to select which packets are to be decoded or written to a file, are very powerful; more fields are filterable in Tethereal than in other protocol analyzers, and the syntax you can use to create your filters is richer. As Tethereal progresses, expect more and more protocol fields to be allowed in read filters.

Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library. This syntax is different from the read filter syntax. A read filter can also be specified when capturing, and only packets that pass the read filter will be displayed or saved to the output file; note, however, that capture filters are much more efficient than read filters, and it may be more difficult for Tethereal to keep up with a busy network if a read filter is specified for a live capture.

Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present, Tethereal will compile, but will be unable to read compressed files.

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r flag was specified) and a read filter if a capture file is being read (i.e., if a -r flag was specified).

OPTIONS


-c
Sets the default number of packets to read when capturing live data.
-D
Prints a list of the interfaces on which Tethereal can capture, and exits. Note that "can capture" means that Tethereal was able to open that device to do a live capture; if, on your system, a program doing a network capture must be run from an account with special privileges (for example, as root), then, if Tethereal is run with the -D flag and is not run from such an account, it will not list any interfaces.
-f
Sets the capture filter expression.
-F
Sets the file format of the output capture file.
-h
Prints the version and options and exits.
-i
Sets the name of the network interface to use for live packet capture. It should match one of the names listed in "netstat -i" or "ifconfig -a". If no interface is specified, Tethereal searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces; if there are no interfaces, Tethereal reports an error and doesn't start the capture.
-l
Flush the standard output after the information for each packet is printed. (This is not, strictly speaking, line-buffered if -V was specified; however, it is the same as line-buffered if -V wasn't specified, as only one line is printed for each packet, and, as -l is normally used when piping a live capture to a program or script, so that output for a packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering. We do this as a workaround for a deficiency in the Microsoft Visual C++ C library.)

This may be useful when piping the output of Tethereal to another program, as it means that the program to which the output is piped will see the dissected data for a packet as soon as Tethereal sees the packet and generates that output, rather than seeing it only when the standard output buffer containing that data fills up.

-n
Disables network object name resolution (such as hostname, TCP and UDP port names).
-N
Turns on name resolving for particular types of addresses and port numbers; the argument is a string that may contain the letters m to enable MAC address resolution, n to enable network address resolution, and t to enable transport-layer port number resolution. This overrides -n if both -N and -n are present.
-o
Sets a preference value, overriding the default value and any value read from a preference file. The argument to the flag is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference file), and value is the value to which it should be set.
-p
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Tethereal is running, broadcast traffic, and multicast traffic to addresses received by that machine.
-r
Reads packet data from file.
-R
Causes the specified filter (which uses the syntax of read filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file; packets not matching the filter are discarded rather than being printed or written.
-s
Sets the default snapshot length to use when capturing live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk.
-t
Sets the format of the packet timestamp printed in summary lines. The format can be one of 'r' (relative), 'a' (absolute), 'ad' (absolute with date), or 'd' (delta). The relative time is the time elapsed between the first packet and the current packet. The absolute time is the actual time the packet was captured, with no date displayed; the absolute date and time is the actual time and date the packet was captured. The delta time is the time since the previous packet was captured. The default is relative.
-v
Prints the version and exits.
-V
Causes Tethereal to print a protocol tree for each packet rather than a one-line summary of the packet.
-w
Writes packet data to savefile.
-x
Causes Tethereal to print a hex and ASCII dump of the packet data after printing the summary or protocol tree.
 

CAPTURE FILTER SYNTAX

See manual page of tcpdump(8). 

READ FILTER SYNTAX

Read filters help you remove the noise from a packet trace and let you see only the packets that interest you. If a packet meets the requirements expressed in your read filter, then it is printed. Read filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

The simplest read filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the IPX protocol, the filter would be "ipx" (without the quotation marks). To see all packets that contain a Token-Ring RIF field, use "tr.rif".

Fields can also be compared against values. The comparison operators can be expressed either through C-like symbols, or through English-like abbreviations:

    eq, ==    Equal
    ne, !=    Not equal
    gt, >     Greater than
    lt, <     Less Than
    ge, >=    Greater than or Equal to
    le, <=    Less than or Equal to

Furthermore, each protocol field is typed. The types are:

    Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Boolean
    Ethernet address (6 bytes)
    Byte string (n-number of bytes)
    IPv4 address
    IPv6 address
    IPX network number
    String (text)
    Double-precision floating point number

An integer may be expressed in decimal, octal, or hexadecimal notation. The following three read filters are equivalent:

    frame.pkt_len > 10
    frame.pkt_len > 012
    frame.pkt_len > 0xa

Boolean values are either true or false. In a read filter expression testing the value of a Boolean field, "true" is expressed as 1 or any other non-zero value, and "false" is expressed as zero. For example, a token-ring packet's source route field is boolean. To find any source-routed packets, a read filter would be:

    tr.sr == 1

Non source-routed packets can be found with:

    tr.sr == 0

Ethernet addresses, as well as a string of bytes, are represented in hex digits. The hex digits may be separated by colons, periods, or hyphens:

    fddi.dst eq ff:ff:ff:ff:ff:ff
    ipx.srcnode == 0.0.0.0.0.1
    eth.src == aa-aa-aa-aa-aa-aa

If a string of bytes contains only one byte, then it is represented as an unsigned integer. That is, if you are testing for hex value 'ff' in a one-byte byte-string, you must compare it against '0xff' and not 'ff'.

IPv4 addresses can be represented in either dotted decimal notation, or by using the hostname:

    ip.dst eq www.mit.edu
    ip.src == 192.168.1.1

IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order, so you do not have to worry about the endianness of an IPv4 address when using it in a read filter.

Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network:

    ip.addr == 129.111.0.0/16

Remember, the number after the slash represents the number of bits used to represent the network. CIDR notation can also be used with hostnames, as in this example of finding IP addresses on the same Class C network as 'sneezy':

    ip.addr eq sneezy/24

The CIDR notation can only be used on IP addresses or hostnames, not in variable names. So, a display filter like "ip.src/24 == ip.dst/24" is not valid. (yet)

IPX networks are represented by unsigned 32-bit integers. Most likely you will be using hexadecimal when testing for IPX network values:

    ipx.srcnet == 0xc0a82c00

A slice operator also exists. You can check the substring (byte-string) of any protocol or field. For example, you can filter on the vendor portion of an ethernet address (the first three bytes) like this:

    eth.src[0:3] == 00:00:83

If the length of your byte-slice is only one byte, then it is still represented in hex, but without the preceding "0x":

    llc[3] == aa

You can use the slice operator on a protocol name, too. And remember, the "frame" protocol encompasses the entire packet, allowing you to look at the nth byte of a packet regardless of its frame type (Ethernet, token-ring, etc.).

    token[0:5] ne 0.0.0.1.1
    ipx[0:2] == ff:ff
    llc[3:1] eq 0xaa
The following syntax governs slices:

        [i:j]   i = start_offset, j = length
        [i-j]   i = start_offset, j = end_offset, inclusive.
        [i]     i = start_offset, length = 1
        [:j]    start_offset = 0, length = j
        [i:]    start_offset = i, end_offset = end_of_field

Offsets and lengths can be negative, in which case they indicate the offset from the end of the field. Here's how to check the last 4 bytes of a frame:

    frame[-4:4] == 0.1.2.3

or

    frame[-4:] == 0.1.2.3

You can create complex concatenations of slices using the comma operator:

        field[1,3-5,9:] == 01:03:04:05:09:0a:0b
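
The slice forms above, including negative start offsets and comma concatenation, can be modelled in a few lines of Python. This is an added example, not code from this manual page or from the Ethereal project; the function names and sample byte strings are constructed for illustration. It assumes that a slice running past the end of the field simply does not match, and it does not model negative lengths.

```python
import re

_SEP = re.compile(r"[:.\-]")            # byte-string separators: colon, period, hyphen
_RANGE = re.compile(r"^(-?\d+)-(\d+)$")  # the [i-j] form (inclusive end offset)


def parse_bytes(literal):
    """Parse a byte-string literal such as 00:00:83, 0.1.2.3 or aa-aa-aa."""
    return bytes(int(part, 16) for part in _SEP.split(literal))


def slice_bounds(spec, field_len):
    """Map one slice spec to (start, end_exclusive), or None if out of range."""
    spec = spec.strip()
    length = end_incl = None
    m = _RANGE.match(spec)
    if m:                                   # [i-j]
        start, end_incl = int(m.group(1)), int(m.group(2))
    elif ":" in spec:                       # [i:j], [:j] or [i:]
        left, right = spec.split(":", 1)
        start = int(left) if left else 0
        length = int(right) if right else None
    else:                                   # [i]
        start, length = int(spec), 1
    if length is not None and length < 0:
        raise ValueError("negative lengths are not modelled in this example")
    if start < 0:                           # negative offset counts from the end
        start += field_len
    if end_incl is not None:
        end = end_incl + 1
    elif length is not None:
        end = start + length
    else:
        end = field_len                     # [i:] runs to end_of_field
    if not 0 <= start < end <= field_len:
        return None                         # assumption: out of range means no match
    return start, end


def take(field, specs):
    """Concatenate the comma-separated slices of field; None if any is out of range."""
    out = bytearray()
    for spec in specs.split(","):
        bounds = slice_bounds(spec, len(field))
        if bounds is None:
            return None
        out += field[bounds[0]:bounds[1]]
    return bytes(out)


def slice_eq(field, specs, literal):
    """Model of  field[specs] == literal."""
    got = take(field, specs)
    return got is not None and got == parse_bytes(literal)


# Constructed sample data (not taken from a real capture).
ETH_SRC = bytes.fromhex("000083123456")
FRAME = bytes.fromhex("deadbeef") + bytes([0, 1, 2, 3])
FIELD = bytes(range(12))                    # 00 01 02 ... 0b

if __name__ == "__main__":
    print(slice_eq(ETH_SRC, "0:3", "00:00:83"))
    print(slice_eq(FRAME, "-4:4", "0.1.2.3"), slice_eq(FRAME, "-4:", "0.1.2.3"))
    print(take(FIELD, "1,3-5,9:").hex(":"))
```
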
All the above tests can be combined together with logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:

    and, &&   Logical AND
    or, ||    Logical OR
    not, !    Logical NOT

Expressions can be grouped by parentheses as well. The following are all valid read filter expressions:

    tcp.port == 80 and ip.src == 192.168.2.1
    not llc
    (ipx.srcnet == 0xbad && ipx.srcnode == 0.0.0.0.0.1) || ip
    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

A special caveat must be given regarding fields that occur more than once per packet. "ip.addr" occurs twice per IP packet, once for the source address, and once for the destination address. Likewise, tr.rif.ring fields can occur more than once per packet. The following two expressions are not equivalent:

        ip.addr ne 192.168.4.1
        not ip.addr eq 192.168.4.1

The first filter says "show me all packets where an ip.addr exists that does not equal 192.168.4.1". That is, as long as one ip.addr in the packet does not equal 192.168.4.1, the packet passes the display filter. The second filter says "don't show me any packets that have at least one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1, the packet does not pass. If neither ip.addr field is 192.168.4.1, then the packet passes.

It is easy to think of the 'ne' and 'eq' operators as having an implicit "exists" modifier when dealing with multiply-recurring fields. "ip.addr ne 192.168.4.1" can be thought of as "there exists an ip.addr that does not equal 192.168.4.1".

Be careful with multiply-recurring fields; they can be confusing.
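
The difference matters most when a host is meant to be excluded from a trace, because the "ne" form still passes packets to and from that host. The following Python model of the "exists" semantics described above is an added example, not code from this manual page or from the Ethereal project; the packet records, addresses and function names are constructed for illustration, and it also accepts a CIDR operand as in the ip.addr examples earlier.

```python
import ipaddress


def _value_matches(value, operand):
    """True if one IPv4 field value equals the operand (an address or a CIDR block)."""
    addr = ipaddress.ip_address(value)
    if "/" in operand:
        return addr in ipaddress.ip_network(operand, strict=False)
    return addr == ipaddress.ip_address(operand)


def field_eq(packet, field, operand):
    """field eq operand: some occurrence of the field equals the operand."""
    return any(_value_matches(v, operand) for v in packet.get(field, ()))


def field_ne(packet, field, operand):
    """field ne operand: some occurrence of the field differs from the operand."""
    return any(not _value_matches(v, operand) for v in packet.get(field, ()))


def ip_packet(src, dst):
    """ip.addr occurs twice per IP packet: once for source, once for destination."""
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}


# Constructed sample packets (index: source -> destination).
PACKETS = [
    ip_packet("192.168.4.1", "10.0.0.5"),     # 0: from the host
    ip_packet("10.0.0.5", "192.168.4.1"),     # 1: to the host
    ip_packet("10.0.0.5", "10.0.0.9"),        # 2: unrelated traffic
    ip_packet("192.168.4.1", "192.168.4.1"),  # 3: both addresses are the host
    {"arp.opcode": [1]},                      # 4: not an IP packet, no ip.addr at all
    ip_packet("192.168.4.7", "10.0.0.9"),     # 5: a neighbour on the same /24
]


def passing_ne(operand, packets=PACKETS):
    """Indexes of packets passed by:  ip.addr ne <operand>"""
    return [i for i, p in enumerate(packets) if field_ne(p, "ip.addr", operand)]


def passing_not_eq(operand, packets=PACKETS):
    """Indexes of packets passed by:  not ip.addr eq <operand>"""
    return [i for i, p in enumerate(packets) if not field_eq(p, "ip.addr", operand)]


if __name__ == "__main__":
    host = "192.168.4.1"
    print("ip.addr ne", host, "->", passing_ne(host))
    print("not ip.addr eq", host, "->", passing_not_eq(host))
    print("not ip.addr eq 192.168.4.0/24 ->", passing_not_eq("192.168.4.0/24"))
```

In this model the "ne" form keeps packets 0 and 1, which involve the host, and drops the non-IP packet; only the "not ... eq" form removes the host's traffic.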

The following is a table of protocol and protocol fields that are filterable in Tethereal. The abbreviation of the protocol or field is given. This abbreviation is what you use in the read filter. The type of the field is also given.

802.1q Virtual LAN (vlan)

    vlan.cfi  CFI        Unsigned 16-bit integer
    vlan.etype  Type        Unsigned 16-bit integer
    vlan.id  ID        Unsigned 16-bit integer
    vlan.len  Length        Unsigned 16-bit integer
    vlan.priority  Priority        Unsigned 16-bit integer
    vlan.trailer  Trailer        Byte array
 

AOL Instant Messenger (aim)

    aim.channel  Channel ID        Unsigned 8-bit integer
    aim.cmd_start  Command Start        Unsigned 8-bit integer
    aim.datalen  Data Field Length        Unsigned 16-bit integer
    aim.fnac.family  FNAC Family ID        Unsigned 16-bit integer
    aim.fnac.subtype  FNAC Subtype ID        Unsigned 16-bit integer
    aim.seqno  Sequence Number        Unsigned 16-bit integer
 

ATM (atm)

    atm.vci  VCI        Unsigned 16-bit integer
    atm.vpi  VPI        Unsigned 8-bit integer
 

ATM LAN Emulation (lane)

 

Address Resolution Protocol (arp)

    arp.dst.atm_num_e164  Target ATM number (E.164)        String
    arp.dst.atm_num_nsap  Target ATM number (NSAP)        Byte array
    arp.dst.atm_subaddr  Target ATM subaddress        Byte array
    arp.dst.hlen  Target ATM number length        Unsigned 8-bit integer
    arp.dst.htype  Target ATM number type        Boolean
    arp.dst.hw  Target hardware address        Byte array
    arp.dst.pln  Target protocol size        Unsigned 8-bit integer
    arp.dst.proto  Target protocol address        Byte array
    arp.dst.slen  Target ATM subaddress length        Unsigned 8-bit integer
    arp.dst.stype  Target ATM subaddress type        Boolean
    arp.hw.size  Hardware size        Unsigned 8-bit integer
    arp.hw.type  Hardware type        Unsigned 16-bit integer
    arp.opcode  Opcode        Unsigned 16-bit integer
    arp.proto.size  Protocol size        Unsigned 8-bit integer
    arp.proto.type  Protocol type        Unsigned 16-bit integer
    arp.src.atm_num_e164  Sender ATM number (E.164)        String
    arp.src.atm_num_nsap  Sender ATM number (NSAP)        Byte array
    arp.src.atm_subaddr  Sender ATM subaddress        Byte array
    arp.src.hlen  Sender ATM number length        Unsigned 8-bit integer
    arp.src.htype  Sender ATM number type        Boolean
    arp.src.hw  Sender hardware address        Byte array
    arp.src.pln  Sender protocol size        Unsigned 8-bit integer
    arp.src.proto  Sender protocol address        Byte array
    arp.src.slen  Sender ATM subaddress length        Unsigned 8-bit integer
    arp.src.stype  Sender ATM subaddress type        Boolean
 

Andrew File System (AFS) (afs)

    afs.backup  Backup        Boolean
    afs.backup.errcode  Error Code        Unsigned 32-bit integer
    afs.backup.opcode  Operation        Unsigned 32-bit integer
    afs.bos  BOS        Boolean
    afs.bos.baktime  Backup Time        Date/Time stamp
    afs.bos.cell  Cell        String
    afs.bos.cmd  Command        String
    afs.bos.content  Content        String
    afs.bos.data  Data        Byte array
    afs.bos.date  Date        Unsigned 32-bit integer
    afs.bos.errcode  Error Code        Unsigned 32-bit integer
    afs.bos.error  Error        String
    afs.bos.file  File        String
    afs.bos.flags  Flags        Unsigned 32-bit integer
    afs.bos.host  Host        String
    afs.bos.instance  Instance        String
    afs.bos.key  Key        Byte array
    afs.bos.keychecksum  Key Checksum        Unsigned 32-bit integer
    afs.bos.keymodtime  Key Modification Time        Date/Time stamp
    afs.bos.keyspare2  Key Spare 2        Unsigned 32-bit integer
    afs.bos.kvno  Key Version Number        Unsigned 32-bit integer
    afs.bos.newtime  New Time        Date/Time stamp
    afs.bos.number  Number        Unsigned 32-bit integer
    afs.bos.oldtime  Old Time        Date/Time stamp
    afs.bos.opcode  Operation        Unsigned 32-bit integer
    afs.bos.parm  Parm        String
    afs.bos.path  Path        String
    afs.bos.size  Size        Unsigned 32-bit integer
    afs.bos.spare1  Spare1        String
    afs.bos.spare2  Spare2        String
    afs.bos.spare3  Spare3        String
    afs.bos.status  Status        Signed 32-bit integer
    afs.bos.statusdesc  Status Description        String
    afs.bos.type  Type        String
    afs.bos.user  User        String
    afs.cb  Callback        Boolean
    afs.cb.callback.expires  Expires        Date/Time stamp
    afs.cb.callback.type  Type        Unsigned 32-bit integer
    afs.cb.callback.version  Version        Unsigned 32-bit integer
    afs.cb.errcode  Error Code        Unsigned 32-bit integer
    afs.cb.fid.uniq  FileID (Uniqifier)        Unsigned 32-bit integer
    afs.cb.fid.vnode  FileID (VNode)        Unsigned 32-bit integer
    afs.cb.fid.volume  FileID (Volume)        Unsigned 32-bit integer
    afs.cb.opcode  Operation        Unsigned 32-bit integer
    afs.error  Error        Boolean
    afs.error.opcode  Operation        Unsigned 32-bit integer
    afs.fs  File Server        Boolean
    afs.fs.acl.a  _A_dminister        Unsigned 8-bit integer
    afs.fs.acl.count.negative  ACL Count (Negative)        Unsigned 32-bit integer
    afs.fs.acl.count.positive  ACL Count (Positive)        Unsigned 32-bit integer
    afs.fs.acl.d  _D_elete        Unsigned 8-bit integer
    afs.fs.acl.datasize  ACL Size        Unsigned 32-bit integer
    afs.fs.acl.entity  Entity (User/Group)        String
    afs.fs.acl.i  _I_nsert        Unsigned 8-bit integer
    afs.fs.acl.k  _L_ock        Unsigned 8-bit integer
    afs.fs.acl.l  _L_ookup        Unsigned 8-bit integer
    afs.fs.acl.r  _R_ead        Unsigned 8-bit integer
    afs.fs.acl.w  _W_rite        Unsigned 8-bit integer
    afs.fs.callback.expires  Expires        Date/Time stamp
    afs.fs.callback.type  Type        Unsigned 32-bit integer
    afs.fs.callback.version  Version        Unsigned 32-bit integer
    afs.fs.cps.spare1  CPS Spare1        Unsigned 32-bit integer
    afs.fs.cps.spare2  CPS Spare2        Unsigned 32-bit integer
    afs.fs.cps.spare3  CPS Spare3        Unsigned 32-bit integer
    afs.fs.data  Data        Byte array
    afs.fs.errcode  Error Code        Unsigned 32-bit integer
    afs.fs.fid.uniq  FileID (Uniqifier)        Unsigned 32-bit integer
    afs.fs.fid.vnode  FileID (VNode)        Unsigned 32-bit integer
    afs.fs.fid.volume  FileID (Volume)        Unsigned 32-bit integer
    afs.fs.flength  FLength        Unsigned 32-bit integer
    afs.fs.ipaddr  IP Address        IPv4 address
    afs.fs.length  Length        Unsigned 32-bit integer
    afs.fs.motd  Message of the Day        String
    afs.fs.name  Name        String
    afs.fs.newname  New Name        String
    afs.fs.offlinemsg  Offline Message        String
    afs.fs.offset  Offset        Unsigned 32-bit integer
    afs.fs.oldname  Old Name        String
    afs.fs.opcode  Operation        Unsigned 32-bit integer
    afs.fs.status.anonymousaccess  Anonymous Access        Unsigned 32-bit integer
    afs.fs.status.author  Author        Unsigned 32-bit integer
    afs.fs.status.calleraccess  Caller Access        Unsigned 32-bit integer
    afs.fs.status.clientmodtime  Client Modification Time        Date/Time stamp
    afs.fs.status.dataversion  Data Version        Unsigned 32-bit integer
    afs.fs.status.dataversionhigh  Data Version (High)        Unsigned 32-bit integer
    afs.fs.status.filetype  File Type        Unsigned 32-bit integer
    afs.fs.status.group  Group        Unsigned 32-bit integer
    afs.fs.status.interfaceversion  Interface Version        Unsigned 32-bit integer
    afs.fs.status.length  Length        Unsigned 32-bit integer
    afs.fs.status.linkcount  Link Count        Unsigned 32-bit integer
    afs.fs.status.mask  Mask        Unsigned 32-bit integer
    afs.fs.status.mask.fsync  FSync        Unsigned 32-bit integer
    afs.fs.status.mask.setgroup  Set Group        Unsigned 32-bit integer
    afs.fs.status.mask.setmode  Set Mode        Unsigned 32-bit integer
    afs.fs.status.mask.setmodtime  Set Modification Time        Unsigned 32-bit integer
    afs.fs.status.mask.setowner  Set Owner        Unsigned 32-bit integer
    afs.fs.status.mask.setsegsize  Set Segment Size        Unsigned 32-bit integer
    afs.fs.status.mode  Unix Mode        Unsigned 32-bit integer
    afs.fs.status.owner  Owner        Unsigned 32-bit integer
    afs.fs.status.parentunique  Parent Unique        Unsigned 32-bit integer
    afs.fs.status.parentvnode  Parent VNode        Unsigned 32-bit integer
    afs.fs.status.segsize  Segment Size        Unsigned 32-bit integer
    afs.fs.status.servermodtime  Server Modification Time        Date/Time stamp
    afs.fs.status.spare2  Spare 2        Unsigned 32-bit integer
    afs.fs.status.spare3  Spare 3        Unsigned 32-bit integer
    afs.fs.status.spare4  Spare 4        Unsigned 32-bit integer
    afs.fs.status.synccounter  Sync Counter        Unsigned 32-bit integer
    afs.fs.symlink.content  Symlink Content        String
    afs.fs.symlink.name  Symlink Name        String
    afs.fs.timestamp  Timestamp        Date/Time stamp
    afs.fs.token  Token        Byte array
    afs.fs.viceid  Vice ID        Unsigned 32-bit integer
    afs.fs.vicelocktype  Vice Lock Type        Unsigned 32-bit integer
    afs.fs.volid  Volume ID        Unsigned 32-bit integer
    afs.fs.volname  Volume Name        String
    afs.fs.volsync.spare1  Spare 1        Unsigned 32-bit integer
    afs.fs.volsync.spare2  Spare 2        Unsigned 32-bit integer
    afs.fs.volsync.spare3  Spare 3        Unsigned 32-bit integer
    afs.fs.volsync.spare4  Spare 4        Unsigned 32-bit integer
    afs.fs.volsync.spare5  Spare 5        Unsigned 32-bit integer
    afs.fs.volsync.spare6  Spare 6        Unsigned 32-bit integer
    afs.fs.xstats.clientversion  Client Version        Unsigned 32-bit integer
    afs.fs.xstats.collnumber  Collection Number        Unsigned 32-bit integer
    afs.fs.xstats.timestamp  XStats Timestamp        Unsigned 32-bit integer
    afs.fs.xstats.version  XStats Version        Unsigned 32-bit integer
    afs.kauth  KAuth        Boolean
    afs.kauth.data  Data        Byte array
    afs.kauth.domain  Domain        String
    afs.kauth.errcode  Error Code        Unsigned 32-bit integer
    afs.kauth.kvno  Key Version Number        Unsigned 32-bit integer
    afs.kauth.name  Name        String
    afs.kauth.opcode  Operation        Unsigned 32-bit integer
    afs.kauth.princ  Principal        String
    afs.kauth.realm  Realm        String
    afs.prot  Protection        Boolean
    afs.prot.count  Count        Unsigned 32-bit integer
    afs.prot.errcode  Error Code        Unsigned 32-bit integer
    afs.prot.flag  Flag        Unsigned 32-bit integer
    afs.prot.gid  Group ID        Unsigned 32-bit integer
    afs.prot.id  ID        Unsigned 32-bit integer
    afs.prot.maxgid  Maximum Group ID        Unsigned 32-bit integer
    afs.prot.maxuid  Maximum User ID        Unsigned 32-bit integer
    afs.prot.name  Name        String
    afs.prot.newid  New ID        Unsigned 32-bit integer
    afs.prot.oldid  Old ID        Unsigned 32-bit integer
    afs.prot.opcode  Operation        Unsigned 32-bit integer
    afs.prot.pos  Position        Unsigned 32-bit integer
    afs.prot.uid  User ID        Unsigned 32-bit integer
    afs.rmtsys  Rmtsys        Boolean
    afs.rmtsys.opcode  Operation        Unsigned 32-bit integer
    afs.ubik  Ubik        Boolean
    afs.ubik.activewrite  Active Write        Unsigned 32-bit integer
    afs.ubik.addr  Address        IPv4 address
    afs.ubik.amsyncsite  Am Sync Site        Unsigned 32-bit integer
    afs.ubik.anyreadlocks  Any Read Locks        Unsigned 32-bit integer
    afs.ubik.anywritelocks  Any Write Locks        Unsigned 32-bit integer
    afs.ubik.beaconsincedown  Beacon Since Down        Unsigned 32-bit integer
    afs.ubik.currentdb  Current DB        Unsigned 32-bit integer
    afs.ubik.currenttran  Current Transaction        Unsigned 32-bit integer
    afs.ubik.epochtime  Epoch Time        Date/Time stamp
    afs.ubik.errcode  Error Code        Unsigned 32-bit integer
    afs.ubik.file  File        Unsigned 32-bit integer
    afs.ubik.interface  Interface Address        IPv4 address
    afs.ubik.isclone  Is Clone        Unsigned 32-bit integer
    afs.ubik.lastbeaconsent  Last Beacon Sent        Date/Time stamp
    afs.ubik.lastvote  Last Vote        Unsigned 32-bit integer
    afs.ubik.lastvotetime  Last Vote Time        Date/Time stamp
    afs.ubik.lastyesclaim  Last Yes Claim        Date/Time stamp
    afs.ubik.lastyeshost  Last Yes Host        IPv4 address
    afs.ubik.lastyesstate  Last Yes State        Unsigned 32-bit integer
    afs.ubik.lastyesttime  Last Yes Time        Date/Time stamp
    afs.ubik.length  Length        Unsigned 32-bit integer
    afs.ubik.lockedpages  Locked Pages        Unsigned 32-bit integer
    afs.ubik.locktype  Lock Type        Unsigned 32-bit integer
    afs.ubik.lowesthost  Lowest Host        IPv4 address
    afs.ubik.lowesttime  Lowest Time        Date/Time stamp
    afs.ubik.now  Now        Date/Time stamp
    afs.ubik.nservers  Number of Servers        Unsigned 32-bit integer
    afs.ubik.opcode  Operation        Unsigned 32-bit integer
    afs.ubik.position  Position        Unsigned 32-bit integer
    afs.ubik.recoverystate  Recovery State        Unsigned 32-bit integer
    afs.ubik.site  Site        IPv4 address
    afs.ubik.state  State        Unsigned 32-bit integer
    afs.ubik.synchost  Sync Host        IPv4 address
    afs.ubik.syncsiteuntil  Sync Site Until        Date/Time stamp
    afs.ubik.synctime  Sync Time        Date/Time stamp
    afs.ubik.tidcounter  TID Counter        Unsigned 32-bit integer
    afs.ubik.up  Up        Unsigned 32-bit integer
    afs.ubik.version.counter  Counter        Unsigned 32-bit integer
    afs.ubik.version.epoch  Epoch        Date/Time stamp
    afs.ubik.voteend  Vote Ends        Date/Time stamp
    afs.ubik.votestart  Vote Started        Date/Time stamp
    afs.ubik.votetype  Vote Type        Unsigned 32-bit integer
    afs.ubik.writelockedpages  Write Locked Pages        Unsigned 32-bit integer
    afs.ubik.writetran  Write Transaction        Unsigned 32-bit integer
    afs.update  Update        Boolean
    afs.update.opcode  Operation        Unsigned 32-bit integer
    afs.vldb  VLDB        Boolean
    afs.vldb.bkvol  Backup Volume ID        Unsigned 32-bit integer
    afs.vldb.bump  Bumped Volume ID        Unsigned 32-bit integer
    afs.vldb.count  Volume Count        Unsigned 32-bit integer
    afs.vldb.errcode  Error Code        Unsigned 32-bit integer
    afs.vldb.id  Volume ID        Unsigned 32-bit integer
    afs.vldb.index  Volume Index        Unsigned 32-bit integer
    afs.vldb.name  Volume Name        String
    afs.vldb.nextindex  Next Volume Index        Unsigned 32-bit integer
    afs.vldb.numservers  Number of Servers        Unsigned 32-bit integer
    afs.vldb.opcode  Operation        Unsigned 32-bit integer
    afs.vldb.partition  Partition        String
    afs.vldb.rovol  Read-Only Volume ID        Unsigned 32-bit integer
    afs.vldb.rwvol  Read-Write Volume ID        Unsigned 32-bit integer
    afs.vldb.server  Server        IPv4 address
    afs.vldb.serveruuid  Server UUID        Byte array
    afs.vldb.type  Volume Type        Unsigned 32-bit integer
    afs.vol  Volume Server        Boolean
    afs.vol.count  Volume Count        Unsigned 32-bit integer
    afs.vol.errcode  Error Code        Unsigned 32-bit integer
    afs.vol.id  Volume ID        Unsigned 32-bit integer
    afs.vol.name  Volume Name        String
    afs.vol.opcode  Operation        Unsigned 32-bit integer
 

Appletalk Address Resolution Protocol (aarp)

    aarp.dst.ether  Target ether        Byte array
    aarp.dst.id  Target ID        Byte array
    aarp.hard.size  Hardware size        Unsigned 8-bit integer
    aarp.hard.type  Hardware type        Unsigned 16-bit integer
    aarp.opcode  Opcode        Unsigned 16-bit integer
    aarp.proto.size  Protocol size        Unsigned 8-bit integer
    aarp.proto.type  Protocol type        Unsigned 16-bit integer
    aarp.src.ether  Sender ether        Byte array
    aarp.src.id  Sender ID        Byte array
 

Async data over ISDN (V.120) (v120)

    v120.address  Link Address        Unsigned 16-bit integer
    v120.control  Control Field        Unsigned 16-bit integer
    v120.header  Header Field        String
 

Authentication Header (ah)

    ah.sequence  Sequence        Unsigned 32-bit integer
    ah.spi  SPI        Unsigned 32-bit integer
 

BACnet Virtual Link Control (bvlc)

    bvlc.bdt_ip  IP        IPv4 address
    bvlc.bdt_mask  Mask        Byte array
    bvlc.bdt_port  Port        Unsigned 16-bit integer
    bvlc.fdt_ip  IP        IPv4 address
    bvlc.fdt_port  Port        Unsigned 16-bit integer
    bvlc.fdt_timeout  Timeout        Unsigned 16-bit integer
    bvlc.fdt_ttl  TTL        Unsigned 16-bit integer
    bvlc.function  Function        Unsigned 8-bit integer
    bvlc.fwd_ip  IP        IPv4 address
    bvlc.fwd_port  Port        Unsigned 16-bit integer
    bvlc.length  Length        Unsigned 16-bit integer
    bvlc.reg_ttl  TTL        Unsigned 16-bit integer
    bvlc.result  Result        Unsigned 16-bit integer
    bvlc.type  Type        Unsigned 8-bit integer
 

Banyan Vines (vines)

    vines.protocol  Protocol        Unsigned 8-bit integer
 

Banyan Vines Fragmentation Protocol (vines_frp)

 

Banyan Vines SPP (vines_spp)

 

Blocks eXtensible eXchange Protocol (bxxp)

    bxxp.channel  Channel        Unsigned 32-bit integer
    bxxp.end  End        Boolean
    bxxp.more.complete  Complete        Boolean
    bxxp.more.intermediate  Intermediate        Boolean
    bxxp.req  Request        Boolean
    bxxp.req.channel  Request Channel Number        Unsigned 32-bit integer
    bxxp.rsp  Response        Boolean
    bxxp.rsp.channel  Response Channel Number        Unsigned 32-bit integer
    bxxp.seq  Sequence        Boolean
    bxxp.seq.ackno  Ackno        Unsigned 32-bit integer
    bxxp.seq.channel  Sequence Channel Number        Unsigned 32-bit integer
    bxxp.seq.window  Window        Unsigned 32-bit integer
    bxxp.seqno  Seqno        Unsigned 32-bit integer
    bxxp.serial  Serial        Unsigned 32-bit integer
    bxxp.size  Size        Unsigned 32-bit integer
    bxxp.status.negative  Negative        Boolean
    bxxp.status.positive  Positive        Boolean
    bxxp.violation  Protocol Violation        Boolean
 

Boot Parameters (bootparams)

    bootparams.domain  Client Domain        String
    bootparams.fileid  File ID        String
    bootparams.filepath  File Path        String
    bootparams.host  Client Host        String
    bootparams.hostaddr  Client Address        IPv4 address
    bootparams.routeraddr  Router Address        IPv4 address
    bootparams.type  Address Type        Unsigned 32-bit integer
 

Bootstrap Protocol (bootp)

    bootp.cookie  Magic cookie        IPv4 address
    bootp.dhcp  Frame is DHCP        Boolean
    bootp.file  Boot file name        String
    bootp.flag  Broadcast flag        Unsigned 16-bit integer
    bootp.hops  Hops        Unsigned 8-bit integer
    bootp.hw.addr  Client hardware address        Byte array
    bootp.hw.len  Hardware address length        Unsigned 8-bit integer
    bootp.hw.type  Hardware type        Unsigned 8-bit integer
    bootp.id  Transaction ID        Unsigned 32-bit integer
    bootp.ip.client  Client IP address        IPv4 address
    bootp.ip.relay  Relay agent IP address        IPv4 address
    bootp.ip.server  Next server IP address        IPv4 address
    bootp.ip.your  Your (client) IP address        IPv4 address
    bootp.secs  Seconds elapsed        Unsigned 16-bit integer
    bootp.server  Server host name        String
    bootp.type  Message type        Unsigned 8-bit integer
 

Border Gateway Protocol (bgp)

    bgp.type  BGP message type        Unsigned 8-bit integer
 

Building Automation and Control Network APDU (bacapp)

    bacapp.bacapp_type  APDU Type        Unsigned 8-bit integer
 

Building Automation and Control Network NPDU (bacnet)

    bacnet.control  Control        Unsigned 8-bit integer
    bacnet.control_dest  Destination Specifier        Boolean
    bacnet.control_expect  Expecting Reply        Boolean
    bacnet.control_net  NSDU contains        Boolean
    bacnet.control_prio_high  Priority        Boolean
    bacnet.control_prio_low  Priority        Boolean
    bacnet.control_res1  Reserved        Boolean
    bacnet.control_res2  Reserved        Boolean
    bacnet.control_src  Source specifier        Boolean
    bacnet.dadr_eth  Destination ISO 8802-3 MAC Address        6-byte Hardware (MAC) Address
    bacnet.dadr_tmp  Unknown Destination MAC        Byte array
    bacnet.dlen  Destination MAC Layer Address Length        Unsigned 8-bit integer
    bacnet.dnet  Destination Network Address        Unsigned 16-bit integer
    bacnet.hopc  Hop Count        Unsigned 8-bit integer
    bacnet.mesgtyp  Message Type        Unsigned 8-bit integer
    bacnet.perf  Performance Index        Unsigned 8-bit integer
    bacnet.pinfo  Port Info        Unsigned 8-bit integer
    bacnet.pinfolen  Port Info Length        Unsigned 8-bit integer
    bacnet.portid  Port ID        Unsigned 8-bit integer
    bacnet.rejectreason  Reject Reason        Unsigned 8-bit integer
    bacnet.rportnum  Number of Port Mappings        Unsigned 8-bit integer
    bacnet.sadr_eth  SADR        6-byte Hardware (MAC) Address
    bacnet.sadr_tmp  Unknown Source MAC        Byte array
    bacnet.slen  Source MAC Layer Address Length        Unsigned 8-bit integer
    bacnet.snet  Source Network Address        Unsigned 16-bit integer
    bacnet.vendor  Vendor ID        Unsigned 16-bit integer
    bacnet.version  Version        Unsigned 8-bit integer
 

Cisco Auto-RP (auto_rp)

    auto_rp.group_prefix  Prefix        IPv4 address
    auto_rp.holdtime  Holdtime        Unsigned 16-bit integer
    auto_rp.mask_len  Mask length        Unsigned 8-bit integer
    auto_rp.pim_ver  Version        Unsigned 8-bit integer
    auto_rp.prefix_sign  Sign        Unsigned 8-bit integer
    auto_rp.rp_addr  RP address        IPv4 address
    auto_rp.rp_count  RP count        Unsigned 8-bit integer
    auto_rp.type  Packet type        Unsigned 8-bit integer
    auto_rp.version  Protocol version        Unsigned 8-bit integer
 

Cisco Discovery Protocol (cdp)

    cdp.checksum  Checksum        Unsigned 16-bit integer
    cdp.tlv.len  Length        Unsigned 16-bit integer
    cdp.tlv.type  Type        Unsigned 16-bit integer
    cdp.ttl  TTL        Unsigned 16-bit integer
    cdp.version  Version        Unsigned 8-bit integer
 

Cisco Group Management Protocol (cgmp)

    cgmp.count  Count        Unsigned 8-bit integer
    cgmp.gda  Group Destination Address        6-byte Hardware (MAC) Address
    cgmp.type  Type        Unsigned 8-bit integer
    cgmp.usa  Unicast Source Address        6-byte Hardware (MAC) Address
    cgmp.version  Version        Unsigned 8-bit integer
 

Cisco HDLC (chdlc)

    chdlc.address  Address        Unsigned 8-bit integer
    chdlc.protocol  Protocol        Unsigned 16-bit integer
 

Cisco Hot Standby Router Protocol (hsrp)

    hsrp.auth_data  Authentication Data        String
    hsrp.group  Group        Unsigned 8-bit integer
    hsrp.hellotime  Hellotime        Unsigned 8-bit integer
    hsrp.holdtime  Holdtime        Unsigned 8-bit integer
    hsrp.opcode  Op Code        Unsigned 8-bit integer
    hsrp.priority  Priority        Unsigned 8-bit integer
    hsrp.reserved  Reserved        Unsigned 8-bit integer
    hsrp.state  State        Unsigned 8-bit integer
    hsrp.version  Version        Unsigned 8-bit integer
    hsrp.virt_ip  Virtual IP Address        IPv4 address
 

Cisco ISL (isl)

    isl.addr  Source or Destination Address        6-byte Hardware (MAC) Address
    isl.bpdu  BPDU        Boolean
    isl.crc  CRC        Unsigned 32-bit integer
    isl.dst  Destination        6-byte Hardware (MAC) Address
    isl.dst_route_desc  Destination route descriptor        Unsigned 16-bit integer
    isl.esize  Esize        Unsigned 8-bit integer
    isl.explorer  Explorer        Boolean
    isl.fcs_not_incl  FCS Not Included        Boolean
    isl.hsa  HSA        Unsigned 24-bit integer
    isl.index  Index        Unsigned 16-bit integer
    isl.len  Length        Unsigned 16-bit integer
    isl.src  Source        6-byte Hardware (MAC) Address
    isl.src_route_desc  Source-route descriptor        Unsigned 16-bit integer
    isl.src_vlan_id  Source VLAN ID        Unsigned 16-bit integer
    isl.type  Type        Unsigned 8-bit integer
    isl.user  User        Unsigned 8-bit integer
    isl.user_eth  User        Unsigned 8-bit integer
    isl.vlan_id  VLAN ID        Unsigned 16-bit integer
 

Cisco Interior Gateway Routing Protocol (igrp)

    igrp.as  Autonomous System        Unsigned 16-bit integer
    igrp.update  Update Release        Unsigned 8-bit integer
 

Cisco SLARP (slarp)

    slarp.address  Address        IPv4 address
    slarp.mysequence  Outgoing sequence number        Unsigned 32-bit integer
    slarp.ptype  Packet type        Unsigned 32-bit integer
    slarp.yoursequence  Returned sequence number        Unsigned 32-bit integer
 

Common Open Policy Service (cops)

    cops.accttimer.value  Contents: ACCT Timer Value        Unsigned 16-bit integer
    cops.c_num  C-Num        Unsigned 8-bit integer
    cops.c_type  C-Type        Unsigned 8-bit integer
    cops.client_type  Client Type        Unsigned 16-bit integer
    cops.context.m_type  M-Type        Unsigned 16-bit integer
    cops.context.r_type  R-Type        Unsigned 16-bit integer
    cops.decision.cmd  Command-Code        Unsigned 16-bit integer
    cops.decision.flags  Flags        Unsigned 16-bit integer
    cops.error  Error        Unsigned 16-bit integer
    cops.error_sub  Error Sub-code        Unsigned 16-bit integer
    cops.flags  Flags        Unsigned 8-bit integer
    cops.in-int.ipv4  IPv4 address        IPv4 address
    cops.in-int.ipv6  IPv6 address        IPv6 address
    cops.in-out-int.ifindex  ifIndex        Unsigned 32-bit integer
    cops.integrity.key_id  Contents: Key ID        Unsigned 32-bit integer
    cops.integrity.seq_num  Contents: Sequence Number        Unsigned 32-bit integer
    cops.katimer.value  Contents: KA Timer Value        Unsigned 16-bit integer
    cops.lastpdpaddr.ipv4  IPv4 address        IPv4 address
    cops.lastpdpaddr.ipv6  IPv6 address        IPv6 address
    cops.msg_len  Message Length        Unsigned 32-bit integer
    cops.obj.len  Object Length        Unsigned 32-bit integer
    cops.op_code  Op Code        Unsigned 8-bit integer
    cops.out-int.ipv4  IPv4 address        IPv4 address
    cops.out-int.ipv6  IPv6 address        IPv6 address
    cops.pdp.tcp_port  TCP Port Number        Unsigned 32-bit integer
    cops.pdprediraddr.ipv4  IPv4 address        IPv4 address
    cops.pdprediraddr.ipv6  IPv6 address        IPv6 address
    cops.pepid.id  Contents: PEP Id        String
    cops.reason  Reason        Unsigned 16-bit integer
    cops.reason_sub  Reason Sub-code        Unsigned 16-bit integer
    cops.report_type  Contents: Report-Type        Unsigned 16-bit integer
    cops.ver_flags  Version and Flags        Unsigned 8-bit integer
    cops.version  Version        Unsigned 8-bit integer
 

Common Unix Printing System (CUPS) Browsing Protocol (cups)

    cups.ptype  Type        Unsigned 32-bit integer
    cups.state  State        Unsigned 8-bit integer
 

DCE RPC (dcerpc)

    dcerpc.auth_ctx_id  Auth Context ID        Unsigned 32-bit integer
    dcerpc.auth_level  Auth level        Unsigned 8-bit integer
    dcerpc.auth_pad_len  Auth pad len        Unsigned 8-bit integer
    dcerpc.auth_rsrvd  Auth Rsrvd        Unsigned 8-bit integer
    dcerpc.auth_type  Auth type        Unsigned 8-bit integer
    dcerpc.cn_ack_reason  Ack reason        Unsigned 16-bit integer
    dcerpc.cn_ack_result  Ack result        Unsigned 16-bit integer
    dcerpc.cn_ack_trans_id  Transfer Syntax        String
    dcerpc.cn_ack_trans_ver  Syntax ver        Unsigned 32-bit integer
    dcerpc.cn_alloc_hint  Alloc hint        Unsigned 32-bit integer
    dcerpc.cn_assoc_group  Assoc Group        Unsigned 32-bit integer
    dcerpc.cn_auth_len  Auth Length        Unsigned 16-bit integer
    dcerpc.cn_bind_if_ver  Interface Ver        Unsigned 16-bit integer
    dcerpc.cn_bind_if_ver_minor  Interface Ver Minor        Unsigned 16-bit integer
    dcerpc.cn_bind_to_uuid  Interface UUID        String
    dcerpc.cn_bind_trans_id  Transfer Syntax        String
    dcerpc.cn_bind_trans_ver  Syntax ver        Unsigned 32-bit integer
    dcerpc.cn_call_id  Call ID        Unsigned 32-bit integer
    dcerpc.cn_cancel_count  Cancel count        Unsigned 8-bit integer
    dcerpc.cn_ctx_id  Context ID        Unsigned 16-bit integer
    dcerpc.cn_flags  Packet Flags        Unsigned 8-bit integer
    dcerpc.cn_flags.cancel_pending  Cancel Pending        Boolean
    dcerpc.cn_flags.dne  Did Not Execute        Boolean
    dcerpc.cn_flags.first_frag  First Frag        Boolean
    dcerpc.cn_flags.last_frag  Last Frag        Boolean
    dcerpc.cn_flags.maybe  Maybe        Boolean
    dcerpc.cn_flags.mpx  Multiplex        Boolean
    dcerpc.cn_flags.object  Object        Boolean
    dcerpc.cn_flags.reserved  Reserved        Boolean
    dcerpc.cn_frag_len  Frag Length        Unsigned 16-bit integer
    dcerpc.cn_max_recv  Max Recv Frag        Unsigned 16-bit integer
    dcerpc.cn_max_xmit  Max Xmit Frag        Unsigned 16-bit integer
    dcerpc.cn_num_ctx_items  Num Ctx Items        Unsigned 8-bit integer
    dcerpc.cn_num_results  Num results        Unsigned 8-bit integer
    dcerpc.cn_num_trans_items  Num Trans Items        Unsigned 16-bit integer
    dcerpc.cn_sec_addr_len  Scndry Addr len        Unsigned 16-bit integer
    dcerpc.dg_act_id  Activity        String
    dcerpc.dg_ahint  Activity Hint        Unsigned 16-bit integer
    dcerpc.dg_auth_proto  Auth proto        Unsigned 8-bit integer
    dcerpc.dg_flags1  Flags1        Unsigned 8-bit integer
    dcerpc.dg_flags1_broadcast  Broadcast        Boolean
    dcerpc.dg_flags1_frag  Fragment        Boolean
    dcerpc.dg_flags1_idempotent  Idempotent        Boolean
    dcerpc.dg_flags1_last_frag  Last Fragment        Boolean
    dcerpc.dg_flags1_maybe  Maybe        Boolean
    dcerpc.dg_flags1_nofack  No Fack        Boolean
    dcerpc.dg_flags1_rsrvd_01  Reserved        Boolean
    dcerpc.dg_flags1_rsrvd_80  Reserved        Boolean
    dcerpc.dg_flags2  Flags2        Unsigned 8-bit integer
    dcerpc.dg_flags2_cancel_pending  Cancel Pending        Boolean
    dcerpc.dg_flags2_rsrvd_01  Reserved        Boolean
    dcerpc.dg_flags2_rsrvd_04  Reserved        Boolean
    dcerpc.dg_flags2_rsrvd_08  Reserved        Boolean
    dcerpc.dg_flags2_rsrvd_10  Reserved        Boolean
    dcerpc.dg_flags2_rsrvd_20  Reserved        Boolean
    dcerpc.dg_flags2_rsrvd_40  Reserved        Boolean
    dcerpc.dg_flags2_rsrvd_80  Reserved        Boolean
    dcerpc.dg_frag_len  Fragment len        Unsigned 16-bit integer
    dcerpc.dg_frag_num  Fragment num        Unsigned 16-bit integer
    dcerpc.dg_if_id  Interface        String
    dcerpc.dg_if_ver  Interface Ver        Unsigned 32-bit integer
    dcerpc.dg_ihint  Interface Hint        Unsigned 16-bit integer
    dcerpc.dg_seqnum  Sequence num        Unsigned 32-bit integer
    dcerpc.dg_serial_hi  Serial High        Unsigned 8-bit integer
    dcerpc.dg_serial_lo  Serial Low        Unsigned 8-bit integer
    dcerpc.dg_server_boot  Server boot time        Unsigned 32-bit integer
    dcerpc.drep  Data Representation        Byte array
    dcerpc.drep.byteorder  Byte order        Unsigned 8-bit integer
    dcerpc.drep.character  Character        Unsigned 8-bit integer
    dcerpc.drep.fp  Floating-point        Unsigned 8-bit integer
    dcerpc.obj_id  Object        String
    dcerpc.opnum  Opnum        Unsigned 16-bit integer
    dcerpc.pkt_type  Packet type        Unsigned 8-bit integer
    dcerpc.ver  Version        Unsigned 8-bit integer
    dcerpc.ver_minor  Version (minor)        Unsigned 8-bit integer
 

DCE/RPC Conversation Manager (conv)

 

DCE/RPC Endpoint Mapper (epm)

 

DCE/RPC Remote Management (mgmt)

 

DCOM OXID Resolver (oxid)

 

DCOM Remote Activation (remact)

 

DEC Spanning Tree Protocol (dec_stp)

 

Data (data)

 

Data Stream Interface (dsi)

    dsi.code  Code        Unsigned 32-bit integer
    dsi.command  Command        Unsigned 8-bit integer
    dsi.flags  Flags        Unsigned 8-bit integer
    dsi.length  Length        Unsigned 32-bit integer
    dsi.requestid  Request ID        Unsigned 16-bit integer
    dsi.reserved  Reserved        Unsigned 32-bit integer
 

Datagram Delivery Protocol (ddp)

    ddp.checksum  Checksum        Unsigned 16-bit integer
    ddp.dst.net  Destination Net        Unsigned 16-bit integer
    ddp.dst.node  Destination Node        Unsigned 8-bit integer
    ddp.dst.socket  Destination Socket