Data Field Reference
Use the Query Value column to construct queries in the query bar. Example: `classification:malicious` or `source.ip:1.2.3.4`
General
| Field | Query Value | Description |
|---|---|---|
| Session ID | _id | Unique identifier for the session |
| Src DSCP | srcDscp | Source non-zero differentiated services class selector set for session |
| Src DSCP Count | srcDscpCnt | Unique number of Source DSCP values for session |
| Dest DSCP | dstDscp | Destination non-zero differentiated services class selector set for session |
| Dest DSCP Count | dstDscpCnt | Unique number of Destination DSCP values for session |
| TCP Flag SYN | tcpflags.syn | Count of packets with SYN and no ACK flag set |
| TCP Flag SYN-ACK | tcpflags.syn-ack | Count of packets with SYN and ACK flag set |
| TCP Flag ACK | tcpflags.ack | Count of packets with only the ACK flag set |
| TCP Flag PSH | tcpflags.psh | Count of packets with PSH flag set |
| TCP Flag FIN | tcpflags.fin | Count of packets with FIN flag set |
| TCP Flag RST | tcpflags.rst | Count of packets with RST flag set |
| TCP Flag URG | tcpflags.urg | Count of packets with URG flag set |
| Initial RTT | initRTT | Initial round trip time (SYN to ACK delta / 2) in ms |
| Session Segments | segmentCnt | Number of segments in session so far |
| Session Length | length | Session length in milliseconds |
| User | user | External user set for session |
| User Count | userCnt | Unique number of external users set for session |
| ICMP Type | icmp.type | ICMP type field values |
| ICMP Code | icmp.code | ICMP code field values |
| Protocols | protocol | Protocols set for session |
| Protocols Cnt | protocolCnt | Unique number of protocols set for session |
| Src RIR | srcRIR | Source Regional Internet Registry (RIR) |
| Dest RIR | dstRIR | Destination Regional Internet Registry (RIR) |
| Data bytes | totDataBytes | Total number of data bytes sent AND received in a session |
| IP Protocol | ipProtocol | IP protocol number or friendly name |
| Arkime Node | node | Arkime node name the session was recorded on |
| Src Payload UTF8 | srcPayload8 | First 8 bytes of source payload in utf8 |
| Dest Payload UTF8 | dstPayload8 | First 8 bytes of destination payload in utf8 |
| Start Time | firstPacket | Session start time |
| Stop Time | lastPacket | Session stop time |
| Src Port | source.port | Source port |
| Src Bytes | source.bytes | Total raw bytes sent by source in a session |
| Dest Port | destination.port | Destination port |
| Dest IP | destination.ip | Destination IP address |
| Dest Bytes | destination.bytes | Total raw bytes sent by destination in a session |
| Dst Data Bytes | server.bytes | Total data bytes sent by destination in a session |
| Src IP | source.ip | Source IP address |
| Bytes | network.bytes | Total raw bytes sent AND received in a session |
| Src Data Bytes | client.bytes | Total data bytes sent by source in a session |
| Packets | network.packets | Total packets sent AND received in a session |
| Spoofable | spoofable | Whether the session completed a three-way handshake |
| Is Bogon | isBogon | Whether the source IP is a private address |
| TCP No Ack | tcpNoAck | TCP sessions with no Ack packets |
| Classification | classification | GreyNoise tag classification of the session |
| Src Packets | source.packets | Total packets sent by source in a session |
| Dest Packets | destination.packets | Total packets sent by destination in a session |
| Community Id | network.community_id | Community id flow hash |
Source Metadata
| Field | Query Value | Description |
|---|---|---|
| Src Country Code | sourceMetadata.country_code | Source IP country code from IPInfo |
| Src isBot | sourceMetadata.is_bot | Whether source IP is a known bot |
| Src isMobile | sourceMetadata.is_mobile | Whether source IP is a mobile network |
| Src isTor | sourceMetadata.is_tor | Whether source IP is a Tor exit node |
| Src isVpn | sourceMetadata.is_vpn | Whether source IP is associated with a VPN |
| Src Organization | sourceMetadata.org | Source IP organization from IPInfo |
| Src Postal Code | sourceMetadata.postal | Source IP postal code from IPInfo |
| Src rdns Parent | sourceMetadata.rdns_parent | Source IP reverse DNS parent domain |
| Src rdns Validated | sourceMetadata.rdns_validated | Whether source IP reverse DNS is validated |
| Src VPN Service | sourceMetadata.vpn_service | VPN service associated with source IP |
| Src ASN | sourceMetadata.asn | Source IP ASN from IPInfo |
| Src Carrier | sourceMetadata.carrier | Source IP carrier from IPInfo |
| Src Datacenter | sourceMetadata.datacenter | Source IP datacenter from IPInfo |
| Src Domain | sourceMetadata.domain | Source IP domain from IPInfo |
| Src City | sourceMetadata.city | Source IP city from IPInfo |
| Src Country | sourceMetadata.country | Source IP country name from IPInfo |
| Src Latitude | sourceMetadata.latitude | Source IP latitude from IPInfo |
| Src Longitude | sourceMetadata.longitude | Source IP longitude from IPInfo |
| Src Phone | sourceMetadata.phone | Source IP phone prefix from IPInfo |
| Src rdns | sourceMetadata.rdns | Source IP reverse DNS from IPInfo |
| Src Region | sourceMetadata.region | Source IP region from IPInfo |
| Src Route | sourceMetadata.route | Source IP route from IPInfo |
| Src Type | sourceMetadata.type | Source IP network type from IPInfo |
| Src URL | sourceMetadata.url | Source IP info URL from IPInfo |
Destination Metadata
| Field | Query Value | Description |
|---|---|---|
| Dest Country Code | destinationMetadata.country_code | Destination IP country code from IPInfo |
| Dest isBot | destinationMetadata.is_bot | Whether destination IP is a known bot |
| Dest isMobile | destinationMetadata.is_mobile | Whether destination IP is a mobile network |
| Dest isTor | destinationMetadata.is_tor | Whether destination IP is a Tor exit node |
| Dest isVpn | destinationMetadata.is_vpn | Whether destination IP is associated with a VPN |
| Dest Organization | destinationMetadata.org | Destination IP organization from IPInfo |
| Dest Postal Code | destinationMetadata.postal | Destination IP postal code from IPInfo |
| Dest rdns Parent | destinationMetadata.rdns_parent | Destination IP reverse DNS parent domain |
| Dest rdns Validated | destinationMetadata.rdns_validated | Whether destination IP reverse DNS is validated |
| Dest VPN Service | destinationMetadata.vpn_service | VPN service associated with destination IP |
| Dest ASN | destinationMetadata.asn | Destination IP ASN from IPInfo |
| Dest Carrier | destinationMetadata.carrier | Destination IP carrier from IPInfo |
| Dest Datacenter | destinationMetadata.datacenter | Destination IP datacenter from IPInfo |
| Dest Domain | destinationMetadata.domain | Destination IP domain from IPInfo |
| Dest City | destinationMetadata.city | Destination IP city from IPInfo |
| Dest Country | destinationMetadata.country | Destination IP country name from IPInfo |
| Dest Latitude | destinationMetadata.latitude | Destination IP latitude from IPInfo |
| Dest Longitude | destinationMetadata.longitude | Destination IP longitude from IPInfo |
| Dest Phone | destinationMetadata.phone | Destination IP phone prefix from IPInfo |
| Dest rdns | destinationMetadata.rdns | Destination IP reverse DNS from IPInfo |
| Dest Region | destinationMetadata.region | Destination IP region from IPInfo |
| Dest Route | destinationMetadata.route | Destination IP route from IPInfo |
| Dest Type | destinationMetadata.type | Destination IP network type from IPInfo |
| Dest URL | destinationMetadata.url | Destination IP info URL from IPInfo |
GN Metadata
| Field | Query Value | Description |
|---|---|---|
| Workspace UUID | gnMetadata.workspace.id | Unique identifier of the workspace |
| Sensor UUID | gnMetadata.sensor.id | Unique identifier of the sensor |
| Profile UUID | gnMetadata.persona.id | Unique identifier of the profile |
| Sensor Name | gnMetadata.sensor.name | Human-readable name given to a sensor |
| Profile Name | gnMetadata.persona.name | Human-readable name given to a profile |
| Profile Categories | gnMetadata.persona.categories | Categories that apply to a profile |
| Profile Application Protocols | gnMetadata.persona.application_protocols | Application layer protocols that the profile mimics |
| Profile Associated Vulnerabilities | gnMetadata.persona.associated_vulnerabilities | Known vulnerabilities associated with the profile |
| Profile Ports | gnMetadata.persona.ports | TCP ports on which the profile listens |
| SPI Gen Timestamp | gnMetadata.spi_gen_timestamp | Timestamp of when Arkime SPI Gen processed the PCAP file |
| Replay Flag | gnMetadata.replay | Whether this session was replayed from a retrohunt |
GN Tag Metadata
| Field | Query Value | Description |
|---|---|---|
| Tag Category | gnTagMetadata.category | GreyNoise tag category |
| Tag Confidence | gnTagMetadata.confidence | Confidence of the GreyNoise tag classification |
| Tag Created | gnTagMetadata.created | Timestamp when GreyNoise tag was created |
| Tag CVEs | gnTagMetadata.cves | CVEs related to the GreyNoise tag |
| Tag Description | gnTagMetadata.description | Description of the GreyNoise tag |
| Tag Enabled | gnTagMetadata.enabled | Whether the GreyNoise tag is enabled |
| GreyNoise Tag ID | gnTagMetadata.id | The GreyNoise tag ID |
| Tag Inserted At | gnTagMetadata.inserted_at | Timestamp when GreyNoise tag was inserted |
| Tag Intention | gnTagMetadata.intention | GreyNoise tag intention (malicious, benign, etc.) |
| Tag Name | gnTagMetadata.name | Name of the GreyNoise tag |
| Tag Negates | gnTagMetadata.negates | Whether the GreyNoise tag is a negation |
| Tag Recommend Block | gnTagMetadata.recommend_block | Whether GreyNoise recommends blocking this traffic |
| Tag References | gnTagMetadata.references | References to GreyNoise tag research |
| Tag Silent | gnTagMetadata.silent | Whether the GreyNoise tag is silent |
| Tag Slug | gnTagMetadata.slug | The GreyNoise tag slug |
| Tag Updated At | gnTagMetadata.updated_at | Last time the GreyNoise tag was updated |
| Tag User Submitted | gnTagMetadata.submitted | Whether the GreyNoise tag was user submitted |
HTTP
| Field | Query Value | Description |
|---|---|---|
| Hostname | http.host | HTTP host header field |
| Hostname Count | http.hostCnt | Unique number of HTTP host header values |
| URI | http.uri | URIs for request |
| URI Count | http.uriCnt | Unique number of URIs for request |
| URI Path | http.path | Path portion of URI |
| URI Path Count | http.pathCnt | Unique number of URI path values |
| Useragent | http.useragent | User-Agent header |
| Useragent Count | http.useragentCnt | Unique number of User-Agent header values |
| Request Method | http.method | HTTP request method |
| Request Method Count | http.methodCnt | Unique number of HTTP request methods |
| Method GET Count | http.method-GET | Number of GET method calls in session |
| Method POST Count | http.method-POST | Number of POST method calls in session |
| Method CONNECT Count | http.method-CONNECT | Number of CONNECT method calls in session |
| Request Headers | http.requestHeader | Request headers present |
| Request Header Count | http.requestHeaderCnt | Unique number of request headers |
| Request Header Values | http.requestHeaderValue | Request header values |
| Request Header Values Count | http.requestHeaderValueCnt | Unique number of request header values |
| Request HTTP Version | http.clientVersion | Request HTTP version number |
| Request HTTP Version Count | http.clientVersionCnt | Unique number of request HTTP version values |
| Request content-type | http.request-content-type | Request header content-type |
| Request content-type Count | http.request-content-typeCnt | Unique number of request content-type values |
| Request accept | http.request-accept | Request header accept |
| Request accept Count | http.request-acceptCnt | Unique number of request accept values |
| Request accept-encoding | http.request-accept-encoding | Request header accept-encoding |
| Request accept-encoding Count | http.request-accept-encodingCnt | Unique number of accept-encoding values |
| Request accept-language | http.request-accept-language | Request header accept-language |
| Request accept-language Count | http.request-accept-languageCnt | Unique number of accept-language values |
| Request connection | http.request-connection | Request header connection |
| Request connection Count | http.request-connectionCnt | Unique number of connection header values |
| Request content-length | http.request-content-length | Request header content-length |
| Request content-length Count | http.request-content-lengthCnt | Unique number of content-length values |
| Request Body | http.requestBody | HTTP request body |
| Response Headers | http.responseHeader | Response headers present |
| Response Headers Count | http.responseHeaderCnt | Unique number of response headers |
| Response Header Values | http.responseHeaderValue | Response header values |
| Response Header Values Count | http.responseHeaderValueCnt | Unique number of response header values |
| Response HTTP Version | http.serverVersion | Response HTTP version number |
| Response HTTP Version Count | http.serverVersionCnt | Unique number of response HTTP version values |
| Response Status Code | http.statuscode | Response HTTP numeric status code |
| Response Status Code Count | http.statuscodeCnt | Unique number of response status codes |
| Body MD5 | http.md5 | MD5 of HTTP body response |
| Response Body MD5 Count | http.md5Cnt | Unique number of HTTP body MD5 values |
| Body Magic | http.bodyMagic | Content type of body determined by libfile/magic |
| Body Magic Count | http.bodyMagicCnt | Unique number of body magic values |
| JA4h | http.ja4h | HTTP JA4h fingerprint |
| JA4h Count | http.ja4hCnt | Unique number of JA4h fingerprint values |
| JA4h_r | http.ja4h_r | HTTP JA4h raw fingerprint |
| JA4h_r Count | http.ja4h_rCnt | Unique number of JA4h raw fingerprint values |
SSH
| Field | Query Value | Description |
|---|---|---|
| Version | ssh.version | SSH software version |
| Version Count | ssh.versionCnt | Unique number of SSH software version values |
| Key | ssh.key | SSH key |
| Key Cnt | ssh.keyCnt | Unique number of SSH keys |
| HASSH | ssh.hassh | SSH HASSH fingerprint |
| HASSH Count | ssh.hasshCnt | Unique number of HASSH fingerprint values |
| HASSH Server | ssh.hasshServer | SSH HASSH server fingerprint |
| HASSH Server Count | ssh.hasshServerCnt | Unique number of HASSH server fingerprint values |
| JA4ssh | ssh.ja4ssh | SSH JA4ssh fingerprint |
| JA4ssh Count | ssh.ja4sshCnt | Unique number of JA4ssh fingerprint values |
TLS
| Field | Query Value | Description |
|---|---|---|
| Version | tls.version | SSL/TLS version |
| Version Count | tls.versionCnt | Unique number of SSL/TLS version values |
| Cipher | tls.cipher | SSL/TLS cipher suite |
| Cipher Count | tls.cipherCnt | Unique number of cipher suite values |
| JA3 | tls.ja3 | SSL/TLS JA3 fingerprint |
| JA3 Count | tls.ja3Cnt | Unique number of JA3 fingerprint values |
| JA3 String | tls.ja3string | SSL/TLS JA3 string |
| JA3 String Count | tls.ja3stringCnt | Unique number of JA3 string values |
| JA3S | tls.ja3s | SSL/TLS JA3S fingerprint |
| JA3S Count | tls.ja3sCnt | Unique number of JA3S fingerprint values |
| JA3S String | tls.ja3sstring | SSL/TLS JA3S string |
| JA3S String Count | tls.ja3sstringCnt | Unique number of JA3S string values |
| JA4 | tls.ja4 | SSL/TLS JA4 fingerprint |
| JA4 Count | tls.ja4Cnt | Unique number of JA4 fingerprint values |
| JA4_r | tls.ja4_r | SSL/TLS JA4_r fingerprint |
| JA4_r Count | tls.ja4_rCnt | Unique number of JA4_r fingerprint values |
| JA4s | tls.ja4s | SSL/TLS JA4s fingerprint |
| JA4s Count | tls.ja4sCnt | Unique number of JA4s fingerprint values |
| JA4s_r | tls.ja4s_r | SSL/TLS JA4s raw fingerprint |
| JA4s_r Count | tls.ja4s_rCnt | Unique number of JA4s raw fingerprint values |
| Dst Session Id | tls.dstSessionId | SSL/TLS destination session ID |
| Src Session Id | tls.srcSessionId | SSL/TLS source session ID |
TCP
| Field | Query Value | Description |
|---|---|---|
| JA4l | tcp.ja4l | JA4 latency client fingerprint |
| JA4ls | tcp.ja4ls | JA4 latency server fingerprint |
| JA4t | tcp.ja4t | JA4 TCP client fingerprint |
| JA4t Count | tcp.ja4tCnt | Unique number of JA4 TCP client fingerprint values |
| JA4ts | tcp.ja4ts | JA4 TCP server fingerprint |
| JA4ts Count | tcp.ja4tsCnt | Unique number of JA4 TCP server fingerprint values |
Suricata
| Field | Query Value | Description |
|---|---|---|
| Flow Id | suricata.flowId | Suricata flow ID |
| Flow Id Cnt | suricata.flowIdCnt | Unique number of Suricata flow IDs |
| Action | suricata.action | Suricata action (alert, drop, etc.) |
| Action Cnt | suricata.actionCnt | Unique number of Suricata action values |
| Signature | suricata.signature | Suricata IDS signature name |
| Signature Cnt | suricata.signatureCnt | Unique number of Suricata signatures |
| Signature Id | suricata.signatureId | Suricata signature ID |
| Signature Id Cnt | suricata.signatureIdCnt | Unique number of Suricata signature IDs |
| Category | suricata.category | Suricata alert category |
| Category Cnt | suricata.categoryCnt | Unique number of Suricata category values |
| Gid | suricata.gid | Suricata group ID |
| Gid Cnt | suricata.gidCnt | Unique number of Suricata group IDs |
| Severity | suricata.severity | Suricata alert severity level |
| Severity Cnt | suricata.severityCnt | Unique number of Suricata severity values |
Krb5 (Kerberos)
| Field | Query Value | Description |
|---|---|---|
| Realm | krb5.realm | Kerberos 5 realm |
| Realm Cnt | krb5.realmCnt | Unique number of Kerberos 5 realm values |
| sname | krb5.sname | Kerberos 5 service name |
| sname Cnt | krb5.snameCnt | Unique number of Kerberos 5 service name values |