Command Line Options

nProbe supports a large number of command line parameters. To see what they are, simply enter the command nprobe -h and the help information should be printed. The most important parameters are briefly discussed here.

-n: collector addresses

This specifies the NetFlow collectors addresses to which nProbe will send the flows. If more than one is specified, they need to be separated with a comma or the –n flag can be repeated several times (e.g. -n 172.22.3.4:33,172.22.3.4:34 and -n 172.22.3.4:33 –n 172.22.3.4:34 are equivalent). When multiple collectors are defined, you can control the way flows are exported using the –a option (see below); if on a collector address the destination port is omitted, flows are sent to 2055 port and whereas if all the option is not specified, by default, flows are sent to the loop back interface (127.0.0.1) on port 2055. If this parameter is used, nProbe exports flows towards collector running at 127.0.0.1:2055. By default the UDP protocol is used but also TCP and SCTP (Linux only when nProbe is compiled with SCTP support and the kernel supports it). In this case you can specify the collector address as udp://<host>:<port>, tcp://<host>:<port>, and sctp://<host>:<port>,

-i: interface name

It specifies the interface from which packets are captured. If -i is not used, nProbe will use the default interface (if any). In case a user needs to activate nProbe on two different interfaces, then he/she needs to activate multiple nProbe instances once per interface. For debugging purposes it is possible to pass nProbe a .pcap file from which packets will be read. If nProbe is compiled and activated with PF_RING support, you can specify multiple interfaces from which packets are captured. For example, “-i eth0,eth1”, will merge packets received on eth0 and eth1 into a single traffic stream. This configuration is particularly useful when merging the two directions (TX and RX) of a network TAP.

-t: maximum flow lifetime

Regardless of the flow duration, a flow that has been active for more that the specified maximum lifetime is considered expired and it will be emitted. Further packets belonging to the same flow will be accounted on a new flow.

-d: maximum flow idle lifetime

A flow is over when the last packet received is older that the maximum flow idle lifetime. This means that whenever applicable, (e.g. SNMP walk) UDP flows will not be accounted on 1 packet/1 flow basis, but on one global flow that accounts all the traffic. This has a benefit on the total number of generated flows and on the overall collector performance.

-l: maximum queue timeout

It specifies the maximum amount of time that a flow can be queued waiting to be exported. Use this option in order to try to pack several flows into fewer packets, but at the same time have an upper bound timeout for queuing flows into the probe.

-s:  snaplen

This flag specifies the portion of the packet (also called snaplen) that will be captured by nProbe. By default nprobe sets the snaplen automatically according to its configuration, but you can override its value using thia flag.

-p: <VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP>

Flows can be aggregated both at collector and probe side. However probe allocation is much more effective as it reduces significantly the number of emitted flows hence the work that the collector has to carry on. nProbe supports various aggregation levels that can be selected specifying with the -p flag. The aggregation format is <VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP> where each option can be set to 0 (ignore) or 1 (take care). Ignored fields are set to a null value when doing the aggregation as well as when doing the export. For example setting the <exporter IP> to 0 (ignore) will consider all the incoming flows as if they were coming from the same null exporter that will be output in %EXPORTER_IPV4_ADDRESS as 0.0.0.0. By default no aggregation is performed. For the sake of example, the value 0/0/1/0/0/0/0 can be used to create a map of who’s talking to who (network conversation matrix).

-f: packet capture filter

This BPF filter (see the appendix for further information about BPF filters) allows nProbe to take into account only those packets that match the filter (if specified).

-a: select flow export policy

When multiple collectors are defined (see –n option), nProbe sends them flows in round robin. However it is possible to send the same flow to all collectors as a flow redirector does if the –a option is used.

-b: enable verbose logging

Using this flag, nProbe generates verbose output that can be used to tune its performance (see chapter 2.4). Zero is the lowest level (little information is printed), 1 displays traffic statistics, 2 is really verbose. Example of traffic statistics:

30/Oct/2020 16:10:00 Average traffic: [1.7 pkt/sec][1 Kb/sec]
30/Oct/2020 16:10:00 Current traffic: [1.9 pkt/sec][1 Kb/sec]
30/Oct/2020 16:10:00 Current flow export rate: [0.9 flows/sec]
30/Oct/2020 16:10:00 [Buckets: [active=13][allocated=21][free=8][toBeExported=0][frags=0]
30/Oct/2020 16:10:00 Fragment queue: [len=0]
30/Oct/2020 16:10:00 Num Packets: 111 (max bucket search: 0)
30/Oct/2020 16:10:00 115 pkts rcvd/0 pkts dropped

-G: start nprobe as a daemon.

Useful when starting nprobe as daemon.

--ndpi-protocols|-O: export only flows whose L7 protocol is in the specified list.

This option can be used to filter exported flows based on the application protocol. Example: -O “DNS,HTTP,BitTorrent”.

--ndpi-custom-protos <path|URL>

Custom nDPI protocols. You can specify both a path (e.g. nDPI/example/protos.txt) or URL (http://localhost/protos.txt).

-P: dump flows

This path specifies the directory where flows will be dumped. The dump format is text and it depends on the nProbe template specified with -T.

-F

It specifies the frequency at which files are dumped on disk

-D: dump flows format

Flows stored on disks can be stored in multiple formats: text (default), binary (as they are exported), JSON, or gzip-compressed text flows. Note that this flag has no effect unless -P is used.

-u: input device index

The NetFlow specification contains a numeric index in order to identify flows coming from different interfaces of the same probe. As multiple nProbe instances can be started on the same host but on different devices, the collector can use this flag to divide flows according to the interface number. If –u is not used, then nprobe will use 0 as interface index. Alternatively, if -1 is used then the last two bytes of the mac address of the flow sender are used as index.

-Q: output device index

Similar to –u but for the output interface.

--vlanid-as-iface-idx <mode: inner outer single double>

nProbe can use the VLAN tag as interface identifier. Using this flag you enable this feature. As VLAN tags can be stacked you need to specify if the inner or outer tag will be used for the interface identifier.

--discard-unknown-flows <mode:0 1 2>

nProbe includes nDPI support for analyzing packet contents in order to detect application protocol. The mode value can be used to:

  • 0: Export all know (i.e. those whose application protocol has been detected) and unknown (i.e. the application protocol is unknown)

  • 1: Export only know flows, discarding unknown flows.

  • 2: Export only unknown flows, discarding known flows.

-v: print version

This flag is used to print the nProbe version number and date.

-C: flow export lock

This is a simple way to implement high-availability. Start two probes capturing the same data. The master probe emit flows, the slave probe is started with –C <path>. As long as <path> exists, the slave works but no flow is emitted. If the <path> file is deleted (e.g. using an external program for controlling the master/slave such as heartbeat) the slave starts emitting flows. If the file is restored, the slave is silent again.

-h: print help

Prints the nProbe help.

--dont-nest-dump-dirs

nProbe dumps data on disk (e.g. with -P) using a nested directory. In essence the base directory will be partitioned in sub-directories with <year>/<month>/<day>/<hour>/<min> structure. use this option is you want nProbe to dump all data in the base directory without creating this nested directory tree.

-I: log to syslog <probe name>

nProbe logs on stdout unless the –g flag (see above) is used. If the syslog needs to be used instead of a file, this flag instruments nProbe to log on it using the specified name (this is useful when multiple nProbe instances are active on the same host). Please note that –g is ignored if –I is used, and this option is not available on nProbe for Win32.

-w: size of the hash that stores the flows

The default size is 131072 and it should be enough for most of networks. In case flows are not emitted often and with strong traffic conditions it would be necessary to increase the hash. See later in this manual for knowing more about nProbe tuning.

-W: Discard IPv6 traffic

Use this flag if you want nProbe not to account IPv6 traffic.

-e: flow export delay

Some collectors cannot keep up with nProbe export speed. This flag allows flows to be slow down by adding a short delay (specified in ms) between two consecutive exports. The maximum allowed delay is 1000 ms.

-B: packet count delay

It specified how many flow packets need to be sent before –e is applied,

-z: <TCP[:UDP[:O]]>

Peer-to-peer applications, attacks or misconfigured applications often generate a lot of tiny flows that can cause significant load on the collector side. As most collector setups often discarded those flows, it is possible to instrument nProbe via the –z flag not to emit such flows.

-M: maximum number of active flows

It is used to limit the maximum number of concurrent flows that the probe can sustain. This is useful for preventing the probe from creating as many flows as needed and hence to take over all the available resources.

-E: netflow engine

Specify the netflow engineType:engineId into the generated flows.

-m: minimum number of flows per packet

In order to minimize the number of emitted packets containing flows, it is possible to specify the minimum number of flows that necessarily need to be contained in a packet. This means that the packet is not emitted until the specified number of flows is reached.

-q: <host>:[<port>] flow sender address and port

This option is used to specify the address and, optionally, the port that will be used by nProbe to emit the flows towards the destination indicated with -n. In practice, nProbe will create a socket and bind it to <host>:[port], thus allowing the user to choose the interface taken by the emitted flows when leaving the host.

-S <pkt rate>:<flow collection rate>:<flow export rate>

Three different rates can be specified with this option:

  • Packet capture sampling rate <pkt rate>. This rate is effective for interfaces specified with -i and allows to control the sampling rate of incoming packets. For example, a sampling rate of 100 will instruct nprobe to actually process one packet out of 100, discarding all the others. All the statistics, including total bytes and packets, will be automatically up-scaled by nprobe to reflect the sample rate. In the previous example, the size of the sampled packet will be multiplied by 100. <pkt rate> can be prepended with a ‘@’ to instruct nprobe to only use the sampling rate for the up-scaling, without performing any actual sampling. This is particularly useful when incoming packets are already sampled on the capture device connected to nprobe but it is still meaningful to have up-scaled statistics.

  • Flow collection sampling rate <flow collection rate>. This rate works when nprobe is in collector mode, that is, when option –collector-port is used and specifies the flow rate at which flows being collected have been sampled. In this case, no actual sampling is performed on the incoming flows. The specified rate is only used to perform the upscaling. For example, a flow with 250 IN_BYTES will be up-scaled by a factor equal to the sampling rate. If the sampling rate is 100, a total of 2500 IN_BYTES will be accounted for that flow.

  • Flow export rate <flow export rate>. This rate is effective when nprobe exports NetFlow towards a downstream collector, that is, when option -n is used. It controls the output sampling. For example, a <flow export rate> of 100 will cause nprobe to only export 1 flow out of 100 towards the downstream collector.

-A: AS file

Network probes are usually installed on systems where the routing information is available (e.g. via BGP) in order to specify the AS (Autonomous System) id of the flow peer. As nProbe has no access to BGP information unless you enable the BGP plugin, users need to provide this information by means of a static file whose format is <AS>:<network>. The file can be stored in both plain text and gzip format.

--city-list: City List

With this option you can enable geolocation of IP addresses at city/country detail level. Here you need to specify the GeoIP city database (e.g. GeoLiteCity.dat)

-g

It specifies the path where nProbe will save the process PID.

-T: flow template definition

Contrary to NetFlow v5 where the flow format is fixed, NetFlow V9 and IPFIX flows have a custom format that can be specified at runtime using this option as specified in appendix.

-U: flow template id

NetFlow v9 and IPFIX flows format is specified in a template whose definition is sent by nProbe before to start sending flows. The flow format is defined by –T, where –U is used to set the template identifier. This option should not be used unless the default template value (257) needs to be changed. As based on -T nProbe can define several templates, this value is the one used for the first defined template.

-V: flow export version

It is used to specify the flow version for exported flows. Supported versions are 5 (v5), 9 (v9) and 10 (IPFIX).

-o: intra templates packet export.

It specifies the number of flow packets that are exported between two templates export.

--aggregate-gtp-tunnels

Aggregates traffic flowing in each GTP tunnel based in tunnel id.

-L: local networks

Use this flag to specify (format network/mask, e.g. 192.168.0.10/24) the list of networks that are considered local (see –c).

-c: track local hosts only

It allows nProbe to set to 0.0.0.0 all those hosts that are considered non-local (see –L). This is useful when it is necessary to restrict the traffic analysis only to local hosts.

-r: set traffic direction

When this option is used (-L must be specified before –r), all the traffic that goes towards the local networks is considered incoming, all the rest is outgoing. This has effect on the –u/-Q that are then forced with –r.

--if-networks

Flags -u and -Q are used to specify the SNMP interface identifiers for emitted flows. In mirrored environments, it is possible to simulate a switched environment by playing with MAC addresses. This option allows users to bind a MAC or IP address to a specified interfaceId.. The syntax of –if-networks is <MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,). Example: –if-networks “AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2” or –if-networks @<filename> where <filename> is a file path containing the networks specified using the above format.

--count: debug only

Let the probe capture only up to the specified number of packets.

--collector-port: specifies the NetFlow collector port

Use nProbe to collect NetFlow/jFlow/IPFIX/sFlow packets. Use option --collector-port to specify on which on which ports such packets should be collected. nProbe is able to ingest and convert flows from various versions. For instance nprobe --collector-port 2055 --i 192.168.0.1:2056 --V 10 converts each flow received on port 2055 to IPFIX and sends them to 192.168.0.1:2056. By default nProbe binds the collection port to all available interfaces. If you want you can bind the port only to one interface. This can accomplshed specifying an optional local (to the host where nprobe is running) IP address. Exampple -3 192.168.1.23:2055.

Option --collector-port can also be used to receive NetFlow/jFlow/IPFIX/sFlow packets through a ZMQ relay. In this case one should specify a ZMQ endpoint. An implementation of a ZMQ relay is available in executable flowRelay. Run flowRelay -h to see how to use it.

--collector-passthrough

Export flows to the configured ZMQ endpoints as-is, ignoring the -T. Using --collector-passthrough gives the highest collection throughput. ZMQ/Syslog/Kafka exports are supported. See Understanding How Flow Collection Works for a detailed discussion. Note that -T is ignore when passthrough is used. This is a nProbe Pro-only feature.

--collector-nf-reforge <file>

Flow collection-only feature. It allows users to configure NetFlow collection filtering and reforge by specifying a configuration file and passing it as argument. The file format is the one shown in this example (columns are tab separated). In this example, flows sent by NeFflow probe active at IP address 192.168.1.1 are collected by nProbe and exported (e.g. via ZMQ to ntopng or to a remote collector via -n) as if they were sent by host 192.168.1.1: only flows from Netflow interfaceId 1,2,3,4 are handled, all other interfaces are discarded. For collecting all interfaces and just reforginf the probe IP address use * in the interface list. Probes not listed in the file are handled as-is without any reforging or template filtering.

# CollectorIP   ReforgedIP      ListOfAllowedInterfaces
# Example:
127.0.0.1       10.0.24.25      12
192.168.1.1     192.168.1.1     1,2,3,4

--tunnel

Let the probe decode tunneled traffic (e.g. GTP or GRE traffic) and thus extract traffic information from such traffic rather than from the external envelope.

--no-promisc

With this option nProbe does not use promiscuous mode to capture packets.

--smart-udp-frags:

Ignore UDP fragmented packets with fragment offset greater than zero, and compute the fragmented packet length on the initial fragment header. This flag might lead to inaccuracy in measurement but it speeds us operations with fragmented traffic.

--ipsec-auth-data-len

Length of the authentication data of IPSec in tunnel mode. If not set, IPSec will not be decoded but just accounted.

--dump-stats:  dump some flow statistics on file

Periodically dump NetFlow statistics on the specified file. Note that when using nProbe over PF_RING, nProbe dumps statistics on /proc/net/pf_ring/stats/<nprobe stats file>.

--black-list

With this option you can specify a list of networks or hosts from which all the incoming packets will be discarded by the probe. The accepted notation can be CIDR format or the classical network/netmask format.

--pcap-file-list <file>

The specified file path contains a list of pcap files to be read in sequence by nProbe. Use this option when you want nProbe to read a list of pcap files (e.g. when generated using tcpdump).

--biflows-export-policy <policy>

Bi-directional flows are such when there is traffic in both direction of the flow (i.e. source->dest and dest->source). As mono-directional flows might indicate suspicious activities, this flag is used to determine the export policy:

  • 0: Export all know (i.e. mono and bi-directional flows)

  • 1: Export only bi-directional flows, discarding mono-directional flows.

  • 2: Export only mono-directional flows, discarding bi-directional flows.

--csv-separator <separator>

Override the default ‘|’ separator in dumps with the specified one.

--dont-drop-privileges

Do not drop root privileges to user ‘nobody’ when this option is specified. See al –unprivileged-user later int this manual.

--account-l2

NetFlow accounts IP traffic only, not counting layer 2 headers. Using this option the layer 2 headers are also accounted in flow traffic statistics.

--dump-metadata <file>

Dump metadata information into the specified file and quit. This option is useful when users want to know the type of each information element exported by nProbe so that (for instance) they can properly import into a database.

--ntopng <option>

You can use this option to instruct nProbe to send data towards ntopng using ZMQ (available on all platforms) or Kafka (available on selected platforms). When ZMQ is used you can specy --ntopng zmq://<socket>:<port> to deliver flows to ntopng connected to the specified ZMQ endpoint (see also the old option --zmq). When more than one endpoint is defined, a hash function is used to evenly balance the flows among them. Example: --ntopng zmq://*:5556 or --ntopng zmq://127.0.0.1:1234

When Kafka is used the syntax is --ntopng kafka://<brokers> so that you can deliver flows to ntopng connected to the specified Kafka broker in plaintext. Instead you can use --ntopng kafka-ssl://<brokers> to deliver data in TLS/SSL. Kafka brokers are comma separated (if more than one is defined). Examples: --ntopng kafka://192.168.1.2 or --ntopng kafka-ssl://192.168.1.2,172.16.24.12.

--zmq <socket>

Specify a socket (e.g., tcp://*:5556) that will be used to deliver flows to subscribers polling the socket. Up to 8 ZMQ endpoints can be specified by repeating the –zmq. When more than one endpoint is specified, nProbe uses an hash function to evenly balance flows among all the defined endpoints. Please note that this option is an alias for --ntopng and it might be removed in future versions. Example:

./nprobe -i eth0 -n none --zmq tcp://\*:5556 --zmq tcp://\*:5557
./ntopng -i tcp://127.0.0.1:5556 -i tcp://127.0.0.1:5557 -i view: tcp://127.0.0.1:5556, tcp://127.0.0.1:5557

--zmq-probe-mode

By default, nProbe act as a ZMQ server that delivers flows to subscribers. Using this switch, its role is reverted. This is typically used in conjunction with ntopng run in collector mode. For a thorough description refer to the section “Using nProbe with ntopng”.

--tcp <server:port>

Delivers flows in JSON format via TCP to the specified pair server:port.

--event-log <file>

Dump relevant activities (e.g. nProbe start/stop or packet drop) onto the specified file.

--enable-throughput-stats

When -P is used, with this option is also possible to generate throughput information. The file has the following format: <epoch> <bytes> <packets>. Each line is printed every second and it contains the number of bytes and packets observed within minute.

--disable-upscale

Ignore sFlow/NetFlow/IPFIX sampling rate (1:1 is used)and thus collected traffic is not upscaled

--ndpi-proto-ports <file>

Read the nDPI custom protocol and ports configuration from the specified file. Please refer to the nDPI manual for further information about the format of this file.

--disable-l7-protocol-guess

When nDPI is unable to detect a protocol, nProbe uses the port information to guess the protocol. This flag prevents nProbe from doing that, so protocols are detected only by nDPI without relying on default ports.

--db-engine <database engine>

In case flows are dumped on a MySQL database (see later on this manual) the default database engine used by nProbe is MyISAM. With this option you can use another engine (e.g. InnoDB).

--unprivileged-user <name>

When nprobe drops privileges (unless –dont-drop-privileges is used) the user nobody is used. It is possible to use another user by using this option.

--enable-collection-cache

nProbe implements a flow cache for merging packets belonging to the same flow. In flow collection the flow cache is disabled. This option enables the flow collection cache as when nProbe operates in packet capture mode. Note that this option is available only in collector/proxy mode (i.e. use -i none).

--collector-passthrough

When you want to use nProbe as a flow proxy/collector (towards ntopng for instance) and have a 1:1 mapping between collected/exported flows this is the options to use. This because it allows you to collect flows at high speed with limited CPU usage. Note that this option is useless when –disable-cache is used.

--redis <host>[:<port>]

The redis database (when nProbe is compiled with it) is used to implement a data cache and for aggregating flow information. This option specifies the host (and optionally the port) where redis is listening. nProbe opens several connections to redis (not just one) in order to maximize performance.

--ucloud

This option enables the micro-cloud concept. Please refer to http://www.ntop.org/nprobe/monitoring-on-the-microcloud/ for more information.

--check-license

Checks if the configured license is valid (for binary nProbe’s only).

--disable-startup-checks

During startup nProbe obtains both the management interface IP address and its public IP address. The management interface IP address is the address of the physically-attached interface that carries nProbe network traffic. The public IP address is the address of the management interface as it is seen from the internet. Obtaining the public IP address triggers a request to http://checkip.dyndns.org.

--dump-plugin-families

Dump installed plugin family names.

--minute-expire

Force nProbe to export active flows when a minute elapses. This is useful if you want (e.g. using -P) to have fresh flows every minute and all ending at X minutes, 0 seconds.

As some people prefer to have a configuration file containing the options that otherwise would be specified on the command line, it is also possible to start nProbe as follows:

nprobe <configuration file path>

where the configuration file contains the same options otherwise specified on the command line. The only difference between the command line and the configuration file is that different options need to be specified on different lines. For instance:

nprobe --n 127.0.0.1:2055 -i en0 -a -p

is the same as:

nprobe /etc/nprobe.conf

where /etc/nprobe.conf contains the following lines:

# cat /etc/nprobe.conf

-n=127.0.0.1:2055
-i=en0
-a=
-p=

Note that flags with no parameter associated (e.g. –a) also need to have ‘=’ specified. Any standard NetFlow collector (e.g. ntop) can be used to analyze the flows generated by nProbe. When used with ntop, the nProbe can act as a remote and light traffic collector and ntop as a central network monitoring console. See chapter 3 for further information about this topic

Note on interface indexes and (router) MAC/IP addresses

Flags -u and -Q are used to specify the SNMP interface identifiers for emitted flows. However using –if-networks it is possible to specify an interface identifier to which a MAC address or IP network is bound. The syntax of –if-networks is:

<MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,).

Example: –if-networks “AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2” or –if-networks @<filename> where <filename> is a file path containing the networks specified using the above format.

Further plugin available command line options

HTTP Protocol

--http-dump-dir <dump dir>

Directory where HTTP logs will be dumped

--http-content-dump-dir <dump dir>

Directory where HTTP content (request only) will be dumped

--http-content-dump-response

Dump both HTTP request and response with –http-content-dump-dir

--http-exec-cmd <cmd>

Command executed whenever a directory has been dumped

--dont-hash-cookies

Dump cookie string instead of cookie hash

--http-verbose-level <level>

0 - Relevant info, 1 - Very verbose (default: 1)

--http-ports

List of ports used for http protocol (default: 80)

--proxy-ports

List of ports used for proxy protocol (default: 3128, 8080)

--http-parse-geolocation

Dump geolocation info if explicitly present inside mobile app protocol (e.g., “Nimbuzz”)

DNS/LLMNR Protocol

--dns-dump-dir <dump dir>

Directory where DNS logs will be dumped

SIP Plugin

--sip-dump-dir <dump dir>

Directory where SIP logs will be dumped

--sip-exec-cmd <cmd>

Command executed whenever a directory has been dumped

You can use @SIP@ in -T as shortcut for %SIP_CALL_ID %SIP_UAC %SIP_UAS %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_IPV4_SRC_ADDR %SIP_RTP_L4_SRC_PORT %SIP_RTP_IPV4_DST_ADDR %SIP_RTP_L4_DST_PORT %SIP_RESPONSE_CODE %SIP_REASON_CAUSE %SIP_CALL_STATE %SIP_RTP_CODECS

RTP Plugin

--rtp-discard-late-pkts <msec>

Discard from stats RTP packets whose inter-arrival is greater than the specified latency.

You can use @RTP@ in -T as shortcut for %RTP_SIP_CALL_ID %RTP_RTT %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_IN_PKT_DROP %RTP_OUT_PKT_DROP %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA %RTP_IN_PAYLOAD_TYPE %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MOS %RTP_OUT_MOS %RTP_IN_R_FACTOR %RTP_OUT_R_FACTOR

FTP Protocol

--ftp-dump-dir <dump dir>

Directory where FTP logs will be dumped

--ftp-exec-cmd <cmd>

Command executed whenever a directory has been dumped

SMTP Protocol

--smtp-dump-dir <dump dir>

Directory where SMTP logs will be dumped

--smtp-exec-cmd <cmd>

Command executed whenever a directory has been dumped

Netflow-Lite Plugin

--nflite <flow listen port low>[:<num ports>]>

Specify NetFlow-Lite listen port(s) (max 32)

GTPv0 Signaling Protocol

--gtpv0-dump-dir <dump dir>

Directory where GTP logs will be dumped

--gtpv0-exec-cmd <cmd>

Command executed whenever a directory has been dumped

GTPv1 Signaling Protocol

--gtpv1-dump-dir <dump dir>

Directory where GTP logs will be dumped

--gtpv1-exec-cmd <cmd>

Command executed whenever a directory has been dumped

--gtpv1-account-imsi

Enable IMSI aggregation on GTPv1 signalling

--gtpv1-track-non-gtp-u-traffic

Enable tracking of user traffic non GTP-U encapsulated triggered by GTP-U signalling (requires –ucloud)

GTPv2 Signaling Protocol

--gtpv2-dump-dir <dump dir>

Directory where GTP logs will be dumped

--gtpv2-exec-cmd <cmd>

Command executed whenever a directory has been dumped

--gtpv2-account-imsi

Enable GTPv2 traffic accounting

--gtpv2-track-non-gtp-u-traffic

Enable tracking of user traffic non GTP-U encapsulated triggered by GTP-U signalling (requires –ucloud)

Radius Protocol

--radius-dump-dir <dump dir>

Directory where Radius logs will be dumped

--radius-exec-cmd <cmd>

Command executed whenever a directory has been dumped

Modbus Plugin

--modbus-dump-dir <dump dir>

Directory where modbus logs will be dumped

--modbus-exec-cmd <cmd>

Command executed whenever a directory has been dumped

--modbus-idle-timeout <duration>

Modbus idle flow timeout set to 120 seconds

Diameter Protocol

--diameter-dump-dir <dump dir>

Directory where Diameter logs will be dumped

--diameter-exec-cmd <cmd>

Command executed whenever a directory has been dumped

NETBIOS Protocol

--netbios-dump-dir <dump dir>

Directory where NETBIOS logs will be dumped

SSDP Protocol

--ssdp-dump-dir <dump dir>

Directory where SSDP logs will be dumped

DHCP Protocol

--dhcp-dump-dir <dump dir>

Directory where DHCP logs will be dumped

--dhcp-exec-cmd <cmd>

Command executed whenever a directory has been dumped

IMAP Protocol

--imap-dump-dir <dump dir>

Directory where IMAP logs will be dumped

--imap-exec-cmd <cmd>

Command executed whenever a directory has been dumped

--imap-peek-headers

Dump both emails body and headers (default: body only)

POP3 Protocol

--pop-dump-dir <dump dir>

Directory where POP3 logs will be dumped

--pop-exec-cmd <cmd>

Command executed whenever a directory has been dumped

Export Plugin

--elastic <format>

Enable export to ElasticSearch

Format: <index type>;<index name>;<es URL>;<es user>:<es pwd> Note: <es user> and <es pwd> can be directly specified in the <es URL> Note: the <index name> accepts the format supported by strftime(). Examples:

--elastic "flows;nprobe-%Y.%m.%d;http://localhost:9200/_bulk" --elastic "flows;nprobe-%Y.%m.%d;http://elastic:3last1cpassw0rd@localhost:9200/_bulk" --elastic "flows;nprobe-%Y.%m.%d;http://localhost:9200/_bulk;elastic:3last1cpassw0rd" --kafka <brokers>;<topic>;[<opt topic>;<ack>;<comp>]

Send flows to Apache Kafka brokers obtained by metadata information <host1>[:<port1>],<host2>[:<port2>]… Initial brokers list used to receive metadata information. Note that you can specify multiple --kafka options and exported data will be sent to all configured brokers.

<flow topic>    Flow topic <opt topic>     Flow options topic <0|1|-1>        0 = Don't wait for ack, 1 = Leader ack is enough, 2 = All replica must ack

<compression> Compression type: none, gzip, snappy

Note: <opt topic> is only used when collecting NetFlow to export option template records. Option template records are just exported as-is, and must be configured with option –load-custom-fields. To disable option template records export it is safe to specify none as value for <opt topic>.

Example:

--kafka localhost;flowsTopic;optionsTopic --kafka-conf [<prop=value>|list]

Set arbitrary librdkafka configuration property. Properties prefixed with “topic.” are set to the topic. Pass “list” to print all the available properties. Multiple properties can be set by repeating this option. Examples:

--kafka-conf batch.num.messages=1000 --kafka-conf debug=msg --kafka-conf queue.buffering.max.ms=100 --kafka-conf topic.auto.commit.interval.ms=200 --kafka-conf list

--kafka-add-timestamp

Add @timestamp field in ISO-8601 format

--mysql=<host[@port]|unix socket>:<dbname>:<prefix>:<user>:<pw> Enable MySQL database support configuration

--mysql-skip-db-creation Skip database schema creation (it is automatically created by –mysql unless this option is used).

--clickhouse=<host[@port]>:<dbname>:<prefix>:<user>:<pw> Dump flows into Clickhouse (Enterprise M/L only)

Custom Fields

--custom-fields <fields>

Comma-separated list of custom fields in the format <key>=<value> where value is a literal string/number (or a function) Example:

--custom-fields "NAME=ntop,YEAR=2019"

NetFlow v9/IPFIX format [-T]

The following options can be used to specify the format:

 ID          NetFlow Label               IPFIX Label                 Description
---------------------------------------------------------------------------------
[  1][Len 4] %IN_BYTES                   %octetDeltaCount               Incoming flow bytes (src->dst) [Aliased to %SRC_TO_DST_BYTES]
[  2][Len 4] %IN_PKTS                    %packetDeltaCount              Incoming flow packets (src->dst) [Aliased to %SRC_TO_DST_PKTS]
[  4][Len 1] %PROTOCOL                   %protocolIdentifier            IP protocol byte
[NFv9 58500][IPFIX 35632.1028][Len 16] %PROTOCOL_MAP                    IP protocol name
[  5][Len 1] %SRC_TOS                    %ipClassOfService              TOS/DSCP (src->dst)
[  6][Len 1] %TCP_FLAGS                  %tcpControlBits                Cumulative of all flow TCP flags
[  7][Len 2] %L4_SRC_PORT                %sourceTransportPort           IPv4 source port
[NFv9 58503][IPFIX 35632.1031][Len 16] %L4_SRC_PORT_MAP                 Layer 4 source port symbolic name
[  8][Len 4] %IPV4_SRC_ADDR              %sourceIPv4Address             IPv4 source address
[  9][Len 1] %IPV4_SRC_MASK              %sourceIPv4PrefixLength        IPv4 source subnet mask (/<bits>)
[ 10][Len 4] %INPUT_SNMP                 %ingressInterface              Input interface SNMP idx
[ 11][Len 2] %L4_DST_PORT                %destinationTransportPort      IPv4 destination port
[NFv9 58507][IPFIX 35632.1035][Len 16] %L4_DST_PORT_MAP                 Layer 4 destination port symbolic name
[NFv9 58508][IPFIX 35632.1036][Len 2] %L4_SRV_PORT                      Layer 4 server port
[NFv9 58509][IPFIX 35632.1037][Len 16] %L4_SRV_PORT_MAP                 Layer 4 server port symbolic name
[ 12][Len 4] %IPV4_DST_ADDR              %destinationIPv4Address        IPv4 destination address
[ 13][Len 1] %IPV4_DST_MASK              %destinationIPv4PrefixLength   IPv4 dest subnet mask (/<bits>)
[ 14][Len 4] %OUTPUT_SNMP                %egressInterface               Output interface SNMP idx
[ 15][Len 4] %IPV4_NEXT_HOP              %ipNextHopIPv4Address          IPv4 next hop address
[ 16][Len 4] %SRC_AS                     %bgpSourceAsNumber             Source BGP AS
[ 17][Len 4] %DST_AS                     %bgpDestinationAsNumber        Destination BGP AS
[129][Len 4] %BGP_PREV_ADJACENT_ASN      %bgpNextAdjacentAsNumber       Source BGP Prev AS
[128][Len 4] %BGP_NEXT_ADJACENT_ASN      %bgpPrevAdjacentAsNumber       Destination BGP Next AS
[ 18][Len 4] %IPV4_BGP_NEXT_HOP          %bgpNexthopIPv4Address
[ 21][Len 4] %LAST_SWITCHED              %flowEndSysUpTime              SysUptime (msec) of the last flow pkt
[ 22][Len 4] %FIRST_SWITCHED             %flowStartSysUpTime            SysUptime (msec) of the first flow pkt
[ 23][Len 4] %OUT_BYTES                  %postOctetDeltaCount           Outgoing flow bytes (dst->src) [Aliased to %DST_TO_SRC_BYTES]
[ 24][Len 4] %OUT_PKTS                   %postPacketDeltaCount          Outgoing flow packets (dst->src) [Aliased to %DST_TO_SRC_PKTS]
[ 25][Len 2] %MIN_IP_PKT_LEN             %minimumIpTotalLength          Len of the smallest flow IP packet observed
[ 26][Len 2] %MAX_IP_PKT_LEN             %maximumIpTotalLength          Len of the largest flow IP packet observed
[ 27][Len 16] %IPV6_SRC_ADDR              %sourceIPv6Address            IPv6 source address
[ 28][Len 16] %IPV6_DST_ADDR              %destinationIPv6Address       IPv6 destination address
[ 29][Len 1] %IPV6_SRC_MASK              %sourceIPv6PrefixLength        IPv6 source mask
[ 30][Len 1] %IPV6_DST_MASK              %destinationIPv6PrefixLength   IPv6 destination mask
[ 32][Len 2] %ICMP_TYPE                  %icmpTypeCodeIPv4              ICMP Type * 256 + ICMP code
[ 34][Len 4] %SAMPLING_INTERVAL                                         Sampling rate
[ 35][Len 1] %SAMPLING_ALGORITHM                                        Sampling type (deterministic/random)
[ 36][Len 2] %FLOW_ACTIVE_TIMEOUT        %flowActiveTimeout             Activity timeout of flow cache entries
[ 37][Len 2] %FLOW_INACTIVE_TIMEOUT      %flowIdleTimeout               Inactivity timeout of flow cache entries
[ 38][Len 1] %ENGINE_TYPE                                               Flow switching engine
[ 39][Len 1] %ENGINE_ID                                                 Id of the flow switching engine
[ 40][Len 4] %TOTAL_BYTES_EXP            %exportedOctetTotalCount       Total bytes exported
[ 41][Len 4] %TOTAL_PKTS_EXP             %exportedMessageTotalCount     Total flow packets exported
[ 42][Len 4] %TOTAL_FLOWS_EXP            %exportedFlowRecordTotalCount  Total number of exported flows
[ 52][Len 1] %MIN_TTL                    %minimumTTL                    Min flow TTL
[ 53][Len 1] %MAX_TTL                    %maximumTTL                    Max flow TTL
[ 55][Len 1] %DST_TOS                    %ipClassOfService              TOS/DSCP (dst->src)
[ 58][Len 2] %SRC_VLAN                   %vlanId                        Source VLAN (inner VLAN in QinQ)
[ 59][Len 2] %DST_VLAN                   %postVlanId                    Destination VLAN (inner VLAN in QinQ)
[ 56][Len 6] %IN_SRC_MAC                 %sourceMacAddress              Source MAC Address
[ 57][Len 6] %OUT_DST_MAC                %postDestinationMacAddress     Post Destination MAC Address
[ 80][Len 6] %IN_DST_MAC                 %destinationMacAddress         Destination MAC Address
[ 81][Len 6] %OUT_SRC_MAC                %postSourceMacAddress          Post Source MAC Address
[ 82][Len 8] %INTERFACE_NAME             %interfaceName                 Interface you are capturing from (-i)
[ 85][Len 8] %OCTET_TOTAL                %octetTotalCount               Total flow bytes [Aliased to %OCTETS_TOTAL]
[ 86][Len 8] %PACKET_TOTAL               %packetTotalCount              Total flow packets [Aliased to %PACKETS_TOTAL]
[ 89][Len 1] %FORWARDING_STATUS          %forwardingStatus              Forwarding status of the flow
[243][Len 2] %DOT1Q_SRC_VLAN             %dot1qVlanId                   Source VLAN (outer VLAN in QinQ)
[254][Len 2] %DOT1Q_DST_VLAN             %postdot1qVlanId               Destination VLAN (outer VLAN in QinQ)
[ 60][Len 1] %IP_PROTOCOL_VERSION        %ipVersion                     [4=IPv4][6=IPv6]
[ 61][Len 1] %DIRECTION                  %flowDirection                 Flow direction [0=RX, 1=TX]
[ 62][Len 16] %IPV6_NEXT_HOP              %ipNextHopIPv6Address         IPv6 next hop address
[ 70][Len 3] %MPLS_LABEL_1               %mplsTopLabelStackSection      MPLS label at position 1
[ 71][Len 3] %MPLS_LABEL_2               %mplsLabelStackSection2        MPLS label at position 2
[ 72][Len 3] %MPLS_LABEL_3               %mplsLabelStackSection3        MPLS label at position 3
[ 73][Len 3] %MPLS_LABEL_4               %mplsLabelStackSection4        MPLS label at position 4
[ 74][Len 3] %MPLS_LABEL_5               %mplsLabelStackSection5        MPLS label at position 5
[ 75][Len 3] %MPLS_LABEL_6               %mplsLabelStackSection6        MPLS label at position 6
[ 76][Len 3] %MPLS_LABEL_7               %mplsLabelStackSection7        MPLS label at position 7
[ 77][Len 3] %MPLS_LABEL_8               %mplsLabelStackSection8        MPLS label at position 8
[ 78][Len 3] %MPLS_LABEL_9               %mplsLabelStackSection9        MPLS label at position 9
[ 79][Len 3] %MPLS_LABEL_10              %mplsLabelStackSection10       MPLS label at position 10
[ 95][Len 4] %APPLICATION_ID             %application_id                Application Id
[ 96][Len 16] %APPLICATION_NAME                                         Application Name
[136][Len 1] %FLOW_END_REASON            %flowEndReason                 The reason for flow termination.
[58051][Len 1] %FLOW_SOURCE                                             0=Packets, 1=NetFlow/IPFIX, 2=sFlow
[57640][Len 4] %SRC_PROC_PID                                            Flow source proc PID
[57641][Len 16] %SRC_PROC_NAME                                          Flow source proc name
[57897][Len 4] %SRC_PROC_UID                                            Flow source proc userId
[57844][Len 16] %SRC_PROC_USER_NAME                                     Flow source proc user name
[58012][Len 16] %SRC_PROC_PKG_NAME                                      Flow source proc package name
[58028][Len 32] %SRC_PROC_CMDLINE                                       Flow source proc cmdline args
[58030][Len 16] %SRC_PROC_CONTAINER_ID                                  Flow source proc containerId
[57846][Len 16] %SRC_FATHER_PROC_NAME                                   Flow src father proc name
[58036][Len 4] %SRC_FATHER_PROC_UID                                     Flow src father proc UID
[57845][Len 4] %SRC_FATHER_PROC_PID                                     Flow source father proc PID
[58037][Len 16] %SRC_FATHER_PROC_USER_NAME                              Flow src father proc UID name
[58033][Len 16] %SRC_FATHER_PROC_PKG_NAME                               Flow src father proc package name
[57847][Len 4] %DST_PROC_PID                                            Flow dest proc PID
[57848][Len 16] %DST_PROC_NAME                                          Flow dest proc name
[57898][Len 4] %DST_PROC_UID                                            Flow dest proc userId
[57849][Len 16] %DST_PROC_USER_NAME                                     Flow dest proc user name
[58013][Len 16] %DST_PROC_PKG_NAME                                      Flow dest proc package name
[58029][Len 32] %DST_PROC_CMDLINE                                       Flow dest proc cmdline args
[58031][Len 16] %DST_PROC_CONTAINER_ID                                  Flow dest proc containerId
[57850][Len 4] %DST_FATHER_PROC_PID                                     Flow dest father proc PID
[57851][Len 16] %DST_FATHER_PROC_NAME                                   Flow dest father proc name
[58039][Len 4] %DST_FATHER_PROC_UID                                     Flow dst father proc UID
[58040][Len 16] %DST_FATHER_PROC_USER_NAME                              Flow dst father proc UID name
[58035][Len 16] %DST_FATHER_PROC_PKG_NAME                               Flow dst father proc package name
[102][Len 2] %PACKET_SECTION_OFFSET                                     Packet section offset
[103][Len 2] %SAMPLED_PACKET_SIZE                                       Sampled packet size
[104][Len 2] %SAMPLED_PACKET_ID                                         Sampled packet id
[130][Len 4] %EXPORTER_IPV4_ADDRESS      %exporterIPv4Address           Flow exporter IPv4 Address
[131][Len 16] %EXPORTER_IPV6_ADDRESS      %exporterIPv6Address          Flow exporter IPv6 Address
[148][Len 4] %FLOW_ID                    %flowId                        Serial Flow Identifier
[150][Len 4] %FLOW_START_SEC             %flowStartSeconds              Seconds (epoch) of the first flow packet
[151][Len 4] %FLOW_END_SEC               %flowEndSeconds                Seconds (epoch) of the last flow packet
[152][Len 8] %FLOW_START_MILLISECONDS    %flowStartMilliseconds         Msec (epoch) of the first flow packet
[154][Len 8] %FLOW_START_MICROSECONDS    %flowStartMicroseconds         uSec (epoch) of the first flow packet
[153][Len 8] %FLOW_END_MILLISECONDS      %flowEndMilliseconds           Msec (epoch) of the last flow packet
[155][Len 8] %FLOW_END_MICROSECONDS      %flowEndMicroseconds           uSec (epoch) of the last flow packet
[239][Len 1] %BIFLOW_DIRECTION           %biflow_direction              1=initiator, 2=reverseInitiator
[225][Len 4] %POST_NAT_SRC_IPV4_ADDR     %postNatSourceIPv4Address      Post Nat Source IPv4 Address
[226][Len 4] %POST_NAT_DST_IPV4_ADDR     %postNatDestinationIPv4Address Post Nat Destination IPv4 Address
[227][Len 2] %POST_NAPT_SRC_TRANSPORT_PORT %postNaptSourceTransportPort Post Napt Source Transport Port
[228][Len 2] %POST_NAPT_DST_TRANSPORT_PORT %postNaptDestinationTransportPort    Post Napt Destination Transport Port
[229][Len 1] %NAT_ORIGINATING_ADDRESS_REALM %natOriginatingAddressRealm Nat Originating Address Realm
[230][Len 1] %NAT_EVENT                  %natEvent                      Nat Event
[233][Len 1] %FIREWALL_EVENT             %firewallEvent                 Flow events 0=ignore, 1=created, 2=deleted, 3=denied, 4=alert, 5=update
[161][Len 4] %FLOW_DURATION_MILLISECONDS %flowDurationMilliseconds      Flow duration (msec)
[162][Len 4] %FLOW_DURATION_MICROSECONDS %flowDurationMicroseconds      Flow duration (usec)
[176][Len 1] %ICMP_IPV4_TYPE             %icmpTypeIPv4                  ICMP Type
[177][Len 1] %ICMP_IPV4_CODE             %icmpCodeIPv4                  ICMP Code
[277][Len 2] %OBSERVATION_POINT_TYPE                                    Observation point type
[300][Len 2] %OBSERVATION_POINT_ID                                      Observation point id
[302][Len 2] %SELECTOR_ID                                               Selector id
[304][Len 2] %IPFIX_SAMPLING_ALGORITHM                                  Sampling algorithm
[309][Len 2] %SAMPLING_SIZE                                             Number of packets to sample
[310][Len 2] %SAMPLING_POPULATION                                       Sampling population
[312][Len 2] %FRAME_LENGTH                                              Original L2 frame length
[318][Len 2] %PACKETS_OBSERVED                                          Tot number of packets seen
[319][Len 2] %PACKETS_SELECTED                                          Number of pkts selected for sampling
[234][Len 4] %INGRESS_VRFID              %ingressVRFID                  Ingress VRF ID
[235][Len 4] %EGRESS_VRFID               %egressVRFID                   Egress VRF ID
[335][Len 2] %SELECTOR_NAME                                             Sampler name
[361][Len 2] %PORT_RANGE_START           %portRangeStart                NAT port range start
[362][Len 2] %PORT_RANGE_END             %portRangeEnd                  NAT port range end
[NFv9 57552][IPFIX 35632.80][Len 2] %SRC_FRAGMENTS              Num fragmented packets src->dst
[NFv9 57553][IPFIX 35632.81][Len 2] %DST_FRAGMENTS              Num fragmented packets dst->src
[NFv9 57595][IPFIX 35632.123][Len 4] %CLIENT_NW_LATENCY_MS              Network TCP 3WH RTT/2 client <-> nprobe (msec)
[NFv9 57596][IPFIX 35632.124][Len 4] %SERVER_NW_LATENCY_MS              Network TCP 3WH RTT/2 nprobe <-> server (msec)
[NFv9 57550][IPFIX 35632.78][Len 1] %CLIENT_TCP_FLAGS           Cumulative of all client TCP flags
[NFv9 57551][IPFIX 35632.79][Len 1] %SERVER_TCP_FLAGS           Cumulative of all server TCP flags
[NFv9 57597][IPFIX 35632.125][Len 4] %APPL_LATENCY_MS                   Application latency (msec), a.k.a. server response time
[NFv9 57943][IPFIX 35632.471][Len 4] %NPROBE_IPV4_ADDRESS               IPv4 address of the host were nProbe runs
[NFv9 57554][IPFIX 35632.82][Len 4] %SRC_TO_DST_MAX_THROUGHPUT  Src to dst max thpt (bps)
[NFv9 57555][IPFIX 35632.83][Len 4] %SRC_TO_DST_MIN_THROUGHPUT  Src to dst min thpt (bps)
[NFv9 57556][IPFIX 35632.84][Len 4] %SRC_TO_DST_AVG_THROUGHPUT  Src to dst average thpt (bps)
[NFv9 57557][IPFIX 35632.85][Len 4] %DST_TO_SRC_MAX_THROUGHPUT  Dst to src max thpt (bps)
[NFv9 57558][IPFIX 35632.86][Len 4] %DST_TO_SRC_MIN_THROUGHPUT  Dst to src min thpt (bps)
[NFv9 57559][IPFIX 35632.87][Len 4] %DST_TO_SRC_AVG_THROUGHPUT  Dst to src average thpt (bps)
[NFv9 57995][IPFIX 35632.523][Len 4] %SRC_TO_DST_MAX_EST_THROUGHPUT     Src to dst max estimated TCP thpt (bps)
[NFv9 57996][IPFIX 35632.524][Len 4] %DST_TO_SRC_MAX_EST_THROUGHPUT     Dst to src max estimated TCP thpt (bps)
[NFv9 57560][IPFIX 35632.88][Len 4] %NUM_PKTS_UP_TO_128_BYTES   # packets whose IP size <= 128
[NFv9 57561][IPFIX 35632.89][Len 4] %NUM_PKTS_128_TO_256_BYTES  # packets whose IP size > 128 and <= 256
[NFv9 57562][IPFIX 35632.90][Len 4] %NUM_PKTS_256_TO_512_BYTES  # packets whose IP size > 256 and < 512
[NFv9 57563][IPFIX 35632.91][Len 4] %NUM_PKTS_512_TO_1024_BYTES # packets whose IP size > 512 and < 1024
[NFv9 57564][IPFIX 35632.92][Len 4] %NUM_PKTS_1024_TO_1514_BYTES        # packets whose IP size > 1024 and <= 1514
[NFv9 57565][IPFIX 35632.93][Len 4] %NUM_PKTS_OVER_1514_BYTES   # packets whose IP size > 1514
[NFv9 57570][IPFIX 35632.98][Len 4] %CUMULATIVE_ICMP_TYPE       Cumulative OR of ICMP type packets
[NFv9 57573][IPFIX 35632.101][Len 2] %SRC_IP_COUNTRY                    Country where the src IP is located
[NFv9 57574][IPFIX 35632.102][Len 16] %SRC_IP_CITY                      City where the src IP is located
[NFv9 57575][IPFIX 35632.103][Len 2] %DST_IP_COUNTRY                    Country where the dst IP is located
[NFv9 57576][IPFIX 35632.104][Len 16] %DST_IP_CITY                      City where the dst IP is located
[NFv9 57920][IPFIX 35632.448][Len 16] %SRC_IP_LONG                      Longitude where the src IP is located
[NFv9 57921][IPFIX 35632.449][Len 16] %SRC_IP_LAT                       Latitude where the src IP is located
[NFv9 57922][IPFIX 35632.450][Len 16] %DST_IP_LONG                      Longitude where the dst IP is located
[NFv9 57923][IPFIX 35632.451][Len 16] %DST_IP_LAT                       Latitude where the dst IP is located
[NFv9 57577][IPFIX 35632.105][Len 2] %FLOW_PROTO_PORT                   L7 port that identifies the flow protocol or 0 if unknown
[NFv9 57578][IPFIX 35632.106][Len 4] %UPSTREAM_TUNNEL_ID                Upstream tunnel identifier (e.g. GTP TEID, VXLAN VNI) or 0 if unknown
[NFv9 57918][IPFIX 35632.446][Len 2] %UPSTREAM_SESSION_ID               Upstream session identifier (e.g. L2TP) or 0 if unknown
[NFv9 57579][IPFIX 35632.107][Len 2] %LONGEST_FLOW_PKT                  Longest packet (bytes) of the flow
[NFv9 57580][IPFIX 35632.108][Len 2] %SHORTEST_FLOW_PKT                 Shortest packet (bytes) of the flow
[NFv9 57599][IPFIX 35632.127][Len 4] %RETRANSMITTED_IN_BYTES            Number of retransmitted TCP flow bytes (src->dst)
[NFv9 57581][IPFIX 35632.109][Len 4] %RETRANSMITTED_IN_PKTS             Number of retransmitted TCP flow packets (src->dst)
[NFv9 57600][IPFIX 35632.128][Len 4] %RETRANSMITTED_OUT_BYTES           Number of retransmitted TCP flow bytes (dst->src)
[NFv9 57582][IPFIX 35632.110][Len 4] %RETRANSMITTED_OUT_PKTS            Number of retransmitted TCP flow packets (dst->src)
[NFv9 57583][IPFIX 35632.111][Len 4] %OOORDER_IN_PKTS                   Number of out of order TCP flow packets (src->dst)
[NFv9 57584][IPFIX 35632.112][Len 4] %OOORDER_OUT_PKTS                  Number of out of order TCP flow packets (dst->src)
[NFv9 57585][IPFIX 35632.113][Len 1] %UNTUNNELED_PROTOCOL               Untunneled IP protocol byte
[NFv9 57586][IPFIX 35632.114][Len 4] %UNTUNNELED_IPV4_SRC_ADDR          Untunneled IPv4 source address
[NFv9 57587][IPFIX 35632.115][Len 2] %UNTUNNELED_L4_SRC_PORT            Untunneled IPv4 source port
[NFv9 57588][IPFIX 35632.116][Len 4] %UNTUNNELED_IPV4_DST_ADDR          Untunneled IPv4 destination address
[NFv9 57589][IPFIX 35632.117][Len 2] %UNTUNNELED_L4_DST_PORT            Untunneled IPv4 destination port
[NFv9 57590][IPFIX 35632.118][Len 2] %L7_PROTO                          Layer 7 Protocol (numeric)
[NFv9 58032][IPFIX 35632.560][Len 1] %L7_CONFIDENCE                     nDPI confidence
[NFv9 58045][IPFIX 35632.573][Len 4] %FLOW_EXPORT_TIME                  Epoch of flow export
[NFv9 57591][IPFIX 35632.119][Len 16 varlen] %L7_PROTO_NAME             Layer 7 Protocol Name [Aliased to %APPLICATION_NAME]
[NFv9 58046][IPFIX 35632.574][Len 1] %FLOW_CONTENT_TYPE                 Flow content (0=unk, 1=audio, 2=video...)
[NFv9 57973][IPFIX 35632.501][Len 16 varlen] %L7_PROTO_CATEGORY         Layer 7 Protocol Category
[NFv9 58011][IPFIX 35632.539][Len 24 varlen] %L7_INFO                   Layer 7 Flow Information
[NFv9 58063][IPFIX 35632.591][Len 24 varlen] %L7_DOMAIN_INFO            Layer 7 Flow domain Information
[NFv9 57592][IPFIX 35632.120][Len 4] %DOWNSTREAM_TUNNEL_ID              Downstream tunnel identifier (e.g. GTP TEID, VXLAN VNI) or 0 if unknown
[NFv9 57919][IPFIX 35632.447][Len 2] %DOWNSTREAM_SESSION_ID             Downstream session identifier (e.g. L2TP) or 0 if unknown
[NFv9 57660][IPFIX 35632.188][Len 48 varlen] %TLS_SERVER_NAME           TLS server name
[NFv9 57661][IPFIX 35632.189][Len 40 varlen] %BITTORRENT_HASH           BITTORRENT hash
[NFv9 57593][IPFIX 35632.121][Len 32 varlen] %FLOW_USER_NAME            Flow username of the tunnel (if known)
[NFv9 57594][IPFIX 35632.122][Len 32 varlen] %NPROBE_INSTANCE_NAME      nProbe instance name
[NFv9 57598][IPFIX 35632.126][Len 8 varlen] %PLUGIN_NAME                Plugin name used by this flow (if any)
[NFv9 57868][IPFIX 35632.396][Len 16] %UNTUNNELED_IPV6_SRC_ADDR         Untunneled IPv6 source address
[NFv9 57869][IPFIX 35632.397][Len 16] %UNTUNNELED_IPV6_DST_ADDR         Untunneled IPv6 destination address
[NFv9 57819][IPFIX 35632.347][Len 4] %NUM_PKTS_TTL_EQ_1                 # packets with TTL = 1
[NFv9 57818][IPFIX 35632.346][Len 4] %NUM_PKTS_TTL_2_5                  # packets with TTL > 1 and TTL <= 5
[NFv9 57806][IPFIX 35632.334][Len 4] %NUM_PKTS_TTL_5_32                 # packets with TTL > 5 and TTL <= 32
[NFv9 57807][IPFIX 35632.335][Len 4] %NUM_PKTS_TTL_32_64                # packets with TTL > 32 and <= 64
[NFv9 57808][IPFIX 35632.336][Len 4] %NUM_PKTS_TTL_64_96                # packets with TTL > 64 and <= 96
[NFv9 57809][IPFIX 35632.337][Len 4] %NUM_PKTS_TTL_96_128               # packets with TTL > 96 and <= 128
[NFv9 57810][IPFIX 35632.338][Len 4] %NUM_PKTS_TTL_128_160              # packets with TTL > 128 and <= 160
[NFv9 57811][IPFIX 35632.339][Len 4] %NUM_PKTS_TTL_160_192              # packets with TTL > 160 and <= 192
[NFv9 57812][IPFIX 35632.340][Len 4] %NUM_PKTS_TTL_192_224              # packets with TTL > 192 and <= 224
[NFv9 57813][IPFIX 35632.341][Len 4] %NUM_PKTS_TTL_224_255              # packets with TTL > 224 and <= 255
[NFv9 57821][IPFIX 35632.349][Len 37] %IN_SRC_OSI_SAP                   OSI Source SAP (OSI Traffic Only)
[NFv9 57822][IPFIX 35632.350][Len 37] %OUT_DST_OSI_SAP                  OSI Destination SAP (OSI Traffic Only)
[NFv9 57863][IPFIX 35632.391][Len 4] %DURATION_IN                       Client to Server stream duration (msec)
[NFv9 57864][IPFIX 35632.392][Len 4] %DURATION_OUT                      Client to Server stream duration (msec)
[NFv9 57887][IPFIX 35632.415][Len 2] %TCP_WIN_MIN_IN                    Min TCP Window (src->dst)
[NFv9 57888][IPFIX 35632.416][Len 2] %TCP_WIN_MAX_IN                    Max TCP Window (src->dst)
[NFv9 57889][IPFIX 35632.417][Len 2] %TCP_WIN_MSS_IN                    TCP Max Segment Size (src->dst)
[NFv9 57890][IPFIX 35632.418][Len 1] %TCP_WIN_SCALE_IN                  TCP Window Scale (src->dst)
[NFv9 57891][IPFIX 35632.419][Len 2] %TCP_WIN_MIN_OUT                   Min TCP Window (dst->src)
[NFv9 57892][IPFIX 35632.420][Len 2] %TCP_WIN_MAX_OUT                   Max TCP Window (dst->src)
[NFv9 57893][IPFIX 35632.421][Len 2] %TCP_WIN_MSS_OUT                   TCP Max Segment Size (dst->src)
[NFv9 57894][IPFIX 35632.422][Len 1] %TCP_WIN_SCALE_OUT                 TCP Window Scale (dst->src)
[NFv9 57910][IPFIX 35632.438][Len 4] %PAYLOAD_HASH                      Initial flow payload hash
[NFv9 57915][IPFIX 35632.443][Len 16] %SRC_AS_MAP                       Organization name for SRC_AS
[NFv9 57916][IPFIX 35632.444][Len 16] %DST_AS_MAP                       Organization name for DST_AS
[NFv9 57944][IPFIX 35632.472][Len 8] %SRC_TO_DST_SECOND_BYTES           Bytes/sec (src->dst)
[NFv9 57945][IPFIX 35632.473][Len 8] %DST_TO_SRC_SECOND_BYTES           Bytes/sec2 (dst->src)
[NFv9 57961][IPFIX 35632.489][Len 32 varlen] %JA3C_HASH                         JA3 client hash
[NFv9 58048][IPFIX 35632.576][Len 32 varlen] %JA4C_HASH                         JA4 client hash
[NFv9 57962][IPFIX 35632.490][Len 32 varlen] %JA3S_HASH                         JA3 server hash
[NFv9 57963][IPFIX 35632.491][Len 48 varlen] %SRC_HOST_NAME                     Symbolic src host name
[NFv9 57964][IPFIX 35632.492][Len 48 varlen] %DST_HOST_NAME                     Symbolic dst host name
[NFv9 57965][IPFIX 35632.493][Len 2] %TLS_CIPHER                        TLS Connection Cipher
[NFv9 57966][IPFIX 35632.494][Len 1] %TLS_UNSAFE_CIPHER                 TLS Safe(0)/unsafe(1) cipher
[NFv9 57967][IPFIX 35632.495][Len 2] %TLS_VERSION                       TLS Version
[NFv9 57974][IPFIX 35632.502][Len 47] %SEQ_PLEN                         Seq of packet len (6 classes)
[NFv9 57977][IPFIX 35632.505][Len 47] %SEQ_TDIFF                        Seq of time diff (6 classes)
[NFv9 57978][IPFIX 35632.506][Len 1] %SEQ_PLEN_HASH                     Seq of packet len hash
[NFv9 57979][IPFIX 35632.507][Len 1] %SEQ_TDIFF_HASH                    Seq of time diff hash
[NFv9 57980][IPFIX 35632.508][Len 94] %PKT_VECTOR                       Seq of packet len (+=c2s, -=s2c)
[NFv9 57971][IPFIX 35632.499][Len 32 varlen] %HASSH_CLIENT                      HASSH client hash
[NFv9 57972][IPFIX 35632.500][Len 32 varlen] %HASSH_SERVER                      HASSH server hash
[NFv9 57975][IPFIX 35632.503][Len 4] %ENTROPY_CLIENT_BYTES              Byte (src->dst) entropy * 1000
[NFv9 57976][IPFIX 35632.504][Len 4] %ENTROPY_SERVER_BYTES              Byte (dst->src) entropy * 1000
[NFv9 57981][IPFIX 35632.509][Len 8] %L7_PROTO_RISK                     Layer 7 protocol risk (bitmap)
[NFv9 57982][IPFIX 35632.510][Len 64 varlen] %L7_PROTO_RISK_NAME                Layer 7 protocol risk (string)
[NFv9 57999][IPFIX 35632.527][Len 2] %L7_RISK_SCORE                     Layer 7 flow Risk Score
[NFv9 57994][IPFIX 35632.522][Len 2] %FLOW_VERDICT                      Flow verdict marker (0 = unknown, 1=pass, 2=drop...)
[NFv9 57997][IPFIX 35632.525][Len 24 varlen] %SRC_HOST_LABEL                    Src host label
[NFv9 57998][IPFIX 35632.526][Len 24 varlen] %DST_HOST_LABEL                    Dest host label
[NFv9 58003][IPFIX 35632.531][Len 4] %SRC_TO_DST_IAT_MIN                Min (src->dst) Pkt Inter-Arrival Time (msec)
[NFv9 58004][IPFIX 35632.532][Len 4] %SRC_TO_DST_IAT_MAX                Max (src->dst) Pkt Inter-Arrival Time (msec)
[NFv9 58005][IPFIX 35632.533][Len 4] %SRC_TO_DST_IAT_AVG                Avg (src->dst) Pkt Inter-Arrival Time (msec)
[NFv9 58006][IPFIX 35632.534][Len 4] %SRC_TO_DST_IAT_STDDEV             StdDev (src->dst) Pkt Inter-Arrival Time (msec)
[NFv9 58007][IPFIX 35632.535][Len 4] %DST_TO_SRC_IAT_MIN                Min (dst->src) Pkt Inter-Arrival Time (msec)
[NFv9 58008][IPFIX 35632.536][Len 4] %DST_TO_SRC_IAT_MAX                Max (dst->src) Pkt Inter-Arrival Time (msec)
[NFv9 58009][IPFIX 35632.537][Len 4] %DST_TO_SRC_IAT_AVG                Avg (dst->src) Pkt Inter-Arrival Time (msec)
[NFv9 58010][IPFIX 35632.538][Len 4] %DST_TO_SRC_IAT_STDDEV             StdDev (dst->src) Pkt Inter-Arrival Time (msec)
[NFv9 58025][IPFIX 35632.553][Len 24 varlen] %AAA_NAT_KEY                       AAA/NAT Correlation Key
[NFv9 58026][IPFIX 35632.554][Len 4] %L7_ERROR_CODE                     Error code (e.g. SNMP, DNS. HTTP)
[NFv9 58027][IPFIX 35632.555][Len 48 varlen] %L7_RISK_INFO                      L7 Risk Information
[NFv9 58047][IPFIX 35632.575][Len 16 varlen] %ACCOUNT_ID                        AWS VPC Account-Id (string)
[NFv9 58058][IPFIX 35632.586][Len 1] %FLOW_ENCRYPTED                    0=cleartext/unknown, 1=encrypted (Entropy-based)
[NFv9 58061][IPFIX 35632.589][Len 4] %UNIQUE_SOURCE_ID                  Unique nProbe + exporter flow source id
[NFv9 58062][IPFIX 35632.590][Len 36] %NPROBE_UUID                      Unique nProbe UUID

Plugin HTTP Protocol templates:
[NFv9 57652][IPFIX 35632.180][Len 128 varlen] %HTTP_URL                         HTTP URL (IXIA URI)
[NFv9 57832][IPFIX 35632.360][Len 4 varlen] %HTTP_METHOD                HTTP METHOD
[NFv9 57653][IPFIX 35632.181][Len 2] %HTTP_RET_CODE                     HTTP return code (e.g. 200, 304...)
[NFv9 57654][IPFIX 35632.182][Len 128 varlen] %HTTP_REFERER                     HTTP Referer
[NFv9 57655][IPFIX 35632.183][Len 256 varlen] %HTTP_USER_AGENT                  HTTP User Agent
[NFv9 57656][IPFIX 35632.184][Len 256 varlen] %HTTP_MIME                        HTTP Mime Type
[NFv9 57659][IPFIX 35632.187][Len 64 varlen] %HTTP_HOST                         HTTP(S) Host Name (IXIA Host Name)
[NFv9 57833][IPFIX 35632.361][Len 64 varlen] %HTTP_SITE                         HTTP server without host name
[NFv9 57932][IPFIX 35632.460][Len 256 varlen] %HTTP_X_FORWARDED_FOR             HTTP X-Forwarded-For
[NFv9 57933][IPFIX 35632.461][Len 256 varlen] %HTTP_VIA                         HTTP Via

Plugin IMAP Protocol templates:
[NFv9 57732][IPFIX 35632.260][Len 64 varlen] %IMAP_LOGIN                        Mail sender

Plugin MySQL Plugin templates:
[NFv9 57667][IPFIX 35632.195][Len 16] %MYSQL_SERVER_VERSION             MySQL server version
[NFv9 57668][IPFIX 35632.196][Len 16] %MYSQL_USERNAME                   MySQL username
[NFv9 57669][IPFIX 35632.197][Len 64] %MYSQL_DB                         MySQL database in use
[NFv9 57670][IPFIX 35632.198][Len 128 varlen] %MYSQL_QUERY                      MySQL Query
[NFv9 57671][IPFIX 35632.199][Len 2] %MYSQL_RESPONSE                    MySQL server response
[NFv9 57792][IPFIX 35632.320][Len 4] %MYSQL_APPL_LATENCY_USEC           MySQL request->response latecy (usec)

Plugin NETBIOS Protocol templates:
[NFv9 57936][IPFIX 35632.464][Len 48 varlen] %NETBIOS_QUERY_NAME                NETBIOS Query Name
[NFv9 57937][IPFIX 35632.465][Len 64 varlen] %NETBIOS_QUERY_TYPE                NETBIOS Query Type
[NFv9 57938][IPFIX 35632.466][Len 64 varlen] %NETBIOS_RESPONSE                  NETBIOS Query Response
[NFv9 57939][IPFIX 35632.467][Len 24 varlen] %NETBIOS_QUERY_OS                  NETBIOS Query OS

Plugin POP3 Protocol templates:
[NFv9 57682][IPFIX 35632.210][Len 64 varlen] %POP_USER                          POP3 user login

Plugin Radius Protocol templates:
[NFv9 57712][IPFIX 35632.240][Len 1] %RADIUS_REQ_MSG_TYPE               RADIUS Request Msg Type
[NFv9 57713][IPFIX 35632.241][Len 1] %RADIUS_RSP_MSG_TYPE               RADIUS Response Msg Type
[NFv9 57714][IPFIX 35632.242][Len 32 varlen] %RADIUS_USER_NAME                  RADIUS User Name (Access Only)
[NFv9 57715][IPFIX 35632.243][Len 32 varlen] %RADIUS_CALLING_STATION_ID         RADIUS Calling Station Id
[NFv9 57716][IPFIX 35632.244][Len 32 varlen] %RADIUS_CALLED_STATION_ID          RADIUS Called Station Id
[NFv9 57717][IPFIX 35632.245][Len 4] %RADIUS_NAS_IP_ADDR                RADIUS NAS IP Address
[NFv9 57718][IPFIX 35632.246][Len 24 varlen] %RADIUS_NAS_IDENTIFIER             RADIUS NAS Identifier
[NFv9 57719][IPFIX 35632.247][Len 16] %RADIUS_USER_IMSI                 RADIUS User IMSI (Extension)
[NFv9 57720][IPFIX 35632.248][Len 16] %RADIUS_USER_IMEI                 RADIUS User MSISDN (Extension)
[NFv9 57721][IPFIX 35632.249][Len 4] %RADIUS_FRAMED_IP_ADDR             RADIUS Framed IP
[NFv9 57722][IPFIX 35632.250][Len 24 varlen] %RADIUS_ACCT_SESSION_ID            RADIUS Accounting Session Name
[NFv9 57723][IPFIX 35632.251][Len 1] %RADIUS_ACCT_STATUS_TYPE           RADIUS Accounting Status Type
[NFv9 57724][IPFIX 35632.252][Len 4] %RADIUS_ACCT_IN_OCTETS             RADIUS Accounting Input Octets
[NFv9 57725][IPFIX 35632.253][Len 4] %RADIUS_ACCT_OUT_OCTETS            RADIUS Accounting Output Octets
[NFv9 57726][IPFIX 35632.254][Len 4] %RADIUS_ACCT_IN_PKTS               RADIUS Accounting Input Packets
[NFv9 57727][IPFIX 35632.255][Len 4] %RADIUS_ACCT_OUT_PKTS              RADIUS Accounting Output Packets

Plugin RTP Plugin templates:
[NFv9 57909][IPFIX 35632.437][Len 4] %RTP_SSRC                          RTP Sync Source ID
[NFv9 57622][IPFIX 35632.150][Len 4] %RTP_FIRST_SEQ                     First flow RTP Seq Number
[NFv9 57623][IPFIX 35632.151][Len 4] %RTP_FIRST_TS                      First flow RTP timestamp
[NFv9 57624][IPFIX 35632.152][Len 4] %RTP_LAST_SEQ                      Last flow RTP Seq Number
[NFv9 57625][IPFIX 35632.153][Len 4] %RTP_LAST_TS                       Last flow RTP timestamp
[NFv9 57626][IPFIX 35632.154][Len 4] %RTP_IN_JITTER                     RTP jitter (ms * 1000)
[NFv9 57627][IPFIX 35632.155][Len 4] %RTP_OUT_JITTER                    RTP jitter (ms * 1000)
[NFv9 57628][IPFIX 35632.156][Len 4] %RTP_IN_PKT_LOST                   Packet %% lost in stream (src->dst)
[NFv9 57629][IPFIX 35632.157][Len 4] %RTP_OUT_PKT_LOST                  Packet %% lost in stream (dst->src)
[NFv9 57902][IPFIX 35632.430][Len 4] %RTP_IN_PKT_DROP                   Packet discarded by Jitter Buffer (src->dst)
[NFv9 57903][IPFIX 35632.431][Len 4] %RTP_OUT_PKT_DROP                  Packet discarded by Jitter Buffer (dst->src)
[NFv9 57633][IPFIX 35632.161][Len 1] %RTP_IN_PAYLOAD_TYPE               RTP payload type
[NFv9 57630][IPFIX 35632.158][Len 1] %RTP_OUT_PAYLOAD_TYPE              RTP payload type
[NFv9 57631][IPFIX 35632.159][Len 4] %RTP_IN_MAX_DELTA                  Max delta (ms*100) between consecutive pkts (src->dst)
[NFv9 57632][IPFIX 35632.160][Len 4] %RTP_OUT_MAX_DELTA                 Max delta (ms*100) between consecutive pkts (dst->src)
[NFv9 57820][IPFIX 35632.348][Len 64 varlen] %RTP_SIP_CALL_ID                   SIP call-id corresponding to this RTP stream
[NFv9 57906][IPFIX 35632.434][Len 4] %RTP_MOS                           RTP pseudo-MOS (value * 100) (average both directions)
[NFv9 57842][IPFIX 35632.370][Len 4] %RTP_IN_MOS                        RTP pseudo-MOS (value * 100) (src->dst)
[NFv9 57904][IPFIX 35632.432][Len 4] %RTP_OUT_MOS                       RTP pseudo-MOS (value * 100) (dst->src)
[NFv9 57908][IPFIX 35632.436][Len 4] %RTP_R_FACTOR                      RTP pseudo-R_FACTOR (value * 100) (average both directions)
[NFv9 57843][IPFIX 35632.371][Len 4] %RTP_IN_R_FACTOR                   RTP pseudo-R_FACTOR (value * 100) (src->dst)
[NFv9 57905][IPFIX 35632.433][Len 4] %RTP_OUT_R_FACTOR                  RTP pseudo-R_FACTOR (value * 100) (dst->src)
[NFv9 57853][IPFIX 35632.381][Len 4] %RTP_IN_TRANSIT                    RTP Transit (value * 100) (src->dst)
[NFv9 57854][IPFIX 35632.382][Len 4] %RTP_OUT_TRANSIT                   RTP Transit (value * 100) (dst->src)
[NFv9 57852][IPFIX 35632.380][Len 4] %RTP_RTT                           RTP Round Trip Time (ms)
[NFv9 57867][IPFIX 35632.395][Len 16 varlen] %RTP_DTMF_TONES                    DTMF tones sent (if any) during the call
Plugin SIP Plugin templates:
[NFv9 57602][IPFIX 35632.130][Len 96 varlen] %SIP_CALL_ID                       SIP call-id
[NFv9 57603][IPFIX 35632.131][Len 96 varlen] %SIP_CALLING_PARTY                 SIP Call initiator
[NFv9 57604][IPFIX 35632.132][Len 96 varlen] %SIP_CALLED_PARTY                  SIP Called party
[NFv9 57605][IPFIX 35632.133][Len 512] %SIP_RTP_CODECS                  SIP RTP codecs
[NFv9 58000][IPFIX 35632.528][Len 4] %SIP_REGISTER_MAX_RRD              SIP REGISTER max rsp delay (msec)
[NFv9 58001][IPFIX 35632.529][Len 1] %SIP_REGISTER_NUM_OK               SIP REGISTER number of rsp ok/authorized
[NFv9 58002][IPFIX 35632.530][Len 1] %SIP_REGISTER_NUM_OTHER            SIP REGISTER number of rsp not ok/authorized
[NFv9 57606][IPFIX 35632.134][Len 4] %SIP_INVITE_TIME                   SIP time (epoch) of INVITE
[NFv9 57607][IPFIX 35632.135][Len 4] %SIP_TRYING_TIME                   SIP time (epoch) of Trying
[NFv9 57608][IPFIX 35632.136][Len 4] %SIP_RINGING_TIME                  SIP time (epoch) of RINGING
[NFv9 57609][IPFIX 35632.137][Len 4] %SIP_INVITE_OK_TIME                SIP time (epoch) of INVITE OK
[NFv9 57610][IPFIX 35632.138][Len 4] %SIP_INVITE_FAILURE_TIME           SIP time (epoch) of INVITE FAILURE
[NFv9 57611][IPFIX 35632.139][Len 4] %SIP_BYE_TIME                      SIP time (epoch) of BYE
[NFv9 57612][IPFIX 35632.140][Len 4] %SIP_BYE_OK_TIME                   SIP time (epoch) of BYE OK
[NFv9 57613][IPFIX 35632.141][Len 4] %SIP_CANCEL_TIME                   SIP time (epoch) of CANCEL
[NFv9 57614][IPFIX 35632.142][Len 4] %SIP_CANCEL_OK_TIME                SIP time (epoch) of CANCEL OK
[NFv9 57615][IPFIX 35632.143][Len 4] %SIP_RTP_IPV4_SRC_ADDR             SIP RTP stream source IP
[NFv9 57616][IPFIX 35632.144][Len 2] %SIP_RTP_L4_SRC_PORT               SIP RTP stream source port
[NFv9 57617][IPFIX 35632.145][Len 4] %SIP_RTP_IPV4_DST_ADDR             SIP RTP stream dest IP
[NFv9 57618][IPFIX 35632.146][Len 2] %SIP_RTP_L4_DST_PORT               SIP RTP stream dest port
[NFv9 57619][IPFIX 35632.147][Len 4] %SIP_RESPONSE_CODE                 SIP failure response code
[NFv9 57620][IPFIX 35632.148][Len 4] %SIP_REASON_CAUSE                  SIP Cancel/Bye/Failure reason cause
[NFv9 57788][IPFIX 35632.316][Len 96 varlen] %SIP_UAC                           SIP user-agent client
[NFv9 57789][IPFIX 35632.317][Len 96 varlen] %SIP_UAS                           SIP user-agent server
[NFv9 57834][IPFIX 35632.362][Len 128] %SIP_C_IP                        SIP C IP addresses
[NFv9 57835][IPFIX 35632.363][Len 12 varlen] %SIP_CALL_STATE                    SIP Call State

Plugin SMTP Protocol templates:
[NFv9 57657][IPFIX 35632.185][Len 64 varlen] %SMTP_MAIL_FROM                    Mail sender
[NFv9 57658][IPFIX 35632.186][Len 64 varlen] %SMTP_RCPT_TO                      Mail recipient

Plugin SSDP Protocol templates:
[NFv9 57934][IPFIX 35632.462][Len 48 varlen] %SSDP_HOST                         SSDP Host
[NFv9 57935][IPFIX 35632.463][Len 64 varlen] %SSDP_USN                          SSDP USN
[NFv9 57940][IPFIX 35632.468][Len 64 varlen] %SSDP_SERVER                       SSDP Server
[NFv9 57941][IPFIX 35632.469][Len 64 varlen] %SSDP_TYPE                         SSDP Type
[NFv9 57942][IPFIX 35632.470][Len 8 varlen] %SSDP_METHOD                SSDP Method

The default template (if -T is omitted) is:

%IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS

In case @NTOPNG@ is used with -T, such template it is expanded according to the operational mode: 1. probe mode (-i <interface>)

%IN_SRC_MAC %OUT_DST_MAC %INPUT_SNMP %OUTPUT_SNMP %SRC_VLAN %IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV6_DST_ADDR %SRC_TOS %DST_TOS %IP_PROTOCOL_VERSION %PROTOCOL %L7_PROTO %L7_CONFIDENCE %IN_BYTES %IN_PKTS %OUT_BYTES %OUT_PKTS %FIRST_SWITCHED %LAST_SWITCHED %CLIENT_TCP_FLAGS %SERVER_TCP_FLAGS %L7_PROTO_RISK %L7_RISK_SCORE %EXPORTER_IPV4_ADDRESS %DIRECTION %SAMPLING_INTERVAL %TOTAL_FLOWS_EXP %NPROBE_IPV4_ADDRESS %NPROBE_INSTANCE_NAME %FLOW_SOURCE %JA4C_HASH %UNIQUE_SOURCE_ID %CLIENT_NW_LATENCY_MS %SERVER_NW_LATENCY_MS %APPL_LATENCY_MS %TCP_WIN_MAX_IN %TCP_WIN_MAX_OUT %OOORDER_IN_PKTS %OOORDER_OUT_PKTS %RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_PKTS %SRC_FRAGMENTS %DST_FRAGMENTS %L7_INFO %DNS_QUERY %DNS_QUERY_TYPE %DNS_RET_CODE %HTTP_URL %HTTP_SITE %HTTP_METHOD %HTTP_RET_CODE %TLS_SERVER_NAME %BITTORRENT_HASH %SRC_TOS %DST_TOS %HTTP_USER_AGENT %L7_RISK_INFO

  1. collector mode (-3 <port>)

    %IN_SRC_MAC %OUT_DST_MAC %INPUT_SNMP %OUTPUT_SNMP %SRC_VLAN %IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV6_DST_ADDR %SRC_TOS %DST_TOS %IP_PROTOCOL_VERSION %PROTOCOL %L7_PROTO %L7_CONFIDENCE %IN_BYTES %IN_PKTS %OUT_BYTES %OUT_PKTS %FIRST_SWITCHED %LAST_SWITCHED %CLIENT_TCP_FLAGS %SERVER_TCP_FLAGS %L7_PROTO_RISK %L7_RISK_SCORE %EXPORTER_IPV4_ADDRESS %DIRECTION %SAMPLING_INTERVAL %TOTAL_FLOWS_EXP %NPROBE_IPV4_ADDRESS %NPROBE_INSTANCE_NAME %FLOW_SOURCE %JA4C_HASH %UNIQUE_SOURCE_ID %POST_NAT_SRC_IPV4_ADDR %POST_NAT_DST_IPV4_ADDR %POST_NAPT_SRC_TRANSPORT_PORT %POST_NAPT_DST_TRANSPORT_PORT

Application Protocols

Major protocol (%L7_PROTO) symbolic mapping:

Id Userd-id Protocol                   Layer_4    Nw_Proto Breed                 Category           Def UDP Port/s                  Def TCP Port/s                  Custom
 0        0 Unknown                    TCP        X        Unrated               Unspecified        -                               -                                    0
 1        1 FTP_CONTROL                TCP        X        Unsafe                Download           -                               21                                   0
 2        2 POP3                       TCP        X        Unsafe                Email              -                               110                                  0
 3        3 SMTP                       TCP        X        Acceptable            Email              -                               25,587                               0
 4        4 IMAP                       TCP        X        Unsafe                Email              -                               143                                  0
 5        5 DNS                        TCP/UDP    X        Acceptable            Network            53                              53                                   0
 6        6 IPP                        TCP                 Acceptable            System             -                               -                                    0
 7        7 HTTP                       TCP        X        Acceptable            Web                -                               80                                   0
 8        8 MDNS                       TCP        X        Acceptable            Network            5353,5354                       -                                    0
 9        9 NTP                        UDP        X        Acceptable            System             123                             -                                    0
10       10 NetBIOS                    TCP/UDP    X        Acceptable            System             137,138,139                     139                                  0
11       11 NFS                        TCP/UDP    X        Acceptable            DataTransfer       2049                            2049                                 0
12       12 SSDP                       UDP        X        Acceptable            System             -                               -                                    0
13       13 BGP                        TCP        X        Acceptable            Network            -                               179,2605                             0
14       14 SNMP                       UDP        X        Acceptable            Network            161,162                         -                                    0
15       15 XDMCP                      TCP/UDP    X        Acceptable            RemoteAccess       177                             177                                  0
16       16 SMBv1                      TCP                 Dangerous             System             -                               445                                  0
17       17 Syslog                     TCP/UDP    X        Acceptable            System             514                             514,601,6514                         0
18       18 DHCP                       UDP        X        Acceptable            Network            67,68                           -                                    0
19       19 PostgreSQL                 TCP        X        Acceptable            Database           -                               5432                                 0
20       20 MySQL                      TCP        X        Acceptable            Database           -                               3306                                 0
21       21 Outlook                    TCP                 Acceptable            Email              -                               -                                    0
22       22 VK                         TCP                 Fun                   SocialNetwork      -                               -                                    0
23       23 POPS                       TCP                 Safe                  Email              -                               995                                  0
24       24 Tailscale                  UDP                 Acceptable            VPN                41641                           -                                    0
25       25 Yandex                     TCP                 Safe                  Web                -                               -                                    0
26       26 ntop                       TCP                 Safe                  Network            -                               -                                    0
27       27 COAP                       UDP        X        Safe                  RPC                5683,5684                       -                                    0
28       28 VMware                     UDP        X        Acceptable            RemoteAccess       902,903                         903                                  0
29       29 SMTPS                      TCP                 Safe                  Email              -                               465                                  0
30       30 DTLS                       TCP/UDP    X        Safe                  Web                -                               -                                    0
31       31 UBNTAC2                    UDP                 Safe                  Network            10001                           -                                    0
32       32 BFCP                       TCP/UDP    X        Acceptable            Video              -                               -                                    0
33       33 YandexMail                 TCP                 Safe                  Email              -                               -                                    0
34       34 YandexMusic                TCP                 Fun                   Music              -                               -                                    0
35       35 Gnutella                   TCP/UDP             Potentially_Dangerous Download           -                               -                                    0
36       36 eDonkey                    TCP        X        Unsafe                Download           -                               -                                    0
37       37 BitTorrent                 TCP/UDP             Acceptable            Download           6881-6889,51413,6771            6881-6889,51413,53646                0
38       38 TeamsCall                  TCP                 Acceptable            VoIP               -                               -                                    0
39       39 Signal                     TCP                 Acceptable            Chat               -                               -                                    0
40       40 Memcached                  TCP/UDP    X        Acceptable            Network            11211                           11211                                0
41       41 SMBv23                     TCP                 Acceptable            System             -                               445                                  0
42       42 Mining                     TCP                 Unsafe                Mining             -                               -                                    0
43       43 NestLogSink                TCP                 Acceptable            Cloud              -                               11095                                0
44       44 Modbus                     TCP        X        Acceptable            IoT-Scada          -                               502                                  0
45       45 WhatsAppCall               TCP                 Acceptable            VoIP               -                               -                                    0
46       46 DataSaver                  TCP                 Fun                   Web                -                               -                                    0
47       47 Xbox                       UDP                 Fun                   Game               -                               -                                    0
48       48 QQ                         UDP                 Fun                   Chat               -                               -                                    0
49       49 TikTok                     TCP                 Fun                   SocialNetwork      -                               -                                    0
50       50 RTSP                       TCP/UDP    X        Fun                   Media              554                             554                                  0
51       51 IMAPS                      TCP                 Safe                  Email              -                               993                                  0
52       52 IceCast                    TCP        X        Fun                   Media              -                               -                                    0
53       53 CPHA                       UDP                 Fun                   Network            8116                            -                                    0
54       54 iQIYI                      UDP                 Fun                   Streaming          -                               -                                    0
55       55 Zattoo                     TCP/UDP             Fun                   Video              -                               -                                    0
56       56 YandexMarket               TCP                 Safe                  Shopping           -                               -                                    0
57       57 YandexDisk                 TCP                 Safe                  Cloud              -                               -                                    0
58       58 Discord                    UDP                 Fun                   Collaborative      -                               -                                    0
59       59 AdobeConnect               TCP                 Acceptable            Video              -                               -                                    0
60       60 MongoDB                    TCP        X        Acceptable            Database           -                               27017                                0
61       61 Pluralsight                TCP                 Fun                   Video              -                               -                                    0
62       62 YandexCloud                TCP                 Safe                  Cloud              -                               -                                    0
63       63 OCSP                       TCP                 Safe                  Network            -                               -                                    0
64       64 VXLAN                      UDP        X        Acceptable            Network            4789                            -                                    0
65       65 IRC                        TCP        X        Unsafe                Chat               194                             194                                  0
66       66 MerakiCloud                UDP        X        Acceptable            Network            -                               -                                    0
67       67 Jabber                     TCP        X        Acceptable            Web                -                               -                                    0
68       68 Nats                       TCP        X        Acceptable            RPC                -                               -                                    0
69       69 AmongUs                    UDP                 Fun                   Game               22023                           -                                    0
70       70 Yahoo                      TCP                 Safe                  Web                -                               -                                    0
71       71 DisneyPlus                 TCP                 Fun                   Streaming          -                               -                                    0
72       72 HART-IP                    TCP/UDP    X        Acceptable            IoT-Scada          -                               5094                                 0
73       73 VRRP                                  X        Acceptable            Network            -                               -                                    0
74       74 Steam                      UDP                 Fun                   Game               -                               -                                    0
75       75 MELSEC                     TCP/UDP             Acceptable            IoT-Scada          -                               -                                    0
76       76 WorldOfWarcraft            TCP                 Fun                   Game               -                               -                                    0
77       77 Telnet                     TCP        X        Unsafe                RemoteAccess       -                               23                                   0
78       78 STUN                       TCP/UDP    X        Acceptable            Network            3478                            3478                                 0
79       79 IPSec                      UDP        X        Safe                  VPN                500,4500                        500                                  0
80       80 GRE                                   X        Acceptable            Network            -                               -                                    0
81       81 ICMP                                  X        Acceptable            Network            -                               -                                    0
82       82 IGMP                                  X        Acceptable            Network            -                               -                                    0
83       83 EGP                                   X        Acceptable            Network            -                               -                                    0
84       84 SCTP                                  X        Acceptable            Network            -                               -                                    0
85       85 IP_OSPF                               X        Acceptable            Network            -                               -                                    0
86       86 IP_in_IP                              X        Acceptable            Network            -                               -                                    0
87       87 RTP                        TCP/UDP             Acceptable            Media              -                               -                                    0
88       88 RDP                        TCP/UDP             Acceptable            RemoteAccess       3389                            3389                                 0
89       89 VNC                        TCP        X        Acceptable            RemoteAccess       -                               5900,5901,5800                       0
90       90 Tumblr                     TCP                 Fun                   SocialNetwork      -                               -                                    0
91       91 TLS                        TCP/UDP    X        Safe                  Web                -                               443                                  0
92       92 SSH                        TCP        X        Acceptable            RemoteAccess       -                               22                                   0
93       93 Usenet                     TCP        X        Acceptable            Web                -                               -                                    0
94       94 MGCP                       UDP        X        Acceptable            VoIP               -                               -                                    0
95       95 IAX                        UDP        X        Acceptable            VoIP               4569                            4569                                 0
96       96 TFTP                       UDP        X        Acceptable            DataTransfer       69                              -                                    0
97       97 AFP                        TCP        X        Acceptable            DataTransfer       548                             548                                  0
98       98 YandexMetrika              TCP                 Safe                  Web                -                               -                                    0
99       99 YandexDirect               TCP                 Tracker_Ads           Advertisement      -                               -                                    0

100 100 SIP TCP/UDP X Acceptable VoIP 5060-5061 5060-5061 0 101 101 TruPhone TCP Acceptable VoIP - - 0 102 102 ICMPV6 X Acceptable Network - - 0 103 103 DHCPV6 UDP X Acceptable Network - - 0 104 104 Armagetron UDP X Fun Game - - 0 105 105 Crossfire TCP/UDP Fun RPC - - 0 106 106 Dofus TCP Fun Game - - 0 107 107 Blacknut TCP Fun Game - - 0 108 108 Boosteroid TCP Fun Game - - 0 109 109 GuildWars2 TCP X Fun Game - 6112 0 110 110 AmazonAlexa TCP Acceptable VirtAssistant - - 0 111 111 Kerberos TCP/UDP X Acceptable Network 88 88 0 112 112 LDAP TCP/UDP X Acceptable System 389 389 0 113 113 Nexon TCP Fun Game - - 0 114 114 MsSQL-TDS TCP X Acceptable Database - 1433,1434 0 115 115 PPTP TCP X Acceptable VPN - - 0 116 116 AH X Safe VPN - - 0 117 117 ESP X Safe VPN - - 0 118 118 Slack TCP Acceptable Collaborative - - 0 119 119 Facebook TCP Fun SocialNetwork - - 0 120 120 Twitter TCP Fun SocialNetwork - - 0 121 121 Dropbox UDP Acceptable Cloud 17500 - 0 122 122 GMail TCP Acceptable Email - - 0 123 123 GoogleMaps TCP Safe Web - - 0 124 124 YouTube TCP Fun Media - - 0 125 125 Mozilla TCP Acceptable Web - - 0 126 126 Google TCP Acceptable Web - - 0 127 127 MS-RPCH TCP X Acceptable RPC - - 0 128 128 NetFlow UDP X Acceptable Network 2055 - 0 129 129 sFlow UDP X Acceptable Network 6343 - 0 130 130 HTTP_Connect TCP X Acceptable Web - 8080 0 131 131 HTTP_Proxy TCP X Acceptable Web - 8080,3128 0 132 132 Citrix TCP Acceptable Network - 1494,2598 0 133 133 NetFlix TCP Fun Video - - 0 134 134 LastFM TCP Fun Music - - 0 135 135 Waze TCP Acceptable Web - - 0 136 136 YouTubeUpload TCP Fun Media - - 0 137 137 Hulu TCP Fun Streaming - - 0 138 138 CHECKMK TCP X Acceptable DataTransfer - 6556 0 139 139 AJP TCP X Acceptable Web - 8009,8010 0 140 140 Apple TCP Safe Web - - 0 141 141 Webex TCP Acceptable VoIP - - 0 142 142 WhatsApp TCP Acceptable Chat - - 0 143 143 AppleiCloud TCP Acceptable Web - - 0 144 144 Viber TCP/UDP Fun Chat 7985,7987,5242,5243,4244 7985,5242,5243,4244 0 145 145 AppleiTunes TCP Fun Streaming - - 0 146 146 Radius UDP X Acceptable Network 1812,1813 1812,1813 0 147 147 WindowsUpdate TCP Safe SoftwareUpdate - - 0 148 148 TeamViewer TCP/UDP Acceptable RemoteAccess 5938 5938 0 149 149 EthernetGlobalData UDP X Acceptable IoT-Scada - - 0 150 150 HCL_Notes TCP X Acceptable Collaborative - 1352 0 151 151 SAP TCP X Acceptable Network - 3201 0 152 152 GTP UDP X Acceptable Network 2152,2123 - 0 153 153 WSD UDP X Acceptable Network 3702 - 0 154 154 LLMNR TCP X Acceptable Network 5355 5355 0 155 155 TocaBoca UDP X Fun Game 5055 - 0 156 156 Spotify TCP/UDP Fun Music - - 0 157 157 FacebookMessenger TCP Acceptable Chat - - 0 158 158 H323 TCP/UDP X Acceptable VoIP 1719,1720 1719,1720 0 159 159 OpenVPN TCP/UDP Acceptable VPN 1194 1194 0 160 160 NOE UDP X Acceptable VoIP - - 0 161 161 CiscoVPN UDP X Acceptable VPN 10000 10000,8008 0 162 162 TeamSpeak TCP/UDP X Fun VoIP - - 0 163 163 Tor TCP Potentially_Dangerous VPN - - 0 164 164 CiscoSkinny TCP X Acceptable VoIP - 2000 0 165 165 RTCP TCP/UDP X Acceptable VoIP - - 0 166 166 RSYNC TCP X Acceptable DataTransfer - 873 0 167 167 Oracle TCP X Acceptable Database - 1521 0 168 168 Corba TCP/UDP X Acceptable RPC - - 0 169 169 Canonical TCP Acceptable Cloud - - 0 170 170 Whois-DAS TCP X Acceptable Network - 43,4343 0 171 171 SD-RTN UDP X Acceptable Media - - 0 172 172 SOCKS TCP X Acceptable Web 1080 1080 0 173 173 Nintendo UDP Fun Game - - 0 174 174 RTMP TCP X Acceptable Media - 1935 0 175 175 FTP_DATA TCP X Acceptable Download - 20 0 176 176 Wikipedia TCP Safe Web - - 0 177 177 ZeroMQ TCP X Acceptable RPC - - 0 178 178 Amazon TCP Acceptable Web - - 0 179 179 eBay TCP Safe Shopping - - 0 180 180 CNN TCP Safe Web - - 0 181 181 Megaco UDP X Acceptable VoIP 2944 - 0 182 182 RESP TCP X Acceptable Database - 6379 0 183 183 Pinterest TCP Fun SocialNetwork - - 0 184 184 OSPF TCP X Safe Network - 2604 0 185 185 Telegram TCP/UDP Acceptable Chat - - 0 186 186 CoD_Mobile UDP Fun Game - - 0 187 187 Pandora TCP Fun Streaming - - 0 188 188 QUIC UDP X Acceptable Web 443 - 0 189 189 Zoom UDP Acceptable Video - - 0 190 190 EAQ UDP X Acceptable Network 6000 - 0 191 191 Ookla TCP/UDP Safe Network - - 0 192 192 AMQP TCP X Acceptable RPC - - 0 193 193 KakaoTalk TCP Acceptable Chat - - 0 194 194 KakaoTalk_Voice UDP X Acceptable VoIP - - 0 195 195 Twitch TCP Fun Video - - 0 196 196 DoH_DoT TCP Acceptable Network 784,853 853 0 197 197 WeChat TCP Fun Chat - - 0 198 198 MPEG_TS UDP X Fun Media - - 0 199 199 Snapchat TCP Fun SocialNetwork - - 0 200 200 Sina TCP Fun SocialNetwork - - 0 201 201 GoogleMeet TCP Acceptable Chat - - 0 202 202 IFLIX TCP Fun Video - - 0 203 203 Github TCP Acceptable Collaborative - - 0 204 204 BJNP UDP X Acceptable System 8612 - 0 205 205 Reddit TCP Fun SocialNetwork - - 0 206 206 WireGuard UDP X Acceptable VPN 51820 - 0 207 207 SMPP TCP X Acceptable Download - - 0 208 208 DNScrypt TCP/UDP Acceptable Network - - 0 209 209 TINC TCP/UDP X Acceptable VPN 655 655 0 210 210 Deezer TCP Fun Music - - 0 211 211 Instagram TCP Fun SocialNetwork - - 0 212 212 Microsoft TCP Safe Cloud - - 0 213 213 Blizzard TCP/UDP Fun Game 1119 1119 0 214 214 Teredo UDP X Acceptable Network - - 0 215 215 HotspotShield TCP Potentially_Dangerous VPN - - 0 216 216 IMO UDP X Acceptable VoIP - - 0 217 217 GoogleDrive TCP Acceptable Cloud - - 0 218 218 OCS TCP Fun Media - - 0 219 219 Microsoft365 TCP Acceptable Collaborative - - 0 220 220 Cloudflare TCP Acceptable Web - - 0 221 221 MS_OneDrive TCP Acceptable Collaborative - - 0 222 222 MQTT TCP X Acceptable RPC - 1883,8883 0 223 223 RX UDP X Acceptable RPC - - 0 224 224 AppleStore TCP Safe SoftwareUpdate - - 0 225 225 OpenDNS TCP Acceptable Web - - 0 226 226 Git TCP X Safe Collaborative - 9418 0 227 227 DRDA TCP X Acceptable Database - - 0 228 228 PlayStore TCP Safe SoftwareUpdate - - 0 229 229 SOMEIP TCP/UDP X Acceptable RPC 30491,30501,30490 30491,30501 0 230 230 FIX TCP X Safe RPC - - 0 231 231 Playstation TCP Fun Game - - 0 232 232 Pastebin TCP Potentially_Dangerous Download - - 0 233 233 LinkedIn TCP Fun SocialNetwork - - 0 234 234 SoundCloud TCP Fun Music - - 0 235 235 SteamDatagramRelay UDP X Fun Game - - 0 236 236 LISP TCP/UDP X Acceptable Cloud 4342,4341 - 0 237 237 Diameter TCP X Acceptable Network - 3868 0 238 238 ApplePush TCP Acceptable Cloud - - 0 239 239 GoogleServices TCP Acceptable Web - - 0 240 240 AmazonVideo TCP/UDP Fun Cloud - - 0 241 241 GoogleDocs TCP Acceptable Collaborative - - 0 242 242 WhatsAppFiles TCP Acceptable Download - - 0 243 243 TargusDataspeed TCP X Acceptable Network 5001,5201 5001,5201 0 244 244 DNP3 TCP X Acceptable IoT-Scada - 20000 0 245 245 IEC60870 TCP X Acceptable IoT-Scada - 2404 0 246 246 Bloomberg TCP Acceptable Network - - 0 247 247 CAPWAP UDP X Acceptable Network 5246,5247 - 0 248 248 Zabbix TCP X Acceptable Network - 10050,10051 0 249 249 S7Comm TCP X Acceptable IoT-Scada - - 0 250 250 Teams TCP Safe Collaborative - - 0 251 251 WebSocket TCP Acceptable Web - - 0 252 252 AnyDesk TCP Acceptable RemoteAccess - - 0 253 253 SOAP TCP Acceptable RPC - - 0 254 254 AppleSiri TCP Acceptable VirtAssistant - - 0 255 255 SnapchatCall TCP Acceptable VoIP - - 0 256 256 HP_VIRTGRP TCP X Acceptable Network - - 0 257 257 GenshinImpact TCP/UDP X Fun Game 22102 - 0 258 258 Activision UDP Fun Game - - 0 259 259 FortiClient TCP Safe VPN - 8013,8014 0 260 260 Z3950 TCP X Acceptable Network - 210 0 261 261 Likee TCP Fun SocialNetwork - - 0 262 262 GitLab TCP Fun Collaborative - - 0 263 263 AVASTSecureDNS UDP Safe Network - - 0 264 264 Cassandra TCP X Acceptable Database - 7000,9042 0 265 265 AmazonAWS TCP Acceptable Cloud - - 0 266 266 Salesforce TCP Safe Cloud - - 0 267 267 Vimeo TCP Fun Streaming - - 0 268 268 FacebookVoip TCP Acceptable VoIP - - 0 269 269 SignalVoip TCP Acceptable VoIP - - 0 270 270 Fuze TCP Acceptable VoIP - - 0 271 271 GTP_U TCP Acceptable Network - - 0 272 272 GTP_C TCP Acceptable Network - - 0 273 273 GTP_PRIME TCP Acceptable Network - - 0 274 274 Alibaba TCP Acceptable Web - - 0 275 275 Crashlytics TCP Acceptable DataTransfer - - 0 276 276 Azure TCP Acceptable Cloud - - 0 277 277 iCloudPrivateRelay TCP Acceptable VPN - - 0 278 278 EthernetIP TCP X Acceptable Network - 44818 0 279 279 Badoo TCP Fun SocialNetwork - - 0 280 280 AccuWeather TCP Fun Web - - 0 281 281 GoogleClassroom TCP Acceptable Collaborative - - 0 282 282 HSRP UDP X Acceptable Network 1985 - 0 283 283 Cybersec TCP Safe Cybersecurity - - 0 284 284 GoogleCloud TCP Acceptable Cloud - - 0 285 285 Tencent TCP Fun SocialNetwork - - 0 286 286 RakNet UDP X Fun Game - - 0 287 287 Xiaomi TCP Acceptable Web - - 0 288 288 Edgecast TCP Acceptable Cloud - - 0 289 289 Cachefly TCP Acceptable Cloud - - 0 290 290 Softether UDP Acceptable VPN - - 0 291 291 MpegDash TCP Fun Media - - 0 292 292 Dazn TCP Fun Streaming - - 0 293 293 GoTo TCP Acceptable VoIP - - 0 294 294 RSH TCP X Unsafe RemoteAccess - - 0 295 295 1kxun TCP Fun Streaming - - 0 296 296 PGM X Acceptable Network - - 0 297 297 IP_PIM X Acceptable Network - - 0 298 298 collectd UDP X Acceptable System 25826 - 0 299 299 TunnelBear TCP Acceptable VPN - - 0 300 300 CloudflareWarp UDP Acceptable VPN - - 0 301 301 i3D UDP X Fun Game - - 0 302 302 RiotGames UDP Fun Game - - 0 303 303 Psiphon TCP Acceptable VPN - - 0 304 304 UltraSurf TCP Acceptable VPN - - 0 305 305 Threema TCP X Fun Chat - - 0 306 306 AliCloud TCP X Acceptable Cloud - - 0 307 307 AVAST TCP X Safe Network - - 0 308 308 TiVoConnect TCP/UDP X Fun Network 2190 2190 0 309 309 Kismet TCP X Acceptable Network - - 0 310 310 FastCGI TCP X Safe Network - - 0 311 311 FTPS TCP X Unsafe Download - - 0 312 312 NAT-PMP UDP X Acceptable Network 5351 - 0 313 313 Syncthing UDP X Fun Download - - 0 314 314 CryNetwork UDP X Fun Game - - 0 315 315 Line TCP Acceptable Chat - - 0 316 316 LineCall UDP X Acceptable VoIP - - 0 317 317 AppleTVPlus TCP Fun Streaming - - 0 318 318 DirecTV TCP Fun Streaming - - 0 319 319 HBO TCP Fun Streaming - - 0 320 320 Vudu TCP Fun Streaming - - 0 321 321 Showtime TCP Fun Streaming - - 0 322 322 Dailymotion TCP Fun Streaming - - 0 323 323 Livestream TCP Fun Streaming - - 0 324 324 Tencentvideo TCP Fun Streaming - - 0 325 325 IHeartRadio TCP Fun Music - - 0 326 326 Tidal TCP Fun Music - - 0 327 327 TuneIn TCP Fun Music - - 0 328 328 SiriusXMRadio TCP Fun Music - - 0 329 329 Munin TCP X Acceptable System - 4949 0 330 330 Elasticsearch TCP X Acceptable System - - 0 331 331 TuyaLP UDP X Acceptable IoT-Scada 6667 - 0 332 332 TPLINK_SHP TCP/UDP X Acceptable IoT-Scada 9999 9999 0 333 333 Source_Engine UDP X Fun Game 27015 - 0 334 334 BACnet UDP X Safe IoT-Scada 47808 - 0 335 335 OICQ UDP X Acceptable Chat 8000 - 0 336 336 Heroes_of_the_Storm UDP X Fun Game - - 0 337 337 FbookReelStory TCP Fun SocialNetwork - - 0 338 338 SRTP TCP Acceptable Media - - 0 339 339 OperaVPN TCP Acceptable VPN - - 0 340 340 EpicGames UDP Fun Game - - 0 341 341 GeForceNow TCP Fun Game - - 0 342 342 Nvidia TCP Safe Web - - 0 343 343 BITCOIN TCP X Acceptable Crypto_Currency - 8333 0 344 344 ProtonVPN TCP Acceptable VPN - - 0 345 345 Thrift TCP/UDP X Acceptable RPC - - 0 346 346 Roblox TCP Fun Game - - 0 347 347 Service_Location_Protocol TCP/UDP X Acceptable RPC 427 427 0 348 348 Mullvad TCP Acceptable VPN - - 0 349 349 HTTP2 TCP X Safe Web - - 0 350 350 HAProxy TCP X Safe Web - - 0 351 351 RMCP UDP X Safe System 623 - 0 352 352 Controller_Area_Network TCP/UDP X Safe System - - 0 353 353 Protobuf TCP/UDP X Safe Network - - 0 354 354 ETHEREUM TCP/UDP X Acceptable Crypto_Currency - 30303 0 355 355 TelegramVoip TCP Acceptable VoIP - - 0 356 356 SinaWeibo TCP Fun SocialNetwork - - 0 357 357 TeslaServices TCP Acceptable Network - - 0 358 358 PTPv2 UDP X Acceptable System 319,320 - 0 359 359 RTPS UDP X Acceptable RPC 7401 - 0 360 360 OPC-UA TCP X Acceptable IoT-Scada - 4840 0 361 361 S7CommPlus TCP X Acceptable IoT-Scada - - 0 362 362 FINS TCP/UDP X Acceptable IoT-Scada 9600 9600 0 363 363 EtherSIO UDP X Acceptable IoT-Scada 6060 - 0 364 364 UMAS TCP Acceptable IoT-Scada - - 0 365 365 BeckhoffADS TCP X Acceptable IoT-Scada - 48898 0 366 366 ISO9506-1-MMS TCP X Acceptable IoT-Scada - - 0 367 367 IEEE-C37118 TCP/UDP X Acceptable IoT-Scada 4713 4712 0 368 368 Ether-S-Bus UDP X Acceptable IoT-Scada 5050 - 0 369 369 Monero TCP Acceptable Crypto_Currency - - 0 370 370 DCERPC TCP/UDP X Acceptable RPC 135 135 0 371 371 PROFINET_IO UDP Acceptable IoT-Scada - - 0 372 372 HiSLIP TCP X Acceptable IoT-Scada - 4880 0 373 373 UFTP UDP X Acceptable Download 1044 - 0 374 374 OpenFlow TCP X Acceptable Network - 6653 0 375 375 JSON-RPC TCP Acceptable RPC - - 0 376 376 WebDAV TCP Acceptable Collaborative - - 0 377 377 Kafka TCP X Acceptable RPC - 9092 0 378 378 NoMachine TCP/UDP X Acceptable RemoteAccess 4000 4000 0 379 379 IEC62056 TCP/UDP X Acceptable IoT-Scada 4059 4059 0 380 380 HL7 TCP X Acceptable Health - 2575 0 381 381 Ceph TCP X Acceptable DataTransfer - 3300,6789 0 382 382 GoogleChat TCP Acceptable Chat - - 0 383 383 Roughtime TCP/UDP X Acceptable System 2002 2002 0 384 384 PrivateInternetAccess TCP Acceptable VPN - - 0 385 385 KCP TCP/UDP X Acceptable Network - - 0 386 386 Dota2 TCP Fun Game - - 0 387 387 Mumble UDP Fun VoIP - - 0 388 388 Yojimbo UDP X Fun Game - - 0 389 389 ElectronicArts TCP Fun Game - - 0 390 390 STOMP TCP X Acceptable RPC - 61613 0 391 391 Radmin TCP X Acceptable RemoteAccess - 4899 0 392 392 Raft TCP X Acceptable Network - - 0 393 393 CIP UDP X Acceptable IoT-Scada 2222 - 0 394 394 Gearman TCP X Acceptable RPC - 4730 0 395 395 TencentGames TCP X Fun Game - - 0 396 396 GaijinEntertainment UDP Fun Game 20011 - 0 397 397 ANSI_C1222 TCP/UDP X Acceptable IoT-Scada 1153 1153 0 398 398 Huawei TCP Acceptable Web - - 0 399 399 HuaweiCloud TCP Acceptable Cloud - - 0 400 400 DLEP TCP/UDP X Acceptable Network 854 854 0 401 401 BFD UDP X Acceptable Network 3784,3785 - 0 402 402 NetEaseGames UDP Fun Game - - 0 403 403 PathofExile TCP X Fun Game - - 0 404 404 GoogleCall TCP Acceptable VoIP - - 0 405 405 PFCP UDP X Acceptable Network 8805 - 0 406 406 FLUTE UDP X Acceptable Download - - 0 407 407 LoLWildRift UDP X Fun Game - - 0 408 408 TES_Online TCP X Fun Game - - 0 409 409 LDP TCP/UDP X Acceptable Network 646 646 0 410 410 KNXnet_IP TCP/UDP X Acceptable IoT-Scada 3671 3671 0 411 411 Bluesky TCP Fun SocialNetwork - - 0 412 412 Mastodon TCP Fun SocialNetwork - - 0 413 413 Threads TCP Fun SocialNetwork - - 0 414 414 ViberVoip TCP Acceptable VoIP - - 0 415 415 ZUG UDP X Acceptable Crypto_Currency - - 0 416 416 JRMI TCP X Acceptable RPC - 1099 0 417 417 RipeAtlas UDP X Acceptable Network - - 0 418 418 HLS TCP Fun Media - - 0 419 419 ClickHouse TCP X Acceptable Database - - 0 420 420 Nano TCP X Acceptable Crypto_Currency - 7075 0 421 421 OpenWire TCP X Acceptable RPC - 61616 0 422 422 CNP-IP UDP X Acceptable IoT-Scada - - 0 423 423 ATG TCP X Acceptable IoT-Scada - - 0 424 424 TRDP TCP/UDP X Acceptable IoT-Scada 17224,17225 17225 0 425 425 Lustre TCP X Acceptable DataTransfer - - 0 426 426 NordVPN TCP Acceptable VPN - - 0 427 427 SurfShark TCP Acceptable VPN - - 0 428 428 CactusVPN TCP Acceptable VPN - - 0 429 429 Windscribe TCP Acceptable VPN - - 0 430 430 Sonos UDP Fun Music - - 0 431 431 DingTalk TCP Acceptable Chat - - 0 432 432 Paltalk TCP Acceptable Chat - - 0 433 433 Naver TCP Safe Web - - 0 434 434 Shein TCP Acceptable Shopping - - 0 435 435 Temu TCP Acceptable Shopping - - 0 436 436 Taobao TCP Acceptable Shopping - - 0 437 437 Mikrotik UDP X Acceptable Network - - 0 438 438 DICOM TCP X Acceptable Health - 104 0 439 439 ParamountPlus TCP Fun Streaming - - 0 440 440 YandexAlice TCP Acceptable VirtAssistant - - 0 441 441 Vivox TCP Fun Game - - 0 442 442 DigitalOcean TCP Safe Web - - 0 443 443 RUTUBE TCP Fun Media - - 0 444 444 LagoFast UDP Acceptable VPN - - 0 445 445 GearUP_Booster UDP Acceptable VPN - - 0 446 446 Rumble TCP Fun Streaming - - 0 447 447 Ubiquity TCP Safe Network - - 0 448 448 MSDO TCP X Safe SoftwareUpdate - 7680 0 449 449 RockstarGames TCP Fun Game - - 0 450 450 Kick TCP Fun Video - - 0 451 451 Hamachi TCP/UDP Acceptable VPN 17771 12975,32976 0 452 452 GLBP UDP X Acceptable Network 3222 - 0 453 453 EasyWeather UDP X Acceptable Network - - 0 454 454 Mudfish TCP/UDP Acceptable VPN - - 0 455 455 TriStation UDP Acceptable IoT-Scada 1501,1502 - 0 456 456 SamsungSDP UDP Acceptable Network 15600 - 0 457 457 Matter UDP X Acceptable IoT-Scada 5540,5542 - 0

Usage examples

  1. Capture packets on eth0, and export them towards collector running at 192.168.2.25:2055

nprobe -i eth0 -n 192.168.2.25:2055
  1. Collect flows on port 9995 and export them in IPFIX format towards collector running at 192.168.2.25:2055

nprobe -i none -3 9995 -V 10 -n 192.168.2.25:2055
  1. Capture packets on eth0, and export them towards ntopng running on local host

nprobe -i eth0 -n none -T "@NTOPNG@" --zmq tcp://127.0.0.1:1234

On 192.168.2.25:

ntopng -itcp://127.0.01:1234