Reserved as per section 4 of [RFC7012].

TCP flags on the initial packet in the forward direction of the flow.

Union of TCP flags of all packets other than the initial packet in the forward direction of the flow.

Initial bytes of flow payload in the forward direction.

Difference in milliseconds between the times of the first packet in forward direction and the first packet in the reverse direction.

Application label, defined as the primary well-known port associated with a given application.

p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.

p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

Miscellaneous flow attributes for the forward direction of the flow.

Total number of packet fragments that have been expired since yaf start time.

Total number of packets that been assembled from a series of fragments since yaf start time.

The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

Total number of times the yaf flow table has been flushed since yaf start time.

The maximum number of flows in the yaf flow table at any one time since yaf start time.

The 32 bit hash of the 5-tuple and VLAN that is used as they key to YAF's internal flow table.

p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.

HTTP Server Response-header field. Contains information about the software used to handle the HTTP Request.

HTTP User-Agent Request-header field. Contains information about the user agent originating the request.

HTTP Method Command. Retrieves information identified by the following Request-URI.

HTTP Connection header fields. Contains options that are desired for a particular connection.

HTTP Version Number.

HTTP Referer request-header field. Address (URI) of the resource which the Request-URI was obtained.

HTTP Location response-header field. Used to redirect the recipient to a location to complete a request or identify a new resource.

HTTP Host Request-header. The Internet host and port number of the resource being requested.

HTTP Content-Length header. Indicates the size of the entity-body.

HTTP Age response-header. Argument is the sender's estimate of the time elapsed since the response.

HTTP Accept request-header field. Used to specify certain media types that are acceptable for the response.

HTTP Accept-Language Request-Header field. Restricts the set of natural languages that preferred.

HTTP Content Type entity-header field. Indicates the media type of the entity-body.

HTTP Response Status Code. Usually a three-digit number followed by text.

POP3 Command and Replies. Contains any command or reply message found in POP3 payload data.

IRC Chat or Join Message. This field contains any IRC Command and the following arguments.

TFTP Name of File being transferred.

Contains the mode of transfer. (netascii, octet, mail)

SLP Version Number.

SLP Message Type. This value should be between 1 and 11 and describes the type of SLP message.

Contains the text elements found in an SLP Service Request.

FTP Commands or Replies.

FTP User Command Argument. This command will normally be the first command transmitted by the user.

FTP Password Command Argument. This command must be preceded by the user name command, and is usually required to complete authentication.

FTP Data Representation Type.

FTP Reply. This consists of a three digit number followed by some text.

IMAP Capability Command and Response. Captures the listing of capabilities that the server supports.

IMAP Login Command. Arguments are user name and password.

IMAP STARTTLS Command. Captures this command only as no arguments or responses are related.

IMAP Authenticate Command. Captures the authentication mechanism name of the server following this command.

Captures a variety of IMAP Commands and their arguments.

IMAP Exists Response. Reports the number of messages in the mailbox.

IMAP Recent Response. Reports the number of message with the Recent flag set.

RTSP URL. Captures the address of the network resources requested.

RTSP Version Number.

RTSP Status-Line. Captures the RTSP Protocol version, numeric status code, and the textual phrase associated with the numeric code.

RTSP Content-Length Header Field. Contains the length of the content of the method.

RTSP Command. Captures the method to be performed and the Request-URI associated with the method.

RTSP Content Type.

RTSP Transport request header field. Captures the transport protocol used and the parameters that follow.

RTSP CSeq field. Contains the sequence number for an RTSP request-response pair.

RTSP Location header field.

RTSP User Agent field. Contains information about the user agent originating the request.

RTSP User Agent field. Contains information about the user agent originating the request.

RTSP Jitter Value.

SIP Invite Method. Contains the SIP address and SIP Version Number.

SIP Command. Contains a SIP Method, SIP address, and SIP Version Number.

SIP Via contains the SIP Version Number and the address the sender is expecting to receive responses.

SIP Max Forwards contains the limit of number of hops a request can make on the way to its destination.

SIP Address contains the argument of the To, From, or Contact Header Fields.

SIP Content Length header field. Contains the byte count of the message byte.

SIP User Agent Header Field. Contains information about the User Agent Client originating the request.

SMTP Hello or Extend Hello command. Captures the command and the domain name of the SMTP client.

SMTP Mail Command. Contains the reverse-path of the sender mailbox.

The SMTP Recipient (RCPT) Command. Captures the command and the forward-path of the recipient of the mail data.

SMTP Content Type Header Field.

SMTP Subject. Contains the subject of the mail data.

SMTP Filename. Contains the name of the file attached to the mail message.

SMTP Content-Disposition Header field.

SMTP Replies. Consists of a three digit number followed by text.

Enhanced SMTP. Contains the ESMTP command with the following argument.

SSH Version Number

NNTP Reply. This consists of a three digit status code and text message.

NNTP Command. Contains an NNTP Command and following argument(s).

DNS Query/Response header field. This corresponds with the DNS header one bit field, QR. If the message is a query (0), or a response (1).

DNS Query/Response Type. This corresponds with the QTYPE field in the DNS Question Section or the TYPE field in the DNS Resource Record Section. This field determines the type of subTemplateList found in this record.

DNS Authoritative header field. This corresponds with the DNS header one bit field, AA. This bit is only valid in responses (when dnsQueryResponse is 1), and specifies that the responding name server is an authority for the domain name in the question section.

DNS NXDomain or Response Code (RCODE). This corresponds with the DNS RCODE header field. This field will be set to 3 for a Name Error, 2 for a Server Failure, 1 for a Format Error, and 0 for No Error. See [dns-parameters] for other valid values.

DNS Resource Record Section Field. This field will be set to 0 if the information is from the Question Section, 1 for the Answer Section, 2 for the Name Server Section, and 3 for the Additional Section.

A DNS Query or Response Name. This field corresponds with the QNAME field in the DNS Question Section or the NAME field in the DNS Resource Record Section.

A domain-name which specificies the canonical or primary name for the owner.

Corresponds to the DNS MX Preference field.

Corresponds to the DNS MX Exchange field.

An authoritative name server domain-name.

Corresponds to DNS PTR PTRDNAME Field.

sslCipher is a CipherSuite suggested by the client in the ClientHello Message.

sslClientVersion is the version it supports contained in the initial ClientHello message.

sslServerCipher is the CipherSuite chosen by the server in the ServerHello message.

sslCompressionMethod is the compression method chosen by the server in the ServerHello message.

The Certificate Version. This is the value contained in the certificate v1(0), v2(1), v3(2).

The signature contained in a SSL certificate. This is typically the hashing algorithm identifier.

DNS Time To Live. This is an unsigned integer that specifies the time interval, in seconds, that the resource record may be cached for. This will contain a value of zero for DNS Queries.

Corresponds to DNS TXT TXT-DATA field.

Corresponds to DNS SOA SERIAL Field.

Corresponds to DNS SOA REFRESH Field.

Corresponds to DNS SOA RETRY Field.

Corresponds to DNS SOA EXPIRE Field.

Corresponds to DNS SOA MINIMUM Field.

Corresponds to DNS SOA MNAME Field.

Corresponds to DNS SOA RNAME Field.

Corresponds to the Priority Field in the DNS SRV Resource Record.

Corresponds to the Weight Field in the DNS SRV Resource Record.

Corresponds to the Port Field in the DNS SRV Resource Record.

Corresponds to the Target Field in the DNS SRV Resource Record.

HTTP Cookie Header Field.

HTTP Set Cookie Header Field.

SMTP Size Header Field. Contains the size in bytes of the mail data.

MySQL Command Code. This number should be between 0 and 28.

MySQL Command Text. For example, this can be a SELECT, INSERT, DELETE statement.

DNS Transaction ID. This identifier is used by the requester to match up replies to outstanding queries.

The Hash Algorithm field in the DNSSEC NSEC3 or NSEC3PARAM RR. Values are described in [RFC5155].

The Key Tag field in the DS RR.

The Signer's Name field in the RRSIG RR.

The Signature field in the RRSIG RR. Contains the cryptographic signature that covers the dnsQName field.

The digest of the DNSKEY RR.

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets. This field holds the public key. The format depends on the algorithm of the key.

The Salt Field in the DNSSEC NSEC3 or NSEC3PARAM RR.

The Next Hashed Owner Name in the DNSSEC NSEC3 RR. This will be empty for NSEC3PARAM records.

The Iterations field in the DNSSEC NSEC3 or NSEC3PARAM RR.

The Signature Inception field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

The Signature Expiration field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

The Digest Type field which identifes the algorithm used to construct the digest.

The Labels field in a RRSIG RR. Specifies the number of labels in the original RRSIG resource record owner name.

The Type Covered field in a RRSIG RR.

The flags field in the DNSKey Resource Record. Certain bits determine if the key is a zone key or should be used for a secure entry point.

The DHCP fingerprint. This will be the description of the OS.

The DHCP vendor class ID found in Option 60 of the DHCP packet. This field may help further identify the operating system of the sender.

The Serial Number from the X.509 certificate.

For the Issuer and Subject subTemplateLists, yaf only parses objects that are members of the id-at arc {joint-iso-ccitt(2) ds(5) 4}, pkcs-9 {iso(1) member-body (2) us(840) rsadsi(113459) pkcs(1) 9}, and LDAP dc 0.9.2342.19200300.100.1.25. This field will not contain the full object identfier, it will just contain the member id. For example, for an issuer common name, sslObjectType will contain 3. Below is a list of common objects in an X.509 RelativeDistinguishedName Sequence for X.509 Certificates:

pkcs-9-emailAddress          {pkcs-9 1}
id-at-commonName             {id-at 3}
id-at-countryName            {id-at 6}
id-at-localityName           {id-at 7}
id-at-stateOrProvinceName    {id-at 8}
id-at-streetAddress          {id-at 9}
id-at-organizationName       {id-at 10}
id-at-organizationalUnitName {id-at 11}
id-at-title                  {id-at 12}
id-at-postalCode             {id-at 17}
0.9.2342.19200300.100.1.25   {dc 25}
id-at-name                   {id-at 41}

The bit strings associated with sslObjectType.

The notBefore field in the Validity Sequence of the X.509 Certificate.

The notAfter field in the Validity Sequence of the X.509 Certificate.

The algorithm, encoded in ASN.1, in the SubjectPublicKeyInfo Sequence of the X.509 Certificate.

The length of the public key in the X.509 Certificate.

SMTP Date Field.

HTTP Authorization Header Field.

HTTP Via Header Field.

HTTP X-Forwarded-For Header Field.

HTTP Expires Header Field.

HTTP Refresh Header Field.

HTTP International Mobile Station Equipment Identity ID.

HTTP International Mobile Subscriber Identity

HTTP MSISDN number, a telephone number for the SIM card in a mobile/cellular phone.

HTTP Mobile Subscriber Information.

HTTP Accept Charset Header Field.

HTTP Accept Encoding Header Field.

HTTP Allow Header Field.

HTTP Date Header Field.

HTTP Expect Header Field.

HTTP From Header Field.

HTTP Proxy Authentication Field.

HTTP Upgrade Header Field.

HTTP Warning Header Field.

HTTP DNT Header Field.

HTTP X-Forwarded-Proto Header Field.

HTTP X-Forwarded-Host Header Field.

HTTP X-Forwarded-Server Header Field.

HTTP X-Device ID Header Field.

HTTP X-Profile Header Field.

HTTP Last Modified Header Field.

HTTP Content Encoding Header Field.

HTTP Content Language Header Field.

HTTP Content Location Header Field.

HTTP X-UA-Compatible Header Field.

The DNP3 Source Address found in the Data Link Layer of the DNP Header.

The DNP3 Destination Address found in the Data Link Layer of the DNP Header.

The DNP3 Function Code found in the first byte of the Application Layer.

The pattern captured from the DNP3 regular expression.

The payload type in the RTP header of the first payload in the forward direction.

sslRecordVersion is the version of ssl or tls that was used in the flow.

The server name from the SSL/TLS Client Hello. This is typically the name of the server that the client is connecting to.

The hash of the X.509 certificate.

The list of requested parameters found in DHCP Option 55.

IPv4 address than a dns query resolved to in a resource record. It is from the yaf-DNS template. Called rrIPv4 instead of sourceIPv4Address for disambiguation purposes.

IPv6 address than a dns query resolved to in a resource record. It is from the yaf-DNS template. Called rrIPv4 instead of sourceIPv4Address for disambiguation purposes.

Protocol from a DNS-KEY record out of YAF.

Element holding an entire DNS A record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline for fast flux.

Element holding an entire DNS AAAA record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline for fast flux.

Element holding an entire DNS resource record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline.

The number of packets that contain less than 60 bytes of payload.

The number of packets that contain at least 1 byte of payload.

Total bytes transferred as payload.

Average number of milliseconds between packets.

Standard deviation of the interarrival time for up to the first ten packets.

Payload length of the first non-empty packet.

The largest payload length transferred in the flow.

Represents directionality for the first 8 non-empty packets. 0 for forward direction, 1 for reverse direction.

The standard deviation of the payload length for up to the first 10 non empty packets.

The number of TCP packets that have the URGENT Flag set.

The number of packets that contain at least 220 bytes of payload.