
Ethereal Users Guide

V1.1 for Ethereal 0.8.19

Richard Sharpe
NS Computer Software and Services P/L

Ed Warnicke

Ethereal Users Guide: V1.1 for Ethereal 0.8.19

by Richard Sharpe and Ed Warnicke

Copyright 2001 by Richard Sharpe and Ed Warnicke


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in Appendix C.

Table of Contents
Foreword
Acknowledgments
1. Introduction
  About this manual
  What is Ethereal?
  The status of Ethereal
  Development and maintenance of Ethereal
  A rose by any other name
  A brief history of Ethereal
  Platforms Ethereal runs on
  Where to get Ethereal
  Reporting problems and getting help
  Where to get the latest copy of this document
  Providing feedback
2. Building and Installing Ethereal
  Introduction
  Obtaining the source and binary distributions
  Before you build Ethereal
  Building from Source under UNIX
  Installing the binaries under UNIX
  Installing from RPMs under Linux
  Installing from debs under Debian
  Building from source under Windows
  Installing Ethereal under Windows
  Troubleshooting during the install
3. Using Ethereal
  Introduction
  Starting Ethereal
  The Ethereal menus
  The Ethereal File menu
  The Ethereal Edit menu
  The Ethereal Capture menu
  The Ethereal Display menu
  The Ethereal Tools menu
  The Ethereal Help menu
  Capturing packets with Ethereal
    The Capture Preferences dialog box
  Filtering while capturing
  Viewing packets you have captured
  Display Options
  Saving captured packets
    The Save Capture File As dialog box
  Reading capture files
    The File Open dialog box
  Filtering packets while viewing
    Building filter expressions
  Packet colorization
  Finding frames
  Following TCP streams
  Defining and saving filters

  The Add Expression Dialog
  Printing packets
  Ethereal preferences
  Files used by Ethereal
4. Troubleshooting with Ethereal
  An approach to troubleshooting with Ethereal
  Capturing in the presence of switches and routers
  Examples of troubleshooting
5. Related tools
  Capturing with tcpdump for viewing with Ethereal
  Tethereal, for terminal-based capturing
  Using editcap
  Merging multiple capture files into a single capture file with mergecap
  Converting ASCII hexdumps to network captures with text2pcap
  Creating dissectors from Corba IDL files with idl2eth
    What is it?
    Why do this?
    How to use idl2eth
    TODO
    Limitations
    Notes
A. Ethereal Display Filter Fields
  802.1q Virtual LAN (vlan)
  802.1x Authentication (eapol)
  AOL Instant Messenger (aim)
  ATM (atm)
  ATM LAN Emulation (lane)
  Ad hoc On-demand Distance Vector Routing Protocol (aodv)
  Ad hoc On-demand Distance Vector Routing Protocol v6 (aodv6)
  Address Resolution Protocol (arp)
  Aggregate Server Access Protocol (asap)
  Andrew File System (AFS) (afs)
  Apache JServ Protocol v1.3 (ajp13)
  AppleTalk Filing Protocol (afp)
  AppleTalk Session Protocol (asp)
  AppleTalk Transaction Protocol packet (atp)
  Appletalk Address Resolution Protocol (aarp)
  Async data over ISDN (V.120) (v120)
  Authentication Header (ah)
  BACnet Virtual Link Control (bvlc)
  Banyan Vines (vines)
  Banyan Vines Fragmentation Protocol (vines_frp)
  Banyan Vines SPP (vines_spp)
  Blocks Extensible Exchange Protocol (beep)
  Boot Parameters (bootparams)
  Bootstrap Protocol (bootp)
  Border Gateway Protocol (bgp)
  Building Automation and Control Network APDU (bacapp)
  Building Automation and Control Network NPDU (bacnet)
  Checkpoint FW-1 (fw1)
  Cisco Auto-RP (auto_rp)
  Cisco Discovery Protocol (cdp)


  Cisco Group Management Protocol (cgmp)
  Cisco HDLC (chdlc)
  Cisco Hot Standby Router Protocol (hsrp)
  Cisco ISL (isl)
  Cisco Interior Gateway Routing Protocol (igrp)
  Cisco SLARP (slarp)
  CoSine IPNOS L2 debug output (cosine)
  Common Open Policy Service (cops)
  Common Unix Printing System (CUPS) Browsing Protocol (cups)
  DCE RPC (dcerpc)
  DCE/RPC Conversation Manager (conv)
  DCE/RPC Endpoint Mapper (epm)
  DCE/RPC Remote Management (mgmt)
  DCOM OXID Resolver (oxid)
  DCOM Remote Activation (remact)
  DEC Spanning Tree Protocol (dec_stp)
  DHCPv6 (dhcpv6)
  Data (data)
  Data Link SWitching (dlsw)
  Data Stream Interface (dsi)
  Datagram Delivery Protocol (ddp)
  Diameter Protocol (diameter)
  Distance Vector Multicast Routing Protocol (dvmrp)
  Distributed Checksum Clearinghouse Protocol (dccp)
  Domain Name Service (dns)
  Dynamic DNS Tools Protocol (ddtp)
  Encapsulating Security Payload (esp)
  Enhanced Interior Gateway Routing Protocol (eigrp)
  Ethernet (eth)
  Extensible Authentication Protocol (eap)
  FTP Data (ftp-data)
  Fiber Distributed Data Interface (fddi)
  File Transfer Protocol (FTP) (ftp)
  Frame (frame)
  Frame Relay (fr)
  GARP Multicast Registration Protocol (gmrp)
  GARP VLAN Registration Protocol (gvrp)
  GPRS Tunneling Protocol (gtp)
  GPRS Tunnelling Protocol v0 (gtpv0)
  GPRS Tunnelling Protocol v1 (gtpv1)
  General Inter-ORB Protocol (giop)
  Generic Routing Encapsulation (gre)
  Gnutella Protocol (gnutella)
  Hummingbird NFS Daemon (hclnfsd)
  Hypertext Transfer Protocol (http)
  ICQ Protocol (icq)
  IEEE 802.11 wireless LAN (wlan)
  IEEE 802.11 wireless LAN management frame (wlan_mgt)
  ILMI (ilmi)
  IP Payload Compression (ipcomp)
  IPX Message (ipxmsg)
  IPX Routing Information Protocol (ipxrip)
  ISDN Q.921-User Adaptation Layer (iua)


  ISDN User Part (isup)
  ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol (isis)
  ISO 8073 COTP Connection-Oriented Transport Protocol (cotp)
  ISO 8473 CLNP ConnectionLess Network Protocol (clnp)
  ISO 8602 CLTP ConnectionLess Transport Protocol (cltp)
  ISO 9542 ESIS Routeing Information Exchange Protocol (esis)
  ITU-T Recommendation H.261 (h261)
  Inter-Access-Point Protocol (iapp)
  Internet Cache Protocol (icp)
  Internet Content Adaptation Protocol (icap)
  Internet Control Message Protocol (icmp)
  Internet Control Message Protocol v6 (icmpv6)
  Internet Group Management Protocol (igmp)
  Internet Message Access Protocol (imap)
  Internet Printing Protocol (ipp)
  Internet Protocol (ip)
  Internet Protocol Version 6 (ipv6)
  Internet Relay Chat (irc)
  Internet Security Association and Key Management Protocol (isakmp)
  Internetwork Packet eXchange (ipx)
  Java RMI (rmi)
  Java Serialization (serialization)
  Kerberos (kerberos)
  Kernel Lock Manager (klm)
  Label Distribution Protocol (ldp)
  Layer 2 Tunneling Protocol (l2tp)
  Lightweight Directory Access Protocol (ldap)
  Line Printer Daemon Protocol (lpd)
  Link Access Procedure Balanced (LAPB) (lapb)
  Link Access Procedure Balanced Ethernet (LAPBETHER) (lapbether)
  Link Access Procedure, Channel D (LAPD) (lapd)
  Link Aggregation Control Protocol (lacp)
  Link Management Protocol (LMP) (lmp)
  Linux cooked-mode capture (sll)
  Local Management Interface (lmi)
  LocalTalk Link Access Protocol (llap)
  Logical-Link Control (llc)
  Lucent/Ascend debug output (ascend)
  MMS Message Encapsulation (mmse)
  MS Proxy Protocol (msproxy)
  MSNIP: Multicast Source Notification of Interest Protocol (msnip)
  MTP 2 Transparent Proxy (m2tp)
  MTP 2 User Adaptation Layer (m2ua)
  MTP 3 User Adaptation Layer (m3ua)
  MTP2 Peer Adaptation Layer (m2pa)
  Malformed Packet (malformed)
  Message Transfer Part Level 2 (mtp2)
  Message Transfer Part Level 3 (mtp3)
  Microsoft Distributed File System (dfs)
  Microsoft Exchange MAPI (mapi)
  Microsoft Local Security Architecture (lsa)
  Microsoft Network Logon (rpc_netlogon)


  Microsoft Registry (winreg)
  Microsoft Security Account Manager (samr)
  Microsoft Server Service (srvsvc)
  Microsoft Spool Subsystem (spoolss)
  Microsoft Telephony API Service (tapi)
  Microsoft Windows Browser Protocol (browser)
  Microsoft Windows Lanman Remote API Protocol (lanman)
  Microsoft Windows Logon Protocol (netlogon)
  Microsoft Workstation Service (wkssvc)
  Mobile IP (mip)
  Modbus/TCP (mbtcp)
  Mount Service (mount)
  MultiProtocol Label Switching Header (mpls)
  Multicast Router DISCovery protocol (mrdisc)
  Multicast Source Discovery Protocol (msdp)
  NFSACL (nfsacl)
  NFSAUTH (nfsauth)
  NIS+ (nisplus)
  NIS+ Callback (nispluscb)
  NSPI (nspi)
  NTLM Secure Service Provider (ntlmssp)
  Name Binding Protocol (nbp)
  Name Management Protocol over IPX (nmpi)
  NetBIOS (netbios)
  NetBIOS Datagram Service (nbdgm)
  NetBIOS Name Service (nbns)
  NetBIOS Session Service (nbss)
  NetBIOS over IPX (nbipx)
  NetWare Core Protocol (ncp)
  Network Data Management Protocol (ndmp)
  Network File System (nfs)
  Network Lock Manager Protocol (nlm)
  Network News Transfer Protocol (nntp)
  Network Status Monitor CallBack Protocol (statnotify)
  Network Status Monitor Protocol (stat)
  Network Time Protocol (ntp)
  Null/Loopback (null)
  Open Shortest Path First (ospf)
  OpenBSD Packet Filter log file (pflog)
  PC NFS (pcnfsd)
  PPP Bandwidth Allocation Control Protocol (bacp)
  PPP Bandwidth Allocation Protocol (bap)
  PPP Callback Control Protocol (cbcp)
  PPP Challenge Handshake Authentication Protocol (chap)
  PPP Compressed Datagram (comp_data)
  PPP Compression Control Protocol (ccp)
  PPP IP Control Protocol (ipcp)
  PPP Link Control Protocol (lcp)
  PPP Multilink Protocol (mp)
  PPP Multiplexing (pppmux)
  PPP Password Authentication Protocol (pap)
  PPP VJ Compression (vj)
  PPP-over-Ethernet Discovery (pppoed)


  PPP-over-Ethernet Session (pppoes)
  PPPMux Control Protocol (pppmuxcp)
  Point-to-Point Protocol (ppp)
  Point-to-Point Tunnelling Protocol (pptp)
  Portmap (portmap)
  Post Office Protocol (pop)
  Pragmatic General Multicast (pgm)
  Prism (prism)
  Protocol Independent Multicast (pim)
  Q.2931 (q2931)
  Q.931 (q931)
  Quake II Network Protocol (quake2)
  Quake III Arena Network Protocol (quake3)
  Quake Network Protocol (quake)
  QuakeWorld Network Protocol (quakeworld)
  Qualified Logical Link Control (qllc)
  RFC 2250 MPEG1 (mpeg1)
  RIPng (ripng)
  RPC Browser (rpc_browser)
  RSTAT (rstat)
  RX Protocol (rx)
  Radio Access Network Application Part (ranap)
  Radius Protocol (radius)
  Raw packet data (raw)
  Real Time Streaming Protocol (rtsp)
  Real-Time Transport Protocol (rtp)
  Real-time Transport Control Protocol (rtcp)
  Remote Procedure Call (rpc)
  Remote Quota (rquota)
  Remote Shell (rsh)
  Remote Wall protocol (rwall)
  Resource ReserVation Protocol (RSVP) (rsvp)
  Rlogin Protocol (rlogin)
  Routing Information Protocol (rip)
  Routing Table Maintenance Protocol (rtmp)
  SADMIND (sadmind)
  SCSI (scsi)
  SMB (Server Message Block Protocol) (smb)
  SMB MailSlot Protocol (mailslot)
  SMB Pipe Protocol (pipe)
  SNA-over-Ethernet (snaeth)
  SNMP Multiplex Protocol (smux)
  SPRAY (spray)
  SS7 SCCP-User Adaptation Layer (sua)
  SSCOP (sscop)
  Secure Socket Layer (ssl)
  Sequenced Packet eXchange (spx)
  Service Advertisement Protocol (ipxsap)
  Service Location Protocol (srvloc)
  Session Announcement Protocol (sap)
  Session Description Protocol (sdp)
  Session Initiation Protocol (sip)
  Short Frame (short)

Short Message Peer to Peer (smpp) .......................................................................380 Signalling Connection Control Part (sccp) ...........................................................383 Simple Mail Transfer Protocol (smtp) ...................................................................385 Simple Network Management Protocol (snmp)..................................................386 Sinec H1 Protocol (h1) .............................................................................................386 Skinny Client Control Protocol (skinny)...............................................................387 SliMP3 Communication Protocol (slimp3) ...........................................................391 Socks Protocol (socks)..............................................................................................391 Spanning Tree Protocol (stp)...................................................................................392 Stream Control Transmission Protocol (sctp).......................................................393 Syslog message (syslog) ..........................................................................................395 Systems Network Architecture (sna).....................................................................395 TACACS (tacacs) ......................................................................................................399 TACACS+ (tacplus)..................................................................................................399 TPKT (tpkt)................................................................................................................400 Telnet (telnet) ............................................................................................................400 Time Protocol (time).................................................................................................400 Time Synchronization Protocol (tsp) 
.....................................................................400 Token-Ring (tr)..........................................................................................................401 Token-Ring Media Access Control (trmac)...........................................................402 Transmission Control Protocol (tcp)......................................................................402 Transparent Network Substrate Protocol (tns) ....................................................403 Trivial File Transfer Protocol (tftp).........................................................................406 Universal Computer Protocol (ucp) ......................................................................406 Unreassembled Fragmented Packet (unreassembled)........................................409 User Datagram Protocol (udp) ...............................................................................410 Virtual Router Redundancy Protocol (vrrp).........................................................410 Virtual Trunking Protocol (vtp)..............................................................................410 Web Cache Coordination Protocol (wccp)............................................................411 Welleet Compression (wcp)..................................................................................412 Who (who).................................................................................................................412 Wireless Session Protocol (wap-wsp)....................................................................413 Wireless Transaction Protocol (wap-wsp-wtp) ....................................................419 Wireless Transport Layer Security (wap-wtls).....................................................420 X Display Manager Control Protocol (xdmcp) ....................................................423 X.25 (x.25) 
..................................................................................................................424 X.25 over TCP (xot) ..................................................................................................424 X11 (x11) ....................................................................................................................424 Xyplex (xyplex).........................................................................................................440 Yahoo Messenger Protocol (yhoo) .........................................................................440 Yellow Pages Bind (ypbind)....................................................................................440 Yellow Pages Passwd (yppasswd) .........................................................................441 Yellow Pages Service (ypserv) ................................................................................441 Yellow Pages Transfer (ypxfr).................................................................................442 Zebra Protocol (zebra) .............................................................................................442 Zone Information Protocol (zip) ............................................................................443 iSCSI (iscsi) ................................................................................................................443 B. Ethereal Error Messages..............................................................................................447 Capture le format not understood.......................................................................447 Save le error ............................................................................................................447 C. 
The GNU Free Document Public Licence ...............................................................449 Copyright ..................................................................................................................449

xi

Preamble ....................................................................................................................449 Applicability and Denitions .................................................................................449 Verbatim Copying ....................................................................................................450 Copying in Quantity ................................................................................................450 Modications ............................................................................................................451 Combining Documents ...........................................................................................452 Collections of Documents .......................................................................................453 Aggregation with Independent Works .................................................................453 Translation.................................................................................................................453 Termination ...............................................................................................................454 Future Revisions of this License.............................................................................454

xii

Foreword
Ethereal is one of those packages that many network managers would love to be able to use, but they are often prevented from getting what they would like from Ethereal because of the lack of documentation. This document is part of an effort on the part of the Ethereal team to improve the accessibility of Ethereal. We hope that you find it useful, and look forward to your comments.

Acknowledgments
I would like to thank the whole Ethereal team for their assistance. In particular, I would like to thank:

Gerald Combs, for initiating the Ethereal project and funding me to do this documentation.
Guy Harris, for many helpful hints and a great deal of patience in reviewing this document.
Gilbert Ramirez, for general encouragement and helpful hints along the way.

I would also like to thank the following people for their helpful feedback on this document:

Pat Eyler, for his suggestions on improving the example on generating a backtrace.

I would like to acknowledge those man page and README authors for the Ethereal project from whom sections of this document borrow heavily:

Scott Renfro, from whose mergecap man page the section called "Merging multiple capture files into a single capture file with mergecap" in Chapter 5 is derived.
Ashok Narayanan, from whose text2pcap man page the section called "Converting ASCII hexdumps to network captures with text2pcap" in Chapter 5 is derived.
Frank Singleton, from whose README.idl2eth the section called "Creating dissectors from Corba IDL files with idl2eth" in Chapter 5 is derived.

Chapter 1. Introduction
About this manual
This manual was originally developed by Richard Sharpe [1] with funds provided from the Ethereal Fund. More recently, it was updated by Ed Warnicke [2]. It is written in DocBook/SGML for the moment.

What is Ethereal?
Every network manager at some time or other needs a tool that can capture packets off the network and analyze them. In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Ethereal, all that has changed.
Ethereal is perhaps one of the best open source packet sniffers available today. The following are some of the features Ethereal provides:

Available for UNIX and Windows.
Capture and display packets from any interface on a UNIX system.
Display packets captured under a number of other capture programs:
    tcpdump
    Network Associates Sniffer and Sniffer Pro
    NetXray
    LANalyzer
    Shomiti
    AIX's iptrace
    RADCOM's WAN/LAN Analyzer
    Lucent/Ascend access products
    HP-UX's nettl
    Toshiba's ISDN routers
    ISDN4BSD i4btrace utility
    Microsoft Network Monitor
    Sun snoop
Save captures to a number of formats:
    libpcap (tcpdump)
    Sun snoop
    Microsoft Network Monitor
    Network Associates Sniffer
Filter packets on many criteria.
Search for packets using filters.
Colorize packet display based on filters.

However, to really appreciate its power, you have to start using it. Figure 1-1 shows Ethereal having captured some packets and waiting for you to examine the packets.

Figure 1-1. Ethereal captures packets and allows you to examine their content.

In addition, because all the source code for Ethereal is freely available, it is very easy for people to add new protocols to Ethereal, either as modules, or built into the source. There are currently protocol decoders (or dissectors, as they are known in Ethereal), for a great many protocols, including:

802.1q Virtual LAN
802.1x Authentication
AOL Instant Messenger
ATM
ATM LAN Emulation
Ad hoc On-demand Distance Vector Routing Protocol
Ad hoc On-demand Distance Vector Routing Protocol v6
Address Resolution Protocol
Aggregate Server Access Protocol
Andrew File System (AFS)
Apache JServ Protocol v1.3
AppleTalk Filing Protocol
AppleTalk Session Protocol
AppleTalk Transaction Protocol packet
Appletalk Address Resolution Protocol
Async data over ISDN (V.120)
Authentication Header
BACnet Virtual Link Control
Banyan Vines
Banyan Vines Fragmentation Protocol
Banyan Vines SPP
Blocks Extensible Exchange Protocol
Boot Parameters
Bootstrap Protocol
Border Gateway Protocol
Building Automation and Control Network APDU
Building Automation and Control Network NPDU
Checkpoint FW-1
Cisco Auto-RP
Cisco Discovery Protocol
Cisco Group Management Protocol
Cisco HDLC
Cisco Hot Standby Router Protocol
Cisco ISL
Cisco Interior Gateway Routing Protocol
Cisco SLARP
CoSine IPNOS L2 debug output
Common Open Policy Service
Common Unix Printing System (CUPS) Browsing Protocol
DCE RPC
DCE/RPC Conversation Manager
DCE/RPC Endpoint Mapper
DCE/RPC Remote Management
DCOM OXID Resolver
DCOM Remote Activation
DEC Spanning Tree Protocol
DHCPv6
Data
Data Link SWitching
Data Stream Interface
Datagram Delivery Protocol
Diameter Protocol
Distance Vector Multicast Routing Protocol
Distributed Checksum Clearinghouse Protocol
Domain Name Service
Dynamic DNS Tools Protocol
Encapsulating Security Payload
Enhanced Interior Gateway Routing Protocol
Ethernet
Extensible Authentication Protocol
FTP Data
Fiber Distributed Data Interface
File Transfer Protocol (FTP)
Frame
Frame Relay
GARP Multicast Registration Protocol
GARP VLAN Registration Protocol
GPRS Tunneling Protocol
GPRS Tunnelling Protocol v0
GPRS Tunnelling Protocol v1
General Inter-ORB Protocol
Generic Routing Encapsulation
Gnutella Protocol
Hummingbird NFS Daemon
Hypertext Transfer Protocol
ICQ Protocol
IEEE 802.11 wireless LAN
IEEE 802.11 wireless LAN management frame
ILMI
IP Payload Compression
IPX Message
IPX Routing Information Protocol
ISDN Q.921-User Adaptation Layer
ISDN User Part
ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
ISO 8073 COTP Connection-Oriented Transport Protocol
ISO 8473 CLNP ConnectionLess Network Protocol
ISO 8602 CLTP ConnectionLess Transport Protocol
ISO 9542 ESIS Routeing Information Exchange Protocol
ITU-T Recommendation H.261
Inter-Access-Point Protocol
Internet Cache Protocol
Internet Content Adaptation Protocol
Internet Control Message Protocol
Internet Control Message Protocol v6
Internet Group Management Protocol
Internet Message Access Protocol
Internet Printing Protocol
Internet Protocol
Internet Protocol Version 6
Internet Relay Chat
Internet Security Association and Key Management Protocol
Internetwork Packet eXchange
Java RMI
Java Serialization
Kerberos
Kernel Lock Manager
Label Distribution Protocol
Layer 2 Tunneling Protocol
Lightweight Directory Access Protocol
Line Printer Daemon Protocol
Link Access Procedure Balanced (LAPB)
Link Access Procedure Balanced Ethernet (LAPBETHER)
Link Access Procedure, Channel D (LAPD)
Link Aggregation Control Protocol
Link Management Protocol (LMP)
Linux cooked-mode capture
Local Management Interface
LocalTalk Link Access Protocol
Logical-Link Control
Lucent/Ascend debug output
MMS Message Encapsulation
MS Proxy Protocol
MSNIP: Multicast Source Notification of Interest Protocol
MTP 2 Transparent Proxy
MTP 2 User Adaptation Layer
MTP 3 User Adaptation Layer
MTP2 Peer Adaptation Layer
Malformed Packet
Message Transfer Part Level 2
Message Transfer Part Level 3
Microsoft Distributed File System
Microsoft Exchange MAPI
Microsoft Local Security Architecture
Microsoft Network Logon
Microsoft Registry
Microsoft Security Account Manager
Microsoft Server Service
Microsoft Spool Subsystem
Microsoft Telephony API Service
Microsoft Windows Browser Protocol
Microsoft Windows Lanman Remote API Protocol
Microsoft Windows Logon Protocol
Microsoft Workstation Service
Mobile IP
Modbus/TCP
Mount Service
MultiProtocol Label Switching Header
Multicast Router DISCovery protocol
Multicast Source Discovery Protocol
NFSACL
NFSAUTH
NIS+
NIS+ Callback
NSPI
NTLM Secure Service Provider
Name Binding Protocol
Name Management Protocol over IPX
NetBIOS
NetBIOS Datagram Service
NetBIOS Name Service
NetBIOS Session Service
NetBIOS over IPX
NetWare Core Protocol
Network Data Management Protocol
Network File System
Network Lock Manager Protocol
Network News Transfer Protocol
Network Status Monitor CallBack Protocol
Network Status Monitor Protocol
Network Time Protocol
Null/Loopback
Open Shortest Path First
OpenBSD Packet Filter log file
PC NFS
PPP Bandwidth Allocation Control Protocol
PPP Bandwidth Allocation Protocol
PPP Callback Control Protocol
PPP Challenge Handshake Authentication Protocol
PPP Compressed Datagram
PPP Compression Control Protocol
PPP IP Control Protocol
PPP Link Control Protocol
PPP Multilink Protocol
PPP Multiplexing
PPP Password Authentication Protocol
PPP VJ Compression
PPP-over-Ethernet Discovery
PPP-over-Ethernet Session
PPPMux Control Protocol
Point-to-Point Protocol
Point-to-Point Tunnelling Protocol
Portmap
Post Office Protocol
Pragmatic General Multicast
Prism
Protocol Independent Multicast
Q.2931
Q.931
Quake II Network Protocol
Quake III Arena Network Protocol
Quake Network Protocol
QuakeWorld Network Protocol
Qualified Logical Link Control
RFC 2250 MPEG1
RIPng
RPC Browser
RSTAT
RX Protocol
Radio Access Network Application Part
Radius Protocol
Raw packet data
Real Time Streaming Protocol
Real-Time Transport Protocol
Real-time Transport Control Protocol
Remote Procedure Call
Remote Quota
Remote Shell
Remote Wall protocol
Resource ReserVation Protocol (RSVP)
Rlogin Protocol
Routing Information Protocol
Routing Table Maintenance Protocol
SADMIND
SCSI
SMB (Server Message Block Protocol)
SMB MailSlot Protocol
SMB Pipe Protocol
SNA-over-Ethernet
SNMP Multiplex Protocol
SPRAY
SS7 SCCP-User Adaptation Layer
SSCOP
Secure Socket Layer
Sequenced Packet eXchange
Service Advertisement Protocol
Service Location Protocol
Session Announcement Protocol
Session Description Protocol
Session Initiation Protocol
Short Frame
Short Message Peer to Peer
Signalling Connection Control Part
Simple Mail Transfer Protocol
Simple Network Management Protocol
Sinec H1 Protocol
Skinny Client Control Protocol
SliMP3 Communication Protocol
Socks Protocol
Spanning Tree Protocol
Stream Control Transmission Protocol
Syslog message
Systems Network Architecture
TACACS
TACACS+
TPKT
Telnet
Time Protocol
Time Synchronization Protocol
Token-Ring
Token-Ring Media Access Control
Transmission Control Protocol
Transparent Network Substrate Protocol
Trivial File Transfer Protocol
Universal Computer Protocol
Unreassembled Fragmented Packet
User Datagram Protocol
Virtual Router Redundancy Protocol
Virtual Trunking Protocol
Web Cache Coordination Protocol
Wellfleet Compression
Who
Wireless Session Protocol
Wireless Transaction Protocol
Wireless Transport Layer Security
X Display Manager Control Protocol
X.25
X.25 over TCP
X11
Xyplex
Yahoo Messenger Protocol
Yellow Pages Bind
Yellow Pages Passwd
Yellow Pages Service
Yellow Pages Transfer
Zebra Protocol
Zone Information Protocol
iSCSI

The status of Ethereal


Ethereal is an open source software project, and is released under the GNU Public Licence [3] (GPL). All source code is freely available under the GPL. You are welcome to modify Ethereal to suit your own needs, and it would be appreciated if you contribute your improvements back to the Ethereal team. You gain two benefits by contributing your improvements back to the community:

Other people who find your contributions useful will appreciate them, and you will know that you have helped people in the same way that the developers of Ethereal have helped people.
The maintainers and developers of Ethereal will maintain your code as well, fixing it when API changes or other changes are made, and generally keeping it in tune with what is happening with Ethereal.

The Ethereal source code and binary kits for some platforms are all available on the Ethereal website: http://www.ethereal.com [4].

Development and maintenance of Ethereal


Ethereal was initially developed by Gerald Combs. Ongoing development and maintenance of Ethereal is handled by the Ethereal team, a loose group of individuals who fix bugs and provide new functionality. There have also been a large number of people who have contributed protocol dissectors to Ethereal, and it is expected that this will continue. You can find a list of the people who have contributed code to Ethereal at the authors [5] link on the web site.

A rose by any other name


William Shakespeare wrote: "A rose by any other name would smell as sweet." And so it is with Ethereal, as there appear to be two different ways that people pronounce the name. Some people pronounce it ether-real, while others pronounce it e-the-real, as in ghostly, insubstantial, etc. You are welcome to call it what you like, as long as you find it useful.

A brief history of Ethereal


In late 1997, Gerald Combs needed a tool for tracking down networking problems and wanted to learn more about networking, so he started writing Ethereal as a way to solve both problems. Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days, patches, bug reports, and words of encouragement started arriving, so Ethereal was on its way to success. Not long after that, Gilbert Ramirez saw its potential and contributed a low-level dissector to it. In October 1998, Guy Harris of NetApp was looking for something better than TCPview, so he started applying patches and contributing dissectors to Ethereal. In late 1998, Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses and started looking at it to see if it supported the protocols he needed. While it didn't at that point, new protocols could be easily added, so he started contributing dissectors and patches.

The list of people who have contributed to Ethereal is long, and almost all of them started with a protocol that they needed that Ethereal did not already handle, so they copied an existing dissector and contributed the code back to the team. You can get a list of the people who have contributed by checking the man pages for ethereal, or from the website (http://www.ethereal.com [6]).

Platforms Ethereal runs on


Ethereal currently runs on most UNIX platforms and the various Windows platforms. It requires GTK+, GLIB and libpcap in order to run. Binary packages are available for at least the following platforms:

AIX
Tru64 UNIX (formerly Digital UNIX)
Debian GNU/Linux
Slackware Linux
Red Hat Linux
FreeBSD
NetBSD
OpenBSD
HP/UX
Sparc/Solaris 8
Windows 2000, Windows NT and Windows Me/98/95

If a binary package is not available for your platform, you should download the source and try to build it.

Where to get Ethereal


You can get the latest copy of Ethereal from the Ethereal website: http://www.ethereal.com [7]. The website allows you to choose from among several mirrors for downloading.

Reporting problems and getting help


If you have problems, or need help with Ethereal, there are several mailing lists that may be of interest to you:

Ethereal Users
    This list is for users of Ethereal. People post with questions about building and using Ethereal. Others provide answers.
Ethereal Announce
    This list is for people wanting to receive announcements about Ethereal.
Ethereal Dev
    This list is for Ethereal developers. If you want to start developing a protocol dissector, join this list.

You can subscribe to each of these from the Ethereal web site: http://www.ethereal.com [8]. Simply select the mailing lists link on the left hand side of the site. The lists are archived at the Ethereal web site as well.

When reporting crashes with Ethereal, it is helpful if you supply the following information:

1. The version number of Ethereal you found the problem with, e.g. Ethereal 0.8.10.
2. The version number of the other software linked with Ethereal, e.g. GTK+, etc. You can obtain this with the command ethereal -v.
3. A traceback if Ethereal crashed. You can obtain this with the following commands:

    $ gdb `whereis ethereal | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt
    backtrace
    ^D
    $

Note: Type the characters in the first line verbatim! Those are back-ticks there!

Note: backtrace is a gdb command. You should enter it verbatim after the first line shown above. The ^D (Control-D, that is, press the Control key and the D key together) will cause gdb to exit. This will leave you with a file called backtrace.txt in the current directory. Include the file with your bug report.

Note: If you do not have gdb available, you will have to check out your operating system's debugger. Windows users might not be able to get a traceback.

You should mail the traceback to the ethereal-dev mailing list.
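The version output and the traceback asked for above can be collected in one step. The shell function below is an added example, not part of the original guide: the name collect_crash_report and its exit codes are assumptions, and it locates the binary with command -v rather than whereis.

```shell
# Added example (not from the Ethereal guide): write the "ethereal -v" output
# and a gdb backtrace into a single report file.
# Function name and exit codes are assumptions made for this example.
collect_crash_report() {
    prog=$1      # program name or path, e.g. ethereal
    core=$2      # core file left behind by the crash
    report=$3    # file to write, e.g. backtrace.txt

    # gdb must be given the same executable that produced the core file,
    # so resolve the name to a full path first.
    prog_path=$(command -v "$prog") || {
        echo "cannot find $prog in PATH" >&2
        return 2
    }
    [ -r "$core" ] || {
        echo "core file $core is missing or unreadable" >&2
        return 3
    }
    command -v gdb >/dev/null 2>&1 || {
        echo "gdb is not installed; use your system's debugger" >&2
        return 4
    }

    {
        echo "== $prog -v =="
        "$prog_path" -v
        echo "== backtrace =="
        # Same session as typed by hand: the backtrace command followed by
        # end of input (the ^D), which makes gdb exit.
        echo backtrace | gdb "$prog_path" "$core"
    } >"$report" 2>&1
}
```

Call it as collect_crash_report ethereal core backtrace.txt. The report holds only the version text and the stack trace, not the core file itself.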

Where to get the latest copy of this document


The latest copy of this documentation can always be found at: http://www.ns.aus.com/ethereal/user-guide/book1.html [9]; and at: http://www.ethereal.com/docs/user-guide/ [10].

In addition, you can find a PDF version of the guide at: http://www.ns.aus.com/ethereal/user-guide/user-guide-a4.pdf [11] in A4 and http://www.ns.aus.com/ethereal/user-guide/user-guide-usletter.pdf [12] in US Letter.

Providing feedback
Should you have any feedback about this document, please send it to the author at rsharpe@ns.aus.com [13].

Notes
1. mailto:rsharpe@ns.aus.com
2. mailto:hagbard@physics.rutgers.edu
3. http://www.gnu.org/copyleft/gpl.html
4. http://www.ethereal.com
5. http://www.ethereal.com/introduction.html#authors
6. http://www.ethereal.com
7. http://www.ethereal.com
8. http://www.ethereal.com
9. http://www.ns.aus.com/ethereal/user-guide/book1.html
10. http://www.ethereal.com
11. http://www.ns.aus.com/ethereal/user-guide/user-guide-a4.pdf
12. http://www.ns.aus.com/ethereal/user-guide/user-guide-usletter.pdf
13. mailto:rsharpe@ns.aus.com

Chapter 2. Building and Installing Ethereal


Introduction
As with all things, there must be a beginning, and so it is with Ethereal. To use Ethereal, you must:

Obtain a binary package for your operating system, or
Obtain the source and build Ethereal for your operating system.

Currently, only two or three Linux distributions ship Ethereal, and they are commonly shipping an out-of-date version. No other versions of UNIX ship Ethereal so far, and Microsoft does not ship it with any version of Windows. For that reason, you will need to know where to get the latest version of Ethereal and how to install it. The current version of Ethereal is 0.8.19.

This chapter shows you how to obtain source and binary packages, and how to build Ethereal from source, should you choose to do so. The following are the general steps you would use:

1. Download the relevant package for your needs, e.g. source or binary distribution.
2. Build the source into a binary, if you have downloaded the source. This may involve building and/or installing any other necessary packages.
3. Install the binaries in their final destinations.

Obtaining the source and binary distributions


You can obtain both source and binary distributions from the Ethereal web site: http://www.ethereal.com [1]. Simply select the download link, and then select either the source package or binary package of your choice from the mirror site closest to you.

Download all the needed files: In general, unless you have already downloaded Ethereal before, you will most likely need to download several source packages if you are building Ethereal from source. This is covered in more detail below.

Once you have downloaded the relevant files, you can go on to the next step.

Note: While you will find a number of binary packages available on the Ethereal web site, you might not find one for your platform, and they often tend to be several versions behind the current released version, as they are contributed by people who have the platforms they are built for. For this reason, you might want to pull down the source distribution and build it, as the process is relatively simple.

Before you build Ethereal


Before you build Ethereal from sources, or install a binary package, you must ensure that you have the following other packages installed:

GTK+, The GIMP Tool Kit. You will also need Glib. Both can be obtained from www.gtk.org [2]
libpcap, the packet capture software that Ethereal uses. You can obtain libpcap from www.tcpdump.org [3]

Depending on your system, you may be able to install these from binaries, e.g. RPMs, or you may need to obtain them in source code form and build them. If you have downloaded the source for GTK+, the instructions shown in Example 2-1 may provide some help in building it:

Example 2-1. Building GTK+ from source

    gzip -dc gtk+-1.2.8.tar.gz | tar xvf -
    <much output removed>
    cd gtk+-1.2.8
    ./configure
    <much output removed>
    make
    <much output removed>
    make install
    <much output removed>

Note!: You may need to change the version number of gtk+ in Example 2-1 to match the version of GTK+ you have downloaded. The directory you change to will change if the version of GTK+ changes, and in all cases, tar xvf - will show you the name of the directory you should change to.

Note!: If you use Linux, or have GNU tar installed, you can use tar zxvf gtk+-1.2.8.tar.gz. It is also possible to use gunzip -c or gzcat rather than gzip -dc on many UNIX systems.

Note!: If you downloaded gtk+ or any other tar file using Windows, you may find your file called gtk+-1_2_8_tar.gz.

You should consult the GTK+ web site if any errors occur in carrying out the instructions in Example 2-1. If you have downloaded the source to libpcap, the general instructions shown in Example 2-2 will assist in building it. Also, if your operating system does not support tcpdump, you might also want to download it from the tcpdump [4] web site and install it.

Example 2-2. Building and installing libpcap

    gzip -dc libpcap-0.5.tar.Z | tar xvf -
    <much output removed>
    cd libpcap_0_5rel2
    ./configure
    <much output removed>
    make
    <much output removed>
    make install
    <much output removed>
    make install-incl
    <much output removed>

Note!: The directory you should change to will depend on the version of libpcap you have downloaded. In all cases, tar xvf - will show you the name of the directory that has been unpacked.

When installing the include files, you might get the error shown in Example 2-3 when you submit the command make install-incl.

Example 2-3. Errors while installing the libpcap include files

    /usr/local/include/pcap.h
    /usr/bin/install -c -m 444 -o bin -g bin ./pcap-namedb.h \
        /usr/local/include/pcap-namedb.h
    /usr/bin/install -c -m 444 -o bin -g bin ./net/bpf.h \
        /usr/local/include/net/bpf.h
    /usr/bin/install: cannot create regular file \
        /usr/local/include/net/bpf.h: No such file or directory
    make: *** [install-incl] Error 1

If you do, simply create the missing directory with the following command:


mkdir /usr/local/include/net

and rerun the command make install-incl.

Under RedHat 6.x and beyond (and distributions based on it, like Mandrake) you can simply install each of the packages you need from RPMs. Most Linux systems will install GTK+ and Glib in any case; however, you will probably need to install the devel versions of each of these packages. The commands shown in Example 2-4 will install all the needed RPMs if they are not already installed.

Example 2-4. Installing required RPMs under RedHat Linux 6.2 and beyond

cd /mnt/cdrom/RedHat/RPMS
rpm -ivh glib-1.2.6-3.i386.rpm
rpm -ivh glib-devel-1.2.6-3.i386.rpm
rpm -ivh gtk+-1.2.6-7.i386.rpm
rpm -ivh gtk+-devel-1.2.6-7.i386.rpm
rpm -ivh libpcap-0.4-19.i386.rpm

Note: If you are using a version of RedHat later than 6.2, the required RPMs have most likely changed. Simply use the correct RPMs from your distribution.

Under Debian you can install ethereal using apt-get. apt-get will handle any dependency issues for you. Example 2-5 shows how to do this.

Example 2-5. Installing debs under Debian

apt-get install ethereal

Building from Source under UNIX


Use the following general steps if you are building Ethereal from source under a UNIX operating system:

1. Unpack the source from its gzip'd tar file. If you are using Linux, or your version of UNIX uses GNU tar, you can use the following command:

tar zxvf ethereal-0.8.19-tar.gz

For other versions of UNIX, you will want to use the following commands:

gzip -d ethereal-0.8.19-tar.gz
tar xvf ethereal-0.8.19-tar

Note!: The pipeline gzip -dc ethereal-0.8.19-tar.gz | tar xvf - will work here as well.

Note!: If you have downloaded the Ethereal tarball under Windows, you may find that your browser has created a file with underscores rather than periods in its file name.

2. Change directory to the ethereal source directory.

3. Configure your source so it will build correctly for your version of UNIX. You can do this with the following command:

./configure

If this step fails, you will have to rectify the problems and rerun configure. Troubleshooting hints are provided in the section called "Troubleshooting during the install".

4. Build the sources into a binary, with the make command. For example:

make

5. Install the software in its final destination, using the command:

make install

Once you have installed Ethereal with make install above, you should be able to run it by entering ethereal.

Installing the binaries under UNIX


In general, installing the binary under your version of UNIX will be specific to the installation methods used with your version of UNIX. For example, under AIX, you would use smit to install the Ethereal binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld.


Installing from RPMs under Linux


Use the following command to install the Ethereal RPM that you have downloaded from the Ethereal web site:
rpm -ivh ethereal-0.8.10-1.i386.rpm

If the above step fails because of missing dependencies, install the dependencies first, and then retry the step above. See Example 2-4 for information on what RPMs you will need to have installed.

Installing from debs under Debian


Use the following command to install Ethereal under Debian:
apt-get install ethereal

apt-get should take care of all of the dependency issues for you.

Building from source under Windows


Unfortunately the current revisor of this document has never built Ethereal under Windows and is thus not competent to write this section. Hopefully this will be remedied in the future.

Installing Ethereal under Windows


In this section we explore installing Ethereal under Windows from the binary packages. You must follow two steps:

1. Install WinPcap. There are instructions at the WinPcap web site for installing it under Windows 9X, Windows NT and Windows 2000. These are located at: http://netgroup-serv.polito.it/winpcap/install/Default.htm [5].

2. Install Ethereal. You may acquire a binary installable of Ethereal at http://www.ethereal.com/download.html#binaries [6]. Download the installer (after installing WinPcap) and execute it.

Troubleshooting during the install


A number of errors can occur during the installation process. Some hints on solving these are provided here.


If the configure stage fails, you will need to find out why. You can check the file config.log in the source directory to find out what failed. The last few lines of this file should help in determining the problems.

The standard problems are that you do not have GTK+ on your system, or you do not have a recent enough version of GTK+. The configure will also fail if you do not have libpcap (at least the required include files) on your system.

Another common problem is for the final compile and link stage to terminate with a complaint of: Output to long. This is likely being caused by an antiquated sed (like that shipped with Solaris). Since sed is used by the libtool script to construct the final link command, this leads to mysterious problems. This can be resolved by downloading sed from http://www.gnu.org/directory/sed.html [7].

If you cannot determine what the problems are, send mail to the ethereal-dev mailing list explaining your problem, and including the output from config.log and anything else you think is relevant, like a trace of the make stage.

Notes
1. http://www.ethereal.com
2. http://www.gtk.org
3. http://www.tcpdump.org
4. http://www.tcpdump.org
5. http://netgroup-serv.polito.it/winpcap/install/Default.htm
6. http://www.ethereal.com/download.html#binaries
7. http://www.gnu.org/directory/sed.html


Chapter 3. Using Ethereal


Introduction
By now you have installed Ethereal and are most likely keen to get started capturing your first packets. In this chapter we explore:

- How to start Ethereal
- How to capture packets in Ethereal
- How to view packets in Ethereal
- How to filter packets in Ethereal

In fact, most of the functionality of Ethereal is explored in this chapter.

Starting Ethereal
You can start Ethereal from the command line under UNIX, but it can also be started from most Window managers as well. In this section we will look at starting it from the command line. Before looking at the command line parameters Ethereal understands, let's look at Ethereal itself. Figure 3-1 shows Ethereal as you would usually see it.


Figure 3-1. Ethereal is comprised of three main windows

Ethereal is comprised of three main windows, or panes.

1. The top pane is the packet list pane. It displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.
2. The middle pane is the tree view pane. It displays the packet selected in the top pane in more detail.
3. The bottom pane is the data view pane. It displays the data from the packet selected in the top pane, and highlights the field selected in the tree view pane.


In addition to the three main panes, there are four elements of interest on the bottom of the Ethereal main window.

A. The lower leftmost button labeled "Filter:" can be clicked to bring up the filter construction dialog.
B. The left middle text box provides an area to enter or edit filter strings. This is also where the current filter in effect is displayed. You can click on the pull down arrow to select a past filter string from a list. More information on display filter strings is available in the section called "Filtering packets while viewing".
C. The right middle button labeled "Reset" clears the current filter.
D. The right text box displays informational messages. These messages may indicate whether or not you are capturing, or what file you have read into the packet list pane if you are not capturing. If you have selected a protocol field from the tree view pane and it is possible to filter on that field, then the filter label for that protocol field will be displayed.

Ethereal supports a large number of command line parameters. To see what they are, simply enter the command ethereal -h and the help information shown in Example 3-1 should be printed.

Example 3-1. Help information available from Ethereal

This is GNU ethereal 0.8.19, compiled with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.6, with libz 1.1.3, with UCD SNMP 4.2.1
ethereal [ -vh ] [ -klpQS ] [ -B <byte view height> ] [ -c <count> ]
        [ -f <capture filter> ] [ -i <interface> ] [ -m <medium font> ]
        [ -n ] [ -N <resolving> ]
        [ -o <preference setting> ] ... [ -P <packet list height> ]
        [ -r <infile> ] [ -R <read filter> ] [ -s <snaplen> ]
        [ -t <time stamp format> ] [ -T <tree view height> ] [ -w <savefile> ]

We will examine each of these possible command line options in turn. The first thing to notice is that issuing the command ethereal by itself will bring up Ethereal. However, you can include as many of the command line parameters as you like. Their meanings are as follows (in alphabetical order):

-B <byte view height>
This option sets the initial height of the byte view pane. This pane is the bottom pane in the Ethereal display.

-c <count>
This option specifies the number of packets to capture when capturing live data. It would be used in conjunction with the -k option.

-b <bold font>
This option sets the name of the bold font that Ethereal uses for data in the byte view pane when it is highlighted (ie, selected in the protocol pane

-D
This option changes the way Ethereal deals with the original IPv4 TOS field, so that rather than treating it as the Differentiated Services Field, it is treated as a Type of Service field.

-f <capture filter>
This option sets the initial capture filter expression to be used when capturing packets.

-h
The -h option requests Ethereal to print its version and usage instructions and exit.

-i <interface>
The -i option allows you to specify, from the command line, which interface packet capture should occur on if capturing packets. An example would be: ethereal -i eth0. To get a listing of all the interfaces you can capture on, use the command ifconfig -a or netstat -i. Unfortunately, some versions of UNIX do not support ifconfig -a, so you will have to use netstat -i in these cases.

-k
The -k option specifies that Ethereal should start capturing packets immediately. This option requires the use of the -i parameter to specify the interface that packet capture will occur from.

-l
This option turns on automatic scrolling if the packet list pane is being updated automatically as packets arrive during a capture (as specified by the -S flag).

-m <medium font>
This option sets the name of the font used for most text displayed by Ethereal.

-n
This option specifies that Ethereal not perform address to name translation nor translate TCP and UDP ports into names.

-N <resolving>
Turns on name resolving for particular types of addresses and port numbers; the argument is a string that may contain the letters m to enable MAC address resolution, n to enable network address resolution, and t to enable transport-layer port number resolution. This overrides -n if both -N and -n are present.

-o <preference settings>
Sets a preference value, overriding the default value and any value read from a preference file. The argument to the flag is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference file), and value is the value to which it should be set. Multiple instances of -o <preference settings> can be given on a single command line.

An example of setting a single preference would be:

ethereal -o mgcp.display_dissect_tree:TRUE

An example of setting multiple preferences would be:

ethereal -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627

-p
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Ethereal is running, broadcast traffic, and multicast traffic to addresses received by that machine.

-P <packet list height>
This option sets the initial height of the packet list pane, ie, the top pane.

-Q
This option forces Ethereal to exit when capturing is complete. It can be used with the -c option. It must be used in conjunction with the -i and -w options.

-r <infile>
This option provides the name of a capture file for Ethereal to read and display. This capture file can be in one of the formats Ethereal understands, including:

- libpcap
- Net Mon
- Snoop
- NetXray

For a complete list, see the Ethereal man pages (man ethereal).

-R <read filter>
This option specifies a capture filter to be applied when reading packets from a capture file. The syntax of this filter is that of the display filters discussed in the section called "Filtering packets while viewing". Packets not matching the filter are discarded.

-s <snaplen>
This option specifies the snapshot length to use when capturing packets. Ethereal will only capture <snaplen> bytes of data for each packet.

-S
This option specifies that Ethereal will display packets as it captures them. This is done by capturing in one process and displaying them in a separate process.

-t <time stamp format>
This option sets the format of packet timestamps that are displayed in the packet list window. The format can be one of:

- r, which specifies timestamps are displayed relative to the first packet captured.
- a, which specifies that actual dates and times be displayed for all packets.
- d, which specifies that timestamps are relative to the previous packet.

-T <tree view height>
This option sets the initial height of the tree view pane.

-v
The -v option requests Ethereal to print out its version information and exit.

-w <savefile>
This option sets the name of the savefile to be used when saving a capture file.

The Ethereal menus


The Ethereal menu sits across the top of the Ethereal window. An example is shown in Figure 3-2.

Figure 3-2. The Ethereal Menu

It contains the following items:

File
This menu contains menu-items to open and reread capture files, save capture files, print capture files, print packets, and to quit from Ethereal.

Edit
This menu contains menu-items to find a frame and go to a frame, mark one or more frames, set your preferences, create filters, and enable or disable the dissection of protocols (cut, copy, and paste are not presently implemented).

Capture
This menu allows you to start and stop captures.

Display
This menu contains menu-items to modify display options, match selected frames, colorize frames, expand all frames, collapse all frames, show a packet in a separate window, and configure user specified decodes.

Tools
This menu contains menu-items to display loaded plugins, follow a TCP stream, obtain a summary of the packets that have been captured, and display protocol hierarchy statistics.

Help
This menu contains the About Ethereal... menu item and access to some basic Help.

Each of these is described in more detail in the sections that follow.

The Ethereal File menu


The Ethereal file menu contains the fields shown in Table 3-1.

Figure 3-3. Ethereal File Menu

Table 3-1. File menu

| Menu Item | Accelerator | Description |
|---|---|---|
| Open... | Ctrl-O | This menu item brings up the file open dialog box that allows you to load a capture file for viewing. It is discussed in more detail in the section called "The File Open dialog box". |
| Close | Ctrl-W | This menu item closes the current capture. If you have not saved the capture, it is lost. |
| Save | Ctrl-S | This menu item saves the current capture. If you have not set a default capture file name (perhaps with the -w <capfile> option), Ethereal pops up the Save Capture File As dialog box (which is discussed further in the section called "The Save Capture File As dialog box"). Note!: If you have already saved the current capture, this menu will be greyed out. Note!: You cannot save a live capture while it is in progress. You must stop the capture in order to save. |
| Save As... | | This menu item allows you to save the current capture file to whatever file you would like. It pops up the Save Capture File As dialog box (which is discussed further in the section called "The Save Capture File As dialog box"). |
| Reload | Ctrl-R | This menu item allows you to reload the current capture file. This menu item is no longer needed, and may be removed in future releases of Ethereal. |
| Print... | | This menu item allows you to print all the packets in the capture file. It pops up the Ethereal Print dialog box (which is discussed further in the section called "Printing packets"). |
| Print Packet | Ctrl-P | This menu item allows you to print the current packet. |
| Quit | Ctrl-Q | This menu item allows you to quit from Ethereal. In the current release of Ethereal (0.8.19), Ethereal silently exits even if you have not saved the current capture file. This may be changed in a future release of Ethereal. |

The Ethereal Edit menu


The Ethereal Edit menu contains the fields shown in Table 3-2.

Figure 3-4. Ethereal Edit Menu

Table 3-2. Edit menu

| Menu Item | Accelerator | Description |
|---|---|---|
| Find Frame... | Ctrl-F | This menu item brings up a dialog box that allows you to find a frame by entering an Ethereal display filter. There is further information on finding frames in the section called "Finding frames". |
| Go to Frame... | Ctrl-G | This menu item brings up a dialog box that allows you to specify a frame to go to by frame number. |
| Mark Frame | Ctrl-M | This menu item "marks" the currently selected frame. See the section called "The Save Capture File As dialog box" for more information about saving marked frames. |
| Mark All Frames | | This menu item "marks" all frames. See the section called "The Save Capture File As dialog box" for more information about saving marked frames. |
| Unmark All Frames | | This menu item "unmarks" all marked frames. |
| Preferences... | | This menu item brings up a dialog box that allows you to set preferences for many parameters that control Ethereal. You can also save your preferences so Ethereal will use them the next time you start it. More detail is provided in the section called "Ethereal preferences". |
| Capture Filters... | | This menu item brings up a dialog box that allows you to create and edit capture filters. You can name filters, and you can save them for future use. More detail on this subject is provided in the section called "Defining and saving filters". |
| Display Filters... | | This menu item brings up a dialog box that allows you to create and edit display filters. You can name filters, and you can save them for future use. More detail on this subject is provided in the section called "Defining and saving filters". |
| Protocols... | | This menu item brings up a dialog box that allows you to enable or disable the dissection of individual protocols. |

The Ethereal Capture menu


The Ethereal Capture menu contains the fields shown in Table 3-3.

Figure 3-5. Ethereal Capture Menu

Table 3-3. Capture menu

| Menu Item | Accelerator | Description |
|---|---|---|
| Start... | Ctrl-K | This menu item brings up the Capture Preferences dialog box (discussed further in the section called "Capturing packets with Ethereal") and allows you to start capturing packets. |
| Stop | Ctrl-E | This menu item stops the currently running capture. |

The Ethereal Display menu


The Ethereal Display menu contains the fields shown in Table 3-4.

Figure 3-6. Ethereal Display Menu

Table 3-4. Display menu

| Menu Item | Accelerator | Description |
|---|---|---|
| Options... | | This menu item brings up a dialog box that controls the way that Ethereal displays some information about packets. Examples include the way timestamps are handled, whether addresses and other numbers are translated, and so forth. This is further discussed in the section called "Display Options". |
| Match Selected | | This menu item allows you to select all packets that have a matching value in the field selected in the tree view pane (middle pane). |
| Colorize Display | | This menu item brings up a dialog box that allows you to color packets in the packet list pane according to filter expressions you choose. It can be very useful for spotting certain types of packets. |
| Collapse All | | Ethereal keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list. |
| Expand All | | This menu item expands all subtrees in all packets in the capture. |
| Show Packet in New Window | | This menu item brings up the selected packet in a separate window. The separate window shows only the tree view and byte view panes. |
| User Specified Decodes... | | This menu item allows the user to force ethereal to decode certain packets as a particular protocol. |

The Ethereal Tools menu


The Ethereal Tools menu contains the fields shown in Table 3-5.

Figure 3-7. Ethereal Tools Menu

Table 3-5. Tools menu

| Menu Item | Accelerator | Description |
|---|---|---|
| Plugins... | | This menu item brings up a dialog box that allows you to manage Ethereal plugins. There are very few plugins to date. |
| Follow TCP Stream | | This menu item brings up a separate window and displays all the TCP segments captured that are on the same TCP connection as a selected packet. The data in the TCP stream is sorted into order, with duplicate segments removed, and it is then displayed in ASCII. You can change the format if you desire. |
| Decode As... | | This menu item allows the user to force ethereal to decode certain packets as a particular protocol. |
| Summary | | This menu item brings up a statistics window that shows information about the packets captured. |
| Protocol Hierarchy Statistics | | This menu item displays a hierarchical tree of packet statistics. |

The Ethereal Help menu


The Ethereal Help menu contains the fields shown in Table 3-6.

Figure 3-8. Ethereal Help Menu

Table 3-6. Help menu

| Menu Item | Accelerator | Description |
|---|---|---|
| Help | | This menu item brings up a basic help system. |
| About Ethereal... | | This menu item brings up an information window that provides some simple information on Ethereal. |

Capturing packets with Ethereal


There are two methods you can use to capture packets with Ethereal:

1. From the command line using the following:

ethereal -i eth0 -k

2. By starting Ethereal and then selecting Start... from the Capture menu. This brings up the Capture Preferences dialog box and will be dealt with in more detail in the section called "The Capture Preferences dialog box".

The Capture Preferences dialog box


When you select Start... from the Capture menu, Ethereal pops up the Capture Preferences dialog box as shown in Figure 3-9.


Figure 3-9. The Capture Preferences dialog box

You can set the following fields in this dialog box:

Interface
This field specifies the interface you want to capture on. You can only capture on one interface, and you can only capture on interfaces that Ethereal has found on the system. It is a drop-down list, so simply click on the button on the right hand side and select the interface you want. It defaults to the first non-loopback interface that supports capturing, and if there are none, the first loopback interface. On some systems, loopback interfaces cannot be used for capturing. This field performs the same function as the -i <interface> command line option.

Count
This field specifies the number of packets that you want to capture. It defaults to 0, which means do not stop capturing. Enter the value that you want in here, or leave it blank.

Filter
This field allows you to specify a capture filter. Capture filters are discussed in more detail in the section called "Filtering while capturing". It defaults to empty, or no filter. You can also click on the Filter button/label, and Ethereal will bring up the Filters dialog box and allow you to create and/or select a filter. Please see the section called "Defining and saving filters".

File
This field allows you to specify the file name that will be used for the capture when you later choose Save... or Save As... from the Ethereal File menu. There is no default for this value.

Capture length
This field allows you to specify the maximum amount of data that will be captured for each packet, and is sometimes referred to as the snaplen. The default is 65535, which will be sufficient for most protocols. It should be at least the MTU for the interface you are capturing on.

Capture packets in promiscuous mode
This radio button allows you to specify that Ethereal should set the interface in promiscuous mode when capturing. If you do not specify this, Ethereal will only capture the packets going to or from your computer (not all packets going by your interface).
Note: If some other process has put the interface in promiscuous mode you may be capturing in promiscuous mode even if you turn off this option.

Update list of packets in real time
This radio button allows you to specify that Ethereal should update the packet list pane in real time. If you do not specify this, Ethereal does not display any packets until you cancel the capture. When you click on this radio button, Ethereal captures in a separate process and feeds the captures to the display process. [Is this true for Windows?]

Automatic scrolling in live capture
This radio button allows you to specify that Ethereal should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Ethereal simply adds new packets onto the end of the list, but does not scroll the packet list pane.

Enable MAC name resolution
This radio button allows you to control whether or not Ethereal translates the first three octets of a MAC address into the name of the manufacturer to whom that prefix has been assigned by the IETF.

Enable network name resolution
This radio button allows you to control whether or not Ethereal translates IP addresses into DNS domain names. By clicking on this radio button, the packet list pane will have more useful information, but you will also cause name lookup requests to occur, which might disturb the capture.
Note: If you cannot reach the name server, you may find that Ethereal takes a long time in updating the packet list pane as it waits for name translation to time out.

Enable transport name resolution
This radio button allows you to control whether or not Ethereal translates port numbers into protocols.

Once you have set the values you desire and have selected the radio buttons you need, simply click on OK to commence the capture, or Cancel to cancel the capture. If you start a capture, Ethereal pops up a dialog box that shows you the progress of the capture and allows you to stop capturing when you have enough packets captured.

Filtering while capturing


Ethereal uses the libpcap filter language for capture filters. This is explained in the tcpdump man page. If you can understand it, you are a better man than I am, Gunga Din!

You enter the capture filter into the Filter field of the Ethereal Capture Preferences dialog box, as shown in Figure 3-9.

The following is an outline of the syntax of the tcpdump capture filter language.

A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:

[not] primitive [and|or [not] primitive ...]

An example is shown in Example 3-2.

Example 3-2. A capture filter for telnet that captures traffic to and from a particular host

tcp port 23 and host 10.0.0.5

This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the and conjunction. Another example is shown in Example 3-3, and shows how to capture all telnet traffic except that from 10.0.0.5.

Example 3-3. Capturing all telnet traffic not from 10.0.0.5

tcp port 23 and not host 10.0.0.5

A primitive is simply one of the following:

[src|dst] host <host>
This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

ether [src|dst] host <ehost>
This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.

gateway host <host>
This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.

[src|dst] net <net> [{mask <mask>}|{len <len>}]
This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these are present, packets will be selected that have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR prefix for the network if they are different from your own.

[tcp|udp] [src|dst] port <port>
This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst. If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified address appears in either the source or destination port field.

less|greater <length>
This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively.

ip|ether proto <protocol>
This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.

ether|ip broadcast|multicast
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

<expr> relop <expr>
This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the tcpdump man pages for more details.
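The following is an added example, not part of the original guide and not Ethereal or libpcap code: a small Python evaluator for the [src|dst] host and [tcp|udp] [src|dst] port primitives joined by not, and and or, run over constructed packets. The Packet class, the function names and the sample traffic are assumptions; and/or are evaluated left to right at equal precedence, as the tcpdump man page describes, and host or service names are not resolved.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a captured packet (not an Ethereal or libpcap type)."""
    proto: str                   # "tcp" or "udp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    sport: Optional[int] = None  # source port
    dport: Optional[int] = None  # destination port

Predicate = Callable[[Packet], bool]

def _host(direction: Optional[str], addr: str) -> Predicate:
    ipaddress.ip_address(addr)  # raises ValueError for names: no DNS lookups here
    # Without src|dst the address may appear on either side of the packet.
    fields = {"src": ("src",), "dst": ("dst",)}.get(direction, ("src", "dst"))
    return lambda p: any(getattr(p, f) == addr for f in fields)

def _port(proto: Optional[str], direction: Optional[str], port: int) -> Predicate:
    protos = (proto,) if proto else ("tcp", "udp")  # no keyword: both protocols
    fields = {"src": ("sport",), "dst": ("dport",)}.get(direction, ("sport", "dport"))
    return lambda p: p.proto in protos and any(getattr(p, f) == port for f in fields)

def _join(op: str, left: Predicate, right: Predicate) -> Predicate:
    if op == "and":
        return lambda p: left(p) and right(p)
    return lambda p: left(p) or right(p)

def compile_filter(text: str) -> Predicate:
    """Compile '[not] primitive [and|or [not] primitive ...]' into a predicate."""
    tokens = text.split()
    if not tokens:
        return lambda p: True  # an empty Filter field means no filter
    pos = 0

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("filter ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def primitive() -> Predicate:
        tok = take()
        proto = direction = None
        if tok in ("tcp", "udp"):      # tcp|udp must appear before src|dst
            proto, tok = tok, take()
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok == "port":
            value = take()
            if not value.isdigit():
                raise ValueError(f"port must be numeric in this sketch: {value!r}")
            return _port(proto, direction, int(value))
        if tok == "host" and proto is None:
            return _host(direction, take())
        raise ValueError(f"unsupported primitive near {tok!r}")

    def term() -> Predicate:
        nonlocal pos
        if tokens[pos:pos + 1] == ["not"]:  # not applies to one primitive only
            pos += 1
            inner = primitive()
            return lambda p: not inner(p)
        return primitive()

    result = term()
    while pos < len(tokens):
        op = take()
        if op not in ("and", "or"):
            raise ValueError(f"expected and/or, got {op!r}")
        result = _join(op, result, term())  # equal precedence, left to right
    return result

def select(filter_text: str, packets: List[Packet]) -> List[int]:
    """Return the indexes of the packets the filter would capture."""
    keep = compile_filter(filter_text)
    return [i for i, p in enumerate(packets) if keep(p)]

# Constructed sample traffic; 10.0.0.9 plays the telnet server.
SAMPLE = [
    Packet("tcp", "10.0.0.5", "10.0.0.9", 1025, 23),  # 0: telnet from 10.0.0.5
    Packet("tcp", "10.0.0.9", "10.0.0.5", 23, 1025),  # 1: server reply to 10.0.0.5
    Packet("tcp", "10.0.0.7", "10.0.0.9", 1030, 23),  # 2: telnet from 10.0.0.7
    Packet("tcp", "10.0.0.5", "10.0.0.9", 1026, 80),  # 3: non-telnet TCP
    Packet("udp", "10.0.0.7", "10.0.0.9", 23, 5000),  # 4: UDP using port 23
]
```

On this sample, select("tcp port 23 and not host 10.0.0.5", SAMPLE) keeps only the 10.0.0.7 session, because host without src|dst matches either direction; with not src host 10.0.0.5 the server's replies to 10.0.0.5 are kept as well.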

Viewing packets you have captured


Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on that packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes. You can then expand any part of the tree view by clicking on the plus sign to the left of that part of the payload, and you can select individual fields by clicking on them in the tree view pane. An example with a TCP segment selected is shown in Figure 3-10. It also has the Acknowledgment number in the TCP header selected, which shows up in the byte view as the selected bytes.


Figure 3-10. Ethereal with a TCP segment selected for viewing

You can also select and view packets when Ethereal is capturing if you selected "Update list of packets in real time" in the Ethereal Capture Preferences dialog box. In addition, you can view individual packets in a separate window as shown in Figure 3-11. Do this by selecting the packet you are interested in in the packet list pane, and then select "Show Packet in New Window" from the Display menu. This allows you to easily compare two or more packets.


Figure 3-11. Viewing a packet in a separate window

Finally, you can bring up a pop-up menu over either the packet list pane or the tree view pane by clicking your right mouse button. The menu that pops up contains the following items:


Figure 3-12. Packet Pane pop-up menu

Follow TCP Stream
This menu item is the same as the Display menu item of the same name. It allows you to view all the data on a TCP stream between a pair of nodes.

Decode As...
This menu item is the same as the Display menu item of the same name.

Display Filters...
This menu item is the same as the Edit menu item of the same name. It allows you to specify and manage filters.

Colorize Display...
This menu item is the same as the Display menu item of the same name. It allows you to colorize packets in the packet list pane.

Print...
This menu item is the same as the File menu item of the same name. It allows you to print packets.

Print Packet
This menu item is the same as the File menu item of the same name. It allows you to print the currently selected packet.


Show Packet in New Window
This menu item is the same as the Display menu item of the same name. It allows you to display the selected packet in another window.

Figure 3-13. Treeview Pane pop-up menu

Follow TCP Stream
This menu item is the same as the Display menu item of the same name. It allows you to view all the data on a TCP stream between a pair of nodes.

Decode As...
This menu item is the same as the Display menu item of the same name.

Display Filters...
This menu item is the same as the Edit menu item of the same name. It allows you to specify and manage filters.

Resolve Name
This menu item causes name resolution to be performed for the selected packet, but NOT every packet in the capture.


Protocol Properties...
This menu item takes you to the protocol properties dialog if there are properties associated with the highlighted fields. More information on preferences can be found in Figure 3-29.

Match Selected
This menu item allows you to select all packets that have a matching value in the field selected in the tree view pane (middle pane).

Collapse All
Ethereal keeps a list of all the protocol subtrees that are expanded, and uses it to ensure that the correct subtrees are expanded when you display a packet. This menu item collapses the tree view of all packets in the capture list.

Expand All
This menu item expands all subtrees in all packets in the capture.

Display Options
You can control the way that Ethereal displays a number of items. You manage these by selecting the Options menu item from the Display menu. When you do this, Ethereal pops up the Display Options dialog box, as shown in Figure 3-14.

Figure 3-14. Ethereal Display Options dialog box

The following are the items on this dialog box and their meanings:


Time of day
Selecting this radio button tells Ethereal to display time stamps in time of day format. This field, Date and time of day, Seconds since beginning of capture and Seconds since previous frame are mutually exclusive.

Date and time of day
Selecting this radio button tells Ethereal to display the time stamps in date and time of day format. Time of day, this field, Seconds since beginning of capture and Seconds since previous frame are mutually exclusive.

Seconds since beginning of capture
Selecting this radio button tells Ethereal to display time stamps in seconds since beginning of capture format. Time of day, Date and time of day, this field, and Seconds since previous frame are mutually exclusive.

Seconds since previous frame
This radio button tells Ethereal to display time stamps in seconds since previous frame format. Time of day, Date and time of day, Seconds since beginning of capture and this field are mutually exclusive.

Automatic scrolling in live capture
This field, when selected, tells Ethereal to scroll the packet list pane when new packets are captured.

Enable MAC name resolution
This field, when selected, tells Ethereal to translate the first three octets of MAC addresses (the vendor identifier) into names (where it can) when displaying packets.

Enable network name resolution
This field, when selected, tells Ethereal to translate IP addresses into domain names (where it can) when displaying packets.
Note: If you select this option and your DNS server is unavailable then Ethereal will be very slow as it times out waiting for responses from your DNS server.

Enable transport name resolution
This field, when selected, tells Ethereal to translate the transport layer addresses (TCP/UDP port numbers) into well-known service names (where it can) when displaying packets.


Saving captured packets


You can save captured packets simply by using the Save As... menu item from the File menu under Ethereal. You can choose to save all packets that were captured or only the packets currently being displayed.

The Save Capture File As dialog box


The Ethereal Save Capture File As dialog box allows you to save the current capture to a file. Figure 3-15 shows an example of this dialog box.

Figure 3-15. The Ethereal Save Capture File As dialog box

With this dialog box, you can perform the following actions:

1. Create directories with the Create Dir button.
2. Delete files with the Delete File button.
3. Rename files with the Rename File button.
4. Select files and directories with the directories and files list boxes and the file system hierarchy drop down box.
5. Save only the packets currently being displayed (as opposed to all the packets captured) by clicking on the "Save only packets currently being displayed" radio button.
6. Save only the marked packets (as opposed to all the packets captured) by clicking on the "Save only marked packets" radio button. More on marking packets can be found in the section called "The Ethereal Edit menu".
7. Specify the format of the saved capture file by clicking on the File type drop down box. You can choose from among the following types:
   a. libpcap (tcpdump, Ethereal, etc.)
   b. modified libpcap (tcpdump)
   c. RedHat Linux libpcap (tcpdump)
   d. Network Associates Sniffer (DOS based)
   e. Sun Snoop
   f. Microsoft Network Monitor 1.x
   g. Network Associates Sniffer (Windows based) 1.1
   Note!: Some capture formats may not be available, depending on the frame types captured.
   Note!: You can convert capture files from one format to another by reading in a capture file and writing it out using a different format.
8. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.
9. Click on OK to accept your selected file and save to it. If Ethereal has a problem saving the captured packets to the file you specified, it will display an error dialog box. After clicking OK, you can try another file.
10. Click on Cancel to go back to Ethereal and not save the captured packets.

Reading capture files


Ethereal can read in previously saved capture files, and in addition, because it is built with a subroutine library called libwiretap, it can read capture files from a number of other packet capture programs as well. The following is the list of capture formats it understands:

tcpdump and Ethereal
snoop (including Shomiti) and atmsnoop
LanAlyzer
Sniffer (compressed or uncompressed)
Microsoft Network Monitor
AIX's iptrace
NetXray
Sniffer Pro
RADCOM's WAN/LAN analyzer
Lucent/Ascend router debug output
HP-UX's nettl
the dump output from Toshiba's ISDN routers
i4btrace from the ISDN4BSD project

You only need to get these files onto your system and Ethereal can read them. To read them, simply select the Open menu item from the File menu. Ethereal will then pop up the File Open dialog box, which is discussed in more detail in the section called "The File Open dialog box".

The File Open dialog box


The Ethereal File Open dialog box allows you to search for a capture file containing previously captured packets for display in Ethereal. Figure 3-16 shows an example of the Ethereal Open File Dialog box.


Figure 3-16. The Ethereal Open File Dialog box

With this dialog box, you can perform the following actions:

1. Create directories with the Create Dir button.
2. Delete files with the Delete File button.
3. Rename files with the Rename File button.
4. Select files and directories with the directories and files list boxes and the file system hierarchy drop down box.
5. Specify a display filter with the Filter button and filter field. Clicking on the Filter button causes Ethereal to pop up the Filters dialog box (which is discussed further in the section called "Filtering packets while viewing").
6. Specify that MAC name resolution is to be performed for all MAC addresses in packets by clicking on the "Enable MAC name resolution" check button.
7. Specify that DNS name resolution is to be performed for all IP addresses in packets by clicking on the "Enable network name resolution" check button.
   Note: Enabling network name resolution when your DNS server is unavailable may significantly slow Ethereal while it waits for all of the DNS requests to time out.
8. Specify that transport name resolution is to be performed for all transport (TCP/UDP port) addresses in packets by clicking on the "Enable transport name resolution" check button.
9. Type in the name of the capture file you wish to open, as a standard file name in your file system.
10. Click on OK to accept your selected file and open it. If Ethereal recognizes the capture format, it will display the packets read from the capture file in the packet list pane. If it does not recognize the capture format, it will display an error dialog box. After clicking OK, you can try another file.
11. Click on Cancel to go back to Ethereal and not load a capture file.

Filtering packets while viewing


Ethereal has two filtering languages: one used when capturing packets, and one used when displaying packets. In this section we explore the second type of filter: display filters. The first one has already been dealt with in the section called "Filtering while capturing". Display filters allow you to concentrate on the packets you are interested in. They allow you to select packets by:

Protocol
The presence of a field
The values of fields
A comparison between fields

To select packets based on protocol type, simply type the protocol you are interested in in the Filter: field on the bottom left hand corner of the Ethereal window and press enter to initiate the filter. Figure 3-17 shows an example of what happens when you type smb in the filter field.
Note!: All filter expressions are entered in lowercase. Also, don't forget to press enter after entering the filter expression.


Figure 3-17. Filtering on the SMB protocol


Note!: The packets selected in Figure 3-17 all show up as BROWSER packets but they are carried in SMB packets.

You can filter on any protocol that Ethereal understands. However, you can also filter on any field that a dissector adds to the tree view, but only if the dissector has added an abbreviation for the field. A list of such fields is available in Ethereal in the Add Expression... dialog box. You can find more information on the Add Expression... dialog box in the section called "The Add Expression Dialog". You may also find a list of the fields in Appendix A.

For example, to narrow the packet list pane down to only those packets to or from 10.0.0.5, use ip.addr==10.0.0.5.
Note!: To remove the filter, click on the Reset button to the right of the filter field.


Building filter expressions


Ethereal provides a simple display filter language that you can build quite complex filter expressions with. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this.

Comparing values
You can build display filters that compare values using a number of different comparison operators. They are shown in Table 3-7.

Table 3-7. Display filter comparison operators

English   C-like   Description and example
eq        ==       Equal: ip.addr==10.0.0.5
ne        !=       Not equal: ip.addr!=10.0.0.5
gt        >        Greater than: frame.pkt_len > 10
lt        <        Less than: frame.pkt_len < 128
ge        >=       Greater than or equal to: frame.pkt_len ge 0x100
le        <=       Less than or equal to: frame.pkt_len <= 0x20

In addition, all protocol fields are typed. Table 3-8 provides a list of the types and examples of how to express them.

Table 3-8. Field Types

Type: Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
Example: You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:
ip.len le 1500
ip.len le 02734
ip.len le 0x5dc

Type: Signed integer (8-bit, 16-bit, 24-bit, 32-bit)

Type: Boolean
Example: A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header. Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find source-routed token ring packets, use a filter expression of tr.sr.

Type: Ethernet address (6 bytes)

Type: IPv4 address

Type: IPv6 address

Type: IPX network number

Type: String (text)

Type: Double-precision floating point number

Combining expressions
You can combine filter expressions in Ethereal using the logical operators shown in Table 3-9.

Table 3-9. Display Filter Logical Operations

English   C-like   Description and example
and       &&       Logical AND: ip.addr==10.0.0.5 and tcp.flags.fin
or        ||       Logical OR: ip.addr==10.0.0.5 or ip.addr==192.1.1.1
xor       ^^       Logical XOR: tr.dst[0:3] == 0.6.29 xor tr.src[0:3] ==
not       !        Logical NOT: not llc
[...]              Substring Operator

Substring Operator: Ethereal will allow you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets [] containing a comma-separated list of range specifiers.

eth.src[0:3] == 00:00:83
The example above uses the n:m format to specify a single range. In this case n is the beginning offset and m is the length of the range being specified.

eth.src[1-2] == 00:83
The example above uses the n-m format to specify a single range. In this case n is the beginning offset and m is the ending offset.

eth.src[:4] == 00:00:83:00
The example above uses the :m format, which takes everything from the beginning of a sequence to offset m. It is equivalent to 0:m.

eth.src[4:] == 20:20
The example above uses the n: format, which takes everything from offset n to the end of the sequence.

eth.src[2] == 83
The example above uses the n format to specify a single range. In this case the element in the sequence at offset n is selected. This is equivalent to n:1.

eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:8
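The five range formats described for the substring operator, worked through in Python as an added example (it is not part of the Ethereal guide or code base). The names parse_range, select and matches are hypothetical, and the 6-byte address is constructed so that each eth.src example in Table 3-9 holds.

```python
import re

# One range specifier: "n:m", ":m", "n:", "n-m" or "n" (the five forms the text lists).
_SPEC = re.compile(
    r"^(?:(?P<off>\d*):(?P<len>\d*)|(?P<first>\d+)-(?P<last>\d+)|(?P<one>\d+))$")


def parse_range(spec, field_len):
    """Return (start, count) for one specifier applied to a field of field_len bytes."""
    spec = spec.strip()
    m = _SPEC.match(spec)
    if m is None or spec == ":":
        raise ValueError(f"unrecognised range specifier: {spec!r}")
    if m.group("one") is not None:            # "n" is equivalent to "n:1"
        start, count = int(m.group("one")), 1
    elif m.group("first") is not None:        # "n-m": m is the ending offset, inclusive
        start = int(m.group("first"))
        count = int(m.group("last")) - start + 1
    else:                                     # "n:m", ":m" (same as "0:m") or "n:"
        start = int(m.group("off") or 0)
        count = int(m.group("len")) if m.group("len") else field_len - start
    if count < 1 or start + count > field_len:
        raise ValueError(f"range {spec!r} falls outside a {field_len}-byte field")
    return start, count


def select(field, ranges):
    """Concatenate the bytes chosen by a comma-separated list of range specifiers."""
    out = bytearray()
    for spec in ranges.split(","):
        start, count = parse_range(spec, len(field))
        out += field[start:start + count]
    return bytes(out)


def to_hex(data):
    """Render bytes in the colon-separated form used in the filter examples."""
    return ":".join(f"{b:02x}" for b in data)


def matches(field, ranges, literal):
    """Evaluate field[ranges] == literal, where literal is colon-separated hex."""
    return select(field, ranges) == bytes.fromhex(literal.replace(":", ""))


# Constructed source address, chosen so that every eth.src example in the table holds.
ETH_SRC = bytes.fromhex("000083002020")

if __name__ == "__main__":
    for ranges in ("0:3", "1-2", ":4", "4:", "2", "0:3,1-2,:4,4:,2"):
        print(f"eth.src[{ranges}] selects {to_hex(select(ETH_SRC, ranges))}")
```

The difference between n:m (offset and length) and n-m (first and last offset) is the easy one to get wrong: [1:2] and [1-2] select the same two bytes, but [2:4] and [2-4] do not.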

Packet colorization
A very useful mechanism available in Ethereal is packet colorization. You can set Ethereal up so that it colorizes packets according to a filter. This allows you to emphasize the packets you are interested in. To colorize packets, select the Colorize Display... menu item from the Display menu, and Ethereal will pop up the Add Color to Protocols dialog box as shown in Figure 3-18.

Figure 3-18. The Ethereal Add Color to Protocols dialog box

Once the Add Color to Protocol dialog box is up, there are a number of buttons you can use, depending on whether or not you have any color filters installed already. If this is the first time you have used Add Color to Protocol, click on New, which will bring up the Edit color filter dialog box as shown in Figure 3-19.


Figure 3-19. The Ethereal Edit color filter dialog box

In the Edit Color dialog box, simply enter a name for the color filter, and enter a filter string in the Filter text field. Figure 3-19 shows the values smb and smb, which means that the name of the color filter is smb and the filter will select protocols of type smb. Once you have entered these values, you can choose a background and foreground color for packets that match the filter expression. Click on Choose background color or Choose foreground color to achieve this and Ethereal will pop up the Choose foreground/background color for protocol dialog box as shown in Figure 3-20.

Figure 3-20. Ethereal Choose color dialog box

Select the color you desire for the selected packets and click on OK.
Note!: You must select a color in the colorbar next to the colorwheel to load values into the RGB sliders. Alternatively, you can use the sliders to select the color you want.


You will need to carefully select the order in which filters are listed, because they are applied in that order. So, more specific filters need to be listed before more general filters. For example, if you have a color filter for UDP before the one for DNS, the color filter for DNS will never be applied. Figure 3-21 shows an example of several color filters being used in Ethereal. You may not like the color choices, however, so feel free to choose your own.

Figure 3-21. Using color filters with Ethereal

Finding frames
You can easily find frames once you have captured some packets or have read in a previously saved capture file. Simply select the Find Frame... menu item from the Edit menu. Ethereal will pop up the dialog box shown in Figure 3-22.


Figure 3-22. The Ethereal Find Frame dialog box

Simply enter a display filter string into the Filter: field, select a direction, and click on OK. For example, to find the three way handshake for a connection from host 10.0.0.5, use the following filter string:
ip.addr==10.0.0.5 and tcp.flags.syn

For more details on display filters, see the section called "Filtering packets while viewing".

Following TCP streams


There will be occasions when you would like to see the data on a TCP session in the order that the application layer would see it. Perhaps you are looking for passwords in a Telnet stream, or perhaps you are trying to make sense of a data stream. If so, Ethereal's ability to follow a TCP stream will be useful to you. Simply select a TCP segment on the stream/connection you are interested in and then select the Follow TCP Stream menu item from the Ethereal Tools menu. Ethereal will pop up a separate window with all the data from the TCP stream laid out in order, as shown in Figure 3-23.


Figure 3-23. Following a TCP Stream

You can then select to view the data in one of three formats:

1. ASCII. In this view you see the data from each end in ASCII, but alternating according to when each end sent data. Unfortunately, non-printing characters do not print.
2. EBCDIC. For the big-iron freaks out there.
3. HEX Dump. This allows you to see all the data, but you lose the ability to read it in ASCII.

Note!: It is worthwhile noting that Follow TCP Stream installs a filter to select all the packets on the TCP stream you have selected.

Defining and saving filters


You can define filters with Ethereal and give them labels for later use. This can save time in remembering and retyping some of the more complex filters you use. To define a new filter or edit an existing filter, select the Filters... menu item from the Edit menu. Ethereal will then pop up the Filters dialog as shown in Figure 3-24.


Figure 3-24. The Ethereal Filters dialog box

You would enter a filter name in the Filter name field, and a filter string in the Filter string field. However, for most other actions, you would select a filter from the list box (which will fill in the name and string in the fields down the bottom of the dialog box), and make whatever changes you want to. Then you should choose one of the buttons down the left hand side of the dialog box. The buttons have the following meanings:

New
This button adds the filter string entered in the Filter string field with the name supplied in the Filter name field.
Note!: You can add multiple filters with the same name. This is not very useful.

Change
This button changes the filter named in the Filter name string by replacing its filter string with the string in the Filter string field.

Copy
This button copies the selected filter and calls it "Copy of <orig>", where <orig> is the name of the original filter.

Delete
This button deletes the selected filter.

Apply
This button applies the selected filter to the current display.


Add Expression...
This button brings up the Add Expression dialog box which assists in building filter strings. You can find more information about the Add Expression dialog in the section called "The Add Expression Dialog".

The Add Expression Dialog


When you are accustomed to Ethereal's filtering system and know what labels you wish to use in your filters, it can be very quick to simply type a filter string. However, if you are new to Ethereal or are working with a slightly unfamiliar protocol, it can be very confusing to try to figure out what to type. The Add Expression dialog box helps with this.

Figure 3-25. The Ethereal Add Expression dialog box, view 1

When you first bring up the Add Expression dialog box you are shown a tree list of field names, organized by protocol, and a box for selecting a relation.

Field Name
Select a protocol field from the protocol field tree. Every protocol with filterable fields is listed at the top level. By clicking on the "+" next to a protocol name you can get a list of the field names available for filtering for that protocol.


Relation
Select a relation from the list of available relations. The "is present" relation is a unary relation which is true if the selected field is present in a packet. All other listed relations are binary relations, which require additional data (i.e. a Value to match) to complete.

Figure 3-26. The Ethereal Add Expression dialog box, view 2

When you select a field from the field name list and select a binary relation (like the equality relation ==) you will be given the opportunity to enter a value, and possibly some range information.

Value
You may enter an appropriate value in the Value text box. The Value will also indicate the type of value for the field name you have selected (like character string).

Accept
When you have built a satisfactory expression click Accept and a filter string will be built for you.

Close
You can leave the Add Expression... dialog box without any effect by clicking the Close


Figure 3-27. The result of building a filter string using the Add Expression dialog box.

The Add Expression dialog box is an excellent way to learn to write Ethereal display filter strings.

Printing packets
Ethereal provides two methods for printing packets:

1. Select the Print... menu item from the File menu. When you do this, Ethereal pops up the Print dialog box as shown in Figure 3-28.
2. Select the Print Packet menu item from the File menu (or type Ctrl-P) and Ethereal will print the currently selected packet.

We present more detail on the Print dialog box below.


Figure 3-28. The Ethereal Print dialog box

Note: Currently, there is no simple way with the Print dialog box to print only a range of packets, or to print a single packet. To do this, first select a range of packets with a display filter, then select Print... from the File menu. You could even select a single packet with something like frame.number == 10 or a range by frame number with something like frame.number >= 10 && frame.number <= 20.

The following fields are available in the Print dialog box:

Format
This field contains a pair of mutually exclusive radio buttons:

Plain Text, which specifies that the packet print should be in plain text.
PostScript, which specifies that the packet print process should use PostScript to generate a better print.

Print to
This field contains another pair of mutually exclusive radio buttons:

Command, which specifies that a command be used for printing.
File, which specifies that printing be done to a file.

Command
This field specifies the command to use for printing. It is typically lpr. You would change it to specify a particular queue if you need to print to a queue other than the default. An example might be:
lpr -Pmypostscript


This field is greyed out if Command is not specified above.

File
This field is where you enter the file to print to if you have selected Print to a file. It is greyed out if Print to a file is not selected.

Print summary and Print detail
This pair of mutually exclusive radio boxes selects whether Ethereal prints a summary or the detail for each packet printed.

Expand all details and Print as displayed
This pair of mutually exclusive radio boxes selects whether Ethereal expands all details for all packets printed, or prints them as displayed (i.e., with only the currently expanded protocol trees expanded).

Print hex data
This radio box controls whether or not Ethereal prints the hex data for each packet selected.

Ethereal preferences
There are a number of preferences you can set from one place. Simply select the Preferences... menu item from the Edit menu, and Ethereal will pop up the Preferences dialog box as shown in Figure 3-29.


Figure 3-29. The Ethereal Preferences dialog box

The Ethereal Preferences dialog box is a tabbed dialog box that allows you to set preferences for each of the following elements:

Printing
This tab allows you to define the default printing command that Ethereal will use as well as the default output file name when you print to a file. These are discussed in more detail in the section called "Printing packets".

Columns
This tab allows you to select which columns appear in the Packet List Pane.

TCP Streams
This tab allows you to change the foreground and background colors used by the Follow TCP Stream feature described in the section called "The Ethereal Tools menu".

GUI
This tab allows you to configure various characteristics of the GUI.

Other tabs
The remaining tabs allow you to configure various preferences for the dissection of various network protocols.


Files used by Ethereal


Ethereal uses a number of files while it is running. Some of these reside in $HOME/.ethereal and are used to maintain information between runs of Ethereal, while some of them are maintained in system areas. The following are some of the files accessed by Ethereal:

$HOME/.ethereal/preferences
This file contains all your Ethereal preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form variable: value.

$HOME/.ethereal/filters
This file contains all the filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
"<filter name>" <filter string>

$HOME/.ethereal/colorfilters
This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]

/usr/share/ethereal/plugins, /usr/local/share/ethereals/plugins, $HOME/.ethereal/plugins
Ethereal searches for plugins in the directories listed above. They are searched in the order listed.

/etc/ethers, $HOME/.ethereal/ethers
When Ethereal is trying to translate Ethernet hardware addresses to names, it consults the files listed above in the order listed. If an address is not found in /etc/ethers, Ethereal looks in $HOME/.ethereal/ethers. Each line in these files consists of one hardware address and name separated by whitespace. The digits of hardware addresses are separated by colons (:), dashes (-) or periods (.). The following are some examples:
ff-ff-ff-ff-ff-ff    Broadcast
c0-00-ff-ff-ff-ff    TR_broadcast
00.2b.08.93.4b.a1    Freds_machine


/usr/local/etc/manuf
Ethereal uses the file listed above to translate the first three bytes of an Ethernet address into a manufacturer's name. This file has the same format as the ethers file, except addresses are three bytes long.

$HOME/.ethereal/ipxnets
Ethereal uses the above file to translate IPX network numbers into names. An example is:
C0.A8.2C.00    HR
c0-a8-1c-00    CEO
00:00:BE:EF    IT_Server1
110f           FileServer3
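The lookup order described for /etc/ethers, $HOME/.ethereal/ethers and the manuf file, as an added example in Python that is not Ethereal's own code. The function names, the per-user and manuf sample lines, the handling of rejected lines and the "vendor_xx:xx:xx" output form are assumptions made for the illustration; the system ethers lines are the ones shown above.

```python
import re

_PAIR = re.compile(r"[0-9A-Fa-f]{1,2}")


def parse_addr(text, nbytes):
    """Parse nbytes hex pairs separated by ':', '-' or '.' (the three styles listed)."""
    parts = re.split(r"[:.\-]", text)
    if len(parts) != nbytes or not all(_PAIR.fullmatch(p) for p in parts):
        raise ValueError(f"expected {nbytes} hex bytes, got {text!r}")
    return bytes(int(p, 16) for p in parts)


def load_table(content, nbytes):
    """Return ({address: name}, [rejected lines]) for the content of one file."""
    table, rejected = {}, []
    for line in content.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            if len(fields) != 2:
                raise ValueError("expected '<address> <name>'")
            # Assumption: if a file repeats an address, its first entry is kept.
            table.setdefault(parse_addr(fields[0], nbytes), fields[1])
        except ValueError:
            rejected.append(line)
    return table, rejected


def resolve(addr_text, ethers_tables, manuf_table):
    """Name a 6-byte address: ethers files in the order given, then the manuf prefix."""
    addr = parse_addr(addr_text, 6)
    for table in ethers_tables:          # /etc/ethers first, then $HOME/.ethereal/ethers
        if addr in table:
            return table[addr]
    vendor = manuf_table.get(addr[:3])   # manuf entries are three bytes long
    if vendor is not None:
        return vendor + "_" + ":".join(f"{b:02x}" for b in addr[3:])
    return ":".join(f"{b:02x}" for b in addr)


# Content of /etc/ethers: the three example lines from the text.
SYSTEM_ETHERS = """\
ff-ff-ff-ff-ff-ff    Broadcast
c0-00-ff-ff-ff-ff    TR_broadcast
00.2b.08.93.4b.a1    Freds_machine
"""
# Constructed per-user file: its first line repeats an address from the system file.
USER_ETHERS = """\
00:2b:08:93:4b:a1    My_laptop
00-00-83-00-20-20    Lab_switch
not-an-address       Broken
"""
MANUF = "00:00:83    ExampleVendor\n"    # constructed manuf entry

if __name__ == "__main__":
    system, _ = load_table(SYSTEM_ETHERS, 6)
    user, bad = load_table(USER_ETHERS, 6)
    manuf, _ = load_table(MANUF, 3)
    for a in ("00:2B:08:93:4B:A1", "00.00.83.00.20.20", "00:00:83:aa:bb:cc"):
        print(a, "->", resolve(a, [system, user], manuf))
    print("rejected:", bad)
```

Because /etc/ethers is consulted first, the per-user My_laptop entry never takes effect: a name shown in the packet list reflects whichever file matched first, not necessarily the entry you last edited.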


Chapter 4. Troubleshooting with Ethereal


An approach to troubleshooting with Ethereal
Ethereal is a very useful tool for network troubleshooting, since it contains a number of features that allow you to quickly focus on problems in your network, for several reasons:

It allows you to focus in on specific packets and protocols, as you can see a large amount of detail associated with various protocols.
It supports a large number of protocols, and the list of protocols supported is growing as more people contribute dissectors.
By giving you a visual view of traffic in parts of your network, and providing tools to filter and colorize that information, it gives you a better feel for your network traffic and helps you understand your network better.

The following general approach is suggested:


Determine that the problem looks like a networking problem. There is no point in capturing packets if the problem is not networking related.

Figure out where to capture packets. You will have to capture packets from a part of the network where you can actually get network traffic related to the problem. This is especially important in the presence of switches and routers. See the section called "Capturing in the presence of switches and routers" for more details.

Because Ethereal can read many capture file formats, you can capture using any convenient tool. One useful approach is to use tcpdump to capture on remote systems and then copy the capture file to your system for later analysis. For more details on capturing with tcpdump, see the section called "Capturing with tcpdump for viewing with Ethereal" in Chapter 5.

Once you have captured packets that you think relate to the problem, load them into Ethereal and look for your problem. Using Ethereal's filtering and colorization capabilities, you can quickly narrow down the capture to the area of interest.

Examine the appropriate fields within the packets where the problem appears to be. These can often help to reveal the problem.

Capturing in the presence of switches and routers


Many vendors' switches support a feature known as "port spanning" or "port mirroring" in which all of the traffic to and from port A is also sent out port B. An excellent reference on the "port spanning" feature of Cisco switches can be found at Configuring the Catalyst Switched Port Analyzer (SPAN) Feature [1].


Examples of troubleshooting
Troubleshooting often requires a reasonable knowledge of the protocols in question. However, you can often get a good idea of what might be going wrong simply by looking at the packets being exchanged.

Notes
1. http://www.cisco.com/warp/public/473/41.html


Chapter 5. Related tools


Capturing with tcpdump for viewing with Ethereal
There are occasions when you want to capture packets using tcpdump rather than Ethereal, especially when you want to do a remote capture and do not want the network load associated with running Ethereal remotely (not to mention all the X traffic polluting your capture). However, the default tcpdump parameters result in a capture file where each packet is truncated, because tcpdump, by default, does not capture full packets. To ensure that you capture complete packets, use the following command:
tcpdump -i <interface> -s 1500 -w <some-file>

You will have to specify the correct interface and the name of a file to save into. In addition, you will have to terminate the capture with ^C when you believe you have captured enough packets.
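A check worth running on a capture file before analysing it, as an added example in Python that is not part of the guide: it reads the classic libpcap file header and lists every record whose captured length is shorter than its length on the wire. The function names and the sample frames are constructed, and the 68-byte snapshot length is an assumed short value. A full-size Ethernet frame is 1514 bytes including its 14-byte header, so it is still cut at a snapshot length of 1500.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap file, microsecond timestamps
FILE_HDR = 24                # magic, version, thiszone, sigfigs, snaplen, linktype
REC_HDR = 16                 # ts_sec, ts_usec, captured length, length on the wire


def truncated_records(data):
    """Return (snaplen, [(frame_number, captured, on_wire), ...]) for cut-off frames."""
    if len(data) < FILE_HDR:
        raise ValueError("too short for a libpcap file header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # written on a host of the other byte order
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture file")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]

    truncated, offset, number = [], FILE_HDR, 0
    while offset < len(data):
        if offset + REC_HDR > len(data):
            raise ValueError("file ends inside a record header")
        _sec, _usec, captured, on_wire = struct.unpack(
            endian + "IIII", data[offset:offset + REC_HDR])
        offset += REC_HDR
        if offset + captured > len(data):
            raise ValueError("file ends inside packet data")
        number += 1                      # frame numbers start at 1, as in frame.number
        if captured < on_wire:
            truncated.append((number, captured, on_wire))
        offset += captured
    return snaplen, truncated


def build_sample(snaplen, frame_sizes, endian="<"):
    """Constructed capture: one zero-filled frame per size, cut at snaplen."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(frame_sizes):
        captured = min(size, snaplen)
        out += struct.pack(endian + "IIII", 1000 + i, 0, captured, size)
        out += bytes(captured)
    return out


if __name__ == "__main__":
    sizes = [60, 342, 1514]              # constructed frame lengths on the wire
    for snaplen in (68, 1500, 1514):
        _, cut = truncated_records(build_sample(snaplen, sizes))
        print(f"snaplen {snaplen}: {len(cut)} of {len(sizes)} frames truncated {cut}")
```

Only the standard libpcap record layout is handled here; the modified libpcap variants listed among the save formats use a different record header.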

Tethereal, for terminal-based capturing


Tethereal is a terminal oriented version of ethereal designed for capturing and displaying packets when you do not have a graphical environment available. It supports the same option set that ethereal does. For more information on tethereal, see the manual pages (man tethereal).

Using editcap
Included with Ethereal is a small utility called editcap, which is a command-line utility for working with capture files. Its main function is to remove packets from a capture file, but it can also be used to convert capture files from one format to another, as well as print information about capture files.

editcap has the following format:

editcap [-r] [-h] [-v] [-T {encap type}] [-F {capture type}] {infile} {outfile} [record#[-][record# ...]]

Where each option has the following meaning:

-r
    This option specifies that the frames listed should be kept, not deleted. The default is to delete the listed frames.

-h
    This option provides help.

-v
    This option specifies verbose operation. The default is silent operation.

-T {encap type}
    This option specifies the frame encapsulation type to use. It can take one of the following values:

    ether - Ethernet
    tr - Token Ring
    slip - SLIP
    ppp - PPP
    fddi - FDDI
    fddi-swapped - FDDI with bit-swapped MAC addresses
    rawip - Raw IP
    arcnet - ARCNET
    atm-rfc1483 - RFC 1483 ATM
    linux-atm-clip - Linux ATM CLIP
    lapb - LAPB
    atm-sniffer - ATM Sniffer
    null - NULL
    ascend - Lucent/Ascend access equipment
    lapd - LAPD
    v120 - V.120

    It is mainly for converting funny captures to something that Ethereal can deal with. The default frame encapsulation type is the same as the input encapsulation.

-F {capture type}
    This option specifies the capture file format to write the output file in. You can choose from the following values:

    libpcap - libpcap (tcpdump, Ethereal, etc.)
    modlibpcap - modified libpcap (tcpdump)
    rh6_1libpcap - Red Hat Linux 6.1 libpcap (tcpdump)
    ngsniffer - Network Associates Sniffer (DOS-based)
    snoop - Sun snoop
    netmon1 - Microsoft Network Monitor 1.x
    ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1

    The default is libpcap format.

{infile}
    This parameter specifies the input file to use. It must be present.

{outfile}
    This parameter specifies the output file to use. It must be present.

[record#[-][record# ...]]
    This optional parameter specifies the records to include or exclude (depending on the -r option). You can specify individual records or a range of records.

Merging multiple capture files into a single capture file with mergecap


Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap knows how to read libpcap capture files, including those of tcpdump. In addition, Mergecap can read capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer (compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray, Sniffer Pro, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output, HP-UX's nettl, and the dump output from Toshiba's ISDN routers. There is no need to tell Mergecap what type of file you are reading; it will determine the file type by itself. Mergecap is also capable of reading any of these file formats if they are compressed using gzip. Mergecap recognizes this directly from the file; the .gz extension is not required for this purpose.

By default, it writes the capture file in libpcap format, and writes all of the packets in both input capture files to the output file. The -F flag can be used to specify the format in which to write the capture file; it can write the file in libpcap format (standard libpcap format, a modified format used by some patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft Network Monitor 1.x format, and the format used by Windows-based versions of the Sniffer software.

Packets from the input files are merged in chronological order based on each frame's timestamp, unless the -a flag is specified. Mergecap assumes that frames within a single capture file are already stored in chronological order. When the -a flag is specified, packets are copied directly from each input file to the output file, independent of each frame's timestamp.

If the -s flag is used to specify a snapshot length, frames in the input file with more captured data than the specified snapshot length will have only the amount of data specified by the snapshot length written to the output file. This may be useful if the program that is to read the output file cannot handle packets larger than a certain size (for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the standard Ethernet MTU, making them incapable of handling gigabit Ethernet captures if jumbo frames were used).

If the -T flag is used to specify an encapsulation type, the encapsulation type of the output capture file will be forced to the specified type, rather than being the type appropriate to the encapsulation type of the input capture file. Note that this merely forces the encapsulation type of the output file to be the specified type; the packet headers of the packets will not be translated from the encapsulation type of the input capture file to the specified encapsulation type (for example, it will not translate an Ethernet capture to an FDDI capture if an Ethernet capture is read and -T fddi is specified).

Example 5-1. Help information available from mergecap

hagbard@hagbard:~/build/src/ethereal/doc$ mergecap -h
mergecap version 0.8.19
Usage: mergecap [-h] [-v] [-a] [-s <snaplen>] [-T <encap type>] [-F <capture type>] -w <outfile> <infile> [...]

  where -h produces this help listing.
        -v verbose operation, default is silent
        -a files should be concatenated, not merged
             Default merges based on frame timestamps
        -s <snaplen>: truncate packets to <snaplen> bytes of data
        -w <outfile>: sets output filename to <outfile>
        -T <encap type> encapsulation type to use:
             ether - Ethernet
             tr - Token Ring
             slip - SLIP
             ppp - PPP
             fddi - FDDI
             fddi-swapped - FDDI with bit-swapped MAC addresses
             rawip - Raw IP
             arcnet - ARCNET
             atm-rfc1483 - RFC 1483 ATM
             linux-atm-clip - Linux ATM CLIP
             lapb - LAPB
             atm-sniffer - ATM Sniffer
             null - NULL
             ascend - Lucent/Ascend access equipment
             lapd - LAPD
             v120 - V.120
             ppp-with-direction - PPP with Directional Info
             ieee-802-11 - IEEE 802.11 Wireless LAN
             linux-sll - Linux cooked-mode capture
             frelay - Frame Relay
             chdlc - Cisco HDLC
             default is the same as the first input file
        -F <capture type> capture file type to write:
             libpcap - libpcap (tcpdump, Ethereal, etc.)
             rh6_1libpcap - Red Hat Linux 6.1 libpcap (tcpdump)
             suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
             modlibpcap - modified libpcap (tcpdump)
             nokialibpcap - Nokia libpcap (tcpdump)
             ngsniffer - Network Associates Sniffer (DOS-based)
             snoop - Sun snoop
             netmon1 - Microsoft Network Monitor 1.x
             netmon2 - Microsoft Network Monitor 2.x
             ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
             default is libpcap

-h
    Prints the version and options and exits.

-v
    Causes mergecap to print a number of messages while it's working.

-a
    Causes the frame timestamps to be ignored, writing all packets from the first input file followed by all packets from the second input file. By default, when -a is not specified, the contents of the input files are merged in chronological order based on each frame's timestamp. Note: when merging, mergecap assumes that packets within a capture file are already in chronological order.

-s
    Sets the snapshot length to use when writing the data.

-w
    Sets the output filename.

-T
    Sets the packet encapsulation type of the output capture file.

-F
    Sets the file format of the output capture file.

A simple example merging dhcp-capture.libpcap and imap-1.libpcap into outfile.libpcap is shown below.

Example 5-2. Simple example of using mergecap

hagbard@hagbard:~/captures$ mergecap -w outfile.libpcap dhcp-capture.libpcap imap-1.libpcap
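The merge semantics described above (timestamp merge versus -a, -s truncation, gzip detected from file content) can be modelled in a few lines. This is an added example, not mergecap's own code; the function names and the constructed sample captures are assumptions made for the illustration, and only the standard libpcap format is handled.

```python
import gzip
import heapq
import struct

LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Return (linktype, records); a record is (sec, usec, orig_len, payload)."""
    if data[:2] == b"\x1f\x8b":          # gzip magic: detected from content, not the name
        data = gzip.decompress(data)
    magics = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
    endian = magics.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a standard libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    records, pos = [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, caplen, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + caplen > len(data):
            raise ValueError("record runs past end of file")
        records.append((sec, usec, orig_len, data[pos:pos + caplen]))
        pos += caplen
    return linktype, records


def write_pcap(records, linktype, snaplen=65535):
    """Serialise records as a little-endian libpcap 2.4 file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, orig_len, payload in records:
        out.append(struct.pack("<IIII", sec, usec, len(payload), orig_len))
        out.append(payload)
    return b"".join(out)


def merge_captures(captures, append=False, snaplen=None):
    """Model of the documented behaviour: merge by timestamp, or concatenate (-a)."""
    parsed = [read_pcap(c) for c in captures]
    linktype = parsed[0][0]              # default: same as the first input file
    streams = [records for _, records in parsed]
    if append:
        merged = [r for records in streams for r in records]
    else:
        # k-way merge: correct only if every input is already in time order
        merged = list(heapq.merge(*streams, key=lambda r: (r[0], r[1])))
    if snaplen is not None:
        # -s: keep at most snaplen captured bytes, leave the original length alone
        merged = [(s, u, o, p[:snaplen]) for s, u, o, p in merged]
    return write_pcap(merged, linktype, snaplen if snaplen is not None else 65535)


def timestamps(pcap):
    return [record[0] for record in read_pcap(pcap)[1]]


def make_sample(times, size=60):
    """Constructed capture: one 60-byte dummy frame per timestamp."""
    frames = [(t, 0, size, bytes([t % 256]) * size) for t in times]
    return write_pcap(frames, LINKTYPE_ETHERNET)


CAP_A = make_sample([10, 30])
CAP_B = gzip.compress(make_sample([20, 40]))   # gzip-compressed input
CAP_UNSORTED = make_sample([50, 5])            # violates the ordering assumption

if __name__ == "__main__":
    print("merged:  ", timestamps(merge_captures([CAP_A, CAP_B])))
    print("appended:", timestamps(merge_captures([CAP_A, CAP_B], append=True)))
    print("unsorted:", timestamps(merge_captures([CAP_A, CAP_UNSORTED])))
```

The last call shows why the ordering assumption matters: an input whose frames are out of order yields an output that is out of order too, so sort or re-capture such a file before relying on the merged timeline.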

Converting ASCII hexdumps to network captures with text2pcap


There may be some occasions when you wish to convert a hex dump of some network traffic into a libpcap file. Text2pcap is a program that reads in an ASCII hex dump and writes the data described into a libpcap-style capture file. text2pcap can read hexdumps with multiple packets in them, and build a capture file of multiple packets. text2pcap is also capable of generating dummy Ethernet, IP and UDP headers, in order to build fully processable packet dumps from hexdumps of application-level data only.

Text2pcap understands a hexdump of the form generated by od -t x1. In other words, each byte is individually displayed and surrounded with a space. Each line begins with an offset describing the position in the file. The offset is a hex number (can also be octal - see -o), of more than two hex digits. Here is a sample dump that text2pcap can recognize:
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........

There is no limit on the width or number of bytes per line. Also the text dump at the end of the line is ignored. Bytes/hex numbers can be uppercase or lowercase. Any text before the offset is ignored, including email forwarding characters ">". Any lines of text between the bytestring lines are ignored. The offsets are used to track the bytes, so offsets must be correct. Any line which has only bytes without a leading offset is ignored. An offset is recognized as being a hex number longer than two characters. Any text after the bytes is ignored (e.g. the character dump). Any hex numbers in this text are also ignored. An offset of zero is indicative of starting a new packet, so a single text file with a series of hexdumps can be converted into a packet capture with multiple packets. Multiple packets are read in with timestamps differing by one second each. In general, short of these restrictions, text2pcap is pretty liberal about reading in hexdumps and has been tested with a variety of mangled outputs (including being forwarded through email multiple times, with limited line wrap etc.)

There are a couple of other special features to note. Any line where the first non-whitespace character is "#" will be ignored as a comment. Any line beginning with #TEXT2PCAP is a directive and options can be inserted after this command to be processed by text2pcap. Currently there are no directives implemented; in the future, these may be used to give more fine grained control on the dump and the way it should be processed e.g. timestamps, encapsulation type etc.

Text2pcap also allows the user to read in dumps of application-level data, by inserting dummy L2, L3 and L4 headers before each packet. The user can elect to insert Ethernet headers, Ethernet and IP, or Ethernet, IP and UDP headers before each packet. This allows Ethereal or any other full-packet decoder to handle these dumps.

Example 5-3. Help information available for text2pcap
hagbard@hagbard:~/build/src/ethereal/doc$ text2pcap -h
text2pcap: invalid option -- h
Usage: text2pcap [-d] [-q] [-o h|o] [-l typenum] [-e l3pid] [-i proto] [-u srcp destp] <input-filename> <output-filename>

where <input-filename> specifies input filename (use - for standard input)
      <output-filename> specifies output filename (use - for standard output)

[options] are one or more of the following

 -w filename     : Write capfile to <filename>. Default is standard output
 -h              : Display this help message
 -d              : Generate detailed debug of parser states
 -o hex|oct      : Parse offsets as (h)ex or (o)ctal. Default is hex
 -l typenum      : Specify link-layer type number. Default is 1 (Ethernet).
                   See net/bpf.h for list of numbers.
 -q              : Generate no output at all (automatically turns off -d)
 -e l3pid        : Prepend dummy Ethernet II header with specified L3PID (in HEX)
                   Example: -e 0x800
 -i proto        : Prepend dummy IP header with specified IP protocol (in DECIMAL).
                   Automatically prepends Ethernet header as well. Example: -i 46
 -u srcp destp   : Prepend dummy UDP header with specified dest and source ports (in DECIM
                   Automatically prepends Ethernet and IP headers as well
                   Example: -u 30 40

-w <filename>
    Write the capture file generated by text2pcap to <filename>. The default is to write to standard output.

-h
    Display the help message.

-d
    Displays debugging information during the process. Can be used multiple times to generate more debugging information.

-q
    Be completely quiet during the process.

-o hex|oct
    Specify the radix for the offsets (hex or octal). Defaults to hex. This corresponds to the -A option for od.

-l
    Specify the link-layer type of this packet. Default is Ethernet (1). See net/bpf.h for the complete list of possible encapsulations. Note that this option should be used if your dump is a complete hex dump of an encapsulated packet and you wish to specify the exact type of encapsulation. Example: -l 7 for ARCNet packets.

-e l3pid
    Include a dummy Ethernet header before each packet. Specify the L3PID for the Ethernet header in hex. Use this option if your dump has Layer 3 header and payload (e.g. IP header), but no Layer 2 encapsulation. Example: -e 0x806 to specify an ARP packet.
    For IP packets, instead of generating a fake Ethernet header you can also use -l 12 to indicate a raw IP packet to Ethereal. Note that -l 12 does not work for any non-IP Layer 3 packet (e.g. ARP), whereas generating a dummy Ethernet header with -e works for any sort of L3 packet.

-u srcport destport
    Include dummy UDP headers before each packet. Specify the source and destination UDP ports for the packet in decimal. Use this option if your dump is the UDP payload of a packet but does not include any UDP, IP or Ethernet headers. Note that this automatically includes appropriate Ethernet and IP headers with each packet. Example: -u 1000 69 to make the packets look like TFTP/UDP packets.
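The hexdump rules given in this section (offset recognition, skipped lines, a zero offset starting a new packet, one-second timestamp steps, the optional dummy Ethernet header of -e) are applied below to the manual's sample dump. This is an added example, not text2pcap's source; the function names, the dummy MAC addresses and the decision to reject a wrong offset with an error are assumptions of the sketch, and only ">" quoting is stripped ahead of the offset.

```python
import re
import struct

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
# Dummy addresses for the -e style header (constructed, locally administered)
DUMMY_DST = bytes.fromhex("020000000002")
DUMMY_SRC = bytes.fromhex("020000000001")


def parse_hexdump(text, radix=16):
    """Return the packets (as bytes) found in an 'od -t x1' style dump."""
    digits = "0-9A-Fa-f" if radix == 16 else "0-7"
    offset_re = re.compile(r"^[%s]{3,}$" % digits)   # more than two digits
    packets, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue                      # comment or #TEXT2PCAP directive
        tokens = raw.lstrip("> \t").split()
        if not tokens or not offset_re.match(tokens[0]):
            continue                      # prose, or bytes without an offset
        offset = int(tokens[0], radix)
        if offset == 0:                   # offset zero starts a new packet
            if current:
                packets.append(bytes(current))
            current = bytearray()
        elif current is None or offset != len(current):
            raise ValueError("line %d: offset %#x does not match %d bytes read"
                             % (lineno, offset, len(current or b"")))
        for tok in tokens[1:]:
            if not HEX_BYTE.match(tok):
                break                     # character dump: ignore rest of line
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets


def to_pcap(packets, linktype=1, l3pid=None, start_ts=0):
    """Write packets as libpcap, timestamps one second apart."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        if l3pid is not None:             # like -e: prepend a dummy Ethernet II header
            pkt = DUMMY_DST + DUMMY_SRC + struct.pack(">H", l3pid) + pkt
        out.append(struct.pack("<IIII", start_ts + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


# Constructed input: the manual's sample packet quoted as forwarded e-mail,
# followed by a second, made-up packet.
SAMPLE_DUMP = """\
# constructed test input
> 000000 00 e0 1e a7 05 6f 00 10 ........
> 000008 5a a0 b9 12 08 00 46 00 ........
> 000010 03 68 00 00 00 00 0a 2e ........
> 000018 ee 33 0f 19 08 7f 0f 19 ........
> 000020 03 80 94 04 00 00 10 01 ........
> 000028 16 a2 0a 00 03 50 00 0c ........
> 000030 01 01 0f 19 03 80 11 01 ........
the next packet is constructed; this line and the one below are skipped
aa bb cc dd
000000 ff ff ff ff ff ff 00 10 ........
000008 5a a0 b9 12 08 06 ........
"""

if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_DUMP)
    print([len(p) for p in pkts], len(to_pcap(pkts)))
```

A prose line whose first word happens to be three or more hex digits (for example "Add") would be taken for an offset by this sketch, which is one reason to review dumps pasted from mail or tickets before converting them.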


Creating dissectors from Corba IDL files with idl2eth


In an ideal world idl2eth would be mentioned in the user's guide in passing and documented in the developer's guide. As the developer's guide has not yet been completed it will be documented here.

What is it?
As you have probably guessed from the name, idl2eth takes a user specified IDL file and attempts to build a dissector that can decode the IDL traffic over GIOP. The resulting file is "C" code, that should compile okay as an ethereal dissector. idl2eth basically parses the data struct given to it by the omniidl compiler, and using the GIOP API available in packet-giop.[ch], generates get_CDR_xxx calls to decode the CORBA traffic on the wire. It consists of 4 main files.

README.idl2eth
    This document

ethereal_be.py
    The main compiler backend

ethereal_gen.py
    A helper class, that generates the C code.

idl2eth
    A simple shell script wrapper that the end user should use to generate the dissector from the IDL file(s).

Why do this?
It is important to understand what CORBA traffic looks like over GIOP/IIOP, and to help build a tool that can assist in troubleshooting CORBA interworking. This was especially the case after seeing a lot of discussions about how particular IDL types are represented inside an octet stream. I have also had comments/feedback that this tool would be good for say a CORBA class when teaching students what CORBA traffic looks like "on the wire". It is also COOL to work on a great Open Source project such as the case with "Ethereal" ( http://www.ethereal.com [1] )

How to use idl2eth


To use idl2eth to generate ethereal dissectors, you need the following:

Prerequisites to using idl2eth

1. Python must be installed. See http://python.org/ [2]

2. omniidl from the omniORB package must be available. http://www.uk.research.att.com/omniORB/omniORB.html [3]

3. Of course you need ethereal installed to compile the code and tweak it if required. idl2eth is part of the standard Ethereal distribution.

To use idl2eth to generate an ethereal dissector from an idl file use the following procedure:

Procedure for converting a Corba idl file into an ethereal dissector

1. To write the C code to stdout.

   idl2eth <your file.idl>

   eg:

   idl2eth echo.idl

2. To write to a file, just redirect the output.

   idl2eth echo.idl > packet-test-idl.c

   You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection.

If you don't want to use the shell script wrapper, then try steps 3 or 4 instead.

3. To write the C code to stdout.

   Usage: omniidl -p ./ -b ethereal_be <your file.idl>

   eg:

   omniidl -p ./ -b ethereal_be echo.idl

4. To write to a file, just redirect the output.

   omniidl -p ./ -b ethereal_be echo.idl > packet-test-idl.c

   You may wish to comment out the register_giop_user_module() code and that will leave you with heuristic dissection.

5. Copy the resulting C code to your ethereal src directory, edit the 2 make files to include the packet-test-idl.c

   cp packet-test-idl.c /dir/where/ethereal/lives/
   edit Makefile.am
   edit Makefile.nmake

6. Run configure

   ./configure (or ./autogen.sh)

7. Compile the code

   make

8. Good Luck !!


TODO
1. Exception code not generated (yet), but can be added manually.
2. Enums not converted to symbolic values (yet), but can be added manually.
3. Add command line options etc
4. More I am sure :-)

Limitations
See the TODO list inside packet-giop.c

Notes
1. The "-p ./" option passed to omniidl indicates that the ethereal_be.py and ethereal_gen.py are residing in the current directory. This may need tweaking if you place these files somewhere else.
2. If it complains about being unable to find some modules (eg tempfile.py), you may want to check if PYTHONPATH is set correctly. On my Linux box, it is PYTHONPATH=/usr/lib/python1.5/

Notes
1. http://www.ethereal.com
2. http://python.org/
3. http://www.uk.research.att.com/omniORB/omniORB.html


Appendix A. Ethereal Display Filter Fields


802.1q Virtual LAN (vlan)
Table A-1. 802.1q Virtual LAN (vlan)

Field | Field Name | Type
vlan.cfi | CFI | Unsigned 16-bit integer
vlan.etype | Type | Unsigned 16-bit integer
vlan.id | ID | Unsigned 16-bit integer
vlan.len | Length | Unsigned 16-bit integer
vlan.priority | Priority | Unsigned 16-bit integer
vlan.trailer | Trailer | Byte array

802.1x Authentication (eapol)


Table A-2. 802.1x Authentication (eapol)

Field | Field Name | Type
eapol.keydes.index.indexnum | Index Number | Unsigned 8-bit integer
eapol.keydes.index.keytype | Key Type | Boolean
eapol.keydes.key | Key | Byte array
eapol.keydes.key_iv | Key IV | Byte array
eapol.keydes.key_signature | Key Signature | Byte array
eapol.keydes.keylen | Key Length | Unsigned 16-bit integer
eapol.keydes.replay_counter | Replay Counter |
eapol.keydes.type | Descriptor Type | Unsigned 8-bit integer
eapol.len | Length | Unsigned 16-bit integer
eapol.type | Type | Unsigned 8-bit integer
eapol.version | Version | Unsigned 8-bit integer


AOL Instant Messenger (aim)


Table A-3. AOL Instant Messenger (aim)

Field | Field Name | Type
aim.channel | Channel ID | Unsigned 8-bit integer
aim.cmd_start | Command Start | Unsigned 8-bit integer
aim.datalen | Data Field Length | Unsigned 16-bit integer
aim.fnac.family | FNAC Family ID | Unsigned 16-bit integer
aim.fnac.subtype | FNAC Subtype ID | Unsigned 16-bit integer
aim.seqno | Sequence Number | Unsigned 16-bit integer

ATM (atm)
Table A-4. ATM (atm)

Field | Field Name | Type
atm.vci | VCI | Unsigned 16-bit integer
atm.vpi | VPI | Unsigned 8-bit integer

ATM LAN Emulation (lane)


Table A-5. ATM LAN Emulation (lane) Field Field Name Type

Ad hoc On-demand Distance Vector Routing Protocol (aodv)


Table A-6. Ad hoc On-demand Distance Vector Routing Protocol (aodv)

Field | Field Name | Type
aodv.dest_ip | Destination IP | IPv4 address
aodv.dest_seqno | Destination Sequence Number | Unsigned 32-bit integer
aodv.destcount | Destination Count | Unsigned 8-bit integer
aodv.flags | Flags | Unsigned 16-bit integer
aodv.flags.rerr_nodelete | RERR No Delete | Boolean
aodv.flags.rrep_ack | RREP Acknowledgement | Boolean
aodv.flags.rrep_repair | RREP Repair | Boolean
aodv.flags.rreq_gratuitous | RREQ Gratuitous | Boolean
aodv.flags.rreq_join | RREQ Join | Boolean
aodv.flags.rreq_repair | RREQ Repair | Boolean
aodv.hopcount | Hop Count | Unsigned 8-bit integer
aodv.lifetime | Lifetime | Unsigned 32-bit integer
aodv.orig_ip | Originator IP | IPv4 address
aodv.orig_seqno | Originator Sequence Number | Unsigned 32-bit integer
aodv.rreq_id | RREQ Id | Unsigned 32-bit integer
aodv.type | Type | Unsigned 8-bit integer
aodv.unreach_dest_ip | Unreachable Destination IP | IPv4 address
aodv.unreach_dest_seqno | Unreachable Destination Sequence Number | Unsigned 32-bit integer

Ad hoc On-demand Distance Vector Routing Protocol v6 (aodv6)


Table A-7. Ad hoc On-demand Distance Vector Routing Protocol v6 (aodv6)

Field | Field Name | Type
aodv6.dest_ip | Destination IP | IPv6 address
aodv6.dest_seqno | Destination Sequence Number | Unsigned 32-bit integer
aodv6.destcount | Destination Count | Unsigned 8-bit integer
aodv6.ext_length | Extension Length | Unsigned 8-bit integer
aodv6.ext_type | Extension Type | Unsigned 8-bit integer
aodv6.flags | Flags | Unsigned 16-bit integer
aodv6.flags.rerr_nodelete | RERR No Delete | Boolean
aodv6.flags.rrep_ack | RREP Acknowledgment | Boolean
aodv6.flags.rrep_repair | RREP Repair | Boolean
aodv6.flags.rreq_gratuitous | RREQ Gratuitous | Boolean
aodv6.flags.rreq_join | RREQ Join | Boolean
aodv6.flags.rreq_repair | RREQ Repair | Boolean
aodv6.hello_interval | Hello Interval | Unsigned 32-bit integer
aodv6.hopcount | Hop Count | Unsigned 8-bit integer
aodv6.lifetime | Lifetime | Unsigned 32-bit integer
aodv6.orig_ip | Originator IP | IPv6 address
aodv6.orig_seqno | Originator Sequence Number | Unsigned 32-bit integer
aodv6.rreq_id | RREQ ID | Unsigned 32-bit integer
aodv6.timestamp | Timestamp |
aodv6.type | Type | Unsigned 8-bit integer
aodv6.unreach_dest_ip | Unreachable Destination IP | IPv6 address
aodv6.unreach_dest_seqno | Unreachable Destination Sequence Number | Unsigned 32-bit integer

Address Resolution Protocol (arp)


Table A-8. Address Resolution Protocol (arp)

Field | Field Name | Type
arp.dst.atm_num_e164 | Target ATM number (E.164) | String
arp.dst.atm_num_nsap | Target ATM number (NSAP) | Byte array
arp.dst.atm_subaddr | Target ATM subaddress | Byte array
arp.dst.hlen | Target ATM number length | Unsigned 8-bit integer
arp.dst.htype | Target ATM number type | Boolean
arp.dst.hw | Target hardware address | Byte array
arp.dst.hw_mac | Target MAC address | 6-byte Hardware (MAC) Address
arp.dst.pln | Target protocol size | Unsigned 8-bit integer
arp.dst.proto | Target protocol address | Byte array
arp.dst.proto_ipv4 | Target IP address | IPv4 address
arp.dst.slen | Target ATM subaddress length | Unsigned 8-bit integer
arp.dst.stype | Target ATM subaddress type | Boolean
arp.hw.size | Hardware size | Unsigned 8-bit integer
arp.hw.type | Hardware type | Unsigned 16-bit integer
arp.opcode | Opcode | Unsigned 16-bit integer
arp.proto.size | Protocol size | Unsigned 8-bit integer
arp.proto.type | Protocol type | Unsigned 16-bit integer
arp.src.atm_num_e164 | Sender ATM number (E.164) | String
arp.src.atm_num_nsap | Sender ATM number (NSAP) | Byte array
arp.src.atm_subaddr | Sender ATM subaddress | Byte array
arp.src.hlen | Sender ATM number length | Unsigned 8-bit integer
arp.src.htype | Sender ATM number type | Boolean
arp.src.hw | Sender hardware address | Byte array
arp.src.hw_mac | Sender MAC address | 6-byte Hardware (MAC) Address
arp.src.pln | Sender protocol size | Unsigned 8-bit integer
arp.src.proto | Sender protocol address | Byte array
arp.src.proto_ipv4 | Sender IP address | IPv4 address
arp.src.slen | Sender ATM subaddress length | Unsigned 8-bit integer
arp.src.stype | Sender ATM subaddress type | Boolean

Aggregate Server Access Protocol (asap)


Table A-9. Aggregate Server Access Protocol (asap)

Field | Field Name | Type
asap.cause.code | Cause code | Unsigned 16-bit integer
asap.cause.info | Cause info | Byte array
asap.cause.length | Cause length | Unsigned 16-bit integer
asap.cause.padding | Padding | Byte array
asap.cookie.cookie | Cookie | Byte array
asap.ipv4_address.ipv4_address | IP Version 4 address | IPv4 address
asap.ipv6_address.ipv6_address | IP Version 6 address | IPv6 address
asap.message_flags | Flags | Unsigned 8-bit integer
asap.message_length | Length | Unsigned 16-bit integer
asap.message_type | Type | Unsigned 8-bit integer
asap.parameter.length | Parameter length | Unsigned 16-bit integer
asap.parameter.padding | Padding | Byte array
asap.parameter.type | Parameter Type | Unsigned 16-bit integer
asap.parameter.value | Parameter value | Byte array
asap.pe_identifier.pe_identifier | PE identifier | Unsigned 32-bit integer
asap.pool_element.home_enrp_server_identifier | Home ENRP server identifier | Unsigned 32-bit integer
asap.pool_element.pe_identifier | PE identifier | Unsigned 32-bit integer
asap.pool_element.registration_life | Registration life | Signed 32-bit integer
asap.pool_handle.pool_handle | Pool handle | Byte array
asap.pool_member_slection_policy.type | Policy type | Unsigned 8-bit integer
asap.pool_member_slection_policy.value | Policy value | Signed 24-bit integer
asap.sctp_transport.port | Port | Unsigned 16-bit integer
asap.sctp_transport.reserved | Reserved | Unsigned 16-bit integer
asap.server_information.m_bit | M-Bit | Boolean
asap.server_information.reserved | Reserved | Unsigned 32-bit integer
asap.server_information.server_identifier | Server identifier | Unsigned 32-bit integer
asap.tcp_transport.port | Port | Unsigned 16-bit integer
asap.tcp_transport.reserved | Reserved | Unsigned 16-bit integer
asap.udp_transport.port | Port | Unsigned 16-bit integer
asap.udp_transport.reserved | Reserved | Unsigned 16-bit integer


Andrew File System (AFS) (afs)


Table A-10. Andrew File System (AFS) (afs) Field afs.backup afs.backup.errcode afs.backup.opcode afs.bos afs.bos.baktime afs.bos.cell afs.bos.cmd afs.bos.content afs.bos.data afs.bos.date afs.bos.errcode afs.bos.error afs.bos.le afs.bos.ags afs.bos.host afs.bos.instance afs.bos.key afs.bos.keychecksum afs.bos.keymodtime afs.bos.keyspare2 afs.bos.kvno afs.bos.newtime afs.bos.number afs.bos.oldtime afs.bos.opcode afs.bos.parm afs.bos.path afs.bos.size afs.bos.spare1 afs.bos.spare2 afs.bos.spare3 afs.bos.status Field Name Backup Error Code Operation BOS Backup Time Cell Command Content Data Date Error Code Error File Flags Host Instance Key Key Checksum Key Modication Time Key Spare 2 Key Version Number New Time Number Old Time Operation Parm Path Size Spare1 Spare2 Spare3 Status Type Boolean Unsigned 32-bit integer Unsigned 32-bit integer Boolean Date/Time stamp String String String Byte array Unsigned 32-bit integer Unsigned 32-bit integer String String Unsigned 32-bit integer String String Byte array Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer String String Unsigned 32-bit integer String String String Signed 32-bit integer

109

Appendix A. Ethereal Display Filter Fields

Field afs.bos.statusdesc afs.bos.type afs.bos.user afs.cb afs.cb.callback.expires afs.cb.callback.type afs.cb.callback.version afs.cb.errcode afs.cb.d.uniq afs.cb.d.vnode afs.cb.d.volume afs.cb.opcode afs.error afs.error.opcode afs.fs afs.fs.acl.a afs.fs.acl.count.negative afs.fs.acl.count.positive afs.fs.acl.d afs.fs.acl.datasize afs.fs.acl.entity afs.fs.acl.i afs.fs.acl.k afs.fs.acl.l afs.fs.acl.r afs.fs.acl.w afs.fs.callback.expires afs.fs.callback.type afs.fs.callback.version afs.fs.cps.spare1 afs.fs.cps.spare2 afs.fs.cps.spare3 afs.fs.data afs.fs.errcode afs.fs.d.uniq afs.fs.d.vnode

Field Name Status Description Type User Callback Expires Type Version Error Code FileID (Uniqier) FileID (VNode) FileID (Volume) Operation Error Operation File Server _A_dminister ACL Count (Negative) ACL Count (Positive) _D_elete ACL Size Entity (User/Group) _I_nsert _L_ock _L_ookup _R_ead _W_rite Expires Type Version CPS Spare1 CPS Spare2 CPS Spare3 Data Error Code FileID (Uniqier) FileID (VNode)

Type String String String Boolean Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Unsigned 32-bit integer Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Boolean Unsigned 32-bit integer String Boolean Boolean Boolean Boolean Boolean Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

110

Appendix A. Ethereal Display Filter Fields

Field afs.fs.d.volume afs.fs.ength afs.fs.ipaddr afs.fs.length afs.fs.motd afs.fs.name afs.fs.newname afs.fs.ofinemsg afs.fs.offset afs.fs.oldname afs.fs.opcode

Field Name FileID (Volume) FLength IP Address Length Message of the Day Name New Name Ofine Message Offset Old Name Operation

Type Unsigned 32-bit integer Unsigned 32-bit integer IPv4 address Unsigned 32-bit integer String String String String Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer

afs.fs.status.anonymousaccess Anonymous Access afs.fs.status.author afs.fs.status.calleraccess afs.fs.status.dataversion Author Caller Access Data Version

afs.fs.status.clientmodtime Client Modication Time afs.fs.status.dataversionhighData Version (High) afs.fs.status.letype afs.fs.status.group File Type Group

afs.fs.status.interfaceversionInterface Version afs.fs.status.length afs.fs.status.linkcount afs.fs.status.mask afs.fs.status.mask.fsync Length Link Count Mask FSync

afs.fs.status.mask.setgroup Set Group afs.fs.status.mask.setmode Set Mode afs.fs.status.mask.setmodtime Modication Time Set afs.fs.status.mask.setowner Set Owner afs.fs.status.mask.setsegsizeSet Segment Size afs.fs.status.mode afs.fs.status.owner Unix Mode Owner

111

Appendix A. Ethereal Display Filter Fields

Field afs.fs.status.parentunique afs.fs.status.parentvnode afs.fs.status.segsize

Field Name Parent Unique Parent VNode Segment Size

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String Date/Time stamp Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Byte array String Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer String

afs.fs.status.servermodtime Server Modication Time afs.fs.status.spare2 afs.fs.status.spare3 afs.fs.status.spare4 afs.fs.status.synccounter afs.fs.symlink.content afs.fs.symlink.name afs.fs.timestamp afs.fs.token afs.fs.viceid afs.fs.vicelocktype afs.fs.volid afs.fs.volname afs.fs.volsync.spare1 afs.fs.volsync.spare2 afs.fs.volsync.spare3 afs.fs.volsync.spare4 afs.fs.volsync.spare5 afs.fs.volsync.spare6 afs.fs.xstats.clientversion afs.fs.xstats.collnumber afs.fs.xstats.timestamp afs.fs.xstats.version afs.kauth afs.kauth.data afs.kauth.domain afs.kauth.errcode afs.kauth.kvno afs.kauth.name afs.kauth.opcode afs.kauth.princ Spare 2 Spare 3 Spare 4 Sync Counter Symlink Content Symlink Name Timestamp Token Vice ID Vice Lock Type Volume ID Volume Name Volume Creation Timestamp Spare 2 Spare 3 Spare 4 Spare 5 Spare 6 Client Version Collection Number XStats Timestamp XStats Version KAuth Data Domain Error Code Key Version Number Name Operation Principal


Field                     Field Name           Type
afs.kauth.realm           Realm                String
afs.prot                  Protection           Boolean
afs.prot.count            Count                Unsigned 32-bit integer
afs.prot.errcode          Error Code           Unsigned 32-bit integer
afs.prot.flag             Flag                 Unsigned 32-bit integer
afs.prot.gid              Group ID             Unsigned 32-bit integer
afs.prot.id               ID                   Unsigned 32-bit integer
afs.prot.maxgid           Maximum Group ID     Unsigned 32-bit integer
afs.prot.maxuid           Maximum User ID      Unsigned 32-bit integer
afs.prot.name             Name                 String
afs.prot.newid            New ID               Unsigned 32-bit integer
afs.prot.oldid            Old ID               Unsigned 32-bit integer
afs.prot.opcode           Operation            Unsigned 32-bit integer
afs.prot.pos              Position             Unsigned 32-bit integer
afs.prot.uid              User ID              Unsigned 32-bit integer
afs.rmtsys                Rmtsys               Boolean
afs.rmtsys.opcode         Operation            Unsigned 32-bit integer
afs.ubik                  Ubik                 Boolean
afs.ubik.activewrite      Active Write         Unsigned 32-bit integer
afs.ubik.addr             Address              IPv4 address
afs.ubik.amsyncsite       Am Sync Site         Unsigned 32-bit integer
afs.ubik.anyreadlocks     Any Read Locks       Unsigned 32-bit integer
afs.ubik.anywritelocks    Any Write Locks      Unsigned 32-bit integer
afs.ubik.beaconsincedown  Beacon Since Down    Unsigned 32-bit integer
afs.ubik.currentdb        Current DB           Unsigned 32-bit integer
afs.ubik.currenttran      Current Transaction  Unsigned 32-bit integer
afs.ubik.epochtime        Epoch Time           Date/Time stamp
afs.ubik.errcode          Error Code           Unsigned 32-bit integer
afs.ubik.file             File                 Unsigned 32-bit integer
afs.ubik.interface        Interface Address    IPv4 address
afs.ubik.isclone          Is Clone             Unsigned 32-bit integer
afs.ubik.lastbeaconsent   Last Beacon Sent     Date/Time stamp
afs.ubik.lastvote         Last Vote            Unsigned 32-bit integer
afs.ubik.lastvotetime     Last Vote Time       Date/Time stamp
afs.ubik.lastyesclaim     Last Yes Claim       Date/Time stamp
afs.ubik.lastyeshost      Last Yes Host        IPv4 address


Field                      Field Name          Type
afs.ubik.lastyesstate      Last Yes State      Unsigned 32-bit integer
afs.ubik.lastyesttime      Last Yes Time       Date/Time stamp
afs.ubik.length            Length              Unsigned 32-bit integer
afs.ubik.lockedpages       Locked Pages        Unsigned 32-bit integer
afs.ubik.locktype          Lock Type           Unsigned 32-bit integer
afs.ubik.lowesthost        Lowest Host         IPv4 address
afs.ubik.lowesttime        Lowest Time         Date/Time stamp
afs.ubik.now               Now                 Date/Time stamp
afs.ubik.nservers          Number of Servers   Unsigned 32-bit integer
afs.ubik.opcode            Operation           Unsigned 32-bit integer
afs.ubik.position          Position            Unsigned 32-bit integer
afs.ubik.recoverystate     Recovery State      Unsigned 32-bit integer
afs.ubik.site              Site                IPv4 address
afs.ubik.state             State               Unsigned 32-bit integer
afs.ubik.synchost          Sync Host           IPv4 address
afs.ubik.syncsiteuntil     Sync Site Until     Date/Time stamp
afs.ubik.synctime          Sync Time           Date/Time stamp
afs.ubik.tidcounter        TID Counter         Unsigned 32-bit integer
afs.ubik.up                Up                  Unsigned 32-bit integer
afs.ubik.version.counter   Counter             Unsigned 32-bit integer
afs.ubik.version.epoch     Epoch               Date/Time stamp
afs.ubik.voteend           Vote Ends           Date/Time stamp
afs.ubik.votestart         Vote Started        Date/Time stamp
afs.ubik.votetype          Vote Type           Unsigned 32-bit integer
afs.ubik.writelockedpages  Write Locked Pages  Unsigned 32-bit integer
afs.ubik.writetran         Write Transaction   Unsigned 32-bit integer
afs.update                 Update              Boolean
afs.update.opcode          Operation           Unsigned 32-bit integer
afs.vldb                   VLDB                Boolean
afs.vldb.bkvol             Backup Volume ID    Unsigned 32-bit integer
afs.vldb.bump              Bumped Volume ID    Unsigned 32-bit integer
afs.vldb.clonevol          Clone Volume ID     Unsigned 32-bit integer
afs.vldb.count             Volume Count        Unsigned 32-bit integer
afs.vldb.errcode           Error Code          Unsigned 32-bit integer
afs.vldb.flags             Flags               Unsigned 32-bit integer
afs.vldb.flags.bkexists    Backup Exists       Boolean


Field                      Field Name             Type
afs.vldb.flags.dfsfileset  DFS Fileset            Boolean
afs.vldb.flags.roexists    Read-Only Exists       Boolean
afs.vldb.flags.rwexists    Read/Write Exists      Boolean
afs.vldb.id                Volume ID              Unsigned 32-bit integer
afs.vldb.index             Volume Index           Unsigned 32-bit integer
afs.vldb.name              Volume Name            String
afs.vldb.nextindex         Next Volume Index      Unsigned 32-bit integer
afs.vldb.numservers        Number of Servers      Unsigned 32-bit integer
afs.vldb.opcode            Operation              Unsigned 32-bit integer
afs.vldb.partition         Partition              String
afs.vldb.rovol             Read-Only Volume ID    Unsigned 32-bit integer
afs.vldb.rwvol             Read-Write Volume ID   Unsigned 32-bit integer
afs.vldb.server            Server                 IPv4 address
afs.vldb.serverflags       Server Flags           Unsigned 32-bit integer
afs.vldb.serverip          Server IP              IPv4 address
afs.vldb.serveruniq        Server Unique Address  Unsigned 32-bit integer
afs.vldb.serveruuid        Server UUID            Byte array
afs.vldb.spare1            Spare 1                Unsigned 32-bit integer
afs.vldb.spare2            Spare 2                Unsigned 32-bit integer
afs.vldb.spare3            Spare 3                Unsigned 32-bit integer
afs.vldb.spare4            Spare 4                Unsigned 32-bit integer
afs.vldb.spare5            Spare 5                Unsigned 32-bit integer
afs.vldb.spare6            Spare 6                Unsigned 32-bit integer
afs.vldb.spare7            Spare 7                Unsigned 32-bit integer
afs.vldb.spare8            Spare 8                Unsigned 32-bit integer
afs.vldb.spare9            Spare 9                Unsigned 32-bit integer
afs.vldb.type              Volume Type            Unsigned 32-bit integer
afs.vol                    Volume Server          Boolean
afs.vol.count              Volume Count           Unsigned 32-bit integer
afs.vol.errcode            Error Code             Unsigned 32-bit integer
afs.vol.id                 Volume ID              Unsigned 32-bit integer
afs.vol.name               Volume Name            String
afs.vol.opcode             Operation              Unsigned 32-bit integer


Apache JServ Protocol v1.3 (ajp13)


Table A-11. Apache JServ Protocol v1.3 (ajp13)

Field          Field Name  Type
ajp13.code     Code        String
ajp13.data     Data        String
ajp13.hname    HNAME       String
ajp13.hval     HVAL        String
ajp13.len      Length      Unsigned 16-bit integer
ajp13.magic    Magic       Byte array
ajp13.method   Method      String
ajp13.nhdr     NHDR        Unsigned 16-bit integer
ajp13.port     PORT        Unsigned 16-bit integer
ajp13.raddr    RADDR       String
ajp13.reusep   REUSEP      Unsigned 8-bit integer
ajp13.rhost    RHOST       String
ajp13.rlen     RLEN        Unsigned 16-bit integer
ajp13.rmsg     RSMSG       String
ajp13.rstatus  RSTATUS     Unsigned 16-bit integer
ajp13.srv      SRV         String
ajp13.sslp     SSLP        Unsigned 8-bit integer
ajp13.uri      URI         String
ajp13.ver      Version     String

AppleTalk Filing Protocol (afp)


Table A-12. AppleTalk Filing Protocol (afp) Field afp.AFPVersion afp.UAM afp.access afp.access.deny_read afp.access.deny_write afp.access.read afp.access.write Field Name AFP Version UAM Access mode Deny read Deny write Read Write Unsigned 8-bit integer Boolean Boolean Boolean Boolean Type


Field afp.actual_count afp.appl_index afp.appl_tag afp.backup_date afp.cat_count afp.cat_position afp.cat_req_matches afp.command afp.comment afp.create_flag afp.creation_date afp.data_fork_len afp.did afp.dir_ar afp.dir_ar.blank afp.dir_ar.e_read afp.dir_ar.e_search afp.dir_ar.e_write afp.dir_ar.g_read afp.dir_ar.g_search afp.dir_ar.g_write afp.dir_ar.o_read afp.dir_ar.o_search afp.dir_ar.o_write afp.dir_ar.u_owner afp.dir_ar.u_read afp.dir_ar.u_search afp.dir_ar.u_write

Field Name Count Index Tag Backup date Cat count Position Max answers Command Comment Hard create Creation date Data fork size DID Access rights Blank access right Everyone has read access

Type Signed 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer Byte array Signed 32-bit integer Unsigned 8-bit integer Boolean Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Boolean

Everyone has search access Boolean Everyone has write access Boolean Group has read access Group has search access Group has write access Owner has read access Owner has search access Owner has write access User is the owner User has read access User has search access User has write access Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean

afp.dir_attribute.backup_needed Backup needed afp.dir_attribute.delete_inhibit Delete inhibit afp.dir_attribute.in_exported_folder Shared area afp.dir_attribute.invisible Invisible

afp.dir_attribute.mounted Mounted


Field

Field Name

Type Boolean Boolean Boolean Boolean Unsigned 16-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Signed 32-bit integer Unsigned 16-bit integer Signed 32-bit integer Unsigned 16-bit integer

afp.dir_attribute.rename_inhibit Rename inhibit afp.dir_attribute.set_clear afp.dir_attribute.share afp.dir_attribute.system afp.dir_bitmap Set Share point System Directory bitmap

afp.dir_bitmap.UTF8_name UTF-8 name afp.dir_bitmap.access_rights Access rights afp.dir_bitmap.attributes Attributes

afp.dir_bitmap.backup_date Backup date afp.dir_bitmap.create_date Creation date afp.dir_bitmap.did afp.dir_bitmap.fid afp.dir_bitmap.group_id afp.dir_bitmap.mod_date DID File ID Group id Modification date

afp.dir_bitmap.finder_info Finder info afp.dir_bitmap.long_name Long name afp.dir_bitmap.offspring_count Offspring count afp.dir_bitmap.owner_id Owner id

afp.dir_bitmap.short_name Short name afp.dir_bitmap.unix_privs UNIX privileges afp.dir_group_id afp.dir_offspring afp.dir_owner_id afp.dt_ref afp.ext_data_fork_len afp.ext_resource_fork_len Group ID Offspring Owner ID DT ref Extended data fork size Extended resource fork size

afp.file_attribute.backup_needed Backup needed afp.file_attribute.copy_protect Copy protect

Boolean Boolean


Field

Field Name

Type Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 16-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean

afp.file_attribute.delete_inhibit Delete inhibit afp.file_attribute.df_open afp.file_attribute.invisible Data fork open Invisible

afp.file_attribute.multi_user Multi user afp.file_attribute.rename_inhibit Rename inhibit afp.file_attribute.rf_open afp.file_attribute.system Resource fork open System

afp.file_attribute.set_clear Set afp.file_attribute.write_inhibit Write inhibit afp.file_bitmap File bitmap

afp.file_bitmap.UTF8_name UTF-8 name afp.file_bitmap.attributes Attributes

afp.file_bitmap.backup_date Backup date afp.file_bitmap.create_date Creation date afp.file_bitmap.data_fork_len Data fork size afp.file_bitmap.did DID

afp.file_bitmap.ex_data_fork_len Extended data fork size afp.file_bitmap.ex_resource_fork_len Extended resource fork size afp.file_bitmap.fid File ID afp.file_bitmap.finder_info Finder info afp.file_bitmap.launch_limit Launch limit afp.file_bitmap.long_name Long name afp.file_bitmap.mod_date Modification date

afp.file_bitmap.resource_fork_len Resource fork size afp.file_bitmap.short_name Short name


Field afp.file_creator afp.file_flag afp.file_id afp.file_type afp.finder_info afp.flag afp.fork_type afp.group_ID afp.icon_index afp.icon_length afp.icon_tag afp.icon_type afp.last_written afp.last_written64 afp.lock_from afp.lock_len afp.lock_len64 afp.lock_offset afp.lock_offset64 afp.lock_op afp.lock_range_start afp.lock_range_start64 afp.long_name_offset afp.map_id afp.map_id_type afp.map_name afp.map_name_type afp.modification_date afp.newline_char afp.newline_mask afp.offset afp.offset64 afp.ofork afp.ofork_len afp.pad

Field Name File creator Dir File ID File type Finder info From Resource fork Group ID Index Size Tag Icon type Last written Last written End Length Length Offset Offset unlock Start Start Long name offset ID Type Name Type Modification date Newline char Newline mask Offset Offset Fork New length Pad

Type Boolean String Boolean Unsigned 32-bit integer String Byte array Unsigned 8-bit integer Boolean Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Boolean Signed 32-bit integer Signed 32-bit integer Boolean Signed 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Date/Time stamp Unsigned 8-bit integer Unsigned 8-bit integer Signed 32-bit integer Unsigned 16-bit integer Signed 32-bit integer No value

afp.file_bitmap.unix_privs UNIX privileges


Field afp.passwd afp.path_len afp.path_name afp.path_type afp.reply_size afp.req_count afp.reserved afp.resource_fork_len afp.rw_count afp.rw_count64 afp.server_time afp.session_token afp.session_token_len afp.session_token_type afp.short_name_offset afp.start_index afp.struct_size afp.unicode_name_offset afp.unix_privs.gid

Field Name Password Len Name Type Reply size Req count Reserved Resource fork size Count Count Server time Token Len Type Short name offset Start index Struct size Unicode name offset GID

Type String Unsigned 8-bit integer String Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Byte array Unsigned 32-bit integer Signed 32-bit integer Date/Time stamp Byte array Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Boolean Boolean Unsigned 8-bit integer Boolean Boolean Boolean Boolean

afp.unix_privs.permissions Permissions afp.unix_privs.ua_permissions Users access rights afp.unix_privs.uid afp.user afp.user_ID afp.user_bitmap afp.user_bitmap.GID afp.user_bitmap.UID afp.user_flag UID User User ID Bitmap Primary group ID User ID Flag

afp.vol_attribute.blank_access_privs Blank access privileges afp.vol_attribute.cat_search Catalog search afp.vol_attribute.fileIDs afp.vol_attribute.passwd File IDs Volume password


Field

Field Name

Type Boolean Boolean Boolean Unsigned 16-bit integer Date/Time stamp Unsigned 16-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp

afp.vol_attribute.read_only Read only afp.vol_attribute.unix_privs UNIX access privileges afp.vol_attribute.utf8_names UTF-8 names afp.vol_attributes afp.vol_backup_date afp.vol_bitmap afp.vol_bitmap.attributes Attributes Backup date Bitmap Attributes

afp.vol_bitmap.backup_date Backup date afp.vol_bitmap.block_size Block size afp.vol_bitmap.bytes_free Bytes free afp.vol_bitmap.bytes_total Bytes total afp.vol_bitmap.create_date Creation date afp.vol_bitmap.ex_bytes_free Extended bytes free afp.vol_bitmap.ex_bytes_total Extended bytes total afp.vol_bitmap.id afp.vol_bitmap.name afp.vol_bitmap.signature afp.vol_block_size afp.vol_bytes_free afp.vol_bytes_total afp.vol_creation_date afp.vol_ex_bytes_free afp.vol_ex_bytes_total afp.vol_flag_passwd afp.vol_flag_unix_priv afp.vol_id afp.vol_name afp.vol_name_offset afp.vol_signature ID Name Signature Block size Bytes free Bytes total Creation date Extended bytes free Extended bytes total Password Unix privs Volume id Volume Volume name offset Signature

afp.vol_bitmap.mod_date Modification date

Boolean Boolean Unsigned 16-bit integer Date/Time stamp Unsigned 16-bit integer Unsigned 16-bit integer

afp.vol_modification_date Modification date


AppleTalk Session Protocol (asp)


Table A-13. AppleTalk Session Protocol (asp) Field asp.attn_code asp.error asp.function asp.init_error asp.seq asp.server_addr.len asp.server_addr.type asp.server_addr.value asp.server_directory asp.server_flag asp.server_flag.copyfile asp.server_flag.directory asp.server_flag.fast_copy Field Name Attn code asp error asp function Error Sequence Length Type Value Directory service Flag Support copyfile Support fast copy Unsigned 16-bit integer Boolean Boolean Type Unsigned 16-bit integer Signed 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Byte array

Support directory services Boolean

asp.server_flag.no_save_passwd Dont allow save password Boolean asp.server_flag.notify asp.server_flag.passwd asp.server_flag.reconnect asp.server_flag.srv_msg asp.server_flag.srv_sig asp.server_flag.tcpip asp.server_icon asp.server_name asp.server_signature asp.server_type asp.server_uams asp.server_vers asp.session_id asp.size asp.socket asp.version asp.zero_value Support server notifications Support server reconnect Support server message Support server signature Support TCP/IP Icon bitmap Server name Server signature Server type UAM AFP version Session ID size Socket Version Pad (0) Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Byte array Byte array Boolean

Support change password Boolean Boolean Boolean Boolean Boolean Byte array


AppleTalk Transaction Protocol packet (atp)


Table A-14. AppleTalk Transaction Protocol packet (atp)

Field                         Field Name                            Type
atp.bitmap                    Bitmap                                Unsigned 8-bit integer
atp.ctrlinfo                  Control info                          Unsigned 8-bit integer
atp.eom                       EOM                                   Boolean
atp.fragment                  ATP Fragment                          No value
atp.fragments                 ATP Fragments                         No value
atp.function                  Function                              Unsigned 8-bit integer
atp.segment.error             Desegmentation error                  No value
atp.segment.multipletails     Multiple tail segments found          Boolean
atp.segment.overlap           Segment overlap                       Boolean
atp.segment.overlap.conflict  Conflicting data in seagment overlap  Boolean
atp.segment.toolongsegment    Segment too long                      Boolean
atp.sts                       STS                                   Boolean
atp.tid                       TID                                   Unsigned 16-bit integer
atp.treltimer                 TRel timer                            Unsigned 8-bit integer
atp.user_bytes                User bytes                            Unsigned 32-bit integer
atp.xo                        XO                                    Boolean

Appletalk Address Resolution Protocol (aarp)


Table A-15. Appletalk Address Resolution Protocol (aarp)

Field              Field Name               Type
aarp.dst.hw        Target hardware address  Byte array
aarp.dst.hw_mac    Target MAC address       6-byte Hardware (MAC) Address
aarp.dst.proto     Target protocol address  Byte array
aarp.dst.proto_id  Target ID                Byte array
aarp.hard.size     Hardware size            Unsigned 8-bit integer
aarp.hard.type     Hardware type            Unsigned 16-bit integer
aarp.opcode        Opcode                   Unsigned 16-bit integer
aarp.proto.size    Protocol size            Unsigned 8-bit integer
aarp.proto.type    Protocol type            Unsigned 16-bit integer
aarp.src.hw        Sender hardware address  Byte array
aarp.src.hw_mac    Sender MAC address       6-byte Hardware (MAC) Address
aarp.src.proto     Sender protocol address  Byte array
aarp.src.proto_id  Sender ID                Byte array

Async data over ISDN (V.120) (v120)


Table A-16. Async data over ISDN (V.120) (v120)

Field         Field Name     Type
v120.address  Link Address   Unsigned 16-bit integer
v120.control  Control Field  Unsigned 16-bit integer
v120.header   Header Field   String

Authentication Header (ah)


Table A-17. Authentication Header (ah)

Field        Field Name  Type
ah.sequence  Sequence    Unsigned 32-bit integer
ah.spi       SPI         Unsigned 32-bit integer

BACnet Virtual Link Control (bvlc)


Table A-18. BACnet Virtual Link Control (bvlc)

Field             Field Name  Type
bvlc.bdt_ip       IP          IPv4 address
bvlc.bdt_mask     Mask        Byte array
bvlc.bdt_port     Port        Unsigned 16-bit integer
bvlc.fdt_ip       IP          IPv4 address
bvlc.fdt_port     Port        Unsigned 16-bit integer
bvlc.fdt_timeout  Timeout     Unsigned 16-bit integer
bvlc.fdt_ttl      TTL         Unsigned 16-bit integer
bvlc.function     Function    Unsigned 8-bit integer
bvlc.fwd_ip       IP          IPv4 address
bvlc.fwd_port     Port        Unsigned 16-bit integer
bvlc.length       Length      Unsigned 16-bit integer
bvlc.reg_ttl      TTL         Unsigned 16-bit integer
bvlc.result       Result      Unsigned 16-bit integer
bvlc.type         Type        Unsigned 8-bit integer

Banyan Vines (vines)


Table A-19. Banyan Vines (vines)

Field           Field Name  Type
vines.protocol  Protocol    Unsigned 8-bit integer

Banyan Vines Fragmentation Protocol (vines_frp)


Table A-20. Banyan Vines Fragmentation Protocol (vines_frp)

Field  Field Name  Type

Banyan Vines SPP (vines_spp)


Table A-21. Banyan Vines SPP (vines_spp)

Field  Field Name  Type

Blocks Extensible Exchange Protocol (beep)


Table A-22. Blocks Extensible Exchange Protocol (beep)

Field                   Field Name               Type
beep.ansno              Ansno                    Unsigned 32-bit integer
beep.channel            Channel                  Unsigned 32-bit integer
beep.end                End                      Boolean
beep.more.complete      Complete                 Boolean
beep.more.intermediate  Intermediate             Boolean
beep.msgno              Msgno                    Unsigned 32-bit integer
beep.req                Request                  Boolean
beep.req.channel        Request Channel Number   Unsigned 32-bit integer
beep.rsp                Response                 Boolean
beep.rsp.channel        Response Channel Number  Unsigned 32-bit integer
beep.seq                Sequence                 Boolean
beep.seq.ackno          Ackno                    Unsigned 32-bit integer
beep.seq.channel        Sequence Channel Number  Unsigned 32-bit integer
beep.seq.window         Window                   Unsigned 32-bit integer
beep.seqno              Seqno                    Unsigned 32-bit integer
beep.size               Size                     Unsigned 32-bit integer
beep.status.negative    Negative                 Boolean
beep.status.positive    Positive                 Boolean
beep.violation          Protocol Violation       Boolean

Boot Parameters (bootparams)


Table A-23. Boot Parameters (bootparams)

Field                  Field Name      Type
bootparams.domain      Client Domain   String
bootparams.fileid      File ID         String
bootparams.filepath    File Path       String
bootparams.host        Client Host     String
bootparams.hostaddr    Client Address  IPv4 address
bootparams.routeraddr  Router Address  IPv4 address
bootparams.type        Address Type    Unsigned 32-bit integer


Bootstrap Protocol (bootp)


Table A-24. Bootstrap Protocol (bootp)

Field                 Field Name                Type
bootp.cookie          Magic cookie              IPv4 address
bootp.dhcp            Frame is DHCP             Boolean
bootp.file            Boot file name            String
bootp.flags           Bootp flags               Unsigned 16-bit integer
bootp.flags.bc        Broadcast flag            Boolean
bootp.flags.reserved  Reserved flags            Unsigned 16-bit integer
bootp.hops            Hops                      Unsigned 8-bit integer
bootp.hw.addr         Client hardware address   Byte array
bootp.hw.len          Hardware address length   Unsigned 8-bit integer
bootp.hw.type         Hardware type             Unsigned 8-bit integer
bootp.id              Transaction ID            Unsigned 32-bit integer
bootp.ip.client       Client IP address         IPv4 address
bootp.ip.relay        Relay agent IP address    IPv4 address
bootp.ip.server       Next server IP address    IPv4 address
bootp.ip.your         Your (client) IP address  IPv4 address
bootp.secs            Seconds elapsed           Unsigned 16-bit integer
bootp.server          Server host name          String
bootp.type            Message type              Unsigned 8-bit integer
bootp.vendor          Bootp Vendor Options      Byte array

Border Gateway Protocol (bgp)


Table A-25. Border Gateway Protocol (bgp)

Field     Field Name        Type
bgp.type  BGP message type  Unsigned 8-bit integer

Building Automation and Control Network APDU (bacapp)


Table A-26. Building Automation and Control Network APDU (bacapp)

Field               Field Name  Type
bacapp.bacapp_type  APDU Type   Unsigned 8-bit integer

Building Automation and Control Network NPDU (bacnet)


Table A-27. Building Automation and Control Network NPDU (bacnet)

Field                     Field Name                            Type
bacnet.control            Control                               Unsigned 8-bit integer
bacnet.control_dest       Destination Specifier                 Boolean
bacnet.control_expect     Expecting Reply                       Boolean
bacnet.control_net        NSDU contains                         Boolean
bacnet.control_prio_high  Priority                              Boolean
bacnet.control_prio_low   Priority                              Boolean
bacnet.control_res1       Reserved                              Boolean
bacnet.control_res2       Reserved                              Boolean
bacnet.control_src        Source specifier                      Boolean
bacnet.dadr_eth           Destination ISO 8802-3 MAC Address    6-byte Hardware (MAC) Address
bacnet.dadr_tmp           Unknown Destination MAC               Byte array
bacnet.dlen               Destination MAC Layer Address Length  Unsigned 8-bit integer
bacnet.dnet               Destination Network Address           Unsigned 16-bit integer
bacnet.hopc               Hop Count                             Unsigned 8-bit integer
bacnet.mesgtyp            Message Type                          Unsigned 8-bit integer
bacnet.perf               Performance Index                     Unsigned 8-bit integer
bacnet.pinfo              Port Info                             Unsigned 8-bit integer
bacnet.pinfolen           Port Info Length                      Unsigned 8-bit integer
bacnet.portid             Port ID                               Unsigned 8-bit integer
bacnet.rejectreason       Reject Reason                         Unsigned 8-bit integer
bacnet.rportnum           Number of Port Mappings               Unsigned 8-bit integer
bacnet.sadr_eth           SADR                                  6-byte Hardware (MAC) Address
bacnet.sadr_tmp           Unknown Source MAC                    Byte array
bacnet.slen               Source MAC Layer Address Length       Unsigned 8-bit integer
bacnet.snet               Source Network Address                Unsigned 16-bit integer
bacnet.vendor             Vendor ID                             Unsigned 16-bit integer
bacnet.version            Version                               Unsigned 8-bit integer

Checkpoint FW-1 (fw1)


Table A-28. Checkpoint FW-1 (fw1)

Field          Field Name  Type
fw1.direction  Direction   String
fw1.interface  Interface   String
fw1.type       Type        Unsigned 16-bit integer

Cisco Auto-RP (auto_rp)


Table A-29. Cisco Auto-RP (auto_rp)

Field                 Field Name        Type
auto_rp.group_prefix  Prefix            IPv4 address
auto_rp.holdtime      Holdtime          Unsigned 16-bit integer
auto_rp.mask_len      Mask length       Unsigned 8-bit integer
auto_rp.pim_ver       Version           Unsigned 8-bit integer
auto_rp.prefix_sign   Sign              Unsigned 8-bit integer
auto_rp.rp_addr       RP address        IPv4 address
auto_rp.rp_count      RP count          Unsigned 8-bit integer
auto_rp.type          Packet type       Unsigned 8-bit integer
auto_rp.version       Protocol version  Unsigned 8-bit integer

Cisco Discovery Protocol (cdp)


Table A-30. Cisco Discovery Protocol (cdp)

Field         Field Name  Type
cdp.checksum  Checksum    Unsigned 16-bit integer
cdp.tlv.len   Length      Unsigned 16-bit integer
cdp.tlv.type  Type        Unsigned 16-bit integer
cdp.ttl       TTL         Unsigned 16-bit integer
cdp.version   Version     Unsigned 8-bit integer

Cisco Group Management Protocol (cgmp)


Table A-31. Cisco Group Management Protocol (cgmp)

Field         Field Name                 Type
cgmp.count    Count                      Unsigned 8-bit integer
cgmp.gda      Group Destination Address  6-byte Hardware (MAC) Address
cgmp.type     Type                       Unsigned 8-bit integer
cgmp.usa      Unicast Source Address     6-byte Hardware (MAC) Address
cgmp.version  Version                    Unsigned 8-bit integer

Cisco HDLC (chdlc)


Table A-32. Cisco HDLC (chdlc)

Field           Field Name  Type
chdlc.address   Address     Unsigned 8-bit integer
chdlc.protocol  Protocol    Unsigned 16-bit integer

Cisco Hot Standby Router Protocol (hsrp)


Table A-33. Cisco Hot Standby Router Protocol (hsrp)

Field           Field Name           Type
hsrp.auth_data  Authentication Data  String
hsrp.group      Group                Unsigned 8-bit integer
hsrp.hellotime  Hellotime            Unsigned 8-bit integer
hsrp.holdtime   Holdtime             Unsigned 8-bit integer
hsrp.opcode     Op Code              Unsigned 8-bit integer
hsrp.priority   Priority             Unsigned 8-bit integer
hsrp.reserved   Reserved             Unsigned 8-bit integer
hsrp.state      State                Unsigned 8-bit integer
hsrp.version    Version              Unsigned 8-bit integer
hsrp.virt_ip    Virtual IP Address   IPv4 address

Cisco ISL (isl)


Table A-34. Cisco ISL (isl)

Field               Field Name                     Type
isl.addr            Source or Destination Address  6-byte Hardware (MAC) Address
isl.bpdu            BPDU                           Boolean
isl.crc             CRC                            Unsigned 32-bit integer
isl.dst             Destination                    6-byte Hardware (MAC) Address
isl.dst_route_desc  Destination route descriptor   Unsigned 16-bit integer
isl.esize           Esize                          Unsigned 8-bit integer
isl.explorer        Explorer                       Boolean
isl.fcs_not_incl    FCS Not Included               Boolean
isl.hsa             HSA                            Unsigned 24-bit integer
isl.index           Index                          Unsigned 16-bit integer
isl.len             Length                         Unsigned 16-bit integer
isl.src             Source                         6-byte Hardware (MAC) Address
isl.src_route_desc  Source-route descriptor        Unsigned 16-bit integer
isl.src_vlan_id     Source VLAN ID                 Unsigned 16-bit integer
isl.type            Type                           Unsigned 8-bit integer
isl.user            User                           Unsigned 8-bit integer
isl.user_eth        User                           Unsigned 8-bit integer
isl.vlan_id         VLAN ID                        Unsigned 16-bit integer

Cisco Interior Gateway Routing Protocol (igrp)


Table A-35. Cisco Interior Gateway Routing Protocol (igrp)

Field        Field Name         Type
igrp.as      Autonomous System  Unsigned 16-bit integer
igrp.update  Update Release     Unsigned 8-bit integer

Cisco SLARP (slarp)


Table A-36. Cisco SLARP (slarp)

Field               Field Name                Type
slarp.address       Address                   IPv4 address
slarp.mysequence    Outgoing sequence number  Unsigned 32-bit integer
slarp.ptype         Packet type               Unsigned 32-bit integer
slarp.yoursequence  Returned sequence number  Unsigned 32-bit integer

CoSine IPNOS L2 debug output (cosine)


Table A-37. CoSine IPNOS L2 debug output (cosine)

Field         Field Name  Type
cosine.code1  Code1       Unsigned 32-bit integer
cosine.code2  Code2       Unsigned 32-bit integer
cosine.err    Err         Unsigned 32-bit integer
cosine.off    Pro         Unsigned 32-bit integer
cosine.pri    Pri         Unsigned 32-bit integer
cosine.pro    Pro         Unsigned 32-bit integer
cosine.rm     RM          Unsigned 32-bit integer

Common Open Policy Service (cops)


Table A-38. Common Open Policy Service (cops)

Field                   Field Name                  Type
cops.accttimer.value    Contents: ACCT Timer Value  Unsigned 16-bit integer
cops.c_num              C-Num                       Unsigned 8-bit integer
cops.c_type             C-Type                      Unsigned 8-bit integer
cops.client_type        Client Type                 Unsigned 16-bit integer
cops.context.m_type     M-Type                      Unsigned 16-bit integer
cops.context.r_type     R-Type                      Unsigned 16-bit integer
cops.cperror            Error                       Unsigned 16-bit integer
cops.cperror_sub        Error Sub-code              Unsigned 16-bit integer
cops.decision.cmd       Command-Code                Unsigned 16-bit integer
cops.decision.flags     Flags                       Unsigned 16-bit integer
cops.error              Error                       Unsigned 16-bit integer
cops.error_sub          Error Sub-code              Unsigned 16-bit integer
cops.flags              Flags                       Unsigned 8-bit integer
cops.gperror            Error                       Unsigned 16-bit integer
cops.gperror_sub        Error Sub-code              Unsigned 16-bit integer
cops.in-int.ipv4        IPv4 address                IPv4 address
cops.in-int.ipv6        IPv6 address                IPv6 address
cops.in-out-int.index   ifIndex                     Unsigned 32-bit integer
cops.integrity.key_id   Contents: Key ID            Unsigned 32-bit integer
cops.integrity.seq_num  Contents: Sequence Number   Unsigned 32-bit integer
cops.katimer.value      Contents: KA Timer Value    Unsigned 16-bit integer
cops.lastpdpaddr.ipv4   IPv4 address                IPv4 address
cops.lastpdpaddr.ipv6   IPv6 address                IPv6 address
cops.msg_len            Message Length              Unsigned 32-bit integer
cops.obj.len            Object Length               Unsigned 32-bit integer
cops.op_code            Op Code                     Unsigned 8-bit integer
cops.out-int.ipv4       IPv4 address                IPv4 address
cops.out-int.ipv6       IPv6 address                IPv6 address
cops.pdp.tcp_port       TCP Port Number             Unsigned 32-bit integer
cops.pdprediraddr.ipv4  IPv4 address                IPv4 address
cops.pdprediraddr.ipv6  IPv6 address                IPv6 address
cops.pepid.id           Contents: PEP Id            String
cops.reason             Reason                      Unsigned 16-bit integer
cops.reason_sub         Reason Sub-code             Unsigned 16-bit integer
cops.report_type        Contents: Report-Type       Unsigned 16-bit integer
cops.s_num              S-Num                       Unsigned 8-bit integer
cops.s_type             S-Type                      Unsigned 8-bit integer
cops.ver_flags          Version and Flags           Unsigned 8-bit integer
cops.version            Version                     Unsigned 8-bit integer

Common Unix Printing System (CUPS) Browsing Protocol (cups)


Table A-39. Common Unix Printing System (CUPS) Browsing Protocol (cups)

Field       Field Name  Type
cups.ptype  Type        Unsigned 32-bit integer
cups.state  State       Unsigned 8-bit integer

DCE RPC (dcerpc)


Table A-40. DCE RPC (dcerpc)

Field                           Field Name              Type
dcerpc.array.actual_count       Actual Count            Unsigned 32-bit integer
dcerpc.array.max_count          Max Count               Unsigned 32-bit integer
dcerpc.array.offset             Offset                  Unsigned 32-bit integer
dcerpc.auth_ctx_id              Auth Context ID         Unsigned 32-bit integer
dcerpc.auth_level               Auth level              Unsigned 8-bit integer
dcerpc.auth_pad_len             Auth pad len            Unsigned 8-bit integer
dcerpc.auth_rsrvd               Auth Rsrvd              Unsigned 8-bit integer
dcerpc.auth_type                Auth type               Unsigned 8-bit integer
dcerpc.cn_ack_reason            Ack reason              Unsigned 16-bit integer
dcerpc.cn_ack_result            Ack result              Unsigned 16-bit integer
dcerpc.cn_ack_trans_id          Transfer Syntax         String
dcerpc.cn_ack_trans_ver         Syntax ver              Unsigned 32-bit integer
dcerpc.cn_alloc_hint            Alloc hint              Unsigned 32-bit integer
dcerpc.cn_assoc_group           Assoc Group             Unsigned 32-bit integer
dcerpc.cn_auth_len              Auth Length             Unsigned 16-bit integer
dcerpc.cn_bind_if_ver           Interface Ver           Unsigned 16-bit integer
dcerpc.cn_bind_if_ver_minor     Interface Ver Minor     Unsigned 16-bit integer
dcerpc.cn_bind_to_uuid          Interface UUID          String
dcerpc.cn_bind_trans_id         Transfer Syntax         String
dcerpc.cn_bind_trans_ver        Syntax ver              Unsigned 32-bit integer
dcerpc.cn_call_id               Call ID                 Unsigned 32-bit integer
dcerpc.cn_cancel_count          Cancel count            Unsigned 8-bit integer
dcerpc.cn_ctx_id                Context ID              Unsigned 16-bit integer
dcerpc.cn_flags                 Packet Flags            Unsigned 8-bit integer
dcerpc.cn_flags.cancel_pending  Cancel Pending          Boolean
dcerpc.cn_flags.dne             Did Not Execute         Boolean
dcerpc.cn_flags.first_frag      First Frag              Boolean
dcerpc.cn_flags.last_frag       Last Frag               Boolean
dcerpc.cn_flags.maybe           Maybe                   Boolean
dcerpc.cn_flags.mpx             Multiplex               Boolean
dcerpc.cn_flags.object          Object                  Boolean
dcerpc.cn_flags.reserved        Reserved                Boolean
dcerpc.cn_frag_len              Frag Length             Unsigned 16-bit integer
dcerpc.cn_max_recv              Max Recv Frag           Unsigned 16-bit integer
dcerpc.cn_max_xmit              Max Xmit Frag           Unsigned 16-bit integer
dcerpc.cn_num_ctx_items         Num Ctx Items           Unsigned 8-bit integer
dcerpc.cn_num_protocols         Number of protocols     Unsigned 8-bit integer
dcerpc.cn_num_results           Num results             Unsigned 8-bit integer
dcerpc.cn_num_trans_items       Num Trans Items         Unsigned 16-bit integer
dcerpc.cn_protocol_ver_major    Protocol major version  Unsigned 8-bit integer
dcerpc.cn_protocol_ver_minor    Protocol minor version  Unsigned 8-bit integer
dcerpc.cn_reject_reason         Reject reason           Unsigned 16-bit integer
dcerpc.cn_sec_addr              Scndry Addr             String
dcerpc.cn_sec_addr_len          Scndry Addr len         Unsigned 16-bit integer
dcerpc.cn_status                Status                  Unsigned 32-bit integer
dcerpc.dg_act_id                Activitiy               String
dcerpc.dg_ahint                 Activity Hint           Unsigned 16-bit integer
dcerpc.dg_auth_proto            Auth proto              Unsigned 8-bit integer
dcerpc.dg_cancel_id             Cancel ID               Unsigned 32-bit integer
dcerpc.dg_cancel_vers           Cancel Version          Unsigned 32-bit integer
dcerpc.dg_flags1                Flags1                  Unsigned 8-bit integer

136

Appendix A. Ethereal Display Filter Fields

Field

Field Name

Type Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 8-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 16-bit integer Unsigned 16-bit integer String Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

dcerpc.dg_ags1_broadcast Broadcast dcerpc.dg_ags1_frag Fragment

dcerpc.dg_ags1_idempotent Idempotent dcerpc.dg_ags1_last_frag Last Fragment dcerpc.dg_ags1_maybe dcerpc.dg_ags1_nofack Maybe No Fack

dcerpc.dg_ags1_rsrvd_01 Reserved dcerpc.dg_ags1_rsrvd_80 Reserved dcerpc.dg_ags2 Flags2 dcerpc.dg_ags2_cancel_pending Pending Cancel dcerpc.dg_ags2_rsrvd_01 Reserved dcerpc.dg_ags2_rsrvd_04 Reserved dcerpc.dg_ags2_rsrvd_08 Reserved dcerpc.dg_ags2_rsrvd_10 Reserved dcerpc.dg_ags2_rsrvd_20 Reserved dcerpc.dg_ags2_rsrvd_40 Reserved dcerpc.dg_ags2_rsrvd_80 Reserved dcerpc.dg_frag_len dcerpc.dg_frag_num dcerpc.dg_if_id dcerpc.dg_if_ver dcerpc.dg_ihint dcerpc.dg_seqnum dcerpc.dg_serial_hi dcerpc.dg_serial_lo dcerpc.dg_server_boot dcerpc.dg_status dcerpc.drep dcerpc.drep.byteorder dcerpc.drep.character dcerpc.drep.fp Fragment len Fragment num Interface Interface Ver Interface Hint Sequence num Serial High Serial Low Server boot time Status Data Representation Byte order Character Floating-point

dcerpc.fack_max_frag_size Max Frag Size dcerpc.fack_max_tsdu Max TSDU

137

Appendix A. Ethereal Display Filter Fields

Field dcerpc.fack_selack dcerpc.fack_selack_len dcerpc.fack_serial_num dcerpc.fack_vers dcerpc.fack_window size dcerpc.fragment dcerpc.fragment.error

Field Name Selective ACK Selective ACK Len Serial Num FACK Version Window Size DCE/RPC Fragment Defragmentation error

Type Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer No value No value Boolean Boolean Boolean Boolean No value String Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Unsigned 8-bit integer Unsigned 8-bit integer

dcerpc.fragment.multipletails Multiple tail fragments found dcerpc.fragment.overlap Fragment overlap dcerpc.fragment.overlap.conict Conicting data in fragment overlap dcerpc.fragment.toolongfragment Fragment too long dcerpc.fragments dcerpc.obj_id dcerpc.op dcerpc.opnum dcerpc.pkt_type dcerpc.referent_id dcerpc.request_in dcerpc.response_in DCE/RPC Fragments Object Operation Opnum Packet type Referent ID Request in Response in

dcerpc.server_accepting_cancels accepting cancels Server dcerpc.ver dcerpc.ver_minor Version Version (minor)

DCE/RPC Conversation Manager (conv)


Table A-41. DCE/RPC Conversation Manager (conv)

| Field | Field Name | Type |
|---|---|---|


DCE/RPC Endpoint Mapper (epm)


Table A-42. DCE/RPC Endpoint Mapper (epm)

| Field | Field Name | Type |
|---|---|---|
| epm.hnd | Handle | Byte array |
| epm.if_id | Interface | String |
| epm.if_id_p | Interface pointer | Unsigned 32-bit integer |
| epm.inq_type | Inquiry type | Unsigned 32-bit integer |
| epm.max_ents | Max entries | Unsigned 32-bit integer |
| epm.max_towers | Max Towers | Unsigned 32-bit integer |
| epm.num_ents | Num entries | Unsigned 32-bit integer |
| epm.num_towers | Num Towers | Unsigned 32-bit integer |
| epm.object | Object | String |
| epm.object_p | Object pointer | Unsigned 32-bit integer |
| epm.opnum | Operation | Unsigned 16-bit integer |
| epm.rc | Return code | Unsigned 32-bit integer |
| epm.tower | Tower | Byte array |
| epm.tower.len | Length | Unsigned 32-bit integer |
| epm.tower.lhs.len | LHS Length | Unsigned 16-bit integer |
| epm.tower.num_floors | Number of floors | Unsigned 16-bit integer |
| epm.tower.proto_id | Protocol | Unsigned 8-bit integer |
| epm.tower.rhs.len | RHS Length | Unsigned 16-bit integer |
| epm.uuid | UUID | String |
| epm.ver_maj | Version Major | Unsigned 16-bit integer |
| epm.ver_min | Version Minor | Unsigned 16-bit integer |
| epm.ver_opt | Version Option | Unsigned 32-bit integer |

DCE/RPC Remote Management (mgmt)


Table A-43. DCE/RPC Remote Management (mgmt)

| Field | Field Name | Type |
|---|---|---|


DCOM OXID Resolver (oxid)


Table A-44. DCOM OXID Resolver (oxid)

| Field | Field Name | Type |
|---|---|---|

DCOM Remote Activation (remact)


Table A-45. DCOM Remote Activation (remact)

| Field | Field Name | Type |
|---|---|---|

DEC Spanning Tree Protocol (dec_stp)


Table A-46. DEC Spanning Tree Protocol (dec_stp)

| Field | Field Name | Type |
|---|---|---|
| dec_stp.bridge.mac | Bridge MAC | 6-byte Hardware (MAC) Address |
| dec_stp.bridge.pri | Bridge Priority | Unsigned 16-bit integer |
| dec_stp.flags | BPDU flags | Unsigned 8-bit integer |
| dec_stp.flags.short_timers | Use short timers | Boolean |
| dec_stp.flags.tc | Topology Change | Boolean |
| dec_stp.flags.tcack | Topology Change Acknowledgment | Boolean |
| dec_stp.forward | Forward Delay | Unsigned 8-bit integer |
| dec_stp.hello | Hello Time | Unsigned 8-bit integer |
| dec_stp.max_age | Max Age | Unsigned 8-bit integer |
| dec_stp.msg_age | Message Age | Unsigned 8-bit integer |
| dec_stp.port | Port identifier | Unsigned 8-bit integer |
| dec_stp.protocol | Protocol Identifier | Unsigned 8-bit integer |
| dec_stp.root.cost | Root Path Cost | Unsigned 16-bit integer |
| dec_stp.root.mac | Root MAC | 6-byte Hardware (MAC) Address |
| dec_stp.root.pri | Root Priority | Unsigned 16-bit integer |
| dec_stp.type | BPDU Type | Unsigned 8-bit integer |
| dec_stp.version | BPDU Version | Unsigned 8-bit integer |

DHCPv6 (dhcpv6)

Table A-47. DHCPv6 (dhcpv6)

| Field | Field Name | Type |
|---|---|---|
| dhcpv6.msgtype | Message type | Unsigned 8-bit integer |

Data (data)

Table A-48. Data (data)

| Field | Field Name | Type |
|---|---|---|

Data Link SWitching (dlsw)


Table A-49. Data Link SWitching (dlsw)

| Field | Field Name | Type |
|---|---|---|

Data Stream Interface (dsi)


Table A-50. Data Stream Interface (dsi)

| Field | Field Name | Type |
|---|---|---|
| dsi.attn_flag | Flags | Unsigned 16-bit integer |
| dsi.attn_flag.crash | Crash | Boolean |
| dsi.attn_flag.msg | Message | Boolean |
| dsi.attn_flag.reconnect | Don't reconnect | Boolean |
| dsi.attn_flag.shutdown | Shutdown | Boolean |
| dsi.attn_flag.time | Minutes | Unsigned 16-bit integer |
| dsi.command | Command | Unsigned 8-bit integer |
| dsi.data_offset | Data offset | Signed 32-bit integer |
| dsi.error_code | Error code | Signed 32-bit integer |
| dsi.flags | Flags | Unsigned 8-bit integer |
| dsi.length | Length | Unsigned 32-bit integer |
| dsi.open_len | Length | Unsigned 8-bit integer |
| dsi.open_option | Option | Byte array |
| dsi.open_quantum | Quantum | Unsigned 32-bit integer |
| dsi.open_type | Flags | Unsigned 8-bit integer |
| dsi.requestid | Request ID | Unsigned 16-bit integer |
| dsi.reserved | Reserved | Unsigned 32-bit integer |
| dsi.server_addr.len | Length | Unsigned 8-bit integer |
| dsi.server_addr.type | Type | Unsigned 8-bit integer |
| dsi.server_addr.value | Value | Byte array |
| dsi.server_directory | Directory service | |
| dsi.server_flag | Flag | Unsigned 16-bit integer |
| dsi.server_flag.copyfile | Support copyfile | Boolean |
| dsi.server_flag.directory | Support directory services | Boolean |
| dsi.server_flag.fast_copy | Support fast copy | Boolean |
| dsi.server_flag.no_save_passwd | Don't allow save password | Boolean |
| dsi.server_flag.notify | Support server notifications | Boolean |
| dsi.server_flag.passwd | Support change password | Boolean |
| dsi.server_flag.reconnect | Support server reconnect | Boolean |
| dsi.server_flag.srv_msg | Support server message | Boolean |
| dsi.server_flag.srv_sig | Support server signature | Boolean |
| dsi.server_flag.tcpip | Support TCP/IP | Boolean |
| dsi.server_icon | Icon bitmap | Byte array |
| dsi.server_name | Server name | |
| dsi.server_signature | Server signature | Byte array |
| dsi.server_type | Server type | |
| dsi.server_uams | UAM | |
| dsi.server_vers | AFP version | |


Datagram Delivery Protocol (ddp)


Table A-51. Datagram Delivery Protocol (ddp)

| Field | Field Name | Type |
|---|---|---|
| ddp.checksum | Checksum | Unsigned 16-bit integer |
| ddp.dst | Destination address | String |
| ddp.dst.net | Destination Net | Unsigned 16-bit integer |
| ddp.dst.node | Destination Node | Unsigned 8-bit integer |
| ddp.dst_socket | Destination Socket | Unsigned 8-bit integer |
| ddp.hopcount | Hop count | Unsigned 8-bit integer |
| ddp.len | Datagram length | Unsigned 16-bit integer |
| ddp.src | Source address | String |
| ddp.src.net | Source Net | Unsigned 16-bit integer |
| ddp.src.node | Source Node | Unsigned 8-bit integer |
| ddp.src_socket | Source Socket | Unsigned 8-bit integer |
| ddp.type | Protocol type | Unsigned 8-bit integer |

Diameter Protocol (diameter)


Table A-52. Diameter Protocol (diameter)

| Field | Field Name | Type |
|---|---|---|
| diameter.avp.code | AVP Code | Unsigned 32-bit integer |
| diameter.avp.data.bytes | Value | Byte array |
| diameter.avp.data.int32 | Value | Signed 32-bit integer |
| diameter.avp.data.int64 | Value | |
| diameter.avp.data.string | Value | String |
| diameter.avp.data.time | Time | Date/Time stamp |
| diameter.avp.data.uint32 | Value | Unsigned 32-bit integer |
| diameter.avp.data.uint64 | Value | |
| diameter.avp.data.v4addr | IPv4 Address | IPv4 address |
| diameter.avp.data.v6addr | IPv6 Address | IPv6 address |
| diameter.avp.flags | AVP Flags | Unsigned 8-bit integer |
| diameter.avp.flags.protected | Protected | Boolean |
| diameter.avp.flags.reserved3 | Reserved | Boolean |
| diameter.avp.flags.reserved4 | Reserved | Boolean |
| diameter.avp.flags.reserved5 | Reserved | Boolean |
| diameter.avp.flags.reserved6 | Reserved | Boolean |
| diameter.avp.flags.reserved7 | Reserved | Boolean |
| diameter.avp.length | AVP Length | Unsigned 24-bit integer |
| diameter.avp.vendorId | AVP Vendor Id | Unsigned 32-bit integer |
| diameter.code | Command Code | Unsigned 24-bit integer |
| diameter.endtoendid | End-to-End Identifier | Unsigned 32-bit integer |
| diameter.flags | Flags | Unsigned 8-bit integer |
| diameter.flags.error | Error | Boolean |
| diameter.flags.mandatory | Mandatory | Boolean |
| diameter.flags.proxyable | Proxyable | Boolean |
| diameter.flags.request | Request | Boolean |
| diameter.flags.reserved3 | Reserved | Boolean |
| diameter.flags.reserved4 | Reserved | Boolean |
| diameter.flags.reserved5 | Reserved | Boolean |
| diameter.flags.reserved6 | Reserved | Boolean |
| diameter.flags.reserved7 | Reserved | Boolean |
| diameter.flags.vendorspecific | Vendor-Specific | Boolean |
| diameter.hopbyhopid | Hop-by-Hop Identifier | Unsigned 32-bit integer |
| diameter.length | Length | Unsigned 24-bit integer |
| diameter.vendorId | VendorId | Unsigned 32-bit integer |
| diameter.version | Version | Unsigned 8-bit integer |

Distance Vector Multicast Routing Protocol (dvmrp)


Table A-53. Distance Vector Multicast Routing Protocol (dvmrp)

| Field | Field Name | Type |
|---|---|---|
| dvmrp.afi | Address Family | Unsigned 8-bit integer |
| dvmrp.cap.genid | Genid | Boolean |
| dvmrp.cap.leaf | Leaf | Boolean |
| dvmrp.cap.mtrace | Mtrace | Boolean |
| dvmrp.cap.netmask | Netmask | Boolean |
| dvmrp.cap.prune | Prune | Boolean |
| dvmrp.cap.snmp | SNMP | Boolean |
| dvmrp.capabilities | Capabilities | No value |
| dvmrp.checksum | Checksum | Unsigned 16-bit integer |
| dvmrp.checksum_bad | Bad Checksum | Boolean |
| dvmrp.command | Command | Unsigned 8-bit integer |
| dvmrp.commands | Commands | No value |
| dvmrp.count | Count | Unsigned 8-bit integer |
| dvmrp.dest_unreach | Destination Unreachable | Boolean |
| dvmrp.genid | Generation ID | Unsigned 32-bit integer |
| dvmrp.hold | Hold Time | Unsigned 32-bit integer |
| dvmrp.infinity | Infinity | Unsigned 8-bit integer |
| dvmrp.lifetime | Prune lifetime | Unsigned 32-bit integer |
| dvmrp.maj_ver | Major Version | Unsigned 8-bit integer |
| dvmrp.metric | Metric | Unsigned 8-bit integer |
| dvmrp.min_ver | Minor Version | Unsigned 8-bit integer |
| dvmrp.route | Route | No value |
| dvmrp.split_horiz | Split Horizon | Boolean |
| dvmrp.type | Type | Unsigned 8-bit integer |
| dvmrp.v1.code | Code | Unsigned 8-bit integer |
| dvmrp.v3.code | Code | Unsigned 8-bit integer |
| dvmrp.version | DVMRP Version | Unsigned 8-bit integer |
| igmp.daddr | Dest Addr | IPv4 address |
| igmp.maddr | Multicast Addr | IPv4 address |
| igmp.neighbor | Neighbor Addr | IPv4 address |
| igmp.netmask | Netmask | IPv4 address |
| igmp.saddr | Source Addr | IPv4 address |

Distributed Checksum Clearinghouse Prototocl (dccp)


Table A-54. Distributed Checksum Clearinghouse Prototocl (dccp)

| Field | Field Name | Type |
|---|---|---|
| dccp.adminop | Admin Op | Unsigned 8-bit integer |
| dccp.adminval | Admin Value | Unsigned 32-bit integer |
| dccp.brand | Server Brand | String |
| dccp.checksum.length | Length | Unsigned 8-bit integer |
| dccp.checksum.sum | Sum | Byte array |
| dccp.checksum.type | Type | Unsigned 8-bit integer |
| dccp.clientid | Client ID | Unsigned 32-bit integer |
| dccp.date | Date | Date/Time stamp |
| dccp.floodop | Flood Control Operation | Unsigned 32-bit integer |
| dccp.len | Packet Length | Unsigned 16-bit integer |
| dccp.max_pkt_vers | Maximum Packet Version | Unsigned 8-bit integer |
| dccp.op | Operation Type | Unsigned 8-bit integer |
| dccp.opnums.host | Host | IPv4 address |
| dccp.opnums.pid | Process ID | Unsigned 32-bit integer |
| dccp.opnums.report | Report | Unsigned 32-bit integer |
| dccp.opnums.retrans | Retransmission | Unsigned 32-bit integer |
| dccp.pkt_vers | Packet Version | Unsigned 16-bit integer |
| dccp.qdelay_ms | Client Delay | Unsigned 16-bit integer |
| dccp.signature | Signature | Byte array |
| dccp.target | Target | Unsigned 32-bit integer |
| dccp.trace | Trace Bits | Unsigned 32-bit integer |
| dccp.trace.admin | Admin Requests | Unsigned 32-bit integer |
| dccp.trace.anon | Anonymous Requests | Unsigned 32-bit integer |
| dccp.trace.client | Authenticated Client Requests | Unsigned 32-bit integer |
| dccp.trace.flood | Input/Output Flooding | Unsigned 32-bit integer |
| dccp.trace.query | Queries and Reports | Unsigned 32-bit integer |
| dccp.trace.ridc | RID Cache Messages | Unsigned 32-bit integer |
| dccp.trace.rlim | Rate-Limited Requests | Unsigned 32-bit integer |

Domain Name Service (dns)


Table A-55. Domain Name Service (dns)

| Field | Field Name | Type |
|---|---|---|
| dns.count.add_rr | Additional RRs | Unsigned 16-bit integer |
| dns.count.answers | Answer RRs | Unsigned 16-bit integer |
| dns.count.auth_rr | Authority RRs | Unsigned 16-bit integer |
| dns.count.queries | Questions | Unsigned 16-bit integer |
| dns.flags | Flags | Unsigned 16-bit integer |
| dns.flags.authenticated | Answer authenticated | Boolean |
| dns.flags.authoritative | Authoritative | Boolean |
| dns.flags.checkdisable | Non-authenticated data OK | Boolean |
| dns.flags.opcode | Opcode | Unsigned 16-bit integer |
| dns.flags.rcode | Reply code | Unsigned 16-bit integer |
| dns.flags.recavail | Recursion available | Boolean |
| dns.flags.recdesired | Recursion desired | Boolean |
| dns.flags.response | Response | Boolean |
| dns.flags.truncated | Truncated | Boolean |
| dns.id | Transaction ID | Unsigned 16-bit integer |
| dns.length | Length | Unsigned 16-bit integer |

Dynamic DNS Tools Protocol (ddtp)


Table A-56. Dynamic DNS Tools Protocol (ddtp)

| Field | Field Name | Type |
|---|---|---|
| ddtp.encrypt | Encryption | Unsigned 32-bit integer |
| ddtp.hostid | Hostid | Unsigned 32-bit integer |
| ddtp.ipaddr | IP address | IPv4 address |
| ddtp.msgtype | Message type | Unsigned 32-bit integer |
| ddtp.opcode | Opcode | Unsigned 32-bit integer |
| ddtp.status | Status | Unsigned 32-bit integer |
| ddtp.version | Version | Unsigned 32-bit integer |

Encapsulating Security Payload (esp)


Table A-57. Encapsulating Security Payload (esp)

| Field | Field Name | Type |
|---|---|---|
| esp.sequence | Sequence | Unsigned 32-bit integer |
| esp.spi | SPI | Unsigned 32-bit integer |

Enhanced Interior Gateway Routing Protocol (eigrp)


Table A-58. Enhanced Interior Gateway Routing Protocol (eigrp)

| Field | Field Name | Type |
|---|---|---|
| eigrp.as | Autonomous System | Unsigned 16-bit integer |
| eigrp.opcode | Opcode | Unsigned 8-bit integer |
| eigrp.tlv | Entry | Unsigned 16-bit integer |

Ethernet (eth)

Table A-59. Ethernet (eth)

| Field | Field Name | Type |
|---|---|---|
| eth.addr | Source or Destination Address | 6-byte Hardware (MAC) Address |
| eth.dst | Destination | 6-byte Hardware (MAC) Address |
| eth.len | Length | Unsigned 16-bit integer |
| eth.src | Source | 6-byte Hardware (MAC) Address |
| eth.trailer | Trailer | Byte array |
| eth.type | Type | Unsigned 16-bit integer |

Extensible Authentication Protocol (eap)


Table A-60. Extensible Authentication Protocol (eap)

| Field | Field Name | Type |
|---|---|---|
| eap.code | Code | Unsigned 8-bit integer |
| eap.id | Id | Unsigned 8-bit integer |
| eap.len | Length | Unsigned 16-bit integer |
| eap.type | Type | Unsigned 8-bit integer |
| eaptls.fragment | EAP-TLS Fragment | No value |
| eaptls.fragment.error | Defragmentation error | No value |
| eaptls.fragment.multipletails | Multiple tail fragments found | Boolean |
| eaptls.fragment.overlap | Fragment overlap | Boolean |
| eaptls.fragment.overlap.conflict | Conflicting data in fragment overlap | Boolean |
| eaptls.fragment.toolongfragment | Fragment too long | Boolean |
| eaptls.fragments | EAP-TLS Fragments | No value |

FTP Data (ftp-data)


Table A-61. FTP Data (ftp-data)

| Field | Field Name | Type |
|---|---|---|

Fiber Distributed Data Interface (fddi)


Table A-62. Fiber Distributed Data Interface (fddi)

| Field | Field Name | Type |
|---|---|---|
| fddi.addr | Source or Destination Address | 6-byte Hardware (MAC) Address |
| fddi.dst | Destination | 6-byte Hardware (MAC) Address |
| fddi.fc | Frame Control | Unsigned 8-bit integer |
| fddi.fc.clf | Class/Length/Format | Unsigned 8-bit integer |
| fddi.fc.mac_subtype | MAC Subtype | Unsigned 8-bit integer |
| fddi.fc.prio | Priority | Unsigned 8-bit integer |
| fddi.fc.smt_subtype | SMT Subtype | Unsigned 8-bit integer |
| fddi.src | Source | 6-byte Hardware (MAC) Address |


File Transfer Protocol (FTP) (ftp)


Table A-63. File Transfer Protocol (FTP) (ftp)

| Field | Field Name | Type |
|---|---|---|
| ftp.request | Request | Boolean |
| ftp.request.arg | Request arg | String |
| ftp.request.command | Request command | String |
| ftp.response | Response | Boolean |
| ftp.response.arg | Response arg | String |
| ftp.response.code | Response code | Unsigned 32-bit integer |

Frame (frame)

Table A-64. Frame (frame)

| Field | Field Name | Type |
|---|---|---|
| frame.cap_len | Capture Frame Length | Unsigned 32-bit integer |
| frame.file_off | File Offset | Signed 32-bit integer |
| frame.marked | Frame is marked | Boolean |
| frame.number | Frame Number | Unsigned 32-bit integer |
| frame.p2p_dir | Point-to-Point Direction | Unsigned 8-bit integer |
| frame.pkt_len | Total Frame Length | Unsigned 32-bit integer |
| frame.time | Arrival Time | Date/Time stamp |
| frame.time_delta | Time delta from previous packet | Time duration |
| frame.time_relative | Time relative to first packet | Time duration |

Frame Relay (fr)


Table A-65. Frame Relay (fr)

| Field | Field Name | Type |
|---|---|---|
| fr.becn | BECN | Boolean |
| fr.chdlctype | Type | Unsigned 16-bit integer |
| fr.cr | CR | Boolean |
| fr.dc | DC | Boolean |
| fr.de | DE | Boolean |
| fr.dlci | DLCI | Unsigned 16-bit integer |
| fr.ea | EA | Boolean |
| fr.fecn | FECN | Boolean |
| fr.nlpid | NLPID | Unsigned 8-bit integer |
| fr.snap.oui | Organization Code | Unsigned 24-bit integer |
| fr.snap.pid | Protocol ID | Unsigned 16-bit integer |
| fr.snaptype | Type | Unsigned 16-bit integer |

GARP Multicast Registration Protocol (gmrp)


Table A-66. GARP Multicast Registration Protocol (gmrp)

| Field | Field Name | Type |
|---|---|---|
| garp.attribute_event | Event | Unsigned 8-bit integer |
| garp.attribute_length | Length | Unsigned 8-bit integer |
| garp.attribute_type | Type | Unsigned 8-bit integer |
| garp.attribute_value_group_membership | Value | 6-byte Hardware (MAC) Address |
| garp.attribute_value_service_requirement | Value | Unsigned 8-bit integer |
| garp.protocol_id | Protocol ID | Unsigned 16-bit integer |

GARP VLAN Registration Protocol (gvrp)


Table A-67. GARP VLAN Registration Protocol (gvrp)

| Field | Field Name | Type |
|---|---|---|
| garp.attribute_value | Value | Unsigned 16-bit integer |

GPRS Tunneling Protocol (gtp)


Table A-68. GPRS Tunneling Protocol (gtp)

| Field | Field Name | Type |
|---|---|---|


GPRS Tunnelling Protocol v0 (gtpv0)


Table A-69. GPRS Tunnelling Protocol v0 (gtpv0)

| Field | Field Name | Type |
|---|---|---|
| gtpv0.apn | APN | String |
| gtpv0.cause | Cause | Unsigned 8-bit integer |
| gtpv0.chrg_id | Charging ID | Unsigned 32-bit integer |
| gtpv0.chrg_ipv4 | CG address IPv4 | IPv4 address |
| gtpv0.chrg_ipv6 | CG address IPv6 | IPv6 address |
| gtpv0.ext_flow_label | Flow Label Data I | Unsigned 16-bit integer |
| gtpv0.ext_id | Extension identifier | Unsigned 16-bit integer |
| gtpv0.ext_val | Extension value | String |
| gtpv0.flags | Flags | Unsigned 8-bit integer |
| gtpv0.flags.payload | Protocol type | Unsigned 8-bit integer |
| gtpv0.flags.reserved | Reserved | Unsigned 8-bit integer |
| gtpv0.flags.snn | Is SNDCP N-PDU included? | Boolean |
| gtpv0.flags.version | Version | Unsigned 8-bit integer |
| gtpv0.flow_ii | Flow Label Data II | Unsigned 16-bit integer |
| gtpv0.flow_label | Flow label | Unsigned 16-bit integer |
| gtpv0.flow_sig | Flow label Signalling | Unsigned 16-bit integer |
| gtpv0.gsn_addr_len | GSN address length | Unsigned 8-bit integer |
| gtpv0.gsn_addr_type | GSN address type | Unsigned 8-bit integer |
| gtpv0.gsn_ipv4 | GSN address IPv4 | IPv4 address |
| gtpv0.gsn_ipv6 | GSN address IPv6 | IPv6 address |
| gtpv0.imsi | IMSI | String |
| gtpv0.lac | LAC | Unsigned 16-bit integer |
| gtpv0.length | Length | Unsigned 16-bit integer |
| gtpv0.map_cause | MAP cause | Unsigned 8-bit integer |
| gtpv0.mcc | MCC | Unsigned 16-bit integer |
| gtpv0.message | Message type | Unsigned 8-bit integer |
| gtpv0.mnc | MNC | Unsigned 8-bit integer |
| gtpv0.ms_reason | MS not reachable reason | Unsigned 8-bit integer |
| gtpv0.ms_valid | MS validated | Boolean |
| gtpv0.msisdn | MSISDN | String |
| gtpv0.node_ipv4 | Node address IPv4 | IPv4 address |
| gtpv0.node_ipv6 | Node address IPv6 | IPv6 address |
| gtpv0.nsapi | NSAPI | Unsigned 8-bit integer |
| gtpv0.ptmsi | P-TMSI | Unsigned 32-bit integer |
| gtpv0.ptmsi_sig | P-TMSI signature | Unsigned 24-bit integer |
| gtpv0.qos_delay | QoS delay | Unsigned 8-bit integer |
| gtpv0.qos_mean | QoS mean | Unsigned 8-bit integer |
| gtpv0.qos_peak | QoS peak | Unsigned 8-bit integer |
| gtpv0.qos_precedence | QoS precedence | Unsigned 8-bit integer |
| gtpv0.qos_reliabilty | QoS reliability | Unsigned 8-bit integer |
| gtpv0.qos_spare1 | Spare | Unsigned 8-bit integer |
| gtpv0.qos_spare2 | Spare | Unsigned 8-bit integer |
| gtpv0.qos_spare3 | Spare | Unsigned 8-bit integer |
| gtpv0.rac | RAC | Unsigned 8-bit integer |
| gtpv0.recovery | Recovery | Unsigned 8-bit integer |
| gtpv0.reorder | Reordering required | Boolean |
| gtpv0.sel_mode | Selection mode | Unsigned 8-bit integer |
| gtpv0.seq_number | Sequence number | Unsigned 16-bit integer |
| gtpv0.sndcp_number | SNDCP N-PDU LLC Number | Unsigned 8-bit integer |
| gtpv0.tid | TID | String |
| gtpv0.tlli | TLLI | Unsigned 32-bit integer |
| gtpv0.tr_comm | Packet transfer command | Unsigned 8-bit integer |
| gtpv0.unknown | Unknown data (length) | Unsigned 16-bit integer |
| gtpv0.user_addr_pdp_org | PDP type organization | Unsigned 8-bit integer |
| gtpv0.user_addr_pdp_type | PDP type number | Unsigned 8-bit integer |
| gtpv0.user_ipv4 | End user address IPv4 | IPv4 address |
| gtpv0.user_ipv6 | End user address IPv6 | IPv6 address |

GPRS Tunnelling Protocol v1 (gtpv1)


Table A-70. GPRS Tunnelling Protocol v1 (gtpv1)

| Field | Field Name | Type |
|---|---|---|
| gtpv1.apn | APN | String |
| gtpv1.cause | Cause | Unsigned 8-bit integer |
| gtpv1.chrg_char_f | Flat rate charging | Unsigned 8-bit integer |
| gtpv1.chrg_char_h | Hot billing charging | Unsigned 8-bit integer |
| gtpv1.chrg_char_n | Normal charging | Unsigned 8-bit integer |
| gtpv1.chrg_char_p | Prepaid charging | Unsigned 8-bit integer |
| gtpv1.chrg_char_r | Reserved | Unsigned 8-bit integer |
| gtpv1.chrg_char_s | Spare | Unsigned 8-bit integer |
| gtpv1.chrg_id | Charging ID | Unsigned 32-bit integer |
| gtpv1.chrg_ipv4 | CG address IPv4 | IPv4 address |
| gtpv1.chrg_ipv6 | CG address IPv6 | IPv6 address |
| gtpv1.ext_id | Extensio Identifier | Unsigned 16-bit integer |
| gtpv1.ext_val | Extension Value | String |
| gtpv1.flags | Flags | Unsigned 8-bit integer |
| gtpv1.flags.e | Is Next Extension Header present? | Boolean |
| gtpv1.flags.payload_type | Protocol type | Unsigned 8-bit integer |
| gtpv1.flags.pn | Is N-PDU number present? | Boolean |
| gtpv1.flags.s | Is Sequence Number present? | Boolean |
| gtpv1.flags.spare | Spare bit | Unsigned 8-bit integer |
| gtpv1.flags.version | Version | Unsigned 8-bit integer |
| gtpv1.gsn_addr_len | GSN Address Length | Unsigned 8-bit integer |
| gtpv1.gsn_addr_type | GSN Address Type | Unsigned 8-bit integer |
| gtpv1.gsn_ipv4 | GSN address IPv4 | IPv4 address |
| gtpv1.gsn_ipv6 | GSN address IPv6 | IPv6 address |
| gtpv1.imsi | IMSI | String |
| gtpv1.lac | LAC | Unsigned 16-bit integer |
| gtpv1.length | Length | Unsigned 16-bit integer |
| gtpv1.map_cause | MAP cause | Unsigned 8-bit integer |
| gtpv1.mcc | MCC | Unsigned 16-bit integer |
| gtpv1.message | Message Type | Unsigned 8-bit integer |
| gtpv1.mnc | MNC | Unsigned 8-bit integer |
| gtpv1.ms_reason | MS not reachable reason | Unsigned 8-bit integer |
| gtpv1.ms_valid | MS validated | Boolean |
| gtpv1.msisdn | MSISDN | String |
| gtpv1.next | Next extension header type | Unsigned 8-bit integer |
| gtpv1.node_ipv4 | Node address IPv4 | IPv4 address |
| gtpv1.node_ipv6 | Node address IPv6 | IPv6 address |
| gtpv1.npdu_number | N-PDU Number | Unsigned 8-bit integer |
| gtpv1.nsapi | NSAPI | Unsigned 8-bit integer |
| gtpv1.pkt_flow_id | Packet Flow ID | Unsigned 8-bit integer |
| gtpv1.ptmsi | P-TMSI | Unsigned 32-bit integer |
| gtpv1.ptmsi_sig | P-TMSI Signature | Unsigned 24-bit integer |
| gtpv1.qos_al_ret_priority | Allocation/Retention priority | Unsigned 8-bit integer |
| gtpv1.qos_del_err_sdu | Delivery of erroneous SDU | Unsigned 8-bit integer |
| gtpv1.qos_del_order | Delivery order | Unsigned 8-bit integer |
| gtpv1.qos_delay | QoS Delay | Unsigned 8-bit integer |
| gtpv1.qos_guar_dl | Guaranteed bit rate for downlink | Unsigned 8-bit integer |
| gtpv1.qos_guar_ul | Guaranteed bit rate for uplink | Unsigned 8-bit integer |
| gtpv1.qos_max_dl | Maximum bit rate for downlink | Unsigned 8-bit integer |
| gtpv1.qos_max_sdu_size | Maximum SDU size | Unsigned 8-bit integer |
| gtpv1.qos_max_ul | Maximum bit rate for uplink | Unsigned 8-bit integer |
| gtpv1.qos_mean | QoS Mean | Unsigned 8-bit integer |
| gtpv1.qos_peak | QoS Peak | Unsigned 8-bit integer |
| gtpv1.qos_precedence | QoS Precedence | Unsigned 8-bit integer |
| gtpv1.qos_reliabilty | QoS Reliability | Unsigned 8-bit integer |
| gtpv1.qos_res_ber | Residual BER | Unsigned 8-bit integer |
| gtpv1.qos_sdu_err_ratio | SDU Error ratio | Unsigned 8-bit integer |
| gtpv1.qos_spare1 | Spare | Unsigned 8-bit integer |
| gtpv1.qos_spare2 | Spare | Unsigned 8-bit integer |
| gtpv1.qos_spare3 | Spare | Unsigned 8-bit integer |
| gtpv1.qos_traf_class | Traffic class | Unsigned 8-bit integer |
| gtpv1.qos_traf_handl_prio | Traffic handling priority | Unsigned 8-bit integer |
| gtpv1.qos_trans_delay | Transfer delay | Unsigned 8-bit integer |
| gtpv1.rab_gtp_dn | Downlink GTP-U seq number | Unsigned 16-bit integer |
| gtpv1.rab_gtp_up | Uplink GTP-U seq number | Unsigned 16-bit integer |
| gtpv1.rab_pdu_dn | Downlink next PDCP-PDU seq number | Unsigned 8-bit integer |
| gtpv1.rab_pdu_up | Uplink next PDCP-PDU seq number | Unsigned 8-bit integer |
| gtpv1.rac | RAC | Unsigned 8-bit integer |
| gtpv1.ranap_cause | RANAP cause | Unsigned 8-bit integer |
| gtpv1.recovery | Recovery | Unsigned 8-bit integer |
| gtpv1.reorder | Reordering required | Boolean |
| gtpv1.rnc_ipv4 | RNC address IPv4 | IPv4 address |
| gtpv1.rnc_ipv6 | RNC address IPv6 | IPv6 address |
| gtpv1.rp | Radio Priority | Unsigned 8-bit integer |
| gtpv1.rp_nsapi | NSAPI in Radio Priority | Unsigned 8-bit integer |
| gtpv1.rp_sms | Radio Priority SMS | Unsigned 8-bit integer |
| gtpv1.rp_spare | Reserved | Unsigned 8-bit integer |
| gtpv1.sel_mode | Selection Mode | Unsigned 8-bit integer |
| gtpv1.seq_number | Sequence Number | Unsigned 16-bit integer |
| gtpv1.tear_ind | Teardown indication | Boolean |
| gtpv1.teid | TEID | Unsigned 32-bit integer |
| gtpv1.teid_cp | TEID Control Plane | Unsigned 32-bit integer |
| gtpv1.teid_data | TEID Data I | Unsigned 32-bit integer |
| gtpv1.teid_ii | TEID Data II | Unsigned 32-bit integer |
| gtpv1.tft_code | TFT operation code | Unsigned 8-bit integer |
| gtpv1.tft_eval | Evaluation precedence | Unsigned 8-bit integer |
| gtpv1.tft_number | Number of packet filters | Unsigned 8-bit integer |
| gtpv1.tft_spare | TFT spare bit | Unsigned 8-bit integer |
| gtpv1.tlli | TLLI | Unsigned 32-bit integer |
| gtpv1.tr_comm | Packet transfer command | Unsigned 8-bit integer |
| gtpv1.trace_ref | Trace reference | Unsigned 16-bit integer |
| gtpv1.trace_type | Trace type | Unsigned 16-bit integer |
| gtpv1.unknown | Unknown data (length) | Unsigned 16-bit integer |
| gtpv1.user_addr_pdp_org | PDP type organization | Unsigned 8-bit integer |
| gtpv1.user_addr_pdp_type | PDP type number | Unsigned 8-bit integer |
| gtpv1.user_ipv4 | End user address IPv4 | IPv4 address |
| gtpv1.user_ipv6 | End user address IPv6 | IPv6 address |


General Inter-ORB Protocol (giop)


Table A-71. General Inter-ORB Protocol (giop)

| Field | Field Name | Type |
|---|---|---|
| giop.TCKind | TypeCode enum | Unsigned 32-bit integer |
| giop.endianess | Endianess | Unsigned 8-bit integer |
| giop.iiop.host | IIOP::Profile_host | String |
| giop.iiop.port | IIOP::Profile_port | Unsigned 16-bit integer |
| giop.iiop.scid | SCID | Unsigned 32-bit integer |
| giop.iiop.vscid | VSCID | Unsigned 32-bit integer |
| giop.iiop_vmaj | IIOP Major Version | Unsigned 8-bit integer |
| giop.iiop_vmin | IIOP Minor Version | Unsigned 8-bit integer |
| giop.iioptag | IIOP Component TAG | Unsigned 32-bit integer |
| giop.iortag | IOR Profile TAG | Unsigned 8-bit integer |
| giop.len | Message size | Unsigned 32-bit integer |
| giop.profid | Profile ID | Unsigned 32-bit integer |
| giop.repoid | Repository ID | String |
| giop.seqlen | Sequence Length | Unsigned 32-bit integer |
| giop.strlen | String Length | Unsigned 32-bit integer |
| giop.tcValueModifier | ValueModifier | Signed 16-bit integer |
| giop.tcVisibility | Visibility | Signed 16-bit integer |
| giop.tcboolean | TypeCode boolean data | Boolean |
| giop.tcchar | TypeCode char data | Unsigned 8-bit integer |
| giop.tccount | TypeCode count | Unsigned 32-bit integer |
| giop.tcdefault_used | default_used | Signed 32-bit integer |
| giop.tcdigits | Digits | Unsigned 16-bit integer |
| giop.tcdouble | TypeCode double data | Double-precision floating point |
| giop.tcenumdata | TypeCode enum data | Unsigned 32-bit integer |
| giop.tcfloat | TypeCode float data | Double-precision floating point |
| giop.tclength | Length | Unsigned 32-bit integer |
| giop.tclongdata | TypeCode long data | Signed 32-bit integer |
| giop.tcmaxlen | Maximum length | Unsigned 32-bit integer |
| giop.tcmemname | TypeCode member name | String |
| giop.tcname | TypeCode name | String |
| giop.tcoctet | TypeCode octet data | Unsigned 8-bit integer |
| giop.tcscale | Scale | Signed 16-bit integer |
| giop.tcshortdata | TypeCode short data | Signed 16-bit integer |
| giop.tcstring | TypeCode string data | String |
| giop.tculongdata | TypeCode ulong data | Unsigned 32-bit integer |
| giop.tcushortdata | TypeCode ushort data | Unsigned 16-bit integer |
| giop.type | Message type | Unsigned 8-bit integer |
| giop.typeid | IOR::type_id | String |

Generic Routing Encapsulation (gre)


Table A-72. Generic Routing Encapsulation (gre)

| Field | Field Name | Type |
|---|---|---|
| gre.proto | Protocol Type | Unsigned 16-bit integer |

Gnutella Protocol (gnutella)


Table A-73. Gnutella Protocol (gnutella)

| Field | Field Name | Type |
|---|---|---|
| gnutella.header | Descriptor Header | No value |
| gnutella.header.hops | Hops | Unsigned 8-bit integer |
| gnutella.header.id | ID | Byte array |
| gnutella.header.payload | Payload | Unsigned 8-bit integer |
| gnutella.header.size | Length | Unsigned 8-bit integer |
| gnutella.header.ttl | TTL | Unsigned 8-bit integer |
| gnutella.pong.files | Files Shared | Unsigned 32-bit integer |
| gnutella.pong.ip | IP | IPv4 address |
| gnutella.pong.kbytes | KBytes Shared | Unsigned 32-bit integer |
| gnutella.pong.payload | Pong | No value |
| gnutella.pong.port | Port | Unsigned 16-bit integer |
| gnutella.push.index | Index | Unsigned 32-bit integer |
| gnutella.push.ip | IP | IPv4 address |
| gnutella.push.payload | Push | No value |
| gnutella.push.port | Port | Unsigned 16-bit integer |
| gnutella.push.servent_id | Servent ID | Byte array |
| gnutella.query.min_speed | Min Speed | Unsigned 32-bit integer |
| gnutella.query.payload | Query | No value |
| gnutella.query.search | Search | String |
| gnutella.queryhit.count | Count | Unsigned 8-bit integer |
| gnutella.queryhit.extra | Extra | Byte array |
| gnutella.queryhit.hit | Hit | No value |
| gnutella.queryhit.hit.extra | Extra | Byte array |
| gnutella.queryhit.hit.index | Index | Unsigned 32-bit integer |
| gnutella.queryhit.hit.name | Name | String |
| gnutella.queryhit.hit.size | Size | Unsigned 32-bit integer |
| gnutella.queryhit.ip | IP | IPv4 address |
| gnutella.queryhit.payload | QueryHit | No value |
| gnutella.queryhit.port | Port | Unsigned 16-bit integer |
| gnutella.queryhit.servent_id | Servent ID | Byte array |
| gnutella.queryhit.speed | Speed | Unsigned 32-bit integer |
| gnutella.stream | Gnutella Upload / Download Stream | No value |
| gnutella.truncated | Truncated Frame | No value |

Hummingbird NFS Daemon (hclnfsd)


Table A-74. Hummingbird NFS Daemon (hclnfsd)
Field | Field Name | Type
hclnfsd.access | Access | Unsigned 32-bit integer
hclnfsd.authorize.ident.obscure | Obscure Ident | String
hclnfsd.cookie | Cookie | Unsigned 32-bit integer
hclnfsd.copies | Copies | Unsigned 32-bit integer
hclnfsd.device | Device | String
hclnfsd.exclusive | Exclusive | Unsigned 32-bit integer
hclnfsd.fileext | File Extension | Unsigned 32-bit integer
hclnfsd.filename | Filename | String
hclnfsd.gid | GID | Unsigned 32-bit integer
hclnfsd.group | Group | String
hclnfsd.host_ip | Host IP | IPv4 address
hclnfsd.hostname | Hostname | String
hclnfsd.jobstatus | Job Status | Unsigned 32-bit integer
hclnfsd.length | Length | Unsigned 32-bit integer
hclnfsd.lockname | Lockname | String
hclnfsd.lockowner | Lockowner | Byte array
hclnfsd.logintext | Login Text | String
hclnfsd.mode | Mode | Unsigned 32-bit integer
hclnfsd.npp | Number of Physical Printers | Unsigned 32-bit integer
hclnfsd.offset | Offset | Unsigned 32-bit integer
hclnfsd.pqn | Print Queue Number | Unsigned 32-bit integer
hclnfsd.printername | Printer Name | String
hclnfsd.printparameters | Print Parameters | String
hclnfsd.printqueuecomment | Comment | String
hclnfsd.printqueuename | Name | String
hclnfsd.queuestatus | Queue Status | Unsigned 32-bit integer
hclnfsd.request_type | Request Type | Unsigned 32-bit integer
hclnfsd.sequence | Sequence | Unsigned 32-bit integer
hclnfsd.server_ip | Server IP | IPv4 address
hclnfsd.size | Size | Unsigned 32-bit integer
hclnfsd.status | Status | Unsigned 32-bit integer
hclnfsd.timesubmitted | Time Submitted | Unsigned 32-bit integer
hclnfsd.uid | UID | Unsigned 32-bit integer
hclnfsd.unknown_data | Unknown | Byte array
hclnfsd.username | Username | String

Hypertext Transfer Protocol (http)


Table A-75. Hypertext Transfer Protocol (http)
Field | Field Name | Type
http.notification | Notification | Boolean
http.request | Request | Boolean
http.response | Response | Boolean

ICQ Protocol (icq)


Table A-76. ICQ Protocol (icq)
Field | Field Name | Type
icq.checkcode | Checkcode | Unsigned 32-bit integer
icq.client_cmd | Client command | Unsigned 16-bit integer
icq.decode | Decode | String
icq.server_cmd | Server command | Unsigned 16-bit integer
icq.sessionid | Session ID | Unsigned 32-bit integer
icq.type | Type | Unsigned 16-bit integer
icq.uin | UIN | Unsigned 32-bit integer

IEEE 802.11 wireless LAN (wlan)


Table A-77. IEEE 802.11 wireless LAN (wlan)
Field | Field Name | Type
wlan.addr | Source or Destination address | 6-byte Hardware (MAC) Address
wlan.aid | Association ID | Unsigned 16-bit integer
wlan.bssid | BSS Id | 6-byte Hardware (MAC) Address
wlan.channel | Channel | Unsigned 8-bit integer
wlan.da | Destination address | 6-byte Hardware (MAC) Address
wlan.data_rate | Data Rate | Unsigned 8-bit integer
wlan.duration | Duration | Unsigned 16-bit integer
wlan.fc | Frame Control Field | Unsigned 16-bit integer
wlan.fc.ds | DS status | Unsigned 8-bit integer
wlan.fc.frag | More Fragments | Boolean
wlan.fc.fromds | From DS | Boolean
wlan.fc.moredata | More Data | Boolean
wlan.fc.order | Order flag | Boolean
wlan.fc.pwrmgt | PWR MGT | Boolean
wlan.fc.retry | Retry | Boolean
wlan.fc.subtype | Subtype | Unsigned 8-bit integer
wlan.fc.tods | To DS | Boolean
wlan.fc.type | Type | Unsigned 8-bit integer
wlan.fc.type_subtype | Type/Subtype | Unsigned 16-bit integer
wlan.fc.version | Version | Unsigned 8-bit integer
wlan.fc.wep | WEP flag | Boolean
wlan.fcs | Frame check sequence | Unsigned 32-bit integer
wlan.flags | Protocol Flags | Unsigned 8-bit integer
wlan.frag | Fragment number | Unsigned 16-bit integer
wlan.fragment | 802.11 Fragment | No value
wlan.fragment.error | Defragmentation error | No value
wlan.fragment.multipletails | Multiple tail fragments found | Boolean
wlan.fragment.overlap | Fragment overlap | Boolean
wlan.fragment.overlap.conflict | Conflicting data in fragment overlap | Boolean
wlan.fragment.toolongfragment | Fragment too long | Boolean
wlan.fragments | 802.11 Fragments | No value
wlan.ra | Receiver address | 6-byte Hardware (MAC) Address
wlan.sa | Source address | 6-byte Hardware (MAC) Address
wlan.seq | Sequence number | Unsigned 16-bit integer
wlan.signal_strength | Signal Strength | Unsigned 8-bit integer
wlan.ta | Transmitter address | 6-byte Hardware (MAC) Address
wlan.wep.icv | WEP ICV (not verified) | Unsigned 32-bit integer
wlan.wep.iv | Initialization Vector | Unsigned 24-bit integer
wlan.wep.key | Key | Unsigned 8-bit integer

IEEE 802.11 wireless LAN management frame (wlan_mgt)


Table A-78. IEEE 802.11 wireless LAN management frame (wlan_mgt)
Field | Field Name | Type
wlan_mgt.fixed.aid | Association ID | Unsigned 16-bit integer
wlan_mgt.fixed.all | Fixed parameters | Unsigned 16-bit integer
wlan_mgt.fixed.auth.alg | Authentication Algorithm | Unsigned 16-bit integer
wlan_mgt.fixed.auth_seq | Authentication SEQ | Unsigned 16-bit integer
wlan_mgt.fixed.beacon | Beacon Interval | Double-precision floating point
wlan_mgt.fixed.capabilities | Capabilities | Unsigned 16-bit integer
wlan_mgt.fixed.capabilities.agility | Channel Agility | Boolean
wlan_mgt.fixed.capabilities.cfpoll.ap | CFP participation capabilities | Unsigned 16-bit integer
wlan_mgt.fixed.capabilities.cfpoll.sta | CFP participation capabilities | Unsigned 16-bit integer
wlan_mgt.fixed.capabilities.ess | ESS capabilities | Boolean
wlan_mgt.fixed.capabilities.ibss | IBSS status | Boolean
wlan_mgt.fixed.capabilities.pbcc | PBCC | Boolean
wlan_mgt.fixed.capabilities.preamble | Short Preamble | Boolean
wlan_mgt.fixed.capabilities.privacy | Privacy | Boolean
wlan_mgt.fixed.current_ap | Current AP | 6-byte Hardware (MAC) Address
wlan_mgt.fixed.listen_ival | Listen Interval | Unsigned 16-bit integer
wlan_mgt.fixed.reason_code | Reason code | Unsigned 16-bit integer
wlan_mgt.fixed.status_code | Status code | Unsigned 16-bit integer
wlan_mgt.fixed.timestamp | Timestamp | String
wlan_mgt.tag.interpretation | Tag interpretation | String
wlan_mgt.tag.length | Tag length | Unsigned 16-bit integer
wlan_mgt.tag.number | Tag | Unsigned 16-bit integer
wlan_mgt.tagged.all | Tagged parameters | Unsigned 16-bit integer


ILMI (ilmi)
Table A-79. ILMI (ilmi)
Field | Field Name | Type

IP Payload Compression (ipcomp)


Table A-80. IP Payload Compression (ipcomp)
Field | Field Name | Type
ipcomp.cpi | CPI | Unsigned 16-bit integer
ipcomp.flags | Flags | Unsigned 8-bit integer

IPX Message (ipxmsg)


Table A-81. IPX Message (ipxmsg)
Field | Field Name | Type
ipxmsg.conn | Connection Number | Unsigned 8-bit integer
ipxmsg.sigchar | Signature Char | Unsigned 8-bit integer

IPX Routing Information Protocol (ipxrip)


Table A-82. IPX Routing Information Protocol (ipxrip)
Field | Field Name | Type
ipxrip.request | Request | Boolean
ipxrip.response | Response | Boolean

ISDN Q.921-User Adaptation Layer (iua)


Table A-83. ISDN Q.921-User Adaptation Layer (iua)
Field | Field Name | Type
iua.asp_identifier | ASP identifier | Unsigned 32-bit integer
iua.asp_reason | Reason | Unsigned 32-bit integer
iua.diagnostic_information | Diagnostic information | Byte array
iua.dlci_one_bit | One bit | Boolean
iua.dlci_sapi | SAPI | Unsigned 8-bit integer
iua.dlci_spare | Spare | Unsigned 16-bit integer
iua.dlci_spare_bit | Spare bit | Boolean
iua.dlci_tei | TEI | Unsigned 8-bit integer
iua.dlci_zero_bit | Zero bit | Boolean
iua.error_code | Error code | Unsigned 32-bit integer
iua.heartbeat_data | Heartbeat data | Byte array
iua.info_string | Info string | String
iua.int_interface_identifier | Integer interface identifier | Signed 32-bit integer
iua.interface_range_end | End | Unsigned 32-bit integer
iua.interface_range_start | Start | Unsigned 32-bit integer
iua.message_class | Message class | Unsigned 8-bit integer
iua.message_length | Message length | Unsigned 32-bit integer
iua.message_type | Message Type | Unsigned 8-bit integer
iua.parameter_length | Parameter length | Unsigned 16-bit integer
iua.parameter_padding | Parameter padding | Byte array
iua.parameter_tag | Parameter Tag | Unsigned 16-bit integer
iua.parameter_value | Parameter value | Byte array
iua.release_reason | Reason | Unsigned 32-bit integer
iua.reserved | Reserved | Unsigned 8-bit integer
iua.status_identification | Status identification | Unsigned 16-bit integer
iua.status_type | Status type | Unsigned 16-bit integer
iua.tei_status | TEI status | Unsigned 32-bit integer
iua.text_interface_identifier | Text interface identifier | String
iua.traffic_mode_type | Traffic mode type | Unsigned 32-bit integer
iua.version | Version | Unsigned 8-bit integer

ISDN User Part (isup)


Table A-84. ISDN User Part (isup)
Field | Field Name | Type
isup.access_delivery_ind | Access delivery indicator | Boolean
isup.address_presentation_restricted_indicator | Address presentation restricted indicator | Unsigned 8-bit integer
isup.automatic_congestion_level | Automatic congestion level | Unsigned 8-bit integer
isup.backw_call_echo_control_device_indicator | Echo Control Device Indicator | Boolean
isup.backw_call_end_to_end_information_indicator | End-to-end information indicator | Boolean
isup.backw_call_end_to_end_method_indicator | End-to-end method indicator | Unsigned 16-bit integer
isup.backw_call_holding_indicator | Holding indicator | Boolean
isup.backw_call_interworking_indicator | Interworking indicator | Boolean
isup.backw_call_isdn_access_indicator | ISDN access indicator | Boolean
isup.backw_call_isdn_user_part_indicator | ISDN user part indicator | Boolean
isup.backw_call_sccp_method_indicator | SCCP method indicator | Unsigned 16-bit integer
isup.call_diversion_may_occur_ind | Call diversion may occur indicator | Boolean
isup.call_processing_state | Call processing state | Unsigned 8-bit integer
isup.call_to_be_diverted_ind | Call to be diverted indicator | Unsigned 8-bit integer
isup.call_to_be_offered_ind | Call to be offered indicator | Unsigned 8-bit integer
isup.called_party_even_address_signal_digit | Address signal digit | Unsigned 8-bit integer
isup.called_party_nature_of_address_indicator | Nature of address indicator | Unsigned 8-bit integer
isup.called_party_odd_address_signal_digit | Address signal digit | Unsigned 8-bit integer
isup.called_partys_category_indicator | Called party's category indicator | Unsigned 16-bit integer
isup.called_partys_status_indicator | Called party's status indicator | Unsigned 16-bit integer
isup.calling_party_address_request_indicator | Calling party address request indicator | Boolean
isup.calling_party_address_response_indicator | Calling party address response indicator | Unsigned 16-bit integer
isup.calling_party_even_address_signal_digit | Address signal digit | Unsigned 8-bit integer
isup.calling_party_nature_of_address_indicator | Nature of address indicator | Unsigned 8-bit integer
isup.calling_party_odd_address_signal_digit | Address signal digit | Unsigned 8-bit integer
isup.calling_partys_category | Calling Party's category | Unsigned 8-bit integer
isup.calling_partys_category_request_indicator | Calling party's category request indicator | Boolean
isup.calling_partys_category_response_indicator | Calling party's category response indicator | Boolean
isup.cgs_message_type | Circuit group supervision message type | Unsigned 8-bit integer
isup.charge_indicator | Charge indicator | Unsigned 16-bit integer
isup.charge_information_request_indicator | Charge information request indicator | Boolean
isup.charge_information_response_indicator | Charge information response indicator | Boolean
isup.cic | CIC | Unsigned 16-bit integer
isup.clg_call_ind | Closed user group call indicator | Unsigned 8-bit integer
isup.conference_acceptance_ind | Conference acceptance indicator | Unsigned 8-bit integer
isup.connected_line_identity_request_ind | Connected line identity request indicator | Boolean
isup.continuity_check_indicator | Continuity Check Indicator | Unsigned 8-bit integer
isup.continuity_indicator | Continuity indicator | Boolean
isup.echo_control_device_indicator | Echo Control Device Indicator | Boolean
isup.event_ind | Event indicator | Unsigned 8-bit integer
isup.event_presentatiation_restr_ind | Event presentation restricted indicator | Boolean
isup.extension_ind | Extension indicator | Boolean
isup.forw_call_end_to_end_information_indicator | End-to-end information indicator | Boolean
isup.forw_call_end_to_end_method_indicator | End-to-end method indicator | Unsigned 16-bit integer
isup.forw_call_interworking_indicator | Interworking indicator | Boolean
isup.forw_call_isdn_access_indicator | ISDN access indicator | Boolean
isup.forw_call_isdn_user_part_indicator | ISDN user part indicator | Boolean
isup.forw_call_natnl_inatnl_call_indicator | National/international call indicator | Boolean
isup.forw_call_preferences_indicator | ISDN user part preference indicator | Unsigned 16-bit integer
isup.forw_call_sccp_method_indicator | SCCP method indicator | Unsigned 16-bit integer
isup.hold_provided_indicator | Hold provided indicator | Boolean
isup.hw_blocking_state | HW blocking state | Unsigned 8-bit integer
isup.inband_information_ind | In-band information indicator | Boolean
isup.info_req_holding_indicator | Holding indicator | Boolean
isup.inn_indicator | INN indicator | Boolean
isup.isdn_odd_even_indicator | Odd/even indicator | Boolean
isup.loop_prevention_response_ind | Response indicator | Unsigned 8-bit integer
isup.malicious_call_ident_request_indicator | Malicious call identification request indicator (ISUP88) | Boolean
isup.mandatory_variable_parameter_pointer | Pointer to Parameter | Unsigned 8-bit integer
isup.map_type | Map Type | Unsigned 8-bit integer
isup.message_type | Message Type | Unsigned 8-bit integer
isup.mlpp_user | MLPP user indicator | Boolean
isup.mtc_blocking_state | Maintenance blocking state | Unsigned 8-bit integer
isup.network_identification_plan | Network identification plan | Unsigned 8-bit integer
isup.ni_indicator | NI indicator | Boolean
isup.numbering_plan_indicator | Numbering plan indicator | Unsigned 8-bit integer
isup.optional_parameter_part_pointer | Pointer to optional parameter part | Unsigned 8-bit integer
isup.original_redirection_reason | Original redirection reason | Unsigned 16-bit integer
isup.parameter_length | Parameter Length | Unsigned 8-bit integer
isup.parameter_type | Parameter Type | Unsigned 8-bit integer
isup.range_indicator | Range indicator | Unsigned 8-bit integer
isup.redirecting_ind | Redirection indicator | Unsigned 16-bit integer
isup.redirection_counter | Redirection counter | Unsigned 16-bit integer
isup.redirection_reason | Redirection reason | Unsigned 16-bit integer
isup.satellite_indicator | Satellite Indicator | Unsigned 8-bit integer
isup.screening_indicator | Screening indicator | Unsigned 8-bit integer
isup.screening_indicator_enhanced | Screening indicator | Unsigned 8-bit integer
isup.simple_segmentation_ind | Simple segmentation indicator | Boolean
isup.solicided_indicator | Solicited indicator | Boolean
isup.suspend_resume_indicator | Suspend/Resume indicator | Boolean
isup.temporary_alternative_routing_ind | Temporary alternative routing indicator | Boolean
isup.transmission_medium_requirement | Transmission medium requirement | Unsigned 8-bit integer
isup.transmission_medium_requirement_prime | Transmission medium requirement prime | Unsigned 8-bit integer
isup.type_of_network_identification | Type of network identification | Unsigned 8-bit integer

ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol (isis)
Table A-85. ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol (isis)
Field | Field Name | Type
isis.csnp.pdu_length | PDU length | Unsigned 16-bit integer
isis.hello.circuit_type | Circuit type | Unsigned 8-bit integer
isis.hello.clv_ipv4_int_addr | IPv4 interface address | IPv4 address
isis.hello.clv_ipv6_int_addr | IPv6 interface address | IPv6 address
isis.hello.clv_mt | MT-ID | Unsigned 16-bit integer
isis.hello.clv_ptp_adj | Point-to-point Adjacency | Unsigned 8-bit integer
isis.hello.holding_timer | Holding timer | Unsigned 16-bit integer
isis.hello.lan_id | SystemID{ Designated IS } | Byte array
isis.hello.local_circuit_id | Local circuit ID | Unsigned 8-bit integer
isis.hello.pdu_length | PDU length | Unsigned 16-bit integer
isis.hello.priority | Priority | Unsigned 8-bit integer
isis.hello.source_id | SystemID{ Sender of PDU } | Byte array
isis.irpd | Intra Domain Routing Protocol Discriminator | Unsigned 8-bit integer
isis.len | PDU Header Length | Unsigned 8-bit integer
isis.lsp.checksum | Checksum | Unsigned 16-bit integer
isis.lsp.clv_ipv4_int_addr | IPv4 interface address | IPv4 address
isis.lsp.clv_ipv6_int_addr | IPv6 interface address | IPv6 address
isis.lsp.clv_mt | MT-ID | Unsigned 16-bit integer
isis.lsp.clv_te_router_id | Traffic Engineering Router ID | IPv4 address
isis.lsp.pdu_length | PDU length | Unsigned 16-bit integer
isis.lsp.remaining_life | Remaining lifetime | Unsigned 16-bit integer
isis.lsp.sequence_number | Sequence number | Unsigned 32-bit integer
isis.max_area_adr | Max.AREAs: (0==3) | Unsigned 8-bit integer
isis.psnp.pdu_length | PDU length | Unsigned 16-bit integer
isis.reserved | Reserved (==0) | Unsigned 8-bit integer
isis.sysid_len | System ID Length | Unsigned 8-bit integer
isis.type | PDU Type | Unsigned 8-bit integer
isis.version | Version (==1) | Unsigned 8-bit integer
isis.version2 | Version2 (==1) | Unsigned 8-bit integer

ISO 8073 COTP Connection-Oriented Transport Protocol (cotp)


Table A-86. ISO 8073 COTP Connection-Oriented Transport Protocol (cotp)
Field | Field Name | Type


ISO 8473 CLNP ConnectionLess Network Protocol (clnp)


Table A-87. ISO 8473 CLNP ConnectionLess Network Protocol (clnp)
Field | Field Name | Type
clnp.checksum | Checksum | Unsigned 16-bit integer
clnp.dsap | DA | Byte array
clnp.dsap.len | DAL | Unsigned 8-bit integer
clnp.len | HDR Length | Unsigned 8-bit integer
clnp.nlpi | Network Layer Protocol Identifier | Unsigned 8-bit integer
clnp.pdu.len | PDU length | Unsigned 16-bit integer
clnp.segment | CLNP Segment | No value
clnp.segment.error | Reassembly error | No value
clnp.segment.multipletails | Multiple tail segments found | Boolean
clnp.segment.overlap | Segment overlap | Boolean
clnp.segment.overlap.conflict | Conflicting data in segment overlap | Boolean
clnp.segment.toolongsegment | Segment too long | Boolean
clnp.segments | CLNP Segments | No value
clnp.ssap | SA | Byte array
clnp.ssap.len | SAL | Unsigned 8-bit integer
clnp.ttl | Holding Time | Unsigned 8-bit integer
clnp.type | PDU Type | Unsigned 8-bit integer
clnp.version | Version | Unsigned 8-bit integer

ISO 8602 CLTP ConnectionLess Transport Protocol (cltp)


Table A-88. ISO 8602 CLTP ConnectionLess Transport Protocol (cltp)
Field | Field Name | Type


ISO 9542 ESIS Routeing Information Exchange Protocol (esis)


Table A-89. ISO 9542 ESIS Routeing Information Exchange Protocol (esis)
Field | Field Name | Type
esis.chksum | Checksum | Unsigned 16-bit integer
esis.htime | Holding Time | Unsigned 16-bit integer
esis.length | PDU Length | Unsigned 8-bit integer
esis.nlpi | Network Layer Protocol Identifier | Unsigned 8-bit integer
esis.res | Reserved(==0) | Unsigned 8-bit integer
esis.type | PDU Type | Unsigned 8-bit integer
esis.ver | Version (==1) | Unsigned 8-bit integer

ITU-T Recommendation H.261 (h261)


Table A-90. ITU-T Recommendation H.261 (h261)
Field | Field Name | Type
h261.ebit | End bit position | Unsigned 8-bit integer
h261.gobn | GOB Number | Unsigned 8-bit integer
h261.hmvd | Horizontal motion vector data | Unsigned 8-bit integer
h261.i | Intra frame encoded data flag | Boolean
h261.mbap | Macroblock address predictor | Unsigned 8-bit integer
h261.quant | Quantizer | Unsigned 8-bit integer
h261.sbit | Start bit position | Unsigned 8-bit integer
h261.stream | H.261 stream | Byte array
h261.v | Motion vector flag | Boolean
h261.vmvd | Vertical motion vector data | Unsigned 8-bit integer

Inter-Access-Point Protocol (iapp)


Table A-91. Inter-Access-Point Protocol (iapp)
Field | Field Name | Type
iapp.type | type | Unsigned 8-bit integer
iapp.version | Version | Unsigned 8-bit integer

Internet Cache Protocol (icp)


Table A-92. Internet Cache Protocol (icp)
Field | Field Name | Type
icp.length | Length | Unsigned 16-bit integer
icp.nr | Request Number | Unsigned 32-bit integer
icp.opcode | Opcode | Unsigned 8-bit integer
icp.version | Version | Unsigned 8-bit integer

Internet Content Adaptation Protocol (icap)


Table A-93. Internet Content Adaptation Protocol (icap)
Field | Field Name | Type
icap.options | Options | Boolean
icap.other | Other | Boolean
icap.reqmod | Reqmod | Boolean
icap.respmod | Respmod | Boolean
icap.response | Response | Boolean

Internet Control Message Protocol (icmp)


Table A-94. Internet Control Message Protocol (icmp)
Field | Field Name | Type
icmp.checksum | Checksum | Unsigned 16-bit integer
icmp.checksum_bad | Bad Checksum | Boolean
icmp.code | Code | Unsigned 8-bit integer
icmp.mip.b | Busy | Boolean
icmp.mip.challenge | Challenge | Byte array
icmp.mip.coa | Care-Of-Address | IPv4 address
icmp.mip.f | Foreign Agent | Boolean
icmp.mip.flags | Flags | Unsigned 8-bit integer
icmp.mip.g | GRE | Boolean
icmp.mip.h | Home Agent | Boolean
icmp.mip.length | Length | Unsigned 8-bit integer
icmp.mip.life | Registration Lifetime | Unsigned 16-bit integer
icmp.mip.m | Minimal Encapsulation | Boolean
icmp.mip.prefixlength | Prefix Length | Unsigned 8-bit integer
icmp.mip.r | Registration Required | Boolean
icmp.mip.res | Reserved | Boolean
icmp.mip.reserved | Reserved | Unsigned 8-bit integer
icmp.mip.seq | Sequence Number | Unsigned 16-bit integer
icmp.mip.type | Extension Type | Unsigned 8-bit integer
icmp.mip.v | VJ Comp | Boolean
icmp.type | Type | Unsigned 8-bit integer

Internet Control Message Protocol v6 (icmpv6)


Table A-95. Internet Control Message Protocol v6 (icmpv6)
Field | Field Name | Type
icmpv6.checksum | Checksum | Unsigned 16-bit integer
icmpv6.checksum_bad | Bad Checksum | Boolean
icmpv6.code | Code | Unsigned 8-bit integer
icmpv6.type | Type | Unsigned 8-bit integer

Internet Group Management Protocol (igmp)


Table A-96. Internet Group Management Protocol (igmp)
Field | Field Name | Type
igmp.access_key | Access Key | Byte array
igmp.aux_data | Aux Data | Byte array
igmp.aux_data_len | Aux Data Len | Unsigned 8-bit integer
igmp.checksum | Checksum | Unsigned 16-bit integer
igmp.checksum_bad | Bad Checksum | Boolean
igmp.group_type | Type Of Group | Unsigned 8-bit integer
igmp.identifier | Identifier | Unsigned 32-bit integer
igmp.max_resp | Max Resp Time | Unsigned 8-bit integer
igmp.max_resp.exp | Exponent | Unsigned 8-bit integer
igmp.max_resp.mant | Mantissa | Unsigned 8-bit integer
igmp.mtrace.max_hops | # hops | Unsigned 8-bit integer
igmp.mtrace.q_arrival | Query Arrival | Unsigned 32-bit integer
igmp.mtrace.q_fwd_code | Forwarding Code | Unsigned 8-bit integer
igmp.mtrace.q_fwd_ttl | FwdTTL | Unsigned 8-bit integer
igmp.mtrace.q_id | Query ID | Unsigned 24-bit integer
igmp.mtrace.q_inaddr | In itf addr | IPv4 address
igmp.mtrace.q_inpkt | In pkts | Unsigned 32-bit integer
igmp.mtrace.q_mbz | MBZ | Unsigned 8-bit integer
igmp.mtrace.q_outaddr | Out itf addr | IPv4 address
igmp.mtrace.q_outpkt | Out pkts | Unsigned 32-bit integer
igmp.mtrace.q_prevrtr | Previous rtr addr | IPv4 address
igmp.mtrace.q_rtg_proto | Rtg Protocol | Unsigned 8-bit integer
igmp.mtrace.q_s | S | Unsigned 8-bit integer
igmp.mtrace.q_src_mask | Src Mask | Unsigned 8-bit integer
igmp.mtrace.q_total | S,G pkt count | Unsigned 32-bit integer
igmp.mtrace.raddr | Receiver Address | IPv4 address
igmp.mtrace.resp_ttl | Response TTL | Unsigned 8-bit integer
igmp.mtrace.rspaddr | Response Address | IPv4 address
igmp.mtrace.saddr | Source Address | IPv4 address
igmp.num_grp_recs | Num Group Records | Unsigned 16-bit integer
igmp.num_src | Num Src | Unsigned 16-bit integer
igmp.qqic | QQIC | Unsigned 8-bit integer
igmp.qrv | QRV | Unsigned 8-bit integer
igmp.record_type | Record Type | Unsigned 8-bit integer
igmp.reply | Reply | Unsigned 8-bit integer
igmp.reply.pending | Reply Pending | Unsigned 8-bit integer
igmp.s | S | Boolean
igmp.type | Type | Unsigned 8-bit integer
igmp.version | IGMP Version | Unsigned 8-bit integer


Internet Message Access Protocol (imap)


Table A-97. Internet Message Access Protocol (imap)
Field | Field Name | Type
imap.request | Request | Boolean
imap.response | Response | Boolean

Internet Printing Protocol (ipp)


Table A-98. Internet Printing Protocol (ipp)
Field | Field Name | Type

Internet Protocol (ip)


Table A-99. Internet Protocol (ip)
Field | Field Name | Type
ip.addr | Source or Destination Address | IPv4 address
ip.checksum | Header checksum | Unsigned 16-bit integer
ip.checksum_bad | Bad Header checksum | Boolean
ip.dsfield | Differentiated Services field | Unsigned 8-bit integer
ip.dsfield.ce | ECN-CE | Unsigned 8-bit integer
ip.dsfield.dscp | Differentiated Services Codepoint | Unsigned 8-bit integer
ip.dsfield.ect | ECN-Capable Transport (ECT) | Unsigned 8-bit integer
ip.dst | Destination | IPv4 address
ip.flags | Flags | Unsigned 8-bit integer
ip.flags.df | Don't fragment | Boolean
ip.flags.mf | More fragments | Boolean
ip.frag_offset | Fragment offset | Unsigned 16-bit integer
ip.fragment | IP Fragment | No value
ip.fragment.error | Defragmentation error | No value
ip.fragment.multipletails | Multiple tail fragments found | Boolean
ip.fragment.overlap | Fragment overlap | Boolean
ip.fragment.overlap.conflict | Conflicting data in fragment overlap | Boolean
ip.fragment.toolongfragment | Fragment too long | Boolean
ip.fragments | IP Fragments | No value
ip.hdr_len | Header Length | Unsigned 8-bit integer
ip.id | Identification | Unsigned 16-bit integer
ip.len | Total Length | Unsigned 16-bit integer
ip.proto | Protocol | Unsigned 8-bit integer
ip.src | Source | IPv4 address
ip.tos | Type of Service | Unsigned 8-bit integer
ip.tos.cost | Cost | Boolean
ip.tos.delay | Delay | Boolean
ip.tos.precedence | Precedence | Unsigned 8-bit integer
ip.tos.reliability | Reliability | Boolean
ip.tos.throughput | Throughput | Boolean
ip.ttl | Time to live | Unsigned 8-bit integer
ip.version | Version | Unsigned 8-bit integer

Internet Protocol Version 6 (ipv6)


Table A-100. Internet Protocol Version 6 (ipv6)
Field | Field Name | Type
ipv6.addr | Address | IPv6 address
ipv6.class | Traffic class | Unsigned 8-bit integer
ipv6.dst | Destination | IPv6 address
ipv6.flow | Flowlabel | Unsigned 32-bit integer
ipv6.fragment | IPv6 Fragment | No value
ipv6.fragment.error | Defragmentation error | No value
ipv6.fragment.multipletails | Multiple tail fragments found | Boolean
ipv6.fragment.overlap | Fragment overlap | Boolean
ipv6.fragment.overlap.conflict | Conflicting data in fragment overlap | Boolean
ipv6.fragment.toolongfragment | Fragment too long | Boolean
ipv6.fragments | IPv6 Fragments | No value
ipv6.hlim | Hop limit | Unsigned 8-bit integer
ipv6.mipv6_a_flag | Acknowledge (A) | Boolean
ipv6.mipv6_b_flag | Bicasting all (B) | Boolean
ipv6.mipv6_d_flag | Duplicate Address Detection (D) | Boolean
ipv6.mipv6_h_flag | Home Registration (H) | Boolean
ipv6.mipv6_home_address | Home Address | IPv6 address
ipv6.mipv6_length | Option Length | Unsigned 8-bit integer
ipv6.mipv6_life_time | Life Time | Unsigned 32-bit integer
ipv6.mipv6_m_flag | MAP Registration (M) | Boolean
ipv6.mipv6_prefix_length | Prefix Length | Unsigned 8-bit integer
ipv6.mipv6_r_flag | Router (R) | Boolean
ipv6.mipv6_refresh | Refresh | Unsigned 32-bit integer
ipv6.mipv6_sequence_number | Sequence Number | Unsigned 16-bit integer
ipv6.mipv6_status | Status | Unsigned 8-bit integer
ipv6.mipv6_sub_alternative_COA | Alternative Care of Address | IPv6 address
ipv6.mipv6_sub_length | Sub-Option Length | Unsigned 8-bit integer
ipv6.mipv6_sub_type | Sub-Option Type | Unsigned 8-bit integer
ipv6.mipv6_sub_unique_ID | Unique Identifier | Unsigned 16-bit integer
ipv6.mipv6_type | Option Type | Unsigned 8-bit integer
ipv6.nxt | Next header | Unsigned 8-bit integer
ipv6.plen | Payload length | Unsigned 16-bit integer
ipv6.src | Source | IPv6 address
ipv6.version | Version | Unsigned 8-bit integer

Internet Relay Chat (irc)


Table A-101. Internet Relay Chat (irc)
Field | Field Name | Type
irc.command | Command | String
irc.request | Request | Boolean
irc.response | Response | Boolean

Internet Security Association and Key Management Protocol (isakmp)


Table A-102. Internet Security Association and Key Management Protocol (isakmp)
Field | Field Name | Type

Internetwork Packet eXchange (ipx)


Table A-103. Internetwork Packet eXchange (ipx)
Field | Field Name | Type
ipx.checksum | Checksum | Unsigned 16-bit integer
ipx.dst.net | Destination Network | IPX network or server name
ipx.dst.node | Destination Node | 6-byte Hardware (MAC) Address
ipx.dst.socket | Destination Socket | Unsigned 16-bit integer
ipx.hops | Transport Control (Hops) | Unsigned 8-bit integer
ipx.len | Length | Unsigned 16-bit integer
ipx.packet_type | Packet Type | Unsigned 8-bit integer
ipx.src.net | Source Network | IPX network or server name
ipx.src.node | Source Node | 6-byte Hardware (MAC) Address
ipx.src.socket | Source Socket | Unsigned 16-bit integer

Java RMI (rmi)


Table A-104. Java RMI (rmi)
Field | Field Name | Type
rmi.endpoint_id.hostname | Hostname | String
rmi.endpoint_id.length | Length | Unsigned 16-bit integer
rmi.endpoint_id.port | Port | Unsigned 16-bit integer
rmi.inputstream.message | Input Stream Message | String
rmi.magic | Magic | Unsigned 32-bit integer
rmi.outputstream.message | Output Stream Message | String
rmi.protocol | Protocol | String
rmi.ser.magic | Magic | Unsigned 16-bit integer
rmi.ser.version | Version | Unsigned 16-bit integer
rmi.version | Version | Unsigned 16-bit integer

Java Serialization (serialization)


Table A-105. Java Serialization (serialization)
Field | Field Name | Type

Kerberos (kerberos)
Table A-106. Kerberos (kerberos)
Field | Field Name | Type

Kernel Lock Manager (klm)


Table A-107. Kernel Lock Manager (klm)
Field | Field Name | Type
klm.block | block | Boolean
klm.exclusive | exclusive | Boolean
klm.holder | holder | No value
klm.len | length | Unsigned 32-bit integer
klm.lock | lock | No value
klm.offset | offset | Unsigned 32-bit integer
klm.pid | pid | Unsigned 32-bit integer
klm.servername | server name | String
klm.stats | stats | Unsigned 32-bit integer

Label Distribution Protocol (ldp)


Table A-108. Label Distribution Protocol (ldp)
Field | Field Name | Type
ldp,msg.tlv.hello.requested | Hello Requested | Boolean
ldp.hdr.ldpid.lsid | Label Space ID | Unsigned 16-bit integer
ldp.hdr.ldpid.lsr | LSR ID | IPv4 address
ldp.hdr.pdu_len | PDU Length | Unsigned 16-bit integer
ldp.hdr.version | Version | Unsigned 16-bit integer
ldp.msg.experiment.id | Experiment ID | Unsigned 32-bit integer
ldp.msg.id | Message ID | Unsigned 32-bit integer
ldp.msg.len | Message Length | Unsigned 16-bit integer
ldp.msg.tlv.addrl.addr | Address | String
ldp.msg.tlv.addrl.addr_family | Address Family | Unsigned 16-bit integer
ldp.msg.tlv.atm.label.vbits | V-bits | Unsigned 8-bit integer
ldp.msg.tlv.atm.label.vci | VCI | Unsigned 16-bit integer
ldp.msg.tlv.atm.label.vpi | VPI | Unsigned 16-bit integer
ldp.msg.tlv.cbs | CBS | Double-precision floating point
ldp.msg.tlv.cdr | CDR | Double-precision floating point
ldp.msg.tlv.ebs | EBS | Double-precision floating point
ldp.msg.tlv.er_hop.as | AS Number | Unsigned 16-bit integer
ldp.msg.tlv.er_hop.locallspid | Local CR-LSP ID | Unsigned 16-bit integer
ldp.msg.tlv.er_hop.loose | Loose route bit | Unsigned 24-bit integer
ldp.msg.tlv.er_hop.lsrid | Local CR-LSP ID | IPv4 address
ldp.msg.tlv.er_hop.prefix4 | IPv4 Address | IPv4 address
ldp.msg.tlv.er_hop.prefix6 | IPv6 Address | IPv6 address
ldp.msg.tlv.er_hop.prefixlen | Prefix length | Unsigned 8-bit integer
ldp.msg.tlv.experiment_id | Experiment ID | Unsigned 32-bit integer
ldp.msg.tlv.extstatus.data | Extended Status Data | Unsigned 32-bit integer
ldp.msg.tlv.fec.af | FEC Element Address Type | Unsigned 16-bit integer
ldp.msg.tlv.fec.hoval | FEC Element Host Address Value | String
ldp.msg.tlv.fec.len | FEC Element Length | Unsigned 8-bit integer
ldp.msg.tlv.fec.pfval | FEC Element Prefix Value | String
ldp.msg.tlv.fec.type | FEC Element Type | Unsigned 8-bit integer
ldp.msg.tlv.fec.vc.controlword | C-bit | Boolean
ldp.msg.tlv.fec.vc.groupid | Group ID | Unsigned 32-bit integer
ldp.msg.tlv.fec.vc.infolength | VC Info Length | Unsigned 8-bit integer
ldp.msg.tlv.fec.vc.intparam.cembytes | Payload Bytes | Unsigned 16-bit integer
ldp.msg.tlv.fec.vc.intparam.desc | Description | String
ldp.msg.tlv.fec.vc.intparam.id | ID | Unsigned 8-bit integer
ldp.msg.tlv.fec.vc.intparam.length | Length | Unsigned 8-bit integer
ldp.msg.tlv.fec.vc.intparam.maxatm | Number of Cells | Unsigned 16-bit integer
ldp.msg.tlv.fec.vc.intparam.mtu | MTU | Unsigned 16-bit integer
ldp.msg.tlv.fec.vc.vcid | VC ID | Unsigned 32-bit integer
ldp.msg.tlv.fec.vc.vctype | VC Type | Unsigned 16-bit integer
ldp.msg.tlv.flags_cbs | CBS | Boolean
ldp.msg.tlv.flags_cdr | CDR | Boolean
ldp.msg.tlv.flags_ebs | EBS | Boolean
ldp.msg.tlv.flags_pbs | PBS | Boolean
ldp.msg.tlv.flags_pdr | PDR | Boolean
ldp.msg.tlv.flags_reserv | Reserved | Unsigned 8-bit integer
ldp.msg.tlv.flags_weight | Weight | Boolean
ldp.msg.tlv.fr.label.dlci | DLCI | Unsigned 24-bit integer

182

Appendix A. Ethereal Display Filter Fields

Field ldp.msg.tlv.fr.label.len ldp.msg.tlv.frequency ldp.msg.tlv.generic.label ldp.msg.tlv.hc.value

Field Name Number of DLCI bits Frequency Generic Label Hop Count Value

Type Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Boolean Unsigned 8-bit integer IPv4 address IPv6 address Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer IPv4 address Double-precision oating point Double-precision oating point IPv4 address Unsigned 32-bit integer

ldp.msg.tlv.hello.cnf_seqno Conguration Sequence Number ldp.msg.tlv.hello.hold ldp.msg.tlv.hello.res ldp.msg.tlv.hello.targeted ldp.msg.tlv.hold_prio ldp.msg.tlv.ipv4.taddr ldp.msg.tlv.ipv6.taddr ldp.msg.tlv.len ldp.msg.tlv.lspid.actg Hold Time Reserved Targeted Hello Hold Prio IPv4 Transport Address IPv6 Transport Address TLV Length Action Indicator Flag

ldp.msg.tlv.lspid.locallspid Local CR-LSP ID ldp.msg.tlv.lspid.lsrid ldp.msg.tlv.pbs ldp.msg.tlv.pdr ldp.msg.tlv.pv.lsrid Ingress LSR Router ID PBS PDR LSR Id

ldp.msg.tlv.resource_class Resource Class

ldp.msg.tlv.returned.ldpid.lsid Returned PDU Label Space Unsigned 16-bit integer ID ldp.msg.tlv.returned.ldpid.lsr Returned PDU LSR ID ldp.msg.tlv.returned.msg.id Returned Message ID IPv4 address Unsigned 32-bit integer

ldp.msg.tlv.returned.msg.len Returned Message Length Unsigned 16-bit integer ldp.msg.tlv.returned.msg.type Returned Message Type ldp.msg.tlv.returned.msg.ubit Returned Message Unknown bit ldp.msg.tlv.returned.pdu_len eturned PDU Length R ldp.msg.tlv.returned.versionReturned PDU Version Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer

183

Appendix A. Ethereal Display Filter Fields

Field ldp.msg.tlv.sess.advbit ldp.msg.tlv.sess.atm.dir ldp.msg.tlv.sess.atm.lr

Field Name Session Label Advertisement Discipline Directionality Number of ATM Label Ranges

Type Unsigned 32-bit integer Boolean Boolean Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Boolean Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 24-bit integer Unsigned 8-bit integer Unsigned 24-bit integer Unsigned 16-bit integer Boolean Unsigned 16-bit integer Unsigned 8-bit integer IPv4 address Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Boolean Boolean Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer

ldp.msg.tlv.route_pinning Route Pinning

ldp.msg.tlv.sess.atm.maxvciMaximum VCI ldp.msg.tlv.sess.atm.maxvpiMaximum VPI ldp.msg.tlv.sess.atm.merge Session ATM Merge Parameter ldp.msg.tlv.sess.atm.minvci Minimum VCI ldp.msg.tlv.sess.atm.minvpiMinimum VPI ldp.msg.tlv.sess.fr.dir ldp.msg.tlv.sess.fr.len ldp.msg.tlv.sess.fr.lr Directionality Number of DLCI bits Number of Frame Relay Label Ranges Session Frame Relay Merge Parameter Session KeepAlive Time Session Loop Detection Session Max PDU Length Session Path Vector Limit Session Receiver LSR Identier Session Protocol Version Set Prio Status Data E Bit F Bit Message ID

ldp.msg.tlv.sess.fr.maxdlci Maximum DLCI ldp.msg.tlv.sess.fr.merge

ldp.msg.tlv.sess.fr.mindlci Minimum DLCI ldp.msg.tlv.sess.ka ldp.msg.tlv.sess.ldetbit ldp.msg.tlv.sess.mxpdu ldp.msg.tlv.sess.pvlim ldp.msg.tlv.sess.rxlsr ldp.msg.tlv.sess.ver ldp.msg.tlv.set_prio ldp.msg.tlv.status.data ldp.msg.tlv.status.ebit ldp.msg.tlv.status.fbit ldp.msg.tlv.status.msg.id

ldp.msg.tlv.status.msg.type Message Type ldp.msg.tlv.type TLV Type

184

Appendix A. Ethereal Display Filter Fields

Field ldp.msg.tlv.unknown ldp.msg.tlv.value ldp.msg.tlv.vendor_id ldp.msg.tlv.weight ldp.msg.type ldp.msg.ubit ldp.msg.vendor.id ldp.req ldp.rsp ldp.tlv.lbl_req_msg_id

Field Name TLV Unknown bits TLV Value Vendor ID Weight Message Type U bit Vendor ID Request Response

Type Unsigned 8-bit integer Byte array Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Boolean Unsigned 32-bit integer Boolean Boolean

Label Request Message ID Unsigned 32-bit integer

Layer 2 Tunneling Protocol (l2tp)


Table A-109. Layer 2 Tunneling Protocol (l2tp) Field l2tp.Nr l2tp.Ns l2tp.avp.hidden l2tp.avp.length l2tp.avp.mandatory l2tp.avp.type l2tp.avp.vendor_id l2tp.length l2tp.length_bit l2tp.offset l2tp.offset_bit l2tp.priority l2tp.seq_bit l2tp.session l2tp.tie_breaker l2tp.tunnel l2tp.type l2tp.version Field Name Nr Ns Hidden Length Mandatory Type Vendor ID Length Length Bit Offset Offset bit Priority Sequence Bit Session ID Tie Breaker Tunnel ID Type Version Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Type Unsigned 16-bit integer Unsigned 16-bit integer Boolean Unsigned 16-bit integer Boolean Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Boolean Unsigned 16-bit integer Boolean Boolean Boolean Unsigned 16-bit integer


Lightweight Directory Access Protocol (ldap)


Table A-110. Lightweight Directory Access Protocol (ldap)

| Field | Field Name | Type |
|---|---|---|
| ldap.abandon.msgid | Abandon Msg Id | Unsigned 32-bit integer |
| ldap.attribute | Attribute | String |
| ldap.bind.auth_type | Auth Type | Unsigned 8-bit integer |
| ldap.bind.dn | DN | String |
| ldap.bind.password | Password | String |
| ldap.bind.version | Version | Unsigned 32-bit integer |
| ldap.compare.test | Test | String |
| ldap.dn | Distinguished Name | String |
| ldap.length | Length | Unsigned 32-bit integer |
| ldap.message_id | Message Id | Unsigned 32-bit integer |
| ldap.message_length | Message Length | Unsigned 32-bit integer |
| ldap.message_type | Message Type | Unsigned 8-bit integer |
| ldap.modify.add | Add | String |
| ldap.modify.delete | Delete | String |
| ldap.modify.replace | Replace | String |
| ldap.modrdn.delete | Delete Values | Boolean |
| ldap.modrdn.name | New Name | String |
| ldap.modrdn.superior | New Location | String |
| ldap.result.code | Result Code | Unsigned 8-bit integer |
| ldap.result.errormsg | Error Message | String |
| ldap.result.matcheddn | Matched DN | String |
| ldap.result.referral | Referral | String |
| ldap.search.basedn | Base DN | String |
| ldap.search.dereference | Dereference | Unsigned 8-bit integer |
| ldap.search.filter | Filter | String |
| ldap.search.scope | Scope | Unsigned 8-bit integer |
| ldap.search.sizelimit | Size Limit | Unsigned 32-bit integer |
| ldap.search.timelimit | Time Limit | Unsigned 32-bit integer |
| ldap.search.typesonly | Attributes Only | Boolean |
| ldap.value | Value | String |


Line Printer Daemon Protocol (lpd)


Table A-111. Line Printer Daemon Protocol (lpd)

| Field | Field Name | Type |
|---|---|---|
| lpd.request | Request | Boolean |
| lpd.response | Response | Boolean |

Link Access Procedure Balanced (LAPB) (lapb)


Table A-112. Link Access Procedure Balanced (LAPB) (lapb)

| Field | Field Name | Type |
|---|---|---|
| lapb.address | Address Field | Unsigned 8-bit integer |
| lapb.control | Control Field | Unsigned 8-bit integer |

Link Access Procedure Balanced Ethernet (LAPBETHER) (lapbether)


Table A-113. Link Access Procedure Balanced Ethernet (LAPBETHER) (lapbether)

| Field | Field Name | Type |
|---|---|---|
| lapbether.length | Length Field | Unsigned 16-bit integer |

Link Access Procedure, Channel D (LAPD) (lapd)


Table A-114. Link Access Procedure, Channel D (LAPD) (lapd)

| Field | Field Name | Type |
|---|---|---|
| lapd.address | Address Field | Unsigned 16-bit integer |
| lapd.control | Control Field | Unsigned 16-bit integer |
| lapd.cr | C/R | Unsigned 16-bit integer |
| lapd.ea1 | EA1 | Unsigned 16-bit integer |
| lapd.ea2 | EA2 | Unsigned 16-bit integer |
| lapd.sapi | SAPI | Unsigned 16-bit integer |
| lapd.tei | TEI | Unsigned 16-bit integer |


Link Aggregation Control Protocol (lacp)


Table A-115. Link Aggregation Control Protocol (lacp)

| Field | Field Name | Type |
|---|---|---|
| lacp.actorInfo | Actor Information | Unsigned 8-bit integer |
| lacp.actorInfoLen | Actor Information Length | Unsigned 8-bit integer |
| lacp.actorKey | Actor Key | Unsigned 16-bit integer |
| lacp.actorPort | Actor Port | Unsigned 16-bit integer |
| lacp.actorPortPriority | Actor Port Priority | Unsigned 16-bit integer |
| lacp.actorState | Actor State | Unsigned 8-bit integer |
| lacp.actorState.activity | LACP Activity | Boolean |
| lacp.actorState.aggregation | Aggregation | Boolean |
| lacp.actorState.collecting | Collecting | Boolean |
| lacp.actorState.defaulted | Defaulted | Boolean |
| lacp.actorState.distributing | Distributing | Boolean |
| lacp.actorState.expired | Expired | Boolean |
| lacp.actorState.synchronization | Synchronization | Boolean |
| lacp.actorState.timeout | LACP Timeout | Boolean |
| lacp.actorSysPriority | Actor System Priority | Unsigned 16-bit integer |
| lacp.actorSystem | Actor System | 6-byte Hardware (MAC) Address |
| lacp.collectorInfo | Collector Information | Unsigned 8-bit integer |
| lacp.collectorInfoLen | Collector Information Length | Unsigned 8-bit integer |
| lacp.collectorMaxDelay | Collector Max Delay | Unsigned 16-bit integer |
| lacp.partnerInfo | Partner Information | Unsigned 8-bit integer |
| lacp.partnerInfoLen | Partner Information Length | Unsigned 8-bit integer |
| lacp.partnerKey | Partner Key | Unsigned 16-bit integer |
| lacp.partnerPort | Partner Port | Unsigned 16-bit integer |
| lacp.partnerPortPriority | Partner Port Priority | Unsigned 16-bit integer |
| lacp.partnerState | Partner State | Unsigned 8-bit integer |
| lacp.partnerState.activity | LACP Activity | Boolean |
| lacp.partnerState.aggregation | Aggregation | Boolean |
| lacp.partnerState.collecting | Collecting | Boolean |
| lacp.partnerState.defaulted | Defaulted | Boolean |
| lacp.partnerState.distributing | Distributing | Boolean |
| lacp.partnerState.expired | Expired | Boolean |
| lacp.partnerState.synchronization | Synchronization | Boolean |
| lacp.partnerState.timeout | LACP Timeout | Boolean |
| lacp.partnerSysPriority | Partner System Priority | Unsigned 16-bit integer |
| lacp.partnerSystem | Partner System | 6-byte Hardware (MAC) Address |
| lacp.reserved | Reserved | Byte array |
| lacp.subtype | Subtype | Unsigned 8-bit integer |
| lacp.termInfo | Terminator Information | Unsigned 8-bit integer |
| lacp.termLen | Terminator Length | Unsigned 8-bit integer |
| lacp.version | LACP Version Number | Unsigned 8-bit integer |

Link Management Protocol (LMP) (lmp)


Table A-116. Link Management Protocol (LMP) (lmp)

| Field | Field Name | Type |
|---|---|---|
| lmp.begin_verify.all_links | Verify All Links | Boolean |
| lmp.begin_verify.enctype | Encoding Type | Unsigned 8-bit integer |
| lmp.begin_verify.flags | Flags | Unsigned 16-bit integer |
| lmp.begin_verify.link_type | Data Link Type | Boolean |
| lmp.data_link.link_verify | Data-Link is Allocated | Boolean |
| lmp.data_link.local_ipv4 | Data-Link Local ID - IPv4 | IPv4 address |
| lmp.data_link.local_unnum | Data-Link Local ID Unnumbered | Unsigned 32-bit integer |
| lmp.data_link.port | Data-Link is Individual Port | Boolean |
| lmp.data_link.remote_ipv4 | Data-Link Remote ID IPv4 | IPv4 address |
| lmp.data_link.remote_unnum | Data-Link Remote ID Unnumbered | Unsigned 32-bit integer |
| lmp.data_link_encoding | LSP Encoding Type | Unsigned 8-bit integer |
| lmp.data_link_flags | Data-Link Flags | Unsigned 8-bit integer |
| lmp.data_link_subobj | Subobject | No value |
| lmp.data_link_switching | Interface Switching Capability | Unsigned 8-bit integer |
| lmp.error | Error Code | Unsigned 32-bit integer |
| lmp.error.config_bad_ccid | Config - Bad CC ID | Boolean |
| lmp.error.config_bad_params | Config - Unacceptable non-negotiable parameters | Boolean |
| lmp.error.config_renegotiate | Config - Renegotiate Parametere | Boolean |
| lmp.error.summary_bad_data_link | Summary - Bad Data Link Object | Boolean |
| lmp.error.summary_bad_params | Summary - Unacceptable non-negotiable parameters | Boolean |
| lmp.error.summary_bad_remote_linkid | Summary - Bad Remote Link ID | Boolean |
| lmp.error.summary_bad_te_link | Summary - Bad TE Link Object | Boolean |
| lmp.error.summary_renegotiate | Summary - Renegotiate Parametere | Boolean |
| lmp.error.verify_te_link_id | Verification - TE Link ID Configuration Error | Boolean |
| lmp.error.verify_unsupported_link | Verification - Unsupported for this TE-Link | Boolean |
| lmp.error.verify_unsupported_transport | Verification - Transport Unsupported | Boolean |
| lmp.error.verify_unwilling | Verification - Unwilling to Verify at this time | Boolean |
| lmp.hdr.auth | Authentication | Boolean |
| lmp.hdr.ccdown | ControlChannelDown | Boolean |
| lmp.hdr.dwdm | DWDM Node | Boolean |
| lmp.hdr.flags | LMP Header - Flags | Unsigned 8-bit integer |
| lmp.hdr.reboot | Reboot | Boolean |
| lmp.hellodeadinterval | HelloDeadInterval | Unsigned 32-bit integer |
| lmp.hellointerval | HelloInterval | Unsigned 32-bit integer |
| lmp.local_ccid | Local CCID Value | Unsigned 32-bit integer |
| lmp.local_interfaceid_ipv4 | Local Interface ID - IPv4 | IPv4 address |
| lmp.local_interfaceid_unnum | Local Interface ID Unnumbered | Unsigned 32-bit integer |
| lmp.local_linkid_ipv4 | Local Link ID - IPv4 | IPv4 address |
| lmp.local_linkid_unnum | Local Link ID Unnumbered | Unsigned 32-bit integer |
| lmp.local_nodeid | Local Node ID Value | IPv4 address |
| lmp.messageid | Message-ID Value | Unsigned 32-bit integer |
| lmp.messageid_ack | Message-ID Ack Value | Unsigned 32-bit integer |
| lmp.msg | Message Type | Unsigned 8-bit integer |
| lmp.msg.beginverify | BeginVerify Message | Boolean |
| lmp.msg.beginverifyack | BeginVerifyAck Message | Boolean |
| lmp.msg.beginverifynack | BeginVerifyNack Message | Boolean |
| lmp.msg.channelfail | ChannelFail Message | Boolean |
| lmp.msg.channelfailack | ChannelFailAck Message | Boolean |
| lmp.msg.channelfailnack | ChannelFailNack Message | Boolean |
| lmp.msg.channelstatus | ChannelStatus Message | Boolean |
| lmp.msg.channelstatusack | ChannelStatusAck Message | Boolean |
| lmp.msg.channelstatusrequest | ChannelStatusRequest Message | Boolean |
| lmp.msg.channelstatusresponse | ChannelStatusResponse Message | Boolean |
| lmp.msg.config | Config Message | Boolean |
| lmp.msg.configack | ConfigAck Message | Boolean |
| lmp.msg.confignack | ConfigNack Message | Boolean |
| lmp.msg.endverify | EndVerify Message | Boolean |
| lmp.msg.hello | HELLO Message | Boolean |
| lmp.msg.linksummary | LinkSummary Message | Boolean |
| lmp.msg.linksummaryack | LinkSummaryAck Message | Boolean |
| lmp.msg.linksummarynack | LinkSummaryNack Message | Boolean |
| lmp.msg.test | Test Message | Boolean |
| lmp.msg.teststatusack | TestStatusAck Message | Boolean |
| lmp.msg.teststatusfailure | TestStatusFailure Message | Boolean |
| lmp.msg.teststatussuccess | TestStatusSuccess Message | Boolean |
| lmp.obj.begin_verify | BEGIN_VERIFY | No value |
| lmp.obj.begin_verify_ack | BEGIN_VERIFY_ACK | No value |
| lmp.obj.channel_status | CHANNEL_STATUS | No value |
| lmp.obj.channel_status_request | CHANNEL_STATUS_REQUEST | No value |
| lmp.obj.config | CONFIG | No value |
| lmp.obj.ctype | Object C-Type | Unsigned 8-bit integer |
| lmp.obj.data_link | DATA_LINK | No value |
| lmp.obj.error | ERROR | No value |
| lmp.obj.hello | HELLO | No value |
| lmp.obj.local_ccid | LOCAL_CCID | No value |
| lmp.obj.local_interfaceid | LOCAL_INTERFACE_ID | No value |
| lmp.obj.local_linkid | LOCAL_LINK_ID | No value |
| lmp.obj.local_nodeid | LOCAL_NODE_ID | No value |
| lmp.obj.messageid | MESSAGE_ID | No value |
| lmp.obj.messageid_ack | MESSAGE_ID_ACK | No value |
| lmp.obj.remote_ccid | REMOTE_CCID | No value |
| lmp.obj.remote_interfaceid | REMOTE_INTERFACE_ID | No value |
| lmp.obj.remote_linkid | REMOTE_LINK_ID | No value |
| lmp.obj.remote_nodeid | REMOTE_NODE_ID | No value |
| lmp.obj.te_link | TE_LINK | No value |
| lmp.obj.verifyid | VERIFY_ID | No value |
| lmp.object | LOCAL_CCID | Unsigned 8-bit integer |
| lmp.remote_ccid | Remote CCID Value | Unsigned 32-bit integer |
| lmp.remote_interfaceid_ipv4 | Remote Interface ID - IPv4 | IPv4 address |
| lmp.remote_interfaceid_unnum | Remote Interface ID Unnumbered | Unsigned 32-bit integer |
| lmp.remote_linkid_ipv4 | Remote Link ID - IPv4 | Unsigned 32-bit integer |
| lmp.remote_linkid_unnum | Remote Link ID Unnumbered | Unsigned 32-bit integer |
| lmp.remote_nodeid | Remote Node ID Value | IPv4 address |
| lmp.rxseqnum | RxSeqNum | Unsigned 32-bit integer |
| lmp.te_link.fault_mgmt | Fault Management Supported | Boolean |
| lmp.te_link.link_verify | Link Verification Supported | Boolean |
| lmp.te_link.local_ipv4 | TE-Link Local ID - IPv4 | IPv4 address |
| lmp.te_link.local_unnum | TE-Link Local ID Unnumbered | Unsigned 32-bit integer |
| lmp.te_link.remote_ipv4 | TE-Link Remote ID - IPv4 | IPv4 address |
| lmp.te_link.remote_unnum | TE-Link Remote ID Unnumbered | Unsigned 32-bit integer |
| lmp.te_link_flags | TE-Link Flags | Unsigned 8-bit integer |
| lmp.txseqnum | TxSeqNum | Unsigned 32-bit integer |
| lmp.verifyid | Verify-ID | Unsigned 32-bit integer |

Linux cooked-mode capture (sll)


Table A-117. Linux cooked-mode capture (sll)

| Field | Field Name | Type |
|---|---|---|
| sll.etype | Protocol | Unsigned 16-bit integer |
| sll.halen | Link-layer address length | Unsigned 16-bit integer |
| sll.hatype | Link-layer address type | Unsigned 16-bit integer |
| sll.ltype | Protocol | Unsigned 16-bit integer |
| sll.pkttype | Packet type | Unsigned 16-bit integer |
| sll.src.eth | Source | 6-byte Hardware (MAC) Address |
| sll.src.other | Source | Byte array |
| sll.trailer | Trailer | Byte array |

Local Management Interface (lmi)


Table A-118. Local Management Interface (lmi)

| Field | Field Name | Type |
|---|---|---|
| lmi.cmd | Call reference | Unsigned 8-bit integer |
| lmi.dlci_act | DLCI Active | Unsigned 8-bit integer |
| lmi.dlci_hi | DLCI High | Unsigned 8-bit integer |
| lmi.dlci_low | DLCI Low | Unsigned 8-bit integer |
| lmi.dlci_new | DLCI New | Unsigned 8-bit integer |
| lmi.ele_rcd_type | Record Type | Unsigned 8-bit integer |
| lmi.inf_ele | Information Element | Unsigned 8-bit integer |
| lmi.inf_ele_len | Length | Unsigned 8-bit integer |
| lmi.inf_ele_type | Type | Unsigned 8-bit integer |
| lmi.msg_type | Message Type | Unsigned 8-bit integer |
| lmi.recv_seq | Recv Seq | Unsigned 8-bit integer |
| lmi.send_seq | Send Seq | Unsigned 8-bit integer |

LocalTalk Link Access Protocol (llap)


Table A-119. LocalTalk Link Access Protocol (llap)

| Field | Field Name | Type |
|---|---|---|
| llap.dst | Destination Node | Unsigned 8-bit integer |
| llap.src | Source Node | Unsigned 8-bit integer |
| llap.type | Type | Unsigned 8-bit integer |

Logical-Link Control (llc)


Table A-120. Logical-Link Control (llc)

| Field | Field Name | Type |
|---|---|---|
| llc.control | Control | Unsigned 16-bit integer |
| llc.dsap | DSAP | Unsigned 8-bit integer |
| llc.dsap.ig | IG Bit | Boolean |
| llc.oui | Organization Code | Unsigned 24-bit integer |
| llc.pid | Protocol ID | Unsigned 16-bit integer |
| llc.ssap | SSAP | Unsigned 8-bit integer |
| llc.ssap.cr | CR Bit | Boolean |
| llc.type | Type | Unsigned 16-bit integer |

Lucent/Ascend debug output (ascend)


Table A-121. Lucent/Ascend debug output (ascend)

| Field | Field Name | Type |
|---|---|---|
| ascend.chunk | WDD Chunk | Unsigned 32-bit integer |
| ascend.number | Called number | String |
| ascend.sess | Session ID | Unsigned 32-bit integer |
| ascend.task | Task | Unsigned 32-bit integer |
| ascend.type | Link type | Unsigned 32-bit integer |
| ascend.user | User name | String |

MMS Message Encapsulation (mmse)


Table A-122. MMS Message Encapsulation (mmse)

| Field | Field Name | Type |
|---|---|---|
| mmse.bcc | Bcc | String |
| mmse.cc | Cc | String |
| mmse.content_location | Content-Location | String |
| mmse.content_type | Data | No value |
| mmse.date | Date | Date/Time stamp |
| mmse.delivery_report | Delivery-Report | Unsigned 8-bit integer |
| mmse.delivery_time.abs | Delivery-Time | Date/Time stamp |
| mmse.delivery_time.rel | Delivery-Time | Time duration |
| mmse.expiry.abs | Expiry | Date/Time stamp |
| mmse.expiry.rel | Expiry | Time duration |
| mmse.ffheader | Free format (not encoded) header | String |
| mmse.from | From | String |
| mmse.message_class.id | Message-Class | Unsigned 8-bit integer |
| mmse.message_class.str | Message-Class | String |
| mmse.message_id | Message-Id | String |
| mmse.message_size | Message-Size | Unsigned 32-bit integer |
| mmse.message_type | Message-Type | Unsigned 8-bit integer |
| mmse.mms_version | MMS-Version | String |
| mmse.priority | Priority | Unsigned 8-bit integer |
| mmse.read_reply | Read-Reply | Unsigned 8-bit integer |
| mmse.report_allowed | Report-Allowed | Unsigned 8-bit integer |
| mmse.response_status | Response-Status | Unsigned 8-bit integer |
| mmse.response_text | Response-Text | String |
| mmse.sender_visibility | Sender-Visibility | Unsigned 8-bit integer |
| mmse.status | Status | Unsigned 8-bit integer |
| mmse.subject | Subject | String |
| mmse.to | To | String |
| mmse.transaction_id | Transaction-ID | String |

MS Proxy Protocol (msproxy)


Table A-123. MS Proxy Protocol (msproxy)

| Field | Field Name | Type |
|---|---|---|
| msproxy.bindaddr | Destination | IPv4 address |
| msproxy.bindid | Bound Port Id | Unsigned 32-bit integer |
| msproxy.bindport | Bind Port | Unsigned 16-bit integer |
| msproxy.boundport | Bound Port | Unsigned 16-bit integer |
| msproxy.clntport | Client Port | Unsigned 16-bit integer |
| msproxy.command | Command | Unsigned 16-bit integer |
| msproxy.dstaddr | Destination Address | IPv4 address |
| msproxy.dstport | Destination Port | Unsigned 16-bit integer |
| msproxy.resolvaddr | Address | IPv4 address |
| msproxy.server_ext_addr | Server External Address | IPv4 address |
| msproxy.server_ext_port | Server External Port | Unsigned 16-bit integer |
| msproxy.server_int_addr | Server Internal Address | IPv4 address |
| msproxy.server_int_port | Server Internal Port | Unsigned 16-bit integer |
| msproxy.serveraddr | Server Address | IPv4 address |
| msproxy.serverport | Server Port | Unsigned 16-bit integer |
| msproxy.srcport | Source Port | Unsigned 16-bit integer |

MSNIP: Multicast Source Notification of Interest Protocol (msnip)


Table A-124. MSNIP: Multicast Source Notification of Interest Protocol (msnip)

| Field | Field Name | Type |
|---|---|---|
| msnip.checksum | Checksum | Unsigned 16-bit integer |
| msnip.checksum_bad | Bad Checksum | Boolean |
| msnip.count | Count | Unsigned 8-bit integer |
| msnip.genid | Generation ID | Unsigned 16-bit integer |
| msnip.groups | Groups | No value |
| msnip.holdtime | Holdtime | Unsigned 32-bit integer |
| msnip.holdtime16 | Holdtime | Unsigned 16-bit integer |
| msnip.maddr | Multicast group | IPv4 address |
| msnip.netmask | Netmask | Unsigned 8-bit integer |
| msnip.rec_type | Record Type | Unsigned 8-bit integer |
| msnip.type | Type | Unsigned 8-bit integer |

MTP 2 Transparent Proxy (m2tp)


Table A-125. MTP 2 Transparent Proxy (m2tp)

| Field | Field Name | Type |
|---|---|---|
| m2tp.diagnostic_info | Diagnostic information | Byte array |
| m2tp.error_code | Error code | Unsigned 32-bit integer |
| m2tp.heartbeat_data | Heartbeat data | Byte array |
| m2tp.info_string | Info string | String |
| m2tp.interface_identifier | Interface Identifier | Unsigned 32-bit integer |
| m2tp.master_slave | Master Slave Indicator | Unsigned 32-bit integer |
| m2tp.message_class | Message class | Unsigned 8-bit integer |
| m2tp.message_length | Message length | Unsigned 32-bit integer |
| m2tp.message_type | Message Type | Unsigned 8-bit integer |
| m2tp.parameter_length | Parameter length | Unsigned 16-bit integer |
| m2tp.parameter_padding | Padding | Byte array |
| m2tp.parameter_tag | Parameter Tag | Unsigned 16-bit integer |
| m2tp.parameter_value | Parameter Value | Byte array |
| m2tp.reason | Reason | Unsigned 32-bit integer |
| m2tp.reserved | Reserved | Unsigned 8-bit integer |
| m2tp.user_identifier | M2tp User Identifier | Unsigned 32-bit integer |
| m2tp.version | Version | Unsigned 8-bit integer |

MTP 2 User Adaptation Layer (m2ua)


Table A-126. MTP 2 User Adaptation Layer (m2ua)

| Field | Field Name | Type |
|---|---|---|
| m2ua.action | Actions | Unsigned 32-bit integer |
| m2ua.asp_identifier | ASP identifier | Unsigned 32-bit integer |
| m2ua.congestion_status | Congestion status | Unsigned 32-bit integer |
| m2ua.correlation identifier | Correlation identifier | Unsigned 32-bit integer |
| m2ua.data_2_li | Length indicator | Unsigned 8-bit integer |
| m2ua.deregistration_status | Deregistration status | Unsigned 32-bit integer |
| m2ua.diagnostic_information | Diagnostic information | Byte array |
| m2ua.discard_status | Discard status | Unsigned 32-bit integer |
| m2ua.error_code | Error code | Unsigned 32-bit integer |
| m2ua.event | Event | Unsigned 32-bit integer |
| m2ua.heartbeat_data | Heartbeat data | Byte array |
| m2ua.info_string | Info string | String |
| m2ua.interface_identifier_int | Interface Identifier (integer) | Unsigned 32-bit integer |
| m2ua.interface_identifier_start | Interface Identifier (start) | Unsigned 32-bit integer |
| m2ua.interface_identifier_stop | Interface Identifier (stop) | Unsigned 32-bit integer |
| m2ua.interface_identifier_text | Interface identifier (text) | String |
| m2ua.local_lk_identifier | Local LK identifier | Unsigned 32-bit integer |
| m2ua.message_class | Message class | Unsigned 8-bit integer |
| m2ua.message_length | Message length | Unsigned 32-bit integer |
| m2ua.message_type | Message Type | Unsigned 8-bit integer |
| m2ua.parameter_length | Parameter length | Unsigned 16-bit integer |
| m2ua.parameter_padding | Padding | Byte array |
| m2ua.parameter_tag | Parameter Tag | Unsigned 16-bit integer |
| m2ua.parameter_value | Parameter value | Byte array |
| m2ua.registration_status | Registration status | Unsigned 32-bit integer |
| m2ua.reserved | Reserved | Unsigned 8-bit integer |
| m2ua.retrieval_result | Retrieval result | Unsigned 32-bit integer |
| m2ua.sdl_identifier | SDL identifier | Unsigned 16-bit integer |
| m2ua.sdl_reserved | Reserved | Unsigned 16-bit integer |
| m2ua.sdt_identifier | SDT identifier | Unsigned 16-bit integer |
| m2ua.sdt_reserved | Reserved | Unsigned 16-bit integer |
| m2ua.sequence_number | Sequence number | Unsigned 32-bit integer |
| m2ua.state | State | Unsigned 32-bit integer |
| m2ua.status_info | Status info | Unsigned 16-bit integer |
| m2ua.status_type | Status type | Unsigned 16-bit integer |
| m2ua.traffic_mode_type | Traffic mode Type | Unsigned 32-bit integer |
| m2ua.version | Version | Unsigned 8-bit integer |

MTP 3 User Adaptation Layer (m3ua)


Table A-127. MTP 3 User Adaptation Layer (m3ua)

| Field | Field Name | Type |
|---|---|---|
| m3ua.affected_point_code_mask | Mask | Unsigned 8-bit integer |
| m3ua.affected_point_code_pc | Affected point code | Unsigned 24-bit integer |
| m3ua.asp_identifier | ASP identifier | Unsigned 32-bit integer |
| m3ua.cic_range_lower | Lower CIC value | Unsigned 16-bit integer |
| m3ua.cic_range_mask | Mask | Unsigned 8-bit integer |
| m3ua.cic_range_pc | Originating point code | Unsigned 24-bit integer |
| m3ua.cic_range_upper | Upper CIC value | Unsigned 16-bit integer |
| m3ua.concerned_dpc | Concerned DPC | Unsigned 24-bit integer |
| m3ua.concerned_reserved | Reserved | Byte array |
| m3ua.congestion_level | Congestion level | Unsigned 8-bit integer |
| m3ua.congestion_reserved | Reserved | Byte array |
| m3ua.correlation_identifier | Correlation Identifier | Unsigned 32-bit integer |
| m3ua.deregistration_result_routing_context | Routing context | Unsigned 32-bit integer |
| m3ua.deregistration_results_status | De-Registration status | Unsigned 32-bit integer |
| m3ua.deregistration_status | Deregistration status | Unsigned 32-bit integer |
| m3ua.diagnostic_information | Diagnostic information | Byte array |
| m3ua.dpc_mask | Mask | Unsigned 8-bit integer |
| m3ua.dpc_pc | Destination point code | Unsigned 24-bit integer |
| m3ua.error_code | Error code | Unsigned 32-bit integer |
| m3ua.heartbeat_data | Heartbeat data | Byte array |
| m3ua.info_string | Info string | String |
| m3ua.local_rk_identifier | Local routing key identifier | Unsigned 32-bit integer |
| m3ua.message_class | Message class | Unsigned 8-bit integer |
| m3ua.message_length | Message length | Unsigned 32-bit integer |
| m3ua.message_type | Message Type | Unsigned 8-bit integer |
| m3ua.network_appearance | Network appearance | Unsigned 32-bit integer |
| m3ua.opc_list_mask | Mask | Unsigned 8-bit integer |
| m3ua.opc_list_pc | Originating point code | Unsigned 24-bit integer |
| m3ua.parameter_length | Parameter length | Unsigned 16-bit integer |
| m3ua.parameter_padding | Padding | Byte array |
| m3ua.parameter_tag | Parameter Tag | Unsigned 16-bit integer |
| m3ua.parameter_value | Parameter value | Byte array |
| m3ua.protocol_data_2_li | Length indicator | Unsigned 8-bit integer |
| m3ua.protocol_data_dpc | DPC | Unsigned 32-bit integer |
| m3ua.protocol_data_mp | MP | Unsigned 8-bit integer |
| m3ua.protocol_data_ni | NI | Unsigned 8-bit integer |
| m3ua.protocol_data_opc | OPC | Unsigned 32-bit integer |
| m3ua.protocol_data_si | SI | Unsigned 8-bit integer |
| m3ua.protocol_data_sls | SLS | Unsigned 8-bit integer |
| m3ua.registration_result_identifier | Local RK-identifier value | Unsigned 32-bit integer |
| m3ua.registration_result_routing_context | Routing context | Unsigned 32-bit integer |
| m3ua.registration_results_status | Registration status | Unsigned 32-bit integer |
| m3ua.registration_status | Registration status | Unsigned 32-bit integer |
| m3ua.reserved | Reserved | Unsigned 8-bit integer |
| m3ua.routing_context | Routing context | Unsigned 32-bit integer |
| m3ua.status_info | Status info | Unsigned 16-bit integer |
| m3ua.status_type | Status type | Unsigned 16-bit integer |
| m3ua.traffic_mode_type | Traffic mode Type | Unsigned 32-bit integer |
| m3ua.unavailability_cause | Unavailability cause | Unsigned 16-bit integer |
| m3ua.user_identity | User Identity | Unsigned 16-bit integer |
| m3ua.version | Version | Unsigned 8-bit integer |
| m3ua_reason | Reason | Unsigned 32-bit integer |
| m3ua_si | Service indicator | Unsigned 8-bit integer |
| m3ua_ssn | Subsystem number | Unsigned 8-bit integer |

MTP2 Peer Adaptation Layer (m2pa)


Table A-128. MTP2 Peer Adaptation Layer (m2pa)

| Field | Field Name | Type |
|---|---|---|
| m2pa.bsn | BSN | Unsigned 16-bit integer |
| m2pa.class | Message Class | Unsigned 8-bit integer |
| m2pa.filler | Filler | Byte array |
| m2pa.fsn | FSN | Unsigned 16-bit integer |
| m2pa.length | Message length | Unsigned 32-bit integer |
| m2pa.li_priority | Priority | Unsigned 8-bit integer |
| m2pa.li_spare | Spare | Unsigned 8-bit integer |
| m2pa.spare | Spare | Unsigned 8-bit integer |
| m2pa.status | Link Status Status | Unsigned 32-bit integer |
| m2pa.type | Message Type | Unsigned 8-bit integer |
| m2pa.unknown_data | Unknown Data | Byte array |
| m2pa.version | Version | Unsigned 8-bit integer |

Malformed Packet (malformed)


Table A-129. Malformed Packet (malformed)

| Field | Field Name | Type |
|---|---|---|

Message Transfer Part Level 2 (mtp2)


Table A-130. Message Transfer Part Level 2 (mtp2)

| Field | Field Name | Type |
|---|---|---|
| mtp2.bib | Backward indicator bit | Unsigned 8-bit integer |
| mtp2.bsn | Backward sequence number | Unsigned 8-bit integer |
| mtp2.fib | Forward indicator bit | Unsigned 8-bit integer |
| mtp2.fsn | Forward sequence number | Unsigned 8-bit integer |
| mtp2.li | Length Indicator | Unsigned 8-bit integer |
| mtp2.long_sf | Status field | Unsigned 16-bit integer |
| mtp2.sf | Status field | Unsigned 8-bit integer |
| mtp2.spare | Spare | Unsigned 8-bit integer |

Message Transfer Part Level 3 (mtp3)


Table A-131. Message Transfer Part Level 3 (mtp3)

| Field | Field Name | Type |
|---|---|---|
| mtp3.dpc | DPC | Unsigned 32-bit integer |
| mtp3.dpc.cluster | DPC Cluster | Unsigned 24-bit integer |
| mtp3.dpc.member | DPC Member | Unsigned 24-bit integer |
| mtp3.dpc.network | DPC Network | Unsigned 24-bit integer |
| mtp3.network_indicator | Network indicator | Unsigned 8-bit integer |
| mtp3.opc | OPC | Unsigned 32-bit integer |
| mtp3.opc.cluster | OPC Cluster | Unsigned 24-bit integer |
| mtp3.opc.member | OPC Member | Unsigned 24-bit integer |
| mtp3.opc.network | OPC Network | Unsigned 24-bit integer |
| mtp3.priority | Priority | Unsigned 8-bit integer |
| mtp3.service_indicator | Service indicator | Unsigned 8-bit integer |
| mtp3.sls | Signalling Link Selector | Unsigned 32-bit integer |
| mtp3.spare | Spare | Unsigned 8-bit integer |

Microsoft Distributed File System (dfs)


Table A-132. Microsoft Distributed File System (dfs)

| Field | Field Name | Type |
|---|---|---|
| dfs.opnum | Operation | Unsigned 16-bit integer |


Microsoft Exchange MAPI (mapi)


Table A-133. Microsoft Exchange MAPI (mapi)

Field                       Field Name              Type
mapi.decrypted.data         Decrypted data          Byte array
mapi.decrypted.data.len     Length                  Unsigned 32-bit integer
mapi.decrypted.data.maxlen  Max Length              Unsigned 32-bit integer
mapi.decrypted.data.offset  Offset                  Unsigned 32-bit integer
mapi.encap_len              Length                  Unsigned 16-bit integer
mapi.hnd                    Context Handle          Byte array
mapi.pdu.extra_trailer      unknown                 Byte array
mapi.pdu.len                Length                  Unsigned 16-bit integer
mapi.pdu.trailer            Trailer                 Unsigned 32-bit integer
mapi.rc                     Return code             Unsigned 32-bit integer
mapi.unknown_data           unknown encrypted data  Byte array
mapi.unknown_short          Unknown short           Unsigned 16-bit integer
mapi.unknown_string         Unknown string          String

Microsoft Local Security Architecture (lsa)


Table A-134. Microsoft Local Security Architecture (lsa) Field lsa.access_mask lsa.acct lsa.attr lsa.auth.blob lsa.auth.len lsa.auth.type lsa.auth.update lsa.controller lsa.count lsa.cur.mtime lsa.domain lsa.flat_name Field Name Access Mask Account Attr Auth blob Auth Len Auth Type Update Controller Count Current MTime Domain Flat Name String Unsigned 32-bit integer Date/Time stamp String String Byte array Unsigned 32-bit integer Unsigned 32-bit integer Type Unsigned 32-bit integer String


Field lsa.forest lsa.hnd lsa.index lsa.info.level lsa.info_type lsa.key lsa.max_count lsa.mod.mtime lsa.mod.seq_no lsa.name lsa.new_pwd lsa.num_mapped lsa.obj_attr lsa.obj_attr.len lsa.obj_attr.name lsa.old.mtime lsa.old_pwd lsa.opnum lsa.paei.enabled lsa.paei.settings lsa.pali.log_size lsa.pali.percent_full lsa.pali.retention_period

Field Name Forest Context Handle Index Level Info Type Key Max Count MTime Seq No Name New Password Num Mapped Attributes Length Name Old MTime Old Password Operation Enabled Settings Log Size Percent Full Retention Period

Type String Byte array Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Date/Time stamp String Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Date/Time stamp Byte array Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Time duration Unsigned 8-bit integer Time duration Unsigned 16-bit integer String Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

lsa.pali.next_audit_record Next Audit Record

lsa.pali.shutdown_in_progress Shutdown in progress lsa.pali.time_to_shutdown Time to shutdown lsa.policy.info lsa.privilege.name lsa.qos.effective_only lsa.qos.imp_lev lsa.qos.len lsa.qos.track_ctx lsa.quota.max_wss lsa.quota.min_wss Info Class Name Effective only Impersonation level Length Context Tracking Max WSS Min WSS

lsa.quota.non_paged_pool Non Paged Pool


Field lsa.quota.paged_pool lsa.quota.pagefile lsa.rc lsa.remove_all lsa.resume_handle lsa.rid lsa.rid.offset lsa.rights lsa.sd_size lsa.secret lsa.server lsa.server_role lsa.sid_type lsa.size lsa.size_needed lsa.source lsa.trust.attr lsa.trust.attr.non_trans lsa.trust.attr.tree_parent lsa.trust.attr.tree_root lsa.trust.attr.uplevel_only lsa.trust.direction lsa.trust.type lsa.trusted.info_level lsa.unknown.char lsa.unknown.hyper lsa.unknown.long lsa.unknown.short lsa.unknown_string nt.luid.high nt.luid.low

Field Name Paged Pool Pagefile Return code Remove All Resume Handle RID RID Offset Rights Size LSA Secret Server Role SID Type Size Size Needed Source Trust Attr Non Transitive Tree Parent Tree Root Upleve only Trust Direction Trust Type Info Level Unknown char Unknown hyper Unknown long Unknown short Unknown string High Low

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Byte array String Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String Unsigned 32-bit integer Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer


Microsoft Network Logon (rpc_netlogon)


Table A-135. Microsoft Network Logon (rpc_netlogon) Field netlogon.acct.expiry_time netlogon.acct_desc netlogon.acct_name netlogon.alias_name netlogon.alias_rid netlogon.attrs Field Name Acct Expiry Time Acct Desc Acct Name Alias Name Alias RID Attributes Type Date/Time stamp String String String Unsigned 32-bit integer Unsigned 32-bit integer Time duration Unsigned 8-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Byte array Unsigned 32-bit integer Byte array Unsigned 32-bit integer Byte array Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Byte array Date/Time stamp String String Unsigned 32-bit integer Unsigned 16-bit integer String String

netlogon.audit_retention_period Audit Retention Period netlogon.auditing_mode netlogon.auth.data netlogon.auth.size netlogon.auth_flags netlogon.authoritative netlogon.bad_pw_count netlogon.blob netlogon.blob.size netlogon.challenge netlogon.change_log_size Auditing Mode Auth Data Auth Size Auth Flags Authoritative Bad PW Count BLOB Size Challenge Change Log Entry Size

netlogon.bad_pw_count16 Bad PW Count

netlogon.cipher_current_data Cipher Current Data netlogon.cipher_current_set_time Cipher Current Set Time netlogon.cipher_len netlogon.cipher_maxlen netlogon.cipher_old_data Cipher Len Cipher Max Len Cipher Old Data

netlogon.cipher_old_set_time Cipher Old Set Time netlogon.client.name netlogon.client.site_name netlogon.code netlogon.codepage netlogon.comment netlogon.computer_name Client Name Client Site Name Code Codepage Comment Computer Name


Field netlogon.count netlogon.country netlogon.credential netlogon.database_id netlogon.db_create_time netlogon.dc.address netlogon.dc.address_type netlogon.dc.name netlogon.dc.site_name netlogon.delta_type netlogon.dir_drive netlogon.dns_host netlogon.domain

Field Name Count Country Credential Database Id DB Create Time DC Address DC Address Type DC Name DC Site Name Delta Type Dir Drive DNS Host Domain

Type Unsigned 32-bit integer Unsigned 16-bit integer Byte array Unsigned 32-bit integer Date/Time stamp Date/Time stamp String Unsigned 32-bit integer String String Unsigned 16-bit integer String String String String Date/Time stamp Date/Time stamp String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String String Unsigned 32-bit integer String String Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Byte array

netlogon.db_modify_time DB Modify Time

netlogon.dns.forest_name DNS Forest Name

netlogon.domain_create_time Domain Create Time netlogon.domain_modify_time Domain Modify Time netlogon.dummy netlogon.entries Dummy Entries

netlogon.event_audit_option Event Audit Option netlogon.flags netlogon.full_name netlogon.group_desc netlogon.group_name netlogon.group_rid netlogon.handle netlogon.home_dir netlogon.kickoff_time netlogon.last_logoff netlogon.last_logon netlogon.len netlogon.level netlogon.level16 netlogon.lm_chal_resp Flags Full Name Group Desc Group Name Group RID Handle Home Dir Kickoff Time Last Logoff Last Logon Len Level Level LM Chal resp


Field netlogon.lm_owf_pwd

Field Name LM Pwd

Type Byte array Byte array Unsigned 8-bit integer Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer

netlogon.lm_owf_pwd.encrypted Encrypted LM Pwd netlogon.lm_pwd_present LM PWD Present netlogon.logoff_time netlogon.logon_attempts netlogon.logon_count netlogon.logon_count16 netlogon.logon_id netlogon.logon_script netlogon.logon_time Logoff Time Logon Attempts Logon Count Logon Count Logon ID Logon Script Logon Time

netlogon.max_audit_event_count Max Audit Event Count netlogon.max_log_size netlogon.max_size Max Log Size Max Size

netlogon.max_working_set_size Max Working Set Size netlogon.min_passwd_len Min Password Len netlogon.min_working_set_size Min Working Set Size netlogon.modify_count netlogon.neg_flags netlogon.next_reference Modify Count Neg Flags Next Reference

Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Byte array Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer String Unsigned 16-bit integer Byte array

netlogon.nonpaged_pool_limit Non-Paged Pool Limit netlogon.nt_chal_resp netlogon.nt_owf_pwd netlogon.nt_pwd_present netlogon.num_dc netlogon.num_deltas NT Chal resp NT Pwd NT PWD Present Num DCs Num Deltas

netlogon.num_other_groups Num Other Groups netlogon.num_pwd_pairs Num PWD Pairs netlogon.num_rids netlogon.oem_info netlogon.opnum netlogon.pac.data Num RIDs OEM Info Operation Pac Data


Field netlogon.pac.size netlogon.page_file_limit

Field Name Pac Size Page File Limit

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 16-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String Date/Time stamp Unsigned 8-bit integer Date/Time stamp Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Byte array Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String

netlogon.paged_pool_limit Paged Pool Limit netlogon.param_ctrl netlogon.parameters Param Ctrl Parameters

netlogon.passwd_history_len Passwd History Len netlogon.pdc_connection_status PDC Connection Status netlogon.principal netlogon.priv Principal Priv

netlogon.privilege_control Privilege Control netlogon.privilege_entries Privilege Entries netlogon.privilege_name netlogon.profile_path Privilege Name Profile Path

netlogon.pwd_can_change_time Can Change PWD netlogon.pwd_expired PWD Expired

netlogon.pwd_last_set_time PWD Last Set netlogon.pwd_must_change_time Must Change PWD netlogon.rc netlogon.reference netlogon.reserved netlogon.restart_state netlogon.rid netlogon.sec_chn_type Return code Reference Reserved Restart State User RID Sec Chn Type

netlogon.security_information Security Information netlogon.sensitive_data Data

netlogon.sensitive_data_flag Sensitive Data netlogon.sensitive_data_len Length netlogon.serial_number netlogon.server Serial Number Server


Field netlogon.site_name netlogon.sync_context netlogon.system_flags

Field Name Site Name Sync Context System Flags

Type String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Time duration Date/Time stamp String String Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Date/Time stamp String Unsigned 32-bit integer Byte array Unsigned 16-bit integer String String String String String

netlogon.tc_connection_status TC Connection Status netlogon.time_limit netlogon.timestamp netlogon.trusted_dc netlogon.trusted_domain netlogon.unknown.char netlogon.unknown.long netlogon.unknown.short netlogon.unknown.time netlogon.user_flags netlogon.validation_level netlogon.wkst.fqdn netlogon.wkst.name netlogon.wkst.os netlogon.wkst.site_name netlogon.wksts Time Limit Timestamp Trusted DC Trusted Domain Unknown char Unknown long Unknown short Unknown time User Flags Validation Level Wkst FQDN Wkst Name Wkst OS Wkst Site Name Workstations

netlogon.unknown_string Unknown string netlogon.user_session_key User Session Key

Microsoft Registry (winreg)


Table A-136. Microsoft Registry (winreg)

Field                         Field Name       Type
reg.access_mask               Access mask      Unsigned 32-bit integer
reg.hnd                       Context handle   Byte array
reg.keyname                   Key name         String
reg.openentry.unknown1        Unknown 1        Unsigned 32-bit integer
reg.openhklm.unknown1         Unknown 1        Unsigned 16-bit integer
reg.openhklm.unknown2         Unknown 2        Unsigned 16-bit integer
reg.opnum                     Operation        Unsigned 16-bit integer
reg.querykey.class            Class            String
reg.querykey.max_subkey_len   Max subkey len   Unsigned 32-bit integer
reg.querykey.max_valbuf_size  Max valbuf size  Unsigned 32-bit integer
reg.querykey.max_valname_len  Max valnum len   Unsigned 32-bit integer
reg.querykey.modtime          Mod time         Date/Time stamp
reg.querykey.num_subkeys      Num subkeys      Unsigned 32-bit integer
reg.querykey.num_values       Num values       Unsigned 32-bit integer
reg.querykey.reserved         Reserved         Unsigned 32-bit integer
reg.querykey.secdesc          Secdesc          Unsigned 32-bit integer
reg.rc                        Return code      Unsigned 32-bit integer
reg.unknown1A.unknown1        Unknown 1        Unsigned 32-bit integer

Microsoft Security Account Manager (samr)


Table A-137. Microsoft Security Account Manager (samr)

Field                  Field Name     Type
nt.acct_ctrl           Acct Ctrl      Unsigned 32-bit integer
nt.str.len             Length         Unsigned 32-bit integer
nt.str.max_len         Max Length     Unsigned 32-bit integer
nt.str.offset          Offset         Unsigned 32-bit integer
nt.string.length       Length         Unsigned 16-bit integer
nt.string.size         Size           Unsigned 16-bit integer
samr.access            Access Mask    Unsigned 32-bit integer
samr.acct_desc         Account Desc   String
samr.acct_expiry_time  Acct Expiry    Date/Time stamp
samr.acct_name         Account Name   String
samr.alias             Alias          Unsigned 32-bit integer
samr.alias_name        Alias Name     String
samr.attr              Attributes     Unsigned 32-bit integer
samr.bad_pwd_count     Bad Pwd Count  Unsigned 16-bit integer
samr.codepage          Codepage       Unsigned 16-bit integer
samr.comment           Comment        String


Field samr.count samr.country samr.crypt_hash samr.crypt_password samr.dc samr.divisions samr.domain samr.entries samr.full_name samr.group samr.group_name samr.hnd samr.home samr.home_drive samr.index samr.info_type samr.kickoff_time samr.level samr.lm_change samr.lm_pwd_set samr.logoff_time samr.logon_count samr.logon_time samr.mask samr.max_entries samr.max_pwd_age samr.min_pwd_age samr.min_pwd_len samr.nt_pwd_set samr.num_aliases samr.num_groups samr.num_users samr.opnum samr.parameters samr.pref_maxsize samr.profile

Field Name Count Country Hash Password DC Divisions Domain Entries Full Name Group Group Name Context Handle Home Home Drive Index Info Type Kickoff Time Level LM Change LM Pwd Set Logoff Time Logon Count Logon Time Mask Max Entries Max Pwd Age Min Pwd Age Min Pwd Len NT Pwd Set Num Aliases Num Groups Num Users Operation Parameters Pref MaxSize Profile

Type Unsigned 32-bit integer Unsigned 16-bit integer Byte array Byte array String Unsigned 16-bit integer String Unsigned 32-bit integer String Unsigned 32-bit integer String Byte array String String Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Date/Time stamp Unsigned 16-bit integer Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Time duration Time duration Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String Unsigned 32-bit integer String


Field samr.pwd_Expired

Field Name Expired flag

Type Unsigned 8-bit integer Date/Time stamp Unsigned 16-bit integer Date/Time stamp Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String Date/Time stamp String

samr.pwd_can_change_time PWD Can Change samr.pwd_history_len samr.pwd_last_set_time Pwd History Len PWD Last Set

samr.pwd_must_change_time PWD Must Change samr.rc samr.resume_hnd samr.ret_size samr.revision samr.rid samr.rid.attrib samr.script samr.server samr.start_idx samr.total_size samr.type samr.unknown.char samr.unknown.hyper samr.unknown.long samr.unknown.short samr.unknown_string samr.unknown_time samr.workstations Return code Resume Hnd Returned Size Revision Rid Rid Attrib Script Server Start Idx Total Size Type Unknown char Unknown hyper Unknown long Unknown short Unknown string Unknown time Workstations

Microsoft Server Service (srvsvc)


Table A-138. Microsoft Server Service (srvsvc) Field srvsvc. Field Name Max Raw Buf Len Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.acceptdownlevelapis Accept Downlevel APIs srvsvc.accessalert srvsvc.activelocks Access Alerts Active Locks


Field srvsvc.alerts srvsvc.alertsched srvsvc.alist_mtime srvsvc.ann_delta srvsvc.announce srvsvc.auditedevents srvsvc.auditprofile srvsvc.autopath srvsvc.chdevjobs srvsvc.chdevqs srvsvc.chdevs srvsvc.chrdev srvsvc.chrdev_opcode srvsvc.chrdev_status srvsvc.chrdev_time srvsvc.chrdevq

Field Name Alerts Alert Sched Alist mtime Announce Delta Announce Audited Events Audit Profile Autopath Char Dev Jobs Char Devqs Char Devs Char Device Opcode Status Time Device Queue

Type String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String

srvsvc.chrqdev_numahead Num Ahead srvsvc.chrqdev_numusers Num Users srvsvc.chrqdev_pri srvsvc.client.type srvsvc.comment srvsvc.computer srvsvc.con_id srvsvc.con_num_opens srvsvc.con_time srvsvc.con_type srvsvc.connections srvsvc.cur_uses srvsvc.disc srvsvc.disk_name srvsvc.disk_name_len srvsvc.diskalert srvsvc.diskspacetreshold srvsvc.domain srvsvc.emulated_server Priority Client Type Comment Computer Connection ID Num Opens Connection Time Connection Type Connections Current Uses Disc Disk Name Disk Name Length Disk Alerts Diskspace Treshold Domain Emulated Server


Field srvsvc.enablefcbopens srvsvc.enableforcedlogoff

Field Name Enable FCB Opens Enable Forced Logoff

Type Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.enableoplockforceclose Enable Oplock Force Close Unsigned 32-bit integer srvsvc.enableoplocks srvsvc.enableraw Enable Oplocks Enable RAW Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.enablesharednetdrives Enable Shared Net Drives srvsvc.enablesoftcompat srvsvc.enum_hnd srvsvc.erroralert srvsvc.errortreshold srvsvc.file_id srvsvc.file_num_locks srvsvc.glist_mtime srvsvc.guest srvsvc.hidden srvsvc.hnd srvsvc.info.platform_id srvsvc.initconntable srvsvc.initfiletable srvsvc.initsearchtable srvsvc.initsesstable srvsvc.initworkitems srvsvc.irpstacksize srvsvc.lanmask srvsvc.licences srvsvc.linkinfovalidtime srvsvc.lmannounce srvsvc.logonalert srvsvc.max_uses srvsvc.maxaudits srvsvc.maxcopyreadlen srvsvc.maxcopywritelen Enable Soft Compat Enumeration handle Error Alerts Error Treshold File ID Num Locks Glist mtime Guest Account Hidden Context Handle Platform ID Init Connection Table Init File Table Init Search Table Init Session Table Init Workitems Irp Stack Size LANMask Licences Link Info Valid Time LM Announce Logon Alerts Max Uses Max Audits Max Copy Read Len Max Copy Write Len

srvsvc.maxfreeconnections Max Free Conenctions


Field

Field Name

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.maxkeepcomplsearch Max Keep Compl Search srvsvc.maxkeepsearch srvsvc.maxlinkdelay srvsvc.maxmpxct Max Keep Search Max Link Delay MaxMpxCt

srvsvc.maxnonpagedmemoryusage Max Non-Paged Memory Usage

srvsvc.maxpagedmemoryusage Max Paged Memory Usage Unsigned 32-bit integer srvsvc.maxworkitemidletime Max Workitem Idle Time srvsvc.maxworkitems srvsvc.minfreeworkitems Max Workitems Min Free Workitems Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.minfreeconnections Min Free Conenctions srvsvc.minkeepcomplsearch Min Keep Compl Search srvsvc.minkeepsearch srvsvc.minrcvqueue srvsvc.netioalert Min Keep Search Min Rcv Queue Net I/O Alerts

srvsvc.minlinkthroughput Min Link Throughput

srvsvc.networkerrortreshold Network Error Treshold srvsvc.num_admins srvsvc.numbigbufs srvsvc.numblockthreads srvsvc.numfiletasks srvsvc.openfiles srvsvc.opensearch Num Admins Num Big Bufs Num Block Threads Num Filetasks Open Files Open Search

srvsvc.oplockbreakresponsewait Oplock Break Response wait srvsvc.oplockbreakwait srvsvc.opnum srvsvc.outbuflen srvsvc.parm_error srvsvc.path srvsvc.path_flags srvsvc.path_len srvsvc.path_type Oplock Break Wait Operation OutBufLen Parameter Error Path Flags Len Type


Field srvsvc.perm srvsvc.preferred_len srvsvc.prefix srvsvc.qualifier srvsvc.rawworkitems srvsvc.rc srvsvc.reserved

Field Name Permissions Preferred length Prefix Qualifier Raw Workitems Return code Reserved

Type Unsigned 32-bit integer Unsigned 32-bit integer String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.scavqosinfoupdatetime Scav QoS Info Update Time srvsvc.scavtimeout srvsvc.security srvsvc.server srvsvc.server.type Scav Timeout Security Server Server Type

srvsvc.server_stat.avresponse Avresponse srvsvc.server_stat.bigbufneed Big Buf Need srvsvc.server_stat.bytesrcvd Bytes Rcvd srvsvc.server_stat.bytessent Bytes Sent srvsvc.server_stat.devopens Devopens srvsvc.server_stat.fopens Fopens

Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.server_stat.jobsqueued Queued Jobs srvsvc.server_stat.permerrors Permerrors srvsvc.server_stat.pwerrors Pwerrors srvsvc.server_stat.reqbufneed Req Buf Need srvsvc.server_stat.serrorout Serrorout srvsvc.server_stat.sopens srvsvc.server_stat.start Sopens Start

srvsvc.server_stat.stimeouts stimeouts srvsvc.server_stat.syserrors Syserrors


Field srvsvc.service srvsvc.service_bits

Field Name Service Service Bits

Type String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String

srvsvc.service_bits_of_interest Service Bits Of Interest srvsvc.service_options srvsvc.session srvsvc.session.idle_time srvsvc.session.time srvsvc.session.user_flags srvsvc.sessopens srvsvc.sessreqs srvsvc.sessvcs srvsvc.share srvsvc.share.num_entries srvsvc.share_passwd srvsvc.share_type srvsvc.shares srvsvc.sizreqbufs srvsvc.srvheuristics srvsvc.threadcountadd srvsvc.threadpriority srvsvc.timesource srvsvc.tod.day srvsvc.tod.elapsed srvsvc.tod.hours srvsvc.tod.hunds srvsvc.tod.mins srvsvc.tod.month srvsvc.tod.msecs srvsvc.tod.secs srvsvc.tod.timezone srvsvc.tod.tinterval srvsvc.tod.weekday srvsvc.tod.year srvsvc.transport Options Session Idle Time Time User Flags Sessions Open Sessions Reqs Sessions VCs Share Number of entries Share Passwd Share Type Shares Siz Req Bufs Server Heuristics Thread Count Add Thread Priority Timesource Day Elapsed Hours Hunds Mins Month msecs Secs Timezone Tinterval Weekday Year Transport

srvsvc.session.num_opens Num Opens


Field srvsvc.transport.address

Field Name Address

Type Byte array Unsigned 32-bit integer String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

srvsvc.transport.addresslen Address Len srvsvc.transport.name Name

srvsvc.transport.networkaddress Network Address srvsvc.transport.num_vcs srvsvc.ulist_mtime VCs Ulist mtime

srvsvc.update_immediately Update Immediately srvsvc.user srvsvc.user_path srvsvc.users srvsvc.version.major srvsvc.version.minor srvsvc.xactmemsize svrsvc.info_level User User Path Users Major Version Minor Version Xact Mem Size Info Level

Microsoft Spool Subsystem (spoolss)


Table A-139. Microsoft Spool Subsystem (spoolss) Field spoolss.Datatype spoolss.addform.level spoolss.architecture spoolss.buffer.data spoolss.buffer.size Field Name Datatype Level Architecture name Buffer data Buffer size Type String Unsigned 32-bit integer String Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String String String String String

spoolss.clientmajorversion Client major version spoolss.clientminorversion Client minor version spoolss.configfile spoolss.datafile spoolss.defaultdatatype spoolss.dependentfiles spoolss.document spoolss.drivername Config file Data file Default data type Dependent files Document name Driver name


Field spoolss.driverpath spoolss.driverversion spoolss.enumforms.num spoolss.enumjobs.firstjob spoolss.enumjobs.level

Field Name Driver path Driver version Num First job Info level

Type String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Boolean

spoolss.enumjobs.numjobs Num jobs spoolss.enumprinterdata.data_needed Data size needed spoolss.enumprinterdata.data_offered Data size offered spoolss.enumprinterdata.index Enum index spoolss.enumprinterdata.value_needed Value size needed spoolss.enumprinterdata.value_offered Value size offered spoolss.form.flags spoolss.form.height spoolss.form.horiz spoolss.form.left spoolss.form.level spoolss.form.name spoolss.form.top spoolss.form.unknown spoolss.form.vert spoolss.form.width spoolss.getform.level spoolss.helpfile spoolss.hnd spoolss.job.id spoolss.job.pagesprinted spoolss.job.position spoolss.job.priority spoolss.job.status spoolss.job.status.blocked spoolss.job.status.deleted Flags Height Horizontal Left margin Level Name Top Unknown Vertical Width Level Help file Context handle Job ID Job pages printed Job position Job priority Job status Blocked Deleted


Field spoolss.job.status.error spoolss.job.status.offline

Field Name Error Offline

Type Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

spoolss.job.status.deleting Deleting

spoolss.job.status.paperout Paperout spoolss.job.status.paused spoolss.job.status.printed Paused Printed

spoolss.job.status.printing Printing spoolss.job.status.spooling Spooling spoolss.job.status.user_intervention User intervention spoolss.job.totalpages spoolss.monitorname spoolss.needed spoolss.notify_field spoolss.notify_info.count spoolss.notify_info.flags Job total pages Monitor name Needed Field Count Flags

spoolss.notify_info.version Version spoolss.notify_info_data.buffer Buffer spoolss.notify_info_data.buffer.data Buffer data spoolss.notify_info_data.buffer.len Buffer length spoolss.notify_info_data.bufsize Buffer size spoolss.notify_info_data.count Count spoolss.notify_info_data.jobid Job Id spoolss.notify_info_data.type Type spoolss.notify_info_data.value1 Value1 spoolss.notify_info_data.value2 Value2 spoolss.notify_option.count Count


Field

Field Name

Type Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String Unsigned 32-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean

spoolss.notify_option.reserved1 Reserved1 spoolss.notify_option.reserved2 Reserved2 spoolss.notify_option.reserved3 Reserved3 spoolss.notify_option.type Type spoolss.notify_option_data.count Count spoolss.notify_options.count Count spoolss.notify_options.flags Flags spoolss.notify_options.version Version spoolss.offered spoolss.opnum spoolss.outputfile spoolss.printer_attributes Offered Operation Output file Attributes

spoolss.printer_attributes.default Default (9x/ME only) spoolss.printer_attributes.direct Direct spoolss.printer_attributes.do_complete_first Do complete first spoolss.printer_attributes.enable_bidi Enable bidi (9x/ME only) spoolss.printer_attributes.enable_devq Enable devq spoolss.printer_attributes.hidden Hidden spoolss.printer_attributes.keep_printed_jobs Keep printed jobs spoolss.printer_attributes.local Local spoolss.printer_attributes.network Network spoolss.printer_attributes.published Published spoolss.printer_attributes.queued Queued

222

Appendix A. Ethereal Display Filter Fields

Field

Field Name

Type Boolean Boolean

spoolss.printer_attributes.raw_only Raw only spoolss.printer_attributes.shared Shared

spoolss.printer_attributes.work_ofine (9x/ME only) Boolean Work ofine spoolss.printer_local spoolss.printer_status spoolss.printerdata.data spoolss.printerdata.size spoolss.printerdata.type spoolss.printerdata.value spoolss.printername spoolss.rc spoolss.relstr.offset Printer local Status Data Size Printer data type Printer data value Printer name Return code Relative string offset Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean

spoolss.replyopenprinter.unk0 Unknown 0 spoolss.replyopenprinter.unk1 Unknown 1 spoolss.returned spoolss.rffpcnex.ags Returned RFFPCNEX ags

spoolss.rffpcnex.ags.add_driverdriver Add spoolss.rffpcnex.ags.add_form form Add spoolss.rffpcnex.ags.add_job job Add spoolss.rffpcnex.ags.add_port port Add spoolss.rffpcnex.ags.add_printer Add printer spoolss.rffpcnex.ags.add_processor Add processor spoolss.rffpcnex.ags.congure_port port Congure spoolss.rffpcnex.ags.delete_driverdriver Delete spoolss.rffpcnex.ags.delete_form form Delete

223

Appendix A. Ethereal Display Filter Fields

Field

Field Name

Type Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

spoolss.rffpcnex.ags.delete_job job Delete spoolss.rffpcnex.ags.delete_port port Delete spoolss.rffpcnex.ags.delete_printer Delete printer spoolss.rffpcnex.ags.delete_processor Delete processor spoolss.rffpcnex.ags.failed_connection_printer Failed printer connection spoolss.rffpcnex.ags.set_driver Set driver spoolss.rffpcnex.ags.set_form form Set spoolss.rffpcnex.ags.set_job job Set spoolss.rffpcnex.ags.set_printer Set printer spoolss.rffpcnex.ags.timeout Timeout spoolss.rffpcnex.ags.write_job job Write spoolss.rffpcnex.options Options

spoolss.routerreplyprinter.changeid id Change spoolss.routerreplyprinter.condition Condition spoolss.routerreplyprinter.unknown1 Unknown1 spoolss.rrpcn.changehigh spoolss.rrpcn.changelow spoolss.rrpcn.unk0 spoolss.rrpcn.unk1 Change high Change low Unknown 0 Unknown 1

spoolss.servermajorversion Server major version spoolss.serverminorversion Server minor version spoolss.servername spoolss.setform.level spoolss.setjob.cmd spoolss.setprinter_cmd Server name Level Set job command Command

224

Appendix A. Ethereal Display Filter Fields

Field spoolss.textstatus spoolss.time.day spoolss.time.dow spoolss.time.hour spoolss.time.minute spoolss.time.month spoolss.time.msec spoolss.time.second spoolss.time.year spoolss.username

Field Name Text status Day Day of week Hour Minute Month Millisecond Second Year User name

Type String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer

spoolss.writeprinter.numwritten written Num

Microsoft Telephony API Service (tapi)


Table A-140. Microsoft Telephony API Service (tapi)

| Field | Field Name | Type |
|---|---|---|
| tapi.hnd | Context Handle | Byte array |
| tapi.rc | Return code | Unsigned 32-bit integer |
| tapi.unknown.bytes | Unknown bytes | Byte array |
| tapi.unknown.long | Unknown long | Unsigned 32-bit integer |
| tapi.unknown.string | Unknown string | String |

Microsoft Windows Browser Protocol (browser)


Table A-141. Microsoft Windows Browser Protocol (browser)

| Field | Field Name | Type |
|---|---|---|
| browser.backup.count | Backup List Requested Count | Unsigned 8-bit integer |
| browser.backup.server | Backup Server | String |
| browser.backup.token | Backup Request Token | Unsigned 32-bit integer |
| browser.browser_to_promote | Browser to Promote | String |
| browser.command | Command | Unsigned 8-bit integer |
| browser.comment | Host Comment | String |
| browser.election.criteria | Election Criteria | Unsigned 32-bit integer |
| browser.election.desire | Election Desire | Unsigned 8-bit integer |
| browser.election.desire.backup | Backup | Boolean |
| browser.election.desire.domain_master | Domain Master | Boolean |
| browser.election.desire.master | Master | Boolean |
| browser.election.desire.nt | NT | Boolean |
| browser.election.desire.standby | Standby | Boolean |
| browser.election.desire.wins | WINS | Boolean |
| browser.election.os | Election OS | Unsigned 8-bit integer |
| browser.election.os.nts | NT Server | Boolean |
| browser.election.os.ntw | NT Workstation | Boolean |
| browser.election.os.wfw | WfW | Boolean |
| browser.election.revision | Election Revision | Unsigned 16-bit integer |
| browser.election.version | Election Version | Unsigned 8-bit integer |
| browser.mb_server | Master Browser Server Name | String |
| browser.os_major | OS Major Version | Unsigned 8-bit integer |
| browser.os_minor | OS Minor Version | Unsigned 8-bit integer |
| browser.period | Update Periodicity | Unsigned 32-bit integer |
| browser.proto_major | Browser Protocol Major Version | Unsigned 8-bit integer |
| browser.proto_minor | Browser Protocol Minor Version | Unsigned 8-bit integer |
| browser.response_computer_name | Response Computer Name | String |
| browser.server | Server Name | String |
| browser.server_type | Server Type | Unsigned 32-bit integer |
| browser.server_type.apple | Apple | Boolean |
| browser.server_type.backup_controller | Backup Controller | Boolean |
| browser.server_type.browser.backup | Backup Browser | Boolean |
| browser.server_type.browser.domain_master | Domain Master Browser | Boolean |
| browser.server_type.browser.master | Master Browser | Boolean |
| browser.server_type.browser.potential | Potential Browser | Boolean |
| browser.server_type.dialin | Dialin | Boolean |
| browser.server_type.domain_controller | Domain Controller | Boolean |
| browser.server_type.domainenum | Domain Enum | Boolean |
| browser.server_type.local | Local | Boolean |
| browser.server_type.member | Member | Boolean |
| browser.server_type.novell | Novell | Boolean |
| browser.server_type.nts | NT Server | Boolean |
| browser.server_type.ntw | NT Workstation | Boolean |
| browser.server_type.osf | OSF | Boolean |
| browser.server_type.print | Print | Boolean |
| browser.server_type.server | Server | Boolean |
| browser.server_type.sql | SQL | Boolean |
| browser.server_type.time | Time Source | Boolean |
| browser.server_type.vms | VMS | Boolean |
| browser.server_type.w95 | Windows 95+ | Boolean |
| browser.server_type.wfw | WfW | Boolean |
| browser.server_type.workstation | Workstation | Boolean |
| browser.server_type.xenix | Xenix | Boolean |
| browser.sig | Signature | Unsigned 16-bit integer |
| browser.unused | Unused flags | Unsigned 8-bit integer |
| browser.update_count | Update Count | Unsigned 8-bit integer |
| browser.uptime | Uptime | Unsigned 32-bit integer |


Microsoft Windows Lanman Remote API Protocol (lanman)


Table A-142. Microsoft Windows Lanman Remote API Protocol (lanman)

| Field | Field Name | Type |
|---|---|---|
| lanman.aux_data_desc | Auxiliary Data Descriptor | String |
| lanman.available_bytes | Available Bytes | Unsigned 16-bit integer |
| lanman.available_count | Available Entries | Unsigned 16-bit integer |
| lanman.bad_pw_count | Bad Password Count | Unsigned 16-bit integer |
| lanman.code_page | Code Page | Unsigned 16-bit integer |
| lanman.comment | Comment | String |
| lanman.computer_name | Computer Name | String |
| lanman.continuation_from | Continuation from message in frame | Unsigned 32-bit integer |
| lanman.convert | Convert | Unsigned 16-bit integer |
| lanman.country_code | Country Code | Unsigned 16-bit integer |
| lanman.current_time | Current Date/Time | Date/Time stamp |
| lanman.day | Day | Unsigned 8-bit integer |
| lanman.duration | Duration of Session | Time duration |
| lanman.entry_count | Entry Count | Unsigned 16-bit integer |
| lanman.enumeration_domain | Enumeration Domain | String |
| lanman.full_name | Full Name | String |
| lanman.function_code | Function Code | Unsigned 16-bit integer |
| lanman.group_name | Group Name | String |
| lanman.homedir | Home Directory | String |
| lanman.hour | Hour | Unsigned 8-bit integer |
| lanman.hundredths | Hundredths of a second | Unsigned 8-bit integer |
| lanman.kickoff_time | Kickoff Date/Time | Date/Time stamp |
| lanman.last_logoff | Last Logoff Date/Time | Date/Time stamp |
| lanman.last_logon | Last Logon Date/Time | Date/Time stamp |
| lanman.level | Detail Level | Unsigned 16-bit integer |
| lanman.logoff_code | Logoff Code | Unsigned 16-bit integer |
| lanman.logoff_time | Logoff Date/Time | Date/Time stamp |
| lanman.logon_code | Logon Code | Unsigned 16-bit integer |
| lanman.logon_domain | Logon Domain | String |
| lanman.logon_hours | Logon Hours | Byte array |
| lanman.logon_server | Logon Server | String |
| lanman.max_storage | Max Storage | Unsigned 32-bit integer |
| lanman.minute | Minute | Unsigned 8-bit integer |
| lanman.month | Month | Unsigned 8-bit integer |
| lanman.msecs | Milliseconds | Unsigned 32-bit integer |
| lanman.new_password | New Password | Byte array |
| lanman.num_logons | Number of Logons | Unsigned 16-bit integer |
| lanman.old_password | Old Password | Byte array |
| lanman.operator_privileges | Operator Privileges | Unsigned 32-bit integer |
| lanman.other_domains | Other Domains | String |
| lanman.param_desc | Parameter Descriptor | String |
| lanman.parameters | Parameters | String |
| lanman.password | Password | String |
| lanman.password_age | Password Age | Time duration |
| lanman.password_can_change | Password Can Change | Date/Time stamp |
| lanman.password_must_change | Password Must Change | Date/Time stamp |
| lanman.privilege_level | Privilege Level | Unsigned 16-bit integer |
| lanman.recv_buf_len | Receive Buffer Length | Unsigned 16-bit integer |
| lanman.reserved | Reserved | Unsigned 32-bit integer |
| lanman.ret_desc | Return Descriptor | String |
| lanman.script_path | Script Path | String |
| lanman.second | Second | Unsigned 8-bit integer |
| lanman.send_buf_len | Send Buffer Length | Unsigned 16-bit integer |
| lanman.server.comment | Server Comment | String |
| lanman.server.major | Major Version | Unsigned 8-bit integer |
| lanman.server.minor | Minor Version | Unsigned 8-bit integer |
| lanman.server.name | Server Name | String |
| lanman.share.comment | Share Comment | String |
| lanman.share.current_uses | Share Current Uses | Unsigned 16-bit integer |
| lanman.share.max_uses | Share Max Uses | Unsigned 16-bit integer |
| lanman.share.name | Share Name | String |
| lanman.share.password | Share Password | String |
| lanman.share.path | Share Path | String |
| lanman.share.permissions | Share Permissions | Unsigned 16-bit integer |
| lanman.share.type | Share Type | Unsigned 16-bit integer |
| lanman.status | Status | Unsigned 16-bit integer |
| lanman.timeinterval | Time Interval | Unsigned 16-bit integer |
| lanman.tzoffset | Time Zone Offset | Signed 16-bit integer |
| lanman.units_per_week | Units Per Week | Unsigned 16-bit integer |
| lanman.user_comment | User Comment | String |
| lanman.user_name | User Name | String |
| lanman.ustruct_size | Length of UStruct | Unsigned 16-bit integer |
| lanman.weekday | Weekday | Unsigned 8-bit integer |
| lanman.workstation_domain | Workstation Domain | String |
| lanman.workstation_major | Workstation Major Version | Unsigned 8-bit integer |
| lanman.workstation_minor | Workstation Minor Version | Unsigned 8-bit integer |
| lanman.workstation_name | Workstation Name | String |
| lanman.workstations | Workstations | String |
| lanman.year | Year | Unsigned 16-bit integer |

Microsoft Windows Logon Protocol (netlogon)


Table A-143. Microsoft Windows Logon Protocol (netlogon)

| Field | Field Name | Type |
|---|---|---|
| netlogon.command | Command | Unsigned 8-bit integer |
| netlogon.date_time | Date/Time | Unsigned 32-bit integer |
| netlogon.db_count | DB Count | Unsigned 32-bit integer |
| netlogon.db_index | Database Index | Unsigned 32-bit integer |
| netlogon.domain_name | Domain Name | String |
| netlogon.domain_sid_size | Domain SID Size | Unsigned 32-bit integer |
| netlogon.flags.autolock | Autolock | Boolean |
| netlogon.flags.enabled | Enabled | Boolean |
| netlogon.flags.expire | Expire | Boolean |
| netlogon.flags.homedir | Homedir | Boolean |
| netlogon.flags.interdomain | Interdomain Trust | Boolean |
| netlogon.flags.mns | MNS User | Boolean |
| netlogon.flags.normal | Normal User | Boolean |


Field netlogon.flags.password netlogon.flags.server netlogon.flags.temp_dup netlogon.large_serial netlogon.lm_token netlogon.lmnt_token netlogon.low_serial netlogon.mailslot_name netlogon.major_version netlogon.minor_version netlogon.nt_date_time netlogon.nt_version netlogon.os_version netlogon.pdc_name netlogon.pulse netlogon.random netlogon.request_count netlogon.script_name netlogon.server_name

Field Name Password Server Trust Temp Duplicate User Large Serial Number LM Token LMNT Token Low Serial Number Mailslot Name

Type Boolean Boolean Boolean Boolean Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer String

netlogon.flags.workstation Workstation Trust

Workstation Major Version Unsigned 8-bit integer Workstation Minor Version Unsigned 8-bit integer NT Date/Time NT Version Workstation OS Version PDC Name Pulse Random Request Count Script Name Server Name Date/Time stamp Unsigned 32-bit integer Unsigned 8-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String String

netlogon.unicode_computer_name Computer Name String Unicode netlogon.unicode_pdc_name Unicode PDC Name netlogon.update netlogon.user_name Update Type User Name String Unsigned 16-bit integer String

Microsoft Workstation Service (wkssvc)


Table A-144. Microsoft Workstation Service (wkssvc) Field Field Name Type


Mobile IP (mip)
Table A-145. Mobile IP (mip)

| Field | Field Name | Type |
|---|---|---|
| mip.auth.auth | Authenticator | Byte array |
| mip.auth.spi | SPI | Unsigned 32-bit integer |
| mip.b | Broadcast Datagrams | Boolean |
| mip.coa | Care of Address | IPv4 address |
| mip.code | Reply Code | Unsigned 8-bit integer |
| mip.d | Co-lcated Care-of Address | Boolean |
| mip.ext.auth.subtype | Gen Auth Ext SubType | Unsigned 8-bit integer |
| mip.ext.len | Extension Length | Unsigned 16-bit integer |
| mip.ext.type | Extension Type | Unsigned 8-bit integer |
| mip.extension | Extension | Byte array |
| mip.flags | Flags | Unsigned 8-bit integer |
| mip.g | GRE | Boolean |
| mip.haaddr | Home Agent | IPv4 address |
| mip.homeaddr | Home Address | IPv4 address |
| mip.ident | Identification | Date/Time stamp |
| mip.life | Lifetime | Unsigned 16-bit integer |
| mip.m | Minimal Encapsulation | Boolean |
| mip.nai | NAI | String |
| mip.s | Simultaneous Bindings | Boolean |
| mip.t | Reverse Tunneling | Boolean |
| mip.type | Message Type | Unsigned 8-bit integer |
| mip.v | Van Jacobson | Boolean |

Modbus/TCP (mbtcp)
Table A-146. Modbus/TCP (mbtcp)

| Field | Field Name | Type |
|---|---|---|
| modbus_tcp.func_code | function code | Unsigned 8-bit integer |
| modbus_tcp.len | length | Unsigned 16-bit integer |
| modbus_tcp.prot_id | protocol identifier | Unsigned 16-bit integer |
| modbus_tcp.trans_id | transaction identifier | Unsigned 16-bit integer |
| modbus_tcp.unit_id | unit identifier | Unsigned 8-bit integer |

Mount Service (mount)


Table A-147. Mount Service (mount)

| Field | Field Name | Type |
|---|---|---|
| mount.dump.directory | Directory | String |
| mount.dump.entry | Mount List Entry | No value |
| mount.dump.hostname | Hostname | String |
| mount.export.directory | Directory | String |
| mount.export.entry | Export List Entry | No value |
| mount.export.group | Group | String |
| mount.export.groups | Groups | No value |
| mount.flavor | Flavor | Unsigned 32-bit integer |
| mount.flavors | Flavors | Unsigned 32-bit integer |
| mount.path | Path | String |
| mount.pathconf.link_max | Maximum number of links to a file | Unsigned 32-bit integer |
| mount.pathconf.mask | Reply error/status bits | Unsigned 16-bit integer |
| mount.pathconf.mask.chown_restricted | CHOWN_RESTRICTED | Boolean |
| mount.pathconf.mask.error_all | ERROR_ALL | Boolean |
| mount.pathconf.mask.error_link_max | ERROR_LINK_MAX | Boolean |
| mount.pathconf.mask.error_max_canon | ERROR_MAX_CANON | Boolean |
| mount.pathconf.mask.error_max_input | ERROR_MAX_INPUT | Boolean |
| mount.pathconf.mask.error_name_max | ERROR_NAME_MAX | Boolean |
| mount.pathconf.mask.error_path_max | ERROR_PATH_MAX | Boolean |
| mount.pathconf.mask.error_pipe_buf | ERROR_PIPE_BUF | Boolean |
| mount.pathconf.mask.error_vdisable | ERROR_VDISABLE | Boolean |
| mount.pathconf.mask.no_trunc | NO_TRUNC | Boolean |
| mount.pathconf.max_canon | Maximum terminal input line length | Unsigned 16-bit integer |
| mount.pathconf.max_input | Terminal input buffer size | Unsigned 16-bit integer |
| mount.pathconf.name_max | Maximum file name length | Unsigned 16-bit integer |
| mount.pathconf.path_max | Maximum path name length | Unsigned 16-bit integer |
| mount.pathconf.pipe_buf | Pipe buffer size | Unsigned 16-bit integer |
| mount.pathconf.vdisable_char | VDISABLE character | Unsigned 8-bit integer |
| mount.status | Status | Unsigned 32-bit integer |

MultiProtocol Label Switching Header (mpls)


Table A-148. MultiProtocol Label Switching Header (mpls)

| Field | Field Name | Type |
|---|---|---|
| mpls.bottom | MPLS Bottom Of Label Stack | Unsigned 8-bit integer |
| mpls.exp | MPLS Experimental Bits | Unsigned 8-bit integer |
| mpls.label | MPLS Label | Unsigned 32-bit integer |
| mpls.ttl | MPLS TTL | Unsigned 8-bit integer |

Multicast Router DISCovery protocol (mrdisc)


Table A-149. Multicast Router DISCovery protocol (mrdisc)

| Field | Field Name | Type |
|---|---|---|
| mrdisc.adv_int | Advertising Interval | Unsigned 8-bit integer |
| mrdisc.checksum | Checksum | Unsigned 16-bit integer |
| mrdisc.checksum_bad | Bad Checksum | Boolean |
| mrdisc.num_opts | Number Of Options | Unsigned 16-bit integer |
| mrdisc.opt_len | Length | Unsigned 8-bit integer |
| mrdisc.option | Option | Unsigned 8-bit integer |
| mrdisc.option_data | Data | Byte array |
| mrdisc.options | Options | No value |
| mrdisc.query_int | Query Interval | Unsigned 16-bit integer |
| mrdisc.rob_var | Robustness Variable | Unsigned 16-bit integer |
| mrdisc.type | Type | Unsigned 8-bit integer |

Multicast Source Discovery Protocol (msdp)


Table A-150. Multicast Source Discovery Protocol (msdp)

| Field | Field Name | Type |
|---|---|---|
| msdp.length | Length | Unsigned 16-bit integer |
| msdp.not.entry_count | Entry Count | Unsigned 24-bit integer |
| msdp.not.error | Error Code | Unsigned 8-bit integer |
| msdp.not.error_sub | Error subode | Unsigned 8-bit integer |
| msdp.not.ipv4 | IPv4 address | IPv4 address |
| msdp.not.o | Open-bit | Unsigned 8-bit integer |
| msdp.not.res | Reserved | Unsigned 24-bit integer |
| msdp.not.sprefix_len | Sprefix len | Unsigned 8-bit integer |
| msdp.sa.entry_count | Entry Count | Unsigned 8-bit integer |
| msdp.sa.group_addr | Group Address | IPv4 address |
| msdp.sa.reserved | Reserved | Unsigned 24-bit integer |
| msdp.sa.rp_addr | RP Address | IPv4 address |
| msdp.sa.sprefix_len | Sprefix len | Unsigned 8-bit integer |
| msdp.sa.src_addr | Source Address | IPv4 address |
| msdp.sa_req.group_addr | Group Address | IPv4 address |
| msdp.sa_req.res | Reserved | Unsigned 8-bit integer |
| msdp.type | Type | Unsigned 8-bit integer |

NFSACL (nfsacl)
Table A-151. NFSACL (nfsacl) Field Field Name Type


NFSAUTH (nfsauth)
Table A-152. NFSAUTH (nfsauth) Field Field Name Type

NIS+ (nisplus)
Table A-153. NIS+ (nisplus) Field .nisplus.dummy nisplus.access.mask nisplus.aticks nisplus.attr nisplus.attr.name nisplus.attr.val nisplus.attributes nisplus.callback.status nisplus.checkpoint.dticks nisplus.checkpoint.status nisplus.checkpoint.zticks nisplus.cookie nisplus.cticks nisplus.ctime nisplus.directory nisplus.directory.mask access mask aticks Attribute name val Attributes status dticks status zticks cookie cticks ctime directory mask Field Name Type Byte array No value Unsigned 32-bit integer No value String Byte array No value Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Date/Time stamp No value No value Boolean Boolean Boolean Boolean Boolean

nisplus.directory.mask.group_create CREATE GROUP nisplus.directory.mask.group_destroy GROUP DESTROY nisplus.directory.mask.group_modify GROUP MODIFY nisplus.directory.mask.group_read READ GROUP nisplus.directory.mask.nobody_create CREATE NOBODY


Field

Field Name

Type Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean No value String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Date/Time stamp No value String String String No value No value No value No value Unsigned 32-bit integer Boolean

nisplus.directory.mask.nobody_destroy NOBODY DESTROY nisplus.directory.mask.nobody_modify NOBODY MODIFY nisplus.directory.mask.nobody_read READ NOBODY nisplus.directory.mask.owner_create CREATE OWNER nisplus.directory.mask.owner_destroy OWNER DESTROY nisplus.directory.mask.owner_modify OWNER MODIFY nisplus.directory.mask.owner_read READ OWNER nisplus.directory.mask.world_create CREATE WORLD nisplus.directory.mask.world_destroy WORLD DESTROY nisplus.directory.mask.world_modify MODIFY WORLD nisplus.directory.mask.world_read READ WORLD nisplus.directory.mask_list mask list nisplus.directory.name nisplus.directory.ttl nisplus.directory.type nisplus.dticks nisplus.dump.dir nisplus.dump.time nisplus.endpoint nisplus.endpoint.family nisplus.endpoint.proto nisplus.endpoint.uaddr nisplus.endpoints nisplus.entry nisplus.entry.col nisplus.entry.cols nisplus.entry.flags nisplus.entry.flags.asn directory name ttl type dticks directory time endpoint family proto addr nis endpoints entry column columns flags ASN.1


Field nisplus.entry.flags.binary

Field Name BINARY

Type Boolean Boolean Boolean Boolean String String Byte array String String Byte array No value Unsigned 32-bit integer String No value Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer No value No value No value Unsigned 32-bit integer String Date/Time stamp Date/Time stamp No value String String String No value String Byte array Unsigned 32-bit integer Unsigned 32-bit integer

nisplus.entry.flags.encrypted ENCRYPTED nisplus.entry.flags.modified MODIFIED nisplus.entry.flags.xdr nisplus.entry.type nisplus.entry.val nisplus.fd.dir.data nisplus.fd.dirname nisplus.fd.requester nisplus.fd.sig nisplus.group nisplus.group.flags nisplus.group.name nisplus.grps nisplus.ib.bufsize nisplus.ib.flags nisplus.key.data nisplus.key.type nisplus.link nisplus.log.entries nisplus.log.entry nisplus.log.entry.type nisplus.log.principal nisplus.log.time nisplus.mtime nisplus.object nisplus.object.domain nisplus.object.group nisplus.object.name nisplus.object.oid nisplus.object.owner nisplus.object.private nisplus.object.ttl nisplus.object.type XDR type val data dirname requester signature Group flags group name Groups bufsize flags key data type link log entries log entry type principal time mtime NIS Object domain group name Object Identity Verifier owner private ttl type


Field nisplus.ping.dir nisplus.ping.time nisplus.server nisplus.server.name nisplus.servers nisplus.status nisplus.table nisplus.table.col nisplus.table.col.flags nisplus.table.col.name nisplus.table.cols nisplus.table.flags.asn nisplus.table.flags.binary

Field Name directory time server name nis servers status table column flags column name columns asn binary

Type String Date/Time stamp No value String No value Unsigned 32-bit integer No value No value No value String No value Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 16-bit integer String Unsigned 8-bit integer String No value Unsigned 32-bit integer String No value Unsigned 32-bit integer

nisplus.table.flags.casesensitive casesensitive nisplus.table.flags.encrypted encrypted nisplus.table.flags.modified modified nisplus.table.flags.searchable searchable nisplus.table.flags.xdr nisplus.table.maxcol nisplus.table.path nisplus.table.separator nisplus.table.type nisplus.tag nisplus.tag.type nisplus.tag.value nisplus.taglist nisplus.zticks xdr max columns path separator type tag type value taglist zticks

NIS+ Callback (nispluscb)


Table A-154. NIS+ Callback (nispluscb)

| Field | Field Name | Type |
|---|---|---|
| nispluscb.entries | entries | No value |
| nispluscb.entry | entry | No value |

NSPI (nspi)
Table A-155. NSPI (nspi)

| Field | Field Name | Type |
|---|---|---|
| nspi.opnum | Operation | Unsigned 16-bit integer |

NTLM Secure Service Provider (ntlmssp)


Table A-156. NTLM Secure Service Provider (ntlmssp)

| Field | Field Name | Type |
|---|---|---|
| dcerpc.negotiateflags | Flags | Unsigned 32-bit integer |
| ntlmssp.auth.domain | Domain name | String |
| ntlmssp.auth.domain.maxlen | Domain name max length | Unsigned 16-bit integer |
| ntlmssp.auth.domain.offset | Domain name offset | Unsigned 32-bit integer |
| ntlmssp.auth.domain.strlen | Domain name length | Unsigned 16-bit integer |
| ntlmssp.auth.hostname | Host name | String |
| ntlmssp.auth.hostname.maxlen | Hostname max length | Unsigned 16-bit integer |
| ntlmssp.auth.hostname.offset | Hostname offset | Unsigned 32-bit integer |
| ntlmssp.auth.hostname.strlen | Hostname length | Unsigned 16-bit integer |
| ntlmssp.auth.lmresponse | Lan Manager Response | Byte array |
| ntlmssp.auth.lmresponse.maxlen | Lan Manager response max length | Unsigned 16-bit integer |
| ntlmssp.auth.lmresponse.offset | Lan Manager response offset | Unsigned 16-bit integer |
| ntlmssp.auth.lmresponse.strlen | Lan Manager response length | Unsigned 16-bit integer |
| ntlmssp.auth.ntresponse | NTLM Response | Byte array |
| ntlmssp.auth.ntresponse.maxlen | NTLM response max length | Unsigned 16-bit integer |
| ntlmssp.auth.ntresponse.offset | NTLM response offset | Unsigned 32-bit integer |
| ntlmssp.auth.ntresponse.strlen | NTLM response length | Unsigned 16-bit integer |
| ntlmssp.auth.unknown1 | Unknown1 | Byte array |
| ntlmssp.auth.unknown1.maxlen | Unknown1 max length | Unsigned 16-bit integer |
| ntlmssp.auth.unknown1.offset | Unknown1 offset | Unsigned 32-bit integer |
| ntlmssp.auth.unknown1.strlen | Unknown1 length | Unsigned 16-bit integer |
| ntlmssp.auth.username | User name | String |
| ntlmssp.auth.username.maxlen | Username max length | Unsigned 16-bit integer |
| ntlmssp.auth.username.offset | Username offset | Unsigned 32-bit integer |
| ntlmssp.auth.username.strlen | Username length | Unsigned 16-bit integer |
| ntlmssp.challenge.unknown1 | Unknown1 | Unsigned 32-bit integer |
| ntlmssp.challenge.unknown2 | Unknown2 | Unsigned 32-bit integer |
| ntlmssp.identifier | NTLMSSP identifier | String |
| ntlmssp.messagetype | NTLM Message Type | Unsigned 32-bit integer |
| ntlmssp.negotiate.callingworkstation | Calling workstation name | String |
| ntlmssp.negotiate.callingworkstation.buffer | Calling workstation name buffer | Unsigned 32-bit integer |
| ntlmssp.negotiate.callingworkstation.maxlen | Calling workstation name max length | Unsigned 16-bit integer |
| ntlmssp.negotiate.callingworkstation.strlen | Calling workstation name length | Unsigned 16-bit integer |
| ntlmssp.negotiate.domain | Calling workstation domain | String |
| ntlmssp.negotiate.domain.buffer | Calling workstation domain buffer | Unsigned 32-bit integer |
| ntlmssp.negotiate.domain.maxlen | Calling workstation domain max length | Unsigned 16-bit integer |
| ntlmssp.negotiate.domain.strlen | Calling workstation domain length | Unsigned 16-bit integer |
| ntlmssp.negotiate00000008 | Request 0x00000008 | Boolean |
| ntlmssp.negotiate00000400 | Negotiate 0x00000400 | Boolean |
| ntlmssp.negotiate00000800 | Negotiate 0x00000800 | Boolean |
| ntlmssp.negotiate128 | Negotiate 128 | Boolean |
| ntlmssp.negotiatealwayssign | Negotiate Always Sign | Boolean |
| ntlmssp.negotiatechallengeacceptresponse | Negotiate Challenge Accept Response | Boolean |
| ntlmssp.negotiatechallengeinitresponse | Negotiate Challenge Init Response | Boolean |
| ntlmssp.negotiatechallengenonntsessionkey | Negotiate Challenge Non NT Session Key | Boolean |
| ntlmssp.negotiatedatagramstyle | Negotiate Datagram Style | Boolean |
| ntlmssp.negotiatedomainsupplied | Negotiate Domain Supplied | Boolean |
| ntlmssp.negotiatekeyexch | Negotiate Key Exchange | Boolean |
| ntlmssp.negotiatelmkey | Negotiate Lan Manager Key | Boolean |
| ntlmssp.negotiatenetware | Negotiate Netware | Boolean |
| ntlmssp.negotiatent00100000 | Negotiate 0x00100000 | Boolean |
| ntlmssp.negotiatent00200000 | Negotiate 0x00200000 | Boolean |
| ntlmssp.negotiatent00400000 | Negotiate 0x00400000 | Boolean |
| ntlmssp.negotiatent01000000 | Negotiate 0x01000000 | Boolean |
| ntlmssp.negotiatent02000000 | Negotiate 0x02000000 | Boolean |
| ntlmssp.negotiatent04000000 | Negotiate 0x04000000 | Boolean |
| ntlmssp.negotiatent08000000 | Negotiate 0x08000000 | Boolean |
| ntlmssp.negotiatent10000000 | Negotiate 0x10000000 | Boolean |
| ntlmssp.negotiatent80000000 | Negotiate 0x80000000 | Boolean |
| ntlmssp.negotiatentlm | Negotiate NTLM key | Boolean |
| ntlmssp.negotiatentlm2 | Negotiate NTLM2 key | Boolean |
| ntlmssp.negotiateoem | Negotiate OEM | Boolean |
| ntlmssp.negotiateseal | Negotiate Seal | Boolean |
| ntlmssp.negotiatesign | Negotiate Sign | Boolean |
| ntlmssp.negotiatetargetinfo | Negotiate Target Info | Boolean |
| ntlmssp.negotiatethisislocalcall | Negotiate This is Local Call | Boolean |
| ntlmssp.negotiateunicode | Negotiate UNICODE | Boolean |
| ntlmssp.negotiateworkstationsupplied | Negotiate Workstation Supplied | Boolean |
| ntlmssp.ntlmchallenge | NTLM Challenge | Byte array |
| ntlmssp.requesttarget | Request Target | Boolean |
| ntlmssp.reserved | Reserved | Byte array |

Name Binding Protocol (nbp)


Table A-157. Name Binding Protocol (nbp)

| Field | Field Name | Type |
|---|---|---|
| nbp.count | Count | Unsigned 8-bit integer |
| nbp.enum | Enumerator | Unsigned 8-bit integer |
| nbp.info | Info | Unsigned 8-bit integer |
| nbp.net | Network | Unsigned 16-bit integer |
| nbp.node | Node | Unsigned 8-bit integer |
| nbp.object | Object | String |
| nbp.op | Operation | Unsigned 8-bit integer |
| nbp.port | Port | Unsigned 8-bit integer |
| nbp.tid | Transaction ID | Unsigned 8-bit integer |
| nbp.type | Type | String |
| nbp.zone | Zone | String |

Name Management Protocol over IPX (nmpi)


Table A-158. Name Management Protocol over IPX (nmpi) Field Field Name Type

NetBIOS (netbios)
Table A-159. NetBIOS (netbios)

| Field | Field Name | Type |
|---|---|---|
| netbios.ack | Acknowledge | Boolean |
| netbios.ack_expected | Acknowledge expected | Boolean |
| netbios.ack_with_data | Acknowledge with data | Boolean |
| netbios.call_name_type | Callers Name Type | Unsigned 8-bit integer |
| netbios.command | Command | Unsigned 8-bit integer |
| netbios.data1 | DATA1 value | Unsigned 8-bit integer |
| netbios.data2 | DATA2 value | Unsigned 16-bit integer |
| netbios.hdr_len | Header Length | Unsigned 16-bit integer |
| netbios.largest_frame | Largest Frame | Unsigned 8-bit integer |
| netbios.local_session | Local Session No. | Unsigned 8-bit integer |
| netbios.max_data_recv_size | Maximum data receive size | Unsigned 16-bit integer |
| netbios.name_type | Name type | Unsigned 16-bit integer |
| netbios.nb_name | NetBIOS Name | String |
| netbios.nb_name_type | NetBIOS Name Type | Unsigned 8-bit integer |
| netbios.num_data_bytes_accepted | Number of data bytes accepted | Unsigned 16-bit integer |
| netbios.recv_cont_req | RECEIVE_CONTINUE requested | Boolean |
| netbios.remote_session | Remote Session No. | Unsigned 8-bit integer |
| netbios.resp_corrl | Response Correlator | Unsigned 16-bit integer |
| netbios.send_no_ack | Handle SEND.NO.ACK | Boolean |
| netbios.status | Status | Unsigned 8-bit integer |
| netbios.status_buffer_len | Length of status buffer | Unsigned 16-bit integer |
| netbios.termination_indicator | Termination indicator | Unsigned 16-bit integer |
| netbios.version | NetBIOS Version | Boolean |
| netbios.xmit_corrl | Transmit Correlator | Unsigned 16-bit integer |


NetBIOS Datagram Service (nbdgm)


Table A-160. NetBIOS Datagram Service (nbdgm)

| Field | Field Name | Type |
|---|---|---|
| nbdgm.dgram_id | Datagram ID | Unsigned 16-bit integer |
| nbdgm.first | This is first fragment | Boolean |
| nbdgm.next | More fragments follow | Boolean |
| nbdgm.node_type | Node Type | Unsigned 8-bit integer |
| nbdgm.src.ip | Source IP | IPv4 address |
| nbdgm.src.port | Source Port | Unsigned 16-bit integer |
| nbdgm.type | Message Type | Unsigned 8-bit integer |

NetBIOS Name Service (nbns)


Table A-161. NetBIOS Name Service (nbns)

| Field | Field Name | Type |
|---|---|---|
| nbns.count.add_rr | Additional RRs | Unsigned 16-bit integer |
| nbns.count.answers | Answer RRs | Unsigned 16-bit integer |
| nbns.count.auth_rr | Authority RRs | Unsigned 16-bit integer |
| nbns.count.queries | Questions | Unsigned 16-bit integer |
| nbns.flags | Flags | Unsigned 16-bit integer |
| nbns.flags.authoritative | Authoritative | Boolean |
| nbns.flags.broadcast | Broadcast | Boolean |
| nbns.flags.opcode | Opcode | Unsigned 16-bit integer |
| nbns.flags.rcode | Reply code | Unsigned 16-bit integer |
| nbns.flags.recavail | Recursion available | Boolean |
| nbns.flags.recdesired | Recursion desired | Boolean |
| nbns.flags.response | Response | Boolean |
| nbns.flags.truncated | Truncated | Boolean |
| nbns.id | Transaction ID | Unsigned 16-bit integer |

NetBIOS Session Service (nbss)


Table A-162. NetBIOS Session Service (nbss)

| Field | Field Name | Type |
|---|---|---|
| nbss.flags | Flags | Unsigned 8-bit integer |
| nbss.type | Message Type | Unsigned 8-bit integer |

NetBIOS over IPX (nbipx)


Table A-163. NetBIOS over IPX (nbipx)

| Field | Field Name | Type |
|---|---|---|

NetWare Core Protocol (ncp)


Table A-164. NetWare Core Protocol (ncp)

| Field | Field Name | Type |
|---|---|---|
| ncp.Service_type | Service Type | Unsigned 16-bit integer |
| ncp.abort_q_flag | Abort Queue Flag | Unsigned 8-bit integer |
| ncp.abs_min_time_since_file_delete | Absolute Minimum Time Since File Delete | Unsigned 32-bit integer |
| ncp.acc_mode_comp | Compatibility Mode | Boolean |
| ncp.acc_mode_deny_read | Deny Read Access | Boolean |
| ncp.acc_mode_deny_write | Deny Write Access | Boolean |
| ncp.acc_mode_read | Read Access | Boolean |
| ncp.acc_mode_write | Write Access | Boolean |
| ncp.acc_priv_create | Create Privileges (files only) | Boolean |
| ncp.acc_priv_delete | Delete Privileges (files only) | Boolean |
| ncp.acc_priv_modify | Modify File Status Flags Privileges (files and directories) | Boolean |
| ncp.acc_priv_open | Open Privileges (files only) | Boolean |
| ncp.acc_priv_parent | Parental Privileges (directories only for creating, deleting, and renaming) | Boolean |
| ncp.acc_priv_read | Read Privileges (files only) | Boolean |

| ncp.acc_priv_search | Search Privileges (directories only) | Boolean |
| ncp.acc_priv_write | Write Privileges (files only) | Boolean |
| ncp.acc_rights1_create | Create Rights | Boolean |
| ncp.acc_rights1_delete | Delete Rights | Boolean |
| ncp.acc_rights1_modify | Modify Rights | Boolean |
| ncp.acc_rights1_open | Open Rights | Boolean |
| ncp.acc_rights1_parent | Parental Rights | Boolean |
| ncp.acc_rights1_read | Read Rights | Boolean |
| ncp.acc_rights1_search | Search Rights | Boolean |
| ncp.acc_rights1_supervisor | Supervisor Access Rights | Boolean |
| ncp.acc_rights1_write | Write Rights | Boolean |
| ncp.acc_rights_create | Create Rights | Boolean |
| ncp.acc_rights_delete | Delete Rights | Boolean |
| ncp.acc_rights_modify | Modify Rights | Boolean |
| ncp.acc_rights_open | Open Rights | Boolean |
| ncp.acc_rights_parent | Parental Rights | Boolean |
| ncp.acc_rights_read | Read Rights | Boolean |
| ncp.acc_rights_search | Search Rights | Boolean |
| ncp.acc_rights_write | Write Rights | Boolean |
| ncp.accel_cache_node_write | Accelerate Cache Node Write Count | Unsigned 32-bit integer |
| ncp.accepted_max_size | Accepted Max Size | Unsigned 16-bit integer |
| ncp.access_control | Access Control | Unsigned 8-bit integer |
| ncp.access_mode | Access Mode | Unsigned 8-bit integer |
| ncp.access_privileges | Access Privileges | Unsigned 8-bit integer |
| ncp.access_rights_mask | Access Rights | Unsigned 8-bit integer |
| ncp.access_rights_mask_word | Access Rights | Unsigned 16-bit integer |
| ncp.account_balance | Account Balance | Unsigned 32-bit integer |
| ncp.acct_version | Acct Version | Unsigned 8-bit integer |
| ncp.ack_seqno | ACK Sequence Number | Unsigned 16-bit integer |
| ncp.act_flag_create | Create | Boolean |
| ncp.act_flag_open | Open | Boolean |
| ncp.act_flag_replace | Replace | Boolean |

| ncp.action_flag | Action Flag | Unsigned 8-bit integer |
| ncp.active_conn_bit_list | Active Connection List | String |
| ncp.active_indexed_files | Active Indexed Files | Unsigned 16-bit integer |
| ncp.actual_max_bindery_objects | Actual Max Bindery Objects | Unsigned 16-bit integer |
| ncp.actual_max_indexed_files | Actual Max Indexed Files | Unsigned 16-bit integer |
| ncp.actual_max_open_files | Actual Max Open Files | Unsigned 16-bit integer |
| ncp.actual_max_sim_trans | Actual Max Simultaneous Transactions | Unsigned 16-bit integer |
| ncp.actual_max_used_directory_entries | Actual Max Used Directory Entries | Unsigned 16-bit integer |

ncp.actual_max_used_routing_buffers Used Routing Unsigned 16-bit integer Actual Max Buffers ncp.actual_response_count Actual Response Count ncp.add_nm_spc_and_vol Add Name Space and Volume ncp.address ncp.aes_event_count ncp.afp_entry_id ncp.alloc_avail_byte ncp.alloc_blck Address AES Event Count AFP Entry ID Bytes Available for Allocation Allocate Block Count Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String

ncp.alloc_blck_already_waitAllocate Block Already Waiting ncp.alloc_blck_frm_avail ncp.alloc_blck_frm_lru Allocate Block From Available Count Allocate Block From LRU Count

ncp.alloc_blck_i_had_to_wait Allocate Block I Had To Wait Count ncp.alloc_blck_i_had_to_wait_for Block I Had To Allocate Wait For Someone Count ncp.alloc_free_count ncp.alloc_waiting ncp.allocate_mode ncp.allocation_block_size Reclaimable Free Bytes Allocate Waiting Count Allocate Mode Allocation Block Size

| ncp.already_doing_realloc | Already Doing Re-Allocate Count | Unsigned 32-bit integer |
| ncp.application_number | Application Number | Unsigned 16-bit integer |
| ncp.archived_date | Archived Date | Unsigned 16-bit integer |
| ncp.archived_time | Archived Time | Unsigned 16-bit integer |
| ncp.archiver_id | Archiver ID | Unsigned 32-bit integer |
| ncp.associated_name_space | Associated Name Space | Unsigned 8-bit integer |
| ncp.async_internl_dsk_get | Async Internal Disk Get Count | Unsigned 32-bit integer |
| ncp.async_internl_dsk_get_need_to_alloc | Async Internal Disk Get Need To Alloc | Unsigned 32-bit integer |
| ncp.async_internl_dsk_get_someone_beat | Async Internal Disk Get Someone Beat Me | Unsigned 32-bit integer |
| ncp.async_read_error | Async Read Error Count | Unsigned 32-bit integer |
| ncp.att_def16_archive | Archive | Boolean |
| ncp.att_def16_execute | Execute | Boolean |
| ncp.att_def16_hidden | Hidden | Boolean |
| ncp.att_def16_read_audit | Read Audit | Boolean |
| ncp.att_def16_ro | Read Only | Boolean |
| ncp.att_def16_shareable | Shareable | Boolean |
| ncp.att_def16_sub_only | Subdirectories Only | Boolean |
| ncp.att_def16_system | System | Boolean |
| ncp.att_def16_transaction | Transactional | Boolean |
| ncp.att_def16_write_audit | Write Audit | Boolean |
| ncp.att_def32_archive | Archive | Boolean |
| ncp.att_def32_execute | Execute | Boolean |
| ncp.att_def32_hidden | Hidden | Boolean |
| ncp.att_def32_read_audit | Read Audit | Boolean |
| ncp.att_def32_ro | Read Only | Boolean |
| ncp.att_def32_shareable | Shareable | Boolean |
| ncp.att_def32_sub_only | Subdirectories Only | Boolean |
| ncp.att_def32_system | System | Boolean |
| ncp.att_def32_transaction | Transactional | Boolean |
| ncp.att_def32_write_audit | Write Audit | Boolean |
| ncp.att_def_archive | Archive | Boolean |
| ncp.att_def_comp | Compressed | Boolean |

| ncp.att_def_cpyinhibit | Copy Inhibit | Boolean |
| ncp.att_def_delinhibit | Delete Inhibit | Boolean |
| ncp.att_def_execute | Execute | Boolean |
| ncp.att_def_hidden | Hidden | Boolean |
| ncp.att_def_im_comp | Immediate Compress | Boolean |
| ncp.att_def_purge | Purge | Boolean |
| ncp.att_def_reninhibit | Rename Inhibit | Boolean |
| ncp.att_def_ro | Read Only | Boolean |
| ncp.att_def_shareable | Shareable | Boolean |
| ncp.att_def_sub_only | Subdirectories Only | Boolean |
| ncp.att_def_system | System | Boolean |
| ncp.attach_during_processing | Attach During Processing | Unsigned 16-bit integer |
| ncp.attach_while_processing_attach | Attach While Processing Attach | Unsigned 16-bit integer |
| ncp.attached_indexed_files | Attached Indexed Files | Unsigned 8-bit integer |
| ncp.attr_def | Attributes | Unsigned 8-bit integer |
| ncp.attr_def_16 | Attributes | Unsigned 16-bit integer |
| ncp.attr_def_32 | Attributes | Unsigned 32-bit integer |
| ncp.attribute_valid_flag | Attribute Valid Flag | Unsigned 32-bit integer |
| ncp.attributes | Attributes | Unsigned 32-bit integer |
| ncp.audit_enable_flag | Auditing Enabled Flag | Unsigned 16-bit integer |
| ncp.audit_file_max_size | Audit File Maximum Size | Unsigned 32-bit integer |
| ncp.audit_file_size | Audit File Size | Unsigned 32-bit integer |
| ncp.audit_file_size_threshold | Audit File Size Threshold | Unsigned 32-bit integer |
| ncp.audit_file_ver_date | Audit File Version Date | Unsigned 16-bit integer |
| ncp.audit_flag | Audit Flag | Unsigned 8-bit integer |
| ncp.audit_handle | Audit File Handle | Unsigned 32-bit integer |
| ncp.audit_id | Audit ID | Unsigned 32-bit integer |
| ncp.audit_id_type | Audit ID Type | Unsigned 16-bit integer |
| ncp.audit_record_count | Audit Record Count | Unsigned 32-bit integer |
| ncp.audit_ver_date | Auditing Version Date | Unsigned 16-bit integer |
| ncp.auditing_flags | Auditing Flags | Unsigned 32-bit integer |
| ncp.avail_space | Available Space | Unsigned 32-bit integer |
| ncp.available_blocks | Available Blocks | Unsigned 32-bit integer |

| ncp.available_clusters | Available Clusters | Unsigned 16-bit integer |
| ncp.available_dir_entries | Available Directory Entries | Unsigned 32-bit integer |
| ncp.available_directory_slots | Available Directory Slots | Unsigned 16-bit integer |
| ncp.available_indexed_files | Available Indexed Files | Unsigned 16-bit integer |
| ncp.background_aged_writes | Background Aged Writes | Unsigned 32-bit integer |
| ncp.background_dirty_writes | Background Dirty Writes | Unsigned 32-bit integer |
| ncp.bad_logical_connection_count | Bad Logical Connection Count | Unsigned 16-bit integer |
| ncp.banner_name | Banner Name | String |
| ncp.base_directory_id | Base Directory ID | Unsigned 32-bit integer |
| ncp.being_aborted | Being Aborted Count | Unsigned 32-bit integer |
| ncp.being_processed | Being Processed Count | Unsigned 32-bit integer |
| ncp.big_forged_packet | Big Forged Packet Count | Unsigned 32-bit integer |
| ncp.big_invalid_packet | Big Invalid Packet Count | Unsigned 32-bit integer |
| ncp.big_invalid_slot | Big Invalid Slot Count | Unsigned 32-bit integer |
| ncp.big_read_being_torn_down | Big Read Being Torn Down Count | Unsigned 32-bit integer |
| ncp.big_read_do_it_over | Big Read Do It Over Count | Unsigned 32-bit integer |
| ncp.big_read_invalid_mess | Big Read Invalid Message Number Count | Unsigned 32-bit integer |
| ncp.big_read_no_data_avail | Big Read No Data Available Count | Unsigned 32-bit integer |
| ncp.big_read_phy_read_err | Big Read Physical Read Error Count | Unsigned 32-bit integer |
| ncp.big_read_trying_to_read | Big Read Trying To Read Too Much Count | Unsigned 32-bit integer |
| ncp.big_repeat_the_file_read | Big Repeat the File Read Count | Unsigned 32-bit integer |
| ncp.big_return_abort_mess | Big Return Abort Message Count | Unsigned 32-bit integer |
| ncp.big_send_extra_cc_count | Big Send Extra CC Count | Unsigned 32-bit integer |
| ncp.big_still_transmitting | Big Still Transmitting Count | Unsigned 32-bit integer |
| ncp.big_write_being_abort | Big Write Being Aborted Count | Unsigned 32-bit integer |

| ncp.big_write_being_torn_down | Big Write Being Torn Down Count | Unsigned 32-bit integer |
| ncp.big_write_inv_message_num | Big Write Invalid Message Number Count | Unsigned 32-bit integer |
| ncp.bindery_context | Bindery Context | |
| ncp.bit_map | Bit Map | Byte array |
| ncp.block_number | Block Number | Unsigned 32-bit integer |
| ncp.block_size | Block Size | Unsigned 16-bit integer |
| ncp.block_size_in_sectors | Block Size in Sectors | Unsigned 32-bit integer |
| ncp.board_installed | Board Installed | Unsigned 8-bit integer |
| ncp.board_number | Board Number | Unsigned 32-bit integer |
| ncp.board_numbers | Board Numbers | Unsigned 32-bit integer |
| ncp.buffer_size | Buffer Size | Unsigned 16-bit integer |
| ncp.bumped_out_of_order | Bumped Out Of Order Write Count | Unsigned 32-bit integer |
| ncp.burst_len | Burst Length | Unsigned 32-bit integer |
| ncp.burst_seqno | Burst Sequence Number | Unsigned 16-bit integer |
| ncp.bus_string | Bus String | String |
| ncp.bus_type | Bus Type | Unsigned 8-bit integer |
| ncp.bytes_actually_transferred | Bytes Actually Transferred | Unsigned 32-bit integer |
| ncp.bytes_read | Bytes Read | String |
| ncp.bytes_to_copy | Bytes to Copy | Unsigned 32-bit integer |
| ncp.bytes_written | Bytes Written | String |
| ncp.cache_allocations | Cache Allocations | Unsigned 32-bit integer |
| ncp.cache_block_scrapped | Cache Block Scrapped | Unsigned 16-bit integer |
| ncp.cache_buffer_count | Cache Buffer Count | Unsigned 16-bit integer |
| ncp.cache_buffer_size | Cache Buffer Size | Unsigned 16-bit integer |
| ncp.cache_byte_to_block | Cache Byte To Block Shift Factor | Unsigned 32-bit integer |
| ncp.cache_dirty_block_thresh | Cache Dirty Block Threshold | Unsigned 32-bit integer |
| ncp.cache_dirty_wait_time | Cache Dirty Wait Time | Unsigned 32-bit integer |
| ncp.cache_full_write_requests | Cache Full Write Requests | Unsigned 32-bit integer |
| ncp.cache_get_requests | Cache Get Requests | Unsigned 32-bit integer |

| ncp.cache_hit_on_unavailable_block | Cache Hit On Unavailable Block | Unsigned 16-bit integer |
| ncp.cache_hits | Cache Hits | Unsigned 32-bit integer |
| ncp.cache_max_concur_writes | Cache Maximum Concurrent Writes | Unsigned 32-bit integer |
| ncp.cache_misses | Cache Misses | Unsigned 32-bit integer |
| ncp.cache_partial_write_requests | Cache Partial Write Requests | Unsigned 32-bit integer |
| ncp.cache_read_requests | Cache Read Requests | Unsigned 32-bit integer |
| ncp.cache_used_while_check | Cache Used While Checking | Unsigned 32-bit integer |
| ncp.cache_write_requests | Cache Write Requests | Unsigned 32-bit integer |
| ncp.category_name | Category Name | String |
| ncp.cc_file_handle | File Handle | Byte array |
| ncp.cc_function | OP-Lock Flag | Unsigned 8-bit integer |
| ncp.cfg_max_simultaneous_transactions | Configured Max Simultaneous Transactions | Unsigned 16-bit integer |
| ncp.change_bits | Change Bits | Unsigned 16-bit integer |
| ncp.change_bits_acc_date | Access Date | Boolean |
| ncp.change_bits_adate | Archive Date | Boolean |
| ncp.change_bits_aid | Archiver ID | Boolean |
| ncp.change_bits_atime | Archive Time | Boolean |
| ncp.change_bits_cdate | Creation Date | Boolean |
| ncp.change_bits_ctime | Creation Time | Boolean |
| ncp.change_bits_fatt | File Attributes | Boolean |
| ncp.change_bits_max_acc_mask | Maximum Access Mask | Boolean |
| ncp.change_bits_max_space | Maximum Space | Boolean |
| ncp.change_bits_modify | Modify Name | Boolean |
| ncp.change_bits_owner | Owner ID | Boolean |
| ncp.change_bits_udate | Update Date | Boolean |
| ncp.change_bits_uid | Update ID | Boolean |
| ncp.change_bits_utime | Update Time | Boolean |
| ncp.channel_state | Channel State | Unsigned 8-bit integer |
| ncp.channel_synchronization_state | Channel Synchronization State | Unsigned 8-bit integer |
| ncp.charge_amount | Charge Amount | Unsigned 32-bit integer |

| ncp.charge_information | Charge Information | Unsigned 32-bit integer |
| ncp.checksum_error_count | Checksum Error Count | Unsigned 32-bit integer |
| ncp.checksuming | Checksumming | Boolean |
| ncp.client_comp_flag | Completion Flag | Unsigned 16-bit integer |
| ncp.client_id_number | Client ID Number | Unsigned 32-bit integer |
| ncp.client_list | Client List | Unsigned 32-bit integer |
| ncp.client_list_cnt | Client List Count | Unsigned 16-bit integer |
| ncp.client_list_len | Client List Length | Unsigned 8-bit integer |
| ncp.client_record_area | Client Record Area | String |
| ncp.client_station | Client Station | Unsigned 8-bit integer |
| ncp.client_station_long | Client Station | Unsigned 32-bit integer |
| ncp.client_task_number | Client Task Number | Unsigned 8-bit integer |
| ncp.client_task_number_long | Client Task Number | Unsigned 32-bit integer |
| ncp.cluster_count | Cluster Count | Unsigned 16-bit integer |
| ncp.clusters_used_by_directories | Clusters Used by Directories | Unsigned 32-bit integer |
| ncp.clusters_used_by_extended_dirs | Clusters Used by Extended Directories | Unsigned 32-bit integer |
| ncp.clusters_used_by_fat | Clusters Used by FAT | Unsigned 32-bit integer |
| ncp.cmd_flags_advanced | Advanced | Boolean |
| ncp.cmd_flags_hidden | Hidden | Boolean |
| ncp.cmd_flags_later | Restart Server Required to Take Effect | Boolean |
| ncp.cmd_flags_secure | Console Secured | Boolean |
| ncp.cmd_flags_startup_only | Startup.ncf Only | Boolean |
| ncp.cmpbyteincount | Compress Byte In Count | Unsigned 32-bit integer |
| ncp.cmpbyteoutcnt | Compress Byte Out Count | Unsigned 32-bit integer |
| ncp.cmphibyteincnt | Compress High Byte In Count | Unsigned 32-bit integer |
| ncp.cmphibyteoutcnt | Compress High Byte Out Count | Unsigned 32-bit integer |
| ncp.cmphitickcnt | Compress High Tick Count | Unsigned 32-bit integer |
| ncp.cmphitickhigh | Compress High Tick | Unsigned 32-bit integer |
| ncp.co_proc_string | CoProcessor String | String |

| ncp.co_processor_flag | CoProcessor Present Flag | Unsigned 32-bit integer |
| ncp.com_cnts | Communication Counters | Unsigned 16-bit integer |
| ncp.comment | Comment | |
| ncp.comment_type | Comment Type | Unsigned 16-bit integer |
| ncp.complete_signatures | Complete Signatures | Boolean |
| ncp.completion_code | Completion Code | Unsigned 8-bit integer |
| ncp.compress_volume | Volume Compression | Unsigned 32-bit integer |
| ncp.compressed_data_streams_count | Compressed Data Streams Count | Unsigned 32-bit integer |
| ncp.compressed_limbo_data_streams_count | Compressed Limbo Data Streams Count | Unsigned 32-bit integer |
| ncp.compressed_sectors | Compressed Sectors | Unsigned 32-bit integer |
| ncp.compression_ios_limit | Compression IOs Limit | Unsigned 32-bit integer |
| ncp.compression_lower_limit | Compression Lower Limit | Unsigned 32-bit integer |
| ncp.compression_stage | Compression Stage | Unsigned 32-bit integer |
| ncp.config_major_vn | Configuration Major Version Number | Unsigned 8-bit integer |
| ncp.config_minor_vn | Configuration Minor Version Number | Unsigned 8-bit integer |
| ncp.configuration_description | Configuration Description | String |
| ncp.configuration_text | Configuration Text | String |
| ncp.configured_max_bindery_objects | Configured Max Bindery Objects | Unsigned 16-bit integer |
| ncp.configured_max_open_files | Configured Max Open Files | Unsigned 16-bit integer |
| ncp.configured_max_routing_buffers | Configured Max Routing Buffers | Unsigned 16-bit integer |
| ncp.conn_being_aborted | Connection Being Aborted Count | Unsigned 32-bit integer |
| ncp.conn_ctrl_bits | Connection Control | Unsigned 8-bit integer |
| ncp.conn_list | Connection List | Unsigned 32-bit integer |
| ncp.conn_list_count | Connection List Count | Unsigned 32-bit integer |
| ncp.conn_list_len | Connection List Length | Unsigned 8-bit integer |
| ncp.conn_number_byte | Connection Number | Unsigned 8-bit integer |
| ncp.conn_number_word | Connection Number | Unsigned 16-bit integer |
| ncp.connected_lan | LAN Adapter | Unsigned 32-bit integer |
| ncp.connection | Connection Number | Unsigned 16-bit integer |

| ncp.connection_list | Connection List | Unsigned 32-bit integer |
| ncp.connection_number | Connection Number | Unsigned 32-bit integer |
| ncp.connection_number_list | Connection Number List | |
| ncp.connection_service_type | Connection Service Type | Unsigned 8-bit integer |
| ncp.connection_status | Connection Status | Unsigned 8-bit integer |
| ncp.connection_type | Connection Type | Unsigned 8-bit integer |
| ncp.connections_in_use | Connections In Use | Unsigned 16-bit integer |
| ncp.connections_max_used | Connections Max Used | Unsigned 16-bit integer |
| ncp.connections_supported_max | Connections Supported Max | Unsigned 16-bit integer |
| ncp.control_being_torn_down | Control Being Torn Down Count | Unsigned 32-bit integer |
| ncp.control_code | Control Code | Unsigned 8-bit integer |
| ncp.control_flags | Control Flags | Unsigned 8-bit integer |
| ncp.control_invalid_message_number | Control Invalid Message Number Count | Unsigned 32-bit integer |
| ncp.controller_drive_number | Controller Drive Number | Unsigned 8-bit integer |
| ncp.controller_number | Controller Number | Unsigned 8-bit integer |
| ncp.controller_type | Controller Type | Unsigned 8-bit integer |
| ncp.cookie_1 | Cookie 1 | Unsigned 32-bit integer |
| ncp.cookie_2 | Cookie 2 | Unsigned 32-bit integer |
| ncp.copies | Copies | Unsigned 8-bit integer |
| ncp.copyright | Copyright | |
| ncp.counter_mask | Counter Mask | Unsigned 8-bit integer |
| ncp.cpu_number | CPU Number | Unsigned 32-bit integer |
| ncp.cpu_string | CPU String | String |
| ncp.cpu_type | CPU Type | Unsigned 8-bit integer |
| ncp.creation_date | Creation Date | Unsigned 16-bit integer |
| ncp.creation_time | Creation Time | Unsigned 16-bit integer |
| ncp.creator_id | Creator ID | Unsigned 32-bit integer |
| ncp.creator_name_space_number | Creator Name Space Number | Unsigned 8-bit integer |
| ncp.credit_limit | Credit Limit | Unsigned 32-bit integer |

| ncp.ctl_bad_ack_frag_list | Control Bad ACK Fragment List Count | Unsigned 32-bit integer |
| ncp.ctl_no_data_read | Control No Data Read Count | Unsigned 32-bit integer |
| ncp.ctrl_flags | Control Flags | Unsigned 16-bit integer |
| ncp.cur_blk_being_dcompress | Current Block Being Decompressed | Unsigned 32-bit integer |
| ncp.cur_comp_blks | Current Compression Blocks | Unsigned 32-bit integer |
| ncp.cur_initial_blks | Current Initial Blocks | Unsigned 32-bit integer |
| ncp.cur_inter_blks | Current Intermediate Blocks | Unsigned 32-bit integer |
| ncp.cur_num_of_r_tags | Current Number of Resource Tags | Unsigned 32-bit integer |
| ncp.curr_num_cache_buff | Current Number Of Cache Buffers | Unsigned 32-bit integer |
| ncp.curr_ref_id | Current Reference ID | Unsigned 16-bit integer |
| ncp.current_changed_fats | Current Changed FAT Entries | Unsigned 16-bit integer |
| ncp.current_entries | Current Entries | Unsigned 32-bit integer |
| ncp.current_form_type | Current Form Type | Unsigned 8-bit integer |
| ncp.current_lfs_counters | Current LFS Counters | Unsigned 32-bit integer |
| ncp.current_open_files | Current Open Files | Unsigned 16-bit integer |
| ncp.current_server_time | Time Elapsed Since Server Was Brought Up | Unsigned 32-bit integer |
| ncp.current_servers | Current Servers | Unsigned 32-bit integer |
| ncp.current_space | Current Space | Unsigned 32-bit integer |
| ncp.current_trans_count | Current Transaction Count | Unsigned 32-bit integer |
| ncp.current_used_bindery_objects | Current Used Bindery Objects | Unsigned 16-bit integer |
| ncp.currently_used_routing_buffers | Currently Used Routing Buffers | Unsigned 16-bit integer |
| ncp.custom_cnts | Custom Counters | Unsigned 32-bit integer |
| ncp.custom_count | Custom Count | Unsigned 32-bit integer |
| ncp.custom_counters | Custom Counters | Unsigned 32-bit integer |
| ncp.custom_string | Custom String | |
| ncp.custom_var_value | Custom Variable Value | Unsigned 32-bit integer |
| ncp.data | Data | |
| ncp.data_bytes | Data Bytes | Unsigned 16-bit integer |

| ncp.data_fork_first_fat | Data Fork First FAT Entry | Unsigned 32-bit integer |
| ncp.data_fork_len | Data Fork Len | Unsigned 32-bit integer |
| ncp.data_fork_size | Data Fork Size | Unsigned 32-bit integer |
| ncp.data_offset | Data Offset | Unsigned 32-bit integer |
| ncp.data_size | Data Size | Unsigned 32-bit integer |
| ncp.data_stream | Data Stream | Unsigned 8-bit integer |
| ncp.data_stream_name | Data Stream Name | |
| ncp.data_stream_number | Data Stream Number | Unsigned 8-bit integer |
| ncp.data_stream_size | Size | Unsigned 32-bit integer |
| ncp.data_stream_space_alloc | Space Allocated for Data Stream | Unsigned 32-bit integer |
| ncp.data_streams_count | Data Streams Count | Unsigned 32-bit integer |
| ncp.dc_dirty_wait_time | DC Dirty Wait Time | Unsigned 32-bit integer |
| ncp.dc_double_read_flag | DC Double Read Flag | Unsigned 32-bit integer |
| ncp.dc_max_concurrent_writes | DC Maximum Concurrent Writes | Unsigned 32-bit integer |
| ncp.dc_min_non_ref_time | DC Minimum Non-Referenced Time | Unsigned 32-bit integer |
| ncp.dc_wait_time_before_new_buff | DC Wait Time Before New Buffer | Unsigned 32-bit integer |
| ncp.dead_mirror_table | Dead Mirror Table | Byte array |
| ncp.dealloc_being_proc | De-Allocate Being Processed Count | Unsigned 32-bit integer |
| ncp.dealloc_forged_packet | De-Allocate Forged Packet Count | Unsigned 32-bit integer |
| ncp.dealloc_invalid_slot | De-Allocate Invalid Slot Count | Unsigned 32-bit integer |
| ncp.dealloc_still_transmit | De-Allocate Still Transmitting Count | Unsigned 32-bit integer |
| ncp.decpbyteincount | DeCompress Byte In Count | Unsigned 32-bit integer |
| ncp.decpbyteoutcnt | DeCompress Byte Out Count | Unsigned 32-bit integer |
| ncp.decphibyteincnt | DeCompress High Byte In Count | Unsigned 32-bit integer |
| ncp.decphibyteoutcnt | DeCompress High Byte Out Count | Unsigned 32-bit integer |
| ncp.decphitickcnt | DeCompress High Tick Count | Unsigned 32-bit integer |
| ncp.decphitickhigh | DeCompress High Tick | Unsigned 32-bit integer |

| ncp.definded_name_spaces | Defined Name Spaces | Unsigned 8-bit integer |
| ncp.defined_data_streams | Defined Data Streams | Unsigned 8-bit integer |
| ncp.delay_time | Delay Time | Unsigned 32-bit integer |
| ncp.delete_existing_file_flag | Delete Existing File Flag | Unsigned 8-bit integer |
| ncp.delete_id | Deleted ID | Unsigned 32-bit integer |
| ncp.deleted_date | Deleted Date | Unsigned 16-bit integer |
| ncp.deleted_file_time | Deleted File Time | Unsigned 32-bit integer |
| ncp.deleted_time | Deleted Time | Unsigned 16-bit integer |
| ncp.deny_read_count | Deny Read Count | Unsigned 16-bit integer |
| ncp.deny_write_count | Deny Write Count | Unsigned 16-bit integer |
| ncp.description_string | Description | String |
| ncp.desired_access_rights | Desired Access Rights | Unsigned 16-bit integer |
| ncp.desired_response_count | Desired Response Count | Unsigned 16-bit integer |
| ncp.dest_component_count | Destination Path Component Count | Unsigned 8-bit integer |
| ncp.dest_dir_handle | Destination Directory Handle | Unsigned 8-bit integer |
| ncp.dest_name_space | Destination Name Space | Unsigned 8-bit integer |
| ncp.dest_path | Destination Path | |
| ncp.detach_during_processing | Detach During Processing | Unsigned 16-bit integer |
| ncp.detach_for_bad_connection_number | Detach For Bad Connection Number | Unsigned 16-bit integer |
| ncp.dir_base | Directory Base | Unsigned 32-bit integer |
| ncp.dir_count | Directory Count | Unsigned 16-bit integer |
| ncp.dir_handle | Directory Handle | Unsigned 8-bit integer |
| ncp.dir_handle_long | Directory Handle | Unsigned 32-bit integer |
| ncp.dir_handle_name | Handle Name | Unsigned 8-bit integer |
| ncp.directory_access_rights | Directory Access Rights | Unsigned 8-bit integer |
| ncp.directory_attributes | Directory Attributes | Unsigned 8-bit integer |
| ncp.directory_entry_number | Directory Entry Number | Unsigned 32-bit integer |
| ncp.directory_entry_number_word | Directory Entry Number | Unsigned 16-bit integer |
| ncp.directory_id | Directory ID | Unsigned 16-bit integer |

| ncp.directory_name | Directory Name | String |
| ncp.directory_name_14 | Directory Name | String |
| ncp.directory_name_len | Directory Name Length | Unsigned 8-bit integer |
| ncp.directory_number | Directory Number | Unsigned 32-bit integer |
| ncp.directory_path | Directory Path | String |
| ncp.directory_services_object_id | Directory Services Object ID | Unsigned 32-bit integer |
| ncp.directory_stamp | Directory Stamp (0xD1D1) | Unsigned 16-bit integer |
| ncp.dirty_cache_buffers | Dirty Cache Buffers | Unsigned 16-bit integer |
| ncp.disable_brdcasts | Disable Broadcasts | Boolean |
| ncp.disable_personal_brdcasts | Disable Personal Broadcasts | Boolean |
| ncp.disable_wdog_messages | Disable Watchdog Message | Boolean |
| ncp.disk_channel_number | Disk Channel Number | Unsigned 8-bit integer |
| ncp.disk_channel_table | Disk Channel Table | Unsigned 8-bit integer |
| ncp.disk_space_limit | Disk Space Limit | Unsigned 32-bit integer |
| ncp.dm_flags | DM Flags | Unsigned 8-bit integer |
| ncp.dm_info_entries | DM Info Entries | Unsigned 32-bit integer |
| ncp.dm_info_level | DM Info Level | Unsigned 8-bit integer |
| ncp.dm_major_version | DM Major Version | Unsigned 32-bit integer |
| ncp.dm_minor_version | DM Minor Version | Unsigned 32-bit integer |
| ncp.dm_present_flag | Data Migration Present Flag | Unsigned 8-bit integer |
| ncp.dma_channels_used | DMA Channels Used | Unsigned 32-bit integer |
| ncp.dos_directory_base | DOS Directory Base | Unsigned 32-bit integer |
| ncp.dos_directory_entry | DOS Directory Entry | Unsigned 32-bit integer |
| ncp.dos_directory_entry_number | DOS Directory Entry Number | Unsigned 32-bit integer |
| ncp.dos_file_attributes | DOS File Attributes | Unsigned 8-bit integer |
| ncp.dos_parent_directory_entry | DOS Parent Directory Entry | Unsigned 32-bit integer |
| ncp.dos_sequence | DOS Sequence | Unsigned 32-bit integer |
| ncp.drive_cylinders | Drive Cylinders | Unsigned 16-bit integer |
| ncp.drive_definition_string | Drive Definition | String |
| ncp.drive_heads | Drive Heads | Unsigned 8-bit integer |
| ncp.drive_mapping_table | Drive Mapping Table | Byte array |

| ncp.drive_mirror_table | Drive Mirror Table | Byte array |
| ncp.drive_removable_flag | Drive Removable Flag | Unsigned 8-bit integer |
| ncp.drive_size | Drive Size | Unsigned 32-bit integer |
| ncp.driver_board_name | Driver Board Name | String |
| ncp.driver_log_name | Driver Logical Name | String |
| ncp.driver_short_name | Driver Short Name | String |
| ncp.dsired_acc_rights_compat | Compatibility | Boolean |
| ncp.dsired_acc_rights_del_file_cls | Delete File Close | Boolean |
| ncp.dsired_acc_rights_deny_r | Deny Read | Boolean |
| ncp.dsired_acc_rights_deny_w | Deny Write | Boolean |
| ncp.dsired_acc_rights_read_o | Read Only | Boolean |
| ncp.dsired_acc_rights_w_thru | File Write Through | Boolean |
| ncp.dsired_acc_rights_write_o | Write Only | Boolean |
| ncp.dst_connection | Destination Connection ID | Unsigned 32-bit integer |
| ncp.dst_ea_flags | Destination EA Flags | Unsigned 16-bit integer |
| ncp.dst_ns_indicator | Destination Name Space Indicator | Unsigned 16-bit integer |
| ncp.dst_queue_id | Destination Queue ID | Unsigned 32-bit integer |
| ncp.dup_is_being_sent | Duplicate Is Being Sent Already Count | Unsigned 32-bit integer |
| ncp.duplicate_replies_sent | Duplicate Replies Sent | Unsigned 16-bit integer |
| ncp.dyn_mem_struct_cur | Current Used Dynamic Space | Unsigned 32-bit integer |
| ncp.dyn_mem_struct_max | Max Used Dynamic Space | Unsigned 32-bit integer |
| ncp.dyn_mem_struct_total | Total Dynamic Space | Unsigned 32-bit integer |
| ncp.ea_access_flag | EA Access Flag | Unsigned 16-bit integer |
| ncp.ea_bytes_written | Bytes Written | Unsigned 32-bit integer |
| ncp.ea_count | Count | Unsigned 32-bit integer |
| ncp.ea_data_size | Data Size | Unsigned 32-bit integer |
| ncp.ea_data_size_duplicated | Data Size Duplicated | Unsigned 32-bit integer |
| ncp.ea_duplicate_count | Duplicate Count | Unsigned 32-bit integer |

| ncp.ea_error_codes | EA Error Codes | Unsigned 16-bit integer |
| ncp.ea_flags | EA Flags | Unsigned 16-bit integer |
| ncp.ea_handle | EA Handle | Unsigned 32-bit integer |
| ncp.ea_handle_or_netware_handle_or_volume | EAHandle or NetWare Handle or Volume (see EAFlags) | Unsigned 32-bit integer |
| ncp.ea_key | EA Key | |
| ncp.ea_key_size | Key Size | Unsigned 32-bit integer |
| ncp.ea_key_size_duplicated | Key Size Duplicated | Unsigned 32-bit integer |
| ncp.ea_need_bit_flag | EA Need Bit Flag | Boolean |
| ncp.ea_value | EA Value | |
| ncp.ea_value_length | Value Length | Unsigned 16-bit integer |
| ncp.ea_value_rep | EA Value | String |
| ncp.ecb_cxl_fails | ECB Cancel Failures | Unsigned 32-bit integer |
| ncp.echo_socket | Echo Socket | Unsigned 16-bit integer |
| ncp.effective_rights | Effective Rights | Unsigned 8-bit integer |
| ncp.effective_rights_create | Create Rights | Boolean |
| ncp.effective_rights_delete | Delete Rights | Boolean |
| ncp.effective_rights_modify | Modify Rights | Boolean |
| ncp.effective_rights_open | Open Rights | Boolean |
| ncp.effective_rights_parental | Parental Rights | Boolean |
| ncp.effective_rights_read | Read Rights | Boolean |
| ncp.effective_rights_search | Search Rights | Boolean |
| ncp.effective_rights_write | Write Rights | Boolean |
| ncp.enable_brdcasts | Enable Broadcasts | Boolean |
| ncp.enable_personal_brdcasts | Enable Personal Broadcasts | Boolean |
| ncp.enable_wdog_messages | Enable Watchdog Message | Boolean |
| ncp.encryption | Encryption | Boolean |
| ncp.enqueued_send_cnt | Enqueued Send Count | Unsigned 32-bit integer |
| ncp.enum_info_account | Accounting Information | Boolean |
| ncp.enum_info_auth | Authentication Information | Boolean |

| ncp.enum_info_lock | Lock Information | Boolean |
| ncp.enum_info_mask | Return Information Mask | Unsigned 8-bit integer |
| ncp.enum_info_name | Name Information | Boolean |
| ncp.enum_info_print | Print Information | Boolean |
| ncp.enum_info_stats | Statistical Information | Boolean |
| ncp.enum_info_time | Time Information | Boolean |
| ncp.enum_info_transport | Transport Information | Boolean |
| ncp.err_doing_async_read | Error Doing Async Read Count | Unsigned 32-bit integer |
| ncp.error_read_last_fat | Error Reading Last FAT Count | Unsigned 32-bit integer |
| ncp.event_offset | Event Offset | Byte array |
| ncp.event_time | Event Time | Unsigned 32-bit integer |
| ncp.expiration_time | Expiration Time | Unsigned 32-bit integer |
| ncp.ext_info | Extended Return Information | Unsigned 16-bit integer |
| ncp.ext_info_64_bit_fs | 64 Bit File Sizes | Boolean |
| ncp.ext_info_access | Last Access | Boolean |
| ncp.ext_info_dos_name | DOS Name | Boolean |
| ncp.ext_info_effective | Effective | Boolean |
| ncp.ext_info_flush | Flush | Boolean |
| ncp.ext_info_mac_date | MAC Date | Boolean |
| ncp.ext_info_mac_finder | MAC Finder | Boolean |
| ncp.ext_info_newstyle | New Style | Boolean |
| ncp.ext_info_parental | Parental | Boolean |
| ncp.ext_info_sibling | Sibling | Boolean |
| ncp.ext_info_update | Update | Boolean |
| ncp.ext_router_active_flag | External Router Active Flag | Boolean |
| ncp.extended_attribute_extants_used | Extended Attribute Extants Used | Unsigned 32-bit integer |
| ncp.extended_attributes_defined | Extended Attributes Defined | Unsigned 32-bit integer |
| ncp.extra_extra_use_count_node_count | Errors allocating an additional use count node for TTS | Unsigned 32-bit integer |
| ncp.extra_use_count_node_count | Errors allocating a use count node for TTS | Unsigned 32-bit integer |


ncp.failed_alloc_req   Failed Alloc Request Count   Unsigned 32-bit integer
ncp.fat_moved   Number of times the OS has move the location of FAT   Unsigned 32-bit integer
ncp.fat_scan_errors   FAT Scan Errors   Unsigned 16-bit integer
ncp.fat_write_err   Number of write errors in both original and mirrored copies of FAT   Unsigned 32-bit integer
ncp.fat_write_errors   FAT Write Errors
ncp.fatal_fat_write_errors   Fatal FAT Write Errors
ncp.fields_len_table   Fields Len Table
ncp.file_count   File Count
ncp.file_date   File Date
ncp.file_dir_win   File/Dir Window
ncp.file_execute_type   File Execute Type
ncp.file_ext_attr   File Extended Attributes
ncp.file_flags   File Flags
ncp.file_handle   File Handle
ncp.file_limbo   File Limbo
ncp.file_list_count   File List Count
ncp.file_lock_count   File Lock Count
ncp.file_mode   File Mode
ncp.file_name   Filename
ncp.file_name_12   Filename
ncp.file_name_14   Filename
ncp.file_name_len   Filename Length
ncp.file_offset   File Offset
ncp.file_path   File Path
ncp.file_size   File Size
ncp.file_system_id   File System ID
ncp.file_time   File Time
ncp.file_write_flags   File Write Flags
ncp.file_write_state   File Write State
ncp.filler   Filler
ncp.finder_attr   Finder Info Attributes
ncp.finder_attr_bundle   Object Has Bundle
Type Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Boolean String String Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Byte array Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer


ncp.finder_attr_desktop   Object on Desktop   Boolean
ncp.finder_attr_invisible   Object is Invisible   Boolean
ncp.first_packet_isnt_a_write   First Packet Isnt A Write Count   Unsigned 32-bit integer
ncp.fixed_bit_mask   Fixed Bit Mask   Unsigned 32-bit integer
ncp.fixed_bits_defined   Fixed Bits Defined   Unsigned 16-bit integer
ncp.flag_bits   Flag Bits   Unsigned 8-bit integer
ncp.flags   Flags   Unsigned 8-bit integer
ncp.flags_def   Flags   Unsigned 16-bit integer
ncp.flush_time   Flush Time   Unsigned 32-bit integer
ncp.folder_flag   Folder Flag   Unsigned 8-bit integer
ncp.force_flag   Force Server Down Flag   Unsigned 8-bit integer
ncp.forged_detached_requests   Forged Detached Requests   Unsigned 16-bit integer
ncp.forged_packet   Forged Packet Count   Unsigned 32-bit integer
ncp.fork_count   Fork Count   Unsigned 8-bit integer
ncp.fork_indicator   Fork Indicator   Unsigned 8-bit integer
ncp.form_type   Form Type   Unsigned 16-bit integer
ncp.form_type_count   Form Types Count   Unsigned 32-bit integer
ncp.found_some_mem   Found Some Memory   Unsigned 32-bit integer
ncp.fractional_time   Fractional Time in Seconds   Unsigned 32-bit integer
ncp.frag_size   Fragment Size   Unsigned 32-bit integer
ncp.fragger_handle   Fragment Handle   Unsigned 32-bit integer
ncp.fragment_write_occurred   Fragment Write Occurred   Unsigned 16-bit integer
ncp.free_blocks   Free Blocks   Unsigned 32-bit integer
ncp.free_directory_entries   Free Directory Entries   Unsigned 16-bit integer
ncp.freeable_limbo_sectors   Freeable Limbo Sectors   Unsigned 32-bit integer
ncp.freed_clusters   Freed Clusters   Unsigned 32-bit integer
ncp.fs_engine_flag   FS Engine Flag   Boolean
ncp.full_name   Full Name   String
ncp.func   Function   Unsigned 8-bit integer
ncp.generic_block_size   Block Size   Unsigned 32-bit integer
ncp.generic_capacity   Capacity   Unsigned 32-bit integer
ncp.generic_cartridge_type   Cartridge Type   Unsigned 32-bit integer


ncp.generic_child_count   Child Count   Unsigned 32-bit integer
ncp.generic_ctl_mask   Control Mask   Unsigned 32-bit integer
ncp.generic_func_mask   Function Mask   Unsigned 32-bit integer
ncp.generic_ident_time   Identification Time   Unsigned 32-bit integer
ncp.generic_ident_type   Identification Type   Unsigned 32-bit integer
ncp.generic_label   Label   String
ncp.generic_media_slot   Media Slot   Unsigned 32-bit integer
ncp.generic_media_type   Media Type   Unsigned 32-bit integer
ncp.generic_name   Name   String
ncp.generic_object_uniq_id   Unique Object ID   Unsigned 32-bit integer
ncp.generic_parent_count   Parent Count   Unsigned 32-bit integer
ncp.generic_pref_unit_size   Preferred Unit Size   Unsigned 32-bit integer
ncp.generic_sib_count   Sibling Count   Unsigned 32-bit integer
ncp.generic_spec_info_sz   Specific Information Size   Unsigned 32-bit integer
ncp.generic_status   Status   Unsigned 32-bit integer
ncp.generic_type   Type   Unsigned 32-bit integer
ncp.generic_unit_size   Unit Size   Unsigned 32-bit integer
ncp.get_ecb_buf   Get ECB Buffers   Unsigned 32-bit integer
ncp.get_ecb_fails   Get ECB Failures   Unsigned 32-bit integer
ncp.get_set_flag   Get Set Flag   Unsigned 8-bit integer
ncp.guid   GUID   Byte array
ncp.had_an_out_of_order   Had An Out Of Order Write Count   Unsigned 32-bit integer
ncp.handle_flag   Handle Flag   Unsigned 8-bit integer
ncp.handle_info_level   Handle Info Level   Unsigned 8-bit integer
ncp.hardware_rx_mismatch_count   Hardware Receive Mismatch Count   Unsigned 32-bit integer
ncp.held_bytes_read   Held Bytes Read   Byte array
ncp.held_bytes_write   Held Bytes Written   Byte array
ncp.held_conn_time   Held Connect Time in Minutes   Unsigned 32-bit integer
ncp.hold_amount   Hold Amount   Unsigned 32-bit integer
ncp.hold_cancel_amount   Hold Cancel Amount   Unsigned 32-bit integer
ncp.hold_time   Hold Time   Unsigned 32-bit integer
ncp.holder_id   Holder ID   Unsigned 32-bit integer


ncp.hops_to_net   Hop Count
ncp.horiz_location   Horizontal Location
ncp.host_address   Host Address
ncp.hot_fix_blocks_available   Hot Fix Blocks Available
ncp.hot_fix_disabled   Hot Fix Disabled
ncp.hot_fix_table_size   Hot Fix Table Size
ncp.hot_fix_table_start   Hot Fix Table Start
ncp.huge_bit_mask   Huge Bit Mask
ncp.huge_bits_defined   Huge Bits Defined
ncp.huge_data   Huge Data
ncp.huge_data_used   Huge Data Used
ncp.huge_state_info   Huge State Info
ncp.i_ran_out_someone_else_did_it_0   I Ran Out Someone Else Did It Count 0
ncp.i_ran_out_someone_else_did_it_1   I Ran Out Someone Else Did It Count 1
ncp.i_ran_out_someone_else_did_it_2   I Ran Out Someone Else Did It Count 2
ncp.id_get_no_read_no_wait   ID Get No Read No Wait Count
ncp.id_get_no_read_no_wait_alloc   ID Get No Read No Wait Allocate Count
ncp.id_get_no_read_no_wait_buffer   ID Get No Read No Wait No Buffer Count
ncp.id_get_no_read_no_wait_no_alloc   ID Get No Read No Wait No Alloc Count
ncp.id_get_no_read_no_wait_no_alloc_alloc   ID Get No Read No Wait No Alloc Allocate Count
ncp.id_get_no_read_no_wait_no_alloc_sema   ID Get No Read No Wait No Alloc Semaphored Count
ncp.id_get_no_read_no_wait_sema   ID Get No Read No Wait Semaphored Count
ncp.identification_number   Identification Number
ncp.ignored_rx_pkts   Ignored Receive Packets
ncp.in_use   Bytes in Use
ncp.incoming_packet_discarded_no_dgroup   Incoming Packet Discarded No DGroup
ncp.info_count   Info Count
Type Unsigned 16-bit integer Unsigned 16-bit integer Byte array Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer


ncp.info_flags   Info Flags   Unsigned 32-bit integer
ncp.info_flags_all_attr   All Attributes   Boolean
ncp.info_flags_all_dirbase_num   All Directory Base Numbers   Boolean
ncp.info_flags_dos_attr   DOS Attributes   Boolean
ncp.info_flags_dos_time   DOS Time   Boolean
ncp.info_flags_ds_sizes   Data Stream Sizes   Boolean
ncp.info_flags_ea_present   EA Present Flag   Boolean
ncp.info_flags_effect_rights   Effective Rights   Boolean
ncp.info_flags_flags   Return Object Flags   Boolean
ncp.info_flags_flush_time   Flush Time   Boolean
ncp.info_flags_ids   IDs   Boolean
ncp.info_flags_mac_finder   Mac Finder Information   Boolean
ncp.info_flags_mac_time   Mac Time   Boolean
ncp.info_flags_max_access_mask   Maximum Access Mask   Boolean
ncp.info_flags_name   Return Object Name   Boolean
ncp.info_flags_ns_attr   Name Space Attributes   Boolean
ncp.info_flags_prnt_base_id   Parent Base ID   Boolean
ncp.info_flags_ref_count   Reference Count   Boolean
ncp.info_flags_security   Return Object Security   Boolean
ncp.info_flags_sibling_cnt   Sibling Count   Boolean
ncp.info_flags_type   Return Object Type   Boolean
ncp.info_level_num   Information Level Number   Unsigned 8-bit integer
ncp.info_mask   Information Mask   Unsigned 32-bit integer
ncp.info_mask_c_name_space   Creator Name Space & Name   Boolean
ncp.info_mask_dosname   DOS Name   Boolean
ncp.info_mask_name   Name   Boolean
ncp.inh_revoke_create   Create Rights   Boolean
ncp.inh_revoke_delete   Delete Rights   Boolean
ncp.inh_revoke_modify   Modify Rights   Boolean
ncp.inh_revoke_open   Open Rights   Boolean
ncp.inh_revoke_parent   Change Access   Boolean


ncp.inh_revoke_read   Read Rights   Boolean
ncp.inh_revoke_search   See Files Flag   Boolean
ncp.inh_revoke_supervisor   Supervisor   Boolean
ncp.inh_revoke_write   Write Rights   Boolean
ncp.inh_rights_create   Create Rights   Boolean
ncp.inh_rights_delete   Delete Rights   Boolean
ncp.inh_rights_modify   Modify Rights   Boolean
ncp.inh_rights_open   Open Rights   Boolean
ncp.inh_rights_parent   Change Access   Boolean
ncp.inh_rights_read   Read Rights   Boolean
ncp.inh_rights_search   See Files Flag   Boolean
ncp.inh_rights_supervisor   Supervisor   Boolean
ncp.inh_rights_write   Write Rights   Boolean
ncp.inheritance_revoke_mask   Revoke Rights Mask   Unsigned 16-bit integer
ncp.inherited_rights_mask   Inherited Rights Mask   Unsigned 16-bit integer
ncp.initial_semaphore_value   Initial Semaphore Value   Unsigned 8-bit integer
ncp.inspect_size   Inspect Size   Unsigned 32-bit integer
ncp.internet_bridge_version   Internet Bridge Version   Unsigned 8-bit integer
ncp.internl_dsk_get   Internal Disk Get Count   Unsigned 32-bit integer
ncp.internl_dsk_get_need_to_alloc   Internal Disk Get Need To Allocate Count   Unsigned 32-bit integer
ncp.internl_dsk_get_no_read   Internal Disk Get No Read Count   Unsigned 32-bit integer
ncp.internl_dsk_get_no_read_alloc   Internal Disk Get No Read Allocate Count   Unsigned 32-bit integer
ncp.internl_dsk_get_no_read_someone_beat   Internal Disk Get No Read Someone Beat Me Count   Unsigned 32-bit integer
ncp.internl_dsk_get_no_wait   Internal Disk Get No Wait Count   Unsigned 32-bit integer
ncp.internl_dsk_get_no_wait_need   Internal Disk Get No Wait Need To Allocate Count   Unsigned 32-bit integer
ncp.internl_dsk_get_no_wait_no_blk   Internal Disk Get No Wait No Block Count   Unsigned 32-bit integer
ncp.internl_dsk_get_part_read   Internal Disk Get Partial Read Count   Unsigned 32-bit integer


ncp.internl_dsk_get_read_err   Internal Disk Get Read Error Count   Unsigned 32-bit integer
ncp.internl_dsk_get_someone_beat   Internal Disk Get Someone Beat My Count   Unsigned 32-bit integer
ncp.internl_dsk_write   Internal Disk Write Count   Unsigned 32-bit integer
ncp.internl_dsk_write_alloc   Internal Disk Write Allocate Count   Unsigned 32-bit integer
ncp.internl_dsk_write_someone_beat   Internal Disk Write Someone Beat Me Count   Unsigned 32-bit integer
ncp.interrupt_numbers_used   Interrupt Numbers Used   Unsigned 32-bit integer
ncp.invalid_control_req   Invalid Control Request Count   Unsigned 32-bit integer
ncp.invalid_req_type   Invalid Request Type Count   Unsigned 32-bit integer
ncp.invalid_sequence_number   Invalid Sequence Number Count   Unsigned 32-bit integer
ncp.invalid_slot   Invalid Slot Count   Unsigned 32-bit integer
ncp.io_addresses_used   IO Addresses Used   Byte array
ncp.io_engine_flag   IO Engine Flag   Boolean
ncp.io_error_count   IO Error Count   Unsigned 16-bit integer
ncp.io_flag   IO Flag   Unsigned 32-bit integer
ncp.ip.length   NCP over IP length   Unsigned 32-bit integer
ncp.ip.packetsig   NCP over IP Packet Signature   Byte array
ncp.ip.replybufsize   NCP over IP Reply Buffer Size   Unsigned 32-bit integer
ncp.ip.signature   NCP over IP signature   Unsigned 32-bit integer
ncp.ip.version   NCP over IP Version   Unsigned 32-bit integer
ncp.ipx_aes_event   IPX AES Event Count   Unsigned 32-bit integer
ncp.ipx_ecb_cancel_fail   IPX ECB Cancel Fail Count   Unsigned 16-bit integer
ncp.ipx_get_ecb_fail   IPX Get ECB Fail Count   Unsigned 32-bit integer
ncp.ipx_get_ecb_req   IPX Get ECB Request Count   Unsigned 32-bit integer
ncp.ipx_get_lcl_targ_fail   IPX Get Local Target Fail Count   Unsigned 16-bit integer
ncp.ipx_listen_ecb   IPX Listen ECB Count   Unsigned 32-bit integer
ncp.ipx_malform_pkt   IPX Malformed Packet Count   Unsigned 16-bit integer


ncp.ipx_max_conf_sock   IPX Max Configured Socket Count   Unsigned 16-bit integer
ncp.ipx_max_open_sock   IPX Max Open Socket Count   Unsigned 16-bit integer
ncp.ipx_not_my_network   IPX Not My Network   Unsigned 16-bit integer
ncp.ipx_open_sock_fail   IPX Open Socket Fail Count   Unsigned 16-bit integer
ncp.ipx_postponed_aes   IPX Postponed AES Count   Unsigned 16-bit integer
ncp.ipx_send_pkt   IPX Send Packet Count   Unsigned 32-bit integer
ncp.items_changed   Items Changed   Unsigned 32-bit integer
ncp.items_checked   Items Checked   Unsigned 32-bit integer
ncp.items_count   Items Count   Unsigned 32-bit integer
ncp.items_in_list   Items in List   Unsigned 32-bit integer
ncp.items_in_packet   Items in Packet   Unsigned 32-bit integer
ncp.job_control1_file_open   File Open   Boolean
ncp.job_control1_job_recovery   Job Recovery   Boolean
ncp.job_control1_operator_hold   Operator Hold   Boolean
ncp.job_control1_reservice   ReService Job   Boolean
ncp.job_control1_user_hold   User Hold   Boolean
ncp.job_control_file_open   File Open   Boolean
ncp.job_control_flags   Job Control Flags   Unsigned 8-bit integer
ncp.job_control_flags_word   Job Control Flags   Unsigned 16-bit integer
ncp.job_control_job_recovery   Job Recovery   Boolean
ncp.job_control_operator_hold   Operator Hold   Boolean
ncp.job_control_reservice   ReService Job   Boolean
ncp.job_control_user_hold   User Hold   Boolean
ncp.job_count   Job Count   Unsigned 32-bit integer
ncp.job_file_handle   Job File Handle   Byte array
ncp.job_file_handle_long   Job File Handle   Unsigned 32-bit integer
ncp.job_file_name   Job File Name   String
ncp.job_number   Job Number   Unsigned 16-bit integer
ncp.job_number_list   Job Number List   Unsigned 32-bit integer


ncp.job_number_long   Job Number   Unsigned 32-bit integer
ncp.job_position   Job Position   Unsigned 8-bit integer
ncp.job_position_word   Job Position   Unsigned 16-bit integer
ncp.job_type   Job Type   Unsigned 16-bit integer
ncp.lan_driver_number   LAN Driver Number   Unsigned 8-bit integer
ncp.lan_drv_bd_inst   LAN Driver Board Instance   Unsigned 16-bit integer
ncp.lan_drv_bd_num   LAN Driver Board Number   Unsigned 16-bit integer
ncp.lan_drv_card_id   LAN Driver Card ID   Unsigned 16-bit integer
ncp.lan_drv_card_name   LAN Driver Card Name   String
ncp.lan_drv_dma_usage1   Primary DMA Channel   Unsigned 8-bit integer
ncp.lan_drv_dma_usage2   Secondary DMA Channel   Unsigned 8-bit integer
ncp.lan_drv_flags   LAN Driver Flags   Unsigned 16-bit integer
ncp.lan_drv_interrupt1   Primary Interrupt Vector   Unsigned 8-bit integer
ncp.lan_drv_interrupt2   Secondary Interrupt Vector   Unsigned 8-bit integer
ncp.lan_drv_io_ports_and_ranges_1   Primary Base I/O Port   Unsigned 16-bit integer
ncp.lan_drv_io_ports_and_ranges_2   Number of I/O Ports   Unsigned 16-bit integer
ncp.lan_drv_io_ports_and_ranges_3   Secondary Base I/O Port   Unsigned 16-bit integer
ncp.lan_drv_io_ports_and_ranges_4   Number of I/O Ports   Unsigned 16-bit integer
ncp.lan_drv_io_reserved   LAN Driver IO Reserved   Byte array
ncp.lan_drv_line_speed   LAN Driver Line Speed   Unsigned 16-bit integer
ncp.lan_drv_link   LAN Driver Link   Unsigned 32-bit integer
ncp.lan_drv_log_name   LAN Driver Logical Name   Byte array
ncp.lan_drv_major_ver   LAN Driver Major Version   Unsigned 8-bit integer
ncp.lan_drv_max_rcv_size   LAN Driver Maximum Receive Size   Unsigned 32-bit integer
ncp.lan_drv_max_size   LAN Driver Maximum Size   Unsigned 32-bit integer
ncp.lan_drv_media_id   LAN Driver Media ID   Unsigned 16-bit integer
ncp.lan_drv_mem_decode_0   LAN Driver Memory Decode 0   Unsigned 32-bit integer
ncp.lan_drv_mem_decode_1   LAN Driver Memory Decode 1   Unsigned 32-bit integer


ncp.lan_drv_mem_length_0   LAN Driver Memory Length 0   Unsigned 16-bit integer
ncp.lan_drv_mem_length_1   LAN Driver Memory Length 1   Unsigned 16-bit integer
ncp.lan_drv_minor_ver   LAN Driver Minor Version   Unsigned 8-bit integer
ncp.lan_drv_rcv_size   LAN Driver Receive Size   Unsigned 32-bit integer
ncp.lan_drv_reserved   LAN Driver Reserved   Unsigned 16-bit integer
ncp.lan_drv_share   LAN Driver Sharing Flags   Unsigned 16-bit integer
ncp.lan_drv_slot   LAN Driver Slot   Unsigned 16-bit integer
ncp.lan_drv_snd_retries   LAN Driver Send Retries   Unsigned 16-bit integer
ncp.lan_drv_src_route   LAN Driver Source Routing   Unsigned 32-bit integer
ncp.lan_drv_trans_time   LAN Driver Transport Time   Unsigned 16-bit integer
ncp.lan_dvr_cfg_major_vrs   LAN Driver Config - Major Version   Unsigned 8-bit integer
ncp.lan_dvr_cfg_minor_vrs   LAN Driver Config Minor Version   Unsigned 8-bit integer
ncp.lan_dvr_mode_flags   LAN Driver Mode Flags   Unsigned 8-bit integer
ncp.lan_dvr_node_addr   LAN Driver Node Address   Byte array
ncp.large_internet_packets   Large Internet Packets (LIP) Disabled   Boolean
ncp.last_access_date   Last Accessed Date   Unsigned 16-bit integer
ncp.last_access_time   Last Accessed Time   Unsigned 16-bit integer
ncp.last_garbage_collect   Last Garbage Collection   Unsigned 32-bit integer
ncp.last_instance   Last Instance   Unsigned 32-bit integer
ncp.last_record_seen   Last Record Seen   Unsigned 16-bit integer
ncp.last_search_index   Search Index   Unsigned 16-bit integer
ncp.last_seen   Last Seen   Unsigned 32-bit integer
ncp.last_sequence_number   Sequence Number   Unsigned 16-bit integer
ncp.last_time_rx_buff_was_alloc   Last Time a Receive Buffer was Allocated   Unsigned 32-bit integer
ncp.length   Packet Length   Unsigned 16-bit integer
ncp.level   Level   Unsigned 8-bit integer
ncp.lfs_counters   LFS Counters   Unsigned 32-bit integer
ncp.limb_count   Limb Count   Unsigned 32-bit integer


ncp.limbo_data_streams_count   Limbo Data Streams Count   Unsigned 32-bit integer
ncp.limbo_used   Limbo Used
ncp.local_connection_id   Local Connection ID
ncp.local_login_info_ccode   Local Login Info C Code
ncp.local_max_packet_size   Local Max Packet Size
ncp.local_max_recv_size   Local Max Recv Size
ncp.local_max_send_size   Local Max Send Size
ncp.local_target_socket   Local Target Socket
ncp.lock_area_len   Lock Area Length
ncp.lock_areas_start_offset   Lock Areas Start Offset
ncp.lock_flag   Lock Flag
ncp.lock_name   Lock Name
ncp.lock_status   Lock Status
ncp.lock_timeout   Lock Timeout
ncp.lock_type   Lock Type
ncp.locked   Locked Flag
ncp.log_file_flag_high   Log File Flag (byte 2)
ncp.log_file_flag_low   Log File Flag
ncp.log_flag_call_back   Call Back Requested
ncp.log_flag_lock_file   Lock File Immediately
ncp.log_ttl_rx_pkts   Total Received Packets
ncp.log_ttl_tx_pkts   Total Transmitted Packets
ncp.logged_count   Logged Count
ncp.logged_object_id   Logged in Object ID
ncp.logical_connection_number   Logical Connection Number
ncp.logical_drive_count   Logical Drive Count
ncp.logical_drive_number   Logical Drive Number
ncp.logical_lock_threshold   LogicalLockThreshold
ncp.logical_record_name   Logical Record Name
ncp.login_expiration_time   Login Expiration Time
ncp.login_key   Login Key
ncp.login_name   Login Name
Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Byte array


ncp.long_name   Long Name   String
ncp.lru_block_was_dirty   LRU Block Was Dirty   Unsigned 16-bit integer
ncp.lru_sit_time   LRU Sitting Time   Unsigned 32-bit integer
ncp.mac_attr   Attributes   Unsigned 16-bit integer
ncp.mac_attr_archive   Archive   Boolean
ncp.mac_attr_execute_only   Execute Only   Boolean
ncp.mac_attr_hidden   Hidden   Boolean
ncp.mac_attr_index   Index   Boolean
ncp.mac_attr_r_audit   Read Audit   Boolean
ncp.mac_attr_r_only   Read Only   Boolean
ncp.mac_attr_share   Shareable File   Boolean
ncp.mac_attr_smode1   Search Mode   Boolean
ncp.mac_attr_smode2   Search Mode   Boolean
ncp.mac_attr_smode3   Search Mode   Boolean
ncp.mac_attr_subdirectory   Subdirectory   Boolean
ncp.mac_attr_system   System   Boolean
ncp.mac_attr_transaction   Transaction   Boolean
ncp.mac_attr_w_audit   Write Audit   Boolean
ncp.mac_backup_date   Mac Backup Date   Unsigned 16-bit integer
ncp.mac_backup_time   Mac Backup Time   Unsigned 16-bit integer
ncp.mac_base_directory_id   Mac Base Directory ID   Unsigned 32-bit integer
ncp.mac_create_date   Mac Create Date   Unsigned 16-bit integer
ncp.mac_create_time   Mac Create Time   Unsigned 16-bit integer
ncp.mac_destination_base_id   Mac Destination Base ID   Unsigned 32-bit integer
ncp.mac_finder_info   Mac Finder Information   Byte array
ncp.mac_last_seen_id   Mac Last Seen ID   Unsigned 32-bit integer
ncp.mac_root_ids   MAC Root IDs   Unsigned 32-bit integer
ncp.mac_source_base_id   Mac Source Base ID   Unsigned 32-bit integer
ncp.major_version   Major Version   Unsigned 32-bit integer
ncp.map_hash_node_count   Map Hash Node Count   Unsigned 32-bit integer
ncp.max_byte_cnt   Maximum Byte Count   Unsigned 32-bit integer
ncp.max_bytes   Maximum Number of Bytes   Unsigned 16-bit integer


ncp.max_data_streams   Maximum Data Streams   Unsigned 32-bit integer
ncp.max_dir_depth   Maximum Directory Depth   Unsigned 32-bit integer
ncp.max_dirty_time   Maximum Dirty Time   Unsigned 32-bit integer
ncp.max_num_of_conn   Maximum Number of Connections   Unsigned 32-bit integer
ncp.max_num_of_dir_cache_buff   Maximum Number Of Directory Cache Buffers   Unsigned 32-bit integer
ncp.max_num_of_lans   Maximum Number Of LANs   Unsigned 32-bit integer
ncp.max_num_of_media_types   Maximum Number of Media Types   Unsigned 32-bit integer
ncp.max_num_of_medias   Maximum Number Of Medias   Unsigned 32-bit integer
ncp.max_num_of_nme_sps   Maximum Number Of Name Spaces   Unsigned 32-bit integer
ncp.max_num_of_protocols   Maximum Number of Protocols   Unsigned 32-bit integer
ncp.max_num_of_spool_pr   Maximum Number Of Spool Printers   Unsigned 32-bit integer
ncp.max_num_of_stacks   Maximum Number Of Stacks   Unsigned 32-bit integer
ncp.max_num_of_users   Maximum Number Of Users   Unsigned 32-bit integer
ncp.max_num_of_vol   Maximum Number of Volumes   Unsigned 32-bit integer
ncp.max_phy_packet_size   Maximum Physical Packet Size   Unsigned 32-bit integer
ncp.max_space   Maximum Space   Unsigned 16-bit integer
ncp.maxspace   Maximum Space   Unsigned 32-bit integer
ncp.may_had_out_of_order   Maybe Had Out Of Order Writes Count   Unsigned 32-bit integer
ncp.media_list   Media List
ncp.media_list_count   Media List Count
ncp.media_name   Media Name
ncp.media_number   Media Number
ncp.media_object_type   Object Type
ncp.member_name   Member Name
ncp.member_type   Member Type
ncp.message_language   NLM Language
Type Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer


ncp.migrated_files   Migrated Files   Unsigned 32-bit integer
ncp.migrated_sectors   Migrated Sectors   Unsigned 32-bit integer
ncp.min_cache_report_thresh   Minimum Cache Report Threshold   Unsigned 32-bit integer
ncp.min_num_of_cache_buff   Minimum Number Of Cache Buffers   Unsigned 32-bit integer
ncp.min_num_of_dir_cache_buff   Minimum Number Of Directory Cache Buffers   Unsigned 32-bit integer
ncp.min_time_since_file_delete   Minimum Time Since File Delete   Unsigned 32-bit integer
ncp.minor_version   Minor Version   Unsigned 32-bit integer
ncp.missing_data_count   Missing Data Count   Unsigned 16-bit integer
ncp.missing_data_offset   Missing Data Offset   Unsigned 32-bit integer
ncp.missing_fraglist_count   Missing Fragment List Count   Unsigned 16-bit integer
ncp.mixed_mode_path_flag   Mixed Mode Path Flag   Unsigned 8-bit integer
ncp.modified_counter   Modified Counter   Unsigned 32-bit integer
ncp.modified_date   Modified Date   Unsigned 16-bit integer
ncp.modified_time   Modified Time   Unsigned 16-bit integer
ncp.modifier_id   Modifier ID   Unsigned 32-bit integer
ncp.modify_dos_create   Creator ID   Boolean
ncp.modify_dos_delete   Archive Date   Boolean
ncp.modify_dos_info_mask   Modify DOS Info Mask   Unsigned 16-bit integer
ncp.modify_dos_inheritance   Inheritance   Boolean
ncp.modify_dos_laccess   Last Access   Boolean
ncp.modify_dos_max_space   Maximum Space   Boolean
ncp.modify_dos_mdate   Modify Date   Boolean
ncp.modify_dos_mid   Modifier ID   Boolean
ncp.modify_dos_mtime   Modify Time   Boolean
ncp.modify_dos_open   Creation Time   Boolean
ncp.modify_dos_parent   Archive Time   Boolean
ncp.modify_dos_read   Attributes   Boolean
ncp.modify_dos_search   Archiver ID   Boolean
ncp.modify_dos_write   Creation Date   Boolean


ncp.more_flag   More Flag   Unsigned 8-bit integer
ncp.more_properties   More Properties   Unsigned 8-bit integer
ncp.move_cache_node   Move Cache Node Count   Unsigned 32-bit integer
ncp.move_cache_node_from_avai   Move Cache Node From Avail Count   Unsigned 32-bit integer
ncp.moved_the_ack_bit_dn   Moved The ACK Bit Down Count   Unsigned 32-bit integer
ncp.name   Name
ncp.name12   Name
ncp.name_len   Name Space Length
ncp.name_length   Name Length
ncp.name_list   Name List
ncp.name_space   Name Space
ncp.name_space_name   Name Space Name
ncp.name_type   nameType
ncp.ncompletion_code   Completion Code
ncp.ncp_data_size   NCP Data Size
ncp.ncp_extension_major_version   NCP Extension Major Version
ncp.ncp_extension_minor_version   NCP Extension Minor Version
ncp.ncp_extension_name   NCP Extension Name
ncp.ncp_extension_number   NCP Extension Number
ncp.ncp_extension_numbers   NCP Extension Numbers
ncp.ncp_extension_revision_number   NCP Extension Revision Number
ncp.ncp_peak_sta_in_use   Peak Number of Connections since Server was brought up
ncp.ncp_sta_in_use   Number of Workstations Connected to Server
ncp.ndirty_blocks   Number of Dirty Blocks
ncp.nds_flags   NDS Flags
ncp.nds_request_flags   NDS Request Flags
ncp.nds_request_flags_alias_ref   Alias Referral
Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer String Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Boolean


ncp.nds_request_flags_dn_ref   Down Referral   Boolean
ncp.nds_request_flags_local_entry   Local Entry   Boolean
ncp.nds_request_flags_no_such_entry   No Such Entry   Boolean
ncp.nds_request_flags_output   Output Fields   Boolean
ncp.nds_request_flags_reply_data_size   Reply Data Size   Boolean
ncp.nds_request_flags_req_cnt   Request Count   Boolean
ncp.nds_request_flags_req_data_size   Request Data Size   Boolean
ncp.nds_request_flags_trans_ref   Transport Referral   Boolean
ncp.nds_request_flags_trans_ref2   Transport Referral   Boolean
ncp.nds_request_flags_type_ref   Type Referral   Boolean
ncp.nds_request_flags_up_ref   Up Referral   Boolean
ncp.nds_status   NDS Status   Unsigned 32-bit integer
ncp.nds_verb   NDS Verb   Unsigned 16-bit integer
ncp.net_id_number   Net ID Number   Unsigned 32-bit integer
ncp.net_status   Network Status   Unsigned 16-bit integer
ncp.netbios_broadcast_was_propogated   NetBIOS Broadcast Was Propogated   Unsigned 32-bit integer
ncp.netbios_progated   NetBIOS Propagated Count   Unsigned 32-bit integer
ncp.netware_access_handle   NetWare Access Handle   Byte array
ncp.network_address   Network Address   Unsigned 32-bit integer
ncp.network_node_address   Network Node Address   Byte array
ncp.network_number   Network Number   Unsigned 32-bit integer
ncp.network_socket   Network Socket   Unsigned 16-bit integer
ncp.new_access_rights_create   Create   Boolean
ncp.new_access_rights_delete   Delete   Boolean


ncp.new_access_rights_mask   New Access Rights   Unsigned 16-bit integer
ncp.new_access_rights_modify   Modify   Boolean
ncp.new_access_rights_open   Open   Boolean
ncp.new_access_rights_parental   Parental   Boolean
ncp.new_access_rights_read   Read   Boolean
ncp.new_access_rights_search   Search   Boolean
ncp.new_access_rights_supervisor   Supervisor   Boolean
ncp.new_access_rights_write   Write   Boolean
ncp.new_directory_id   New Directory ID
ncp.new_ea_handle   New EA Handle
ncp.new_file_name   New File Name
ncp.new_file_name_len   New File Name
ncp.new_file_size   New File Size
ncp.new_object_name   New Object Name
ncp.new_password   New Password
ncp.new_path   New Path
ncp.new_position   New Position
ncp.next_cnt_block   Next Count Block
ncp.next_huge_state_info   Next Huge State Info
ncp.next_limb_scan_num   Next Limb Scan Number
ncp.next_object_id   Next Object ID
ncp.next_record   Next Record
ncp.next_request_record   Next Request Record
ncp.next_search_index   Next Search Index
ncp.next_search_number   Next Search Number
ncp.next_starting_number   Next Starting Number
ncp.next_trustee_entry   Next Trustee Entry
ncp.next_volume_number   Next Volume Number
ncp.nlm_count   NLM Count
ncp.nlm_flags   Flags
Type Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer


Field ncp.nlm_ags_multiple ncp.nlm_ags_pseudo ncp.nlm_ags_reentrant

Field Name Can Load Multiple Times PseudoPreemption ReEntrant

Type Boolean Boolean Boolean Boolean Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer

ncp.nlm_ags_synchronize Synchronize Start ncp.nlm_load_options ncp.nlm_name_stringz ncp.nlm_number ncp.nlm_numbers ncp.nlm_start_num ncp.nlm_type ncp.nlms_in_list ncp.no_avail_conns NLM Load Options NLM Name NLM Number NLM Numbers NLM Start Number NLM Type NLMs in List

No Available Connections Unsigned 32-bit integer Count Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Byte array Unsigned 32-bit integer Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Boolean Boolean

ncp.no_ecb_available_countNo ECB Available Count ncp.no_mem_for_station ncp.no_more_mem_avail ncp.no_receive_buff ncp.no_space_for_service ncp.node ncp.node_ags ncp.non_ded_ag No Memory For Station Control Count No More Memory Available Count No Receive Buffers No Space For Service Node Node Flags Non Dedicated Flag

ncp.non_freeable_avail_sub_alloc_sectors Available Non Freeable Sub Alloc Sectors ncp.non_freeable_limbo_sectors Freeable Limbo Non Sectors ncp.not_my_network ncp.not_supported_mask Not My Network Bit Counter Supported

ncp.not_usable_sub_alloc_sectors Not Usable Sub Alloc Sectors ncp.not_yet_purgeable_blocks Not Yet Purgeable Blocks ncp.ns_info_mask Names Space Info Mask

ncp.ns_info_mask_acc_date Access Date ncp.ns_info_mask_adate Archive Date

Field ncp.ns_info_mask_aid ncp.ns_info_mask_atime ncp.ns_info_mask_cdate ncp.ns_info_mask_ctime ncp.ns_info_mask_fatt

Field Name Archiver ID Archive Time Creation Date Creation Time File Attributes

Type Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean String Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.ns_info_mask_max_acc_mask Inheritance ncp.ns_info_mask_max_space Maximum Space ncp.ns_info_mask_modify Modify Name ncp.ns_info_mask_owner ncp.ns_info_mask_udate ncp.ns_info_mask_uid ncp.ns_info_mask_utime ncp.ns_specific_info ncp.num_bytes ncp.num_dir_cache_buff ncp.num_of_allocs Owner ID Update Date Update ID Update Time Name Space Specific Info Number of Bytes Number Of Directory Cache Buffers Number of Allocations

ncp.num_of_cache_check_no_wait Number Of Cache Check No Wait ncp.num_of_cache_dirty_checks Number Of Cache Dirty Checks ncp.num_of_cache_hits Number Of Cache Hits

ncp.num_of_cache_checks Number Of Cache Checks Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.num_of_cache_hits_no_wait Number Of Cache Hits No Wait Unsigned 32-bit integer ncp.num_of_cc_in_pkt ncp.num_of_checks Number of Custom Counters in Packet Number of Checks Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.num_of_dir_cache_buff Number Of Directory Cache Buffers ncp.num_of_dirty_cache_checks Number Of Dirty Cache Checks ncp.num_of_entries Number of Entries

ncp.num_of_files_migrated Number Of Files Migrated Unsigned 32-bit integer ncp.num_of_garb_coll Number of Garbage Collections Unsigned 32-bit integer

Field ncp.num_of_ncp_reqs

Field Name

Type

Number of NCP Requests since Server was brought up Unsigned 32-bit integer Number of Referenced Public Symbols Number of Segments Number of CPUs Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer

ncp.num_of_ref_publics ncp.num_of_segments ncp.number_of_cpus

ncp.number_of_attributes Number of Attributes ncp.number_of_data_streams Number of Data Streams ncp.number_of_dynamic_memory_areas Number Of Dynamic Memory Areas ncp.number_of_entries ncp.number_of_locks Number of Entries Number of Locks

ncp.number_of_minutes_to_delay Number of Minutes to Delay ncp.number_of_ncp_extensions Number Of NCP Extensions ncp.number_of_ns_loaded Number Of Name Spaces Loaded ncp.number_of_protocols ncp.number_of_records Number of Protocols Number of Records

ncp.number_of_semaphores Number Of Semaphores ncp.number_of_service_processes Number Of Service Processes

ncp.number_of_set_categories Number Of Set Categories Unsigned 32-bit integer ncp.number_of_sms ncp.number_of_stations ncp.nxt_search_num ncp.o_c_ret_flags ncp.object_count ncp.object_flags ncp.object_id ncp.object_id_count ncp.object_id_info Number Of Storage Medias Number of Stations Next Search Number Object Count Object Flags Object ID Object ID Count Object Information Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer

Open Create Return Flags Unsigned 8-bit integer

ncp.object_has_properites Object Has Properties

Field ncp.object_name ncp.object_name_len ncp.object_name_stringz ncp.object_number ncp.object_security ncp.object_type ncp.old_file_name ncp.old_file_size

Field Name Object Name Object Name Object Name Object Number Object Security Object Type Old File Name Old File Size

Type Unsigned 32-bit integer String String Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Byte array Unsigned 32-bit integer

ncp.object_info_rtn_count Object Information Count

ncp.oldest_deleted_file_age_in_ticks Oldest Deleted File Age in Ticks Unsigned 32-bit integer ncp.open_count ncp.open_create_action Open Count Open Create Action Unsigned 16-bit integer Unsigned 8-bit integer Boolean Boolean Boolean Boolean Boolean Unsigned 8-bit integer

ncp.open_create_action_compressed Compressed ncp.open_create_action_created Created ncp.open_create_action_opened Opened ncp.open_create_action_read_only Read Only ncp.open_create_action_replaced Replaced ncp.open_create_mode Open Create Mode

ncp.open_create_mode_create Create new file or subdirectory (file or subdirectory cannot exist) Boolean ncp.open_create_mode_open Open existing file (file must exist) ncp.open_create_mode_oplock Open Callback (Op-Lock) ncp.open_create_mode_replace Replace existing file ncp.open_for_read_count ncp.open_rights ncp.open_rights_compat Open For Read Count Open Rights Compatibility Boolean Boolean Boolean Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Boolean Boolean

ncp.open_for_write_count Open For Write Count

ncp.open_rights_deny_read Deny Read

Field

Field Name

Type Boolean Boolean Boolean Boolean Unsigned 8-bit integer

ncp.open_rights_deny_write Deny Write ncp.open_rights_read_only Read Only ncp.open_rights_write_only Write Only ncp.open_rights_write_thru Write Through ncp.option_number Option Number

ncp.orig_num_cache_buff Original Number Of Cache Buffers Unsigned 32-bit integer ncp.original_size ncp.os_language_id ncp.os_major_version ncp.os_minor_version ncp.os_revision ncp.other_file_fork_fat ncp.other_file_fork_size Original Size OS Language ID OS Major Version OS Minor Version OS Revision Other File Fork Size Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer

Other File Fork FAT Entry Unsigned 32-bit integer

ncp.outgoing_packet_discarded_no_turbo_buffer Outgoing Packet Discarded No Turbo Buffer Unsigned 16-bit integer ncp.outstanding_compression_ios Outstanding Compression IOs Unsigned 32-bit integer ncp.outstanding_ios Outstanding IOs Unsigned 32-bit integer Unsigned 32-bit integer ncp.packet_rs_too_small_count Receive Packet Too Small Count

ncp.packet_rx_misc_error_count Receive Packet Misc Error Count Unsigned 32-bit integer ncp.packet_rx_overflow_count Receive Packet Overflow Count ncp.packet_rx_too_big_count Receive Packet Too Big Count ncp.packet_seqno Packet Sequence Number Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.packet_tx_misc_error_count Transmit Packet Misc Error Count Unsigned 32-bit integer ncp.packet_tx_too_big_count Transmit Packet Too Big Count Unsigned 32-bit integer

ncp.packet_tx_too_small_count Transmit Packet Too Small Count Unsigned 32-bit integer ncp.packets_discarded_by_hop_count Packets Discarded By Hop Count Unsigned 16-bit integer

Field

Field Name

Type Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer

ncp.packets_discarded_unknown_net Packets Discarded Unknown Net ncp.packets_from_invalid_connection Packets From Invalid Connection ncp.packets_received_during_processing Packets Received During Processing

ncp.packets_with_bad_request_type Packets With Bad Request Type Unsigned 16-bit integer ncp.packets_with_bad_sequence_number Packets With Bad Sequence Number Unsigned 16-bit integer ncp.page_table_owner_flag Page Table Owner ncp.parent_base_id Parent Base ID Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.parent_directory_base Parent Directory Base

ncp.parent_dos_directory_base Parent DOS Directory Base Unsigned 32-bit integer ncp.parent_id ncp.password ncp.path ncp.path_and_name ncp.path_base Parent ID Password Path Path and Name Path Base String Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.parent_object_number Parent Object Number

ncp.path_component_count Path Component Count ncp.path_component_size Path Component Size ncp.path_cookie_flags ncp.path_count Path Cookie Flags Path Count

ncp.pending_io_commands Pending IO Commands ncp.percent_of_vol_used_by_dirs Percent Of Volume Used By Directories ncp.physical_disk_channel Physical Disk Channel ncp.physical_disk_number Physical Disk Number ncp.physical_drive_count ncp.physical_drive_type Physical Drive Count Physical Drive Type

ncp.physical_lock_threshold Physical Lock Threshold ncp.physical_read_errors Physical Read Errors

Field

Field Name

Type Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Boolean Boolean Boolean Boolean Boolean Unsigned 8-bit integer Boolean Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer

ncp.physical_read_requests Physical Read Requests ncp.physical_write_errors Physical Write Errors ncp.physical_write_requests Physical Write Requests ncp.ping_version ncp.poll_abort_conn Ping Version Poller Aborted The Connnection Count

ncp.poll_rem_old_out_of_order Poller Removed Old Out Of Order Count ncp.positive_acknowledges_sent Positive Acknowledges Sent ncp.post_poned_events Postponed Events ncp.pre_compressed_sectors Precompressed Sectors ncp.previous_control_packet Previous Control Packet Count ncp.previous_record ncp.primary_entry ncp.print_flags ncp.print_flags_banner ncp.print_flags_cr Previous Record Primary Entry Print Flags Print Banner Page Create

ncp.print_flags_del_spool Delete Spool File after Printing ncp.print_flags_exp_tabs ncp.print_flags_ff ncp.print_server_version ncp.print_to_file_flag ncp.printer_halted ncp.printer_offline ncp.priority ncp.privileges ncp.pro_dos_info ncp.processor_type Expand Tabs in the File Suppress Form Feeds Print Server Version Print to File Flag Printer Halted Printer Off-Line Priority Login Privileges Pro DOS Info Processor Type

ncp.product_major_version Product Major Version ncp.product_minor_version Product Minor Version

Field

Field Name

Type Unsigned 8-bit integer Unsigned 32-bit integer Byte array Unsigned 8-bit integer

ncp.product_revision_version Product Revision Version ncp.projected_comp_size ncp.property_data Projected Compression Size Property Data

ncp.property_has_more_segments Property Has More Segments ncp.property_name ncp.property_name_16 ncp.property_segment ncp.property_type ncp.property_value ncp.proposed_max_size ncp.protocol_board_num ncp.protocol_flags ncp.protocol_id ncp.protocol_name ncp.protocol_number ncp.purge_c_code ncp.purge_count ncp.purge_flags ncp.purge_list ncp.purgeable_blocks ncp.qms_version ncp.queue_id ncp.queue_name ncp.queue_start_position ncp.queue_status Property Name Property Name Property Segment Property Type Property Value Proposed Max Size Protocol Board Number Protocol Flags Protocol ID Protocol Name Protocol Number Purge Completion Code Purge Count Purge Flags Purge List Purgeable Blocks QMS Version Queue ID Queue Name Queue Start Position Queue Status

String Unsigned 8-bit integer Unsigned 8-bit integer String Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer

ncp.queue_status_new_jobs Operator does not want to add jobs to the queue Boolean ncp.queue_status_pserver Operator does not want additional servers attaching ncp.queue_status_svc_jobs Operator does not want servers to service jobs ncp.queue_type ncp.r_tag_num Queue Type Resource Tag Number Boolean

Boolean Unsigned 16-bit integer Unsigned 32-bit integer

Field

Field Name

Type Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer

ncp.re_mirror_current_offset ReMirror Current Offset ncp.re_mirror_drive_number ReMirror Drive Number ncp.read_beyond_write ncp.read_exist_blck ncp.read_exist_part_read ncp.read_exist_read_err Read Beyond Write

Read Existing Block Count Unsigned 32-bit integer Read Existing Partial Read Count Unsigned 32-bit integer Read Existing Read Error Count Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.read_exist_write_wait Read Existing Write Wait Count ncp.realloc_slot Re-Allocate Slot Count

ncp.realloc_slot_came_too_soon Re-Allocate Slot Came Too Soon Count Unsigned 32-bit integer ncp.rec_lock_count ncp.record_end ncp.record_in_use ncp.record_start ncp.redirected_printer ncp.reexecute_request ncp.reference_count ncp.relations_count ncp.rem_cache_node Record Lock Count Record End Record in Use Record Start Redirected Printer Reference Count Relations Count Remove Cache Node Count Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer

Re-Execute Request Count Unsigned 32-bit integer

ncp.rem_cache_node_from_avail Remove Cache Node From Avail Count Unsigned 32-bit integer ncp.remote_max_packet_size Remote Max Packet Size ncp.remote_target_id ncp.removable_flag ncp.remove_open_rights Remote Target ID Removable Flag Remove Open Rights Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Boolean Boolean Boolean Boolean

ncp.remove_open_rights_comp Compatibility ncp.remove_open_rights_dr Deny Read ncp.remove_open_rights_dw Deny Write ncp.remove_open_rights_ro Read Only

Field

Field Name

Type Boolean Boolean Unsigned 8-bit integer

ncp.remove_open_rights_wo Write Only ncp.remove_open_rights_write_thru Write Through ncp.rename_flag ncp.rename_flag_comp Rename Flag

Compatability allows files that are marked read only to be opened with read/write access Boolean Name Only renames only the specified name space entry name Rename to Myself allows file to be renamed to its original name Replies Cancelled Reply Canceled Count Boolean

ncp.rename_flag_no

ncp.rename_flag_ren

Boolean

ncp.replies_cancelled ncp.reply_canceled

Unsigned 16-bit integer Unsigned 32-bit integer

ncp.reply_queue_job_numbers Reply Queue Job Numbers Unsigned 32-bit integer ncp.req_frame_num ncp.request_bit_map ncp.request_bit_map_ratt Response to Request in Frame Number Request Bit Map Return Attributes Unsigned 32-bit integer Unsigned 16-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean

ncp.request_bit_map_ret_acc_date Access Date ncp.request_bit_map_ret_acc_priv Access Privileges ncp.request_bit_map_ret_afp_ent AFP Entry ID ncp.request_bit_map_ret_afp_parent AFP Parent Entry ID ncp.request_bit_map_ret_bak_date Backup Date&Time ncp.request_bit_map_ret_cr_date Creation Date ncp.request_bit_map_ret_data_fork Data Fork Length ncp.request_bit_map_ret_finder Finder Info ncp.request_bit_map_ret_long_nm Long Name

Field

Field Name

Type Boolean Boolean Boolean Boolean Boolean Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String

ncp.request_bit_map_ret_mod_date Modify Date&Time ncp.request_bit_map_ret_num_off Number of Offspring ncp.request_bit_map_ret_owner Owner ID ncp.request_bit_map_ret_res_fork Resource Fork Length ncp.request_bit_map_ret_short Short Name ncp.request_code ncp.requests_reprocessed ncp.reserved ncp.reserved10 ncp.reserved12 ncp.reserved120 ncp.reserved16 ncp.reserved2 ncp.reserved20 ncp.reserved28 ncp.reserved3 ncp.reserved36 ncp.reserved4 ncp.reserved44 ncp.reserved48 ncp.reserved51 ncp.reserved56 ncp.reserved6 ncp.reserved64 ncp.reserved8 Request Code Requests Reprocessed Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved Reserved

ncp.reserved_or_directory_number Reserved or Directory Number (see EAFlags) ncp.resource_count ncp.resource_fork_len ncp.resource_fork_size ncp.resource_name ncp.resource_sig Resource Count Resource Fork Len Resource Fork Size Resource Name Resource Signature

Field ncp.restore_time ncp.restriction ncp.restrictions_enforced ncp.ret_info_mask ncp.ret_info_mask_actual ncp.ret_info_mask_alloc ncp.ret_info_mask_arch ncp.ret_info_mask_attr ncp.ret_info_mask_create ncp.ret_info_mask_dir ncp.ret_info_mask_eattr

Field Name Restore Time Disk Space Restriction Disk Restrictions Enforce Flag Return Information Return Allocation Space Information Return Archive Information Return Attribute Information Return Creation Information Return Directory Information Return Extended Attributes Information

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean

Return Actual Information Boolean

ncp.ret_info_mask_fname Return File Name Information ncp.ret_info_mask_id Return ID Information

ncp.ret_info_mask_logical Return Logical Information Boolean ncp.ret_info_mask_mod ncp.ret_info_mask_ns Return Modify Information Return Name Space Information Boolean Boolean Boolean

ncp.ret_info_mask_ns_attr Return Name Space Attributes Information ncp.ret_info_mask_rights ncp.ret_info_mask_size Return Size Information

Return Rights Information Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer

ncp.ret_info_mask_tspace Return Total Space Information ncp.retry_tx_count ncp.return_info_count ncp.returned_list_count ncp.rev_query_flag ncp.revision ncp.revision_number ncp.rights_grant_mask Transmit Retry Count Returned List Count Revision Revision Grant Rights

Return Information Count Unsigned 32-bit integer Revoke Rights Query Flag Unsigned 8-bit integer

Field

Field Name

Type Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 8-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Boolean Unsigned 16-bit integer Boolean Unsigned 32-bit integer

ncp.rights_grant_mask_create Create ncp.rights_grant_mask_del Delete ncp.rights_grant_mask_mod Modify ncp.rights_grant_mask_open Open ncp.rights_grant_mask_parent Parental ncp.rights_grant_mask_read Read ncp.rights_grant_mask_search Search ncp.rights_grant_mask_write Write ncp.rights_revoke_mask Revoke Rights

ncp.rights_revoke_mask_create Create ncp.rights_revoke_mask_del Delete ncp.rights_revoke_mask_mod Modify ncp.rights_revoke_mask_open Open ncp.rights_revoke_mask_parent Parental ncp.rights_revoke_mask_read Read ncp.rights_revoke_mask_search Search ncp.rights_revoke_mask_write Write ncp.rip_socket_num ncp.route_hops ncp.route_time ncp.router_dn_flag ncp.rpc_c_code ncp.rpy_nearest_srv_flag ncp.rx_buffer_size RIP Socket Number Hop Count Route Time Router Down Flag RPC Completion Code Reply to Nearest Server Flag Receive Buffer Size

Field ncp.rx_buffers ncp.rx_buffers_75

Field Name Receive Buffers Receive Buffers Warning Level

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer

ncp.rx_buffers_checked_out Receive Buffers Checked Out Count ncp.s_day ncp.s_day_of_week ncp.s_hour ncp.s_m_info ncp.s_minute ncp.s_module_name ncp.s_month ncp.s_second Day Day of Week Hour

Storage Media Information Unsigned 8-bit integer Minutes Storage Module Name Month Seconds Unsigned 8-bit integer String Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Boolean Boolean Boolean Unsigned 32-bit integer

ncp.salvageable_file_entry_number Salvageable File Entry Number ncp.sap_socket_number ncp.sattr ncp.sattr_hid ncp.sattr_sub ncp.sattr_sys SAP Socket Number Search Attributes Hidden Subdirectory System

ncp.saved_an_out_of_order_packet Saved An Out Of Order Packet Count ncp.scan_items ncp.search_att_archive

Number of Items returned Unsigned 32-bit integer from Scan Archive Boolean Boolean Boolean Boolean Unsigned 16-bit integer Boolean Boolean Boolean Boolean Boolean Unsigned 8-bit integer

ncp.search_att_execute_confrim Execute Confirm ncp.search_att_execute_only Execute Only ncp.search_att_hidden ncp.search_att_low ncp.search_att_read_only ncp.search_att_shareable ncp.search_att_sub ncp.search_att_system ncp.search_attr_all_files ncp.search_bit_map Hidden Search Attributes Read Only Shareable Subdirectory System All Files and Directories Search Bit Map

Field ncp.search_bit_map_files

Field Name Files

Type Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer String Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer

ncp.search_bit_map_hidden Hidden ncp.search_bit_map_sub ncp.search_bit_map_sys ncp.search_conn_number ncp.search_instance ncp.search_number ncp.search_pattern ncp.search_sequence Subdirectory System Search Connection Number Search Instance Search Number Search Pattern Search Sequence

ncp.search_sequence_word Search Sequence ncp.sec_rel_to_y2k ncp.sector_size ncp.sectors_per_block ncp.sectors_per_cluster Seconds Relative to the Year 2000 Sector Size Sectors Per Block Sectors Per Cluster

ncp.sectors_per_cluster_long Sectors Per Cluster ncp.sectors_per_track ncp.security_equiv_list ncp.security_flag Sectors Per Track Security Equivalent List Security Flag

ncp.security_restriction_version Security Restriction Version ncp.semaphore_handle ncp.semaphore_name Semaphore Handle Semaphore Name

ncp.semaphore_name_len Semaphore Name Len ncp.semaphore_open_count Semaphore Open Count ncp.semaphore_share_count Semaphore Share Count ncp.semaphore_time_out ncp.semaphore_value Semaphore Time Out Semaphore Value

ncp.send_hold_off_message Send Hold Off Message Count ncp.send_status ncp.sent_a_dup_reply Send Status Sent A Duplicate Reply Count

Field ncp.sent_pos_ack ncp.seq ncp.sequence_byte ncp.sequence_number ncp.server_address ncp.server_app_num ncp.server_id_list ncp.server_id_number ncp.server_info_flags ncp.server_list_flags ncp.server_name ncp.server_name_len ncp.server_name_stringz

Field Name

Type

Sent Positive Acknowledge Count Unsigned 32-bit integer Sequence Number Sequence Sequence Number Server Address Server App Number Server ID List Server ID Server Information Flags Server List Flags Server Name Server Name Server Name String Byte array Byte array Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer String Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer String Unsigned 8-bit integer Unsigned 32-bit integer String String Byte array Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Byte array Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer String

ncp.server_network_address Server Network Address ncp.server_node ncp.server_station ncp.server_station_list ncp.server_station_long ncp.server_status_record ncp.server_task_number Server Node Server Station Server Station List Server Station Server Status Record Server Task Number

ncp.server_serial_number Server Serial Number

ncp.server_task_number_long Server Task Number ncp.server_type ncp.server_utilization Server Type Server Utilization

ncp.server_utilization_percentage Server Utilization Percentage ncp.set_cmd_catagory ncp.set_cmd_flags ncp.set_cmd_name ncp.set_cmd_type ncp.set_cmd_value_num ncp.set_parm_name ncp.sft_error_table Set Command Catagory Set Command Flags Set Command Name Set Command Type Set Command Value Set Parameter Name SFT Error Table

ncp.set_cmd_value_string Set Command Value

Field ncp.sft_support_level ncp.shareable_lock_count

Field Name SFT Support Level Shareable Lock Count

Type Unsigned 8-bit integer Unsigned 16-bit integer

ncp.shared_memory_addresses Shared Memory Addresses Byte array ncp.short_name ncp.short_stack_name Short Name Short Stack Name String String

ncp.shouldnt_be_ack_here Shouldnt Be ACKing Here Count Unsigned 32-bit integer ncp.sibling_count ncp.signature ncp.slot ncp.sm_info_size ncp.smids ncp.software_description ncp.software_driver_type Sibling Count Signature Slot Storage Module Information Size Storage Media IDs Software Description Software Driver Type Unsigned 32-bit integer Boolean Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer

ncp.software_major_version_number Software Major Version Number ncp.software_minor_version_number Software Minor Version Number

ncp.someone_else_did_it_0 Someone Else Did It Count 0 Unsigned 32-bit integer ncp.someone_else_did_it_1 Someone Else Did It Count 1 Unsigned 32-bit integer ncp.someone_else_did_it_2 Someone Else Did It Count 2 Unsigned 32-bit integer ncp.someone_else_using_this_file Someone Else Using This File Count ncp.source_component_count Source Path Component Count ncp.source_dir_handle ncp.source_path ncp.source_return_time ncp.space_migrated Source Directory Handle Source Path Source Return Time Space Migrated Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer ncp.source_originate_time Source Originate Time Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Byte array

ncp.space_restriction_node_count Space Restriction Node Count ncp.space_used ncp.spx_abort_conn Space Used SPX Aborted Connection

Field ncp.spx_bad_in_pkt ncp.spx_bad_listen ncp.spx_bad_send ncp.spx_est_conn_fail ncp.spx_est_conn_req ncp.spx_incoming_pkt ncp.spx_listen_con_fail ncp.spx_listen_con_req ncp.spx_listen_pkt ncp.spx_max_conn ncp.spx_max_used_conn ncp.spx_no_ses_listen ncp.spx_send ncp.spx_send_fail ncp.spx_supp_pkt ncp.spx_watch_dog ncp.spx_window_choke ncp.src_connection ncp.src_name_space ncp.stack_count ncp.stack_full_name_str ncp.stack_major_vn ncp.stack_minor_vn ncp.stack_number ncp.stack_short_name ncp.start_conn_num ncp.start_number

Field Name SPX Bad In Packet Count SPX Bad Listen Count SPX Bad Send Count SPX Establish Connection Fail SPX Establish Connection Requests SPX Incoming Packet Count SPX Listen Connect Fail SPX Listen Connect Request SPX Listen Packet Count SPX Max Connections Count SPX Max Used Connections

Type Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer

SPX No Session Listen ECB Count Unsigned 16-bit integer SPX Send Count SPX Send Fail Count SPX Suppressed Packet Count Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer

SPX Watch Dog Destination Session Count Unsigned 16-bit integer SPX Window Choke Count Unsigned 32-bit integer Source Connection ID Source Name Space Stack Count Stack Full Name Stack Major Version Number Stack Minor Version Number Stack Number Stack Short Name Starting Connection Number Start Number Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer

Field ncp.start_number_flag ncp.start_search_number ncp.start_station_error ncp.starting_block ncp.starting_number ncp.stat_major_version ncp.stat_minor_version

Field Name Start Number Flag Start Search Number Start Station Error Count Starting Block Starting Number Statistics Table Major Version Statistics Table Minor Version

Type Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Byte array Unsigned 16-bit integer Unsigned 32-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer

ncp.start_volume_number Starting Volume Number

ncp.stat_table_major_version Statistics Table Major Version ncp.stat_table_minor_version Statistics Table Minor Version ncp.station_list ncp.station_number ncp.status ncp.status_flag_bits Station List Station Number Status Status Flag

ncp.status_flag_bits_audit Audit ncp.status_flag_bits_comp Compression ncp.status_flag_bits_im_purge Immediate Purge ncp.status_flag_bits_migrate Migration ncp.status_flag_bits_nss ncp.status_flag_bits_ro NSS Volume Read Only

ncp.status_flag_bits_suballoc Sub Allocation ncp.still_doing_the_last_req Still Doing The Last Request Count ncp.still_transmitting ncp.stream_type ncp.sub_alloc_clusters Still Transmitting Count Stream Type Sub Alloc Clusters

ncp.sub_alloc_freeable_clusters Sub Alloc Freeable Clusters ncp.sub_directory ncp.subfunc ncp.suggested_file_size Subdirectory SubFunction Suggested File Size

Field ncp.support_module_id ncp.synch_name ncp.system_flags ncp.system_flags.abt ncp.system_flags.eob ncp.system_flags.sys

Field Name Support Module ID Synch Name System Flags ABT EOB SYS

Type Unsigned 32-bit integer Unsigned 8-bit integer Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer

ncp.system_interval_marker System Interval Marker ncp.tab_size ncp.target_client_list Tab Size Target Client List

ncp.target_connection_number Target Connection Number Unsigned 16-bit integer ncp.target_dir_handle ncp.target_entry_id ncp.target_file_handle ncp.target_file_offset ncp.target_message ncp.target_ptr ncp.target_receive_time Target Directory Handle Target Entry ID Target File Handle Target File Offset Message Target Printer Target Receive Time Unsigned 8-bit integer Byte array Unsigned 32-bit integer Byte array Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 16-bit integer String Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Byte array Byte array Unsigned 32-bit integer

ncp.target_execution_time Target Execution Time

ncp.target_server_id_number Target Server ID Number ncp.target_transmit_time ncp.task ncp.task_num_byte ncp.task_number_word ncp.text_job_description ncp.thrashing_count ncp.time_to_net ncp.timeout_limit Target Transmit Time Task Number Task Number Task Number Text Job Description Thrashing Count Time To Net Timeout Limit

ncp.timesync_status_active Time Synchronization is Active ncp.timesync_status_ext_sync External Clock Status ncp.timesync_status_external External Time Synchronization Active ncp.timesync_status_flags Timesync Status

Field

Field Name

Type Boolean Unsigned 32-bit integer Boolean

ncp.timesync_status_net_sync Time is Synchronized to the Network ncp.timesync_status_server_type Time Server Type ncp.timesync_status_sync Time is Synchronized ncp.too_many_ack_frag ncp.too_many_hops

Too Many ACK Fragments Count Unsigned 32-bit integer Too Many Hops Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.total_blks_to_dcompress Total Blocks To Decompress ncp.total_blocks ncp.total_cache_writes ncp.total_changed_fats ncp.total_cnt_blocks ncp.total_common_cnts ncp.total_dir_entries ncp.total_directory_slots Total Blocks Total Cache Writes Total Count Blocks Total Common Counts Total Directory Entries Total Directory Slots

Total Changed FAT Entries Unsigned 32-bit integer

ncp.total_extended_directory_extants Total Extended Directory Extants ncp.total_file_service_packets Total File Service Packets ncp.total_files_opened ncp.total_lfs_counters ncp.total_offspring ncp.total_other_packets ncp.total_queue_jobs ncp.total_read_requests ncp.total_request ncp.total_routed_packets Total Files Opened Total LFS Counters Total Offspring Total Other Packets Total Queue Jobs Total Read Requests Total Requests Total Routed Packets

ncp.total_request_packets Total Request Packets

ncp.total_rx_packet_count Total Receive Packet Count Unsigned 32-bit integer ncp.total_rx_packets ncp.total_rx_pkts ncp.total_server_memory Total Receive Packets Total Receive Packets Total Server Memory Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer

ncp.total_stream_size_struct_space_alloc Total Data Stream Disk Space Alloc

Field

Field Name

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.total_trans_backed_out Total Transactions Backed Out ncp.total_trans_performed Total Transactions Performed ncp.total_tx_packet_count Total Transmit Packet Count ncp.total_tx_packets ncp.total_tx_pkts Total Transmit Packets Total Transmit Packets

ncp.total_unfilled_backout_requests Total Unfilled Backout Requests ncp.total_volume_clusters Total Volume Clusters ncp.total_write_requests Total Write Requests ncp.total_write_trans_performed Total Write Transactions Performed ncp.track_on_flag Track On Flag ncp.transaction_disk_space Transaction Disk Space ncp.transaction_fat_allocations Transaction FAT Allocations ncp.transaction_file_size_changes Transaction File Size Changes

ncp.transaction_files_truncated Transaction Files Truncated Unsigned 32-bit integer ncp.transaction_number Transaction Number Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 16-bit integer

ncp.transaction_tracking_enabled Transaction Tracking Enabled ncp.transaction_tracking_supported Transaction Tracking Supported ncp.transaction_volume_number Transaction Volume Number ncp.transport_addr ncp.transport_type ncp.trustee_id_set Transport Address Communications Type Trustee ID

Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Boolean Unsigned 16-bit integer Boolean Boolean

ncp.trustee_list_node_count Trustee List Node Count ncp.trustee_rights_create ncp.trustee_rights_del ncp.trustee_rights_low ncp.trustee_rights_open Create Delete Trustee Rights Open

ncp.trustee_rights_modify Modify

Field | Field Name | Type
ncp.trustee_rights_parent | Parental | Boolean
ncp.trustee_rights_read | Read | Boolean
ncp.trustee_rights_search | Search | Boolean
ncp.trustee_rights_super | Supervisor | Boolean
ncp.trustee_rights_write | Write | Boolean
ncp.trustee_set_number | Trustee Set Number | Unsigned 8-bit integer

ncp.try_to_write_too_much Trying To Write Too Much Count Unsigned 32-bit integer ncp.ttl_comp_blks Total Compression Blocks Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer ncp.ttl_ds_disk_space_alloc Total Streams Space Allocated ncp.ttl_eas ncp.ttl_eas_data_size ncp.ttl_eas_key_size ncp.ttl_inter_blks ncp.ttl_migrated_size ncp.ttl_num_of_r_tags ncp.ttl_num_of_set_cmds ncp.ttl_pckts_routed ncp.ttl_pckts_srvcd ncp.ttl_values_length ncp.ttl_write_data_size ncp.tts_flag ncp.tts_level Total EAs Total EAs Data Size Total EAs Key Size Total Intermediate Blocks Total Migrated Size

Total Number of Resource Tags Unsigned 32-bit integer Total Number of Set Commands Total Packets Routed Total Packets Serviced Total Values Length Total Write Data Size Transaction Tracking Flag TTS Level Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer

ncp.turbo_fat_build_failed Turbo FAT Build Failed Count ncp.turbo_used_for_file_service Turbo Used For File Service ncp.type ncp.un_claimed_packets Type Unclaimed Packets

ncp.un_compressable_data_streams_count Uncompressable Data Streams Count ncp.un_used Unused ncp.un_used_directory_entries Unused Directory Entries

Field

Field Name

Type Unsigned 32-bit integer Unsigned 32-bit integer Byte array Byte array Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean Boolean Boolean Boolean Boolean Unsigned 32-bit integer Boolean Boolean Boolean Boolean Boolean

ncp.un_used_extended_directory_extants Unused Extended Directory Extants ncp.unclaimed_packets ncp.undefined_28 ncp.undefined_8 ncp.unique_id ncp.unknown_network ncp.unused_disk_blocks ncp.update_date ncp.update_id ncp.update_time ncp.used_blocks ncp.used_space ncp.user_id Unclaimed Packets Undefined Undefined Unique ID Unknown Network Unused Disk Blocks Update Date Update ID Update Time Used Blocks Used Space User ID

ncp.user_info_audit_conn Audit Connection Recorded ncp.user_info_audited ncp.user_info_bindery Audited Bindery Connection ncp.user_info_being_abort Being Aborted ncp.user_info_dsaudit_conn DS Audit Connection Recorded ncp.user_info_held_req ncp.user_info_int_login ncp.user_info_logged_in ncp.user_info_logout ncp.user_info_need_sec Held Requests Internal Login Logged In Logout in Progress Needs Security Change

ncp.user_info_mac_station MAC Station

ncp.user_info_temp_authen Temporary Authenticated Boolean ncp.user_info_ttl_bytes_rd Total Bytes Read ncp.user_info_ttl_bytes_wrt Total Bytes Written ncp.user_info_use_count ncp.user_login_allowed ncp.user_name ncp.user_name_16 ncp.uts_time_in_seconds Use Count Login Status User Name User Name UTC Time in Seconds String Unsigned 32-bit integer Byte array Byte array Unsigned 16-bit integer Unsigned 8-bit integer

Field ncp.valid_bfrs_reused ncp.value_available ncp.vap_version ncp.variable_bit_mask ncp.variable_bits_defined ncp.vconsole_rev ncp.vconsole_ver ncp.verb ncp.verb_data ncp.version ncp.version_number ncp.vert_location

Field Name Valid Buffers Reused Value Available VAP Version Variable Bit Mask Variable Bits Defined Console Revision Console Version Verb Verb Data Version Version Vertical Location

Type Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 8-bit integer

ncp.virtual_console_version Virtual Console Version ncp.vol_info_reply_len ncp.volume_active_count ncp.volume_cached_flag ncp.volume_hashed_flag ncp.volume_id

Volume Information Reply Length Unsigned 16-bit integer Volume Active Count Volume Cached Flag Volume Hashed Flag Volume ID Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer String String Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 16-bit integer Unsigned 32-bit integer

ncp.volume_last_modified_date Volume Last Modified Date ncp.volume_last_modified_time Volume Last Modified Time ncp.volume_mounted_flag Volume Mounted Flag ncp.volume_name ncp.volume_name_len ncp.volume_number Volume Name Volume Name Volume Number

ncp.volume_name_stringz Volume Name ncp.volume_number_long Volume Number ncp.volume_reference_count Volume Reference Count ncp.volume_removable_flag Volume Removable Flag ncp.volume_request_flags Volume Request Flags ncp.volume_segment_dev_num Volume Segment Device Number

Field

Field Name

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.volume_segment_offset Volume Segment Offset ncp.volume_segment_size Volume Segment Size ncp.volume_size_in_clusters Volume Size in Clusters ncp.volume_type ncp.volume_use_count Volume Type Volume Use Count

ncp.volumes_supported_max Volumes Supported Max ncp.wait_node ncp.wait_node_alloc_fail ncp.wait_on_sema Wait Node Count Wait Node Alloc Failure Count

Wait On Semaphore Count Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.wait_till_dirty_blcks_dec Wait Till Dirty Blocks Decrease Count ncp.wait_time Wait Time ncp.wasted_server_memory Wasted Server Memory ncp.write_curr_trans Write Currently Transmitting Count

ncp.write_didnt_need_but_req_ack Write Didnt Need But Requested ACK Count ncp.write_didnt_need_this_frag Write Didnt Need This Fragment Count ncp.write_dup_req ncp.write_err ncp.write_got_an_ack0 ncp.write_got_an_ack1 ncp.write_held_off Write Duplicate Request Count Write Error Count

Write Got An ACK Count 0 Unsigned 32-bit integer Write Got An ACK Count 1 Unsigned 32-bit integer Write Held Off Count Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ncp.write_held_off_with_dup Write Held Off With Duplicate Request ncp.write_incon_packet_len Write Inconsistent Packet Lengths Count

ncp.write_out_of_mem_for_ctl_nodes Write Out Of Memory For Control Nodes Count Unsigned 32-bit integer ncp.write_timeout Write Time Out Count Unsigned 32-bit integer ncp.write_too_many_buf_check Write Too Many Buffers Checked Out Count Unsigned 32-bit integer

Field | Field Name | Type
ncp.write_trash_dup_req | Write Trashed Duplicate Request Count | Unsigned 32-bit integer
ncp.write_trash_packet | Write Trashed Packet Count | Unsigned 32-bit integer
ncp.wrt_blck_cnt | Write Block Count | Unsigned 32-bit integer
ncp.wrt_entire_blck | Write Entire Block Count | Unsigned 32-bit integer
ncp.year | Year | Unsigned 8-bit integer
ncp.zero_ack_frag | Zero ACK Fragment Count | Unsigned 32-bit integer

Network Data Management Protocol (ndmp)


Table A-165. Network Data Management Protocol (ndmp)

Field | Field Name | Type
ndmp.addr.ip | IP Address | IPv4 address
ndmp.addr.ipc | IPC | Byte array
ndmp.addr.loop_id | Loop ID | Unsigned 32-bit integer
ndmp.addr.tcp_port | TCP Port | Unsigned 32-bit integer
ndmp.addr_type | Addr Type | Unsigned 32-bit integer
ndmp.addr_types | Addr Types | No value
ndmp.auth.challenge | Challenge | Byte array
ndmp.auth.digest | Digest | Byte array
ndmp.auth.id | ID | String
ndmp.auth.password | Password | String
ndmp.auth.types | Auth types | No value
ndmp.auth_type | Auth Type | Unsigned 32-bit integer
ndmp.bu.destination_dir | Destination Dir | String
ndmp.bu.new_name | New Name | String
ndmp.bu.operation | Operation | Unsigned 32-bit integer
ndmp.bu.original_path | Original Path | String
ndmp.bu.other_name | Other Name | String
ndmp.butype.default_env | Default Env | No value
ndmp.butype.env.name | Name | String
ndmp.butype.env.value | Value | String
ndmp.butype.info | Butype Info | No value

Field ndmp.butype.name ndmp.bytes_left_to_read ndmp.connected ndmp.connected.reason ndmp.count ndmp.data

Field Name Butype Name Bytes left to read Connected Reason Count Data

Type String Unsigned 32-bit integer String Unsigned 32-bit integer Byte array

ndmp.data.bytes_processed Bytes Processed ndmp.data.est_bytes_remain Est Bytes Remain ndmp.data.est_time_remain Est Time Remain ndmp.data.halted ndmp.data.state ndmp.data.written ndmp.dirs ndmp.error Halted Reason State Data Written Dirs Error No value Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Byte array Unsigned 32-bit integer Boolean Boolean Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer String Date/Time stamp Date/Time stamp Unsigned 32-bit integer Time duration Unsigned 32-bit integer Unsigned 32-bit integer

ndmp.execute_cdb.cdb_len CDB length ndmp.execute_cdb.datain Data in

ndmp.execute_cdb.datain_len Data in length ndmp.execute_cdb.dataout Data out ndmp.execute_cdb.dataout_len Data out length ndmp.execute_cdb.flags.data_in DATA_IN ndmp.execute_cdb.flags.data_out DATA_OUT ndmp.execute_cdb.sns_len Sense data length ndmp.execute_cdb.status Status

ndmp.execute_cdb.timeout Timeout ndmp.file ndmp.file.atime ndmp.file.ctime ndmp.file.fattr File atime ctime Fattr

Field ndmp.file.fh_info ndmp.file.fs_type ndmp.file.group ndmp.file.links ndmp.file.mtime ndmp.file.names ndmp.file.node ndmp.file.owner ndmp.file.parent ndmp.file.size ndmp.file.stats ndmp.file.type ndmp.files ndmp.fs.avail_size ndmp.fs.env ndmp.fs.env.name ndmp.fs.env.value ndmp.fs.info ndmp.fs.logical_device ndmp.fs.physical_device ndmp.fs.status ndmp.fs.total_inodes ndmp.fs.total_size ndmp.fs.type ndmp.fs.used_inodes ndmp.fs.used_size ndmp.halt ndmp.halt.reason ndmp.header ndmp.hostid ndmp.hostname ndmp.log.message ndmp.log.message.id ndmp.log.type ndmp.mover.mode ndmp.mover.pause

Field Name FH Info File FS Type Group Links mtime File Names Node Owner Parent Size File Stats File Type Files Avail Size Env variables Name Value FS Info Logical Device Physical Device Status Total Inodes Total Size Type Used Inodes Used Size Halt Reason NDMP Header HostID Hostname Message Message ID Type Mode Pause

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp No value Unsigned 32-bit integer

No value Unsigned 32-bit integer No value No value String String No value String String String

String

Unsigned 32-bit integer String No value String String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

Field ndmp.mover.state ndmp.msg ndmp.msg_type ndmp.nlist ndmp.nodes ndmp.os.type ndmp.os.version ndmp.record.num ndmp.record.size ndmp.reply_sequence ndmp.resid_count ndmp.scsi.controller ndmp.scsi.device ndmp.scsi.id ndmp.scsi.info ndmp.scsi.lun ndmp.scsi.model ndmp.seek.position ndmp.sequence ndmp.server.product ndmp.server.revision ndmp.server.vendor ndmp.tape.cap.name ndmp.tape.cap.value ndmp.tape.capability ndmp.tape.dev_cap ndmp.tape.device ndmp.tape.info ndmp.tape.model ndmp.tape.mtio.op ndmp.tape.open_mode

Field Name State Message Type Nlist Nodes OS Type OS Version Record Num Record Size Reply Sequence Resid Count Controller Device ID SCSI Info LUN Model Seek Position Sequence Product Revision Vendor Name Value Tape Capabilities Device Capability Device Tape Info Model Operation Mode

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer No value No value String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer No value Unsigned 32-bit integer String Unsigned 32-bit integer String String String String String No value No value String No value String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

ndmp.tape.status.block_no block_no ndmp.tape.status.block_size block_size ndmp.tape.status.file_num file_num

Field

Field Name

Type Unsigned 32-bit integer Unsigned 32-bit integer

ndmp.tape.status.partition partition ndmp.tape.status.soft_errors soft_errors ndmp.tape.status.space_remain space_remain ndmp.tape.status.total_space total_space ndmp.timestamp ndmp.version ndmp.window.length ndmp.window.offset Time Version Window Length Window Offset

Date/Time stamp Unsigned 32-bit integer

Network File System (nfs)


Table A-166. Network File System (nfs) Field nfs.ace nfs.aceflag4 nfs.acemask4 nfs.acetype4 nfs.acl nfs.atime nfs.atime.nsec nfs.atime.sec nfs.atime.usec nfs.attr nfs.bytes_per_block nfs.call.operation nfs.callback.ident nfs.cb_location nfs.cb_program nfs.change_info.atomic nfs.changeid4 nfs.changeid4.after nfs.changeid4.before Field Name ace aceflag acemask acetype ACL atime nano seconds seconds micro seconds mand_attr bytes_per_block Opcode callback_ident cb_location cb_program Atomic changeid changeid changeid Type String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer No value Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Boolean

Field nfs.clientid nfs.cookie3 nfs.cookie4 nfs.cookieverf4 nfs.count3 nfs.count3_dircount nfs.count3_maxcount nfs.count4 nfs.createmode nfs.ctime nfs.ctime.nsec nfs.ctime.sec nfs.ctime.usec nfs.data nfs.delegate_stateid nfs.delegate_type nfs.dircount nfs.dirlist4.eof nfs.dtime nfs.dtime.nsec nfs.dtime.sec nfs.eof nfs.fattr.blocks nfs.fattr.blocksize nfs.fattr.fileid nfs.fattr.fsid nfs.fattr.gid nfs.fattr.nlink nfs.fattr.rdev nfs.fattr.size nfs.fattr.type nfs.fattr.uid nfs.fattr3.fileid nfs.fattr3.fsid nfs.fattr3.gid nfs.fattr3.nlink

Field Name clientid cookie cookie cookieverf count dircount maxcount count Create Mode ctime nano seconds seconds micro seconds Data delegate_stateid delegate_type dircount eof time delta nano seconds seconds eof blocks blocksize fileid fsid gid nlink rdev size type uid fileid fsid gid nlink

Type

Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Boolean Time duration Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

Unsigned 32-bit integer Unsigned 32-bit integer

Field nfs.fattr3.rdev nfs.fattr3.size nfs.fattr3.type nfs.fattr3.uid nfs.fattr3.used nfs.fattr4.aclsupport nfs.fattr4.attr_vals nfs.fattr4.fileid nfs.fattr4.files_avail nfs.fattr4.files_free nfs.fattr4.files_total nfs.fattr4.lease_time nfs.fattr4.maxfilesize nfs.fattr4.maxlink nfs.fattr4.maxname nfs.fattr4.maxread nfs.fattr4.maxwrite nfs.fattr4.numlinks nfs.fattr4.quota_hard nfs.fattr4.quota_soft nfs.fattr4.quota_used nfs.fattr4.size nfs.fattr4.space_avail nfs.fattr4.space_free nfs.fattr4.space_total nfs.fattr4.space_used nfs.fattr4_archive nfs.fattr4_cansettime

Field Name rdev size Type uid used aclsupport attr_vals fileid files_avail files_free files_total lease_time maxfilesize maxlink maxname maxread maxwrite numlinks quota_hard quota_soft quota_used size space_avail space_free space_total space_used fattr4_archive fattr4_cansettime

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array

Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

Unsigned 32-bit integer

Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean String

nfs.fattr4_case_insensitive fattr4_case_insensitive nfs.fattr4_case_preserving fattr4_case_preserving nfs.fattr4_chown_restricted fattr4_chown_restricted nfs.fattr4_hidden nfs.fattr4_homogeneous nfs.fattr4_link_support nfs.fattr4_mimetype fattr4_hidden fattr4_homogeneous fattr4_link_support fattr4_mimetype

Field nfs.fattr4_named_attr nfs.fattr4_no_trunc nfs.fattr4_owner nfs.fattr4_owner_group

Field Name fattr4_named_attr fattr4_no_trunc fattr4_owner fattr4_owner_group

Type Boolean Boolean String String Boolean Boolean Boolean Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

nfs.fattr4_symlink_support fattr4_symlink_support nfs.fattr4_system nfs.fh.auth_type nfs.fh.dentry nfs.fh.dev nfs.fh.dirinode nfs.fh.fileid_type nfs.fh.fn nfs.fh.fn.generation nfs.fh.fn.inode nfs.fh.fn.len nfs.fh.fsid.inode nfs.fh.fsid.major nfs.fh.fsid.minor nfs.fh.fsid_type nfs.fh.fstype nfs.fh.hash nfs.fh.hp.len nfs.fh.length nfs.fh.pinode nfs.fh.version nfs.fh.xdev nfs.fh.xfn nfs.fh.xfn.generation nfs.fh.xfn.inode nfs.fh.xfn.len nfs.fh.xfsid.major nfs.fh.xfsid.minor nfs.filesize nfs.fsid4.major fattr4_system auth_type dentry device directory inode fileid_type file number generation inode length inode major minor fsid_type file system type hash length length pseudo inode version exported device exported file number generation exported inode length exported major exported minor filesize fsid4.major

nfs.fattr4_unique_handles fattr4_unique_handles

Field nfs.fsid4.minor nfs.fsinfo.dtpref nfs.fsinfo.maxfilesize nfs.fsinfo.propeties nfs.fsinfo.rtmax nfs.fsinfo.rtmult nfs.fsinfo.rtpref nfs.fsinfo.wtmax nfs.fsinfo.wtmult nfs.fsinfo.wtpref nfs.fsstat.invarsec nfs.fsstat3_resok.abytes nfs.fsstat3_resok.afiles nfs.fsstat3_resok.fbytes nfs.fsstat3_resok.ffiles nfs.fsstat3_resok.tbytes nfs.fsstat3_resok.tfiles nfs.full_name nfs.gid3 nfs.length4

Field Name fsid4.minor dtpref maxfilesize Properties rtmax rtmult rtpref wtmax wtmult wtpref invarsec Available free bytes Available free file slots Free bytes Free file slots Total bytes Total file slots Full Name gid length

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

String Unsigned 32-bit integer Boolean Boolean Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Date/Time stamp Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Byte array Unsigned 32-bit integer Unsigned 32-bit integer

nfs.lock.locker.new_lock_owner new lock owner? nfs.lock.reclaim nfs.lock_owner4 nfs.lock_seqid nfs.locktype4 nfs.maxcount nfs.minorversion nfs.mtime nfs.mtime.nsec nfs.mtime.sec nfs.mtime.usec nfs.name nfs.nfs_client_id4.id nfs.nfs_ftype4 nfs.nfstime4.nseconds reclaim? owner lock_seqid locktype maxcount minorversion mtime nano seconds seconds micro seconds Name id nfs_ftype4 nseconds

Field nfs.nfstime4.seconds nfs.num_blocks nfs.offset3 nfs.offset4 nfs.open.claim_type nfs.open.delegation_type nfs.open.limit_by nfs.open.opentype nfs.open4.share_access nfs.open4.share_deny nfs.open_owner4 nfs.openattr4.createdir

Field Name seconds num_blocks offset offset Claim Type Delegation Type Space Limit Open Type share_access share_deny owner attribute dir create

Type Unsigned 32-bit integer

Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Boolean String Byte array Byte array Unsigned 32-bit integer Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer No value Unsigned 32-bit integer Unsigned 32-bit integer String

nfs.pathconf.case_insensitive case_insensitive nfs.pathconf.case_preserving case_preserving nfs.pathconf.chown_restricted chown_restricted nfs.pathconf.linkmax nfs.pathconf.name_max nfs.pathconf.no_trunc nfs.pathname.component nfs.r_addr nfs.r_netid nfs.read.count nfs.read.eof nfs.read.offset nfs.read.totalcount nfs.readdir.cookie nfs.readdir.count nfs.readdir.entry nfs.readdir.entry.cookie nfs.readdir.entry.fileid nfs.readdir.entry.name nfs.readdir.entry3.cookie nfs.readdir.entry3.fileid nfs.readdir.entry3.name linkmax name_max no_trunc Filename r_addr r_netid Count EOF Offset Total Count Cookie Count Entry Cookie File ID Name Cookie File ID Name

String

Field nfs.readdir.eof

Field Name EOF

Type Unsigned 32-bit integer

nfs.readdirplus.entry.cookie Cookie nfs.readdirplus.entry.fileid File ID nfs.readdirplus.entry.name Name nfs.readlink.data nfs.recall nfs.recall4 nfs.reclaim4 nfs.reply.operation nfs.secinfo.flavor Data EOF recall reclaim Opcode flavor String String Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Byte array Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String String

nfs.secinfo.flavor_info.rpcsec_gss_info.oid oid nfs.secinfo.flavor_info.rpcsec_gss_info.qop qop nfs.secinfo.rpcsec_gss_info.service service nfs.seqid nfs.server nfs.set_it nfs.set_size3.size nfs.specdata1 nfs.specdata2 nfs.stable_how4 nfs.stateid4 nfs.stateid4.other nfs.statfs.bavail nfs.statfs.bfree nfs.statfs.blocks nfs.statfs.bsize nfs.statfs.tsize nfs.status nfs.status2 nfs.symlink.linktext nfs.symlink.to nfs.tag seqid server set_it size specdata1 specdata2 stable_how4 stateid Data Available Blocks Free Blocks Total Blocks Block Size Transfer Size Status Status Name To Tag

Field nfs.type nfs.uid3 nfs.verifier4 nfs.wcc_attr.size nfs.who nfs.write.beginoffset nfs.write.committed nfs.write.offset nfs.write.stable nfs.write.totalcount

Field Name Type uid verifier size who Begin Offset Committed Offset Stable Total Count

Type Unsigned 32-bit integer Unsigned 32-bit integer

String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

Network Lock Manager Protocol (nlm)


Table A-167. Network Lock Manager Protocol (nlm) Field nlm.block nlm.cookie nlm.exclusive nlm.holder nlm.lock nlm.lock.caller_name nlm.lock.l_len nlm.lock.l_offset nlm.lock.owner nlm.lock.svid nlm.msg_in nlm.reclaim nlm.res_in nlm.sequence nlm.share nlm.share.access nlm.share.mode nlm.share.name nlm.stat Field Name block cookie exclusive holder lock caller_name l_len l_offset owner svid Request MSG in reclaim Reply RES in sequence share access mode name stat Byte array Unsigned 32-bit integer Unsigned 32-bit integer Boolean Unsigned 32-bit integer Signed 32-bit integer No value Unsigned 32-bit integer Unsigned 32-bit integer String Unsigned 32-bit integer Type Boolean Byte array Boolean No value No value String

Field | Field Name | Type
nlm.state | state | Unsigned 32-bit integer
nlm.test_stat | test_stat | No value
nlm.test_stat.stat | stat | Unsigned 32-bit integer
nlm.time | Time from request | Time duration

Network News Transfer Protocol (nntp)


Table A-168. Network News Transfer Protocol (nntp)

Field | Field Name | Type
nntp.request | Request | Boolean
nntp.response | Response | Boolean

Network Status Monitor CallBack Protocol (statnotify)


Table A-169. Network Status Monitor CallBack Protocol (statnotify)

Field | Field Name | Type
statnotify.name | Name | String
statnotify.priv | Priv | Byte array
statnotify.state | State | Unsigned 32-bit integer

Network Status Monitor Protocol (stat)


Table A-170. Network Status Monitor Protocol (stat)

Field | Field Name | Type
stat.mon | Monitor | No value
stat.mon_id.name | Monitor ID Name | String
stat.my_id | My ID | No value
stat.my_id.hostname | Hostname | String
stat.my_id.proc | Procedure | Unsigned 32-bit integer
stat.my_id.prog | Program | Unsigned 32-bit integer
stat.my_id.vers | Version | Unsigned 32-bit integer
stat.name | Name | String
stat.priv | Priv | Byte array
stat.stat_chge | Status Change | No value
stat.stat_res | Status Result | No value
stat.stat_res.res | Result | Unsigned 32-bit integer
stat.stat_res.state | State | Unsigned 32-bit integer
stat.state | State | Unsigned 32-bit integer

Network Time Protocol (ntp)


Table A-171. Network Time Protocol (ntp)

Field | Field Name | Type
ntp.flags | Flags | Unsigned 8-bit integer
ntp.flags.li | Leap Indicator | Unsigned 8-bit integer
ntp.flags.mode | Mode | Unsigned 8-bit integer
ntp.flags.vn | Version number | Unsigned 8-bit integer
ntp.keyid | Key ID | Byte array
ntp.mac | Message Authentication Code | Byte array
ntp.org | Originate Time Stamp | Byte array
ntp.ppoll | Peer Polling Interval | Unsigned 8-bit integer
ntp.precision | Peer Clock Precision | Unsigned 8-bit integer
ntp.rec | Receive Time Stamp | Byte array
ntp.refid | Reference Clock ID | Byte array
ntp.reftime | Reference Clock Update Time | Byte array
ntp.rootdelay | Root Delay | Double-precision floating point
ntp.rootdispersion | Clock Dispersion | Double-precision floating point
ntp.stratum | Peer Clock Stratum | Unsigned 8-bit integer
ntp.xmt | Transmit Time Stamp | Byte array

Null/Loopback (null)
Table A-172. Null/Loopback (null)

Field | Field Name | Type
null.family | Family | Unsigned 32-bit integer
null.type | Type | Unsigned 16-bit integer

Open Shortest Path First (ospf)


Table A-173. Open Shortest Path First (ospf)

Field | Field Name | Type
ospf.advrouter | Advertising Router | IPv4 address
ospf.lsa | Link-State Advertisement Type | Unsigned 8-bit integer
ospf.lsa.asbr | Summary LSA (ASBR) | Boolean
ospf.lsa.asext | AS-External LSA (ASBR) | Boolean
ospf.lsa.attr | External Attributes LSA | Boolean
ospf.lsa.member | Group Membership LSA | Boolean
ospf.lsa.mpls | MPLS Traffic Engineering LSA | Boolean
ospf.lsa.network | Network LSA | Boolean
ospf.lsa.nssa | NSSA AS-External LSA | Boolean
ospf.lsa.opaque | Opaque LSA | Boolean
ospf.lsa.router | Router LSA | Boolean
ospf.lsa.summary | Summary LSA (IP Network) | Boolean
ospf.lsid_opaque_type | Link State ID Opaque Type | Unsigned 8-bit integer
ospf.lsid_te_lsa.instance | Link State ID TE-LSA Instance | Unsigned 16-bit integer
ospf.mpls.linkid | MPLS/TE Link ID | IPv4 address
ospf.mpls.local_addr | MPLS/TE Local Interface Address | IPv4 address
ospf.mpls.local_id | MPLS/TE Local Interface Index | Unsigned 32-bit integer
ospf.mpls.remote_addr | MPLS/TE Remote Interface Address | IPv4 address
ospf.mpls.remote_id | MPLS/TE Remote Interface Index | Unsigned 32-bit integer
ospf.mpls.routerid | MPLS/TE Router ID | IPv4 address
ospf.msg | Message Type | Unsigned 8-bit integer
ospf.msg.dbdesc | Database Description | Boolean
ospf.msg.hello | Hello | Boolean
ospf.msg.lsack | Link State Adv Acknowledgement | Boolean
ospf.msg.lsreq | Link State Adv Request | Boolean
ospf.msg.lsupdate | Link State Adv Update | Boolean
ospf.srcrouter | Source OSPF Router | IPv4 address

OpenBSD Packet Filter log file (pflog)

Table A-174. OpenBSD Packet Filter log file (pflog)

| Field | Field Name | Type |
|---|---|---|
| pflog.action | Action | Unsigned 16-bit integer |
| pflog.af | Address Family | Unsigned 32-bit integer |
| pflog.dir | Direction | Unsigned 16-bit integer |
| pflog.ifname | Interface | String |
| pflog.reason | Reason | Unsigned 16-bit integer |
| pflog.rnr | Rule Number | Signed 16-bit integer |

PC NFS (pcnfsd)
Table A-175. PC NFS (pcnfsd)

| Field | Field Name | Type |
|---|---|---|
| pcnfsd.auth.client | Authentication Client | String |
| pcnfsd.auth.ident.clear | Clear Ident | String |
| pcnfsd.auth.ident.obscure | Obscure Ident | String |
| pcnfsd.auth.password.clear | Clear Password | String |
| pcnfsd.auth.password.obscure | Obscure Password | String |
| pcnfsd.comment | Comment | String |
| pcnfsd.def_umask | def_umask | Signed 32-bit integer |
| pcnfsd.gid | Group ID | Unsigned 32-bit integer |
| pcnfsd.gids.count | Group ID Count | Unsigned 32-bit integer |
| pcnfsd.homedir | Home Directory | String |
| pcnfsd.status | Reply Status | Unsigned 32-bit integer |
| pcnfsd.uid | User ID | Unsigned 32-bit integer |
| pcnfsd.username | User name | String |

PPP Bandwidth Allocation Control Protocol (bacp)


Table A-176. PPP Bandwidth Allocation Control Protocol (bacp)

| Field | Field Name | Type |
|---|---|---|

PPP Bandwidth Allocation Protocol (bap)

Table A-177. PPP Bandwidth Allocation Protocol (bap)

| Field | Field Name | Type |
|---|---|---|

PPP Callback Control Protocol (cbcp)

Table A-178. PPP Callback Control Protocol (cbcp)

| Field | Field Name | Type |
|---|---|---|

PPP Challenge Handshake Authentication Protocol (chap)

Table A-179. PPP Challenge Handshake Authentication Protocol (chap)

| Field | Field Name | Type |
|---|---|---|


PPP Compressed Datagram (comp_data)


Table A-180. PPP Compressed Datagram (comp_data)

| Field | Field Name | Type |
|---|---|---|

PPP Compression Control Protocol (ccp)

Table A-181. PPP Compression Control Protocol (ccp)

| Field | Field Name | Type |
|---|---|---|

PPP IP Control Protocol (ipcp)

Table A-182. PPP IP Control Protocol (ipcp)

| Field | Field Name | Type |
|---|---|---|

PPP Link Control Protocol (lcp)

Table A-183. PPP Link Control Protocol (lcp)

| Field | Field Name | Type |
|---|---|---|

PPP Multilink Protocol (mp)

Table A-184. PPP Multilink Protocol (mp)

| Field | Field Name | Type |
|---|---|---|
| mp.first | First fragment | Boolean |
| mp.last | Last fragment | Boolean |
| mp.seq | Sequence number | Unsigned 24-bit integer |


PPP Multiplexing (pppmux)


Table A-185. PPP Multiplexing (pppmux)

| Field | Field Name | Type |
|---|---|---|

PPP Password Authentication Protocol (pap)

Table A-186. PPP Password Authentication Protocol (pap)

| Field | Field Name | Type |
|---|---|---|

PPP VJ Compression (vj)

Table A-187. PPP VJ Compression (vj)

| Field | Field Name | Type |
|---|---|---|
| vj.ack_delta | Ack delta | Unsigned 16-bit integer |
| vj.change_mask | Change mask | Unsigned 8-bit integer |
| vj.change_mask_a | Ack number changed | Boolean |
| vj.change_mask_c | Connection changed | Boolean |
| vj.change_mask_i | IP ID change != 1 | Boolean |
| vj.change_mask_p | Push bit set | Boolean |
| vj.change_mask_s | Sequence number changed | Boolean |
| vj.change_mask_u | Urgent pointer set | Boolean |
| vj.change_mask_w | Window changed | Boolean |
| vj.connection_number | Connection number | Unsigned 8-bit integer |
| vj.ip_id_delta | IP ID delta | Unsigned 16-bit integer |
| vj.seq_delta | Sequence delta | Unsigned 16-bit integer |
| vj.tcp_cksum | TCP checksum | Unsigned 16-bit integer |
| vj.urp | Urgent pointer | Unsigned 16-bit integer |
| vj.win_delta | Window delta | Signed 16-bit integer |


PPP-over-Ethernet Discovery (pppoed)


Table A-188. PPP-over-Ethernet Discovery (pppoed)

| Field | Field Name | Type |
|---|---|---|

PPP-over-Ethernet Session (pppoes)

Table A-189. PPP-over-Ethernet Session (pppoes)

| Field | Field Name | Type |
|---|---|---|

PPPMux Control Protocol (pppmuxcp)

Table A-190. PPPMux Control Protocol (pppmuxcp)

| Field | Field Name | Type |
|---|---|---|

Point-to-Point Protocol (ppp)

Table A-191. Point-to-Point Protocol (ppp)

| Field | Field Name | Type |
|---|---|---|
| ppp.address | Address | Unsigned 8-bit integer |
| ppp.control | Control | Unsigned 8-bit integer |
| ppp.protocol | Protocol | Unsigned 16-bit integer |

Point-to-Point Tunnelling Protocol (pptp)

Table A-192. Point-to-Point Tunnelling Protocol (pptp)

| Field | Field Name | Type |
|---|---|---|
| pptp.type | Message type | Unsigned 16-bit integer |


Portmap (portmap)
Table A-193. Portmap (portmap)

| Field | Field Name | Type |
|---|---|---|
| portmap.answer | Answer | Boolean |
| portmap.args | Arguments | Byte array |
| portmap.port | Port | Unsigned 32-bit integer |
| portmap.proc | Procedure | Unsigned 32-bit integer |
| portmap.prog | Program | Unsigned 32-bit integer |
| portmap.proto | Protocol | Unsigned 32-bit integer |
| portmap.result | Result | Byte array |
| portmap.rpcb | RPCB | No value |
| portmap.rpcb.addr | Universal Address | String |
| portmap.rpcb.netid | Network Id | String |
| portmap.rpcb.owner | Owner of this Service | String |
| portmap.rpcb.prog | Program | Unsigned 32-bit integer |
| portmap.rpcb.version | Version | Unsigned 32-bit integer |
| portmap.uaddr | Universal Address | String |
| portmap.version | Version | Unsigned 32-bit integer |

Post Office Protocol (pop)

Table A-194. Post Office Protocol (pop)

| Field | Field Name | Type |
|---|---|---|
| pop.request | Request | Boolean |
| pop.response | Response | Boolean |

Pragmatic General Multicast (pgm)


Table A-195. Pragmatic General Multicast (pgm)

| Field | Field Name | Type |
|---|---|---|
| pgm.ack.bitmap | Packet Bitmap | Unsigned 32-bit integer |
| pgm.ack.maxsqn | Maximum Received Sequence Number | Unsigned 32-bit integer |
| pgm.data.sqn | Data Packet Sequence Number | Unsigned 32-bit integer |
| pgm.data.trail | Trailing Edge Sequence Number | Unsigned 32-bit integer |
| pgm.genopts.len | Length | Unsigned 8-bit integer |
| pgm.genopts.opx | Option Extensibility Bits | Unsigned 8-bit integer |
| pgm.genopts.type | Type | Unsigned 8-bit integer |
| pgm.hdr.cksum | Checksum | Unsigned 16-bit integer |
| pgm.hdr.dport | Destination Port | Unsigned 16-bit integer |
| pgm.hdr.gsi | Global Source Identifier | Byte array |
| pgm.hdr.opts | Options | Unsigned 8-bit integer |
| pgm.hdr.opts.netsig | Network Significant Options | Boolean |
| pgm.hdr.opts.opt | Options | Boolean |
| pgm.hdr.opts.parity | Parity | Boolean |
| pgm.hdr.opts.varlen | Variable length Parity Packet Option | Boolean |
| pgm.hdr.sport | Source Port | Unsigned 16-bit integer |
| pgm.hdr.tsdulen | Transport Service Data Unit Length | Unsigned 16-bit integer |
| pgm.hdr.type | Type | Unsigned 8-bit integer |
| pgm.nak.grp | Multicast Group NLA | IPv4 address |
| pgm.nak.grpafi | Multicast Group AFI | Unsigned 16-bit integer |
| pgm.nak.grpres | Reserved | Unsigned 16-bit integer |
| pgm.nak.sqn | Requested Sequence Number | Unsigned 32-bit integer |
| pgm.nak.src | Source NLA | IPv4 address |
| pgm.nak.srcafi | Source NLA AFI | Unsigned 16-bit integer |
| pgm.nak.srcres | Reserved | Unsigned 16-bit integer |
| pgm.opts.ccdata.acker | Acker | IPv4 address |
| pgm.opts.ccdata.afi | Acker AFI | Unsigned 16-bit integer |
| pgm.opts.ccdata.lossrate | Loss Rate | Unsigned 16-bit integer |
| pgm.opts.ccdata.res | Reserved | Unsigned 8-bit integer |
| pgm.opts.ccdata.res2 | Reserved | Unsigned 16-bit integer |
| pgm.opts.ccdata.tstamp | Time Stamp | Unsigned 16-bit integer |
| pgm.opts.join.min_join | Minimum Sequence Number | Unsigned 32-bit integer |
| pgm.opts.join.res | Reserved | Unsigned 8-bit integer |
| pgm.opts.len | Length | Unsigned 8-bit integer |
| pgm.opts.nak.list | List | Byte array |
| pgm.opts.nak.op | Reserved | Unsigned 8-bit integer |
| pgm.opts.parity_prm.op | Parity Parameters | Unsigned 8-bit integer |
| pgm.opts.parity_prm.prm_grp | Transmission Group Size | Unsigned 32-bit integer |
| pgm.opts.tlen | Total Length | Unsigned 16-bit integer |
| pgm.opts.type | Type | Unsigned 8-bit integer |
| pgm.spm.lead | Leading Edge Sequence Number | Unsigned 32-bit integer |
| pgm.spm.path | Path NLA | IPv4 address |
| pgm.spm.pathafi | Path NLA AFI | Unsigned 16-bit integer |
| pgm.spm.res | Reserved | Unsigned 16-bit integer |
| pgm.spm.sqn | Sequence number | Unsigned 32-bit integer |
| pgm.spm.trail | Trailing Edge Sequence Number | Unsigned 32-bit integer |

Prism (prism)
Table A-196. Prism (prism)

| Field | Field Name | Type |
|---|---|---|
| prism.channel.data | Channel Time Field | Unsigned 32-bit integer |
| prism.frmlen.data | Frame Length Field | Unsigned 32-bit integer |
| prism.hosttime.data | Host Time Field | Unsigned 32-bit integer |
| prism.istx.data | IsTX Field | Unsigned 32-bit integer |
| prism.mactime.data | MAC Time Field | Unsigned 32-bit integer |
| prism.msgcode | Message Code | Unsigned 32-bit integer |
| prism.msglen | Message Length | Unsigned 32-bit integer |
| prism.noise.data | Noise Field | Unsigned 32-bit integer |
| prism.rate.data | Rate Field | Unsigned 32-bit integer |
| prism.rssi.data | RSSI Field | Unsigned 32-bit integer |
| prism.signal.data | Signal Field | Unsigned 32-bit integer |
| prism.sq.data | SQ Field | Unsigned 32-bit integer |


Protocol Independent Multicast (pim)


Table A-197. Protocol Independent Multicast (pim)

| Field | Field Name | Type |
|---|---|---|
| pim.cksum | Checksum | Unsigned 16-bit integer |
| pim.code | Code | Unsigned 8-bit integer |
| pim.type | Type | Unsigned 8-bit integer |
| pim.version | Version | Unsigned 8-bit integer |

Q.2931 (q2931)
Table A-198. Q.2931 (q2931)

| Field | Field Name | Type |
|---|---|---|
| q2931.call_ref | Call reference value | Byte array |
| q2931.call_ref_len | Call reference value length | Unsigned 8-bit integer |
| q2931.disc | Protocol discriminator | Unsigned 8-bit integer |
| q2931.message_action_indicator | Action indicator | Unsigned 8-bit integer |
| q2931.message_flag | Flag | Boolean |
| q2931.message_len | Message length | Unsigned 16-bit integer |
| q2931.message_type | Message type | Unsigned 8-bit integer |
| q2931.message_type_ext | Message type extension | Unsigned 8-bit integer |

Q.931 (q931)
Table A-199. Q.931 (q931)

| Field | Field Name | Type |
|---|---|---|
| q931.call_ref | Call reference value | Byte array |
| q931.call_ref_len | Call reference value length | Unsigned 8-bit integer |
| q931.disc | Protocol discriminator | Unsigned 8-bit integer |
| q931.message_type | Message type | Unsigned 8-bit integer |


Quake II Network Protocol (quake2)


Table A-200. Quake II Network Protocol (quake2)

| Field | Field Name | Type |
|---|---|---|
| quake2.c2s | Client to Server | Unsigned 32-bit integer |
| quake2.connectionless | Connectionless | Unsigned 32-bit integer |
| quake2.connectionless.marker | Marker | Unsigned 32-bit integer |
| quake2.connectionless.text | Text | String |
| quake2.game | Game | Unsigned 32-bit integer |
| quake2.game.client.command | Client Command Type | Unsigned 8-bit integer |
| quake2.game.client.command.move | Bitfield | Unsigned 8-bit integer |
| quake2.game.client.command.move.angles | Angles (pitch) | Unsigned 8-bit integer |
| quake2.game.client.command.move.buttons | Buttons | Unsigned 8-bit integer |
| quake2.game.client.command.move.chksum | Checksum | Unsigned 8-bit integer |
| quake2.game.client.command.move.impulse | Impulse | Unsigned 8-bit integer |
| quake2.game.client.command.move.lframe | Last Frame | Unsigned 32-bit integer |
| quake2.game.client.command.move.lightlevel | Lightlevel | Unsigned 8-bit integer |
| quake2.game.client.command.move.movement | Movement (fwd) | Unsigned 8-bit integer |
| quake2.game.client.command.move.msec | Msec | Unsigned 8-bit integer |
| quake2.game.qport | QPort | Unsigned 32-bit integer |
| quake2.game.rel1 | Reliable | Boolean |
| quake2.game.rel2 | Reliable | Boolean |
| quake2.game.seq1 | Sequence Number | Unsigned 32-bit integer |
| quake2.game.seq2 | Sequence Number | Unsigned 32-bit integer |
| quake2.game.server.command | Server Command | Unsigned 8-bit integer |
| quake2.s2c | Server to Client | Unsigned 32-bit integer |


Quake III Arena Network Protocol (quake3)


Table A-201. Quake III Arena Network Protocol (quake3)

| Field | Field Name | Type |
|---|---|---|
| quake3.connectionless | Connectionless | Unsigned 32-bit integer |
| quake3.connectionless.command | Command | String |
| quake3.connectionless.marker | Marker | Unsigned 32-bit integer |
| quake3.connectionless.text | Text | String |
| quake3.direction | Direction | No value |
| quake3.game | Game | Unsigned 32-bit integer |
| quake3.game.qport | QPort | Unsigned 32-bit integer |
| quake3.game.rel1 | Reliable | Boolean |
| quake3.game.rel2 | Reliable | Boolean |
| quake3.game.seq1 | Sequence Number | Unsigned 32-bit integer |
| quake3.game.seq2 | Sequence Number | Unsigned 32-bit integer |
| quake3.server.addr | Server Address | IPv4 address |
| quake3.server.port | Server Port | Unsigned 16-bit integer |

Quake Network Protocol (quake)


Table A-202. Quake Network Protocol (quake)

| Field | Field Name | Type |
|---|---|---|
| quake.control.accept.port | Port | Unsigned 32-bit integer |
| quake.control.command | Command | Unsigned 8-bit integer |
| quake.control.connect.game | Game | String |
| quake.control.connect.version | Version | Unsigned 8-bit integer |
| quake.control.player_info.address | Address | String |
| quake.control.player_info.colors | Colors | Unsigned 32-bit integer |
| quake.control.player_info.colors.pants | Pants | Unsigned 8-bit integer |
| quake.control.player_info.colors.shirt | Shirt | Unsigned 8-bit integer |
| quake.control.player_info.connect_time | Connect Time | Unsigned 32-bit integer |
| quake.control.player_info.frags | Frags | Unsigned 32-bit integer |
| quake.control.player_info.name | Name | String |
| quake.control.player_info.player | Player | Unsigned 8-bit integer |
| quake.control.reject.reason | Reason | String |
| quake.control.rule_info.lastrule | Last Rule | String |
| quake.control.rule_info.rule | Rule | String |
| quake.control.rule_info.value | Value | String |
| quake.control.server_info.address | Address | String |
| quake.control.server_info.game | Game | String |
| quake.control.server_info.map | Map | String |
| quake.control.server_info.max_player | Maximal Number of Players | Unsigned 8-bit integer |
| quake.control.server_info.num_player | Number of Players | Unsigned 8-bit integer |
| quake.control.server_info.server | Server | String |
| quake.control.server_info.version | Version | Unsigned 8-bit integer |
| quake.header.flags | Flags | Unsigned 16-bit integer |
| quake.header.length | Length | Unsigned 16-bit integer |
| quake.header.sequence | Sequence | Unsigned 32-bit integer |

QuakeWorld Network Protocol (quakeworld)


Table A-203. QuakeWorld Network Protocol (quakeworld)

| Field | Field Name | Type |
|---|---|---|
| quakeworld.c2s | Client to Server | Unsigned 32-bit integer |
| quakeworld.connectionless | Connectionless | Unsigned 32-bit integer |
| quakeworld.connectionless.arguments | Arguments | String |
| quakeworld.connectionless.command | Command | String |
| quakeworld.connectionless.connect.challenge | Challenge | Signed 32-bit integer |
| quakeworld.connectionless.connect.infostring | Infostring | String |
| quakeworld.connectionless.connect.infostring.key | Key | String |
| quakeworld.connectionless.connect.infostring.key_value | Key/Value | String |
| quakeworld.connectionless.connect.infostring.value | Value | String |
| quakeworld.connectionless.connect.qport | QPort | Unsigned 32-bit integer |
| quakeworld.connectionless.connect.version | Version | Unsigned 32-bit integer |
| quakeworld.connectionless.marker | Marker | Unsigned 32-bit integer |
| quakeworld.connectionless.rcon.command | Command | String |
| quakeworld.connectionless.rcon.password | Password | String |
| quakeworld.connectionless.text | Text | String |
| quakeworld.game | Game | Unsigned 32-bit integer |
| quakeworld.game.qport | QPort | Unsigned 32-bit integer |
| quakeworld.game.rel1 | Reliable | Boolean |
| quakeworld.game.rel2 | Reliable | Boolean |
| quakeworld.game.seq1 | Sequence Number | Unsigned 32-bit integer |
| quakeworld.game.seq2 | Sequence Number | Unsigned 32-bit integer |
| quakeworld.s2c | Server to Client | Unsigned 32-bit integer |

Qualified Logical Link Control (qllc)

Table A-204. Qualified Logical Link Control (qllc)

| Field | Field Name | Type |
|---|---|---|
| qllc.address | Address Field | Unsigned 8-bit integer |
| qllc.control | Control Field | Unsigned 8-bit integer |

RFC 2250 MPEG1 (mpeg1)


Table A-205. RFC 2250 MPEG1 (mpeg1)

| Field | Field Name | Type |
|---|---|---|
| mpeg1.stream | MPEG-1 stream | Byte array |
| rtp.payload_mpeg_T | T | Unsigned 16-bit integer |
| rtp.payload_mpeg_an | AN | Unsigned 16-bit integer |
| rtp.payload_mpeg_b | Beginning-of-slice | Boolean |
| rtp.payload_mpeg_bfc | BFC | Unsigned 16-bit integer |
| rtp.payload_mpeg_fbv | FBV | Unsigned 16-bit integer |
| rtp.payload_mpeg_ffc | FFC | Unsigned 16-bit integer |
| rtp.payload_mpeg_ffv | FFV | Unsigned 16-bit integer |
| rtp.payload_mpeg_mbz | MBZ | Unsigned 16-bit integer |
| rtp.payload_mpeg_n | New Picture Header | Unsigned 16-bit integer |
| rtp.payload_mpeg_p | Picture type | Unsigned 16-bit integer |
| rtp.payload_mpeg_s | Sequence Header | Boolean |
| rtp.payload_mpeg_tr | Temporal Reference | Unsigned 16-bit integer |

RIPng (ripng)
Table A-206. RIPng (ripng)

| Field | Field Name | Type |
|---|---|---|
| ripng.cmd | Command | Unsigned 8-bit integer |
| ripng.version | Version | Unsigned 8-bit integer |

RPC Browser (rpc_browser)


Table A-207. RPC Browser (rpc_browser)

| Field | Field Name | Type |
|---|---|---|
| rpc_browser.rc | Return code | Unsigned 32-bit integer |
| rpc_browser.unknown.bytes | Unknown bytes | Byte array |
| rpc_browser.unknown.hyper | Unknown hyper | |
| rpc_browser.unknown.long | Unknown long | Unsigned 32-bit integer |
| rpc_browser.unknown.string | Unknown string | String |

RSTAT (rstat)
Table A-208. RSTAT (rstat)

| Field | Field Name | Type |
|---|---|---|

RX Protocol (rx)
Table A-209. RX Protocol (rx)

| Field | Field Name | Type |
|---|---|---|
| rx.abort | ABORT Packet | No value |
| rx.abort_code | Abort Code | Unsigned 32-bit integer |
| rx.ack | ACK Packet | No value |
| rx.ack_type | ACK Type | Unsigned 8-bit integer |
| rx.bufferspace | Bufferspace | Unsigned 16-bit integer |
| rx.callnumber | Call Number | Unsigned 32-bit integer |
| rx.challenge | CHALLENGE Packet | No value |
| rx.cid | CID | Unsigned 32-bit integer |
| rx.encrypted | Encrypted | No value |
| rx.epoch | Epoch | Date/Time stamp |
| rx.first | First Packet | Unsigned 32-bit integer |
| rx.flags | Flags | Unsigned 8-bit integer |
| rx.flags.client_init | Client Initiated | Unsigned 8-bit integer |
| rx.flags.free_packet | Free Packet | Unsigned 8-bit integer |
| rx.flags.last_packet | Last Packet | Unsigned 8-bit integer |
| rx.flags.more_packets | More Packets | Unsigned 8-bit integer |
| rx.flags.request_ack | Request Ack | Unsigned 8-bit integer |
| rx.if_mtu | Interface MTU | Unsigned 32-bit integer |
| rx.inc_nonce | Inc Nonce | Unsigned 32-bit integer |
| rx.kvno | kvno | Unsigned 32-bit integer |
| rx.level | Level | Unsigned 32-bit integer |
| rx.max_mtu | Max MTU | Unsigned 32-bit integer |
| rx.max_packets | Max Packets | Unsigned 32-bit integer |
| rx.maxskew | Max Skew | Unsigned 16-bit integer |
| rx.min_level | Min Level | Unsigned 32-bit integer |
| rx.nonce | Nonce | Unsigned 32-bit integer |
| rx.num_acks | Num ACKs | Unsigned 8-bit integer |
| rx.prev | Prev Packet | Unsigned 32-bit integer |
| rx.reason | Reason | Unsigned 8-bit integer |
| rx.response | RESPONSE Packet | No value |
| rx.rwind | rwind | Unsigned 32-bit integer |
| rx.securityindex | Security Index | Unsigned 32-bit integer |
| rx.seq | Sequence Number | Unsigned 32-bit integer |
| rx.serial | Serial | Unsigned 32-bit integer |
| rx.serviceid | Service ID | Unsigned 16-bit integer |
| rx.spare | Spare/Checksum | Unsigned 16-bit integer |
| rx.ticket | ticket | Byte array |
| rx.ticket_len | Ticket len | Unsigned 32-bit integer |
| rx.type | Type | Unsigned 8-bit integer |
| rx.userstatus | User Status | Unsigned 32-bit integer |
| rx.version | Version | Unsigned 32-bit integer |

Radio Access Network Application Part (ranap)


Table A-210. Radio Access Network Application Part (ranap)

| Field | Field Name | Type |
|---|---|---|
| ranap.CN_DomainIndicator | CN-DomainIndicator | Unsigned 8-bit integer |
| ranap.Extension_Field_Value | Extension Field Value | Byte array |
| ranap.IuSigConId | IuSigConId | Byte array |
| ranap.NAS_PDU | NAS-PDU | Byte array |
| ranap.PLMN_ID | PLMN-ID | Byte array |
| ranap.ProtocolExtensionContainer_present | ProtocolExtensionContainer | Unsigned 8-bit integer |
| ranap.ProtocolExtensionFields.octets | Number of octets | Unsigned 16-bit integer |
| ranap.RAB_ID | RAB-ID | Unsigned 8-bit integer |
| ranap.RAB_SetupOrModifyItemSecond.PDP_Type | PDP-Type | Unsigned 8-bit integer |
| ranap.RAB_SetupOrModifyItemSecond.dataVolumeReportingIndication | dataVolumeReportingIndication | Unsigned 8-bit integer |
| ranap.RAB_SetupOrModifyItemSecond.dl_GTP_PDU_SequenceNumber | dl_GTP_PDU_SequenceNumber | Unsigned 16-bit integer |
| ranap.RAB_SetupOrModifyItemSecond.ul_GTP_PDU_SequenceNumber | ul_GTP_PDU_SequenceNumber | Unsigned 16-bit integer |
| ranap.RAC | RAC | Byte array |
| ranap.SAC | SAC | Byte array |
| ranap.allocationOrRetentionPriority_present | allocationOrRetentionPriority | Unsigned 8-bit integer |
| ranap.bindingID | bindingID | Byte array |
| ranap.cause_choice | cause choice | Unsigned 8-bit integer |
| ranap.cause_value | cause value | Unsigned 8-bit integer |
| ranap.dataVolumeReference | dataVolumeReference | Unsigned 8-bit integer |
| ranap.dataVolumeReference_present | dataVolumeReference | Unsigned 8-bit integer |
| ranap.dataVolumeReportingIndication_present | dataVolumeReportingIndication | Unsigned 8-bit integer |
| ranap.dl-UnsuccessfullyTransmittedDataVolume | dl-UnsuccessfullyTransmittedDataVolume | Unsigned 32-bit integer |
| ranap.dl_GTP_PDU_SequenceNumber_present | dl_GTP_PDU_SequenceNumber | Unsigned 8-bit integer |
| ranap.dl_N_PDU_SequenceNumber_present | dl_N_PDU_SequenceNumber | Unsigned 8-bit integer |
| ranap.dl_UnsuccessfullyTransmittedDataVolume_present | dl-UnsuccessfullyTransmittedDataVolume | Unsigned 8-bit integer |
| ranap.dl_dataVolumes_present | dl_dataVolumes | Unsigned 8-bit integer |
| ranap.gTP_TEI | gTP_TEI | Byte array |
| ranap.guaranteedBitRate_present | guaranteedBitRate | Unsigned 8-bit integer |
| ranap.iECriticality | iECriticality | Unsigned 8-bit integer |
| ranap.iEsCriticalityDiagnostics_present | iEsCriticalityDiagnostics | Unsigned 8-bit integer |
| ranap.ie.ProtocolExtensionFields.Id | ProtocolExtensionField ID | Unsigned 16-bit integer |
| ranap.ie.ProtocolExtensionFields.criticality | Criticality of ProtocolExtensionField | Unsigned 8-bit integer |
| ranap.ie.criticality | Criticality of IE | Unsigned 8-bit integer |
| ranap.ie.iEExtensions_present | iE-Extensions | Unsigned 8-bit integer |
| ranap.ie.ie_id | IE-ID | Unsigned 16-bit integer |
| ranap.ie.number_of_ProtocolExtensionFields | Number of Protocol Extension Fields | Unsigned 16-bit integer |
| ranap.ie.number_of_octets | Number of Octets in IE | Unsigned 16-bit integer |
| ranap.ie.protocol_extension_present | Protocol Extension | Unsigned 8-bit integer |
| ranap.ie_pair.first_criticality | First Criticality | Unsigned 8-bit integer |
| ranap.ie_pair.first_value.number_of_octets | Number of Octets in first value | Unsigned 16-bit integer |
| ranap.ie_pair.second_criticality | Second Criticality | Unsigned 8-bit integer |
| ranap.ie_pair.second_value.number_of_octets | Number of Octets in second value | Unsigned 16-bit integer |
| ranap.iuTransportAssociation_present | iuTransportAssociation | Unsigned 8-bit integer |
| ranap.msg_extension_present | Message Extension | Unsigned 8-bit integer |
| ranap.nAS-SynchronisationIndicator | nAS-SynchronisationIndicator | Unsigned 8-bit integer |
| ranap.nAS-SynchronisationIndicator_present | nAS-SynchronisationIndicator | Unsigned 8-bit integer |
| ranap.nas_pdu_length | length of NAS-PDU | Unsigned 16-bit integer |
| ranap.num_of_CriticalityDiagnostics_IEs | Number of CriticalityDiagnostics-IEs | Unsigned 16-bit integer |
| ranap.number_of_ProtocolExtensionFields | Number of ProtocolExtensionFields | Unsigned 16-bit integer |
| ranap.number_of_RABs | Number of RABs | Unsigned 8-bit integer |
| ranap.number_of_ies | Number of IEs in list | Unsigned 16-bit integer |
| ranap.pDP_TypeInformation_present | pDP_TypeInformation | Unsigned 8-bit integer |
| ranap.pdu.criticality | Criticality of PDU | Unsigned 8-bit integer |
| ranap.pdu.num_of_octets | Number of Octets in PDU | Unsigned 16-bit integer |
| ranap.pdu.number_of_ies | Number of IEs in PDU | Unsigned 16-bit integer |
| ranap.procedureCode_present | procedureCode | Unsigned 8-bit integer |
| ranap.procedureCriticality | procedureCriticality | Unsigned 8-bit integer |
| ranap.procedureCriticality_present | procedureCriticality | Unsigned 8-bit integer |
| ranap.procedure_code | Procedure Code | Unsigned 8-bit integer |
| ranap.rAB_Parameters_present | rAB-Parameters | Unsigned 8-bit integer |
| ranap.rAB_SubflowCombinationBitRate_present | subflowSDU_Size | Unsigned 8-bit integer |
| ranap.rab_Parameters.allocationOrRetentionPriority.pre_emptionCapability | pre-emptionCapability | Unsigned 8-bit integer |
| ranap.rab_Parameters.allocationOrRetentionPriority.pre_emptionVulnerability | pre-emptionVulnerability | Unsigned 8-bit integer |
| ranap.rab_Parameters.allocationOrRetentionPriority.priorityLevel | priorityLevel | Unsigned 8-bit integer |
| ranap.rab_Parameters.allocationOrRetentionPriority.queuingAllowed | queuingAllowed | Unsigned 8-bit integer |
| ranap.rab_Parameters.deliveryOrder | deliveryOrder | Unsigned 8-bit integer |
| ranap.rab_Parameters.guaranteedBitrate | guaranteedBitrate | Unsigned 32-bit integer |
| ranap.rab_Parameters.maxBitrate | maxBitrate | Unsigned 32-bit integer |
| ranap.rab_Parameters.maxSDU_Size | maxSDU_Size | Unsigned 16-bit integer |
| ranap.rab_Parameters.rAB_AsymmetryIndicator | rAB_AsymmetryIndicator | Unsigned 8-bit integer |
| ranap.rab_Parameters.rAB_SubflowCombinationBitRate | rAB_SubflowCombinationBitRate | Unsigned 32-bit integer |
| ranap.rab_Parameters.ranap_deliveryOfErroneousSDU | deliveryOfErroneousSDU | Unsigned 8-bit integer |
| ranap.rab_Parameters.relocationRequirement | relocationRequirement | Unsigned 8-bit integer |
| ranap.rab_Parameters.residualBitErrorRatio.exponent | residualBitErrorRatio: exponent | Unsigned 8-bit integer |
| ranap.rab_Parameters.residualBitErrorRatio.mantissa | residualBitErrorRatio: mantissa | Unsigned 8-bit integer |
| ranap.rab_Parameters.sDU_ErrorRatio.exponent | sDU_ErrorRatio: exponent | Unsigned 8-bit integer |
| ranap.rab_Parameters.sDU_ErrorRatio.mantissa | sDU_ErrorRatio: mantissa | Unsigned 8-bit integer |
| ranap.rab_Parameters.sourceStatisticsDescriptor | sourceStatisticsDescriptor | Unsigned 8-bit integer |
| ranap.rab_Parameters.subflowSDU_Size | subflowSDU_Size | Unsigned 8-bit integer |
| ranap.rab_Parameters.trafficClass | Traffic Class | Unsigned 8-bit integer |
| ranap.rab_Parameters.trafficHandlingPriority | trafficHandlingPriority | Unsigned 8-bit integer |
| ranap.rab_Parameters.transferDelay | transferDelay | Unsigned 16-bit integer |
| ranap.ranap_pdu_index | RANAP-PDU Index | Unsigned 8-bit integer |
| ranap.relocationRequirement_present | relocationRequirement | Unsigned 8-bit integer |
| ranap.repetitionNumber | repetitionNumber | Unsigned 16-bit integer |
| ranap.repetitionNumber_present | repetitionNumber | Unsigned 8-bit integer |
| ranap.sDU_ErrorRatio_present | sDU_ErrorRatio | Unsigned 8-bit integer |
| ranap.sDU_FormatInformationParameters_present | sDU_FormatInformationParameters | Unsigned 8-bit integer |
| ranap.service_Handover | service-Handover | Unsigned 8-bit integer |
| ranap.service_Handover_present | service-Handover | Unsigned 8-bit integer |
| ranap.sourceStatisticsDescriptor_present | sourceStatisticsDescriptor | Unsigned 8-bit integer |
| ranap.subflowSDU_Size_present | subflowSDU_Size | Unsigned 8-bit integer |
| ranap.trafficHandlingPriority_present | trafficHandlingPriority | Unsigned 8-bit integer |
| ranap.transferDelay_present | transferDelay | Unsigned 8-bit integer |
| ranap.transportLayerAddress | transportLayerAddress | Byte array |
| ranap.transportLayerAddress_length | bit length of transportLayerAddress | Unsigned 8-bit integer |
| ranap.transportLayerAddress_present | transportLayerAddress | Unsigned 8-bit integer |
| ranap.transportLayerInformation_present | transportLayerInformation | Unsigned 8-bit integer |
| ranap.triggeringMessage | triggeringMessage | Unsigned 8-bit integer |
| ranap.triggeringMessage_present | triggeringMessage | Unsigned 8-bit integer |
| ranap.uP_ModeVersions | uP_ModeVersions | Byte array |
| ranap.ul_GTP_PDU_SequenceNumber_present | ul_GTP_PDU_SequenceNumber | Unsigned 8-bit integer |
| ranap.ul_N_PDU_SequenceNumber_present | ul_N_PDU_SequenceNumber | Unsigned 8-bit integer |
| ranap.userPlaneInformation_present | userPlaneInformation | Unsigned 8-bit integer |
| ranap.userPlaneMode | userPlaneMode | Unsigned 8-bit integer |

Radius Protocol (radius)


Table A-211. Radius Protocol (radius)

| Field | Field Name | Type |
|---|---|---|
| radius.code | Code | Unsigned 8-bit integer |
| radius.id | Identifier | Unsigned 8-bit integer |
| radius.length | Length | Unsigned 16-bit integer |

Raw packet data (raw)


Table A-212. Raw packet data (raw)

| Field | Field Name | Type |
|---|---|---|


Real Time Streaming Protocol (rtsp)


Table A-213. Real Time Streaming Protocol (rtsp)

| Field | Field Name | Type |
|---|---|---|
| rtsp.method | Method | String |
| rtsp.status | Status | Unsigned 32-bit integer |
| rtsp.url | URL | String |

Real-Time Transport Protocol (rtp)


Table A-214. Real-Time Transport Protocol (rtp)

| Field | Field Name | Type |
|---|---|---|
| rtp.cc | Contributing source identifiers count | Unsigned 8-bit integer |
| rtp.csrc.item | CSRC item | Unsigned 32-bit integer |
| rtp.ext | Extension | Boolean |
| rtp.ext.len | Extension length | Unsigned 16-bit integer |
| rtp.ext.profile | Defined by profile | Unsigned 16-bit integer |
| rtp.hdr_ext | Header extension | Unsigned 32-bit integer |
| rtp.marker | Marker | Boolean |
| rtp.p_type | Payload type | Unsigned 8-bit integer |
| rtp.padding | Padding | Boolean |
| rtp.padding.count | Padding count | Unsigned 8-bit integer |
| rtp.padding.data | Padding data | Byte array |
| rtp.payload | Payload | Byte array |
| rtp.seq | Sequence number | Unsigned 16-bit integer |
| rtp.ssrc | Synchronization Source identifier | Unsigned 32-bit integer |
| rtp.timestamp | Timestamp | Unsigned 32-bit integer |
| rtp.version | Version | Unsigned 8-bit integer |

Real-time Transport Control Protocol (rtcp)


Table A-215. Real-time Transport Control Protocol (rtcp)

| Field | Field Name | Type |
|---|---|---|
| rtcp.app.data | Application specific data | Byte array |
| rtcp.app.name | Name (ASCII) | String |
| rtcp.app.subtype | Subtype | Unsigned 8-bit integer |
| rtcp.length | Length | Unsigned 16-bit integer |
| rtcp.nack.blp | Bitmask of following lost packets | Unsigned 16-bit integer |
| rtcp.nack.fsn | First sequence number | Unsigned 16-bit integer |
| rtcp.padding | Padding | Boolean |
| rtcp.padding.count | Padding count | Unsigned 8-bit integer |
| rtcp.padding.data | Padding data | Byte array |
| rtcp.pt | Packet type | Unsigned 8-bit integer |
| rtcp.rc | Reception report count | Unsigned 8-bit integer |
| rtcp.sc | Source count | Unsigned 8-bit integer |
| rtcp.sdes.length | Length | Unsigned 32-bit integer |
| rtcp.sdes.prefix.length | Prefix length | Unsigned 8-bit integer |
| rtcp.sdes.prefix.string | Prefix string | String |
| rtcp.sdes.ssrc_csrc | SSRC / CSRC identifier | Unsigned 32-bit integer |
| rtcp.sdes.text | Text | String |
| rtcp.sdes.type | Type | Unsigned 8-bit integer |
| rtcp.sender.octetcount | Senders octet count | Unsigned 32-bit integer |
| rtcp.sender.packetcount | Senders packet count | Unsigned 32-bit integer |
| rtcp.senderssrc | Sender SSRC | Unsigned 32-bit integer |
| rtcp.ssrc.cum_nr | Cumulative number of packets lost | Unsigned 32-bit integer |
| rtcp.ssrc.dlsr | Delay since last SR timestamp | Unsigned 32-bit integer |
| rtcp.ssrc.ext_high | Extended highest sequence number received | Unsigned 32-bit integer |
| rtcp.ssrc.fraction | Fraction lost | Unsigned 8-bit integer |
| rtcp.ssrc.high_cycles | Sequence number cycles count | Unsigned 16-bit integer |
| rtcp.ssrc.high_seq | Highest sequence number received | Unsigned 16-bit integer |
| rtcp.ssrc.identifier | Identifier | Unsigned 32-bit integer |
| rtcp.ssrc.jitter | Interarrival jitter | Unsigned 32-bit integer |
| rtcp.ssrc.lsr | Last SR timestamp | Unsigned 32-bit integer |
| rtcp.timestamp.ntp | NTP timestamp | String |
| rtcp.timestamp.rtp | RTP timestamp | Unsigned 32-bit integer |
| rtcp.version | Version | Unsigned 8-bit integer |

Remote Procedure Call (rpc)


Table A-216. Remote Procedure Call (rpc)

| Field | Field Name | Type |
|---|---|---|
| rpc.array.len | num | Unsigned 32-bit integer |
| rpc.auth.flavor | Flavor | Unsigned 32-bit integer |
| rpc.auth.gid | GID | Unsigned 32-bit integer |
| rpc.auth.length | Length | Unsigned 32-bit integer |
| rpc.auth.machinename | Machine Name | String |
| rpc.auth.stamp | Stamp | Unsigned 32-bit integer |
| rpc.auth.uid | UID | Unsigned 32-bit integer |
| rpc.authdes.convkey | Conversation Key (encrypted) | Unsigned 32-bit integer |
| rpc.authdes.namekind | Namekind | Unsigned 32-bit integer |
| rpc.authdes.netname | Netname | String |
| rpc.authdes.nickname | Nickname | Unsigned 32-bit integer |
| rpc.authdes.timestamp | Timestamp (encrypted) | Unsigned 32-bit integer |
| rpc.authdes.timeverf | Timestamp verifier (encrypted) | Unsigned 32-bit integer |
| rpc.authdes.window | Window (encrypted) | Unsigned 32-bit integer |
| rpc.authdes.windowverf | Window verifier (encrypted) | Unsigned 32-bit integer |
| rpc.authgss.checksum | GSS Checksum | Byte array |
| rpc.authgss.context | GSS Context | Byte array |
| rpc.authgss.data | GSS Data | Byte array |
| rpc.authgss.data.length | Length | Unsigned 32-bit integer |
| rpc.authgss.major | GSS Major Status | Unsigned 32-bit integer |
| rpc.authgss.minor | GSS Minor Status | Unsigned 32-bit integer |
| rpc.authgss.procedure | GSS Procedure | Unsigned 32-bit integer |
| rpc.authgss.seqnum | GSS Sequence Number | Unsigned 32-bit integer |
| rpc.authgss.service | GSS Service | Unsigned 32-bit integer |
| rpc.authgss.token | GSS Token | Byte array |
| rpc.authgss.version | GSS Version | Unsigned 32-bit integer |
| rpc.authgss.window | GSS Sequence Window | Unsigned 32-bit integer |
| rpc.call.dup | Duplicate Call | Unsigned 32-bit integer |
| rpc.dup | Duplicate Transaction | Unsigned 32-bit integer |
| rpc.fraglen | Fragment Length | Unsigned 32-bit integer |
| rpc.fragment | RPC Fragment | No value |
| rpc.fragment.error | Defragmentation error | No value |
| rpc.fragment.multipletails | Multiple tail fragments found | Boolean |
| rpc.fragment.overlap | Fragment overlap | Boolean |
| rpc.fragment.overlap.conflict | Conflicting data in fragment overlap | Boolean |
| rpc.fragment.toolongfragment | Fragment too long | Boolean |
| rpc.fragments | RPC Fragments | No value |
| rpc.lastfrag | Last Fragment | Boolean |
| rpc.msgtyp | Message Type | Unsigned 32-bit integer |
| rpc.procedure | Procedure | Unsigned 32-bit integer |
| rpc.program | Program | Unsigned 32-bit integer |
| rpc.programversion | Program Version | Unsigned 32-bit integer |
| rpc.programversion.max | Program Version (Maximum) | Unsigned 32-bit integer |
| rpc.programversion.min | Program Version (Minimum) | Unsigned 32-bit integer |
| rpc.reply.dup | Duplicate Reply | Unsigned 32-bit integer |
| rpc.replystat | Reply State | Unsigned 32-bit integer |
| rpc.state_accept | Accept State | Unsigned 32-bit integer |
| rpc.state_auth | Auth State | Unsigned 32-bit integer |
| rpc.state_reject | Reject State | Unsigned 32-bit integer |
| rpc.time | Time from request | Time duration |
| rpc.value_follows | Value Follows | Boolean |
| rpc.version | RPC Version | Unsigned 32-bit integer |
| rpc.version.max | RPC Version (Maximum) | Unsigned 32-bit integer |
| rpc.version.min | RPC Version (Minimum) | Unsigned 32-bit integer |
| rpc.xid | XID | Unsigned 32-bit integer |


Remote Quota (rquota)


Table A-217. Remote Quota (rquota)

| Field | Field Name | Type |
|---|---|---|
| rquota.active | active | Boolean |
| rquota.bhardlimit | bhardlimit | Unsigned 32-bit integer |
| rquota.bsize | bsize | Unsigned 32-bit integer |
| rquota.bsoftlimit | bsoftlimit | Unsigned 32-bit integer |
| rquota.btimeleft | btimeleft | Unsigned 32-bit integer |
| rquota.curblocks | curblocks | Unsigned 32-bit integer |
| rquota.curfiles | curfiles | Unsigned 32-bit integer |
| rquota.fhardlimit | fhardlimit | Unsigned 32-bit integer |
| rquota.fsoftlimit | fsoftlimit | Unsigned 32-bit integer |
| rquota.ftimeleft | ftimeleft | Unsigned 32-bit integer |
| rquota.pathp | pathp | String |
| rquota.rquota | rquota | No value |
| rquota.status | status | Unsigned 32-bit integer |
| rquota.uid | uid | Unsigned 32-bit integer |

Remote Shell (rsh)


Table A-218. Remote Shell (rsh)

| Field | Field Name | Type |
|---|---|---|
| rsh.request | Request | Boolean |
| rsh.response | Response | Boolean |

Remote Wall protocol (rwall)


Table A-219. Remote Wall protocol (rwall)

| Field | Field Name | Type |
|---|---|---|
| rwall.message | Message | String |


Resource ReserVation Protocol (RSVP) (rsvp)


Table A-220. Resource ReserVation Protocol (RSVP) (rsvp)

| Field | Field Name | Type |
|---|---|---|
| rsvp.acceptable_label_set | ACCEPTABLE LABEL SET | No value |
| rsvp.ack | Ack Message | Boolean |
| rsvp.admin_status | ADMIN STATUS | No value |
| rsvp.adspec | ADSPEC | No value |
| rsvp.bundle | Bundle Message | Boolean |
| rsvp.confirm | CONFIRM | No value |
| rsvp.dclass | DCLASS | No value |
| rsvp.error | ERROR | No value |
| rsvp.explicit_route | EXPLICIT ROUTE | No value |
| rsvp.filter | FILTERSPEC | No value |
| rsvp.flowspec | FLOWSPEC | No value |
| rsvp.generalized_uni | GENERALIZED UNI | No value |
| rsvp.hello | HELLO Message | Boolean |
| rsvp.hello_obj | HELLO Request/Ack | No value |
| rsvp.hop | HOP | No value |
| rsvp.integrity | INTEGRITY | No value |
| rsvp.label | LABEL | No value |
| rsvp.label_request | LABEL REQUEST | No value |
| rsvp.label_set | RESTRICTED LABEL SET | No value |
| rsvp.lsp_tunnel_if_id | LSP INTERFACE-ID | No value |
| rsvp.msg | Message Type | Unsigned 8-bit integer |
| rsvp.msgid | MESSAGE-ID | No value |
| rsvp.msgid_list | MESSAGE-ID LIST | No value |
| rsvp.notify_request | NOTIFY REQUEST | No value |
| rsvp.obj_unknown | Unknown object | No value |
| rsvp.object | Object class | Unsigned 8-bit integer |
| rsvp.path | Path Message | Boolean |
| rsvp.perr | Path Error Message | Boolean |
| rsvp.policy | POLICY | No value |
| rsvp.protection | PROTECTION | No value |
| rsvp.ptear | Path Tear Message | Boolean |
| rsvp.record_route | RECORD ROUTE | No value |
| rsvp.recovery_label | RECOVERY LABEL | No value |
| rsvp.rerr | Resv Error Message | Boolean |
| rsvp.restart | RESTART CAPABILITY | No value |
| rsvp.resv | Resv Message | Boolean |
| rsvp.resvconf | Resv Confirm Message | Boolean |
| rsvp.rtear | Resv Tear Message | Boolean |
| rsvp.rtearconf | Resv Tear Confirm Message | Boolean |
| rsvp.scope | SCOPE | No value |
| rsvp.sender | SENDER TEMPLATE | No value |
| rsvp.sender.ip | Sender IPv4 address | IPv4 address |
| rsvp.sender.lsp_id | Sender LSP ID | Unsigned 16-bit integer |
| rsvp.sender.port | Sender port number | Unsigned 16-bit integer |
| rsvp.session | SESSION | No value |
| rsvp.session.ext_tunnel_id | Extended tunnel ID | Unsigned 32-bit integer |
| rsvp.session.ip | Destination address | IPv4 address |
| rsvp.session.port | Port number | Unsigned 16-bit integer |
| rsvp.session.proto | Protocol | Unsigned 8-bit integer |
| rsvp.session.tunnel_id | Tunnel ID | Unsigned 16-bit integer |
| rsvp.session_attribute | SESSION ATTRIBUTE | No value |
| rsvp.srefresh | Srefresh Message | Boolean |
| rsvp.style | STYLE | No value |
| rsvp.suggested_label | SUGGESTED LABEL | No value |
| rsvp.time | TIME VALUES | No value |
| rsvp.tspec | SENDER TSPEC | No value |
| rsvp.upstream_label | UPSTREAM LABEL | No value |

Rlogin Protocol (rlogin)


Table A-221. Rlogin Protocol (rlogin)

| Field | Field Name | Type |
|---|---|---|
| rlogin.user_info | User Info | No value |
| rlogin.window_size | Window Info | No value |
| rlogin.window_size.cols | Columns | Unsigned 16-bit integer |
| rlogin.window_size.rows | Rows | Unsigned 16-bit integer |
| rlogin.window_size.x_pixels | Pixels X | Unsigned 16-bit integer |
| rlogin.window_size.y_pixels | Pixels Y | Unsigned 16-bit integer |

Routing Information Protocol (rip)


Table A-222. Routing Information Protocol (rip)

| Field | Field Name | Type |
|---|---|---|
| rip.auth.passwd | Password | String |
| rip.auth.type | Authentication type | Unsigned 16-bit integer |
| rip.command | Command | Unsigned 8-bit integer |
| rip.family | Address Family | Unsigned 16-bit integer |
| rip.ip | IP Address | IPv4 address |
| rip.metric | Metric | Unsigned 16-bit integer |
| rip.netmask | Netmask | IPv4 address |
| rip.next_hop | Next Hop | IPv4 address |
| rip.route_tag | Route Tag | Unsigned 16-bit integer |
| rip.routing_domain | Routing Domain | Unsigned 16-bit integer |
| rip.version | Version | Unsigned 8-bit integer |

Routing Table Maintenance Protocol (rtmp)


Table A-223. Routing Table Maintenance Protocol (rtmp)

| Field | Field Name | Type |
|---|---|---|
| nbp.nodeid | Node | Unsigned 8-bit integer |
| nbp.nodeid.length | Node Length | Unsigned 8-bit integer |
| rtmp.function | Function | Unsigned 8-bit integer |
| rtmp.net | Net | Unsigned 16-bit integer |
| rtmp.tuple.dist | Distance | Unsigned 16-bit integer |
| rtmp.tuple.net | Net | Unsigned 16-bit integer |
| rtmp.tuple.range_end | Range End | Unsigned 16-bit integer |
| rtmp.tuple.range_start | Range Start | Unsigned 16-bit integer |


SADMIND (sadmind)
Table A-224. SADMIND (sadmind)

| Field | Field Name | Type |
|---|---|---|

SCSI (scsi)
Table A-225. SCSI (scsi)

| Field | Field Name | Type |
|---|---|---|
| scsi.cdb.alloclen | Allocation Length | Unsigned 8-bit integer |
| scsi.cdb.alloclen16 | Allocation Length | Unsigned 16-bit integer |
| scsi.cdb.alloclen32 | Allocation Length | Unsigned 32-bit integer |
| scsi.cdb.control | Control | Unsigned 8-bit integer |
| scsi.cdb.defectfmt | Defect List Format | Unsigned 8-bit integer |
| scsi.cdb.mode.flags | Mode Sense/Select Flags | Unsigned 8-bit integer |
| scsi.cdb.paramlen | Parameter Length | Unsigned 8-bit integer |
| scsi.cdb.paramlen16 | Parameter Length | Unsigned 16-bit integer |
| scsi.formatunit.flags | Flags | Unsigned 8-bit integer |
| scsi.formatunit.interleave | Interleave | Unsigned 16-bit integer |
| scsi.formatunit.vendor | Vendor Unique | Unsigned 8-bit integer |
| scsi.inquiry.cmdt.pagecode | CMDT Page Code | Unsigned 8-bit integer |
| scsi.inquiry.devtype | Device Type | Unsigned 8-bit integer |
| scsi.inquiry.evpd.pagecode | EVPD Page Code | Unsigned 8-bit integer |
| scsi.inquiry.flags | Flags | Unsigned 8-bit integer |
| scsi.inquiry.normaca | NormACA | Unsigned 8-bit integer |
| scsi.inquiry.version | Version | Unsigned 8-bit integer |
| scsi.log.pc | Page Control | Unsigned 8-bit integer |
| scsi.logsel.flags | Flags | Unsigned 8-bit integer |
| scsi.logsns.flags | Flags | Unsigned 16-bit integer |
| scsi.logsns.pagecode | Page Code | Unsigned 8-bit integer |
| scsi.mode.flags | Flags | Unsigned 8-bit integer |
| scsi.mode.mrie | MRIE | Unsigned 8-bit integer |
| scsi.mode.pagecode | Page Code | Unsigned 8-bit integer |
| scsi.mode.pc | Page Control | Unsigned 8-bit integer |
| scsi.mode.qerr | Queue Error Management | Boolean |
| scsi.mode.qmod | Queue Algorithm Modifier | Unsigned 8-bit integer |
| scsi.mode.tac | Task Aborted Status | Boolean |
| scsi.mode.tst | Task Set Type | Unsigned 8-bit integer |
| scsi.persresv.scope | Reservation Scope | Unsigned 8-bit integer |
| scsi.persresv.type | Reservation Type | Unsigned 8-bit integer |
| scsi.persresvin.svcaction | Service Action | Unsigned 8-bit integer |
| scsi.persresvout.svcaction | Service Action | Unsigned 8-bit integer |
| scsi.proto | Protocol | Unsigned 8-bit integer |
| scsi.rdwr10.lba | Logical Block Address (LBA) | Unsigned 32-bit integer |
| scsi.rdwr10.xferlen | Transfer Length | Unsigned 16-bit integer |
| scsi.rdwr12.xferlen | Transfer Length | Unsigned 32-bit integer |
| scsi.rdwr16.lba | Logical Block Address (LBA) | Byte array |
| scsi.rdwr6.lba | Logical Block Address (LBA) | Unsigned 24-bit integer |
| scsi.rdwr6.xferlen | Transfer Length | Unsigned 8-bit integer |
| scsi.read.flags | Flags | Unsigned 8-bit integer |
| scsi.readcapacity.flags | Flags | Unsigned 8-bit integer |
| scsi.readcapacity.lba | Logical Block Address | Unsigned 32-bit integer |
| scsi.readcapacity.pmi | PMI | Unsigned 8-bit integer |
| scsi.readdefdata.flags | Flags | Unsigned 8-bit integer |
| scsi.reassignblks.flags | Flags | Unsigned 8-bit integer |
| scsi.release.flags | Release Flags | Unsigned 8-bit integer |
| scsi.release.thirdpartyid | Third-Party ID | Byte array |
| scsi.reportluns.lun | LUN | Unsigned 8-bit integer |
| scsi.reportluns.mlun | Multi-level LUN | Byte array |
| scsi.sbc.opcode | SBC-2 Opcode | Unsigned 8-bit integer |
| scsi.sns.addlen | Additional Sense Length | Unsigned 8-bit integer |
| scsi.sns.asc | Additional Sense Code | Unsigned 8-bit integer |
| scsi.sns.ascascq | Additional Sense Code+Qualifier | Unsigned 16-bit integer |
| scsi.sns.ascq | Additional Sense Code Qualifier | Unsigned 8-bit integer |
| scsi.sns.errtype | SNS Error Type | Unsigned 8-bit integer |
| scsi.sns.fru | Field Replaceable Unit Code | Unsigned 8-bit integer |
| scsi.sns.info | Sense Info | Unsigned 32-bit integer |
| scsi.sns.key | Sense Key | Unsigned 8-bit integer |
| scsi.sns.sksv | SKSV | Boolean |
| scsi.spc.opcode | SPC-2 Opcode | Unsigned 8-bit integer |
| scsi.spc2.addcdblen | Additional CDB Length | Unsigned 8-bit integer |
| scsi.spc2.resv.key | Reservation Key | Byte array |
| scsi.spc2.resv.scopeaddr | Scope Address | Byte array |
| scsi.spc2.svcaction | Service Action | Unsigned 16-bit integer |
| scsi.ssc.opcode | SSC-2 Opcode | Unsigned 8-bit integer |
| ssci.mode.rac | Report a Check | Boolean |

SMB (Server Message Block Protocol) (smb)


Table A-226. SMB (Server Message Block Protocol) (smb)

| Field | Field Name | Type |
|---|---|---|
| smb.access.append | Append | Boolean |
| smb.access.caching | Caching | Boolean |
| smb.access.delete | Delete | Boolean |
| smb.access.delete_child | Delete Child | Boolean |
| smb.access.execute | Execute | Boolean |
| smb.access.generic_all | Generic All | Boolean |
| smb.access.generic_execute | Generic Execute | Boolean |
| smb.access.generic_read | Generic Read | Boolean |
| smb.access.generic_write | Generic Write | Boolean |
| smb.access.locality | Locality | Unsigned 16-bit integer |
| smb.access.maximum_allowed | Maximum Allowed | Boolean |
| smb.access.mode | Access Mode | Unsigned 16-bit integer |
| smb.access.read | Read | Boolean |
| smb.access.read_attributes | Read Attributes | Boolean |
| smb.access.read_control | Read Control | Boolean |


| Field | Field Name | Type |
|---|---|---|
| smb.access.read_ea | Read EA | Boolean |
| smb.access.sharing | Sharing Mode | Unsigned 16-bit integer |
| smb.access.smb.date | Last Access Date | Unsigned 16-bit integer |
| smb.access.smb.time | Last Access Time | Unsigned 16-bit integer |
| smb.access.synchronize | Synchronize | Boolean |
| smb.access.system_security | System Security | Boolean |
| smb.access.time | Last Access | Date/Time stamp |
| smb.access.write | Write | Boolean |
| smb.access.write_attributes | Write Attributes | Boolean |
| smb.access.write_dac | Write DAC | Boolean |
| smb.access.write_ea | Write EA | Boolean |
| smb.access.write_owner | Write Owner | Boolean |
| smb.access.writethrough | Writethrough | Boolean |
| smb.account | Account | String |
| smb.ace.flags.container_inherit | Container Inherit | Boolean |
| smb.ace.flags.failed_access | Audit Failed Accesses | Boolean |
| smb.ace.flags.inherit_only | Inherit Only | Boolean |
| smb.ace.flags.inherited_ace | Inherited ACE | Boolean |
| smb.ace.flags.non_propagate_inherit | Non-Propagate Inherit | Boolean |
| smb.ace.flags.object_inherit | Object Inherit | Boolean |
| smb.ace.flags.successful_access | Audit Successful Accesses | Boolean |
| smb.ace.size | Size | Unsigned 16-bit integer |
| smb.ace.type | Type | Unsigned 8-bit integer |
| smb.acl.num_aces | Num ACEs | Unsigned 32-bit integer |
| smb.acl.revision | Revision | Unsigned 16-bit integer |
| smb.acl.size | Size | Unsigned 16-bit integer |
| smb.actual_free_alloc_units | Actual Free Units | |
| smb.alignment | Alignment | Unsigned 32-bit integer |
| smb.alloc_size | Allocation Size | Unsigned 32-bit integer |
| smb.andxoffset | AndXOffset | Unsigned 16-bit integer |


| Field | Field Name | Type |
|---|---|---|
| smb.ansi_password | ANSI Password | Byte array |
| smb.ansi_pwlen | ANSI Password Length | Unsigned 16-bit integer |
| smb.avail.units | Available Units | Unsigned 32-bit integer |
| smb.bcc | Byte Count (BCC) | Unsigned 16-bit integer |
| smb.blocksize | Block Size | Unsigned 16-bit integer |
| smb.bpu | Blocks Per Unit | Unsigned 16-bit integer |
| smb.buffer_format | Buffer Format | Unsigned 8-bit integer |
| smb.caller_free_alloc_units | Caller Free Units | |
| smb.cancel_to | Cancel to | Unsigned 32-bit integer |
| smb.change.time | Change | Date/Time stamp |
| smb.change_count | Change Count | Unsigned 16-bit integer |
| smb.cmd | SMB Command | Unsigned 8-bit integer |
| smb.compressed.chunk_shift | Chunk Shift | Unsigned 8-bit integer |
| smb.compressed.cluster_shift | Cluster Shift | Unsigned 8-bit integer |
| smb.compressed.file_size | Compressed Size | |
| smb.compressed.format | Compression Format | Unsigned 16-bit integer |
| smb.compressed.unit_shift | Unit Shift | Unsigned 8-bit integer |
| smb.connect.flags.dtid | Disconnect TID | Boolean |
| smb.connect.support.dfs | In Dfs | Boolean |
| smb.connect.support.search | Search Bits | Boolean |
| smb.continuation_to | Continuation to | Unsigned 32-bit integer |
| smb.copy.flags.dest_mode | Destination mode | Boolean |
| smb.copy.flags.dir | Must be directory | Boolean |
| smb.copy.flags.ea_action | EA action if EAs not supported on dest | Boolean |
| smb.copy.flags.file | Must be file | Boolean |
| smb.copy.flags.source_mode | Source mode | Boolean |
| smb.copy.flags.tree_copy | Tree copy | Boolean |
| smb.copy.flags.verify | Verify writes | Boolean |
| smb.count | Count | Unsigned 32-bit integer |
| smb.create.action | Create action | Unsigned 32-bit integer |
| smb.create.disposition | Disposition | Unsigned 32-bit integer |


| Field | Field Name | Type |
|---|---|---|
| smb.create.file_id | Server unique file ID | Unsigned 32-bit integer |
| smb.create.smb.date | Create Date | Unsigned 16-bit integer |
| smb.create.smb.time | Create Time | Unsigned 16-bit integer |
| smb.create.time | Created | Date/Time stamp |
| smb.data_disp | Data Displacement | Unsigned 16-bit integer |
| smb.data_len | Data Length | Unsigned 16-bit integer |
| smb.data_offset | Data Offset | Unsigned 16-bit integer |
| smb.data_size | Data Size | Unsigned 32-bit integer |
| smb.dc | Data Count | Unsigned 16-bit integer |
| smb.dcm | Data Compaction Mode | Unsigned 16-bit integer |
| smb.delete_pending | Delete Pending | Unsigned 16-bit integer |
| smb.destination_name | Destination Name | String |
| smb.device.floppy | Floppy | Boolean |
| smb.device.mounted | Mounted | Boolean |
| smb.device.read_only | Read Only | Boolean |
| smb.device.remote | Remote | Boolean |
| smb.device.removable | Removable | Boolean |
| smb.device.type | Device Type | Unsigned 32-bit integer |
| smb.device.virtual | Virtual | Boolean |
| smb.device.write_once | Write Once | Boolean |
| smb.dfs.flags.fielding | Fielding | Boolean |
| smb.dfs.flags.server_hold_storage | Hold Storage | Boolean |
| smb.dfs.num_referrals | Num Referrals | Unsigned 16-bit integer |
| smb.dfs.path_consumed | Path Consumed | Unsigned 16-bit integer |
| smb.dfs.referral.alt_path | Alt Path | String |
| smb.dfs.referral.alt_path_offset | Alt Path Offset | Unsigned 16-bit integer |
| smb.dfs.referral.flags.strip | Strip | Boolean |
| smb.dfs.referral.node | Node | String |
| smb.dfs.referral.node_offset | Node Offset | Unsigned 16-bit integer |
| smb.dfs.referral.path | Path | String |
| smb.dfs.referral.path_offset | Path Offset | Unsigned 16-bit integer |
| smb.dfs.referral.proximity | Proximity | Unsigned 16-bit integer |


| Field | Field Name | Type |
|---|---|---|
| smb.dfs.referral.server.type | Server Type | Unsigned 16-bit integer |
| smb.dfs.referral.size | Size | Unsigned 16-bit integer |
| smb.dfs.referral.ttl | TTL | Unsigned 16-bit integer |
| smb.dfs.referral.version | Version | Unsigned 16-bit integer |
| smb.dialect.index | Selected Index | Unsigned 16-bit integer |
| smb.dialect.name | Name | String |
| smb.dir_name | Directory | String |
| smb.ea.error_offset | EA Error offset | Unsigned 32-bit integer |
| smb.ea.length | EA Length | Unsigned 32-bit integer |
| smb.ea_size | EA Size | Unsigned 32-bit integer |
| smb.echo.count | Echo Count | Unsigned 16-bit integer |
| smb.echo.data | Echo Data | Byte array |
| smb.echo.seq_num | Echo Seq Num | Unsigned 16-bit integer |
| smb.encryption_key | Encryption Key | Byte array |
| smb.encryption_key_length | Key Length | Unsigned 16-bit integer |
| smb.end_of_file | End Of File | |
| smb.end_of_search | End Of Search | Unsigned 16-bit integer |
| smb.error_class | Error Class | Unsigned 8-bit integer |
| smb.error_code | Error Code | Unsigned 16-bit integer |
| smb.ext_attr | Extended Attributes | Byte array |
| smb.ff2_loi | Level of Interest | Unsigned 16-bit integer |
| smb.fid | FID | Unsigned 16-bit integer |
| smb.file | File Name | String |
| smb.file_attribute.archive | Archive | Boolean |
| smb.file_attribute.backup_semantics | Backup | Boolean |
| smb.file_attribute.compressed | Compressed | Boolean |
| smb.file_attribute.delete_on_close | Delete on Close | Boolean |
| smb.file_attribute.device | Device | Boolean |
| smb.file_attribute.directory | Directory | Boolean |
| smb.file_attribute.encrypted | Encrypted | Boolean |
| smb.file_attribute.hidden | Hidden | Boolean |


| Field | Field Name | Type |
|---|---|---|
| smb.file_attribute.no_buffering | No Buffering | Boolean |
| smb.file_attribute.normal | Normal | Boolean |
| smb.file_attribute.not_content_indexed | Content Indexed | Boolean |
| smb.file_attribute.offline | Offline | Boolean |
| smb.file_attribute.posix_semantics | Posix | Boolean |
| smb.file_attribute.random_access | Random Access | Boolean |
| smb.file_attribute.read_only | Read Only | Boolean |
| smb.file_attribute.reparse | Reparse Point | Boolean |
| smb.file_attribute.sequential_scan | Sequential Scan | Boolean |
| smb.file_attribute.sparse | Sparse | Boolean |
| smb.file_attribute.system | System | Boolean |
| smb.file_attribute.temporary | Temporary | Boolean |
| smb.file_attribute.volume | Volume ID | Boolean |
| smb.file_attribute.write_through | Write Through | Boolean |
| smb.file_data | File Data | Byte array |
| smb.file_index | File Index | Unsigned 32-bit integer |
| smb.file_name_len | File Name Len | Unsigned 32-bit integer |
| smb.file_size | File Size | Unsigned 32-bit integer |
| smb.file_type | File Type | Unsigned 16-bit integer |
| smb.files_moved | Files Moved | Unsigned 16-bit integer |
| smb.find_first2.flags.backup | Backup Intent | Boolean |
| smb.find_first2.flags.close | Close | Boolean |
| smb.find_first2.flags.continue | Continue | Boolean |
| smb.find_first2.flags.eos | Close on EOS | Boolean |
| smb.find_first2.flags.resume | Resume | Boolean |
| smb.flags.canon | Canonicalized Pathnames | Boolean |
| smb.flags.caseless | Case Sensitivity | Boolean |
| smb.flags.lock | Lock and Read | Boolean |


| Field | Field Name | Type |
|---|---|---|
| smb.flags.notify | Notify | Boolean |
| smb.flags.oplock | Oplocks | Boolean |
| smb.flags.receive_buffer | Receive Buffer Posted | Boolean |
| smb.flags.response | Request/Response | Boolean |
| smb.flags2.dfs | Dfs | Boolean |
| smb.flags2.ea | Extended Attributes | Boolean |
| smb.flags2.esn | Extended Security Negotiation | Boolean |
| smb.flags2.long_names_allowed | Long Names Allowed | Boolean |
| smb.flags2.long_names_used | Long Names Used | Boolean |
| smb.flags2.nt_error | Error Code Type | Boolean |
| smb.flags2.roe | Execute-only Reads | Boolean |
| smb.flags2.sec_sig | Security Signatures | Boolean |
| smb.flags2.string | Unicode Strings | Boolean |
| smb.fn_loi | Level of Interest | Unsigned 16-bit integer |
| smb.forwarded_name | Forwarded Name | String |
| smb.free_alloc_units | Free Units | |
| smb.free_units | Free Units | Unsigned 16-bit integer |
| smb.fs_attr.cpn | Case Preserving | Boolean |
| smb.fs_attr.css | Case Sensitive Search | Boolean |
| smb.fs_attr.dim | Mounted | Boolean |
| smb.fs_attr.fc | Compression | Boolean |
| smb.fs_attr.pacls | Persistent ACLs | Boolean |
| smb.fs_attr.vic | Compressed | Boolean |
| smb.fs_attr.vq | Volume Quotas | Boolean |
| smb.fs_bytes_per_sector | Bytes per Sector | Unsigned 32-bit integer |
| smb.fs_id | FS Id | Unsigned 32-bit integer |
| smb.fs_max_name_len | Max name length | Unsigned 32-bit integer |
| smb.fs_name | FS Name | String |
| smb.fs_name.len | Label Length | Unsigned 32-bit integer |
| smb.fs_sector_per_unit | Sectors/Unit | Unsigned 32-bit integer |
| smb.fs_units | Total Units | Unsigned 32-bit integer |
| smb.impersonation.level | Impersonation | Unsigned 32-bit integer |
| smb.index_number | Index Number | |
| smb.ipc_state.endpoint | Endpoint | Unsigned 16-bit integer |


| Field | Field Name | Type |
|---|---|---|
| smb.ipc_state.icount | Icount | Unsigned 16-bit integer |
| smb.ipc_state.nonblocking | Nonblocking | Boolean |
| smb.ipc_state.pipe_type | Pipe Type | Unsigned 16-bit integer |
| smb.ipc_state.read_mode | Read Mode | Unsigned 16-bit integer |
| smb.is_directory | Is Directory | Unsigned 8-bit integer |
| smb.last_name_offset | Last Name Offset | Unsigned 16-bit integer |
| smb.last_write.smb.date | Last Write Date | Unsigned 16-bit integer |
| smb.last_write.smb.time | Last Write Time | Unsigned 16-bit integer |
| smb.last_write.time | Last Write | Date/Time stamp |
| smb.link_count | Link Count | Unsigned 32-bit integer |
| smb.list_len | ListLength | Unsigned 32-bit integer |
| smb.lock.length | Length | |
| smb.lock.offset | Offset | |
| smb.lock.type.cancel | Cancel | Boolean |
| smb.lock.type.change | Change | Boolean |
| smb.lock.type.large | Large Files | Boolean |
| smb.lock.type.oplock_release | Oplock Break | Boolean |
| smb.lock.type.shared | Shared | Boolean |
| smb.locking.num_locks | Number of Locks | Unsigned 16-bit integer |
| smb.locking.num_unlocks | Number of Unlocks | Unsigned 16-bit integer |
| smb.locking.oplock.level | Oplock Level | Unsigned 8-bit integer |
| smb.loi | Level of Interest | Unsigned 16-bit integer |
| smb.machine_name | Machine Name | String |
| smb.max_buf | Max Buffer | Unsigned 16-bit integer |
| smb.max_bufsize | Max Buffer Size | Unsigned 32-bit integer |
| smb.max_mpx_count | Max Mpx Count | Unsigned 16-bit integer |
| smb.max_raw | Max Raw Buffer | Unsigned 32-bit integer |
| smb.max_referral_level | Max Referral Level | Unsigned 16-bit integer |
| smb.max_vcs | Max VCs | Unsigned 16-bit integer |
| smb.maxcount | Max Count | Unsigned 16-bit integer |
| smb.mdc | Max Data Count | Unsigned 32-bit integer |
| smb.message | Message | String |
| smb.message.len | Message Len | Unsigned 16-bit integer |
| smb.mgid | Message Group ID | Unsigned 16-bit integer |
| smb.mid | Multiplex ID | Unsigned 16-bit integer |


| Field | Field Name | Type |
|---|---|---|
| smb.mincount | Min Count | Unsigned 16-bit integer |
| smb.monitor_handle | Monitor Handle | Unsigned 16-bit integer |
| smb.move.flags.dir | Must be directory | Boolean |
| smb.move.flags.file | Must be file | Boolean |
| smb.move.flags.verify | Verify writes | Boolean |
| smb.mpc | Max Parameter Count | Unsigned 32-bit integer |
| smb.msc | Max Setup Count | Unsigned 8-bit integer |
| smb.native_fs | Native File System | String |
| smb.native_lanman | Native LAN Manager | String |
| smb.native_os | Native OS | String |
| smb.next_entry_offset | Next Entry Offset | Unsigned 32-bit integer |
| smb.nt.create.batch_oplock | Batch Oplock | Boolean |
| smb.nt.create.dir | Create Directory | Boolean |
| smb.nt.create.oplock | Exclusive Oplock | Boolean |
| smb.nt.create_options.delete_on_close | Delete On Close | Boolean |
| smb.nt.create_options.directory | Directory | Boolean |
| smb.nt.create_options.eight_dot_three_only | 8.3 Only | Boolean |
| smb.nt.create_options.no_ea_knowledge | No EA Knowledge | Boolean |
| smb.nt.create_options.non_directory | Non-Directory | Boolean |
| smb.nt.create_options.random_access | Random Access | Boolean |
| smb.nt.create_options.sequential_only | Sequential Only | Boolean |
| smb.nt.create_options.sync_io_alert | Sync I/O Alert | Boolean |
| smb.nt.create_options.sync_io_nonalert | Sync I/O Nonalert | Boolean |
| smb.nt.create_options.write_through | Write Through | Boolean |
| smb.nt.function | Function | Unsigned 16-bit integer |
| smb.nt.ioctl.data | IOCTL Data | Byte array |
| smb.nt.ioctl.flags.root_handle | Root Handle | Boolean |


| Field | Field Name | Type |
|---|---|---|
| smb.nt.ioctl.function | Function | Unsigned 32-bit integer |
| smb.nt.ioctl.isfsctl | IsFSctl | Unsigned 8-bit integer |
| smb.nt.notify.action | Action | Unsigned 32-bit integer |
| smb.nt.notify.attributes | Attribute Change | Boolean |
| smb.nt.notify.creation | Created Change | Boolean |
| smb.nt.notify.dir_name | Directory Name Change | Boolean |
| smb.nt.notify.ea | EA Change | Boolean |
| smb.nt.notify.file_name | File Name Change | Boolean |
| smb.nt.notify.last_access | Last Access Change | Boolean |
| smb.nt.notify.last_write | Last Write Change | Boolean |
| smb.nt.notify.security | Security Change | Boolean |
| smb.nt.notify.size | Size Change | Boolean |
| smb.nt.notify.stream_name | Stream Name Change | Boolean |
| smb.nt.notify.stream_size | Stream Size Change | Boolean |
| smb.nt.notify.stream_write | Stream Write | Boolean |
| smb.nt.notify.watch_tree | Watch Tree | Unsigned 8-bit integer |
| smb.nt_qsd.dacl | DACL | Boolean |
| smb.nt_qsd.group | Group | Boolean |
| smb.nt_qsd.owner | Owner | Boolean |
| smb.nt_qsd.sacl | SACL | Boolean |
| smb.nt_status | NT Status | Unsigned 32-bit integer |
| smb.ntr_clu | Cluster count | Unsigned 32-bit integer |
| smb.ntr_loi | Level of Interest | Unsigned 16-bit integer |
| smb.offset | Offset | Unsigned 32-bit integer |
| smb.offset_high | High Offset | Unsigned 32-bit integer |
| smb.open.action.lock | Exclusive Open | Boolean |
| smb.open.action.open | Open Action | Unsigned 16-bit integer |
| smb.open.flags.add_info | Additional Info | Boolean |
| smb.open.flags.batch_oplock | Batch Oplock | Boolean |
| smb.open.flags.ealen | Total EA Len | Boolean |
| smb.open.flags.ex_oplock | Exclusive Oplock | Boolean |
| smb.open.function.create | Create | Boolean |
| smb.open.function.open | Open | Unsigned 16-bit integer |
| smb.oplock.level | Oplock level | Unsigned 8-bit integer |


| Field | Field Name | Type |
|---|---|---|
| smb.originator_name | Originator Name | String |
| smb.padding | Padding | Byte array |
| smb.password | Password | Byte array |
| smb.path | Path | String |
| smb.pc | Parameter Count | Unsigned 16-bit integer |
| smb.pd | Parameter Displacement | Unsigned 16-bit integer |
| smb.pid | Process ID | Unsigned 16-bit integer |
| smb.po | Parameter Offset | Unsigned 16-bit integer |
| smb.primary_domain | Primary Domain | String |
| smb.print.identifier | Identifier | String |
| smb.print.mode | Mode | Unsigned 16-bit integer |
| smb.print.queued.date | Queued | Date/Time stamp |
| smb.print.queued.smb.date | Queued Date | Unsigned 16-bit integer |
| smb.print.queued.smb.time | Queued Time | Unsigned 16-bit integer |
| smb.print.restart_index | Restart Index | Unsigned 16-bit integer |
| smb.print.setup.len | Setup Len | Unsigned 16-bit integer |
| smb.print.spool.file_number | Spool File Number | Unsigned 16-bit integer |
| smb.print.spool.file_size | Spool File Size | Unsigned 32-bit integer |
| smb.print.spool.name | Name | Byte array |
| smb.print.start_index | Start Index | Unsigned 16-bit integer |
| smb.print.status | Status | Unsigned 8-bit integer |
| smb.pwlen | Password Length | Unsigned 16-bit integer |
| smb.q_loi | Level of Interest | Unsigned 16-bit integer |
| smb.quota.flags.deny_disk | Deny Disk | Boolean |
| smb.quota.flags.enabled | Enabled | Boolean |
| smb.quota.flags.log_limit | Log Limit | Boolean |
| smb.quota.flags.log_warning | Log Warning | Boolean |
| smb.quota.hard.default | (Hard) Quota Limit | |
| smb.quota.soft.default | (Soft) Quota Treshold | |
| smb.quota.used | Quota Used | |
| smb.quota.user.offset | Next Offset | Unsigned 32-bit integer |
| smb.remaining | Remaining | Unsigned 32-bit integer |
| smb.request.mask | Request Mask | Unsigned 32-bit integer |


| Field | Field Name | Type |
|---|---|---|
| smb.reserved | Reserved | Byte array |
| smb.response.mask | Response Mask | Unsigned 32-bit integer |
| smb.response_in | Response in | Unsigned 32-bit integer |
| smb.response_to | Response to | Unsigned 32-bit integer |
| smb.resume | Resume Key | Unsigned 32-bit integer |
| smb.resume.client.cookie | Client Cookie | Byte array |
| smb.resume.find_id | Find ID | Unsigned 8-bit integer |
| smb.resume.key_len | Resume Key Length | Unsigned 16-bit integer |
| smb.resume.server.cookie | Server Cookie | Byte array |
| smb.rfid | Root FID | Unsigned 32-bit integer |
| smb.rm.read | Read Raw | Boolean |
| smb.rm.write | Write Raw | Boolean |
| smb.sc | Setup Count | Unsigned 8-bit integer |
| smb.sd.length | SD Length | Unsigned 32-bit integer |
| smb.search.attribute.archive | Archive | Boolean |
| smb.search.attribute.directory | Directory | Boolean |
| smb.search.attribute.hidden | Hidden | Boolean |
| smb.search.attribute.read_only | Read Only | Boolean |
| smb.search.attribute.system | System | Boolean |
| smb.search.attribute.volume | Volume ID | Boolean |
| smb.search_count | Search Count | Unsigned 16-bit integer |
| smb.search_pattern | Search Pattern | String |
| smb.sec_desc.revision | Revision | Unsigned 16-bit integer |
| smb.sec_desc.type.dacl_auto_inherit_req | DACL Auto Inherit Required | Boolean |
| smb.sec_desc.type.dacl_auto_inherited | DACL Auto Inherited | Boolean |
| smb.sec_desc.type.dacl_defaulted | DACL Defaulted | Boolean |
| smb.sec_desc.type.dacl_present | DACL Present | Boolean |
| smb.sec_desc.type.dacl_protected | DACL Protected | Boolean |


| Field | Field Name | Type |
|---|---|---|
| smb.sec_desc.type.group_defaulted | Group Defaulted | Boolean |
| smb.sec_desc.type.owner_defaulted | Owner Defaulted | Boolean |
| smb.sec_desc.type.sacl_auto_inherit_req | SACL Auto Inherit Required | Boolean |
| smb.sec_desc.type.sacl_auto_inherited | SACL Auto Inherited | Boolean |
| smb.sec_desc.type.sacl_defaulted | SACL Defaulted | Boolean |
| smb.sec_desc.type.sacl_present | SACL Present | Boolean |
| smb.sec_desc.type.sacl_protected | SACL Protected | Boolean |
| smb.sec_desc.type.self_relative | Self Relative | Boolean |
| smb.sec_desc_len | NT Security Descriptor Length | Unsigned 32-bit integer |
| smb.security.flags.context_tracking | Context Tracking | Boolean |
| smb.security.flags.effective_only | Effective Only | Boolean |
| smb.security_blob | Security Blob | Byte array |
| smb.security_blob_len | Security Blob Length | Unsigned 16-bit integer |
| smb.seek_mode | Seek Mode | Unsigned 16-bit integer |
| smb.segment | SMB Segment | No value |
| smb.segment.error | Defragmentation error | No value |
| smb.segment.multipletails | Multiple tail fragments found | Boolean |
| smb.segment.overlap | Fragment overlap | Boolean |
| smb.segment.overlap.conflict | Conflicting data in fragment overlap | Boolean |
| smb.segment.segments | SMB Segments | No value |
| smb.segment.toolongfragment | Fragment too long | Boolean |
| smb.server_cap.bulk_transfer | Bulk Transfer | Boolean |
| smb.server_cap.compressed_data | Compressed Data | Boolean |
| smb.server_cap.dfs | Dfs | Boolean |


| Field | Field Name | Type |
|---|---|---|
| smb.server_cap.extended_security | Extended Security | Boolean |
| smb.server_cap.infolevel_passthru | Infolevel Passthru | Boolean |
| smb.server_cap.large_files | Large Files | Boolean |
| smb.server_cap.large_readx | Large ReadX | Boolean |
| smb.server_cap.large_writex | Large WriteX | Boolean |
| smb.server_cap.level_2_oplocks | Level 2 Oplocks | Boolean |
| smb.server_cap.lock_and_read | Lock and Read | Boolean |
| smb.server_cap.mpx_mode | MPX Mode | Boolean |
| smb.server_cap.nt_find | NT Find | Boolean |
| smb.server_cap.nt_smbs | NT SMBs | Boolean |
| smb.server_cap.nt_status | NT Status Codes | Boolean |
| smb.server_cap.raw_mode | Raw Mode | Boolean |
| smb.server_cap.reserved | Reserved | Boolean |
| smb.server_cap.rpc_remote_apis | RPC Remote APIs | Boolean |
| smb.server_cap.unicode | Unicode | Boolean |
| smb.server_cap.unix | UNIX | Boolean |
| smb.server_date_time | Server Date and Time | Date/Time stamp |
| smb.server_date_time.smb_date | Server Date | Unsigned 16-bit integer |
| smb.server_date_time.smb_time | Server Time | Unsigned 16-bit integer |
| smb.server_fid | Server FID | Unsigned 32-bit integer |
| smb.server_guid | Server GUID | Byte array |
| smb.server_timezone | Time Zone | Signed 16-bit integer |
| smb.service | Service | String |
| smb.session_key | Session Key | Unsigned 32-bit integer |
| smb.setup.action.guest | Guest | Boolean |
| smb.share.access.delete | Delete | Boolean |
| smb.share.access.read | Read | Boolean |
| smb.share.access.write | Write | Boolean |


| Field | Field Name | Type |
|---|---|---|
| smb.short_file | Short File Name | String |
| smb.short_file_name_len | Short File Name Len | Unsigned 32-bit integer |
| smb.sid | SID | Unsigned 16-bit integer |
| smb.sid.num_auth | Num Auth | Unsigned 8-bit integer |
| smb.sid.revision | Revision | Unsigned 8-bit integer |
| smb.sm.mode | Mode | Boolean |
| smb.sm.password | Password | Boolean |
| smb.sm.sig_required | Sig Req | Boolean |
| smb.sm.signatures | Signatures | Boolean |
| smb.storage_type | Storage Type | Unsigned 32-bit integer |
| smb.stream_name | Stream Name | String |
| smb.stream_name_len | Stream Name Length | Unsigned 32-bit integer |
| smb.stream_size | Stream Size | |
| smb.system.time | System Time | Date/Time stamp |
| smb.tdc | Total Data Count | Unsigned 32-bit integer |
| smb.tid | Tree ID | Unsigned 16-bit integer |
| smb.time | Time from request | Time duration |
| smb.timeout | Timeout | Unsigned 32-bit integer |
| smb.total_data_len | Total Data Length | Unsigned 16-bit integer |
| smb.tpc | Total Parameter Count | Unsigned 32-bit integer |
| smb.trans2.cmd | Subcommand | Unsigned 16-bit integer |
| smb.trans_name | Transaction Name | String |
| smb.transaction.flags.dtid | Disconnect TID | Boolean |
| smb.transaction.flags.owt | One Way Transaction | Boolean |
| smb.uid | User ID | Unsigned 16-bit integer |
| smb.unicode_password | Unicode Password | Byte array |
| smb.unicode_pwlen | Unicode Password Length | Unsigned 16-bit integer |
| smb.units | Total Units | Unsigned 16-bit integer |
| smb.unknown | Unknown Data | Byte array |
| smb.vc | VC Number | Unsigned 16-bit integer |
| smb.volume.label | Label | String |
| smb.volume.label.len | Label Length | Unsigned 32-bit integer |
| smb.volume.serial | Volume Serial Number | Unsigned 32-bit integer |
| smb.wct | Word Count (WCT) | Unsigned 8-bit integer |
| smb.write.mode.connectionless | Connectionless | Boolean |

367

Appendix A. Ethereal Display Filter Fields

Field

Field Name

Type Boolean Boolean Boolean Boolean

smb.write.mode.message_start Message Start smb.write.mode.raw Write Raw

smb.write.mode.return_remaining Remaining Return smb.write.mode.write_through Through Write

SMB MailSlot Protocol (mailslot)


Table A-227. SMB MailSlot Protocol (mailslot)

Field | Field Name | Type
mailslot.class | Class | Unsigned 16-bit integer
mailslot.name | Mailslot Name | String
mailslot.opcode | Opcode | Unsigned 16-bit integer
mailslot.priority | Priority | Unsigned 16-bit integer
mailslot.size | Size | Unsigned 16-bit integer

SMB Pipe Protocol (pipe)


Table A-228. SMB Pipe Protocol (pipe)

Field | Field Name | Type
pipe.fragment | Fragment | No value
pipe.fragment.error | Defragmentation error | No value
pipe.fragment.multipletails | Multiple tail fragments found | Boolean
pipe.fragment.overlap | Fragment overlap | Boolean
pipe.fragment.overlap.conflict | Conflicting data in fragment overlap | Boolean
pipe.fragment.toolongfragment | Fragment too long | Boolean
pipe.fragments | Fragments | No value
pipe.function | Function | Unsigned 16-bit integer
pipe.getinfo.current_instances | Current Instances | Unsigned 8-bit integer
pipe.getinfo.info_level | Information Level | Unsigned 16-bit integer
pipe.getinfo.input_buffer_size | Input Buffer Size | Unsigned 16-bit integer
pipe.getinfo.maximum_instances | Maximum Instances | Unsigned 8-bit integer
pipe.getinfo.output_buffer_size | Output Buffer Size | Unsigned 16-bit integer
pipe.getinfo.pipe_name | Pipe Name | String
pipe.getinfo.pipe_name_length | Pipe Name Length | Unsigned 8-bit integer
pipe.peek.available_bytes | Available Bytes | Unsigned 16-bit integer
pipe.peek.remaining_bytes | Bytes Remaining | Unsigned 16-bit integer
pipe.peek.status | Pipe Status | Unsigned 16-bit integer
pipe.priority | Priority | Unsigned 16-bit integer
pipe.write_raw.bytes_written | Bytes Written | Unsigned 16-bit integer

SNA-over-Ethernet (snaeth)
Table A-229. SNA-over-Ethernet (snaeth)

Field | Field Name | Type
snaeth_len | Length | Unsigned 16-bit integer

SNMP Multiplex Protocol (smux)


Table A-230. SNMP Multiplex Protocol (smux)

Field | Field Name | Type

SPRAY (spray)
Table A-231. SPRAY (spray)

Field | Field Name | Type
spray.clock | clock | No value
spray.counter | counter | Unsigned 32-bit integer
spray.sec | sec | Unsigned 32-bit integer
spray.sprayarr | Data | Byte array
spray.usec | usec | Unsigned 32-bit integer

SS7 SCCP-User Adaptation Layer (sua)


Table A-232. SS7 SCCP-User Adaptation Layer (sua)

Field | Field Name | Type
sua.affected_point_code.mask | Mask | Unsigned 8-bit integer
sua.affected_pointcode.dpc | Affected DPC | Unsigned 24-bit integer
sua.asp_capabilities.a_bit | Protocol Class 3 | Boolean
sua.asp_capabilities.b_bit | Protocol Class 2 | Boolean
sua.asp_capabilities.c_bit | Protocol Class 1 | Boolean
sua.asp_capabilities.d_bit | Protocol Class 0 | Boolean
sua.asp_capabilities.interworking | Interworking | Unsigned 8-bit integer
sua.asp_capabilities.reserved | Reserved | Byte array
sua.asp_capabilities.reserved_bits | Reserved Bits | Unsigned 8-bit integer
sua.asp_identifier.id | ASP Identifier | Unsigned 32-bit integer
sua.cause_user.cause | Cause | Unsigned 16-bit integer
sua.cause_user.user | User | Unsigned 16-bit integer
sua.congestion_level.level | Congestion Level | Unsigned 32-bit integer
sua.correlation_id.identifier | Correlation ID | Unsigned 32-bit integer
sua.credit.credit | Credit | Unsigned 32-bit integer
sua.data.padding | Padding | Byte array
sua.deregistration_result.deregistration_status | Deregistration Status | Unsigned 32-bit integer
sua.deregistration_result.routing_context | Routing Context | Unsigned 32-bit integer
sua.destination_address.gt_bit | Include GT | Boolean
sua.destination_address.pc_bit | Include PC | Boolean
sua.destination_address.reserved_bits | Reserved Bits | Unsigned 16-bit integer
sua.destination_address.routing_indicator | Routing Indicator | Unsigned 16-bit integer
sua.destination_address.ssn_bit | Include SSN | Boolean
sua.destination_reference_number | Destination Reference Number | Unsigned 32-bit integer
sua.diagnostic_information.info | Diagnostic Information | Byte array
sua.diagnostic_information.padding | Padding | Byte array
sua.drn_label.end | End | Unsigned 8-bit integer
sua.drn_label.start | Start | Unsigned 8-bit integer
sua.drn_label.value | Label Value | Unsigned 16-bit integer
sua.error_code.code | Error code | Unsigned 32-bit integer
sua.global_title.nature_of_address | Nature of Address | Unsigned 8-bit integer
sua.global_title.number_of_digits | Number of Digits | Unsigned 8-bit integer
sua.global_title.numbering_plan | Numbering Plan | Unsigned 8-bit integer
sua.global_title.padding | Padding | Byte array
sua.global_title.signals | Global Title | Byte array
sua.global_title.translation_type | Translation Type | Unsigned 8-bit integer
sua.heartbeat.data | Heratbeat Data | Byte array
sua.heartbeat.padding | Padding | Byte array
sua.hostname.name | Hostname | String
sua.hostname.padding | Padding | Byte array
sua.importance.inportance | Importance | Unsigned 8-bit integer
sua.importance.reserved | Reserved | Byte array
sua.info_string.padding | Padding | Byte array
sua.info_string.string | Info string | String
sua.ipv4.address | IP Version 4 address | IPv4 address
sua.ipv6.address | IP Version 6 address | IPv6 address
sua.light.error_code | Error Code | Unsigned 16-bit integer
sua.light.message_length | Message length | Unsigned 32-bit integer
sua.light.message_type | Message Type | Unsigned 16-bit integer
sua.light.spare_1 | Spare | Unsigned 8-bit integer
sua.light.spare_2 | Spare | Unsigned 16-bit integer
sua.light.subsystem_number | Subsystem number | Unsigned 16-bit integer
sua.light.version | Version | Unsigned 8-bit integer
sua.message_class | Message Class | Unsigned 8-bit integer
sua.message_length | Message Length | Unsigned 32-bit integer
sua.message_priority.priority | Message Priority | Unsigned 8-bit integer
sua.message_priority.reserved | Reserved | Byte array
sua.message_type | Message Type | Unsigned 8-bit integer
sua.network_appearance.appearance | Network Appearance | Unsigned 32-bit integer
sua.parameter_length | Parameter Length | Unsigned 16-bit integer
sua.parameter_padding | Padding | Byte array
sua.parameter_tag | Parameter Tag | Unsigned 16-bit integer
sua.parameter_value | Parameter Value | Byte array
sua.point_code.mask | Mask | Unsigned 8-bit integer
sua.point_code.pc | Point Code | Unsigned 24-bit integer
sua.protcol_class.reserved | Reserved | Byte array
sua.protocol_class.class | Protocol Class | Unsigned 8-bit integer
sua.protocol_class.return_on_error_bit | Return On Error Bit | Boolean
sua.receive_sequence_number.number | Receive Sequence Number P(R) | Unsigned 8-bit integer
sua.receive_sequence_number.reserved | Reserved | Byte array
sua.receive_sequence_number.spare_bit | Spare Bit | Boolean
sua.registration_result.local_routing_key_identifier | Local Routing Key Identifier | Unsigned 32-bit integer
sua.registration_result.registration_status | Registration Status | Unsigned 32-bit integer
sua.registration_result.routing_context | Routing Context | Unsigned 32-bit integer
sua.reserved | Reserved | Byte array
sua.routing_context.context | Routing context | Unsigned 32-bit integer
sua.routing_key.identifier | Local Routing Key Identifier | Unsigned 32-bit integer
sua.sccp_cause.reserved | Reserved | Byte array
sua.sccp_cause.type | Cause Type | Unsigned 8-bit integer
sua.sccp_cause.value | Cause Value | Unsigned 8-bit integer
sua.segmentation.first_bit | First Segment Bit | Boolean
sua.segmentation.number_of_remaining_segments | Number of Remaining Segments | Unsigned 8-bit integer
sua.segmentation.reference | Segmentation Reference | Unsigned 24-bit integer
sua.sequence_control.sequence_control | Sequence Control | Unsigned 32-bit integer
sua.sequence_number.more_data_bit | More Data Bit | Boolean
sua.sequence_number.receive_sequence_number | Receive Sequence Number P(R) | Unsigned 8-bit integer
sua.sequence_number.reserved | Reserved | Byte array
sua.sequence_number.sent_sequence_number | Sent Sequence Number P(S) | Unsigned 8-bit integer
sua.sequence_number.spare_bit | Spare Bit | Boolean
sua.smi.reserved | Reserved | Byte array
sua.smi.smi | SMI | Unsigned 8-bit integer
sua.source_address.gt_bit | Include GT | Boolean
sua.source_address.pc_bit | Include PC | Boolean
sua.source_address.reserved_bits | Reserved Bits | Unsigned 16-bit integer
sua.source_address.routing_indicator | Routing Indicator | Unsigned 16-bit integer
sua.source_address.ssn_bit | Include SSN | Boolean
sua.source_reference_number.number | Source Reference Number | Unsigned 32-bit integer
sua.ss7_hop_counter.counter | SS7 Hop Counter | Unsigned 8-bit integer
sua.ss7_hop_counter.reserved | Reserved | Byte array
sua.ssn.number | Subsystem Number | Unsigned 8-bit integer
sua.ssn.reserved | Reserved | Byte array
sua.status.info | Status info | Unsigned 16-bit integer
sua.status.type | Status type | Unsigned 16-bit integer
sua.tid_label.end | End | Unsigned 8-bit integer
sua.tid_label.start | Start | Unsigned 8-bit integer
sua.tid_label.value | Label Value | Unsigned 16-bit integer
sua.traffic_mode_type.type | Traffic mode Type | Unsigned 32-bit integer
sua.version | Version | Unsigned 8-bit integer

SSCOP (sscop)
Table A-233. SSCOP (sscop)

Field | Field Name | Type

Secure Socket Layer (ssl)


Table A-234. Secure Socket Layer (ssl)

Field | Field Name | Type
ssl.alert_message | Alert Message | No value
ssl.alert_message.desc | Description | Unsigned 8-bit integer
ssl.alert_message.level | Level | Unsigned 8-bit integer
ssl.app_data | Application Data | No value
ssl.change_cipher_spec | Change Cipher Spec Message | No value
ssl.handshake | Handshake Protocol | No value
ssl.handshake.cert_type | Certificate type | Unsigned 8-bit integer
ssl.handshake.cert_types | Certificate types | No value
ssl.handshake.cert_types_count | Certificate types count | Unsigned 8-bit integer
ssl.handshake.certificate | Certificate | Byte array
ssl.handshake.certificate_length | Certificate Length | Unsigned 24-bit integer
ssl.handshake.certificates | Certificates | No value
ssl.handshake.certificates_length | Certificates Length | Unsigned 24-bit integer
ssl.handshake.challenge | Challenge | No value
ssl.handshake.challenge_length | Challenge Length | Unsigned 16-bit integer
ssl.handshake.cipher_spec_len | Cipher Spec Length | Unsigned 16-bit integer
ssl.handshake.cipher_suites_length | Cipher Suites Length | Unsigned 16-bit integer
ssl.handshake.cipherspec | Cipher Spec | Unsigned 24-bit integer
ssl.handshake.ciphersuite | Cipher Suite | Unsigned 16-bit integer
ssl.handshake.ciphersuites | Cipher Suites | No value
ssl.handshake.clear_key_data | Clear Key Data | No value
ssl.handshake.clear_key_length | Clear Key Data Length | Unsigned 16-bit integer
ssl.handshake.comp_method | Compression Method | Unsigned 8-bit integer
ssl.handshake.comp_methods | Compression Methods | No value
ssl.handshake.comp_methods_length | Compression Methods Length | Unsigned 8-bit integer
ssl.handshake.connection_id | Connection ID | No value
ssl.handshake.connection_id_length | Connection ID Length | Unsigned 16-bit integer
ssl.handshake.dname | Distinguished Name | Byte array
ssl.handshake.dname_len | Distinguished Name Length | Unsigned 16-bit integer
ssl.handshake.dnames | Distinguished Names | No value
ssl.handshake.dnames_len | Distinguished Names Length | Unsigned 16-bit integer
ssl.handshake.encrypted_key | Encrypted Key | No value
ssl.handshake.encrypted_key_length | Encrypted Key Data Length | Unsigned 16-bit integer
ssl.handshake.key_arg | Key Argument | No value
ssl.handshake.key_arg_length | Key Argument Length | Unsigned 16-bit integer
ssl.handshake.length | Length | Unsigned 24-bit integer
ssl.handshake.md5_hash | MD5 Hash | No value
ssl.handshake.random | Random.bytes | No value
ssl.handshake.random_time | Random.gmt_unix_time | Date/Time stamp
ssl.handshake.session_id | Session ID | Byte array
ssl.handshake.session_id_hit | Session ID Hit | Boolean
ssl.handshake.session_id_length | Session ID Length | Unsigned 8-bit integer
ssl.handshake.sha_hash | SHA-1 Hash | No value
ssl.handshake.type | Handshake Message Type | Unsigned 8-bit integer
ssl.handshake.verify_data | Verify Data | No value
ssl.handshake.version | Version | Unsigned 16-bit integer
ssl.pct_handshake.type | Handshake Message Type | Unsigned 8-bit integer
ssl.record | Record Layer | No value
ssl.record.content_type | Content Type | Unsigned 8-bit integer
ssl.record.is_escape | Is Escape | Boolean
ssl.record.length | Length | Unsigned 16-bit integer
ssl.record.padding_length | Padding Length | Unsigned 8-bit integer
ssl.record.version | Version | Unsigned 16-bit integer

Sequenced Packet eXchange (spx)


Table A-235. Sequenced Packet eXchange (spx)

Field | Field Name | Type
spx.ack | Acknowledgment Number | Unsigned 16-bit integer
spx.alloc | Allocation Number | Unsigned 16-bit integer
spx.ctl | Connection Control | Unsigned 8-bit integer
spx.dst | Destination Connection ID | Unsigned 16-bit integer
spx.seq | Sequence Number | Unsigned 16-bit integer
spx.src | Source Connection ID | Unsigned 16-bit integer
spx.type | Datastream type | Unsigned 8-bit integer


Service Advertisement Protocol (ipxsap)


Table A-236. Service Advertisement Protocol (ipxsap)

Field | Field Name | Type
ipxsap.request | Request | Boolean
ipxsap.response | Response | Boolean

Service Location Protocol (srvloc)


Table A-237. Service Location Protocol (srvloc)

Field | Field Name | Type
srvloc.err | Error Code | Unsigned 16-bit integer
srvloc.flags | Flags | Unsigned 8-bit integer
srvloc.function | Function | Unsigned 8-bit integer
srvloc.version | Version | Unsigned 8-bit integer

Session Announcement Protocol (sap)


Table A-238. Session Announcement Protocol (sap)

Field | Field Name | Type
sap.auth | Authentication data | No value
sap.auth.flags | Authentication data flags | Unsigned 8-bit integer
sap.auth.flags.p | Padding Bit | Boolean
sap.auth.flags.t | Authentication Type | Unsigned 8-bit integer
sap.auth.flags.v | Version Number | Unsigned 8-bit integer
sap.flags | Flags | Unsigned 8-bit integer
sap.flags.a | Address Type | Boolean
sap.flags.c | Compression Bit | Boolean
sap.flags.e | Encryption Bit | Boolean
sap.flags.r | Reserved | Boolean
sap.flags.t | Message Type | Boolean
sap.flags.v | Version Number | Unsigned 8-bit integer


Session Description Protocol (sdp)


Table A-239. Session Description Protocol (sdp)

Field | Field Name | Type
sdp.bandwidth | Bandwidth Information (b) | String
sdp.bandwidth.modifier | Bandwidth Modifier | String
sdp.bandwidth.value | Bandwidth Value | String
sdp.connection_info | Connection Information (c) | String
sdp.connection_info.address | Connection Address | String
sdp.connection_info.address_type | Connection Address Type | String
sdp.connection_info.network_type | Connection Network Type | String
sdp.connection_info.num_addr | Connection Number of Addresses | String
sdp.connection_info.ttl | Connection TTL | String
sdp.email | E-mail Address (e) | String
sdp.encryption_key | Encryption Key (k) | String
sdp.encryption_key.data | Key Data | String
sdp.encryption_key.type | Key Type | String
sdp.invalid | Invalid line | String
sdp.media | Media Description, name and address (m) | String
sdp.media.format | Media Format | String
sdp.media.media | Media Type | String
sdp.media.port | Media Port | String
sdp.media.portcount | Media Port Count | String
sdp.media.proto | Media Proto | String
sdp.media_attr | Media Attribute (a) | String
sdp.media_attribute.field | Media Attribute Fieldname | String
sdp.media_attribute.value | Media Attribute Value | String
sdp.media_title | Media Title (i) | String
sdp.misplaced | Misplaced | String
sdp.owner | Owner/Creator, Session Id (o) | String
sdp.owner.address | Owner Address | String
sdp.owner.address_type | Owner Address Type | String
sdp.owner.network_type | Owner Network Type | String
sdp.owner.sessionid | Session ID | String
sdp.owner.username | Owner Username | String
sdp.owner.version | Session Version | String
sdp.phone | Phone Number (p) | String
sdp.repeat_time | Repeat Time (r) | String
sdp.repeat_time.duration | Repeat Duration | String
sdp.repeat_time.interval | Repeat Interval | String
sdp.repeat_time.offset | Repeat Offset | String
sdp.session_attr | Session Attribute (a) | String
sdp.session_attr.field | Session Attribute Fieldname | String
sdp.session_attr.value | Session Attribute Value | String
sdp.session_info | Session Information (i) | String
sdp.session_name | Session Name (s) | String
sdp.time | Time Description, active time (t) | String
sdp.time.start | Session Start Time | String
sdp.time.stop | Session Stop Time | String
sdp.timezone | Time Zone Adjustments (z) | String
sdp.timezone.offset | Timezone Offset | String
sdp.timezone.time | Timezone Time | String
sdp.unknown | Unknown | String
sdp.uri | URI of Description (u) | String
sdp.version | Session Description Protocol Version (v) | String

Session Initiation Protocol (sip)


Table A-240. Session Initiation Protocol (sip)

Field | Field Name | Type
sip.msg_hdr | Message Header | No value


Short Frame (short)


Table A-241. Short Frame (short)

Field | Field Name | Type

Short Message Peer to Peer (smpp)


Table A-242. Short Message Peer to Peer (smpp)

Field | Field Name | Type
smpp.SC_interface_version | SMSC-supported version | String
smpp.additional_status_info_text | Information | String
smpp.addr_npi | Numbering plan indicator | Unsigned 8-bit integer
smpp.addr_ton | Type of number | Unsigned 8-bit integer
smpp.address_range | Address | String
smpp.alert_on_message_delivery | Alert on delivery | No value
smpp.callback_num | Callback number | No value
smpp.callback_num.pres | Presentation | Unsigned 8-bit integer
smpp.callback_num.scrn | Screening | Unsigned 8-bit integer
smpp.callback_num_atag | Callback number alphanumeric display tag | No value
smpp.command_id | Operation | Unsigned 32-bit integer
smpp.command_length | Length | Unsigned 32-bit integer
smpp.command_status | Result | Unsigned 32-bit integer
smpp.data_coding | Data coding | Unsigned 8-bit integer
smpp.delivery_failure_reason | Delivery failure reason | Unsigned 8-bit integer
smpp.dest_addr_npi | Numbering plan indicator (recipient) | Unsigned 8-bit integer
smpp.dest_addr_subunit | Subunit destination | Unsigned 8-bit integer
smpp.dest_addr_ton | Type of number (recipient) | Unsigned 8-bit integer
smpp.dest_bearer_type | Destination bearer | Unsigned 8-bit integer
smpp.dest_network_type | Destination network | Unsigned 8-bit integer
smpp.dest_telematics_id | Telematic interworking (dest) | Unsigned 16-bit integer
smpp.destination_addr | Recipient address | String
smpp.destination_port | Destination port | Unsigned 16-bit integer
smpp.display_time | Display time | Unsigned 8-bit integer
smpp.dl_name | Distr. list name | String
smpp.dlist | Destination list | No value
smpp.dlist_resp | Unsuccesfull delivery list | No value
smpp.dpf_result | Delivery pending set? | Unsigned 8-bit integer
smpp.error_code | Error code | Unsigned 8-bit integer
smpp.error_status_code | Status | Unsigned 32-bit integer
smpp.esm.submit.features | GSM features | Unsigned 8-bit integer
smpp.esm.submit.msg_mode | Messaging mode | Unsigned 8-bit integer
smpp.esm.submit.msg_type | Message type | Unsigned 8-bit integer
smpp.esme_addr | ESME address | String
smpp.esme_addr_npi | Numbering plan indicator (ESME) | Unsigned 8-bit integer
smpp.esme_addr_ton | Type of number (ESME) | Unsigned 8-bit integer
smpp.final_date | Final date | Date/Time stamp
smpp.final_date_r | Final date | Time duration
smpp.interface_version | Version (if) | String
smpp.its_reply_type | Reply method | Unsigned 8-bit integer
smpp.its_session.ind | Session indicator | Unsigned 8-bit integer
smpp.its_session.number | Session number | Unsigned 8-bit integer
smpp.its_session.sequence | Sequence number | Unsigned 8-bit integer
smpp.language_indicator | Language | Unsigned 8-bit integer
smpp.message | Message | No value
smpp.message_id | Message id. | String
smpp.message_payload | Payload | No value
smpp.message_state | Message state | Unsigned 8-bit integer
smpp.more_messages_to_send | More messages? | Unsigned 8-bit integer
smpp.ms_availability_status | Availability status | Unsigned 8-bit integer
smpp.ms_validity | Validity info | Unsigned 8-bit integer
smpp.msg_wait.ind | Indication | Unsigned 8-bit integer
smpp.msg_wait.type | Type | Unsigned 8-bit integer
smpp.network_error.code | Error code | Unsigned 16-bit integer
smpp.network_error.type | Error type | Unsigned 8-bit integer
smpp.number_of_messages | Number of messages | Unsigned 8-bit integer
smpp.opt_param | Optional parameters | No value
smpp.password | Password | String
smpp.payload_type | Payload | Unsigned 8-bit integer
smpp.priority_flag | Priority level | Unsigned 8-bit integer
smpp.privacy_indicator | Privacy indicator | Unsigned 8-bit integer
smpp.protocol_id | Protocol id. | Unsigned 8-bit integer
smpp.qos_time_to_live | Validity period | Unsigned 32-bit integer
smpp.receipted_message_id | SMSC identifier | String
smpp.regdel.acks | Message type | Unsigned 8-bit integer
smpp.regdel.notif | Intermediate notif | Unsigned 8-bit integer
smpp.regdel.receipt | Delivery receipt | Unsigned 8-bit integer
smpp.replace_if_present_flag | Replace | Unsigned 8-bit integer
smpp.reserved_op | Optional parameter Reserved | No value
smpp.sar_msg_ref_num | SAR reference number | Unsigned 16-bit integer
smpp.sar_segment_seqnum | SAR sequence number | Unsigned 8-bit integer
smpp.sar_total_segments | SAR size | Unsigned 16-bit integer
smpp.schedule_delivery_time | Scheduled delivery time | Date/Time stamp
smpp.schedule_delivery_time_r | Scheduled delivery time | Time duration
smpp.sequence_number | Sequence # | Unsigned 32-bit integer
smpp.service_type | Service type | String
smpp.set_dpf | Request DPF set | Unsigned 8-bit integer
smpp.sm_default_msg_id | Predefined message | Unsigned 8-bit integer
smpp.sm_length | Message length | Unsigned 8-bit integer
smpp.source_addr | Originator address | String
smpp.source_addr_npi | Numbering plan indicator (originator) | Unsigned 8-bit integer
smpp.source_addr_subunit | Subunit origin | Unsigned 8-bit integer
smpp.source_addr_ton | Type of number (originator) | Unsigned 8-bit integer
smpp.source_bearer_type | Originator bearer | Unsigned 8-bit integer
smpp.source_network_type | Originator network | Unsigned 8-bit integer
smpp.source_port | Source port | Unsigned 16-bit integer
smpp.source_telematics_id | Telematic interworking (orig) | Unsigned 16-bit integer
smpp.system_id | System ID | String
smpp.system_type | System type | String
smpp.user_message_reference | Message reference | Unsigned 16-bit integer
smpp.user_response_code | Application response code | Unsigned 8-bit integer
smpp.ussd_service_op | USSD service operation | Unsigned 8-bit integer
smpp.validity_period | Validity period | Date/Time stamp
smpp.validity_period_r | Validity period | Time duration
smpp.vendor_op | Optional parameter Vendor-specific | No value

Signalling Connection Control Part (sccp)


Table A-243. Signalling Connection Control Part (sccp)

Field | Field Name | Type
sccp.called.cluster | PC Cluster | Unsigned 24-bit integer
sccp.called.digits | GT Digits | String
sccp.called.es | Encoding Scheme | Unsigned 8-bit integer
sccp.called.gti | Global Title Indicator | Unsigned 8-bit integer
sccp.called.member | PC Member | Unsigned 24-bit integer
sccp.called.nai | Nature of Address Indicator | Unsigned 8-bit integer
sccp.called.network | PC Network | Unsigned 24-bit integer
sccp.called.ni | National Indicator | Unsigned 8-bit integer
sccp.called.np | Numbering Plan | Unsigned 8-bit integer
sccp.called.oe | Odd/Even Indicator | Unsigned 8-bit integer
sccp.called.pc | PC | Unsigned 16-bit integer
sccp.called.pci | Point Code Indicator | Unsigned 8-bit integer
sccp.called.ri | Routing Indicator | Unsigned 8-bit integer
sccp.called.ssn | SubSystem Number | Unsigned 8-bit integer
sccp.called.ssni | SubSystem Number Indicator | Unsigned 8-bit integer
sccp.called.tt | Translation Type | Unsigned 8-bit integer
sccp.calling.cluster | PC Cluster | Unsigned 24-bit integer
sccp.calling.digits | GT Digits | String
sccp.calling.es | Encoding Scheme | Unsigned 8-bit integer
sccp.calling.gti | Global Title Indicator | Unsigned 8-bit integer
sccp.calling.member | PC Member | Unsigned 24-bit integer
sccp.calling.nai | Nature of Address Indicator | Unsigned 8-bit integer
sccp.calling.network | PC Network | Unsigned 24-bit integer
sccp.calling.ni | National Indicator | Unsigned 8-bit integer
sccp.calling.np | Numbering Plan | Unsigned 8-bit integer
sccp.calling.oe | Odd/Even Indicator | Unsigned 8-bit integer
sccp.calling.pc | PC | Unsigned 16-bit integer
sccp.calling.pci | Point Code Indicator | Unsigned 8-bit integer
sccp.calling.ri | Routing Indicator | Unsigned 8-bit integer
sccp.calling.ssn | SubSystem Number | Unsigned 8-bit integer
sccp.calling.ssni | SubSystem Number Indicator | Unsigned 8-bit integer
sccp.calling.tt | Translation Type | Unsigned 8-bit integer
sccp.class | Class | Unsigned 8-bit integer
sccp.credit | Credit | Unsigned 8-bit integer
sccp.digits | Called or Calling GT Digits | String
sccp.dlr | Destination Local Reference | Unsigned 24-bit integer
sccp.error_cause | Error Cause | Unsigned 8-bit integer
sccp.handling | Message handling | Unsigned 8-bit integer
sccp.hops | Hop Counter | Unsigned 8-bit integer
sccp.importance | Importance | Unsigned 8-bit integer
sccp.isni.counter | ISNI Counter | Unsigned 8-bit integer
sccp.isni.iri | ISNI Routing Indicator | Unsigned 8-bit integer
sccp.isni.mi | ISNI Mark for Identification Indicator | Unsigned 8-bit integer
sccp.isni.netspec | ISNI Network Specific (Type 1) | Unsigned 8-bit integer
sccp.isni.ti | ISNI Type Indicator | Unsigned 8-bit integer
sccp.message_type | Message Type | Unsigned 8-bit integer
sccp.more | More data | Unsigned 8-bit integer
sccp.optional_pointer | Pointer to Optional parameter | Unsigned 8-bit integer
sccp.refusal_cause | Refusal Cause | Unsigned 8-bit integer
sccp.release_cause | Release Cause | Unsigned 8-bit integer
sccp.reset_cause | Reset Cause | Unsigned 8-bit integer
sccp.return_cause | Return Cause | Unsigned 8-bit integer
sccp.rsn | Receive Sequence Number | Unsigned 8-bit integer
sccp.segmentation.class | Segmentation: Class | Unsigned 8-bit integer
sccp.segmentation.first | Segmentation: First | Unsigned 8-bit integer
sccp.segmentation.remaining | Segmentation: Remaining | Unsigned 8-bit integer
sccp.segmentation.slr | Segmentation: Source Local Reference | Unsigned 24-bit integer
sccp.sequencing_segmenting.more | Sequencing Segmenting: More | Unsigned 8-bit integer
sccp.sequencing_segmenting.rsn | Sequencing Segmenting: Receive Sequence Number | Unsigned 8-bit integer
sccp.sequencing_segmenting.ssn | Sequencing Segmenting: Send Sequence Number | Unsigned 8-bit integer
sccp.slr | Source Local Reference | Unsigned 24-bit integer
sccp.ssn | Called or Calling SubSystem Number | Unsigned 8-bit integer
sccp.variable_pointer1 | Pointer to first Mandatory Variable parameter | Unsigned 8-bit integer
sccp.variable_pointer2 | Pointer to second Mandatory Variable parameter | Unsigned 8-bit integer
sccp.variable_pointer3 | Pointer to third Mandatory Variable parameter | Unsigned 8-bit integer


Simple Mail Transfer Protocol (smtp)


Table A-244. Simple Mail Transfer Protocol (smtp)

Field | Field Name | Type
smtp.req | Request | Boolean
smtp.req.command | Command | String
smtp.req.parameter | Request parameter | String
smtp.response.code | Response code | Unsigned 32-bit integer
smtp.rsp | Response | Boolean
smtp.rsp.parameter | Response parameter | String

Simple Network Management Protocol (snmp)


Table A-245. Simple Network Management Protocol (snmp)

Field | Field Name | Type
snmpv3.flags | SNMPv3 Flags | Unsigned 8-bit integer
snmpv3.flags.auth | Authenticated | Boolean
snmpv3.flags.crypt | Encrypted | Boolean
snmpv3.flags.report | Reportable | Boolean

Sinec H1 Protocol (h1)


Table A-246. Sinec H1 Protocol (h1)

Field | Field Name | Type
h1.dbnr | Memory block number | Unsigned 8-bit integer
h1.dlen | Length in words | Signed 16-bit integer
h1.dwnr | Address within memory block | Unsigned 16-bit integer
h1.empty | Empty field | Unsigned 8-bit integer
h1.empty_len | Empty field length | Unsigned 8-bit integer
h1.header | H1-Header | Unsigned 16-bit integer
h1.len | Length indicator | Unsigned 16-bit integer
h1.opcode | Opcode | Unsigned 8-bit integer
h1.opfield | Operation identifier | Unsigned 8-bit integer
h1.oplen | Operation length | Unsigned 8-bit integer
h1.org | Memory type | Unsigned 8-bit integer
h1.reqlen | Request length | Unsigned 8-bit integer
h1.request | Request identifier | Unsigned 8-bit integer
h1.reslen | Response length | Unsigned 8-bit integer
h1.response | Response identifier | Unsigned 8-bit integer
h1.resvalue | Response value | Unsigned 8-bit integer

Skinny Client Control Protocol (skinny)


Table A-247. Skinny Client Control Protocol (skinny)

Field | Field Name | Type
skinny.activeForward | Active Forward | Unsigned 32-bit integer
skinny.alarmParam1 | AlarmParam1 | Unsigned 32-bit integer
skinny.alarmParam2 | AlarmParam2 | IPv4 address
skinny.alarmSeverity | AlarmSeverity | Unsigned 32-bit integer
skinny.buttonCount | ButtonCount | Unsigned 32-bit integer
skinny.buttonDefinition | ButtonDefinition | Unsigned 8-bit integer
skinny.buttonInstanceNumber | InstanceNumber | Unsigned 8-bit integer
skinny.buttonOffset | ButtonOffset | Unsigned 32-bit integer
skinny.callIdentifier | Call Identifier | Unsigned 32-bit integer
skinny.callState | CallState | Unsigned 32-bit integer
skinny.callType | Call Type | Unsigned 32-bit integer
skinny.calledParty | CalledParty | String
skinny.calledPartyName | Called Party Name | String
skinny.callingPartyName | Calling Party Name | String
skinny.capCount | CapCount | Unsigned 32-bit integer
skinny.conferenceID | Conference ID | Unsigned 32-bit integer
skinny.data_length | Data Length | Unsigned 32-bit integer
skinny.dateMilliseconds | Milliseconds | Unsigned 32-bit integer
skinny.dateSeconds | Seconds | Unsigned 32-bit integer
skinny.dateTemplate | DateTemplate | String
skinny.day | Day | Unsigned 32-bit integer
skinny.dayOfWeek | DayOfWeek | Unsigned 32-bit integer
skinny.detectInterval | HF Detect Interval | Unsigned 32-bit integer
skinny.deviceName | DeviceName | String
skinny.deviceResetType | Reset Type | Unsigned 32-bit integer
skinny.deviceTone | Tone | Unsigned 32-bit integer
skinny.deviceType | DeviceType | Unsigned 32-bit integer
skinny.deviceUnregisterStatus | Unregister Status | Unsigned 32-bit integer
skinny.directoryNumber | Directory Number | String
skinny.displayMessage | DisplayMessage | String
skinny.echoCancelType | Echo Cancel Type | Unsigned 32-bit integer
skinny.forwardAllActive | Forward All | Unsigned 32-bit integer
skinny.forwardBusyActive | Forward Busy | Unsigned 32-bit integer
skinny.forwardNoAnswerActive | Forward NoAns | Unsigned 32-bit integer
skinny.forwardNumber | Forward Number | String
skinny.fqdn | DisplayName | String
skinny.g723BitRate | G723 BitRate | Unsigned 32-bit integer
skinny.hookFlashDetectMode | Hook Flash Mode | Unsigned 32-bit integer
skinny.hour | Hour | Unsigned 32-bit integer
skinny.ipAddress | IP Address | IPv4 address
skinny.jitter | Jitter | Unsigned 32-bit integer
skinny.keepAliveInterval | KeepAliveInterval | Unsigned 32-bit integer
skinny.lampMode | LampMode | Unsigned 32-bit integer
skinny.latency | Latency(ms) | Unsigned 32-bit integer
skinny.lineDirNumber | Line Dir Number | String
skinny.lineInstance | Line Instance | Unsigned 32-bit integer
skinny.lineNumber | LineNumber | Unsigned 32-bit integer
skinny.maxFramesPerPacket | MaxFramesPerPacket | Unsigned 16-bit integer
skinny.maxStreams | MaxStreams | Unsigned 32-bit integer
skinny.mediaEnunciationType | Enunciation Type | Unsigned 32-bit integer
skinny.messageTimeOutValue | Message Timeout | Unsigned 32-bit integer
skinny.messageid | Message ID | Unsigned 32-bit integer
skinny.microphoneMode | Microphone Mode | Unsigned 32-bit integer
skinny.millisecondPacketSize | MS/Packet | Unsigned 32-bit integer
skinny.minute | Minute | Unsigned 32-bit integer
skinny.month | Month | Unsigned 32-bit integer
skinny.multicastIpAddress | Multicast Ip Address | IPv4 address
skinny.multicastPort | Multicast Port | Unsigned 32-bit integer
skinny.numberLines | Number of Lines | Unsigned 32-bit integer
skinny.numberSpeedDials | Number of SpeedDials | Unsigned 32-bit integer
skinny.octetsRecv | Octets Received | Unsigned 32-bit integer
skinny.octetsSent | Octets Sent | Unsigned 32-bit integer
skinny.openReceiveChannelStatus | OpenReceiveChannelStatus | Unsigned 32-bit integer
skinny.originalCalledParty | Original Called Party | String
skinny.originalCalledPartyName | Original Called Party Name | String
skinny.packetsLost | Packets Lost | Unsigned 32-bit integer
skinny.packetsRecv | Packets Received | Unsigned 32-bit integer
skinny.packetsSent | Packets Sent | Unsigned 32-bit integer
skinny.passThruPartyID | PassThruPartyID | Unsigned 32-bit integer
skinny.payloadCapability | PayloadCapability | Unsigned 32-bit integer
skinny.portNumber | Port Number | Unsigned 32-bit integer
skinny.precedenceValue | Precedence | Unsigned 32-bit integer
skinny.receptionStatus | ReceptionStatus | Unsigned 32-bit integer
skinny.remoteIpAddr | Remote Ip Address | IPv4 address
skinny.remotePortNumber | Remote Port | Unsigned 32-bit integer
skinny.reserved | Reserved | Unsigned 32-bit integer
skinny.ringType | Ring Type | Unsigned 32-bit integer

skinny.secondaryKeepAliveInterval SecondaryKeepAliveInterval nsigned 32-bit integer U skinny.serverIdentier skinny.serverIpAddress skinny.serverListenPort skinny.serverName skinny.sessionType skinny.softKeyCount skinny.softKeyEvent Server Identier Server Ip Address Server Port Server Name Session Type SoftKeyCount SoftKeyEvent String IPv4 address Unsigned 32-bit integer String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

skinny.silenceSuppression Silence Suppression

389

Appendix A. Ethereal Display Filter Fields

Field skinny.softKeyInfoIndex skinny.softKeyLabel skinny.softKeyMap skinny.softKeyMap.0 skinny.softKeyMap.1 skinny.softKeyMap.10 skinny.softKeyMap.11 skinny.softKeyMap.12 skinny.softKeyMap.13 skinny.softKeyMap.14 skinny.softKeyMap.15 skinny.softKeyMap.2 skinny.softKeyMap.3 skinny.softKeyMap.4 skinny.softKeyMap.5 skinny.softKeyMap.6 skinny.softKeyMap.7 skinny.softKeyMap.8 skinny.softKeyMap.9 skinny.softKeyOffset skinny.softKeySetCount

Field Name SoftKeyInfoIndex SoftKeyLabel SoftKeyMap SoftKey0 SoftKey1 SoftKey10 SoftKey11 SoftKey12 SoftKey13 SoftKey14 SoftKey15 SoftKey2 SoftKey3 SoftKey4 SoftKey5 SoftKey6 SoftKey7 SoftKey8 SoftKey9 SoftKeyOffset SoftKeySetCount

Type Unsigned 16-bit integer String Unsigned 16-bit integer Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Boolean Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer String String Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer

skinny.softKeySetDescriptionoftKeySet S skinny.softKeySetOffset SoftKeySetOffset

skinny.softKeyTemplateIndex SoftKeyTemplateIndex skinny.speakerMode skinny.speedDialDirNum skinny.speedDialDisplay skinny.speedDialNumber skinny.stationInstance skinny.stationIpPort Speaker SpeedDial Number SpeedDial Display SpeedDialNumber StationInstance StationIpPort

skinny.stationKeypadButtonKeypadButton skinny.stationUserId StationUserId

skinny.statsProcessingType StatsProcessingType

390

Appendix A. Ethereal Display Filter Fields

Field skinny.stimulus skinny.stimulusInstance skinny.timeStamp skinny.tokenRejWaitTime skinny.totalButtonCount skinny.totalSoftKeyCount

Field Name Stimulus StimulusInstance Timestamp Retry Wait Time TotalButtonCount TotalSoftKeyCount

Type Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer String String Unsigned 32-bit integer

skinny.totalSoftKeySetCount otalSoftKeySetCount T skinny.unknown skinny.userName skinny.version skinny.year Data Username Version Year

SliMP3 Communication Protocol (slimp3)


Table A-248. SliMP3 Communication Protocol (slimp3)

| Field | Field Name | Type |
|---|---|---|
| slimp3.control | Control Packet | Boolean |
| slimp3.data | Data | Boolean |
| slimp3.data_req | Data Request | Boolean |
| slimp3.discovery_req | Discovery Request | Boolean |
| slimp3.discovery_response | Discovery Response | Boolean |
| slimp3.display | Display | Boolean |
| slimp3.hello | Hello | Boolean |
| slimp3.i2c | I2C | Boolean |
| slimp3.ir | Infrared | Unsigned 32-bit integer |
| slimp3.opcode | Opcode | Unsigned 8-bit integer |

Socks Protocol (socks)


Table A-249. Socks Protocol (socks)

| Field | Field Name | Type |
|---|---|---|
| socks.command | Command | Unsigned 8-bit integer |
| socks.dst | Remote Address | IPv4 address |
| socks.dstV6 | Remote Address(ipv6) | IPv6 address |
| socks.dstport | Remote Port | Unsigned 16-bit integer |
| socks.results | Results(V5) | Unsigned 8-bit integer |
| socks.results_v4 | Results(V4) | Unsigned 8-bit integer |
| socks.results_v5 | Results(V5) | Unsigned 8-bit integer |
| socks.username | User Name | String |
| socks.version | Version | Unsigned 8-bit integer |

Spanning Tree Protocol (stp)


Table A-250. Spanning Tree Protocol (stp)

| Field | Field Name | Type |
|---|---|---|
| stp.bridge.hw | Bridge Identifier | 6-byte Hardware (MAC) Address |
| stp.flags | BPDU flags | Unsigned 8-bit integer |
| stp.flags.agreement | Agreement | Boolean |
| stp.flags.forwarding | Forwarding | Boolean |
| stp.flags.learning | Learning | Boolean |
| stp.flags.port_role | Port Role | Unsigned 8-bit integer |
| stp.flags.proposal | Proposal | Boolean |
| stp.flags.tc | Topology Change | Boolean |
| stp.flags.tcack | Topology Change Acknowledgment | Boolean |
| stp.forward | Forward Delay | Double-precision floating point |
| stp.hello | Hello Time | Double-precision floating point |
| stp.max_age | Max Age | Double-precision floating point |
| stp.msg_age | Message Age | Double-precision floating point |
| stp.port | Port identifier | Unsigned 16-bit integer |
| stp.protocol | Protocol Identifier | Unsigned 16-bit integer |
| stp.root.cost | Root Path Cost | Unsigned 32-bit integer |
| stp.root.hw | Root Identifier | 6-byte Hardware (MAC) Address |
| stp.type | BPDU Type | Unsigned 8-bit integer |
| stp.version | Protocol Version Identifier | Unsigned 8-bit integer |
| stp.version_1_length | Version 1 Length | Unsigned 8-bit integer |

Stream Control Transmission Protocol (sctp)


Table A-251. Stream Control Transmission Protocol (sctp)

| Field | Field Name | Type |
|---|---|---|
| sctp.abort.t_bit | T-Bit | Boolean |
| sctp.adapation_layer_indication.indication | Indication | Unsigned 32-bit integer |
| sctp.asconf.serial_number | Serial Number | Unsigned 32-bit integer |
| sctp.asconf_ack.serial_number | Serial Number | Unsigned 32-bit integer |
| sctp.cause.code | Cause code | Unsigned 16-bit integer |
| sctp.cause.length | Cause length | Unsigned 16-bit integer |
| sctp.cause.measure_of_staleness | Measure of staleness in usec | Unsigned 32-bit integer |
| sctp.cause.missing_parameter_type | Missing parameter type | Unsigned 16-bit integer |
| sctp.cause.nr_of_missing_parameters | Number of missing parameters | Unsigned 32-bit integer |
| sctp.cause.stream_identifier | Stream identifier | Unsigned 16-bit integer |
| sctp.cause.tsn | TSN | Unsigned 32-bit integer |
| sctp.checksum | Checksum | Unsigned 32-bit integer |
| sctp.checksum_bad | Bad checksum | Boolean |
| sctp.chunk_flags | Flags | Unsigned 8-bit integer |
| sctp.chunk_length | Length | Unsigned 16-bit integer |
| sctp.chunk_type | Identifier | Unsigned 8-bit integer |
| sctp.correlation_id | Correlation_id | Unsigned 32-bit integer |
| sctp.cumulative.tsn.ack | Cumulative TSN Ack | Unsigned 32-bit integer |
| sctp.cwr.lowest_tsn | Lowest TSN | Unsigned 32-bit integer |
| sctp.data.b_bit | B-Bit | Boolean |
| sctp.data.e_bit | E-Bit | Boolean |
| sctp.data.u.bit | U-Bit | Boolean |
| sctp.dstport | Destination port | Unsigned 16-bit integer |
| sctp.ecne.lowest_tsn | Lowest TSN | Unsigned 32-bit integer |
| sctp.forward_tsn.sid | Stream identifier | Unsigned 16-bit integer |
| sctp.forward_tsn.ssn | Stream sequence number | Unsigned 16-bit integer |
| sctp.forward_tsn.tsn | New cumulative TSN | Unsigned 32-bit integer |
| sctp.init.chunk.credit | Advertised reciever window credit (a_rwnd) | Unsigned 32-bit integer |
| sctp.init.chunk.initial.tsn | Initial TSN | Unsigned 32-bit integer |
| sctp.init.chunk.initiate.tag | Initiate tag | Unsigned 32-bit integer |
| sctp.init.chunk.nr.in.streams | Number of inbound streams | Unsigned 16-bit integer |
| sctp.init.chunk.nr.out.streams | Number of outbound streams | Unsigned 16-bit integer |
| sctp.parameter.cookie_preservative_incr | Suggested Cookie life-span increment (msec) | Unsigned 32-bit integer |
| sctp.parameter.hostname.hostname | Hostname | String |
| sctp.parameter.ipv4_address | IP Version 4 address | IPv4 address |
| sctp.parameter.ipv6_address | IP Version 6 address | IPv6 address |
| sctp.parameter.length | Parameter length | Unsigned 16-bit integer |
| sctp.parameter.supported_addres_type | Supported address type | Unsigned 16-bit integer |
| sctp.parameter.type | Parameter type | Unsigned 16-bit integer |
| sctp.payload_proto_id | Payload protocol identifier | Unsigned 32-bit integer |
| sctp.port | Port | Unsigned 16-bit integer |
| sctp.sack.a_rwnd | Advertised receiver window credit (a_rwnd) | Unsigned 32-bit integer |
| sctp.sack.cumulative_tsn_ack | Cumulative TSN ACK | Unsigned 32-bit integer |
| sctp.sack.duplicate.tsn | Duplicate TSN | Unsigned 16-bit integer |
| sctp.sack.gap_block_end | End | Unsigned 16-bit integer |
| sctp.sack.gap_block_start | Start | Unsigned 16-bit integer |
| sctp.sack.number_of_duplicated_tsns | Number of duplicated TSNs | Unsigned 16-bit integer |
| sctp.sack.number_of_gap_blocks | Number of gap acknowldgement blocks | Unsigned 16-bit integer |
| sctp.shutdown.cumulative_tsn_ack | Cumulative TSN Ack | Unsigned 32-bit integer |
| sctp.shutdown_complete.t_bit | T-Bit | Boolean |
| sctp.srcport | Source port | Unsigned 16-bit integer |
| sctp.stream_id | Stream Identifier | Unsigned 16-bit integer |
| sctp.stream_seq_number | Stream sequence number | Unsigned 16-bit integer |
| sctp.tsn | TSN | Unsigned 32-bit integer |
| sctp.verfication_tag | Verification tag | Unsigned 32-bit integer |

Syslog message (syslog)


Table A-252. Syslog message (syslog)

| Field | Field Name | Type |
|---|---|---|
| syslog.facility | Facility | Unsigned 8-bit integer |
| syslog.level | Level | Unsigned 8-bit integer |
| syslog.msg | Message | String |

Systems Network Architecture (sna)


Table A-253. Systems Network Architecture (sna)

| Field | Field Name | Type |
|---|---|---|
| sna.nlp.frh | Transmission Priority Field | Unsigned 8-bit integer |
| sna.nlp.nhdr | Network Layer Packet Header | No value |
| sna.nlp.nhdr.0 | Network Layer Packet Header Byte 0 | Unsigned 8-bit integer |
| sna.nlp.nhdr.1 | Network Layer Packet Header Bype 1 | Unsigned 8-bit integer |
| sna.nlp.nhdr.anr | Automatic Network Routing Entry | Byte array |
| sna.nlp.nhdr.fra | Function Routing Address Entry | Byte array |
| sna.nlp.nhdr.ft | Function Type | Unsigned 8-bit integer |
| sna.nlp.nhdr.slowdn1 | Slowdown 1 | Boolean |
| sna.nlp.nhdr.slowdn2 | Slowdown 2 | Boolean |
| sna.nlp.nhdr.sm | Switching Mode Field | Unsigned 8-bit integer |
| sna.nlp.nhdr.tpf | Transmission Priority Field | Unsigned 8-bit integer |
| sna.nlp.nhdr.tspi | Time Sensitive Packet Indicator | Boolean |
| sna.nlp.thdr | RTP Transport Header | No value |
| sna.nlp.thdr.8 | RTP Transport Packet Header Bype 8 | Unsigned 8-bit integer |
| sna.nlp.thdr.9 | RTP Transport Packet Header Bype 9 | Unsigned 8-bit integer |
| sna.nlp.thdr.bsn | Byte Sequence Number | Unsigned 32-bit integer |
| sna.nlp.thdr.cq | Connection Qualifyer Field Indicator | Boolean |
| sna.nlp.thdr.dlf | Data Length Field | Unsigned 32-bit integer |
| sna.nlp.thdr.eomi | End Of Message Indicator | Boolean |
| sna.nlp.thdr.lmi | Last Message Indicator | Boolean |
| sna.nlp.thdr.offset | Data Offset/4 | Unsigned 16-bit integer |
| sna.nlp.thdr.osi | Optional Segments Present Indicator | Boolean |
| sna.nlp.thdr.rasapi | Reply ASAP Indicator | Boolean |
| sna.nlp.thdr.retryi | Retry Indicator | Boolean |
| sna.nlp.thdr.setupi | Setup Indicator | Boolean |
| sna.nlp.thdr.somi | Start Of Message Indicator | Boolean |
| sna.nlp.thdr.sri | Session Request Indicator | Boolean |
| sna.nlp.thdr.tcid | Transport Connection Identifier | Byte array |
| sna.rh | Request/Response Header | No value |
| sna.rh.0 | Request/Response Header Byte 0 | Unsigned 8-bit integer |
| sna.rh.1 | Request/Response Header Byte 1 | Unsigned 8-bit integer |
| sna.rh.2 | Request/Response Header Byte 2 | Unsigned 8-bit integer |
| sna.rh.bbi | Begin Bracket Indicator | Boolean |
| sna.rh.bci | Begin Chain Indicator | Boolean |
| sna.rh.cdi | Change Direction Indicator | Boolean |
| sna.rh.cebi | Conditional End Bracket Indicator | Boolean |
| sna.rh.csi | Code Selection Indicator | Unsigned 8-bit integer |
| sna.rh.dr1 | Definite Response 1 Indicator | Boolean |
| sna.rh.dr2 | Definite Response 2 Indicator | Boolean |
| sna.rh.ebi | End Bracket Indicator | Boolean |
| sna.rh.eci | End Chain Indicator | Boolean |
| sna.rh.edi | Enciphered Data Indicator | Boolean |
| sna.rh.eri | Exception Response Indicator | Boolean |
| sna.rh.fi | Format Indicator | Boolean |
| sna.rh.lcci | Length-Checked Compression Indicator | Boolean |
| sna.rh.pdi | Padded Data Indicator | Boolean |
| sna.rh.pi | Pacing Indicator | Boolean |
| sna.rh.qri | Queued Response Indicator | Boolean |
| sna.rh.rlwi | Request Larger Window Indicator | Boolean |
| sna.rh.rri | Request/Response Indicator | Unsigned 8-bit integer |
| sna.rh.rti | Response Type Indicator | Boolean |
| sna.rh.ru_category | Request/Response Unit Category | Unsigned 8-bit integer |
| sna.rh.sdi | Sense Data Included | Boolean |
| sna.th | Transmission Header | No value |
| sna.th.0 | Transmission Header Byte 0 | Unsigned 8-bit integer |
| sna.th.cmd_fmt | Command Format | Unsigned 8-bit integer |
| sna.th.cmd_sn | Command Sequence Number | Unsigned 16-bit integer |
| sna.th.cmd_type | Command Type | Unsigned 8-bit integer |
| sna.th.daf | Destination Address Field | Unsigned 16-bit integer |
| sna.th.dcf | Data Count Field | Unsigned 16-bit integer |
| sna.th.def | Destination Element Field | Unsigned 16-bit integer |
| sna.th.dsaf | Destination Subarea Address Field | Unsigned 32-bit integer |
| sna.th.efi | Expedited Flow Indicator | Unsigned 8-bit integer |
| sna.th.er_vr_supp_ind | ER and VR Support Indicator | Unsigned 8-bit integer |
| sna.th.ern | Explicit Route Number | Unsigned 8-bit integer |
| sna.th.fid | Format Identifer | Unsigned 8-bit integer |
| sna.th.iern | Initial Explicit Route Number | Unsigned 8-bit integer |
| sna.th.lsid | Local Session Identification | Unsigned 8-bit integer |
| sna.th.mft | MPR FID4 Type | Boolean |
| sna.th.mpf | Mapping Field | Unsigned 8-bit integer |
| sna.th.nlp_cp | NLP Count or Padding | Unsigned 8-bit integer |
| sna.th.nlpoi | NLP Offset Indicator | Unsigned 8-bit integer |
| sna.th.ntwk_prty | Network Priority | Unsigned 8-bit integer |
| sna.th.oaf | Origin Address Field | Unsigned 16-bit integer |
| sna.th.odai | ODAI Assignment Indicator | Unsigned 8-bit integer |
| sna.th.oef | Origin Element Field | Unsigned 16-bit integer |
| sna.th.osaf | Origin Subarea Address Field | Unsigned 32-bit integer |
| sna.th.piubf | PIU Blocking Field | Unsigned 8-bit integer |
| sna.th.sa | Session Address | Byte array |
| sna.th.snai | SNA Indicator | Boolean |
| sna.th.snf | Sequence Number Field | Unsigned 16-bit integer |
| sna.th.tg_nonfifo_ind | Transmission Group Non-FIFO Indicator | Boolean |
| sna.th.tg_snf | Transmission Group Sequence Number Field | Unsigned 16-bit integer |
| sna.th.tg_sweep | Transmission Group Sweep | Unsigned 8-bit integer |
| sna.th.tgsf | Transmission Group Segmenting Field | Unsigned 8-bit integer |
| sna.th.tpf | Transmission Priority Field | Unsigned 8-bit integer |
| sna.th.vr_cwi | Virtual Route Change Window Indicator | Unsigned 16-bit integer |
| sna.th.vr_cwri | Virtual Route Change Window Reply Indicator | Unsigned 16-bit integer |
| sna.th.vr_pac_cnt_ind | Virtual Route Pacing Count Indicator | Unsigned 8-bit integer |
| sna.th.vr_rwi | Virtual Route Reset Window Indicator | Boolean |
| sna.th.vr_snf_send | Virtual Route Send Sequence Number Field | Unsigned 16-bit integer |
| sna.th.vr_sqti | Virtual Route Sequence and Type Indicator | Unsigned 16-bit integer |
| sna.th.vrn | Virtual Route Number | Unsigned 8-bit integer |
| sna.th.vrprq | Virtual Route Pacing Request | Boolean |
| sna.th.vrprs | Virtual Route Pacing Response | Boolean |

TACACS (tacacs)
Table A-254. TACACS (tacacs)

| Field | Field Name | Type |
|---|---|---|
| tacacs.destaddr | Destination address | IPv4 address |
| tacacs.destport | Destination port | Unsigned 16-bit integer |
| tacacs.line | Line | Unsigned 16-bit integer |
| tacacs.nonce | Nonce | Unsigned 16-bit integer |
| tacacs.passlen | Password length | Unsigned 8-bit integer |
| tacacs.reason | Reason | Unsigned 8-bit integer |
| tacacs.response | Response | Unsigned 8-bit integer |
| tacacs.result1 | Result 1 | Unsigned 32-bit integer |
| tacacs.result2 | Result 2 | Unsigned 32-bit integer |
| tacacs.result3 | Result 3 | Unsigned 16-bit integer |
| tacacs.type | Type | Unsigned 8-bit integer |
| tacacs.userlen | Username length | Unsigned 8-bit integer |
| tacacs.version | Version | Unsigned 8-bit integer |

TACACS+ (tacplus)
Table A-255. TACACS+ (tacplus)

| Field | Field Name | Type |
|---|---|---|
| tacplus.flags | Flags | Unsigned 8-bit integer |
| tacplus.flags.connection_type | Connection type | Boolean |
| tacplus.flags.payload_type | Payload type | Boolean |
| tacplus.majvers | Major version | Unsigned 8-bit integer |
| tacplus.minvers | Minor version | Unsigned 8-bit integer |
| tacplus.packet_len | Packet length | Unsigned 32-bit integer |
| tacplus.request | Request | Boolean |
| tacplus.response | Response | Boolean |
| tacplus.seqno | Sequence number | Unsigned 8-bit integer |
| tacplus.session_id | Session ID | Unsigned 32-bit integer |
| tacplus.type | Type | Unsigned 8-bit integer |

TPKT (tpkt)
Table A-256. TPKT (tpkt)

| Field | Field Name | Type |
|---|---|---|
| tpkt.length | Length | Unsigned 16-bit integer |
| tpkt.reserved | Reserved | Unsigned 8-bit integer |
| tpkt.version | Version | Unsigned 8-bit integer |

Telnet (telnet)
Table A-257. Telnet (telnet)

| Field | Field Name | Type |
|---|---|---|

Time Protocol (time)


Table A-258. Time Protocol (time)

| Field | Field Name | Type |
|---|---|---|
| time.time | Time | Unsigned 32-bit integer |


Time Synchronization Protocol (tsp)


Table A-259. Time Synchronization Protocol (tsp)

| Field | Field Name | Type |
|---|---|---|
| tsp.hopcnt | Hop Count | Unsigned 8-bit integer |
| tsp.name | Machine Name | String |
| tsp.sec | Seconds | Unsigned 32-bit integer |
| tsp.sequence | Sequence | Unsigned 16-bit integer |
| tsp.type | Type | Unsigned 8-bit integer |
| tsp.usec | Microseconds | Unsigned 32-bit integer |
| tsp.version | Version | Unsigned 8-bit integer |

Token-Ring (tr)
Table A-260. Token-Ring (tr)

| Field | Field Name | Type |
|---|---|---|
| tr.ac | Access Control | Unsigned 8-bit integer |
| tr.addr | Source or Destination Address | 6-byte Hardware (MAC) Address |
| tr.broadcast | Broadcast Type | Unsigned 8-bit integer |
| tr.direction | Direction | Unsigned 8-bit integer |
| tr.dst | Destination | 6-byte Hardware (MAC) Address |
| tr.fc | Frame Control | Unsigned 8-bit integer |
| tr.frame | Frame | Boolean |
| tr.frame_pcf | Frame PCF | Unsigned 8-bit integer |
| tr.frame_type | Frame Type | Unsigned 8-bit integer |
| tr.max_frame_size | Maximum Frame Size | Unsigned 8-bit integer |
| tr.monitor_cnt | Monitor Count | Unsigned 8-bit integer |
| tr.priority | Priority | Unsigned 8-bit integer |
| tr.priority_reservation | Priority Reservation | Unsigned 8-bit integer |
| tr.rif | Ring-Bridge Pairs | String |
| tr.rif.bridge | RIF Bridge | Unsigned 8-bit integer |
| tr.rif.ring | RIF Ring | Unsigned 16-bit integer |
| tr.rif_bytes | RIF Bytes | Unsigned 8-bit integer |
| tr.sr | Source Routed | Boolean |
| tr.src | Source | 6-byte Hardware (MAC) Address |

Token-Ring Media Access Control (trmac)


Table A-261. Token-Ring Media Access Control (trmac)

| Field | Field Name | Type |
|---|---|---|
| trmac.dstclass | Destination Class | Unsigned 8-bit integer |
| trmac.errors.abort | Abort Delimiter Transmitted Errors | Unsigned 8-bit integer |
| trmac.errors.ac | A/C Errors | Unsigned 8-bit integer |
| trmac.errors.burst | Burst Errors | Unsigned 8-bit integer |
| trmac.errors.congestion | Receiver Congestion Errors | Unsigned 8-bit integer |
| trmac.errors.fc | Frame-Copied Errors | Unsigned 8-bit integer |
| trmac.errors.freq | Frequency Errors | Unsigned 8-bit integer |
| trmac.errors.internal | Internal Errors | Unsigned 8-bit integer |
| trmac.errors.iso | Isolating Errors | Unsigned 16-bit integer |
| trmac.errors.line | Line Errors | Unsigned 8-bit integer |
| trmac.errors.lost | Lost Frame Errors | Unsigned 8-bit integer |
| trmac.errors.noniso | Non-Isolating Errors | Unsigned 16-bit integer |
| trmac.errors.token | Token Errors | Unsigned 8-bit integer |
| trmac.length | Total Length | Unsigned 8-bit integer |
| trmac.mvec | Major Vector | Unsigned 8-bit integer |
| trmac.naun | NAUN | 6-byte Hardware (MAC) Address |
| trmac.srcclass | Source Class | Unsigned 8-bit integer |
| trmac.svec | Sub-Vector | Unsigned 8-bit integer |

Transmission Control Protocol (tcp)


Table A-262. Transmission Control Protocol (tcp)

| Field | Field Name | Type |
|---|---|---|
| tcp.ack | Acknowledgement number | Unsigned 32-bit integer |
| tcp.analysis.ack_rtt | The RTT to ACK the segment was | Time duration |
| tcp.analysis.acks_frame | This is an ACK to the segment in frame | Unsigned 32-bit integer |
| tcp.checksum | Checksum | Unsigned 16-bit integer |
| tcp.checksum_bad | Bad Checksum | Boolean |
| tcp.dstport | Destination Port | Unsigned 16-bit integer |
| tcp.flags | Flags | Unsigned 8-bit integer |
| tcp.flags.ack | Acknowledgment | Boolean |
| tcp.flags.cwr | Congestion Window Reduced (CWR) | Boolean |
| tcp.flags.ecn | ECN-Echo | Boolean |
| tcp.flags.fin | Fin | Boolean |
| tcp.flags.push | Push | Boolean |
| tcp.flags.reset | Reset | Boolean |
| tcp.flags.syn | Syn | Boolean |
| tcp.flags.urg | Urgent | Boolean |
| tcp.hdr_len | Header Length | Unsigned 8-bit integer |
| tcp.len | TCP Segment Len | Unsigned 32-bit integer |
| tcp.nxtseq | Next sequence number | Unsigned 32-bit integer |
| tcp.port | Source or Destination Port | Unsigned 16-bit integer |
| tcp.seq | Sequence number | Unsigned 32-bit integer |
| tcp.srcport | Source Port | Unsigned 16-bit integer |
| tcp.urgent_pointer | Urgent pointer | Unsigned 16-bit integer |
| tcp.window_size | Window size | Unsigned 16-bit integer |

Transparent Network Substrate Protocol (tns)


Table A-263. Transparent Network Substrate Protocol (tns)

| Field | Field Name | Type |
|---|---|---|
| tns.abort | Abort | Boolean |
| tns.abort_data | Abort Data | String |
| tns.abort_reason_system | Abort Reason (User) | Unsigned 8-bit integer |
| tns.abort_reason_user | Abort Reason (User) | Unsigned 8-bit integer |
| tns.accept | Accept | Boolean |
| tns.accept_data | Accept Data | String |
| tns.accept_data_length | Accept Data Length | Unsigned 16-bit integer |
| tns.accept_data_offset | Offset to Accept Data | Unsigned 16-bit integer |
| tns.compat_version | Version (Compatible) | Unsigned 16-bit integer |
| tns.connect | Connect | Boolean |
| tns.connect_data | Connect Data | String |
| tns.connect_data_length | Length of Connect Data | Unsigned 16-bit integer |
| tns.connect_data_max | Maximum Receivable Connect Data | Unsigned 32-bit integer |
| tns.connect_data_offset | Offset to Connect Data | Unsigned 16-bit integer |
| tns.connect_flags.enablena | NA services enabled | Unsigned 8-bit integer |
| tns.connect_flags.ichg | Interchange is involved | Unsigned 8-bit integer |
| tns.connect_flags.nalink | NA services linked in | Unsigned 8-bit integer |
| tns.connect_flags.nareq | NA services required | Unsigned 8-bit integer |
| tns.connect_flags.wantna | NA services wanted | Unsigned 8-bit integer |
| tns.connect_flags0 | Connect Flags 0 | Unsigned 8-bit integer |
| tns.connect_flags1 | Connect Flags 1 | Unsigned 8-bit integer |
| tns.control | Control | Boolean |
| tns.control.cmd | Control Command | Unsigned 16-bit integer |
| tns.control.data | Control Data | Byte array |
| tns.data | Data | Boolean |
| tns.data_flag | Data Flag | Unsigned 16-bit integer |
| tns.data_flag.c | Confirmation | Unsigned 16-bit integer |
| tns.data_flag.dic | Do Immediate Confirmation | Unsigned 16-bit integer |
| tns.data_flag.eof | End of File | Unsigned 16-bit integer |
| tns.data_flag.more | More Data to Come | Unsigned 16-bit integer |
| tns.data_flag.rc | Request Confirmation | Unsigned 16-bit integer |
| tns.data_flag.reserved | Reserved | Unsigned 16-bit integer |
| tns.data_flag.rts | Request To Send | Unsigned 16-bit integer |
| tns.data_flag.send | Send Token | Unsigned 16-bit integer |
| tns.data_flag.sntt | Send NT Trailer | Unsigned 16-bit integer |
| tns.header_checksum | Header Checksum | Unsigned 16-bit integer |
| tns.length | Packet Length | Unsigned 16-bit integer |
| tns.line_turnaround | Line Turnaround Value | Unsigned 16-bit integer |
| tns.marker | Marker | Boolean |
| tns.marker.data | Marker Data | Unsigned 16-bit integer |
| tns.marker.databyte | Marker Data Byte | Unsigned 8-bit integer |
| tns.marker.type | Marker Type | Unsigned 8-bit integer |
| tns.max_tdu_size | Maximum Transmission Data Unit Size | Unsigned 16-bit integer |
| tns.nt_proto_characteristics | NT Protocol Characteristics | Unsigned 16-bit integer |
| tns.ntp_flag.asio | ASync IO Supported | Unsigned 16-bit integer |
| tns.ntp_flag.cbio | Callback IO supported | Unsigned 16-bit integer |
| tns.ntp_flag.crel | Confirmed release | Unsigned 16-bit integer |
| tns.ntp_flag.dfio | Full duplex IO supported | Unsigned 16-bit integer |
| tns.ntp_flag.dtest | Data test | Unsigned 16-bit integer |
| tns.ntp_flag.grant | Can grant connection to another | Unsigned 16-bit integer |
| tns.ntp_flag.handoff | Can handoff connection to another | Unsigned 16-bit integer |
| tns.ntp_flag.hangon | Hangon to listener connect | Unsigned 16-bit integer |
| tns.ntp_flag.pio | Packet oriented IO | Unsigned 16-bit integer |
| tns.ntp_flag.sigio | Generate SIGIO signal | Unsigned 16-bit integer |
| tns.ntp_flag.sigpipe | Generate SIGPIPE signal | Unsigned 16-bit integer |
| tns.ntp_flag.sigurg | Generate SIGURG signal | Unsigned 16-bit integer |
| tns.ntp_flag.srun | Spawner running | Unsigned 16-bit integer |
| tns.ntp_flag.tduio | TDU based IO | Unsigned 16-bit integer |
| tns.ntp_flag.testop | Test operation | Unsigned 16-bit integer |
| tns.ntp_flag.urgentio | Urgent IO supported | Unsigned 16-bit integer |
| tns.packet_checksum | Packet Checksum | Unsigned 16-bit integer |
| tns.redirect | Redirect | Boolean |
| tns.redirect_data | Redirect Data | String |
| tns.redirect_data_length | Redirect Data Length | Unsigned 16-bit integer |
| tns.refuse | Refuse | Boolean |
| tns.refuse_data | Refuse Data | String |
| tns.refuse_data_length | Refuse Data Length | Unsigned 16-bit integer |
| tns.refuse_reason_system | Refuse Reason (System) | Unsigned 8-bit integer |
| tns.refuse_reason_user | Refuse Reason (User) | Unsigned 8-bit integer |
| tns.request | Request | Boolean |
| tns.reserved_byte | Reserved Byte | Byte array |
| tns.response | Response | Boolean |
| tns.sdu_size | Session Data Unit Size | Unsigned 16-bit integer |
| tns.service_options | Service Options | Unsigned 16-bit integer |
| tns.so_flag.ap | Attention Processing | Unsigned 16-bit integer |
| tns.so_flag.bconn | Broken Connect Notify | Unsigned 16-bit integer |
| tns.so_flag.dc1 | Dont Care | Unsigned 16-bit integer |
| tns.so_flag.dc2 | Dont Care | Unsigned 16-bit integer |
| tns.so_flag.dio | Direct IO to Transport | Unsigned 16-bit integer |
| tns.so_flag.fd | Full Duplex | Unsigned 16-bit integer |
| tns.so_flag.hc | Header Checksum | Unsigned 16-bit integer |
| tns.so_flag.hd | Half Duplex | Unsigned 16-bit integer |
| tns.so_flag.pc | Packet Checksum | Unsigned 16-bit integer |
| tns.so_flag.ra | Can Receive Attention | Unsigned 16-bit integer |
| tns.so_flag.sa | Can Send Attention | Unsigned 16-bit integer |
| tns.trace_cf1 | Trace Cross Facility Item 1 | Unsigned 32-bit integer |
| tns.trace_cf2 | Trace Cross Facility Item 2 | Unsigned 32-bit integer |
| tns.trace_cid | Trace Unique Connection ID | |
| tns.type | Packet Type | Unsigned 8-bit integer |
| tns.value_of_one | Value of 1 in Hardware | Byte array |
| tns.version | Version | Unsigned 16-bit integer |

Trivial File Transfer Protocol (tftp)


Table A-264. Trivial File Transfer Protocol (tftp)

| Field | Field Name | Type |
|---|---|---|
| tftp.block | Block | Unsigned 16-bit integer |
| tftp.destination_file | DESTINATION File | String |
| tftp.error.code | Error code | Unsigned 16-bit integer |
| tftp.error.message | Error message | String |
| tftp.opcode | Opcode | Unsigned 16-bit integer |
| tftp.source_file | Source File | String |
| tftp.type | Type | String |


Universal Computer Protocol (ucp)


Table A-265. Universal Computer Protocol (ucp)

| Field | Field Name | Type |
|---|---|---|
| ucp.hdr.LEN | Length | Unsigned 16-bit integer |
| ucp.hdr.OT | Operation | Unsigned 8-bit integer |
| ucp.hdr.O_R | Type | Unsigned 8-bit integer |
| ucp.hdr.TRN | Transaction Reference Number | Unsigned 8-bit integer |
| ucp.message | Data | No value |
| ucp.parm | Data | No value |
| ucp.parm.AAC | AAC | String |
| ucp.parm.AC | AC | String |
| ucp.parm.ACK | (N)Ack | Unsigned 8-bit integer |
| ucp.parm.A_D | A_D | Unsigned 8-bit integer |
| ucp.parm.AdC | AdC | String |
| ucp.parm.BAS | BAS | Unsigned 8-bit integer |
| ucp.parm.CPg | CPg | String |
| ucp.parm.CS | CS | Unsigned 8-bit integer |
| ucp.parm.CT | CT | Date/Time stamp |
| ucp.parm.DAdC | DAdC | String |
| ucp.parm.DCs | DCs | Unsigned 8-bit integer |
| ucp.parm.DD | DD | Unsigned 8-bit integer |
| ucp.parm.DDT | DDT | Date/Time stamp |
| ucp.parm.DSCTS | DSCTS | Date/Time stamp |
| ucp.parm.Dst | Dst | Unsigned 8-bit integer |
| ucp.parm.EC | Error code | Unsigned 8-bit integer |
| ucp.parm.GA | GA | String |
| ucp.parm.GAdC | GAdC | String |
| ucp.parm.HPLMN | HPLMN | String |
| ucp.parm.IVR5x | IVR5x | String |
| ucp.parm.L1P | L1P | String |
| ucp.parm.L1R | L1R | Unsigned 8-bit integer |
| ucp.parm.L3P | L3P | String |
| ucp.parm.L3R | L3R | Unsigned 8-bit integer |
| ucp.parm.LAC | LAC | String |
| ucp.parm.LAR | LAR | Unsigned 8-bit integer |
| ucp.parm.LAdC | LAdC | String |
| ucp.parm.LCR | LCR | Unsigned 8-bit integer |
| ucp.parm.LMN | LMN | Unsigned 8-bit integer |
| ucp.parm.LNPI | LNPI | Unsigned 8-bit integer |
| ucp.parm.LNo | LNo | String |
| ucp.parm.LPID | LPID | Unsigned 16-bit integer |
| ucp.parm.LPR | LPR | String |
| ucp.parm.LRAd | LRAd | String |
| ucp.parm.LRC | LRC | String |
| ucp.parm.LRP | LRP | String |
| ucp.parm.LRR | LRR | Unsigned 8-bit integer |
| ucp.parm.LRq | LRq | Unsigned 8-bit integer |
| ucp.parm.LST | LST | String |
| ucp.parm.LTON | LTON | Unsigned 8-bit integer |
| ucp.parm.LUM | LUM | String |
| ucp.parm.LUR | LUR | Unsigned 8-bit integer |
| ucp.parm.MCLs | MCLs | Unsigned 8-bit integer |
| ucp.parm.MMS | MMS | Unsigned 8-bit integer |
| ucp.parm.MNo | MNo | String |
| ucp.parm.MT | MT | Unsigned 8-bit integer |
| ucp.parm.MVP | MVP | Date/Time stamp |
| ucp.parm.NAC | NAC | String |
| ucp.parm.NAdC | NAdC | String |
| ucp.parm.NB | NB | String |
| ucp.parm.NMESS | NMESS | Unsigned 8-bit integer |
| ucp.parm.NMESS_str | NMESS_str | String |
| ucp.parm.NPID | NPID | Unsigned 16-bit integer |
| ucp.parm.NPL | NPL | Unsigned 16-bit integer |
| ucp.parm.NPWD | NPWD | No value |
| ucp.parm.NRq | NRq | Unsigned 8-bit integer |
| ucp.parm.NT | NT | Unsigned 8-bit integer |
| ucp.parm.NoA | NoA | Unsigned 16-bit integer |
| ucp.parm.NoB | NoB | Unsigned 16-bit integer |
| ucp.parm.NoN | NoN | Unsigned 16-bit integer |
| ucp.parm.OAC | OAC | String |
| ucp.parm.OAdC | OAdC | String |
| ucp.parm.ONPI | ONPI | Unsigned 8-bit integer |
| ucp.parm.OPID | OPID | Unsigned 8-bit integer |
| ucp.parm.OTOA | OTOA | String |
| ucp.parm.OTON | OTON | Unsigned 8-bit integer |
| ucp.parm.PID | PID | Unsigned 16-bit integer |
| ucp.parm.PNC | PNC | Unsigned 8-bit integer |
| ucp.parm.PR | PR | Unsigned 8-bit integer |
| ucp.parm.PWD | PWD | No value |
| ucp.parm.RC | RC | Unsigned 8-bit integer |
| ucp.parm.REQ_OT | REQ_OT | Unsigned 8-bit integer |
| ucp.parm.RES1 | RES1 | String |
| ucp.parm.RES2 | RES2 | String |
| ucp.parm.RES4 | RES4 | String |
| ucp.parm.RES5 | RES5 | String |
| ucp.parm.RP | RP | Unsigned 8-bit integer |
| ucp.parm.RPI | RPI | Unsigned 8-bit integer |
| ucp.parm.RPID | RPID | String |
| ucp.parm.RPLy | RPLy | String |
| ucp.parm.RT | RT | Unsigned 8-bit integer |
| ucp.parm.R_T | R_T | String |
| ucp.parm.Rsn | Rsn | Unsigned 16-bit integer |
| ucp.parm.SCTS | SCTS | Date/Time stamp |
| ucp.parm.SM | SM | String |
| ucp.parm.SP | SP | Date/Time stamp |
| ucp.parm.SSTAT | SSTAT | Unsigned 8-bit integer |
| ucp.parm.ST | ST | Date/Time stamp |
| ucp.parm.STYP0 | STYP0 | Unsigned 8-bit integer |
| ucp.parm.STYP1 | STYP1 | Unsigned 8-bit integer |
| ucp.parm.STx | STx | No value |
| ucp.parm.TNo | TNo | String |
| ucp.parm.UM | UM | Unsigned 8-bit integer |
| ucp.parm.VERS | VERS | String |
| ucp.parm.VP | VP | Date/Time stamp |
| ucp.parm.XSer | Extra services: | No value |
| ucp.xser.service | Type of service | Unsigned 8-bit integer |


Unreassembled Fragmented Packet (unreassembled)


Table A-266. Unreassembled Fragmented Packet (unreassembled)

| Field | Field Name | Type |
|---|---|---|

User Datagram Protocol (udp)


Table A-267. User Datagram Protocol (udp)

| Field | Field Name | Type |
|---|---|---|
| udp.checksum | Checksum | Unsigned 16-bit integer |
| udp.checksum_bad | Bad Checksum | Boolean |
| udp.dstport | Destination Port | Unsigned 16-bit integer |
| udp.length | Length | Unsigned 16-bit integer |
| udp.port | Source or Destination Port | Unsigned 16-bit integer |
| udp.srcport | Source Port | Unsigned 16-bit integer |

Virtual Router Redundancy Protocol (vrrp)


Table A-268. Virtual Router Redundancy Protocol (vrrp)
Field                Field Name                     Type
vrrp.adver_int       Adver Int                      Unsigned 8-bit integer
vrrp.auth_type       Auth Type                      Unsigned 8-bit integer
vrrp.count_ip_addrs  Count IP Addrs                 Unsigned 8-bit integer
vrrp.ip_addr         IP Address                     IPv4 address
vrrp.ipv6_addr       IPv6 Address                   IPv6 address
vrrp.prio            Priority                       Unsigned 8-bit integer
vrrp.type            VRRP packet type               Unsigned 8-bit integer
vrrp.typever         VRRP message version and type  Unsigned 8-bit integer
vrrp.version         VRRP protocol version          Unsigned 8-bit integer
vrrp.virt_rtr_id     Virtual Rtr ID                 Unsigned 8-bit integer


Virtual Trunking Protocol (vtp)


Table A-269. Virtual Trunking Protocol (vtp)
Field                           Field Name                     Type
vtp.code                        Code                           Unsigned 8-bit integer
vtp.conf_rev_num                Configuration Revision Number  Unsigned 32-bit integer
vtp.followers                   Followers                      Unsigned 8-bit integer
vtp.md                          Management Domain              String
vtp.md5_digest                  MD5 Digest                     Byte array
vtp.md_len                      Management Domain Length       Unsigned 8-bit integer
vtp.seq_num                     Sequence Number                Unsigned 8-bit integer
vtp.start_value                 Start Value                    Unsigned 16-bit integer
vtp.upd_id                      Updater Identity               IPv4 address
vtp.upd_ts                      Update Timestamp               String
vtp.version                     Version                        Unsigned 8-bit integer
vtp.vlan_info.802_10_index      802.10 Index                   Unsigned 32-bit integer
vtp.vlan_info.isl_vlan_id       ISL VLAN ID                    Unsigned 16-bit integer
vtp.vlan_info.len               VLAN Information Length        Unsigned 8-bit integer
vtp.vlan_info.mtu_size          MTU Size                       Unsigned 16-bit integer
vtp.vlan_info.status.vlan_susp  VLAN suspended                 Boolean
vtp.vlan_info.tlv_len           Length                         Unsigned 8-bit integer
vtp.vlan_info.tlv_type          Type                           Unsigned 8-bit integer
vtp.vlan_info.vlan_name         VLAN Name                      String
vtp.vlan_info.vlan_name_len     VLAN Name Length               Unsigned 8-bit integer
vtp.vlan_info.vlan_type         VLAN Type                      Unsigned 8-bit integer

Web Cache Coordination Protocol (wccp)


Table A-270. Web Cache Coordination Protocol (wccp)
Field               Field Name            Type
wccp.cache_ip       Web Cache IP address  IPv4 address
wccp.change_num     Change Number         Unsigned 32-bit integer
wccp.hash_revision  Hash Revision         Unsigned 32-bit integer
wccp.message        WCCP Message Type     Unsigned 32-bit integer
wccp.recvd_id       Received ID           Unsigned 32-bit integer
wccp.version        WCCP Version          Unsigned 32-bit integer

Wellfleet Compression (wcp)


Table A-271. Wellfleet Compression (wcp)
Field           Field Name         Type
wcp.alg         Alg                Unsigned 8-bit integer
wcp.alg1        Alg 1              Unsigned 8-bit integer
wcp.alg2        Alg 2              Unsigned 8-bit integer
wcp.alg3        Alg 3              Unsigned 8-bit integer
wcp.alg4        Alg 4              Unsigned 8-bit integer
wcp.alg_cnt     Alg Count          Unsigned 8-bit integer
wcp.checksum    Checksum           Unsigned 8-bit integer
wcp.cmd         Command            Unsigned 8-bit integer
wcp.ext_cmd     Extended Command   Unsigned 8-bit integer
wcp.flag        Compress Flag      Unsigned 8-bit integer
wcp.hist        History            Unsigned 8-bit integer
wcp.init        Initiator          Unsigned 8-bit integer
wcp.long_comp   Long Compression   Unsigned 16-bit integer
wcp.long_len    Compress Length    Unsigned 8-bit integer
wcp.mark        Compress Marker    Unsigned 8-bit integer
wcp.off         Source offset      Unsigned 16-bit integer
wcp.pib         PIB                Unsigned 8-bit integer
wcp.ppc         PerPackComp        Unsigned 8-bit integer
wcp.rev         Revision           Unsigned 8-bit integer
wcp.rexmit      Rexmit             Unsigned 8-bit integer
wcp.seq         SEQ                Unsigned 16-bit integer
wcp.seq_size    Seq Size           Unsigned 8-bit integer
wcp.short_comp  Short Compression  Unsigned 8-bit integer
wcp.short_len   Compress Length    Unsigned 8-bit integer
wcp.tid         TID                Unsigned 16-bit integer


Who (who)
Table A-272. Who (who)
Field          Field Name                         Type
who.boottime   Boot Time                          Date/Time stamp
who.hostname   Hostname                           String
who.idle       Time Idle                          Unsigned 32-bit integer
who.loadav_10  Load Average Over Past 10 Minutes  Double-precision floating point
who.loadav_15  Load Average Over Past 15 Minutes  Double-precision floating point
who.loadav_5   Load Average Over Past 5 Minutes   Double-precision floating point
who.recvtime   Receive Time                       Date/Time stamp
who.sendtime   Send Time                          Date/Time stamp
who.timeon     Time On                            Date/Time stamp
who.tty        TTY Name                           String
who.type       Type                               Unsigned 8-bit integer
who.uid        User ID                            String
who.vers       Version                            Unsigned 8-bit integer
who.whoent     Who utmp Entry                     No value

Wireless Session Protocol (wap-wsp)


Table A-273. Wireless Session Protocol (wap-wsp)
Field                            Field Name         Type
wsp.TID                          Transmission ID    Unsigned 8-bit integer
wsp.capabilities                 Capabilities       No value
wsp.capabilities.aliases         Aliases            Unsigned 8-bit integer
wsp.capabilities.client_SDU      Client SDU         Unsigned 8-bit integer
wsp.capabilities.code_pages      Header Code Pages  String
wsp.capabilities.extend_methods  Extended Methods   String
wsp.capabilities.method_mor      Method MOR         Unsigned 8-bit integer

Field                                      Field Name          Type
wsp.capabilities.protocol_opt              Protocol Options    String
wsp.capabilities.push_mor                  Push MOR            Unsigned 8-bit integer
wsp.capabilities.server_SDU                Server SDU          Unsigned 8-bit integer
wsp.capability.length                      Capability Length   Unsigned 32-bit integer
wsp.content_type.parameter.charset         Charset             Unsigned 16-bit integer
wsp.content_type.parameter.comment         Comment             String
wsp.content_type.parameter.domain          Domain              String
wsp.content_type.parameter.filename        Filename            String
wsp.content_type.parameter.name            Name                String
wsp.content_type.parameter.path            Path                String
wsp.content_type.parameter.start           Start               String
wsp.content_type.parameter.start_info      Start-info          String
wsp.content_type.parameter.type            Type                Unsigned 32-bit integer
wsp.content_type.parameter.upart.type      Type                String
wsp.content_type.parameter.upart.type.int  Type                Unsigned 8-bit integer
wsp.content_type.type                      Content Type        Unsigned 8-bit integer
wsp.content_type.type.string               Content Type        String
wsp.header.accept                          Accept              Unsigned 8-bit integer
wsp.header.accept.string                   Accept              String
wsp.header.accept_application              Accept-Application  Unsigned 32-bit integer
wsp.header.accept_application.string       Accept-Application  String
wsp.header.accept_charset                  Accept-Charset      Unsigned 16-bit integer
wsp.header.accept_charset.string           Accept-Charset      String

Field                                    Field Name                Type
wsp.header.accept_language               Accept-Language           Unsigned 8-bit integer
wsp.header.accept_language.string        Accept-Language           String
wsp.header.accept_ranges                 Accept-Ranges             Unsigned 8-bit integer
wsp.header.accept_ranges.string          Accept-Ranges             String
wsp.header.age                           Age                       Unsigned 32-bit integer
wsp.header.application_header            Application Header        String
wsp.header.application_header.value      Application Header Value  String
wsp.header.bearer_indication             Bearer-indication         Unsigned 32-bit integer
wsp.header.cache_control                 Cache-Control             Unsigned 8-bit integer
wsp.header.cache_control.field_name      Field Name                Unsigned 8-bit integer
wsp.header.cache_control.field_name.str  Field Name                String
wsp.header.cache_control.string          Cache-Control             String
wsp.header.connection                    Connection                Unsigned 8-bit integer
wsp.header.connection_str                Connection                String
wsp.header.content-id                    Content-ID                String
wsp.header.content_length                Content-Length            Unsigned 32-bit integer
wsp.header.date                          Date                      Date/Time stamp
wsp.header.etag                          Etag                      String
wsp.header.expires                       Expires                   Date/Time stamp
wsp.header.if_modified_since             If-Modified-Since         Date/Time stamp
wsp.header.last_modified                 Last-Modified             Date/Time stamp
wsp.header.location                      Location                  String
wsp.header.pragma                        Pragma                    String
wsp.header.profile                       Profile                   String
wsp.header.server                        Server                    String
wsp.header.shift                         Shift code                Unsigned 8-bit integer
wsp.header.transfer_enc                  Transfer Encoding         Unsigned 8-bit integer

Field                                 Field Name                 Type
wsp.header.transfer_enc_str           Transfer Encoding          String
wsp.header.user_agent                 User-Agent                 String
wsp.header.via                        Via                        String
wsp.header.wap_application_id         X-Wap-Application-Id       Unsigned 8-bit integer
wsp.header.wap_application_id.string  X-Wap-Application-Id       String
wsp.header.warning                    Warning                    No value
wsp.header.warning.agent              Warning Agent              String
wsp.header.warning.code               Warning Code               Unsigned 32-bit integer
wsp.header.warning.text               Warning Text               String
wsp.header.x-up-devcap-em-size        x-up-devcap-em-size        Unsigned 32-bit integer
wsp.header.x-up-devcap-gui            x-up-devcap-gui            Unsigned 8-bit integer
wsp.header.x-up-devcap-has-color      x-up-devcap-has-color      Unsigned 8-bit integer
wsp.header.x-up-devcap-immed-alert    x-up-devcap-immed-alert    Unsigned 8-bit integer
wsp.header.x-up-devcap-num-softkeys   x-up-devcap-num-softkeys   Unsigned 8-bit integer
wsp.header.x-up-devcap-screen-chars   x-up-devcap-screen-chars   Unsigned 8-bit integer
wsp.header.x-up-devcap-screen-depth   x-up-devcap-screen-depth   Unsigned 8-bit integer
wsp.header.x-up-devcap-screen-pixels  x-up-devcap-screen-pixels  Unsigned 32-bit integer
wsp.header.x-up-devcap-softkey-size   x-up-devcap-softkey-size   Unsigned 8-bit integer
wsp.header.x-up-proxy-ba-enable       x-up-proxy-ba-enable       Unsigned 8-bit integer

Field                                  Field Name                  Type
wsp.header.x-up-proxy-ba-realm         x-up-proxy-ba-realm         String
wsp.header.x-up-proxy-bookmark         x-up-proxy-bookmark         String
wsp.header.x-up-proxy-client-id        x-up-proxy-client-id        Byte array
wsp.header.x-up-proxy-enable-trust     x-up-proxy-enable-trust     Unsigned 8-bit integer
wsp.header.x-up-proxy-home-page        x-up-proxy-home-page        String
wsp.header.x-up-proxy-linger           x-up-proxy-linger           Unsigned 8-bit integer
wsp.header.x-up-proxy-net-ask          x-up-proxy-net-ask          Unsigned 8-bit integer
wsp.header.x-up-proxy-notify           x-up-proxy-notify           Unsigned 8-bit integer
wsp.header.x-up-proxy-operator-domain  x-up-proxy-operator-domain  String
wsp.header.x-up-proxy-push-accept      x-up-proxy-push-accept      String
wsp.header.x-up-proxy-push-addr        x-up-proxy-push-addr        Byte array
wsp.header.x-up-proxy-push-seq         x-up-proxy-push-seq         Unsigned 16-bit integer
wsp.header.x-up-proxy-redirect-enable  x-up-proxy-redirect-enable  Unsigned 8-bit integer
wsp.header.x-up-proxy-redirect-status  x-up-proxy-redirect-status  Unsigned 32-bit integer
wsp.header.x-up-proxy-request-uri      x-up-proxy-request-uri      String

Field                                       Field Name                 Type
wsp.header.x-up-proxy-tod                   x-up-proxy-tod             Unsigned 8-bit integer
wsp.header.x-up-proxy-trans-charset         x-up-proxy-trans-charset   Unsigned 16-bit integer
wsp.header.x-up-proxy-trans-charset.string  x-up-proxy-trans-charset   String
wsp.header.x-up-proxy-trust                 x-up-proxy-trust           Unsigned 8-bit integer
wsp.header.x-up-proxy-trust-old             x-up-proxy-trust-old       Unsigned 8-bit integer
wsp.header.x-up-proxy-uplink-version        x-up-proxy-uplink-version  String
wsp.header.x_wap_tod                        X-WAP.TOD                  Date/Time stamp
wsp.headers                                 Headers                    No value
wsp.headers.header                          Header                     No value
wsp.headers_length                          Headers Length             Unsigned 32-bit integer
wsp.multipart                               Part                       Unsigned 32-bit integer
wsp.multipart.data                          Data in this part          No value
wsp.pdu_type                                PDU Type                   Unsigned 8-bit integer
wsp.post.data                               Data (Post)                No value
wsp.push.data                               Push Data                  No value
wsp.redirect_addr                           Address                    Byte array
wsp.redirect_afl                            Flags/Length               Unsigned 8-bit integer
wsp.redirect_afl.address_len                Address Len                Unsigned 8-bit integer
wsp.redirect_afl.bearer_type_included       Bearer Type Included       Boolean
wsp.redirect_afl.port_number_included       Port Number Included       Boolean
wsp.redirect_bearer_type                    Bearer Type                Unsigned 8-bit integer
wsp.redirect_flags                          Flags                      Unsigned 8-bit integer
wsp.redirect_flags.permanent                Permanent Redirect         Boolean
wsp.redirect_flags.reuse_security_session   Reuse Security Session     Boolean

Field                   Field Name         Type
wsp.redirect_ipv4_addr  IP Address         IPv4 address
wsp.redirect_ipv6_addr  IPv6 Address       IPv6 address
wsp.redirect_port_num   Port Number        Unsigned 16-bit integer
wsp.reply.data          Data               No value
wsp.reply.status        Status             Unsigned 8-bit integer
wsp.server.session_id   Server Session ID  Unsigned 32-bit integer
wsp.uri                 URI                String
wsp.uri_length          URI Length         Unsigned 32-bit integer
wsp.version.major       Version (Major)    Unsigned 8-bit integer
wsp.version.minor       Version (Minor)    Unsigned 8-bit integer

Wireless Transaction Protocol (wap-wsp-wtp)


Table A-274. Wireless Transaction Protocol (wap-wsp-wtp)
Field                          Field Name                            Type
wtp.RID                        Re-transmission Indicator             Boolean
wtp.TID                        Transaction ID                        Unsigned 16-bit integer
wtp.TID.response               TID Response                          Boolean
wtp.abort.reason.provider      Abort Reason                          Unsigned 8-bit integer
wtp.abort.reason.user          Abort Reason                          Unsigned 8-bit integer
wtp.abort.type                 Abort Type                            Unsigned 8-bit integer
wtp.ack.tvetok                 Tve/Tok flag                          Boolean
wtp.continue_flag              Continue Flag                         Boolean
wtp.fragment                   WTP Fragment                          No value
wtp.fragment.error             Defragmentation error                 No value
wtp.fragment.multipletails     Multiple tail fragments found         Boolean
wtp.fragment.overlap           Fragment overlap                      Boolean
wtp.fragment.overlap.conflict  Conflicting data in fragment overlap  Boolean
wtp.fragment.toolongfragment   Fragment too long                     Boolean
wtp.fragments                  WTP Fragments                         No value
wtp.header.TIDNew              TIDNew                                Boolean
wtp.header.UP                  U/P flag                              Boolean

Field                       Field Name              Type
wtp.header.missing_packets  Missing Packets         Unsigned 8-bit integer
wtp.header.sequence         Packet Sequence Number  Unsigned 8-bit integer
wtp.header.version          Version                 Unsigned 8-bit integer
wtp.header_data             Data                    Byte array
wtp.header_variable_part    Header: Variable part   Byte array
wtp.inv.reserved            Reserved                Unsigned 8-bit integer
wtp.inv.transaction_class   Transaction Class       Unsigned 8-bit integer
wtp.pdu_type                PDU Type                Unsigned 8-bit integer
wtp.sub_pdu_size            Sub PDU size            Byte array
wtp.tpi                     TPI                     Unsigned 8-bit integer
wtp.tpi.info                Information             No value
wtp.tpi.opt                 Option                  Unsigned 8-bit integer
wtp.tpi.opt.val             Option Value            No value
wtp.tpi.psn                 Packet sequence number  Unsigned 8-bit integer
wtp.trailer_flags           Trailer Flags           Unsigned 8-bit integer

Wireless Transport Layer Security (wap-wtls)


Table A-275. Wireless Transport Layer Security (wap-wtls)
Field                                          Field Name        Type
wsp.wtls.alert                                 Alert             No value
wsp.wtls.alert.description                     Description       Unsigned 8-bit integer
wsp.wtls.alert.level                           Level             Unsigned 8-bit integer
wsp.wtls.handshake                             Handshake         Unsigned 8-bit integer
wsp.wtls.handshake.certificate                 Certificate       No value
wsp.wtls.handshake.certificate.after           Valid not after   Date/Time stamp
wsp.wtls.handshake.certificate.before          Valid not before  Date/Time stamp
wsp.wtls.handshake.certificate.issuer.charset  Charset           Unsigned 16-bit integer
wsp.wtls.handshake.certificate.issuer.name     Name              String
wsp.wtls.handshake.certificate.issuer.size     Size              Unsigned 8-bit integer

Field                                               Field Name           Type
wsp.wtls.handshake.certificate.issuer.type          Issuer               Unsigned 8-bit integer
wsp.wtls.handshake.certificate.parameter            Parameter Set        String
wsp.wtls.handshake.certificate.parameter_index      Parameter Index      Unsigned 8-bit integer
wsp.wtls.handshake.certificate.public.type          Public Key Type      Unsigned 8-bit integer
wsp.wtls.handshake.certificate.rsa.exponent         RSA Exponent Size    Unsigned 32-bit integer
wsp.wtls.handshake.certificate.rsa.modules          RSA Modulus Size     Unsigned 32-bit integer
wsp.wtls.handshake.certificate.signature.signature  Signature Size       Unsigned 32-bit integer
wsp.wtls.handshake.certificate.signature.type       Signature Type       Unsigned 8-bit integer
wsp.wtls.handshake.certificate.subject.charset      Charset              Unsigned 16-bit integer
wsp.wtls.handshake.certificate.subject.name         Name                 String
wsp.wtls.handshake.certificate.subject.size         Size                 Unsigned 8-bit integer
wsp.wtls.handshake.certificate.subject.type         Subject              Unsigned 8-bit integer
wsp.wtls.handshake.certificate.type                 Type                 Unsigned 8-bit integer
wsp.wtls.handshake.certificate.version              Version              Unsigned 8-bit integer
wsp.wtls.handshake.certificates                     Certificates         No value
wsp.wtls.handshake.client_hello                     Client Hello         No value
wsp.wtls.handshake.client_hello.cipher              Cipher               String
wsp.wtls.handshake.client_hello.ciphers             Cipher Suites        No value
wsp.wtls.handshake.client_hello.client_keys_id      Client Keys          No value
wsp.wtls.handshake.client_hello.client_keys_len     Length               Unsigned 16-bit integer
wsp.wtls.handshake.client_hello.comp_methods        Compression Methods  No value

Field                                                   Field Name          Type
wsp.wtls.handshake.client_hello.compression             Compression         Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.gmt                     Time GMT            Date/Time stamp
wsp.wtls.handshake.client_hello.ident_charset           Identifier CharSet  Unsigned 16-bit integer
wsp.wtls.handshake.client_hello.ident_name              Identifier Name     String
wsp.wtls.handshake.client_hello.ident_size              Identifier Size     Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.ident_type              Identifier Type     Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.identifier              Identifier          No value
wsp.wtls.handshake.client_hello.key.key_exchange        Key Exchange        Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.key.key_exchange.suite  Suite               Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.parameter               Parameter Set       String
wsp.wtls.handshake.client_hello.parameter_index         Parameter Index     Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.random                  Random              No value
wsp.wtls.handshake.client_hello.refresh                 Refresh             Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.sequence_mode           Sequence Mode       Unsigned 8-bit integer
wsp.wtls.handshake.client_hello.session.str             Session ID          String
wsp.wtls.handshake.client_hello.sessionid               Session ID          Unsigned 32-bit integer
wsp.wtls.handshake.client_hello.trusted_keys_id         Trusted Keys        No value
wsp.wtls.handshake.client_hello.version                 Version             Unsigned 8-bit integer
wsp.wtls.handshake.length                               Length              Unsigned 16-bit integer
wsp.wtls.handshake.server_hello                         Server Hello        No value
wsp.wtls.handshake.server_hello.cipher                  Cipher              No value

Field                                          Field Name       Type
wsp.wtls.handshake.server_hello.cipher.bulk    Cipher Bulk      Unsigned 8-bit integer
wsp.wtls.handshake.server_hello.cipher.mac     Cipher MAC       Unsigned 8-bit integer
wsp.wtls.handshake.server_hello.compression    Compression      Unsigned 8-bit integer
wsp.wtls.handshake.server_hello.gmt            Time GMT         Date/Time stamp
wsp.wtls.handshake.server_hello.key            Client Key ID    Unsigned 8-bit integer
wsp.wtls.handshake.server_hello.random         Random           No value
wsp.wtls.handshake.server_hello.refresh        Refresh          Unsigned 8-bit integer
wsp.wtls.handshake.server_hello.sequence_mode  Sequence Mode    Unsigned 8-bit integer
wsp.wtls.handshake.server_hello.session.str    Session ID       String
wsp.wtls.handshake.server_hello.sessionid      Session ID       Unsigned 32-bit integer
wsp.wtls.handshake.server_hello.version        Version          Unsigned 8-bit integer
wsp.wtls.handshake.type                        Type             Unsigned 8-bit integer
wsp.wtls.rec_cipher                            Record Ciphered  No value
wsp.wtls.rec_length                            Record Length    Unsigned 16-bit integer
wsp.wtls.rec_seq                               Record Sequence  Unsigned 16-bit integer
wsp.wtls.rec_type                              Record Type      Unsigned 8-bit integer
wsp.wtls.record                                Record           Unsigned 8-bit integer

X Display Manager Control Protocol (xdmcp)


Table A-276. X Display Manager Control Protocol (xdmcp)
Field                      Field Name           Type
xdmcp.authentication_name  Authentication name  String
xdmcp.authorization_name   Authorization name   String
xdmcp.display_number       Display number       Unsigned 16-bit integer
xdmcp.hostname             Hostname             String
xdmcp.length               Message length       Unsigned 16-bit integer
xdmcp.opcode               Opcode               Unsigned 16-bit integer
xdmcp.session_id           Session ID           Unsigned 32-bit integer
xdmcp.status               Status               String
xdmcp.version              Version              Unsigned 16-bit integer

X.25 (x.25)
Table A-277. X.25 (x.25)
Field      Field Name       Type
x.25.a     A Bit            Boolean
x.25.d     D Bit            Boolean
x.25.g     GFI              Unsigned 16-bit integer
x.25.lcn   Logical Channel  Unsigned 16-bit integer
x.25.m     M Bit            Boolean
x.25.mod   Modulo           Unsigned 16-bit integer
x.25.p_r   P(R)             Unsigned 8-bit integer
x.25.p_s   P(S)             Unsigned 8-bit integer
x.25.q     Q Bit            Boolean
x.25.type  Packet Type      Unsigned 8-bit integer

X.25 over TCP (xot)


Table A-278. X.25 over TCP (xot)
Field        Field Name  Type
xot.length   Length      Unsigned 16-bit integer
xot.version  Version     Unsigned 16-bit integer

X11 (x11)
Table A-279. X11 (x11)

Field                                   Field Name                          Type
x11.acceleration-denominator            acceleration-denominator            Signed 16-bit integer
x11.acceleration-numerator              acceleration-numerator              Signed 16-bit integer
x11.access-mode                         access-mode                         Unsigned 8-bit integer
x11.address                             address                             Byte array
x11.address-length                      address-length                      Unsigned 16-bit integer
x11.alloc                               alloc                               Unsigned 8-bit integer
x11.allow-events-mode                   allow-events-mode                   Unsigned 8-bit integer
x11.allow-exposures                     allow-exposures                     Unsigned 8-bit integer
x11.arc                                 arc                                 No value
x11.arc.angle1                          angle1                              Signed 16-bit integer
x11.arc.angle2                          angle2                              Signed 16-bit integer
x11.arc.height                          height                              Unsigned 16-bit integer
x11.arc.mode                            mode                                Unsigned 8-bit integer
x11.arc.width                           width                               Unsigned 16-bit integer
x11.arc.x                               x                                   Signed 16-bit integer
x11.arc.y                               y                                   Signed 16-bit integer
x11.arcs                                arcs                                No value
x11.atom                                atom                                Unsigned 32-bit integer
x11.authorization-protocol-data         authorization-protocol-data         String
x11.authorization-protocol-data-length  authorization-protocol-data-length  Unsigned 16-bit integer
x11.authorization-protocol-name         authorization-protocol-name         String
x11.authorization-protocol-name-length  authorization-protocol-name-length  Unsigned 16-bit integer
x11.auto-repeat-mode                    auto-repeat-mode                    Unsigned 8-bit integer
x11.back-blue                           back-blue                           Unsigned 16-bit integer
x11.back-green                          back-green                          Unsigned 16-bit integer
x11.back-red                            back-red                            Unsigned 16-bit integer
x11.background                          background                          Unsigned 32-bit integer
x11.background-pixel                    background-pixel                    Unsigned 32-bit integer

Field                         Field Name         Type
x11.background-pixmap         background-pixmap  Unsigned 32-bit integer
x11.backing-pixel             backing-pixel      Unsigned 32-bit integer
x11.backing-planes            backing-planes     Unsigned 32-bit integer
x11.backing-store             backing-store      Unsigned 8-bit integer
x11.bell-duration             bell-duration      Signed 16-bit integer
x11.bell-percent              bell-percent       Signed 8-bit integer
x11.bell-pitch                bell-pitch         Signed 16-bit integer
x11.bit-gravity               bit-gravity        Unsigned 8-bit integer
x11.bit-plane                 bit-plane          Unsigned 32-bit integer
x11.blue                      blue               Unsigned 16-bit integer
x11.blues                     blues              Unsigned 16-bit integer
x11.border-pixel              border-pixel       Unsigned 32-bit integer
x11.border-pixmap             border-pixmap      Unsigned 32-bit integer
x11.border-width              border-width       Unsigned 16-bit integer
x11.button                    button             Unsigned 8-bit integer
x11.byte-order                byte-order         Unsigned 8-bit integer
x11.cap-style                 cap-style          Unsigned 8-bit integer
x11.change-host-mode          change-host-mode   Unsigned 8-bit integer
x11.cid                       cid                Unsigned 32-bit integer
x11.class                     class              Unsigned 8-bit integer
x11.clip-mask                 clip-mask          Unsigned 32-bit integer
x11.clip-x-origin             clip-x-origin      Signed 16-bit integer
x11.clip-y-origin             clip-y-origin      Signed 16-bit integer
x11.close-down-mode           close-down-mode    Unsigned 8-bit integer
x11.cmap                      cmap               Unsigned 32-bit integer
x11.color-items               color-items        No value
x11.coloritem                 coloritem          No value
x11.coloritem.blue            blue               Unsigned 16-bit integer
x11.coloritem.flags           flags              Unsigned 8-bit integer
x11.coloritem.flags.do-blue   do-blue            Boolean
x11.coloritem.flags.do-green  do-green           Boolean
x11.coloritem.flags.do-red    do-red             Boolean
x11.coloritem.flags.unused    unused             Boolean
x11.coloritem.green           green              Unsigned 16-bit integer

Field                                   Field Name             Type
x11.coloritem.pixel                     pixel                  Unsigned 32-bit integer
x11.coloritem.red                       red                    Unsigned 16-bit integer
x11.coloritem.unused                    unused                 No value
x11.colormap                            colormap               Unsigned 32-bit integer
x11.colors                              colors                 Unsigned 16-bit integer
x11.configure-window-mask               configure-window-mask  Unsigned 16-bit integer
x11.configure-window-mask.border-width  border-width           Boolean
x11.configure-window-mask.height        height                 Boolean
x11.configure-window-mask.sibling       sibling                Boolean
x11.configure-window-mask.stack-mode    stack-mode             Boolean
x11.configure-window-mask.width         width                  Boolean
x11.configure-window-mask.x             x                      Boolean
x11.configure-window-mask.y             y                      Boolean
x11.confine-to                          confine-to             Unsigned 32-bit integer
x11.contiguous                          contiguous             Boolean
x11.coordinate-mode                     coordinate-mode        Unsigned 8-bit integer
x11.count                               count                  Unsigned 8-bit integer
x11.cursor                              cursor                 Unsigned 32-bit integer
x11.dash-offset                         dash-offset            Unsigned 16-bit integer
x11.dashes                              dashes                 Byte array
x11.dashes-length                       dashes-length          Unsigned 16-bit integer
x11.data                                data                   Byte array
x11.data-length                         data-length            Unsigned 32-bit integer
x11.delete                              delete                 Boolean
x11.delta                               delta                  Signed 16-bit integer

Field                                     Field Name             Type
x11.depth                                 depth                  Unsigned 8-bit integer
x11.direction                             direction              Unsigned 8-bit integer
x11.do-acceleration                       do-acceleration        Boolean
x11.do-not-propagate-mask                 do-not-propagate-mask  Unsigned 32-bit integer
x11.do-not-propagate-mask.Button1Motion   Button1Motion          Boolean
x11.do-not-propagate-mask.Button2Motion   Button2Motion          Boolean
x11.do-not-propagate-mask.Button3Motion   Button3Motion          Boolean
x11.do-not-propagate-mask.Button4Motion   Button4Motion          Boolean
x11.do-not-propagate-mask.Button5Motion   Button5Motion          Boolean
x11.do-not-propagate-mask.ButtonMotion    ButtonMotion           Boolean
x11.do-not-propagate-mask.ButtonPress     ButtonPress            Boolean
x11.do-not-propagate-mask.ButtonRelease   ButtonRelease          Boolean
x11.do-not-propagate-mask.KeyPress        KeyPress               Boolean
x11.do-not-propagate-mask.KeyRelease      KeyRelease             Boolean
x11.do-not-propagate-mask.PointerMotion   PointerMotion          Boolean
x11.do-not-propagate-mask.erroneous-bits  erroneous-bits         Boolean
x11.do-threshold                          do-threshold           Boolean
x11.drawable                              drawable               Unsigned 32-bit integer

Field                          Field Name      Type
x11.dst-drawable               dst-drawable    Unsigned 32-bit integer
x11.dst-gc                     dst-gc          Unsigned 32-bit integer
x11.dst-window                 dst-window      Unsigned 32-bit integer
x11.dst-x                      dst-x           Signed 16-bit integer
x11.dst-y                      dst-y           Signed 16-bit integer
x11.event-mask                 event-mask      Unsigned 32-bit integer
x11.event-mask.Button1Motion   Button1Motion   Boolean
x11.event-mask.Button2Motion   Button2Motion   Boolean
x11.event-mask.Button3Motion   Button3Motion   Boolean
x11.event-mask.Button4Motion   Button4Motion   Boolean
x11.event-mask.Button5Motion   Button5Motion   Boolean
x11.event-mask.ButtonMotion    ButtonMotion    Boolean
x11.event-mask.ButtonPress     ButtonPress     Boolean
x11.event-mask.ButtonRelease   ButtonRelease   Boolean
x11.event-mask.ColormapChange  ColormapChange  Boolean
x11.event-mask.EnterWindow     EnterWindow     Boolean
x11.event-mask.Exposure        Exposure        Boolean
x11.event-mask.FocusChange     FocusChange     Boolean
x11.event-mask.KeyPress        KeyPress        Boolean

Field                                Field Name            Type
x11.event-mask.KeyRelease            KeyRelease            Boolean
x11.event-mask.KeymapState           KeymapState           Boolean
x11.event-mask.LeaveWindow           LeaveWindow           Boolean
x11.event-mask.OwnerGrabButton       OwnerGrabButton       Boolean
x11.event-mask.PointerMotion         PointerMotion         Boolean
x11.event-mask.PointerMotionHint     PointerMotionHint     Boolean
x11.event-mask.PropertyChange        PropertyChange        Boolean
x11.event-mask.ResizeRedirect        ResizeRedirect        Boolean
x11.event-mask.StructureNotify       StructureNotify       Boolean
x11.event-mask.SubstructureNotify    SubstructureNotify    Boolean
x11.event-mask.SubstructureRedirect  SubstructureRedirect  Boolean
x11.event-mask.VisibilityChange      VisibilityChange      Boolean
x11.event-mask.erroneous-bits        erroneous-bits        Boolean
x11.exposures                        exposures             Boolean
x11.family                           family                Unsigned 8-bit integer
x11.fid                              fid                   Unsigned 32-bit integer
x11.fill-rule                        fill-rule             Unsigned 8-bit integer
x11.fill-style                       fill-style            Unsigned 8-bit integer

Field                            Field Name     Type
x11.first-keycode                first-keycode  Unsigned 8-bit integer
x11.focus                        focus          Unsigned 8-bit integer
x11.font                         font           Unsigned 32-bit integer
x11.fore-blue                    fore-blue      Unsigned 16-bit integer
x11.fore-green                   fore-green     Unsigned 16-bit integer
x11.fore-red                     fore-red       Unsigned 16-bit integer
x11.foreground                   foreground     Unsigned 32-bit integer
x11.format                       format         Unsigned 8-bit integer
x11.function                     function       Unsigned 8-bit integer
x11.gc                           gc             Unsigned 32-bit integer
x11.gc-dashes                    gc-dashes      Unsigned 8-bit integer
x11.gc-value-mask                gc-value-mask  Unsigned 32-bit integer
x11.gc-value-mask.arc-mode       arc-mode       Boolean
x11.gc-value-mask.background     background     Boolean
x11.gc-value-mask.cap-style      cap-style      Boolean
x11.gc-value-mask.clip-mask      clip-mask      Boolean
x11.gc-value-mask.clip-x-origin  clip-x-origin  Boolean
x11.gc-value-mask.clip-y-origin  clip-y-origin  Boolean
x11.gc-value-mask.dash-offset    dash-offset    Boolean
x11.gc-value-mask.fill-rule      fill-rule      Boolean
x11.gc-value-mask.fill-style     fill-style     Boolean
x11.gc-value-mask.font           font           Boolean
x11.gc-value-mask.foreground     foreground     Boolean

Field                                    Field Name             Type
x11.gc-value-mask.function               function               Boolean
x11.gc-value-mask.gc-dashes              gc-dashes              Boolean
x11.gc-value-mask.graphics-exposures     graphics-exposures     Boolean
x11.gc-value-mask.join-style             join-style             Boolean
x11.gc-value-mask.line-style             line-style             Boolean
x11.gc-value-mask.line-width             line-width             Boolean
x11.gc-value-mask.plane-mask             plane-mask             Boolean
x11.gc-value-mask.stipple                stipple                Boolean
x11.gc-value-mask.subwindow-mode         subwindow-mode         Boolean
x11.gc-value-mask.tile                   tile                   Boolean
x11.gc-value-mask.tile-stipple-x-origin  tile-stipple-x-origin  Boolean
x11.gc-value-mask.tile-stipple-y-origin  tile-stipple-y-origin  Boolean
x11.get-property-type                    get-property-type      Unsigned 32-bit integer
x11.grab_window                          grab_window            Unsigned 32-bit integer
x11.graphics-exposures                   graphics-exposures     Boolean
x11.green                                green                  Unsigned 16-bit integer
x11.greens                               greens                 Unsigned 16-bit integer
x11.height                               height                 Unsigned 16-bit integer
x11.image-format                         image-format           Unsigned 8-bit integer
x11.image-pixmap-format                  image-pixmap-format    Unsigned 8-bit integer
x11.interval                             interval               Signed 16-bit integer
x11.ip-address                           ip-address             IPv4 address

Field                                      Field Name             Type
x11.items                                  items                  No value
x11.join-style                             join-style             Unsigned 8-bit integer
x11.key                                    key                    Unsigned 8-bit integer
x11.key-click-percent                      key-click-percent      Signed 8-bit integer
x11.keyboard-key                           keyboard-key           Unsigned 8-bit integer
x11.keyboard-mode                          keyboard-mode          Unsigned 8-bit integer
x11.keyboard-value-mask                    keyboard-value-mask    Unsigned 32-bit integer
x11.keyboard-value-mask.auto-repeat-mode   auto-repeat-mode       Boolean
x11.keyboard-value-mask.bell-duration      bell-duration          Boolean
x11.keyboard-value-mask.bell-percent       bell-percent           Boolean
x11.keyboard-value-mask.bell-pitch         bell-pitch             Boolean
x11.keyboard-value-mask.key-click-percent  key-click-percent      Boolean
x11.keyboard-value-mask.keyboard-key       keyboard-key           Boolean
x11.keyboard-value-mask.led                led                    Boolean
x11.keyboard-value-mask.led-mode           led-mode               Boolean
x11.keycode-count                          keycode-count          Unsigned 8-bit integer
x11.keycodes                               keycodes               No value
x11.keycodes-per-modifier                  keycodes-per-modifier  Unsigned 8-bit integer
x11.keycodes.item                          item                   Byte array
x11.keysyms                                keysyms                No value
x11.keysyms-per-keycode                    keysyms-per-keycode    Unsigned 8-bit integer
x11.keysyms.item                           item                   No value
x11.keysyms.item.keysym                    keysym                 Unsigned 32-bit integer
x11.led                                    led                    Unsigned 8-bit integer
x11.led-mode                               led-mode               Unsigned 8-bit integer

Field                              Field Name         Type
x11.left-pad                       left-pad           Unsigned 8-bit integer
x11.line-style                     line-style         Unsigned 8-bit integer
x11.line-width                     line-width         Unsigned 16-bit integer
x11.long-length                    long-length        Unsigned 32-bit integer
x11.long-offset                    long-offset        Unsigned 32-bit integer
x11.map                            map                Byte array
x11.map-length                     map-length         Unsigned 8-bit integer
x11.mask                           mask               Unsigned 32-bit integer
x11.mask-char                      mask-char          Unsigned 16-bit integer
x11.mask-font                      mask-font          Unsigned 32-bit integer
x11.max-names                      max-names          Unsigned 16-bit integer
x11.mid                            mid                Unsigned 32-bit integer
x11.mode                           mode               Unsigned 8-bit integer
x11.modifiers-mask                 modifiers-mask     Unsigned 16-bit integer
x11.modifiers-mask.AnyModifier     AnyModifier        Unsigned 16-bit integer
x11.modifiers-mask.Control         Control            Boolean
x11.modifiers-mask.Lock            Lock               Boolean
x11.modifiers-mask.Mod1            Mod1               Boolean
x11.modifiers-mask.Mod2            Mod2               Boolean
x11.modifiers-mask.Mod3            Mod3               Boolean
x11.modifiers-mask.Mod4            Mod4               Boolean
x11.modifiers-mask.Mod5            Mod5               Boolean
x11.modifiers-mask.Shift           Shift              Boolean
x11.modifiers-mask.erroneous-bits  erroneous-bits     Boolean
x11.name                           name               String
x11.name-length                    name-length        Unsigned 16-bit integer
x11.odd-length                     odd-length         Boolean
x11.only-if-exists                 only-if-exists     Boolean
x11.opcode                         opcode             Unsigned 8-bit integer
x11.ordering                       ordering           Unsigned 8-bit integer
x11.override-redirect              override-redirect  Boolean

434

Appendix A. Ethereal Display Filter Fields

Field x11.owner x11.owner-events x11.parent x11.path x11.path.string x11.pattern x11.pattern-length x11.percent x11.pid x11.pixel x11.pixels x11.pixels_item x11.pixmap x11.plane-mask x11.planes x11.point x11.point-x x11.point-y x11.pointer-event-mask x11.pointer-eventmask.Button1Motion x11.pointer-eventmask.Button2Motion x11.pointer-eventmask.Button3Motion x11.pointer-eventmask.Button4Motion x11.pointer-eventmask.Button5Motion x11.pointer-eventmask.ButtonMotion x11.pointer-eventmask.ButtonPress

Field Name owner owner-events parent path string pattern pattern-length percent pid pixel pixels pixels_item pixmap plane-mask planes point point-x point-y pointer-event-mask Button1Motion

Type Unsigned 32-bit integer Boolean Unsigned 32-bit integer No value String String Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer No value Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer No value Signed 16-bit integer Signed 16-bit integer Unsigned 16-bit integer Boolean

Button2Motion

Boolean

Button3Motion

Boolean

Button4Motion

Boolean

Button5Motion

Boolean

ButtonMotion

Boolean

ButtonPress

Boolean

435

Appendix A. Ethereal Display Filter Fields

Field x11.pointer-eventmask.ButtonRelease x11.pointer-eventmask.EnterWindow x11.pointer-eventmask.KeymapState x11.pointer-eventmask.LeaveWindow x11.pointer-eventmask.PointerMotion x11.pointer-eventmask.PointerMotionHint x11.pointer-eventmask.erroneous-bits x11.pointer-mode x11.points x11.prefer-blanking x11.properties x11.properties.item x11.property x11.property-number

Field Name ButtonRelease

Type Boolean

EnterWindow

Boolean

KeymapState

Boolean

LeaveWindow

Boolean

PointerMotion

Boolean

PointerMotionHint

Boolean

erroneous-bits

Boolean

pointer-mode points prefer-blanking properties item property property-number

Unsigned 8-bit integer No value Unsigned 8-bit integer No value Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 16-bit integer No value Unsigned 16-bit integer Unsigned 16-bit integer Signed 16-bit integer Signed 16-bit integer No value Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 8-bit integer

x11.protocol-major-version protocol-major-version x11.protocol-minor-version protocol-minor-version x11.rectangle x11.rectangle-height x11.rectangle-width x11.rectangle-x x11.rectangle-y x11.rectangles x11.red x11.reds x11.request rectangle rectangle-height rectangle-width rectangle-x rectangle-y rectangles red reds request

436

Appendix A. Ethereal Display Filter Fields

Field x11.request-length x11.requestor x11.resource x11.revert-to x11.save-set-mode x11.save-under x11.screen-saver-mode x11.segment x11.segment_x1 x11.segment_x2 x11.segment_y1 x11.segment_y2 x11.segments x11.selection x11.shape x11.sibling x11.source-char x11.source-font x11.source-pixmap x11.src-cmap x11.src-drawable x11.src-gc x11.src-height x11.src-width x11.src-window x11.src-x x11.src-y x11.stack-mode x11.start x11.stipple x11.stop x11.str-number-in-path x11.string x11.string-length x11.string16 x11.string16.bytes

Field Name request-length requestor resource revert-to save-set-mode save-under screen-saver-mode segment segment_x1 segment_x2 segment_y1 segment_y2 segments selection shape sibling source-char source-font source-pixmap src-cmap src-drawable src-gc src-height src-width src-window src-x src-y stack-mode start stipple stop str-number-in-path string string-length string16 bytes

Type Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 8-bit integer Boolean Unsigned 8-bit integer No value Signed 16-bit integer Signed 16-bit integer Signed 16-bit integer Signed 16-bit integer No value Unsigned 32-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Signed 16-bit integer Signed 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 32-bit integer Unsigned 16-bit integer String Unsigned 32-bit integer String Byte array

437

Appendix A. Ethereal Display Filter Fields

Field x11.subwindow-mode x11.target x11.textitem x11.textitem.font x11.textitem.string x11.textitem.string.delta

Field Name subwindow-mode target textitem font string delta

Type Unsigned 8-bit integer Unsigned 32-bit integer No value Unsigned 32-bit integer No value Signed 8-bit integer String Byte array String Signed 16-bit integer Unsigned 32-bit integer Signed 16-bit integer Signed 16-bit integer Unsigned 32-bit integer Signed 16-bit integer Unsigned 32-bit integer No value No value Unsigned 32-bit integer Unsigned 32-bit integer

x11.textitem.string.string16 string16 x11.textitem.string.string16.bytes bytes x11.textitem.string.string8 string8 x11.threshold x11.tile x11.tile-stipple-x-origin x11.tile-stipple-y-origin x11.time x11.timeout x11.type x11.undecoded x11.unused x11.visual x11.visualid x11.warp-pointer-dstwindow x11.warp-pointer-srcwindow x11.wid x11.width x11.win-gravity x11.window x11.window-class x11.window-value-mask x11.window-valuemask.background-pixel threshold tile tile-stipple-x-origin tile-stipple-y-origin time timeout type undecoded unused visual visualid

warp-pointer-dst-window Unsigned 32-bit integer

warp-pointer-src-window Unsigned 32-bit integer

wid width win-gravity window window-class window-value-mask background-pixel

Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 8-bit integer Unsigned 32-bit integer Unsigned 16-bit integer Unsigned 32-bit integer Boolean

438

Appendix A. Ethereal Display Filter Fields

Field

Field Name

Type Boolean

x11.window-valuebackground-pixmap mask.background-pixmap x11.window-valuemask.backing-pixel x11.window-valuemask.backing-planes x11.window-valuemask.backing-store x11.window-valuemask.bit-gravity x11.window-valuemask.border-pixel x11.window-valuemask.border-pixmap x11.window-valuemask.colormap x11.window-valuemask.cursor x11.window-valuemask.do-not-propagatemask x11.window-valuemask.event-mask x11.window-valuemask.override-redirect x11.window-valuemask.save-under x11.window-valuemask.win-gravity x11.x x11.y backing-pixel

Boolean

backing-planes

Boolean

backing-store

Boolean

bit-gravity

Boolean

border-pixel

Boolean

border-pixmap

Boolean

colormap

Boolean

cursor

Boolean

do-not-propagate-mask

Boolean

event-mask

Boolean

override-redirect

Boolean

save-under

Boolean

win-gravity

Boolean

x y

Signed 16-bit integer Signed 16-bit integer


Xyplex (xyplex)
Table A-280. Xyplex (xyplex)

| Field | Field Name | Type |
|---|---|---|
| xyplex.pad | Pad | Unsigned 8-bit integer |
| xyplex.reply | Registration Reply | Unsigned 16-bit integer |
| xyplex.reserved | Reserved field | Unsigned 16-bit integer |
| xyplex.return_port | Return Port | Unsigned 16-bit integer |
| xyplex.server_port | Server Port | Unsigned 16-bit integer |
| xyplex.type | Type | Unsigned 8-bit integer |

Yahoo Messenger Protocol (yhoo)


Table A-281. Yahoo Messenger Protocol (yhoo)

| Field | Field Name | Type |
|---|---|---|
| yhoo.connection_id | Connection ID | Unsigned 32-bit integer |
| yhoo.content | Content | String |
| yhoo.len | Packet Length | Unsigned 32-bit integer |
| yhoo.magic_id | Magic ID | Unsigned 32-bit integer |
| yhoo.msgtype | Message Type | Unsigned 32-bit integer |
| yhoo.nick1 | Real Nick (nick1) | String |
| yhoo.nick2 | Active Nick (nick2) | String |
| yhoo.service | Service Type | Unsigned 32-bit integer |
| yhoo.unknown1 | Unknown 1 | Unsigned 32-bit integer |
| yhoo.version | Version | String |

Yellow Pages Bind (ypbind)


Table A-282. Yellow Pages Bind (ypbind)

| Field | Field Name | Type |
|---|---|---|
| ypbind.addr | IP Addr | IPv4 address |
| ypbind.domain | Domain | String |
| ypbind.error | Error | Unsigned 32-bit integer |
| ypbind.port | Port | Unsigned 32-bit integer |
| ypbind.resp_type | Response Type | Unsigned 32-bit integer |
| ypbind.setdom.version | Version | Unsigned 32-bit integer |

Yellow Pages Passwd (yppasswd)


Table A-283. Yellow Pages Passwd (yppasswd)

| Field | Field Name | Type |
|---|---|---|
| yppasswd.newpw | newpw | No value |
| yppasswd.newpw.dir | dir | String |
| yppasswd.newpw.gecos | gecos | String |
| yppasswd.newpw.gid | gid | Unsigned 32-bit integer |
| yppasswd.newpw.name | name | String |
| yppasswd.newpw.passwd | passwd | String |
| yppasswd.newpw.shell | shell | String |
| yppasswd.newpw.uid | uid | Unsigned 32-bit integer |
| yppasswd.oldpass | oldpass | String |
| yppasswd.status | status | Unsigned 32-bit integer |

Yellow Pages Service (ypserv)


Table A-284. Yellow Pages Service (ypserv)

| Field | Field Name | Type |
|---|---|---|
| ypserv.domain | Domain | String |
| ypserv.key | Key | String |
| ypserv.map | Map Name | String |
| ypserv.map_parms | YP Map Parameters | No value |
| ypserv.more | More | Boolean |
| ypserv.ordernum | Order Number | Unsigned 32-bit integer |
| ypserv.peer | Peer Name | String |
| ypserv.port | Port | Unsigned 32-bit integer |
| ypserv.prog | Program Number | Unsigned 32-bit integer |
| ypserv.servesdomain | Serves Domain | Boolean |
| ypserv.status | Status | Signed 32-bit integer |
| ypserv.transid | Host Transport ID | IPv4 address |
| ypserv.value | Value | String |
| ypserv.xfrstat | Xfrstat | Signed 32-bit integer |

Yellow Pages Transfer (ypxfr)


Table A-285. Yellow Pages Transfer (ypxfr)

| Field | Field Name | Type |
|---|---|---|

Zebra Protocol (zebra)


Table A-286. Zebra Protocol (zebra)

| Field | Field Name | Type |
|---|---|---|
| zebra.bandwidth | Bandwidth | Unsigned 32-bit integer |
| zebra.command | Command | Unsigned 8-bit integer |
| zebra.dest4 | Destination | IPv4 address |
| zebra.dest6 | Destination | IPv6 address |
| zebra.distance | Distance | Unsigned 8-bit integer |
| zebra.family | Family | Unsigned 32-bit integer |
| zebra.index | Index | Unsigned 32-bit integer |
| zebra.indexnum | Index Number | Unsigned 8-bit integer |
| zebra.interface | Interface | String |
| zebra.intflags | Flags | Unsigned 32-bit integer |
| zebra.len | Length | Unsigned 16-bit integer |
| zebra.message | Message | Unsigned 8-bit integer |
| zebra.message.distance | Message Distance | Boolean |
| zebra.message.index | Message Index | Boolean |
| zebra.message.metric | Message Metric | Boolean |
| zebra.message.nexthop | Message Nexthop | Boolean |
| zebra.metric | Metric | Unsigned 32-bit integer |
| zebra.mtu | MTU | Unsigned 32-bit integer |
| zebra.nexthop4 | Nexthop | IPv4 address |
| zebra.nexthop6 | Nexthop | IPv6 address |
| zebra.nexthopnum | Nexthop Number | Unsigned 8-bit integer |
| zebra.prefix4 | Prefix | IPv4 address |
| zebra.prefix6 | Prefix | IPv6 address |
| zebra.prefixlen | Prefix length | Unsigned 32-bit integer |
| zebra.request | Request | Boolean |
| zebra.rtflags | Flags | Unsigned 8-bit integer |
| zebra.type | Type | Unsigned 8-bit integer |

Zone Information Protocol (zip)


Table A-287. Zone Information Protocol (zip)

| Field | Field Name | Type |
|---|---|---|
| zip.atp_function | Function | Unsigned 8-bit integer |
| zip.count | Count | Unsigned 16-bit integer |
| zip.default_zone | Default zone | |
| zip.flags | Flags | Boolean |
| zip.flags.only_one_zone | Only one zone | Boolean |
| zip.flags.use_broadcast | Use broadcast | Boolean |
| zip.flags.zone_invalid | Zone invalid | Boolean |
| zip.function | Function | Unsigned 8-bit integer |
| zip.last_flag | Last Flag | Boolean |
| zip.multicast_address | Multicast address | Byte array |
| zip.multicast_length | Multicast length | Unsigned 8-bit integer |
| zip.network | Network | Unsigned 16-bit integer |
| zip.network_count | Count | Unsigned 8-bit integer |
| zip.network_end | Network end | Unsigned 16-bit integer |
| zip.network_start | Network start | Unsigned 16-bit integer |
| zip.start_index | Start index | Unsigned 16-bit integer |
| zip.zero_value | Pad (0) | Byte array |
| zip.zone_name | Zone | |


iSCSI (iscsi)
Table A-288. iSCSI (iscsi)

| Field | Field Name | Type |
|---|---|---|
| iscsi.I | I | Boolean |
| iscsi.X | X | Boolean |
| iscsi.ahs | AHS | Byte array |
| iscsi.asyncevent | AsyncEvent | Unsigned 8-bit integer |
| iscsi.asyncmessagedata | AsyncMessageData | Byte array |
| iscsi.bufferOffset | BufferOffset | Unsigned 32-bit integer |
| iscsi.cid | CID | Unsigned 16-bit integer |
| iscsi.cmdsn | CmdSN | Unsigned 32-bit integer |
| iscsi.datadigest | DataDigest | Byte array |
| iscsi.datadigest32 | DataDigest | Unsigned 32-bit integer |
| iscsi.datasegmentlength | DataSegmentLength | Unsigned 32-bit integer |
| iscsi.datasn | DataSN | Unsigned 32-bit integer |
| iscsi.desireddatalength | DesiredDataLength | Unsigned 32-bit integer |
| iscsi.errorpdudata | ErrorPDUData | Byte array |
| iscsi.eventvendorcode | EventVendorCode | Unsigned 8-bit integer |
| iscsi.expcmdsn | ExpCmdSN | Unsigned 32-bit integer |
| iscsi.expdatasn | ExpDataSN | Unsigned 32-bit integer |
| iscsi.expstatsn | ExpStatSN | Unsigned 32-bit integer |
| iscsi.flags | Flags | Unsigned 8-bit integer |
| iscsi.headerdigest | HeaderDigest | Byte array |
| iscsi.headerdigest32 | HeaderDigest | Unsigned 32-bit integer |
| iscsi.immediatedata | ImmediateData | Byte array |
| iscsi.initcmdsn | InitCmdSN | Unsigned 32-bit integer |
| iscsi.initiatortasktag | InitiatorTaskTag | Unsigned 32-bit integer |
| iscsi.initstatsn | InitStatSN | Unsigned 32-bit integer |
| iscsi.isid | ISID | Unsigned 16-bit integer |
| iscsi.isid.a | ISID_a | Unsigned 8-bit integer |
| iscsi.isid.b | ISID_b | Unsigned 16-bit integer |
| iscsi.isid.c | ISID_c | Unsigned 8-bit integer |
| iscsi.isid.d | ISID_d | Unsigned 16-bit integer |
| iscsi.isid.namingauthority | ISID_NamingAuthority | Unsigned 24-bit integer |
| iscsi.isid.qualifier | ISID_Qualifier | Unsigned 8-bit integer |
| iscsi.isid.t | ISID_t | Unsigned 8-bit integer |
| iscsi.isid.type | ISID_Type | Unsigned 8-bit integer |
| iscsi.keyvalue | KeyValue | String |
| iscsi.login.T | T | Boolean |
| iscsi.login.X | X | Boolean |
| iscsi.login.csg | CSG | Unsigned 8-bit integer |
| iscsi.login.nsg | NSG | Unsigned 8-bit integer |
| iscsi.login.status | Status | Unsigned 16-bit integer |
| iscsi.logout.reason | Reason | Unsigned 8-bit integer |
| iscsi.logout.response | Response | Unsigned 8-bit integer |
| iscsi.lun | LUN | Byte array |
| iscsi.maxcmdsn | MaxCmdSN | Unsigned 32-bit integer |
| iscsi.opcode | Opcode | Unsigned 8-bit integer |
| iscsi.padding | Padding | Byte array |
| iscsi.parameter1 | Parameter1 | Unsigned 16-bit integer |
| iscsi.parameter2 | Parameter2 | Unsigned 16-bit integer |
| iscsi.parameter3 | Parameter3 | Unsigned 16-bit integer |
| iscsi.pingdata | PingData | Byte array |
| iscsi.r2tsn | R2TSN | Unsigned 32-bit integer |
| iscsi.readdata | ReadData | Byte array |
| iscsi.refcmdsn | RefCmdSN | Unsigned 32-bit integer |
| iscsi.reject.reason | Reason | Unsigned 8-bit integer |
| iscsi.scsicommand.F | F | Boolean |
| iscsi.scsicommand.R | R | Boolean |
| iscsi.scsicommand.W | W | Boolean |
| iscsi.scsicommand.addcdb | AddCDB | Unsigned 8-bit integer |
| iscsi.scsicommand.attr | Attr | Unsigned 8-bit integer |
| iscsi.scsicommand.crn | CRN | Unsigned 8-bit integer |
| iscsi.scsicommand.expecteddatatransferlength | ExpectedDataTransferLength | Unsigned 32-bit integer |
| iscsi.scsidata.A | A | Boolean |
| iscsi.scsidata.F | F | Boolean |
| iscsi.scsidata.O | O | Boolean |
| iscsi.scsidata.S | S | Boolean |
| iscsi.scsidata.U | U | Boolean |
| iscsi.scsidata.readresidualcount | ResidualCount | Unsigned 32-bit integer |
| iscsi.scsiresponse.O | O | Boolean |
| iscsi.scsiresponse.U | U | Boolean |
| iscsi.scsiresponse.bidireadresidualcount | BidiReadResidualCount | Unsigned 32-bit integer |
| iscsi.scsiresponse.o | o | Boolean |
| iscsi.scsiresponse.residualcount | ResidualCount | Unsigned 32-bit integer |
| iscsi.scsiresponse.response | Response | Unsigned 8-bit integer |
| iscsi.scsiresponse.senselength | SenseLength | Unsigned 16-bit integer |
| iscsi.scsiresponse.status | Status | Unsigned 8-bit integer |
| iscsi.scsiresponse.u | u | Boolean |
| iscsi.snack.begrun | BegRun | Unsigned 32-bit integer |
| iscsi.snack.runlength | RunLength | Unsigned 32-bit integer |
| iscsi.snack.type | S | Unsigned 8-bit integer |
| iscsi.statsn | StatSN | Unsigned 32-bit integer |
| iscsi.targettransfertag | TargetTransferTag | Unsigned 32-bit integer |
| iscsi.taskmanfun.function | Function | Unsigned 8-bit integer |
| iscsi.taskmanfun.referencedtasktag | ReferencedTaskTag | Unsigned 32-bit integer |
| iscsi.taskmanfun.response | Response | Unsigned 8-bit integer |
| iscsi.text.F | F | Boolean |
| iscsi.time2retain | Time2Retain | Unsigned 16-bit integer |
| iscsi.time2wait | Time2Wait | Unsigned 16-bit integer |
| iscsi.totalahslength | TotalAHSLength | Unsigned 8-bit integer |
| iscsi.tsid | TSID | Unsigned 16-bit integer |
| iscsi.tsih | TSIH | Unsigned 16-bit integer |
| iscsi.vendorspecificdata | VendorSpecificData | Byte array |
| iscsi.versionactive | VersionActive | Unsigned 8-bit integer |
| iscsi.versionmax | VersionMax | Unsigned 8-bit integer |
| iscsi.versionmin | VersionMin | Unsigned 8-bit integer |
| iscsi.writedata | WriteData | Byte array |


Appendix B. Ethereal Error Messages


Capture file format not understood
If Ethereal cannot decode the capture file format of the file you have asked it to load, you will receive a warning box similar to that shown in Figure B-1.

Figure B-1. Ethereal Read Format warning

Save file error
If Ethereal cannot open the file you requested it to save captured packets in, you will receive a warning box similar to that shown in Figure B-2.

Figure B-2. Save Error warning


Appendix C. The GNU Free Document Public Licence


Copyright
Version 1.1, March 2000

Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble
The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

Applicability and Definitions
This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.


The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

Verbatim Copying
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3. You may also lend copies, under the same conditions stated above, and you may publicly display copies.

Copying in Quantity
If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.


If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

Modifications
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).

State on the Title page the name of the publisher of the Modified Version, as the publisher.

Preserve all the copyright notices of the Document.

Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

Include an unaltered copy of this License.

Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.

Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

Combining Documents
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

Collections of Documents
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

Aggregation with Independent Works


A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

Translation
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.

Termination
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

Future Revisions of this License


The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.
