Network Detection and Response (NDR) automatically collects and generates logs in real time. You can specify log fields to quickly query the logs that you need for log analysis and traffic audit. This topic describes the types and meanings of NDR log fields.
Supported protocol types
NDR supports the identification of 55 protocols. Deep parsing is supported for HTTP, DNS, ICMP, TLS, MySQL, PostgreSQL, FTP, WebSocket, SSH, RDP, MQTT, Syslog, SIP, Kerberos, and SOCKS. For these protocols, NDR extracts and displays specific protocol fields in addition to the common fields. For other protocols, NDR provides identification only and does not extract specific protocol fields.
The following protocol identification types are supported:
FTP_CONTROL, DNS, HTTP, PostgreSQL, MySQL, SSL, ICMP, WebSocket, POP3, SMTP, IMAP, NTP, NetBIOS, NFS, SSDP, SNMP, SMB, Syslog, RTSP, Telnet, LDAP, RTP, RDP, VNC, SSH, TFTP, SIP, Kerberos, MsSQL-TDS, PPTP, Citrix, OpenVPN, RTCP, RSYNC, Oracle, SOCKS, RTMP, Redis, QUIC, MQTT, MongoDB, Memcache, RPC, RPCBind, SVN, Cassandra, Zookeeper, IPsec, Nagios, Oracle_docker, Impala, Zabbix, Kafka, Thrift, SSE
Protocol log field categories
Description of common and additional protocol log fields
Common fields
Field name | Description | Example value |
ndr_log_type | NDR protocol log type. The value varies by protocol. For valid values, see Supported protocol types. | HTTP |
start_time | Session start time in Unix timestamp format, in seconds. | 1750157428 |
end_time | Session end time in Unix timestamp format, in seconds. | 1750157428 |
src_ip | Source IP address of the session. | 8.153.XX.XXX |
src_port | Source port of the session. | 33321 |
dst_ip | Destination IP address of the session. | 203.119.XXX.XXX |
dst_port | Destination port of the session. | 80 |
net_connect_dir | Direction of session traffic relative to your assets. | in |
l3_protocol | Layer 3 protocol type. | ipv4, ipv6, other |
l4_protocol | Layer 4 protocol type. | tcp, udp, icmp, other |
l7_protocol | Layer 7 protocol type. | HTTP |
tcp_flags | TCP flag information represented as a decimal number. This value is derived by performing a bitwise OR operation on the TCP flags of all packets in this flow. | 26 |
new_conn | Indicates whether the current flow is a new connection. | 0 |
app_id_extend | Application ID that uniquely identifies the network application. | 72 |
app_name_extend | Application name corresponding to the application ID. | HTTP_POST |
category_id | Application category ID used to classify applications by scenario. | 5 |
category_name | Application category name. | WEB |
country_id | Country or region using the two-letter code defined in ISO 3166-1. Note: | CN |
city_id | Unique identifier for a city using China's six-digit administrative division code. You can look up the city code using China's administrative division codes. | 110000 |
req_trans_data | Stores raw request data. Note: If the original payload is too long, it may be truncated to a fixed length. | L7PROTODATAL7PROTODATAL7PROTODATAL7PROTODATA |
resp_trans_data | Stores raw response data. Note: If the original payload is too long, it may be truncated to a fixed length. | L7PROTODATAL7PROTODATAL7PROTODATA |
req_trans_offsets | Records the starting position (byte offset in | 0,700,2472,3177,3935 |
resp_trans_offsets | The starting byte offset of each response data segment in | 0,329,1003 |
req_trans_lens | Records the original full length (actual length before truncation) of each request data segment. | 700,1772,705,758,374 |
resp_trans_lens | Records the original full length (actual length before truncation) of each response data segment. | 329,674,1002 |
HTTP, SSL, SSH, RDP, MQTT, Syslog, and SIP logs do not contain the req_trans_data, resp_trans_data, req_trans_offsets, resp_trans_offsets, req_trans_lens, or resp_trans_lens fields.
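Two of the common fields reward a little post-processing: tcp_flags is an OR across every packet in the flow, and the req_trans_*/resp_trans_* triplets let you tell whether the stored payload was cut short. The following is an added example, not NDR code; the record it works on is constructed from the table's example values (with the protocol set to FTP_CONTROL, since HTTP-type logs omit the trans fields).

```python
"""Decode the common-field tcp_flags value and cross-check the
req_trans_* / resp_trans_* segment bookkeeping from an NDR log record.
Added example, not NDR code; SAMPLE_RECORD is constructed from the
table's example values."""

# TCP flag bits in header order, lowest bit first (RFC 9293).
TCP_FLAG_BITS = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)


def decode_tcp_flags(value):
    """Names of the flags present in the OR-ed decimal tcp_flags value.

    Because NDR ORs the flags of every packet in the flow, 26 (SYN|PSH|ACK)
    means the flow carried a handshake and pushed data, not that a single
    packet had all three bits set."""
    return [name for bit, name in TCP_FLAG_BITS if int(value) & bit]


def parse_int_list(field):
    """Split a comma-separated field such as req_trans_offsets into ints."""
    return [int(x) for x in str(field).split(",") if x != ""]


def check_segments(offsets_field, lens_field, data_field):
    """Validate one direction's segment metadata and detect truncation.

    consistent: each offset equals the previous offset plus its length
    total_len:  original byte count of the whole direction (last offset + len)
    captured:   bytes actually stored in the *_trans_data field
    truncated:  True when captured < total_len (payload was cut to a fixed length)
    """
    offsets = parse_int_list(offsets_field)
    lens = parse_int_list(lens_field)
    if len(offsets) != len(lens):
        raise ValueError("offset and length lists differ in size")
    consistent = all(
        offsets[i] + lens[i] == offsets[i + 1] for i in range(len(offsets) - 1)
    )
    total_len = offsets[-1] + lens[-1] if offsets else 0
    captured = len(data_field.encode("utf-8"))
    return {"consistent": consistent, "total_len": total_len,
            "captured": captured, "truncated": captured < total_len}


# Constructed record: common-field example values from the table, with the
# protocol set to FTP_CONTROL (a type that keeps the trans fields).
SAMPLE_RECORD = {
    "ndr_log_type": "FTP_CONTROL",
    "start_time": 1750157428, "end_time": 1750157428,
    "src_ip": "8.153.XX.XXX", "src_port": 33321,
    "dst_ip": "203.119.XXX.XXX", "dst_port": 21,
    "tcp_flags": 26,
    "req_trans_data": "L7PROTODATA" * 4,
    "req_trans_offsets": "0,700,2472,3177,3935",
    "req_trans_lens": "700,1772,705,758,374",
    "resp_trans_data": "L7PROTODATA" * 3,
    "resp_trans_offsets": "0,329,1003",
    "resp_trans_lens": "329,674,1002",
}


def summarize(record):
    """Per-record enrichment a log pipeline could attach before indexing."""
    return {
        "flags": decode_tcp_flags(record["tcp_flags"]),
        "request": check_segments(record["req_trans_offsets"],
                                  record["req_trans_lens"],
                                  record["req_trans_data"]),
        "response": check_segments(record["resp_trans_offsets"],
                                   record["resp_trans_lens"],
                                   record["resp_trans_data"]),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORD))
```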
ICMP protocol
Field name | Description | Example value |
type | Standard ICMP message type code. | 8 |
code | ICMP message code. | 0 |
type_str | Human-readable English description of the ICMP message type. | Echo (ping) reply |
id | Identifier in the ICMP message used to match requests and replies (such as ping session identifiers). Typically generated by the sender and echoed back by the receiver. | 24367 |
seq | Sequence number in the ICMP message that identifies the order of packets within the same session (such as sequence numbers for consecutive ping packets). | 256 |
inner_src_ip | Source IP address of the inner packet encapsulated in the ICMP payload. Valid only when the ICMP payload contains an encapsulated inner packet. | 8.8.X.X |
inner_src_port | Source port of the inner packet (such as the original TCP/UDP port). Valid only when the ICMP payload contains an encapsulated inner packet. | 22546 |
inner_dest_ip | Destination IP address of the inner packet encapsulated in the ICMP payload. Valid only when the ICMP payload contains an encapsulated inner packet. | 1.1.X.X |
inner_dest_port | Destination port of the inner packet (such as the original TCP/UDP port). Valid only when the ICMP payload contains an encapsulated inner packet. | 50988 |
inner_l4_proto | Transport-layer protocol type of the inner packet (such as TCP=6 or UDP=17). Valid only when the ICMP payload contains an encapsulated inner packet. | 17 |
HTTP protocol
Field name | Description | Example value |
host | Target hostname and port number from the Host header in the request. | aliyun.com:8080 |
request_uri | | /api?key=value |
request_method | HTTP request method (such as GET, POST, PUT, DELETE). | POST |
http_referer | Complete URL of the referring page (Referer header). | https://aliyun.com/workplace |
http_user_agent | Client identifier from the request header. | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 |
querystring | Query parameters after the | key=value |
request_path | Path portion of the URI (excluding query parameters). | /api |
http_x_forwarded_for | The original client IP address in the reverse proxy chain (the | 11.11.XX.XX, 22.22.XX.XX |
status | HTTP response status code (three-digit numeric code). | 200 |
response_set_cookie | The session identifier set by the server in the | user=sincerexia; state1=180; state2=135; Secure |
content_type | Media type of the request body. | application/x-www-form-urlencoded; charset=UTF-8 |
response_content_type | Media type of the response body. | text/plain;charset=UTF-8 |
proxy_connection | Proxy server connection control for managing persistent connection reuse between the proxy and client/server. | keep-alive |
proxy_authorization | Proxy server authentication credentials. | Basic Yxxxxxxxxxxxxxxxxxx== |
location | Target URL for redirection. | http://relocation.com |
request_header | Complete content of the original HTTP request header. Includes the request line (method + URI + protocol version) and all header key-value pairs. | |
request_body | Original HTTP request body data (carried by POST/PUT/PATCH methods). | &user=sincerexia |
response_header | Complete content of the original HTTP response header. | |
response_info | Original HTTP response body content. | |
TLS protocol
Field name | Description | Example value |
version | SSL/TLS version indicating the protocol version used for encrypted communication. | TLS 1.3 |
sni | Target server domain name sent by the client during the handshake. | aliyun.com |
state | TLS handshake state. Valid values: | HANDSHAKE_DONE |
cert_subject | Certificate subject containing the certificate holder's (Subject) information such as domain name, organization, and location in X.500 format. | C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=aliyuncs.com |
cert_issuer | Certificate issuer containing the certification authority (CA) information. | C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 OV TLS CA 2024 |
cert_serial | Certificate serial number uniquely assigned by the CA. | 45:33:16:59:11:9B:XX:XX:XX:XX:XX:XX |
cert_fingerprint | Certificate fingerprint, a hash digest that uniquely identifies the certificate content. | 14:2e:56:4b:8f:b1:c2:0f:8c:8b:ce:36:XX:XX:XX:XX:XX:XX:XX:XX |
ja3_str_client | Client JA3 string, a fingerprint string generated based on TLS handshake characteristics to identify client behavior patterns. | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2 |
ja3_str_server | Server JA3 string, a fingerprint string generated based on TLS handshake characteristics to identify server behavior patterns. | 771,4866,43-51 |
ja3_hash_client | Client JA3 hash, the MD5 hash value (32-character hexadecimal) of the client JA3 string. | 40adfd923eb82b89d8836ba37a19bca1 |
ja3_hash_server | Server JA3 hash, the MD5 hash value (32-character hexadecimal) of the server JA3 string. | 15af977ce25de452b96affa2addb1036 |
cipher_suite | Cipher suite representing the combination of key exchange, authentication, symmetric encryption, and message authentication code (MAC) algorithms used in the TLS connection. | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
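The JA3 string fields above are machine-parseable, so the logged values can answer questions the hash alone cannot, such as which TLS version the server actually negotiated or whether the client still offers legacy suites. The following is an added example, not NDR code; the suite and extension tables are a small hand-picked subset of the IANA registry, and CLIENT_JA3 / SERVER_JA3 are the table's example values.

```python
"""Parse the JA3 strings NDR logs in ja3_str_client / ja3_str_server and
derive facts about the handshake from them. Added example, not NDR code;
the suite and extension tables are a small subset of the IANA registry."""

import hashlib

# IANA cipher-suite identifiers (decimal) for the TLS 1.3 suites.
TLS13_SUITES = {
    4865: "TLS_AES_128_GCM_SHA256",
    4866: "TLS_AES_256_GCM_SHA384",
    4867: "TLS_CHACHA20_POLY1305_SHA256",
}
# Legacy RSA-key-exchange CBC suites (no forward secrecy) worth noticing
# when a client still offers them.
LEGACY_SUITES = {
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",
    60: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    61: "TLS_RSA_WITH_AES_256_CBC_SHA256",
}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions extension
RECORD_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2"}


def _ints(dash_list):
    """'4866-4867-4865' -> [4866, 4867, 4865]; '' -> []."""
    return [int(x) for x in dash_list.split("-") if x]


def parse_ja3(ja3_str):
    """Split a JA3 string into its comma-separated fields.

    Client strings have five fields (record version, cipher suites,
    extensions, elliptic curves, EC point formats); server strings carry
    only the first three, so the last two come back empty."""
    parts = ja3_str.split(",")
    if len(parts) not in (3, 5):
        raise ValueError("JA3 string must have 3 (server) or 5 (client) fields")
    names = ["ciphers", "extensions", "curves", "point_formats"]
    parsed = {"version": int(parts[0])}
    for name, part in zip(names, parts[1:]):
        parsed[name] = _ints(part)
    for name in names:
        parsed.setdefault(name, [])
    return parsed


def ja3_hash(ja3_str):
    """JA3 hash as NDR logs it: MD5 of the JA3 string, 32 hex characters."""
    return hashlib.md5(ja3_str.encode("ascii")).hexdigest()


def negotiated_version(server_ja3):
    """Infer the negotiated TLS version from the server JA3 string.

    A TLS 1.3 server selects one of the 0x13xx suites and answers with
    supported_versions (extension 43); otherwise the record version field
    (771 == 0x0303 == TLS 1.2) is the version that was negotiated."""
    s = parse_ja3(server_ja3)
    if (any(c in TLS13_SUITES for c in s["ciphers"])
            and EXT_SUPPORTED_VERSIONS in s["extensions"]):
        return "TLS 1.3"
    return RECORD_VERSIONS.get(s["version"], "unknown")


def legacy_suites_offered(client_ja3):
    """Names of the legacy RSA/CBC suites a client offered, in offer order."""
    return [LEGACY_SUITES[c] for c in parse_ja3(client_ja3)["ciphers"]
            if c in LEGACY_SUITES]


# The table's example JA3 strings.
CLIENT_JA3 = ("771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-"
              "49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-"
              "61-60-53-47-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2")
SERVER_JA3 = "771,4866,43-51"
```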
DNS protocol
Field name | Description | Example value |
type | DNS message type. Valid values: query, response. | query |
id | Transaction ID (16-bit unique identifier) used to match requests with responses. | 40125 |
rcode | Response code indicating the result status of the DNS request. | NOCODE |
query_name | Fully qualified domain name (FQDN) requested by the client for resolution. | oss-cn-hangzhou.aliyuncs.com |
query_type | Resource record type (RR Type) requested, which determines the type of data returned. | A |
answers | Answer section of the response containing resource records that directly answer the query, represented as a JSON array. | |
additional | Additional section of the response providing extra data related to the query, represented as a JSON array. | [ ] |
authority | Authority section of the response providing information about authoritative DNS servers for the domain (NS records), represented as a JSON array. | |
Database protocol
Database protocols, such as MySQL and PostgreSQL, use the same log fields. However, field support varies by protocol. Result set extraction is not supported for some database protocols.
Field name | Description | Example value |
db_type | Identifies the database engine type. Valid values: | MySQL |
type | Current log type. Valid values: | Server Greeting & Login Request |
user | Username performing the operation. | root |
db | Target database name (default database specified at connection time). | test_db |
protocol_version | Database protocol version number. | 10 |
salt | Random salt value generated by the server during authentication. | x!2k7Gg^9TqL |
server_version | Database server version string. | 5.7.40-log |
server_status | Server status flags. | 2 |
auth_response | Encrypted authentication response from the client. | 5f28eeab88bfc739938db314591ff3f9501e8cd5 |
command_type | SQL command type. | Query |
sql | Original SQL statement text. | |
fail | Indicates whether the operation failed. Valid values: | 0 |
result | Operation result summary. | SUCCESS |
error_code | Database-specific error code. | 0 |
error_message | Human-readable error description. | You have an error in your SQL syntax |
return_rows | Number of rows returned by the query. | 1 |
return_rows_data | Specific content of the result set in CSV format. | admin,123456 |
affect_rows | Number of rows affected by DML operations. | 3 |
last_insert_id | Most recently inserted value for an auto-increment primary key. | 42 |
FTP protocol
Field name | Description | Example value |
user | Username used for FTP authentication. This field identifies the client entity initiating the session. | user |
password | Plaintext password submitted by the client during authentication. | password |
cwd | Client's current working directory path. Records the file system location where the user executes commands. This field updates dynamically with the | /test |
request_command | FTP protocol command sent by the client (defined in RFC 959). Represents the type of operation requested by the client, such as: | USER |
request_arg | Argument accompanying the FTP command sent by the client. Combined with | username |
response_code | Three-digit status code returned by the server (per RFC 959 standard). The first digit indicates the response category: | 331 |
response_arg | Additional textual information following the server's status code, providing a human-readable explanation or details. | Anonymous access granted, restrictions apply |
WebSocket protocol
Field name | Description | Example value |
opcode | 4-bit unsigned integer in bits 4–7 of the WebSocket frame header that identifies the frame type and data processing logic. | 1 |
masking_key | 4-byte (32-bit) random number used for byte-by-byte masking of payload data. Typically present in client-to-server frames. This field shows the masking key as a hexadecimal string. | pb37e1b69 |
payload_len | Byte length of the payload data. | 15 |
payload | Actual application-layer data carried in the frame. If a | |
SSH protocol
Field name | Description | Example value |
client | Name and version of the SSH client software initiating the connection (such as OpenSSH). Helps identify client types for compatibility analysis, vulnerability assessment, client behavior analysis, and security policy management. | OpenSSH_8.4p1 |
server | Name and version of the SSH server software receiving the connection (such as OpenSSH server). Used for server identification, vulnerability management, and security patch tracking. | OpenSSH_8.4p1 Ubuntu-4ubuntu0.3 |
version | SSH protocol version number (1, 2, or unset) negotiated at connection start. | 2 |
cipher_alg | Symmetric encryption algorithm used in the SSH session to encrypt data transmissions and ensure data confidentiality. Common algorithms include AES-CTR or ChaCha20. Using strong algorithms (such as AES-256) helps prevent eavesdropping attacks. | AES-128-GCM |
compression_alg | Data compression algorithm used in SSH to reduce network bandwidth usage. Values can be none (no compression) or a specific algorithm (such as zlib). Enabling compression may affect performance, requiring a balance between efficiency and security. | none |
host_key | Fingerprint of the SSH server's public key used to verify server identity and prevent man-in-the-middle attacks. The fingerprint is a digest of the public key. Users can compare it to confirm they are connecting to the legitimate server. | cc:aa:aa:b7:********:cc:50:11:2d:71:f0:ee |
host_key_alg | Type of public key algorithm used for the SSH server's host key, such as RSA or ECDSA. Algorithm strength directly affects authentication security. Strong algorithms (such as RSA-SHA2) help prevent forgery attacks. | ECDSA-SHA2-NISTP256 |
kex_alg | Key exchange algorithm used during SSH connection initialization to negotiate session keys and provide forward secrecy. Common algorithms include Curve25519 or Diffie-Hellman. Secure implementations help prevent key compromise. | Curve25519-SHA256 |
mac_alg | Message authentication code (MAC) algorithm used in SSH to ensure data integrity and authenticity and prevent tampering. Common examples include HMAC-SHA2 series. Strong MAC algorithms form the foundation of secure data transmission. | HMAC-SHA2-256-ETM |
auth_attempts | Number of authentication attempts made during the SSH authentication process, including attempts using username, password, public key, or other methods. A value greater than 1 may indicate multiple failed attempts or that the server uses two-factor authentication. This field helps monitor brute-force attacks and audit security events. | 3 |
auth_success | Final result of SSH authentication as a Boolean value (true or false). Success or failure information helps detect unauthorized access, audit logs, and trigger security alerts. It is a critical indicator for preventing account hijacking. | false |
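The auth_attempts and auth_success fields, combined with the common src_ip and start_time fields, are enough to build a brute-force detector over the SSH logs. The following is an added example, not NDR code; the records are constructed, and the threshold and window length are tuning assumptions.

```python
"""Detection logic over NDR SSH logs: flag source IPs whose failed
authentication attempts within a sliding window reach a threshold.
Added example, not NDR code. Assumes each record is a dict with the common
fields (ndr_log_type, src_ip, start_time) plus the SSH fields auth_attempts
and auth_success; SAMPLE_RECORDS below are constructed."""

from collections import defaultdict

FAIL_THRESHOLD = 10   # failed attempts per source within one window (assumption)
WINDOW_SECONDS = 300  # 5-minute sliding window (assumption)


def _as_bool(value):
    """auth_success is logged as the Boolean text 'true' / 'false'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def failed_attempts(record):
    """Failed attempts contributed by one SSH session record.

    A session ending with auth_success=false counts all of its attempts;
    a successful session counts the attempts that preceded the success."""
    attempts = int(record.get("auth_attempts", 0))
    if _as_bool(record.get("auth_success")):
        return max(attempts - 1, 0)
    return attempts


def detect_ssh_bruteforce(records, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: (window_start, window_end, failures)} for every source
    that accumulates >= threshold failed attempts within `window` seconds.
    The first window that crosses the threshold is reported."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("ndr_log_type") != "SSH":
            continue
        fails = failed_attempts(r)
        if fails:
            by_src[r["src_ip"]].append((int(r["start_time"]), fails))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo, total = 0, 0
        for hi, (t, fails) in enumerate(events):
            total += fails
            # Slide the window start forward until it spans <= window seconds.
            while events[hi][0] - events[lo][0] > window:
                total -= events[lo][1]
                lo += 1
            if total >= threshold:
                alerts[src] = (events[lo][0], t, total)
                break
    return alerts


def _rec(src, start_time, attempts, success):
    """Build a constructed SSH record with the fields the detector reads."""
    return {"ndr_log_type": "SSH", "src_ip": src, "dst_ip": "10.0.0.5",
            "dst_port": 22, "start_time": start_time,
            "auth_attempts": attempts, "auth_success": success}


# Constructed sample: documentation-range IPs, start_time from the table.
SAMPLE_RECORDS = (
    # noisy source: four sessions, three failures each, inside four minutes
    [_rec("203.0.113.7", 1750157428 + 60 * i, 3, "false") for i in range(4)]
    # same source an hour later: outside the window, must not merge
    + [_rec("203.0.113.7", 1750157428 + 3600, 3, "false")]
    # admin who mistyped once and then succeeded
    + [_rec("198.51.100.2", 1750157500, 2, "true")]
    # slow source: three failures per hour never fills a 5-minute window
    + [_rec("192.0.2.9", 1750157428 + 3600 * i, 3, "false") for i in range(5)]
)

if __name__ == "__main__":
    print(detect_ssh_bruteforce(SAMPLE_RECORDS))
```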
RDP protocol
Field name | Description | Example value |
cert_count | Number of digital certificates used in the RDP session for server authentication and secure communication to enhance connection trustworthiness. | 2 |
cert_type | Certificate issuance type, such as self-signed certificate or certificate issued by a certification authority (CA), affecting the security level of authentication. | RSA |
encryption_level | Encryption strength level of the RDP connection, determining the protection level for data confidentiality and integrity. | Client compatible |
encryption_method | Encryption method for the RDP connection. | 56bit |
result | Final status of the RDP connection attempt, reflecting the reason for session establishment or termination. | Success |
client_build | Software build version number of the RDP client, identifying the specific release version of the client application. | RDP 5.1 |
client_channels | List of channels supported by the RDP client for data transmission functions such as clipboard sharing or printer redirection. | rdpdr, cliprdr, rdpsnd |
client_dig_product_id | Unique digital identifier for the client product, used to identify and track software product origins. | 76487-OEM-******-00107 |
client_name | Client computer name or host identifier initiating the RDP connection, used for session source identification. | UserPC |
cookie | Cookie value used in the RDP connection for session management or state persistence, providing security context and continuity. | session_token |
MQTT protocol
Field name | Description | Example value |
ack | Indicates whether the subscription message was acknowledged by the server. In the MQTT protocol, the server sends an acknowledgment flag when it accepts a subscription request. | true |
action | Indicates the type of subscription operation, such as SUBSCRIBE (subscribe) or UNSUBSCRIBE (unsubscribe). | SUBSCRIBE |
topics | List of topics subscribed to by the client, specifying the scope of messages to receive. | sensor/temperature |
client_id | Unique identifier for the client used for session management and authentication. | client123 |
connect_status | Indicates the connection status between the client and server. | Connection Accepted |
proto_name | Protocol name, usually MQTT (Message Queuing Telemetry Transport). | MQTT |
proto_version | MQTT protocol version number, such as 3.1.1 or 5.0, used for compatibility management. | 3.1.1 |
will_payload | Content of the will message automatically published when the client disconnects unexpectedly. | offline |
will_topic | Topic to which the will message is published, specifying the message destination path. | status/offline |
from_client | Indicates whether the message was published by the client rather than the server. | TRUE |
payload | Actual content of the message, which can be any data format such as text or binary. | Hello World |
payload_len | Byte length of the message content (payload), used to monitor data size. | 11 |
qos | Quality of Service level. | at most once |
retain | Indicates whether the message is retained on the server so new subscribers receive it immediately. | false |
status | Status of message publication. | ok |
topic | Topic path to which the message is published, used for routing and filtering messages. | sensor/data |
Syslog protocol
Field name | Description | Example value |
facility | Indicates the source type of the log message, such as kernel, user program, or mail system. In the Syslog protocol, facility classifies the component that generated the log, aiding log filtering and analysis. | USER |
message | Actual content of the log message, containing detailed information about events, errors, or operations. In the Syslog protocol, the message field stores core log data used for diagnosing and monitoring system behavior. | System rebooted unexpectedly |
severity | Indicates the severity level of the log message, ranging from emergency (highest urgency) to debug. Levels include emergency, alert, critical, error, warning, notice, info, and debug, used to prioritize handling of important events. | INFO |
SIP protocol
Field name | Description | Example value |
call_id | In the SIP protocol, the Call-ID header field value uniquely identifies a call session, associating all request and response messages within the same session. | 101365e0-7e65-****-****-00163e10aabd |
method | SIP request method type, such as INVITE (establish session), ACK (acknowledge), BYE (terminate session), or CANCEL (cancel request), defining the operation type. | INVITE |
seq | CSeq field in the SIP message indicating the command sequence number and method, used to match requests with responses and ensure message order and integrity. | 12345 INVITE |
uri | Uniform Resource Identifier in the SIP request line specifying the target address resource of the request. | sip:bob@example.com |
content_type | Media type of the response message body, such as application/sdp (Session Description Protocol), describing the message content format. | application/sdp |
response_body_len | Length (in bytes) of the response message body, indicating data size for diagnosing network transmission issues. | 256 |
response_from | Source address of the response message, typically corresponding to the SIP From header field, identifying the message originator. | "66666" <sip:66666@example.com> |
response_to | Destination address of the response message, typically corresponding to the SIP To header field, identifying the message recipient, which may include tag parameters. | <sip:777777@example.com>;tag=aaaaaaaaaa |
status_code | SIP response status code indicating the request processing result, such as 200 (success), 404 (not found), or 500 (server error). | 180 |
status_msg | Text description associated with the status code, such as OK or Not Found, providing a human-readable explanation of the status code. | Ringing |
warning | Contains warning text indicating potential issues or non-critical errors, such as session timeout or compatibility problems. | 399 example.com Session expired |
reply_to | Specifies the address for reply messages, used to redirect responses, typically corresponding to the SIP Reply-To header field. | sip:carol@example.com |
request_body_len | Length (in bytes) of the request message body, indicating data size for monitoring bandwidth usage and transmission efficiency. | 128 |
request_from | Source address of the request message, typically corresponding to the SIP From header field, identifying the message originator. | "66666" <sip:66666@example.com> |
request_to | Destination address of the request message, typically corresponding to the SIP To header field, identifying the message recipient. | <sip:777777@example.com>;tag=aaaaaaaaaa |
user_agent | Identifies the client software or device sending the request, used for user agent identification and compatibility checks. | Zoiper/2.0 |
Kerberos protocol
Field name | Description | Example value |
request_type | Identifies the Kerberos message type: Authentication Service ("AS") or Ticket Granting Service ("TGS"). | AS |
client | Principal name of the user or service initiating the Kerberos request. Usually formatted as username@REALM or service/hostname@REALM. This is the core identifier for authentication, used to determine the request origin. | user2/EXAMPLE.COM |
service | Principal name of the target service the client requests to access. Usually formatted as service/hostname@REALM. For TGS-REQ messages, this is the target service for which the client requests a service ticket. For AP-REQ messages, this is the service to which the client presents the service ticket for authentication. | krbtgt/EXAMPLE.COM |
forwardable | Indicates the state of the FORWARDABLE flag set in the Ticket Granting Ticket (TGT). (true/false) | true |
renewable | Indicates the state of the RENEWABLE flag set in the ticket. | true |
success | Indicates whether the Kerberos request was processed successfully. | true |
error_code | When a Kerberos request fails, this field contains the protocol-defined error code. | 24 |
error_msg | When a Kerberos request fails, this field contains the human-readable error description corresponding to error_code. | PREAUTH_FAILED |
from | Start time when the ticket becomes valid. Indicates when the ticket can start being used. | 0 |
till | Expiration time when the ticket becomes invalid. Indicates the moment the ticket validity ends, after which the ticket is no longer valid. | 1763692488 |
cipher | Indicates the encryption algorithm type used to encrypt data in Kerberos tickets or protocol messages. This is usually an enumerated value or string identifier, such as aes256-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1-kd, etc. It reflects the security strength and encryption mechanism used for tickets or session keys. | aes256-cts-hmac-sha1-96 |
SOCKS protocol
Field name | Description | Example value |
version | Indicates the SOCKS protocol version used (SOCKS4: 4 / SOCKS5: 5). | 5 |
user | Username used by the client for proxy authentication (may be empty). | admin |
status | Proxy server response status. | success |
bound_host | IP address bound by the proxy server. | true |
bound_name | Hostname bound by the proxy server. | localhost |
bound_p | Port bound by the proxy server. | 1080 |
request.host | Destination server IP address that the client requests to access through the proxy. | 0.0.0.0 |
request.name | Destination server domain name that the client requests to access through the proxy. | alibaba.com |
request_p | Destination server port that the client requests to access through the proxy. | 80 |