Agentic NDR continuously captures and generates network traffic logs in real time. Each log entry corresponds to a detected session and contains fields that describe its protocol, endpoints, payload metadata, and protocol-specific details. Use these fields to build log queries, set up alert conditions, and trace session activity across protocols.
Supported protocols
Agentic NDR identifies 55 protocols. Of these, 15 protocols receive deep parsing — meaning the system extracts protocol-specific fields in addition to the common fields shared by all logs: HTTP, DNS, ICMP, TLS, MySQL, PostgreSQL, FTP, WebSocket, SSH, RDP, MQTT, Syslog, SIP, Kerberos, and SOCKS. For all other protocols, Agentic NDR provides identification only.
All 55 supported protocols:
FTP_CONTROL, DNS, HTTP, PostgreSQL, MySQL, SSL, ICMP, WebSocket, POP3, SMTP, IMAP, NTP, NetBIOS, NFS, SSDP, SNMP, SMB, Syslog, RTSP, Telnet, LDAP, RTP, RDP, VNC, SSH, TFTP, SIP, Kerberos, MsSQL-TDS, PPTP, Citrix, OpenVPN, RTCP, RSYNC, Oracle, SOCKS, RTMP, Redis, QUIC, MQTT, MongoDB, Memcache, RPC, RPCBind, SVN, Cassandra, Zookeeper, IPsec, Nagios, Oracle_docker, Impala, Zabbix, Kafka, Thrift, SSE
Field categories by protocol
The table below shows which field categories apply to each protocol.
| Protocol | Field category | Fields |
|---|---|---|
| Common fields | Identification | `ndr_log_type` |
| Common fields | Session | `start_time`, `end_time`, `src_ip`, `src_port`, `dst_ip`, `dst_port`, `net_connect_dir`, `l3_protocol`, `l4_protocol`, `l7_protocol`, `tcp_flags`, `new_conn`, `app_id_extend`, `app_name_extend`, `category_id`, `category_name` |
| Common fields | Geolocation | `country_id`, `city_id` |
| Common fields | Raw payload | `req_trans_data`, `resp_trans_data`, `req_trans_offsets`, `resp_trans_offsets`, `req_trans_lens`, `resp_trans_lens` |
| ICMP | Message type | `type`, `code`, `type_str` |
| ICMP | Matching | `id`, `seq` |
| ICMP | Encapsulated packet | `inner_src_ip`, `inner_src_port`, `inner_dest_ip`, `inner_dest_port`, `inner_l4_proto` |
| HTTP | Summary | `host`, `request_uri`, `request_method`, `http_referer`, `http_user_agent`, `querystring`, `request_path`, `http_x_forwarded_for`, `status`, `response_set_cookie`, `content_type`, `response_content_type`, `proxy_connection`, `proxy_authorization`, `location` |
| HTTP | Payload | `request_header`, `request_body`, `response_header`, `response_info` |
| TLS | Basic info | `version`, `sni`, `state` |
| TLS | Certificate | `cert_subject`, `cert_issuer`, `cert_serial`, `cert_fingerprint` |
| TLS | JA3 fingerprint | `ja3_str_client`, `ja3_str_server`, `ja3_hash_client`, `ja3_hash_server` |
| TLS | Cipher suite | `cipher_suite` |
| DNS | Basic info | `type`, `id`, `rcode` |
| DNS | Question section | `query_name`, `query_type` |
| DNS | Answer section | `answers`, `additional`, `authority` |
| Database (MySQL, PostgreSQL) | Basic info | `db_type`, `type`, `user`, `db` |
| Database (MySQL, PostgreSQL) | Handshake/login | `protocol_version`, `salt`, `server_version`, `server_status`, `auth_response` |
| Database (MySQL, PostgreSQL) | Client command | `command_type`, `sql` |
| Database (MySQL, PostgreSQL) | Server response | `fail`, `result`, `error_code`, `error_message`, `return_rows`, `return_rows_data`, `affect_rows`, `last_insert_id` |
| FTP | Basic info | `user`, `password`, `cwd` |
| FTP | Commands and responses | `request_command`, `request_arg`, `response_code`, `response_arg` |
| WebSocket | Frame info | `opcode`, `masking_key` |
| WebSocket | Payload | `payload_len`, `payload` |
| SSH | Version | `client`, `server`, `version` |
| SSH | Key parameters | `cipher_alg`, `compression_alg`, `host_key`, `host_key_alg`, `kex_alg`, `mac_alg` |
| SSH | Authentication | `auth_attempts`, `auth_success` |
| RDP | Connection details | `cert_count`, `cert_type`, `encryption_level`, `encryption_method`, `result` |
| RDP | Client details | `client_build`, `client_channels`, `client_dig_product_id`, `client_name`, `cookie` |
| MQTT | Subscription | `ack`, `action`, `topics` |
| MQTT | Connection | `client_id`, `connect_status`, `proto_name`, `proto_version`, `will_payload`, `will_topic` |
| MQTT | Published message | `from_client`, `payload`, `payload_len`, `qos`, `retain`, `status`, `topic` |
| Syslog | Log details | `facility`, `message`, `severity` |
| SIP | Message identifier | `call_id`, `method`, `seq`, `uri` |
| SIP | Response | `content_type`, `response_body_len`, `response_from`, `response_to`, `status_code`, `status_msg`, `warning` |
| SIP | Request | `reply_to`, `request_body_len`, `request_from`, `request_to`, `user_agent` |
| Kerberos | Basic info | `client`, `request_type`, `service` |
| Kerberos | Request options | `forwardable`, `renewable` |
| Kerberos | Result | `cipher`, `error_code`, `error_msg`, `from`, `success`, `till` |
| SOCKS | Basic info | `status`, `user`, `version` |
| SOCKS | Request options | `bound_host`, `bound_name` |
| SOCKS | Result | `bound_p`, `request.host`, `request.name`, `request_p` |
Common fields
All protocol logs share these fields. The platform populates each field from session metadata.
| Field | Description | Example |
|---|---|---|
| `ndr_log_type` | The protocol type of this log entry. Valid values correspond to the supported protocol list. | `HTTP` |
| `start_time` | Session start time, as a Unix timestamp in seconds. | `1750157428` |
| `end_time` | Session end time, as a Unix timestamp in seconds. | `1750157428` |
| `src_ip` | Source IP address of the session. | `8.153.XX.XXX` |
| `src_port` | Source port of the session. | `33321` |
| `dst_ip` | Destination IP address of the session. | `203.119.XXX.XXX` |
| `dst_port` | Destination port of the session. | `80` |
| `net_connect_dir` | Traffic direction relative to your asset. `in`: traffic originates from the internet or another ECS instance and reaches your asset. `out`: your asset initiates traffic to the internet or another ECS instance. | `in` |
| `l3_protocol` | Layer 3 protocol. | `ipv4`, `ipv6`, `other` |
| `l4_protocol` | Layer 4 protocol. | `tcp`, `udp`, `icmp`, `other` |
| `l7_protocol` | Layer 7 protocol. | `HTTP` |
| `tcp_flags` | TCP flags as a decimal number. This value is the result of a bitwise OR over the TCP flags of all packets in the flow. | `26` |
| `new_conn` | Whether this flow is a new connection. `0`: not a new connection. `1`: a new connection. | `0` |
| `app_id_extend` | Application ID that uniquely identifies the detected network application. | `72` |
| `app_name_extend` | Application name corresponding to `app_id_extend`. | `HTTP_POST` |
| `category_id` | Application category ID, which classifies applications by scenario. | `5` |
| `category_name` | Application category name corresponding to `category_id`. | `WEB` |
| `country_id` | Country or region of the remote endpoint, as a two-letter ISO 3166-1 code. An empty value means the country or region is unrecognized. When `net_connect_dir` is `in`, this is the source country or region. When `net_connect_dir` is `out`, this is the destination country or region. | `CN` |
| `city_id` | City identifier based on China's six-digit administrative division codes for counties and higher-level divisions. | `110000` |
| `req_trans_data` | Raw request payload. May be truncated if the original payload exceeds the capture limit. | `L7PROTODATAL7PROTODATAL7PROTODATAL7PROTODATA` |
| `resp_trans_data` | Raw response payload. May be truncated if the original payload exceeds the capture limit. | `L7PROTODATAL7PROTODATAL7PROTODATA` |
| `req_trans_offsets` | Byte offset of each request segment within `req_trans_data`. | `0,700,2472,3177,3935` |
| `resp_trans_offsets` | Byte offset of each response segment within `resp_trans_data`. | `0,329,1003` |
| `req_trans_lens` | Original length of each request segment before truncation. | `700,1772,705,758,374` |
| `resp_trans_lens` | Original length of each response segment before truncation. | `329,674,1002` |
HTTP, SSL, SSH, RDP, MQTT, Syslog, and SIP logs do not include `req_trans_data`, `resp_trans_data`, `req_trans_offsets`, `resp_trans_offsets`, `req_trans_lens`, or `resp_trans_lens`.
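The `tcp_flags` bitmask and the raw payload segment fields can be decoded as shown in this added Python example, which is not code from the product documentation. It assumes each log entry is available as a dict keyed by the documented field names, that the payload is held as bytes, and that a segment counts as truncated when fewer bytes are stored at its offset than its `*_lens` value reports.

```python
# TCP header flag bits, lowest bit first.
TCP_FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]


def decode_tcp_flags(value):
    """Names of every flag seen on any packet of the flow (tcp_flags is an OR)."""
    value = int(value)
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def syn_without_ack(value):
    """True when a SYN was seen but no packet in the flow carried ACK."""
    value = int(value)
    return bool(value & 0x02) and not value & 0x10


def int_list(csv):
    """Parse a comma-separated field such as req_trans_offsets."""
    return [int(item) for item in str(csv).split(",") if item.strip()]


def split_segments(data, offsets_csv, lens_csv):
    """Slice a raw payload into segments and mark the truncated ones.

    Assumption: segment i is stored from offsets[i] up to the next offset
    (or the end of the data), and is truncated when fewer bytes are stored
    than the original length in lens[i].
    """
    offsets, lens = int_list(offsets_csv), int_list(lens_csv)
    if len(offsets) != len(lens):
        raise ValueError("offsets and lens describe a different segment count")
    segments = []
    for i, (start, original_len) in enumerate(zip(offsets, lens)):
        limit = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        chunk = data[start:min(limit, start + original_len)]
        segments.append({
            "index": i,
            "data": chunk,
            "original_len": original_len,
            "truncated": len(chunk) < original_len,
        })
    return segments


# Constructed sample entry (not real traffic). The payload is held as bytes;
# how the field is encoded in an exported log is not stated on this page.
SAMPLE_LOG = {
    "ndr_log_type": "Redis",
    "tcp_flags": 26,
    "resp_trans_data": b"A" * 329 + b"B" * 674 + b"C" * 200,
    "resp_trans_offsets": "0,329,1003",
    "resp_trans_lens": "329,674,1002",
}


def summarize(entry):
    """Flag names plus (index, stored bytes, original bytes, truncated) rows."""
    segments = split_segments(
        entry["resp_trans_data"],
        entry["resp_trans_offsets"],
        entry["resp_trans_lens"],
    )
    rows = [(s["index"], len(s["data"]), s["original_len"], s["truncated"])
            for s in segments]
    return decode_tcp_flags(entry["tcp_flags"]), rows


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A segment marked as truncated means a content match that finds nothing in it is inconclusive, not a clean result.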
ICMP protocol
| Field | Description | Example |
|---|---|---|
| `type` | ICMP message type code. | `8` |
| `code` | Subtype code that provides further detail about the message type. | `0` |
| `type_str` | Human-readable description of the ICMP message type. | `Echo (ping) reply` |
| `id` | Identifier used to match ICMP requests with their responses, such as a ping session ID. The sender sets this value, and the receiver returns it unchanged. | `24367` |
| `seq` | Sequence number used to order messages within a session, such as consecutive ping packets. | `256` |
| `inner_src_ip` | Source IP address of the encapsulated inner packet, if present in the ICMP payload. | `8.8.X.X` |
| `inner_src_port` | Source port of the encapsulated inner packet (for example, from the original TCP or UDP packet), if present. | `22546` |
| `inner_dest_ip` | Destination IP address of the encapsulated inner packet, if present in the ICMP payload. | `1.1.X.X` |
| `inner_dest_port` | Destination port of the encapsulated inner packet, if present. | `50988` |
| `inner_l4_proto` | Transport-layer protocol of the encapsulated inner packet, identified by its protocol number (`6` for TCP, `17` for UDP), if present. | `17` |
HTTP protocol
| Field | Description | Example |
|---|---|---|
| `host` | Target hostname and port from the request's `Host` header. | `aliyun.com:8080` |
| `request_uri` | Complete request URI, including path and query parameters. Unlike `request_path`, this field includes query parameters. Use it for route matching, resource location, and full request path auditing. | `/api?key=value` |
| `request_method` | HTTP request method. | `POST` |
| `http_referer` | Complete URL of the referring page, from the `Referer` header. | `https://aliyun.com/workplace` |
| `http_user_agent` | Client identifier string from the `User-Agent` header. | `Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36` |
| `querystring` | Query parameters following `?` in the URL. | `key=value` |
| `request_path` | Path portion of the URI, excluding query parameters. See also `request_uri`. | `/api` |
| `http_x_forwarded_for` | Original client IP address in the reverse proxy chain, from the `X-Forwarded-For` header. Formatted as a comma-separated list. | `11.11.XX.XX, 22.22.XX.XX` |
| `status` | Three-digit HTTP response status code. | `200` |
| `response_set_cookie` | Session identifier set by the server in the `Set-Cookie` header. | `user=sincerexia; state1=180; state2=135; Secure` |
| `content_type` | Media type of the request body. | `application/x-www-form-urlencoded; charset=UTF-8` |
| `response_content_type` | Media type of the response body. | `text/plain;charset=UTF-8` |
| `proxy_connection` | Controls persistent connection reuse between a proxy server, the client, and the origin server. | `keep-alive` |
| `proxy_authorization` | Authentication credentials for a proxy server. | `Basic Yxxxxxxxxxxxxxxxxxx==` |
| `location` | Redirect target URL. | `http://relocation.com` |
| `request_header` | Complete raw HTTP request header, including the request line and all header key-value pairs. | `POST /api?key=value HTTP/1.1\nX-Real-IP: 8.8.8.8\nHost: aliyun.com:3080\nContent-Length: 123` |
| `request_body` | Raw data of the HTTP request body, carried by methods such as POST, PUT, and PATCH. | `&user=sincerexia` |
| `response_header` | Complete raw HTTP response header. | `HTTP/1.1 200 OK\nCache-Control: no-cache\nContent-Type: text/plain;charset=UTF-8` |
| `response_info` | Raw content of the HTTP response body. | `{"result": "OK"}` |
TLS protocol
| Field | Description | Example |
|---|---|---|
| `version` | SSL/TLS protocol version used for the encrypted session. | `TLS 1.3` |
| `sni` | Server Name Indication (SNI) — the target domain sent by the client during the TLS handshake. | `aliyun.com` |
| `state` | TLS handshake state. `IN_PROGRESS`: handshake is in progress. `TLS_STATE_CERT_READY`: certificate transmission is complete. `HANDSHAKE_DONE`: handshake is complete. | `HANDSHAKE_DONE` |
| `cert_subject` | Certificate subject in X.500 format, including domain, organization, and location. | `C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=aliyuncs.com` |
| `cert_issuer` | Certification authority (CA) that issued the certificate. | `C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 OV TLS CA 2024` |
| `cert_serial` | Unique serial number assigned to the certificate by the CA. | `45:33:16:59:11:9B:XX:XX:XX:XX:XX:XX` |
| `cert_fingerprint` | Hash of the certificate that uniquely identifies its content. | `14:2e:56:4b:8f:b1:c2:0f:8c:8b:ce:36:XX:XX:XX:XX:XX:XX:XX:XX` |
| `ja3_str_client` | JA3 fingerprint string derived from the client's TLS handshake, used to identify client behavior. | `771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2` |
| `ja3_str_server` | JA3 fingerprint string derived from the server's TLS handshake. | `771,4866,43-51` |
| `ja3_hash_client` | 32-character hexadecimal MD5 hash of the client's JA3 string. | `40adfd923eb82b89d8836ba37a19bca1` |
| `ja3_hash_server` | 32-character hexadecimal MD5 hash of the server's JA3 string. | `15af977ce25de452b96affa2addb1036` |
| `cipher_suite` | Cipher suite used for the session, covering key exchange, authentication, symmetric encryption, and message authentication code (MAC) algorithms. | `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` |
DNS protocol
| Field | Description | Example |
|---|---|---|
| `type` | DNS message type. `query`: a DNS query. `response`: a DNS response. | `query` |
| `id` | 16-bit transaction ID used to match DNS requests with their responses. | `40125` |
| `rcode` | Processing status of the DNS request. | `NOCODE` |
| `query_name` | Fully qualified domain name (FQDN) the client requested to resolve. | `oss-cn-hangzhou.aliyuncs.com` |
| `query_type` | Requested resource record type, which determines the type of data to return. | `A` |
| `answers` | JSON array of resource records that directly answer the query. | `[{"name": "oss-cn-hangzhou.aliyuncs.com", "type": "A", "data": "118.31.XX.XX", "ttl": 131}]` |
| `additional` | JSON array of extra information related to the query. | `[]` |
| `authority` | JSON array of authoritative DNS server information for the domain (such as NS records). | `[{"name": "", "type": "SOA", "data": "ns1.alidns.com", "ttl": 600}]` |
Database protocol
MySQL and PostgreSQL logs use the same field set. However, not all protocols can extract every field, and some cannot extract result sets.
| Field | Description | Example |
|---|---|---|
| `db_type` | Database engine type. `MySQL`: a MySQL database. `PostgreSQL`: a PostgreSQL database. | `MySQL` |
| `type` | Log entry type within the database session. `Server Greeting`: server handshake. `Login Request`: client login request. `Server Greeting & Login Request`: combined handshake and login. `Request`: a general command request. `Unknown`: other types. | `Server Greeting & Login Request` |
| `user` | Username that initiated the operation. | `root` |
| `db` | Target database name specified at connection time. | `test_db` |
| `protocol_version` | Database protocol version number. | `10` |
| `salt` | Random salt the server generates during the authentication phase. | `x!2k7Gg^9TqL` |
| `server_version` | Version string of the database server. | `5.7.40-log` |
| `server_status` | Server status flag. | `2` |
| `auth_response` | Encrypted authentication response from the client. | `5f28eeab88bfc739938db314591ff3f9501e8cd5` |
| `command_type` | Type of the SQL command. | `Query` |
| `sql` | Raw SQL statement text. | `SELECT * FROM users;` |
| `fail` | Whether the operation failed. `0`: success. `1`: failure. `-1`: unknown. | `0` |
| `result` | Summary of the operation result. | `SUCCESS` |
| `error_code` | Database-specific error code. | `0` |
| `error_message` | Human-readable error description. | `You have an error in your SQL syntax` |
| `return_rows` | Number of rows returned by the query. | `1` |
| `return_rows_data` | Contents of the result set in comma-separated values (CSV) format. | `admin,123456` |
| `affect_rows` | Number of rows affected by a Data Manipulation Language (DML) operation. | `3` |
| `last_insert_id` | Most recently inserted value for an auto-increment primary key. | `42` |
FTP protocol
| Field | Description | Example |
|---|---|---|
| `user` | Username used for FTP authentication. | `user` |
| `password` | Plaintext password submitted by the client during authentication. | `password` |
| `cwd` | Client's current working directory. Updated dynamically by the `CWD` (Change Working Directory) command. | `/test` |
| `request_command` | FTP command sent by the client, as defined in RFC 959. Common commands: `USER`/`PASS` (authentication), `LIST`/`NLST` (directory listing), `RETR` (download), `STOR` (upload), `DELE` (delete), `PORT`/`PASV` (data connection mode). | `USER` |
| `request_arg` | Argument accompanying the client's FTP command. Together with `request_command`, this describes the full operation. | `username` |
| `response_code` | Three-digit status code returned by the server, as specified in RFC 959. `1xx`: preliminary response. `2xx`: success. `3xx`: intermediate response requiring further action. `4xx`: temporary error. `5xx`: permanent error. | `331` |
| `response_arg` | Explanatory text accompanying the server's status code. | `Anonymous access granted, restrictions apply` |
WebSocket protocol
| Field | Description | Example |
|---|---|---|
| `opcode` | 4-bit value in bits 4–7 of the WebSocket frame header that identifies the frame type and determines how the payload is interpreted. | `1` |
| `masking_key` | 4-byte (32-bit) random value used to mask the payload data byte-by-byte. Typically present in client-to-server frames. | `pb37e1b69` |
| `payload_len` | Length of the payload data in bytes. | `15` |
| `payload` | Application-layer data carried in the frame. If a `masking_key` is present, this is the unmasked data. | `{"request": true}` |
SSH protocol
| Field | Description | Example |
|---|---|---|
| `client` | Name and version of the SSH client software. | `OpenSSH_8.4p1` |
| `server` | Name and version of the SSH server software. | `OpenSSH_8.4p1 Ubuntu-4ubuntu0.3` |
| `version` | SSH protocol version negotiated at connection start (`1`, `2`, or unset). | `2` |
| `cipher_alg` | Symmetric encryption algorithm used during the SSH session. Common values include `AES-CTR` and `ChaCha20`. | `AES-128-GCM` |
| `compression_alg` | Compression algorithm used during the SSH session. `none` means no compression is applied. | `none` |
| `host_key` | Fingerprint of the server's public key, used to verify its identity and detect man-in-the-middle attacks. | `cc:aa:aa:b7:********:cc:50:11:2d:71:f0:ee` |
| `host_key_alg` | Public key algorithm for the server's host key, such as RSA or ECDSA. | `ECDSA-SHA2-NISTP256` |
| `kex_alg` | Key exchange algorithm used to negotiate the session key and provide forward secrecy. Common values include `Curve25519` and `Diffie-Hellman`. | `Curve25519-SHA256` |
| `mac_alg` | Message authentication code (MAC) algorithm that ensures data integrity and prevents tampering. | `HMAC-SHA2-256-ETM` |
| `auth_attempts` | Number of authentication attempts during the session, including username/password and public key attempts. Values greater than 1 may indicate failed attempts or two-factor authentication. Use this field to monitor for brute-force attacks. | `3` |
| `auth_success` | Whether SSH authentication succeeded. `true`: authentication succeeded. `false`: authentication failed. | `false` |
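One way to act on `auth_attempts` and `auth_success` is to aggregate failed sessions per source and destination over a sliding window, because a single session with more than one attempt is not conclusive on its own. The Python below is an added example, not part of the product documentation; the dict-per-session input, the 300-second window and the threshold of 10 attempts are assumptions.

```python
from collections import defaultdict

# Constructed sample entries (not real traffic), keyed by the field names
# documented on this page. One JSON-like dict per session is an assumption.
T0 = 1750157400
SAMPLE_LOGS = [
    {"ndr_log_type": "SSH", "start_time": T0, "src_ip": "198.51.100.7",
     "dst_ip": "10.0.0.5", "auth_attempts": 6, "auth_success": "false"},
    {"ndr_log_type": "SSH", "start_time": T0 + 60, "src_ip": "198.51.100.7",
     "dst_ip": "10.0.0.5", "auth_attempts": 6, "auth_success": "false"},
    {"ndr_log_type": "SSH", "start_time": T0 + 120, "src_ip": "198.51.100.7",
     "dst_ip": "10.0.0.5", "auth_attempts": 1, "auth_success": "true"},
    {"ndr_log_type": "SSH", "start_time": T0, "src_ip": "203.0.113.9",
     "dst_ip": "10.0.0.5", "auth_attempts": 3, "auth_success": "false"},
    {"ndr_log_type": "SSH", "start_time": T0 + 1000, "src_ip": "203.0.113.9",
     "dst_ip": "10.0.0.5", "auth_attempts": 3, "auth_success": "false"},
    {"ndr_log_type": "SSH", "start_time": T0 + 5, "src_ip": "192.0.2.10",
     "dst_ip": "10.0.0.5", "auth_attempts": 2, "auth_success": True},
    {"ndr_log_type": "HTTP", "start_time": T0, "src_ip": "192.0.2.10",
     "dst_ip": "10.0.0.5", "status": 200},
]


def as_bool(value):
    """Accept auth_success as a boolean or as the strings true/false."""
    return str(value).strip().lower() == "true"


def detect_ssh_bruteforce(logs, window=300, threshold=10):
    """Alert on src/dst pairs whose failed sessions add up to `threshold`
    auth_attempts within `window` seconds (both values are assumptions)."""
    by_pair = defaultdict(list)
    for entry in logs:
        if entry.get("ndr_log_type") == "SSH":
            by_pair[(entry["src_ip"], entry["dst_ip"])].append(entry)

    alerts = []
    for (src, dst), entries in sorted(by_pair.items()):
        entries.sort(key=lambda e: int(e["start_time"]))
        failed = [e for e in entries if not as_bool(e.get("auth_success"))]
        left = running = peak = 0
        first_hit = None
        for entry in failed:
            now = int(entry["start_time"])
            running += int(entry.get("auth_attempts") or 0)
            # Drop failed sessions that fell out of the sliding window.
            while now - int(failed[left]["start_time"]) > window:
                running -= int(failed[left].get("auth_attempts") or 0)
                left += 1
            peak = max(peak, running)
            if first_hit is None and running >= threshold:
                first_hit = now
        if first_hit is None:
            continue
        # A later success from the same source raises the priority.
        success_after = any(
            as_bool(e.get("auth_success")) and int(e["start_time"]) >= first_hit
            for e in entries
        )
        alerts.append({
            "src_ip": src,
            "dst_ip": dst,
            "failed_attempts": peak,
            "first_seen": first_hit,
            "success_after_failures": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Tune the window and threshold against your own baseline; an alert with `success_after_failures` set deserves review first.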
RDP protocol
| Field | Description | Example |
|---|---|---|
| `cert_count` | Number of digital certificates used for server authentication in the RDP session. | `2` |
| `cert_type` | Certificate type (for example, self-signed or CA-issued), which determines the authentication security level. | `RSA` |
| `encryption_level` | Encryption strength of the RDP connection. | `Client compatible` |
| `encryption_method` | Encryption method for the RDP connection. | `56bit` |
| `result` | Outcome of the RDP connection attempt. | `Success` |
| `client_build` | Build version of the RDP client. | `RDP 5.1` |
| `client_channels` | Channels supported by the RDP client, enabling features such as clipboard sharing and printer redirection. | `rdpdr, cliprdr, rdpsnd` |
| `client_dig_product_id` | Unique digital identifier for the client product, used to track software origin. | `76487-OEM-****** -00107` |
| `client_name` | Computer name or host identifier of the client initiating the RDP connection. | `UserPC` |
| `cookie` | Cookie used for session management and state persistence in the RDP connection. | `session_token` |
MQTT protocol
| Field | Description | Example |
|---|---|---|
| `ack` | Whether the server acknowledged a subscription request. | `true` |
| `action` | Subscription operation type. | `SUBSCRIBE` |
| `topics` | List of topics the client subscribes to. | `sensor/temperature` |
| `client_id` | Unique client identifier used for session management and authentication. | `client123` |
| `connect_status` | Connection status between the client and the server. | `Connection Accepted` |
| `proto_name` | Protocol name. | `MQTT` |
| `proto_version` | MQTT protocol version. | `3.1.1` |
| `will_payload` | Payload of the will message, published by the server if the client disconnects unexpectedly. | `offline` |
| `will_topic` | Topic where the server publishes the will message. | `status/offline` |
| `from_client` | Whether the message originated from the client rather than the server. | `TRUE` |
| `payload` | Message content, in any data format such as text or binary. | `Hello World` |
| `payload_len` | Message payload length in bytes. | `11` |
| `qos` | Quality of service (QoS) level for message delivery. | `at most once` |
| `retain` | Whether the server retains the message for new subscribers. | `false` |
| `status` | Publication status of the message. | `ok` |
| `topic` | Topic where the message is published. | `sensor/data` |
Syslog protocol
| Field | Description | Example |
|---|---|---|
| `facility` | Type of component that generated the log, such as the kernel, a user program, or the mail system. | `USER` |
| `message` | Log message content, including event details, errors, or operational information. | `System rebooted unexpectedly` |
| `severity` | Severity level of the log message. Levels from most to least severe: emergency, alert, critical, error, warning, notice, info, and debug. | `INFO` |
SIP protocol
| Field | Description | Example |
|---|---|---|
| `call_id` | Value of the Call-ID header, which uniquely identifies the call session and associates all requests and responses within it. | `101365e0-7e65-**-**-00163e10aabd` |
| `method` | SIP request method. Examples: `INVITE` (establish a session), `ACK` (acknowledge), `BYE` (terminate), `CANCEL` (cancel a request). | `INVITE` |
| `seq` | CSeq field containing a command sequence number and method, used to match requests with responses and ensure message ordering. | `12345 INVITE` |
| `uri` | URI in the SIP request line that specifies the target of the request. | `sip:bob@example.com` |
| `content_type` | Media type of the response body. For example, `application/sdp` for the Session Description Protocol (SDP). | `application/sdp` |
| `response_body_len` | Length of the response body in bytes. | `256` |
| `response_from` | Source address of the response, corresponding to the SIP From header. | `"66666" <sip:66666@example.com>` |
| `response_to` | Destination address of the response, corresponding to the SIP To header. May include a tag parameter. | `<sip:777777@example.com>;tag=aaaaaaaaaa` |
| `status_code` | SIP response status code. Examples: `200` (OK), `404` (Not Found), `500` (Server Error). | `180` |
| `status_msg` | Human-readable text for the status code. | `Ringing` |
| `warning` | Warning text indicating a potential issue or non-critical error, such as a session timeout or compatibility problem. | `399 example.com Session expired` |
| `reply_to` | Address for redirecting reply messages, corresponding to the SIP Reply-To header. | `sip:carol@example.com` |
| `request_body_len` | Length of the request body in bytes. | `128` |
| `request_from` | Source address of the request, corresponding to the SIP From header. | `"66666" <sip:66666@example.com>` |
| `request_to` | Destination address of the request, corresponding to the SIP To header. | `<sip:777777@example.com>;tag=aaaaaaaaaa` |
| `user_agent` | Client software or device that sent the request. | `Zoiper/2.0` |
Kerberos protocol
| Field | Description | Example |
|---|---|---|
| `request_type` | Kerberos message type. `AS`: Authentication Service request. `TGS`: Ticket Granting Service request. | `AS` |
| `client` | Principal name of the user or service initiating the request, typically formatted as `username@REALM` or `service/hostname@REALM`. | `user2/EXAMPLE.COM` |
| `service` | Principal name of the target service. For a TGS-REQ, the client requests a service ticket for this service. For an AP-REQ, the client presents a ticket to authenticate with this service. | `krbtgt/EXAMPLE.COM` |
| `forwardable` | Whether the `FORWARDABLE` flag is set in the Ticket Granting Ticket (TGT). | `true` |
| `renewable` | Whether the `RENEWABLE` flag is set in the ticket. | `true` |
| `success` | Whether the Kerberos request succeeded. | `true` |
| `error_code` | Protocol-defined error code, present only if the request fails. | `24` |
| `error_msg` | Human-readable description of the error code, present only if the request fails. | `PREAUTH_FAILED` |
| `from` | Start time of the ticket's validity period. | `0` |
| `till` | Expiration time of the ticket. | `1763692488` |
| `cipher` | Encryption algorithm used for the Kerberos ticket or session key, such as `aes256-cts-hmac-sha1-96`, `arcfour-hmac-md5`, or `des3-cbc-sha1-kd`. | `aes256-cts-hmac-sha1-96` |
SOCKS protocol
| Field | Description | Example |
|---|---|---|
| `version` | SOCKS protocol version. `4`: SOCKS4. `5`: SOCKS5. | `5` |
| `user` | Username used by the client for proxy authentication. May be empty. | `admin` |
| `status` | Proxy server response status. | `success` |
| `bound_host` | IP address bound by the proxy server. | `127.0.0.1` |
| `bound_name` | Hostname bound by the proxy server. | `localhost` |
| `bound_p` | Port bound by the proxy server. | `1080` |
| `request.host` | IP address of the destination server. | `0.0.0.0` |
| `request.name` | Domain name of the destination server. | `alibaba.com` |
| `request_p` | Port of the destination server. | `80` |