Network Detection and Response (NDR) automatically collects and generates logs in real time. You can specify log fields to quickly query the log content you need for log analysis and traffic audits. This topic describes the types and meanings of NDR log fields.
Supported protocol types
NDR identifies 55 protocols. It provides deep parsing for protocols such as HTTP, DNS, ICMP, TLS, MySQL, PostgreSQL, FTP, WebSocket, SSH, RDP, MQTT, Syslog, and SIP. This allows NDR to extract and display protocol-specific fields in addition to the common fields. For other protocols, NDR only provides identification and does not extract protocol-specific fields.
Protocol log field categories
Descriptions of common and additional protocol log fields
Common fields
Field name | Description | Example value |
ndr_log_type | The NDR protocol log type. This value varies for different protocols. For more information about the value range, see Supported protocol types. | HTTP |
start_time | The start time of the session. This is a UNIX timestamp in seconds. | 1750157428 |
end_time | The end time of the session. This is a UNIX timestamp in seconds. | 1750157428 |
src_ip | The source IP address of the session. | 8.153.XX.XXX |
src_port | The source port of the session. | 33321 |
dst_ip | The destination IP address of the session. | 203.119.XXX.XXX |
dst_port | The destination port of the session. | 80 |
net_connect_dir | The direction of session traffic relative to the asset (for example, in for inbound traffic). | in |
l3_protocol | The Layer 3 protocol type. | ipv4, ipv6, other |
l4_protocol | The Layer 4 protocol type. | tcp, udp, icmp, other |
l7_protocol | The Layer 7 protocol type. | HTTP |
tcp_flags | The TCP flag information in decimal format. This value is calculated by performing a bitwise OR operation on the TCP flags of all packets in the traffic, using the header bit values FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128. For example, 26 = SYN + PSH + ACK. | 26 |
new_conn | Indicates whether the current traffic belongs to a newly established connection. | 0 |
app_id_extend | The application ID. | 72 |
app_name_extend | The application name. | HTTP_POST |
category_id | The application category ID. | 5 |
category_name | The application category name. | WEB |
country_id | The country or region. The value is a two-letter code from the ISO 3166-1 standard. | CN |
city_id | A unique identifier for a city. The value is a six-digit administrative region code for counties and above in China. The corresponding city code can be found using the administrative region codes of China. | 110000 |
req_trans_data | Stores the raw request data. Note: If the original payload is too long, it may be truncated to a fixed length. | L7PROTODATAL7PROTODATAL7PROTODATAL7PROTODATA |
resp_trans_data | Stores the raw response data. Note: If the original payload is too long, it may be truncated to a fixed length. | L7PROTODATAL7PROTODATAL7PROTODATA |
req_trans_offsets | Records the starting position (byte offset in the original request stream) of each request stored in req_trans_data. In the example values each offset equals the sum of the preceding lengths in req_trans_lens, so offsets refer to the untruncated stream, not to the possibly truncated stored data. | 0,700,2472,3177,3935 |
resp_trans_offsets | Records the starting position (byte offset in the original response stream) of each response stored in resp_trans_data. | 0,329,1003 |
req_trans_lens | Records the original full length (actual length before truncation) of each request data. A request whose offset plus length exceeds the stored req_trans_data was cut by the truncation. | 700,1772,705,758,374 |
resp_trans_lens | Records the original full length (actual length before truncation) of each response data. | 329,674,1002 |
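Two common-field operations come up in almost every traffic audit: expanding tcp_flags back into flag names, and cutting the concatenated req_trans_data blob back into individual requests while detecting which ones the fixed-length truncation damaged. The following Python is an added example, not code from the original page or from the NDR product. It uses the page's example offsets and lengths against a constructed 3000-byte stored blob (the page's own L7PROTODATA placeholder, repeated), which is an assumption chosen so that the last three requests are cut.

```python
from typing import Dict, List

# TCP flag bits as laid out in the TCP header (low bit first).
TCP_FLAG_BITS = [("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8),
                 ("ACK", 16), ("URG", 32), ("ECE", 64), ("CWR", 128)]


def decode_tcp_flags(value: int) -> List[str]:
    """Expand the decimal tcp_flags field (OR of all packets' flags) into flag names."""
    return [name for name, bit in TCP_FLAG_BITS if value & bit]


def parse_int_list(field: str) -> List[int]:
    """req_trans_offsets / req_trans_lens are comma-separated decimal lists."""
    return [int(x) for x in field.split(",") if x.strip()]


def offsets_consistent(offsets: List[int], lens: List[int]) -> bool:
    """Each offset must equal the running sum of the preceding full lengths."""
    running = 0
    for off, length in zip(offsets, lens):
        if off != running:
            return False
        running += length
    return len(offsets) == len(lens)


def split_transactions(stored: bytes, offsets_field: str, lens_field: str) -> List[Dict]:
    """Cut the stored (possibly truncated) blob back into per-transaction chunks.

    offsets/lens describe the ORIGINAL stream, so a chunk whose end lies beyond the
    stored blob was cut by the fixed-length truncation and must not be parsed as complete.
    """
    offsets = parse_int_list(offsets_field)
    lens = parse_int_list(lens_field)
    if not offsets_consistent(offsets, lens):
        raise ValueError("offsets do not match the running sum of lengths")
    chunks = []
    for idx, (off, full_len) in enumerate(zip(offsets, lens)):
        data = stored[off:off + full_len]
        if full_len and not data:
            status = "missing"        # starts beyond the stored blob
        elif len(data) < full_len:
            status = "truncated"      # starts inside, ends beyond
        else:
            status = "complete"
        chunks.append({"index": idx, "offset": off, "full_len": full_len,
                       "stored_len": len(data), "status": status, "data": data})
    return chunks


# Constructed sample: the page's example offsets/lens with a stored blob cut at 3000 bytes.
SAMPLE_OFFSETS = "0,700,2472,3177,3935"
SAMPLE_LENS = "700,1772,705,758,374"
SAMPLE_STORED = (b"L7PROTODATA" * 273)[:3000]


def sample_statuses() -> List[str]:
    return [c["status"] for c in split_transactions(SAMPLE_STORED, SAMPLE_OFFSETS, SAMPLE_LENS)]


if __name__ == "__main__":
    print(decode_tcp_flags(26))
    for c in split_transactions(SAMPLE_STORED, SAMPLE_OFFSETS, SAMPLE_LENS):
        print(c["index"], c["status"], c["stored_len"], "/", c["full_len"])
```

Only chunks reported as complete should be fed to a downstream HTTP or SQL parser; a truncated chunk that happens to end mid-header will otherwise produce misleading parse errors or, worse, a partial request body that looks benign.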
ICMP protocol
Field name | Description | Example value |
type | The ICMP message type (RFC 792), for example 8 for Echo request and 0 for Echo reply. | 8 |
code | The ICMP message code, which qualifies the type (for example, the specific reason within a Destination Unreachable message). | 0 |
type_str | A readable string description (in English) of the ICMP message type. | Echo (ping) request |
id | The identifier in the ICMP message. It is used to match requests with responses, such as the session ID in a ping. It is usually generated by the sender and must be returned unchanged by the receiver. | 24367 |
seq | The sequence number in the ICMP message. It identifies the order of different messages in the same session, such as the sequence number of consecutive ping packets. | 256 |
inner_src_ip | The source IP address of the inner packet encapsulated in the ICMP payload. ICMP error messages such as Destination Unreachable and Time Exceeded quote the header of the packet that triggered them. This field is valid only when an inner packet is encapsulated in the ICMP payload. | 8.8.X.X |
inner_src_port | The source port of the inner packet, such as the port of the original TCP/UDP packet. This field is valid only when an inner packet is encapsulated in the ICMP payload. | 22546 |
inner_dest_ip | The destination IP address of the inner packet encapsulated in the ICMP payload. This field is valid only when an inner packet is encapsulated in the ICMP payload. | 1.1.X.X |
inner_dest_port | The destination port of the inner packet, such as the port of the original TCP/UDP packet. This field is valid only when an inner packet is encapsulated in the ICMP payload. | 50988 |
inner_l4_proto | The transport-layer protocol type of the inner packet, such as TCP=6 or UDP=17. This field is valid only when an inner packet is encapsulated in the ICMP payload. | 17 |
HTTP protocol
Field name | Description | Example value |
host | The target hostname and port number from the request header (Host header). | aliyun.com:8080 |
request_uri | The request URI from the request line, including the path and the query string. | /api?key=value |
request_method | The HTTP request method, such as GET, POST, PUT, or DELETE. | POST |
http_referer | The full URL of the page from which the request originated (Referer header). | https://aliyun.com/workplace |
http_user_agent | The User-Agent request header, which identifies the client software (browser, library, or tool). | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 |
querystring | The query parameters after the ? in the request URI. | key=value |
request_path | The path part of the URI, without query parameters. | /api |
http_x_forwarded_for | The client IP address chain recorded by reverse proxies (X-Forwarded-For header). Each proxy appends the address it received the request from, so the leftmost entry is the original client as claimed by the first hop. The header is client-supplied; only entries appended by proxies you trust should be believed. | 11.11.XX.XX, 22.22.XX.XX |
status | The HTTP response status code (a three-digit code). | 200 |
response_set_cookie | The cookie set by the server through the Set-Cookie response header, including its attributes (for example Secure, HttpOnly, SameSite). | user=sincerexia; state1=180; state2=135; Secure |
content_type | Identifies the media type of the request body. | application/x-www-form-urlencoded; charset=UTF-8 |
response_content_type | Identifies the media type of the response body. | text/plain;charset=UTF-8 |
proxy_connection | The Proxy-Connection request header (non-standard, but commonly sent to forward proxies). It manages the reuse of persistent connections between the proxy and the client. | keep-alive |
proxy_authorization | The Proxy-Authorization request header carrying the client's credentials for the proxy. Basic credentials are only base64-encoded, so this field stores a recoverable username and password. | Basic Yxxxxxxxxxxxxxxxxxx== |
location | The redirection target URL. | http://relocation.com |
request_header | The full content of the raw HTTP request header. It includes the request line (method + URI + protocol version) and all header key-value pairs. | |
request_body | The raw HTTP request body data, carried by methods such as POST, PUT, or PATCH. | &user=sincerexia |
response_header | The full content of the raw HTTP response header. | |
response_info | The content of the raw HTTP response body. | |
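Two HTTP fields above are easy to misread in an audit: http_x_forwarded_for must be resolved from the right against a list of proxies you actually trust, and response_set_cookie should be checked for the attributes a session cookie needs. The Python below is an added example, not code from the page or from NDR. The trusted proxy range 22.22.0.0/16 and the log rows are constructed (the page masks its addresses), and the set of expected cookie attributes is a policy assumption.

```python
import ipaddress
from typing import Iterable, Set

# Assumption: the reverse proxies in front of the asset live in this range (hypothetical).
TRUSTED_PROXIES = [ipaddress.ip_network("22.22.0.0/16")]


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                  # garbage in XFF is never a trusted proxy
    return any(ip in net for net in trusted)


def real_client_ip(src_ip: str, xff: str, trusted=TRUSTED_PROXIES) -> str:
    """Resolve the client address from src_ip plus http_x_forwarded_for.

    The chain is read right to left: src_ip is the peer that delivered the request,
    the rightmost XFF hop was appended by that peer, and so on. Hops are skipped only
    while they belong to a trusted proxy; the first untrusted hop is the client.
    Everything to its left was supplied by that client and is not evidence.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    chain = hops + [src_ip]
    for addr in reversed(chain):
        if not _is_trusted(addr, trusted):
            return addr
    return chain[0]                   # whole chain is our own infrastructure


# Attributes a session cookie is expected to carry (policy assumption).
EXPECTED_COOKIE_FLAGS = {"Secure", "HttpOnly", "SameSite"}


def missing_cookie_flags(set_cookie: str) -> Set[str]:
    """Return the expected attributes absent from a response_set_cookie value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    present = set()
    for attr in parts[1:]:            # parts[0] is the name=value pair
        name = attr.split("=", 1)[0].strip().lower()
        for flag in EXPECTED_COOKIE_FLAGS:
            if name == flag.lower():  # attribute names are case-insensitive
                present.add(flag)
    return EXPECTED_COOKIE_FLAGS - present


# Constructed log rows with full addresses.
ROW_BEHIND_PROXY = {"src_ip": "22.22.1.5",
                    "http_x_forwarded_for": "11.11.3.4, 22.22.7.8",
                    "response_set_cookie": "user=sincerexia; state1=180; state2=135; Secure"}
ROW_DIRECT = {"src_ip": "8.153.1.1",
              "http_x_forwarded_for": "10.0.0.1",   # client-supplied, must be ignored
              "response_set_cookie": "sid=abc; Secure; HttpOnly; SameSite=Strict"}

if __name__ == "__main__":
    for row in (ROW_BEHIND_PROXY, ROW_DIRECT):
        print(real_client_ip(row["src_ip"], row["http_x_forwarded_for"]),
              sorted(missing_cookie_flags(row["response_set_cookie"])))
```

For ROW_DIRECT the peer is not a trusted proxy, so the 10.0.0.1 in the header is discarded and src_ip is the client; blocking or allow-listing on the leftmost XFF value without this check lets any client choose its own "source address" in your logs.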
TLS protocol
Field name | Description | Example value |
version | The SSL/TLS version. It identifies the protocol version used for encrypted communication. | TLS 1.3 |
sni | The target server domain name sent by the client during the handshake. | aliyun.com |
state | The TLS handshake state, for example HANDSHAKE_DONE when the handshake completed. | HANDSHAKE_DONE |
cert_subject | The certificate subject. This is the information of the certificate holder (Subject) as an X.500 distinguished name, which includes the domain name, organization, and geographic location. | C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=aliyuncs.com |
cert_issuer | The certificate issuer. This is the information of the certification authority (CA). | C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 OV TLS CA 2024 |
cert_serial | The certificate serial number. This is a unique serial number assigned to the certificate by the CA. | 45:33:16:59:11:9B:XX:XX:XX:XX:XX:XX |
cert_fingerprint | The certificate fingerprint. This is a hash summary of the certificate that uniquely identifies the certificate content. | 14:2e:56:4b:8f:b1:c2:0f:8c:8b:ce:36:XX:XX:XX:XX:XX:XX:XX:XX |
ja3_str_client | The client JA3 string, built from the Client Hello: record version, cipher suites, extensions, elliptic curves, and point formats, each list as decimal values joined by - and the five parts separated by commas. It fingerprints the client TLS stack, not the user. | 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2 |
ja3_str_server | The server JA3 string (the JA3S fingerprint), built from the Server Hello: version, the selected cipher suite, and extensions. It fingerprints the server TLS stack. | 771,4866,43-51 |
ja3_hash_client | The client JA3 hash. This is the MD5 of the client JA3 string, 32 hexadecimal characters (128 bits). | 40adfd923eb82b89d8836ba37a19bca1 |
ja3_hash_server | The server JA3 hash. This is the MD5 of the server JA3 string, 32 hexadecimal characters (128 bits). | 15af977ce25de452b96affa2addb1036 |
cipher_suite | The cipher suite negotiated for the TLS connection. TLS 1.2 and earlier names encode key exchange, authentication, symmetric encryption, and Message Authentication Code (MAC) algorithms (for example TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); TLS 1.3 names encode only the AEAD cipher and hash (for example TLS_AES_256_GCM_SHA384) because key exchange and authentication are negotiated separately. | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
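The JA3 strings are worth decoding rather than only hashing: the leading 771 (0x0303) is the legacy record version and stays at TLS 1.2 even when TLS 1.3 is negotiated, so the real version signal is the supported_versions extension (43) together with a 0x13xx cipher. GREASE values (RFC 8701) should already be stripped by a compliant JA3 generator; seeing one means the string came from a different implementation and its hash will not match published JA3 lists. The Python below is an added example, not code from the page or from NDR; it parses the page's two example strings. The decimal codepoints for supported_versions, key_share and the TLS 1.3 suites are IANA values.

```python
import hashlib
from typing import Dict, List

SUPPORTED_VERSIONS_EXT = 43
KEY_SHARE_EXT = 51
TLS13_CIPHERS = {4865, 4866, 4867, 4868, 4869}    # 0x1301 .. 0x1305


def _ints(part: str) -> List[int]:
    return [int(x) for x in part.split("-") if x]


def is_grease(value: int) -> bool:
    """GREASE values are 0x0a0a, 0x1a1a, ... 0xfafa: equal bytes, low nibble 0xa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_ja3(ja3: str) -> Dict:
    """Split a JA3 (5 parts) or JA3S (3 parts) string and derive the useful facts."""
    fields = ja3.split(",")
    if len(fields) == 5:      # client: version,ciphers,extensions,curves,point_formats
        keys = ("version", "ciphers", "extensions", "curves", "point_formats")
    elif len(fields) == 3:    # server: version,cipher,extensions
        keys = ("version", "ciphers", "extensions")
    else:
        raise ValueError("unexpected JA3 field count: %d" % len(fields))
    parsed = {k: _ints(v) for k, v in zip(keys, fields)}
    parsed["version"] = parsed["version"][0]
    parsed["kind"] = "ja3" if len(fields) == 5 else "ja3s"
    parsed["md5"] = hashlib.md5(ja3.encode()).hexdigest()   # what ja3_hash_* stores
    parsed["grease_present"] = any(is_grease(v)
                                   for v in parsed["ciphers"] + parsed["extensions"])
    # Record version stays 771 for TLS 1.3; the extension plus a 0x13xx suite is the signal.
    parsed["offers_tls13"] = (SUPPORTED_VERSIONS_EXT in parsed["extensions"]
                              and any(c in TLS13_CIPHERS for c in parsed["ciphers"]))
    return parsed


# The page's example strings.
CLIENT_JA3 = ("771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-"
              "49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-"
              "61-60-53-47-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2")
SERVER_JA3S = "771,4866,43-51"

if __name__ == "__main__":
    for s in (CLIENT_JA3, SERVER_JA3S):
        p = parse_ja3(s)
        print(p["kind"], p["md5"], "tls13" if p["offers_tls13"] else "tls12-or-lower",
              len(p["ciphers"]), "suites", len(p["extensions"]), "extensions")
```

For the server string, 4866 with extensions 43 and 51 says the server selected TLS_AES_256_GCM_SHA384 over TLS 1.3, which is the kind of cross-check to run when the version field and the cipher_suite field of a record appear to disagree.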
DNS protocol
Field name | Description | Example value |
type | Indicates the DNS message type. Valid values: query (a request from the client) and response (an answer from the server). | query |
id | The transaction ID. This is a 16-bit unique identifier used to match requests with responses. | 40125 |
rcode | The response code. It indicates the processing result status of the DNS request. | NOCODE |
query_name | The fully qualified domain name (FQDN) that the client requests to resolve. | oss-cn-hangzhou.aliyuncs.com |
query_type | The requested resource record (RR) type. It determines the type of data to be returned. | A |
answers | The Answer Section in the response. It contains resource records that directly answer the query and is represented as a JSON array. | |
additional | The Additional Section in the response. It provides extra data related to the query and is represented as a JSON array. | [ ] |
authority | The Authority Section in the response. It provides information about the authoritative DNS servers (NS records) for the domain name and is represented as a JSON array. | |
Database protocols
Database protocols, such as MySQL and PostgreSQL, use the same log fields. However, not all fields can be extracted for every protocol. Result set extraction is not supported for some database protocols. Several of these fields carry authentication material or data content (salt, auth_response, sql, return_rows_data), so treat the logs themselves as sensitive and restrict who can query them.
Field name | Description | Example value |
db_type | Identifies the database engine type. Valid values include MySQL and PostgreSQL. | MySQL |
type | The current log type, which identifies the protocol phase the record describes. | Server Greeting & Login Request |
user | The username that initiated the operation. | root |
db | The target database name (the default database specified during connection). | test_db |
protocol_version | The database protocol version number. | 10 |
salt | The random salt value generated by the server during the authentication phase. | x!2k7Gg^9TqL |
server_version | The database server version string. | 5.7.40-log |
server_status | The server status flag. | 2 |
auth_response | The client's authentication response: a scramble (hash) of the password computed with the server-provided salt, not an encryption of it. | 5f28eeab88bfc739938db314591ff3f9501e8cd5 |
command_type | The SQL command type. | Query |
sql | The raw SQL statement text. | |
fail | Indicates whether the operation failed. | 0 |
result | Summary of operation results. | SUCCESS |
error_code | The database-specific error code. | 0 |
error_message | A human-readable description of the error. | You have an error in your SQL syntax |
return_rows | The number of result rows returned by the query. | 1 |
return_rows_data | The specific content of the result set in CSV format. | admin,123456 |
affect_rows | The number of rows affected by the DML operation. | 3 |
last_insert_id | The most recently inserted value of the auto-increment primary key. | 42 |
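The salt and auth_response fields together deserve the same protection as a password hash. For MySQL's mysql_native_password plugin (the default for the 5.7 server in the example above; MySQL 8 defaults to caching_sha2_password, which differs) the client sends SHA1(password) XOR SHA1(salt || SHA1(SHA1(password))), a deterministic function of the logged salt and the password, so anyone who can read both fields can test candidate passwords offline. The Python below is an added example, not code from the page or from NDR, and implements the documented algorithm for both sides plus the offline check. The 20-byte salt (the page's 12-character example padded to the real length) and the weak password are constructed.

```python
import hashlib
from typing import Iterable, Optional


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def native_password_scramble(password: str, salt: bytes) -> bytes:
    """Client side of mysql_native_password: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    if not password:
        return b""                        # an empty password sends an empty auth response
    stage1 = _sha1(password.encode())
    stage2 = _sha1(stage1)                # this double hash is what mysql.user stores
    return bytes(a ^ b for a, b in zip(stage1, _sha1(salt + stage2)))


def server_verify(auth_response: bytes, salt: bytes, stored_stage2: bytes) -> bool:
    """Server side: recover stage1 from the scramble and check SHA1(stage1) == stored hash."""
    if len(auth_response) != 20:
        return False
    stage1 = bytes(a ^ b for a, b in zip(auth_response, _sha1(salt + stored_stage2)))
    return _sha1(stage1) == stored_stage2


def offline_guess(salt: bytes, auth_response_hex: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """What a reader of the log can do: replay candidates against salt + auth_response."""
    target = bytes.fromhex(auth_response_hex)
    for pw in candidates:
        if native_password_scramble(pw, salt) == target:
            return pw
    return None


# Constructed values: 20-byte salt (page example padded) and a weak password.
SAMPLE_SALT = b"x!2k7Gg^9TqLabcdefgh"
SAMPLE_PASSWORD = "123456"
SAMPLE_AUTH_RESPONSE_HEX = native_password_scramble(SAMPLE_PASSWORD, SAMPLE_SALT).hex()


def demo_recovered_password() -> Optional[str]:
    """Run the offline check with a tiny constructed wordlist."""
    return offline_guess(SAMPLE_SALT, SAMPLE_AUTH_RESPONSE_HEX,
                         ["password", "admin", "123456"])


if __name__ == "__main__":
    print("logged salt:", SAMPLE_SALT.decode())
    print("logged auth_response:", SAMPLE_AUTH_RESPONSE_HEX)
    print("recovered password:", demo_recovered_password())
```

The per-guess cost is three SHA-1 operations, so a leaked log line with a weak password falls to a wordlist in well under a second; this is the practical reason the salt and auth_response columns should be masked or access-controlled in the same way as the FTP password field.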
FTP protocol
Field name | Description | Example value |
user | The username used for authentication over the FTP protocol. This field identifies the client entity that initiated the session. | user |
password | The plaintext password submitted by the client during the authentication phase. | password |
cwd | The current working directory path of the client. This field records the file system location where the user executes commands and is dynamically updated by the CWD (and CDUP) command. | /test |
request_command | The FTP command sent by the client, as defined in RFC 959. It represents the type of operation requested by the client, for example USER, PASS, CWD, LIST, RETR, or STOR. | USER |
request_arg | The parameter accompanying the FTP command sent by the client. It combines with request_command to form the full command line (for example, USER username). | username |
response_code | The three-digit status code from the server in response to a request (RFC 959 standard). The first digit indicates the response category: 1xx positive preliminary, 2xx positive completion, 3xx positive intermediate (more input needed, such as 331 "User name okay, need password"), 4xx transient negative, 5xx permanent negative. | 331 |
response_arg | The additional text information that follows the server response status code. It provides a readable explanation or details. | Anonymous access granted, restrictions apply |
WebSocket protocol
Field name | Description | Example value |
opcode | A 4-bit unsigned integer in the low nibble of the first byte of the WebSocket frame header (bits 4-7 in the RFC 6455 diagram). It identifies the frame type: 0 continuation, 1 text, 2 binary, 8 close, 9 ping, 10 pong. | 1 |
masking_key | A 4-byte (32-bit) random value XORed byte by byte over the payload data. RFC 6455 requires it in every frame sent from the client to the server and forbids it in server-to-client frames. The value of this field is the hexadecimal representation of the masking key. | b37e1b69 |
payload_len | The length of the payload data in bytes. | 15 |
payload | The actual application layer data carried in the frame. | |
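The four WebSocket fields map directly onto the RFC 6455 frame header, and a small parser makes the relationship concrete: the opcode is the low nibble of byte 0, the mask bit and 7-bit length share byte 1 (126 and 127 escape to 16- and 64-bit lengths), the masking key follows only when the mask bit is set, and the logged payload is the unmasked data. The Python below is an added example, not code from the page or from NDR. The two frames are constructed: a masked client text frame using the masking key from the example above, and an unmasked 300-byte server binary frame that exercises the extended-length branch.

```python
import struct
from typing import Dict, List, Optional

OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}


def _mask(payload: bytes, key: bytes) -> bytes:
    """XOR masking from RFC 6455 section 5.3; XOR is its own inverse."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def parse_frame(frame: bytes) -> Dict:
    """Parse one RFC 6455 frame into the fields NDR logs for WebSocket."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte minimal header")
    b0, b1 = frame[0], frame[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F                    # low nibble of byte 0
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F                    # 7-bit length or 126/127 escape
    pos = 2
    if length == 126:
        (length,) = struct.unpack("!H", frame[pos:pos + 2]); pos += 2
    elif length == 127:
        (length,) = struct.unpack("!Q", frame[pos:pos + 8]); pos += 8
    key: Optional[bytes] = None
    if masked:
        key = frame[pos:pos + 4]; pos += 4
    payload = frame[pos:pos + length]
    if len(payload) != length:
        raise ValueError("payload truncated: header promises %d bytes" % length)
    if masked:
        payload = _mask(payload, key)
    return {"fin": fin, "opcode": opcode, "opcode_name": OPCODES.get(opcode, "reserved"),
            "masking_key": key.hex() if key else None,
            "payload_len": length, "payload": payload}


def build_frame(payload: bytes, opcode: int = 0x1,
                masking_key: Optional[bytes] = None, fin: bool = True) -> bytes:
    """Encoder used only to construct the sample frames below."""
    header = bytes([(0x80 if fin else 0) | (opcode & 0x0F)])
    mask_bit = 0x80 if masking_key else 0
    n = len(payload)
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 1 << 16:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if masking_key:
        return header + masking_key + _mask(payload, masking_key)
    return header + payload


def direction_violations(parsed: Dict, from_client: bool) -> List[str]:
    """RFC 6455 section 5.1: client frames MUST be masked, server frames MUST NOT be."""
    if from_client and parsed["masking_key"] is None:
        return ["unmasked client frame"]
    if not from_client and parsed["masking_key"] is not None:
        return ["masked server frame"]
    return []


# Constructed sample frames.
CLIENT_FRAME = build_frame(b"Hello, NDR log!", masking_key=bytes.fromhex("b37e1b69"))
SERVER_FRAME = build_frame(b"A" * 300, opcode=0x2)

if __name__ == "__main__":
    for frame, from_client in ((CLIENT_FRAME, True), (SERVER_FRAME, False)):
        p = parse_frame(frame)
        print(p["opcode_name"], p["masking_key"], p["payload_len"],
              direction_violations(p, from_client))
```

A frame that violates the masking rule for its direction is a useful anomaly on its own: legitimate browsers never send unmasked frames, so one in client-to-server traffic points at a non-browser client or a tunnelling tool speaking WebSocket loosely.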
SSH protocol
Field name | Description | Example value |
client | The name and version of the client software that initiated the SSH connection, such as OpenSSH. This information is used to analyze compatibility, identify security vulnerabilities, analyze client behavior, and manage security policies. | OpenSSH_8.4p1 |
server | The name and version of the server software that accepted the SSH connection, such as an OpenSSH server. This is used for server identification, vulnerability management, and security patch tracking. | OpenSSH_8.4p1 Ubuntu-4ubuntu0.3 |
version | The version number of the SSH protocol (1, 2, or not set), which is negotiated at the start of the connection. | 2 |
cipher_alg | The symmetric encryption algorithm used in the SSH session to encrypt data transmission and ensure data confidentiality. Common algorithms include AES-CTR or ChaCha20. Selecting a strong algorithm, such as AES-256, can defend against eavesdropping attacks. | AES-128-GCM |
compression_alg | The algorithm used for data compression in SSH to reduce network bandwidth usage. The value can be none (no compression) or a specific algorithm such as zlib. Enabling compression may affect performance, so a balance between efficiency and security is needed. | none |
host_key | The fingerprint of the SSH server's public key. It is used to verify the server's identity and prevent man-in-the-middle attacks. The fingerprint is a summary of the public key, which users can compare to confirm they are connecting to a legitimate server. | cc:aa:aa:b7:********:cc:50:11:2d:71:f0:ee |
host_key_alg | The public key algorithm type used by the SSH server's host key, such as RSA or ECDSA. The strength of the algorithm directly affects the security of identity verification. Strong algorithms, such as RSA-SHA2, can defend against forgery attacks. | ECDSA-SHA2-NISTP256 |
kex_alg | The key exchange algorithm used during the SSH connection initialization phase. It is used to negotiate the session key and provide forward secrecy. Common algorithms include Curve25519 or Diffie-Hellman. A secure implementation can prevent key leakage. | Curve25519-SHA256 |
mac_alg | The algorithm used for the Message Authentication Code (MAC) in SSH. It ensures data integrity and authenticity and prevents tampering. Common examples include the HMAC-SHA2 series. A strong MAC algorithm is fundamental to secure data transmission. | HMAC-SHA2-256-ETM |
auth_attempts | The number of authentication attempts during the SSH authentication process. This includes attempts using methods such as username and password or public key. A value greater than 1 may indicate multiple failed attempts or that the server requires two-factor authentication. This field is used to monitor brute-force attacks and audit security events. | 3 |
auth_success | Indicates the final result of the SSH authentication. The value is a Boolean (true or false). Success or failure information is used to detect unauthorized access, audit logs, and trigger security alerts. It is a key indicator for preventing account hijacking. | false |
RDP protocol
Field name | Description | Example value |
cert_count | The number of digital certificates used in the RDP session. These certificates are used for server authentication and secure communication to enhance connection trust. | 2 |
cert_type | The issuance type of the certificate, such as a self-signed certificate or a certificate issued by a certification authority (CA). This affects the security level of the authentication. | RSA |
encryption_level | The encryption strength level of the RDP connection. It determines the level of confidentiality and integrity protection for data transmission. | Client compatible |
encryption_method | The encryption method of the RDP connection. | 56bit |
result | The final status of the RDP connection attempt. It reflects the reason for session establishment or termination. | Success |
client_build | The software build version number of the RDP client. It identifies the specific release version of the client application. | RDP 5.1 |
client_channels | A list of channels supported by the RDP client. These are used for data transmission features, such as clipboard sharing or printer redirection. | rdpdr, cliprdr, rdpsnd |
client_dig_product_id | A unique digital identifier for the client product. It is used to identify and track the source of the software product. | 76487-OEM-******-00107 |
client_name | The client computer name or host identifier that initiated the RDP connection. It is used for session source identification. | UserPC |
cookie | The routing cookie from the X.224 Connection Request that opens an RDP session. Load balancers use it to route the connection, and clients typically send mstshash=<username>, so the field often reveals the login name before authentication. | session_token |
MQTT protocol
Field name | Description | Example value |
ack | Indicates whether the subscription message is acknowledged by the server. In the Message Queuing Telemetry Transport (MQTT) protocol, the server sends an acknowledgement flag when a subscription request is accepted. | true |
action | Indicates the type of subscription operation, such as SUBSCRIBE or UNSUBSCRIBE. | SUBSCRIBE |
topics | A list of topics to which the client subscribes. It is used to specify the scope of message reception. | sensor/temperature |
client_id | The unique identifier of the client. It is used for session management and authentication. | client123 |
connect_status | Indicates the connection status between the client and the server. | Connection Accepted |
proto_name | The name of the protocol used, which is usually MQTT. | MQTT |
proto_version | The version number of the MQTT protocol, such as 3.1.1 or 5.0. It is used for compatibility management. | 3.1.1 |
will_payload | The content of the will message, which is automatically published when the client disconnects unexpectedly. | offline |
will_topic | The topic to which the will message is published. It is used to specify the destination path of the message. | status/offline |
from_client | Indicates whether the message was published by the client, not the server. | TRUE |
payload | The actual content of the message. It can be in any data format, such as text or binary. | Hello World |
payload_len | The length of the message payload in bytes. It is used to monitor data size. | 11 |
qos | The Quality of Service level. | at most once |
retain | Indicates whether the message is retained on the server so that new subscribers can receive it immediately. | false |
status | The status of the message publication. | ok |
topic | The topic path to which the message is published. It is used for routing and filtering messages. | sensor/data |
Syslog protocol
Field name | Description | Example value |
facility | Indicates the source type of the log message, such as the kernel, a user program, or the mail system. In the Syslog protocol, the facility is used to categorize the component that generated the log, which helps with log filtering and analysis. | USER |
message | The actual content of the log message. It contains detailed information about an event, error, or operation. In the Syslog protocol, the message field stores the core log data for diagnosing and monitoring system behavior. | System rebooted unexpectedly |
severity | Indicates the severity level of the log message, ranging from emergency (highest urgency) to debug. Levels include emergency, alert, critical, error, warning, notice, info, and debug. These are used to prioritize important events. | INFO |
SIP protocol
Field name | Description | Example value |
call_id | In the Session Initiation Protocol (SIP), this is the value of the Call-ID header field that uniquely identifies a call session. It is used to associate all requests and responses within the same session. | 101365e0-7e65-****-****-00163e10aabd |
method | The method type of the SIP request, such as INVITE (establish a session), ACK (acknowledge), BYE (terminate a session), or CANCEL (cancel a request). It defines the type of operation. | INVITE |
seq | The CSeq field in a SIP message. It indicates the command sequence number and method. It is used to match requests with responses and ensure message order and integrity. | 12345 INVITE |
uri | The Uniform Resource Identifier (URI) in the SIP request line. It specifies the target address resource of the request. | sip:bob@example.com |
content_type | The media type of the response body, such as application/sdp (Session Description Protocol). It is used to describe the format of the message content. | application/sdp |
response_body_len | The length of the response body in bytes. It indicates the data size and is used to diagnose network transmission issues. | 256 |
response_from | The source address of the response message, which usually corresponds to the SIP From header field. It identifies the message originator. | "66666" <sip:66666@example.com> |
response_to | The destination address of the response message, which usually corresponds to the SIP To header field. It identifies the message recipient and may include a tag parameter. | <sip:777777@example.com>;tag=aaaaaaaaaa |
status_code | The SIP response status code. It indicates the result of the request processing, such as 180 (Ringing), 200 (OK), 404 (Not Found), or 500 (Server Internal Error). | 180 |
status_msg | The text description associated with the status code, such as OK or Not Found. It provides a readable explanation of the status code. | Ringing |
warning | Contains warning text that indicates potential issues or non-critical errors, such as session timeouts or compatibility problems. | 399 example.com Session expired |
reply_to | Specifies the address for reply messages. It is used to redirect responses and usually corresponds to the SIP Reply-To header field. | sip:carol@example.com |
request_body_len | The length of the request body in bytes. It indicates the data size and is used to monitor bandwidth usage and transmission efficiency. | 128 |
request_from | The source address of the request message, which usually corresponds to the SIP From header field. It identifies the message originator. | "66666" <sip:66666@example.com> |
request_to | The destination address of the request message, which usually corresponds to the SIP To header field. It identifies the message recipient. | <sip:777777@example.com>;tag=aaaaaaaaaa |
user_agent | Identifies the client software or device that sent the request. It is used for user agent identification and compatibility checks. | Zoiper/2.0 |