Network

A network event.

JSON representation

JSON representation
{ "sentBytes" : string , "receivedBytes" : string , "totalBytes" : string , "sentPackets" : string , "receivedPackets" : string , "sessionDuration" : string , "sessionId" : string , "parentSessionId" : string , "applicationProtocolVersion" : string , "communityId" : string , "direction" : enum ( `Direction` ) , "ipProtocol" : enum ( `IpProtocol` ) , "applicationProtocol" : enum ( `ApplicationProtocol` ) , "ftp" : { object ( `Ftp` ) } , "email" : { object ( `Email` ) } , "dns" : { object ( `Dns` ) } , "dhcp" : { object ( `Dhcp` ) } , "http" : { object ( `Http` ) } , "tls" : { object ( `Tls` ) } , "smtp" : { object ( `Smtp` ) } , "asn" : string , "dnsDomain" : string , "carrierName" : string , "organizationName" : string , "ipSubnetRange" : string , "isProxy" : boolean , "proxyInfo" : { object ( `ProxyInfo` ) } , "connectionState" : enum ( `ConnectionState` ) }

 { 
 "sentBytes" 
 : 
 string 
 , 
 "receivedBytes" 
 : 
 string 
 , 
 "totalBytes" 
 : 
 string 
 , 
 "sentPackets" 
 : 
 string 
 , 
 "receivedPackets" 
 : 
 string 
 , 
 "sessionDuration" 
 : 
 string 
 , 
 "sessionId" 
 : 
 string 
 , 
 "parentSessionId" 
 : 
 string 
 , 
 "applicationProtocolVersion" 
 : 
 string 
 , 
 "communityId" 
 : 
 string 
 , 
 "direction" 
 : 
 enum (  Direction 
 
) 
 , 
 "ipProtocol" 
 : 
 enum (  IpProtocol 
 
) 
 , 
 "applicationProtocol" 
 : 
 enum (  ApplicationProtocol 
 
) 
 , 
 "ftp" 
 : 
 { 
 object (  Ftp 
 
) 
 } 
 , 
 "email" 
 : 
 { 
 object (  Email 
 
) 
 } 
 , 
 "dns" 
 : 
 { 
 object (  Dns 
 
) 
 } 
 , 
 "dhcp" 
 : 
 { 
 object (  Dhcp 
 
) 
 } 
 , 
 "http" 
 : 
 { 
 object (  Http 
 
) 
 } 
 , 
 "tls" 
 : 
 { 
 object (  Tls 
 
) 
 } 
 , 
 "smtp" 
 : 
 { 
 object (  Smtp 
 
) 
 } 
 , 
 "asn" 
 : 
 string 
 , 
 "dnsDomain" 
 : 
 string 
 , 
 "carrierName" 
 : 
 string 
 , 
 "organizationName" 
 : 
 string 
 , 
 "ipSubnetRange" 
 : 
 string 
 , 
 "isProxy" 
 : 
 boolean 
 , 
 "proxyInfo" 
 : 
 { 
 object (  ProxyInfo 
 
) 
 } 
 , 
 "connectionState" 
 : 
 enum (  ConnectionState 
 
) 
 }

Fields
`sentBytes`	`string` The number of bytes sent.
`receivedBytes`	`string` The number of bytes received.
`totalBytes`	`string ( int64 format)` The number of total bytes.
`sentPackets`	`string ( int64 format)` The number of packets sent.
`receivedPackets`	`string ( int64 format)` The number of packets received.
`sessionDuration`	`string ( Duration format)` The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. A duration in seconds with up to nine fractional digits, ending with ' `s` '. Example: `"3.5s"` .
`sessionId`	`string` The ID of the network session.
`parentSessionId`	`string` The ID of the parent network session.
`applicationProtocolVersion`	`string` The version of the application protocol. e.g. "1.1, 2.0"
`communityId`	`string` Community ID network flow value.
`direction`	`enum ( Direction )` The direction of network traffic.
`ipProtocol`	`enum ( IpProtocol )` The IP protocol.
`applicationProtocol`	`enum ( ApplicationProtocol )` The application protocol.
`ftp`	`object ( Ftp )` FTP info.
`email`	`object ( Email )` Email info for the sender/recipient.
`dns`	`object ( Dns )` DNS info.
`dhcp`	`object ( Dhcp )` DHCP info.
`http`	`object ( Http )` HTTP info.
`tls`	`object ( Tls )` TLS info.
`smtp`	`object ( Smtp )` SMTP info. Store fields specific to SMTP not covered by Email.
`asn`	`string` Autonomous system number.
`dnsDomain`	`string` DNS domain name.
`carrierName`	`string` Carrier identification.
`organizationName`	`string` Organization name (e.g Google).
`ipSubnetRange`	`string` Associated human-readable IP subnet range (e.g. 10.1.2.0/24).
`isProxy`	`boolean` Whether the IP address is a known proxy.
`proxyInfo`	`object ( ProxyInfo )` Proxy information. Only set if isProxy is true.
`connectionState`	`enum ( ConnectionState )` Output only. The state of the network connection.

Ftp

FTP info.

JSON representation
{ "command" : string }

Fields

Fields
`command`	`string` The FTP command.

command

string

The FTP command.

Email

Email info.

JSON representation
{ "from" : string , "replyTo" : string , "to" : [ string ] , "cc" : [ string ] , "bcc" : [ string ] , "mailId" : string , "subject" : [ string ] , "bounceAddress" : string }

Fields
`from`	`string` The 'from' address.
`replyTo`	`string` The 'reply to' address.
`to[]`	`string` A list of 'to' addresses.
`cc[]`	`string` A list of 'cc' addresses.
`bcc[]`	`string` A list of 'bcc' addresses.
`mailId`	`string` The mail (or message) ID.
`subject[]`	`string` The subject line(s) of the email.
`bounceAddress`	`string` The envelope from address. https://en.wikipedia.org/wiki/Bounce_address

Dns

DNS information.

JSON representation

JSON representation
{ "id" : integer , "response" : boolean , "opcode" : integer , "authoritative" : boolean , "truncated" : boolean , "recursionDesired" : boolean , "recursionAvailable" : boolean , "responseCode" : integer , "questions" : [ { object ( `Question` ) } ] , "answers" : [ { object ( `ResourceRecord` ) } ] , "authority" : [ { object ( `ResourceRecord` ) } ] , "additional" : [ { object ( `ResourceRecord` ) } ] }

 { 
 "id" 
 : 
 integer 
 , 
 "response" 
 : 
 boolean 
 , 
 "opcode" 
 : 
 integer 
 , 
 "authoritative" 
 : 
 boolean 
 , 
 "truncated" 
 : 
 boolean 
 , 
 "recursionDesired" 
 : 
 boolean 
 , 
 "recursionAvailable" 
 : 
 boolean 
 , 
 "responseCode" 
 : 
 integer 
 , 
 "questions" 
 : 
 [ 
 { 
 object (  Question 
 
) 
 } 
 ] 
 , 
 "answers" 
 : 
 [ 
 { 
 object (  ResourceRecord 
 
) 
 } 
 ] 
 , 
 "authority" 
 : 
 [ 
 { 
 object (  ResourceRecord 
 
) 
 } 
 ] 
 , 
 "additional" 
 : 
 [ 
 { 
 object (  ResourceRecord 
 
) 
 } 
 ] 
 }

Fields
`id`	`integer ( uint32 format)` DNS query id.
`response`	`boolean` Set to true if the event is a DNS response. See QR field from RFC1035.
`opcode`	`integer ( uint32 format)` The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).
`authoritative`	`boolean` Other DNS header flags. See RFC1035, section 4.1.1.
`truncated`	`boolean` Whether the DNS response was truncated.
`recursionDesired`	`boolean` Whether a recursive DNS lookup is desired.
`recursionAvailable`	`boolean` Whether a recursive DNS lookup is available.
`responseCode`	`integer ( uint32 format)` Response code. See RCODE from RFC1035.
`questions[]`	`object ( Question )` A list of domain protocol message questions.
`answers[]`	`object ( ResourceRecord )` A list of answers to the domain name query.
`authority[]`	`object ( ResourceRecord )` A list of domain name servers which verified the answers to the domain name queries.
`additional[]`	`object ( ResourceRecord )` A list of additional domain name servers that can be used to verify the answer to the domain.

Question

DNS Questions. See RFC1035, section 4.1.2.

JSON representation
{ "name" : string , "type" : integer , "class" : integer , "prevalence" : { object ( `Prevalence` ) } }

Fields
`name`	`string` The domain name.
`type`	`integer ( uint32 format)` The code specifying the type of the query.
`class`	`integer ( uint32 format)` The code specifying the class of the query.
`prevalence`	`object ( Prevalence )` The prevalence of the domain within the customer's environment.

ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

JSON representation
{ "name" : string , "type" : integer , "class" : integer , "ttl" : integer , "data" : string , "binaryData" : string }

Fields
`name`	`string` The name of the owner of the resource record.
`type`	`integer ( uint32 format)` The code specifying the type of the resource record.
`class`	`integer ( uint32 format)` The code specifying the class of the resource record.
`ttl`	`integer ( uint32 format)` The time interval for which the resource record can be cached before the source of the information should again be queried.
`data`	`string` The payload or response to the DNS question for all responses encoded in UTF-8 format
`binaryData`	`string ( bytes format)` The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. A base64-encoded string.

Dhcp

DHCP information.

JSON representation

JSON representation
{ "opcode" : enum ( `OpCode` ) , "htype" : integer , "hlen" : integer , "hops" : integer , "transactionId" : integer , "seconds" : integer , "flags" : integer , "ciaddr" : string , "yiaddr" : string , "siaddr" : string , "giaddr" : string , "chaddr" : string , "sname" : string , "file" : string , "options" : [ { object ( `Option` ) } ] , "type" : enum ( `MessageType` ) , "leaseTimeSeconds" : integer , "clientHostname" : string , "clientIdentifier" : string , "requestedAddress" : string , "clientIdentifierString" : string }

 { 
 "opcode" 
 : 
 enum (  OpCode 
 
) 
 , 
 "htype" 
 : 
 integer 
 , 
 "hlen" 
 : 
 integer 
 , 
 "hops" 
 : 
 integer 
 , 
 "transactionId" 
 : 
 integer 
 , 
 "seconds" 
 : 
 integer 
 , 
 "flags" 
 : 
 integer 
 , 
 "ciaddr" 
 : 
 string 
 , 
 "yiaddr" 
 : 
 string 
 , 
 "siaddr" 
 : 
 string 
 , 
 "giaddr" 
 : 
 string 
 , 
 "chaddr" 
 : 
 string 
 , 
 "sname" 
 : 
 string 
 , 
 "file" 
 : 
 string 
 , 
 "options" 
 : 
 [ 
 { 
 object (  Option 
 
) 
 } 
 ] 
 , 
 "type" 
 : 
 enum (  MessageType 
 
) 
 , 
 "leaseTimeSeconds" 
 : 
 integer 
 , 
 "clientHostname" 
 : 
 string 
 , 
 "clientIdentifier" 
 : 
 string 
 , 
 "requestedAddress" 
 : 
 string 
 , 
 "clientIdentifierString" 
 : 
 string 
 }

Fields
`opcode`	`enum ( OpCode )` The BOOTP op code.
`htype`	`integer ( uint32 format)` Hardware address type.
`hlen`	`integer ( uint32 format)` Hardware address length.
`hops`	`integer ( uint32 format)` Hardware ops.
`transactionId`	`integer ( uint32 format)` Transaction ID.
`seconds`	`integer ( uint32 format)` Seconds elapsed since client began address acquisition/renewal process.
`flags`	`integer ( uint32 format)` Flags.
`ciaddr`	`string` Client IP address (ciaddr).
`yiaddr`	`string` Your IP address (yiaddr).
`siaddr`	`string` IP address of the next bootstrap server.
`giaddr`	`string` Relay agent IP address (giaddr).
`chaddr`	`string` Client hardware address (chaddr).
`sname`	`string` Server name that the client wishes to boot from.
`file`	`string` Boot image filename.
`options[]`	`object ( Option )` List of DHCP options.
`type`	`enum ( MessageType )` DHCP message type.
`leaseTimeSeconds`	`integer ( uint32 format)` Lease time in seconds. See RFC2132, section 9.2.
`clientHostname`	`string` Client hostname. See RFC2132, section 3.14.
`clientIdentifier`	`string ( bytes format)` Client identifier. See RFC2132, section 9.14. Note: Make sure to update the clientIdentifierString field as well if you update this field. A base64-encoded string.
`requestedAddress`	`string` Requested IP address. See RFC2132, section 9.1.
`clientIdentifierString`	`string` Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the clientIdentifier.

Option

DHCP options.

JSON representation
{ "code" : integer , "data" : string }

Fields

Fields
`code`	`integer ( uint32 format)` Code. See RFC1533.
`data`	`string ( bytes format)` Data. A base64-encoded string.

code

integer ( uint32 format)

Code. See RFC1533.

data

string ( bytes format)

Data.

A base64-encoded string.

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

JSON representation
{ "method" : string , "referralUrl" : string , "userAgent" : string , "responseCode" : integer , "parsedUserAgent" : { object ( `UserAgentProto` ) } }

Fields
`method`	`string` The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
`referralUrl`	`string` The URL for the HTTP referer.
`userAgent`	`string` The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
`responseCode`	`integer` The response status code, for example 200, 302, 404, or 500.
`parsedUserAgent`	`object ( UserAgentProto )` The parsed userAgent string.

Tls

Transport Layer Security (TLS) information.

JSON representation

JSON representation
{ "client" : { object ( `Client` ) } , "server" : { object ( `Server` ) } , "cipher" : string , "curve" : string , "version" : string , "versionProtocol" : string , "established" : boolean , "nextProtocol" : string , "resumed" : boolean }

 { 
 "client" 
 : 
 { 
 object (  Client 
 
) 
 } 
 , 
 "server" 
 : 
 { 
 object (  Server 
 
) 
 } 
 , 
 "cipher" 
 : 
 string 
 , 
 "curve" 
 : 
 string 
 , 
 "version" 
 : 
 string 
 , 
 "versionProtocol" 
 : 
 string 
 , 
 "established" 
 : 
 boolean 
 , 
 "nextProtocol" 
 : 
 string 
 , 
 "resumed" 
 : 
 boolean 
 }

Fields
`client`	`object ( Client )` Certificate information for the client certificate.
`server`	`object ( Server )` Certificate information for the server certificate.
`cipher`	`string` Cipher used during the connection.
`curve`	`string` Elliptical curve used for a given cipher.
`version`	`string` TLS version.
`versionProtocol`	`string` Protocol.
`established`	`boolean` Indicates whether the TLS negotiation was successful.
`nextProtocol`	`string` Protocol to be used for tunnel.
`resumed`	`boolean` Indicates whether the TLS connection was resumed from a previous TLS negotiation.

Client

Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).

JSON representation
{ "certificate" : { object ( `Certificate` ) } , "ja3" : string , "serverName" : string , "supportedCiphers" : [ string ] }

Fields
`certificate`	`object ( Certificate )` Client certificate.
`ja3`	`string` JA3 hash from the TLS ClientHello, as a hex-encoded string.
`serverName`	`string` Host name of the server, that the client is connecting to.
`supportedCiphers[]`	`string` Ciphers supported by the client during client hello.

Certificate

Certificate information

JSON representation
{ "version" : string , "serial" : string , "subject" : string , "issuer" : string , "md5" : string , "sha1" : string , "sha256" : string , "notBefore" : string , "notAfter" : string }

Fields
`version`	`string` Certificate version.
`serial`	`string` Certificate serial number.
`subject`	`string` Subject of the certificate.
`issuer`	`string` Issuer of the certificate.
`md5`	`string` The MD5 hash of the certificate, as a hex-encoded string.
`sha1`	`string` The SHA1 hash of the certificate, as a hex-encoded string.
`sha256`	`string` The SHA256 hash of the certificate, as a hex-encoded string.
`notBefore`	`string ( Timestamp format)` Indicates when the certificate is first valid. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"` , `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"` .
`notAfter`	`string ( Timestamp format)` Indicates when the certificate is no longer valid. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"` , `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"` .

Server

Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).

JSON representation
{ "certificate" : { object ( `Certificate` ) } , "ja3s" : string }

Fields

Fields
`certificate`	`object ( Certificate )` Server certificate.
`ja3s`	`string` JA3 hash from the TLS ServerHello, as a hex-encoded string.

certificate

object ( Certificate )

Server certificate.

ja3s

string

JA3 hash from the TLS ServerHello, as a hex-encoded string.

Smtp

SMTP info. See RFC 2821.

JSON representation
{ "helo" : string , "mailFrom" : string , "rcptTo" : [ string ] , "serverResponse" : [ string ] , "messagePath" : string , "isWebmail" : boolean , "isTls" : boolean }

Fields
`helo`	`string` The client's 'HELO'/'EHLO' string.
`mailFrom`	`string` The client's 'MAIL FROM' string.
`rcptTo[]`	`string` The client's 'RCPT TO' string(s).
`serverResponse[]`	`string` The server's response(s) to the client.
`messagePath`	`string` The message's path (extracted from the headers).
`isWebmail`	`boolean` If the message was sent via a webmail client.
`isTls`	`boolean` If the connection switched to TLS.

ProxyInfo

Proxy information.

JSON representation
{ "anonymous" : boolean , "anonymousVpn" : boolean , "publicProxy" : boolean , "torExitNode" : boolean , "smartDnsProxy" : boolean , "hostingProvider" : boolean , "vpnDatacenter" : boolean , "residentialProxy" : boolean , "vpnServiceName" : string , "proxyOverVpn" : boolean , "relayProxy" : boolean }

JSON representation

 { 
 "anonymous" 
 : 
 boolean 
 , 
 "anonymousVpn" 
 : 
 boolean 
 , 
 "publicProxy" 
 : 
 boolean 
 , 
 "torExitNode" 
 : 
 boolean 
 , 
 "smartDnsProxy" 
 : 
 boolean 
 , 
 "hostingProvider" 
 : 
 boolean 
 , 
 "vpnDatacenter" 
 : 
 boolean 
 , 
 "residentialProxy" 
 : 
 boolean 
 , 
 "vpnServiceName" 
 : 
 string 
 , 
 "proxyOverVpn" 
 : 
 boolean 
 , 
 "relayProxy" 
 : 
 boolean 
 }

Fields
`anonymous`	`boolean` Whether the IP address is anonymous.
`anonymousVpn`	`boolean` Whether the IP address is an anonymous VPN.
`publicProxy`	`boolean` Whether the IP address is a public proxy.
`torExitNode`	`boolean` Whether the IP address is a tor exit node.
`smartDnsProxy`	`boolean` Whether the IP address is a smart DNS proxy.
`hostingProvider`	`boolean` Whether the IP address is a hosting provider.
`vpnDatacenter`	`boolean` Whether the IP address is a VPN datacenter.
`residentialProxy`	`boolean` Whether the IP address is a residential proxy.
`vpnServiceName`	`string` The name of the VPN service.
`proxyOverVpn`	`boolean` Whether the IP address is a proxy over VPN.
`relayProxy`	`boolean` Whether the IP address is a relay proxy.