2021-05-19 09:22:35 +02:00
# D4 encapsulation protocol version 1
![Overview of the D4 encapsulation protocol](https://raw.githubusercontent.com/D4-project/architecture/master/docs/diagram/d4-protocol-encapsulation.png)
## Headers
| Name      | bit size | Description                              |
|-----------|----------|:----------------------------------------:|
| version   | uint 8   | Version of the header                    |
| type      | uint 8   | Data encapsulated type                   |
| uuid      | uint 128 | Sensor UUID                              |
| timestamp | uint 64  | Encapsulation time                       |
| hmac      | uint 256 | Authentication header (HMAC-SHA-256-128) |
| size      | uint 32  | Payload size                             |

## Types

The type field identifies the format encapsulated within the D4 protocol. The defined types are:

| Type | Description                                                                         |
|------|:------------------------------------------------------------------------------------|
| 0    | Reserved                                                                            |
| 1    | pcap (libpcap 2.4)                                                                  |
| 2    | meta header (JSON)                                                                  |
| 3    | generic log line                                                                    |
| 4    | [dnscap](https://github.com/DNS-OARC/dnscap) output                                 |
| 5    | pcapng (diagnostic)                                                                 |
| 6    | generic NDJSON or JSON Lines                                                        |
| 7    | generic [YAF](https://tools.netsa.cert.org/yaf/index.html) (Yet Another Flowmeter)  |
| 8    | [passivedns](https://github.com/gamelinux/passivedns) CSV stream                    |
| 254  | type defined by meta header (type 2)                                                |

The D4 type list is [available in JSON format](https://raw.githubusercontent.com/D4-project/architecture/master/format/type.json).

## Meta types (via meta header)
When a new session is opened, a type 2 (meta header) packet MUST be sent before any D4 packet of type 254, so that the
D4 server knows how to decode those packets. A meta header payload contains a single JSON object which describes the
next packet of type 254 in the stream. The JSON object MUST at least contain a `type` field. A sample meta header
payload (type 2):

~~~~json
{
  "type": "ja3-jl",
  "encoding": "utf-8",
  "tags": [
    "tlp:white"
  ],
  "misp:org": "5b642239-4db4-4580-adf4-4ebd950d210f"
}
~~~~

| Type         | Description                                                |
|--------------|:-----------------------------------------------------------|
| ja3-jl       | JA3 fingerprinting JL version                              |
| d4-telemetry | D4 project sensor telemetry                                |
| fascia       | fascia JSON object                                         |
| maltrail     | [maltrail](https://github.com/stamparm/maltrail) logging   |

The D4 meta-type list is [available in JSON format](https://raw.githubusercontent.com/D4-project/architecture/master/format/meta-type.json).
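The following is an added example, not code from the D4 project, showing a packer and a receiver for the header layout in the Headers table together with the type 2 / type 254 session rule above. It assumes little-endian field encoding and an HMAC-SHA256 tag computed with the sensor's shared key over the header (hmac field zeroed) and the payload, since the page specifies neither; `pack_d4`, `unpack_d4` and `D4Receiver` are names chosen here.

```python
import hashlib, hmac, json, struct, uuid

# Wire layout from the Headers table; byte order is assumed little-endian
# (the page does not state it): version(1) type(1) uuid(16) timestamp(8) hmac(32) size(4)
HEADER = struct.Struct("<BB16sQ32sI")
HEADER_LEN = HEADER.size          # 62 bytes
HMAC_OFF, HMAC_LEN = 26, 32       # hmac field follows version + type + uuid + timestamp

def pack_d4(key, sensor, dtype, payload, ts):
    """Assumption: HMAC-SHA256 over header (hmac field zeroed) + payload, full 32-byte tag stored."""
    header = HEADER.pack(1, dtype, sensor.bytes, ts, bytes(HMAC_LEN), len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header[:HMAC_OFF] + tag + header[HMAC_OFF + HMAC_LEN:] + payload

def unpack_d4(key, packet):
    """Parse and authenticate one packet; every failed check raises ValueError."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated header")
    version, dtype, raw_uuid, ts, tag, size = HEADER.unpack_from(packet)
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    payload = packet[HEADER_LEN:HEADER_LEN + size]
    if len(payload) != size:
        raise ValueError("payload shorter than declared size")
    # Recompute the tag over the header with the hmac field zeroed, exactly as the sender did
    zeroed = packet[:HMAC_OFF] + bytes(HMAC_LEN) + packet[HMAC_OFF + HMAC_LEN:HEADER_LEN]
    expected = hmac.new(key, zeroed + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("HMAC mismatch")
    return {"version": version, "type": dtype, "uuid": uuid.UUID(bytes=raw_uuid),
            "timestamp": ts, "payload": payload}

class D4Receiver:
    """Enforces the session rule: type 254 is only accepted after a type 2 meta header."""
    def __init__(self, key):
        self.key, self.meta = key, None

    def feed(self, packet):
        pkt = unpack_d4(self.key, packet)
        if pkt["type"] == 2:
            meta = json.loads(pkt["payload"].decode("utf-8"))
            if "type" not in meta:
                raise ValueError("meta header lacks the mandatory 'type' field")
            self.meta = meta
        elif pkt["type"] == 254:
            if self.meta is None:
                raise ValueError("type 254 received before any type 2 meta header")
            pkt["meta_type"] = self.meta["type"]
        return pkt
```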