architecture/format/README.md

# D4 encapsulation protocol version 1

![Overview of the D4 encapsulation protocol](https://raw.githubusercontent.com/D4-project/architecture/master/docs/diagram/d4-protocol-encapsulation.png)

## Headers

| Name          | bit size  |                               Description                              |
|---------------|-----------|:----------------------------------------------------------------------:|
| version       | uint 8    | Version of the header                                                  |
| type          | uint 8    | Data encapsulated type                                                 |
| uuid          | uint 128  | Sensor UUID                                                            |
| timestamp     | uint 64   | Encapsulation time                                                     |
| hmac          | uint 256  | Authentication header (HMAC-SHA-256-128)                               |
| size          | uint 32   | Payload size                                                           |

## Types

The type is the list of format encapsulated within the D4 protocol.

|Type| Description |
|----|:-----------------------------------|
| 0  | Reserved                           |
| 1  | pcap (libpcap 2.4)                 |
| 2  | meta header (JSON)                 |
| 3  | generic log line                   |
| 4  | [dnscap](https://github.com/DNS-OARC/dnscap) output                      |
| 5  | pcapng (diagnostic)                |
| 6  | generic NDJSON or JSON Lines       |
| 7  | generic [YAF](https://tools.netsa.cert.org/yaf/index.html) (Yet Another Flowmeter)|
| 8  | [passivedns](https://github.com/gamelinux/passivedns) CSV stream |
| 254 | type defined by meta header (type 2) |

The D4 type list is [available in JSON format](https://raw.githubusercontent.com/D4-project/architecture/master/format/type.json).

## Meta types (via meta header)

Sample meta type JSON (type 2). If a new session is open, before sending D4 packet type 254, a type 2 packet MUST be sent
to describe to the D4 server how to decode packets. A meta header payload contains a single JSON object which describes
the next packet to be decoded as type 254 in the stream. The JSON object MUST at least contain a `type` field.

~~~~json
{
  "type": "ja3-jl",
  "encoding": "utf-8",
  "tags": [
    "tlp:white"
  ],
  "misp:org": "5b642239-4db4-4580-adf4-4ebd950d210f"
}
~~~~

|Type| Description |
|----|:-----------------------------------|
| ja3-jl  | JA3 fingerprinting JL version |
| d4-telemetry | D4 project sensor telemetry |
| fascia       | fascia JSON object |
| maltrail     | [maltrail](https://github.com/stamparm/maltrail) logging |

The D4 meta-type list is [available in JSON format](https://raw.githubusercontent.com/D4-project/architecture/master/format/meta-type.json).
Update README.md 2021-05-19 09:22:35 +02:00			`# D4 encapsulation protocol version 1`
add: [format] brainstorm discussion 2018-11-26 14:09:35 +01:00
chg: [format] diagram added 2019-01-13 16:14:27 +01:00			`![Overview of the D4 encapsulation protocol](https://raw.githubusercontent.com/D4-project/architecture/master/docs/diagram/d4-protocol-encapsulation.png)`

add: [format] brainstorm discussion 2018-11-26 14:09:35 +01:00			`## Headers`

			`\| Name \| bit size \| Description \|`
			`\|---------------\|-----------\|:----------------------------------------------------------------------:\|`
added version field to handle multiple headers 2018-11-26 16:55:16 +01:00			`\| version \| uint 8 \| Version of the header \|`
chg: [doc] updated types 2019-01-11 16:48:25 +01:00			`\| type \| uint 8 \| Data encapsulated type \|`
chg: [format] diagram added 2019-01-13 16:14:27 +01:00			`\| uuid \| uint 128 \| Sensor UUID \|`
add: [format] brainstorm discussion 2018-11-26 14:09:35 +01:00			`\| timestamp \| uint 64 \| Encapsulation time \|`
chg: [format] authentication header fixed 2019-02-04 22:22:46 +01:00			`\| hmac \| uint 256 \| Authentication header (HMAC-SHA-256-128) \|`
add: [format] brainstorm discussion 2018-11-26 14:09:35 +01:00			`\| size \| uint 32 \| Payload size \|`

chg: [format] new meta type to extend d4 type via type 2 Signed-off: jl Signed-off: aurelien Signed-off: adulau 2019-01-28 17:01:53 +01:00			`## Types`
add: [format] brainstorm discussion 2018-11-26 14:09:35 +01:00
chg: [format] add a reference to the JSON output of the D4 types 2019-01-27 11:36:59 +01:00			`The type is the list of format encapsulated within the D4 protocol.`

add: [format] brainstorm discussion 2018-11-26 14:09:35 +01:00			`\|Type\| Description \|`
chg: [doc] updated types 2019-01-11 16:48:25 +01:00			`\|----\|:-----------------------------------\|`
			`\| 0 \| Reserved \|`
			`\| 1 \| pcap (libpcap 2.4) \|`
			`\| 2 \| meta header (JSON) \|`
			`\| 3 \| generic log line \|`
chg: [format] more references 2019-01-15 09:25:40 +01:00			`\| 4 \| [dnscap](https://github.com/DNS-OARC/dnscap) output \|`
			`\| 5 \| pcapng (diagnostic) \|`
chg: [doc] updated types 2019-01-11 16:48:25 +01:00			`\| 6 \| generic NDJSON or JSON Lines \|`
chg: [format] more references 2019-01-15 09:25:40 +01:00			`\| 7 \| generic [YAF](https://tools.netsa.cert.org/yaf/index.html) (Yet Another Flowmeter)\|`
chg: [format] type 8 added (before we use metadata header) 2019-01-30 18:21:14 +01:00			`\| 8 \| [passivedns](https://github.com/gamelinux/passivedns) CSV stream \|`
chg: [format] new meta type to extend d4 type via type 2 Signed-off: jl Signed-off: aurelien Signed-off: adulau 2019-01-28 17:01:53 +01:00			`\| 254 \| type defined by meta header (type 2) \|`
add: [format] brainstorm discussion 2018-11-26 14:09:35 +01:00
chg: [format] add a reference to the JSON output of the D4 types 2019-01-27 11:36:59 +01:00			`The D4 type list is [available in JSON format](https://raw.githubusercontent.com/D4-project/architecture/master/format/type.json).`

chg: [format] new meta type to extend d4 type via type 2 Signed-off: jl Signed-off: aurelien Signed-off: adulau 2019-01-28 17:01:53 +01:00			`## Meta types (via meta header)`

chg: [format] meta header simplified Signed-off: Aurelien Signed-off: adulau 2019-01-30 18:15:33 +01:00			`Sample meta type JSON (type 2). If a new session is open, before sending D4 packet type 254, a type 2 packet MUST be sent`
			`to describe to the D4 server how to decode packets. A meta header payload contains a single JSON object which describes`
			the next packet to be decoded as type 254 in the stream. The JSON object MUST at least contain a `type` field.
chg: [format] new meta type to extend d4 type via type 2 Signed-off: jl Signed-off: aurelien Signed-off: adulau 2019-01-28 17:01:53 +01:00
			`~~~~json`
			`{`
chg: [format] meta header simplified Signed-off: Aurelien Signed-off: adulau 2019-01-30 18:15:33 +01:00			`"type": "ja3-jl",`
chg: [format] new meta type to extend d4 type via type 2 Signed-off: jl Signed-off: aurelien Signed-off: adulau 2019-01-28 17:01:53 +01:00			`"encoding": "utf-8",`
			`"tags": [`
			`"tlp:white"`
			`],`
			`"misp:org": "5b642239-4db4-4580-adf4-4ebd950d210f"`
			`}`
			`~~~~`

			`\|Type\| Description \|`
			`\|----\|:-----------------------------------\|`
chg: [format] meta header simplified Signed-off: Aurelien Signed-off: adulau 2019-01-30 18:15:33 +01:00			`\| ja3-jl \| JA3 fingerprinting JL version \|`
			`\| d4-telemetry \| D4 project sensor telemetry \|`
			`\| fascia \| fascia JSON object \|`
chg: [meta-type] reference added 2019-10-01 15:43:55 +02:00			`\| maltrail \| [maltrail](https://github.com/stamparm/maltrail) logging \|`

			`The D4 meta-type list is [available in JSON format](https://raw.githubusercontent.com/D4-project/architecture/master/format/meta-type.json).`