D4 encapsulation protocol version 1 (DRAFT)
Name |
bit size |
Description |
version |
uint 8 |
Version of the header |
type |
uint 8 |
Data encapsulated type |
uuid |
uint 128 |
Sensor UUID |
timestamp |
uint 64 |
Encapsulation time |
hmac |
uint 256 |
Authentication header (HMAC-SHA-256-128) |
size |
uint 32 |
Payload size |
Types
The type is the list of format encapsulated within the D4 protocol.
Type |
Description |
0 |
Reserved |
1 |
pcap (libpcap 2.4) |
2 |
meta header (JSON) |
3 |
generic log line |
4 |
dnscap output |
5 |
pcapng (diagnostic) |
6 |
generic NDJSON or JSON Lines |
7 |
generic YAF (Yet Another Flowmeter) |
8 |
passivedns CSV stream |
254 |
type defined by meta header (type 2) |
The D4 type list is available in JSON format.
Sample meta type JSON (type 2). If a new session is open, before sending D4 packet type 254, a type 2 packet MUST be sent
to describe to the D4 server how to decode packets. A meta header payload contains a single JSON object which describes
the next packet to be decoded as type 254 in the stream. The JSON object MUST at least contain a type
field.
{
"type": "ja3-jl",
"encoding": "utf-8",
"tags": [
"tlp:white"
],
"misp:org": "5b642239-4db4-4580-adf4-4ebd950d210f"
}
Type |
Description |
ja3-jl |
JA3 fingerprinting JL version |
d4-telemetry |
D4 project sensor telemetry |
fascia |
fascia JSON object |