Skip to main content
Version: 1.4.0

Network Protocol

Network Analysis Protocol Identification Data Enrichment

Synopsis

A network analysis processor that converts IP protocol numbers to their corresponding human-readable protocol names using the IANA protocol number registry, enhancing network traffic analysis and security monitoring.

Schema

- network_protocol:
    field: <ident>
    target_field: <ident>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

FieldRequiredDefaultDescription
fieldY-Field containing the protocol number to convert
target_fieldNfieldField to store the protocol name
descriptionN-Explanatory note
ifN-Condition to run
ignore_failureNfalseContinue if conversion fails
ignore_missingNfalseContinue if source field doesn't exist
on_failureN-See Handling Failures
on_successN-See Handling Success
tagN-Identifier

Details

The processor maintains a comprehensive mapping of IANA protocol numbers to their standard names, supporting all registered protocols including TCP, UDP, ICMP, and many specialized protocols used in modern networking.

note

The processor supports multiple input formats including integers, floats, and string representations of protocol numbers.

Protocol number resolution follows the official IANA registry for Internet Protocol Numbers. Unknown or unassigned protocol numbers are handled gracefully by returning a formatted "UNKNOWN(number)" string for debugging purposes.

The processor automatically handles type conversion from various numeric types and string representations. Floating-point values are truncated to integers during conversion.

warning

Ensure protocol number fields contain valid numeric values to avoid conversion errors.

Examples

Basic Protocol Conversion

Converting common protocol numbers...

{
  "protocol": 6,
  "alt_protocol": "17"
}
- network_protocol:
    field: protocol
    target_field: protocol_name
- network_protocol:
    field: alt_protocol
    target_field: alt_protocol_name

produces readable protocol names:

{
  "protocol": 6,
  "alt_protocol": "17",
  "protocol_name": "TCP",
  "alt_protocol_name": "UDP"
}

In-Place Conversion

Converting protocol number in place...

{
  "network": {
    "protocol": 1
  }
}
- network_protocol:
    field: network.protocol

replaces the original field:

{
  "network": {
    "protocol": "ICMP"
  }
}

Multiple Protocol Fields

Processing multiple protocol fields...

{
  "src_protocol": 6,
  "dst_protocol": 17,
  "tunnel_protocol": 47
}
- network_protocol:
    field: src_protocol
    target_field: src_protocol_name
- network_protocol:
    field: dst_protocol
    target_field: dst_protocol_name
- network_protocol:
    field: tunnel_protocol
    target_field: tunnel_protocol_name

identifies all protocols:

{
  "src_protocol": 6,
  "dst_protocol": 17,
  "tunnel_protocol": 47,
  "src_protocol_name": "TCP",
  "dst_protocol_name": "UDP",
  "tunnel_protocol_name": "GRE"
}

Unknown Protocol Handling

Handling unknown protocol numbers...

{
  "custom_protocol": 200,
  "reserved_protocol": 254
}
- network_protocol:
    field: custom_protocol
    target_field: custom_name
- network_protocol:
    field: reserved_protocol
    target_field: reserved_name

provides fallback identification:

{
  "custom_protocol": 200,
  "reserved_protocol": 254,
  "custom_name": "UNKNOWN(200)",
  "reserved_name": ""
}

IPv6 Protocol Conversion

Converting IPv6-specific protocols...

{
  "ipv6_next_header": 58,
  "mobility_header": 135
}
- network_protocol:
    field: ipv6_next_header
    target_field: ipv6_protocol
- network_protocol:
    field: mobility_header
    target_field: mobility_name

identifies IPv6 protocols:

{
  "ipv6_next_header": 58,
  "mobility_header": 135,
  "ipv6_protocol": "IPv6-ICMP",
  "mobility_name": "Mobility Header"
}

Conditional Protocol Analysis

Converting protocols based on conditions...

{
  "protocol_number": 132,
  "packet_type": "data"
}
- network_protocol:
    field: protocol_number
    target_field: transport_protocol
    if: "packet_type == 'data'"

applies conversion when conditions match:

{
  "protocol_number": 132,
  "packet_type": "data",
  "transport_protocol": "SCTP"
}