Version: 1.3.0

Protocol

Synopsis

Converts IANA protocol numbers to their corresponding protocol names.

Schema

- protocol:
    field: <ident>
    target_field: <ident>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

Field          | Required | Default        | Description
field          | Y        | -              | Source field containing the protocol number to convert
target_field   | N        | value of field | Destination field to store the protocol name
description    | N        | -              | Explanatory note
if             | N        | -              | Condition to run
ignore_failure | N        | false          | Continue processing if conversion fails
ignore_missing | N        | false          | Skip if source field doesn't exist
on_failure     | N        | -              | Error handling processors
on_success     | N        | -              | Success handling processors
tag            | N        | -              | Identifier

Details

Maps numeric protocol identifiers to their corresponding protocol names according to the IANA Protocol Numbers registry. The processor converts numeric protocol values (such as those found in IP packet headers) to human-readable protocol names, making log data more interpretable.

Note: The processor maps protocol numbers according to the IANA Protocol Numbers registry, which is the official reference for IP protocol numbers. For unregistered or unknown protocol numbers, the processor returns "UNKNOWN(n)", where n is the protocol number.

The processor accepts the number in several input formats (integer, float, string) and provides names for 140+ standardized protocols, including TCP, UDP, and ICMP.

Warning: The processor expects numeric values, or strings that can be converted to integers. Any other input causes the processor to fail unless ignore_failure is set to true.
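An added Python model of the conversion rules described above (example code, not the processor's own implementation): integer, float and string inputs are normalised to a protocol number, unregistered numbers fall back to UNKNOWN(n), and target_field, ignore_missing and ignore_failure behave as in the configuration table. The registry table below is a constructed subset; the real processor covers 140+ entries.

```python
# Constructed subset of the IANA Protocol Numbers registry (names are the registry's).
IANA_PROTOCOLS = {
    1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IPv6", 47: "GRE",
    50: "ESP", 51: "AH", 58: "IPv6-ICMP", 132: "SCTP",
}

def to_protocol_number(value):
    """Accept an int, an integral float, or a numeric string; reject the rest."""
    if isinstance(value, float) and value.is_integer():
        value = int(value)
    if isinstance(value, str):
        value = int(value.strip())  # ValueError on text such as "tcp"
    if not isinstance(value, int):
        raise ValueError(f"not a protocol number: {value!r}")
    return value

def protocol_name(value):
    """Registry name, or UNKNOWN(n) for an unregistered number (e.g. 200)."""
    n = to_protocol_number(value)
    return IANA_PROTOCOLS.get(n, f"UNKNOWN({n})")

def _get(doc, path):
    """Dotted-path lookup such as 'packet.ip.protocol'; returns (value, found)."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None, False
        doc = doc[key]
    return doc, True

def _set(doc, path, value):
    *parents, last = path.split(".")
    for key in parents:
        doc = doc.setdefault(key, {})
    doc[last] = value

def apply_protocol(doc, field, target_field=None,
                   ignore_missing=False, ignore_failure=False):
    """target_field defaults to field (in-place); the ignore_* flags follow the table."""
    value, found = _get(doc, field)
    if not found:
        if ignore_missing:
            return doc
        raise KeyError(f"missing field: {field}")
    try:
        _set(doc, target_field or field, protocol_name(value))
    except ValueError:
        if not ignore_failure:
            raise  # invalid input fails the processor unless ignore_failure is set
    return doc
```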

Examples

Basic

Converting a protocol number to its name...

{
  "network": {
    "protocol_number": 6
  }
}
- protocol:
    field: network.protocol_number
    target_field: network.protocol_name

adds a human-readable protocol name:

{
  "network": {
    "protocol_number": 6,
    "protocol_name": "TCP"
  }
}

In-Place

Replacing the numeric value with its name...

{
  "packet": {
    "ip": {
      "protocol": 17
    }
  }
}
- protocol:
    field: packet.ip.protocol

converts the value in place:

{
  "packet": {
    "ip": {
      "protocol": "UDP"
    }
  }
}

Field Formats

Processing protocol numbers in various formats...

{
  "network_data": {
    "proto1": 1,
    "proto2": "50",
    "proto3": 47.0
  }
}
- protocol:
    field: network_data.proto1
    target_field: network_data.proto1_name
- protocol:
    field: network_data.proto2
    target_field: network_data.proto2_name
- protocol:
    field: network_data.proto3
    target_field: network_data.proto3_name

handles different input formats:

{
  "network_data": {
    "proto1": 1,
    "proto2": "50",
    "proto3": 47.0,
    "proto1_name": "ICMP",
    "proto2_name": "ESP",
    "proto3_name": "GRE"
  }
}

Firewall Logs

Enriching firewall logs with protocol information...

{
  "firewall": {
    "action": "ALLOW",
    "src_ip": "192.168.1.100",
    "dst_ip": "10.0.0.1",
    "src_port": 49152,
    "dst_port": 80,
    "protocol": 6
  }
}
- protocol:
    field: firewall.protocol
    target_field: firewall.protocol_name
- set:
    field: firewall.summary
    value: "{{firewall.action}} {{firewall.protocol_name}} from {{firewall.src_ip}}:{{firewall.src_port}} to {{firewall.dst_ip}}:{{firewall.dst_port}}"

creates a more readable security log:

{
  "firewall": {
    "action": "ALLOW",
    "src_ip": "192.168.1.100",
    "dst_ip": "10.0.0.1",
    "src_port": 49152,
    "dst_port": 80,
    "protocol": 6,
    "protocol_name": "TCP",
    "summary": "ALLOW TCP from 192.168.1.100:49152 to 10.0.0.1:80"
  }
}

Unknowns

Processing an unregistered protocol number...

{
  "packet": {
    "protocol": 200
  }
}
- protocol:
    field: packet.protocol
    target_field: packet.protocol_name

provides informative output for unregistered protocols:

{
  "packet": {
    "protocol": 200,
    "protocol_name": "UNKNOWN(200)"
  }
}