WARNING: Version 6.2 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
TLS fieldsedit
TLS-specific event fields.
tls.handshake_completededit
type: boolean
Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.
tls.resumededit
type: boolean
If the TLS session has been resumed from a previous session.
tls.resumption_methodedit
type: keyword
If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
tls.client_certificate_requestededit
type: boolean
Whether the server has requested the client to authenticate itself using a client certificate.
tls.client_hello.versionedit
type: keyword
The version of the TLS protocol by which the client wishes to communicate during this session.
tls.client_hello.supported_ciphersedit
type: array
List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
tls.client_hello.supported_compression_methodsedit
type: array
The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml
extensions fieldsedit
The hello extensions provided by the client.
tls.client_hello.extensions.server_name_indicationedit
type: keyword
List of hostnames
tls.client_hello.extensions.application_layer_protocol_negotiationedit
type: keyword
List of application-layer protocols the client is willing to use.
tls.client_hello.extensions.session_ticketedit
type: keyword
Length of the session ticket, if provided, or an empty string to advertise support for tickets.
tls.server_hello.versionedit
type: keyword
The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
tls.server_hello.selected_cipheredit
type: keyword
The cipher suite selected by the server from the list provided by in the client hello.
tls.server_hello.selected_compression_methodedit
type: keyword
The compression method selected by the server from the list provided in the client hello.
extensions fieldsedit
The hello extensions provided by the server.
tls.server_hello.extensions.application_layer_protocol_negotiationedit
type: array
Negotiated application layer protocol
tls.server_hello.extensions.session_ticketedit
type: keyword
Used to announce that a session ticket will be provided by the server. Always an empty string.
client_certificate fieldsedit
Certificate provided by the client for authentication.
tls.client_certificate.versionedit
type: long
X509 format version.
tls.client_certificate.serial_numberedit
type: keyword
The certificate’s serial number.
tls.client_certificate.not_beforeedit
type: date
Date before which the certificate is not valid.
tls.client_certificate.not_afteredit
type: date
Date after which the certificate expires.
tls.client_certificate.public_key_algorithmedit
type: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
tls.client_certificate.public_key_sizeedit
type: long
Size of the public key.
tls.client_certificate.signature_algorithmedit
type: keyword
The algorithm used for the certificate’s signature.
tls.client_certificate.alternative_namesedit
type: array
Subject Alternative Names for this certificate.
tls.client_certificate.rawedit
type: keyword
The raw certificate in PEM format.
subject fieldsedit
Subject represented by this certificate.
tls.client_certificate.subject.countryedit
type: keyword
Country code.
tls.client_certificate.subject.organizationedit
type: keyword
Organization name.
tls.client_certificate.subject.organizational_unitedit
type: keyword
Unit within organization.
tls.client_certificate.subject.provinceedit
type: keyword
Province or region within country.
tls.client_certificate.subject.common_nameedit
type: keyword
Name or host name identified by the certificate.
issuer fieldsedit
Entity that issued and signed this certificate.
tls.client_certificate.issuer.countryedit
type: keyword
Country code.
tls.client_certificate.issuer.organizationedit
type: keyword
Organization name.
tls.client_certificate.issuer.organizational_unitedit
type: keyword
Unit within organization.
tls.client_certificate.issuer.provinceedit
type: keyword
Province or region within country.
tls.client_certificate.issuer.common_nameedit
type: keyword
Name or host name identified by the certificate.
server_certificate fieldsedit
Certificate provided by the server for authentication.
tls.server_certificate.versionedit
type: long
X509 format version.
tls.server_certificate.serial_numberedit
type: keyword
The certificate’s serial number.
tls.server_certificate.not_beforeedit
type: date
Date before which the certificate is not valid.
tls.server_certificate.not_afteredit
type: date
Date after which the certificate expires.
tls.server_certificate.public_key_algorithmedit
type: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
tls.server_certificate.public_key_sizeedit
type: long
Size of the public key.
tls.server_certificate.signature_algorithmedit
type: keyword
The algorithm used for the certificate’s signature.
tls.server_certificate.alternative_namesedit
type: array
Subject Alternative Names for this certificate.
tls.server_certificate.rawedit
type: keyword
The raw certificate in PEM format.
subject fieldsedit
Subject represented by this certificate.
tls.server_certificate.subject.countryedit
type: keyword
Country code.
tls.server_certificate.subject.organizationedit
type: keyword
Organization name.
tls.server_certificate.subject.organizational_unitedit
type: keyword
Unit within organization.
tls.server_certificate.subject.provinceedit
type: keyword
Province or region within country.
tls.server_certificate.subject.common_nameedit
type: keyword
Name or host name identified by the certificate.
issuer fieldsedit
Entity that issued and signed this certificate.
tls.server_certificate.issuer.countryedit
type: keyword
Country code.
tls.server_certificate.issuer.organizationedit
type: keyword
Organization name.
tls.server_certificate.issuer.organizational_unitedit
type: keyword
Unit within organization.
tls.server_certificate.issuer.provinceedit
type: keyword
Province or region within country.
tls.server_certificate.issuer.common_nameedit
type: keyword
Name or host name identified by the certificate.
tls.server_certificate_chainedit
type: array
Chain of trust for the server certificate.
tls.client_certificate_chainedit
type: array
Chain of trust for the client certificate.
tls.alert_typesedit
type: keyword
An array containing the TLS alert type for every alert received.
fingerprints fieldsedit
Fingerprints for this TLS session.
ja3 fieldsedit
JA3 TLS client fingerprint
tls.fingerprints.ja3.hashedit
type: keyword
The JA3 fingerprint hash for the client side.
tls.fingerprints.ja3.stredit
type: keyword
The JA3 string used to calculate the hash.