Skip to content
Branch: master
Find file History
Type Name Latest commit message Commit time
Failed to load latest commit information. chg: [format] authentication header fixed Feb 4, 2019
type.json chg: [format.json] add 254 type Mar 4, 2019

D4 encapsulation protocol version 1 (DRAFT)

Overview of the D4 encapsulation protocol


Name bit size Description
version uint 8 Version of the header
type uint 8 Data encapsulated type
uuid uint 128 Sensor UUID
timestamp uint 64 Encapsulation time
hmac uint 256 Authentication header (HMAC-SHA-256-128)
size uint 32 Payload size


The type is the list of format encapsulated within the D4 protocol.

Type Description
0 Reserved
1 pcap (libpcap 2.4)
2 meta header (JSON)
3 generic log line
4 dnscap output
5 pcapng (diagnostic)
6 generic NDJSON or JSON Lines
7 generic YAF (Yet Another Flowmeter)
8 passivedns CSV stream
254 type defined by meta header (type 2)

The D4 type list is available in JSON format.

Meta types (via meta header)

Sample meta type JSON (type 2). If a new session is open, before sending D4 packet type 254, a type 2 packet MUST be sent to describe to the D4 server how to decode packets. A meta header payload contains a single JSON object which describes the next packet to be decoded as type 254 in the stream. The JSON object MUST at least contain a type field.

  "type": "ja3-jl",
  "encoding": "utf-8",
  "tags": [
  "misp:org": "5b642239-4db4-4580-adf4-4ebd950d210f"
Type Description
ja3-jl JA3 fingerprinting JL version
d4-telemetry D4 project sensor telemetry
fascia fascia JSON object
You can’t perform that action at this time.