
Protocol Documentation

trp.proto

trp.proto: the Trisul Remote Protocol .proto file. TRP (Trisul Remote Protocol) is a remote query API that allows clients to connect to and retrieve data from Trisul Hub.

### AlertT

AlertT: an alert in Trisul. All alert types (Threshold Crossing, Flow Tracker, Badfellas, custom alerts) use the same object below.

Field Type Label Description
sensor_id int64 optional source of alert, usually not used
time Timestamp required timestamp
alert_id string required DB alert ID eg 99:8:98838
source_ip KeyT optional source ip
source_port KeyT optional
destination_ip KeyT optional
destination_port KeyT optional
sigid KeyT optional unique key representing alert type
classification KeyT optional classification (from IDS terminology)
priority KeyT optional priority 1,2,3
dispatch_time Timestamp optional sent time
dispatch_message1 string optional a free format string created by generator of alert
dispatch_message2 string optional second format
occurrances int64 optional number of occurrences, used by QueryAlerts for aggregation Default: 1
group_by_key string optional aggregation key
probe_id string optional probe generating this alert
alert_status string optional FIRE,CLEAR,BLOCK etc
acknowledge_flag int64 optional ACK or NOT
### AsyncRequest

AsyncRequest: asynchronous query framework. Response taken from original, the token.

Field Type Label Description
token int64 required
request_message string optional
### AsyncResponse

AsyncResponse: a token representing a future response. You will get an AsyncResponse for a TRP request if you set run_async=true at the message level.

Field Type Label Description
token int64 required use this token in AsyncRequest polling until you get the original Response you expected
response_message string optional
response Message optional
### ContextConfigRequest

ContextConfigRequest: start, stop, status. OK or ERROR response. Status = OK if running, with PID etc. in the message text.

Field Type Label Description
context_name string required
profile string optional
params string optional
push_config_blob bytes optional push this ..
query_config NameValue repeated query, leave the .value field blank
set_config_values NameValue repeated push this .. (name=value;name=value ..)
### ContextConfigResponse
Field Type Label Description
context_name string required
profile string optional
params string optional what kind of config you want
pull_config_blob bytes optional config
config_blob bytes optional compress tar.gz ..
endpoints_flush string repeated
endpoints_query string repeated
endpoints_pub string repeated
config_values NameValue repeated query, leave the .value field blank
layers ContextConfigResponse.Layer repeated
### ContextConfigResponse.Layer
Field Type Label Description
layer int64 required
probe_id string required
probe_description string optional
### ContextCreateRequest

ContextRequest: context methods. Response is OK or Error; follow up with ContextInfo to print details.

Field Type Label Description
context_name string required
clone_from string optional
### ContextDeleteRequest

ContextDelete: initialize / reset data only.

Field Type Label Description
context_name string required if not set all context get in
reset_data bool optional reset data, don't delete everything
### ContextInfoRequest

ContextInfo: one or all contexts. Use is_init to prime with config.

Field Type Label Description
context_name string optional if not set all context get in
get_size_on_disk bool optional get size on disk (expensive) Default: false
### ContextInfoResponse
Field Type Label Description
items ContextInfoResponse.Item repeated
### ContextInfoResponse.Item
Field Type Label Description
context_name string required
is_initialized bool required
is_running bool required
size_on_disk int64 optional
time_interval TimeInterval optional
is_clean bool optional
extrainfo string optional
run_history TimeInterval repeated
profile string optional
runmode string optional
node_version string optional
### ContextStartRequest

ContextStart: run / run data only.

Field Type Label Description
context_name string required if not set all context get in
mode string optional same as trisul cmdline run mode
background bool optional
pcap_path string optional
run_tool string optional snort, suricata supported..
tool_ids_config string optional
tool_av_config string optional
cmd_in string optional maps to trisul -in
cmd_out string optional maps to trisul -out
cmd_args string optional maps to trisul -args
### ContextStopRequest

ContextStop: kill the context processes.

Field Type Label Description
context_name string required if not set all context get in
run_tool string optional snort, suricata , trp, flushd supported..
### CounterGroupInfoRequest

CounterGroupInfoRequest: retrieve information about enabled counter groups.

Field Type Label Description
counter_group string optional
get_meter_info bool optional Default: false
### CounterGroupInfoResponse CounterGroupInfoResponse
Field Type Label Description
group_details CounterGroupT repeated
### CounterGroupT

CounterGroupT: represents a counter group.

Field Type Label Description
guid string required guid identifying the CG
name string required CG name
bucket_size int64 optional bucketsize for all meters in this group
time_interval TimeInterval optional total time interval available in DB
topper_bucket_size int64 optional topper bucketsize (streaming analytics window)
meters MeterInfo repeated array of meter information (m0, m1, .. mn)
### CounterGroupTopperRequest

CounterGroupTopperRequest: retrieve toppers for a counter group (top-K).

Field Type Label Description
counter_group string required guid of CG
meter int64 optional meter; eg to get Top Hosts By Connections use cg=Hosts meter = 6(connections) Default: 0
maxitems int64 optional number of top items to retrieve Default: 100
time_interval TimeInterval optional time interval
time_instant Timestamp optional
flags int64 optional
resolve_keys bool optional retrieve labels as set in the response for each key Default: true
### CounterGroupTopperResponse CounterGroupTopperResponse
Field Type Label Description
counter_group string required request cgid
meter int64 required from request
sysgrouptotal int64 optional the metric value for "Others.." after Top-K
keys KeyT repeated topper keys, KeyT.metric contains the top-k value
### CounterItemRequest

CounterItemRequest: time series history statistics for an item.

Field Type Label Description
counter_group string required guid of counter group
meter int64 optional optional meter, default will retrieve all (same cost)
key KeyT required key (can specify key.key, key.label, etc. too)
time_interval TimeInterval required Time interval for query
volumes_only int64 optional if '1' ; then only retrieves totals for each meter Default: 0
### CounterItemResponse

CounterItemResponse

Field Type Label Description
counter_group string required guid of CG
key KeyT required key : filled up with readable,label automatically
totals StatsArray optional if volumes_only = 1 in request, this contains totals for each metric
stats StatsArray repeated time series stats - can use to draw charts etc
### DeleteAlertsRequest

DeleteAlerts: a very limited exception to the Trisul rule of not having delete options.

Field Type Label Description
alert_group string required
time_interval TimeInterval required
source_ip KeyT optional
source_port KeyT optional
destination_ip KeyT optional
destination_port KeyT optional
sigid KeyT optional
classification KeyT optional
priority KeyT optional
any_ip KeyT optional
any_port KeyT optional
message_regex string optional delete using regex
### DocumentT

DocumentT: a full text document (full HTTP headers, printable TLS certs, etc.).

Field Type Label Description
dockey string required unique id
fts_attributes string optional attributes used for facets
fullcontent string optional full document text
flows DocumentT.Flow repeated list of flows where this doc was seen
probe_id string optional
### DocumentT.Flow

This document was seen at these times and on this flow.

Field Type Label Description
time Timestamp required
key string required
### DomainRequest

Messages to routerX backend.

Field Type Label Description
cmd DomainOperation required
station_id string optional
params string optional
nodetype DomainNodeType optional
### DomainResponse
Field Type Label Description
cmd DomainOperation required
nodes DomainResponse.Node repeated
req_params string optional
params string optional
need_reconnect bool optional Default: false
### DomainResponse.Node
Field Type Label Description
id string required
nodetype DomainNodeType required
station_id string optional
extra_info string optional
register_time Timestamp optional
heartbeat_time Timestamp optional
### EdgeGraphT

EdgeGraphT: a graph. subjectnode -> vertices (of a particular type).

Field Type Label Description
time_interval TimeInterval required covers this window
vertex_groups VertexGroupT repeated vertices grouped by type
### ErrorResponse

ErrorResponse: all XYZRequest() messages can generate either an XYZResponse() or an ErrorResponse(); you need to handle the error case.

Field Type Label Description
original_command int64 required Command ID of request
error_code int64 required numeric error code
error_message string required error string
### FileRequest

FileRequest: used to download files from Trisul domain nodes like probes.

Field Type Label Description
uri string required uri of resource you want to download , example PcapResponse.save_file
position int64 required seek position in that file
params string optional local meaning, sent back in response
context_name string optional context name
delete_on_eof bool optional Default: false
### FileResponse

FileResponse: one chunk at a time. Trisul has slightly inefficient file transfer for very large files; since most files are data feeds < 100MB, fine for now.

Field Type Label Description
uri string required requested URI
eof bool required end of all chunks
position int64 optional current position
content bytes optional file chunk content
request_params string optional
context_name string optional
### GraphRequest

GraphRequest: given a subject node, retrieve a graph for a given time window.

Field Type Label Description
time_interval TimeInterval required time window
subject_group string required guid of subject, eg counter or alert guid
subject_key KeyT required key (can specify key.key, key.label, etc. too)
### GraphResponse
Field Type Label Description
subject_group string required from request
subject_key KeyT required from request
graphs EdgeGraphT repeated graphs - an EdgeGraphT message
### GrepRequest

GrepRequest: reconstruct and search for patterns in saved packets.

Field Type Label Description
context_name string required
time_interval TimeInterval required
maxitems int64 optional Default: 100
flowcutoff_bytes int64 optional
pattern_hex string optional hex pattern
pattern_text string optional plain text
pattern_file string optional a file - must be available at probe
md5list string repeated a list of MD5 matching the content
resolve_keys bool optional Default: true
### GrepResponse GrepResponse
Field Type Label Description
context_name string required
sessions SessionT repeated sessionT with keys containing the content
hints string repeated some surrounding context for the match
probe_id string optional
### HelloRequest

Hello Request: use to check connectivity.

Field Type Label Description
station_id string required an id of the query client trying to connect
message string optional a message (will be echoed back in response)
### HelloResponse
Field Type Label Description
station_id string required station id of the query server
station_id_request string optional station id found in the request
message string optional message found in the request
local_timestamp int64 optional local timestamp at server, used to detect drifts
### KeySpaceRequest

KeySpaceRequest: search hits in key space. For example, you can search the key space 10.0.0.0 to 11.0.0.0 to get all IPs seen in that range.

Field Type Label Description
counter_group string required
time_interval TimeInterval required
maxitems int64 optional Default: 100
spaces KeySpaceRequest.KeySpace repeated
resolve_keys bool optional Default: true
### KeySpaceRequest.KeySpace
Field Type Label Description
from_key KeyT required from key representing start of keyspace
to_key KeyT required end of key space
### KeySpaceResponse KeySpaceResponse
Field Type Label Description
counter_group string optional
hits KeyT repeated array of keys in the requested space
### KeyStats

KeyStats: a full time series item (countergroup, key, timeseries).

Field Type Label Description
counter_group string required guid of counter group
key KeyT required key representing an item
meters MeterValues repeated array of timeseries (timeseries-meter0, ts-meter1, ...ts-meter-n)
### KeyT

KeyT: represents a key. Top level objects are named ObjT, e.g. KeyT - Key Type, SessionT - Session Type, etc.

Field Type Label Description
key string optional key in trisul key format eg, C0.A8.01.02 for 192.168.1.2
readable string optional human friendly name
label string optional a user label eg, a hostname or manually assigned name
description string optional description
metric int64 optional optional : a single metric value - relevant to the query used
### LogRequest

LogRequest: get log file from a domain node.

Field Type Label Description
context_name string required
log_type string required
regex_filter string optional
maxlines int64 optional Default: 1000
continue_logfilename string optional
continue_seekpos int64 optional
latest_run_only bool optional Default: false
### LogResponse
Field Type Label Description
context_name string required
logfilename string optional
seekpos int64 optional
log_lines string repeated compressed gz
### Message

Top level message is TRP::Message; it wraps the actual request or response.

You must set trp.command = <cmd> for EACH request in addition to constructing the actual TRP request message.

Field Type Label Description
trp_command Message.Command required
hello_request HelloRequest optional
hello_response HelloResponse optional
ok_response OKResponse optional
error_response ErrorResponse optional
counter_group_topper_request CounterGroupTopperRequest optional
counter_group_topper_response CounterGroupTopperResponse optional
counter_item_request CounterItemRequest optional
counter_item_response CounterItemResponse optional
pcap_request PcapRequest optional
pcap_response PcapResponse optional
search_keys_request SearchKeysRequest optional
search_keys_response SearchKeysResponse optional
counter_group_info_request CounterGroupInfoRequest optional
counter_group_info_response CounterGroupInfoResponse optional
update_key_request UpdateKeyRequest optional
query_sessions_request QuerySessionsRequest optional
query_sessions_response QuerySessionsResponse optional
session_tracker_request SessionTrackerRequest optional
session_tracker_response SessionTrackerResponse optional
probe_stats_request ProbeStatsRequest optional
probe_stats_response ProbeStatsResponse optional
query_alerts_request QueryAlertsRequest optional
query_alerts_response QueryAlertsResponse optional
query_resources_request QueryResourcesRequest optional
query_resources_response QueryResourcesResponse optional
grep_request GrepRequest optional
grep_response GrepResponse optional
topper_trend_request TopperTrendRequest optional
topper_trend_response TopperTrendResponse optional
subscribe_ctl SubscribeCtl optional
query_fts_request QueryFTSRequest optional
query_fts_response QueryFTSResponse optional
time_slices_request TimeSlicesRequest optional
time_slices_response TimeSlicesResponse optional
delete_alerts_request DeleteAlertsRequest optional
metrics_summary_request MetricsSummaryRequest optional
metrics_summary_response MetricsSummaryResponse optional
key_space_request KeySpaceRequest optional
key_space_response KeySpaceResponse optional
pcap_slices_request PcapSlicesRequest optional
log_request LogRequest optional
log_response LogResponse optional
context_create_request ContextCreateRequest optional
context_delete_request ContextDeleteRequest optional
context_start_request ContextStartRequest optional
context_stop_request ContextStopRequest optional
context_config_request ContextConfigRequest optional
context_config_response ContextConfigResponse optional
context_info_request ContextInfoRequest optional
context_info_response ContextInfoResponse optional
domain_request DomainRequest optional
domain_response DomainResponse optional
node_config_request NodeConfigRequest optional
node_config_response NodeConfigResponse optional
async_request AsyncRequest optional
async_response AsyncResponse optional
file_request FileRequest optional
file_response FileResponse optional
graph_request GraphRequest optional
graph_response GraphResponse optional
destination_node string optional
probe_id string optional
run_async bool optional if run_async = true, then you will immediately get an AsyncResponse with a token you can poll
### MeterInfo

MeterType: information about a particular meter.

Field Type Label Description
id int32 required
type MeterInfo.MeterType required
topcount int32 required
name string required
description string optional
units string optional
### MeterValues

MeterValues: a timeseries (meter_id, stat1, stat2, ... statn). This is rarely used because StatsArray is available.

Field Type Label Description
meter int32 required metric id , eg Hosts:TotalConnections
values StatsTuple repeated
total int64 optional total of all metric values
seconds int64 optional total number of seconds in time series
### MetricsSummaryRequest

MetricsSummaryRequest: used to retrieve DB stats.

Field Type Label Description
time_interval TimeInterval optional
metric_name string required
totals_only bool optional Default: true
### MetricsSummaryResponse MetricsSummaryResponse
Field Type Label Description
metric_name string required
vals StatsTuple repeated
### NameValue
Field Type Label Description
name string required
value string optional
### NodeConfigRequest
Field Type Label Description
message string optional
add_feed NodeConfigRequest.IntelFeed optional
process_new_feed NodeConfigRequest.IntelFeed optional
get_all_nodes bool optional Default: true
query_config NameValue repeated
### NodeConfigRequest.IntelFeed
Field Type Label Description
guid string required identifying feed group (eg Geo, Badfellas)
name string optional name
download_rules string optional xml file with feed update instructions
uri string repeated individual files in config//.. for FileRequest download
### NodeConfigResponse
Field Type Label Description
domains NodeConfigResponse.Node repeated
hubs NodeConfigResponse.Node repeated
probes NodeConfigResponse.Node repeated
feeds string repeated
config_values NameValue repeated
### NodeConfigResponse.Node
Field Type Label Description
id string required
nodetype DomainNodeType required
description string required
public_key string required
### OKResponse

OKResponse: many messages return an OKResponse indicating success of operation.

Field Type Label Description
original_command int64 required command id of request
message string optional success message
### PcapRequest

PcapRequest: retrieve a PCAP. Sent directly to each probe rather than to the DB query HUB.

The flow is: PCAP Request for a file -> put a file on the probe -> return a token -> use that token in FileRequest to download the file from the probe. See app notes and examples.

NOTE: only one of the various filters is supported; sending > 1 will result in an error.

Modes:

1. nothing set => PCAP file in contents
2. save_file_prefix set => file download token
3. merge_pcap_files => file download token

Field Type Label Description
context_name string required
max_bytes int64 optional Default: 100000000
compress_type CompressionType optional Default: UNCOMPRESSED
time_interval TimeInterval optional
save_file_prefix string optional
filter_expression string optional PCAP filter expression in Trisul Filter format
merge_pcap_files string repeated list of PCAP files on probe that you need to merge
delete_after_merge bool optional Default: true
format PcapFormat optional Default: LIBPCAP
### PcapResponse

Pcap Response: for small files (<1MB), contents directly contain the PCAP; for larger files, save_file contains a download token for use by FileRequest.

Field Type Label Description
context_name string required
format PcapFormat optional Default: LIBPCAP
compress_type CompressionType optional Default: UNCOMPRESSED
time_interval TimeInterval optional
num_bytes int64 optional
sha1 string optional
contents bytes optional
save_file string optional
### PcapSlicesRequest

Response = TimeSlicesResponse. Get the PCAP METASLICE based info.

Field Type Label Description
context_name string required
get_total_window bool optional Default: false
### ProbeStatsRequest

ProbeStatsRequest: DOMAIN. Retrieve statistics about probe cpu, mem, etc.

Field Type Label Description
context_name string required
param string optional
### ProbeStatsResponse ProbeStatsResponse
Field Type Label Description
context_name string required
instance_name string required
connections int64 required
uptime_seconds int64 required
cpu_usage_percent_trisul double required
cpu_usage_percent_total double required
mem_usage_trisul double required
mem_usage_total double required
mem_total double required
drop_percent_cap double required
drop_percent_trisul double required
proc_bytes int64 optional
proc_packets int64 optional
offline_pcap_file string optional
is_running bool optional
### QueryAlertsRequest

QueryAlertsRequest: query alerts in system; can group_by (aggregate) any one field. Multiple query fields are treated as AND.

Field Type Label Description
alert_group string required
time_interval TimeInterval optional
maxitems int64 optional Default: 100
source_ip KeyT optional
source_port KeyT optional
destination_ip KeyT optional
destination_port KeyT optional
sigid KeyT optional
classification KeyT optional
priority KeyT optional
aux_message1 string optional matches dispatchmessage1 in AlertT
aux_message2 string optional matches dispatchmessage2 in AlertT
group_by_fieldname string optional can group by any field - group by 'sigid' will group results by sigid
idlist string repeated list of alert ids
resolve_keys bool optional Default: true
any_ip KeyT optional search by any_ip (source_dest)
any_port KeyT optional search by any_port (source_dest)
ip_pair KeyT repeated array of 2 ips
message_regex string optional search via regex of the dispatch message
### QueryAlertsResponse

QueryAlertsResponse: response. If you used group_by_fieldname then AlertT.occurrances would contain the count.

Field Type Label Description
alert_group string required
alerts AlertT repeated array of matching alerts
### QueryFTSRequest

FTS: query to return docs, docids, and flows based on keyword search.

Field Type Label Description
time_interval TimeInterval required
fts_group string required
keywords string required
maxitems int64 optional Default: 100
### QueryFTSResponse
Field Type Label Description
fts_group string required
documents DocumentT repeated
### QueryResourcesRequest

QueryResourcesRequest: resource queries.

Field Type Label Description
resource_group string required
time_interval TimeInterval optional
maxitems int64 optional Default: 100
source_ip KeyT optional
source_port KeyT optional
destination_ip KeyT optional
destination_port KeyT optional
uri_pattern string optional
userlabel_pattern string optional
regex_uri string repeated
idlist string repeated
resolve_keys bool optional Default: true
any_port KeyT optional
any_ip KeyT optional
ip_pair KeyT repeated
### QueryResourcesResponse QueryResourceResponse
Field Type Label Description
resource_group string required
resources ResourceT repeated
### QuerySessionsRequest

QuerySessions: query flows. Fields filled are treated as AND criteria. See SessionT for description of common query fields.

Field Type Label Description
session_group string optional Default: "{99A78737-4B41-4387-8F31-8077DB917336}"
time_interval TimeInterval optional
key string optional
source_ip KeyT optional
source_port KeyT optional
dest_ip KeyT optional
dest_port KeyT optional
any_ip KeyT optional source or dest match
any_port KeyT optional source or dest match
ip_pair KeyT repeated array of 2 ips
protocol KeyT optional
flowtag string optional string flow tagger text
nf_routerid KeyT optional
nf_ifindex_in KeyT optional
nf_ifindex_out KeyT optional
subnet_24 string optional ip /24 subnet matching
subnet_16 string optional ip /16 subnet
maxitems int64 optional maximum number of matching flows to retrieve Default: 100
volume_filter int64 optional only retrieve flows > this many bytes (a+z) Default: 0
resolve_keys bool optional Default: true
outputpath string optional write results to a file (CSV) on trisul-hub (for very large dumps)
idlist string repeated array of flow ids , usually from SessionTracker response
### QuerySessionsResponse

QuerySessionsResponse: a list of matching flows.

Field Type Label Description
session_group string required
sessions SessionT repeated matching flows SessionT objects
outputpath string optional if 'outputpath' set in request, the sessions are here (in CSV format)
### ResourceT

ResourceT: represents a "resource" object. Examples: DNS records, HTTP URLs, TLS certificates, extracted file hashes, etc.

Field Type Label Description
time Timestamp required time resource was seen
resource_id string required DB id format = 988:0:8388383
source_ip KeyT optional
source_port KeyT optional
destination_ip KeyT optional
destination_port KeyT optional
uri string optional raw resource - uniform resource id ,dns names, http url, etc
userlabel string optional additional data
probe_id string optional which probe detected this
### SearchKeysRequest

SearchkeysRequest: search for keys.

Field Type Label Description
counter_group string required
maxitems int64 optional Default: 100
pattern string optional
label string optional
keys string repeated
offset int64 optional Default: 0
get_totals bool optional Default: false
### SearchKeysResponse SearchKeysResponse
Field Type Label Description
counter_group string required
keys KeyT repeated
total_count int64 optional
### SessionT

SessionT: an IP flow.

Field Type Label Description
session_key string optional Trisul format eg 06A:C0.A8.01.02:p-0B94_D1.D8.F9.3A:p-0016
session_id string required SID once stored in DB 883:3:883488
user_label string optional any label assigned by user
time_interval TimeInterval required start and end time of flow
state int64 optional flow state (see docs)
az_bytes int64 optional bytes in A>Z direction, see KeyA>KeyZ
za_bytes int64 optional bytes in Z>A direction
az_packets int64 optional pkts in A>Z direction
za_packets int64 optional pkts in Z>A direction
key1A KeyT required basically IP A End
key2A KeyT required Port Z End (can be a string like ICMP00, GRE00, for non TCP/UDP)
key1Z KeyT required IP Z end
key2Z KeyT required Port Z End
protocol KeyT required IP Protocol
nf_routerid KeyT optional Netflow only : Router ID
nf_ifindex_in KeyT optional Netflow only : Interface Index
nf_ifindex_out KeyT optional Netflow only : Interface Index
tags string optional tags assigned using flow taggers
az_payload int64 optional AZ payload - actual content transferred
za_payload int64 optional ZA payload
setup_rtt int64 optional Round Trip Time for setup : Must have TCPReassmbly enabled on Probe
retransmissions int64 optional Retransmissions total
tracker_statval int64 optional Metric for flow trackers
probe_id string optional Probe ID generating this flow
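
Added example (not part of the Trisul documentation or code): decoding the key format given in the KeyT table and the session_key sample in the SessionT table into readable addresses and ports, with strict validation so malformed keys are rejected instead of being mis-decoded. The session_key layout used here (two hex digits of protocol, a one-letter marker, `p-` plus four hex digits for ports, `_` between the A and Z ends) is inferred from the single sample on this page and is an assumption; only IPv4 keys are handled.

```python
import ipaddress
import re

# Key layouts are inferred from the two samples in this document
# (KeyT.key "C0.A8.01.02" and the SessionT.session_key sample).
# They are assumptions of this example, not a published grammar.
_IP_KEY = re.compile(r"[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{2}){3}")
_PORT_KEY = re.compile(r"p-([0-9A-Fa-f]{4})")
_SESSION_KEY = re.compile(
    r"(?P<proto>[0-9A-Fa-f]{2})(?P<marker>[A-Za-z]):"
    r"(?P<ip_a>[^:_]+):(?P<port_a>[^:_]+)_"
    r"(?P<ip_z>[^:_]+):(?P<port_z>[^:_]+)"
)


def key_to_ipv4(key: str) -> str:
    """Convert an IPv4 key such as 'C0.A8.01.02' to dotted decimal."""
    if not _IP_KEY.fullmatch(key):
        raise ValueError(f"not an IPv4 key: {key!r}")
    return str(ipaddress.IPv4Address(bytes.fromhex(key.replace(".", ""))))


def ipv4_to_key(ip: str) -> str:
    """Convert dotted decimal to key format, e.g. to fill KeyT.key in a query.

    ipaddress rejects malformed input with a ValueError subclass.
    """
    return ".".join(f"{b:02X}" for b in ipaddress.IPv4Address(ip).packed)


def port_key_to_value(key: str):
    """Return the port number for 'p-XXXX' keys, otherwise the raw key.

    The SessionT table notes that non TCP/UDP flows can carry strings such
    as ICMP00 in the port position, so those are passed through unchanged.
    """
    m = _PORT_KEY.fullmatch(key)
    return int(m.group(1), 16) if m else key


def parse_session_key(session_key: str) -> dict:
    """Split a session_key into protocol number and the A/Z endpoints."""
    m = _SESSION_KEY.fullmatch(session_key)
    if not m:
        raise ValueError(f"unrecognised session key: {session_key!r}")
    return {
        "protocol": int(m["proto"], 16),
        "ip_a": key_to_ipv4(m["ip_a"]),
        "port_a": port_key_to_value(m["port_a"]),
        "ip_z": key_to_ipv4(m["ip_z"]),
        "port_z": port_key_to_value(m["port_z"]),
    }


if __name__ == "__main__":
    # The session_key sample from the SessionT table above.
    print(parse_session_key("06A:C0.A8.01.02:p-0B94_D1.D8.F9.3A:p-0016"))
```
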
### SessionTrackerRequest

SessionTrackerRequest: query session trackers. Session trackers are a top-k streaming algorithm for network flows. They are Top Sessions fulfilling a particular preset criterion.

Field Type Label Description
session_group string optional Default: "{99A78737-4B41-4387-8F31-8077DB917336}"
tracker_id int64 required session tracker id Default: 1
maxitems int64 optional Default: 100
time_interval TimeInterval required
resolve_keys bool optional Default: true
### SessionTrackerResponse

SessionTrackerResponse: results of tracker. Returns a list of SessionT for the matching sessions.

Note: the returned list of SessionT only contains keys (in key format) and the tracker_statval representing the tracker metric. You need to send a further QuerySession request with the session_key to retrieve the full flow.

Field Type Label Description
session_group string required
sessions SessionT repeated contains session_key and tracker_statval
tracker_id int64 optional
### StatsArray

StatsArray: multiple timeseries values (t, v1, v2, v3...vn). Notice we use ts_tv_sec; most Trisul data have 1 sec resolution.

Field Type Label Description
ts_tv_sec int64 required tv.tv_sec
values int64 repeated array of values
### StatsTuple

StatsTuple: a single timeseries value (t,v).

Field Type Label Description
ts Timestamp required ts
val int64 required value metric
### SubscribeCtl

Subscribe: add a subscription to the Real Time channel.

Field Type Label Description
context_name string required
ctl SubscribeCtl.CtlType required
type SubscribeCtl.StabberType required
guid string optional
key string optional
meterid int64 optional
### TimeInterval

TimeInterval: from and to.

Field Type Label Description
from Timestamp required start time
to Timestamp required end time
### TimeSlicesRequest

Timeslices: retrieves the backend timeslice details. Get the METERS METASLICE info. Response = TimeSlicesResponse.

Field Type Label Description
get_disk_usage bool optional Default: false
get_all_engines bool optional Default: false
get_total_window bool optional Default: false
### TimeSlicesResponse
Field Type Label Description
slices TimeSlicesResponse.SliceT repeated
total_window TimeInterval optional
context_name string optional
### TimeSlicesResponse.SliceT
Field Type Label Description
time_interval TimeInterval required
name string optional
status string optional
disk_size int64 optional
path string optional
available bool optional
### Timestamp
Field Type Label Description
tv_sec int64 required
tv_usec int64 optional Default: 0
### TopperTrendRequest

TopperTrendRequest: raw top-K at each topper snapshot interval. Can use this to see "Top apps over 1 Week".

Field Type Label Description
counter_group string required
meter int64 optional Default: 0
maxitems int64 optional Default: 100
time_interval TimeInterval optional
### TopperTrendResponse TopperTrendResponse
Field Type Label Description
counter_group string required
meter int64 required
keytrends KeyStats repeated timeseries - ts, (array of key stats) for each snapshot interval
### UpdateKeyRequest

UpdatekeysRequest. Response = OKResponse or ErrorResponse.

Field Type Label Description
counter_group string required
keys KeyT repeated key : if you set both key and label, the DB label will be updated
### VertexGroupT

VertexGroupT: a group of vertices.

Field Type Label Description
vertex_group string required GUID of vertices in this message
vertex_keys KeyT repeated list of vertices
### AuthLevel

Enums. Auth Level.

Name Number Description
ADMIN 1
BASIC_USER 2
FORENSIC_USER 3
BLOCKED_USER 4
### CompressionType

Compression: used by PCAP or other content requests.

Name Number Description
UNCOMPRESSED 1
GZIP 2
### DomainNodeType
Name Number Description
HUB 0
PROBE 1
CONFIG 2
ROUTER 3
WEB 4
MONITOR 5
### DomainOperation
Name Number Description
GETNODES 1
HEARTBEAT 2
REGISTER 3
### Message.Command
Name Number Description
HELLO_REQUEST 1
HELLO_RESPONSE 2
OK_RESPONSE 3
ERROR_RESPONSE 5
COUNTER_GROUP_TOPPER_REQUEST 6
COUNTER_GROUP_TOPPER_RESPONSE 7
COUNTER_ITEM_REQUEST 8
COUNTER_ITEM_RESPONSE 9
PCAP_REQUEST 14
PCAP_RESPONSE 15
SEARCH_KEYS_REQUEST 18
SEARCH_KEYS_RESPONSE 19
COUNTER_GROUP_INFO_REQUEST 20
COUNTER_GROUP_INFO_RESPONSE 21
SESSION_TRACKER_REQUEST 22
SESSION_TRACKER_RESPONSE 23
UPDATE_KEY_REQUEST 32
UPDATE_KEY_RESPONSE 33
QUERY_SESSIONS_REQUEST 34
QUERY_SESSIONS_RESPONSE 35
PROBE_STATS_REQUEST 38
PROBE_STATS_RESPONSE 39
QUERY_ALERTS_REQUEST 44
QUERY_ALERTS_RESPONSE 45
QUERY_RESOURCES_REQUEST 48
QUERY_RESOURCES_RESPONSE 49
GREP_REQUEST 60
GREP_RESPONSE 61
KEYSPACE_REQUEST 70
KEYSPACE_RESPONSE 71
TOPPER_TREND_REQUEST 72
TOPPER_TREND_RESPONSE 73
STAB_PUBSUB_CTL 80
QUERY_FTS_REQUEST 90
QUERY_FTS_RESPONSE 91
TIMESLICES_REQUEST 92
TIMESLICES_RESPONSE 93
DELETE_ALERTS_REQUEST 94
METRICS_SUMMARY_REQUEST 95
METRICS_SUMMARY_RESPONSE 96
PCAP_SLICES_REQUEST 97
SERVICE_REQUEST 101
SERVICE_RESPONSE 102
CONFIG_REQUEST 103
CONFIG_RESPONSE 104
LOG_REQUEST 105
LOG_RESPONSE 106
CONTEXT_CREATE_REQUEST 108
CONTEXT_DELETE_REQUEST 109
CONTEXT_START_REQUEST 110
CONTEXT_STOP_REQUEST 111
CONTEXT_INFO_REQUEST 112
CONTEXT_INFO_RESPONSE 113
CONTEXT_CONFIG_REQUEST 114
CONTEXT_CONFIG_RESPONSE 115
DOMAIN_REQUEST 116
DOMAIN_RESPONSE 117
NODE_CONFIG_REQUEST 118
NODE_CONFIG_RESPONSE 119
ASYNC_REQUEST 120
ASYNC_RESPONSE 121
FILE_REQUEST 122
FILE_RESPONSE 123
SUBSYSTEM_INIT 124
SUBSYSTEM_EXIT 125
GRAPH_REQUEST 130
GRAPH_RESPONSE 131
### MeterInfo.MeterType

Types of meters from TrisulAPI.

Name Number Description
VT_INVALID 0
VT_RATE_COUNTER_WITH_SLIDING_WINDOW 1 this for top-N type counters
VT_COUNTER 2 basic counter, stores val in the raw
VT_COUNTER_WITH_SLIDING_WINDOW 3 use this for top-N type counters
VT_RATE_COUNTER 4 rate counter stores val/sec
VT_GAUGE 5 basic gauge
VT_GAUGE_MIN_MAX_AVG 6 gauge with 3 additional min/avg/max cols (auto)
VT_AUTO 7 automatic (eg, min/max/avg/stddev/)
VT_RUNNING_COUNTER 8 running counter, no delta calc
VT_AVERAGE 9 average of samples, total/sampl uses 32bt
VT_DELTA_RATE_COUNTER 10 link snmp running counter
### PcapFormat

Pcap: format.

Name Number Description
LIBPCAP 1 normal libpcap format *.pcap
UNSNIFF 2
LIBPCAPNOFILEHEADER 3 libpcap but without the pcap file header
### SubscribeCtl.CtlType
Name Number Description
CT_SUBSCRIBE 0
CT_UNSUBSCRIBE 1
### SubscribeCtl.StabberType
Name Number Description
ST_COUNTER_ITEM 0
ST_ALERT 1
ST_FLOW 2
ST_TOPPER 3
## Scalar Value Types

| .proto Type | Notes | C++ Type | Java Type | Python Type |
| --- | --- | --- | --- | --- |
| double | | double | double | float |
| float | | float | float | float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
| sfixed32 | Always four bytes. | int32 | int | int |
| sfixed64 | Always eight bytes. | int64 | long | int/long |
| bool | | bool | boolean | boolean |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |