Supported Protocols
The following table lists the protocols supported by the newest versions of Arkime. Arkime’s protocol support falls into two categories: classifiers and parsers.
Classifiers vs Parsers
A classifier identifies a protocol by matching known byte patterns or port numbers in the network traffic.
When Arkime classifies a session, it tags the session with the protocol name so you can filter on it (e.g. protocols == redis), but it does not extract any protocol-specific fields.
Classifiers are lightweight and allow Arkime to recognize a wide range of protocols with minimal overhead.
A parser goes further than classification. In addition to identifying the protocol, a parser deeply inspects the protocol’s content and extracts structured fields into the session metadata. For example, the DNS parser extracts query hostnames, response IPs, query types, and more. Parsed fields are fully searchable and viewable in Arkime’s UI.
Protocol Table
| Protocol | Type | ~Fields |
|---|---|---|
| ADB (Android Debug Bridge) | Parser | ~14 |
| Aerospike | Classifier | |
| ARP | Classifier | |
| Aruba PAPI | Classifier | |
| BACnet | Parser | ~4 |
| BGP | Parser | ~1 |
| Bitcoin | Classifier | |
| BitTorrent | Classifier | |
| BJNP (Canon Printing) | Classifier | |
| BSDP | Classifier | |
| C12.22 | Parser | ~6 |
| CAMEL | Parser | ~4 |
| Cassandra | Classifier | |
| DCE/RPC | Parser | ~5 |
| DHCP | Parser | ~8 |
| Diameter | Parser | ~8 |
| DNP3 | Parser | ~3 |
| DNS | Parser | ~41 |
| Dropbox LAN Sync | Classifier | |
| DTLS | Parser | ~2 |
| Elasticsearch | Classifier | |
| ES-IS | Classifier | |
| ESIO | Classifier | |
| Finger | Classifier | |
| Flash Policy | Classifier | |
| Gearman | Classifier | |
| GTP | Classifier | |
| Hadoop | Classifier | |
| HBase | Classifier | |
| Honeywell TCC | Classifier | |
| HSRP | Classifier | |
| HTTP | Parser | ~32 |
| HTTP/2 | Parser | ~6 |
| ICMP | Parser | ~2 |
| Ident | Classifier | |
| IGMP | Classifier | |
| IMAP | Parser | ~4 |
| IRC | Parser | ~2 |
| ISAKMP/IKE | Parser | ~9 |
| IS-IS | Classifier | |
| Kerberos | Parser | ~5 |
| LDAP | Parser | ~2 |
| LLDP | Classifier | |
| M3UA | Parser | ~1 |
| Memcached | Classifier | |
| Modbus | Parser | ~5 |
| MQTT | Parser | ~7 |
| MySQL | Parser | ~2 |
| NBDS | Classifier | |
| NBNS (NetBIOS Name Service) | Parser | ~5 |
| NFS | Classifier | |
| NSClient | Classifier | |
| NTP | Parser | ~4 |
| NZSQL (Netezza) | Classifier | |
| Omron FINS | Classifier | |
| OpenVPN | Classifier | |
| Oracle TNS | Parser | ~4 |
| OSPF | Classifier | |
| PANA | Parser | ~3 |
| PIM | Classifier | |
| PJL (Printer Job Language) | Classifier | |
| Plex GDM | Classifier | |
| POP3 | Classifier | |
| PostgreSQL | Parser | ~3 |
| PTP (Precision Time Protocol) | Parser | ~2 |
| QUIC | Parser | ~4 |
| RADIUS | Parser | ~4 |
| RDP | Parser | ~5 |
| Redis | Classifier | |
| RMI (Java) | Classifier | |
| RPC (ONC/Sun) | Classifier | |
| RTSP | Classifier | |
| S7comm (Siemens) | Parser | ~6 |
| Safet | Classifier | |
| Samsung SmartView | Classifier | |
| SCCP (Skinny) | Classifier | |
| SCTP | Classifier | |
| SIP | Parser | ~9 |
| SMB | Parser | ~9 |
| SMTP | Parser | ~19 |
| SNMP | Parser | ~6 |
| SOCKS | Parser | ~5 |
| Splunk | Classifier | |
| SSH | Parser | ~4 |
| SSDP | Classifier | |
| Steam Friends | Classifier | |
| Stream IHSCP | Classifier | |
| STUN/TURN | Parser | ~11 |
| Synchrophasor (IEEE C37.118) | Parser | ~6 |
| TCAP | Parser | ~3 |
| TDS (MS SQL) | Parser | ~1 |
| Telnet | Classifier | |
| TFTP | Parser | ~2 |
| Thrift | Classifier | |
| TLS/SSL | Parser | ~30 |
| Ubiquiti UBNT | Classifier | |
| Valve A2S | Classifier | |
| | Classifier | |
| Whois | Classifier | |
| WUDO | Classifier | |
| X11 | Classifier | |
| Zabbix | Classifier | |
| ZooKeeper | Classifier | |
The ~Fields column shows the approximate number of protocol-specific fields extracted by each parser. For TLS/SSL this includes certificate fields. The actual number of searchable fields may vary as Arkime continues to evolve.