Nick Russo PCAP Diagrams
Expand All
Collapse All
Browse A–Z
1070 captures · 41 protocols · 11 categories
🛣️
Routing Protocols
204
🔷
Babel
Routing
4
🎞️
babel v4v6 diversity intf
Babel routing protocol with interface-level diversity extension carrying IPv4 and IPv6 routes between neighbors.
🎞️
babel v4v6 diversity nonintf
Babel routing protocol with non-interface diversity metrics exchanging IPv4 and IPv6 routes between neighbors.
🎞️
babel v4v6 init
Babel neighbor initialization: Hello, IHU, Router-ID, Next-Hop and Update TLVs establishing IPv4/IPv6 adjacency.
🎞️
babel v4v6 timestamps
Babel IPv4/IPv6 exchange showing Hello/IHU timestamp TLVs used for RTT measurement between neighbors.
🔷
BGP
Routing
68
📂
ipv4
27
🎞️
bgp bmp basic init
BGP Monitoring Protocol initialization from a monitored router to BMP collector: Initiation, Peer Up Notifications and Route Monitoring updates.
🎞️
bgp v4 flowspec ibgp init
iBGP IPv4 Flowspec (SAFI 133) initialization distributing traffic filtering rules between speakers.
🎞️
bgp v4m ebgp init
eBGP IPv4 Multicast (SAFI 2) session initialization exchanging multicast RPF routes.
🎞️
bgp v4u confed ebgp init
Confederation eBGP IPv4 Unicast session initialization between member-AS peers: OPEN, KEEPALIVE and UPDATEs.
🎞️
bgp v4u ebgp agg as set
eBGP IPv4 Unicast showing aggregate-address with AS_SET: aggregator advertises summarized prefix carrying component ASNs.
🎞️
bgp v4u ebgp agg basic
eBGP IPv4 Unicast showing basic aggregate-address: summary prefix advertised with AGGREGATOR attribute, components suppressed.
🎞️
bgp v4u ebgp as4byte both init
eBGP IPv4 Unicast init between two 4-byte ASN speakers using AS4 capability (RFC 6793).
🎞️
bgp v4u ebgp as4byte interop init
eBGP IPv4 Unicast interop between 2-byte and 4-byte ASN speakers using AS4_PATH/AS4_AGGREGATOR attributes.
🎞️
bgp v4u ebgp carry v6u
eBGP session over IPv4 transport carrying IPv6 unicast NLRI via MP-BGP (AFI 2/SAFI 1).
🎞️
bgp v4u ebgp gr
eBGP IPv4 Unicast Graceful Restart: GR capability negotiated, End-of-RIB markers and stale route preservation across restart.
🎞️
bgp v4u ebgp init
eBGP IPv4 Unicast session initialization: OPEN/KEEPALIVE/UPDATE establishing adjacency between two ASes.
🎞️
bgp v4u ebgp qppb comm
eBGP IPv4 Unicast carrying community values used for QoS Policy Propagation via BGP (QPPB) classification.
🎞️
bgp v4u ebgp reset
eBGP IPv4 Unicast session reset via NOTIFICATION (Cease) followed by re-establishment OPEN/KEEPALIVE.
🎞️
bgp v4u ebgp route flap
eBGP IPv4 Unicast showing route flap: repeated UPDATE announce and withdraw cycles for the same prefix.
🎞️
bgp v4u ebgp tcpao aes128
eBGP IPv4 Unicast protected by TCP-AO (RFC 5925) with AES-128-CMAC MAC; session establishes successfully.
🎞️
bgp v4u ebgp tcpao sha1
eBGP IPv4 Unicast protected by TCP-AO with HMAC-SHA1 MAC; session establishes successfully.
🎞️
bgp v4u ebgp tcpao sha256
eBGP IPv4 Unicast protected by TCP-AO with HMAC-SHA256 MAC; session establishes successfully.
🎞️
bgp v4u ebgp ttlsec md5
eBGP IPv4 Unicast using GTSM (TTL security) and TCP MD5 authentication; session establishes successfully.
🎞️
bgp v4u ebgp wrong as
eBGP IPv4 Unicast with mismatched remote-AS: OPEN triggers NOTIFICATION Bad Peer AS, session fails.
🎞️
bgp v4u ebgp wrong md5
eBGP IPv4 Unicast with mismatched TCP MD5 key: TCP handshake fails, BGP session never establishes.
🎞️
bgp v4u ebgp wrong rid
eBGP IPv4 Unicast with duplicate/bad Router-ID in OPEN: NOTIFICATION Bad BGP Identifier, session fails.
🎞️
bgp v4u ibgp add paths
iBGP IPv4 Unicast with ADD-PATH capability (RFC 7911): multiple paths per prefix advertised with path identifiers.
🎞️
bgp v4u ibgp cost comm
iBGP IPv4 Unicast carrying Cisco Cost Community for fine-grained best-path tie-breaking.
🎞️
bgp v4u ibgp dmz linkbw
iBGP IPv4 Unicast carrying DMZ Link-Bandwidth extended community for BGP multipath load sharing.
🎞️
bgp v4u ibgp rr init
iBGP IPv4 Unicast Route Reflector initialization: client/RR session with ORIGINATOR_ID and CLUSTER_LIST.
🎞️
bgp v4u ibgp std comm
iBGP IPv4 Unicast advertising prefixes with standard BGP communities (RFC 1997).
🎞️
bgp v4u unnumbered
BGP Unnumbered (RFC 5549) over IPv6 link-local using IPv4 NLRI with IPv6 next-hop via extended next-hop capability.
📂
ipv6
23
🎞️
bgp v6 flowspec ibgp init
iBGP IPv6 Flowspec (AFI 2/SAFI 133) initialization distributing IPv6 traffic filtering rules between speakers.
🎞️
bgp v6m ebgp init
eBGP IPv6 Multicast (AFI 2/SAFI 2) session initialization exchanging IPv6 multicast RPF routes.
🎞️
bgp v6u confed ebgp init
Confederation eBGP IPv6 Unicast session initialization between member-AS peers: OPEN, KEEPALIVE and UPDATEs.
🎞️
bgp v6u ebgp agg as set
eBGP IPv6 Unicast aggregate-address with AS_SET: summary prefix advertised carrying component ASNs.
🎞️
bgp v6u ebgp agg basic
eBGP IPv6 Unicast basic aggregate-address: summary prefix advertised with AGGREGATOR, components suppressed.
🎞️
bgp v6u ebgp as4byte init
eBGP IPv6 Unicast init between 4-byte ASN speakers using AS4 capability (RFC 6793).
🎞️
bgp v6u ebgp carry v4u
eBGP session over IPv6 transport carrying IPv4 unicast NLRI via MP-BGP.
🎞️
bgp v6u ebgp gr
eBGP IPv6 Unicast Graceful Restart: GR capability, End-of-RIB markers and stale route preservation across restart.
🎞️
bgp v6u ebgp init
eBGP IPv6 Unicast session initialization: OPEN/KEEPALIVE/UPDATE establishing adjacency between two ASes.
🎞️
bgp v6u ebgp reset
eBGP IPv6 Unicast session reset via NOTIFICATION (Cease) followed by re-establishment OPEN/KEEPALIVE.
🎞️
bgp v6u ebgp route flap
eBGP IPv6 Unicast showing route flap: repeated UPDATE announce/withdraw cycles for the same prefix.
🎞️
bgp v6u ebgp tcpao aes128
eBGP IPv6 Unicast protected by TCP-AO with AES-128-CMAC MAC; session establishes successfully.
🎞️
bgp v6u ebgp tcpao sha1
eBGP IPv6 Unicast protected by TCP-AO with HMAC-SHA1 MAC; session establishes successfully.
🎞️
bgp v6u ebgp tcpao sha256
eBGP IPv6 Unicast protected by TCP-AO with HMAC-SHA256 MAC; session establishes successfully.
🎞️
bgp v6u ebgp ttlsec md5
eBGP IPv6 Unicast using GTSM (TTL security) with TCP MD5 authentication; session establishes successfully.
🎞️
bgp v6u ebgp wrong as
eBGP IPv6 Unicast with mismatched remote-AS: OPEN triggers NOTIFICATION Bad Peer AS, session fails.
🎞️
bgp v6u ebgp wrong md5
eBGP IPv6 Unicast with mismatched TCP MD5 key: TCP handshake fails, BGP session never establishes.
🎞️
bgp v6u ebgp wrong rid
eBGP IPv6 Unicast with duplicate/bad Router-ID in OPEN: NOTIFICATION Bad BGP Identifier, session fails.
🎞️
bgp v6u ibgp add paths
iBGP IPv6 Unicast with ADD-PATH capability advertising multiple paths per prefix with path identifiers.
🎞️
bgp v6u ibgp cost comm
iBGP IPv6 Unicast carrying Cisco Cost Community for best-path tie-breaking.
🎞️
bgp v6u ibgp dmz linkbw
iBGP IPv6 Unicast carrying DMZ Link-Bandwidth extended community for BGP multipath load sharing.
🎞️
bgp v6u ibgp rr init
iBGP IPv6 Unicast Route Reflector initialization: client/RR session with ORIGINATOR_ID and CLUSTER_LIST.
🎞️
bgp v6u ibgp std comm
iBGP IPv6 Unicast advertising prefixes with standard BGP communities (RFC 1997).
📂
mpls
18
🎞️
bgp evpn ibgp vlan
iBGP EVPN (AFI/SAFI 25/70) session exchanging MAC/IP advertisement and Ethernet Auto-Discovery routes for VLAN-based L2VPN.
🎞️
bgp linkstate ibgp
iBGP BGP-LS (AFI 16388) session distributing link-state NLRI (nodes, links, prefixes) from IGP to a BGP-LS consumer.
🎞️
bgp mdt ibgp init flow
iBGP MDT SAFI (66) session exchanging Multicast Distribution Tree NLRI for draft-rosen mVPN setup.
🎞️
bgp mvpn46 ibgp init
iBGP mVPN (MCAST-VPN SAFI 5) initialization for IPv4 and IPv6 with Intra-AS I-PMSI A-D routes between PEs.
🎞️
bgp mvpn46 ibgp ipmsi
iBGP mVPN IPv4/IPv6 exchange advertising I-PMSI (Inclusive PMSI) A-D routes for default MDT setup between PEs.
🎞️
bgp mvpn46 ibgp rpt join
iBGP mVPN IPv4/IPv6 advertising Shared-Tree (*,G) C-multicast Join routes (Type-6) between PEs.
🎞️
bgp mvpn46 ibgp spmsi
iBGP mVPN IPv4/IPv6 advertising S-PMSI (Selective PMSI) A-D routes (Type-3) to signal data MDT for high-rate groups.
🎞️
bgp mvpn46 ibgp spt join
iBGP mVPN IPv4/IPv6 advertising Source-Tree (S,G) C-multicast Join routes (Type-7) between PEs.
🎞️
bgp mvpn46 ibgp spt switch
iBGP mVPN IPv4/IPv6 showing SPT switchover: receiver PE transitioning from shared-tree to source-tree via Type-7 Join.
🎞️
bgp rtc ibgp init
iBGP Route Target Constrain (SAFI 132) initialization: PEs advertise RT memberships to filter VPN route distribution.
🎞️
bgp v4lu ebgp init
eBGP IPv4 Labeled-Unicast (SAFI 4) session initialization: OPEN, KEEPALIVE and UPDATE with MPLS labels.
🎞️
bgp v6lu ibgp init
iBGP IPv6 Labeled-Unicast (AFI 2/SAFI 4) session initialization with MPLS labels in UPDATE.
🎞️
bgp vpls ibgp bgp sig
iBGP VPLS (AFI 25/SAFI 65) with BGP auto-discovery and BGP signaling (RFC 4761) establishing pseudowires between PEs.
🎞️
bgp vpls ibgp ldp sig
iBGP VPLS auto-discovery (RFC 6074) with LDP pseudowire signaling between PEs for L2VPN transport.
🎞️
bgp vpnv46 flowspec ibgp init
iBGP VPNv4/VPNv6 Flowspec (SAFI 134) initialization distributing per-VRF traffic filtering rules.
🎞️
bgp vpnv46 ibgp init
iBGP VPNv4 and VPNv6 (SAFI 128) session initialization: MP-BGP UPDATEs with RD, labels and RT extended communities.
🎞️
bgp vpnv46 ibgp vrf eigrp
iBGP VPNv4/VPNv6 redistributing EIGRP PE-CE routes: EIGRP extended communities carried across the MPLS VPN core.
🎞️
bgp vpnv46 ibgp vrf ospf
iBGP VPNv4/VPNv6 redistributing OSPF PE-CE routes: OSPF Domain-ID and Route-Type extended communities carried across the VPN core.
🔷
EIGRP
Routing
35
📂
ipv4
18
🎞️
eigrp v4 init interop
EIGRP IPv4 neighbor initialization showing interop between classic and named-mode routers, with Hello, Update/INIT and Ack forming the adjacency.
🎞️
eigrp v4 init md5
EIGRP IPv4 neighbor formation with HMAC-MD5 authentication: authenticated Hellos and INIT Updates bring up the adjacency.
🎞️
eigrp v4 init noauth
EIGRP IPv4 neighbor initialization with no authentication: Hellos, INIT Update, Ack, and topology exchange establish adjacency.
🎞️
eigrp v4 init sha256
EIGRP IPv4 neighbor formation with HMAC-SHA-256 authentication: authenticated Hellos and INIT Updates bring up the adjacency.
🎞️
eigrp v4 init stub
EIGRP IPv4 adjacency where one router advertises stub flags in its Hello, restricting the routes it will advertise.
🎞️
eigrp v4 init ucast
EIGRP IPv4 unicast-neighbor adjacency using statically configured neighbor addressing instead of the 224.0.0.10 multicast Hellos.
🎞️
eigrp v4 ip unnumbered
EIGRP IPv4 adjacency formed over an IP-unnumbered interface, exchanging Hellos/Updates without a subnet on the link.
🎞️
eigrp v4 otp data
EIGRP Over-the-Top (OTP) IPv4 data-plane flow: LISP-encapsulated user traffic between sites after OTP adjacency is up.
🎞️
eigrp v4 otp init
EIGRP Over-the-Top (OTP) IPv4 control-plane initialization: EIGRP neighbors form over LISP with route exchange across the OTP overlay.
🎞️
eigrp v4 query reply
EIGRP IPv4 route-loss diffusing computation: a Query is flooded to neighbors and each returns a Reply so the router can pick a successor.
🎞️
eigrp v4 sia query reply
EIGRP IPv4 Stuck-in-Active recovery using SIA-Query/SIA-Reply to confirm the distant neighbor is still processing the active route.
🎞️
eigrp v4 stub noquery
EIGRP IPv4 stub behavior: queries are not sent toward the stub neighbor, demonstrating query-scope reduction.
🎞️
eigrp v4 stub query
EIGRP IPv4 topology where a stub router receives a query but, per stub rules, replies with Inaccessible rather than propagating.
🎞️
eigrp v4 wrong asn
EIGRP IPv4 adjacency fails because the routers are configured with mismatched Autonomous System numbers; Hellos are ignored.
🎞️
eigrp v4 wrong kvalues
EIGRP IPv4 adjacency fails due to mismatched K-values; peer logs K-value mismatch and the neighborship is torn down.
🎞️
eigrp v4 wrong md5
EIGRP IPv4 adjacency fails because of mismatched MD5 authentication keys; Hellos are dropped and no neighbor forms.
🎞️
eigrp v4 wrong sha256
EIGRP IPv4 adjacency fails due to mismatched SHA-256 authentication keys; Hellos are dropped and no neighbor forms.
🎞️
eigrp v4 wrong ucast
EIGRP IPv4 unicast-neighbor misconfiguration (one side unicast, other multicast, or wrong address), adjacency never forms.
📂
ipv6
17
🎞️
eigrp v6 init interop
EIGRP IPv6 neighbor initialization showing classic/named-mode interop over link-local addresses to FF02::A.
🎞️
eigrp v6 init md5
EIGRP IPv6 neighbor formation with HMAC-MD5 authentication bringing up the adjacency over link-local Hellos.
🎞️
eigrp v6 init noauth
EIGRP IPv6 neighbor initialization with no authentication; Hellos to FF02::A, INIT Update and Ack form the adjacency.
🎞️
eigrp v6 init sha256
EIGRP IPv6 neighbor formation with HMAC-SHA-256 authentication over link-local Hellos.
🎞️
eigrp v6 init stub
EIGRP IPv6 adjacency where one router advertises stub flags in Hello, restricting its advertised routes.
🎞️
eigrp v6 init ucast
EIGRP IPv6 unicast-neighbor adjacency using configured neighbor addresses rather than link-local multicast.
🎞️
eigrp v6 otp data
EIGRP Over-the-Top (OTP) IPv6 data-plane flow: LISP-encapsulated user traffic between sites after OTP adjacency is up.
🎞️
eigrp v6 otp init
EIGRP Over-the-Top (OTP) IPv6 control-plane initialization: EIGRP neighbors form over LISP with route exchange across the overlay.
🎞️
eigrp v6 query reply
EIGRP IPv6 diffusing computation: Query flooded and Replies returned so the router can choose a new successor.
🎞️
eigrp v6 sia query reply
EIGRP IPv6 Stuck-in-Active recovery using SIA-Query/SIA-Reply to keep the active route from timing out.
🎞️
eigrp v6 stub noquery
EIGRP IPv6 stub behavior: queries are suppressed toward the stub neighbor, reducing query scope.
🎞️
eigrp v6 stub query
EIGRP IPv6 topology where a stub router that does receive a query replies Inaccessible per stub rules.
🎞️
eigrp v6 wrong asn
EIGRP IPv6 adjacency fails due to mismatched AS numbers; Hellos are ignored by the peer.
🎞️
eigrp v6 wrong kvalues
EIGRP IPv6 adjacency fails due to mismatched K-values; peer logs K-value mismatch and tears down the neighbor.
🎞️
eigrp v6 wrong md5
EIGRP IPv6 adjacency fails because of mismatched MD5 authentication keys; Hellos are dropped.
🎞️
eigrp v6 wrong sha256
EIGRP IPv6 adjacency fails due to mismatched SHA-256 authentication keys; Hellos are dropped.
🎞️
eigrp v6 wrong ucast
EIGRP IPv6 unicast-neighbor misconfiguration, adjacency never forms.
🔷
IS-IS
Routing
18
🎞️
isis l1 bcast att init
IS-IS Level-1 initialization on a broadcast LAN where the DIS sets the attached bit to signal reachability to L2 backbone.
🎞️
isis l1 mismatch net
IS-IS Level-1 adjacency failure due to mismatched area (NET) addresses, so neighbors never progress past the Hello stage.
🎞️
isis l1 new ia route
IS-IS Level-1 injection of a new inter-area route, showing LSP flooding and SPF updates in response to the topology change.
🎞️
isis l1 p2p auth both md5 init
IS-IS L1 point-to-point adjacency bring-up with HMAC-MD5 authentication on both Hellos and LSP/CSNP/PSNP PDUs.
🎞️
isis l1 p2p auth both text init
IS-IS L1 p2p adjacency init using cleartext-password authentication on both Hello and LSP-class PDUs.
🎞️
isis l1 p2p auth hello md5 init
IS-IS L1 p2p init where only Hello PDUs are protected with HMAC-MD5 authentication while LSPs remain unauthenticated.
🎞️
isis l1 p2p auth hello text init
IS-IS L1 p2p init with cleartext authentication applied only to Hello PDUs during adjacency formation.
🎞️
isis l1 p2p auth pdu md5 init
IS-IS L1 p2p init with HMAC-MD5 authentication on LSP/CSNP/PSNP PDUs only, leaving Hellos unauthenticated.
🎞️
isis l1 p2p auth pdu text init
IS-IS L1 p2p init using cleartext-password authentication applied only to LSP-class PDUs.
🎞️
isis l1 p2p ol init
IS-IS L1 p2p adjacency initialization with the overload (OL) bit set, signaling the router should not be used for transit.
🎞️
isis l1 p2p pad first
IS-IS L1 p2p init where Hellos are padded to MTU only on the first few exchanges to verify MTU before trimming.
🎞️
isis l1 p2p pad never
IS-IS L1 p2p init with Hello padding disabled entirely, so PDUs are sent at minimum size from the start.
🎞️
isis l1l2 p2p ietf3way init
IS-IS L1/L2 p2p adjacency using the IETF 3-way handshake TLV to unambiguously confirm bidirectional reachability.
🎞️
isis l1l2 p2p narrow init
IS-IS L1/L2 p2p init using narrow (original) 6-bit TLV metrics for interface and IP reachability.
🎞️
isis l1l2 p2p wide init
IS-IS L1/L2 p2p init using wide-metric TLVs (TLV 22/135) enabling 24/32-bit metrics needed for MPLS-TE.
🎞️
isis l2 bcast dis change
IS-IS Level-2 broadcast LAN scenario showing a DIS election change and pseudonode LSP re-origination.
🎞️
isis l2 bcast init
IS-IS Level-2 adjacency initialization on a broadcast LAN including DIS election and CSNP/PSNP synchronization.
🎞️
isis l2 p2p gre init
IS-IS Level-2 p2p adjacency brought up across a GRE tunnel interface between two routers.
🔷
OSPF
Routing
67
📂
ospfv2
26
🎞️
ospfv2 add new prefix
OSPFv2 routers flood a new Type 1 Router LSA and ack it after an interface prefix is added, converging on the new route across the area.
🎞️
ospfv2 auth md5
OSPFv2 neighbor adjacency brought up using cryptographic MD5 authentication on Hello and DBD/LSU exchanges.
🎞️
ospfv2 auth sha256
OSPFv2 neighbor adjacency established using HMAC-SHA256 cryptographic authentication (RFC 5709) on all OSPF packets.
🎞️
ospfv2 auth text
OSPFv2 neighbor adjacency forms with simple plaintext password authentication in the OSPF header.
🎞️
ospfv2 dr election
OSPFv2 broadcast-segment DR/BDR election via Hello packets, with routers comparing priority and RID before forming full adjacencies with the DR.
🎞️
ospfv2 flood war
OSPFv2 LSA flooding war where two routers repeatedly flood newer instances of the same LSA, illustrating unstable re-origination behavior.
🎞️
ospfv2 lls disable
OSPFv2 adjacency bring-up with Link-Local Signaling (LLS) disabled; Hellos and DBDs omit the LLS block normally used for capability signaling.
🎞️
ospfv2 lsa1 lsa2
OSPFv2 flooding of Type 1 Router LSAs and Type 2 Network LSAs describing intra-area topology on a broadcast segment.
🎞️
ospfv2 lsa3
OSPFv2 Type 3 Summary LSAs originated by an ABR advertising inter-area prefixes into a connected area.
🎞️
ospfv2 lsa4
OSPFv2 Type 4 ASBR Summary LSAs originated by an ABR advertising reachability to an ASBR across area boundaries.
🎞️
ospfv2 lsa5 e1
OSPFv2 Type 5 AS External LSAs with metric-type E1 flooded throughout the OSPF domain for external redistributed prefixes.
🎞️
ospfv2 lsa5 e2
OSPFv2 Type 5 AS External LSAs with metric-type E2 (default) flooded throughout the OSPF domain for external redistributed prefixes.
🎞️
ospfv2 lsa6
OSPFv2 Type 6 Group Membership LSAs (MOSPF) used to advertise multicast group membership within an area.
🎞️
ospfv2 lsa7 n1
OSPFv2 Type 7 NSSA External LSAs with metric-type N1 originated inside an NSSA area for external prefixes, later translated to Type 5 at the ABR.
🎞️
ospfv2 lsa7 n2
OSPFv2 Type 7 NSSA External LSAs with metric-type N2 originated inside an NSSA area, subject to Type 7 to Type 5 translation at the NSSA ABR.
🎞️
ospfv2 mismatch net bcast p2p
OSPFv2 Hellos between a broadcast-type interface and a point-to-point-type interface fail to form adjacency due to network type mismatch.
🎞️
ospfv2 mtu mismatch
OSPFv2 neighbors get stuck in ExStart/Exchange because DBD packets advertise mismatched interface MTU values, blocking the adjacency.
🎞️
ospfv2 multi area
OSPFv2 topology spanning multiple areas with an ABR originating Type 3 summaries between area 0 and non-zero areas.
🎞️
ospfv2 net nonbcast
OSPFv2 Non-Broadcast (NBMA) network type adjacency where Hellos are unicast to manually configured neighbors and a DR is elected.
🎞️
ospfv2 net p2mp
OSPFv2 Point-to-Multipoint network type adjacency forming without DR/BDR, treating each neighbor as an individual point-to-point link.
🎞️
ospfv2 nssa init
OSPFv2 NSSA area initial adjacency with the N-bit set in Hello options, enabling Type 7 LSAs inside the NSSA.
🎞️
ospfv2 prefix supp
OSPFv2 prefix suppression in action: interface prefixes are omitted from Router LSAs, shrinking the LSDB while preserving transit connectivity.
🎞️
ospfv2 stub init
OSPFv2 stub area initial adjacency with the E-bit cleared in Hello options, preventing Type 5 external LSAs from entering the area.
🎞️
ospfv2 ttl security
OSPFv2 neighbor adjacency protected by GTSM TTL security, accepting only packets arriving with TTL equal to 255 for spoofing protection.
🎞️
ospfv2 unnumbered init
OSPFv2 adjacency over an IP unnumbered point-to-point link, forming full neighbor state without a subnet on the interface.
🎞️
ospfv2 vl over area1
OSPFv2 virtual link tunneled across non-backbone area 1 to reconnect a disconnected ABR to the backbone area 0.
📂
ospfv3_v4
20
🎞️
ospfv3 v4 add new prefix
OSPFv3 for IPv4 address family floods updated Router/Intra-Area-Prefix LSAs after a new IPv4 prefix is added to an interface.
🎞️
ospfv3 v4 auth sha256
OSPFv3 for IPv4 AF with IPsec/authentication trailer using HMAC-SHA256 to authenticate OSPFv3 packets between neighbors.
🎞️
ospfv3 v4 dr election
OSPFv3 for IPv4 broadcast DR/BDR election driven by Hello priorities and Router IDs before full adjacencies form with the DR.
🎞️
ospfv3 v4 esp null
OSPFv3 for IPv4 adjacency protected by IPsec ESP with null encryption, providing integrity without confidentiality on OSPF packets.
🎞️
ospfv3 v4 flood war
OSPFv3 for IPv4 flooding war with routers repeatedly re-originating newer sequence numbers of the same LSA, an unstable LSDB condition.
🎞️
ospfv3 v4 lsa2001 2002 0008 2009
OSPFv3 for IPv4 flooding Router (0x2001), Network (0x2002), Link (0x0008), and Intra-Area-Prefix (0x2009) LSAs describing the topology.
🎞️
ospfv3 v4 lsa2003
OSPFv3 for IPv4 Inter-Area-Prefix LSAs (type 0x2003) originated by an ABR to advertise inter-area IPv4 prefixes.
🎞️
ospfv3 v4 lsa2004
OSPFv3 for IPv4 Inter-Area-Router LSAs (type 0x2004) advertising ASBR reachability across area boundaries.
🎞️
ospfv3 v4 lsa2007 n1
OSPFv3 for IPv4 NSSA External LSAs (type 0x2007) with metric type N1 originated inside an NSSA area.
🎞️
ospfv3 v4 lsa2007 n2
OSPFv3 for IPv4 NSSA External LSAs (type 0x2007) with metric type N2 inside an NSSA area, translated to 0x4005 at the ABR.
🎞️
ospfv3 v4 lsa4005 e1
OSPFv3 for IPv4 AS-External LSAs (type 0x4005) with metric type E1 flooded domain-wide for external redistributed IPv4 prefixes.
🎞️
ospfv3 v4 lsa4005 e2
OSPFv3 for IPv4 AS-External LSAs (type 0x4005) with default metric type E2 flooded domain-wide for external redistributed IPv4 prefixes.
🎞️
ospfv3 v4 mismatch net bcast p2p
OSPFv3 for IPv4 Hellos fail to form adjacency due to a network-type mismatch between broadcast and point-to-point interfaces.
🎞️
ospfv3 v4 mtu mismatch
OSPFv3 for IPv4 neighbors stall in ExStart/Exchange because DBD MTU values disagree, blocking database exchange.
🎞️
ospfv3 v4 multi area
OSPFv3 for IPv4 deployment spanning multiple areas, with an ABR originating Inter-Area-Prefix LSAs between backbone and non-zero areas.
🎞️
ospfv3 v4 net nonbcast
OSPFv3 for IPv4 Non-Broadcast network-type adjacency with unicast Hellos to configured neighbors and DR election.
🎞️
ospfv3 v4 net p2mp
OSPFv3 for IPv4 Point-to-Multipoint network-type adjacency forming without DR/BDR across multiple neighbors.
🎞️
ospfv3 v4 nssa init
OSPFv3 for IPv4 NSSA area bring-up with the N-bit in Hello options, enabling type 0x2007 NSSA External LSAs.
🎞️
ospfv3 v4 prefix supp
OSPFv3 for IPv4 prefix suppression: interface prefixes are omitted from Intra-Area-Prefix LSAs while transit links stay reachable.
🎞️
ospfv3 v4 stub init
OSPFv3 for IPv4 stub area bring-up with the E-bit cleared, blocking AS-External (0x4005) LSAs from entering the area.
📂
ospfv3_v6
21
🎞️
ospfv3 v6 add new prefix
OSPFv3 for IPv6 floods updated Router and Intra-Area-Prefix LSAs after a new IPv6 prefix is added to an interface.
🎞️
ospfv3 v6 auth sha256
OSPFv3 for IPv6 with the OSPFv3 authentication trailer using HMAC-SHA256 to protect packets between neighbors.
🎞️
ospfv3 v6 dr election
OSPFv3 for IPv6 broadcast DR/BDR election via Hellos before full adjacencies form with the elected DR.
🎞️
ospfv3 v6 esp null
OSPFv3 for IPv6 adjacency secured by IPsec ESP with null encryption, providing integrity without encryption.
🎞️
ospfv3 v6 flood war
OSPFv3 for IPv6 flooding war where routers continuously re-originate newer instances of the same LSA, an unstable condition.
🎞️
ospfv3 v6 lsa2001 2002 0008 2009
OSPFv3 for IPv6 flooding Router, Network, Link, and Intra-Area-Prefix LSAs (0x2001/0x2002/0x0008/0x2009) describing topology and prefixes.
🎞️
ospfv3 v6 lsa2003
OSPFv3 for IPv6 Inter-Area-Prefix LSAs (0x2003) originated by an ABR advertising inter-area IPv6 prefixes.
🎞️
ospfv3 v6 lsa2004
OSPFv3 for IPv6 Inter-Area-Router LSAs (0x2004) advertising ASBR reachability across area boundaries.
🎞️
ospfv3 v6 lsa2007 n1
OSPFv3 for IPv6 NSSA External LSAs (0x2007) with metric type N1 originated inside an NSSA area.
🎞️
ospfv3 v6 lsa2007 n2
OSPFv3 for IPv6 NSSA External LSAs (0x2007) with metric type N2 inside an NSSA, translated to 0x4005 at the ABR.
🎞️
ospfv3 v6 lsa4005 e1
OSPFv3 for IPv6 AS-External LSAs (0x4005) with metric type E1 flooded domain-wide for redistributed external IPv6 prefixes.
🎞️
ospfv3 v6 lsa4005 e2
OSPFv3 for IPv6 AS-External LSAs (0x4005) with default metric type E2 flooded domain-wide for redistributed external IPv6 prefixes.
🎞️
ospfv3 v6 mismatch net bcast p2p
OSPFv3 for IPv6 Hellos fail to form adjacency due to broadcast vs point-to-point network-type mismatch between interfaces.
🎞️
ospfv3 v6 mtu mismatch
OSPFv3 for IPv6 neighbors stall in ExStart/Exchange because DBD interface MTU values disagree.
🎞️
ospfv3 v6 multi area
OSPFv3 for IPv6 deployment spanning multiple areas with an ABR originating Inter-Area-Prefix LSAs between backbone and non-zero areas.
🎞️
ospfv3 v6 net nonbcast
OSPFv3 for IPv6 Non-Broadcast network-type adjacency using unicast Hellos to configured neighbors with DR election.
🎞️
ospfv3 v6 net p2mp
OSPFv3 for IPv6 Point-to-Multipoint network-type adjacency forming per-neighbor without DR/BDR.
🎞️
ospfv3 v6 nssa init
OSPFv3 for IPv6 NSSA area bring-up with the N-bit in Hello options, enabling NSSA External (0x2007) LSAs.
🎞️
ospfv3 v6 prefix supp
OSPFv3 for IPv6 prefix suppression omits interface prefixes from Intra-Area-Prefix LSAs while preserving transit reachability.
🎞️
ospfv3 v6 stub init
OSPFv3 for IPv6 stub area bring-up with the E-bit cleared, blocking AS-External (0x4005) LSAs from the area.
🎞️
ospfv3 v6 vl over area1
OSPFv3 for IPv6 virtual link tunneled across non-backbone area 1 to reconnect an ABR to backbone area 0.
🔷
RIP
Routing
12
🎞️
rip ng init
RIPng initial exchange over IPv6 UDP 521 with Request and Response messages seeding the IPv6 routing tables between neighbors.
🎞️
rip ng reach
RIPng Response messages advertising a reachable IPv6 prefix with a valid metric (under 16) between neighbors.
🎞️
rip ng unreach
RIPng Response messages advertising an unreachable IPv6 prefix with metric 16 (infinity) to trigger route poisoning.
🎞️
rip v1 init
RIPv1 initial exchange over IPv4 UDP 520 with broadcast Request and Response messages populating initial routing tables.
🎞️
rip v1 reach
RIPv1 Response messages advertising a reachable IPv4 network with a valid hop-count metric (under 16).
🎞️
rip v1 unreach
RIPv1 Response messages advertising an unreachable IPv4 network with metric 16 (infinity) to poison the route.
🎞️
rip v2 init md5
RIPv2 initial exchange over UDP 520 with multicast 224.0.0.9 Request/Response messages authenticated using MD5 keyed hashing.
🎞️
rip v2 init noauth
rip_v2_init_noauth: R1 and R2 exchange RIPv2 Requests and Responses via the RIP multicast group (224.0.0.9) with no authentication, completing initial route advertisement.
🎞️
rip v2 init text
rip_v2_init_text: R1 and R2 bring up a RIPv2 adjacency over the RIP multicast group using plaintext password authentication; Requests are followed by Responses carrying routes.
🎞️
rip v2 init ucast bcast
rip_v2_init_ucast_bcast: R2 issues a broadcast RIPv2 Request then Responses are sent both via broadcast and unicast (R1 to R2), illustrating mixed RIP neighbor update styles.
🎞️
rip v2 reach vlsm
rip_v2_reach_vlsm: R1 and R2 multicast RIPv2 Responses advertising reachable VLSM prefixes, showing that RIPv2 (unlike RIPv1) carries subnet masks per route.
🎞️
rip v2 unreach
rip_v2_unreach: R1 and R2 flood many RIPv2 Responses on the RIP multicast group, poisoning unreachable prefixes with metric 16 as part of RIP's triggered-update convergence.
🔀
Switching & Layer 2
72
🔷
Layer 2
Ethernet / PPP / Frame Relay
29
📂
ethernet
14
🎞️
eth dot1ad etype 88A8
802.1ad Q-in-Q with the standard 0x88A8 S-Tag EtherType, showing double-tagged provider-bridged Ethernet frames.
🎞️
eth dot1ad etype 9100
802.1ad-style Q-in-Q using legacy 0x9100 outer EtherType for S-Tag, commonly seen on older provider-bridge gear.
🎞️
eth dot1ad etype 9200
802.1ad-style Q-in-Q using legacy 0x9200 outer EtherType for the service tag on older vendor implementations.
🎞️
eth dot1ah priority dei
802.1ah MAC-in-MAC (PBB) frame demonstrating I-Tag priority and DEI bit encoding in a provider-backbone-bridged network.
🎞️
eth dot1q priority dei
802.1Q VLAN-tagged frame showing PCP priority and DEI (drop-eligible) bits in the TCI field.
🎞️
eth dot1q trunk
802.1Q trunk link carrying multiple VLAN-tagged frames between switches, identifying each frame by VLAN ID.
🎞️
eth isl trunk
Cisco ISL trunk encapsulation, legacy VLAN tagging that wraps Ethernet frames in a 26-byte ISL header.
🎞️
eth jumbo frames
Ethernet jumbo frames exceeding the standard 1500-byte MTU, showing large-payload transmission on capable links.
🎞️
eth pppoe basic
Basic PPPoE session: Discovery (PADI/PADO/PADR/PADS) followed by LCP/IPCP negotiation over the established session.
🎞️
eth pppoe bng
PPPoE session to a Broadband Network Gateway, including PPPoE discovery and subscriber PPP authentication/IPCP.
🎞️
eth pppoe cisco ftd confrej
PPPoE session to a Cisco FTD where LCP Configure-Reject is sent for unsupported options, showing negotiation fallback.
🎞️
eth qinisl
Q-in-ISL encapsulation where 802.1Q-tagged frames are further wrapped inside a legacy Cisco ISL trunk header.
🎞️
eth qinq tunnel
Q-in-Q service provider tunnel double-tagging customer VLANs with an outer S-Tag to transport them transparently.
🎞️
eth untagged
Plain untagged Ethernet frames on an access port with no VLAN tag in the header.
📂
serial
15
🎞️
atm aal5snap
ATM AAL5 with LLC/SNAP encapsulation carrying IP traffic across a PVC, typical of classical IP-over-ATM.
🎞️
fr cisco
Frame Relay with Cisco proprietary encapsulation on a PVC, commonly used between Cisco routers.
🎞️
fr de fecn becn
Frame Relay frames illustrating congestion signaling via the DE, FECN, and BECN bits in the address field.
🎞️
fr eth bridging
Frame Relay bridging Ethernet frames over a PVC using RFC 1490/2427 bridged encapsulation.
🎞️
fr ietf
Frame Relay with IETF (RFC 2427) multiprotocol encapsulation carrying IP over a PVC.
🎞️
hdlc cisco
Cisco HDLC encapsulation on a serial link, using the proprietary 4-byte header to multiplex IP and CDP.
🎞️
ppp chap failure
PPP link where CHAP authentication fails: the authenticator returns Failure after validating the peer's response.
🎞️
ppp chap refuse
PPP negotiation in which the peer refuses CHAP via LCP Configure-Reject/Nak, forcing a different auth method or teardown.
🎞️
ppp chap success
PPP link bring-up with successful CHAP authentication, followed by NCP (IPCP) negotiation to bring up IP.
🎞️
ppp ipcp protrej
PPP IPCP negotiation where one side sends Protocol-Reject for IPCP, preventing IP from coming up over the link.
🎞️
ppp noauth
PPP link bring-up with no authentication configured: LCP opens and NCPs negotiate immediately.
🎞️
ppp pap failure
PPP link where PAP authentication fails: the authenticator returns Authenticate-Nak and the link is torn down.
🎞️
ppp pap refuse
PPP negotiation where the peer refuses PAP via LCP Configure-Reject/Nak, refusing to use the cleartext method.
🎞️
ppp pap success
PPP link bring-up with successful PAP authentication (Authenticate-Ack), followed by NCP negotiation.
🎞️
ppp pfc confrej
PPP LCP negotiation where Protocol Field Compression is rejected via Configure-Reject, so PFC is not used on the link.
🔷
Legacy
IPX / AppleTalk / DECnet
10
🎞️
appletalk phase1 init
AppleTalk Phase 1 initialization showing legacy non-extended AARP/RTMP exchanges on a single network number.
🎞️
appletalk phase2 routing
AppleTalk Phase 2 routing with extended network ranges, exchanging RTMP updates and ZIP zone information between routers.
🎞️
clns isis l2 routing
CLNS network carrying IS-IS Level-2 routing PDUs, showing pure OSI routing without an IP overlay.
🎞️
clns iso igrp routing
CLNS network running Cisco's ISO-IGRP distance-vector routing protocol to exchange NSAP reachability information.
🎞️
decnet dna routing
DECnet Phase IV DNA routing exchange showing Hello and Level-1 routing messages between DECnet nodes.
🎞️
dlsw bridging init
DLSw (Data Link Switching) initialization between peers, establishing TCP capabilities exchange to bridge SNA/NetBIOS over IP.
🎞️
ipx eigrp routing
Novell IPX network running Cisco EIGRP for IPX, exchanging Hello and Update packets to advertise IPX routes.
🎞️
ipx network arpa init
IPX network initialization using Ethernet II (ARPA) framing, showing RIP/SAP exchanges on the segment.
🎞️
ipx network novell init
IPX network initialization using Novell raw 802.3 framing (ethernet_ii disabled), with RIP/SAP traffic.
🎞️
ipx network snap init
IPX network initialization using 802.2 LLC/SNAP framing to carry IPX RIP and SAP on the LAN.
🔷
Non-IP
ARP / CDP / LLDP / LACP
20
📂
arp
5
🎞️
arp broadcast
Standard ARP resolution: broadcast Request for an IPv4 address and unicast Reply from the owning host with its MAC.
🎞️
arp gratuitous
Gratuitous ARP: host broadcasts an ARP announcing its own IP→MAC binding, used for duplicate address detection and cache updates.
🎞️
arp proxy
Proxy ARP: a router answers ARP requests on behalf of a host on another subnet, replying with its own MAC.
🎞️
arp unicast
Unicast ARP Request/Reply (RFC 5227): targeted ARP refresh between two known peers rather than broadcasting.
🎞️
rarp
Reverse ARP request and reply, where a station broadcasts its MAC address asking the network for its assigned IPv4 address (legacy bootstrap mechanism).
📂
misc
9
🎞️
cdp
Cisco Discovery Protocol neighbor advertisement: device multicasts CDP frame with device ID, platform, capabilities and port info.
🎞️
dtp
Dynamic Trunking Protocol frames negotiate trunking mode (desirable/auto) between two Cisco switch ports.
🎞️
lacp
IEEE 802.3ad LACP exchange: partners send LACPDUs negotiating Actor/Partner state until the link aggregation bundle becomes active.
🎞️
lldp
Link Layer Discovery Protocol advertisement: device multicasts LLDP frame with chassis/port IDs and TLVs describing capabilities.
🎞️
n9k vpc peer cfs
Cisco Nexus 9000 vPC peers exchange CFS (Cisco Fabric Services) messages over the peer link to synchronize vPC configuration and state between the two peer switches.
🎞️
n9k vpc peer ka
Cisco Nexus 9000 vPC peer keepalive heartbeats exchanged over a dedicated management path to detect peer liveness and prevent dual-active (split-brain) conditions.
🎞️
pagp
Cisco PAgP (Port Aggregation Protocol) hello exchange between switches negotiating EtherChannel bundle membership on participating links.
🎞️
udld aggressive
Cisco UDLD in aggressive mode exchanges unidirectional link detection hellos; aggressive mode err-disables the port on loss to protect against one-way link faults.
🎞️
udld standard
Cisco UDLD in standard (normal) mode exchanges periodic neighbor hellos to detect unidirectional Ethernet links without forcing an err-disable on loss.
📂
vtp
6
🎞️
vtp v2 vlan add
VTP version 2 summary and subset advertisements propagating a VLAN addition from the VTP server to clients, incrementing the domain revision.
🎞️
vtp v2 vlan delete
VTP version 2 summary and subset advertisements propagating a VLAN deletion across the VTP domain, with an incremented configuration revision.
🎞️
vtp v3 mst
VTP version 3 advertisements carrying MST (Multiple Spanning Tree) region configuration updates across VTPv3 primary and secondary servers.
🎞️
vtp v3 vlan add
VTP version 3 advertisements propagating a VLAN addition from the VTPv3 primary server through the domain using authenticated summary and subset frames.
🎞️
vtp v3 vlan delete
VTP version 3 advertisements propagating a VLAN deletion from the primary server to VTPv3 clients and secondary servers across the domain.
🎞️
vtp v3 vlan init
VTP version 3 initial domain bring-up with summary, subset, and request advertisements synchronizing VLAN database state between primary server and peers.
🔷
STP
RSTP / PVST / MST
13
🎞️
nonstp flexlink
nonstp_flexlink: Cisco FlexLink pair (non-STP): after active link failure, SW-F ports send L2 MAT (MAC Address Table) Flush frames to the Cisco multicast group for ARP/LLC/IPX; ICMP between SW1 and SW2 resumes after failover.
📂
mst
5
🎞️
mst bpdu
mst_bpdu: Single MST BPDU observed: SW1 sends an RSTP Agreement to the STP multicast group, showing the MSTI agreement frame format.
🎞️
mst interregion change
mst_interregion_change: Inter-region MST topology change: SW3 Proposes, SW4 Agrees then floods RSTP Topology Change notifications; SW3 continues sending Agreements to stabilize.
🎞️
mst pvst sim bpdu
mst_pvst_sim_bpdu: SW3 in MST PVST-simulation mode emits legacy STP Config BPDUs to both the Cisco PVST+ and IEEE STP multicast addresses, ensuring interop with PVST neighbors.
🎞️
mst pvst sim vlan10 fail
mst_pvst_sim_vlan10_fail: In MST/PVST simulation, SW3 sends STP Config BPDUs while SW4 keeps raising RSTP Topology Change; indicates PVST simulation failure for VLAN 10 (inconsistent blocking).
🎞️
mst topo change
mst_topo_change: SW1 sends RSTP Agreements and Topology Change BPDUs, SW3 injects an RSTP Proposal, and SW1 re-agrees as the MST topology reconverges.
📂
pvst
7
🎞️
bpdu dispute
bpdu_dispute: SW3 keeps sending RSTP Proposals while SW4 responds with RSTP Forwarding (agreement-less), illustrating an STP dispute condition on a half-duplex link.
🎞️
pvst bpdu
pvst_bpdu: SW1 emits RSTP Topology Change BPDUs to both the Cisco PVST+ and IEEE STP multicast groups, the basic per-VLAN PVST+ BPDU format.
🎞️
pvst topo change
pvst_topo_change: SW3 triggers topology change with STP TCNs and Config BPDUs; SW1 (root) acknowledges by sending Config BPDUs and then RSTP Topology Change floods to PVST+.
🎞️
pvst uplinkfast
pvst_uplinkfast: UplinkFast on SW-C: SW-C sends STP Config BPDUs, then on uplink failure injects multiple RSTP Topology Change BPDUs toward PVST+ to flush upstream MAC tables quickly.
🎞️
rpvst bpdu
rpvst_bpdu: SW3 sends RSTP Topology Change BPDUs on both Cisco PVST+ and IEEE STP multicast addresses, illustrating Rapid PVST+ BPDU format.
🎞️
rpvst to pvst
rpvst_to_pvst: RPVST (SW4) interoperates with legacy PVST peer (SW3): SW4 floods RSTP Topology Change while SW3 answers with classic RSTP Proposals, later joining in Topology Change flooding.
🎞️
rpvst topo change
rpvst_topo_change: Rapid PVST+ convergence: SW3 sends RSTP Proposals, SW1 (root) responds with RSTP Forwarding/Agreement, followed by RSTP Topology Change flooding to reconverge.
🌐
IP Services
82
🔷
BFD
Detection
7
🎞️
bfd auth fail
BFD session with authentication mismatch between peers: control packets exchanged but authentication fails, session never reaches Up.
🎞️
bfd echo noauth
BFD asynchronous session plus Echo function between peers, no authentication; session reaches Up state.
🎞️
bfd echo sha1
BFD asynchronous session with Echo function and SHA1 keyed authentication between peers; session reaches Up.
🎞️
bfd mhop noauth
BFD Multihop session (UDP/4784) between non-adjacent peers without authentication; session transitions to Up.
🎞️
bfd mhop sha1
BFD Multihop session (UDP/4784) with SHA1 authentication between non-adjacent peers; session reaches Up.
🎞️
bfd noecho noauth
BFD asynchronous-only session (no Echo) without authentication; Down/Init/Up state transitions between peers.
🎞️
bfd noecho sha1
BFD asynchronous-only session (no Echo) with SHA1 keyed authentication between peers; session reaches Up.
🔷
Diagnostics
ICMP / IP SLA
16
📂
ipsla
8
🎞️
ipsla icmp jitter
Cisco IP SLA ICMP jitter probe sending timed ICMP echo bursts between source and responder to measure latency/jitter/loss.
🎞️
ipsla path echo
Cisco IP SLA Path Echo: hop-by-hop probing along the route using increasing-TTL ICMP echoes to measure per-hop reachability.
🎞️
ipsla path jitter
Cisco IP SLA Path Jitter: per-hop jitter measurements along the traceroute path between source and responder.
🎞️
ipsla tcp connect
Cisco IP SLA TCP Connect probe measuring TCP three-way-handshake completion time to a target port.
🎞️
ipsla udp echo
Cisco IP SLA UDP Echo operation between source and IP SLA Responder measuring round-trip time.
🎞️
ipsla voice g711alaw
Cisco IP SLA Voice (UDP jitter) using G.711 A-law payload to estimate MOS/ICPIF quality between source and responder.
🎞️
ipsla voice g711ulaw
Cisco IP SLA Voice (UDP jitter) using G.711 u-law payload to estimate MOS/ICPIF voice quality.
🎞️
ipsla voice g729a
Cisco IP SLA Voice (UDP jitter) using G.729a payload simulating compressed-codec voice to estimate MOS/ICPIF.
📂
service
8
🎞️
service tcp chargen
TCP Chargen (RFC 864, port 19) service streaming a repeating character pattern to the connected client until disconnect.
🎞️
service tcp daytime
TCP Daytime (RFC 867, port 13) service returning the current date/time as ASCII then closing the connection.
🎞️
service tcp discard
TCP Discard (RFC 863, port 9) service silently consuming and discarding all data sent by the client.
🎞️
service tcp echo
TCP Echo (RFC 862, port 7) service echoing each byte the client sends back over the same connection.
🎞️
service tcp finger
TCP Finger (RFC 1288, port 79) query returning user/login information to the requesting client.
🎞️
service udp chargen
UDP Chargen (RFC 864, port 19) service replying to each datagram with a randomly-sized character-pattern response.
🎞️
service udp discard
UDP Discard (RFC 863, port 9) service silently dropping each datagram received, producing no response.
🎞️
service udp echo
UDP Echo (RFC 862, port 7) service echoing each received datagram back to the sender unchanged.
🔷
Extras
IPv4 Options / Fragments
18
📂
ipv4_options
7
🎞️
ipv4 fragments
IPv4 fragmented datagram flow where a large payload is split into multiple fragments and reassembled at the destination based on identification and fragment offset.
🎞️
ipv4 option lsr success
IPv4 Loose Source Routing option success flow, where a packet traverses specified intermediate hops and reaches the destination via the LSR-directed path.
🎞️
ipv4 option record
IPv4 Record Route option probe, with each router along the path appending its IP address to the option field for path visibility.
🎞️
ipv4 option ssr param problem
IPv4 Strict Source Routing failing with an ICMP Parameter Problem response, indicating a router could not honor the strict next-hop requirement.
🎞️
ipv4 option ssr return fail
IPv4 Strict Source Route forward succeeds but the return path fails, showing asymmetric routing breakage when SSR cannot be satisfied on the reverse leg.
🎞️
ipv4 option ssr success
IPv4 Strict Source Routing success flow where the packet traverses the exact hop list specified in the SSR option and is delivered to the destination.
🎞️
ipv4 option timestamp
IPv4 Timestamp option probe where each router stamps its time (and optionally address) into the IP header, useful for latency and path analysis.
📂
ipv6_extheader
9
🎞️
ipv6 extheader ah v6v4
IPv6-over-IPv4 tunneled traffic carrying an IPsec Authentication Header extension, providing integrity and origin authentication across the transition tunnel.
🎞️
ipv6 extheader ah v6v6
Pure IPv6 flow with an Authentication Header extension, authenticating the packet end-to-end without encryption.
🎞️
ipv6 extheader dest
IPv6 packet carrying a Destination Options extension header, delivering options processed only by the final destination node.
🎞️
ipv6 extheader esp v6v4
IPv6-in-IPv4 tunnel carrying an ESP-encrypted payload, showing IPsec confidentiality applied over a transition tunnel.
🎞️
ipv6 extheader esp v6v6
Native IPv6 flow protected by an IPsec ESP extension header, providing encrypted confidential transport end-to-end.
🎞️
ipv6 extheader hopbyhop
IPv6 packet with a Hop-by-Hop Options extension header processed by every router along the path, used for features like Jumbo payloads or router alerts.
🎞️
ipv6 extheader hopbyhop dest
IPv6 packet carrying both Hop-by-Hop and Destination Options extension headers in a single datagram, demonstrating chained extension-header processing.
🎞️
ipv6 extheader routing
IPv6 packet with a Routing extension header specifying intermediate nodes to visit, analogous to IPv4 source routing for explicit path steering.
🎞️
ipv6 fragments
IPv6 flow using the Fragment extension header at the source, splitting a large datagram for reassembly at the destination (IPv6 does not fragment in-transit).
📂
misc
2
🎞️
udp lite v4
UDP-Lite over IPv4 flow where only a partial checksum covers the header and a portion of the payload, useful for loss-tolerant real-time media.
🎞️
udp lite v6
UDP-Lite over IPv6 flow with partial-checksum coverage, delivering loss-tolerant payloads where corrupted bytes may still be useful to the application.
🔷
FHRP
HSRP / VRRP / GLBP
13
📂
ipv4
6
🎞️
hsrp v1 fail and preempt
HSRPv1 failure and preempt scenario where the active router goes down, a standby takes over, then a higher-priority router preempts to reclaim the active role.
🎞️
hsrp v1 init
HSRPv1 initialization with Hello messages electing the active and standby routers for the virtual IP gateway.
🎞️
irdp broadcast
ICMP Router Discovery Protocol using broadcast Router Advertisements and Solicitations so hosts can learn default gateways on the LAN.
🎞️
irdp multicast
ICMP Router Discovery Protocol using multicast Router Advertisements to 224.0.0.1, with host Solicitations to 224.0.0.2 learning available gateways.
🎞️
vrrp v2 fail and preempt
VRRPv2 failover and preempt flow where the master fails, a backup promotes to master, then a higher-priority router preempts to reclaim mastership.
🎞️
vrrp v2 init
VRRPv2 initialization with multicast Advertisements on 224.0.0.18 electing the master router for the virtual IP address.
📂
ipv6
7
🎞️
anycast failover
Anycast first-hop redundancy failover where the active next-hop becomes unreachable and clients transparently converge on a secondary anycast instance.
🎞️
glbp avf failover
GLBP Active Virtual Forwarder failover, where a secondary AVF assumes forwarding responsibility for a virtual MAC after the primary AVF fails.
🎞️
glbp init
GLBP initialization with Hello and Request/Response messages electing the Active Virtual Gateway and assigning virtual MACs to Active Virtual Forwarders.
🎞️
hsrp v2 fail and preempt
HSRPv2 failover and preempt flow over IPv4/IPv6, demonstrating active-router loss, standby promotion, and subsequent preemption by a higher-priority peer.
🎞️
hsrp v2 init
HSRPv2 startup with Hellos using the 224.0.0.102 multicast group, electing active and standby routers for the virtual gateway.
🎞️
vrrp v3 fail and preempt
VRRPv3 failure and preempt flow supporting IPv4/IPv6, with master loss, backup takeover, and higher-priority preemption.
🎞️
vrrp v3 init
VRRPv3 initialization exchanging Advertisements to elect the master router for both IPv4 and IPv6 virtual addresses.
🔷
ICMP
Ping / Traceroute / NDP
14
📂
ipv4
7
🎞️
address mask
ICMP Address Mask Request and Reply, where a host queries its subnet mask and a router responds with the correct mask for the interface.
🎞️
information
Legacy ICMP Information Request/Reply exchange, originally used for hosts to discover the network number before BOOTP/DHCP existed.
🎞️
mobile adv
ICMP Mobility Agent Advertisement messages used by Mobile IP foreign and home agents to announce themselves to mobile nodes.
🎞️
redirect
ICMP Redirect message informing a host of a better first-hop router for a specific destination on the local subnet.
🎞️
timestamp
ICMP Timestamp Request and Reply exchange returning originate, receive, and transmit timestamps for time synchronization and one-way delay estimation.
🎞️
traceroute mpls ipv4
Traceroute across an MPLS IPv4 core where LSRs return ICMP Time Exceeded with MPLS label-stack extensions, exposing label hops along the path.
🎞️
traceroute mpls vpnv4
Traceroute through an MPLS L3VPN (VPNv4) showing PE/P hops, ICMP Time Exceeded with label-stack extensions, and VRF-aware return path.
📂
ipv6
7
🎞️
admin unr80
ICMP Destination Unreachable with code 13 (communication administratively prohibited), returned for traffic to TCP port 80 blocked by an ACL or firewall.
🎞️
nd nsna
IPv6 Neighbor Discovery with Neighbor Solicitation and Neighbor Advertisement, performing address resolution and reachability confirmation on the link.
🎞️
nd rsra
IPv6 Neighbor Discovery Router Solicitation and Router Advertisement, where hosts learn on-link prefixes, default routers, and SLAAC parameters.
🎞️
packet too big
ICMPv6 Packet Too Big message returned by a router when an IPv6 datagram exceeds the next-hop MTU, driving Path MTU Discovery on the source.
🎞️
ping
Classic ICMP Echo Request and Echo Reply exchange used to verify end-to-end IP reachability and round-trip latency.
🎞️
traceroute
UDP/ICMP traceroute using incrementing TTLs to elicit ICMP Time Exceeded from each hop, revealing the path to the destination.
🎞️
traceroute mpls vpnv6
Traceroute through an MPLS L3VPN carrying IPv6 (6VPE/VPNv6), with ICMP Time Exceeded messages exposing MPLS label hops across the provider core.
🔷
NAT
NAT44 / NAT64 / NAT66
14
🎞️
nat44 pat icmp
NAT44 with PAT (overload) for ICMP: inside host's echo request is translated using a rewritten ICMP identifier to share the outside IP.
🎞️
nat44 pat udp
NAT44 PAT (overload) for UDP: inside source IP:port is translated to a shared outside IP with a unique port for the session.
🎞️
nat44 pool icmp
NAT44 with a pool (one-to-one dynamic) for ICMP: inside host gets a dedicated outside IPv4 address for echo translation.
🎞️
nat44 pool udp
NAT44 dynamic pool translation for UDP: inside host is mapped to a free pool address without port overloading.
🎞️
nat44 twice icmp
NAT44 twice-NAT translating both source and destination IPv4 addresses of an ICMP flow, typical for overlapping address space scenarios.
🎞️
nat44 twice udp
NAT44 twice-NAT translating both source and destination of a UDP flow to bridge overlapping inside/outside IPv4 networks.
🎞️
nat64 pat icmp
Stateful NAT64 with PAT for ICMP: IPv6 echo is translated into an IPv4 echo with a rewritten ICMP identifier sharing the outside v4 IP.
🎞️
nat64 pat udp
Stateful NAT64 PAT for UDP: IPv6 host's UDP flow is translated to a shared IPv4 outside address using port overloading.
🎞️
nat64 pool icmp
Stateful NAT64 with an IPv4 pool for ICMP: each IPv6 host is dynamically mapped to a dedicated v4 address for echo translation.
🎞️
nat64 pool udp
Stateful NAT64 pool translation for UDP: IPv6 sources are mapped 1:1 to IPv4 pool addresses without port overloading.
🎞️
nat64 stateless icmp
Stateless NAT64 (RFC 6145) translating ICMPv6 echo to ICMPv4 using algorithmic IPv4-embedded IPv6 address mapping.
🎞️
nat64 stateless udp
Stateless NAT64 translation of a UDP flow between IPv6 and IPv4 using algorithmic address mapping, with no per-flow state.
🎞️
nat66 stateless icmp
Stateless NPTv6 (NAT66) translating ICMPv6 echo between two IPv6 prefixes via algorithmic prefix rewriting.
🎞️
nat66 stateless udp
Stateless NPTv6 (NAT66) translating a UDP flow between IPv6 prefixes using 1:1 prefix substitution, preserving end-to-end transparency.
🏷️
MPLS & Segment Routing
88
🔷
MPLS
LDP / RSVP-TE / LSP Ping
73
📂
dmvpn
3
🎞️
mpls over dmvpn1
MPLS labels carried over a DMVPN phase 1 hub-and-spoke GRE tunnel, extending MPLS forwarding across an IPsec-protected overlay.
🎞️
mpls over dmvpn2
MPLS over DMVPN phase 2: spoke-to-spoke dynamic NHRP shortcuts carry labeled traffic directly between spokes over the mGRE overlay.
🎞️
mpls over dmvpn3
MPLS over DMVPN phase 3 with NHRP redirect/resolution enabling summarized routing and spoke-to-spoke MPLS forwarding.
📂
igp_extension
3
🎞️
isis mpls te
IS-IS extensions for MPLS-TE showing wide-metric TLVs with TE sub-TLVs (bandwidth, admin-group) advertising link attributes.
🎞️
ospf mpls te
OSPF TE opaque LSA flooding: routers advertise MPLS-TE link attributes (bandwidth, admin groups, metrics) to populate the TED.
🎞️
ospf mpls te meshid
OSPF MPLS-TE opaque LSAs including the Mesh Group ID sub-TLV, used for auto-mesh RSVP-TE tunnel creation among mesh members.
📂
ldp
17
🎞️
ldp address mapping
LDP Address and Label Mapping exchange where peers advertise their interface addresses and FEC-to-label bindings.
🎞️
ldp pwire ac down
LDP pseudowire with attachment-circuit down: the PE signals AC status TLV indicating the local access side is inactive.
🎞️
ldp pwire atom fr
AToM pseudowire (LDP-signaled) carrying Frame Relay frames across an MPLS core between PEs.
🎞️
ldp pwire atom hdlc
AToM pseudowire transporting Cisco HDLC frames across MPLS via LDP-signaled VC labels.
🎞️
ldp pwire atom ip iwrk
AToM IP-interworking pseudowire allowing different Layer-2 encapsulations to interwork at the IP layer over MPLS.
🎞️
ldp pwire atom ppp
AToM pseudowire carrying PPP frames between PEs, with LDP signaling the PW label binding.
🎞️
ldp pwire cword
LDP pseudowire using a control word to preserve sequencing and to avoid misordering by ECMP load balancers.
🎞️
ldp pwire cword flowlabel
LDP pseudowire with control word plus a flow label (RFC 6391) to enable per-flow load balancing across the core.
🎞️
ldp pwire lsp down
LDP pseudowire scenario where the underlying LSP goes down, triggering PW status signaling and traffic loss.
🎞️
ldp pwire no cword
LDP pseudowire operating without a control word, suitable for encapsulations where one is not required.
🎞️
ldp setup md5
LDP session setup between peers secured with TCP MD5 authentication, progressing through Hello, Init, and KeepAlive.
🎞️
ldp setup noauth
LDP session setup without authentication: UDP Hellos discover the peer, then TCP Init/KeepAlive bring the session up.
🎞️
ldp stable ka
Established LDP session in steady state exchanging periodic KeepAlive messages to maintain the adjacency.
🎞️
ldp withdraw release
LDP label withdraw and label release exchange, showing how peers revoke and free FEC-label bindings when a route is removed.
🎞️
ldpv6 init expnull md5
LDPv6 session init using IPv6 transport with explicit-null label advertisement and TCP MD5 authentication.
🎞️
ldpv6 init noauth
LDPv6 session initialization over IPv6 transport with no authentication, completing Hello/Init/KeepAlive.
🎞️
tdp setup
Cisco TDP (Tag Distribution Protocol, pre-LDP) neighbor discovery and tag binding exchange establishing label forwarding state.
📂
lspv
33
🎞️
lspv ipv4 basic draft init
MPLS LSP Ping (LSPV) basic IPv4 echo request/reply per the early draft, used to verify LSP data-plane connectivity.
🎞️
lspv ipv4 basic draft rev1
MPLS LSP Ping over IPv4 using an early pre-RFC4379 draft revision 1 echo request/reply exchange, verifying basic label switched path connectivity.
🎞️
lspv ipv4 basic draft rev2
MPLS LSP Ping over IPv4 using pre-RFC4379 draft revision 2 echo request/reply format, testing an early iteration of the LSP verification protocol.
🎞️
lspv ipv4 basic rfc4379
Standard RFC 4379 MPLS LSP Ping over IPv4: egress LSR returns an echo reply confirming the FEC is reachable along the tested label switched path.
🎞️
lspv ipv4 exp null
MPLS LSP Ping over IPv4 where the PHP advertises explicit-null (label 0), verifying EXP preservation on the final hop before IP forwarding.
🎞️
lspv ipv4 fec bgp no mapping
MPLS LSP Ping over an IPv4 BGP-labeled FEC that fails: the transit LSR has no mapping for the FEC, returning a 'No FEC Mapping' return code.
🎞️
lspv ipv4 fec generic success
MPLS LSP Ping with a Generic IPv4 FEC TLV; egress returns an echo reply with success code, validating LSP reachability without protocol-specific FEC info.
🎞️
lspv ipv4 fec ldp success
MPLS LSP Ping over an LDP IPv4 prefix FEC completing successfully: egress LSR replies 'Egress for FEC at stack depth', confirming the LDP path.
🎞️
lspv ipv4 labeled output iface
MPLS LSP Ping over IPv4 where the transit LSR's reply indicates a labeled outgoing interface, confirming continued label switching toward egress.
🎞️
lspv ipv4 packet too big
MPLS LSP Ping over IPv4 hitting an MTU limit: a transit LSR returns an error/PTB indication, signaling the echo request exceeded path MTU.
🎞️
lspv ipv4 router alert
MPLS LSP Ping over IPv4 using the Router Alert label (1) so each transit LSR punts the echo request to the control plane for per-hop processing.
🎞️
lspv ipv4 traceroute rfc4379
MPLS LSP Traceroute per RFC 4379: incremented TTL causes each transit LSR to reply in turn, mapping the full IPv4 label switched path.
🎞️
lspv ipv4 unlabeled output iface
MPLS LSP Ping over IPv4 where the transit LSR reports an unlabeled outgoing interface, indicating the LSP terminates (PHP) at that hop.
🎞️
lspv ipv4 unsupported tlv
MPLS LSP Ping over IPv4 fails because the receiver does not understand a mandatory TLV, returning a 'Malformed/Unsupported TLV' error return code.
🎞️
lspv ipv4 verify fec
MPLS LSP Ping over IPv4 with FEC verification enabled: egress checks the received FEC against its own binding and replies with the match status.
🎞️
lspv ipv6 basic rfc4379
RFC 4379 MPLS LSP Ping over IPv6: echo request carries an IPv6 FEC and the egress LSR returns a successful echo reply confirming reachability.
🎞️
lspv mldp mp2mp mdt
MPLS LSP Ping across an mLDP multipoint-to-multipoint MDT tree, verifying the multicast LSP used for default MDT distribution in MVPN.
🎞️
lspv mldp p2mp inband
MPLS LSP Ping over an mLDP point-to-multipoint inband-signaled tree, validating the multicast LSP built for a specific (S,G) flow.
🎞️
lspv pwire basic rfc4379
RFC 4379 MPLS LSP Ping across an L2 pseudowire using the control word, verifying VC label connectivity between PE endpoints.
🎞️
lspv pwire basic rfc4379 no cw
RFC 4379 MPLS LSP Ping over a pseudowire negotiated without a control word, verifying VC label forwarding on the bare PW.
🎞️
lspv pwire control reply
MPLS LSP Ping over a pseudowire where the echo reply traverses the PW control channel, validating the bidirectional VC.
🎞️
lspv pwire control reply no cw
MPLS LSP Ping over a pseudowire without control word where the reply uses the PW control channel for return path validation.
🎞️
lspv pwire entropy label
MPLS LSP Ping over a pseudowire using an entropy label for ECMP hashing, verifying load-balanced PW forwarding between PEs.
🎞️
lspv pwire malformed req
MPLS LSP Ping over a pseudowire fails: echo request is malformed and the receiver returns a 'Malformed echo request' error return code.
🎞️
lspv pwire no reply
MPLS LSP Ping over a pseudowire times out with no echo reply received, indicating a broken VC or unreachable remote PE.
🎞️
lspv pwire ra label
MPLS LSP Ping over a pseudowire using the Router Alert label so each LSR punts the echo to control plane for PW validation.
🎞️
lspv pwire router alert
MPLS LSP Ping across a pseudowire leveraging Router Alert processing at every hop for per-LSR PW fault detection.
🎞️
lspv pwire ttl expiry
MPLS LSP Ping over a pseudowire where the TTL expires at a transit LSR, which returns a TTL-expired echo reply for PW traceroute.
🎞️
lspv rsvpte basic rfc4379
RFC 4379 MPLS LSP Ping over an RSVP-TE tunnel: egress LSR confirms the signaled TE LSP is operational by returning an echo reply.
🎞️
lspv rsvpte traceroute rfc4379
MPLS LSP Traceroute across an RSVP-TE tunnel: each transit LSR replies with its role along the explicit-routed TE path.
🎞️
lspv tp cv channel
MPLS-TP LSP Ping via the G-ACh Continuity Verification (CV) channel, used for OAM on transport profile LSPs.
🎞️
lspv tp ip channel
MPLS-TP LSP Ping using an IP-encapsulated G-ACh channel to verify connectivity of a transport profile LSP.
🎞️
lspv tp pwire basic
MPLS-TP LSP Ping across a transport-profile pseudowire, exercising basic OAM echo request/reply over the PW.
📂
misc
3
🎞️
mpls ip tunnel
MPLS-in-IP tunneling where labeled packets are encapsulated in IP (protocol 137) for traversal across non-MPLS segments.
🎞️
mpls reserved labels 0 15
Traffic exercising the MPLS reserved label range 0-15 (IPv4 explicit null, router alert, IPv6 explicit null, implicit null, entropy indicator, etc.).
🎞️
mpls tp bfd setup
MPLS-TP BFD session establishment over the G-ACh: endpoints negotiate BFD Down→Init→Up for transport LSP continuity monitoring.
📂
multicast
5
🎞️
draft rosen pim gre
Draft-Rosen multicast VPN: customer PIM control traffic carried inside a GRE MDT tunnel across the provider core.
🎞️
mldp datamdt p2mp
mLDP signaling of a point-to-multipoint Data MDT: label mapping messages build an on-demand multicast LSP for a high-bandwidth (S,G).
🎞️
mldp defmdt mp2mp
mLDP signaling of a multipoint-to-multipoint Default MDT: PEs exchange label mappings to build the always-on MVPN multicast tree.
🎞️
mldp inband ipv46
mLDP inband signaling carrying IPv4 and IPv6 multicast state directly in the LDP FEC, building per-(S,G) LSPs without PIM.
🎞️
mldp inband vpnv46
mLDP inband signaling for VPNv4/VPNv6 multicast: per-VRF (S,G) FECs are encoded in LDP to build MVPN LSPs without a default MDT.
📂
rsvp
9
🎞️
rsvp te 500k bw
RSVP-TE Path/Resv signaling establishing a tunnel reserving 500 kbps, demonstrating successful admission control with the requested bandwidth.
🎞️
rsvp te basic
Basic RSVP-TE LSP setup: ingress sends Path, egress replies with Resv carrying the label, and the tunnel becomes Up.
🎞️
rsvp te frr multicast mldp
RSVP-TE Fast Reroute protecting an mLDP multicast LSP: backup tunnel is signaled to bypass a link/node for mcast traffic.
🎞️
rsvp te frr nhop
RSVP-TE Fast Reroute with next-hop (link) protection: a backup bypass LSP is signaled around the protected link.
🎞️
rsvp te frr nnhop
RSVP-TE Fast Reroute with next-next-hop (node) protection: backup bypass LSP is signaled around the protected node.
🎞️
rsvp te frr unicast l3vpn
RSVP-TE Fast Reroute protecting an L3VPN unicast LSP, ensuring sub-50ms failover for VPNv4 traffic over the TE backbone.
🎞️
rsvp te no bw
RSVP-TE signaling with zero bandwidth reservation: the LSP is set up without CAC, useful for best-effort TE paths.
🎞️
rsvp te preempt
RSVP-TE preemption scenario: a higher-priority LSP preempts an existing lower-priority tunnel via PathErr and teardown.
🎞️
rsvp te shutdown
RSVP-TE tunnel teardown: ingress sends PathTear (and/or ResvTear) to gracefully remove the LSP state across all LSRs.
🔷
Segment Routing
PCEP / BGP-LS / SRv6
15
🎞️
sr bgp ls isis init
sr_bgp_ls_isis_init: R1 and R2 open a BGP session (OPEN, KEEPALIVE) then R2 floods BGP-LS UPDATEs carrying IS-IS link-state topology and Segment Routing info to R1.
🎞️
sr bgp ls ospf init
sr_bgp_ls_ospf_init: R1 and R2 exchange BGP OPEN and a long stream of BGP-LS UPDATEs distributing OSPF-derived link-state topology and SR SIDs, ending with KEEPALIVEs.
🎞️
sr igp isis init
sr_igp_isis_init: R1, R2 and R3 bring up IS-IS L2 adjacencies with HELLOs, exchange LSPs advertising SR capabilities/SIDs and synchronize databases via CSNP.
🎞️
sr igp ospf init
sr_igp_ospf_init: R2/R3/R4 form OSPF neighbors with Hellos, elect DR/BDR, exchange DB Descriptions, LS Requests and LS Updates carrying Segment Routing extensions.
🎞️
sr oam reply fail
sr_oam_reply_fail: R2 sends MPLS Echo Requests toward the LSPV loopback and R3 replies with MPLS Echo Replies indicating LSP trace failure (transit/label mismatch).
🎞️
sr oam reply ip
sr_oam_reply_ip: R2 issues MPLS Echo Requests (reply mode = IPv4 UDP) to the LSPV loopback; R4 returns MPLS Echo Replies verifying the SR LSP end-to-end.
🎞️
sr oam reply none
sr_oam_reply_none: R2 sends repeated MPLS Echo Requests to the LSPV loopback with reply mode Do Not Reply; no responses are expected or received.
🎞️
sr oam reply rtr alert
sr_oam_reply_rtr_alert: R2 issues MPLS Echo Requests with reply mode Router Alert; R4 returns MPLS Echo Replies confirming the SR LSP path.
🎞️
sr pcep nopath tunnel
sr_pcep_nopath_tunnel: R2 sends PCEP PCReq messages asking R1 (PCE) for an SR path; R1 returns PCRep NO-PATH responses indicating no feasible constrained path.
🎞️
sr pcep stateful init noauth
sr_pcep_stateful_init_noauth: R2 and R1 establish a stateful PCEP session with OPEN and Keepalive messages (no TCP MD5), then R2 begins sending PCRpt LSP state reports.
🎞️
sr pcep stateful tunnel
sr_pcep_stateful_tunnel: R2 asks PCE R1 for an SR tunnel path with PCReq, receives PCRep with an explicit path, and then reports LSP state back via stateful PCRpt.
🎞️
sr pcep stateless init md5
sr_pcep_stateless_init_md5: R2 and R1 bring up a stateless PCEP session protected by TCP MD5, exchanging PCEP OPEN and Keepalive messages successfully.
🎞️
sr pcep stateless tunnel
sr_pcep_stateless_tunnel: R2 issues a stateless PCEP PCReq for an SR path and R1 (PCE) returns a PCRep carrying the computed ERO.
🎞️
srv6 fal2
srv6_fal2: R1/R2 maintain IS-IS P2P HELLO adjacencies (advertising SRv6 locators) while R6 pings R7 with ICMP Echo, verifying SRv6 Flex-Algo L2 data plane.
🎞️
srv6 usid
srv6_usid: R3/R5 exchange IS-IS L2 LSP/PSNP/HELLOs distributing SRv6 uSID locators; R7 pings R6 over IPv4 then IPv6 to verify uSID forwarding.
🔒
Tunneling & VPN
76
🔷
IP L2VPN
L2TP / VXLAN / OTV
19
📂
l2tp
8
🎞️
l2tp v3 auth 4byte
L2TPv3 control-plane bring-up using 4-byte authentication cookies, establishing a pseudowire between PE devices.
🎞️
l2tp v3 auth 8byte
L2TPv3 control-plane bring-up using 8-byte authentication cookies for additional session-id protection on the pseudowire.
🎞️
l2tp v3 basic
L2TPv3 basic session establishment with SCCRQ/SCCRP/SCCCN and ICRQ/ICRP/ICCN, building a point-to-point L2 pseudowire.
🎞️
l2tp v3 fail auth
L2TPv3 session establishment failing due to authentication mismatch, with a StopCCN or CDN message tearing down the session.
🎞️
l2tp v3 fail no exist
L2TPv3 session failing because the requested pseudowire or peer does not exist, producing a Call-Disconnect-Notify teardown.
🎞️
l2tp v3 ietf
L2TPv3 session using IETF-standard AVP encoding, showing interoperable control-channel setup for pseudowire transport.
🎞️
l2tp v3 udp
L2TPv3 pseudowire encapsulated in UDP (rather than native IP protocol 115), traversing NAT or firewall-friendly paths.
🎞️
l2tp v3 uti
L2TPv3 Universal Transport Interface variant carrying arbitrary Layer 2 payloads across the pseudowire.
📂
netvirt
5
🎞️
geneve v4v6
Geneve tunnel encapsulating IPv4 and IPv6 inner traffic over a UDP overlay, demonstrating extensible TLV-based tunnel options.
🎞️
nvgre v4v6
NVGRE tunnel carrying IPv4 and IPv6 inner frames using GRE with the Virtual Subnet ID, providing network virtualization overlay transport.
🎞️
stt v4v6
Stateless Transport Tunneling of IPv4 and IPv6 inner frames using a TCP-like header to leverage NIC offloads on overlay traffic.
🎞️
vxlan basic multicast
VXLAN overlay using multicast in the underlay for BUM traffic replication, flooding ARP and unknown unicast across VTEPs.
🎞️
vxlan basic unicast
VXLAN overlay using head-end (unicast) replication, where the source VTEP unicasts encapsulated BUM traffic to each remote VTEP individually.
📂
otv
6
🎞️
otv intrasite hello
OTV intra-site IS-IS Hello exchange between edge devices, electing the site's Authoritative Edge Device for the overlay.
🎞️
otv intrasite mismatch
OTV intra-site Hello mismatch scenario where site-identifier or VLAN misconfiguration prevents proper AED election.
🎞️
otv mac isis lsp
OTV MAC address advertisement via IS-IS Link State PDUs, distributing learned unicast MACs to remote edge devices in the overlay.
🎞️
otv overlay init
OTV overlay adjacency initialization between edge devices, establishing IS-IS neighborship over the transport network.
🎞️
otv traffic ipv4
OTV-encapsulated IPv4 data traffic traversing the overlay between sites, extending Layer 2 VLANs across the IP transport.
🎞️
otv traffic ipv6
OTV-encapsulated IPv6 data traffic crossing the overlay, providing Layer 2 extension for IPv6 hosts between sites.
🔷
IP Tunnel
GRE / DMVPN / LISP
26
📂
dmvpn
4
🎞️
dmvpn phase1 flow
DMVPN Phase 1 hub-and-spoke flow where spokes tunnel all traffic through the hub via mGRE and IPsec, without spoke-to-spoke shortcuts.
🎞️
dmvpn phase2 flow
DMVPN Phase 2 flow with NHRP resolution enabling dynamic spoke-to-spoke tunnels, bypassing the hub after initial NHRP resolution.
🎞️
dmvpn phase3 flow
DMVPN Phase 3 data-plane flow showing NHRP shortcut redirect and resolution between hub and spokes, enabling spoke-to-spoke dynamic tunnels over mGRE.
🎞️
dmvpn registration
DMVPN spoke-to-hub NHRP registration exchange over mGRE, binding the spoke's NBMA address to its tunnel IP so the hub can forward traffic.
📂
gre
8
🎞️
gre all options
GRE tunnel capture exercising all optional header fields (checksum, key, sequence number) to illustrate the full GRE option set between endpoints.
🎞️
gre checksum
GRE tunnel with the checksum option enabled, showing how the optional checksum field is carried in the GRE header between tunnel endpoints.
🎞️
gre entropy key
GRE encapsulation using the key field as an entropy label to aid ECMP hashing of tunneled flows across the underlay.
🎞️
gre erspan
ERSPAN over GRE capture showing mirrored Ethernet frames encapsulated with an ERSPAN header for remote traffic analysis.
🎞️
gre keepalives
GRE tunnel keepalive exchange where the sender injects a self-addressed GRE packet that the peer loops back to prove liveness.
🎞️
gre key
GRE tunnel with the optional 32-bit key field set, commonly used to demultiplex multiple GRE tunnels between the same endpoint pair.
🎞️
gre no options
Minimal GRE tunnel capture with no optional header fields, showing the baseline GRE encapsulation between two endpoints.
🎞️
gre seq nums
GRE tunnel using the optional sequence number field so that in-order delivery of encapsulated packets can be tracked.
📂
lisp
9
🎞️
lisp registration
LISP ETR-to-Map-Server registration flow where the ETR advertises its EID-to-RLOC mapping and the Map-Server acknowledges.
🎞️
lisp v4 iid0 mapreq
LISP IPv4 Map-Request in instance-ID 0, showing the control-plane lookup from an ITR through the Map-Resolver to obtain RLOC mappings.
🎞️
lisp v4 iid0 pxtr encap
LISP PxTR handling IPv4 traffic in IID 0 by LISP-encapsulating native packets from a non-LISP site toward the destination ETR.
🎞️
lisp v4 iid0 pxtr native
LISP PxTR decapsulating IPv4 traffic in IID 0 and forwarding it natively into a non-LISP network segment.
🎞️
lisp v4 iid100 mapreq
LISP IPv4 Map-Request in instance-ID 100, showing EID-to-RLOC resolution within a specific VRF/VPN context.
🎞️
lisp v6 iid0 mapreq
LISP IPv6 Map-Request in instance-ID 0 where an ITR queries the mapping system for an IPv6 EID's RLOC set.
🎞️
lisp v6 iid0 pxtr encap
LISP PxTR encapsulating native IPv6 traffic into LISP for delivery toward a registered IPv6 ETR in instance-ID 0.
🎞️
lisp v6 iid0 pxtr native
LISP PxTR decapsulating IPv6 LISP traffic in IID 0 and forwarding the inner packet natively to a non-LISP IPv6 destination.
🎞️
lisp v6 iid100 mapreq
LISP IPv6 Map-Request in instance-ID 100, resolving an IPv6 EID to its RLOCs within a segmented VPN context.
📂
other
5
🎞️
amt v4
Automatic Multicast Tunneling over IPv4, with Relay Discovery, Request, Membership Query/Update, and Multicast Data delivering multicast to unicast-only hosts.
🎞️
amt v6
Automatic Multicast Tunneling for IPv6, using AMT Gateway/Relay signaling to deliver IPv6 multicast across unicast-only networks.
🎞️
ipinip
IP-in-IP (protocol 4) tunnel capture where an outer IPv4 header encapsulates an inner IPv4 packet between tunnel endpoints.
🎞️
nos kaq9
KA9Q NOS IP-over-IP tunnel (protocol 94) capture showing legacy amateur-radio-style IP encapsulation between endpoints.
🎞️
rbscp
RBSCP (Rate-Based Satellite Control Protocol) tunnel capture used to accelerate TCP over long-delay satellite links.
🔷
IPsec / MACsec
IKE / ESP / AH
26
📂
direct_encap
8
🎞️
ah direct transport
IPsec AH in transport mode directly between two hosts, authenticating the original IP payload without encapsulation.
🎞️
ah direct tunnel
IPsec AH in tunnel mode between gateways, authenticating the entire inner IP packet carried inside an outer IP header.
🎞️
espaes direct transport
IPsec ESP with AES encryption in transport mode between two hosts, protecting the original IP payload end-to-end.
🎞️
espaes direct tunnel
IPsec ESP-AES in tunnel mode between gateways, encrypting the full inner IP packet inside a new outer IP header.
🎞️
espnull direct transport
IPsec ESP with null encryption in transport mode, providing authentication only so the payload remains inspectable in capture.
🎞️
espnull direct transport natt
ESP-null transport mode between hosts with NAT-Traversal, wrapping the ESP in UDP/4500 for NAT compatibility.
🎞️
espnull direct tunnel
ESP-null tunnel mode between gateways, authenticating the encapsulated inner IP packet without encryption.
🎞️
espnull direct tunnel natt
ESP-null tunnel mode with NAT-Traversal, carrying the authenticated-only ESP inside UDP/4500 across NAT.
📂
getvpn
2
🎞️
espaes getvpn tunnel
Cisco GETVPN data-plane flow using ESP-AES with a group-shared SA, preserving the original IP header for any-to-any encrypted delivery.
🎞️
espnull getvpn tunnel
GETVPN data plane using ESP-null, preserving original IP headers and allowing inspection of the authenticated payload.
📂
gre
10
🎞️
ah gre transport
IPsec AH in transport mode protecting a GRE tunnel, authenticating the GRE-encapsulated payload between endpoints.
🎞️
ah gre tunnel
IPsec AH in tunnel mode wrapping a GRE tunnel, authenticating both the outer tunnel and the GRE-carried inner traffic.
🎞️
espaes gre transport
ESP-AES in transport mode protecting a GRE tunnel, encrypting GRE-encapsulated payloads between the tunnel endpoints.
🎞️
espaes gre transport natt
ESP-AES transport mode over GRE with NAT-Traversal, encapsulating ESP in UDP/4500 to traverse NAT devices.
🎞️
espaes gre tunnel
ESP-AES tunnel mode wrapping a GRE tunnel, providing full encryption of the GRE-tunneled inner traffic.
🎞️
espaes mgre tunnel natt
ESP-AES tunnel mode protecting mGRE (DMVPN) traffic with NAT-Traversal via UDP/4500 encapsulation.
🎞️
espnull gre transport
ESP-null transport mode protecting GRE, authenticating the GRE-tunneled payload while leaving it readable.
🎞️
espnull gre transport natt
ESP-null transport mode over GRE with NAT-T, encapsulating the authentication-only ESP in UDP/4500.
🎞️
espnull gre tunnel
ESP-null tunnel mode wrapping GRE, providing authentication-only protection of the GRE-tunneled inner traffic.
🎞️
espnull mgre tunnel natt
ESP-null tunnel mode protecting mGRE (DMVPN) with NAT-Traversal via UDP/4500, authentication only.
📂
macsec
6
🎞️
macsec conf offset 30
MACsec frame with confidentiality offset of 30 bytes, leaving the first 30 bytes of the payload in cleartext and encrypting the remainder.
🎞️
macsec conf offset 50
MACsec frame using a confidentiality offset of 50 bytes so that 50 bytes of header remain visible while the rest is encrypted.
🎞️
macsec dot1q clear
MACsec frame carrying a 802.1Q VLAN tag in the clear outside the MACsec protection, allowing VLAN-aware transit devices to see the tag.
🎞️
macsec dot1q hidden
MACsec frame with the 802.1Q VLAN tag hidden inside the encrypted payload, so the tag is only visible after MACsec decryption.
🎞️
macsec no icv indicator
MACsec frame captured without the ICV indicator bit set, illustrating an alternative TCI/AN encoding of the SecTAG.
🎞️
macsec untagged init
Initial MACsec handshake on an untagged link, establishing the SecY session before user frames are protected.
🔷
IPv6 Transition
6to4 / 6rd / ISATAP
5
🎞️
ipv6 trans 6rd
IPv6 Rapid Deployment (6rd) capture where IPv6 packets are encapsulated in IPv4 using the provider's 6rd prefix for transit.
🎞️
ipv6 trans 6to4
6to4 tunneling where IPv6 packets are carried inside IPv4 (protocol 41) using the 2002::/16 prefix derived from the IPv4 address.
🎞️
ipv6 trans gre ipv4
IPv6 transition using GRE over IPv4 to tunnel IPv6 traffic across an IPv4-only underlay between dual-stack endpoints.
🎞️
ipv6 trans isatap
ISATAP capture where IPv6 is tunneled over IPv4 with the IPv4 address embedded in the interface ID of the IPv6 address.
🎞️
ipv6 trans plain ipv4
Plain IPv6-in-IPv4 encapsulation (protocol 41) showing static manual tunneling of IPv6 packets over an IPv4 network.
📡
Multicast
36
🔷
IGMP
Multicast / MLD
10
📂
ipv4
7
🎞️
igmpv1
IGMPv1 Membership Query and Membership Report exchange, where hosts announce interest in a multicast group to the local router.
🎞️
igmpv2
IGMPv2 flow with Queries, Membership Reports, and Leave Group messages, managing multicast group membership on a LAN.
🎞️
igmpv2-ssm-dns
IGMPv2 used with Source-Specific Multicast semantics driven by DNS-discovered sources, joining specific (S,G) channels.
🎞️
igmpv2-ssm-urd
IGMPv2 with SSM using URL Rendezvous Directory (URD) for source discovery, allowing hosts to join specific (S,G) multicast channels.
🎞️
igmpv3
IGMPv3 with source-filtered Reports allowing hosts to include or exclude specific source addresses for each multicast group (SSM/ASM).
🎞️
mtrace fail
Multicast traceroute (mtrace) query failing to return a complete response, indicating a broken RPF path or unsupported hop in the multicast tree.
🎞️
mtrace pass
Multicast traceroute (mtrace) successfully walking the reverse-path tree from receiver to source, reporting each hop's multicast state.
📂
ipv6
3
🎞️
mldv1
MLDv1 (Multicast Listener Discovery) flow for IPv6 with Listener Query, Report, and Done messages managing multicast membership.
🎞️
mldv1-ssm-dns
MLDv1 over IPv6 used with Source-Specific Multicast semantics driven by DNS source discovery, joining specific (S,G) channels.
🎞️
mldv2
MLDv2 for IPv6 with source-filtered Listener Reports enabling include/exclude semantics per multicast group, supporting SSM.
🔷
PIM
Multicast / MSDP
26
📂
ipv4
13
🎞️
pim v4 asm bidir auto rp
PIM-SM/Bidir IPv4 ASM with Auto-RP Announce and Discovery messages distributing RP-to-group mappings via 224.0.1.39/.40.
🎞️
pim v4 asm register no rx
PIM-SM IPv4 ASM source registration to the RP where there are no active receivers, leading the RP to send Register-Stop back to the DR.
🎞️
pim v4 asm rp join prune
PIM-SM IPv4 ASM receiver-side (*,G) Join/Prune messages sent toward the RP to build the shared tree.
🎞️
pim v4 asm spt switchover
PIM-SM IPv4 ASM SPT switchover where the last-hop router joins (S,G) and prunes (*,G) toward the RP after traffic thresholds are crossed.
🎞️
pim v4 bidir df election
PIM Bidir IPv4 Designated Forwarder election with Offer, Winner, Backoff, and Pass messages on a multi-access segment.
🎞️
pim v4 bidir join prune
PIM Bidir IPv4 (*,G) Join/Prune messages building the bidirectional shared tree toward the RPA through elected DFs.
🎞️
pim v4 bsr asm bidir
PIM IPv4 Bootstrap Router (BSR) distributing RP-set via Candidate-RP advertisements and BSR messages for ASM and Bidir ranges.
🎞️
pim v4 dm assert
PIM-DM IPv4 Assert messages exchanged on a multi-access LAN to elect a single forwarder for an (S,G) to eliminate duplicate multicast traffic.
🎞️
pim v4 dm prune graft
PIM-DM IPv4 flood-and-prune behavior with Prune messages removing unwanted branches and Graft/Graft-Ack restoring them on receiver join.
🎞️
pim v4 hello init
PIM IPv4 initial Hello exchange on a multi-access segment establishing neighbor relationships and DR election.
🎞️
pim v4 ssm join prune
PIM-SSM IPv4 (S,G) Join/Prune messages sent toward the source to build the shortest-path tree directly, bypassing any RP.
🎞️
pim v4 version1 queries
Legacy PIM version 1 IPv4 query messages (encapsulated over IGMP type 0x14) used for neighbor and RP discovery in early PIM deployments.
🎞️
pim v4 version1 rp reach
Legacy PIM version 1 IPv4 RP-Reachability messages announcing RP liveness to downstream routers in the pre-BSR era.
📂
ipv6
9
🎞️
pim v6 asm emb rp join prune
PIM-SM IPv6 ASM (*,G) Join/Prune toward an embedded-RP address derived from the IPv6 group itself, no explicit RP configuration needed.
🎞️
pim v6 asm register no rx
PIM-SM IPv6 ASM source Register to the RP with no active receivers, causing the RP to return a Register-Stop to the DR.
🎞️
pim v6 asm rp join prune
PIM-SM IPv6 ASM receiver-side (*,G) Join/Prune messages sent toward the RP to build the shared tree.
🎞️
pim v6 asm spt switchover
PIM-SM IPv6 ASM SPT switchover: last-hop router joins (S,G) and prunes (*,G) toward the RP after data thresholds are crossed.
🎞️
pim v6 bidir df election
PIM Bidir IPv6 Designated Forwarder election using Offer, Winner, Backoff, and Pass messages on a multi-access segment.
🎞️
pim v6 bidir join prune
PIM Bidir IPv6 (*,G) Join/Prune messages building the bidirectional shared tree toward the RPA via elected DFs.
🎞️
pim v6 bsr asm bidir
PIM IPv6 Bootstrap Router (BSR) distributing RP-set via Candidate-RP advertisements and BSR messages for ASM and Bidir group ranges.
🎞️
pim v6 hello init
PIM IPv6 initial Hello exchange between routers establishing neighbor relationships and DR election on a link.
🎞️
pim v6 ssm join prune
PIM-SSM IPv6 (S,G) Join/Prune messages sent toward the source to build the SPT directly, without any RP involvement.
📂
msdp
4
🎞️
msdp v4 init md5
MSDP IPv4 peering session establishment between RPs using TCP port 639 and TCP MD5 signature authentication.
🎞️
msdp v4 init noauth
MSDP IPv4 peering session established between RPs over TCP port 639 without authentication, exchanging Keepalives.
🎞️
msdp v4 src active flow
MSDP IPv4 Source-Active (SA) messages announcing active multicast sources from one RP to peer RPs across PIM-SM domains.
🎞️
msdp v4 src active rpf fail
MSDP IPv4 Source-Active messages arrive but fail the peer-RPF check against the MSDP peer, causing the SA to be dropped rather than forwarded.
🛠️
Network Management
91
🔷
AAA
RADIUS / TACACS+
8
🎞️
cts sxp sgt map md5
Cisco TrustSec SXP exchange with MD5/TCP-MD5 authentication between speaker and listener, propagating IP-to-SGT bindings over TCP/64999.
🎞️
cts sxp sgt map noauth
Cisco TrustSec SXP session without authentication between speaker and listener, distributing IP-to-SGT mappings over TCP/64999.
🎞️
dot1x mschapv2 failure
802.1X EAPoL plus RADIUS EAP-MSCHAPv2 between supplicant R1, authenticator R3 (NAS), and AAA Server. Ends in Access-Reject and EAP Failure (bad credentials).
🎞️
dot1x mschapv2 success
802.1X EAPoL plus RADIUS EAP-MSCHAPv2 between supplicant R1, authenticator R3 (NAS), and AAA Server. Ends in Access-Accept and EAP Success.
🎞️
radius authc failure
RADIUS authentication between NAS and AAA Server: Access-Request followed by Access-Reject (credentials failure).
🎞️
radius authc success
RADIUS authentication between NAS and AAA Server: Access-Request followed by Access-Accept granting user access.
🎞️
tacacs authc
TACACS+ authentication START/REPLY/CONTINUE exchange between NAS and TACACS+ server, ending in PASS.
🎞️
tacacs authz
TACACS+ authorization REQUEST/RESPONSE between NAS and TACACS+ server granting the authenticated user command/service privileges.
🔷
Ethernet OAM
CFM / OAM PDU / E-LMI
13
🎞️
cfm l3 l7 ccm init core
Ethernet CFM Continuity Check Messages initializing between L3 and L7 MEPs in a core domain, establishing MEP adjacency and fault monitoring baseline.
🎞️
cfm l3 ping traceroute core
CFM Loopback (ping) and Linktrace (traceroute) exchange at maintenance level 3, validating core-domain reachability and path discovery between MEPs.
🎞️
cfm l3 y1731 1dm core
Y.1731 one-way delay measurement (1DM) frames sent between core MEPs at level 3, used to measure unidirectional latency across the Ethernet OAM domain.
🎞️
cfm l3 y1731 dmm dmr core
Y.1731 two-way delay measurement using DMM requests and DMR responses at core level 3, computing round-trip delay between MEPs.
🎞️
cfm l3 y1731 slm slr core
Y.1731 synthetic loss measurement with SLM probes and SLR replies at core level 3, calculating frame loss ratios between MEPs.
🎞️
cfm l7 ais ac down core
CFM Alarm Indication Signal at level 7 triggered by an attachment circuit down event in the core domain, propagating fault notification upward.
🎞️
cfm l7 ais ac down edge
CFM AIS at level 7 generated on edge when an attachment circuit fails, alerting upstream MEPs of the service-affecting condition.
🎞️
cfm l7 ping mcast core
CFM multicast Loopback ping at level 7 in the core, discovering all reachable MEPs in the maintenance association via a single multicast probe.
🎞️
cfm l7 ping traceroute core
CFM Loopback and Linktrace at level 7 within the core domain, verifying service-level connectivity and hop-by-hop path between MEPs.
🎞️
cfm l7 ping traceroute edge
CFM Loopback and Linktrace operations at level 7 from the edge, validating end-to-end service reachability across the provider network.
🎞️
elmi status init
E-LMI status exchange initialization between CE and PE, with STATUS ENQUIRY and STATUS messages reporting EVC and UNI configuration to the customer device.
🎞️
oampdu init
IEEE 802.3ah Ethernet OAM PDU discovery handshake where peers exchange Information OAMPDUs to negotiate OAM capabilities on a point-to-point link.
🎞️
oampdu remote loopback
Ethernet OAMPDU remote loopback control sequence, enabling then disabling the remote peer's loopback mode for link diagnostics.
🔷
NetFlow
v5 / v9 / IPFIX
7
🎞️
netflow v10 ipv4
IPFIX (NetFlow v10) export of IPv4 flow records: exporter sends templates followed by data sets to the collector over UDP.
🎞️
netflow v10 ipv6
IPFIX (NetFlow v10) export of IPv6 flow records with templates describing v6 source/destination fields.
🎞️
netflow v10 mpls
IPFIX (NetFlow v10) export of MPLS-labeled flow records including label stack fields within the flow template.
🎞️
netflow v5 ipv4
Classic NetFlow v5 export of IPv4 flows: fixed-format records sent from exporter to collector, no templates.
🎞️
netflow v9 ipv4
NetFlow v9 template-based export of IPv4 flow records, with template FlowSet followed by data FlowSets.
🎞️
netflow v9 ipv6
NetFlow v9 template-based export of IPv6 flow records, using v9 templates that define IPv6 address fields.
🎞️
netflow v9 mpls
NetFlow v9 export of MPLS-tagged flow records: templates include label stack entries alongside IP flow fields.
🔷
Network Services
DHCP / DNS / SNMP / NTP
55
📂
cmp
2
🎞️
cmp cert request
CMP (Certificate Management Protocol) certificate request: client sends a cert request PKIMessage and the CA responds with the issued certificate.
🎞️
cmp init reg
CMP initialization/registration exchange: client performs ir/ip (initialization request/response) to enroll with the CA for its first certificate.
📂
dhcp
11
🎞️
dhcp v4 basic
Standard DHCPv4 DORA handshake: client Discover, server Offer, client Request, server Ack — address successfully leased.
🎞️
dhcp v4 dmvpn eigrp
DHCPv4 lease acquired by a DMVPN spoke that subsequently forms EIGRP adjacency over the mGRE tunnel.
🎞️
dhcp v4 relay
DHCPv4 with a relay agent (giaddr set) forwarding Discover/Request between client subnet and remote DHCP server.
🎞️
dhcp v4 renewal
DHCPv4 lease renewal (T1): client unicasts Request to its server and receives an Ack extending the existing lease.
🎞️
dhcp v6 dmvpn pd
DHCPv6 Prefix Delegation over DMVPN: spoke requests an IA_PD and server delegates an IPv6 prefix used on LAN interfaces.
🎞️
dhcp v6 flags m
IPv6 RA with M flag set drives stateful DHCPv6: client performs Solicit/Advertise/Request/Reply for an address.
🎞️
dhcp v6 flags mo
IPv6 RA with both M and O flags: client obtains address via stateful DHCPv6 and also requests other configuration options.
🎞️
dhcp v6 flags o
IPv6 RA with only O flag: client uses SLAAC for addressing but runs DHCPv6 Information-Request for other options (DNS, etc.).
🎞️
dhcp v6 relay
DHCPv6 relay agent wraps client messages in Relay-Forward and server responses in Relay-Reply between client link and server.
🎞️
dhcp v6 release
DHCPv6 Release: client relinquishes its assigned address/prefix and server acknowledges with Reply.
🎞️
dhcp v6 renewal
DHCPv6 Renew/Reply exchange at T1: client extends its existing IA_NA lease with the original server.
📂
dns
12
🎞️
dns v4 a cisco
DNS A-record query over IPv4 for a cisco.com hostname; resolver returns the IPv4 address in the response.
🎞️
dns v4 aaaa cisco
DNS AAAA-record query over IPv4 for a cisco.com name; resolver returns the IPv6 address.
🎞️
dns v4 basic
Basic DNS query/response over IPv4 UDP: client asks for a record and authoritative server answers successfully.
🎞️
dns v4 mx cisco
DNS MX-record query over IPv4 for cisco.com, returning the mail exchanger hostnames and preferences.
🎞️
dns v4 ns cisco
DNS NS-record query over IPv4 for cisco.com, returning the authoritative name servers for the zone.
🎞️
dns v4 ptr cisco
DNS PTR reverse lookup over IPv4 for a Cisco IP address, returning the in-addr.arpa hostname mapping.
🎞️
dns v4 rfc6555 failover
RFC 6555 Happy Eyeballs over IPv4 DNS: AAAA/A queries with the IPv6 path failing, client falls back to IPv4 connectivity.
🎞️
dns v4 rfc6555 success
RFC 6555 Happy Eyeballs: parallel A and AAAA lookups with successful IPv6-preferred connection establishment.
🎞️
dns v4 soa cisco
DNS SOA-record query over IPv4 for cisco.com, returning the zone's start-of-authority parameters.
🎞️
dns v4 txt query
DNS TXT-record query over IPv4 returning free-form text strings (e.g., SPF/DKIM policies).
🎞️
dns v6 rfc6555 failover
RFC 6555 Happy Eyeballs over IPv6 transport: AAAA preferred fails, client fails over to the IPv4 candidate address.
🎞️
dns v6 rfc6555 success
RFC 6555 Happy Eyeballs on IPv6 transport: parallel AAAA/A resolution and successful IPv6 connection.
📂
misc
7
🎞️
rdp windows login
Microsoft RDP session establishment for Windows login: TCP/3389 connection, X.224, MCS, and security negotiation complete successfully.
🎞️
rsh failure
Berkeley rsh session fails: remote shell rejects the authentication or command, returning an error on the stderr channel.
🎞️
rsh success
Berkeley rsh remote command executes successfully: client connects on TCP/514, server runs command and returns output.
🎞️
telnet failure
Telnet login fails: client connects to TCP/23, option negotiation occurs, but authentication is rejected and session closes.
🎞️
telnet success
Telnet login succeeds: client negotiates options on TCP/23, authenticates, and an interactive shell session is established.
🎞️
vnc windows login
RFB/VNC remote desktop login to a Windows host: version handshake, security type selection, auth, and ClientInit/ServerInit succeed.
🎞️
wol
Wake-on-LAN magic packet: UDP/broadcast frame carrying the target MAC repeated 16 times wakes the sleeping host.
📂
ntp
5
🎞️
ntp broadcast init
NTP broadcast mode initialization: server multicasts/broadcasts time packets and clients synchronize from them.
🎞️
ntp client server init
NTP client/server mode (mode 3/4): client queries server and server replies with authoritative time.
🎞️
ntp multicast init
NTP multicast mode initialization: server sends time packets to an NTP multicast group and listening clients sync.
🎞️
ntp symmetric active init
NTP symmetric-active association initiation: peer sends mode-1 packets to form a mutual symmetric peer relationship.
🎞️
ntp symmetric passive init
NTP symmetric-passive response: peer replies in mode 2 to a symmetric-active request, forming a mutual peering.
📂
snmp
10
🎞️
snmp v1 poll
SNMPv1 get/get-next polling: manager queries an OID and the agent returns the requested variable bindings.
🎞️
snmp v1 trap
SNMPv1 trap notification: agent asynchronously sends a trap PDU (generic/specific trap code) to the manager on UDP/162.
🎞️
snmp v2c poll
SNMPv2c GetRequest/GetBulk polling with community authentication; agent replies with the requested varbinds.
🎞️
snmp v2c trap
SNMPv2c trap (SNMPv2-Trap-PDU) sent from agent to manager on UDP/162 with community string.
🎞️
snmp v3 poll noauth nopriv
SNMPv3 polling using noAuthNoPriv security level: engine discovery then GetRequest without authentication or encryption.
🎞️
snmp v3 poll sha1 aes128
SNMPv3 polling with authPriv (SHA1 authentication, AES128 encryption) after initial engine-ID/boot discovery.
🎞️
snmp v3 poll sha1 nopriv
SNMPv3 polling with authNoPriv (SHA1 authentication, no encryption) after engine discovery.
🎞️
snmp v3 trap noauth nopriv
SNMPv3 notification at noAuthNoPriv: agent sends SNMPv2-Trap-PDU in a v3 message with no auth/priv.
🎞️
snmp v3 trap sha1 aes128
SNMPv3 trap with authPriv (SHA1/AES128): notification is authenticated and encrypted end-to-end.
🎞️
snmp v3 trap sha1 nopriv
SNMPv3 trap with authNoPriv (SHA1 authentication only): message is authenticated but not encrypted.
📂
syslog
8
🎞️
syslog facility local
Syslog messages sent with a local-use facility (local0-7) over UDP/514 from device to collector.
🎞️
syslog facility user
Syslog messages using the 'user' facility code, transported via UDP/514 to the log collector.
🎞️
syslog include hostname
Syslog (RFC 3164) messages including the hostname field in the header along with the priority and timestamp.
🎞️
syslog include hostname seqnum
Cisco syslog with hostname plus sequence number prefix, helping detect lost messages on UDP transport.
🎞️
syslog include hostname seqnum xml
Cisco syslog with hostname, sequence number and XML-formatted message body for structured log parsing.
🎞️
syslog include hostname xml
Syslog messages with hostname and XML-encoded message payload for structured ingestion by collectors.
🎞️
syslog tcp transport
Syslog delivered over TCP (RFC 6587) rather than UDP, providing reliable transport between sender and collector.
🎞️
syslog xml
Syslog messages with XML-formatted payload, enabling structured fields to be parsed by the log receiver.
🔷
QoS
DSCP / ECN / RSVP / Pause
8
🎞️
eth dot1Qbb pfc
IEEE 802.1Qbb Priority Flow Control (PFC) PAUSE frames signaling per-CoS pause to the upstream port to prevent frame loss in lossless Ethernet.
🎞️
eth dot3x pause
IEEE 802.3x MAC PAUSE frames signaling link-level flow control to halt all Ethernet transmission from the upstream port for a specified quanta.
🎞️
qos v4 ipp specialty
IPv4 QoS sample showing specialty IP Precedence markings (Internetwork Control, Network Control) on forwarded traffic.
🎞️
qos v4 rfc 4594
IPv4 DSCP markings from RFC 4594 configuration guidelines applied across multiple service classes (voice, video, data, control).
🎞️
qos v4 rsvp voip
RSVP Path and Resv signaling reserving bandwidth for a VoIP flow, followed by marked voice media packets traversing the reserved path.
🎞️
qos v4 tcp ecn init
IPv4 TCP three-way handshake negotiating ECN capability using ECE/CWR flags and ECT codepoints in the IP header.
🎞️
qos v4 tcp ecn mark
IPv4 TCP ECN in action: router marks CE codepoint on congestion; receiver echoes ECE, sender reduces rate and signals CWR.
🎞️
qos v6 rfc 4594
IPv6 DSCP markings following RFC 4594 service-class guidelines across voice, video, data, and control flows.
📦
Application Protocols
106
🔷
Database
InfluxDB / MySQL / MongoDB
20
📂
influx
7
🎞️
influx auth fail
InfluxDB HTTP API login attempt rejected with authentication failure (401 Unauthorized) due to invalid credentials.
🎞️
influx create db
InfluxDB CREATE DATABASE query issued over the HTTP API, server responds with success creating the database.
🎞️
influx drop db
InfluxDB DROP DATABASE query issued over the HTTP API, server acknowledges removal of the database.
🎞️
influx drop series
InfluxDB DROP SERIES query removing specific measurement series, acknowledged by the server.
🎞️
influx read empty
InfluxDB SELECT query returning an empty result set because no points match the time range or tags.
🎞️
influx read value
InfluxDB SELECT query returning measurement point values over HTTP to the client.
🎞️
influx write point
InfluxDB line-protocol write of a measurement point via the HTTP /write endpoint, server responds 204 No Content on success.
📂
mongo
5
🎞️
mongo auth fail
MongoDB wire-protocol authentication (SASL SCRAM) rejected due to bad credentials, returning an auth failure to the client.
🎞️
mongo delete
MongoDB delete operation over the wire protocol removing matching documents from a collection and returning n deleted.
🎞️
mongo find
MongoDB find query returning matching documents from a collection over the wire protocol.
🎞️
mongo insert
MongoDB insert of one or more documents into a collection via the wire protocol, acknowledged by the server.
🎞️
mongo serverstatus
MongoDB serverStatus admin command returning runtime metrics (connections, memory, ops) to the client.
📂
mysql
8
🎞️
mysql auth fail
MySQL handshake with failed Native Password authentication; server responds with ERR access-denied packet and closes the connection.
🎞️
mysql bad syntax
MySQL query rejected with ERR 1064 syntax-error response due to malformed SQL.
🎞️
mysql create table
MySQL CREATE TABLE DDL statement acknowledged by the server with OK packet.
🎞️
mysql delete where
MySQL DELETE ... WHERE statement removing matching rows, server returns OK with affected-rows count.
🎞️
mysql drop table
MySQL DROP TABLE DDL removing a table, server responds with OK packet.
🎞️
mysql insert commit
MySQL INSERT followed by COMMIT in a transaction, server acknowledges both and persists the row.
🎞️
mysql select
MySQL SELECT query returning a result set with column definitions and row packets to the client.
🎞️
mysql show tables
MySQL SHOW TABLES metadata query returning the list of tables in the current database.
🔷
Email
IMAP / POP3 / SMTP
19
🎞️
dns mail mx a
DNS resolution for email delivery: client queries MX for the domain then A records for the returned mail exchangers.
📂
imap4
6
🎞️
imap4 fetch fail
IMAP4 FETCH command fails (e.g., NO/BAD response) because the message UID or mailbox state is invalid.
🎞️
imap4 list
IMAP4 LIST command enumerating mailbox folders; server returns the mailbox hierarchy and OK completion.
🎞️
imap4 login fail
IMAP4 LOGIN attempt rejected with NO Authentication failed due to invalid credentials.
🎞️
imap4 noop
IMAP4 NOOP keepalive/poll command, server responds OK possibly with untagged status updates.
🎞️
imap4 search fail
IMAP4 SEARCH command returns NO/BAD because of invalid criteria or no selected mailbox.
🎞️
imap4 search fetch
IMAP4 SEARCH returning matching UIDs followed by FETCH to retrieve those messages.
📂
pop3
6
🎞️
pop3 capabilities
POP3 CAPA command returning the server's advertised capability list (STLS, USER, UIDL, SASL) to the client.
🎞️
pop3 enable utf8
POP3 client negotiates UTF-8 capability with server using the CAPA and UTF8 commands, enabling internationalized mailbox handling before authentication.
🎞️
pop3 list retr
pop3_list_retr: Unresolved-endpoint POP3 session: DNS lookup, TCP 3-way handshake, USER/PASS login, LIST mailbox, RETR message, and TCP teardown (FIN,ACK).
🎞️
pop3 noop err
POP3 NOOP keepalive attempt returning an error response, illustrating server-side rejection of the no-op command, likely due to session or state issues.
🎞️
pop3 stat
POP3 STAT command exchange where the client queries mailbox size and message count, and the server returns the current mailbox statistics.
🎞️
pop3 welcome quit
POP3 minimal session showing the server greeting banner followed by an immediate QUIT, demonstrating connection setup and graceful teardown without mail transfer.
📂
smtp
6
🎞️
smtp ehlo
SMTP extended handshake where the client issues EHLO and the server replies with its supported ESMTP extensions such as SIZE, 8BITMIME, and STARTTLS.
🎞️
smtp helo
SMTP legacy handshake using the HELO verb, showing basic mail-server identification without ESMTP extension advertisement.
🎞️
smtp noop
SMTP NOOP keepalive exchange where the client sends NOOP and the server replies 250 OK, used to keep a connection alive without affecting mail state.
🎞️
smtp send mail
SMTP mail submission flow with MAIL FROM, RCPT TO, DATA, and message body followed by a 250 accepted response, showing end-to-end email delivery.
🎞️
smtp vrfy fail
SMTP VRFY recipient verification returning a failure response, indicating the queried username does not exist or VRFY is disabled on the server.
🎞️
smtp vrfy success
SMTP VRFY recipient verification succeeding with a 250 response, confirming the queried user mailbox exists on the server.
🔷
FTP
FTP / SFTP / TFTP
13
📂
ipv4
1
🎞️
ftp pas get minmax
FTP passive-mode GET using min/max passive port range negotiation, demonstrating how the server advertises a port within a constrained range for the data channel.
📂
ipv6
12
🎞️
ftp act get
FTP active-mode download where the client issues PORT then RETR, the server opens a data connection back to the client, and the file is transferred.
🎞️
ftp act put
FTP active-mode upload using PORT and STOR, with the server initiating the data connection back to the client to receive the file.
🎞️
ftp pas get
FTP passive-mode download using PASV and RETR, with the client initiating the data connection to the server-supplied port to download the file.
🎞️
ftp pas put
FTP passive-mode upload with PASV and STOR, where the client opens the data connection to the server and streams the file for storage.
🎞️
ftps act get
FTPS (FTP over TLS) active-mode download with AUTH TLS securing the control channel and an encrypted data channel for the RETR transfer.
🎞️
ftps act put
FTPS active-mode upload with TLS-protected control and data channels, using STOR to push an encrypted file to the server.
🎞️
ftps pas get
FTPS passive-mode download where PASV plus TLS data-channel protection secure the RETR file transfer end to end.
🎞️
ftps pas put
FTPS passive-mode upload with TLS-secured control and data channels, delivering the STOR payload under encryption.
🎞️
sftp get
SFTP download over SSH where after key exchange and authentication the client issues OPEN and READ operations to retrieve a file from the server.
🎞️
sftp put
SFTP upload over SSH, with the authenticated client using OPEN and WRITE operations to store a file on the server through the encrypted channel.
🎞️
tftp get
TFTP Read Request (RRQ) download using UDP, with the server streaming DATA blocks and the client returning ACKs until the transfer completes.
🎞️
tftp put
TFTP Write Request (WRQ) upload using UDP, with the server acknowledging each DATA block sent by the client until the file is fully stored.
🔷
gRPC
gNMI / Telemetry
14
🎞️
grpc gnmi capabilities
gNMI Capabilities RPC over gRPC/HTTP2, where the client requests supported models and encodings and the target returns its capability response.
🎞️
grpc gnmi get
gNMI Get RPC retrieving configuration or state data from a network device, returning a Notification with the requested paths and values.
🎞️
grpc gnmi set delete
gNMI Set RPC with a delete operation removing a configuration path from the target, acknowledged via SetResponse.
🎞️
grpc gnmi set replace
gNMI Set RPC using replace semantics to fully overwrite a configuration subtree on the target device.
🎞️
grpc gnmi set update
gNMI Set RPC using update semantics to merge configuration changes into the target's existing configuration.
🎞️
grpc gnmi subscribe
gNMI Subscribe RPC establishing a streaming telemetry subscription, with the target pushing periodic or on-change updates for the subscribed paths.
🎞️
grpc gnmi unimplemented
gNMI RPC returning an Unimplemented gRPC status, indicating the target does not support the requested operation.
🎞️
grpc rpc deleteconfig
gRPC network management DeleteConfig RPC removing a configuration element on the target, with success/failure status returned to the client.
🎞️
grpc rpc getconfig
gRPC GetConfig RPC fetching the current configuration from the target device over HTTP/2.
🎞️
grpc rpc mergeconfig
gRPC MergeConfig RPC applying a partial configuration merge on the target, preserving existing settings not referenced in the request.
🎞️
grpc rpc replaceconfig
gRPC ReplaceConfig RPC fully replacing a configuration subtree on the target, overwriting previous values.
🎞️
grpc telemetry gpb
gRPC streaming telemetry using Google Protocol Buffers (compact GPB) encoding, pushing device metrics to a collector.
🎞️
grpc telemetry json
gRPC streaming telemetry using JSON-encoded payloads, delivering human-readable device state updates to the collector.
🎞️
grpc telemetry kvgpb
gRPC streaming telemetry using the self-describing key-value GPB encoding, providing schema-agnostic telemetry to the collector.
🔷
HTTP
HTTP/2 / HTTP/3 / QUIC
12
📂
http
4
🎞️
http2 tls
HTTP/2 over TLS session with ALPN negotiation, HEADERS and DATA frames multiplexed over a single encrypted TCP connection.
🎞️
http3 quic
HTTP/3 session over QUIC, with the client and server exchanging encrypted QUIC packets carrying request/response streams without TCP.
🎞️
http port5000
HTTP traffic on non-standard TCP port 5000, showing a GET request and server response for a service hosted outside the default port 80.
🎞️
http proxy caching
HTTP proxy caching flow where the client requests content through a proxy, the proxy fetches from origin, caches the response, and serves later requests from cache.
📂
jsonrpc
2
🎞️
http jsonrpc create intf
HTTP-based JSON-RPC call that creates a new network interface on the device, returning a success result from the RPC endpoint.
🎞️
http jsonrpc get intfs
HTTP-based JSON-RPC call retrieving the list of interfaces from the device, with the server returning the interface inventory as JSON.
📂
wccp
6
🎞️
wccp init password
WCCP service group initialization with password-protected Here-I-Am and I-See-You negotiation between router and cache engines.
🎞️
wccp removal query
WCCP Removal Query exchange where the router probes a cache engine's liveness and removes it from the service group if unresponsive.
🎞️
wccp serv123 redirect gre
WCCP services 1/2/3 redirecting traffic from router to cache engine via GRE encapsulation for content and DNS optimization.
🎞️
wccp serv123 redirect layer2
WCCP services 1/2/3 redirecting traffic using Layer 2 MAC rewrite instead of GRE, requiring cache engines to be L2-adjacent to the router.
🎞️
wccp web0 redirect gre
WCCP web-cache service 0 redirecting HTTP traffic via GRE tunnel to the cache engine for content acceleration.
🎞️
wccp web0 redirect layer2
WCCP web-cache service 0 redirecting HTTP traffic using Layer 2 forwarding to the directly attached cache engine.
🔷
RESTCONF
HTTP REST API
11
📂
device
7
🎞️
restconf delete device
RESTCONF DELETE request to remove a device resource from the controller, expecting a 204 No Content success response.
🎞️
restconf get device cli type
RESTCONF GET retrieving the cli-type leaf of a device resource, returning a JSON/XML representation over HTTPS.
🎞️
restconf get device full
RESTCONF GET retrieving the full device resource tree with all configured and operational data.
🎞️
restconf head device
RESTCONF HEAD request on a device resource, returning headers only to probe existence and metadata without the body.
🎞️
restconf post device create
RESTCONF POST creating a new device resource under the devices collection, expecting a 201 Created response.
🎞️
restconf post device sync from
RESTCONF POST invoking the sync-from action RPC on a device to pull configuration from the live device into the controller.
🎞️
restconf put device cli type
RESTCONF PUT replacing the cli-type leaf of a device resource with a new value.
📂
service
4
🎞️
restconf delete service
RESTCONF DELETE request to remove a service resource from the controller, expecting a 204 No Content success response.
🎞️
restconf get device lb config
RESTCONF GET retrieving the load-balancer configuration subtree of a device resource.
🎞️
restconf get service lb
RESTCONF GET retrieving a load-balancer service resource from the controller.
🎞️
restconf patch service add
RESTCONF PATCH request adding content to an existing service resource via a partial update.
🔷
Storage
SMB / NFS / iSCSI
17
🎞️
storage iscsi chap fail
storage_iscsi_chap_fail: iSCSI initiator and target exchange Login Command/Response pairs; the final server Login Response carries a CHAP authentication failure status, aborting login.
🎞️
storage iscsi data xfer
storage_iscsi_data_xfer: Established iSCSI session moves SCSI Read/Write via Command, Data-Ready-to-Transfer (R2T) and Response PDUs between initiator and target.
🎞️
storage iscsi format fs
storage_iscsi_format_fs: Very large iSCSI session (~1600 PDUs) of Commands, R2T and Responses as the initiator formats a filesystem on the target LUN.
🎞️
storage iscsi login chap
storage_iscsi_login_chap: iSCSI initiator completes a 4-step CHAP Login, runs SCSI Commands and Data-In reads, Text negotiations, then Logout and NOP keepalives.
🎞️
storage iscsi login nochap
storage_iscsi_login_nochap: iSCSI initiator performs a 2-step Login without CHAP, then exchanges SCSI Commands and Data-In PDUs, ending with Logout and NOP-Out keepalives.
🎞️
storage iscsi sendtargets
storage_iscsi_sendtargets: iSCSI discovery session: initiator Logins to target, issues a Text Command with SendTargets=All, receives the target list and logs out.
🎞️
storage nfsv3 auth fail
storage_nfsv3_auth_fail: Client probes the NFSv3 MOUNT service with NULL and MNT calls; server replies MNT with an auth error (AUTH_ERROR/access denied) on each attempt.
🎞️
storage nfsv3 download
storage_nfsv3_download: Client reads a file via NFSv3 using GETATTR and ACCESS RPCs; server returns attributes and permit status enabling the read.
🎞️
storage nfsv3 init
storage_nfsv3_init: NFSv3 session bring-up via Portmap GETPORT lookups, MOUNT MNT, then NFS GETATTR, FSINFO, PATHCONF, FSSTAT and ACCESS calls to initialize the mount.
🎞️
storage nfsv3 perm denied
storage_nfsv3_perm_denied: Client queries Portmap and issues Mount MNT twice; server returns MNT responses denying access (permission denied export restriction).
🎞️
storage nfsv3 showmount
storage_nfsv3_showmount: Client opens a TCP session to showmount/mountd, issues an RPC Call (dump exports) and gets an RPC Reply, then tears down with FIN,ACK.
🎞️
storage nfsv3 upload
storage_nfsv3_upload: Client creates and uploads a file via NFSv3 ACCESS, LOOKUP, CREATE, SETATTR, WRITE and COMMIT, with GETATTR polling and a final READ verification.
🎞️
storage smb auth fail
storage_smb_auth_fail: SMB1/SMB2 Negotiate succeeds but repeated SMB2 Session Setup exchanges never complete, with KeepAlives in between, indicating NTLM authentication failure.
🎞️
storage smb badshare
storage_smb_badshare: After SMB negotiate and session setup, client repeatedly attempts Tree Connect which the server rejects (bad share name / STATUS_BAD_NETWORK_NAME), then logs off.
🎞️
storage smb download
storage_smb_download: SMB2 session issues Create opens, Read operations and Close on a remote file, demonstrating a file download over an established tree.
🎞️
storage smb init
storage_smb_init: Full SMB session setup: SMB1 to SMB2 Negotiate, Session Setup (NTLM), Tree Connect, Create/Ioctl exchanges, and teardown via Close, Tree Disconnect and Session Logoff.
🎞️
storage smb upload
storage_smb_upload: Large SMB2 session (~200 msgs) with Create, Notify, Write and Close operations uploading a file to the server share.
🎥
Collaboration & Media
108
🔷
Collaboration
SIP / RTP / SCCP
108
📂
dtmf_relay
11
🎞️
dtmf relay asymm
SIP voice call with asymmetric DTMF relay: endpoints negotiate different DTMF methods in offer/answer SDP.
🎞️
dtmf relay digitdrop
DTMF relay scenario exhibiting digit drop: initial digits lost during mode negotiation or transcoding between gateways.
🎞️
dtmf relay iwrk rtpnte
DTMF relay interworking using RTP Named Telephone Events (RFC 2833/4733) between SIP endpoints via a gateway.
🎞️
dtmf relay iwrk standard
DTMF relay standard interworking: gateway translates between in-band, NTE and out-of-band signaling methods.
🎞️
dtmf relay mtp rfc4733 passthru
DTMF relay via MTP with RFC 4733 NTE passthrough: MTP passes named-event RTP packets end-to-end.
🎞️
dtmf relay no iwrk
DTMF relay with no interworking: both endpoints use the same method (e.g. RFC 2833) end-to-end.
🎞️
dtmf relay noasymm
DTMF relay with symmetric negotiation: both endpoints agree on the same method in SDP offer/answer.
🎞️
dtmf relay notify mtp nte rfc2833
SIP NOTIFY-based DTMF relay across MTP with RFC 2833 NTE for the RTP leg.
🎞️
dtmf relay nte notify forbidden
DTMF relay failure: SIP NOTIFY for DTMF rejected with 403 Forbidden when NTE is expected instead.
🎞️
dtmf relay sip rfc4733
SIP voice call using RFC 4733 (telephone-event) RTP payload for in-band DTMF relay end-to-end.
🎞️
dtmf relay unsol notify nodigitdrop
SIP unsolicited NOTIFY DTMF relay without digit drop: all digits delivered cleanly between endpoints.
📂
fax
21
🎞️
fax h323 passthru ogw
H.323 fax pass-through from the originating gateway perspective: voice-band fax tones carried in G.711 RTP.
🎞️
fax h323 passthru tgw
H.323 fax pass-through from the terminating gateway perspective: voice-band fax tones received over G.711 RTP.
🎞️
fax sip passthru ogw
SIP fax pass-through at the originating gateway: fax carried end-to-end as G.711 without T.38 switchover.
🎞️
fax sip passthru tgw
SIP fax pass-through at the terminating gateway: fax received over G.711 RTP without T.38 switchover.
🎞️
fax t38 h323 ogw
H.323 fax call switching to T.38 at the originating gateway: H.245 OpenLogicalChannel for T38FaxUdp, then T.38 UDPTL.
🎞️
fax t38 h323 tgw
H.323 fax call switching to T.38 at the terminating gateway: H.245 T38 capability and T.38 UDPTL packets received.
🎞️
fax t38 nse h323 ogw
H.323 fax call using Cisco NSE (Named Signaling Events) to trigger T.38 fax switchover at originating gateway.
🎞️
fax t38 nse h323 tgw
H.323 fax call using Cisco NSE to trigger T.38 fax switchover at terminating gateway.
🎞️
fax t38 nse mgcp ogw
MGCP-controlled fax call using Cisco NSE to trigger T.38 switchover at originating gateway.
🎞️
fax t38 nse sccp ogw
SCCP-controlled fax call using Cisco NSE to trigger T.38 switchover at originating gateway.
🎞️
fax t38 nse sccp tgw
SCCP-controlled fax call using Cisco NSE to trigger T.38 switchover at terminating gateway.
🎞️
fax t38 nse sip ogw
SIP fax call using Cisco NSE to trigger mid-call T.38 reINVITE switchover at originating gateway.
🎞️
fax t38 nse sip tgw
SIP fax call using Cisco NSE to trigger mid-call T.38 reINVITE switchover at terminating gateway.
🎞️
modem h323 passthru nse ogw
H.323 modem pass-through using Cisco NSE to signal modem tone detection and switch to clear-channel codec at OGW.
🎞️
modem h323 passthru nse tgw
H.323 modem pass-through using Cisco NSE to signal modem tone detection and switch to clear-channel codec at TGW.
🎞️
modem mgcp passthru nse ogw
MGCP modem pass-through using Cisco NSE at originating gateway: switch to clear-channel codec for modem traffic.
🎞️
modem mgcp passthru nse tgw
MGCP modem pass-through using Cisco NSE at terminating gateway: switch to clear-channel codec for modem traffic.
🎞️
modem sccp passthru nse ogw
SCCP modem pass-through using Cisco NSE at originating gateway: switch to clear-channel codec for modem traffic.
🎞️
modem sccp passthru nse tgw
SCCP modem pass-through using Cisco NSE at terminating gateway: switch to clear-channel codec for modem traffic.
🎞️
modem sip passthru nse ogw
SIP modem pass-through using Cisco NSE at originating gateway: reINVITE to clear-channel codec for modem traffic.
🎞️
modem sip passthru nse tgw
SIP modem pass-through using Cisco NSE at terminating gateway: reINVITE to clear-channel codec for modem traffic.
📂
h323
4
🎞️
h245 alpha
H.245 control channel exchange showing alphanumeric UserInput messages for DTMF/keypad input over H.323.
🎞️
h245 signal
H.245 control channel exchange showing signal-type UserInput (signal/signalUpdate) messages for DTMF over H.323.
🎞️
h323 ss hold resume
H.323 supplementary service Hold/Resume: H.450.4 invoke APDUs and H.245 CLC/OLC to mute/unmute media.
🎞️
h323 ss hold transfer
H.323 supplementary service Hold then Transfer: H.450.4 Hold followed by H.450.2 Call Transfer invoke APDUs.
📂
mgcp
10
🎞️
mgcp dtmf oob
MGCP call with out-of-band DTMF: gateway reports digits to Call Agent via NTFY with D/digit observed events.
🎞️
mgcp dtmf rtp nte
MGCP call with in-band DTMF via RTP Named Telephone Events (RFC 2833) carried end-to-end.
🎞️
mgcp fxo registration
MGCP FXO endpoint registration with Call Agent: RSIP restart-in-progress and RQNT provisioning.
🎞️
mgcp fxs inbound
MGCP FXS inbound call: Call Agent sends CRCX/MDCX to gateway, NTFY off-hook and digit events drive call setup.
🎞️
mgcp fxs outbound
MGCP FXS outbound call: NTFY off-hook plus dialed digits trigger Call Agent to set up connection via CRCX/MDCX.
🎞️
mgcp fxs registration
MGCP FXS endpoint registration with Call Agent: RSIP restart and RQNT provisioning of line events.
🎞️
mgcp fxs reset
MGCP FXS endpoint reset: gateway sends RSIP (graceful/forced) to Call Agent; endpoints re-register.
🎞️
mgcp isdn pri call
MGCP-controlled ISDN PRI call: Q.931 backhaul over MGCP between gateway and Call Agent for call setup/teardown.
🎞️
mgcp isdn pri registration
MGCP ISDN PRI endpoint registration: RSIP and Q.931 backhaul channel establishment with Call Agent.
🎞️
mgcp restart
MGCP gateway restart: RSIP (restart-in-progress) sent to Call Agent followed by endpoint re-provisioning.
📂
rtp
14
🎞️
rtp g729abr8
RTP voice stream using G.729 Annex A/B at 8 kbps with VAD/CNG silence suppression between endpoints.
🎞️
rtp g729ar8
RTP media stream carrying G.729a voice payload at 8 kbps between endpoints, showing the compressed-codec audio flow after call setup.
🎞️
rtp lmr g711ulaw mcast holler
RTP multicast Land Mobile Radio 'holler' push-to-talk audio using G.711 u-law, with a transmitter streaming to the multicast group of receivers.
🎞️
rtp lmr g711ulaw mcast hoot
RTP multicast Land Mobile Radio 'hoot-n-holler' always-on intercom using G.711 u-law, streaming one-way audio to the multicast group.
🎞️
rtp mcast moh
RTP multicast Music-on-Hold stream from a CUCM MoH server to subscribed phones, delivering held-call audio over an IP multicast group.
🎞️
rtp sip g711alaw 30ms
SIP-negotiated RTP audio call using G.711 A-law encoding with 30 ms packetization, showing bidirectional voice flow between the endpoints.
🎞️
rtp sip g711ulaw 10ms
SIP-negotiated RTP audio call using G.711 u-law with 10 ms packetization, yielding high packet rate and low latency between endpoints.
🎞️
rtp sip g711ulaw 20ms
SIP-negotiated RTP audio call using G.711 u-law with the standard 20 ms packetization between endpoints.
🎞️
rtp sip g711ulaw 30ms
SIP-negotiated RTP audio call using G.711 u-law with 30 ms packetization, reducing packet rate at the cost of slightly higher latency.
🎞️
rtp sip g722 h264
SIP video call carrying wideband G.722 audio and H.264 video over RTP between the endpoints.
🎞️
rtp sip ilbc 20ms 15dot2kbps
SIP-negotiated RTP call using iLBC codec at 20 ms frames and 15.2 kbps, a loss-resilient narrowband voice stream.
🎞️
rtp sip ilbc 30ms 13dot33kbps
SIP-negotiated RTP call using iLBC codec at 30 ms frames and 13.33 kbps for efficient loss-resilient voice.
🎞️
rtp sip isac
SIP-negotiated RTP call using the adaptive iSAC wideband codec between the endpoints.
🎞️
rtp sip opus
SIP-negotiated RTP call using the Opus codec, delivering adaptive wideband audio between endpoints.
📂
sccp
18
🎞️
sccp cme init
SCCP phone initializing against a Cisco CallManager Express (CME), exchanging registration and keepalive messages to become active.
🎞️
sccp dtmf oob
SCCP out-of-band DTMF signalling: the phone reports keypad digits to CUCM via KeypadButton messages rather than in the RTP stream.
🎞️
sccp fxs inbound
SCCP-controlled FXS analog gateway accepting an inbound call, with CUCM driving OffHook, CallInfo and media setup toward the analog port.
🎞️
sccp fxs outbound
SCCP-controlled FXS analog gateway placing an outbound call, with CUCM sending dialed digits and opening RTP media channels.
🎞️
sccp fxs register
SCCP registration of an FXS analog voice port with CUCM, including RegisterReq, capabilities exchange and LineStatReq for each port.
🎞️
sccp hw conf
SCCP hardware conference bridge handling a three-party conference, with CUCM allocating the conference resource and mixing RTP streams.
🎞️
sccp hw conf register
SCCP registration of a hardware conference bridge DSP resource with CUCM, announcing conference capabilities.
🎞️
sccp hw gway tls
SCCP hardware voice gateway registering with CUCM over a TLS-secured signalling channel for encrypted control plane.
🎞️
sccp hw mtp
SCCP hardware Media Termination Point bridging two RTP streams under CUCM control, used for transcoding/DTMF interworking.
🎞️
sccp hw mtp register
SCCP registration of a hardware MTP (Media Termination Point) DSP resource with CUCM, advertising MTP capabilities.
🎞️
sccp hw mtp trp
SCCP hardware MTP acting as a Trusted Relay Point, anchoring RTP for a call under CUCM control for policy enforcement.
🎞️
sccp hw xcode
SCCP hardware transcoder converting between codecs (e.g., G.711 and G.729) for a call under CUCM control.
🎞️
sccp hw xcode register
SCCP registration of a hardware transcoder DSP farm with CUCM, advertising supported codec conversion capabilities.
🎞️
sccp inbound call
SCCP (Skinny) inbound call to an IP phone: CUCM sends CallInfo/Ringer, user goes off-hook, and RTP media channels open.
🎞️
sccp outbound call
SCCP (Skinny) outbound call from an IP phone: OffHook, KeypadButton digits, then CUCM establishes RTP toward the far end.
🎞️
sccp phone register
SCCP Skinny phone registration with CUCM, including RegisterReq, version/capabilities exchange, softkey/button templates and line status.
🎞️
srst cred handshake
Cisco SRST credentials-service handshake where a secure phone downloads SRST certificate/credentials before failover registration.
🎞️
srst secure
Cisco SRST failover with secure (TLS/encrypted) phone registration to the SRST router when CUCM connectivity is lost.
📂
sip
30
🎞️
sip basic do 183
Basic SIP call using delayed-offer model where the callee returns SDP in a 183 Session Progress for early media, then 200 OK and ACK complete setup.
🎞️
sip basic eo 180
Basic SIP early-offer call: caller sends SDP in INVITE, callee replies 100 Trying, 180 Ringing, 200 OK with answer SDP, then ACK.
🎞️
sip bye also transfer
SIP call transfer using the legacy BYE/Also header: the transferor sends BYE with an Also URI, instructing the transferee to call the target.
🎞️
sip cpa
SIP Call Progress Analysis flow where the gateway analyses answer tones/voice to distinguish human vs machine before proceeding.
🎞️
sip dtmf info
SIP INFO method carrying DTMF digits out-of-band in the signalling channel between the endpoints during an active call.
🎞️
sip dtmf kpml
SIP KPML DTMF reporting: subscriber NOTIFY messages carry Key Press Markup Language digit events after a SUBSCRIBE for kpml events.
🎞️
sip dtmf nte rfc2833
DTMF via RTP Named Telephone Events per RFC 2833, with event packets interleaved in the audio stream negotiated over SIP/SDP.
🎞️
sip dtmf nte rfc4733
DTMF via RTP Named Telephone Events per RFC 4733 (RFC 2833 successor), carrying digit events in-band alongside the audio stream.
🎞️
sip dtmf raw inband
Raw in-band DTMF tones carried directly in the G.711 RTP audio stream without any named-event or signalling encoding.
🎞️
sip hold resume
SIP call hold and resume using re-INVITE with a=sendonly/inactive then a=sendrecv SDP to pause and restart the media flow.
🎞️
sip hold transfer
SIP consultative transfer: the transferor holds the first call, consults the target, then transfers using REFER or re-INVITE sequences.
🎞️
sip mcast paging
SIP-initiated multicast paging: a page server streams G.711 audio to an RTP multicast group that paging-zone phones join.
🎞️
sip mwi off
SIP Message Waiting Indicator deactivation via NOTIFY with Messages-Waiting:no, turning off the phone's MWI lamp after voicemail retrieval.
🎞️
sip mwi on
SIP Message Waiting Indicator activation via NOTIFY with Messages-Waiting:yes for the message-summary event, lighting the phone's MWI lamp.
🎞️
sip options inband
SIP OPTIONS in-dialog keepalive pings exchanged during an active session to verify peer liveness.
🎞️
sip options oob
SIP OPTIONS out-of-dialog keepalive between SIP peers to verify reachability and exchange capabilities.
🎞️
sip prack do 183
SIP reliable provisional responses (PRACK, RFC 3262) with delayed-offer: 183 Session Progress is ACKed by PRACK before 200 OK.
🎞️
sip prack eo 180
SIP reliable provisional responses (PRACK) with early-offer: 180 Ringing sent reliably and acknowledged by PRACK before 200 OK.
🎞️
sip prack eo 183
SIP reliable provisional responses (PRACK) with early-offer: 183 Session Progress sent reliably and acknowledged by PRACK before 200 OK.
🎞️
sip recording ora
SIP-based call recording using Cisco MediaSense-style Ora/Built-in-Bridge forking, with the gateway forking RTP to the recorder.
🎞️
sip recording siprec
SIPREC (RFC 7866) call recording: the Session Recording Client sends INVITE with recording metadata to the SRS, which receives forked RTP.
🎞️
sip refer transfer
SIP attended or blind transfer via REFER: the transferor sends REFER to the transferee with Refer-To the target, followed by NOTIFY sipfrag progress.
🎞️
sip register
SIP REGISTER flow: UA authenticates to the registrar (likely with 401 Unauthorized challenge and digest credentials) and receives 200 OK binding its AOR.
🎞️
sip session refresh 422
SIP session timer refresh rejected with 422 Session Interval Too Small; UA re-INVITEs with a larger Session-Expires and succeeds.
🎞️
sip tls aead aes 128 gcm
SIP over TLS with SRTP media secured by AEAD_AES_128_GCM, negotiated via SDES in the encrypted SIP signalling.
🎞️
sip tls aead aes 256 gcm
SIP over TLS with SRTP media secured by AEAD_AES_256_GCM, negotiated via SDES in the encrypted SIP signalling.
🎞️
sip tls aes cm 128 hmac sha1 32
SIP over TLS with SRTP media using AES_CM_128_HMAC_SHA1_32 crypto suite for encrypted audio with 32-bit auth tags.
🎞️
sip tls aes cm 128 hmac sha1 80
SIP over TLS with SRTP media using AES_CM_128_HMAC_SHA1_80 crypto suite for encrypted audio with 80-bit auth tags.
🎞️
sip xmf recording cube
Cisco CUBE network-based recording via XMF/MediaForking API, forking RTP from the CUBE to a recording server.
🎞️
sip xmf recording cucm
CUCM network-based recording via XMF/MediaForking, with CUCM instructing the phone or gateway to fork RTP to a recording server.
📶
IoT & Wireless
201
🔷
IoT
CoAP / MQTT
6
🎞️
coap get
CoAP GET request over UDP retrieving a resource from a constrained IoT server, with a piggybacked ACK carrying the response payload.
🎞️
coap post delete
CoAP POST creating a resource followed by DELETE removing it, demonstrating REST-style resource manipulation on a constrained IoT device.
🎞️
mqtt tls
MQTT over TLS session with CONNECT/CONNACK handshake, SUBSCRIBE/PUBLISH exchanges, and DISCONNECT, all protected by TLS encryption.
🎞️
mqtt tls ws
MQTT over WebSockets secured by TLS, tunneling MQTT CONNECT, PUBLISH, and SUBSCRIBE frames through an encrypted WSS connection.
🎞️
mqtt unenc
MQTT session in the clear with CONNECT, SUBSCRIBE, PUBLISH, and DISCONNECT messages exchanged without TLS protection.
🎞️
mqtt unenc ws
MQTT over plain WebSockets without TLS, carrying CONNECT, PUBLISH, and SUBSCRIBE frames through an unencrypted WS upgrade.
🔷
Meraki
MR / MX / MV
3
🎞️
meraki mr20 init
Cisco Meraki MR20 access point initialization traffic: DHCP, DNS, and cloud-controller TLS registration to the Meraki dashboard.
🎞️
meraki mv12we init
Cisco Meraki MV12WE camera initialization flow: address acquisition, time sync, and secure check-in to Meraki cloud services.
🎞️
meraki mx64
Cisco Meraki MX64 security appliance traffic showing management check-in to the Meraki cloud and typical WAN services.
🔷
WLAN
802.11 / CAPWAP / Roaming
192
📂
apple-iphone6
10
🎞️
qos marking appleiphone6 alloy wired
Wired egress of iPhone 6 traffic under 'alloy' QoS profile: DSCP markings observed on the WLC uplink validate that wireless UP-to-DSCP translation preserves the intended class of service.
🎞️
qos marking appleiphone6 alloy wlan
Over-the-air 802.11 QoS Data frames from iPhone 6 tagged per 'alloy' profile; UP/TID values on the WLAN confirm how the client marks upstream traffic before WLC remapping.
🎞️
qos marking appleiphone6 bronze wired
Wired capture of iPhone 6 traffic under 'bronze' QoS profile showing DSCP values exiting the WLC to verify UP-to-DSCP mapping policy on the wired side.
🎞️
qos marking appleiphone6 bronze wlan
802.11 QoS Data frames from iPhone 6 with 'bronze' profile applied; TID/priority values captured over-the-air confirm the client's upstream WMM marking.
🎞️
qos marking appleiphone6 gold wired
Wired DSCP values for iPhone 6 traffic under 'gold' QoS profile, verifying that the WLC translates wireless UP into the expected DSCP class on egress.
🎞️
qos marking appleiphone6 gold wlan
Over-the-air QoS Data from iPhone 6 on 'gold' profile; captured TID/WMM access-category values document client upstream marking before WLC policy applies.
🎞️
qos marking appleiphone6 platinum wired
Wired DSCP capture for iPhone 6 'platinum' QoS profile, confirming voice-class mapping between the wireless UP and the DSCP value placed on the wire.
🎞️
qos marking appleiphone6 platinum wlan
802.11 QoS Data from iPhone 6 under 'platinum' profile; over-the-air TID/priority shows the client's voice-grade WMM marking upstream.
🎞️
qos marking appleiphone6 silver wired
Wired DSCP values for iPhone 6 'silver' QoS profile, verifying WLC UP-to-DSCP translation on the wired egress path.
🎞️
qos marking appleiphone6 silver wlan
Over-the-air QoS Data from iPhone 6 on 'silver' profile with TID/priority values showing client WMM marking upstream before WLC remapping.
📂
bittium-sd41
10
🎞️
qos marking bittiumsd41 alloy wired
Wired capture showing DSCP markings applied by the WLC for Bittium SD41 traffic under 'alloy' QoS profile on the wired egress.
🎞️
qos marking bittiumsd41 alloy wlan
Over-the-air 802.11 QoS Data from Bittium SD41 under 'alloy' profile documenting client-side WMM UP/TID values.
🎞️
qos marking bittiumsd41 bronze wired
Wired DSCP capture for Bittium SD41 traffic under 'bronze' profile to validate UP-to-DSCP mapping on the WLC.
🎞️
qos marking bittiumsd41 bronze wlan
Bittium SD41 over-the-air QoS Data with 'bronze' profile; TID and WMM access category confirm upstream wireless marking.
🎞️
qos marking bittiumsd41 gold wired
Wired DSCP values for Bittium SD41 traffic under 'gold' profile, verifying WLC QoS mapping for video-class service.
🎞️
qos marking bittiumsd41 gold wlan
802.11 QoS Data from Bittium SD41 on 'gold' profile; WMM access-category values captured over-the-air for upstream traffic.
🎞️
qos marking bittiumsd41 platinum wired
Wired DSCP capture for Bittium SD41 'platinum' voice-grade QoS profile showing expected voice-class markings on egress.
🎞️
qos marking bittiumsd41 platinum wlan
Over-the-air 802.11 QoS Data from Bittium SD41 under 'platinum' profile with voice TID/priority values from the client.
🎞️
qos marking bittiumsd41 silver wired
Wired DSCP values for Bittium SD41 under 'silver' QoS profile verifying WLC UP-to-DSCP remap on the wire.
🎞️
qos marking bittiumsd41 silver wlan
802.11 QoS Data from Bittium SD41 with 'silver' profile; captured WMM UP/TID show upstream client marking.
📂
boeing-blk1
10
🎞️
qos marking boeingblk1 alloy wired
Wired DSCP values on the WLC egress for Boeing BLK1 device under 'alloy' QoS profile, validating policy mapping.
🎞️
qos marking boeingblk1 alloy wlan
Over-the-air 802.11 QoS Data from Boeing BLK1 under 'alloy' profile; TID/priority confirms WMM upstream marking.
🎞️
qos marking boeingblk1 bronze wired
Wired capture of Boeing BLK1 DSCP markings under 'bronze' profile to confirm WLC UP-to-DSCP translation.
🎞️
qos marking boeingblk1 bronze wlan
802.11 QoS Data from Boeing BLK1 under 'bronze' profile; WMM access-category values document client upstream marking.
🎞️
qos marking boeingblk1 gold wired
Boeing BLK1 traffic under 'gold' QoS profile captured on the wired side with DSCP values verifying video-class mapping.
🎞️
qos marking boeingblk1 gold wlan
Over-the-air QoS Data from Boeing BLK1 under 'gold' profile; TID/priority show video-grade WMM marking.
🎞️
qos marking boeingblk1 platinum wired
Wired DSCP capture for Boeing BLK1 under 'platinum' voice profile, verifying voice-class mapping on WLC egress.
🎞️
qos marking boeingblk1 platinum wlan
802.11 QoS Data from Boeing BLK1 under 'platinum' profile with voice TID/priority shown over-the-air.
🎞️
qos marking boeingblk1 silver wired
Wired capture of Boeing BLK1 DSCP under 'silver' QoS profile validating WLC UP-to-DSCP policy.
🎞️
qos marking boeingblk1 silver wlan
Over-the-air QoS Data from Boeing BLK1 'silver' profile with WMM TID values showing upstream client marking.
📂
c3602uwgb
5
🎞️
qos marking c3602uwgb alloy 1to1 wired
Cisco 3602 UWGB workgroup bridge wired capture under 'alloy' 1:1 QoS profile; DSCP preserved end-to-end through the UWGB.
🎞️
qos marking c3602uwgb alloy 1to1 wlan
Over-the-air 802.11 QoS Data through Cisco 3602 UWGB under 'alloy' 1:1 profile; WMM TID mirrors wired DSCP class.
🎞️
qos marking c3602uwgb alloy rfc4594 scavmap wired
Wired DSCP capture via Cisco 3602 UWGB 'alloy' profile with RFC 4594 scavenger mapping, verifying CS1 demotion of low-priority traffic.
🎞️
qos marking c3602uwgb alloy rfc4594 wired
Wired DSCP markings through Cisco 3602 UWGB under 'alloy' profile using RFC 4594 mapping; DSCP classes align with RFC-defined service classes.
🎞️
qos marking c3602uwgb alloy rfc4594 wlan
Over-the-air QoS Data via Cisco 3602 UWGB under RFC 4594 'alloy' profile; WMM UP/TID match RFC 4594-derived access categories.
📂
dot1x
32
🎞️
clientassoc dot1x eap passthrough wired
clientassoc_dot1x_eap_passthrough_wired: Wired view of 802.1X EAP-passthrough: iPhone client associates to AP; AP-AP DTLS tunnel forwards EAP frames to controller for authentication.
🎞️
clientassoc dot1x eap passthrough wlan
clientassoc_dot1x_eap_passthrough_wlan: WLAN 802.1X EAP-passthrough: iPhone probes, 802.11 authenticates and associates, then exchanges QoS Data/Action frames during EAP passthrough to RADIUS.
🎞️
clientassoc dot1x wpa2 eapfast fail wired
clientassoc_dot1x_wpa2_eapfast_fail_wired: Wired view of EAP-FAST failure: client associates and AP-AP DTLS carries EAP exchange that ultimately fails (no 4-way EAPOL Key follows).
🎞️
clientassoc dot1x wpa2 eapfast fail wlan
clientassoc_dot1x_wpa2_eapfast_fail_wlan: WLAN WPA2/EAP-FAST failure: iPhone associates but EAP-FAST authentication does not succeed and client ends with a Disassociate (no keys installed).
🎞️
clientassoc dot1x wpa2 eapmd5 fail wired
clientassoc_dot1x_wpa2_eapmd5_fail_wired: Wired view of EAP-MD5 failure: client associates and AP-AP DTLS carries EAP exchange; no successful 4-way handshake completes.
🎞️
clientassoc dot1x wpa2 eapmd5 fail wlan
clientassoc_dot1x_wpa2_eapmd5_fail_wlan: WLAN WPA2/EAP-MD5 failure: iPhone associates, exchanges Action frames, but EAP-MD5 is rejected and client issues Disassociate.
🎞️
clientassoc dot1x wpa2 eaptls fail wired
clientassoc_dot1x_wpa2_eaptls_fail_wired: Wired view of EAP-TLS failure: client associates and AP-AP DTLS carries EAP-TLS exchange that fails before keys are derived.
🎞️
clientassoc dot1x wpa2 eaptls fail wlan
clientassoc_dot1x_wpa2_eaptls_fail_wlan: WLAN WPA2/EAP-TLS failure: iPhone authenticates and associates but EAP-TLS cert validation fails, ending in Disassociate.
🎞️
clientassoc dot1x wpa2 leap fail wired
clientassoc_dot1x_wpa2_leap_fail_wired: Wired view of LEAP failure: client associates, AP-AP DTLS forwards LEAP EAP messages which are rejected by the server.
🎞️
clientassoc dot1x wpa2 leap fail wlan
clientassoc_dot1x_wpa2_leap_fail_wlan: WLAN WPA2/LEAP failure: iPhone associates, LEAP Action frame exchange fails, client issues Disassociate and no keys installed.
🎞️
clientassoc dot1x wpa2 peapv1 wired
clientassoc_dot1x_wpa2_peapv1_wired: Wired view of WPA2 PEAPv1 success: AP-AP DTLS carries the PEAP/EAP exchange, then client completes 4-way EAPOL Key handshake.
🎞️
clientassoc dot1x wpa2 peapv1 wlan
clientassoc_dot1x_wpa2_peapv1_wlan: WLAN WPA2 PEAPv1 success: iPhone associates, runs PEAPv1 via Action frames, then finishes 4-way EAPOL Key handshake and sends data.
🎞️
clientassoc dot1x wpa peapv1 wired
clientassoc_dot1x_wpa_peapv1_wired: Wired view of WPA PEAPv1: client associates, AP-AP DTLS relays PEAP EAP, and 4-way EAPOL Key handshake completes (TKIP) before data flows.
🎞️
clientassoc dot1x wpa peapv1 wlan
clientassoc_dot1x_wpa_peapv1_wlan: WLAN WPA PEAPv1: iPhone probes, auths, associates, completes PEAPv1 via Action frames then 4-way EAPOL Key handshake and data.
🎞️
roam interL2 dot1x basic wired
Inter-controller L2 roam with basic 802.1X: wired capture of CAPWAP control/data and RADIUS EAP exchange; full reauth successful with no FT key caching.
🎞️
roam interL2 dot1x basic wlan
Over-the-air inter-AP L2 roam with basic 802.1X: Open Auth, Reassociation Response Successful, then full 4-way EAPOL key handshake after EAP reauth.
🎞️
roam interL2 dot1x ft ota wired
Inter-controller L2 roam with 802.11r FT over-the-air, wired side: CAPWAP exchange and PMK-R1 distribution; no full RADIUS round-trip required thanks to FT.
🎞️
roam interL2 dot1x ft ota wlan
Over-the-air 802.11r FT (OTA) inter-AP L2 roam: FT Auth algorithm in Auth frames followed by Reassociation Successful — no EAPOL 4-way after roam.
🎞️
roam interL2 dot1x ft otds wired
Inter-controller L2 roam with 802.11r FT over-the-DS: wired CAPWAP and FT Action frames exchanged between APs via the distribution system.
🎞️
roam interL2 dot1x ft otds wlan
Over-the-air 802.11r FT (OTDS) L2 roam: client sends FT Action Request through current AP, receives Reassociation Successful at target AP.
🎞️
roam interL3 dot1x basic wired
Inter-controller L3 roam with basic 802.1X, wired: CAPWAP plus mobility anchor/foreign EoIP tunnel between WLCs; full RADIUS EAP reauth.
🎞️
roam interL3 dot1x basic wlan
Over-the-air L3 roam with basic 802.1X: Open Auth, Reassociation Successful, full EAP/EAPOL handshake; client traffic tunneled back to anchor WLC.
🎞️
roam interL3 dot1x ft ota wired
Inter-controller L3 roam with 802.11r FT over-the-air, wired: CAPWAP and mobility tunnel setup; PMK-R1 cached so no full RADIUS reauth.
🎞️
roam interL3 dot1x ft ota wlan
Over-the-air 802.11r FT (OTA) L3 roam: FT Auth frames then Reassociation Successful; subsequent traffic tunneled to anchor WLC via EoIP.
🎞️
roam interL3 dot1x ft otds wired
Inter-controller L3 roam with 802.11r FT over-the-DS, wired: FT Action frames and CAPWAP mobility tunnel; no full EAP round-trip.
🎞️
roam interL3 dot1x ft otds wlan
Over-the-air 802.11r FT (OTDS) L3 roam: FT Action Request via current AP, Reassociation Successful at target — fast roam across subnets.
🎞️
roam intra wpa2dot1x ft ota wired
Intra-WLC WPA2-Enterprise 802.11r FT over-the-air, wired: CAPWAP exchange; PMK-R1 delivered to target AP for fast reauth.
🎞️
roam intra wpa2dot1x ft ota wlan
Over-the-air intra-WLC WPA2-Enterprise FT (OTA) roam: FT Auth frames then Reassociation Successful — no RADIUS round-trip.
🎞️
roam intra wpa2dot1x ft otds wired
Intra-WLC WPA2-Enterprise FT over-the-DS roam, wired: FT Action frames routed through DS; fast roam without full EAP.
🎞️
roam intra wpa2dot1x ft otds wlan
Over-the-air intra-WLC WPA2-Enterprise FT (OTDS) roam: FT Action Request via current AP, Reassociation Successful at target — optimized for voice.
🎞️
roam intra wpa2dot1x wired
Intra-WLC WPA2-Enterprise roam without FT, wired: CAPWAP exchange and full RADIUS EAP reauth round-trip.
🎞️
roam intra wpa2dot1x wlan
Over-the-air intra-WLC WPA2-Enterprise roam: Open Auth, Reassociation Successful, full EAP/EAPOL 4-way handshake — slower roam.
📂
flex
4
🎞️
flex centralsw dot1x peap wired
flex_centralsw_dot1x_peap_wired: FlexConnect central-switching 802.1X/PEAP (wired view): iPhone associates via Client C (AP), AP-AP DTLS carries EAP, 4-way EAPOL Key completes, data flows to Server B.
🎞️
flex centralsw joindata wired
flex_centralsw_joindata_wired: FlexConnect central-switching join/data: iPhone associates via Client C AP; AP-AP DTLS tunnel carries client data to broadcast and Server B.
🎞️
flex localsw dot1x peap wired
flex_localsw_dot1x_peap_wired: FlexConnect local-switching 802.1X/PEAP (wired view): client associates locally, 4-way EAPOL Key completes, then DHCP Request and WLC-WLC ICMP keepalives.
🎞️
flex localsw joindata wired
flex_localsw_joindata_wired: FlexConnect local-switching join/data: client DHCP Request answered by WLC G, followed by ICMP Echo Request/Reply keepalives between WLC G and H.
📂
guest-anchor
8
🎞️
guest anchor data wlan
guest_anchor_data_wlan: Guest anchor WLAN data: only bidirectional QoS Data frames to/from the iPhone client captured over the anchor tunnel.
🎞️
guest anchor dhcp fail wired2
guest_anchor_dhcp_fail_wired2: Guest-anchor wired view where DHCP never completes: iPhone associates via AP 1b but only broadcasts Data (no DHCP Offer), indicating DHCP failure on the anchor.
🎞️
guest anchor dhcp fail wlan2
guest_anchor_dhcp_fail_wlan2: Guest-anchor WLAN side of DHCP failure: client associates and runs 4-way EAPOL Key, but anchor AP 1b later Deauthenticates because DHCP did not complete.
🎞️
guest anchor eoip data wired
guest_anchor_eoip_data_wired: Guest anchor EoIP tunnel: WLC C and WLC D exchange ICMP Echo Req/Reply across the EoIP tunnel while iPhone client data traverses the anchor.
🎞️
guest anchor newmob data wired
guest_anchor_newmob_data_wired: Guest-anchor new-mobility data: only bidirectional Data frames to/from iPhone client captured over the new-mobility anchor tunnel.
🎞️
guest anchor newmob half encr data wired
guest_anchor_newmob_half_encr_data_wired: Guest-anchor new-mobility half-encrypted data: only the AP-to-AP DTLS Application Data frames captured, showing the CAPWAP control plane.
🎞️
guest anchor webauth wired
guest_anchor_webauth_wired: Guest-anchor web-auth wired flow: AP-AP DTLS, WLC-to-WLC TCP handshakes, redirects and TCP resets as the client is web-authenticated via the anchor WLC.
🎞️
guest anchor webpassthru wired
guest_anchor_webpassthru_wired: Guest-anchor web-passthrough wired flow: AP associates, client DHCP Discover/Offer/Request/ACK through the anchor, then TCP sessions and ICMP Type 3 indicate redirect path.
📂
interop
2
🎞️
interop 11b 11g wlan
interop_11b_11g_wlan: 802.11b/g interop: Client K beacons, iPhone uses Null function power-save frames and exchanges QoS Data with the server showing mixed-rate BSS.
🎞️
interop 11g 11n wlan
interop_11g_11n_wlan: 802.11g/n interop: multiple APs emit Beacons with varying HT capabilities while iPhone exchanges QoS Data with Server E across the mixed-rate BSS.
📂
intra-controller
1
🎞️
roam intra dot11k actions
Intra-WLC roam leveraging 802.11k: client Probe, Open Auth Successful, Association Successful, then Radio Measurement Action Neighbor Report Request/Response for AP list.
📂
ipv4
6
🎞️
capwap-discovery ipv4 broadcast
capwap-discovery_ipv4_broadcast: AP gets IP via DHCP, broadcasts CAPWAP Discovery Request, WLC responds with CAPWAP Discovery Response, then DTLS handshake establishes the CAPWAP tunnel.
🎞️
capwap-discovery ipv4 dhcp-opt43
capwap-discovery_ipv4_dhcp-opt43: AP obtains IP with DHCP option 43 (controller list), resolves DNS, sends CAPWAP Discovery Requests to WLC and completes DTLS handshake to join.
🎞️
capwap-discovery ipv4 dns
capwap-discovery_ipv4_dns: AP gets DHCP lease, uses DNS (CISCO-CAPWAP-CONTROLLER) to find WLC, exchanges CAPWAP Discovery Request/Response, then completes DTLS handshake.
🎞️
capwap-discovery ipv4 failed
capwap-discovery_ipv4_failed: AP completes DHCP, sends many DNS Queries and CAPWAP Discovery Requests to broadcast but receives no WLC response, then DHCP Releases and retries (discovery failure).
🎞️
capwap-discovery ipv4 ip-helper
capwap-discovery_ipv4_ip-helper: AP uses DHCP plus broadcast CAPWAP Discovery Requests forwarded by ip-helper; AP wired A (WLC) replies with Discovery Response and DTLS handshake follows.
🎞️
capwap-discovery ipv4 primed
capwap-discovery_ipv4_primed: Primed AP (pre-configured WLC) sends unicast and broadcast CAPWAP Discovery Requests; WLC responds and DTLS handshake joins the AP.
📂
ipv6
5
🎞️
capwap-discovery ipv6 dhcp-opt52
capwap-discovery_ipv6_dhcp-opt52: IPv6 AP only emits DHCP Discover frames (shown as broadcast) using DHCPv6 option 52 for CAPWAP controller address; no controller response in trace.
🎞️
capwap-discovery ipv6 dns
capwap-discovery_ipv6_dns: IPv6 CAPWAP discovery via DNS variant; only DHCP Discover broadcasts captured, no controller reply or DTLS present in this slice.
🎞️
capwap-discovery ipv6 failed
capwap-discovery_ipv6_failed: IPv6 CAPWAP discovery failure: AP issues repeated DHCP Discover broadcasts with no successful DHCP lease or controller discovery response.
🎞️
capwap-discovery ipv6 localmcast
capwap-discovery_ipv6_localmcast: IPv6 CAPWAP discovery using link-local multicast (IPv6 All Nodes) alongside DHCP Discover broadcasts from the AP.
🎞️
capwap-discovery ipv6 primed
capwap-discovery_ipv6_primed: IPv6 primed AP: only DHCP Discover broadcasts observed in the capture, CAPWAP controller already seeded but no reply in this slice.
📂
lg-nexus5x
10
🎞️
qos marking lgnexus5x alloy wired
Wired WLC egress DSCP values for LG Nexus 5X under 'alloy' QoS profile, verifying UP-to-DSCP mapping.
🎞️
qos marking lgnexus5x alloy wlan
Over-the-air 802.11 QoS Data from LG Nexus 5X under 'alloy' profile; WMM TID shows upstream client marking.
🎞️
qos marking lgnexus5x bronze wired
LG Nexus 5X wired DSCP capture under 'bronze' QoS profile on WLC egress.
🎞️
qos marking lgnexus5x bronze wlan
802.11 QoS Data from LG Nexus 5X under 'bronze' profile with WMM UP/TID captured over-the-air.
🎞️
qos marking lgnexus5x gold wired
Wired capture of LG Nexus 5X DSCP under 'gold' QoS profile verifying video-class mapping.
🎞️
qos marking lgnexus5x gold wlan
Over-the-air QoS Data from LG Nexus 5X under 'gold' profile; WMM access-category shows video-grade upstream marking.
🎞️
qos marking lgnexus5x platinum wired
Wired DSCP for LG Nexus 5X 'platinum' profile verifying voice-class (EF) marking on WLC egress.
🎞️
qos marking lgnexus5x platinum wlan
802.11 QoS Data from LG Nexus 5X under 'platinum' profile with voice TID/priority captured over-the-air.
🎞️
qos marking lgnexus5x silver wired
Wired WLC egress DSCP for LG Nexus 5X under 'silver' QoS profile, validating policy.
🎞️
qos marking lgnexus5x silver wlan
Over-the-air QoS Data from LG Nexus 5X 'silver' profile; WMM TID values document upstream client marking.
📂
mesh
7
🎞️
mesh data remotewap wired
mesh_data_remotewap_wired: Wired view of mesh data via remote WAP: multiple AP-AP DTLS CAPWAP tunnels carry the client traffic between mesh APs, with client probe and data frames.
🎞️
mesh data remotewap wlan
mesh_data_remotewap_wlan: WLAN mesh data via remote WAP: a few QoS Data frames and a broadcast Data frame from AP 2b illustrate mesh backhaul data forwarding.
🎞️
mesh data wired
mesh_data_wired: Wired view of mesh data: multiple AP-AP DTLS CAPWAP tunnels between mesh APs, DNS Queries, and WLC B pings AP wired F confirming mesh reachability via ICMP Echo.
🎞️
mesh data wlan
mesh_data_wlan: WLAN mesh data: two QoS Data frames with unresolved endpoints plus a Beacon from Client AY, a minimal sample of mesh backhaul WLAN traffic.
🎞️
mesh mapdown wlan
Mesh AP (MAP) teardown captured over-the-air: broadcast data frame from Cisco AP advertises link-down; no reassociation follows, indicating the mesh child AP detached from its parent.
🎞️
mesh mapjoin wired
Wired CAPWAP join of a mesh AP to its WLC: DHCP Discover/Offer/Request/ACK for AP address, CAPWAP Discovery Request/Response, then DTLS Handshake setting up the secure control tunnel.
🎞️
mesh mapjoin wlan
Over-the-air mesh MAP join to parent RAP: beacons, probe/authentication handshakes and 802.11 data frames show the child mesh AP discovering and linking to the root access point.
📂
misc
6
🎞️
beamform poll
beamform_poll: Empty ndjson (0 events) for the 802.11 beamforming poll capture; no decoded frames present in the sequence.
🎞️
ccx client linktest wlan
ccx_client_linktest_wlan: CCX link test on WLAN: AP beacons, then Client A and AP exchange bidirectional QoS Data frames used to measure link quality.
🎞️
ccx client request wlan
ccx_client_request_wlan: CCX client request exchange: AP beacon followed by QoS Data between AP and Client A carrying CCX management measurement requests.
🎞️
ccx mfp wlan
ccx_mfp_wlan: CCX/Management Frame Protection: Client A associates (probe, auth, assoc), runs 4-way EAPOL Key, then AP sends MFP-protected Beacons before a Disassociate.
🎞️
dot11w pmf wlan
dot11w_pmf_wlan: 802.11w PMF: client associates, runs 4-way EAPOL Key handshake with protected management frames; later probe triggers a protected Disassociate.
🎞️
ps poll
802.11 power-save exchange: iPhone client probes and authenticates to Cisco AP, reassociates successfully, then toggles Null-function 'STA will stay up' frames and exchanges QoS Data / Block Ack action frames.
📂
psk-open
36
🎞️
clientassoc no matching rates wlan
clientassoc_no_matching_rates_wlan: Association fails because BSS and client have no matching basic rates: only Beacon and repeated Probe Request/Response pairs are seen, no Auth or Assoc.
🎞️
clientassoc open wlan
clientassoc_open_wlan: Open-system WLAN association: iPhone probes, 802.11 open-authenticates, receives Association Response, then sends a Null function (power-save) frame.
🎞️
clientassoc unsupported algorithm fail wlan
clientassoc_unsupported_algorithm_fail_wlan: Repeated 802.11 Authentication and Association Requests never complete because the AP rejects the unsupported auth algorithm requested by the client.
🎞️
clientassoc wep fail wlan
clientassoc_wep_fail_wlan: WEP shared-key authentication failure: client and AP exchange multiple Authentication frames (challenge/response) but AP never returns a successful Association Response.
🎞️
clientassoc wep wlan
clientassoc_wep_wlan: WEP shared-key success: iPhone completes 4-message WEP Authentication challenge, receives Association Response, then sends QoS Data frames.
🎞️
clientassoc wpa2psk fail wlan
clientassoc_wpa2psk_fail_wlan: WPA2-PSK failure: client associates but 4-way EAPOL Key handshake fails (wrong PSK); AP finally sends Deauthentication.
🎞️
clientassoc wpa2psk wlan
clientassoc_wpa2psk_wlan: WPA2-PSK success: iPhone authenticates, associates, runs a clean 4-way EAPOL Key handshake, then transmits QoS Data.
🎞️
clientassoc wpapsk fail wlan
clientassoc_wpapsk_fail_wlan: WPA-PSK failure: iPhone associates but 4-way EAPOL Key handshake fails (MIC mismatch), AP ends with a Deauthentication.
🎞️
clientassoc wpapsk wlan
clientassoc_wpapsk_wlan: WPA-PSK success: iPhone authenticates, associates, completes 4-way EAPOL Key handshake (TKIP) then exchanges QoS Data frames.
🎞️
roam interL2 open wired
Inter-controller L2 roam with open authentication, wired side: CAPWAP mobility exchange, no EAPOL or RADIUS since SSID is open.
🎞️
roam interL2 open wlan
Over-the-air open-auth L2 roam: Open System Authentication Successful, Reassociation Response Successful, then immediate data traffic — no key handshake.
🎞️
roam interL2 wep wired
Inter-controller L2 roam with WEP encryption, wired: CAPWAP mobility exchange; WEP uses static keys so no EAPOL handshake needed.
🎞️
roam interL2 wep wlan
Over-the-air WEP L2 roam: Open System Auth Successful and Reassociation Successful; WEP static key reused across roam, no 4-way handshake.
🎞️
roam interL2 wpa2psk ft ota wired
Inter-controller L2 roam with WPA2-PSK and 802.11r FT over-the-air, wired: CAPWAP exchange; no full 4-way handshake thanks to FT PMK-R1.
🎞️
roam interL2 wpa2psk ft ota wlan
Over-the-air WPA2-PSK FT (OTA) L2 roam: FT Auth Request/Response carry MIC/RSNIE, Reassociation Successful — no 4-way EAPOL post-roam.
🎞️
roam interL2 wpa2psk ft otds wired
Inter-controller WPA2-PSK FT over-the-DS L2 roam, wired: FT Action frames tunneled through distribution system between current and target APs.
🎞️
roam interL2 wpa2psk ft otds wlan
Over-the-air WPA2-PSK FT (OTDS) L2 roam: client sends FT Action Request via current AP, gets Reassociation Successful at target AP — fast roam.
🎞️
roam interL2 wpa2psk wired
Inter-controller L2 roam with plain WPA2-PSK (no FT), wired: CAPWAP mobility exchange triggering full EAPOL 4-way handshake on the WLAN.
🎞️
roam interL2 wpa2psk wlan
Over-the-air WPA2-PSK L2 roam without FT: Open Auth, Reassociation Successful, then full 4-way EAPOL key handshake before data resumes.
🎞️
roam interL3 open wired
Inter-controller L3 roam with open auth, wired: CAPWAP plus mobility tunnel between anchor/foreign WLCs for the client session.
🎞️
roam interL3 open wlan
Over-the-air open-auth L3 roam: Open Auth Successful and Reassociation Successful; no keys needed, client traffic tunneled to anchor WLC.
🎞️
roam interL3 wep wired
Inter-controller L3 roam with WEP, wired: CAPWAP plus EoIP mobility tunnel; static WEP keys reused, no key handshake.
🎞️
roam interL3 wep wlan
Over-the-air WEP L3 roam: Open Auth Successful, Reassociation Successful; encrypted data tunneled back via mobility anchor.
🎞️
roam interL3 wpa2psk ft ota wired
Inter-controller L3 roam WPA2-PSK with 802.11r FT over-the-air, wired: CAPWAP and mobility anchor tunnel; FT avoids full 4-way handshake.
🎞️
roam interL3 wpa2psk ft ota wlan
Over-the-air WPA2-PSK FT (OTA) L3 roam: FT Auth exchange and Reassociation Successful; no full EAPOL handshake required.
🎞️
roam interL3 wpa2psk ft otds wired
Inter-controller WPA2-PSK FT over-the-DS L3 roam, wired: FT Action frames via DS and CAPWAP mobility tunnel between WLCs.
🎞️
roam interL3 wpa2psk ft otds wlan
Over-the-air WPA2-PSK FT (OTDS) L3 roam: client FT Action Request through current AP, Reassociation Successful at target AP — fast roam.
🎞️
roam interL3 wpa2psk wired
Inter-controller L3 roam with plain WPA2-PSK, wired: CAPWAP plus mobility tunnel; full 4-way EAPOL handshake on WLAN triggers re-keying.
🎞️
roam interL3 wpa2psk wlan
Over-the-air WPA2-PSK L3 roam without FT: Open Auth, Reassociation Successful, full 4-way EAPOL key handshake, then tunneled traffic.
🎞️
roam intra open
Intra-controller roam with open auth: Probe, Open Auth Successful, Reassociation Successful — clean handoff between APs sharing one WLC.
🎞️
roam intra wep
Intra-controller roam with WEP: Open Auth Successful and Reassociation Successful; static key reused so no EAPOL handshake follows.
🎞️
roam intra wpa2psk
Intra-WLC roam with WPA2-PSK (no FT): Probe, Open Auth Successful, Reassociation Successful, then full 4-way EAPOL key handshake.
🎞️
roam intra wpa2psk ft ota wired
Intra-WLC WPA2-PSK 802.11r FT over-the-air, wired: CAPWAP control; FT PMK-R1 keying avoids 4-way handshake on WLAN.
🎞️
roam intra wpa2psk ft ota wlan
Over-the-air intra-WLC WPA2-PSK FT (OTA) roam: FT Auth Request/Response and Reassociation Successful — fast roam, no EAPOL 4-way.
🎞️
roam intra wpa2psk ft otds wired
Intra-WLC WPA2-PSK FT over-the-DS roam, wired: FT Action frames over DS plus CAPWAP updates — fast secure handoff.
🎞️
roam intra wpa2psk ft otds wlan
Over-the-air intra-WLC WPA2-PSK FT (OTDS) roam: client FT Action Request via current AP, Reassociation Successful at target AP.
📂
roaming
2
🎞️
qos roaming eoip wired
Wired QoS roaming scenario over EoIP mobility tunnel between WLCs; ICMP Echo Request/Reply pairs validate reachability and DSCP preservation across the mobility tunnel.
🎞️
qos roaming eoip wlan
Over-the-air companion to the EoIP roaming test: 802.11 data frames on the BSS during an inter-WLC roam carried via EoIP mobility tunnel.
📂
rogue
5
🎞️
rogue assoc wired
Wired view of a client associating to a rogue AP: no CAPWAP seen for the rogue BSS, confirming the AP is not managed by the WLC.
🎞️
rogue assoc wlan
Over-the-air rogue association: client probes, Open Auth Successful, Association Response Successful to rogue AP MAC 34:a8:4e:d2:bf:10, then data flows.
🎞️
rogue detector wired
Wired rogue-detector AP scenario: AP forwards rogue client MAC/ARP observations back to the WLC over CAPWAP so the controller can classify the rogue.
🎞️
rogue test and contain wired
Rogue containment on wired side: WLC instructs trusted AP via CAPWAP to transmit spoofed deauth/disassoc frames against the rogue AP and its clients.
🎞️
rogue test and contain wlan
Over-the-air rogue containment: trusted AP transmits spoofed Deauthentication/Disassociation frames to disrupt clients associated with the rogue BSS.
📂
samsung-note5
10
🎞️
qos marking samsungnote5 alloy wired
Samsung Note 5 wired DSCP capture under 'alloy' QoS profile on WLC egress verifying UP-to-DSCP mapping.
🎞️
qos marking samsungnote5 alloy wlan
Over-the-air 802.11 QoS Data from Samsung Note 5 under 'alloy' profile; WMM TID shows upstream marking.
🎞️
qos marking samsungnote5 bronze wired
Wired DSCP capture for Samsung Note 5 under 'bronze' QoS profile validating WLC QoS remap.
🎞️
qos marking samsungnote5 bronze wlan
802.11 QoS Data from Samsung Note 5 under 'bronze' profile; TID/priority captured over-the-air.
🎞️
qos marking samsungnote5 gold wired
Samsung Note 5 wired DSCP values under 'gold' QoS profile verifying video-class mapping.
🎞️
qos marking samsungnote5 gold wlan
Over-the-air QoS Data from Samsung Note 5 'gold' profile with WMM video-access-category markings.
🎞️
qos marking samsungnote5 platinum wired
Wired DSCP capture for Samsung Note 5 'platinum' voice profile verifying EF voice-class on WLC egress.
🎞️
qos marking samsungnote5 platinum wlan
802.11 QoS Data from Samsung Note 5 under 'platinum' profile with voice TID captured over-the-air.
🎞️
qos marking samsungnote5 silver wired
Wired WLC egress DSCP for Samsung Note 5 'silver' QoS profile validating UP-to-DSCP policy.
🎞️
qos marking samsungnote5 silver wlan
Over-the-air QoS Data from Samsung Note 5 'silver' profile; WMM UP/TID document client upstream marking.
📂
stateless-ha
3
🎞️
stateless ha n1
Stateless N+1 HA between WLCs: ICMP Echo Request/Reply keepalives between WLC C and WLC D plus 802.11 data frames on the BSS — standby WLC monitors active.
🎞️
stateless ha nn
Stateless N:N HA between peer WLCs: mutual ICMP keepalive pairs between multiple controllers, each backing up a portion of the other's APs.
🎞️
stateless ha nn1
Stateless N+N:1 HA: ICMP keepalives among multiple active WLCs plus one common standby; Echo Replies validate standby reachability for failover.
📂
uwgb
10
🎞️
bridge uwgb cckm peap wired
bridge_uwgb_cckm_peap_wired: Wired side of uWGB CCKM/PEAP bridging: AP-to-AP DTLS CAPWAP tunnel carries client Assoc Req/Resp and 4-way EAPOL Key handshake for Client A.
🎞️
bridge uwgb cckm peap wlan
bridge_uwgb_cckm_peap_wlan: WLAN side of uWGB CCKM/PEAP: Client A probes, authenticates and associates to Cisco AP 1, then completes a 4-way EAPOL Key handshake for CCKM keys.
🎞️
bridge uwgb dot1x peap wired
bridge_uwgb_dot1x_peap_wired: Wired view of uWGB 802.1X/PEAP: AP-to-AP DTLS tunnel transports client association and EAPOL Key 4-way handshake between Client A and the AP.
🎞️
bridge uwgb dot1x peap wlan
bridge_uwgb_dot1x_peap_wlan: WLAN view of uWGB 802.1X/PEAP: Client A probes, 802.11 authenticates, associates, then 4-way EAPOL Key handshake installs PTK/GTK.
🎞️
bridge uwgb open wired
bridge_uwgb_open_wired: Wired side of uWGB open-auth bridge: Client A associates (Assoc Req/Resp) while the AP-AP DTLS tunnel carries encapsulated traffic.
🎞️
bridge uwgb open wlan
bridge_uwgb_open_wlan: WLAN side of uWGB open authentication: Client A probes, receives Probe Response and Beacon, 802.11 open-authenticates and associates to the AP.
🎞️
bridge uwgb opendata wired
bridge_uwgb_opendata_wired: Wired path for uWGB open-auth data: DHCP Discover/Offer/Request/ACK via WLC, client data through AP, with ICMP keepalives between WLCs.
🎞️
bridge uwgb opendata wlan
bridge_uwgb_opendata_wlan: WLAN open-auth data: Client A sends QoS Data to the broadcast address and unicast via the AP, showing post-association data forwarding.
🎞️
bridge uwgb wpa2psk wired
bridge_uwgb_wpa2psk_wired: Wired trace of uWGB WPA2-PSK: AP-AP DTLS CAPWAP tunnel carries Client A's Association exchange and 4-way EAPOL Key handshake.
🎞️
bridge uwgb wpa2psk wlan
bridge_uwgb_wpa2psk_wlan: WLAN WPA2-PSK association: Client A probes, open-authenticates, associates, then completes the 4-way EAPOL Key handshake to derive PTK/GTK.
📂
wgb
10
🎞️
bridge wgb cckm peap wired
bridge_wgb_cckm_peap_wired: Wired path for WGB CCKM/PEAP: AP-AP DTLS tunnel while Client B associates and finishes 4-way EAPOL Key handshake under CCKM fast roam.
🎞️
bridge wgb cckm peap wlan
bridge_wgb_cckm_peap_wlan: WLAN view of WGB CCKM/PEAP: Client B probes, authenticates, associates to AP and completes 4-way EAPOL Key handshake for CCKM.
🎞️
bridge wgb dot1x peap wired
bridge_wgb_dot1x_peap_wired: Wired side of WGB 802.1X/PEAP: AP-AP DTLS tunnel, Client B associates to Cisco AP 1, then 4-way EAPOL Key handshake installs keys.
🎞️
bridge wgb dot1x peap wlan
bridge_wgb_dot1x_peap_wlan: WLAN view of WGB 802.1X/PEAP: Client B probes, authenticates, associates and runs 4-way EAPOL Key handshake after EAP-PEAP success.
🎞️
bridge wgb open wired
bridge_wgb_open_wired: Wired view of WGB open-auth: Client B associates to AP and AP-AP DTLS tunnel forwards encapsulated data frames.
🎞️
bridge wgb open wlan
bridge_wgb_open_wlan: WLAN open-auth WGB: Client B probes, 802.11 authenticates, and associates to Cisco AP 1, then exchanges QoS Data.
🎞️
bridge wgb opendata wired
bridge_wgb_opendata_wired: Wired open-auth WGB data: clients broadcast then DHCP Request/ACK through WLC, data relayed via AP, with ICMP WLC-to-WLC keepalives.
🎞️
bridge wgb opendata wlan
bridge_wgb_opendata_wlan: WLAN open-auth WGB data: Clients A and B send QoS Data frames via the AP to broadcast and unicast destinations.
🎞️
bridge wgb wpa2psk wired
bridge_wgb_wpa2psk_wired: Wired view of WGB WPA2-PSK: AP-AP DTLS tunnel while Client B associates and completes 4-way EAPOL Key handshake.
🎞️
bridge wgb wpa2psk wlan
bridge_wgb_wpa2psk_wlan: WLAN WPA2-PSK WGB: Client B probes, authenticates, associates, then runs multiple EAPOL Key exchanges (4-way + group key) with the AP.
🧠
SDN & Programmability
6
🔷
OpenFlow
SDN
6
🎞️
openflow ovs flow arp
OpenFlow controller programs Open vSwitch with flow rules, then an ARP packet-in/packet-out round trip demonstrates reactive handling of ARP traffic.
🎞️
openflow ovs flow cdp
OpenFlow controller and Open vSwitch exchange flow-mod and packet-in messages handling a CDP frame punted from the data plane.
🎞️
openflow ovs flow ospfv3
OpenFlow controller installs flows on Open vSwitch and processes OSPFv3 traffic via packet-in and packet-out, exercising IPv6 OSPF handling.
🎞️
openflow ovs init complex
Complex OpenFlow channel initialization between controller and Open vSwitch: Hello, Features Request/Reply, Set Config, multipart description and flow programming.
🎞️
openflow ovs init simple
Simple OpenFlow channel initialization between controller and Open vSwitch: Hello exchange, Features Request/Reply, and basic Set Config.
🎞️
openflow ovs port stats
OpenFlow multipart port statistics request/reply exchange between controller and Open vSwitch, retrieving per-port counters.
No captures match your filter.
Select a capture from the tree to view its sequence diagram.
Use ↑/↓ to navigate, ←/→ to collapse/expand, Enter to open.