Network

A network event.

JSON representation
{"sentBytes":string,"receivedBytes":string,"totalBytes":string,"sentPackets":string,"receivedPackets":string,"sessionDuration":string,"sessionId":string,"parentSessionId":string,"applicationProtocolVersion":string,"communityId":string,"direction":enum (Direction),"ipProtocol":enum (IpProtocol),"ipv6":boolean,"applicationProtocol":enum (ApplicationProtocol),"ftp":{object (Ftp)},"email":{object (Email)},"dns":{object (Dns)},"dhcp":{object (Dhcp)},"http":{object (Http)},"tls":{object (Tls)},"smtp":{object (Smtp)},"asn":string,"dnsDomain":string,"carrierName":string,"organizationName":string,"ipSubnetRange":string,"isProxy":boolean,"proxyInfo":{object (ProxyInfo)},"connectionState":enum (ConnectionState)}
Fields
sentBytes

string

The number of bytes sent.

receivedBytes

string

The number of bytes received.

totalBytes

string (int64 format)

The number of total bytes.

sentPackets

string (int64 format)

The number of packets sent.

receivedPackets

string (int64 format)

The number of packets received.

sessionDuration

string (Duration format)

The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer.

A duration in seconds with up to nine fractional digits, ending with 's'. Example:"3.5s".

sessionId

string

The ID of the network session.

parentSessionId

string

The ID of the parent network session.

applicationProtocolVersion

string

The version of the application protocol. e.g. "1.1, 2.0"

communityId

string

Community ID network flow value.

direction

enum (Direction)

The direction of network traffic.

ipProtocol

enum (IpProtocol)

The IP protocol.

ipv6

boolean

True if IPv6 is used.

applicationProtocol

enum (ApplicationProtocol)

The application protocol.

ftp

object (Ftp)

FTP info.

email

object (Email)

Email info for the sender/recipient.

dns

object (Dns)

DNS info.

dhcp

object (Dhcp)

DHCP info.

http

object (Http)

HTTP info.

tls

object (Tls)

TLS info.

smtp

object (Smtp)

SMTP info. Store fields specific to SMTP not covered by Email.

asn

string

Autonomous system number.

dnsDomain

string

DNS domain name.

carrierName

string

Carrier identification.

organizationName

string

Organization name (e.g Google).

ipSubnetRange

string

Associated human-readable IP subnet range (e.g. 10.1.2.0/24).

isProxy

boolean

Whether the IP address is a known proxy.

proxyInfo

object (ProxyInfo)

Proxy information. Only set if isProxy is true.

connectionState

enum (ConnectionState)

The state of the network connection.

Ftp

FTP info.

JSON representation
{"command":string}
Fields
command

string

The FTP command.

Email

Email info.

JSON representation
{"from":string,"replyTo":string,"to":[string],"cc":[string],"bcc":[string],"mailId":string,"subject":[string],"bounceAddress":string}
Fields
from

string

The 'from' address.

replyTo

string

The 'reply to' address.

to[]

string

A list of 'to' addresses.

cc[]

string

A list of 'cc' addresses.

bcc[]

string

A list of 'bcc' addresses.

mailId

string

The mail (or message) ID.

subject[]

string

The subject line(s) of the email.

bounceAddress

string

The envelope from address.https://en.wikipedia.org/wiki/Bounce_address

Dns

DNS information.

JSON representation
{"id":integer,"response":boolean,"opcode":integer,"authoritative":boolean,"truncated":boolean,"recursionDesired":boolean,"recursionAvailable":boolean,"responseCode":integer,"questions":[{object (Question)}],"answers":[{object (ResourceRecord)}],"authority":[{object (ResourceRecord)}],"additional":[{object (ResourceRecord)}]}
Fields
id

integer (uint32 format)

DNS query id.

response

boolean

Set to true if the event is a DNS response. See QR field from RFC1035.

opcode

integer (uint32 format)

The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).

authoritative

boolean

Other DNS header flags. See RFC1035, section 4.1.1.

truncated

boolean

Whether the DNS response was truncated.

recursionDesired

boolean

Whether a recursive DNS lookup is desired.

recursionAvailable

boolean

Whether a recursive DNS lookup is available.

responseCode

integer (uint32 format)

Response code. See RCODE from RFC1035.

questions[]

object (Question)

A list of domain protocol message questions.

answers[]

object (ResourceRecord)

A list of answers to the domain name query.

authority[]

object (ResourceRecord)

A list of domain name servers which verified the answers to the domain name queries.

additional[]

object (ResourceRecord)

A list of additional domain name servers that can be used to verify the answer to the domain.

Question

DNS Questions. See RFC1035, section 4.1.2.

JSON representation
{"name":string,"type":integer,"class":integer,"prevalence":{object (Prevalence)}}
Fields
name

string

The domain name.

type

integer (uint32 format)

The code specifying the type of the query.

class

integer (uint32 format)

The code specifying the class of the query.

prevalence

object (Prevalence)

The prevalence of the domain within the customer's environment.

ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

JSON representation
{"name":string,"type":integer,"class":integer,"ttl":integer,"data":string,"binaryData":string}
Fields
name

string

The name of the owner of the resource record.

type

integer (uint32 format)

The code specifying the type of the resource record.

class

integer (uint32 format)

The code specifying the class of the resource record.

ttl

integer (uint32 format)

The time interval for which the resource record can be cached before the source of the information should again be queried.

data

string

The payload or response to the DNS question for all responses encoded in UTF-8 format

binaryData

string (bytes format)

The raw bytes of any non-UTF8 strings that might be included as part of a DNS response.

A base64-encoded string.

Dhcp

DHCP information.

JSON representation
{"opcode":enum (OpCode),"htype":integer,"hlen":integer,"hops":integer,"transactionId":integer,"seconds":integer,"flags":integer,"ciaddr":string,"yiaddr":string,"siaddr":string,"giaddr":string,"chaddr":string,"sname":string,"file":string,"options":[{object (Option)}],"type":enum (MessageType),"leaseTimeSeconds":integer,"clientHostname":string,"clientIdentifier":string,"requestedAddress":string,"clientIdentifierString":string}
Fields
opcode

enum (OpCode)

The BOOTP op code.

htype

integer (uint32 format)

Hardware address type.

hlen

integer (uint32 format)

Hardware address length.

hops

integer (uint32 format)

Hardware ops.

transactionId

integer (uint32 format)

Transaction ID.

seconds

integer (uint32 format)

Seconds elapsed since client began address acquisition/renewal process.

flags

integer (uint32 format)

Flags.

ciaddr

string

Client IP address (ciaddr).

yiaddr

string

Your IP address (yiaddr).

siaddr

string

IP address of the next bootstrap server.

giaddr

string

Relay agent IP address (giaddr).

chaddr

string

Client hardware address (chaddr).

sname

string

Server name that the client wishes to boot from.

file

string

Boot image filename.

options[]

object (Option)

List of DHCP options.

type

enum (MessageType)

DHCP message type.

leaseTimeSeconds

integer (uint32 format)

Lease time in seconds. See RFC2132, section 9.2.

clientHostname

string

Client hostname. See RFC2132, section 3.14.

clientIdentifier

string (bytes format)

Client identifier. See RFC2132, section 9.14. Note: Make sure to update the clientIdentifierString field as well if you update this field.

A base64-encoded string.

requestedAddress

string

Requested IP address. See RFC2132, section 9.1.

clientIdentifierString

string

Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the clientIdentifier.

Option

DHCP options.

JSON representation
{"code":integer,"data":string}
Fields
code

integer (uint32 format)

Code. See RFC1533.

data

string (bytes format)

Data.

A base64-encoded string.

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

JSON representation
{"method":string,"referralUrl":string,"userAgent":string,"responseCode":integer,"parsedUserAgent":{object (UserAgentProto)}}
Fields
method

string

The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").

referralUrl

string

The URL for the HTTP referer.

userAgent

string

The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.

responseCode

integer

The response status code, for example 200, 302, 404, or 500.

parsedUserAgent

object (UserAgentProto)

The parsed userAgent string.

Tls

Transport Layer Security (TLS) information.

JSON representation
{"client":{object (Client)},"server":{object (Server)},"cipher":string,"curve":string,"version":string,"versionProtocol":string,"established":boolean,"nextProtocol":string,"resumed":boolean}
Fields
client

object (Client)

Certificate information for the client certificate.

server

object (Server)

Certificate information for the server certificate.

cipher

string

Cipher used during the connection.

curve

string

Elliptical curve used for a given cipher.

version

string

TLS version.

versionProtocol

string

Protocol.

established

boolean

Indicates whether the TLS negotiation was successful.

nextProtocol

string

Protocol to be used for tunnel.

resumed

boolean

Indicates whether the TLS connection was resumed from a previous TLS negotiation.

Client

Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).

JSON representation
{"certificate":{object (Certificate)},"ja3":string,"serverName":string,"supportedCiphers":[string]}
Fields
certificate

object (Certificate)

Client certificate.

ja3

string

JA3 hash from the TLS ClientHello, as a hex-encoded string.

serverName

string

Host name of the server, that the client is connecting to.

supportedCiphers[]

string

Ciphers supported by the client during client hello.

Certificate

Certificate information

JSON representation
{"version":string,"serial":string,"subject":string,"issuer":string,"md5":string,"sha1":string,"sha256":string,"notBefore":string,"notAfter":string}
Fields
version

string

Certificate version.

serial

string

Certificate serial number.

subject

string

Subject of the certificate.

issuer

string

Issuer of the certificate.

md5

string

The MD5 hash of the certificate, as a hex-encoded string.

sha1

string

The SHA1 hash of the certificate, as a hex-encoded string.

sha256

string

The SHA256 hash of the certificate, as a hex-encoded string.

notBefore

string (Timestamp format)

Indicates when the certificate is first valid.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:"2014-10-02T15:01:23Z","2014-10-02T15:01:23.045123456Z" or"2014-10-02T15:01:23+05:30".

notAfter

string (Timestamp format)

Indicates when the certificate is no longer valid.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:"2014-10-02T15:01:23Z","2014-10-02T15:01:23.045123456Z" or"2014-10-02T15:01:23+05:30".

Server

Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).

JSON representation
{"certificate":{object (Certificate)},"ja3s":string}
Fields
certificate

object (Certificate)

Server certificate.

ja3s

string

JA3 hash from the TLS ServerHello, as a hex-encoded string.

Smtp

SMTP info. See RFC 2821.

JSON representation
{"helo":string,"mailFrom":string,"rcptTo":[string],"serverResponse":[string],"messagePath":string,"isWebmail":boolean,"isTls":boolean}
Fields
helo

string

The client's 'HELO'/'EHLO' string.

mailFrom

string

The client's 'MAIL FROM' string.

rcptTo[]

string

The client's 'RCPT TO' string(s).

serverResponse[]

string

The server's response(s) to the client.

messagePath

string

The message's path (extracted from the headers).

isWebmail

boolean

If the message was sent via a webmail client.

isTls

boolean

If the connection switched to TLS.

ProxyInfo

Proxy information.

JSON representation
{"anonymous":boolean,"anonymousVpn":boolean,"publicProxy":boolean,"torExitNode":boolean,"smartDnsProxy":boolean,"hostingProvider":boolean,"vpnDatacenter":boolean,"residentialProxy":boolean,"vpnServiceName":string,"proxyOverVpn":boolean,"relayProxy":boolean}
Fields
anonymous

boolean

Whether the IP address is anonymous.

anonymousVpn

boolean

Whether the IP address is an anonymous VPN.

publicProxy

boolean

Whether the IP address is a public proxy.

torExitNode

boolean

Whether the IP address is a tor exit node.

smartDnsProxy

boolean

Whether the IP address is a smart DNS proxy.

hostingProvider

boolean

Whether the IP address is a hosting provider.

vpnDatacenter

boolean

Whether the IP address is a VPN datacenter.

residentialProxy

boolean

Whether the IP address is a residential proxy.

vpnServiceName

string

The name of the VPN service.

proxyOverVpn

boolean

Whether the IP address is a proxy over VPN.

relayProxy

boolean

Whether the IP address is a relay proxy.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-13 UTC.