++

Author: Zainullin Damir

src/plugins/process/dnssd/README.md

@@ -8,10 +8,9 @@ The **DNSSD Plugin** extends flow records with DNS-SD (DNS Service Discovery) qu
 
 ## Parameters
 
-| Long name                                                                                                                        | Short name | Type           | Default      | Description                                           |
-| -------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------------- | ------------ | ----------------------------------------------------- |
-| `txt`                                                                                                                            | `t`        | `Path to file` | **Disabled** | If no file provided, processes all DNSSD TXT records. |
-| If a file is provided, only processes TXT records listed in the file. Whitelist format is `service.domain,txt_key1,txt_key2,...` |
+| Long name | Short name | Type           | Default      | Description                                                                                                                                                                            |
+| --------- | ---------- | -------------- | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `txt`     | `t`        | `Path to file` | **Disabled** | If no file provided, processes all DNSSD TXT records. If a file is provided, only processes TXT records listed in the file. Whitelist format is `service.domain,txt_key1,txt_key2,...` |
 
 ## Output Fields
 

src/plugins/process/flowHash/README.md

@@ -8,9 +8,9 @@ The **FlowHash Plugin** extends flow records with flow hashing information.
 
 ## Output Fields
 
-| Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|----------------------------------------|
-| `FLOW_ID`| `uint64_t`  | Assigned flow hash | 
+| Field Name | Data Type  | Description        |
+| ---------- | ---------- | ------------------ |
+| `FLOW_ID`  | `uint64_t` | Assigned flow hash |
 
 ## Usage
 
@@ -20,11 +20,11 @@ Add the plugin to your ipfixprobe YAML configuration:
 
 ```yaml
 process_plugins:
-  - flowhash 
+  - flowhash
 ```
 
 ### CLI Usage
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p flowhash ...```
+`ipfixprobe -p flowhash ...`

src/plugins/process/http/README.md

@@ -10,17 +10,17 @@ Plugin enables detailed analysis of HTTP traffic by extracting key fields from H
 
 ## Output Fields
 
-| Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|----------------------------------------|
-| `HTTP_REQUEST_METHOD`| `string`  | HTTP request method (e.g., GET, POST) | 
-| `HTTP_REQUEST_HOST`| `string`  | Requested HTTP host | 
-| `HTTP_REQUEST_URL`| `string`  | Requested URL | 
-| `HTTP_REQUEST_AGENT`| `string`  | User agent of the requester | 
-| `HTTP_REQUEST_REFERER`| `string`  | HTTP request referer | 
-| `HTTP_RESPONSE_STATUS_CODE`| `uint16_t`  | Response status code | 
-| `HTTP_RESPONSE_CONTENT_TYPE`| `string`  | Response content type | 
-| `HTTP_RESPONSE_SERVER`| `string`  | Response server | 
-| `HTTP_RESPONSE_SET_COOKIE_NAMES`| `string`  | Concatenated names of cookies that were set | 
+| Field Name                       | Data Type  | Description                                 |
+| -------------------------------- | ---------- | ------------------------------------------- |
+| `HTTP_REQUEST_METHOD`            | `string`   | HTTP request method (e.g., GET, POST)       |
+| `HTTP_REQUEST_HOST`              | `string`   | Requested HTTP host                         |
+| `HTTP_REQUEST_URL`               | `string`   | Requested URL                               |
+| `HTTP_REQUEST_AGENT`             | `string`   | User agent of the requester                 |
+| `HTTP_REQUEST_REFERER`           | `string`   | HTTP request referer                        |
+| `HTTP_RESPONSE_STATUS_CODE`      | `uint16_t` | Response status code                        |
+| `HTTP_RESPONSE_CONTENT_TYPE`     | `string`   | Response content type                       |
+| `HTTP_RESPONSE_SERVER`           | `string`   | Response server                             |
+| `HTTP_RESPONSE_SET_COOKIE_NAMES` | `string`   | Concatenated names of cookies that were set |
 
 ## Usage
 
@@ -37,4 +37,4 @@ process_plugins:
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p http ...```
+`ipfixprobe -p http ...`

src/plugins/process/icmp/README.md

@@ -4,9 +4,9 @@ Plugin extracts and exports ICMP type and code if present.
 
 ## Output Fields
 
-| Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|----------------------------------------|
-| `L4_ICMP_TYPE_CODE`     | `uint16_t` | ICMP type in first byte and code in the second byte |
+| Field Name          | Data Type  | Description                                         |
+| ------------------- | ---------- | --------------------------------------------------- |
+| `L4_ICMP_TYPE_CODE` | `uint16_t` | ICMP type in first byte and code in the second byte |
 
 ## Usage
 
@@ -23,6 +23,4 @@ process_plugins:
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p icmp ...```
-
-
+`ipfixprobe -p icmp ...`

src/plugins/process/idpContent/README.md

@@ -8,10 +8,10 @@ Plugin captures and exports the payloads of the first packets.
 
 ## Output Fields
 
-| Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|----------------------------------------|
-| `IDP_CONTENT`| `bytes`  | Payload of first packet (source → destination) |
-| `IDP_CONTENT_REV`| `bytes`  | Payload of first packet (destination → source) | 
+| Field Name        | Data Type | Description                                    |
+| ----------------- | --------- | ---------------------------------------------- |
+| `IDP_CONTENT`     | `bytes`   | Payload of first packet (source → destination) |
+| `IDP_CONTENT_REV` | `bytes`   | Payload of first packet (destination → source) |
 
 ## Usage
 
@@ -28,5 +28,4 @@ process_plugins:
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p idpcontent ...```
-
+`ipfixprobe -p idpcontent ...`

src/plugins/process/mpls/README.md

@@ -4,9 +4,9 @@ Plugin extracts and exports MPLS top label if present.
 
 ## Output Fields
 
-| Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|----------------------------------------|
-| `MPLS_TOP_LABEL_STACK_SECTION`     | `uint32_t` | MPLS top label from the packet |
+| Field Name                     | Data Type  | Description                    |
+| ------------------------------ | ---------- | ------------------------------ |
+| `MPLS_TOP_LABEL_STACK_SECTION` | `uint32_t` | MPLS top label from the packet |
 
 ## Usage
 
@@ -23,4 +23,4 @@ process_plugins:
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p mpls ...```
+`ipfixprobe -p mpls ...`

src/plugins/process/mqtt/README.md

@@ -6,28 +6,28 @@ The **MQTT Plugin** extends flow records with MQTT (Message Queuing Telemetry Tr
 
 - Extracts and exports MQTT fields if flow contains MQTT information.
 - Only MQTT v3.1.1 and v5.0 are supported.
-- Flow is finished when *disconect* message is received.
+- Flow is finished when _disconect_ message is received.
 
 ## Parameters
 
-| Long name | Short name | Type   | Default | Description                                                 |
-|-----------|------------|--------|---------|-------------------------------------------------------------|
-| `tc`     | `topiccount`       | `int`   | 10 | Maximal count of topics from *publish* messages to save |
+| Long name | Short name   | Type  | Default | Description                                             |
+| --------- | ------------ | ----- | ------- | ------------------------------------------------------- |
+| `tc`      | `topiccount` | `int` | 10      | Maximal count of topics from _publish_ messages to save |
 
 ## Output Fields
 
-| Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|----------------------------------------|
-| `MQQT_TYPE_CUMULATIVE`| `uint16_t`  | Bitfield of messages that were detected during the communication. Each value takes 1 bit. 
-DISCONNECT \| PINGRESP \| PINGREQ \| UNSUBACK \| UNSUBSCRIBE \|
-	SUBACK \| SUBSCRIBE \| PUBCOMP \| PUBREL \| PUBREC \| PUBACK \| PUBLISH \|
-	CONNACK \| CONNECT \| session present flag from *connection* message\|
-| `MQTT_VERSION`| `uint8_t`  | Identifies the MQTT version being used. |
-| `MQTT_CONNECTION_FLAGS`| `uint8_t`  | Flags of *connection* message. |
-| `MQTT_KEEP_ALIVE`| `uint16_t`  | MQTT connection keep alive |
-| `MQTT_CONNECTION_RETURN_CODE`| `uint8_t`  | Return code value from *connack* message. |
-| `MQTT_PUBLISH_FLAGS`| `uint8_t`  | Cumulative of *publish* message flags. |
-| `MQTT_TOPICS`| `string`  | Concatenation of **topiccount** topics from *publish* messages. |
+| Field Name                                                                 | Data Type  | Description                                                                               |
+| -------------------------------------------------------------------------- | ---------- | ----------------------------------------------------------------------------------------- |
+| `MQQT_TYPE_CUMULATIVE`                                                     | `uint16_t` | Bitfield of messages that were detected during the communication. Each value takes 1 bit. |
+| DISCONNECT \| PINGRESP \| PINGREQ \| UNSUBACK \| UNSUBSCRIBE \|            |
+| SUBACK \| SUBSCRIBE \| PUBCOMP \| PUBREL \| PUBREC \| PUBACK \| PUBLISH \| |
+| CONNACK \| CONNECT \| session present flag from _connection_ message\|     |
+| `MQTT_VERSION`                                                             | `uint8_t`  | Identifies the MQTT version being used.                                                   |
+| `MQTT_CONNECTION_FLAGS`                                                    | `uint8_t`  | Flags of _connection_ message.                                                            |
+| `MQTT_KEEP_ALIVE`                                                          | `uint16_t` | MQTT connection keep alive                                                                |
+| `MQTT_CONNECTION_RETURN_CODE`                                              | `uint8_t`  | Return code value from _connack_ message.                                                 |
+| `MQTT_PUBLISH_FLAGS`                                                       | `uint8_t`  | Cumulative of _publish_ message flags.                                                    |
+| `MQTT_TOPICS`                                                              | `string`   | Concatenation of **topiccount** topics from _publish_ messages.                           |
 
 ## Usage
 
@@ -37,12 +37,12 @@ Add the plugin to your ipfixprobe YAML configuration:
 
 ```yaml
 process_plugins:
-  - mqtt 
+  - mqtt
 ```
 
 ### CLI Usage
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p mqtt ...```
-```ipfixprobe -p "mqtt;tc=<topic_count>" ...```
+`ipfixprobe -p mqtt ...`
+`ipfixprobe -p "mqtt;tc=<topic_count>" ...`

src/plugins/process/netbios/README.md

@@ -9,10 +9,10 @@ This plugin provides in-depth analysis of NetBIOS traffic by capturing and expor
 
 ## Output Fields
 
-| Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|-------------------------------------------------------------|
-| `NB_NAME`       | `string`  | NetBIOS name extracted from the packet                     |
-| `NB_SUFFIX`    | `char`    | NetBIOS suffix extracted from the packet                   |
+| Field Name  | Data Type | Description                              |
+| ----------- | --------- | ---------------------------------------- |
+| `NB_NAME`   | `string`  | NetBIOS name extracted from the packet   |
+| `NB_SUFFIX` | `char`    | NetBIOS suffix extracted from the packet |
 
 ## Usage
 
@@ -29,5 +29,4 @@ process_plugins:
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p netbios ...```
-
+`ipfixprobe -p netbios ...`

src/plugins/process/ntp/README.md

@@ -10,24 +10,21 @@ Plugin extract and export various data from NTP packets.
 
 ## Output Fields
 
-NTP_LEAP = 0,
-
-    NTP_VERSION,
-    NTP_MODE,
-    NTP_STRATUM,
-    NTP_POLL,
-    NTP_PRECISION,
-    NTP_DELAY,
-    NTP_DISPERSION,
-    NTP_REF_ID,
-    NTP_REF,
-    NTP_ORIG,
-    NTP_RECV,
-    NTP_SENT
-
-| Field Name | Data Type | Description     |
-| ---------- | --------- | --------------- |
-| `NTP_LEAP` | `uint8_t` | Leap indicator. |
+| Field Name       | Data Type  | Description                                                                                                                                |
+| ---------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| `NTP_LEAP`       | `uint8_t`  | Leap from Network Time header.                                                                                                             |
+| `NTP_MODE`       | `uint8_t`  | Mode from Network Time header.                                                                                                             |
+| `NTP_VERSION`    | `uint8_t`  | Version from Network Time header.                                                                                                          |
+| `NTP_STRATUM`    | `uint8_t`  | Stratum used to identify the distance from the reference clock.                                                                            |
+| `NTP_POLL`       | `int8_t`   | The poll interval in seconds (as a power of 2) indicating how often the client queries the server.                                         |
+| `NTP_PRECISION`  | `int8_t`   | The precision of the local clock, i.e., the smallest distinguishable time interval, usually expressed as a negative power of 2 in seconds. |
+| `NTP_DELAY`      | `uint32_t` | The round-trip network delay between the client and the NTP server, measured in milliseconds or seconds.                                   |
+| `NTP_DISPERSION` | `uint32_t` | The estimated error or uncertainty of the server's time relative to the true time, increases over time since last update.                  |
+| `NTP_REF_ID`     | `string`   | Identifier of the reference clock or server the NTP server is synchronized to as a string.                                                 |
+| `NTP_REF`        | `string`   | Timestamp of the last time the server clock was set or corrected as a string.                                                              |
+| `NTP_ORIG`       | `string`   | Timestamp sent by the client in the request packet as a string.                                                                            |
+| `NTP_RECV`       | `string`   | Timestamp when the request was received by the server as a string.                                                                         |
+| `NTP_SENT`       | `string`   | Timestamp when the response was sent by the server as a string.                                                                            |
 
 ## Usage
 
@@ -37,13 +34,11 @@ Add the plugin to your ipfixprobe YAML configuration:
 
 ```yaml
 process_plugins:
-  - nettisa
+  - ntp
 ```
 
 ### CLI Usage
 
 You can also enable the plugin directly from the command line:
 
-```
-ipfixprobe -p nettisa ...
-```
+`ipfixprobe -p ntp ...`

src/plugins/process/osquery/README.md

@@ -0,0 +1,40 @@
+# OSQuery Plugin
+
+Plugin for querying operating system about the flows.
+
+## Features
+
+- Uses osqueryi to query the operating system and exports relevant information.
+
+## Output Fields
+
+| Field Name                 | Data Type  | Description                               |
+| -------------------------- | ---------- | ----------------------------------------- |
+| `OSQUERY_PROGRAM_NAME`     | `string`   | Name of the program generating the flow.  |
+| `OSQUERY_USERNAME`         | `string`   | Username of the user running the program. |
+| `OSQUERY_OS_NAME`          | `string`   | Operating system name.                    |
+| `OSQUERY_OS_MAJOR`         | `uint16_t` | Operating system major version.           |
+| `OSQUERY_OS_MINOR`         | `uint16_t` | Operating system minor version.           |
+| `OSQUERY_OS_BUILD`         | `string`   | Operating system build.                   |
+| `OSQUERY_OS_PLATFORM`      | `string`   | Operating system platform.                |
+| `OSQUERY_OS_PLATFORM_LIKE` | `string`   | Windows/Linux/Darwin.                     |
+| `OSQUERY_OS_ARCH`          | `string`   | Operating system architecture.            |
+| `OSQUERY_KERNEL_VERSION`   | `string`   | Operating system kernel version.          |
+| `OSQUERY_SYSTEM_HOSTNAME`  | `string`   | System hostname.                          |
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - osquery
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+`ipfixprobe -p osquery ...`