NEDS: Network Events Data Stream v0.9

A Log Format for Network Traffic Reporting

Overview

This format is a logging format for reporting events related to network traffic. Each record starts with an Event Identifier that specifies the format for the rest of record. The format for event records is fixed and versioned.

The overall format is Comma Separate Values ( If a string value has a double quote (“) in it,it should be escaped as two double quotes (“”). There should be flexibility in handling record formats. Certain transports or logging systems may prefix the records with additional information such as a timestamp. This is outside of this specification. Consumers of these records should ignore anything that appears before the “neds.f5” or equivalent prefix for field 1.

String fields should be limited to a maximum length. This should be configured to the same number for the consumer and producer. A default maximum of 256 characters is suggested.If Unicode text is transported, it should be encoded using UTF8.

Example:

"neds.f5.conn.end.v1","1.1.1.1:53-1.1.1.1:",1255047810.47,5,5,1040,621

Note that this format is being defined with proxy semantics in mind. That means that this format tries to address the fact that network connections often go through a proxy or load balancer on their way to a server. In this case, there is a client side connection and a server side connection. There may be significant differences between these connections.

Consider that in a cacheing scenario, there may not even be a server side connection. In order to get a full picture of network traffic, network proxies need to report traffic handled directly as well as traffic passed on to other servers.

For example, the proxy may compress data on the way to the client and so the client side will have less packets and bytes transmitted. Vendors defining NEDS formats should be clear about whether information is being described for the client side connections or server side connections. Generally the client side is the “primary” connection to be reported on. Nevertheless, some of the fields belowmay refer to the “server side of the proxy”. Generally these fields may be blank in the case where the connection is handled by the network equipment itself.

Syslog is a valid transport for this format. Further transports may be defined that specify compression or other features.

Note this specification is in “beta” testing and should be considered subject to change until it reaches version 1.0.

Field 1: Event Identifier

The format for this field is "neds.Vendor.Context.Event.Version".

Also, this format is supported: "neds.Vendor.Context.Event.Version.Format".

neds is the literal string ‘neds’.

Vendor is a short string (e.g. ‘f5’).

Context is the protocol or area of interest (conn,http,ssl,etc)

Event is a short string.

Format is a short string (e.g. ‘AES+base64’)

Versions are specific to event and must be incremented when it changes. Only the vendor responsible fororiginating a version should define a subsequent version. Vendors should add fields to the end of a format so that consumers of earlier formats can try to consume the new format. New versions which are not compatible with early versions in this way should not be introduced without a long warning ahead of time (by publishing the format).

Example: neds.f5.conn.start.v1

The vendor is 'f5' networks.

The context is the connection level.

The event is 'start'.

The version is 'v1'.

Connection Events

neds.f5.conn.start.v1

The client connection has been established.

Field 2:

Name: Device

Format: String

Description: Identifies the device handling the flow

Examples: “mybigip.test.net”

Field 3:

Name: Flow

Format: "ClientIP:ClientPort-ServerIP:ServerPort@DateTimeSecs"

Description: These are the addresses and ports of the connection on

the client side in the case of a proxy.

Field 4:

Name: DateTimeSecs

Format: Floating Point Unix Time

Description:

Field 5:

Name: Ingress Interface/VLAN

Format: Any short string

Description: Identifies the ingress Interface or VLAN

Examples: “eth0”, “vlan32”, “external”, “internal”, “myvlan”, “4023”

Field 6:

Name: Protocol

Format: Integer

Description: IP Protocol from the IP header.

Field 7:

Name: DiffServ

Format: Integer

Description: Differentiated Services. From the IP header.

Field 8:

Name: TTL

Format: Integer

Description: Time to Live, from the IP header.

Field 9:

Name: PolicyName

Format: String

Description: The name of the virtual server or traffic policy

that intercepted the connection. Although this should always

be present for F5 traffic, consumers of this format should accept

an empty string here.

Field 10:

Name: Direction

Format: String

Description: A short string that describes the directional nature of the connection, such as whether it is ‘Inbound’ or ‘Outbound’. This may be blank, which should be considered unknown. Other strings may be configured on a site by site basis (e.g. ‘DMZ’). Users should check with their vendor for support before using arbitrary strings here.

neds.F5.conn.end.v1

The client connection has been closed.

Field 2:

Name: Device

Format: String

Description: Identifies the device handling the flow

Examples: “mybigip.test.net”

Field 3:

Name: Flow

Format: "ClientIP:ClientPort-ServerIP:ServerPort@DateTimeSecs"

Field 4:

Name: DateTimeSecs

Format: Floating Point Unix Time

Description:

Field 5:

Name: PktsIn

Format: Integer

Description: Total packets in on the client side of proxy

Field 6:

Name: PktsOut

Format: Integer

Description: Total packets out on the client side of proxy

Field 7:

Name: BytesIn

Format: Integer

Description: Total bytes in on the client side of proxy

Field 8:

Name: BytesOut

Format: Integer

Description: Total bytes out on the client side of proxy

HTTP Events

neds.f5.http.req.v1

The client has sent an HTTP request.

Field 2:

Name: Device

Format: String

Description: Identifies the device handling the flow

Examples: “mybigip.test.net”

Field 3:

Name: Flow

Format: "ClientIP:ClientPort-ServerIP:ServerPort@DateTimeSecs"

Description: These are the addresses and ports of the connection on

the client side in the case of a proxy.

Field 4:

Name: DateTimeSecs

Format: Floating Point Unix Time

Description:

Field 5:

Name: Request #

Format: Integer

Description: The number of the reply within TCP connection

(HTTP KeepAlive count). Starts at 1.

Field 6:

Name: Host

Field 7:

Name: URI

Field 8:

Name: User Name

Field 9:

Name: User Agent

neds.f5.http.resp.v1

The server has sent an HTTP response.

Field 2:

Name: Device

Format: String

Description: Identifies the device handling the flow

Examples: “mybigip.test.net”

Field 3:

Name: Flow

Format: "ClientIP:ClientPort-ServerIP:ServerPort@DateTimeSecs"

Description: These are the addresses and ports of the connection on

the client side in the case of a proxy.

Field 4:

Name: DateTimeSecs

Format: Floating Point Unix Time

Description:

Field 5:

Name: Reply #

Format: Integer

Description: The number of the reply within TCP connection

(HTTP KeepAlive count). Starts at 1.

Field 6:

Name: ResponseCode

Format: String

Field 7:

Name: ContentType

Format: String

Field 8:

Name: ContentLength

Format: String

Description: This is taken directly from the HTTP reply.It may

not be present, in which case the field may be a blank string.

Field 9:

Name: Load balance target

Description: A string identifying the resource used in the load balancing operation. This may be the internal IP address of the server that handled the connection. It may be the IP address of the next hop router chosen for load balancing. It may be a firewall that the connection was load balanced to. This field may also be blank.

Field 10:

Name: Server flow

Format: "ClientIP:ClientPort-ServerIP:ServerPort"

Description: These are the addresses and ports of the connection on

the server side in the case of a proxy. This field may also be blank if the connection is handled directly be the proxy. Note that the “ClientIP/Port” referred to above specifies the source address on the way to the server. This may not be the same as the address used by the client on the client side connection. The proxy may source a new address and port if source NAT is used. Also, the ServerIP/Port may not be the same as the destination on the client connection, since the client may be connecting to a virtual address which is then mapped to a real server address/port.

Encryption

F5 supports the following events:

neds.f5.conn.start.v1.AES+base64

neds.f5.conn.end.v1.AES+base64

neds.f5.http.req.v1.AES+base64

neds.f5.http.resp.v1.AES+base64

In each case, the event is the same as the event without the AES+base64 except that all fields except the event identifier are encrypted into one string using AES and a key string. The resulting encrypted binary is then encoded in base64. The same key string should be configured on the producer and consumer.

Here are samples of this using the key string (without the quotes): "F(NY$*@&TYY%($&@(%SLJSDLF"

Encrypted Sample Output

"neds.f5.conn.start.v1.AES+base64",rP1+HCrIaLLZ3g33tnoI6upKmYK6nyBPOj6aOKIU7LcDjt7/Se5IVLxDvO7QorULlXtNVcG9Ih7r+ciwp7g0l9uS5by62nWIyWq1Bt2sKjUhIiUtOsgYEywZI26mrK+EopZ0LXt9RMDGM/+G+yCK4f5Hzd/ckklIK8yVdS+GJA7cUaYvL0Y/NELCyBHR/+Iod1grW6zZPzRCwrV3+BVLJMUNPdfOmXAd3D3U

"neds.f5.http.req.v1.AES+base64",BYacg4/rBMpvmZ/3tnoI6upKmYK6nzj7yTNVbKoHjMpBLMUNm8y9+lP31RaMRqCvpK4gCE3DuRM3p4AxLD5gQOMjZ5mRVVd5nP6yD7JvehWyqjnkSKe1wrhYNU9HnfH0Lr22p2QRI2SFqluytmWJmDfjUGIEs0PXQ4B5IfnhHn3gJO0L/BLpb0f3UEP5fd6N5TEoWzpt1bg0/292DjHQ5zn5c4GhVOpz20tMvuZXKp1zIH5UH76C43T4pcomK4dxHclWE0aspaaP/QdqaU4Eyj+WgvMNOqTjz96YxglHEjLNTKBcbheaLRbMUpqZncTS9JMLamEHLKXMLteIvdAwW4R3mgA82mGs3ErmzIYHb0sWsyPOLaWnhv8K

"neds.f5.http.resp.v1.AES+base64",JPoeaIPtBozZ2XP3tnoI6upKmYK6n96WcJqSy4ickGUWiyJqTZpHBZdBC9XFPXCqxcbXJWzBcB9nliYOL9uXrvRBaTCRJlkXoMKJoTc0OR4JgXh6YsyYf/F4DfPOXbYWTeUVKRhpPfUzXj1xUXS97xYwMhePfY2Z4jC/kzP85qZjsdmBAHEaQeAuO8dP1gbbq8xpNDcaWo7KuzQfJBKHScYtDxtAGYreOKa6uE7wuvMQU8oOZtdh8PeQNg7lVU2SnTAY9PpNGz4rFX3ifTd9NR834zMvXgyinLBBOIJbz1jERIr+VxE=

Unencrypted Sample Output

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:57462-216.34.181.45:400",1256144869.394523,1,"slashdot.org","/","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:57462-216.34.181.45:400",1256144869.562362,1,"200","text/html; charset=iso-8859-1","","216.34.181.45:80","172.27.27.85:15132-216.34.181.45:80"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:48461-74.125.155.149:451",1256144870.410451,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:48461-74.125.155.149:451",1256144870.410574,1,"ad.doubleclick.net","/adj/ostg.slashdot/mainpage_p6_imu;pg=index;logged_in=0;tile=1;ord=9597903616872270?","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:48461-74.125.155.149:451",1256144870.556686,1,"200","application/x-javascript","214","74.125.155.149:80","172.27.27.85:15136-74.125.155.149:80"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:53276-74.125.155.156:530",1256144870.656530,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53276-74.125.155.156:530",1256144870.656654,1,"googleads.g.doubleclick.net","/pagead/ads?client=ca-ostg_js&output=js&image_size=300x250&lmt=1256146621&num_ads=3&channel=SD_Entertainment&region=slashdot&ea=0&feedback_link=on&flash=10.0.12&url=http%3A%2F%2Fslashdot.org%2F&dt=1256146622902&correlator=1256146622907&frm=0&ga_vid=11378126","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53276-74.125.155.156:530",1256144870.741738,1,"200","text/javascript; charset=UTF-8","698","74.125.155.156:80","172.27.27.85:53276-74.125.155.156:80"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:42417-74.125.127.101:656",1256144871.887656,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:42417-74.125.127.101:656",1256144871.887781,1," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:42417-74.125.127.101:656",1256144871.917682,1,"200","image/gif","35","74.125.127.101:80","172.27.27.85:15140-74.125.127.101:80"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:46617-66.179.5.20:916",1256144872.250916,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:46617-66.179.5.20:916",1256144872.251044,1,"data.coremetrics.com","/eluminate?ci=90240314&st=1256146622616&vn1=4.2.7&ec=ISO-8859-1&vn2=e4.0&pi=ARTICLE%20DETAIL%3A%20slashdot&ul=http%3A//slashdot.org/&cjen=1&cjuid=54781073012412532979900&cjsid=1256146624&cjvf=3&tid=6&rnd=1256151370175&pc=Y&jv=1.6&np0=Shockwave%2520Flash&np1","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:46617-66.179.5.20:916",1256144872.317822,1,"200","image/gif","","66.179.5.20:80","172.27.27.85:15144-66.179.5.20:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:46617-66.179.5.20:916",1256144877.634877,2,"data.coremetrics.com","/eluminate?ci=90240314&st=1256146622616&vn1=4.2.7&ec=ISO-8859-1&pi=ARTICLE%20DETAIL%3A%20slashdot&ul=http%3A//slashdot.org&cjen=1&cjuid=54781073012412532979900&cjsid=1256146624&cjvf=1&tid=8&ti=1256146629894&hr=http%3A// (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:46617-66.179.5.20:916",1256144877.697111,2,"200","image/gif","","66.179.5.20:80","172.27.27.85:15144-66.179.5.20:80"

"neds.f5.conn.end.v1","mybigip.test.net","172.27.27.81:46617-66.179.5.20:916",1256144877.697849,7,5,2154,1300

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144877.864586,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144877.864707,1," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144878.040607,1,"200","text/html;charset=UTF-8","","204.179.240.180:80","172.27.27.85:38068-204.179.240.180:80"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144878.087217,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144878.087303,1," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144878.243969,1,"200","text/css","13196","204.179.240.180:80","172.27.27.85:15148-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144878.448795,2," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144878.529100,2,"200","text/css","2490","204.179.240.180:80","172.27.27.85:38068-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144878.689249,2," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144878.854762,2,"200","text/css","805","204.179.240.180:80","172.27.27.85:15148-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144878.860605,3," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144878.939969,3,"200","text/css","6653","204.179.240.180:80","172.27.27.85:38068-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144878.959476,3," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144879.039346,3,"200","text/css","2243","204.179.240.180:80","172.27.27.85:15148-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144879.045893,4," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144879.125016,4,"200","application/x-javascript","8116","204.179.240.180:80","172.27.27.85:38068-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144879.142332,4," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144879.221941,4,"200","application/x-javascript","5551","204.179.240.180:80","172.27.27.85:15148-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144879.231461,5," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144879.309821,5,"200","application/x-javascript","443","204.179.240.180:80","172.27.27.85:38068-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144879.313946,5," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144879.396950,5,"200","application/x-javascript","11515","204.179.240.180:80","172.27.27.85:15148-204.179.240.180:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144879.537575,6," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38068-204.179.240.180:586",1256144879.617908,6,"200","application/x-javascript","143416","204.179.240.180:80","172.27.27.85:38068-204.179.240.180:80"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.764797,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.764918,1,"cdn.images.bloomberg.com","/r06/navigation/bg_logo.png","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.765012,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.765069,1,"cdn.images.bloomberg.com","/r06/navigation/banywhere467x24.png","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144880.772102,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144880.772164,1,"images.bloomberg.com","/r06/navigation/HP1x31.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.811918,1,"200","image/png","2439","204.160.122.126:80","172.27.27.85:15156-204.160.122.126:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.812629,1,"200","image/png","1962","204.160.122.126:80","172.27.27.85:15152-204.160.122.126:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.813133,2,"cdn.images.bloomberg.com","/r06/navigation/quoteBtn2.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.813213,2,"cdn.images.bloomberg.com","/r06/navigation/qmarkNEW.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:33350-208.71.122.64:546",1256144880.826546,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:33350-208.71.122.64:546",1256144880.826618,1,"ads.bloomberg.com","/adstream_mjx.ads/bloomberg/news/regions/us/story/1110641358@x70,x60,x20?nullTEC&","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.835580,2,"200","image/gif","586","204.160.122.126:80","172.27.27.85:15156-204.160.122.126:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.836316,3,"cdn.images.bloomberg.com","/r06/navigation/searchNews.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.837043,2,"200","image/gif","1371","204.160.122.126:80","172.27.27.85:15152-204.160.122.126:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.838260,3,"cdn.images.bloomberg.com","/r06/homepage/arrow-green-blue.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.859990,3,"200","image/gif","1809","204.160.122.126:80","172.27.27.85:15156-204.160.122.126:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.860231,3,"200","image/gif","67","204.160.122.126:80","172.27.27.85:15152-204.160.122.126:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.860982,4,"cdn.images.bloomberg.com","/r06/navigation/radioIcon.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.861049,4,"cdn.images.bloomberg.com","/r06/navigation/tvIcon.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.883674,4,"200","image/gif","333","204.160.122.126:80","172.27.27.85:15156-204.160.122.126:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.883760,4,"200","image/gif","558","204.160.122.126:80","172.27.27.85:15152-204.160.122.126:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.884651,5,"cdn.images.bloomberg.com","/r06/navigation/podIcon.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.884721,5,"cdn.images.bloomberg.com","/r06/navigation/mobileIcon.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53618-204.160.122.126:012",1256144880.907858,5,"200","image/gif","324","204.160.122.126:80","172.27.27.85:15156-204.160.122.126:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:53617-204.160.122.126:797",1256144880.907986,5,"200","image/gif","619","204.160.122.126:80","172.27.27.85:15152-204.160.122.126:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144880.927612,1,"200","image/gif","156","204.179.240.184:80","172.27.27.85:15160-204.179.240.184:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:33350-208.71.122.64:546",1256144881.016988,1,"200","application/x-javascript","2142","208.71.122.64:80","172.27.27.85:15164-208.71.122.64:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144881.028195,2,"images.bloomberg.com","/r06/global/obox.png","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:45571-204.179.240.184:590",1256144881.032590,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:45571-204.179.240.184:590",1256144881.032659,1,"images.bloomberg.com","/r06/homepage/arrow-green-blue.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144881.060419,6," (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:58446-65.203.229.41:620",1256144881.093620,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:58446-65.203.229.41:620",1256144881.093696,1,"view.atdmt.com","/FNN/iview/181458094/direct/011951512805?click= (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144881.105354,2,"200","image/png","134","204.179.240.184:80","172.27.27.85:15160-204.179.240.184:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144881.106329,3,"images.bloomberg.com","/r06/homepage/login_reg_blk.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:38069-204.179.240.180:217",1256144881.140005,6,"200","image/jpeg","","204.179.240.180:80","172.27.27.85:15148-204.179.240.180:80"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:50535-209.234.234.12:470",1256144881.172470,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:50535-209.234.234.12:470",1256144881.172538,1,"ad.wsod.com","/embed/8bec9b10877d5d7fd7c0fb6e6a631357/405.0.iframe.300x250/Insert_Random_Number?click=Insert_Click_Track_URL","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144881.184931,3,"200","image/gif","1796","204.179.240.184:80","172.27.27.85:15160-204.179.240.184:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144881.185903,4,"images.bloomberg.com","/r06/global/heading/news_hd.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:45571-204.179.240.184:590",1256144881.188830,1,"200","image/gif","67","204.179.240.184:80","172.27.27.85:15168-204.179.240.184:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:45571-204.179.240.184:590",1256144881.189318,2,"images.bloomberg.com","/r06/global/odot.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.conn.start.v1","mybigip.test.net","172.27.27.81:58214-208.50.77.166:609",1256144881.208609,"4094",6,0,64,"outbound_http","Outbound"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:58214-208.50.77.166:609",1256144881.208707,1,"imagec12.247realmedia.com","/RealMedia/ads/Creatives/default/empty.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:58214-208.50.77.166:609",1256144881.217659,1,"200","image/gif","43","208.50.77.166:80","172.27.27.85:15180-208.50.77.166:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:58446-65.203.229.41:620",1256144881.219343,1,"200","text/html","6984","65.203.229.41:80","172.27.27.85:15172-65.203.229.41:80"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144881.264042,4,"200","image/gif","747","204.179.240.184:80","172.27.27.85:15160-204.179.240.184:80"

"neds.f5.http.req.v1","mybigip.test.net","172.27.27.81:45569-204.179.240.184:102",1256144881.265491,5,"images.bloomberg.com","/r06/news/story_tl.gif","","Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10"

"neds.f5.http.resp.v1","mybigip.test.net","172.27.27.81:45571-204.179.240.184:590",1256144881.266709,2,"200","image/gif","43","204.179.240.184:80","172.27.27.85:15168-204.179.240.184:80"