Restructuring files and folders
authorrtrimana <rtrimana@uci.edu>
Mon, 6 Nov 2017 18:49:18 +0000 (10:49 -0800)
committerrtrimana <rtrimana@uci.edu>
Mon, 6 Nov 2017 18:49:18 +0000 (10:49 -0800)
base_gefx_generator.py [new file with mode: 0644]
extract_from_tshark.py [new file with mode: 0644]
json/eth1.dump.json [new file with mode: 0644]
origin/base_gefx_generator.py [deleted file]
origin/extract_from_tshark.py [deleted file]
parser/__init__.py [new file with mode: 0644]

diff --git a/base_gefx_generator.py b/base_gefx_generator.py
new file mode 100644 (file)
index 0000000..af39ffc
--- /dev/null
@@ -0,0 +1,126 @@
+#!/usr/bin/python
+
+"""
+Script that constructs a graph in which hosts are nodes.
+An edge between two hosts indicate that the hosts communicate.
+Hosts are labeled and identified by their IPs.
+The graph is written to a file in Graph Exchange XML format for later import and visual inspection in Gephi.
+
+The input to this script is the JSON output by extract_from_tshark.py by Anastasia Shuba.
+
+This script is a simplification of Milad Asgari's parser_data_to_gephi.py script.
+It serves as a baseline for future scripts that want to include more information in the graph.
+"""
+
+import socket
+import json
+import tldextract
+import networkx as nx
+import sys
+from decimal import *
+
+import parser.parse_dns
+
+JSON_KEY_ETH_SRC = "eth.src"
+JSON_KEY_ETH_DST = "eth.dst"
+
+def parse_json(file_path):
+
+    device_dns_mappings = parser.parse_dns.parse_json_dns("./json/dns.json")
+
+    # Init empty graph
+    G = nx.DiGraph() 
+    with open(file_path) as jf:
+        # Read JSON.
+        # data becomes reference to root JSON object (or in our case json array)
+        data = json.load(jf)
+        # Loop through json objects in data
+        for k in data:
+            # Fetch timestamp of packet
+            packet_timestamp = Decimal(data[k]["ts"])
+            # Fetch eth source and destination info
+            eth_src = data[k][JSON_KEY_ETH_SRC]
+            eth_dst = data[k][JSON_KEY_ETH_DST]
+            # Traffic can be both outbound and inbound.
+            # Determine which one of the two by looking up device MAC in DNS map.
+            iot_device = None
+            if eth_src in device_dns_mappings:
+                iot_device = eth_src
+            elif eth_dst in device_dns_mappings:
+                iot_device = eth_dst
+            else:
+                print "[ WARNING: DNS mapping not found for device with MAC", eth_src, "OR", eth_dst, "]"
+                # This must be local communication between two IoT devices OR an IoT device talking to a hardcoded IP.
+                # For now let's assume local communication.
+                # Add a node for each device and an edge between them.
+                G.add_node(eth_src)
+                G.add_node(eth_dst)
+                G.add_edge(eth_src, eth_dst)
+                # TODO add regex check on src+dst IP to figure out if hardcoded server IP (e.g. check if one of the two are NOT a 192.168.x.y IP)
+                continue
+            # It is outbound traffic if iot_device matches src, otherwise it must be inbound traffic.
+            outbound_traffic = iot_device == eth_src
+
+            ''' Graph construction '''
+            # No need to check if the Nodes and/or Edges we add already exist:
+            # NetworkX won't add already existing nodes/edges (except in the case of a MultiGraph or MultiDiGraph (see NetworkX doc)).
+            
+            # Add a node for each host.
+            # First add node for IoT device.
+            G.add_node(iot_device)
+            # Then add node for the server.
+            # For this we need to distinguish between outbound and inbound traffic so that we look up the proper IP in our DNS map.
+            # For outbound traffic, the server's IP is the destination IP.
+            # For inbound traffic, the server's IP is the source IP.
+            server_ip = data[k]["dst_ip"] if outbound_traffic else data[k]["src_ip"]
+            hostname = device_dns_mappings[iot_device].hostname_for_ip_at_time(server_ip, packet_timestamp)
+            if hostname is None:
+                # TODO this can occur when two local devices communicate OR if IoT device has hardcoded server IP.
+                # However, we only get here for the DNS that have not performed any DNS lookups
+                # We should use a regex check early in the loop to see if it is two local devices communicating.
+                # This way we would not have to consider these corner cases later on.
+                print "[ WARNING: no ip-hostname mapping found for ip", server_ip, " -- adding eth.src->eth.dst edge, but note that this may be incorrect if IoT device has hardcoded server IP ]"
+                G.add_node(eth_src)
+                G.add_node(eth_dst)
+                G.add_edge(eth_src, eth_dst)
+                continue
+            G.add_node(hostname)
+            # Connect the two nodes we just added.
+            if outbound_traffic:
+                G.add_edge(iot_device, hostname)
+            else:
+                G.add_edge(hostname, iot_device)
+    return G
+
+# ------------------------------------------------------
+# Not currently used.
+# Might be useful later on if we wish to resolve IPs.
+def get_domain(host):
+    ext_result = tldextract.extract(str(host))
+    # Be consistent with ReCon and keep suffix
+    domain = ext_result.domain + "." + ext_result.suffix
+    return domain
+
+def is_IP(addr):
+    try:
+        socket.inet_aton(addr)
+        return True
+    except socket.error:
+        return False
+# ------------------------------------------------------
+
+if __name__ == '__main__':
+    if len(sys.argv) < 3:
+        print "Usage:", sys.argv[0], "input_file output_file"
+        print "outfile_file should end in .gexf"
+        sys.exit(0)
+    # Input file: Path to JSON file generated from tshark JSON output using Anastasia's script (extract_from_tshark.py).
+    input_file = sys.argv[1]
+    print "[ input_file  =", input_file, "]"
+    # Output file: Path to file where the Gephi XML should be written.
+    output_file = sys.argv[2]
+    print "[ output_file =", output_file, "]"
+    # Construct graph from JSON
+    G = parse_json(input_file)
+    # Write Graph in Graph Exchange XML format
+    nx.write_gexf(G, output_file)
diff --git a/extract_from_tshark.py b/extract_from_tshark.py
new file mode 100644 (file)
index 0000000..5704a97
--- /dev/null
@@ -0,0 +1,176 @@
+#!/usr/bin/python\r
+\r
+"""\r
+Script used to extract only the needed information from JSON packet traces generated by\r
+tshark from PCAPNG format\r
+"""\r
+\r
+import os, sys\r
+import json\r
+import uuid\r
+\r
+from collections import OrderedDict\r
+\r
+json_key_source = "_source"\r
+json_key_layers = "layers"\r
+\r
+json_key_ip = "ip"\r
+json_key_tcp = "tcp"\r
+\r
+json_key_http = "http"\r
+json_key_method = "method"\r
+json_key_uri = "uri"\r
+json_key_headers = "headers"\r
+json_key_host = "host"\r
+\r
+json_key_http_req = json_key_http + ".request."\r
+json_key_http_req_method = json_key_http_req + json_key_method\r
+json_key_http_req_uri = json_key_http_req + json_key_uri\r
+json_key_http_req_line = json_key_http_req + "line"\r
+\r
+json_key_pkt_comment = "pkt_comment"\r
+\r
+json_key_frame = "frame"\r
+json_key_frame_num = json_key_frame + ".number"\r
+json_key_frame_comment = json_key_frame + ".comment"\r
+json_key_frame_ts = json_key_frame + ".time_epoch"\r
+\r
+\r
+JSON_KEY_ETH = "eth"\r
+JSON_KEY_ETH_SRC = "eth.src"\r
+JSON_KEY_ETH_DST = "eth.dst"\r
+\r
+\r
+def make_unique(key, dct):\r
+    counter = 0\r
+    unique_key = key\r
+\r
+    while unique_key in dct:\r
+        counter += 1\r
+        unique_key = '{}_{}'.format(key, counter)\r
+    return unique_key\r
+\r
+\r
+def parse_object_pairs(pairs):\r
+    dct = OrderedDict()\r
+    for key, value in pairs:\r
+        if key in dct:\r
+            key = make_unique(key, dct)\r
+        dct[key] = value\r
+\r
+    return dct\r
+\r
+def change_file(fpath):\r
+    for fn in os.listdir(fpath):\r
+        full_path = fpath + '/' + fn\r
+\r
+        # Recursively go through all directories\r
+        if os.path.isdir(full_path):\r
+            change_file(full_path)\r
+            continue\r
+\r
+        print full_path\r
+        with open(full_path, "r+") as jf:\r
+            # Since certain json 'keys' appear multiple times in our data, we have to make them\r
+            # unique first (we can't use regular json.load() or we lose some data points). From:\r
+            # https://stackoverflow.com/questions/29321677/python-json-parser-allow-duplicate-keys\r
+            decoder = json.JSONDecoder(object_pairs_hook=parse_object_pairs)\r
+            pcap_data = decoder.decode(jf.read())\r
+\r
+            # Prepare new data structure for re-formatted JSON storage\r
+            data = {}\r
+            for packet in pcap_data:\r
+                layers = packet[json_key_source][json_key_layers]\r
+\r
+                # All captured traffic should have a frame + frame number, but check anyway\r
+                frame_num = " Frame: "\r
+                if json_key_frame not in layers or json_key_frame_num not in layers[json_key_frame]:\r
+                    print "WARNING: could not find frame number! Using -1..."\r
+                    frame_num = frame_num + "-1"\r
+                else:\r
+                    # Save frame number for error-reporting\r
+                    frame_num = frame_num + layers[json_key_frame][json_key_frame_num]\r
+\r
+                # All captured traffic should be IP, but check anyway\r
+                if not json_key_ip in layers:\r
+                    print "WARNING: Non-IP traffic detected!" + frame_num\r
+                    continue\r
+\r
+                # For now, focus on HTTP only\r
+                if json_key_tcp not in layers or json_key_http not in layers:\r
+                    continue\r
+\r
+                # Fill our new JSON packet with TCP/IP info\r
+                new_packet = {}\r
+                new_packet["dst_ip"] = layers[json_key_ip][json_key_ip + ".dst"]\r
+                new_packet["dst_port"] = int(layers[json_key_tcp][json_key_tcp + ".dstport"])\r
+\r
+                # JV: Also include src so we can see what device initiates the traffic\r
+                new_packet["src_ip"] = layers[json_key_ip][json_key_ip + ".src"]\r
+                new_packet["src_port"] = int(layers[json_key_tcp][json_key_tcp + ".srcport"])\r
+                #JV: Also include eth soure/destination info so that we can map traffic to physical device using MAC\r
+                new_packet[JSON_KEY_ETH_SRC] = layers[JSON_KEY_ETH][JSON_KEY_ETH_SRC]\r
+                new_packet[JSON_KEY_ETH_DST] = layers[JSON_KEY_ETH][JSON_KEY_ETH_DST]\r
+\r
+                # Go through all HTTP fields and extract the ones that are needed\r
+                http_data = layers[json_key_http]\r
+                for http_key in http_data:\r
+                    http_value = http_data[http_key]\r
+\r
+                    if http_key.startswith(json_key_http_req_line):\r
+                        header_line = http_value.split(":", 1)\r
+                        if len(header_line) != 2:\r
+                            print ("WARNING: could not parse header '" + str(header_line) + "'"\r
+                                   + frame_num)\r
+                            continue\r
+\r
+                        # Prepare container for HTTP headers\r
+                        if json_key_headers not in new_packet:\r
+                            new_packet[json_key_headers] = {}\r
+\r
+                        # Use lower case for header keys to stay consistent with our other data\r
+                        header_key = header_line[0].lower()\r
+\r
+                        # Remove the trailing carriage return\r
+                        header_val = header_line[1].strip()\r
+\r
+                        # Save the header key-value pair\r
+                        new_packet[json_key_headers][header_key] = header_val\r
+\r
+                        # If this is the host header, we also save it to the main object\r
+                        if header_key == json_key_host:\r
+                            new_packet[json_key_host] = header_val\r
+\r
+                    if json_key_http_req_method in http_value:\r
+                        new_packet[json_key_method] = http_value[json_key_http_req_method]\r
+                    if json_key_http_req_uri in http_value:\r
+                        new_packet[json_key_uri] = http_value[json_key_http_req_uri]\r
+\r
+                # End of HTTP parsing\r
+\r
+                # Check that we found the minimum needed HTTP headers\r
+                if (json_key_uri not in new_packet or json_key_method not in new_packet or\r
+                        json_key_host not in new_packet):\r
+                    print "Missing some HTTP Headers!" + frame_num\r
+                    continue\r
+\r
+                # Extract timestamp\r
+                if json_key_frame_ts not in layers[json_key_frame]:\r
+                    print "WARNING: could not find timestamp!" + frame_num\r
+                    continue\r
+\r
+                new_packet["ts"] = layers[json_key_frame][json_key_frame_ts]\r
+\r
+                # Create a unique key for each packet to keep consistent with ReCon\r
+                # Also good in case packets end up in different files\r
+                data[str(uuid.uuid4())] = new_packet\r
+\r
+            # Write the new data\r
+            #print json.dumps(data, sort_keys=True, indent=4)\r
+            jf.seek(0)\r
+            jf.write(json.dumps(data, sort_keys=True, indent=4))\r
+            jf.truncate()\r
+\r
+if __name__ == '__main__':\r
+    # Needed to re-use some JSON keys\r
+    change_file(sys.argv[1])
\ No newline at end of file
diff --git a/json/eth1.dump.json b/json/eth1.dump.json
new file mode 100644 (file)
index 0000000..d61fcaa
--- /dev/null
@@ -0,0 +1,1215830 @@
+[
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:31.460686000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493591.460686000",
+          "frame.time_delta": "0.000000000",
+          "frame.time_delta_displayed": "0.000000000",
+          "frame.time_relative": "0.000000000",
+          "frame.number": "1",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "00:17:88:69:ee:e4",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "b0:b9:8a:73:69:8e",
+          "arp.src.proto_ipv4": "192.168.0.1",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.160"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:31.461239000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493591.461239000",
+          "frame.time_delta": "0.000553000",
+          "frame.time_delta_displayed": "0.000553000",
+          "frame.time_relative": "0.000553000",
+          "frame.number": "2",
+          "frame.len": "60",
+          "frame.cap_len": "60",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806",
+          "eth.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "2",
+          "arp.src.hw_mac": "00:17:88:69:ee:e4",
+          "arp.src.proto_ipv4": "192.168.0.160",
+          "arp.dst.hw_mac": "b0:b9:8a:73:69:8e",
+          "arp.dst.proto_ipv4": "192.168.0.1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:31.525095000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493591.525095000",
+          "frame.time_delta": "0.063856000",
+          "frame.time_delta_displayed": "0.063856000",
+          "frame.time_relative": "0.064409000",
+          "frame.number": "3",
+          "frame.len": "120",
+          "frame.cap_len": "120",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "106",
+          "ip.id": "0x000094e8",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x00007861",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "54",
+          "tcp.seq": "1",
+          "tcp.nxtseq": "55",
+          "tcp.ack": "1",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x00001f54",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:b0:f1:a7:9a:fb:27",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2404593, TSecr 2811951911": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2404593",
+              "tcp.options.timestamp.tsecr": "2811951911"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "54",
+            "tcp.analysis.push_bytes_sent": "54"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "49",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:8f:40:fd:3b:3e:a4:2f:33:d8:3d:bc:c6:60:44:79:44:61:7e:ac:88:d7:ed:89:13:61:c2:de:36:ba:86:be:cb:cd:ac:1a:a3:07:bd:e3:0a:70:8a"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:31.585328000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493591.585328000",
+          "frame.time_delta": "0.060233000",
+          "frame.time_delta_displayed": "0.060233000",
+          "frame.time_relative": "0.124642000",
+          "frame.number": "4",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x00002be8",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x00003997",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "1",
+          "tcp.ack": "55",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000fbf4",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9a:fb:74:00:24:b0:f1",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811951988, TSecr 2404593": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811951988",
+              "tcp.options.timestamp.tsecr": "2404593"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "3",
+            "tcp.analysis.ack_rtt": "0.060233000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:33.000259000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493593.000259000",
+          "frame.time_delta": "1.414931000",
+          "frame.time_delta_displayed": "1.414931000",
+          "frame.time_relative": "1.539573000",
+          "frame.number": "5",
+          "frame.len": "136",
+          "frame.cap_len": "136",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:00:00:fb",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_fb",
+            "eth.addr": "01:00:5e:00:00:fb",
+            "eth.addr_resolved": "IPv4mcast_fb",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "64:bc:0c:43:3f:40",
+          "eth.src_tree": {
+            "eth.src_resolved": "LgElectr_43:3f:40",
+            "eth.addr": "64:bc:0c:43:3f:40",
+            "eth.addr_resolved": "LgElectr_43:3f:40",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "122",
+          "ip.id": "0x0000affd",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000295c",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.117",
+          "ip.addr": "192.168.0.117",
+          "ip.src_host": "192.168.0.117",
+          "ip.host": "192.168.0.117",
+          "ip.dst": "224.0.0.251",
+          "ip.addr": "224.0.0.251",
+          "ip.dst_host": "224.0.0.251",
+          "ip.host": "224.0.0.251",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "5353",
+          "udp.dstport": "5353",
+          "udp.port": "5353",
+          "udp.port": "5353",
+          "udp.length": "102",
+          "udp.checksum": "0x0000302a",
+          "udp.checksum.status": "2",
+          "udp.stream": "0"
+        },
+        "mdns": {
+          "dns.id": "0x00000003",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "0",
+          "Queries": {
+            "_%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local: type PTR, class IN, \"QM\" question": {
+              "dns.qry.name": "_%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local",
+              "dns.qry.name.len": "70",
+              "dns.count.labels": "5",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "0"
+            },
+            "_googlecast._tcp.local: type PTR, class IN, \"QM\" question": {
+              "dns.qry.name": "_googlecast._tcp.local",
+              "dns.qry.name.len": "22",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "0"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:34.421324000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493594.421324000",
+          "frame.time_delta": "1.421065000",
+          "frame.time_delta_displayed": "1.421065000",
+          "frame.time_relative": "2.960638000",
+          "frame.number": "6",
+          "frame.len": "60",
+          "frame.cap_len": "60",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800",
+          "eth.padding": "00:00:00:00:00:00"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "40",
+          "ip.id": "0x000057ce",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x0000a6c3",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "104.155.18.91",
+          "ip.addr": "104.155.18.91",
+          "ip.dst_host": "104.155.18.91",
+          "ip.host": "104.155.18.91",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, AS15169 Google Inc., Mountain View, CA, 37.419201, -122.057404": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_asnum": "AS15169 Google Inc.",
+            "ip.geoip.asnum": "AS15169 Google Inc.",
+            "ip.geoip.dst_city": "Mountain View, CA",
+            "ip.geoip.city": "Mountain View, CA",
+            "ip.geoip.dst_lat": "37.419201",
+            "ip.geoip.lat": "37.419201",
+            "ip.geoip.dst_lon": "-122.057404",
+            "ip.geoip.lon": "-122.057404"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "47009",
+          "tcp.dstport": "443",
+          "tcp.port": "47009",
+          "tcp.port": "443",
+          "tcp.stream": "1",
+          "tcp.len": "0",
+          "tcp.seq": "1",
+          "tcp.ack": "1",
+          "tcp.hdr_len": "20",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "4015",
+          "tcp.window_size": "4015",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x000006bf",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:34.559535000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493594.559535000",
+          "frame.time_delta": "0.138211000",
+          "frame.time_delta_displayed": "0.138211000",
+          "frame.time_relative": "3.098849000",
+          "frame.number": "7",
+          "frame.len": "120",
+          "frame.cap_len": "120",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "106",
+          "ip.id": "0x000094e9",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x00007860",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "54",
+          "tcp.seq": "55",
+          "tcp.nxtseq": "109",
+          "tcp.ack": "1",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000714d",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:b2:21:a7:9a:fb:74",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2404897, TSecr 2811951988": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2404897",
+              "tcp.options.timestamp.tsecr": "2811951988"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "54",
+            "tcp.analysis.push_bytes_sent": "54"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "49",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:90:47:73:e4:b3:40:55:49:ce:dd:2d:ea:3a:54:db:c0:d8:86:e7:de:c4:47:a6:dd:55:5f:9a:ba:06:d3:2b:bb:33:22:7d:1e:03:fd:43:97:1b:90"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:34.564399000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493594.564399000",
+          "frame.time_delta": "0.004864000",
+          "frame.time_delta_displayed": "0.004864000",
+          "frame.time_relative": "3.103713000",
+          "frame.number": "8",
+          "frame.len": "54",
+          "frame.cap_len": "54",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "00:17:88:69:ee:e4",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "40",
+          "ip.id": "0x00000fc0",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "49",
+          "ip.proto": "6",
+          "ip.checksum": "0x0000fdd1",
+          "ip.checksum.status": "2",
+          "ip.src": "104.155.18.91",
+          "ip.addr": "104.155.18.91",
+          "ip.src_host": "104.155.18.91",
+          "ip.host": "104.155.18.91",
+          "ip.dst": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.dst_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "Source GeoIP: United States, AS15169 Google Inc., Mountain View, CA, 37.419201, -122.057404": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_asnum": "AS15169 Google Inc.",
+            "ip.geoip.asnum": "AS15169 Google Inc.",
+            "ip.geoip.src_city": "Mountain View, CA",
+            "ip.geoip.city": "Mountain View, CA",
+            "ip.geoip.src_lat": "37.419201",
+            "ip.geoip.lat": "37.419201",
+            "ip.geoip.src_lon": "-122.057404",
+            "ip.geoip.lon": "-122.057404"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "47009",
+          "tcp.port": "443",
+          "tcp.port": "47009",
+          "tcp.stream": "1",
+          "tcp.len": "0",
+          "tcp.seq": "1",
+          "tcp.ack": "2",
+          "tcp.hdr_len": "20",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "1337",
+          "tcp.window_size": "1337",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x00001134",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.analysis": {
+            "tcp.analysis.flags": {
+              "_ws.expert": {
+                "tcp.analysis.ack_lost_segment": "",
+                "_ws.expert.message": "ACKed segment that wasn't captured (common at capture start)",
+                "_ws.expert.severity": "6291456",
+                "_ws.expert.group": "33554432"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:34.619651000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493594.619651000",
+          "frame.time_delta": "0.055252000",
+          "frame.time_delta_displayed": "0.055252000",
+          "frame.time_relative": "3.158965000",
+          "frame.number": "9",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x00002be9",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x00003996",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "1",
+          "tcp.ack": "109",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000f797",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9a:fe:6b:00:24:b2:21",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811952747, TSecr 2404897": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811952747",
+              "tcp.options.timestamp.tsecr": "2404897"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "7",
+            "tcp.analysis.ack_rtt": "0.060116000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:35.983656000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493595.983656000",
+          "frame.time_delta": "1.364005000",
+          "frame.time_delta_displayed": "1.364005000",
+          "frame.time_relative": "4.522970000",
+          "frame.number": "10",
+          "frame.len": "86",
+          "frame.cap_len": "86",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:data"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "60:57:18:8e:aa:94",
+          "eth.src_tree": {
+            "eth.src_resolved": "IntelCor_8e:aa:94",
+            "eth.addr": "60:57:18:8e:aa:94",
+            "eth.addr_resolved": "IntelCor_8e:aa:94",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "72",
+          "ip.id": "0x00005ab2",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "128",
+          "ip.proto": "17",
+          "ip.checksum": "0x00005d37",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.108",
+          "ip.addr": "192.168.0.108",
+          "ip.src_host": "192.168.0.108",
+          "ip.host": "192.168.0.108",
+          "ip.dst": "192.168.0.255",
+          "ip.addr": "192.168.0.255",
+          "ip.dst_host": "192.168.0.255",
+          "ip.host": "192.168.0.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "57621",
+          "udp.dstport": "57621",
+          "udp.port": "57621",
+          "udp.port": "57621",
+          "udp.length": "52",
+          "udp.checksum": "0x0000199e",
+          "udp.checksum.status": "2",
+          "udp.stream": "1"
+        },
+        "data": {
+          "data.data": "53:70:6f:74:55:64:70:30:fb:51:3e:9d:68:73:23:53:00:01:00:04:48:95:c2:03:32:d0:2f:5b:95:bc:88:2d:c5:fe:3a:aa:80:f4:96:c1:f5:8d:ba:30",
+          "data.len": "44"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:40.218247000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493600.218247000",
+          "frame.time_delta": "4.234591000",
+          "frame.time_delta_displayed": "4.234591000",
+          "frame.time_relative": "8.757561000",
+          "frame.number": "11",
+          "frame.len": "130",
+          "frame.cap_len": "130",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:data"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:02:41:da",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_02:41:da",
+            "eth.addr": "d0:73:d5:02:41:da",
+            "eth.addr_resolved": "LifiLabs_02:41:da",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "116",
+          "ip.id": "0x00000a7c",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000ee14",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.152",
+          "ip.addr": "192.168.0.152",
+          "ip.src_host": "192.168.0.152",
+          "ip.host": "192.168.0.152",
+          "ip.dst": "192.168.0.255",
+          "ip.addr": "192.168.0.255",
+          "ip.dst_host": "192.168.0.255",
+          "ip.host": "192.168.0.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "56700",
+          "udp.dstport": "56700",
+          "udp.port": "56700",
+          "udp.port": "56700",
+          "udp.length": "96",
+          "udp.checksum": "0x0000af75",
+          "udp.checksum.status": "2",
+          "udp.stream": "2"
+        },
+        "data": {
+          "data.data": "58:00:00:54:42:52:4b:52:d0:73:d5:02:41:da:00:00:4c:49:46:58:56:32:00:00:c4:01:79:55:6e:cc:f2:14:6b:00:00:00:52:a0:21:21:33:33:34:21:00:00:00:00:4c:49:46:58:20:30:32:34:31:64:61:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          "data.len": "88"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:53.696454000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493613.696454000",
+          "frame.time_delta": "13.478207000",
+          "frame.time_delta_displayed": "13.478207000",
+          "frame.time_relative": "22.235768000",
+          "frame.number": "12",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "50:c7:bf:59:d5:84",
+          "eth.src_tree": {
+            "eth.src_resolved": "Tp-LinkT_59:d5:84",
+            "eth.addr": "50:c7:bf:59:d5:84",
+            "eth.addr_resolved": "Tp-LinkT_59:d5:84",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "50:c7:bf:59:d5:84",
+          "arp.src.proto_ipv4": "192.168.0.221",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:54.771721000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493614.771721000",
+          "frame.time_delta": "1.075267000",
+          "frame.time_delta_displayed": "1.075267000",
+          "frame.time_relative": "23.311035000",
+          "frame.number": "13",
+          "frame.len": "54",
+          "frame.cap_len": "54",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:igmp:igmp"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:00:00:16",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_16",
+            "eth.addr": "01:00:5e:00:00:16",
+            "eth.addr_resolved": "IPv4mcast_16",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "64:bc:0c:43:3f:40",
+          "eth.src_tree": {
+            "eth.src_resolved": "LgElectr_43:3f:40",
+            "eth.addr": "64:bc:0c:43:3f:40",
+            "eth.addr_resolved": "LgElectr_43:3f:40",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "24",
+          "ip.dsfield": "0x000000c0",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "48",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "40",
+          "ip.id": "0x00000000",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "1",
+          "ip.proto": "2",
+          "ip.checksum": "0x000042dc",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.117",
+          "ip.addr": "192.168.0.117",
+          "ip.src_host": "192.168.0.117",
+          "ip.host": "192.168.0.117",
+          "ip.dst": "224.0.0.22",
+          "ip.addr": "224.0.0.22",
+          "ip.dst_host": "224.0.0.22",
+          "ip.host": "224.0.0.22",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": "",
+          "Options: (4 bytes), Router Alert": {
+            "Router Alert (4 bytes): Router shall examine packet (0)": {
+              "ip.opt.type": "148",
+              "ip.opt.type_tree": {
+                "ip.opt.type.copy": "1",
+                "ip.opt.type.class": "0",
+                "ip.opt.type.number": "20"
+              },
+              "ip.opt.len": "4",
+              "ip.opt.ra": "0"
+            }
+          }
+        },
+        "igmp": {
+          "igmp.version": "3",
+          "igmp.type": "0x00000022",
+          "igmp.reserved": "00",
+          "igmp.checksum": "0x0000fa02",
+          "igmp.checksum.status": "1",
+          "igmp.reserved": "00:00",
+          "igmp.num_grp_recs": "1",
+          "Group Record : 224.0.0.251  Change To Include Mode": {
+            "igmp.record_type": "3",
+            "igmp.aux_data_len": "0",
+            "igmp.num_src": "0",
+            "igmp.maddr": "224.0.0.251"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:55.758033000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493615.758033000",
+          "frame.time_delta": "0.986312000",
+          "frame.time_delta_displayed": "0.986312000",
+          "frame.time_relative": "24.297347000",
+          "frame.number": "14",
+          "frame.len": "20",
+          "frame.cap_len": "20",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:llc"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "ac:cf:23:5a:9c:e2",
+          "eth.src_tree": {
+            "eth.src_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.addr": "ac:cf:23:5a:9c:e2",
+            "eth.addr_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.len": "6"
+        },
+        "llc": {
+          "llc.dsap": "0x00000000",
+          "llc.dsap_tree": {
+            "llc.dsap.sap": "0",
+            "llc.dsap.ig": "0"
+          },
+          "llc.ssap": "0x00000001",
+          "llc.ssap_tree": {
+            "llc.ssap.sap": "0",
+            "llc.ssap.cr": "1"
+          },
+          "llc.control": "0x000000af",
+          "llc.control_tree": {
+            "llc.control.u_modifier_resp": "0x0000002b",
+            "llc.control.ftype": "0x00000003"
+          }
+        },
+        "basicxid": {
+          "basicxid.llc.xid.format": "0x00000081",
+          "basicxid.llc.xid.types": "0x00000001",
+          "basicxid.llc.xid.wsize": "0"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:56.017456000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493616.017456000",
+          "frame.time_delta": "0.259423000",
+          "frame.time_delta_displayed": "0.259423000",
+          "frame.time_relative": "24.556770000",
+          "frame.number": "15",
+          "frame.len": "350",
+          "frame.cap_len": "350",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:bootp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "ac:cf:23:5a:9c:e2",
+          "eth.src_tree": {
+            "eth.src_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.addr": "ac:cf:23:5a:9c:e2",
+            "eth.addr_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "336",
+          "ip.id": "0x00000000",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000ba9d",
+          "ip.checksum.status": "2",
+          "ip.src": "0.0.0.0",
+          "ip.addr": "0.0.0.0",
+          "ip.src_host": "0.0.0.0",
+          "ip.host": "0.0.0.0",
+          "ip.dst": "255.255.255.255",
+          "ip.addr": "255.255.255.255",
+          "ip.dst_host": "255.255.255.255",
+          "ip.host": "255.255.255.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "68",
+          "udp.dstport": "67",
+          "udp.port": "68",
+          "udp.port": "67",
+          "udp.length": "316",
+          "udp.checksum": "0x00004f9e",
+          "udp.checksum.status": "2",
+          "udp.stream": "3"
+        },
+        "bootp": {
+          "bootp.type": "1",
+          "bootp.hw.type": "0x00000001",
+          "bootp.hw.len": "6",
+          "bootp.hops": "0",
+          "bootp.id": "0xabcd0001",
+          "bootp.secs": "0",
+          "bootp.flags": "0x00000000",
+          "bootp.flags_tree": {
+            "bootp.flags.bc": "0",
+            "bootp.flags.reserved": "0x00000000"
+          },
+          "bootp.ip.client": "0.0.0.0",
+          "bootp.ip.your": "0.0.0.0",
+          "bootp.ip.server": "0.0.0.0",
+          "bootp.ip.relay": "0.0.0.0",
+          "bootp.hw.mac_addr": "ac:cf:23:5a:9c:e2",
+          "bootp.hw.addr_padding": "00:00:00:00:00:00:00:00:00:00",
+          "bootp.server": "",
+          "bootp.file": "",
+          "bootp.dhcp": "1",
+          "bootp.cookie": "99.130.83.99",
+          "bootp.option.type": "53",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "1",
+            "bootp.option.value": "01",
+            "bootp.option.dhcp": "1"
+          },
+          "bootp.option.type": "12",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "14",
+            "bootp.option.value": "55:53:52:2d:57:49:46:49:32:33:32:2d:47:32",
+            "bootp.option.hostname": "USR-WIFI232-G2"
+          },
+          "bootp.option.type": "57",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "2",
+            "bootp.option.value": "05:dc",
+            "bootp.option.dhcp_max_message_size": "1500"
+          },
+          "bootp.option.type": "55",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "4",
+            "bootp.option.value": "01:03:1c:06",
+            "bootp.option.request_list_item": "1",
+            "bootp.option.request_list_item": "3",
+            "bootp.option.request_list_item": "28",
+            "bootp.option.request_list_item": "6"
+          },
+          "bootp.option.type": "0",
+          "bootp.option.type_tree": {
+            "bootp.option.end": "255"
+          },
+          "bootp.option.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:56.033832000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493616.033832000",
+          "frame.time_delta": "0.016376000",
+          "frame.time_delta_displayed": "0.016376000",
+          "frame.time_relative": "24.573146000",
+          "frame.number": "16",
+          "frame.len": "350",
+          "frame.cap_len": "350",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:bootp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "ac:cf:23:5a:9c:e2",
+          "eth.src_tree": {
+            "eth.src_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.addr": "ac:cf:23:5a:9c:e2",
+            "eth.addr_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "336",
+          "ip.id": "0x00000001",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000ba9c",
+          "ip.checksum.status": "2",
+          "ip.src": "0.0.0.0",
+          "ip.addr": "0.0.0.0",
+          "ip.src_host": "0.0.0.0",
+          "ip.host": "0.0.0.0",
+          "ip.dst": "255.255.255.255",
+          "ip.addr": "255.255.255.255",
+          "ip.dst_host": "255.255.255.255",
+          "ip.host": "255.255.255.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "68",
+          "udp.dstport": "67",
+          "udp.port": "68",
+          "udp.port": "67",
+          "udp.length": "316",
+          "udp.checksum": "0x000080b3",
+          "udp.checksum.status": "2",
+          "udp.stream": "3"
+        },
+        "bootp": {
+          "bootp.type": "1",
+          "bootp.hw.type": "0x00000001",
+          "bootp.hw.len": "6",
+          "bootp.hops": "0",
+          "bootp.id": "0xabcd0002",
+          "bootp.secs": "0",
+          "bootp.flags": "0x00000000",
+          "bootp.flags_tree": {
+            "bootp.flags.bc": "0",
+            "bootp.flags.reserved": "0x00000000"
+          },
+          "bootp.ip.client": "0.0.0.0",
+          "bootp.ip.your": "0.0.0.0",
+          "bootp.ip.server": "0.0.0.0",
+          "bootp.ip.relay": "0.0.0.0",
+          "bootp.hw.mac_addr": "ac:cf:23:5a:9c:e2",
+          "bootp.hw.addr_padding": "00:00:00:00:00:00:00:00:00:00",
+          "bootp.server": "",
+          "bootp.file": "",
+          "bootp.dhcp": "1",
+          "bootp.cookie": "99.130.83.99",
+          "bootp.option.type": "53",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "1",
+            "bootp.option.value": "03",
+            "bootp.option.dhcp": "3"
+          },
+          "bootp.option.type": "12",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "14",
+            "bootp.option.value": "55:53:52:2d:57:49:46:49:32:33:32:2d:47:32",
+            "bootp.option.hostname": "USR-WIFI232-G2"
+          },
+          "bootp.option.type": "57",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "2",
+            "bootp.option.value": "05:dc",
+            "bootp.option.dhcp_max_message_size": "1500"
+          },
+          "bootp.option.type": "50",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "4",
+            "bootp.option.value": "c0:a8:00:72",
+            "bootp.option.requested_ip_address": "192.168.0.114"
+          },
+          "bootp.option.type": "54",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "4",
+            "bootp.option.value": "c0:a8:00:01",
+            "bootp.option.dhcp_server_id": "192.168.0.1"
+          },
+          "bootp.option.type": "55",
+          "bootp.option.type_tree": {
+            "bootp.option.length": "4",
+            "bootp.option.value": "01:03:1c:06",
+            "bootp.option.request_list_item": "1",
+            "bootp.option.request_list_item": "3",
+            "bootp.option.request_list_item": "28",
+            "bootp.option.request_list_item": "6"
+          },
+          "bootp.option.type": "0",
+          "bootp.option.type_tree": {
+            "bootp.option.end": "255"
+          },
+          "bootp.option.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:56.048621000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493616.048621000",
+          "frame.time_delta": "0.014789000",
+          "frame.time_delta_displayed": "0.014789000",
+          "frame.time_relative": "24.587935000",
+          "frame.number": "17",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "ac:cf:23:5a:9c:e2",
+          "eth.src_tree": {
+            "eth.src_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.addr": "ac:cf:23:5a:9c:e2",
+            "eth.addr_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "ac:cf:23:5a:9c:e2",
+          "arp.src.proto_ipv4": "0.0.0.0",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.114"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:56.132571000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493616.132571000",
+          "frame.time_delta": "0.083950000",
+          "frame.time_delta_displayed": "0.083950000",
+          "frame.time_relative": "24.671885000",
+          "frame.number": "18",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "ac:cf:23:5a:9c:e2",
+          "eth.src_tree": {
+            "eth.src_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.addr": "ac:cf:23:5a:9c:e2",
+            "eth.addr_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "ac:cf:23:5a:9c:e2",
+          "arp.src.proto_ipv4": "0.0.0.0",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.114"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:58.485460000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493618.485460000",
+          "frame.time_delta": "2.352889000",
+          "frame.time_delta_displayed": "2.352889000",
+          "frame.time_relative": "27.024774000",
+          "frame.number": "19",
+          "frame.len": "90",
+          "frame.cap_len": "90",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ntp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000010",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "4",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "76",
+          "ip.id": "0x00004864",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000106c",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "74.117.214.3",
+          "ip.addr": "74.117.214.3",
+          "ip.dst_host": "74.117.214.3",
+          "ip.host": "74.117.214.3",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, AS4539 Schweitzer Engineering Laboratories, Inc., Pullman, WA, 46.732201, -117.245598": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_asnum": "AS4539 Schweitzer Engineering Laboratories, Inc.",
+            "ip.geoip.asnum": "AS4539 Schweitzer Engineering Laboratories, Inc.",
+            "ip.geoip.dst_city": "Pullman, WA",
+            "ip.geoip.city": "Pullman, WA",
+            "ip.geoip.dst_lat": "46.732201",
+            "ip.geoip.lat": "46.732201",
+            "ip.geoip.dst_lon": "-117.245598",
+            "ip.geoip.lon": "-117.245598"
+          }
+        },
+        "udp": {
+          "udp.srcport": "34835",
+          "udp.dstport": "123",
+          "udp.port": "34835",
+          "udp.port": "123",
+          "udp.length": "56",
+          "udp.checksum": "0x0000311c",
+          "udp.checksum.status": "2",
+          "udp.stream": "4"
+        },
+        "ntp": {
+          "ntp.flags": "0x00000023",
+          "ntp.flags_tree": {
+            "ntp.flags.li": "0",
+            "ntp.flags.vn": "4",
+            "ntp.flags.mode": "3"
+          },
+          "ntp.stratum": "0",
+          "ntp.ppoll": "0",
+          "ntp.precision": "0",
+          "ntp.rootdelay": "0",
+          "ntp.rootdispersion": "0",
+          "ntp.refid": "00:00:00:00",
+          "ntp.reftime": "Dec 31, 1969 16:00:00.000000000 PST",
+          "ntp.org": "Dec 31, 1969 16:00:00.000000000 PST",
+          "ntp.rec": "Dec 31, 1969 16:00:00.000000000 PST",
+          "ntp.xmt": "Jan  7, 2089 02:20:12.279176000 PST"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:46:58.525889000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493618.525889000",
+          "frame.time_delta": "0.040429000",
+          "frame.time_delta_displayed": "0.040429000",
+          "frame.time_relative": "27.065203000",
+          "frame.number": "20",
+          "frame.len": "90",
+          "frame.cap_len": "90",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ntp"
+        },
+        "eth": {
+          "eth.dst": "00:17:88:69:ee:e4",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "76",
+          "ip.id": "0x0000c8eb",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "44",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000a3f4",
+          "ip.checksum.status": "2",
+          "ip.src": "74.117.214.3",
+          "ip.addr": "74.117.214.3",
+          "ip.src_host": "74.117.214.3",
+          "ip.host": "74.117.214.3",
+          "ip.dst": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.dst_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "Source GeoIP: United States, AS4539 Schweitzer Engineering Laboratories, Inc., Pullman, WA, 46.732201, -117.245598": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_asnum": "AS4539 Schweitzer Engineering Laboratories, Inc.",
+            "ip.geoip.asnum": "AS4539 Schweitzer Engineering Laboratories, Inc.",
+            "ip.geoip.src_city": "Pullman, WA",
+            "ip.geoip.city": "Pullman, WA",
+            "ip.geoip.src_lat": "46.732201",
+            "ip.geoip.lat": "46.732201",
+            "ip.geoip.src_lon": "-117.245598",
+            "ip.geoip.lon": "-117.245598"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "123",
+          "udp.dstport": "34835",
+          "udp.port": "123",
+          "udp.port": "34835",
+          "udp.length": "56",
+          "udp.checksum": "0x000063c1",
+          "udp.checksum.status": "2",
+          "udp.stream": "4"
+        },
+        "ntp": {
+          "ntp.flags": "0x00000024",
+          "ntp.flags_tree": {
+            "ntp.flags.li": "0",
+            "ntp.flags.vn": "4",
+            "ntp.flags.mode": "4"
+          },
+          "ntp.stratum": "1",
+          "ntp.ppoll": "3",
+          "ntp.precision": "-23",
+          "ntp.rootdelay": "0",
+          "ntp.rootdispersion": "0.001068115234375",
+          "ntp.refid": "50:50:53:00",
+          "ntp.reftime": "Oct 31, 2017 16:46:53.114475000 PDT",
+          "ntp.org": "Jan  7, 2089 02:20:12.279176000 PST",
+          "ntp.rec": "Oct 31, 2017 16:46:58.514446000 PDT",
+          "ntp.xmt": "Oct 31, 2017 16:46:58.514477000 PDT"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:00.543661000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493620.543661000",
+          "frame.time_delta": "2.017772000",
+          "frame.time_delta_displayed": "2.017772000",
+          "frame.time_relative": "29.082975000",
+          "frame.number": "21",
+          "frame.len": "115",
+          "frame.cap_len": "115",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "101",
+          "ip.id": "0x000094ea",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x00007864",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "49",
+          "tcp.seq": "109",
+          "tcp.nxtseq": "158",
+          "tcp.ack": "1",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x00005de4",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:bc:47:a7:9a:fe:6b",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2407495, TSecr 2811952747": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2407495",
+              "tcp.options.timestamp.tsecr": "2811952747"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "49",
+            "tcp.analysis.push_bytes_sent": "49"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "44",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:91:96:6d:d1:4d:44:24:23:66:a2:95:ac:22:a2:1e:a9:8c:7d:3a:ba:54:0b:7a:83:23:4b:76:94:8b:6a:3b:c2:e4:f3:9b:15:67"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:00.603876000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493620.603876000",
+          "frame.time_delta": "0.060215000",
+          "frame.time_delta_displayed": "0.060215000",
+          "frame.time_relative": "29.143190000",
+          "frame.number": "22",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x00002bea",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x00003995",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "1",
+          "tcp.ack": "158",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000d3e0",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9b:17:cb:00:24:bc:47",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811959243, TSecr 2407495": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811959243",
+              "tcp.options.timestamp.tsecr": "2407495"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "21",
+            "tcp.analysis.ack_rtt": "0.060215000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:00.604430000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493620.604430000",
+          "frame.time_delta": "0.000554000",
+          "frame.time_delta_displayed": "0.000554000",
+          "frame.time_relative": "29.143744000",
+          "frame.number": "23",
+          "frame.len": "121",
+          "frame.cap_len": "121",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "107",
+          "ip.id": "0x00002beb",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x0000395d",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "55",
+          "tcp.seq": "1",
+          "tcp.nxtseq": "56",
+          "tcp.ack": "158",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000913d",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9b:17:cb:00:24:bc:47",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811959243, TSecr 2407495": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811959243",
+              "tcp.options.timestamp.tsecr": "2407495"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "55",
+            "tcp.analysis.push_bytes_sent": "55"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "50",
+            "ssl.app_data": "34:cd:34:17:47:48:0e:2d:cd:91:0a:2a:7b:f0:0d:6f:02:ea:4c:c2:c1:25:61:5c:a0:94:d4:c7:75:e1:78:0d:a0:ed:b3:8c:e2:31:ea:1a:39:f2:81:f0:4e:c0:99:a3:a6:f9"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:00.638103000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493620.638103000",
+          "frame.time_delta": "0.033673000",
+          "frame.time_delta_displayed": "0.033673000",
+          "frame.time_relative": "29.177417000",
+          "frame.number": "24",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x000094eb",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x00007894",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "158",
+          "tcp.ack": "56",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000d2b0",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:bc:51:a7:9b:17:cb",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2407505, TSecr 2811959243": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2407505",
+              "tcp.options.timestamp.tsecr": "2811959243"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "23",
+            "tcp.analysis.ack_rtt": "0.033673000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:01.221862000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493621.221862000",
+          "frame.time_delta": "0.583759000",
+          "frame.time_delta_displayed": "0.583759000",
+          "frame.time_relative": "29.761176000",
+          "frame.number": "25",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "ac:cf:23:5a:9c:e2",
+          "eth.src_tree": {
+            "eth.src_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.addr": "ac:cf:23:5a:9c:e2",
+            "eth.addr_resolved": "Hi-Flyin_5a:9c:e2",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "ac:cf:23:5a:9c:e2",
+          "arp.src.proto_ipv4": "192.168.0.114",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:03.491176000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493623.491176000",
+          "frame.time_delta": "2.269314000",
+          "frame.time_delta_displayed": "2.269314000",
+          "frame.time_relative": "32.030490000",
+          "frame.number": "26",
+          "frame.len": "60",
+          "frame.cap_len": "60",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806",
+          "eth.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "00:17:88:69:ee:e4",
+          "arp.src.proto_ipv4": "192.168.0.160",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:03.491268000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493623.491268000",
+          "frame.time_delta": "0.000092000",
+          "frame.time_delta_displayed": "0.000092000",
+          "frame.time_relative": "32.030582000",
+          "frame.number": "27",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "00:17:88:69:ee:e4",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "2",
+          "arp.src.hw_mac": "b0:b9:8a:73:69:8e",
+          "arp.src.proto_ipv4": "192.168.0.1",
+          "arp.dst.hw_mac": "00:17:88:69:ee:e4",
+          "arp.dst.proto_ipv4": "192.168.0.160"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:03.527902000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493623.527902000",
+          "frame.time_delta": "0.036634000",
+          "frame.time_delta_displayed": "0.036634000",
+          "frame.time_relative": "32.067216000",
+          "frame.number": "28",
+          "frame.len": "275",
+          "frame.cap_len": "275",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:00:00:fb",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_fb",
+            "eth.addr": "01:00:5e:00:00:fb",
+            "eth.addr_resolved": "IPv4mcast_fb",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "261",
+          "ip.id": "0x00001cc7",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.ttl_tree": {
+            "_ws.expert": {
+              "ip.ttl.lncb": "",
+              "_ws.expert.message": "\"Time To Live\" != 255 for a packet sent to the Local Network Control Block (see RFC 3171)",
+              "_ws.expert.severity": "4194304",
+              "_ws.expert.group": "33554432"
+            }
+          },
+          "ip.proto": "17",
+          "ip.checksum": "0x0000bb29",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.84",
+          "ip.addr": "192.168.0.84",
+          "ip.src_host": "192.168.0.84",
+          "ip.host": "192.168.0.84",
+          "ip.dst": "224.0.0.251",
+          "ip.addr": "224.0.0.251",
+          "ip.dst_host": "224.0.0.251",
+          "ip.host": "224.0.0.251",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1315",
+          "udp.dstport": "5353",
+          "udp.port": "1315",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x000013a3",
+          "udp.checksum.status": "2",
+          "udp.stream": "5"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:03.528427000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493623.528427000",
+          "frame.time_delta": "0.000525000",
+          "frame.time_delta_displayed": "0.000525000",
+          "frame.time_relative": "32.067741000",
+          "frame.number": "29",
+          "frame.len": "275",
+          "frame.cap_len": "275",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "261",
+          "ip.id": "0x00001cc8",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "17",
+          "ip.checksum": "0x00009c24",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.84",
+          "ip.addr": "192.168.0.84",
+          "ip.src_host": "192.168.0.84",
+          "ip.host": "192.168.0.84",
+          "ip.dst": "255.255.255.255",
+          "ip.addr": "255.255.255.255",
+          "ip.dst_host": "255.255.255.255",
+          "ip.host": "255.255.255.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1315",
+          "udp.dstport": "5353",
+          "udp.port": "1315",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x0000f49e",
+          "udp.checksum.status": "2",
+          "udp.stream": "6"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:03.529067000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493623.529067000",
+          "frame.time_delta": "0.000640000",
+          "frame.time_delta_displayed": "0.000640000",
+          "frame.time_relative": "32.068381000",
+          "frame.number": "30",
+          "frame.len": "295",
+          "frame.cap_len": "295",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ipv6:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "33:33:00:00:00:fb",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv6mcast_fb",
+            "eth.addr": "33:33:00:00:00:fb",
+            "eth.addr_resolved": "IPv6mcast_fb",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x000086dd"
+        },
+        "ipv6": {
+          "ipv6.version": "6",
+          "ip.version": "6",
+          "ipv6.tclass": "0x00000000",
+          "ipv6.tclass_tree": {
+            "ipv6.tclass.dscp": "0",
+            "ipv6.tclass.ecn": "0"
+          },
+          "ipv6.flow": "0x00000000",
+          "ipv6.plen": "241",
+          "ipv6.nxt": "17",
+          "ipv6.hlim": "1",
+          "ipv6.src": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.addr": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.src_host": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.host": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.src_sa_mac": "d0:73:d5:12:8e:30",
+          "ipv6.sa_mac": "d0:73:d5:12:8e:30",
+          "ipv6.dst": "ff02::fb",
+          "ipv6.addr": "ff02::fb",
+          "ipv6.dst_host": "ff02::fb",
+          "ipv6.host": "ff02::fb",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1316",
+          "udp.dstport": "5353",
+          "udp.port": "1316",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x00008264",
+          "udp.checksum.status": "2",
+          "udp.stream": "7"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:04.561273000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493624.561273000",
+          "frame.time_delta": "1.032206000",
+          "frame.time_delta_displayed": "1.032206000",
+          "frame.time_relative": "33.100587000",
+          "frame.number": "31",
+          "frame.len": "60",
+          "frame.cap_len": "60",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800",
+          "eth.padding": "00:00:00:00:00:00"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "40",
+          "ip.id": "0x000057cf",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x0000a6c2",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "104.155.18.91",
+          "ip.addr": "104.155.18.91",
+          "ip.dst_host": "104.155.18.91",
+          "ip.host": "104.155.18.91",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, AS15169 Google Inc., Mountain View, CA, 37.419201, -122.057404": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_asnum": "AS15169 Google Inc.",
+            "ip.geoip.asnum": "AS15169 Google Inc.",
+            "ip.geoip.dst_city": "Mountain View, CA",
+            "ip.geoip.city": "Mountain View, CA",
+            "ip.geoip.dst_lat": "37.419201",
+            "ip.geoip.lat": "37.419201",
+            "ip.geoip.dst_lon": "-122.057404",
+            "ip.geoip.lon": "-122.057404"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "47009",
+          "tcp.dstport": "443",
+          "tcp.port": "47009",
+          "tcp.port": "443",
+          "tcp.stream": "1",
+          "tcp.len": "0",
+          "tcp.seq": "1",
+          "tcp.ack": "1",
+          "tcp.hdr_len": "20",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "4015",
+          "tcp.window_size": "4015",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x000006bf",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.analysis": {
+            "tcp.analysis.flags": {
+              "tcp.analysis.duplicate_ack": ""
+            },
+            "tcp.analysis.duplicate_ack_num": "1",
+            "tcp.analysis.duplicate_ack_frame": "6",
+            "tcp.analysis.duplicate_ack_frame_tree": {
+              "_ws.expert": {
+                "tcp.analysis.duplicate_ack": "",
+                "_ws.expert.message": "Duplicate ACK (#1)",
+                "_ws.expert.severity": "4194304",
+                "_ws.expert.group": "33554432"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:04.704683000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493624.704683000",
+          "frame.time_delta": "0.143410000",
+          "frame.time_delta_displayed": "0.143410000",
+          "frame.time_relative": "33.243997000",
+          "frame.number": "32",
+          "frame.len": "54",
+          "frame.cap_len": "54",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "00:17:88:69:ee:e4",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "40",
+          "ip.id": "0x00000fc1",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "49",
+          "ip.proto": "6",
+          "ip.checksum": "0x0000fdd0",
+          "ip.checksum.status": "2",
+          "ip.src": "104.155.18.91",
+          "ip.addr": "104.155.18.91",
+          "ip.src_host": "104.155.18.91",
+          "ip.host": "104.155.18.91",
+          "ip.dst": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.dst_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "Source GeoIP: United States, AS15169 Google Inc., Mountain View, CA, 37.419201, -122.057404": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_asnum": "AS15169 Google Inc.",
+            "ip.geoip.asnum": "AS15169 Google Inc.",
+            "ip.geoip.src_city": "Mountain View, CA",
+            "ip.geoip.city": "Mountain View, CA",
+            "ip.geoip.src_lat": "37.419201",
+            "ip.geoip.lat": "37.419201",
+            "ip.geoip.src_lon": "-122.057404",
+            "ip.geoip.lon": "-122.057404"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "47009",
+          "tcp.port": "443",
+          "tcp.port": "47009",
+          "tcp.stream": "1",
+          "tcp.len": "0",
+          "tcp.seq": "1",
+          "tcp.ack": "2",
+          "tcp.hdr_len": "20",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "1337",
+          "tcp.window_size": "1337",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x00001134",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.analysis": {
+            "tcp.analysis.flags": {
+              "_ws.expert": {
+                "tcp.analysis.ack_lost_segment": "",
+                "_ws.expert.message": "ACKed segment that wasn't captured (common at capture start)",
+                "_ws.expert.severity": "6291456",
+                "_ws.expert.group": "33554432"
+              },
+              "tcp.analysis.duplicate_ack": ""
+            },
+            "tcp.analysis.duplicate_ack_num": "1",
+            "tcp.analysis.duplicate_ack_frame": "8",
+            "tcp.analysis.duplicate_ack_frame_tree": {
+              "_ws.expert": {
+                "tcp.analysis.duplicate_ack": "",
+                "_ws.expert.message": "Duplicate ACK (#1)",
+                "_ws.expert.severity": "4194304",
+                "_ws.expert.group": "33554432"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.302997000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.302997000",
+          "frame.time_delta": "0.598314000",
+          "frame.time_delta_displayed": "0.598314000",
+          "frame.time_relative": "33.842311000",
+          "frame.number": "33",
+          "frame.len": "352",
+          "frame.cap_len": "352",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ssdp"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:7f:ff:fa",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.addr": "01:00:5e:7f:ff:fa",
+            "eth.addr_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "338",
+          "ip.id": "0x00003bf8",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x00008d5f",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "239.255.255.250",
+          "ip.addr": "239.255.255.250",
+          "ip.dst_host": "239.255.255.250",
+          "ip.host": "239.255.255.250",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1900",
+          "udp.dstport": "1900",
+          "udp.port": "1900",
+          "udp.port": "1900",
+          "udp.length": "318",
+          "udp.checksum": "0x0000d568",
+          "udp.checksum.status": "2",
+          "udp.stream": "8"
+        },
+        "ssdp": {
+          "NOTIFY * HTTP\/1.1\\r\\n": {
+            "_ws.expert": {
+              "http.chat": "",
+              "_ws.expert.message": "NOTIFY * HTTP\/1.1\\r\\n",
+              "_ws.expert.severity": "2097152",
+              "_ws.expert.group": "33554432"
+            },
+            "http.request.method": "NOTIFY",
+            "http.request.uri": "*",
+            "http.request.version": "HTTP\/1.1"
+          },
+          "http.host": "239.255.255.250:1900",
+          "http.cache_control": "max-age=100",
+          "http.location": "http:\/\/192.168.0.160:80\/description.xml",
+          "http.server": "Linux\/3.14.0 UPnP\/1.0 IpBridge\/1.21.0",
+          "http.unknown_header": "NTS: ssdp:alive\\r\\n",
+          "http.unknown_header": "hue-bridgeid: 001788FFFE69EEE4\\r\\n",
+          "http.unknown_header": "NT: upnp:rootdevice\\r\\n",
+          "http.unknown_header": "USN: uuid:2f402f80-da50-11e1-9b23-00178869eee4::upnp:rootdevice\\r\\n",
+          "\\r\\n": "",
+          "http.request.full_uri": "http:\/\/239.255.255.250:1900*",
+          "http.notification": "1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.355881000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.355881000",
+          "frame.time_delta": "0.052884000",
+          "frame.time_delta_displayed": "0.052884000",
+          "frame.time_relative": "33.895195000",
+          "frame.number": "34",
+          "frame.len": "352",
+          "frame.cap_len": "352",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ssdp"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:7f:ff:fa",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.addr": "01:00:5e:7f:ff:fa",
+            "eth.addr_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "338",
+          "ip.id": "0x00003bfc",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x00008d5b",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "239.255.255.250",
+          "ip.addr": "239.255.255.250",
+          "ip.dst_host": "239.255.255.250",
+          "ip.host": "239.255.255.250",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1900",
+          "udp.dstport": "1900",
+          "udp.port": "1900",
+          "udp.port": "1900",
+          "udp.length": "318",
+          "udp.checksum": "0x0000d568",
+          "udp.checksum.status": "2",
+          "udp.stream": "8"
+        },
+        "ssdp": {
+          "NOTIFY * HTTP\/1.1\\r\\n": {
+            "_ws.expert": {
+              "http.chat": "",
+              "_ws.expert.message": "NOTIFY * HTTP\/1.1\\r\\n",
+              "_ws.expert.severity": "2097152",
+              "_ws.expert.group": "33554432"
+            },
+            "http.request.method": "NOTIFY",
+            "http.request.uri": "*",
+            "http.request.version": "HTTP\/1.1"
+          },
+          "http.host": "239.255.255.250:1900",
+          "http.cache_control": "max-age=100",
+          "http.location": "http:\/\/192.168.0.160:80\/description.xml",
+          "http.server": "Linux\/3.14.0 UPnP\/1.0 IpBridge\/1.21.0",
+          "http.unknown_header": "NTS: ssdp:alive\\r\\n",
+          "http.unknown_header": "hue-bridgeid: 001788FFFE69EEE4\\r\\n",
+          "http.unknown_header": "NT: upnp:rootdevice\\r\\n",
+          "http.unknown_header": "USN: uuid:2f402f80-da50-11e1-9b23-00178869eee4::upnp:rootdevice\\r\\n",
+          "\\r\\n": "",
+          "http.request.full_uri": "http:\/\/239.255.255.250:1900*",
+          "http.notification": "1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.408741000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.408741000",
+          "frame.time_delta": "0.052860000",
+          "frame.time_delta_displayed": "0.052860000",
+          "frame.time_relative": "33.948055000",
+          "frame.number": "35",
+          "frame.len": "361",
+          "frame.cap_len": "361",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ssdp"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:7f:ff:fa",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.addr": "01:00:5e:7f:ff:fa",
+            "eth.addr_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "347",
+          "ip.id": "0x00003c01",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x00008d4d",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "239.255.255.250",
+          "ip.addr": "239.255.255.250",
+          "ip.dst_host": "239.255.255.250",
+          "ip.host": "239.255.255.250",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1900",
+          "udp.dstport": "1900",
+          "udp.port": "1900",
+          "udp.port": "1900",
+          "udp.length": "327",
+          "udp.checksum": "0x0000d264",
+          "udp.checksum.status": "2",
+          "udp.stream": "8"
+        },
+        "ssdp": {
+          "NOTIFY * HTTP\/1.1\\r\\n": {
+            "_ws.expert": {
+              "http.chat": "",
+              "_ws.expert.message": "NOTIFY * HTTP\/1.1\\r\\n",
+              "_ws.expert.severity": "2097152",
+              "_ws.expert.group": "33554432"
+            },
+            "http.request.method": "NOTIFY",
+            "http.request.uri": "*",
+            "http.request.version": "HTTP\/1.1"
+          },
+          "http.host": "239.255.255.250:1900",
+          "http.cache_control": "max-age=100",
+          "http.location": "http:\/\/192.168.0.160:80\/description.xml",
+          "http.server": "Linux\/3.14.0 UPnP\/1.0 IpBridge\/1.21.0",
+          "http.unknown_header": "NTS: ssdp:alive\\r\\n",
+          "http.unknown_header": "hue-bridgeid: 001788FFFE69EEE4\\r\\n",
+          "http.unknown_header": "NT: uuid:2f402f80-da50-11e1-9b23-00178869eee4\\r\\n",
+          "http.unknown_header": "USN: uuid:2f402f80-da50-11e1-9b23-00178869eee4\\r\\n",
+          "\\r\\n": "",
+          "http.request.full_uri": "http:\/\/239.255.255.250:1900*",
+          "http.notification": "1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.461937000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.461937000",
+          "frame.time_delta": "0.053196000",
+          "frame.time_delta_displayed": "0.053196000",
+          "frame.time_relative": "34.001251000",
+          "frame.number": "36",
+          "frame.len": "361",
+          "frame.cap_len": "361",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ssdp"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:7f:ff:fa",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.addr": "01:00:5e:7f:ff:fa",
+            "eth.addr_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "347",
+          "ip.id": "0x00003c05",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x00008d49",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "239.255.255.250",
+          "ip.addr": "239.255.255.250",
+          "ip.dst_host": "239.255.255.250",
+          "ip.host": "239.255.255.250",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1900",
+          "udp.dstport": "1900",
+          "udp.port": "1900",
+          "udp.port": "1900",
+          "udp.length": "327",
+          "udp.checksum": "0x0000d264",
+          "udp.checksum.status": "2",
+          "udp.stream": "8"
+        },
+        "ssdp": {
+          "NOTIFY * HTTP\/1.1\\r\\n": {
+            "_ws.expert": {
+              "http.chat": "",
+              "_ws.expert.message": "NOTIFY * HTTP\/1.1\\r\\n",
+              "_ws.expert.severity": "2097152",
+              "_ws.expert.group": "33554432"
+            },
+            "http.request.method": "NOTIFY",
+            "http.request.uri": "*",
+            "http.request.version": "HTTP\/1.1"
+          },
+          "http.host": "239.255.255.250:1900",
+          "http.cache_control": "max-age=100",
+          "http.location": "http:\/\/192.168.0.160:80\/description.xml",
+          "http.server": "Linux\/3.14.0 UPnP\/1.0 IpBridge\/1.21.0",
+          "http.unknown_header": "NTS: ssdp:alive\\r\\n",
+          "http.unknown_header": "hue-bridgeid: 001788FFFE69EEE4\\r\\n",
+          "http.unknown_header": "NT: uuid:2f402f80-da50-11e1-9b23-00178869eee4\\r\\n",
+          "http.unknown_header": "USN: uuid:2f402f80-da50-11e1-9b23-00178869eee4\\r\\n",
+          "\\r\\n": "",
+          "http.request.full_uri": "http:\/\/239.255.255.250:1900*",
+          "http.notification": "1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.514848000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.514848000",
+          "frame.time_delta": "0.052911000",
+          "frame.time_delta_displayed": "0.052911000",
+          "frame.time_relative": "34.054162000",
+          "frame.number": "37",
+          "frame.len": "355",
+          "frame.cap_len": "355",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ssdp"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:7f:ff:fa",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.addr": "01:00:5e:7f:ff:fa",
+            "eth.addr_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "341",
+          "ip.id": "0x00003c06",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x00008d4e",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "239.255.255.250",
+          "ip.addr": "239.255.255.250",
+          "ip.dst_host": "239.255.255.250",
+          "ip.host": "239.255.255.250",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1900",
+          "udp.dstport": "1900",
+          "udp.port": "1900",
+          "udp.port": "1900",
+          "udp.length": "321",
+          "udp.checksum": "0x00005094",
+          "udp.checksum.status": "2",
+          "udp.stream": "8"
+        },
+        "ssdp": {
+          "NOTIFY * HTTP\/1.1\\r\\n": {
+            "_ws.expert": {
+              "http.chat": "",
+              "_ws.expert.message": "NOTIFY * HTTP\/1.1\\r\\n",
+              "_ws.expert.severity": "2097152",
+              "_ws.expert.group": "33554432"
+            },
+            "http.request.method": "NOTIFY",
+            "http.request.uri": "*",
+            "http.request.version": "HTTP\/1.1"
+          },
+          "http.host": "239.255.255.250:1900",
+          "http.cache_control": "max-age=100",
+          "http.location": "http:\/\/192.168.0.160:80\/description.xml",
+          "http.server": "Linux\/3.14.0 UPnP\/1.0 IpBridge\/1.21.0",
+          "http.unknown_header": "NTS: ssdp:alive\\r\\n",
+          "http.unknown_header": "hue-bridgeid: 001788FFFE69EEE4\\r\\n",
+          "http.unknown_header": "NT: urn:schemas-upnp-org:device:basic:1\\r\\n",
+          "http.unknown_header": "USN: uuid:2f402f80-da50-11e1-9b23-00178869eee4\\r\\n",
+          "\\r\\n": "",
+          "http.request.full_uri": "http:\/\/239.255.255.250:1900*",
+          "http.notification": "1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.567770000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.567770000",
+          "frame.time_delta": "0.052922000",
+          "frame.time_delta_displayed": "0.052922000",
+          "frame.time_relative": "34.107084000",
+          "frame.number": "38",
+          "frame.len": "355",
+          "frame.cap_len": "355",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ssdp"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:7f:ff:fa",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.addr": "01:00:5e:7f:ff:fa",
+            "eth.addr_resolved": "IPv4mcast_7f:ff:fa",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "341",
+          "ip.id": "0x00003c08",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x00008d4c",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "239.255.255.250",
+          "ip.addr": "239.255.255.250",
+          "ip.dst_host": "239.255.255.250",
+          "ip.host": "239.255.255.250",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1900",
+          "udp.dstport": "1900",
+          "udp.port": "1900",
+          "udp.port": "1900",
+          "udp.length": "321",
+          "udp.checksum": "0x00005094",
+          "udp.checksum.status": "2",
+          "udp.stream": "8"
+        },
+        "ssdp": {
+          "NOTIFY * HTTP\/1.1\\r\\n": {
+            "_ws.expert": {
+              "http.chat": "",
+              "_ws.expert.message": "NOTIFY * HTTP\/1.1\\r\\n",
+              "_ws.expert.severity": "2097152",
+              "_ws.expert.group": "33554432"
+            },
+            "http.request.method": "NOTIFY",
+            "http.request.uri": "*",
+            "http.request.version": "HTTP\/1.1"
+          },
+          "http.host": "239.255.255.250:1900",
+          "http.cache_control": "max-age=100",
+          "http.location": "http:\/\/192.168.0.160:80\/description.xml",
+          "http.server": "Linux\/3.14.0 UPnP\/1.0 IpBridge\/1.21.0",
+          "http.unknown_header": "NTS: ssdp:alive\\r\\n",
+          "http.unknown_header": "hue-bridgeid: 001788FFFE69EEE4\\r\\n",
+          "http.unknown_header": "NT: urn:schemas-upnp-org:device:basic:1\\r\\n",
+          "http.unknown_header": "USN: uuid:2f402f80-da50-11e1-9b23-00178869eee4\\r\\n",
+          "\\r\\n": "",
+          "http.request.full_uri": "http:\/\/239.255.255.250:1900*",
+          "http.notification": "1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.610387000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.610387000",
+          "frame.time_delta": "0.042617000",
+          "frame.time_delta_displayed": "0.042617000",
+          "frame.time_relative": "34.149701000",
+          "frame.number": "39",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "b0:b9:8a:73:69:8e",
+          "arp.src.proto_ipv4": "192.168.0.1",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.242"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.610787000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.610787000",
+          "frame.time_delta": "0.000400000",
+          "frame.time_delta_displayed": "0.000400000",
+          "frame.time_relative": "34.150101000",
+          "frame.number": "40",
+          "frame.len": "60",
+          "frame.cap_len": "60",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806",
+          "eth.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "2",
+          "arp.src.hw_mac": "d0:52:a8:a3:60:0f",
+          "arp.src.proto_ipv4": "192.168.0.242",
+          "arp.dst.hw_mac": "b0:b9:8a:73:69:8e",
+          "arp.dst.proto_ipv4": "192.168.0.1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:05.984178000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493625.984178000",
+          "frame.time_delta": "0.373391000",
+          "frame.time_delta_displayed": "0.373391000",
+          "frame.time_relative": "34.523492000",
+          "frame.number": "41",
+          "frame.len": "86",
+          "frame.cap_len": "86",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:data"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "60:57:18:8e:aa:94",
+          "eth.src_tree": {
+            "eth.src_resolved": "IntelCor_8e:aa:94",
+            "eth.addr": "60:57:18:8e:aa:94",
+            "eth.addr_resolved": "IntelCor_8e:aa:94",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "72",
+          "ip.id": "0x00005ab9",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "128",
+          "ip.proto": "17",
+          "ip.checksum": "0x00005d30",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.108",
+          "ip.addr": "192.168.0.108",
+          "ip.src_host": "192.168.0.108",
+          "ip.host": "192.168.0.108",
+          "ip.dst": "192.168.0.255",
+          "ip.addr": "192.168.0.255",
+          "ip.dst_host": "192.168.0.255",
+          "ip.host": "192.168.0.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "57621",
+          "udp.dstport": "57621",
+          "udp.port": "57621",
+          "udp.port": "57621",
+          "udp.length": "52",
+          "udp.checksum": "0x0000199e",
+          "udp.checksum.status": "2",
+          "udp.stream": "1"
+        },
+        "data": {
+          "data.data": "53:70:6f:74:55:64:70:30:fb:51:3e:9d:68:73:23:53:00:01:00:04:48:95:c2:03:32:d0:2f:5b:95:bc:88:2d:c5:fe:3a:aa:80:f4:96:c1:f5:8d:ba:30",
+          "data.len": "44"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:07.419592000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493627.419592000",
+          "frame.time_delta": "1.435414000",
+          "frame.time_delta_displayed": "1.435414000",
+          "frame.time_relative": "35.958906000",
+          "frame.number": "42",
+          "frame.len": "130",
+          "frame.cap_len": "130",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:data"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:02:41:da",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_02:41:da",
+            "eth.addr": "d0:73:d5:02:41:da",
+            "eth.addr_resolved": "LifiLabs_02:41:da",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "116",
+          "ip.id": "0x00000a7e",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000ee12",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.152",
+          "ip.addr": "192.168.0.152",
+          "ip.src_host": "192.168.0.152",
+          "ip.host": "192.168.0.152",
+          "ip.dst": "192.168.0.255",
+          "ip.addr": "192.168.0.255",
+          "ip.dst_host": "192.168.0.255",
+          "ip.host": "192.168.0.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "56700",
+          "udp.dstport": "56700",
+          "udp.port": "56700",
+          "udp.port": "56700",
+          "udp.length": "96",
+          "udp.checksum": "0x0000a334",
+          "udp.checksum.status": "2",
+          "udp.stream": "2"
+        },
+        "data": {
+          "data.data": "58:00:00:54:50:48:53:52:d0:73:d5:02:41:da:00:00:4c:49:46:58:56:32:00:28:84:cf:a8:aa:74:cc:f2:14:6b:00:00:00:52:a0:21:21:33:33:34:21:00:00:00:00:4c:49:46:58:20:30:32:34:31:64:61:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          "data.len": "88"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:08.528314000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493628.528314000",
+          "frame.time_delta": "1.108722000",
+          "frame.time_delta_displayed": "1.108722000",
+          "frame.time_relative": "37.067628000",
+          "frame.number": "43",
+          "frame.len": "275",
+          "frame.cap_len": "275",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:00:00:fb",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_fb",
+            "eth.addr": "01:00:5e:00:00:fb",
+            "eth.addr_resolved": "IPv4mcast_fb",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "261",
+          "ip.id": "0x00001ccc",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.ttl_tree": {
+            "_ws.expert": {
+              "ip.ttl.lncb": "",
+              "_ws.expert.message": "\"Time To Live\" != 255 for a packet sent to the Local Network Control Block (see RFC 3171)",
+              "_ws.expert.severity": "4194304",
+              "_ws.expert.group": "33554432"
+            }
+          },
+          "ip.proto": "17",
+          "ip.checksum": "0x0000bb24",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.84",
+          "ip.addr": "192.168.0.84",
+          "ip.src_host": "192.168.0.84",
+          "ip.host": "192.168.0.84",
+          "ip.dst": "224.0.0.251",
+          "ip.addr": "224.0.0.251",
+          "ip.dst_host": "224.0.0.251",
+          "ip.host": "224.0.0.251",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1315",
+          "udp.dstport": "5353",
+          "udp.port": "1315",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x000013a3",
+          "udp.checksum.status": "2",
+          "udp.stream": "5"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:08.528845000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493628.528845000",
+          "frame.time_delta": "0.000531000",
+          "frame.time_delta_displayed": "0.000531000",
+          "frame.time_relative": "37.068159000",
+          "frame.number": "44",
+          "frame.len": "275",
+          "frame.cap_len": "275",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "261",
+          "ip.id": "0x00001ccd",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "17",
+          "ip.checksum": "0x00009c1f",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.84",
+          "ip.addr": "192.168.0.84",
+          "ip.src_host": "192.168.0.84",
+          "ip.host": "192.168.0.84",
+          "ip.dst": "255.255.255.255",
+          "ip.addr": "255.255.255.255",
+          "ip.dst_host": "255.255.255.255",
+          "ip.host": "255.255.255.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1315",
+          "udp.dstport": "5353",
+          "udp.port": "1315",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x0000f49e",
+          "udp.checksum.status": "2",
+          "udp.stream": "6"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:08.529437000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493628.529437000",
+          "frame.time_delta": "0.000592000",
+          "frame.time_delta_displayed": "0.000592000",
+          "frame.time_relative": "37.068751000",
+          "frame.number": "45",
+          "frame.len": "295",
+          "frame.cap_len": "295",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ipv6:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "33:33:00:00:00:fb",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv6mcast_fb",
+            "eth.addr": "33:33:00:00:00:fb",
+            "eth.addr_resolved": "IPv6mcast_fb",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x000086dd"
+        },
+        "ipv6": {
+          "ipv6.version": "6",
+          "ip.version": "6",
+          "ipv6.tclass": "0x00000000",
+          "ipv6.tclass_tree": {
+            "ipv6.tclass.dscp": "0",
+            "ipv6.tclass.ecn": "0"
+          },
+          "ipv6.flow": "0x00000000",
+          "ipv6.plen": "241",
+          "ipv6.nxt": "17",
+          "ipv6.hlim": "1",
+          "ipv6.src": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.addr": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.src_host": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.host": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.src_sa_mac": "d0:73:d5:12:8e:30",
+          "ipv6.sa_mac": "d0:73:d5:12:8e:30",
+          "ipv6.dst": "ff02::fb",
+          "ipv6.addr": "ff02::fb",
+          "ipv6.dst_host": "ff02::fb",
+          "ipv6.host": "ff02::fb",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1316",
+          "udp.dstport": "5353",
+          "udp.port": "1316",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x00008264",
+          "udp.checksum.status": "2",
+          "udp.stream": "7"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:09.719995000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493629.719995000",
+          "frame.time_delta": "1.190558000",
+          "frame.time_delta_displayed": "1.190558000",
+          "frame.time_relative": "38.259309000",
+          "frame.number": "46",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "00:17:88:69:ee:e4",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "b0:b9:8a:73:69:8e",
+          "arp.src.proto_ipv4": "192.168.0.1",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.160"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:09.720362000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493629.720362000",
+          "frame.time_delta": "0.000367000",
+          "frame.time_delta_displayed": "0.000367000",
+          "frame.time_relative": "38.259676000",
+          "frame.number": "47",
+          "frame.len": "60",
+          "frame.cap_len": "60",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806",
+          "eth.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "2",
+          "arp.src.hw_mac": "00:17:88:69:ee:e4",
+          "arp.src.proto_ipv4": "192.168.0.160",
+          "arp.dst.hw_mac": "b0:b9:8a:73:69:8e",
+          "arp.dst.proto_ipv4": "192.168.0.1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:13.528861000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493633.528861000",
+          "frame.time_delta": "3.808499000",
+          "frame.time_delta_displayed": "3.808499000",
+          "frame.time_relative": "42.068175000",
+          "frame.number": "48",
+          "frame.len": "275",
+          "frame.cap_len": "275",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "01:00:5e:00:00:fb",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv4mcast_fb",
+            "eth.addr": "01:00:5e:00:00:fb",
+            "eth.addr_resolved": "IPv4mcast_fb",
+            "eth.lg": "0",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "261",
+          "ip.id": "0x00001cce",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.ttl_tree": {
+            "_ws.expert": {
+              "ip.ttl.lncb": "",
+              "_ws.expert.message": "\"Time To Live\" != 255 for a packet sent to the Local Network Control Block (see RFC 3171)",
+              "_ws.expert.severity": "4194304",
+              "_ws.expert.group": "33554432"
+            }
+          },
+          "ip.proto": "17",
+          "ip.checksum": "0x0000bb22",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.84",
+          "ip.addr": "192.168.0.84",
+          "ip.src_host": "192.168.0.84",
+          "ip.host": "192.168.0.84",
+          "ip.dst": "224.0.0.251",
+          "ip.addr": "224.0.0.251",
+          "ip.dst_host": "224.0.0.251",
+          "ip.host": "224.0.0.251",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1315",
+          "udp.dstport": "5353",
+          "udp.port": "1315",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x000013a3",
+          "udp.checksum.status": "2",
+          "udp.stream": "5"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:13.529225000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493633.529225000",
+          "frame.time_delta": "0.000364000",
+          "frame.time_delta_displayed": "0.000364000",
+          "frame.time_relative": "42.068539000",
+          "frame.number": "49",
+          "frame.len": "275",
+          "frame.cap_len": "275",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "261",
+          "ip.id": "0x00001ccf",
+          "ip.flags": "0x00000000",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "0",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "17",
+          "ip.checksum": "0x00009c1d",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.84",
+          "ip.addr": "192.168.0.84",
+          "ip.src_host": "192.168.0.84",
+          "ip.host": "192.168.0.84",
+          "ip.dst": "255.255.255.255",
+          "ip.addr": "255.255.255.255",
+          "ip.dst_host": "255.255.255.255",
+          "ip.host": "255.255.255.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1315",
+          "udp.dstport": "5353",
+          "udp.port": "1315",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x0000f49e",
+          "udp.checksum.status": "2",
+          "udp.stream": "6"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:13.530911000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493633.530911000",
+          "frame.time_delta": "0.001686000",
+          "frame.time_delta_displayed": "0.001686000",
+          "frame.time_relative": "42.070225000",
+          "frame.number": "50",
+          "frame.len": "295",
+          "frame.cap_len": "295",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ipv6:udp:mdns"
+        },
+        "eth": {
+          "eth.dst": "33:33:00:00:00:fb",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "IPv6mcast_fb",
+            "eth.addr": "33:33:00:00:00:fb",
+            "eth.addr_resolved": "IPv6mcast_fb",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:12:8e:30",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_12:8e:30",
+            "eth.addr": "d0:73:d5:12:8e:30",
+            "eth.addr_resolved": "LifiLabs_12:8e:30",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x000086dd"
+        },
+        "ipv6": {
+          "ipv6.version": "6",
+          "ip.version": "6",
+          "ipv6.tclass": "0x00000000",
+          "ipv6.tclass_tree": {
+            "ipv6.tclass.dscp": "0",
+            "ipv6.tclass.ecn": "0"
+          },
+          "ipv6.flow": "0x00000000",
+          "ipv6.plen": "241",
+          "ipv6.nxt": "17",
+          "ipv6.hlim": "1",
+          "ipv6.src": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.addr": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.src_host": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.host": "fe80::d273:d5ff:fe12:8e30",
+          "ipv6.src_sa_mac": "d0:73:d5:12:8e:30",
+          "ipv6.sa_mac": "d0:73:d5:12:8e:30",
+          "ipv6.dst": "ff02::fb",
+          "ipv6.addr": "ff02::fb",
+          "ipv6.dst_host": "ff02::fb",
+          "ipv6.host": "ff02::fb",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "1316",
+          "udp.dstport": "5353",
+          "udp.port": "1316",
+          "udp.port": "5353",
+          "udp.length": "241",
+          "udp.checksum": "0x00008264",
+          "udp.checksum.status": "2",
+          "udp.stream": "7"
+        },
+        "mdns": {
+          "dns.id": "0x0000025a",
+          "dns.flags": "0x00000000",
+          "dns.flags_tree": {
+            "dns.flags.response": "0",
+            "dns.flags.opcode": "0",
+            "dns.flags.truncated": "0",
+            "dns.flags.recdesired": "0",
+            "dns.flags.z": "0",
+            "dns.flags.checkdisable": "0"
+          },
+          "dns.count.queries": "2",
+          "dns.count.answers": "0",
+          "dns.count.auth_rr": "0",
+          "dns.count.add_rr": "2",
+          "Queries": {
+            "_alljoyn._tcp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._tcp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            },
+            "_alljoyn._udp.local: type PTR, class IN, \"QU\" question": {
+              "dns.qry.name": "_alljoyn._udp.local",
+              "dns.qry.name.len": "19",
+              "dns.count.labels": "3",
+              "dns.qry.type": "12",
+              "dns.qry.class": "0x00000001",
+              "dns.qry.qu": "1"
+            }
+          },
+          "Additional records": {
+            "search.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "search.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "39",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "24",
+              "dns.txt": "n_1=org.alljoyn.BusNode*",
+              "dns.txt.length": "3",
+              "dns.txt": "m=1"
+            },
+            "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local: type TXT, class IN": {
+              "dns.resp.name": "sender-info.daccb9c1d32eeb2b4c1579b854d2ab20.local",
+              "dns.resp.type": "16",
+              "dns.resp.class": "0x00000001",
+              "dns.resp.cache_flush": "0",
+              "dns.resp.ttl": "120",
+              "dns.resp.len": "61",
+              "dns.txt.length": "9",
+              "dns.txt": "txtvers=0",
+              "dns.txt.length": "7",
+              "dns.txt": "ajpv=10",
+              "dns.txt.length": "4",
+              "dns.txt": "pv=2",
+              "dns.txt.length": "7",
+              "dns.txt": "sid=602",
+              "dns.txt.length": "17",
+              "dns.txt": "ipv4=192.168.0.84",
+              "dns.txt.length": "11",
+              "dns.txt": "upcv4=58873"
+            }
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:13.541745000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493633.541745000",
+          "frame.time_delta": "0.010834000",
+          "frame.time_delta_displayed": "0.010834000",
+          "frame.time_relative": "42.081059000",
+          "frame.number": "51",
+          "frame.len": "90",
+          "frame.cap_len": "90",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ntp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "00:17:88:69:ee:e4",
+          "eth.src_tree": {
+            "eth.src_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000010",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "4",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "76",
+          "ip.id": "0x000075f1",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "17",
+          "ip.checksum": "0x000038ed",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.src_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "ip.dst": "216.93.242.12",
+          "ip.addr": "216.93.242.12",
+          "ip.dst_host": "216.93.242.12",
+          "ip.host": "216.93.242.12",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, AS27552 TowardEX Technologies International, Inc., Boston, MA, 42.358398, -71.059799": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_asnum": "AS27552 TowardEX Technologies International, Inc.",
+            "ip.geoip.asnum": "AS27552 TowardEX Technologies International, Inc.",
+            "ip.geoip.dst_city": "Boston, MA",
+            "ip.geoip.city": "Boston, MA",
+            "ip.geoip.dst_lat": "42.358398",
+            "ip.geoip.lat": "42.358398",
+            "ip.geoip.dst_lon": "-71.059799",
+            "ip.geoip.lon": "-71.059799"
+          }
+        },
+        "udp": {
+          "udp.srcport": "40339",
+          "udp.dstport": "123",
+          "udp.port": "40339",
+          "udp.port": "123",
+          "udp.length": "56",
+          "udp.checksum": "0x00009ecf",
+          "udp.checksum.status": "2",
+          "udp.stream": "9"
+        },
+        "ntp": {
+          "ntp.flags": "0x00000023",
+          "ntp.flags_tree": {
+            "ntp.flags.li": "0",
+            "ntp.flags.vn": "4",
+            "ntp.flags.mode": "3"
+          },
+          "ntp.stratum": "0",
+          "ntp.ppoll": "0",
+          "ntp.precision": "0",
+          "ntp.rootdelay": "0",
+          "ntp.rootdispersion": "0",
+          "ntp.refid": "00:00:00:00",
+          "ntp.reftime": "Dec 31, 1969 16:00:00.000000000 PST",
+          "ntp.org": "Dec 31, 1969 16:00:00.000000000 PST",
+          "ntp.rec": "Dec 31, 1969 16:00:00.000000000 PST",
+          "ntp.xmt": "Jun 10, 2096 18:29:07.167176000 PDT"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:13.621058000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493633.621058000",
+          "frame.time_delta": "0.079313000",
+          "frame.time_delta_displayed": "0.079313000",
+          "frame.time_relative": "42.160372000",
+          "frame.number": "52",
+          "frame.len": "90",
+          "frame.cap_len": "90",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:ntp"
+        },
+        "eth": {
+          "eth.dst": "00:17:88:69:ee:e4",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "PhilipsL_69:ee:e4",
+            "eth.addr": "00:17:88:69:ee:e4",
+            "eth.addr_resolved": "PhilipsL_69:ee:e4",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "76",
+          "ip.id": "0x000086d8",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "48",
+          "ip.proto": "17",
+          "ip.checksum": "0x00003816",
+          "ip.checksum.status": "2",
+          "ip.src": "216.93.242.12",
+          "ip.addr": "216.93.242.12",
+          "ip.src_host": "216.93.242.12",
+          "ip.host": "216.93.242.12",
+          "ip.dst": "192.168.0.160",
+          "ip.addr": "192.168.0.160",
+          "ip.dst_host": "192.168.0.160",
+          "ip.host": "192.168.0.160",
+          "Source GeoIP: United States, AS27552 TowardEX Technologies International, Inc., Boston, MA, 42.358398, -71.059799": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_asnum": "AS27552 TowardEX Technologies International, Inc.",
+            "ip.geoip.asnum": "AS27552 TowardEX Technologies International, Inc.",
+            "ip.geoip.src_city": "Boston, MA",
+            "ip.geoip.city": "Boston, MA",
+            "ip.geoip.src_lat": "42.358398",
+            "ip.geoip.lat": "42.358398",
+            "ip.geoip.src_lon": "-71.059799",
+            "ip.geoip.lon": "-71.059799"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "123",
+          "udp.dstport": "40339",
+          "udp.port": "123",
+          "udp.port": "40339",
+          "udp.length": "56",
+          "udp.checksum": "0x00003b96",
+          "udp.checksum.status": "2",
+          "udp.stream": "9"
+        },
+        "ntp": {
+          "ntp.flags": "0x00000024",
+          "ntp.flags_tree": {
+            "ntp.flags.li": "0",
+            "ntp.flags.vn": "4",
+            "ntp.flags.mode": "4"
+          },
+          "ntp.stratum": "2",
+          "ntp.ppoll": "3",
+          "ntp.precision": "-23",
+          "ntp.rootdelay": "0.0053558349609375",
+          "ntp.rootdispersion": "0.03155517578125",
+          "ntp.refid": "c8:62:c4:d4",
+          "ntp.reftime": "Oct 31, 2017 16:33:49.359642000 PDT",
+          "ntp.org": "Jun 10, 2096 18:29:07.167176000 PDT",
+          "ntp.rec": "Oct 31, 2017 16:47:13.588613000 PDT",
+          "ntp.xmt": "Oct 31, 2017 16:47:13.588671000 PDT"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:13.746762000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493633.746762000",
+          "frame.time_delta": "0.125704000",
+          "frame.time_delta_displayed": "0.125704000",
+          "frame.time_relative": "42.286076000",
+          "frame.number": "53",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "60:f1:89:96:45:f6",
+          "eth.src_tree": {
+            "eth.src_resolved": "MurataMa_96:45:f6",
+            "eth.addr": "60:f1:89:96:45:f6",
+            "eth.addr_resolved": "MurataMa_96:45:f6",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.src.hw_mac": "60:f1:89:96:45:f6",
+          "arp.src.proto_ipv4": "192.168.0.86",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.1"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:25.218154000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493645.218154000",
+          "frame.time_delta": "11.471392000",
+          "frame.time_delta_displayed": "11.471392000",
+          "frame.time_relative": "53.757468000",
+          "frame.number": "54",
+          "frame.len": "80",
+          "frame.cap_len": "80",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:udp:data"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "d0:73:d5:02:41:da",
+          "eth.src_tree": {
+            "eth.src_resolved": "LifiLabs_02:41:da",
+            "eth.addr": "d0:73:d5:02:41:da",
+            "eth.addr_resolved": "LifiLabs_02:41:da",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "66",
+          "ip.id": "0x00000a80",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "255",
+          "ip.proto": "17",
+          "ip.checksum": "0x0000ee42",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.152",
+          "ip.addr": "192.168.0.152",
+          "ip.src_host": "192.168.0.152",
+          "ip.host": "192.168.0.152",
+          "ip.dst": "192.168.0.255",
+          "ip.addr": "192.168.0.255",
+          "ip.dst_host": "192.168.0.255",
+          "ip.host": "192.168.0.255",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: Unknown": ""
+        },
+        "udp": {
+          "udp.srcport": "56700",
+          "udp.dstport": "56700",
+          "udp.port": "56700",
+          "udp.port": "56700",
+          "udp.length": "46",
+          "udp.checksum": "0x00007e94",
+          "udp.checksum.status": "2",
+          "udp.stream": "2"
+        },
+        "data": {
+          "data.data": "26:00:00:54:42:52:4b:52:d0:73:d5:02:41:da:00:00:4c:49:46:58:56:32:00:00:84:41:9f:cf:78:cc:f2:14:6f:00:00:00:c1:0b",
+          "data.len": "38"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.083960000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.083960000",
+          "frame.time_delta": "0.865806000",
+          "frame.time_delta_displayed": "0.865806000",
+          "frame.time_relative": "54.623274000",
+          "frame.number": "55",
+          "frame.len": "264",
+          "frame.cap_len": "264",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "250",
+          "ip.id": "0x00002bec",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x000038cd",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "198",
+          "tcp.seq": "56",
+          "tcp.nxtseq": "254",
+          "tcp.ack": "158",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x00007695",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9b:30:ad:00:24:bc:51",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811965613, TSecr 2407505": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811965613",
+              "tcp.options.timestamp.tsecr": "2407505"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "198",
+            "tcp.analysis.push_bytes_sent": "198"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "193",
+            "ssl.app_data": "34:cd:34:17:47:48:0e:2e:ee:3f:a7:c9:bc:b0:9f:d9:c7:77:ff:f8:d5:80:aa:68:73:b1:2f:53:62:1f:d4:32:93:57:02:85:54:a8:6e:f7:42:17:b5:18:2d:f5:51:18:5f:e5:0b:6c:64:e2:90:d4:46:86:b7:f8:ed:69:35:4e:50:5b:8c:78:d3:4a:4e:6f:0e:12:ce:69:c3:ea:b8:31:ca:f4:92:44:78:b1:c6:3c:1b:a2:5b:47:0e:55:bb:72:63:e2:17:87:e6:fe:0c:1d:a2:0f:df:eb:6c:db:de:93:3e:87:04:4e:67:6e:9b:71:0e:2a:ef:43:0f:22:47:f7:a9:84:3f:b8:d2:24:ed:8a:a1:1c:9b:d6:b4:1e:ab:30:42:20:20:79:f3:c9:cf:66:e0:9e:3e:38:45:1c:d7:b3:37:e7:0b:b3:89:f9:c8:54:2a:b7:f8:b6:ec:31:d9:65:73:65:f8:7c:d2:b5:41:38:ec:78:be:b1:75:8c:07:8c:5b"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.084449000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.084449000",
+          "frame.time_delta": "0.000489000",
+          "frame.time_delta_displayed": "0.000489000",
+          "frame.time_relative": "54.623763000",
+          "frame.number": "56",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x000094ec",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x00007893",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "158",
+          "tcp.ack": "254",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000af18",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:c6:41:a7:9b:30:ad",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2410049, TSecr 2811965613": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2410049",
+              "tcp.options.timestamp.tsecr": "2811965613"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "55",
+            "tcp.analysis.ack_rtt": "0.000489000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.093607000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.093607000",
+          "frame.time_delta": "0.009158000",
+          "frame.time_delta_displayed": "0.009158000",
+          "frame.time_relative": "54.632921000",
+          "frame.number": "57",
+          "frame.len": "119",
+          "frame.cap_len": "119",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "105",
+          "ip.id": "0x000094ed",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x0000785d",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "53",
+          "tcp.seq": "158",
+          "tcp.nxtseq": "211",
+          "tcp.ack": "254",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x00001096",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:c6:42:a7:9b:30:ad",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2410050, TSecr 2811965613": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2410050",
+              "tcp.options.timestamp.tsecr": "2811965613"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "53",
+            "tcp.analysis.push_bytes_sent": "53"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "48",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:92:ea:b5:ea:52:5f:79:7f:ed:24:82:0c:61:88:ff:f9:75:9c:b5:d1:61:d4:68:42:e7:9f:b5:88:74:80:8d:23:8d:e6:97:e8:4e:34:b2:67:f8"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.190175000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.190175000",
+          "frame.time_delta": "0.096568000",
+          "frame.time_delta_displayed": "0.096568000",
+          "frame.time_relative": "54.729489000",
+          "frame.number": "58",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x00002bed",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x00003992",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "254",
+          "tcp.ack": "211",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000afb6",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9b:30:c8:00:24:c6:42",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811965640, TSecr 2410050": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811965640",
+              "tcp.options.timestamp.tsecr": "2410050"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "57",
+            "tcp.analysis.ack_rtt": "0.096568000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.190781000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.190781000",
+          "frame.time_delta": "0.000606000",
+          "frame.time_delta_displayed": "0.000606000",
+          "frame.time_relative": "54.730095000",
+          "frame.number": "59",
+          "frame.len": "1442",
+          "frame.cap_len": "1442",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "1428",
+          "ip.id": "0x000094ee",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x00007331",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "1376",
+          "tcp.seq": "211",
+          "tcp.nxtseq": "1587",
+          "tcp.ack": "254",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000ee28",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:c6:4c:a7:9b:30:c8",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2410060, TSecr 2811965640": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2410060",
+              "tcp.options.timestamp.tsecr": "2811965640"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "1376",
+            "tcp.analysis.push_bytes_sent": "1376"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "49",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:93:8b:91:05:ee:e1:b3:91:e0:b7:a8:b8:72:99:dc:43:29:06:04:59:82:24:7f:11:37:e9:6a:e7:9f:b6:55:9c:6f:1a:7f:29:19:f0:e2:34:43:fa"
+          },
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "96",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:94:c6:c7:78:fd:42:3c:36:57:cb:d3:53:48:5e:98:fa:d5:72:6e:ec:c1:99:dc:37:45:63:10:04:af:37:34:75:b8:8a:b6:3f:5c:71:4b:d9:0c:49:11:d6:88:85:8d:4d:88:97:bd:98:d6:c6:d2:e4:e0:2d:51:88:75:63:1f:9b:5d:a2:0e:ed:31:d0:5d:f7:d5:2d:c8:96:fa:03:4a:51:64:c6:85:ff:e3:4d:b1:b2:5e"
+          },
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "1078",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:95:c7:e4:55:6e:36:ac:bf:c2:43:35:cf:b0:b8:3e:22:5b:8f:f7:f8:df:56:c3:5d:35:fd:27:5c:27:05:67:ac:81:9d:3a:c4:85:3b:64:35:65:11:ca:d1:49:2a:b6:8a:fb:ec:bf:38:67:a9:b6:d8:3e:01:32:9e:c0:06:e0:49:66:32:fe:45:24:dc:a7:0d:bd:2b:e2:1d:48:50:5d:ee:74:b9:68:4e:79:15:9f:60:59:3a:23:ad:bd:1d:0a:de:a7:e4:a0:78:5e:08:34:1b:21:8c:0e:94:6f:03:92:8f:8d:5c:2a:5b:67:0a:b4:c5:d4:0a:fa:af:bc:ff:2c:a2:a9:c0:de:b3:81:69:5e:f2:a3:0b:f9:de:c8:e1:0b:da:35:d6:ac:48:47:3d:f2:d8:47:8f:ce:6b:30:4a:fa:d4:e8:ff:11:dd:92:64:b3:1a:2b:d5:0b:2a:b9:cf:37:19:0d:e6:22:f4:e6:dc:0a:16:17:e4:1f:a3:fc:e5:5b:73:d9:df:82:4f:bd:04:0b:b7:b8:35:29:e4:10:5e:1f:09:10:4b:25:d4:83:9e:f4:ea:24:05:00:a9:fc:b0:dc:8a:54:ad:2b:ae:3c:97:1c:d7:1c:6a:8a:5d:ac:8a:78:54:c9:d9:fe:da:2c:cd:d7:7e:bf:ad:da:06:b7:47:3f:49:bf:27:ec:13:63:c1:08:22:99:b6:e3:03:0b:0d:15:45:ae:81:b9:05:ea:3e:74:82:89:eb:2a:f0:e9:91:e9:44:bb:c5:a3:c5:9e:55:9c:52:45:1b:04:7f:94:7d:0e:50:c1:6a:3c:58:3e:59:8f:ff:36:d8:27:64:ec:1f:b0:c8:d2:ae:ef:e4:f1:4c:19:cb:3a:2e:44:04:8d:38:10:13:d5:df:fb:6a:56:67:76:95:30:01:77:b8:fc:cd:7d:f6:9d:bc:dd:bf:50:13:00:43:58:19:35:7b:2d:d0:2a:8b:d0:2e:b2:fc:20:97:14:58:b6:19:f8:7e:69:61:43:45:d1:3c:0e:85:27:b1:a4:90:78:92:a8:4f:ef:de:a4:ee:37:df:31:00:98:ee:88:7b:e6:4e:44:3d:22:11:74:c2:75:68:1b:d7:e7:f9:9d:bc:2d:3e:be:af:6d:0f:b7:3a:64:48:13:c0:ce:49:68:cb:a3:6d:52:54:27:4e:4f:65:10:2c:0b:63:d4:d9:a4:57:65:63:08:4b:24:d8:46:d7:74:d5:20:b0:db:e0:26:ee:67:f4:1b:c2:a5:32:26:56:4b:d3:c2:c8:c5:71:e6:91:4b:0d:83:95:ae:4f:c1:a3:7a:9e:2b:14:d3:d4:23:ca:b7:16:d3:0b:d1:0a:ae:b9:6e:8a:e2:88:6d:e4:e4:a0:b5:ca:7a:81:19:1e:6b:27:dd:2e:22:8e:7d:55:79:71:7a:67:5e:90:a2:17:8f:22:d9:dd:15:e8:21:7a:17:6c:4e:00:45:4c:37:4c:77:6b:8a:3f:43:65:6c:93:91:48:7e:0e:0f:ed:0d:a8:3e:bd:44:4b:00:d2:52:76:31:7f:54:2b:f2:78:96:5e:61:67:f4:0a:64:ad:1b:39:3b:b7:0b:b1:a9:13:77:18:27:8f:61:87:36:2b:93:aa:fc:35:4d:05:04:76:a7:0a:31:e9:c4:6e:4a:f7:e1:11:79:10:bc:98:f9:19:a4:fb:82:1f:ea:1f:6b:a4:5a:25:d7:3e:c6:9d:fa:b9:16:22:1f:e6:93:10:0d:17:d7:5c:c0:53:69:9d:d2:f0:f6:71:57:35:c5:6b:5f:d9:f2:67:83:65:81:87:1a:74:96:c0:50:79:85:88:ab:bc:26:56:58:e0:da:e7:f5:a6:3b:f5:cb:70:76:ea:70:42:97:7f:4e:ec:56:34:99:82:e0:40:ad:99:80:f6:81:5d:1a:55:e0:68:44:0e:b3:f4:cf:5c:01:02:e3:16:f8:d7:47:52:79:72:bb:07:2a:d8:7e:1b:89:36:37:2e:70:32:67:f2:51:fe:c0:c3:24:de:34:c3:b5:37:52:85:0a:13:ec:04:55:a6:60:13:80:4c:ff:f1:66:c9:5f:ca:a4:69:e5:42:cf:b6:7e:b6:7f:70:de:7a:1a:09:35:e7:d5:1a:1f:89:a4:3e:3a:cb:c1:7b:41:77:80:52:81:84:37:7b:28:5f:ad:b9:6d:cc:71:c3:30:12:5d:99:93:c7:ef:7b:4b:ce:a3:d4:12:90:41:20:4b:d6:0c:43:96:5d:fc:35:07:e1:14:6a:b3:8f:c8:54:6c:8b:2d:df:d1:e7:81:aa:6b:74:d4:54:8b:41:b2:86:fc:0e:a2:85:10:d5:03:41:8b:e7:e9:00:52:79:32:3c:08:68:f8:e4:66:af:7c:04:0d:2a:6c:b4:a6:82:0b:1f:b3:45:60:d6:ba:5f:b7:3e:72:f4:cd:b6:47:79:db:82:65:59:4d:3c:66:1f:73:cc:6e:08:3d:6d:04:54:dc:3a:23:e3:06:81:ce:99:e9:07:0a:c5:f4:d0:19:b5:55:40:d0:40:37:31:66:da:5d:0f:0e:47:0d:73:48:cc:75:7e:79:b6:a8:82:3e:a3:76:b4:3d:86:51:e2:ff:b3:dd:67:d5:29:ab:e6:cd:ac:e2:9f:48:b1:e3:e1:ee:27:47:ab:d5:4a:8b:23:3f:60:49:96:3b:c6:a6:f3:83:53:17:6a:8b:d9:f8:5d:9f:66:31:12:5a:ae:c6:e3:7c:8a:ba:ed:61:0f:43:e4:bb:06:ae:34:33:6c:3d:a6:76:e7:76:4f:9e:88:14:ec:be:84:e1:9d:6e:fc:09:16:b4:72:a6:1f:e2:29:26"
+          },
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "133",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:96:01:34:45:a8:77:0f:e6:a5:79:36:ee:5e:94:9b:6a:23:38:63:d3:30:11:7d:3f:78:e5:b0:ff:1a:7c:4a:46:4b:37:6f:c4:dc:e0:10:8a:8a:fd:2f:02:38:dd:0e:cb:f7:b4:52:b0:e1:c9:ed:0b:0f:a9:eb:e6:4e:c6:41:07:37:ca:57:33:51:d1:b0:7f:17:54:7c:41:48:77:35:bb:50:f3:35:af:17:da:99:d5:9f:7c:99:1e:d8:5c:65:ac:94:5f:d1:ab:c0:da:ed:80:8c:07:17:a2:e5:18:00:d1:72:7f:ac:ad:57:6e:b0:71:3b:d3:ec:00:61:5e"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.319405000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.319405000",
+          "frame.time_delta": "0.128624000",
+          "frame.time_delta_displayed": "0.128624000",
+          "frame.time_relative": "54.858719000",
+          "frame.number": "60",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x00002bee",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x00003991",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "254",
+          "tcp.ack": "1587",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000aa3d",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9b:30:d7:00:24:c6:4c",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811965655, TSecr 2410060": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811965655",
+              "tcp.options.timestamp.tsecr": "2410060"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "59",
+            "tcp.analysis.ack_rtt": "0.128624000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.508912000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.508912000",
+          "frame.time_delta": "0.189507000",
+          "frame.time_delta_displayed": "0.189507000",
+          "frame.time_relative": "55.048226000",
+          "frame.number": "61",
+          "frame.len": "120",
+          "frame.cap_len": "120",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
+        },
+        "eth": {
+          "eth.dst": "b0:b9:8a:73:69:8e",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "d0:52:a8:a3:60:0f",
+          "eth.src_tree": {
+            "eth.src_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "106",
+          "ip.id": "0x000094ef",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "64",
+          "ip.proto": "6",
+          "ip.checksum": "0x0000785a",
+          "ip.checksum.status": "2",
+          "ip.src": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.src_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "ip.dst": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.dst_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "Source GeoIP: Unknown": "",
+          "Destination GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.dst_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.dst_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.dst_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.dst_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          }
+        },
+        "tcp": {
+          "tcp.srcport": "44970",
+          "tcp.dstport": "443",
+          "tcp.port": "44970",
+          "tcp.port": "443",
+          "tcp.stream": "0",
+          "tcp.len": "54",
+          "tcp.seq": "1587",
+          "tcp.nxtseq": "1641",
+          "tcp.ack": "254",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000018",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "1",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7AP\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "661",
+          "tcp.window_size": "661",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000bbc2",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:00:24:c6:6c:a7:9b:30:d7",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2410092, TSecr 2811965655": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2410092",
+              "tcp.options.timestamp.tsecr": "2811965655"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.bytes_in_flight": "54",
+            "tcp.analysis.push_bytes_sent": "54"
+          }
+        },
+        "ssl": {
+          "ssl.record": {
+            "ssl.record.content_type": "23",
+            "ssl.record.version": "0x00000303",
+            "ssl.record.length": "49",
+            "ssl.app_data": "13:6b:24:d2:9f:7e:44:97:3c:9f:c9:ef:3f:50:f0:6f:40:e1:3b:93:b6:11:d8:1a:1d:95:50:a9:77:6e:4a:1f:d5:eb:c9:f0:48:c7:6e:d3:59:5e:d2:11:7d:75:38:35:65"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:26.569125000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493646.569125000",
+          "frame.time_delta": "0.060213000",
+          "frame.time_delta_displayed": "0.060213000",
+          "frame.time_relative": "55.108439000",
+          "frame.number": "62",
+          "frame.len": "66",
+          "frame.cap_len": "66",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:ip:tcp"
+        },
+        "eth": {
+          "eth.dst": "d0:52:a8:a3:60:0f",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Physical_a3:60:0f",
+            "eth.addr": "d0:52:a8:a3:60:0f",
+            "eth.addr_resolved": "Physical_a3:60:0f",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.src": "b0:b9:8a:73:69:8e",
+          "eth.src_tree": {
+            "eth.src_resolved": "Netgear_73:69:8e",
+            "eth.addr": "b0:b9:8a:73:69:8e",
+            "eth.addr_resolved": "Netgear_73:69:8e",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000800"
+        },
+        "ip": {
+          "ip.version": "4",
+          "ip.hdr_len": "20",
+          "ip.dsfield": "0x00000000",
+          "ip.dsfield_tree": {
+            "ip.dsfield.dscp": "0",
+            "ip.dsfield.ecn": "0"
+          },
+          "ip.len": "52",
+          "ip.id": "0x00002bef",
+          "ip.flags": "0x00000002",
+          "ip.flags_tree": {
+            "ip.flags.rb": "0",
+            "ip.flags.df": "1",
+            "ip.flags.mf": "0"
+          },
+          "ip.frag_offset": "0",
+          "ip.ttl": "232",
+          "ip.proto": "6",
+          "ip.checksum": "0x00003990",
+          "ip.checksum.status": "2",
+          "ip.src": "13.59.94.111",
+          "ip.addr": "13.59.94.111",
+          "ip.src_host": "13.59.94.111",
+          "ip.host": "13.59.94.111",
+          "ip.dst": "192.168.0.242",
+          "ip.addr": "192.168.0.242",
+          "ip.dst_host": "192.168.0.242",
+          "ip.host": "192.168.0.242",
+          "Source GeoIP: United States, Norwalk, CT, 41.127102, -73.441597": {
+            "ip.geoip.src_country": "United States",
+            "ip.geoip.country": "United States",
+            "ip.geoip.src_city": "Norwalk, CT",
+            "ip.geoip.city": "Norwalk, CT",
+            "ip.geoip.src_lat": "41.127102",
+            "ip.geoip.lat": "41.127102",
+            "ip.geoip.src_lon": "-73.441597",
+            "ip.geoip.lon": "-73.441597"
+          },
+          "Destination GeoIP: Unknown": ""
+        },
+        "tcp": {
+          "tcp.srcport": "443",
+          "tcp.dstport": "44970",
+          "tcp.port": "443",
+          "tcp.port": "44970",
+          "tcp.stream": "0",
+          "tcp.len": "0",
+          "tcp.seq": "254",
+          "tcp.ack": "1641",
+          "tcp.hdr_len": "32",
+          "tcp.flags": "0x00000010",
+          "tcp.flags_tree": {
+            "tcp.flags.res": "0",
+            "tcp.flags.ns": "0",
+            "tcp.flags.cwr": "0",
+            "tcp.flags.ecn": "0",
+            "tcp.flags.urg": "0",
+            "tcp.flags.ack": "1",
+            "tcp.flags.push": "0",
+            "tcp.flags.reset": "0",
+            "tcp.flags.syn": "0",
+            "tcp.flags.fin": "0",
+            "tcp.flags.str": "\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7A\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7\u00c2\u00b7"
+          },
+          "tcp.window_size_value": "422",
+          "tcp.window_size": "422",
+          "tcp.window_size_scalefactor": "-1",
+          "tcp.checksum": "0x0000a998",
+          "tcp.checksum.status": "2",
+          "tcp.urgent_pointer": "0",
+          "tcp.options": "01:01:08:0a:a7:9b:31:26:00:24:c6:6c",
+          "tcp.options_tree": {
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "No-Operation (NOP)": {
+              "tcp.options.type": "1",
+              "tcp.options.type_tree": {
+                "tcp.options.type.copy": "0",
+                "tcp.options.type.class": "0",
+                "tcp.options.type.number": "1"
+              }
+            },
+            "Timestamps: TSval 2811965734, TSecr 2410092": {
+              "tcp.option_kind": "8",
+              "tcp.option_len": "10",
+              "tcp.options.timestamp.tsval": "2811965734",
+              "tcp.options.timestamp.tsecr": "2410092"
+            }
+          },
+          "tcp.analysis": {
+            "tcp.analysis.acks_frame": "61",
+            "tcp.analysis.ack_rtt": "0.060213000"
+          }
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:28.852812000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493648.852812000",
+          "frame.time_delta": "2.283687000",
+          "frame.time_delta_displayed": "2.283687000",
+          "frame.time_relative": "57.392126000",
+          "frame.number": "63",
+          "frame.len": "60",
+          "frame.cap_len": "60",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",
+            "eth.addr": "ff:ff:ff:ff:ff:ff",
+            "eth.addr_resolved": "Broadcast",
+            "eth.lg": "1",
+            "eth.ig": "1"
+          },
+          "eth.src": "3c:ef:8c:6f:79:5a",
+          "eth.src_tree": {
+            "eth.src_resolved": "Zhejiang_6f:79:5a",
+            "eth.addr": "3c:ef:8c:6f:79:5a",
+            "eth.addr_resolved": "Zhejiang_6f:79:5a",
+            "eth.lg": "0",
+            "eth.ig": "0"
+          },
+          "eth.type": "0x00000806",
+          "eth.padding": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
+        },
+        "arp": {
+          "arp.hw.type": "1",
+          "arp.proto.type": "0x00000800",
+          "arp.hw.size": "6",
+          "arp.proto.size": "4",
+          "arp.opcode": "1",
+          "arp.isgratuitous": "1",
+          "arp.src.hw_mac": "3c:ef:8c:6f:79:5a",
+          "arp.src.proto_ipv4": "192.168.0.71",
+          "arp.dst.hw_mac": "00:00:00:00:00:00",
+          "arp.dst.proto_ipv4": "192.168.0.71"
+        }
+      }
+    }
+  }
+
+  ,
+  {
+    "_index": "packets-2017-11-01",
+    "_type": "pcap_file",
+    "_score": null,
+    "_source": {
+      "layers": {
+        "frame": {
+          "frame.encap_type": "1",
+          "frame.time": "Oct 31, 2017 16:47:30.286678000 PDT",
+          "frame.offset_shift": "0.000000000",
+          "frame.time_epoch": "1509493650.286678000",
+          "frame.time_delta": "1.433866000",
+          "frame.time_delta_displayed": "1.433866000",
+          "frame.time_relative": "58.825992000",
+          "frame.number": "64",
+          "frame.len": "42",
+          "frame.cap_len": "42",
+          "frame.marked": "0",
+          "frame.ignored": "0",
+          "frame.protocols": "eth:ethertype:arp"
+        },
+        "eth": {
+          "eth.dst": "ff:ff:ff:ff:ff:ff",
+          "eth.dst_tree": {
+            "eth.dst_resolved": "Broadcast",