
This is an old revision of the document!


Incomplete List of PAN-OS Decoders

I got this list by monitoring the Dynamic Update release emails from Palo Alto Networks.

Remember, a “decoder” is effectively a “base protocol”. You can also identify these in the App-ID database as any application that does not have a “depends on” or “implicitly uses” entry. However, if we take this definition, then the following list is wrong, so the lists below note some dependencies.

Listed as a decoder by the dynamic update emails and we have an App-ID for it.

  • asterisk-iax
  • bacnet
  • cip-ethernet-ip
  • corba
  • cotp
  • dhcp
  • dicom
  • dns
  • ed137
  • ftp
  • gds-db
  • gtp
  • hp-data-protector
  • icmp
  • iec-60870-5-104
  • igmp
  • ike
  • imap
  • ipsec-esp-udp
  • ldap
  • llmnr
  • lpd
  • mms-ics
  • modbus
  • msrpc
  • mssql-db
  • mysql
  • netbios-ss
  • ntp
  • oracle
  • pop3
  • postgres
  • radius
  • rpc
  • rtsp
  • sip
  • smtp
  • ssh
  • ssl
  • stun
  • teamviewer
  • tftp
  • vnc
  • unknown-tcp
  • unknown-udp
  • unknown-p2p

Listed as a decoder by the dynamic update emails and we have no App-ID for it.

  • ftp-data
  • functions
  • generic
  • http
  • http2
  • medical
  • scada
  • sctp
  • smb
  • smb-8-1

Listed as a decoder by the dynamic update emails and we have an App-ID for it but it implicitly uses another App-ID. Thus, is it actually a decoder?

  • kerberos - implicitly uses rpc
  • vmware - implicitly uses ssl and web-browsing

Listed as a decoder by the dynamic update emails and we have an App-ID for it but it depends on another App-ID. Thus, is it actually a decoder?

  • open-vpn - depends on ssl and web-browsing
  • sccp - depends on tftp

Also remember that, as of August 2020, there are 147 members of the “ip-protocol” list in Application Filters. This includes all the IPv6 stuff.
