Filter Syntax

The filter syntax is similar to the well-known pcap library used by tcpdump. The filter can span several lines. Anything after a '#' is treated as a comment and ignored to the end of the line. There is virtually no limit on the length of the filter expression. All keywords are case-independent (for example, IP is the same as ip) unless noted otherwise. The strings are enclosed in double-quotes. String values are case sensitive (for example, "windowsupdate.COM" is not the same as "windowsupdate.com").

For several keywords you can use the autocomplete function for entering the desired value - see the picture below.

The filter consists of individual expressions. Expressions can be connected with logical operators: “and” or “or”. When two expressions are connected with the logical operator “and”, the filtered data must satisfy conditions in both expressions to be included in the results. The logical operator “or” means that the data must match at least one of the expressions. All data matching the expression can be excluded by applying the operator “not”. Brackets can be used to create more complex filters:

<expression>
<expression> and <expression>
<expression> or
<expression> not
<expression>
( <expression> )

See the following subchapters for possible content of the <expression> element, that is, primitives.

Any

Use any as a dummy filter. Use not any to block all flows.

Protocol Primitives

Protocol version

• inet or ipv4 for IPv4

• inet6 or ipv6 for IPv6

Protocol

• proto <protocol> where <protocol> can be any known protocol such as TCP, UDP, ICMP, ICMP6, ARP, GRE, ESP, AH, and so on.

• proto <num> where <num> is the protocol number (for example, 1 for ICMP).

Protocol and protocol version examples

• inet6 - matches only IPv6 communication.

The following four filters all have the same meaning.

• inet6 and proto udp - matches only UDP communication over IPv6.

• inet6 and proto 17 - because UDP = 17.

• ipv6 and proto 17 - because inet6 and ipv6 are interchangeable.

• IPV6 AND PROTO 17 - because the expressions are not case sensitive.

• proto icmp or proto udp - matches both ICMP and UDP.

• (proto icmp or proto udp) and ipv4 - matches both ICMP and UDP communication only over IPv4.

• ipv4 and (proto icmp or proto udp) - is identical to the previous (the order does not matter in this case).

• ipv4 and proto icmp or proto udp - ambiguous, brackets are missing (UDP would be using both IPv4 and IPv6).

• not (proto tcp or proto udp or proto icmp) - excludes TCP, UDP, and ICMP communication (ARP, ICMP6, IGMP, and other protocols can be explored).

IP Address Primitives

IP address

• [src|dst] IP <ipaddr> or [src|dst] HOST <ipaddr> with <ipaddr> as any valid IPv4 or IPv6 address. [src|dst] defines the IP address to be selected - SRC for source, DST for destination. Omitting [src|dst] means any direction (it is equivalent to “SRC or DST”).

• [src|dst] IP addresses, networks, ports, AS numbers, and so on, can be specifically selected using a direction qualifier, such as src or dst. These can also be used in combination with “and” and “or” (for example, “as src and dst ip”).

IP address - examples

• ip 192.168.2.4 - matches specific IP address (both source and destination).

• src or dst ip 192.168.2.4 - is identical to the previous.

• src ip 192.168.2.4 - matches the specific source IP address.

• src host 192.168.2.4 - is identical to the previous (IP and host are interchangeable).

• proto tcp and (src ip 192.168.2.3 or dst ip 192.168.0.1) - matches TCP communication with either first source address or second destination address.

List of IP addresses

• [src|dst] IP IN [<iplist>] or [src|dst] HOST IN [<iplist>] where iplist is a space-separated list of individual <ipaddr>.

List of IP addresses - examples

• src ip in [192.168.2.3 192.168.2.4] - matches records with these two addresses as sources.

• ip in [192.168.2.3 192.168.2.4] and proto tcp - matches only TCP communication of these addresses.

Network Primitives

Network

• [src|dst] net a.b.c.d m.n.r.s - selects the IPv4 network a.b.c.d with netmask m.n.r.s.

• [src|dst] net <net>/<num> with <net> as a valid IPv4 or IPv6 network and <num> as maskbits. The number of mask bits must match the appropriate address family in IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if they are unambiguous.

• [src|dst] net in [<ip/masklist>] - where <ip/masklist> is list of subnet addresses (see examples)

Network - examples

• src net 192.168.0.0/16 - matches IPs starting with 192.168 (the first 16 bits of the IP address are masked).

• src net 192.168.0.0 255.255.0.0 - is identical to the previous (first 16 bits are 1s).

• src net 192.168.0.0 255.255.255.240 - matches IPs in a range from 192.168.0.0 to 192.168.0.15 (last number of mask 240 is 1111 0000 in binary).

• src net 192.168.0.0 255.255.255.240 and not ip [192.168.0.14 192.168.0.15] - matches IPs in a range from 192.168.0.0 to 192.168.0.13.

• src net in [192.168.10.0/24, 192.168.20.0/24] and dst net in [192.168.50.0/24, 192.168.60.0/24] - matches IPs with source of subnet 192.168.10.0/24 or 192.168.20.0/24 and destination subnet 192.168.50.0/24 or 192.168.60.0/24

Port Primitives

Port

• [src|dst] PORT [<comp>] <num>

• [src|dst] PORT IN [ <portlist> ]

• [src|dst] PORT "<portname>"

The <portlist> is a space-separated list of individual port numbers. The <num> is a valid port number. The <portname> is a name of a service assigned to a specific port number by IANA. Use the autocomplete function to enter the service name.

The <comp> is a comparator. The following comparators are supported:

=, ==, \>, <, EQ, LT, GT. If <comp> is omitted, '=' is assumed.

Port - examples

• dst port 110 - matches destination port 110 (pop3).

• dst port "pop3" - is identical to the previous (“pop3” is a text name for this port).

• port in [20, 21] - matches FTP communication.

• src port < 1024 and not port in [80,443] - matches well-known source ports (0-1023) in use, but ignores HTTP(S).

• dst port > 1023 and dst port < 49152 and proto udp - matches registered destination ports (1024-49151) in use over UDP.

ICMP

• icmp-type <num>

• icmp-code <num>

with <num> as a valid icmp type/code. This automatically implies proto icmp.

Router ID

• engine-type <num>

• engine-id <num>

with <num> as a valid router engine type/id (0..255).

HTTP Primitives

HTTP hostname

• hhost [<strcomp>] "<string> with <string> as a part or complete HTTP hostname."

The <strcomp> is a comparator. The following comparators are supported:

= - compared strings are identical.

\> - <string> begins with a compared string.

< - <string> ends with a compared string.

If <comp> is omitted, compared string is a substring of <string>.

HTTP URL

• hurl [<strcomp>] "<string>" with <string> as a part or complete URL.

HTTP - Operating System in User Agent

• hos "<string>" with <string> as a name of operating system (use the autocomplete function).

HTTP - Operating System Major Version

• hosmaj [<comp>] <num> with <num> as a major version number.

HTTP - Operating System Minor Version

• hosmin [<comp>] <num> with <num> as a minor version number.

HTTP - Operating System Build Number

• hosbld [<comp>] <num> with <num> as a build number.

HTTP - Client Application in User Agent

• happ "<string>" with <string> as a name of client application (use the autocomplete function).

HTTP - Client Application Major Version

• happmaj [<comp>] <num> with <num> as a major version number.

HTTP - Client Application Minor Version

• happmin [<comp>] <num> with <num> as a minor version number.

HTTP - Client Application Build Number

• happbld [<comp>] <num> with <num> as a build number.

HTTP - HTTP Method

• hmethod "<string>" with <string> as a name of HTTP method (use the autocomplete function).

HTTP - HTTP Return Code

• hrcode [<comp>] <num> with <num> as a return code.

Autonomous System Numbers Primitives

Autonomous system numbers

• [src|dst|prev|next] as [ <comp> ] <num> - selects source, destination, previous, next or any AS number with <num> as any valid as number. 32bit AS numbers are supported. If <comp> is omitted, '=' is assumed.

• [src|dst|prev|next] as in [ <ASlist> ] - an AS number can be compared against a known list, where <ASlist> is a space or comma separated list of individual AS numbers.

Autonomous system number - examples

• as 15169 - includes whole communication involving Google LLC AS (15169).

• not src as 8068 - excludes communication from Microsoft Corporation AS (8068).

VLAN labels

• [src|dst] vlan <num> with <num> as any valid VLAN label.

User identity of IP

• [src|dst] uid <user ID> with <user ID> as a user identifier provided by DHCP, VPN, directory service, and so on, using syslog.

Country of origin of IP

• [src|dst] ctry "<country name>"

• [src|dst] ctry <num>

with <country name> as a name of the country. Use the autocomplete function to enter the name of a country. The <num> is the number of the country according to ISO 3166-2.

Flow Source Identification

• flowident "<string>" with <string> as a flow source identification (use the autocomplete function).

TCP Flags Primitives

TCP flags

tcpflags [=] "<flagstring>" with flagstring in the following format:

• flagstring ::= <flagstringexp>

• <flagstringexp> ::= <exp>

• <flagstringexp> ::= <exp-and>

• <flagstringexp> ::= <exp-or>

• <exp> ::= <flag> | <exp><flag>

• <exp-and> ::= <flag> | <exp-and> "&" <flag>

• <exp-or> ::= <flag> | <exp-or> "|" <flag>

<flag> - "A" | "S" | "F" | "R" | "P" | "U" | "C" | "E" | "X"

<flag> has the following meaning:

• A - ACK S - SYN F - FIN

• R - Reset

• P - Push

• U - Urgent

• C - Congestion Window Reduced

• E - ECN-Echo

• X - All flags on

<exp>, <exp-and> and <exp-or> have the following meaning:

• The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".

• The <exp-and> is equivalent to <exp>.

• The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".

TCP Flags - examples

• tcpflags S - matches any flow which includes the S flag in TCP flags (e.g. ...AP.S. or ...A..SF).

• tcpflags = S - matches records with only the SYN flag set (i.e...... S.).

• tcpflags "S|F" - either S or F flag must be present.

• tcpflags = "A&P&F" - only specified flags ( ...AP..F) are allowed.

Extended TCP

• tcpttl [=|==|<|>|eq|lt|gt] <number> - filters by TCP TTL (Time to live).

• tcpwinsize [=|==|<|>|eq|lt|gt] <number> - filters by TCP window size.

• tcpsynsize [=|==|<|>|eq|lt|gt] <number> - filters by TCP syn packet size.

Next Hop IP Primitive

• next ip <ipaddr> with <ipaddr> as IPv4/IPv6 IP address of next hop router.

Next-hop router's IP in the BGP domain

• bgpnext ip <ipaddr> with <ipaddr> as IPv4/IPv6 next-hop router's IP in the BGP domain.

Router IP Primitive

• router ip <ipaddr> - filters the flows according to the IP address of the exporting source (router or probe).

Flow Source Name Primitive

• source "<sourcename>" - filters the flows according to the name of exporting source (router or probe). Use autocomplete function to enter the name of the source. Only names shown on page "Sources" are supported.

Source ID Primitive

• sourceid [ <comp> ] <number> - filters flows with specific source ID (one exporting device might use multiple source IDs for different exporting engines). Supported for sFlow only.

Interface Primitives

Interface

• [<inout>] if <num> - selects input or output interface ID. Omitting [in|out] is equivalent to IN or OUT (selects either IN or OUT interfaces). The <num> is SNMP interface number.

Interface - Examples

• in if 3 - selects input interface #3.

Flow Source Network Interface Name

• sourceport "<sourcename>":"<interfacename>" - filters flows exported from network interface <interfacename> on source <sourcename>. Use autocomplete function to enter the name of the source and interface. Only names shown on page "Sources" are supported.

MAC Address Primitive

• [<in src|in dst|out src|out dst>] mac <addr> with <addr> any valid MAC. The <mac> can be specified more by using any combinations of a direction specifier as defined by CISCO v9: in src, in dst, out src, out dst.

MPLS Labels Primitives

• mpls label<n> [<comp>] <num> with <n> as any MPLS label number in range 1..10. It filters exactly specified label<n>.

• mpls eos [<comp>] <num> - filters End of Stack label for a given value <num>.

• mpls exp<n> [<comp>] <bits> - filters experimental bits of label <n> with <bits> in range 0..7.

TOS Primitives

TOS

• tos <value> for the Type of Service. Both ToS numerical values 0..255 and DSCP name strings are supported.

TOS examples

• not tos "Best Effort & Default" - excludes the best effort communication.

• not tos 0 - is identical to the previous (0 stands for the best effort).

• tos “CS7” - is the same as tos 224

For further information, visit https://en.wikipedia.org/wiki/Type_of_service.

NBAR2 Primitives

NBAR2 AppTag

• apptag "<appname>"

• apptag <AppEID>:<AppID>

with <appname> as a name of application recognized by NBAR2. Use autocomplete function to enter the application name. The <AppEID> is Classification Engine ID and <AppID> is Application ID (defined in RFC 6759 and NBAR2 Protocol Pack).

NBAR2 AppEID

• appeid <value> with <value> as a number (0..255).

NBAR2 AppID

• appid <value> with <value> as a number (0..16777216).

DNS Primitives

DNS filters

A correct DNS filter should be preceded with the keyword "dns" to correctly process only the valid DNS flows (e.g. dns and dns-qrflag 0).

DNS ID

• dns-id [=|==|<|>|eq|lt|gt] <value> with <value> as a number (0..65535).

DNS question count

• dns-qcount [=|==|<|>|eq|lt|gt] <value> with <value> as a number (0..65535).

DNS answer count

• dns-answcount [=|==|<|>|eq|lt|gt] <value> with <value> as a number (0..65535).

DNS authority count

• dns-authcount [=|==|<|>|eq|lt|gt] <value> with <value> as a number (0..65535).

DNS additional count

• dns-addtcount [=|==|<|>|eq|lt|gt] <value> with <value> as a number (0..65535).

DNS flags

• dns-flags [=] "<flagstring>" with <flagstring> in the following format:

  • flagstring ::= ’"’ <flagstringexp> ’"’

  • <flagstringexp> ::= <exp>

  • <flagstringexp> ::= <exp-and>

  • <flagstringexp> ::= <exp-or>

  • <exp> ::= <flag> | <exp><flag>

  • <exp-and> ::= <flag> | <exp-and> "&" <flag>

  • <exp-or> ::= <flag> | <exp-or> "|" <flag>

  • <flag> "AA" | "TC" | "RD" | "RA" | "AD" | "CD"

  • <flag> has the following meaning:

AA - Authoritative Answer Flag

TC - Truncation Flag

RD - Recursion Desired

RA - Recursion Available

AD - Authentic Data

CD - Checking Disabled

<exp>, <exp-and> and <exp-or> have the following meaning:

1. The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".

2. The <exp-and> is equivalent to <exp>.

3. The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".

• dns-qrflag [=|==|<|>|eq|lt|gt] <value>, where value "0" is a DNS Query and "1" is a DNS Response.

• dns-opcode [=|==|<|>|eq|lt|gt] <value> with <value> as a DNS operation code.

• dns-rcode [=|==|<|>|eq|lt|gt] <value> with <value> as a DNS response code.

DNS question

• dns-qname [<strcomp>] "<string>" with <string> as a question name.

• dns-qtype [=|==|<|>|eq|lt|gt] <value> with <value> as a question type.

• dns-qclass [=|==|<|>|eq|lt|gt] <value> with <value> as a question class.

• dns-qname1 "<string>" with <string> as a question name (1st level domain).

• dns-qname2 "<string>" with <string> as a question name (1st & 2nd level domain).

• dns-qname3 "<string>" with <string> as a question name (1st, 2nd & 3nd level domain).

DNS response

• dns-rname [<strcomp>] "<string>" with <string> as a question response name.

• dns-rtype [=|==|<|>|eq|lt|gt] <value> with <value> as a response type.

• dns-rclass [=|==|<|>|eq|lt|gt] <value> with <value> as a response class.

• dns-rttl [=|==|<|>|eq|lt|gt] <value> with <value> as a response TTL.

• dns-rdata [<strcomp>] "<string>" with <string> as a response data.

• dns-rname1 "<string>" with <string> as a question response name (1st level domain).

• dns-rname2 "<string>" with <string> as a question response name (1st & 2nd level domain).

• dns-rname3 "<string>" with <string> as a question response name (1st, 2nd & 3nd level domain).

• dns-rdata1 "<string>" with <string> as response data (1st level domain). Only for response types CNAME, DNAME, NS, SOA, MX, SRV.

• dns-rdata2 "<string>" with <string> as response data (1st & 2nd level domain). Only for response types CNAME, DNAME, NS, SOA, MX, SRV.

• dns-rdata3 "<string>" with <string> as response data (1st, 2nd & 3nd level domain). Only for response types CNAME, DNAME, NS, SOA, MX, SRV.

DHCP Primitives

DHCP offered IP address

• dhcp-offeredip <ip> with <ip> as the IP address, which DHCP server offered to the host.

DHCP MAC address of host

• dhcp-hostmac <macaddr> with <macaddr> as a MAC address of the host.

DHCP message type

• dhcp-type [=|==|<|>|eq|lt|gt] <value>, with <value> as a combination of (RFC 2132, RFC 3203, RFC 4388, RFC 6926, draft-ietf-dhc-dhcpv4-active-leasequery-07):

1 - Discover

2 - Offer

3 - Request

4 - Decline

5 - ACK

6 - NAK

7 - Release

8 - Inform

9 - Force Renew

10 - Lease Query

11 - Lease Unassigned

12 - Lease Unknown

13 - Lease Active

14 - Lease Bulk Lease Query

15 - Lease Query Done

DHCP IP address lease time

• dhcp-leasetime [=|==|<|>|eq|lt|gt] <value> with <value> as the IP address lease time. Value is specified in seconds.

DHCP server IP address

• dhcp-servip <ip> where <ip> is the IP address of the DHCP server.

DHCP server domain name

• dhcp-domname [<strcomp>] "<string>" with <string> as the domain name of the DHCP server.

DHCP hostname

• dhcp-hostname [<strcomp>] "<octalstring>" with <octalstring> as a combination of:

– <string>

– <octalval> where <octalval> is a string in the following format \&nnn, where nnn is the octal number in range 0..255.

DHCP requested IP address

• dhcp-ipreq <ip> with <ip> as the requested IP address.

Samba Primitives

Samba operation code version 1

• smb1-cmd [=|==|<|>|eq|lt|gt] <smbopcode1> with <smbopcode1> as a samba operation code version 1.

Samba operation code version 2

• smb2-cmd "<flagstring>" with <flagstring> in following format:

– flagstring ::= ’"’ <flagstringexp> ’"’

– <flagstringexp> ::= <exp>

– <flagstringexp> ::= <exp-and>

– <flagstringexp> ::= <exp-or>

– <exp> ::= <flag> | <exp><flag>

– <exp-and> ::= <flag> | <exp-and> "&" <flag>

– <exp-or> ::= <flag> | <exp-or> "|" <flag>

– <flag> - "NE" | "SS" | "LO" | "TC" | "TD" | "CR" | "CL" | "FL" | "RE" | "WR" | "LC" | "IO" | "CA" | "EC" | "QD" | "CN" | "QI" | "SI" | OB" | "EN"

<flag> has the following meaning:

NE - Negotiate

SS - Session setup

LO - Logoff

TC - Tree connect

TD - Tree disconnect

CR - Create

CL - Close

FL - Flush

RE - Read

WR - Write

LC - Lock

IO - Ioctl

CA - Cancel

EC - Echo

QD - Query directory

CN - Change notify

QI - Query info

SI - Set info

OB - Oplock break

EN - Encrypted packet (in SMB3)

<exp>, <exp-and> and <exp-or> have the following meaning:

– The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".

– The <exp-and> is equivalent to <exp>.

– The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".

smb2-scmd "<smbopcode2>". Only flows matching exactly the specified flags will be processed.

Samba tree structure

• smb-tree [strcomp] "<string>" with <string> as a tree structure.

Samba file name

• smb-file [strcomp] "string" with <string> as a file name.

Samba file type

• smb-filetype [=|==|<|>|eq|lt|gt] <value> where value "1" is a directory and "2" is a file.

Samba file operation type

• smb-op [=|==|<|>|eq|lt|gt] <sambaoptype> with <sambaoptype> as a combination of:

0 - Supersede

1 - Open

2 - Create

3 - Overwrite

4 - Open if (Open the file if it already exists; otherwise, create the file.)

5 - Overwrite if (Overwrite the file if it already exists; otherwise, create the file.)

Samba delete flag

• smb-del [=|==|<|>|eq|lt|gt] <value> where value "1" indicates file deletion and "0" indicates no deletion.

Samba error flag

• smb-err [=|==|<|>|eq|lt|gt] <value> where value "1" indicates error and "0" indicates no error.

SIP Primitives

SIP call ID

sip-callid [<strcomp>] "<str>"

SIP calling party

• sip-calling [<strcomp>] "<str>"

SIP called party

• sip-called [<strcomp>] "<str>"

SIP VIA

• sip-via [<strcomp>] "<str>"

SIP ringing time

• sip-ringtime [<comp>] <number>

SIP OK time

• sip-oktime [<comp>] <number>

SIP bye time

• sip-byetime [<comp>] <number>

SIP RTP IP (IPv4/IPv6)

• sip-ip <ip>

SIP RTP audio

• sip-audio [<comp>] <number>

SIP RTP video

• sip-video [<comp>] <number>

VOIP Packet Type

• voip-pkttype [<comp>] <number>

VOIP packet type list:

0 - Non-VOIP data

1 - SIP service requests

2 - SIP responses on service requests

3 - SIP call requests

4 - SIP responses on call requests

8 - RTP voice data

16 - RTCP control and statistical data

RTCP Primitives

RTCP packets count

• rtcp-pkts [<comp>] <number>

RTCP octets count

• rtcp-octets [<comp>] <number>

RTP jitter

• rtp-jitter [<comp>] <number>

RTP jitter is measured in RTP timestamp units. RTP timestamp unit is based on the sampling rate. For example, for the sampling rate of 8000 Hz (PCMA) one unit is equal to 1/8000 of a second. For details, refer to RFC 3550 - interarrival jitter.

RTCP lost packets on client side

• rtcp-lost [<comp>] <number>

RTP codec type

• rtp-codec [<comp>] <number>

RTCP source count

• rtcp-sources [<comp>] <number>

MSSQL Primitives

MSSQL TDS

• tds-req [<comp>] <number> - TDS request type

• tds-ver [<comp>] <number> - TDS protocol type (<number> should be a 32bit hex number, e.g. 0x71000001)

• tds-cver [<comp>] <version> - TDS client version (<version> in format unsigned.unsigned.unsigned)

• tds-sver [<comp>] <version> - TDS server version

• tds-db [<strcomp>] "<str>" - TDS database context

• tds-user [<strcomp>] "<str>" - TDS username

• tds-host [<strcomp>] "<str>" - TDS hostname

Filters can be used without parameters to select the elements with valid values.

MSSQL TDS Experimental

• tds-res [<comp>] <number> - TDS response type

• tds-token [<comp>] <number> - TDS 1st token of response

• tds-tmr [<comp>] <number> - TDS transaction manager request type

• tds-err [<comp>] <number> - TDS error code

• tds-envch [<comp>] <number> - TDS environment change type

• tds-sql [<strcomp>] "<str>" - TDS SQL query (search for case-sensitive string)

• tds-isql [<istrcomp>] "<str>" - TDS SQL query (search for case-insensitive string)

• tds-rpc [<strcomp>] "<str>" - TDS remote procedure name

• tds-servname [<strcomp>] "<str>" - TDS server name

Filters can be used without parameters to select elements with valid values.

MySQL Primitives

MySQL Protocol Version

• mysql-ver [<comp>] <number>

MySQL Server Version

• mysql-sver [<strcomp>] "<str>"

MySQL User Authentication Status

• mysql-auths "<authstr>"

• mysql-auths [<comp>] <authnum>

• with <authnum> - <authstr> as information about successful authentication:

0 - no

1 - yes

MySQL Username

• mysql-user [<strcomp>] "<str>"

MySQL Authentication Method

• mysql-authm [<strcomp>] "<str>"

MySQL Database

• mysql-db [<strcomp>] "<str>"

MySQL Server and Client Capabilities

• mysql-cpblts [=] "<flagstring>"

• mysql-cpbltc [=] "<flagstring>" with <flagstring> in following format:

– flagstring ::= ’"’ <flagstringexp> ’"’

– <flagstringexp> ::= <exp>

– <flagstringexp> ::= <exp-and>

– <flagstringexp> ::= <exp-or>

– <exp> ::= <flag> | <exp><flag>

– <exp-and> ::= <flag> | <exp-and> "&" <flag>

– <exp-or> ::= <flag> | <exp-or> "|" <flag>

– <flag> - "RO" | "VC" | "MO" | "NE" | "TR" | "HE" | "LD" | "AB" | "AP" | "MP" | "MS" | "MQ"

| "NP" | "RD" | "TS" | "IP" | "CY" | "IE" | "41" | "IS" | "LF" | "OD" | "CS" | "NS" | "HD" | "LG" | "RF" | "LP"

<flag> has the following meaning:

RO - Remember Options

VC - SSL Verify Server Certificate

MO - MariaDB: Obsolete (old Client Progress flag)

NE - No EOF Packets (Deprecate EOF)

TR - Session Tracking

HE - Handle Expired Passwords

LD - Length Encoded Client Authentication Data

AB - Connection Attributes

AP - Authentication Plugin (Pluggable Authentication)

MP - Multi Result Set in Prepared Statements

MS - Multi Result Set

MQ - Multiple Queries (Statements)

NP - Native ("Secure") Password Authentication

RD - Reserved (old Client Protocol 4.1 flag)

TS - Transactions

IP - Ignore SIGPIPE

CY - Encryption

IE - Interactive Session

41 - Client Protocol 4.1

IS - Ignore Spaces

LF - Local Files

OD - ODBC support

CS - Compression

NS - No "schema.table.column" Expressions

HD - Handshake (Connect) With Database

LG - Long Flags

RF - Found Rows

LP - Long Password

<exp>, <exp-and> and <exp-or> have the following meaning:

– The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".

– The <exp-and> is equivalent to <exp>.

– The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".

MySQL Error Code

• mysql-err [<comp>] <number>

MySQL Command

• mysql-cmd [<comp>] <cmdnum>

• mysql-cmd "<cmdstr>"

• with <cmdnum> - <cmdstr> as a combination of:

0 - SLEEP

1 - QUIT

2 - INIT_DB

3 - QUERY

4 - FIELD_LIST

5 - CREATE_DB

6 - DROP_DB

7 - REFRESH

8 - SHUTDOWN

9 - STATISTICS

10 - PROCESS_INFO

11 - CONNECT

12 - PROCESS_KILL

13 - DEBUG

14 - PING

15 - TIME

16 - DELAYED_INSERT

17 - CHANGE_USER

18 - BINLOG_DUMP

19 - TABLE_DUMP

20 - CONNECT_OUT

21 - REGISTER_SLAVE

22 - STMT_PREPARE

23 - STMT_EXECUTE

24 - STMT_SEND_LONG_DATA

25 - STMT_CLOSE

26 - STMT_RESET

27 - SET_OPTION

28 - STMT_FETCH

29 - DAEMON

30 - BINLOG_DUMP_GTID

31 - RESET_CONNECTION

250 - STMT_BULK_EXECUTE

254 - MULTI

MySQL SQL Query

• mysql-sql [<strcomp>] "<str>"

PostgreSQL Primitives

PostgreSQL Protocol Version

• pgsql-ver "<verstr>" where <verstr> should be a string of format "<major>.<minor>" or any prefix thereof, where <major> and <minor> is a numeric value or the ’*’ character. The ’*’ character acts as a wildcard (i.e. matches any value).

PostgreSQL Server Version

• pgsql-sver "<sverstr>" Where <sverstr> should be a string of format "<major>.<minor>.<bugfix>" (server versions up to 9.6) or "<major>.<bugfix>" (server versions 10 onwards) or any prefix thereof, where <major>, <minor> and <bugfix> is a numeric value or the ’*’ character. The ’*’ character acts as a wildcard (i.e. matches any value, including not present).

Note

"<sverstr>" of format "*.1" will match all server versions where the minor version is 1 for servers of major version 9 or lower and all server versions where bugfix version is 1 for servers of major version 10 or higher.

PostgreSQL Authentication Method

• pgsql-authm "<authstr>"

• pgsql-authm [<comp>] <authnum>

• Where <authstr> and <authnum> are used to specify one of the following authentication methods:

0 - NO AUTHENTICATION

1 - KERBEROS V4

2 - KERBEROS V5

3 - CLEAR PASSWORD

4 - CRYPT PASSWORD

5 - MD5 PASSWORD

6 - SCM CREDENTIALS

7 - GSS

8 - UNKNOWN

9 - SSPI

10 - SASL

PostgreSQL Username

• pgsql-user [<strcomp>] "<str>"

PostgreSQL Database

• pgsql-db [<strcomp>] "<str>"

PostgreSQL SQLSTATE Error Code

• pgsql-errc "<sqlstate>" where <sqlstate> should be an exactly 5 character long string according to the SQLSTATE standard. You may substitute any of its characters for the ’*’ character, which acts as a wildcard (i.e. matches any character).

PostgreSQL Error Severity

• pgsql-errs "<errsstr>"

• pgsql-errs [<comp>] <errsnum>

• Where <errsstr> and <errsnum> are used to specify one of the following error severities:

1 - PANIC

2 - FATAL

3 - ERROR

4 - WARNING

5 - NOTICE

6 - INFO

7 - LOG

8 - DEBUG

254 - UNRECOGNIZED

255 - UNKNOWN

PostgreSQL SQL Query

• pgsql-sql [<strcomp>] "<str>"

PostgreSQL Client Message Type

• pgsql-msgc [=] "<flagstring>" with <flagstring> in following format:

  • flagstring ::= ’"’ <flagstringexp> ’"’

  • <flagstringexp> ::= <exp>

  • <flagstringexp> ::= <exp-and>

  • <flagstringexp> ::= <exp-or>

  • <exp> ::= <flag> | <exp><flag>

  • <exp-and> ::= <flag> | <exp-and> "&" <flag>

  • <exp-or> ::= <flag> | <exp-or> "|" <flag>

  • <flag> - "?" | "+" | "

    quot; | "#" | "B" | "C" | "D" | "E" | "H" | "F" | "P" | "p" | "Q" | "S" | "X" |"r" | "h" | "d" | "c" | "f"

<flag> has the following meaning:

? - Unknown message

+ - Startup message

$ - SSL request

# - Cancel request

B - Bind

C - Close

D - Describe

E - Execute

H - Flush

F - Function call

P - Parse

p - Password message

Q - Query

S - Sync

X - Terminate

r - Standby status update

h - Hot standby feedback

d - Copy data

c - Copy done

f - Copy fail

<exp>, <exp-and> and <exp-or> have the following meaning:

• The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".

• The <exp-and> is equivalent to <exp>.

• The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".

PostgreSQL Server Message Type

• pgsql-msgs [=] "<flagstring>" with <flagstring> in following format:

  • flagstring ::= ’"’ <flagstringexp> ’"’

  • <flagstringexp> ::= <exp>

  • <flagstringexp> ::= <exp-and>

  • <flagstringexp> ::= <exp-or>

  • <exp> ::= <flag> | <exp><flag>

  • <exp-and> ::= <flag> | <exp-and> "&" <flag>

  • <exp-or> ::= <flag> | <exp-or> "|" <flag>

  • <flag> - "?" | "R" | "K" | "2" | "3" | "C" | "G" | "H" | "W" | "D" | "I" | "E" | "V" | "n" | "N" |"A" | "t" | "S" | "1" | "s" | "Z" | "T" | "w" | "k" | "

    quot; | "%" | "d" | "c"

<flag> has the following meaning:

? - Unknown message

R - Authentication

K - Backend key data

2 - Bind complete

3 - Close complete

C - Command complete

G - Copy in response

H - Copy out response

W - Copy both response

D - Data row

I - Empty query response

E - Error response

V - Function call response

n - No data

N - Notice response

A - Notification response

t - Parameter description

S - Parameter status

1 - Parse complete

s - Portal suspended

Z - Ready for query

T - Row description

w - Xlog data

k - Primary keepalive

$ - SSL accept

% - SSL deny

d - Copy data

c - Copy done

<exp>, <exp-and> and <exp-or> have the following meaning:

• The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".

• The <exp-and> is equivalent to <exp>.

• The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".

RADIUS Primitives

RADIUS Username

• radius-login [comp] "<string>"

RADIUS Calling Station ID

• radius-calling-station-id [comp] "<string>"

RADIUS Called Station ID

• radius-called-station-id [comp] "<string>"

RADIUS NAT IP address

• radius-nat-address [comp] <ipaddr>

RADIUS NAT port start

• radius-port-start [comp] <number>

RADIUS NAT port end

• radius-port-end [comp] <number>

TLS Primitives

TLS Content type

• tls-cont [flcomp] "<flagtokens>" where <flagtokens> is list of tokens representing desired flags. These are valid TLS content type flags:

• CCS - Content type CCS

• ALERT - Content type ALERT

• HS - Content type HANDSHAKE

• DATA - Content type APP DATA

The tokens in <flagtokens> can be joined by either ’&’ (all specified flags are set) or ’|’ (at least one of the specified flags is set). A combination of ’&’ and ’|’ in one filter is not permitted.

TLS Handshake type

• tls-hshk [flcomp] "<flagtokens>" where <flagtokens> is list of tokens representing desired flags. These are valid TLS handshake type flags:

• HR - Hello request

• CH - Client hello

• SH - Server hello

• HVER - Hello verify request

• NST - New session ticket

• EED - End of early data

• HRET - Hello retry request

• ENC - Encrypted extensions

• CER - Certificate

• KSRV - Server key exchange

• CRQ - Certificate request

• SHD - Server hello done

• CVER - Certificate verify

• KCL - Client key exchange

• FIN - Finished

• CURL - Certificate url

• CST - Certificate status

• SUPL - Supplemental data

• KUPD - Key update

• MSGH - Message hash

• UNKN - Unknown

The tokens in <flagtokens> can be joined by either ’&’ (all specified flags are set) or ’|’ (at least one of the specified flags is set). A combination of ’&’ and ’|’ in one filter is not permitted.

TLS Setup time

• tls-setup [comp] <time-milli>

TLS Server version

• tls-sver [comp] "<string>"

• tls-sver [comp] <number>

The argument can be either a numeric representation of tls version or its text name. The numeric value can be hexadecimal (prefixed with "0x") or decimal. Supported TLS versions are "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1" and "TLS 1.2". Hexadecimal values are 0x002, 0x0300, 0x0301, 0x0302 and 0x0303 in respective order.

TLS Server random ID

• tls-srnd "<bytes>"

<bytes> is some part of a random ID byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4bits). For example filter tls-srnd "90a0b0" will match all flows in which TLS Server random ID contains sequence of 3 bytes 0x90 0xa0 0xb0 or sequence of 4 bytes 0x*9 0x0a 0x0b 0x0*, where "*" is any nibble.

TLS Server session ID

• tls-ssid [comp] <number>

<bytes> is some part of the session ID byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4bits). For example filter tls-ssid "90a0b0" will match all flows in which TLS Server session ID contains sequence of 3 bytes 0x90 0xa0 0xb0 or sequence of 4 bytes 0x*9 0x0a 0x0b 0x0*, where "*" is any nibble.

TLS Cipher suite

• tls-ciph "<bytes>"

• tls-ciph [=] "<string>"

TLS Application layer protocol negotiation

• tls-alpn [strcomp] "<string>"

TLS Server name indication

• tls-sni [strcomp] "<string>"

TLS Server name length

• tls-snlen [comp] <number>

TLS server compression method

• tls-sscm [comp] <number>

• tls-sscm [comp] <method>

With <number> and <method> as one of these:

• 0 - NULL

• 1 - DEFLATE

• 64 - LZS

TLS Client version

• tls-cver [comp] "<string>"

• tls-cver [comp] <number>

The argument can be either a numeric representation of tls version or its text name. The numeric value can be hexadecimal (prefixed with "0x") or decimal. Supported TLS versions are "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1" and "TLS 1.2". Hexadecimal values are 0x002, 0x0300, 0x0301, 0x0302 and 0x0303 in respective order.

TLS Cipher suites and Elliptic curves

• tls-ciphs [=] "<tokens>"

• tls-ciphse [=] "<tokens>" - exact order match

• tls-ece [=] "<tokens>" - exact order match

• tls-ec [=] "<tokens>"

<tokens> is comma separated list of either cipher suite / elliptic curve text names or their hexadecimal representations. Combination is not allowed, so all values in the list will be treated either as hexadecimal numbers or text. Filters will match only if all values are found inside the record. Exact order filters will match only if the sequence of values is found inside the record array in the specified order. The exact filter (optional equal sign is used) will match only if there are no other values in the record array than those specified. Hexadecimal representation of one cipher suite has form 0xAAAA. The cipher suite / elliptic curve is represented as a two-byte number, so the maximum number of digits is four. For text tokens, there are no input rules. Partial text names are also allowed (the substring compare method is used).

TLS Client random ID and Client session ID

• tls-crnd "<bytes>"

• tls-csid "<bytes>"

<bytes> is some part of a random ID / session ID byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4bits).

TLS Extensions

• tls-ext [=] "<tokens>" - Extension types

• tls-exte [=] "<tokens>" - Extension types (exact order)

• tls-exl [=] "<tokens>" - Extension lengths

• tls-exle [=] "<tokens>" - Extension lengths (exact order)

<tokens> is comma separated list of decimal values. Filters will match only if all values are found inside the record. Exact order filters will match only if the sequence of values is found inside the record array in the specified order. The exact filter (optional equal sign is used) will match only if there are no other values in the record array than those specified. Extension type and extension length are represented as a two-byte number, so the maximum allowed value is 65535.

TLS Elliptic curves point formats

• tls-ecpf "<tokens>"

<tokens> is comma separated list of either decimal or text values. The maximum allowed decimal number is 254. For text values, only full-text names are allowed. Numeric and text tokens may be combined. Recognized names are "uncompressed" (0), "ansiX962_compressed_prime" (1) and "ansiX962_compressed_char2" (2).

TLS Client key length

• tls-cklen [comp] <number>

TLS Certificate

• tls-icn [strcomp] "<string>" - Certificate issuer common name

• tls-scn [strcomp] "<string>" - Subject common name

• tls-son [strcomp] "<string>" - Subject organisation name. Comparison is case insensitive.

• tls-vfrom [comp] <timestamp> - Certificate validity since

• tls-vfrom [comp] "<date>" - Certificate validity since

• tls-vto [comp] <timestamp> - Certificate validity until

• tls-vto [comp] "<date>" - Certificate validity until <date> is text specification of date/time in format "YYYY-MM-DD HH:MM:SS". <timestamp> is date/time represented seconds since epoch. The special value "now" is also accepted and interpreted as the current time.

• tls-salg "<algorithm name>" - Signature algorithm

• tls-pkalg "<algorithm name>" - Public key algorithm

• tls-pklen [comp] <number> - Public key length

• tls-snum "<bytes>" - TLS certificate serial number. <bytes> is a part of the TLS certificate serial number (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4bits).

• tls-san [strcomp] "<string>" - TLS certificate subject alternate names

TLS JA3 Fingerprint

• tls-ja3 "<bytes>" <bytes> is some part of JA3 Fingerprint byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4bits).

VxLAN Primitives

VxLAN VNI

• vxlan-vni [comp] <number>

IEC104

• iec104-pktlen [comp] <number> - IEC104 Packet Length

• iec104-fmt [strcomp] "<fmtstr>" - IEC104 Frame Format with <fmtstr> as one of these characters:

  • I - I-frame

  • S - S-frame

  • U - U-frame

• iec104-asdu-type [comp] <number> - IEC104 ASDU Type

• iec104-asdu-objcount [comp] <number> - IEC104 ASDU Object Count

• iec104-asdu-cot [comp] <number> - IEC104 ASDU Cause Of Transmission

• iec104-asdu-org [comp] <number> - IEC104 ASDU Originator Address

• iec104-asdu-addr [comp] <number> - IEC104 Common ASDU Address

CoAP

• coap-ver [comp] <number>

• coap-mid [comp] <number>

• coap-code [strcomp] "<str>" - with <str> as a number in format "0.00"

• coap-opcount [comp] <number>

• coap-type "<str>" - with <str> as one of these:

  • CNF - Confirmable message

  • NCNF - Nonconfirmable message

  • ACK - Acknowledge

  • RST - Reset

• coap-accept [comp] <number>

• coap-contentfmt [comp] <number>

• coap-token [strcomp] "<str>" - hexadecimal representation of bytestream (maximal length 16 characters). Example: coap-token = "b38a4e20"

• coap-uripath [strcomp] "<str>"

• coap-uriquery [strcomp] "<str>"

• coap-urihost [strcomp] "<str>"

GOOSE

• goose-appid [comp] <number>

• goose-cbref [strcomp] "<str>"

• goose-dataset [strcomp] "<str>"

• goose-id [strcomp] "<str>"

• goose-stnum [comp] <number>

MMS

• mms-type [comp] <number> - with <number> as one of these:

  • 0 - confirmed-Request

  • 1 - confirmed-Response

  • 2 - confirmed-Error

  • 3 - unconfirmed

  • 4 - reject

  • 5 - cancel-Request

  • 6 - cancel-Response

  • 7 - cancel-Error

  • 8 - initiate-Request

  • 9 - initiate-Response

  • 10 - initiate-Error

  • 11 - conclude-Request

  • 12 - conclude-Response

  • 13 - conclude-Error

• mms-conf-service-req [comp] <number>

• mms-conf-service-resp [comp] <number> -with <number> for mms-conf-service-req and mms-conf-service-resp as one of these:

  • 0 - status

  • 1 - getNameList

  • 2 - identify

  • 3 - rename

  • 4 - read

  • 5 - write

  • 6 - getVariableAccessAttributes

  • 7 - defineNamedVariable

  • 8 - defineScatteredAccess

  • 9 - getScatteredAccessAttributes

  • 10 - deleteVariableAccess

  • 11 - defineNamedVariableList

  • 12 - getNamedVariableListAttributes

  • 13 - deleteNamedVariableList

  • 14 - defineNamedType

  • 15 - getNamedTypeAttributes

  • 16 - deleteNamedType

  • 17 - input

  • 18 - output

  • 19 - takeControl

  • 20 - relinquishControl

  • 21 - defineSemaphore

  • 22 - deleteSemaphore

  • 23 - reportSemaphoreStatus

  • 24 - reportPoolSemaphoreStatus

  • 25 - reportSemaphoreEntryStatus

  • 26 - initiateDownloadSequence

  • 27 - downloadSegment

  • 28 - terminateDownloadSequence

  • 29 - initiateUploadSequence

  • 30 - uploadSegment

  • 31 - terminateUploadSequence

  • 32 - requestDomainDownload

  • 33 - requestDomainUpload

  • 34 - loadDomainContent

  • 35 - storeDomainContent

  • 36 - deleteDomain

  • 37 - getDomainAttributes

  • 38 - createProgramInvocation

  • 39 - deleteProgramInvocation

  • 40 - start

  • 41 - stop

  • 42 - resume

  • 43 - reset

  • 44 - kill

  • 45 - getProgramInvocationAttributes

  • 46 - obtainFile

  • 47 - defineEventCondition

  • 48 - deleteEventCondition

  • 49 - getEventConditionAttributes

  • 50 - reportEventConditionStatus

  • 51 - alterEventConditionMonitoring

  • 52 - triggerEvent

  • 53 - defineEventAction

  • 54 - deleteEventAction

  • 55 - getEventActionAttributes

  • 56 - reportEventActionStatus

  • 57 - defineEventEnrollment

  • 58 - deleteEventEnrollment

  • 59 - alterEventEnrollment

  • 60 - reportEventEnrollmentStatus

  • 61 - getEventEnrollmentAttributes

  • 62 - acknowledgeEventNotification

  • 63 - getAlarmSummary

  • 64 - getAlarmEnrollmentSummary

  • 65 - readJournal

  • 66 - writeJournal

  • 67 - initializeJournal

  • 68 - reportJournalStatus

  • 69 - createJournal

  • 70 - deleteJournal

  • 71 - getCapabilityList

  • 72 - fileOpen

  • 73 - fileRead

  • 74 - fileClose

  • 75 - fileRename

  • 76 - fileDelete

  • 77 - fileDirectory

  • 78 - additionalService

  • 80 - getDataExchangeAttributes

  • 81 - exchangeData

  • 82 - defineAccessControlList

  • 83 - getAccessControlListAttributes

  • 84 - reportAccessControlledObjects

  • 85 - deleteAccessControlList

  • 86 - changeAccessControl

  • 87 - reconfigureProgramInvocation - only for mss-conf-service-resp

• mms-unconf-service [comp] <number> - with <number> as one of these:

  • 0 - informationReport

  • 1 - unsolicitedStatus

  • 2 - eventNotification

DLMS

• dlms-type [comp] <number> - with <number> as one of these:

  • 192 - get-request

  • 193 - set-request

  • 194 - event-notification-request

  • 195 - action-request

  • 196 - get-response

  • 197 - set-response

  • 199 - action-response

• dlms-subtype [comp] <number>

  • 3073 (0xc001) - get-request-normal

  • 3074 (0xc002) - get-request-next

  • 3075 (0xc003) - get-request-with-list

  • 49409 (0xc101) - set-request-normal

  • 49410 (0xc102) - set-request-with-first-data-block

  • 49411 (0xc103) - set-request-with-datablock

  • 49412 (0xc104) - set-request-with-list

  • 49413 (0xc105) - set-request-with-list-and-first-data-block

  • 49921 (0xc301) - action-request-normal

  • 49922 (0xc302) - action-request-next-pblock

  • 49923 (0xc303) - action-request-with-list

  • 49924 (0xc304) - action-request-with-first-pblock

  • 49925 (0xc305) - action-request-with-list-and-first-pblock

  • 49926 (0xc306) - action-request-with-pblock

  • 50177 (0xc401) - get-response-normal

  • 50178 (0xc402) - get-response-with-datablock

  • 50179 (0xc403) - get-response-with-list

  • 50433 (0xc501) - set-response-normal

  • 50434 (0xc502) - set-response-datablock

  • 50435 (0xc503) - set-response-last-data-block

  • 50436 (0xc504) - set-response-last-data-block-with-list

  • 50437 (0xc505) - set-response-with-list

  • 50945 (0xc701) - action-response-normal

  • 50946 (0xc702) - action-response-with-pblock

  • 50947 (0xc703) - action-response-with-list

  • 50948 (0xc704) - action-response-next-pblock

• dlms-classid [comp] <number>

• dlms-obis [arraycomp] <obidnum> Where <obidnum> is ID consisting of 6 digits delimited with . (dot), each digit has a maximal size of one byte, arraycomp is the array comparator, and only = (array exact equality) is supported. Example: dlms-obis = 1.0.99.1.0.255 To filter a group of IDs use a common prefix terminated with the character ’.’ (dot) Example: "dlms-obis 1.0.99." filters all IDs with the first 3 digits same, last 3 digits are treated as don’t care.

• dlms-attr-method-id [comp] <number>

• dlms-data-type [comp] <number> - with <number> as one of these:

  • 0 - null-data

  • 1 - array

  • 2 - structure

  • 3 - boolean

  • 4 - bit-string

  • 5 - double-long

  • 6 - double-long-unsigned

  • 9 - octet-string

  • 10 - visible-string

  • 13 - bcd

  • 15 - integer

  • 16 - long

  • 17 - unsigned

  • 18 - long-unsigned

  • 19 - compact-array

  • 20 - long64

  • 21 - long64-unsigned

  • 22 - enum

  • 23 - float32

  • 24 - float64

  • 25 - date-time

  • 26 - date

  • 27 - time

  • dlms-data-length [comp] <number>

• dlms-data-access-result [comp] <number> - with <number> as one of these:

  • 0 - success

  • 1 - hardware-fault

  • 2 - temporary-failure

  • 3 - read-write-denied

  • 4 - object-undefined

  • 9 - object-class-inconsistent

  • 11 - object-unavailable

  • 12 - type-unmatched

  • 13 - scope-of-access-violated

  • 14 - data-block-unavailable

  • 15 - long-get-aborted

  • 16 - no-long-get-in-progress

  • 17 - long-set-aborted

  • 18 - no-long-set-in-progres

  • 250 - other-reason

• dlms-action-result [comp] <number> - with <number> as one of these:

  • 0 - success

  • 1 - hardware-fault

  • 2 - temporary-failure

  • 3 - read-write-denied

  • 4 - object-undefined

  • 9 - object-class-inconsistent

  • 11 - object-unavailable

  • 12 - type-unmatched

  • 13 - scope-of-access-violated

  • 14 - data-block-unavailable

  • 15 - long-action-aborted

  • 16 - no-long-action-in-progress

  • 250 - other-reason

VMware NSX fields

• nsx-ruleid <number> - Firewall rule ID

• nsx-vnicindex <number> - VNIC index

• nsx-vmuuid <number> [<number>] - filters flow records with specific VM UUID that uniquely identifies the VM. This ID comprises of two hexadecimal numbers. You can provide just the first one or both. Each hexa number must be preceded with a 0x prefix. This is an example for VM UUID (00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ff): "nsx-vmuuid 0x0011223344556677" or "nsx-vmuuid 0x0011223344556677 0x8899aabbc-cddeeff".

• nsx-vmuuid-mac <addr> - since VM UUID usually contains MAC address in its first part, you can use MAC in a filter as well. It will be matched with the first VMUUID number. This is an example how to filter out the machine with mac address 00:11:22:33:44:55: "nsx-vmuuid-mac 00:11:22:33:44:55".

Network Performance Metrics Primitives

• npm-rtt [[<comp>] <realnumber>] - Round Trip Time (RTT)

• npm-srt [[<comp>] <realnumber>] - Server Response Time (SRT)

• npm-retr [[<comp>] <realnumber>] - Packet Retransmissions (RTR)

• npm-ooo [[<comp>] <realnumber>] - Number of Out of Order packets (OoO)

• npm-jdev [[<comp>] <realnumber>] - Standard Deviation of Jitter (SDV Jitter)

• npm-javg [[<comp>] <realnumber>] - Average Jitter (AVG Jitter)

• npm-jmin [[<comp>] <realnumber>] - Minimal Jitter (MIN Jitter)

• npm-jmax [[<comp>] <realnumber>] - Maximal Jitter (MAX Jitter)

• npm-ddev [[<comp>] <realnumber>] - Standard Deviation of Inter-packet Delay (SDV IPD)

• npm-davg [[<comp>] <realnumber>] - Average Inter-packet Delay (AVG IPD)

• npm-dmin [[<comp>] <realnumber>] - Minimal Inter-packet Delay (MIN IPD)

• npm-dmax [[<comp>] <realnumber>] - Maximal Inter-packet Delay (MAX IPD)

with <realnumber> as a real number in format NNN.nnn.

Cisco Primitives

Cisco AVC - ART

• art-snt [[<comp>] <realnumber>] - Sum Server Network Time (Sum SNT)

• art-sntmin [[<comp>] <realnumber>] - Minimal Server Network Time (MIN SNT)

• art-sntmax [[<comp>] <realnumber>] - Maximal Server Network Time (MAX SNT)

• art-cnt [[<comp>] <realnumber>] - Sum Client Network Time (Sum CNT)

• art-cntmin [[<comp>] <realnumber>] - Minimal Client Network Time (MIN CNT)

• art-cntmax [[<comp>] <realnumber>] - Maximal Client Network Time (MAX CNT)

• art-srt [[<comp>] <realnumber>] - Sum Server Response Time (Sum SRT)

• art-srtmin [[<comp>] <realnumber>] - Minimal Server Response Time (MIN SRT)

• art-srtmax [[<comp>] <realnumber>] - Maximal Server Response Time (MAX SRT)

Cisco NEL

• nat event <add|delete>

• nat event [<comp>] <number>

• [src|dst] nip <ip> - selects the NAT IP address.

• [src|dst] nport <port> - selects the NAT port.

• ingress vrf <number> - selects the vrf.

Cisco NSEL/ASA

• asa event <ignore|create|term|delete|deny>

• asa event [<comp>] <number>

• asa event denied <ingress|egress|interface|nosyn>

• asa xevent [<comp>] <number>

• [src|dst] xip <ip> - selects the translated IP address.

• [src|dst] xport <port> - selects the translated port.

• ingress <ACN|ACE|XACE> [<comp>] <number> - selects/compares an ingress ACL ID fields.

• egress <ACN|ACE|XACE> [<comp>] <number> - selects/compares an egress ACL ID fields.

Aggregated Flows Primitives

• flows [<comp>] <num> [<scale>]- filters out NetFlow records with a specific number of aggregated flows.

<scale> is a scaling factor. Allowed prefixes are (Kilo) k, (Mega) m, (Giga) g, (Tera) t. The factor is 1024.

Packets, Bytes and Bits Primitives

Packets

• packets [<comp>] <num> - filters out NetFlow records with a specific packet count.

Example: packets > 1k.

Bytes

• bytes [<comp>] <num> - filters out NetFlow records with a specific byte count.

Example: bytes 46.

Packets per second

• pps [<comp>] <num> - specifies the pps of the flow.[<scale>]

Bits per second

• bps [<comp>] <num> - specifies the bps of the flow.[<scale>]

Bytes per packet

• bpp [<comp>] <num> - specifies the bpp of the flow.[<scale>]

Packets, Bytes and Bits examples

• packets > 1 M and bytes < 1700 M - matches records with more than 1 mega packets but under 1700 MB.

• (pps > 200 K or bps > 180 M) and bpp < 130 - matches records with a minimal threshold of at least 200 K packets per second or 180 M bits per second) while keeping packets under 130 B.

• bpp > 1500 and bytes > 100 M - finds jumbo packets flows larger than 100 MB.

Duration Primitives

Duration

• duration [<comp>] <num> - specifies the duration in milliseconds.

Duration examples

• duration > 1000 and duration < 5000 - matches flow records which took between 1 and 5 seconds.

Other Filter Examples

• proto tcp and net 192.168/16 and src port >> 1024 and dst port 80 and bytes > 2048 - matches HTTP/TCP communication in an internal network larger than 2048 bytes.

• proto tcp and (net 192.168/16) and (src port > 1024 and dst port 80) and (bytes > 2048) - is identical to the previous (with added brackets for readability).