Filter Syntax
- Last Updated: May 5, 2026
The filter syntax is similar to the well-known pcap library used by tcpdump. The filter can span several lines. Anything after a '#' is treated as a comment and ignored to the end of the line. There is virtually no limit on the length of the filter expression. All keywords are case-independent (for example, IP is the same as ip) unless noted otherwise. The strings are enclosed in double-quotes. String values are case sensitive (for example, "windowsupdate.COM" is not the same as "windowsupdate.com").
It is important to understand that these filters are applied to individual flow records before any aggregation occurs. Aggregated statistics, such as total bytes, total flows, or total packets, are not available for filtering because the filtering logic operates only at the individual flow level. As a result, amount‑based fields are not applicable for filtering top statistics or aggregated flow lists.
For several keywords you can use the autocomplete function for entering the desired value - see the picture below.
The filter consists of individual expressions. Expressions can be connected with the logical operators: “and” or “or”. When two expressions are connected with the logical operator “and”, the filtered data must satisfy conditions in both expressions to be included in the results. The logical operator “or” means that the data must match at least one of the expressions. All data matching the expression can be excluded by applying the operator “not” before the expression. Brackets can be used to create more complex filters:
<expression>
<expression> and <expression>
<expression> or <expression>
not <expression>
( <expression> )
Some keywords support comparators before the value. For string keywords, the support of comparators is indicated with <strcomp>. The following comparators are supported:
= - compared strings are identical.
> - <string> begins with a compared string.
< - <string> ends with a compared string.
If <strcomp> is omitted, compared string is a substring of <string>.
Numerical comparator support is indicated with <comp>. The following comparators are supported:
=, ==, or eq - compared values are equal.
!= or ne - compared values are not equal.
> or gt - compared value is greater.
< or lt - compared value is less.
>= or ge - compared value is greater or equal.
<= or le - compared value is less or equal.
in - compared value is in the list of values. In is used with [] brackets with values separated by space. For example, ip in [192.168.2.3 192.168.2.4].
If <comp> is omitted, '=' is assumed.
Some keywords support directional flags before the keyword itself. The following directional flags are supported:
src - the keyword applies to the source of the flow, for example, src ip <value>
dst - the keyword applies to the destination of the flow, for example, dst ip <value>
in - the keyword applies to the input interface of the flow, for example, in interface <value>
out - the keyword applies to the output interface of the flow, for example, out interface <value>
The directional flags can be supplied in any order before the keyword itself. The directional flags in|out are mutually exclusive. Only the directional flags src|dst can be combined with the logical operators “and” and “or” (for example, src or dst ip <value> has the same meaning as src ip <value> or dst ip <value>).
See the following subchapters for possible content of the <expression> element, that is, primitives.
Any
Use any as a dummy filter. Use not any to block all flows.
Protocol Primitives
Protocol version
- inet or ipv4 for IPv4
- inet6 or ipv6 for IPv6
Protocol
- protocol <protocol> where <protocol> can be any known IP protocol such as TCP, UDP, ICMP, ICMP6, ARP, GRE, ESP, AH, and so on. This keyword has an alias proto.
- protocol <num> where <num> is the protocol number (for example, 1 for ICMP).
Modbus
- modbus-unit-id <num> - Modbus Unit ID.
- modbus-read-requests <num> - Modbus Read Requests.
- modbus-write-requests <num> - Modbus Write Requests.
- modbus-diagnostic-requests <num> - Modbus Diagnostic Requests.
- modbus-other-requests <num> - Modbus Other Requests.
- modbus-undefined-requests <num> - Modbus Undefined Requests.
- modbus-success-responses <num> - Modbus Success Responses.
- modbus-error-responses <num> - Modbus Error Responses.
S7
- s7comm-param-length-sum [<comp>] <num> - S7 Param Len Sum.
- s7comm-data-length-sum [<comp>] <num> - S7 Data Len Sum.
- s7comm-job-readvar-count [<comp>] <num> - S7 Read.
- s7comm-job-readvar-item-count [<comp>] <num> - S7 Read Items.
- s7comm-ack-readvar-count [<comp>] <num> - S7 Read Ack.
- s7comm-ack-readvar-success-count [<comp>] <num> - S7 Read Success Ack.
- s7comm-job-writevar-count [<comp>] <num> - S7 Write.
- s7comm-job-writevar-item-count [<comp>] <num> - S7 Write Items.
- s7comm-ack-writevar-count [<comp>] <num> - S7 Write Ack.
- s7comm-ack-writevar-success-count [<comp>] <num> - S7 Write Success Ack.
- s7comm-job-upload-count [<comp>] <num> - S7 Upload Job.
- s7comm-ack-upload-count [<comp>] <num> - S7 Upload Ack.
- s7comm-job-download-count [<comp>] <num> - S7 Download Job.
- s7comm-ack-download-count [<comp>] <num> - S7 Download Ack.
- s7comm-job-control-count [<comp>] <num> - S7 Control Job.
- s7comm-ack-control-count [<comp>] <num> - S7 Control Ack.
- s7comm-error-response-count [<comp>] <num> - S7 Errors.
- s7comm-userdata-request-programmer-count [<comp>] <num> - S7 User Data Prog Req.
- s7comm-userdata-response-programmer-count [<comp>] <num> - S7 User Data Prog Resp.
- s7comm-userdata-request-cyclic-count [<comp>] <num> - S7 User Data Cyclic Req.
- s7comm-userdata-response-cyclic-count [<comp>] <num> - S7 User Data Cyclic Resp.
- s7comm-userdata-response-block-count [<comp>] <num> - S7 User Data Block Resp.
- s7comm-userdata-request-cpu-count [<comp>] <num> - S7 User Data CPU Req.
- s7comm-userdata-response-cpu-count [<comp>] <num> - S7 User Data CPU Resp.
- s7comm-userdata-request-security-count [<comp>] <num> - S7 User Data Security Req.
- s7comm-userdata-response-security-count [<comp>] <num> - S7 User Data Security Resp.
- s7comm-userdata-request-time-count [<comp>] <num> - S7 User Data Time Req.
- s7comm-userdata-response-time-count [<comp>] <num> - S7 User Data Time Resp.
- s7comm-userdata-request-other-count [<comp>] <num> - S7 User Data Other Req.
- s7comm-userdata-response-other-count [<comp>] <num> - S7 User Data Other Resp.
- s7comm-unknown-request-count [<comp>] <num> - S7 Unknown Req.
- s7comm-unknown-response-count [<comp>] <num> - S7 Unknown Resp.
MQTT
- mqtt-client-id <string> - MQTT Client ID.
- mqtt-protocol-version <num> - MQTT Protocol Version.
- mqtt-pub-count-server <num> - MQTT Publish Count Server.
- mqtt-pub-count-client <num> - MQTT Publish Count Client.
- mqtt-sub-count <num> - MQTT Subscribe Count.
- mqtt-connect-ack <num> - MQTT Connect ACK.
- mqtt-auth-username <string> - MQTT Auth Username.
- mqtt-auth-password-present <num> - MQTT Auth Password Present.
- mqtt-auth-method <string> - MQTT Auth Method.
DNP3
- dnp3-read-requests <num> - DNP3 Read Requests.
- dnp3-control-requests <num> - DNP3 Control Requests.
- dnp3-freeze-requests <num> - DNP3 Freeze Requests.
- dnp3-configuration-requests <num> - DNP3 Configuration Requests.
- dnp3-time-sync-requests <num> - DNP3 Time Sync Requests.
- dnp3-reserved-requests <num> - DNP3 Reserved Requests.
- dnp3-malformed-requests <num> - DNP3 Malformed Requests.
- dnp3-confirmation-responses <num> - DNP3 Confirmation Responses.
- dnp3-solicited-responses <num> - DNP3 Solicited Responses.
- dnp3-unsolicited-responses <num> - DNP3 Unsolicited Responses.
- dnp3-malformed-responses <num> - DNP3 Malformed Responses.
- dnp3-internal-indicators <num> - DNP3 Internal Indicators.
Hostname
- [src|dst] hostname <string> - Hostname.
Flow source interface
- flow-source-interface <string> - Flow source interface.
QUIC
- quic-version <num> - QUIC Version.
Protocol and protocol version examples
- inet6 - matches only IPv6 communication.
The following four filters all have the same meaning.
- inet6 and proto udp - matches only UDP communication over IPv6.
- inet6 and proto 17 - because UDP = 17.
- ipv6 and proto 17 - because inet6 and ipv6 are interchangeable.
- IPV6 AND PROTO 17 - because the expressions are not case sensitive.
- proto icmp or proto udp - matches both ICMP and UDP.
- (proto icmp or proto udp) and ipv4 - matches both ICMP and UDP communication only over IPv4.
- ipv4 and (proto icmp or proto udp) - is identical to the previous (the order does not matter in this case).
- ipv4 and proto icmp or proto udp - ambiguous because the brackets are missing (UDP would be matched over both IPv4 and IPv6).
- not (proto tcp or proto udp or proto icmp) - excludes TCP, UDP, and ICMP communication (ARP, ICMP6, IGMP, and other protocols can be explored).
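As an added example (not Flowmon's code), the following Python evaluator implements the and/or/not/bracket structure described above over a few of the primitives from this page (any, inet/ipv4, inet6/ipv6, proto, [src|dst] ip/host) and shows why the unbracketed filter is ambiguous. It assumes pcap-like precedence (not binds tightest, then and, then or), which is the reading implied by the remark about IPv6 UDP; the Flow records are constructed sample data, and combined directional flags such as src or dst ip are not covered.

```python
# Added example, not Flowmon's code: a recursive-descent evaluator for the
# and / or / not / bracket structure of the filter language, with a few of the
# primitives from this page. ASSUMPTION: pcap-like precedence (not > and > or),
# the reading implied by 'ipv4 and proto icmp or proto udp' letting IPv6 UDP through.
import ipaddress
import re
from collections import namedtuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51, "icmp6": 58}

# One flow record: source address, destination address, IP protocol number.
Flow = namedtuple("Flow", "src dst proto")


def tokenize(text):
    """Drop '#' comments to end of line, then split on whitespace and brackets."""
    return re.findall(r"\(|\)|[^\s()]+", re.sub(r"#.*", "", text))


class FilterParser:
    """Turns filter text into a predicate Flow -> bool."""

    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0

    def peek(self):
        return self.toks[self.pos].lower() if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self):
        pred = self.parse_or()
        if self.pos != len(self.toks):
            raise SyntaxError(f"unexpected token {self.toks[self.pos]!r}")
        return pred

    def parse_or(self):                 # lowest precedence
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = self._combine(left, self.parse_and(), lambda a, b: a or b)
        return left

    def parse_and(self):                # binds tighter than 'or' (assumption)
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = self._combine(left, self.parse_not(), lambda a, b: a and b)
        return left

    def parse_not(self):
        if self.peek() == "not":        # negates the whole following expression
            self.take()
            inner = self.parse_not()
            return lambda f: not inner(f)
        if self.peek() == "(":
            self.take()
            inner = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):
        direction = self.take().lower() if self.peek() in ("src", "dst") else None
        kw = self.take().lower()        # keywords are case-independent
        if kw == "any":
            return lambda f: True
        if kw in ("inet", "ipv4"):
            return lambda f: ipaddress.ip_address(f.src).version == 4
        if kw in ("inet6", "ipv6"):
            return lambda f: ipaddress.ip_address(f.src).version == 6
        if kw in ("proto", "protocol"):
            val = self.take().lower()
            num = int(val) if val.isdigit() else PROTO_NUMBERS[val]
            return lambda f: f.proto == num
        if kw in ("ip", "host"):
            addr = ipaddress.ip_address(self.take())
            hit = lambda v: ipaddress.ip_address(v) == addr
            if direction == "src":
                return lambda f: hit(f.src)
            if direction == "dst":
                return lambda f: hit(f.dst)
            return lambda f: hit(f.src) or hit(f.dst)   # no direction: either side
        raise SyntaxError(f"unsupported keyword {kw!r}")

    @staticmethod
    def _combine(left, right, op):
        return lambda f: op(left(f), right(f))


def matches(filter_text, flow):
    return FilterParser(filter_text).parse()(flow)
```

With a constructed IPv6 UDP flow, `matches("ipv4 and proto icmp or proto udp", flow)` is true while the bracketed form is false, which is the ambiguity the example above points out.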
IP Address Primitives
IP address
- [src|dst] ip <ipaddr> or [src|dst] host <ipaddr> with <ipaddr> as any valid IPv4 or IPv6 address. [src|dst] defines the IP address to be selected - src for source, dst for destination. Omitting [src|dst] means any direction (it is equivalent to “src or dst”).
- [src|dst] IP addresses, networks, ports, AS numbers, and so on, can be specifically selected using a direction qualifier, such as src or dst. These can also be used in combination with “and” and “or” (for example, “as src and dst ip”).
- [src|dst] ip4 <ipaddr> with <ipaddr> as any valid IPv4 address.
- [src|dst] ip6 <ipaddr> with <ipaddr> as any valid IPv6 address.
IP address - examples
- ip 192.168.2.4 - matches the specific IP address (as either source or destination).
- src or dst ip 192.168.2.4 - is identical to the previous.
- src ip 192.168.2.4 - matches the specific source IP address.
- src host 192.168.2.4 - is identical to the previous (ip and host are interchangeable).
- proto tcp and (src ip 192.168.2.3 or dst ip 192.168.0.1) - matches TCP communication with either the first address as source or the second address as destination.
List of IP addresses
- [src|dst] ip in [<iplist>] or [src|dst] host in [<iplist>] where iplist is a space-separated list of individual <ipaddr>.
List of IP addresses - examples
- src ip in [192.168.2.3 192.168.2.4] - matches records with either of these two addresses as the source.
- ip in [192.168.2.3 192.168.2.4] and proto tcp - matches only TCP communication of these addresses.
Network Primitives
Network
- [src|dst] net a.b.c.d m.n.r.s - selects the IPv4 network a.b.c.d with netmask m.n.r.s.
- [src|dst] net <net>/<num> with <net> as a valid IPv4 or IPv6 network and <num> as the number of mask bits. The number of mask bits must match the address family (IPv4 or IPv6). Networks may be abbreviated, such as 172.16/16, if they are unambiguous.
- [src|dst] net in [<ip/masklist>] - where <ip/masklist> is a list of subnet addresses (see the examples).
- next net a.b.c.d m.n.r.s - selects the next IPv4 network a.b.c.d with netmask m.n.r.s.
Network - examples
- src net 192.168.0.0/16 - matches IPs starting with 192.168 (the first 16 bits of the IP address are masked).
- src net 192.168.0.0 255.255.0.0 - is identical to the previous (the first 16 bits of the mask are 1s).
- src net 192.168.0.0 255.255.255.240 - matches IPs in the range 192.168.0.0 to 192.168.0.15 (the last mask octet, 240, is 1111 0000 in binary).
- src net 192.168.0.0 255.255.255.240 and not ip in [192.168.0.14 192.168.0.15] - matches IPs in the range 192.168.0.0 to 192.168.0.13.
- src net in [192.168.10.0/24, 192.168.20.0/24] and dst net in [192.168.50.0/24, 192.168.60.0/24] - matches flows with a source in subnet 192.168.10.0/24 or 192.168.20.0/24 and a destination in subnet 192.168.50.0/24 or 192.168.60.0/24.
Masks
- fwd-status [<comp>] <number> - Forwarding status. The keyword has aliases fwdstat and fwds.
- [src|dst] prefix4 [<comp>] <number>. The keyword has an alias mask4.
- [src|dst] prefix6 [<comp>] <number>. The keyword has an alias mask6.
Port Primitives
Port
- [src|dst] port [<comp>] <num or portname>
- [src|dst] port in [ <portlist> ]
The <portlist> is a space-separated list of individual port numbers or names. The <num> is a valid port number. The <portname> is a name of a service assigned to a specific port number by IANA. Use the autocomplete function to enter the service name.
The <comp> is a numerical comparator defined in the previous chapter.
- [src|dst] udp-port [<comp>] <num> - matches the port number.
- [src|dst] tcp-port [<comp>] <num> - matches the port number.
Port - examples
- dst port 110 - matches destination port 110 (pop3).
- dst port "pop3" - is identical to the previous (“pop3” is the text name for this port).
- port in [20, 21] - matches FTP communication.
- src port < 1024 and not port in [80,443] - matches well-known source ports (0-1023) in use, but ignores HTTP(S).
- dst port > 1023 and dst port < 49152 and proto udp - matches registered destination ports (1024-49151) in use over UDP.
ICMP
- icmp-type [<comp>] <num> - "ICMP type".
- icmp-code [<comp>] <num> - "ICMP code".
- icmp-type-code4 [<comp>] <num> - "ICMP Type Code". Use the autocomplete function to enter the value.
- icmp-type-code6 [<comp>] <num> - "ICMP Type Code v6". Use the autocomplete function to enter the value.
- icmp-type4 [<comp>] <num> - "ICMPv4 type", alias icmptype4.
- icmp-code4 [<comp>] <num> - "ICMPv4 code", alias icmpcode4. Use the autocomplete function to enter the ICMPv4 code.
- icmp-type6 [<comp>] <num> - "ICMPv6-T", alias icmptype6.
- icmp-code6 [<comp>] <num> - "ICMPv6-C", alias icmpcode6. Use the autocomplete function to enter the ICMPv6 code.
With <num> as a valid ICMP type/code, this automatically implies proto icmp.
HTTP Primitives
HTTP hostname
http-host [<strcomp>] "<string>" with <string> as a part or complete HTTP hostname. This keyword has an alias hhost.
HTTP URL
http-url [<strcomp>] "<string>" with <string> as a part or complete URL. Alias hurl.
HTTP - Operating System in User Agent
http-os [<comp>] "<value>" with <value> as a name of operating system or corresponding number (use the autocomplete function).
HTTP - Operating System Major Version
http-os-major [<comp>] <num> with <num> as a major version number. Alias hosmaj.
HTTP - Operating System Minor Version
http-os-minor [<comp>] <num> with <num> as a minor version number. Alias hosmin.
HTTP - Operating System Build Number
http-os-build [<comp>] <num> with <num> as a build number. Alias hosbld.
HTTP - Client Application in User Agent
http-app "<num or string>" with <string> as a name of client application (use the autocomplete function). Alias happ.
HTTP - Client Application Major Version
http-app-major [<comp>] <num> with <num> as a major version number. Alias happmaj.
HTTP - Client Application Minor Version
http-app-minor [<comp>] <num> with <num> as a minor version number. Alias happmin.
HTTP - Client Application Build Number
http-app-build [<comp>] <num> with <num> as a build version. Alias happbld.
HTTP - HTTP Method
http-method "<value>" with <value> as a name of HTTP method (use the autocomplete function) or hexadecimal number. Alias hmethod.
HTTP - HTTP Result Code
http-response-code [<comp>] <num> with <num> as a return code. Alias hrcode.
HTTP - Others
- http-xforward [<comp>] <ipaddr> with <ipaddr> as an IP address.
- http-xforward4 [<comp>] <ipaddr> with <ipaddr> as an IPv4 address. Alias hxff4.
- http-xforward6 [<comp>] <ipaddr> with <ipaddr> as an IPv6 address. Alias hxff6.
Autonomous System Numbers Primitives
Autonomous system numbers
- [src|dst] autonomous-systems [<comp>] <num or name> - selects the source, destination, or any AS number with <num> as any valid AS number. 32-bit AS numbers are supported. Use the autocomplete function to enter the autonomous system name. If <comp> is omitted, '=' is assumed. The keyword has aliases as and bgpnum.
- prev-as [<comp>] <num> - selects the previous AS number. The keyword has aliases prev as, prevas, and pas.
- next-as [<comp>] <num> - selects the next AS number. The keyword has aliases next as, nextas, and nas.
- [src|dst|prev|next] as in [ <ASlist> ] - an AS number can be compared against a known list, where <ASlist> is a space- or comma-separated list of individual AS numbers.
Autonomous system number - examples
- as 15169 - includes all communication involving the Google LLC AS (15169).
- not src as 8068 - excludes communication from the Microsoft Corporation AS (8068).
VLAN labels
- [src|dst] vlan [<comp>] <num> with <num> as any valid VLAN label.
User identity of IP
- [src|dst] user-id <user ID> with <user ID> as a user identifier provided by DHCP, VPN, directory service, and so on, using syslog. The keyword has aliases uid and login.
Country of origin of IP
- [src|dst] country "<value>" with <value> as a name of the country or the number of the country according to ISO 3166-2. Use the autocomplete function to enter the name of a country. The keyword has an alias ctry.
TCP Flags Primitives
TCP flags
flags [=] "<flagstring>" where flagstring can either be an individual flag or a logical expression of flags. In the logical expression, the flags can be joined by "&" and "|" operators. The following grammar is used:
- flagstring ::= <exp> | <exp-and> | <exp-or>
- <exp> ::= <flag> | <exp><flag>
- <exp-and> ::= <flag> | <exp-and> "&" <flag>
- <exp-or> ::= <flag> | <exp-or> "|" <flag>
- <flag> ::= "A" | "S" | "F" | "R" | "P" | "U" | "C" | "E" | "X"
All flags must be in uppercase letters.
<flag> has the following meaning:
- A - ACK
- S - SYN
- F - FIN
- R - Reset
- P - Push
- U - Urgent
- C - Congestion Window Reduced
- E - ECN-Echo
- X - All flags on
<exp>, <exp-and> and <exp-or> have the following meaning:
- The <exp>, <exp-and>, and <exp-or> expressions can be used with or without the = operator. Without =, the filter performs a partial match: the specified flags condition must be met, but other flags may also be set. With =, the filter performs an exact match: only the specified flags are set and no others.
- The <exp> and <exp-and> expressions match flows where all listed flags are set. Without = (partial match), other flags may also be set. With = (exact match), only the specified flags are set and no others.
- The <exp-or> expression matches flows where at least one of the listed flags is set. When used with =, at least one of the listed flags must be present, and no other flags may be set.
The flags keyword has an alias tcpflags.
The not operator negates the entire TCP flags expression, not individual flags. For example, not flags S matches flows where the SYN flag is not set, and not flags "S|F" matches flows where neither the SYN nor the FIN flag is set. This behavior can produce unexpected results in complex filter expressions. Where possible, use the = operator to construct explicit exact-match filters rather than relying on negation.
The evaluation behavior of TCP flags expressions changed between Flowmon 12 and Flowmon 13, particularly for partial match and negation expressions. After upgrading from Flowmon 12 to Flowmon 13, review and test any saved filters that use TCP flags expressions to verify they produce the expected results.
TCP Flags - examples
- flags S - matches any flow where the SYN flag is set (partial match). Other flags may also be set (for example, ...AP.S. or ...A..SF).
- flags = S - matches flows with only the SYN flag set (exact match, that is, .....S.). Use this expression for SYN-only filtering.
- flags "S|F" - matches flows where the SYN or FIN flag (or both) is set (partial match).
- flags = "S|F" - matches flows where only the SYN or FIN flag is set (exact match), with at least one present.
- flags = "A&P&F" - matches flows with only the ACK, Push, and FIN flags set (exact match, ...AP..F).
Extended TCP
- tcp-ttl [<comp>] <number> - filters by TCP TTL (Time to live). The keyword has an alias ttltcp.
- tcp-window-size [<comp>] <number> - filters by TCP window size. The keyword has an alias tcpwinsize.
- tcp-syn-size [<comp>] <number> - filters by TCP SYN packet size. The keyword has an alias tcpsynsize.
Next Hop IP Primitive
- next ip <ipaddr> with <ipaddr> as the IPv4/IPv6 IP address of the next-hop router.
- next-hop4 - Next Hop IPv4 address. The keyword has an alias nexthop4.
- next-hop6 - Next Hop IPv6 address. The keyword has an alias nexthop6.
Next-hop router's IP in the BGP domain
- bgpnext ip <ipaddr> with <ipaddr> as the IPv4/IPv6 next-hop router's IP in the BGP domain.
- bgp-next4 - Next Hop router IPv4 address in the BGP domain. The keyword has an alias bgpnext4.
- bgp-next6 - Next Hop router IPv6 address in the BGP domain. The keyword has an alias bgpnext6.
- bgpnext net
Router IP Primitive
- router ip <ipaddr> - filters the flows according to the IP address of the exporting source (router or probe).
Flow Source Name Primitive
- source "<sourcename>" - filters the flows according to the name of the exporting source (router or probe). Use the autocomplete function to enter the name of the source. Only names shown on the "Sources" page are supported.
Flow Source Identification
- flow-source "<string>" with <string> as a flow source identification (use the autocomplete function). The keyword has the alias flowident.
Source ID Primitive
- source-id [ <comp> ] <number> - filters flows with specific source ID (one exporting device might use multiple source IDs for different exporting engines). Supported for sFlow only.
Interface Primitives
Interface
- [in|out] interface <num> - selects input or output interface ID. Omitting [in|out] is equivalent to IN or OUT (selects either IN or OUT interfaces). The <num> is SNMP interface number. The keyword has an alias if.
Interface - Examples
- in if 3 - selects input interface #3.
Flow Source Network Interface Name
- sourceport "<sourcename>":"<interfacename>" - filters flows exported from network interface <interfacename> on source <sourcename>. Use autocomplete function to enter the name of the source and interface. Only names shown on page "Sources" are supported.
MAC Address Primitive
- [in|out] [src|dst] mac <addr> with <addr> as any valid MAC address; src, dst, in, and out are optional and can be provided in any order. The <addr> can be further specified by using any combination of a direction specifier as defined by CISCO v9: in src, in dst, out src, out dst.
MPLS Labels Primitives
- mpls<n>-label [<comp>] <number> with <n> as any MPLS label number in the range 1..10. It filters exactly the specified label <n>.
- mpls-eos [<comp>] <number> - filters the End of Stack label for the given value <number>.
- mpls<n>-stack [<comp>] <number> with <n> as any MPLS label number in the range 1..10. It filters the specified label in the stack <n>.
- mpls-exp<n> [<comp>] <bits> - filters the experimental bits of label <n>, with <bits> in the range 0..7.
MPLS VPN Route Distinguisher
- route-distinguisher-data [<comp>] <num> - Route Distinguisher Raw. The keyword has an alias rdraw.
- rdasn [<comp>] <num>
- rdval [<comp>] <num>
- rd [<strcomp>] <string>
- rdip [<comp>] <ipaddr>
TOS Primitives
TOS field
The type-of-service field has an 8-bit structure: a 6-bit DSCP value and a 2-bit ECN value.
- [src|dst] type-of-service [<comp>] <value> for the Type of Service. Numerical values 0..255 are supported. The keyword has an alias tos.
DSCP field
dscp can be used for filtering the DSCP values stored in the first 6 bits of the type-of-service field.
- [src|dst] dscp [<comp>] <value> with numerical value or named DSCP constant ("AF11", "AF12", "CS1", "CS2", ...)
- DSCP filter examples:
- dscp "AF11" - is the same as dscp 10
- dscp "CS7" - is the same as dscp 56
ECN field
ecn can be used for filtering the ECN values stored in the last 2 bits of the type-of-service field.
- [src|dst] ecn [<comp>] <value> - with numerical value 0..3
For further information, visit https://en.wikipedia.org/wiki/Type_of_service.
NBAR2 Primitives
NBAR2 Application Tag
- application-id [<comp>] "<appname>"
- application-id <AppEID>:<AppID>
With <appname> as the name of application recognized by NBAR2 or as a number (0..255). Use the autocomplete function to enter the application name. The <AppEID> is Classification Engine ID and <AppID> is Application ID (defined in RFC 6759 and NBAR2 Protocol Pack). The keyword has an alias apptag.
NBAR2 AppID
- appid <value> with <value> as a number (0..16777216).
- appeid <number>
DNS Primitives
DNS filters
A correct DNS filter should be preceded with the keyword "dns" to correctly process only the valid DNS flows (e.g. dns and dns-qrflag 0).
DNS ID
- dns-id [comp] <value> with <value> as a number (0..65535). The keyword has an alias dnsid.
DNS question count
- dns-query-count [comp] <value> with <value> as a number (0..65535). The keyword has aliases dnsqcount and dns-qcount.
DNS answer count
- dns-answer-count [comp] <value> with <value> as a number (0..65535). The keyword has aliases dnsanswcount and dns-answcount.
DNS authority count
- dns-authority-count [comp] <value> with <value> as a number (0..65535). The keyword has aliases dnsauthcount and dns-authcount.
DNS additional count
- dns-additional-count [comp] <value> with <value> as a number (0..65535). The keyword has aliases dnsaddtcount and dns-addtcount.
DNS flags
- dns-flags [=] "<flagstring>" with <flagstring> in the following format:
– flagstring ::= '"' <flagstringexp> '"'
– <flagstringexp> ::= <exp>
– <flagstringexp> ::= <exp-and>
– <flagstringexp> ::= <exp-or>
– <exp> ::= <flag> | <exp><flag>
– <exp-and> ::= <flag> | <exp-and> "&" <flag>
– <exp-or> ::= <flag> | <exp-or> "|" <flag>
– <flag> ::= "AA" | "TC" | "RD" | "RA" | "AD" | "CD"
<flag> has the following meaning:
AA - Authoritative Answer Flag
TC - Truncation Flag
RD - Recursion Desired
RA - Recursion Available
AD - Authentic Data
CD - Checking Disabled
<exp>, <exp-and> and <exp-or> have the following meaning:
– The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use the operator "=".
– The <exp-and> is equivalent to <exp>.
– The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use the operator "=".
- dns-qrflag [comp] <value>, where value "0" is a DNS Query and "1" is a DNS Response.
DNS question
- dns-query-type [comp] <value> with <value> as a question type. The keyword has aliases dns-qtype and dnsqtype.
- dns-query-class [comp] <number> with <number> as a question class. The keyword has aliases dns-qclass and dnsqclass.
- dns-query-name [strcomp] "<string>" with <string> as a question name. The keyword has aliases dns, dns-qname and dnsqname.
- dns-query-name1 [strcomp] "<string>" with <string> as a question name (1st level domain). The keyword has an alias dns-qname1.
- dns-query-name2 [strcomp] "<string>" with <string> as a question name (1st & 2nd level domain). The keyword has an alias dns-qname2.
- dns-query-name3 [strcomp] "<string>" with <string> as a question name (1st, 2nd & 3rd level domain). The keyword has an alias dns-qname3.
DNS response
- dns-response-name [strcomp] "<string>" with <string> as a question response name. The keyword has aliases dns-rname and dnsrname.
- dns-response-type [comp] <value> with <value> as a response type. The keyword has aliases dns-rtype and dnsrtype.
- dns-response-class [comp] <value> with <value> as a response class. The keyword has aliases dns-rclass and dnsrclass.
- dns-response-ttl [comp] <value> with <value> as a response TTL. The keyword has aliases dns-rttl and dnsrttl.
- dns-response-info [<strcomp>] "<string>" with <string> as response data. The keyword has aliases dns-rdata and dnsrdata.
- dns-response-name1 "<string>" with <string> as a question response name (1st level domain). The keyword has an alias dns-rname1.
- dns-response-name2 "<string>" with <string> as a question response name (1st & 2nd level domain). The keyword has an alias dns-rname2.
- dns-response-name3 "<string>" with <string> as a question response name (1st, 2nd & 3rd level domain). The keyword has an alias dns-rname3.
- dns-response-data1 "<string>" with <string> as response data (1st level domain). Only for response types CNAME, DNAME, NS, SOA, MX, SRV. The keyword has an alias dns-rdata1.
- dns-response-data2 "<string>" with <string> as response data (1st & 2nd level domain). Only for response types CNAME, DNAME, NS, SOA, MX, SRV. The keyword has an alias dns-rdata2.
- dns-response-data3 "<string>" with <string> as response data (1st, 2nd & 3rd level domain). Only for response types CNAME, DNAME, NS, SOA, MX, SRV. The keyword has an alias dns-rdata3.
DNS - Others
- dns-rcode [comp] <number or codestring> with <number> as a response code. Use autocomplete suggestions for <codestring>.
- dns-opcode [comp] <number or codestring> with <number> as an operation code. Use autocomplete suggestions for <codestring>.
- dns-qrflag [comp] <value> with <value> as a query (0) / response (1) flag. Use autocomplete suggestions.
DHCP Primitives
DHCP offered IP address
- dhcp-offered-ip <ip> with <ip> as the IP address, which DHCP server offered to the host. The keyword has aliases dhcpoip and dhcp-offeredip.
DHCP MAC address of host
- dhcp-host-mac <macaddr> with <macaddr> as a MAC address of the host. The keyword has aliases dhcphmac and dhcp-hostmac.
DHCP message type
- dhcp-type-message [comp] <number>, with <number> as a combination of (RFC 2132, RFC 3203, RFC 4388, RFC 6926, draft-ietf-dhc-dhcpv4-active-leasequery-07):
1 - Discover
2 - Offer
3 - Request
4 - Decline
5 - ACK
6 - NAK
7 - Release
8 - Inform
9 - Force Renew
10 - Lease Query
11 - Lease Unassigned
12 - Lease Unknown
13 - Lease Active
14 - Lease Bulk Lease Query
15 - Lease Query Done
The keyword has aliases dhcp-type and dhcptype.
DHCP IP address lease time
- dhcp-lease-time [comp] <number> with <number> as the IP address lease time. Value is specified in seconds. The keyword has aliases dhcpltime and dhcp-leasetime.
DHCP server IP address
- dhcp-server-ip <ip> where <ip> is the IP address of the DHCP server. The keyword has aliases dhcpsip and dhcp-servip.
DHCP server domain name
- dhcp-domain-name [<strcomp>] "<string>" with <string> as the domain name of the DHCP server. The keyword has aliases dhcpdname and dhcp-domname.
DHCP hostname
- dhcp-host-name [<strcomp>] "<octalstring>" with <octalstring> as a combination of:
– <string>
– <octalval> where <octalval> is a string in the following format \&nnn, where nnn is the octal number in range 0..255.
The keyword has aliases dhcphname and dhcp-hostname.
DHCP requested IP address
- dhcp-request-ip <ip> with <ip> as the requested IP address. The keyword has aliases dhcpipreq and dhcp-ipreq.
Samba Primitives
Samba operation code version 1
- smb1-cmd [<comp>] <number or smbopcode1> with <smbopcode1> as a samba operation code version 1. Use autocomplete suggestions.
Samba operation code version 2
- smb2-cmd "<flagstring>" with <flagstring> in following format:
– flagstring ::= '"' <flagstringexp> '"'
– <flagstringexp> ::= <exp>
– <flagstringexp> ::= <exp-and>
– <flagstringexp> ::= <exp-or>
– <exp> ::= <flag> | <exp><flag>
– <exp-and> ::= <flag> | <exp-and> "&" <flag>
– <exp-or> ::= <flag> | <exp-or> "|" <flag>
– <flag> ::= "NE" | "SS" | "LO" | "TC" | "TD" | "CR" | "CL" | "FL" | "RE" | "WR" | "LC" | "IO" | "CA" | "EC" | "QD" | "CN" | "QI" | "SI" | "OB" | "EN"
<flag> has the following meaning:
NE - Negotiate
SS - Session setup
LO - Logoff
TC - Tree connect
TD - Tree disconnect
CR - Create
CL - Close
FL - Flush
RE - Read
WR - Write
LC - Lock
IO - Ioctl
CA - Cancel
EC - Echo
QD - Query directory
CN - Change notify
QI - Query info
SI - Set info
OB - Oplock break
EN - Encrypted packet (in SMB3)
<exp>, <exp-and> and <exp-or> have the following meaning:
– The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".
– The <exp-and> is equivalent to <exp>.
– The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".
- smb2-scmd "<smbopcode2>". Only flows matching exactly the specified flags will be processed.
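The flagstring grammar above is the same one the TCP flags (flags/tcpflags) and dns-flags sections use, so one evaluator serves all three. The following Python is an added example, not Flowmon's code: it parses <exp>, <exp-and> and <exp-or> forms, applies the partial (no =) versus exact (=) semantics the page describes, and negates the whole comparison for not. The set of flags seen in a flow is passed in as a plain Python set (a constructed representation), and treating the TCP flag X as shorthand for all eight flags is this example's reading of "X - All flags on".

```python
# Added example, not Flowmon's code: an evaluator for the <flagstring> grammar that
# the flags/tcpflags, dns-flags and smb2-cmd keywords on this page share. A flagstring
# is a concatenation of flags (<exp>, e.g. "AP"), an '&'-joined list (<exp-and>) or a
# '|'-joined list (<exp-or>); without '=' the match is partial (other flags may be
# set), with '=' it is exact. The flags seen in a flow are passed in as a plain set
# (a constructed representation). Reading of the page: TCP "X" stands for all eight
# flags, and "not" negates the whole comparison rather than individual flags.
import re

TCP_FLAGS = ("A", "S", "F", "R", "P", "U", "C", "E", "X")
DNS_FLAGS = ("AA", "TC", "RD", "RA", "AD", "CD")
SMB2_CMDS = ("NE", "SS", "LO", "TC", "TD", "CR", "CL", "FL", "RE", "WR",
             "LC", "IO", "CA", "EC", "QD", "CN", "QI", "SI", "OB", "EN")
KEYWORD_ALPHABETS = {"flags": TCP_FLAGS, "tcpflags": TCP_FLAGS,
                     "dns-flags": DNS_FLAGS, "smb2-cmd": SMB2_CMDS}


def split_concat(text, alphabet):
    """Split an <exp> such as "AP" or "AATC" into flags (longest name first)."""
    names = sorted(alphabet, key=len, reverse=True)
    flags, pos = [], 0
    while pos < len(text):
        for name in names:
            if text.startswith(name, pos):
                flags.append(name)
                pos += len(name)
                break
        else:
            raise ValueError(f"unknown flag at {text[pos:]!r}")
    return flags


def parse_flagstring(text, alphabet):
    """Return ("all" | "any", set of flags) for one <flagstring>."""
    text = text.strip().strip('"')
    if "&" in text and "|" in text:
        raise ValueError("the grammar does not mix '&' and '|' in one flagstring")
    if "|" in text:
        mode, parts = "any", text.split("|")                # <exp-or>
    elif "&" in text:
        mode, parts = "all", text.split("&")                # <exp-and>
    else:
        mode, parts = "all", split_concat(text, alphabet)   # <exp>
    unknown = set(parts) - set(alphabet)
    if unknown or not parts:
        raise ValueError(f"empty flagstring or unknown flags {sorted(unknown)}")
    if "X" in parts:                                        # TCP only: X = all flags on
        parts = [p for p in parts if p != "X"] + [f for f in TCP_FLAGS if f != "X"]
    return mode, set(parts)


def match_flags(flagstring, flow_flags, alphabet, exact=False):
    """Apply one flagstring to the set of flags seen in a flow record."""
    mode, wanted = parse_flagstring(flagstring, alphabet)
    seen = set(flow_flags)
    hit = wanted <= seen if mode == "all" else bool(wanted & seen)
    if exact:                     # '=': nothing outside the listed flags may be set
        hit = hit and seen <= wanted
    return hit


# optional leading 'not', keyword, optional '=', flagstring with or without quotes
PRIMITIVE = re.compile(r'^\s*(not\s+)?([\w-]+)\s*(=)?\s*"?([^"]*?)"?\s*$')


def evaluate(primitive, flow_flags):
    """Evaluate text such as 'flags = "S|F"', 'not flags S' or 'dns-flags "AA&TC"'."""
    m = PRIMITIVE.match(primitive)
    if not m:
        raise SyntaxError(f"cannot parse {primitive!r}")
    negate, keyword, equals, flagstring = m.groups()
    alphabet = KEYWORD_ALPHABETS[keyword.lower()]
    hit = match_flags(flagstring, flow_flags, alphabet, exact=(equals == "="))
    return (not hit) if negate else hit
```

`evaluate('flags = "S|F"', {"A", "S"})` is false because the ACK bit falls outside the listed flags, while the same flagstring without = is true; this is the partial-versus-exact distinction the TCP Flags examples rely on.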
Samba tree structure
- smb-tree [strcomp] "<string>" with <string> as a tree structure. The keyword has an alias smbtree.
Samba file name
- smb-file [strcomp] "string" with <string> as a file name. The keyword has an alias smbfile.
Samba file type
- smb-file-type [comp] <number> where <number> 1 is a directory and 2 is a file. The keyword has aliases smbfiletype and smb-filetype.
Samba file operation type
- smb-op [comp] <sambaoptype> with <sambaoptype> as a combination of:
0 - Supersede
1 - Open
2 - Create
3 - Overwrite
4 - Open if (Open the file if it already exists; otherwise, create the file.)
5 - Overwrite if (Overwrite the file if it already exists; otherwise, create the file.)
- smb-op-int [comp] <number>
Samba delete flag
- smb-del [comp] <value> where value "1" indicates file deletion and "0" indicates no deletion.
Samba error flag
- smb-err [comp] <value> where value "1" indicates error and "0" indicates no error.
MAIL Primitives
SMTP hello content
- smtp-hello [<strcomp>] "<str>", with <str> as described in RFC 5321. The keyword has aliases smtp-helo and smtphelo.
SMTP from
- smtp-from [<strcomp>] "<str>", with <str> as described in RFC 5321. The keyword has an alias smtpfrom.
MAIL username
- mail-user [<strcomp>] "<str>". The keyword has an alias mailuser.
MAIL failed authentication counter
- mail-failed-authentication [<comp>] <number>. The keyword has aliases mailfailedauth and mail-fail-auth.
MAIL TLS flag
- mail-tls [<comp>] <number>, with <number> as described in RFC 3207. The keyword has an alias mailtls.
SIP Primitives
SIP call ID
- sip-call-id [<strcomp>] "<str>". The keyword has aliases scid and sip-callid.
SIP calling party
- sip-calling-party [<strcomp>] "<str>". The keyword has aliases scing and sip-calling.
SIP called party
- sip-called-party [<strcomp>] "<str>". The keyword has aliases scled and sip-called.
SIP VIA
- sip-via [<strcomp>] "<str>". The keyword has an alias svia.
SIP ringing time
- sip-ring-time [<comp>] <number>. The keyword has aliases srt and sip-ringtime.
SIP OK time
- sip-ok-time [<comp>] <number>. The keyword has aliases sok and sip-oktime.
SIP bye time
- sip-bye-time [<comp>] <number>. The keyword has aliases sbye and sip-byetime.
SIP RTP IP (IPv4/IPv6)
- sip-ip [<comp>] <ipv4>.
- sip-ip4 [<comp>] <ipv4>. The keyword has an alias srip4.
- sip-ip6 [<comp>] <ipv6>. The keyword has an alias srip6.
SIP RTP audio
- sip-audio [<comp>] <number>. The keyword has an alias saud.
SIP RTP video
- sip-video [<comp>] <number>. The keyword has an alias svid.
SIP Stats
- sip-stats [<comp>] <number>. The keyword has an alias ssts.
VOIP Packet Type
- voip-packet-type [<comp>] <number>
VOIP packet type list:
0 - Non-VOIP data
1 - SIP service requests
2 - SIP responses on service requests
3 - SIP call requests
4 - SIP responses on call requests
8 - RTP voice data
16 - RTCP control and statistical data
The keyword has aliases voip-pkttype and spt.
RTCP Primitives
RTCP packets count
- rtcp-packets [<comp>] <number>. The keyword has aliases rpkt and rtcp-pkts.
RTCP octets count
- rtcp-octets [<comp>] <number>. The keyword has an alias roct.
RTP jitter
- rtp-jitter [<comp>] <number>. The keyword has an alias rjit.
RTP jitter is measured in RTP timestamp units. RTP timestamp unit is based on the sampling rate. For example, for the sampling rate of 8000 Hz (PCMA) one unit is equal to 1/8000 of a second. For details, refer to RFC 3550 - interarrival jitter.
RTCP lost packets on client side
- rtcp-lost [<comp>] <number>. The keyword has an alias rlst.
RTP codec type
- rtp-codec [<comp>] <number>. The keyword has an alias rcod.
RTCP source count
- rtcp-sources [<comp>] <number>. The keyword has an alias rsc.
Latency
- client-latency [<comp>] <number>. The keyword has an alias client latency.
- server-latency [<comp>] <number>. The keyword has an alias server latency.
- app-latency [<comp>] <number>. The keyword has an alias app latency.
MSSQL Primitives
MSSQL TDS
- tds-request-type [<comp>] <number> - TDS request type. The keyword has aliases tdsreq and tds-req.
- tds-protocol-version [<comp>] <number> - TDS protocol version (<number> should be a 32-bit hex number, e.g. 0x71000001). The keyword has aliases tdsver and tds-ver.
- tds-client-version [<comp>] <version> - TDS client version (<version> in the format unsigned.unsigned.unsigned). The keyword has aliases tdscver and tds-cver.
- tds-server-version [<comp>] <version> - TDS server version. The keyword has aliases tdssver and tds-sver.
- tds-database-context [<strcomp>] "<string>" - TDS database context. The keyword has aliases tdsdb and tds-db.
- tds-user [<strcomp>] "<string>" - TDS username. The keyword has an alias tdsuser.
- tds-host [<strcomp>] "<string>" - TDS hostname. The keyword has an alias tdshost.
Filters can be used without parameters to select the elements with valid values.
MSSQL TDS Experimental
- tds-response-type [<comp>] <number> - TDS response type. The keyword has aliases tdsres and tds-res.
- tds-token [<comp>] <number> - TDS 1st token of the response. The keyword has an alias tdstoken.
- tds-transaction-manager-request-type [<comp>] <number> - TDS transaction manager request type. The keyword has aliases tdstmr and tds-tmr.
- tds-error-code [<comp>] <number> - TDS error code. The keyword has aliases tdserr and tds-err.
- tds-enviroment-change-type [<comp>] <number> - TDS environment change type. The keyword has aliases tdsenvch and tds-envch.
- tds-sql [<strcomp>] "<string>" - TDS SQL query (search for a case-sensitive string). The keyword has aliases tdssql and tds-isql.
- tds-rpc [<strcomp>] "<string>" - TDS remote procedure name. The keyword has an alias tdsrpc.
- tds-server-name [<strcomp>] "<string>" - TDS server name. The keyword has aliases tdsservname and tds-servname.
Filters can be used without parameters to select elements with valid values.
MySQL Primitives
MySQL Protocol Version
- mysql-ver [<comp>] <number>
MySQL Server Version
- mysql-server-version [<strcomp>] "<str>". The keyword has an alias mysql-sver.
MySQL User Authentication Status
- mysql-auth-status [<comp>] "<authstr or authnum>". The keyword has an alias mysql-auths.
with <authnum> - <authstr> as information about successful authentication:
0 - Not authenticated yet (any reason)
1 - User authenticated
2 - Credentials rejected
3 - Pre-authentication
4 - In progress
MySQL Username
- mysql-user [<strcomp>] "<str>"
MySQL Authentication Method
- mysql-auth-method [<strcomp>] "<string>". The keyword has an alias mysql-authm.
MySQL Database
- mysql-db [<strcomp>] "<string>"
MySQL Server and Client Capabilities
- mysql-server-capabilities [=] "<flagstring>". The keyword has an alias mysql-cpblts.
- mysql-client-capabilities [=] "<flagstring>". The keyword has an alias mysql-cpbltc.
The <flagstring> has the following format:
– flagstring ::= ’"’ <flagstringexp> ’"’
– <flagstringexp> ::= <exp>
– <flagstringexp> ::= <exp-and>
– <flagstringexp> ::= <exp-or>
– <exp> ::= <flag> | <exp><flag>
– <exp-and> ::= <flag> | <exp-and> "&" <flag>
– <exp-or> ::= <flag> | <exp-or> "|" <flag>
– <flag> - "RO" | "VC" | "MO" | "NE" | "TR" | "HE" | "LD" | "AB" | "AP" | "MP" | "MS" | "MQ" | "NP" | "RD" | "TS" | "IP" | "CY" | "IE" | "41" | "IS" | "LF" | "OD" | "CS" | "NS" | "HD" | "LG" | "RF" | "LP"
<flag> has the following meaning:
RO - Remember Options
VC - SSL Verify Server Certificate
MO - MariaDB: Obsolete (old Client Progress flag)
NE - No EOF Packets (Deprecate EOF)
TR - Session Tracking
HE - Handle Expired Passwords
LD - Length Encoded Client Authentication Data
AB - Connection Attributes
AP - Authentication Plugin (Pluggable Authentication)
MP - Multi Result Set in Prepared Statements
MS - Multi Result Set
MQ - Multiple Queries (Statements)
NP - Native ("Secure") Password Authentication
RD - Reserved (old Client Protocol 4.1 flag)
TS - Transactions
IP - Ignore SIGPIPE
CY - Encryption
IE - Interactive Session
41 - Client Protocol 4.1
IS - Ignore Spaces
LF - Local Files
OD - ODBC support
CS - Compression
NS - No "schema.table.column" Expressions
HD - Handshake (Connect) With Database
LG - Long Flags
RF - Found Rows
LP - Long Password
<exp>, <exp-and> and <exp-or> have the following meaning:
– The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".
– The <exp-and> is equivalent to <exp>.
– The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".
MySQL Error Code
- mysql-error-code [<comp>] <number>. The keyword has an alias mysql-err.
MySQL Command
- mysql-cmd [<comp>] <cmdnum>
- mysql-cmd "<cmdstr>"
with <cmdnum> - <cmdstr> as a combination of:
0 - SLEEP
1 - QUIT
2 - INIT_DB
3 - QUERY
4 - FIELD_LIST
5 - CREATE_DB
6 - DROP_DB
7 - REFRESH
8 - SHUTDOWN
9 - STATISTICS
10 - PROCESS_INFO
11 - CONNECT
12 - PROCESS_KILL
13 - DEBUG
14 - PING
15 - TIME
16 - DELAYED_INSERT
17 - CHANGE_USER
18 - BINLOG_DUMP
19 - TABLE_DUMP
20 - CONNECT_OUT
21 - REGISTER_SLAVE
22 - STMT_PREPARE
23 - STMT_EXECUTE
24 - STMT_SEND_LONG_DATA
25 - STMT_CLOSE
26 - STMT_RESET
27 - SET_OPTION
28 - STMT_FETCH
29 - DAEMON
30 - BINLOG_DUMP_GTID
31 - RESET_CONNECTION
250 - STMT_BULK_EXECUTE
254 - MULTI
MySQL SQL Query
- mysql-sql-query [<strcomp>] "<str>". The keyword has an alias mysql-sql.
PostgreSQL Primitives
PostgreSQL Protocol Version
- pgsql-ver "<verstr or number>" where <verstr> should be a string of the format "<major>.<minor>" or any prefix thereof, where <major> and <minor> are numeric values or the ’*’ character. The ’*’ character acts as a wildcard (i.e. it matches any value).
PostgreSQL Server Version
- pgsql-server-version "<sverstr>" where <sverstr> should be a string of the format "<major>.<minor>.<bugfix>" (server versions up to 9.6) or "<major>.<bugfix>" (server versions 10 onwards) or any prefix thereof, where <major>, <minor> and <bugfix> are numeric values or the ’*’ character. The ’*’ character acts as a wildcard (that means it matches any value, including ones not present). The keyword has an alias pgsql-sver.
A "<sverstr>" of the format "*.1" will match all server versions where the minor version is 1 for servers of major version 9 or lower, and all server versions where the bugfix version is 1 for servers of major version 10 or higher.
PostgreSQL Authentication Method
- pgsql-auth-method [<comp>] "<authnum or authstr>". The keyword has an alias pgsql-authm.
where <authstr> and <authnum> are used to specify one of the following authentication methods:
0 - NO AUTHENTICATION
1 - KERBEROS V4
2 - KERBEROS V5
3 - CLEAR PASSWORD
4 - CRYPT PASSWORD
5 - MD5 PASSWORD
6 - SCM CREDENTIALS
7 - GSS
8 - UNKNOWN
9 - SSPI
10 - SASL
PostgreSQL Username
- pgsql-user [<strcomp>] "<str>"
PostgreSQL Database
- pgsql-db [<strcomp>] "<str>"
PostgreSQL SQLSTATE Error Code
- pgsql-error-code [<strcomp>] "<sqlstate>" where <sqlstate> should be an exactly 5 character long string according to the SQLSTATE standard. You may substitute any of its characters with the ’*’ character, which acts as a wildcard (that means it matches any character). The keyword has an alias pgsql-errc.
pgsql-error-code "*****" matches any valid error code.
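The version and SQLSTATE wildcard rules above are easy to get wrong when a pattern is shorter than the value or when the position of the ’*’ decides which component it covers. The following is an added example, not Flowmon's own implementation, that models the documented behaviour of pgsql-ver / pgsql-server-version (prefix match, positional components, ’*’ matching absent components) and pgsql-error-code (five characters, ’*’ matching any single character). The sample versions and codes in the main block are constructed.

```python
"""Matchers for the wildcard arguments of pgsql-ver / pgsql-server-version
and pgsql-error-code. Added example; not Flowmon's own implementation."""
from typing import List


def _components(version: str) -> List[str]:
    return [part for part in version.strip().split(".") if part != ""]


def pgsql_version_match(pattern: str, version: str) -> bool:
    """Match a dotted version against a pattern that may be a prefix and may
    use '*' in any position. Components are compared by position, so "*.1"
    means minor 1 on a 9.x server but bugfix 1 on a 10+ server."""
    want, have = _components(pattern), _components(version)
    if not want:
        raise ValueError("empty version pattern")
    for index, comp in enumerate(want):
        if comp == "*":
            continue  # the wildcard also matches a component that is not present
        if not comp.isdigit():
            raise ValueError(f"bad pattern component {comp!r}")
        if index >= len(have) or not have[index].isdigit():
            return False
        if int(have[index]) != int(comp):
            return False
    return True


def sqlstate_match(pattern: str, code: str) -> bool:
    """SQLSTATE codes are exactly five characters; '*' in the pattern matches
    any single character in that position."""
    if len(pattern) != 5:
        raise ValueError("SQLSTATE pattern must be exactly 5 characters long")
    if len(code) != 5:
        return False
    return all(p == "*" or p == c for p, c in zip(pattern, code))


if __name__ == "__main__":
    # Constructed server versions and SQLSTATE codes as they might appear in flow records.
    for version in ("9.1.24", "9.6.1", "10.1", "11.10"):
        print(version, pgsql_version_match("*.1", version))
    print(sqlstate_match("42***", "42P01"))  # True
```

The four constructed versions reproduce the "*.1" explanation in the text: 9.1.24 and 10.1 match, 9.6.1 and 11.10 do not.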
PostgreSQL Error Severity
- pgsql-error-severity [<comp>] "<errsstr or errsnum>". The keyword has an alias pgsql-errs.
where <errsstr> and <errsnum> are used to specify one of the following error severities:
1 - PANIC
2 - FATAL
3 - ERROR
4 - WARNING
5 - NOTICE
6 - INFO
7 - LOG
8 - DEBUG
254 - UNRECOGNIZED
255 - UNKNOWN
PostgreSQL SQL Query
- pgsql-sql-query [<strcomp>] "<str>". The keyword has an alias pgsql-sql.
PostgreSQL Client Message Type
- pgsql-client-message-type [=] "<flagstring>" with <flagstring> in the following format:
– flagstring ::= ’"’ <flagstringexp> ’"’
– <flagstringexp> ::= <exp>
– <flagstringexp> ::= <exp-and>
– <flagstringexp> ::= <exp-or>
– <exp> ::= <flag> | <exp><flag>
– <exp-and> ::= <flag> | <exp-and> "&" <flag>
– <exp-or> ::= <flag> | <exp-or> "|" <flag>
– <flag> - "?" | "+" | "$" | "#" | "B" | "C" | "D" | "E" | "H" | "F" | "P" | "p" | "Q" | "S" | "X" | "r" | "h" | "d" | "c" | "f"
<flag> has the following meaning:
? - Unknown message
+ - Startup message
$ - SSL request
# - Cancel request
B - Bind
C - Close
D - Describe
E - Execute
H - Flush
F - Function call
P - Parse
p - Password message
Q - Query
S - Sync
X - Terminate
r - Standby status update
h - Hot standby feedback
d - Copy data
c - Copy done
f - Copy fail
<exp>, <exp-and> and <exp-or> have the following meaning:
– The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".
– The <exp-and> is equivalent to <exp>.
– The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".
The keyword has an alias pgsql-msgc.
PostgreSQL Server Message Type
- pgsql-server-message-type [=] "<flagstring>" with <flagstring> in the following format:
– flagstring ::= ’"’ <flagstringexp> ’"’
– <flagstringexp> ::= <exp>
– <flagstringexp> ::= <exp-and>
– <flagstringexp> ::= <exp-or>
– <exp> ::= <flag> | <exp><flag>
– <exp-and> ::= <flag> | <exp-and> "&" <flag>
– <exp-or> ::= <flag> | <exp-or> "|" <flag>
– <flag> - "?" | "R" | "K" | "2" | "3" | "C" | "G" | "H" | "W" | "D" | "I" | "E" | "V" | "n" | "N" | "A" | "t" | "S" | "1" | "s" | "Z" | "T" | "w" | "k" | "$" | "%" | "d" | "c"
<flag> has the following meaning:
? - Unknown message
R - Authentication
K - Backend key data
2 - Bind complete
3 - Close complete
C - Command complete
G - Copy in response
H - Copy out response
W - Copy both response
D - Data row
I - Empty query response
E - Error response
V - Function call response
n - No data
N - Notice response
A - Notification response
t - Parameter description
S - Parameter status
1 - Parse complete
s - Portal suspended
Z - Ready for query
T - Row description
w - Xlog data
k - Primary keepalive
$ - SSL accept
% - SSL deny
d - Copy data
c - Copy done
<exp>, <exp-and> and <exp-or> have the following meaning:
– The <exp> filter selects flows containing all flags listed in <exp>. To include these flags only, use operator "=".
– The <exp-and> is equivalent to <exp>.
– The <exp-or> filter selects flows containing at least one of the flags listed in <exp-or>. To include these flags only, use operator "=".
The keyword has an alias pgsql-msgs.
RADIUS Primitives
RADIUS Username
- radius-login [strcomp] "<string>". The keyword has an alias radiuslogin.
RADIUS Calling Station ID
- radius-calling-station-id [strcomp] "<string>". The keyword has an alias radiuscallingstationid.
RADIUS Called Station ID
- radius-called-station-id [strcomp] "<string>". The keyword has an alias radiuscalledstationid.
RADIUS NAS IP address
- radius-nas-address <ipaddr>. The keyword has aliases radius-nat-address and radiusnataddress.
RADIUS NAT port
- radius-port-start [comp] <number>. The keyword has an alias radiusportstart.
- radius-port-end [comp] <number>. The keyword has an alias radiusportend.
TLS Primitives
TLS Content type
- tls-content-type [=] "<flagtokens>" where <flagtokens> is a list of tokens representing the desired flags. These are the valid TLS content type flags:
- CCS - Content type CCS
- ALERT - Content type ALERT
- HS - Content type HANDSHAKE
- DATA - Content type APP DATA
The tokens in <flagtokens> can be joined by either ’&’ (all specified flags are set) or ’|’ (at least one of the specified flags is set).
The keyword has aliases tls-cont and tlscont.
TLS Handshake type
- tls-handshake-type-flags [=] "<flagtokens>" where <flagtokens> is a list of tokens representing the desired flags. These are the valid TLS handshake type flags:
- HRQ - Hello request
- CH - Client hello
- SH - Server hello
- HVER - Hello verify request
- NST - New session ticket
- EED - End of early data
- HRET - Hello retry request
- ENC - Encrypted extensions
- CER - Certificate
- KSRV - Server key exchange
- CRQ - Certificate request
- SHD - Server hello done
- CVER - Certificate verify
- KCL - Client key exchange
- FIN - Finished
- CURL - Certificate url
- CST - Certificate status
- SUPL - Supplemental data
- KUPD - Key update
- MSGH - Message hash
- UNKN - Unknown
The tokens in <flagtokens> can be joined by either ’&’ (all specified flags are set) or ’|’ (at least one of the specified flags is set).
The keyword has an alias tls-hshk.
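The same flag-string grammar is used by smb2-cmd, mysql-server-capabilities / mysql-client-capabilities, pgsql-client-message-type / pgsql-server-message-type and, with ’&’ / ’|’ joined tokens, by tls-content-type and tls-handshake-type-flags. The evaluator below is an added example, not Flowmon's own implementation: it parses the three forms (<exp> as a bare run of fixed-width flags, <exp-and> with "&", <exp-or> with "|") and applies the documented "all" / "at least one" semantics plus the optional "=" ("these flags only"). The flag vocabularies are copied from the tables above; the sample flow in the main block is constructed, and the reading of "=" combined with "|" as "at least one listed flag and no other" is our assumption.

```python
"""Evaluator for the quoted <flagstring> argument shared by smb2-cmd,
mysql-server/client-capabilities, pgsql-client/server-message-type,
tls-content-type and tls-handshake-type-flags.
Added example; this is not Flowmon's own implementation."""
from typing import List, Set, Tuple

# Flag vocabularies, copied from the tables in this document.
SMB2_FLAGS = {"NE", "SS", "LO", "TC", "TD", "CR", "CL", "FL", "RE", "WR",
              "LC", "IO", "CA", "EC", "QD", "CN", "QI", "SI", "OB", "EN"}
PGSQL_CLIENT_FLAGS = set("?+$#BCDEHFPpQSXrhdcf")
TLS_CONTENT_FLAGS = {"CCS", "ALERT", "HS", "DATA"}


def parse_flagstring(text: str, vocab: Set[str]) -> Tuple[List[str], str]:
    """Split a flag string into its flags and a mode: 'all' for <exp> and
    <exp-and>, 'any' for <exp-or>. The grammar never mixes '&' and '|'."""
    if "&" in text and "|" in text:
        raise ValueError("'&' and '|' cannot be mixed in one flag string")
    if "|" in text:
        mode, parts = "any", text.split("|")
    elif "&" in text:
        mode, parts = "all", text.split("&")
    else:
        mode, parts = "all", [text]
    widths = {len(flag) for flag in vocab}
    flags: List[str] = []
    for part in parts:
        part = part.strip()
        if part in vocab:
            flags.append(part)
        elif len(widths) == 1:
            # <exp> ::= <flag> | <exp><flag>: a bare run such as "NESS" or "+Q"
            # is a concatenation of fixed-width flags, so cut it into chunks.
            width = next(iter(widths))
            chunks = [part[i:i + width] for i in range(0, len(part), width)]
            if not chunks or any(chunk not in vocab for chunk in chunks):
                raise ValueError(f"unknown flag in {part!r}")
            flags.extend(chunks)
        else:
            # TLS tokens have different lengths, so they are never concatenated.
            raise ValueError(f"unknown flag {part!r}")
    return flags, mode


def flags_match(record: Set[str], text: str, vocab: Set[str],
                exact: bool = False) -> bool:
    """Decide whether a flow whose flag set is `record` passes the filter.
    exact=True models the optional '=' operator ("include these flags only")."""
    flags, mode = parse_flagstring(text, vocab)
    wanted = set(flags)
    if mode == "all":
        return record == wanted if exact else wanted <= record
    # 'any': at least one listed flag is set. With '=' we additionally require
    # that the record holds no flag outside the list (assumption, see lead-in).
    hit = bool(record & wanted)
    return (hit and record <= wanted) if exact else hit


if __name__ == "__main__":
    # Constructed flow: an SMB2 session that negotiated, set up a session,
    # connected a tree and created, read and closed one file.
    flow = {"NE", "SS", "TC", "CR", "RE", "CL"}
    print(flags_match(flow, "NESS", SMB2_FLAGS))              # True
    print(flags_match(flow, "LO|WR", SMB2_FLAGS))             # False
    print(flags_match(flow, "NESS", SMB2_FLAGS, exact=True))  # False
```

A practical consequence visible in the code: a bare run such as "NESS" is an "all" filter, so a flow that also carries WR still matches unless "=" is used, which is the distinction a detection rule on SMB write or delete activity needs to get right.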
TLS Setup time
- tls-setup [comp] <time-milli>
TLS Server version
- tls-server-version [comp] "<string or number>"
The argument can be either a numeric representation of the TLS version or its text name. The numeric value can be hexadecimal (prefixed with "0x") or decimal. Supported TLS versions are "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1" and "TLS 1.2". Hexadecimal values are 0x002, 0x0300, 0x0301, 0x0302 and 0x0303 in respective order.
The keyword has aliases tls-sver and tlssver.
TLS Server random ID
- tls-server-random-id "<bytes>" where <bytes> is some part of the random ID byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4 bits). For example, the filter tls-srnd "90a0b0" will match all flows in which the TLS Server random ID contains the sequence of 3 bytes 0x90 0xa0 0xb0 or the sequence of 4 bytes 0x*9 0x0a 0x0b 0x0*, where "*" is any nibble. The keyword has aliases tls-srnd and tlssrnd.
TLS Server session ID
- tls-server-session-id [comp] "<bytes>" where <bytes> is some part of the session ID byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4 bits). For example, the filter tls-ssid "90a0b0" will match all flows in which the TLS Server session ID contains the sequence of 3 bytes 0x90 0xa0 0xb0 or the sequence of 4 bytes 0x*9 0x0a 0x0b 0x0*, where "*" is any nibble. The keyword has aliases tls-ssid and tlsssid.
TLS Cipher suite
- tls-cipher-suite [comp] "<number or string>". The keyword has aliases tls-ciph and tlsciph.
TLS Application layer protocol negotiation
- tls-alpn [strcomp] "<string>". The keyword has an alias tlsalpn.
TLS Server name indication
- tls-server-name-indication [strcomp] "<string>". The keyword has aliases tls-sni and tlssni.
TLS Server name length
- tls-server-name-indication-len [comp] <number>. The keyword has aliases tls-sni-len and tls-snlen.
TLS server compression method
- tls-server-compression-method [comp] <number or method>. The keyword has aliases tls-scm and tlsscm.
With <number> and <method> as one of these:
- 0 - NULL
- 1 - DEFLATE
- 64 - LZS
TLS Client version
- tls-client-version [comp] "<string or number>". The keyword has aliases tls-cver and tlscver.
The argument can be either a numeric representation of tls version or its text name. Supported TLS versions are:
- 2 - SSL 2.0
- 256 - DTLS 1.0 (OpenSSL pre 0.9.8f)
- 768 - SSL 3.0
- 769 - TLS 1.0
- 770 - TLS 1.1
- 771 - TLS 1.2
- 772 - TLS 1.3
- 32526 - TLS 1.3 (draft 14)
- 32527 - TLS 1.3 (draft 15)
- 32528 - TLS 1.3 (draft 16)
- 32529 - TLS 1.3 (draft 17)
- 32530 - TLS 1.3 (draft 18)
- 32531 - TLS 1.3 (draft 19)
- 32532 - TLS 1.3 (draft 20)
- 32533 - TLS 1.3 (draft 21)
- 32534 - TLS 1.3 (draft 22)
- 32535 - TLS 1.3 (draft 23)
- 32536 - TLS 1.3 (draft 24)
- 32537 - TLS 1.3 (draft 25)
- 32538 - TLS 1.3 (draft 26)
- 32539 - TLS 1.3 (draft 27)
- 32540 - TLS 1.3 (draft 28)
- 2570 - GREASE#0x0A0A
- 6682 - GREASE#0x1A1A
- 10794 - GREASE#0x2A2A
- 14906 - GREASE#0x3A3A
- 19018 - GREASE#0x4A4A
- 23130 - GREASE#0x5A5A
- 27242 - GREASE#0x6A6A
- 31354 - GREASE#0x7A7A
- 35466 - GREASE#0x8A8A
- 39578 - GREASE#0x9A9A
- 43690 - GREASE#0xAAAA
- 47802 - GREASE#0xBABA
- 51914 - GREASE#0xCACA
- 56026 - GREASE#0xDADA
- 60138 - GREASE#0xEAEA
- 64250 - GREASE#0xFAFA
- 64279 - TLS 1.3 (Facebook draft 23)
- 64282 - TLS 1.3 (Facebook draft 26)
- 65279 - DTLS 1.0
- 65277 - DTLS 1.2
TLS Cipher suites and Elliptic curves
- tls-cipher-suites [=] "<tokens>" - exact order match, use autocomplete suggestions. The keyword has aliases tls-ciphs, tls-ciphse and tlsciphs.
- tls-elliptic-curves [=] "<tokens>" - exact order match, use autocomplete suggestions. The keyword has aliases tls-ec, tls-ece and tlsec.
<tokens> is a comma-separated list of either cipher suite / elliptic curve text names or their hexadecimal representations. Combining the two is not allowed, so all values in the list are treated either as hexadecimal numbers or as text. The filter matches only if all values are found inside the record. The exact-order filter matches only if the sequence of values is found inside the record array in the specified order. The exact filter (the optional equal sign is used) matches only if there are no values in the record array other than those specified. The hexadecimal representation of one cipher suite has the form 0xAAAA. A cipher suite / elliptic curve is represented as a two-byte number, so the maximum number of digits is four. For text tokens, there are no input rules. Partial text names are also allowed (the substring compare method is used).
TLS Client random ID and Client session ID
- tls-client-random-id [=] "<bytes>". The keyword has aliases tls-crnd and tlscrnd.
- tls-client-session-id [=] "<bytes>". The keyword has aliases tls-csid and tlscsid.
<bytes> is some part of the random ID / session ID byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4 bits).
TLS Extensions
- tls-ext [=] "<value>" - Extension types. Use autocomplete suggestions for the value. The keyword has aliases tls-exte and tlsext.
- tls-exl [=] "<tokens>" - Extension lengths. The keyword has aliases tls-exle and tlsexl.
<tokens> is a comma-separated list of decimal values. The filter matches only if all values are found inside the record. The exact-order filter matches only if the sequence of values is found inside the record array in the specified order. The exact filter (the optional equal sign is used) matches only if there are no values in the record array other than those specified. Extension type and extension length are represented as a two-byte number, so the maximum allowed value is 65535.
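The three matching rules for "<tokens>" lists (all values present, exact order, exact set) apply to tls-cipher-suites, tls-elliptic-curves and tls-exl alike. The following added example, not Flowmon's own implementation, models them over a constructed Client Hello cipher suite array and a constructed extension length array. The name table is a constructed lookup used only for text tokens; the reading of "exact order" as one contiguous run in the record, and of the text/numeric mixing rule, are assumptions stated in the code.

```python
"""Matching rules for the comma-separated "<tokens>" argument of
tls-cipher-suites, tls-elliptic-curves and tls-exl.
Added example; not Flowmon's own implementation. The record is modelled as
the ordered list of two-byte values from one Client Hello, and the name
table below is a constructed lookup used only for text tokens."""
from typing import Callable, Dict, List, Sequence

# Constructed sample record: cipher suite array of one Client Hello, wire order.
SAMPLE_SUITES: List[int] = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0x00FF]
SUITE_NAMES: Dict[int, str] = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
# Constructed sample record for tls-exl: extension lengths, wire order.
SAMPLE_EXT_LENGTHS: List[int] = [0, 23, 10, 2, 6, 0, 1]


def _is_numeric(token: str) -> bool:
    return token.lower().startswith("0x") or token.isdigit()


def _to_int(token: str) -> int:
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def parse_tokens(text: str) -> List[str]:
    """Split the argument; numeric (hex or decimal) and text tokens may not be
    combined, and a numeric token must fit in two bytes."""
    tokens = [t.strip() for t in text.split(",") if t.strip()]
    if not tokens:
        raise ValueError("empty token list")
    numeric = [_is_numeric(t) for t in tokens]
    if any(numeric) and not all(numeric):
        raise ValueError("numeric and text tokens cannot be combined")
    if all(numeric):
        for t in tokens:
            if _to_int(t) > 0xFFFF:
                raise ValueError(f"{t} does not fit in two bytes")
    return tokens


def _matcher(tokens: List[str]) -> Callable[[str, int], bool]:
    """Return a predicate telling whether one token matches one record value."""
    if _is_numeric(tokens[0]):
        return lambda tok, value: _to_int(tok) == value
    # Text tokens use substring comparison against the value's name.
    return lambda tok, value: tok in SUITE_NAMES.get(value, "")


def match_all(record: Sequence[int], text: str) -> bool:
    """Default rule: every listed value occurs somewhere in the record."""
    tokens = parse_tokens(text)
    hit = _matcher(tokens)
    return all(any(hit(tok, value) for value in record) for tok in tokens)


def match_ordered(record: Sequence[int], text: str) -> bool:
    """Exact-order rule. Assumption: the listed values must occur as one
    contiguous run in the given order (the text only says 'in the specified
    order')."""
    tokens = parse_tokens(text)
    hit = _matcher(tokens)
    n = len(tokens)
    return any(all(hit(tokens[j], record[i + j]) for j in range(n))
               for i in range(len(record) - n + 1))


def match_exact(record: Sequence[int], text: str) -> bool:
    """'=' rule: every token is present and no record value is outside the list."""
    tokens = parse_tokens(text)
    hit = _matcher(tokens)
    return (match_all(record, text)
            and all(any(hit(tok, value) for tok in tokens) for value in record))
```

The substring rule for text tokens is worth noting when writing a filter: "AES_128" alone matches both the TLS 1.3 and the ECDHE suites in the constructed record, so a numeric token is the unambiguous choice when the filter is meant to pin one suite.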
TLS Elliptic curves point formats
- tls-ec-point-formats [=] "<tokens>". The keyword has aliases tls-ecpf and tlsecpf.
<tokens> is comma separated list of either decimal or text values. The maximum allowed decimal number is 254. For text values, only full-text names are allowed. Numeric and text tokens may be combined. Recognized names are "uncompressed" (0), "ansiX962_compressed_prime" (1) and "ansiX962_compressed_char2" (2).
TLS Client key length
- tls-client-key-length [comp] <number>. The keyword has an alias tls-cklen.
TLS Certificate
- tls-certificate-issuer-common-name [strcomp] "<string>" - Certificate issuer common name. The keyword has aliases tls-icn and tlsicn.
- tls-subject-common-name [strcomp] "<string>" - Subject common name. The keyword has aliases tls-scn and tlsscn.
- tls-subject-organizaion-name [strcomp] "<string>" - Subject organisation name. Comparison is case insensitive. The keyword has aliases tls-son and tlsson.
- tls-valid-from [comp] <timestamp or date> - Certificate validity since. The keyword has aliases tls-vfrom and tlsvfrom.
- tls-valid-to [comp] <timestamp or date> - Certificate validity until. <date> is a text specification of the date/time in the format "YYYY-MM-DD HH:MM:SS". <timestamp> is the date/time represented as seconds since the epoch. The special value "now" is also accepted and interpreted as the current time.
- tls-signature-algorithm [=] "<algorithm name>" - Signature algorithm. Use autocomplete suggestions. The keyword has aliases tls-salg and tlssalg.
- tls-public-key-algorithm [=] "<algorithm name>" - Public key algorithm. Use autocomplete suggestions. The keyword has aliases tls-pkalg and tlspkalg.
- tls-public-key-length [comp] <number> - Public key length. The keyword has aliases tls-pklen and tlspklen.
- tls-certificate-serial-number "<bytes>" - TLS certificate serial number. <bytes> is a part of the TLS certificate serial number (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4 bits). The keyword has aliases tls-snum and tlssnum.
- tls-certificate-subject-alternate-names [strcomp] "<string>" - TLS certificate subject alternate names. The keyword has aliases tls-san and tlssan.
TLS JA3 Fingerprint
- tls-ja3 [=] "<bytes>". <bytes> is some part of the JA3 fingerprint byte sequence (entered as hexadecimal digits). One hexadecimal digit corresponds to one nibble (4 bits). The keyword has an alias tlsja3.
Extended ARP
- arp-hardware-type [comp] <number>. The keyword has aliases arp-hrd and arp_hrd.
- arp-operation-code [comp] <number>. The keyword has aliases arp-op and arp_op.
VxLAN Primitives
VxLAN VNI
- vxlan-vni [comp] <number>. The keyword has an alias vxlanvni.
IEC104
- iec104-packet-length [comp] <number> - IEC104 Packet Length. The keyword has aliases iec104-pktlen and iec104pktlen.
- iec104-frame-format [comp] "<fmtstr or number>" - IEC104 Frame Format. The keyword has aliases iec104-fmt and iec104fmt. <fmtstr> is one of these characters:
- I - I-frame
- S - S-frame
- U - U-frame
- iec104-asdu-type [comp] <number or string> - IEC104 ASDU Type. Use autocomplete suggestions. The keyword has an alias iec104asdutype.
- iec104-asdu-object-count [comp] <number> - IEC104 ASDU Object Count. The keyword has aliases iec104-asdu-objcount and iec104asduobjcount.
- iec104-asdu-cause-of-transmission [comp] <number or string> - IEC104 ASDU Cause Of Transmission. Use autocomplete suggestions. The keyword has aliases iec104-asdu-cot and iec104asduscot.
- iec104-asdu-originator [comp] <number> - IEC104 ASDU Originator Address. The keyword has aliases iec104-asdu-org and iec104asduorg.
- iec104-asdu-address [comp] <number> - IEC104 Common ASDU Address. The keyword has aliases iec104-asdu-addr and iec104asduaddr.
CoAP
- coap-version [comp] <number>. The keyword has an alias coap-ver.
- coap-message-id [comp] <number>. The keyword has an alias coap-mid.
- coap-code [comp] "<value>" - with <value> as a number or string suggested by autocompletion.
- coap-option-count [comp] <number>. The keyword has an alias coap-opcount.
- coap-type [comp] "<str>" - with <str> as one of these:
- CNF - Confirmable message
- NCNF - Nonconfirmable message
- ACK - Acknowledge
- RST - Reset
- coap-accept [comp] <number>
- coap-content-format [comp] <number>. The keyword has an alias coap-contentfmt.
- coap-token [strcomp] "<str>" - hexadecimal representation of a byte stream (maximal length 16 characters). Example: coap-token = "b38a4e20"
- coap-uri-path [strcomp] "<str>". The keyword has an alias coap-uripath.
- coap-uri-query [strcomp] "<str>". The keyword has an alias coap-uriquery.
- coap-uri-host [strcomp] "<str>". The keyword has an alias coap-urihost.
GOOSE
- goose-application-id [comp] <number>. The keyword has aliases goose-appid and gooseappid.
- goose-control-block [strcomp] "<str>". The keyword has aliases goose-cbref and goosecbref.
- goose-data-set [strcomp] "<str>". The keyword has aliases goose-dataset and goosedataset.
- goose-id [strcomp] "<str>". The keyword has an alias goosegoid.
- goose-status-number [comp] <number>. The keyword has aliases goose-stnum and goosestnum.
MMS
- mms-type [comp] <number> - with an alias mmstype and <number> as one of these:
- 0 - confirmed-Request
- 1 - confirmed-Response
- 2 - confirmed-Error
- 3 - unconfirmed
- 4 - reject
- 5 - cancel-Request
- 6 - cancel-Response
- 7 - cancel-Error
- 8 - initiate-Request
- 9 - initiate-Response
- 10 - initiate-Error
- 11 - conclude-Request
- 12 - conclude-Response
- 13 - conclude-Error
- mms-confirmed-service-request [comp] <number>. The keyword has aliases mms-conf-service-req and mmsconfservicereq.
- mms-conf-service-response [comp] <number> - with aliases mms-conf-service-resp and mmsconfserviceresp. The <number> for mms-conf-service-request and mms-conf-service-response is one of these:
- 0 - status
- 1 - getNameList
- 2 - identify
- 3 - rename
- 4 - read
- 5 - write
- 6 - getVariableAccessAttributes
- 7 - defineNamedVariable
- 8 - defineScatteredAccess
- 9 - getScatteredAccessAttributes
- 10 - deleteVariableAccess
- 11 - defineNamedVariableList
- 12 - getNamedVariableListAttributes
- 13 - deleteNamedVariableList
- 14 - defineNamedType
- 15 - getNamedTypeAttributes
- 16 - deleteNamedType
- 17 - input
- 18 - output
- 19 - takeControl
- 20 - relinquishControl
- 21 - defineSemaphore
- 22 - deleteSemaphore
- 23 - reportSemaphoreStatus
- 24 - reportPoolSemaphoreStatus
- 25 - reportSemaphoreEntryStatus
- 26 - initiateDownloadSequence
- 27 - downloadSegment
- 28 - terminateDownloadSequence
- 29 - initiateUploadSequence
- 30 - uploadSegment
- 31 - terminateUploadSequence
- 32 - requestDomainDownload
- 33 - requestDomainUpload
- 34 - loadDomainContent
- 35 - storeDomainContent
- 36 - deleteDomain
- 37 - getDomainAttributes
- 38 - createProgramInvocation
- 39 - deleteProgramInvocation
- 40 - start
- 41 - stop
- 42 - resume
- 43 - reset
- 44 - kill
- 45 - getProgramInvocationAttributes
- 46 - obtainFile
- 47 - defineEventCondition
- 48 - deleteEventCondition
- 49 - getEventConditionAttributes
- 50 - reportEventConditionStatus
- 51 - alterEventConditionMonitoring
- 52 - triggerEvent
- 53 - defineEventAction
- 54 - deleteEventAction
- 55 - getEventActionAttributes
- 56 - reportEventActionStatus
- 57 - defineEventEnrollment
- 58 - deleteEventEnrollment
- 59 - alterEventEnrollment
- 60 - reportEventEnrollmentStatus
- 61 - getEventEnrollmentAttributes
- 62 - acknowledgeEventNotification
- 63 - getAlarmSummary
- 64 - getAlarmEnrollmentSummary
- 65 - readJournal
- 66 - writeJournal
- 67 - initializeJournal
- 68 - reportJournalStatus
- 69 - createJournal
- 70 - deleteJournal
- 71 - getCapabilityList
- 72 - fileOpen
- 73 - fileRead
- 74 - fileClose
- 75 - fileRename
- 76 - fileDelete
- 77 - fileDirectory
- 78 - additionalService
- 80 - getDataExchangeAttributes
- 81 - exchangeData
- 82 - defineAccessControlList
- 83 - getAccessControlListAttributes
- 84 - reportAccessControlledObjects
- 85 - deleteAccessControlList
- 86 - changeAccessControl
- 87 - reconfigureProgramInvocation
- mms-unconfirmed-service [comp] <number> - with aliases mms-unconf-service and mmsunconfservice. The <number> is one of these:
- 0 - informationReport
- 1 - unsolicitedStatus
- 2 - eventNotification
DLMS
- dlms-type [comp] <number> - with an alias dlmstype and <number> as one of these:
- 192 - get-request
- 193 - set-request
- 194 - event-notification-request
- 195 - action-request
- 196 - get-response
- 197 - set-response
- 199 - action-response
- dlms-sub-type [comp] <number>. The keyword has aliases dlms-subtype and dlmssubtype. <number> is one of these:
- 49153 (0xc001) - get-request-normal
- 49154 (0xc002) - get-request-next
- 49155 (0xc003) - get-request-with-list
- 49409 (0xc101) - set-request-normal
- 49410 (0xc102) - set-request-with-first-data-block
- 49411 (0xc103) - set-request-with-datablock
- 49412 (0xc104) - set-request-with-list
- 49413 (0xc105) - set-request-with-list-and-first-data-block
- 49921 (0xc301) - action-request-normal
- 49922 (0xc302) - action-request-next-pblock
- 49923 (0xc303) - action-request-with-list
- 49924 (0xc304) - action-request-with-first-pblock
- 49925 (0xc305) - action-request-with-list-and-first-pblock
- 49926 (0xc306) - action-request-with-pblock
- 50177 (0xc401) - get-response-normal
- 50178 (0xc402) - get-response-with-datablock
- 50179 (0xc403) - get-response-with-list
- 50433 (0xc501) - set-response-normal
- 50434 (0xc502) - set-response-datablock
- 50435 (0xc503) - set-response-last-data-block
- 50436 (0xc504) - set-response-last-data-block-with-list
- 50437 (0xc505) - set-response-with-list
- 50945 (0xc701) - action-response-normal
- 50946 (0xc702) - action-response-with-pblock
- 50947 (0xc703) - action-response-with-list
- 50948 (0xc704) - action-response-next-pblock
- dlms-class-id [comp] <number>. The keyword has aliases dlms-classid and dlmsclassid.
- dlms-obis [arraycomp] <obidnum> where <obidnum> is an ID consisting of 6 numbers delimited with "." (dot), each number at most one byte in size; arraycomp is the array comparator, and only = (array exact equality) is supported. The keyword has an alias dlmsobis. Example: dlms-obis = 1.0.99.1.0.255. To filter a group of IDs, use a common prefix terminated with the "." (dot) character. Example: dlms-obis 1.0.99. filters all IDs whose first 3 numbers are the same; the last 3 numbers are treated as don't care.
-
dlms-attribute-method-id [comp] <number> - with aliases dlms-attr-method-id and dlmsattrmethodid.
-
dlms-data-length [comp] <number> - with an alias dlmsdatalength.
-
dlms-data-type [comp] <number> - with an alias dlmsdatatype and <number> as one of these:
-
0 - null-data
-
1 - array
-
2 - structure
-
3 - boolean
-
4 - bit-string
-
5 - double-long
-
6 - double-long-unsigned
-
9 - octet-string
-
10 - visible-string
-
13 - bcd
-
15 - integer
-
16 - long
-
17 - unsigned
-
18 - long-unsigned
-
19 - compact-array
-
20 - long64
-
21 - long64-unsigned
-
22 - enum
-
23 - float32
-
24 - float64
-
25 - date-time
-
26 - date
-
27 - time
-
- dlms-data-access-result [comp] <number> - with an alias dlmsdataaccessresult and <number> as one of these:
- 0 - success
- 1 - hardware-fault
- 2 - temporary-failure
- 3 - read-write-denied
- 4 - object-undefined
- 9 - object-class-inconsistent
- 11 - object-unavailable
- 12 - type-unmatched
- 13 - scope-of-access-violated
- 14 - data-block-unavailable
- 15 - long-get-aborted
- 16 - no-long-get-in-progress
- 17 - long-set-aborted
- 18 - no-long-set-in-progress
- 250 - other-reason
- dlms-action-result [comp] <number> - with an alias dlmsactionresult and <number> as one of these:
- 0 - success
- 1 - hardware-fault
- 2 - temporary-failure
- 3 - read-write-denied
- 4 - object-undefined
- 9 - object-class-inconsistent
- 11 - object-unavailable
- 12 - type-unmatched
- 13 - scope-of-access-violated
- 14 - data-block-unavailable
- 15 - long-action-aborted
- 16 - no-long-action-in-progress
- 250 - other-reason
VMware NSX fields
- nsx-rule-id [<comp>] <number> - Firewall rule ID. The keyword has an alias nsx-ruleid.
- nsx-vnicindex [<comp>] <number> - vNIC index.
- nsx-vmuuid <number> [<number>] - filters flow records with a specific VM UUID, which uniquely identifies the VM. This ID consists of two hexadecimal numbers. You can provide just the first one or both. Each hexadecimal number must be preceded with a 0x prefix. This is an example for the VM UUID (00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ff): "nsx-vmuuid 0x0011223344556677" or "nsx-vmuuid 0x0011223344556677 0x8899aabbccddeeff".
- nsx-vmuuid-mac <addr> - since the VM UUID usually contains the MAC address in its first part, you can use the MAC in a filter as well. It is matched against the first VM UUID number. This is an example of how to filter the machine with MAC address 00:11:22:33:44:55: "nsx-vmuuid-mac 00:11:22:33:44:55".
Network Performance Metrics Primitives
Round trip time
- npm-round-trip-time [<comp>] <realnumber> - Round Trip Time (RTT). The keyword has aliases npm-rtt and nrtt.
- npm-round-trip-time-count [<comp>] <number> - Round Trip Time Count (RTT Count). The keyword has aliases nrtt-cnt and nrtt_cnt.
- npm-round-trip-time-sum [<comp>] <realnumber> - Round Trip Time Sum (RTT Sum). The keyword has aliases nrtt-sum and nrtt_sum.
- npm-round-trip-time-min [<comp>] <realnumber> - Round Trip Time Min (RTT Min). The keyword has aliases nrtt-min and nrtt_min.
- npm-round-trip-time-max [<comp>] <realnumber> - Round Trip Time Max (RTT Max). The keyword has aliases nrtt-max and nrtt_max.
Server response time
- npm-server-response-time [<comp>] <realnumber> - Server Response Time (SRT). The keyword has aliases npm-srt and nsrt.
- npm-server-response-time-count [<comp>] <number> - Server Response Time Count (SRT Count). The keyword has aliases nsrt-cnt and nsrt_cnt.
- npm-server-response-time-sum [<comp>] <realnumber> - Server Response Time Sum (SRT Sum). The keyword has aliases nsrt-sum and nsrt_sum.
- npm-server-response-time-min [<comp>] <realnumber> - Server Response Time Min (SRT Min). The keyword has aliases nsrt-min and nsrt_min.
- npm-server-response-time-max [<comp>] <realnumber> - Server Response Time Max (SRT Max). The keyword has aliases nsrt-max and nsrt_max.
TCP Retransmissions
- npm-tcp-retransmission [<comp>] <realnumber> - Packet Retransmissions (RTR). The keyword has aliases npm-retr and nretr.
- npm-tcp-retransmission-count [<comp>] <number> - Retransmission Count (RTR Count). The keyword has aliases nretr-cnt and nretr_cnt.
- npm-tcp-retransmission-sum [<comp>] <realnumber> - Retransmission Sum (RTR Sum). The keyword has aliases nretr-sum and nretr_sum.
- npm-tcp-retransmission-min [<comp>] <realnumber> - Retransmission Min (RTR Min). The keyword has aliases nretr-min and nretr_min.
- npm-tcp-retransmission-max [<comp>] <realnumber> - Retransmission Max (RTR Max). The keyword has aliases nretr-max and nretr_max.
TCP Out of Order
- npm-tcp-out-of-order [<comp>] <realnumber> - Number of Out of Order packets (OoO). The keyword has aliases npm-ooo and nooo.
- npm-tcp-out-of-order-count [<comp>] <number> - Out of Order Count (OoO Count). The keyword has aliases nooo-cnt and nooo_cnt.
- npm-tcp-out-of-order-sum [<comp>] <realnumber> - Out of Order Sum (OoO Sum). The keyword has aliases nooo-sum and nooo_sum.
- npm-tcp-out-of-order-min [<comp>] <realnumber> - Out of Order Min (OoO Min). The keyword has aliases nooo-min and nooo_min.
- npm-tcp-out-of-order-max [<comp>] <realnumber> - Out of Order Max (OoO Max). The keyword has aliases nooo-max and nooo_max.
Jitter
- npm-jitter-deviation [<comp>] <realnumber> - Standard Deviation of Jitter (SDV Jitter). The keyword has aliases npm-jdev and njdev.
- npm-jitter-deviation-count [<comp>] <number> - Jitter Deviation Count (JDC). The keyword has aliases njdev-cnt and njdev_cnt.
- npm-jitter-deviation-sum [<comp>] <realnumber> - Jitter Deviation Sum (JDS). The keyword has aliases njdev-sum and njdev_sum.
- npm-jitter-average [<comp>] <realnumber> - Average Jitter (AVG Jitter). The keyword has aliases npm-javg and njavg.
- npm-jitter-average-count [<comp>] <number> - Jitter Average Count (JAC). The keyword has aliases njavg-cnt and njavg_cnt.
- npm-jitter-average-sum [<comp>] <realnumber> - Jitter Average Sum (JAS). The keyword has aliases njavg-sum and njavg_sum.
- npm-jitter-min [<comp>] <realnumber> - Minimal Jitter (MIN Jitter). The keyword has aliases npm-jmin and njmin.
- npm-jitter-max [<comp>] <realnumber> - Maximal Jitter (MAX Jitter). The keyword has aliases npm-jmax and njmax.
Inter-packet Delay
- npm-delay-deviation [<comp>] <realnumber> - Standard Deviation of Inter-packet Delay (SDV IPD). The keyword has aliases npm-ddev and nddev.
- npm-delay-deviation-count [<comp>] <number> - Delay Deviation Count (DDC). The keyword has aliases nddev-cnt and nddev_cnt.
- npm-delay-deviation-sum [<comp>] <realnumber> - Delay Deviation Sum (DDS). The keyword has aliases nddev-sum and nddev_sum.
- npm-delay-average [<comp>] <realnumber> - Average Inter-packet Delay (AVG IPD). The keyword has aliases npm-davg and ndavg.
- npm-delay-average-count [<comp>] <realnumber> - Delay Average Count (DAC). The keyword has aliases ndavg-cnt and ndavg_cnt.
- npm-delay-average-sum [<comp>] <realnumber> - Delay Average Sum (DAS). The keyword has aliases ndavg-sum and ndavg_sum.
- npm-delay-min [<comp>] <realnumber> - Minimal Inter-packet Delay (MIN IPD). The keyword has aliases npm-dmin and ndmin.
- npm-delay-max [<comp>] <realnumber> - Maximal Inter-packet Delay (MAX IPD). The keyword has aliases npm-dmax and ndmax.
In all of the above, <realnumber> is a real number in the format NNN.nnn.
Cisco Primitives
Cisco AVC - ART
- art-snt [<comp>] <realnumber> - Sum Server Network Time (Sum SNT).
- art-snt-min [<comp>] <realnumber> - Minimal Server Network Time (MIN SNT). The keyword has an alias art-sntmin.
- art-snt-max [<comp>] <realnumber> - Maximal Server Network Time (MAX SNT). The keyword has an alias art-sntmax.
- art-cnt [<comp>] <realnumber> - Sum Client Network Time (Sum CNT).
- art-cnt-min [<comp>] <realnumber> - Minimal Client Network Time (MIN CNT). The keyword has an alias art-cntmin.
- art-cnt-max [<comp>] <realnumber> - Maximal Client Network Time (MAX CNT). The keyword has an alias art-cntmax.
- art-cnt-responses [<comp>] <number> - Client Network Time Responses (CNT Responses). The keyword has an alias art-cntresp.
- art-srt [<comp>] <number> - Sum Server Response Time (Sum SRT).
- art-srt-min [<comp>] <number> - Minimal Server Response Time (MIN SRT). The keyword has an alias art-srtmin.
- art-srt-max [<comp>] <number> - Maximal Server Response Time (MAX SRT). The keyword has an alias art-srtmax.
- art-hist[n] [<comp>] <number> - Responses Histogram [n], where n is a number from 1 to 7.
- art-client-retransmission [<comp>] <number> - Client Retransmission (CR). The keyword has an alias art-cretr.
- art-server-retransmission [<comp>] <number> - Server Retransmission (SR). The keyword has an alias art-sretr.
- art-late [<comp>] <number> - Responses Late.
- cisco-net-time [<comp>] <number> - Cisco Network Time Sum. The keyword has an alias cisco-nettime.
Cisco NEL
- nat-event [<comp>] <value>, where value is either a number, add or delete. The keyword has aliases nat event and nevent.
- [src|dst] nat-ip <ip> - selects the NAT IP address. The keyword has an alias nip.
- [src|dst] nat-port [comp] <port> - selects the NAT port. The keyword has an alias nport.
- nat-vrf [comp] <number> - selects the VRF. The keyword has aliases vrf and ingress vrf.
Cisco NSEL/ASA
- nsel-event [<comp>] <value> has aliases asa event and event. The value is one of:
- 0 - IGNORE
- 1 - CREATE
- 2 - DELETE
- 2 - TERM
- 3 - DENIED
- 3 - DENY
- 4 - ALERT
- 5 - UPDATE
- asa event denied <value>, where value is either a number or one of the strings suggested by the autocomplete function.
- nsel-extended-event [<comp>] <number>. The keyword has aliases asa xevent and xevent.
- nsel-connection-id [<comp>] <number>. The keyword has an alias nfc.
- nsel-user-name [<strcomp>] <string>. The keyword has an alias uname.
- [in|out] nsel-acl [=] <binary>. The keyword has an alias acl.
- [src|dst] xlate-ip <ip> - selects the translated IP address. The keyword has an alias xip.
- [src|dst] xlate-port <number> - selects the translated port. The keyword has an alias xport.
- ingress <ACN|ACE|XACE> [<comp>] <number> - selects/compares the ingress ACL ID fields.
- egress <ACN|ACE|XACE> [<comp>] <number> - selects/compares the egress ACL ID fields.
- iacn [<comp>] <number>
- iace [<comp>] <number>
- ixace [<comp>] <number>
- eacn [<comp>] <number>
- eace [<comp>] <number>
- exace [<comp>] <number>
Aggregated Flows Primitives
Because filters are applied before aggregation, the filter's usefulness is limited. Individual flows always have an aggregated flow count value of 1.
- flows [<comp>] <num>[<scale>] - filters out NetFlow records with a specific number of aggregated flows.
<scale> is a scaling factor. Allowed prefixes are (Kilo) k, (Mega) m, (Giga) g, (Tera) t. The factor is 1024.
Packets, Bytes and Bits Primitives
Because filters are applied before aggregation, they filter flows based on the values in each individual flow record, not based on the aggregated totals.
Packets
- [in|out] packets [<comp>] <num>[<scale>] - filters out NetFlow records with a specific packet count.
<scale> is a scaling factor. Allowed prefixes are (Kilo) k, (Mega) m, (Giga) g, (Tera) t. The factor is 1024.
Example: packets > 1k.
- [in|out] total-packets [<comp>] <num>[<scale>]
- in-out-packets [<comp>] <num>[<scale>]
- iopackets [<comp>] <num>[<scale>]
Bytes
- [in|out] bytes [<comp>] <num>[<scale>] - filters out NetFlow records with a specific byte count.
<scale> is a scaling factor. Allowed prefixes are (Kilo) k, (Mega) m, (Giga) g, (Tera) t. The factor is 1024.
Example: bytes 46.
- [in|out] total-bytes [<comp>] <num>[<scale>]
- in-out-bytes [<comp>] <num>[<scale>]
- iobytes [<comp>] <num>[<scale>]
Packets per second
- pps [<comp>] <num>[<scale>] - specifies the pps of the flow.
Bits per second
- bps [<comp>] <num>[<scale>] - specifies the bps of the flow.
Bytes per packet
- bpp [<comp>] <num>[<scale>] - specifies the bpp of the flow.
Packets, Bytes and Bits examples
- packets > 1M and bytes < 1700M - matches records with more than 1M packets but under 1700 MB.
- (pps > 200K or bps > 180M) and bpp < 130 - matches records with more than 200K packets per second or more than 180M bits per second, while keeping the average packet size under 130 B.
- bpp > 1500 and bytes > 100M - finds jumbo-packet flows (more than 1500 bytes per packet) larger than 100 MB.
Duration Primitives
Duration
- duration [<comp>] <num> - specifies the duration in milliseconds.
Duration examples
- duration > 1000 and duration < 5000 - matches flow records which took between 1 and 5 seconds.
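The numeric primitives and logical operators described above (packets, bytes, pps, bps, bpp, duration, flows with [<comp>] <num>[<scale>], combined with and, or, not and brackets), as an added, runnable illustration that is not Flowmon's own parser: it compiles a filter string into a predicate and applies it to constructed flow records. Assumptions not stated on this page: the comparator set is =, <, >, <=, >=, and "and" binds tighter than "or" as in pcap; the sample flows and their derived pps/bps/bpp values are constructed.

```python
import re, operator as op
# Added illustration (not Flowmon's parser) of this page's numeric filter grammar:
# <keyword> [<comp>] <num>[<scale>], combined with and / or / not and brackets.
SCALE = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}       # the factor is 1024
KEYWORDS = {"packets", "bytes", "pps", "bps", "bpp", "duration", "flows"}
COMPARE = {"=": op.eq, "<": op.lt, ">": op.gt, "<=": op.le, ">=": op.ge}  # assumed comparator set
TOKEN = re.compile(r"\(|\)|<=|>=|=|<|>|[a-z][\w-]*|\d+[kmgt]?")

def tokenize(text):          # drop '#' comments (to end of line), lower-case, reject unknown input
    text = " ".join(line.split("#", 1)[0] for line in text.splitlines()).lower()
    tokens = TOKEN.findall(text)
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ValueError("unrecognised input in filter")
    return tokens

def parse_value(tok):        # <num>[<scale>]: 1k = 1024, 1m = 1048576, and so on
    m = re.fullmatch(r"(\d+)([kmgt]?)", tok)
    if not m: raise ValueError(f"expected a number, got {tok!r}")
    return int(m[1]) * SCALE.get(m[2], 1)

def compile_filter(text):    # recursive descent; 'and' binds tighter than 'or' (pcap rule, assumed)
    toks = tokenize(text) + ["$"]              # end marker; tokenize() never produces '$'
    def chain(word, sub, combine):             # sub (word sub)*
        pred = sub()
        while toks[0] == word and toks.pop(0):
            pred = combine(pred, sub())
        return pred
    expr = lambda: chain("or", term, lambda a, b: lambda f: a(f) or b(f))
    term = lambda: chain("and", factor, lambda a, b: lambda f: a(f) and b(f))
    def factor():                              # 'not' factor | '(' expr ')' | keyword [comp] value
        tok = toks.pop(0)
        if tok == "not":
            return (lambda p: lambda f: not p(f))(factor())
        if tok == "(":
            pred = expr()
            if toks.pop(0) != ")": raise ValueError("missing ')'")
            return pred
        if tok not in KEYWORDS: raise ValueError(f"unsupported keyword {tok!r}")
        comp = toks.pop(0) if toks[0] in COMPARE else "="   # a bare value means '='
        return lambda f, k=tok, c=COMPARE[comp], v=parse_value(toks.pop(0)): c(f[k], v)
    pred = expr()
    if toks != ["$"]: raise ValueError(f"unexpected token {toks[0]!r}")
    return pred
FLOWS = [(2_000_000, 1500 * 1024 ** 2, 10_000), (500, 60_000, 2_000),          # constructed sample
         (100_000, 200 * 1024 ** 2, 1_000), (1_000_000, 120_000_000, 4_000)]   # (packets, bytes, ms)
def matching(filter_text, flows=FLOWS):    # indexes of the flows the filter selects
    pred = compile_filter(filter_text)
    records = [{"packets": p, "bytes": b, "duration": ms, "flows": 1, "pps": p * 1000 / ms,
                "bps": b * 8000 / ms, "bpp": b / p} for p, b, ms in flows]
    return [i for i, f in enumerate(records) if pred(f)]
```

Because the scale factor is 1024, `packets > 1M` selects flows with more than 1,048,576 packets, which is why the third constructed flow (exactly 1,000,000 packets) is not matched by that filter; unknown keywords, stray brackets and other unrecognised input are rejected at compile time rather than silently ignored.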
Amounts
- start-time [<comp>] <number>. The keyword has aliases tstart and stime.
- end-time [<comp>] <number>. The keyword has aliases tend and etime.
- start-uptime [<comp>] <number>. The keyword has an alias suptime.
- sys-init-time <time>. The keyword has an alias sysinittime.
- flow-active-timeout <seconds>
- flow-end-reason <number>
- time-received <time>.
Flowmon specific
- uuid [<strcomp>] <string> - unique identifier of the flow
- channel [<strcomp>] <string> - origin channel (of type "Real") of the flow
Other Filter Examples
- proto tcp and net 192.168/16 and src port > 1024 and dst port 80 and bytes > 2048 - matches TCP flows to port 80 (HTTP) from a source port above 1024 within the 192.168/16 internal network that carry more than 2048 bytes.
- proto tcp and (net 192.168/16) and (src port > 1024 and dst port 80) and (bytes > 2048) - is identical to the previous filter, with brackets added for readability.