Rules syntax
Syntax
You can either match a protocol as a whole or a specific field of that protocol.
To match a protocol: <match>
Example : ipv4
To match a specific field : <match>.<field> <op> <value>, where <op> is a comparison operator (the examples below use ==, >= and <=)
Example : ipv4.src == 10.0.0.0/8
See the start page for a list of match modules and their documentation.
Easy and advanced examples
When you specify a rule, you give the chain of headers that you want to match, from the lower layer to the upper one. Each header is separated from the next by a pipe sign : '|'. For example, to match all the IPv6 TCP traffic sniffed from a network card, you would use the following rule :
ipv6 | tcp
If you want to match all the TCP traffic without any restriction on the layer 3 header, you can simply use this :
tcp
You can also match either one layer or another at the same position in the chain. For example, the following matches IPv6 UDP or IPv6 TCP traffic :
ipv6 | udp or tcp
Things can be a little more complicated. The following rule will match IPv4 TCP traffic and IPv6 UDP traffic :
(ipv4 | tcp ) or ( ipv6 | udp )
You can also match packets on specific fields in the headers. The following rule matches all the IPv4 TCP packets whose source port is 80 :
ipv4 | tcp.sport == 80
You can also match all the IPv4 TCP packets except the ones with source port 80 (the packet still has to carry a TCP header, only the comparison is negated) :
ipv4 | !tcp.sport == 80
Again things can be more complicated. The following rule matches IPv4 TCP packets with a source port between 80 and 100 inclusive, except port 90 :
ipv4 | (tcp.sport >= 80 and tcp.sport <= 100 ) and !tcp.sport == 90
Negation also works at the protocol level, when no field is specified. For example, this rule matches all the IPv4 traffic except ICMP packets :
ipv4 | !icmp
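The text above shows the syntax by example but never states how '|', 'or', 'and' and '!' combine. The following parser and evaluator is an added example for this page, not the project's own code: it reads the rules exactly as the examples above describe them, under these assumptions of mine, which the page does not state: '|' binds loosest, then 'or', then 'and', then '!'; 'A | B' matches when a B header appears somewhere after the matched A header (so a leading ethernet layer does not break 'ipv4 | tcp'); a negated field test such as '!tcp.sport == 80' still requires the TCP header to be present, while '!icmp' matches when no ICMP header follows; values are integers, CIDR ranges or addresses (compared with Python's ipaddress module), else raw text. A packet is represented as an ordered list of (protocol name, decoded header fields) pairs; the names rule_matches, evaluate, Parser, parse_value, compare and the sample packets ETH, HTTP_REPLY and RTP_CALL are all mine and the packets are constructed, not captured.

```python
"""Parser and evaluator for the header-chain rule syntax explained above (added example,
not the project's own code). Assumed precedence, loosest to tightest: '|', 'or', 'and', '!'.
'A | B' matches when a B header appears somewhere after the matched A header."""
import ipaddress
import operator
import re

TOKEN_RE = re.compile(r"\s*(==|!=|<=|>=|<|>|\(|\)|\||!|[\w.:/]+)")
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
# AST: ("match", proto) ("field", proto, name, op, value, negated) ("not", n) ("and"/"or"/"chain", l, r)

def parse_value(text):  # integer, else address or CIDR range (bare address = /32 or /128), else raw text
    for convert in (int, lambda t: ipaddress.ip_network(t, strict=False)):
        try:
            return convert(text)
        except ValueError:
            continue
    return text

class Parser:
    def __init__(self, rule):
        self.tokens, self.pos = TOKEN_RE.findall(rule), 0
        if "".join(self.tokens) != "".join(rule.split()):   # a character no token pattern accepts
            raise ValueError(f"unexpected character in rule {rule!r}")
    def peek(self): return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or expected not in (None, tok):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok
    def binary(self, sep, kind, sub):   # left-associative 'a sep b sep c'
        node = sub()
        while self.peek() == sep:
            self.take(sep)
            node = (kind, node, sub())
        return node
    def chain(self): return self.binary("|", "chain", self.disjunction)
    def disjunction(self): return self.binary("or", "or", self.conjunction)
    def conjunction(self): return self.binary("and", "and", self.unary)
    def unary(self):
        tok = self.take()
        if tok == "!":          # '!tcp.sport == 80' inverts the test but still needs a TCP header
            node = self.unary()
            return node[:5] + (not node[5],) if node[0] == "field" else ("not", node)
        if tok == "(":
            node = self.chain()
            self.take(")")
            return node
        if tok in ("and", "or") or not re.fullmatch(r"[A-Za-z]\w*(\.\w+)?", tok):
            raise ValueError(f"expected a match module or field, got {tok!r}")
        if "." not in tok:
            return ("match", tok)
        proto, name = tok.split(".")
        op = self.take()
        if op not in OPS:
            raise ValueError(f"expected a comparison after {tok}, got {op!r}")
        return ("field", proto, name, op, parse_value(self.take()), False)

def compare(actual, op, value):
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        if op not in ("==", "!="):
            raise ValueError(f"{op} is not defined on address ranges")
        return (ipaddress.ip_address(actual) in value) == (op == "==")
    return OPS[op](actual, value)

def evaluate(node, layers, start=0):
    """Index just past the last header the node consumed, or None when it does not match."""
    kind = node[0]
    if kind in ("match", "field"):
        idx = next((i for i in range(start, len(layers)) if layers[i][0] == node[1]), None)
        if idx is None:
            return None         # header absent: neither a field test nor its negation holds
        if kind == "match" or compare(layers[idx][1][node[2]], node[3], node[4]) != node[5]:
            return idx + 1
        return None
    if kind == "not":
        return start if evaluate(node[1], layers, start) is None else None
    left = evaluate(node[1], layers, start)
    if kind == "chain":         # the right side is searched after the left side's header
        return None if left is None else evaluate(node[2], layers, left)
    if kind == "or":
        return left if left is not None else evaluate(node[2], layers, start)
    right = evaluate(node[2], layers, start)   # "and": both sides are tested from the same point
    return None if left is None or right is None else max(left, right)

def rule_matches(rule, layers):
    """layers: the packet as an ordered list of (protocol name, decoded header fields)."""
    parser = Parser(rule)
    node = parser.chain()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r} in rule {rule!r}")
    return evaluate(node, layers) is not None

# Constructed sample packets (not captured traffic), with an ethernet header in front.
ETH = ("ethernet", {"src": "00:11:22:33:44:55", "dst": "66:77:88:99:aa:bb"})
HTTP_REPLY = [ETH, ("ipv4", {"src": "10.1.2.3", "dst": "203.0.113.7"}), ("tcp", {"sport": 80, "dport": 51000})]
RTP_CALL = [ETH, ("ipv4", {"src": "10.9.9.9", "dst": "10.1.2.50"}),
            ("udp", {"sport": 16384, "dport": 16384}), ("rtp", {"payload_type": 0})]
```

With these definitions, rule_matches("ipv4 | !tcp.sport == 80", HTTP_REPLY) is False and rule_matches("ipv4.dst == 10.1.2.0/24 | udp | rtp", RTP_CALL) is True; in a real tool the layer list would come from the packet decoder rather than being written by hand. The one reading of the grammar that gives every example above the meaning the text claims is that '|' binds loosest: 'ipv6 | udp or tcp' is ipv6 followed by (udp or tcp), which is why the IPv4-TCP-or-IPv6-UDP example needs its parentheses.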
Useful examples
HTTP traffic, client to server (replies carry 80 as the source port, and this matches on the port only, not on the payload) :
tcp.dport == 80
RTP (VoIP) traffic to 10.1.2.0/24 range :
ipv4.dst == 10.1.2.0/24 | udp | rtp
MSN Messenger traffic, client to server :
tcp.dport == 1863