Rules syntax

Syntax

You can match either a whole protocol or a specific field of that protocol.
To match a protocol: <match>
Example: ipv4

To match a specific field: <match>.<field> <op> <value>
Example: ipv4.src == 10.0.0.0/8

See the start page for a list of match modules and their documentation.

Easy and advanced examples

When you specify a rule, you must give the whole chain of headers that you want to match. Each header is separated by a pipe sign: '|'. For example, to match all the IPv6 TCP traffic sniffed from a network card, you would use the following rule:

ipv6 | tcp

If you want to match all the TCP traffic without any restriction on the layer 3 header, you can simply use this:

tcp

You can also match either one layer or another. For example, the following rule matches IPv6 UDP or TCP traffic:

ipv6 | udp or tcp

Things can be a little more complicated. The following rule matches IPv4 TCP traffic and IPv6 UDP traffic:

(ipv4 | tcp ) or ( ipv6 | udp )

You can also match packets on specific fields in the headers. The following rule matches all the IPv4 TCP packets whose source port is 80:

ipv4 | tcp.sport == 80

You can also match all the IPv4 TCP packets except the ones with source port 80:

ipv4 | !tcp.sport == 80

Again, things can be more complicated. The following rule matches IPv4 TCP packets with a source port between 80 and 100, excluding port 90:

ipv4 | (tcp.sport >= 80 and tcp.sport <= 100 ) and !tcp.sport == 90

Negation can also be used at the protocol level, which is the case when no field is specified. For example, this rule matches all the IPv4 traffic except ICMP packets:

ipv4 | !icmp
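The syntax above, worked through as an added example that is not part of this page or of the project's own matcher: a small Python parser and evaluator for these rules, run against a decoded packet given as a list of (protocol name, field dict) pairs. It assumes the precedence in PREC ('|' binds loosest, so `ipv6 | udp or tcp` means IPv6 followed by UDP or TCP), the operators ==, >=, <=, >, < on integer fields with == membership for IP and CIDR values, and that a negated field test such as `!tcp.sport == 80` still requires the TCP header to be present.

```python
import ipaddress, operator, re

TOKEN = re.compile(r"\(|\)|\||==|>=|<=|>|<|!|[\w.:/]+")
OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
PREC = {"|": 0, "or": 1, "and": 2}     # assumed precedence, loosest first; '|' = next header

def predicate(op, value):              # IP/CIDR values use membership, anything else int compare
    if any(c in value for c in ".:/"):
        net = ipaddress.ip_network(value, strict=False)
        return lambda x: x is not None and ipaddress.ip_address(x) in net
    return lambda x: x is not None and OPS[op](int(x), int(value))

def parse(rule):                       # precedence climbing: rule text -> nested tuples
    toks = TOKEN.findall(rule) + [None]
    def expr(min_prec=0):
        node = unary()
        while toks[0] in PREC and PREC[toks[0]] >= min_prec:
            op = toks.pop(0)
            node = (op, node, expr(PREC[op] + 1))
        return node
    def unary():
        tok = toks.pop(0)
        if tok == "!":                 # '!tcp.sport == 80' negates the test but still needs TCP
            node = unary()
            return node[:4] + (not node[4],) if node[0] == "field" else ("!", node)
        if tok == "(":
            node = expr()
            assert toks.pop(0) == ")", "missing ')'"
            return node
        if "." in tok and toks[0] in OPS:  # proto.field op value -> (kind, proto, field, test, negated)
            return ("field", *tok.split(".", 1), predicate(toks.pop(0), toks.pop(0)), False)
        return ("proto", tok)
    node = expr()
    assert toks == [None], "trailing tokens"
    return node

def match(node, layers, start=0):      # index of the header that satisfied `node`, or -1
    kind = node[0]
    if kind == "|":                    # right side must match a header after the left's
        i = match(node[1], layers, start)
        return -1 if i < 0 else match(node[2], layers, i + 1)
    if kind in ("or", "and"):          # both sides are tried from the same header
        i, j = match(node[1], layers, start), match(node[2], layers, start)
        return max(i, j) if kind == "or" or min(i, j) >= 0 else -1
    if kind == "!":                    # '!icmp': no such header from this point on
        return -1 if match(node[1], layers, start) >= 0 else start
    i = next((k for k in range(start, len(layers)) if layers[k][0] == node[1]), -1)
    if kind == "proto" or i < 0:
        return i
    return i if node[3](layers[i][1].get(node[2])) != node[4] else -1
```

A packet matches when `match(parse(rule), layers) >= 0`, with `layers` being the decoded header chain, e.g. `[("ethernet", {}), ("ipv4", {"dst": "10.1.2.9"}), ("udp", {}), ("rtp", {})]` for the RTP rule in the next section.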

Useful examples

HTTP traffic:

tcp.dport == 80

RTP (VoIP) traffic to the 10.1.2.0/24 range:

ipv4.dst == 10.1.2.0/24 | udp | rtp

MSN traffic:

tcp.dport == 1863

pom/rules_syntax.txt · Last modified: 2020/05/26 21:59 by 127.0.0.1