.. _custom_filters_full:

==============
Custom Filters
==============

Client/Server
-------------

===================== ============================================================= =========================
Keyword               Field                                                         Operand Type
===================== ============================================================= =========================
``0win``              Total number of zero-windows                                  :ref:`decimal or hexa.`
``0win.count.clt``    Number of zero-windows from the Client                        :ref:`decimal or hexa.`
``0win.count.srv``    Number of zero-windows from the Server                        :ref:`decimal or hexa.`
``app``               --                                                            :ref:`application name`
``capture.begin``     Capture begin time                                            :ref:`date and time`
``capture.end``       Capture end time                                              :ref:`date and time`
``capture.name``      Capture name (distributed probe)                              :ref:`capture`
``ct``                Connection time                                               :ref:`duration`
``ct.count``          Number of successful handshakes                               :ref:`decimal or hexa.`
``dcerpc``            Distributed Computing Environment                             :ref:`dce rpc uuid`
``delta_session``     Difference between created session and finished sessions      :ref:`decimal or hexa.`
``device``            Either Client or Server Device                                :ref:`packet datasource`
``device.clt``        Device id (Client side)                                       :ref:`packet datasource`
``device.srv``        Device id (Server side)                                       :ref:`packet datasource`
``diffserv``          Either Client or Server Diffserv                              *-*
``diffserv.clt``      Client Diffserv                                               *-*
``diffserv.srv``      Server Diffserv                                               *-*
``dtt``               Sum of DTT (Data Transfer Time) in both directions            :ref:`duration`
``dtt.clt``           Average data transfer time from Client                        :ref:`duration`
``dtt.count``         --                                                            :ref:`decimal or hexa.`
``dtt.count.clt``     --                                                            :ref:`decimal or hexa.`
``dtt.count.srv``     --                                                            :ref:`decimal or hexa.`
``dtt.srv``           Average data transfer time from Server                        :ref:`duration`
``dup_ack.count``     Total Duplicate ACKs                                          :ref:`decimal or hexa.`
``dup_ack.count.clt`` Duplicate ACKs from Client to Server                          :ref:`decimal or hexa.`
``dup_ack.count.srv`` Duplicate ACKs from Server to Client                          :ref:`decimal or hexa.`
``eth.proto``         Ethernet Type Protocol                                        :ref:`ethernet type`
``eurt``              End-user response time: sum of RTT, DTT and SRT               :ref:`duration`
``fin.count``         Total number of FIN packets                                   :ref:`decimal or hexa.`
``fin.count.clt``     Number of FINs emitted by the Client                          :ref:`decimal or hexa.`
``fin.count.srv``     Number of FINs emitted by the Server                          :ref:`decimal or hexa.`
``ip``                Either Client or Server IP or subnet                          :ref:`address or netmask`
``ip.clt``            IP that initiated a connection to a server                    :ref:`address or netmask`
``ip.netflow``        IP of the netflow capture                                     :ref:`address or netmask`
``ip.srv``            IP that replied to another IP (works also without handshak... :ref:`address or netmask`
``mac``               Either Client or Server MAC address                           :ref:`mac address`
``mac.clt``           Client MAC (physical) address                                 :ref:`mac address`
``mac.srv``           Server MAC (physical) address                                 :ref:`mac address`
``mtu``               The global MTU (Maximum Transmission Unit)                    :ref:`decimal or hexa.`
``mtu.clt``           Client MTU (Maximum Transmission Unit)                        :ref:`decimal or hexa.`
``mtu.srv``           Server MTU (Maximum Transmission Unit)                        :ref:`decimal or hexa.`
``os``                Either Client or Server Operating System                      :ref:`os name`
``os.clt``            Client Operating System                                       :ref:`os name`
``os.srv``            Server Operating System                                       :ref:`os name`
``payload``           Total payload                                                 :ref:`byte quantity`
``payload.clt``       Payload from Client to Server                                 :ref:`byte quantity`
``payload.count``     Number of IP packets with a payload                           :ref:`decimal or hexa.`
``payload.count.clt`` Number of packets with payload emitted by the Client          :ref:`decimal or hexa.`
``payload.count.srv`` Number of packets with a payload emitted by the Server        :ref:`decimal or hexa.`
``payload.ret``       Total retransmission payload                                  :ref:`byte quantity`
``payload.ret.clt``   Retransmission payload from Client to Server                  :ref:`byte quantity`
``payload.ret.srv``   Retransmission payload from Server to Client                  :ref:`byte quantity`
``payload.srv``       Payload from Server to Client                                 :ref:`byte quantity`
``pkt.count``         Number of IP packets                                          :ref:`decimal or hexa.`
``pkt.count.clt``     Number of packets emitted by the Client                       :ref:`decimal or hexa.`
``pkt.count.srv``     Number of packets emitted by the Server                       :ref:`decimal or hexa.`
``port``              Either the client or the server port                          :ref:`port number`
``port.clt``          TCP/UDP client Port.                                          :ref:`port number`
``port.srv``          TCP/UDP server Port.                                          :ref:`port number`
``protostack``        Protocols Stack                                               :ref:`wildcard or regex`
``rd``                Sum of RD (Retransmission delay) in both directions           :ref:`duration`
``rd.clt``            Retransmission delay from Client to Server                    :ref:`duration`
``rd.count``          Retransmission count (both directions)                        :ref:`decimal or hexa.`
``rd.count.clt``      Retransmission count from Client to Server                    :ref:`decimal or hexa.`
``rd.count.srv``      Retransmission count from Server to Client                    :ref:`decimal or hexa.`
``rd.rate``           Total retransmission ratio                                    :ref:`rate`
``rd.rate.clt``       Retransmission ratio from Client to Server                    :ref:`rate`
``rd.rate.srv``       Retransmission ratio from Server to Client                    :ref:`rate`
``rd.srv``            Retransmission delay from Server to Client                    :ref:`duration`
``ret``               Total retransmission traffic                                  :ref:`byte quantity`
``ret.clt``           Retransmission traffic from Client to Server                  :ref:`byte quantity`
``ret.srv``           Retransmission traffic from Server to Client                  :ref:`byte quantity`
``rst.count``         Total number of RST packets                                   :ref:`decimal or hexa.`
``rst.count.clt``     Number of RSTs emitted by the Client                          :ref:`decimal or hexa.`
``rst.count.srv``     Number of RSTs emitted by the Server                          :ref:`decimal or hexa.`
``rtt``               Sum of RTT (Round Trip Time) in both directions               :ref:`duration`
``rtt.clt``           The round-trip time for packets emitted by the Client         :ref:`duration`
``rtt.count``         Number of RTT (in both directions)                            :ref:`decimal or hexa.`
``rtt.count.clt``     Number of RTT for packets emitted by the Client               :ref:`decimal or hexa.`
``rtt.count.srv``     Number of RTT for packets emitted by the Server               :ref:`decimal or hexa.`
``rtt.srv``           The round-trip time for packets emitted by the Server         :ref:`duration`
``srt``               Server response time (SRT), elapsed time from the client r... :ref:`duration`
``srt.count``         Number of SRT computed in a time interval                     :ref:`decimal or hexa.`
``syn.count``         Number of SYN packets                                         :ref:`decimal or hexa.`
``tcp_close.count``   Number of times the connection has been closed (by acked F... :ref:`decimal or hexa.`
``traffic``           Total traffic                                                 :ref:`byte quantity`
``traffic.clt``       Traffic emitted by the Client                                 :ref:`byte quantity`
``traffic.srv``       Traffic emitted by the Server                                 :ref:`byte quantity`
``vlan``              Either Client or Server VLAN                                  :ref:`decimal or hexa.`
``vlan.clt``          Tagged Link (802.1Q) seen on the Client side                  :ref:`decimal or hexa.`
``vlan.srv``          Tagged Link (802.1Q) seen on the Server side                  :ref:`decimal or hexa.`
``zone``              Either Client or Server Zone                                  :ref:`zone name`
``zone.clt``          Client zone as described in the configuration.                :ref:`zone name`
``zone.srv``          Server zone as described in the configuration.                :ref:`zone name`
===================== ============================================================= =========================

Source/Destination
------------------

===================== ============================================================= =========================
Keyword               Field                                                         Operand Type
===================== ============================================================= =========================
``0win``              Total number of zero-windows                                  :ref:`decimal or hexa.`
``0win.count.dst``    Number of zero-windows from the Destination                   :ref:`decimal or hexa.`
``0win.count.src``    Number of zero-windows from the Source                        :ref:`decimal or hexa.`
``app``               --                                                            :ref:`application name`
``capture.begin``     Capture begin time                                            :ref:`date and time`
``capture.end``       Capture end time                                              :ref:`date and time`
``capture.name``      Capture name (distributed probe)                              :ref:`capture`
``ct``                Connection time                                               :ref:`duration`
``ct.count``          Number of successful handshakes                               :ref:`decimal or hexa.`
``dcerpc``            Distributed Computing Environment                             :ref:`dce rpc uuid`
``delta_session``     Difference between created session and finished sessions      :ref:`decimal or hexa.`
``device``            Either Source or Destination Device                           :ref:`packet datasource`
``device.dst``        Device id (Destination side)                                  :ref:`packet datasource`
``device.src``        Device id (Source side)                                       :ref:`packet datasource`
``diffserv``          Either Source or Destination Diffserv                         *-*
``diffserv.dst``      Destination Diffserv                                          *-*
``diffserv.src``      Source Diffserv                                               *-*
``dtt``               Sum of DTT (Data Transfer Time) in both directions            :ref:`duration`
``dtt.count``         --                                                            :ref:`decimal or hexa.`
``dtt.count.dst``     --                                                            :ref:`decimal or hexa.`
``dtt.count.src``     --                                                            :ref:`decimal or hexa.`
``dtt.dst``           Average data transfer time from Destination                   :ref:`duration`
``dtt.src``           Average data transfer time from Source                        :ref:`duration`
``dup_ack.count``     Total Duplicate ACKs                                          :ref:`decimal or hexa.`
``dup_ack.count.dst`` Duplicate ACKs from Destination to Source                     :ref:`decimal or hexa.`
``dup_ack.count.src`` Duplicate ACKs from Source to Destination                     :ref:`decimal or hexa.`
``eth.proto``         Ethernet Type Protocol                                        :ref:`ethernet type`
``eurt``              End-user response time: sum of RTT, DTT and SRT               :ref:`duration`
``fin.count``         Total number of FIN packets                                   :ref:`decimal or hexa.`
``fin.count.dst``     Number of FINs emitted by the Destination                     :ref:`decimal or hexa.`
``fin.count.src``     Number of FINs emitted by the Source                          :ref:`decimal or hexa.`
``ip``                Either Source or Destination IP or subnet                     :ref:`address or netmask`
``ip.dst``            IP address to which network communication is sent             :ref:`address or netmask`
``ip.netflow``        IP of the netflow capture                                     :ref:`address or netmask`
``ip.src``            IP address from which network communication originated        :ref:`address or netmask`
``mac``               Either Source or Destination MAC address                      :ref:`mac address`
``mac.dst``           Destination MAC (physical) Address                            :ref:`mac address`
``mac.src``           Source MAC (physical) Address                                 :ref:`mac address`
``mtu``               The global MTU (Maximum Transmission Unit)                    :ref:`decimal or hexa.`
``mtu.dst``           Destination MTU (Maximum Transmission Unit)                   :ref:`decimal or hexa.`
``mtu.src``           Source MTU (Maximum Transmission Unit)                        :ref:`decimal or hexa.`
``os``                Either Source or Destination Operating System                 :ref:`os name`
``os.dst``            Destination Operating System                                  :ref:`os name`
``os.src``            Source Operating System                                       :ref:`os name`
``payload``           Total payload                                                 :ref:`byte quantity`
``payload.count``     Number of IP packets with a payload                           :ref:`decimal or hexa.`
``payload.count.dst`` Number of packets with a payload sent by the Destination      :ref:`decimal or hexa.`
``payload.count.src`` Number of packets with payload sent by the Source             :ref:`decimal or hexa.`
``payload.dst``       Payload from Destination to Source                            :ref:`byte quantity`
``payload.ret``       Total retransmission payload                                  :ref:`byte quantity`
``payload.ret.dst``   Retransmission payload from Destination to Source             :ref:`byte quantity`
``payload.ret.src``   Retransmission payload from Source to Destination             :ref:`byte quantity`
``payload.src``       Payload from Source to Destination                            :ref:`byte quantity`
``pkt.count``         Number of IP packets                                          :ref:`decimal or hexa.`
``pkt.count.dst``     Number of packets emitted by the Destination                  :ref:`decimal or hexa.`
``pkt.count.src``     Number of packets emitted by the Source                       :ref:`decimal or hexa.`
``port``              Either the client or the server port                          :ref:`port number`
``port.clt``          TCP/UDP client Port.                                          :ref:`port number`
``port.srv``          TCP/UDP server Port.                                          :ref:`port number`
``protostack``        Protocols Stack                                               :ref:`wildcard or regex`
``rd``                Sum of RD (Retransmission delay) in both directions           :ref:`duration`
``rd.count``          Retransmission count (both directions)                        :ref:`decimal or hexa.`
``rd.count.dst``      Retransmission count from Destination to Source               :ref:`decimal or hexa.`
``rd.count.src``      Retransmission count from Source to Destination               :ref:`decimal or hexa.`
``rd.dst``            Retransmission delay from Destination to Source               :ref:`duration`
``rd.rate``           Total retransmission ratio                                    :ref:`rate`
``rd.rate.dst``       Retransmission ratio from Destination to Source               :ref:`rate`
``rd.rate.src``       Retransmission ratio from Source to Destination               :ref:`rate`
``rd.src``            Retransmission delay from Source to Destination               :ref:`duration`
``ret``               Total retransmission traffic                                  :ref:`byte quantity`
``ret.dst``           Retransmission traffic from Destination to Source             :ref:`byte quantity`
``ret.src``           Retransmission traffic from Source to Destination             :ref:`byte quantity`
``rst.count``         Total number of RST packets                                   :ref:`decimal or hexa.`
``rst.count.dst``     Number of RSTs emitted by the Destination                     :ref:`decimal or hexa.`
``rst.count.src``     Number of RSTs emitted by the Source                          :ref:`decimal or hexa.`
``rtt``               Sum of RTT (Round Trip Time) in both directions               :ref:`duration`
``rtt.count``         Number of RTT (in both directions)                            :ref:`decimal or hexa.`
``rtt.count.dst``     Number of RTT for packets emitted by the Destination          :ref:`decimal or hexa.`
``rtt.count.src``     Number of RTT for packets emitted by the Source               :ref:`decimal or hexa.`
``rtt.dst``           The round-trip time for packets emitted by the Destination    :ref:`duration`
``rtt.src``           The round-trip time for packets emitted by the Source         :ref:`duration`
``srt``               Server response time (SRT), elapsed time from the client r... :ref:`duration`
``srt.count``         Number of SRT computed in a time interval                     :ref:`decimal or hexa.`
``syn.count``         Number of SYN packets                                         :ref:`decimal or hexa.`
``tcp_close.count``   Number of times the connection has been closed (by acked F... :ref:`decimal or hexa.`
``traffic``           Total traffic                                                 :ref:`byte quantity`
``traffic.dst``       Traffic emitted by the Destination                            :ref:`byte quantity`
``traffic.src``       Traffic emitted by the Source                                 :ref:`byte quantity`
``vlan``              Either Source or Destination VLAN                             :ref:`decimal or hexa.`
``vlan.dst``          Tagged Link (802.1Q) seen on the Destination side             :ref:`decimal or hexa.`
``vlan.src``          Tagged Link (802.1Q) seen on the Source side                  :ref:`decimal or hexa.`
``zone``              Either Source or Destination Zone                             :ref:`zone name`
``zone.dst``          Zone to which network communication is sent                   :ref:`zone name`
``zone.src``          Zone from which network communication originated              :ref:`zone name`
===================== ============================================================= =========================

HTTP
----

========================= ============================================================= ==============================
Keyword                   Field                                                         Operand Type
========================= ============================================================= ==============================
``app``                   --                                                            :ref:`application name`
``capture.begin``         Capture begin time                                            :ref:`date and time`
``capture.end``           Capture end time                                              :ref:`date and time`
``capture.name``          Capture name (distributed probe)                              :ref:`capture`
``device``                Either Client or Server Device                                :ref:`packet datasource`
``device.clt``            Device id (Client side)                                       :ref:`packet datasource`
``device.srv``            Device id (Server side)                                       :ref:`packet datasource`
``dtt``                   Sum of DTT (Data Transfer Time) in both directions            :ref:`duration`
``dtt.clt``               Average data transfer time from Client                        :ref:`duration`
``dtt.count``             --                                                            :ref:`decimal or hexa.`
``dtt.count.clt``         --                                                            :ref:`decimal or hexa.`
``dtt.count.srv``         --                                                            :ref:`decimal or hexa.`
``dtt.srv``               Average data transfer time from Server                        :ref:`duration`
``eth.proto``             Ethernet Type Protocol                                        :ref:`ethernet type`
``http.dtt``              Sum of DTT (Data Transfer Time) in both directions            :ref:`duration`
``http.dtt.clt``          Average data transfer time from Client                        :ref:`duration`
``http.dtt.srv``          Average data transfer time from Server                        :ref:`duration`
``http.hit.count``        Number of HTTP hits                                           :ref:`decimal or hexa.`
``http.hit.err.count``    Sum of Hits with an error status (4xx and 5xx)                :ref:`decimal or hexa.`
``http.hit.rt``           Average of the hit response time                              :ref:`duration`
``http.host``             URL Host                                                      :ref:`string`
``http.page.count``       Number of HTTP pages                                          :ref:`decimal or hexa.`
``http.page.hit_count``   The number of hits that contributed to this page              :ref:`decimal or hexa.`
``http.page.lt``          Page load time average                                        :ref:`duration`
``http.request.length``   Sum of content length generated by HTTP Queries               :ref:`byte quantity`
``http.request.method``   The HTTP method used to query                                 :ref:`http method`
``http.resp.status``      The HTTP response code (1xx to 5xx)                           :ref:`http status or category`
``http.resp.status.cat``  The category of the HTTP response code                        :ref:`http status category`
``http.resp.status.code`` The HTTP response code                                        :ref:`http status`
``http.response.length``  Sum of content length generated by HTTP Responses             :ref:`byte quantity`
``http.response.server``  Software declared as the HTTP server                          :ref:`string`
``http.url.path``         The path, query and fragment parts of the URL.                :ref:`wildcard or regex`
``http.user_agent``       User agent                                                    :ref:`string`
``ip``                    Either Client or Server IP or subnet                          :ref:`address or netmask`
``ip.clt``                IP that initiated a connection to a server                    :ref:`address or netmask`
``ip.srv``                IP that replied to another IP (works also without handshak... :ref:`address or netmask`
``mac``                   Either Client or Server MAC address                           :ref:`mac address`
``mac.clt``               Client MAC (physical) address                                 :ref:`mac address`
``mac.srv``               Server MAC (physical) address                                 :ref:`mac address`
``port``                  Either the client or the server port                          :ref:`port number`
``port.clt``              TCP/UDP client Port.                                          :ref:`port number`
``port.srv``              TCP/UDP server Port.                                          :ref:`port number`
``vlan``                  Either Client or Server VLAN                                  :ref:`decimal or hexa.`
``vlan.clt``              Tagged Link (802.1Q) seen on the Client side                  :ref:`decimal or hexa.`
``vlan.srv``              Tagged Link (802.1Q) seen on the Server side                  :ref:`decimal or hexa.`
``zone``                  Either Client or Server Zone                                  :ref:`zone name`
``zone.clt``              Client zone as described in the configuration.                :ref:`zone name`
``zone.srv``              Server zone as described in the configuration.                :ref:`zone name`
========================= ============================================================= ==============================

SQL
---

======================== ============================================================= =========================
Keyword                  Field                                                         Operand Type
======================== ============================================================= =========================
``app``                  --                                                            :ref:`application name`
``capture.begin``        Capture begin time                                            :ref:`date and time`
``capture.end``          Capture end time                                              :ref:`date and time`
``capture.name``         Capture name (distributed probe)                              :ref:`capture`
``device``               Either Client or Server Device                                :ref:`packet datasource`
``device.clt``           Device id (Client side)                                       :ref:`packet datasource`
``device.srv``           Device id (Server side)                                       :ref:`packet datasource`
``dtt``                  Sum of DTT (Data Transfer Time) in both directions            :ref:`duration`
``dtt.clt``              Average data transfer time from Client                        :ref:`duration`
``dtt.count``            --                                                            :ref:`decimal or hexa.`
``dtt.count.clt``        --                                                            :ref:`decimal or hexa.`
``dtt.count.srv``        --                                                            :ref:`decimal or hexa.`
``dtt.srv``              Average data transfer time from Server                        :ref:`duration`
``eth.proto``            Ethernet Type Protocol                                        :ref:`ethernet type`
``ip``                   Either Client or Server IP or subnet                          :ref:`address or netmask`
``ip.clt``               IP that initiated a connection to a server                    :ref:`address or netmask`
``ip.srv``               IP that replied to another IP (works also without handshak... :ref:`address or netmask`
``mac``                  Either Client or Server MAC address                           :ref:`mac address`
``mac.clt``              Client MAC (physical) address                                 :ref:`mac address`
``mac.srv``              Server MAC (physical) address                                 :ref:`mac address`
``port``                 Either the client or the server port                          :ref:`port number`
``port.clt``             TCP/UDP client Port.                                          :ref:`port number`
``port.srv``             TCP/UDP server Port.                                          :ref:`port number`
``protostack``           Protocols Stack                                               :ref:`wildcard or regex`
``sql.dbname``           The database or instance name which is used to execute the... :ref:`wildcard or regex`
``sql.dbuser``           Authenticated username who executes the queries               :ref:`wildcard or regex`
``sql.dtt``              Sum of DTT (Data Transfer Time) in both directions            :ref:`duration`
``sql.dtt.clt``          Average data transfer time from Client                        :ref:`duration`
``sql.dtt.srv``          Average data transfer time from Server                        :ref:`duration`
``sql.error.code``       The system specific error code                                :ref:`string`
``sql.error.count``      Number of errors                                              :ref:`decimal or hexa.`
``sql.error.msg``        The SQL error message                                         :ref:`string`
``sql.error.rate``       Errors ratio                                                  :ref:`rate`
``sql.error.status``     The SQL error status                                          :ref:`string`
``sql.query.command``    Type of SQL command                                           :ref:`sql command`
``sql.query.count``      Number of queries                                             :ref:`decimal or hexa.`
``sql.query.packets``    Query packets at applicative level (PDU)                      :ref:`decimal or hexa.`
``sql.query.payload``    Sum of query payload                                          :ref:`byte quantity`
``sql.response.packets`` Response packets at applicative level (PDU)                   :ref:`decimal or hexa.`
``sql.response.payload`` Sum of response payload                                       :ref:`byte quantity`
``sql.system``           Database system                                               :ref:`sql system`
``srt``                  Server response time (SRT), elapsed time from the client r... :ref:`duration`
``srt.count``            Number of SRT computed in a time interval                     :ref:`decimal or hexa.`
``vlan``                 Either Client or Server VLAN                                  :ref:`decimal or hexa.`
``vlan.clt``             Tagged Link (802.1Q) seen on the Client side                  :ref:`decimal or hexa.`
``vlan.srv``             Tagged Link (802.1Q) seen on the Server side                  :ref:`decimal or hexa.`
``zone``                 Either Client or Server Zone                                  :ref:`zone name`
``zone.clt``             Client zone as described in the configuration.                :ref:`zone name`
``zone.srv``             Server zone as described in the configuration.                :ref:`zone name`
======================== ============================================================= =========================

CIFS
----

========================= ============================================================= =========================
Keyword                   Field                                                         Operand Type
========================= ============================================================= =========================
``app``                   --                                                            :ref:`application name`
``capture.begin``         Capture begin time                                            :ref:`date and time`
``capture.end``           Capture end time                                              :ref:`date and time`
``capture.name``          Capture name (distributed probe)                              :ref:`capture`
``cifs.command``          CIFS Command                                                  :ref:`smb command`
``cifs.data.payload``     Payload of data (files transferred) without CIFS meta info... :ref:`byte quantity`
``cifs.domain``           CIFS Domain                                                   :ref:`string`
``cifs.error.count``      Number of errors (mostly Server side)                         :ref:`decimal or hexa.`
``cifs.fileid``           CIFS File ID                                                  :ref:`decimal or hexa.`
``cifs.meta.payload``     Metadata payload used for the CIFS commands (like 'move', ... :ref:`byte quantity`
``cifs.meta.read``        Number of metadata bytes read                                 :ref:`byte quantity`
``cifs.meta.written``     Number of metadata bytes written                              :ref:`byte quantity`
``cifs.path``             CIFS Path to the file related to this command                 :ref:`wildcard or regex`
``cifs.query.count``      Number of queries                                             :ref:`decimal or hexa.`
``cifs.query.packets``    Query packets at applicative level (PDU)                      :ref:`decimal or hexa.`
``cifs.query.payload``    Sum of query payload                                          :ref:`byte quantity`
``cifs.query.write``      Number of bytes to be written                                 :ref:`byte quantity`
``cifs.response.packets`` Response packets at applicative level (PDU)                   :ref:`decimal or hexa.`
``cifs.response.payload`` Sum of response payload                                       :ref:`byte quantity`
``cifs.response.read``    Number of bytes read                                          :ref:`byte quantity`
``cifs.response.written`` Number of bytes effectively written                           :ref:`byte quantity`
``cifs.status``           CIFS Status                                                   :ref:`smb status`
``cifs.subcommand``       CIFS Subcommand                                               :ref:`smb sub-command`
``cifs.success.count``    Number of queries with OK or Informational status             :ref:`decimal or hexa.`
``cifs.tree``             CIFS Tree related to this command                             :ref:`wildcard or regex`
``cifs.tree.id``          CIFS Tree ID                                                  :ref:`decimal or hexa.`
``cifs.user``             CIFS User                                                     :ref:`string`
``cifs.warning.count``    Number of warnings (mostly Client side)                       :ref:`decimal or hexa.`
``device``                Either Client or Server Device                                :ref:`packet datasource`
``device.clt``            Device id (Client side)                                       :ref:`packet datasource`
``device.srv``            Device id (Server side)                                       :ref:`packet datasource`
``dtt``                   Sum of DTT (Data Transfer Time) in both directions            :ref:`duration`
``dtt.clt``               Average data transfer time from Client                        :ref:`duration`
``dtt.count``             --                                                            :ref:`decimal or hexa.`
``dtt.count.clt``         --                                                            :ref:`decimal or hexa.`
``dtt.count.srv``         --                                                            :ref:`decimal or hexa.`
``dtt.srv``               Average data transfer time from Server                        :ref:`duration`
``eth.proto``             Ethernet Type Protocol                                        :ref:`ethernet type`
``ip``                    Either Client or Server IP or subnet                          :ref:`address or netmask`
``ip.clt``                IP that initiated a connection to a server                    :ref:`address or netmask`
``ip.srv``                IP that replied to another IP (works also without handshak... :ref:`address or netmask`
``mac``                   Either Client or Server MAC address                           :ref:`mac address`
``mac.clt``               Client MAC (physical) address                                 :ref:`mac address`
``mac.srv``               Server MAC (physical) address                                 :ref:`mac address`
``port``                  Either the client or the server port                          :ref:`port number`
``port.clt``              TCP/UDP client Port.                                          :ref:`port number`
``port.srv``              TCP/UDP server Port.                                          :ref:`port number`
``protostack``            Protocols Stack                                               :ref:`wildcard or regex`
``srt``                   Server response time (SRT), elapsed time from the client r... :ref:`duration`
``srt.count``             Number of SRT computed in a time interval                     :ref:`decimal or hexa.`
``vlan``                  Either Client or Server VLAN                                  :ref:`decimal or hexa.`
``vlan.clt``              Tagged Link (802.1Q) seen on the Client side                  :ref:`decimal or hexa.`
``vlan.srv``              Tagged Link (802.1Q) seen on the Server side                  :ref:`decimal or hexa.`
``zone``                  Either Client or Server Zone                                  :ref:`zone name`
``zone.clt``              Client zone as described in the configuration.                :ref:`zone name`
``zone.srv``              Server zone as described in the configuration.                :ref:`zone name`
========================= ============================================================= =========================

ICMP
----

===================== ============================================================= =========================
Keyword               Field                                                         Operand Type
===================== ============================================================= =========================
``app``               --                                                            :ref:`application name`
``capture.begin``     Capture begin time                                            :ref:`date and time`
``capture.end``       Capture end time                                              :ref:`date and time`
``capture.name``      Capture name (distributed probe)                              :ref:`capture`
``device``            Either Emitting or Server Device                              :ref:`packet datasource`
``device.clt``        Device id (Emitting side)                                     :ref:`packet datasource`
``device.srv``        Device id (Server side)                                       :ref:`packet datasource`
``diffserv``          Either Client or Server Diffserv                              *-*
``diffserv.clt``      Client Diffserv                                               *-*
``diffserv.srv``      Server Diffserv                                               *-*
``eth.proto``         Ethernet Type Protocol                                        :ref:`ethernet type`
``icmp.code``         ICMP Code                                                     :ref:`decimal or hexa.`
``icmp.err.ip``       Either Client or Server Error IP                              :ref:`address or netmask`
``icmp.err.ip.clt``   Client IP of the ICMP Error                                   :ref:`address or netmask`
``icmp.err.ip.srv``   Server IP of the ICMP Error                                   :ref:`address or netmask`
``icmp.err.port``     Either Client or Server Error Port                            :ref:`port number`
``icmp.err.port.clt`` ICMP Client Error Port                                        :ref:`port number`
``icmp.err.port.srv`` ICMP Server Error Port                                        :ref:`port number`
``icmp.err.zone``     Either Client or Server Error Zone                            :ref:`zone name`
``icmp.err.zone.clt`` Client zone of the ICMP error                                 :ref:`zone name`
``icmp.err.zone.srv`` Server zone of the ICMP error                                 :ref:`zone name`
``icmp.protocol``     Which protocol caused an error                                *-*
``icmp.type``         ICMP type                                                     :ref:`icmp type.`
``ip``                Either Emitting or Server IP or subnet                        :ref:`address or netmask`
``ip.clt``            IP that sent the packet                                       :ref:`address or netmask`
``ip.netflow``        IP of the netflow capture                                     :ref:`address or netmask`
``ip.srv``            IP that replied to another IP (works also without handshak... :ref:`address or netmask`
``mac``               Either Client or Server MAC address                           :ref:`mac address`
``mac.clt``           Client MAC (physical) address                                 :ref:`mac address`
``mac.srv``           Server MAC (physical) address                                 :ref:`mac address`
``mtu``               The global MTU (Maximum Transmission Unit)                    :ref:`decimal or hexa.`
``mtu.clt``           Client MTU (Maximum Transmission Unit)                        :ref:`decimal or hexa.`
``mtu.srv``           Server MTU (Maximum Transmission Unit)                        :ref:`decimal or hexa.`
``pkt.count``         Number of IP packets                                          :ref:`decimal or hexa.`
``pkt.count.clt``     Number of packets emitted by the Client                       :ref:`decimal or hexa.`
``pkt.count.srv``     Number of packets emitted by the Server                       :ref:`decimal or hexa.`
``protostack``        Protocols Stack                                               :ref:`wildcard or regex`
``traffic``           Total traffic                                                 :ref:`byte quantity`
``traffic.clt``       Traffic emitted by the Client                                 :ref:`byte quantity`
``traffic.srv``       Traffic emitted by the Server                                 :ref:`byte quantity`
``vlan``              Either Emitting or Server VLAN                                :ref:`decimal or hexa.`
``vlan.clt``          Tagged Link (802.1Q) seen on the Emitting side                :ref:`decimal or hexa.`
``vlan.srv``          Tagged Link (802.1Q) seen on the Server side                  :ref:`decimal or hexa.`
``zone``              Either Emitting or Server Zone                                :ref:`zone name`
``zone.clt``          Zone from where the ICMP packet was sent                      :ref:`zone name`
``zone.srv``          Server zone as described in the configuration.                :ref:`zone name`
===================== ============================================================= =========================

DNS
---

===================== ============================================================= =========================
Keyword               Field                                                         Operand Type
===================== ============================================================= =========================
``capture.begin``     Capture begin time                                            :ref:`date and time`
``capture.end``       Capture end time                                              :ref:`date and time`
``capture.name``      Capture name (distributed probe)                              :ref:`capture`
``device``            Either Client or Server Device                                :ref:`packet datasource`
``device.clt``        Device id (Client side)                                       :ref:`packet datasource`
``device.srv``        Device id (Server side)                                       :ref:`packet datasource`
``dns.pkt.count``     Number of IP packets                                          :ref:`decimal or hexa.`
``dns.pkt.count.clt`` Number of packets emitted by the Client                       :ref:`decimal or hexa.`
``dns.pkt.count.srv`` Number of packets emitted by the Server                       :ref:`decimal or hexa.`
``dns.req.class``     The DNS class of the Request                                  :ref:`dns class`
``dns.req.name``      The name or IP address to resolve                             :ref:`wildcard or regex`
``dns.req.type``      The DNS type of the Request                                   :ref:`dns type`
``dns.res.class``     The DNS class of the Response                                 :ref:`dns class`
``dns.res.rcode``     Code of DNS Response                                          :ref:`dns result`
``dns.res.type``      The DNS type of the Response                                  :ref:`dns type`
``dns.traffic``       Total traffic                                                 :ref:`byte quantity`
``dns.traffic.clt``   Traffic emitted by the Client                                 :ref:`byte quantity`
``dns.traffic.srv``   Traffic emitted by the Server                                 :ref:`byte quantity`
``drt``               DNS response time                                             :ref:`duration`
``drt.count``         Number of DNS RT computed in a time interval                  :ref:`decimal or hexa.`
``eth.proto``         Ethernet Type Protocol                                        :ref:`ethernet type`
``ip``                Either Client or Server IP or subnet                          :ref:`address or netmask`
``ip.clt``            IP that initiated a connection to a server                    :ref:`address or netmask`
``ip.requester``      IP that initiated a connection to a server                    :ref:`address or netmask`
``ip.srv``            IP that replied to another IP (works also without handshak... :ref:`address or netmask`
``mac``               Either Client or Server MAC address                           :ref:`mac address`
``mac.clt``           Client MAC (physical) address                                 :ref:`mac address`
``mac.srv``           Server MAC (physical) address                                 :ref:`mac address`
``pkt.count``         Number of IP packets                                          :ref:`decimal or hexa.`
``pkt.count.clt``     Number of packets emitted by the Client                       :ref:`decimal or hexa.`
``pkt.count.srv``     Number of packets emitted by the Server                       :ref:`decimal or hexa.`
``traffic``           Total traffic                                                 :ref:`byte quantity`
``traffic.clt``       Traffic emitted by the Client                                 :ref:`byte quantity`
``traffic.srv``       Traffic emitted by the Server                                 :ref:`byte quantity`
``vlan``              Either Client or Server VLAN                                  :ref:`decimal or hexa.`
``vlan.clt``          Tagged Link (802.1Q) seen on the Client side                  :ref:`decimal or hexa.`
``vlan.srv``          Tagged Link (802.1Q) seen on the Server side                  :ref:`decimal or hexa.`
``zone``              Either Client or Server Zone                                  :ref:`zone name`
``zone.clt``          Client zone as described in the configuration.                :ref:`zone name`
``zone.srv``          Server zone as described in the configuration.                :ref:`zone name`
===================== ============================================================= =========================

Non IP
------

================= ============================================== ========================
Keyword           Field                                          Operand Type
================= ============================================== ========================
``app``           --                                             :ref:`application name`
``capture.begin`` Capture begin time                             :ref:`date and time`
``capture.end``   Capture end time                               :ref:`date and time`
``capture.name``  Capture name (distributed probe)               :ref:`capture`
``device``        Either Client or Server Device                 :ref:`packet datasource`
``device.clt``    Device id (Client side)                        :ref:`packet datasource`
``device.srv``    Device id (Server side)                        :ref:`packet datasource`
``eth.proto``     Ethernet Type Protocol                         :ref:`ethernet type`
``mac``           Either Client or Server MAC address            :ref:`mac address`
``mac.clt``       Client MAC (physical) address                  :ref:`mac address`
``mac.srv``       Server MAC (physical) address                  :ref:`mac address`
``mtu``           The global MTU (Maximum Transmission Unit)     :ref:`decimal or hexa.`
``mtu.clt``       Client MTU (Maximum Transmission Unit)         :ref:`decimal or hexa.`
``mtu.srv``       Server MTU (Maximum Transmission Unit)         :ref:`decimal or hexa.`
``nonip.proto``   Ethernet Protocol                              :ref:`ethernet type`
``pkt.count``     Number of IP packets                           :ref:`decimal or hexa.`
``pkt.count.clt`` Number of packets emitted by the Client        :ref:`decimal or hexa.`
``pkt.count.srv`` Number of packets emitted by the Server        :ref:`decimal or hexa.`
``protostack``    Protocols Stack                                :ref:`wildcard or regex`
``traffic``       Total traffic                                  :ref:`byte quantity`
``traffic.clt``   Traffic emitted by the Client                  :ref:`byte quantity`
``traffic.srv``   Traffic emitted by the Server                  :ref:`byte quantity`
``vlan``          Either Client or Server VLAN                   :ref:`decimal or hexa.`
``vlan.clt``      Tagged Link (802.1Q) seen on the Client side   :ref:`decimal or hexa.`
``vlan.srv``      Tagged Link (802.1Q) seen on the Server side   :ref:`decimal or hexa.`
``zone``          Either Client or Server Zone                   :ref:`zone name`
``zone.clt``      Client zone as described in the configuration. :ref:`zone name`
``zone.srv``      Server zone as described in the configuration. :ref:`zone name`
================= ============================================== ========================

VoIP
----

====================== ============================================================= =========================
Keyword                Field                                                         Operand Type
====================== ============================================================= =========================
``app``                --                                                            :ref:`application name`
``capture.begin``      Capture begin time                                            :ref:`date and time`
``capture.end``        Capture end time                                              :ref:`date and time`
``capture.name``       Capture name (distributed probe)                              :ref:`capture`
``device``             Either Client or Server Device                                :ref:`packet datasource`
``device.clt``         Device id (Client side)                                       :ref:`packet datasource`
``device.srv``         Device id (Server side)                                       :ref:`packet datasource`
``eth.proto``          Ethernet Type Protocol                                        :ref:`ethernet type`
``ip``                 Either Client or Server IP or subnet                          :ref:`address or netmask`
``ip.callee``          IP of the Callee                                              :ref:`address or netmask`
``ip.caller``          IP of the Caller                                              :ref:`address or netmask`
``ip.clt``             IP that initiated a connection to a server                    :ref:`address or netmask`
``ip.srv``             IP that replied to another IP (works also without handshak... :ref:`address or netmask`
``mac``                Either Client or Server MAC address                           :ref:`mac address`
``mac.callee``         Callee MAC (physical) address                                 :ref:`mac address`
``mac.caller``         Caller MAC (physical) address                                 :ref:`mac address`
``mac.clt``            Client MAC (physical) address                                 :ref:`mac address`
``mac.srv``            Server MAC (physical) address                                 :ref:`mac address`
``payload``            Total payload                                                 :ref:`byte quantity`
``payload.clt``        Payload from Client to Server                                 :ref:`byte quantity`
``payload.count``      Number of IP packets with a payload                           :ref:`decimal or hexa.`
``payload.count.clt``  Number of packets with payload emitted by the Client          :ref:`decimal or hexa.`
``payload.count.srv``  Number of packets with a payload emitted by the Server        :ref:`decimal or hexa.`
``payload.srv``        Payload from Server to Client                                 :ref:`byte quantity`
``pkt.count``          Number of IP packets                                          :ref:`decimal or hexa.`
``pkt.count.clt``      Number of packets emitted by the Client                       :ref:`decimal or hexa.`
``pkt.count.srv``      Number of packets emitted by the Server                       :ref:`decimal or hexa.`
``port``               Either the client or the server port                          :ref:`port number`
``port.clt``           TCP/UDP client Port.                                          :ref:`port number`
``port.srv``           TCP/UDP server Port.                                          :ref:`port number`
``protostack``         Protocols Stack                                               :ref:`wildcard or regex`
``sign.rd``            Sum of signalization RD (Retransmission delay) in both dir... :ref:`duration`
``sign.rd.count``      The total number of retransmission delays for signalizatio... :ref:`decimal or hexa.`
``sign.rd.rate``       The ratio of retransmission of signalization packets to th... :ref:`rate`
``sign.rtt``           Sum of signalization RTT (Round Trip Time) in both directi... :ref:`duration`
``sign.rtt.clt``       The average round-trip time for a signalization packet emi...
====================== ============================================================= =========================
:ref:`duration` ``sign.rtt.count`` Number of RTT for signalization data in both directions :ref:`decimal or hexa.` ``sign.rtt.count.clt`` Number of RTT for signalization data from Client to Server :ref:`decimal or hexa.` ``sign.rtt.count.srv`` Number of RTT for signalization data from Client to Server :ref:`decimal or hexa.` ``sign.rtt.srv`` The average round-trip time for a signalization packet emi... :ref:`duration` ``sign.srt`` Server response time for signalization data :ref:`duration` ``sign.srt.count`` Number of SRT for signalization data from Server to Client :ref:`duration` ``traffic`` Traffic for the voice only :ref:`byte quantity` ``traffic.clt`` Traffic emitted by the Caller :ref:`byte quantity` ``traffic.srv`` Traffic emitted by the Callee :ref:`byte quantity` ``vlan`` Either Client or Server VLAN :ref:`decimal or hexa.` ``vlan.clt`` Tagged Link (802.1Q) seen on the Client side :ref:`decimal or hexa.` ``vlan.srv`` Tagged Link (802.1Q) seen on the Server side :ref:`decimal or hexa.` ``voip.sign.traffic`` Traffic for the signalisation only :ref:`byte quantity` ``voip.traffic`` Traffic for the voice only :ref:`byte quantity` ``zone`` Either Client or Server Zone :ref:`zone name` ``zone.callee`` Callee zone as described in the configuration. :ref:`zone name` ``zone.caller`` Caller zone as described in the configuration. :ref:`zone name` ``zone.clt`` Client zone as described in the configuration. :ref:`zone name` ``zone.srv`` Server zone as described in the configuration. 
:ref:`zone name` ====================== ============================================================= ========================= Citrix ------ =============================== ============================================================= ============================= Keyword Field Operand Type =============================== ============================================================= ============================= ``app`` -- :ref:`application name` ``capture.begin`` Capture begin time :ref:`date and time` ``capture.end`` Capture end time :ref:`date and time` ``capture.name`` Capture name (distributed probe) :ref:`capture` ``citrix.abort.count`` Number of aborted Citrix sessions. :ref:`decimal or hexa.` ``citrix.application`` Published application being executed :ref:`wildcard or regex` ``citrix.cgp.pdus.count`` CGP total query packets at applicative level (Packet Data ... :ref:`decimal or hexa.` ``citrix.cgp.pdus.count.clt`` CGP query packets at applicative level (Packet Data Units)... :ref:`decimal or hexa.` ``citrix.cgp.pdus.count.srv`` CGP response packets at applicative level (Packet Data Uni... :ref:`decimal or hexa.` ``citrix.channel`` The Citrix channel type used. :ref:`citrix channel` ``citrix.channel.id`` The Citrix channel ID number. :ref:`citrix channel id` ``citrix.compressed.count`` Total number of compressed packets (in both directions). :ref:`decimal or hexa.` ``citrix.compressed.count.clt`` Number of compressed client packets. :ref:`decimal or hexa.` ``citrix.compressed.count.srv`` Number of compressed server packets. :ref:`decimal or hexa.` ``citrix.domain`` Windows Domain of the user :ref:`string` ``citrix.encryption`` The encryption type used between the client and the server... :ref:`citrix encryption type` ``citrix.ka.count`` Total number of Citrix Keep-Alives (in both directions). :ref:`decimal or hexa.` ``citrix.ka.count.clt`` Citrix Keep-Alives from clients. :ref:`decimal or hexa.` ``citrix.ka.count.srv`` Citrix Keep-Alives from servers. 
:ref:`decimal or hexa.` ``citrix.launch_time`` Time for a client to launch an application through Citrix. :ref:`duration` ``citrix.login_time`` Time for a client to login the Citrix server. :ref:`duration` ``citrix.module`` The Citrix module name used by the client. :ref:`string` ``citrix.pdus.count`` Total packets at applicative level (Packet Data Units). :ref:`decimal or hexa.` ``citrix.pdus.count.clt`` Query packets at applicative level (Packet Data Units). :ref:`decimal or hexa.` ``citrix.pdus.count.srv`` Response packets at applicative level (Packet Data Units). :ref:`decimal or hexa.` ``citrix.timeout.count`` Number of timeouted Citrix session. :ref:`decimal or hexa.` ``citrix.username`` Authenticated username :ref:`wildcard or regex` ``device`` Either Client or Server Device :ref:`packet datasource` ``device.clt`` Device id (Client side) :ref:`packet datasource` ``device.srv`` Device id (Server side) :ref:`packet datasource` ``dtt`` Sum of DTT (Data Transfert Time) in both directions :ref:`duration` ``dtt.clt`` Average data transfer time from Client :ref:`duration` ``dtt.count`` -- :ref:`decimal or hexa.` ``dtt.count.clt`` -- :ref:`decimal or hexa.` ``dtt.count.srv`` -- :ref:`decimal or hexa.` ``dtt.srv`` Average data transfer time from Server :ref:`duration` ``eth.proto`` Ethernet Type Protocol :ref:`ethernet type` ``ip`` Either Client or Server IP or subnet :ref:`address or netmask` ``ip.clt`` IP that initiated a connection to a server :ref:`address or netmask` ``ip.srv`` IP that replied to another IP (works also without handshak... 
:ref:`address or netmask` ``mac`` Either Client or Server MAC address :ref:`mac address` ``mac.clt`` Client MAC (physical) address :ref:`mac address` ``mac.srv`` Server MAC (physical) address :ref:`mac address` ``payload`` Total payload :ref:`byte quantity` ``payload.clt`` Payload from Client to Server :ref:`byte quantity` ``payload.count`` Number of IP packets with a payload :ref:`decimal or hexa.` ``payload.count.clt`` Number of packets with payload emitted by the Client :ref:`decimal or hexa.` ``payload.count.srv`` Number of packets with a payload emitted by the Server :ref:`decimal or hexa.` ``payload.srv`` Payload from Server to Client :ref:`byte quantity` ``port`` Either the client or the server port :ref:`port number` ``port.clt`` TCP/UDP client Port. :ref:`port number` ``port.srv`` TCP/UDP server Port. :ref:`port number` ``protostack`` Protocols Stack :ref:`wildcard or regex` ``rd.rate`` Ratio of all compressed packets (in both directions) by th... :ref:`rate` ``rd.rate.clt`` Ratio of compressed packets sent from the client by the cl... :ref:`rate` ``rd.rate.srv`` Ratio of all compressed packets recieved to the server by ... :ref:`rate` ``srt`` Server response time (SRT), elapsed time from the client r... :ref:`duration` ``srt.count`` Number of SRT computed in a time interval :ref:`decimal or hexa.` ``vlan`` Either Client or Server VLAN :ref:`decimal or hexa.` ``vlan.clt`` Tagged Link (802.1Q) seen on the Client side :ref:`decimal or hexa.` ``vlan.srv`` Tagged Link (802.1Q) seen on the Server side :ref:`decimal or hexa.` ``zone`` Either Client or Server Zone :ref:`zone name` ``zone.clt`` Client zone as described in the configuration. :ref:`zone name` ``zone.srv`` Server zone as described in the configuration. :ref:`zone name` =============================== ============================================================= ============================= Type definitions ================ .. 
.. _packet datasource:

Packet datasource
-----------------

This can be either:

* a plain interface name (such as ``eth1``),
* a kind of datasource, among ``iface`` (Network Interface), ``rpcap`` (Remote Capture), ``pcap`` (a PCAP file) or ``netflow``,
* a qualified datasource name, which is a datasource kind followed by ``:`` and the name of the datasource, which can be a wildcard. For example: ``iface:eth1`` or ``pcap:ottawa*.pcap``.
* an integer (for legacy purposes), equivalent to writing ``ethX``. For example, ``1`` is interpreted as the interface name ``eth1``.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=`` (only ``!=`` and ``=`` are allowed when comparing with a kind of datasource).

* Example of *valid* inputs: ``1``, ``eth1``, ``iface:eth1`` (same as just ``eth1``), ``pcap:ottawa*.pcap``.

.. _address or netmask:

Address or netmask
------------------

This can be either an IPv4 address (either complete, or with ``*`` wildcard octets to form a netmask), or an IPv6 address.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``192.168.*.*``, ``192.168.5.10``, ``2001:db8:85a3::8a2e:370:7334``
* Example of *invalid* inputs: ``192.524.1.1``, ``1::2::3``

.. _application name:

Application name
----------------

This value must be a valid application name, enclosed in quotes.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``"http"``
* Example of *invalid* inputs: ``"unknown-app"``

.. _byte quantity:

Byte quantity
-------------

This value indicates a quantity of bytes with its unit. Note that there is no space between the quantity and the unit.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``42B``, ``4KB``, ``4KiB``, ``56MiB``
* Example of *invalid* inputs: ``4 KiB``

.. _capture:

Capture
-------

This value must be either a capture's Device ID, Name or IP.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``"PVX"``
* Example of *invalid* inputs: ``"unknown-capture"``

.. _citrix channel:

Citrix channel
--------------

The Citrix channel name, as seen at the start of the conversation (only available on the Citrix Channel pages).

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``'AURTCX'``, ``'BASE'``
* Example of *invalid* inputs: ``'channel'``

.. _citrix channel id:

Citrix channel ID
-----------------

Either a decimal number or a hexadecimal number, which must be prefixed by ``0x`` (only available on the Citrix Channel pages).

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``0x21``, ``0x7a5E``, ``4``
* Example of *invalid* inputs: ``0X45``, ``0xTH``

.. _citrix encryption type:

Citrix encryption type
----------------------

The Citrix encryption type used for this conversation.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``'basic'``, ``'off'``
* Example of *invalid* inputs: ``'random text'``

.. _dce rpc uuid:

DCE RPC UUID
------------

A valid UUID of the DCE-RPC protocol.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``506b1890-14c8-11d1-bbc3-00805fa6962e``
* Example of *invalid* inputs: ``506b1890-``, ``FOO``

.. _dns class:

DNS class
---------

A DNS class, either numeric or symbolic.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``1``, ``IN``
* Example of *invalid* inputs: ``A``, ``MX``

.. _dns result:

DNS result
----------

A DNS result code, either numeric or symbolic.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``0``, ``NoError``, ``ServFail``
* Example of *invalid* inputs: ``45778``, ``SomeCode``

.. _dns type:

DNS type
--------

A DNS type value, either numeric or symbolic.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``4``, ``A``, ``MX``
* Example of *invalid* inputs: ``1223648``, ``FOO``

.. _date and time:

Date and time
-------------

A date and time value in the following format: ``YYYY-MM-DD hh:mm``. Note that the value must be enclosed in single or double quotes.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``"2000-01-01 00:00"``, ``'2012-06-14 17:15'``
* Example of *invalid* inputs: ``"2000-01-01"``, ``2013/11/02 14:58``

.. _decimal or hexa.:

Decimal or hexa.
----------------

Either a decimal number or a hexadecimal number, which must be prefixed by ``0x``.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``0x21``, ``0x7a5E``, ``4``
* Example of *invalid* inputs: ``0X45``, ``0xTH``

.. _duration:

Duration
--------

A duration with a unit (microseconds, minutes, etc.). The smallest unit is the microsecond, written ``us`` or ``µs``. Note that there is no space between the value and the unit.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``42us``, ``4µs``, ``5m``
* Example of *invalid* inputs: ``4 microseconds``

.. _ethernet type:

Ethernet type
-------------

The Ethernet protocol ID (EtherType), given either as a quoted protocol name or as a decimal or hexadecimal number.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``"IPv4"``, ``0x0800``, ``2048``
* Example of *invalid* inputs: ``"FOO"``, ``123456789``

.. _http method:

HTTP method
-----------

A symbol representing the HTTP method name.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``GET``, ``HEAD``
* Example of *invalid* inputs: ``foo``, ``get``

.. _http status:

HTTP status
-----------

An HTTP status number.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``200``, ``404``
* Example of *invalid* inputs: ``GET``, ``Success``

.. _http status category:

HTTP status category
--------------------

A symbol representing the category of the HTTP status number. For example, ``Success`` corresponds to all HTTP "successful" codes. Available categories are: ``noresp``, ``info``, ``success``, ``redirect``, ``client``, ``server``, ``invalid``.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``Redirect``, ``Success``
* Example of *invalid* inputs: ``200``, ``GET``

.. _http status or category:

HTTP status or category
-----------------------

An HTTP status number, or a symbol representing the category of the HTTP status number: ``Success`` corresponds to all HTTP "successful" codes. Available categories are: ``noresp``, ``info``, ``success``, ``redirect``, ``client``, ``server``, ``invalid``.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``404``, ``Success``
* Example of *invalid* inputs: ``GET``

.. _icmp type.:

Icmp Type.
----------

The ICMP type, as either a decimal number or a hexadecimal number which must be prefixed by ``0x``.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``0x21``, ``0xFE``, ``4``
* Example of *invalid* inputs: ``0X45``, ``0xTH``

.. _mac address:

MAC address
-----------

A MAC address of the form ``XX:XX:XX:XX:XX:XX``, where ``XX`` is a hexadecimal number.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``01:23:45:67:89:ab``, ``FF:ab:45:7b:D6:55``
* Example of *invalid* inputs: ``AA:AA:AA:AA``

.. _os name:

OS name
-------

The name of an operating system, like ``'linux'`` or ``'windows'``. Note that the value must be enclosed in single or double quotes.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``"linux"``, ``'windows'``
* Example of *invalid* inputs: ``unknown os``

.. _port number:

Port number
-----------

The value represents a TCP or UDP port number as a numeric value. It can also be given as a port range, lower bound first, as in ``45-80``.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``80``
* Example of *invalid* inputs: ``85-12``

.. _rate:

Rate
----

A numeric value as a percentage. The value can be lower than ``1%``, as in ``0.024%``. Note that there is no space between the number and ``%``.

**Operators:** ``!=``, ``<``, ``<=``, ``=``, ``>``, ``>=``

* Example of *valid* inputs: ``0.25%``, ``4%``, ``99%``
* Example of *invalid* inputs: ``45 %``

.. _smb command:

SMB command
-----------

The SMB command used in the transaction. It can be a command id in decimal or hexadecimal form, or a quoted command name.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``'SMB2_com_logoff'``, ``0x0e``, ``2``
* Example of *invalid* inputs: ``random text``

.. _smb status:

SMB status
----------

The status of the SMB transaction. It can be a status id in decimal or hexadecimal form, or a quoted status code. The special values ``ok``, ``warning`` and ``error`` are also accepted and match, respectively, every success, warning and error status. The special value ``common`` matches a set of common statuses.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``'SMB_status_no_such_file'``, ``'error'``, ``0xc000000f``
* Example of *invalid* inputs: ``random text``

.. _smb sub-command:

SMB sub-command
---------------

The SMB sub-command associated with the command used in the transaction. It can be a sub-command id in decimal or hexadecimal form, or a quoted sub-command name.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``'SMB_TRANS2_open2'``, ``0x0d``, ``16``
* Example of *invalid* inputs: ``random text``

.. _sql command:

SQL command
-----------

A single SQL command, inside quotes (the command keyword only, not a full statement).

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``'CREATE INDEX'``, ``'INSERT'``
* Example of *invalid* inputs: ``'SELECT * FROM users;'``, ``INSERT``

.. _sql system:

SQL system
----------

The name of the RDBMS dialect used in the connection, inside quotes. Note that ``'TNS'`` is used for Oracle, ``'DRDA'`` for DB2 and ``'TDS(msg)'`` for MSSQL.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``'DRDA'``, ``'MySQL'``, ``'PostgresQL'``, ``'TDS(msg)'``, ``'TNS'``
* Example of *invalid* inputs: ``MySQL``

.. _string:

String
------

A character string enclosed in single or double quotes. It can contain the ``*`` wildcard, which matches anything, or, for a more precise search, it can be prefixed by ``~``, which treats the value as a regular expression pattern.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``"*some thing*"``, ``'~^.*\.[a-z]{2}$'``
* Example of *invalid* inputs: ``not enclosed in quotes``

.. _wildcard or regex:

Wildcard or regex
-----------------

Either a string containing the ``*`` wildcard, or a regular expression if prefixed by ``~``. The value must be enclosed in single or double quotes.

**Operators:** ``!=``, ``=``

* Example of *valid* inputs: ``"google.com"``, ``"~\.google\.(com|fr)"``, ``'*.securactive.org'``
* Example of *invalid* inputs: ``foo.com``

.. _zone name:

Zone name
---------

The name of a zone, using the path notation ``'/Private/Local'``. The ``=`` operator returns results matching **only** this specific zone, whereas the ``in`` operator also returns results contained in its child zones. Note that the value must be enclosed in single or double quotes.

**Operators:** ``!=``, ``=``, ``in``

* Example of *valid* inputs: ``"/Private"``
* Example of *invalid* inputs: ``/NonExistent/Zone``
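The operand-type rules above are easy to get wrong by hand: a space before a unit, an upper-case ``0X`` prefix, a descending port range, an unquoted date or zone path. The following Python script is an added example, not the product's own filter parser. It reconstructs the value grammar of each operand type from the valid and invalid inputs listed in the type definitions and checks a ``keyword operator value`` term against the operators that type allows. The keyword-to-type map is a small subset copied from the tables above; the byte units beyond ``B``/``KB``/``KiB``/``MiB`` and the duration units beyond ``us``/``µs``/``m`` are assumptions, and ``zone_matches`` illustrates the ``=`` versus ``in`` semantics described under Zone name.

```python
"""Validate custom-filter terms (keyword, operator, value) against the operand
types defined on this page.  Added example, not the product's own parser: the
keyword-to-type map is a subset of the tables above and the value grammar is
reconstructed from the valid/invalid inputs in the type definitions."""
import ipaddress
import re

EQ = {"=", "!="}
ORD = EQ | {"<", "<=", ">", ">="}

# Operators allowed per operand type, from the "Operators:" lines above.
OPERATORS = {
    "address or netmask": EQ,
    "byte quantity": ORD,
    "date and time": ORD,
    "decimal or hexa.": ORD,
    "duration": ORD,
    "mac address": EQ,
    "port number": ORD,
    "rate": ORD,
    "wildcard or regex": EQ,
    "zone name": EQ | {"in"},
}

# A subset of the keyword tables above (keyword -> operand type).
KEYWORDS = {
    "capture.begin": "date and time",
    "citrix.channel.id": "decimal or hexa.",
    "citrix.username": "wildcard or regex",
    "ip.srv": "address or netmask",
    "mac.clt": "mac address",
    "payload.clt": "byte quantity",
    "port.srv": "port number",
    "rd.rate": "rate",
    "srt": "duration",
    "zone.clt": "zone name",
}

# Value grammars.  Lower-case "0x" only, so 0X45 and 0xTH are rejected.
_DEC_HEX = re.compile(r"^(?:\d+|0x[0-9a-fA-F]+)$")
# No space before the unit; G and T units are an assumption beyond the page.
_BYTES = re.compile(r"^\d+(?:B|[KMGT]i?B)$")
# ms, s and h are assumed; the page only lists us, µs and m.
_DURATION = re.compile(r"^\d+(?:us|µs|ms|s|m|h)$")
_RATE = re.compile(r"^\d+(?:\.\d+)?%$")                  # "45 %" is rejected
_MAC = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
_DATETIME = re.compile(r"^(['\"])\d{4}-\d{2}-\d{2} \d{2}:\d{2}\1$")  # quoted
_QUOTED = re.compile(r"^(['\"]).+\1$")


def _is_address(value):
    """IPv4 with optional '*' octets (a netmask), or a full IPv6 address."""
    octets = value.split(".")
    if len(octets) == 4:
        return all(o == "*" or (o.isdigit() and int(o) <= 255) for o in octets)
    try:
        ipaddress.IPv6Address(value)      # rejects malformed forms like 1::2::3
        return True
    except ValueError:
        return False


def _is_port(value):
    """A single port or an ascending range such as 45-80 (85-12 is invalid)."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value)
    if not m:
        return False
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return 0 <= lo <= hi <= 65535


VALUE_CHECKS = {
    "address or netmask": _is_address,
    "byte quantity": lambda v: bool(_BYTES.match(v)),
    "date and time": lambda v: bool(_DATETIME.match(v)),
    "decimal or hexa.": lambda v: bool(_DEC_HEX.match(v)),
    "duration": lambda v: bool(_DURATION.match(v)),
    "mac address": lambda v: bool(_MAC.match(v)),
    "port number": _is_port,
    "rate": lambda v: bool(_RATE.match(v)),
    "wildcard or regex": lambda v: bool(_QUOTED.match(v)),
    "zone name": lambda v: bool(_QUOTED.match(v)) and v[1] == "/",
}


def validate(keyword, operator, value):
    """Return (ok, detail): detail is the operand type when ok, else the reason."""
    otype = KEYWORDS.get(keyword)
    if otype is None:
        return False, f"unknown keyword {keyword!r}"
    if operator not in OPERATORS[otype]:
        return False, f"operator {operator!r} is not allowed for {otype}"
    if not VALUE_CHECKS[otype](value):
        return False, f"{value!r} is not a valid {otype}"
    return True, otype


def zone_matches(operator, pattern, zone):
    """'=' matches only the named zone; 'in' also matches its child zones."""
    if operator == "=":
        return zone == pattern
    if operator == "!=":
        return zone != pattern
    if operator == "in":
        return zone == pattern or zone.startswith(pattern.rstrip("/") + "/")
    raise ValueError(f"unsupported zone operator {operator!r}")


if __name__ == "__main__":
    for term in [("payload.clt", ">", "56MiB"), ("payload.clt", ">", "4 KiB"),
                 ("ip.srv", "<", "192.168.5.10"), ("zone.clt", "in", '"/Private"')]:
        print(term, "->", validate(*term))
    print(zone_matches("=", "/Private", "/Private/Local"),
          zone_matches("in", "/Private", "/Private/Local"))
```

Run it as a script to see each term's verdict; ``validate`` rejects the operator before it looks at the value, which mirrors the order in which the type definitions above are stated (operators first, then the value format).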