Element <find>

Defines a find (short form: f) condition, the leaf element of a filter. Its start tag is either <find> or <f>.

Attributes

Attribute | Alternative | Description | Type | Default (* must have)
--------- | ----------- | ----------- | ---- | ---------------------
id | | Specifies a unique id for the element | Integer | 
name | n | Field to match; the names follow Wireshark display-filter fields, but only the subset listed in the name table below is supported | String | *
relation | r | Equal or not equal (greater-or-equal and less-or-equal since v3.9) | ==/!=, >=/<= (v3.9) | *
content | c | Value to compare the named field with; may be empty | String | *

Attribute name

name | id | type | Description | Example | Support
---- | -- | ---- | ----------- | ------- | -------
eth.addr | 0 | MAC address | Source or Destination MAC address | eth.addr == 12:34:56:78:9a:bc | 
eth.src | 1 | MAC address | Source MAC address | eth.src == 12:34:56:78:9a:bc | 
eth.dst | 2 | MAC address | Destination MAC address | eth.dst == 12:34:56:78:9a:bc | 
eth.type | 3 | Unsigned integer, 2 bytes | EtherType | eth.type == 2048 (IPv4 0x0800) | 
vlan.id | 4 | Unsigned integer, 2 bytes | VLAN id | vlan.id == 5 | 
vlan.l2.id | 5 | Unsigned integer, 2 bytes | VLAN layer 2 id | vlan.l2.id == 1 | 
vlan.priority | 6 | Unsigned integer, 2 bytes | Priority | vlan.priority == 5 | 
ip | 7 | | is IPv4 | ip == | 
ip.addr | 8 | IPv4 address | Source or Destination Address | ip.addr == 8.8.8.8 | 
ip.src | 9 | IPv4 address | Source Address | ip.src == 8.8.8.8 | 
ip.dst | 10 | IPv4 address | Destination Address | ip.dst == 8.8.8.8 | 
ip.proto | 11 | Unsigned integer, 1 byte | Protocol | ip.proto == 6 (TCP) | 
ip.fragment | 12 | | is IPv4 Fragment | ip.fragment == | 
ip.flags.df | 90 | Unsigned integer, 1 byte | is IP don't-fragment flag set | ip.flags.df == 1 | v3.9
ip.flags.mf | 91 | Unsigned integer, 1 byte | is IP more-fragments flag set | ip.flags.mf == 1 | v3.9
ip.dsfield | 13 | Unsigned integer, 1 byte | Differentiated Services Field | ip.dsfield == 1 | 
ipv6 | 14 | | is IPv6 | ipv6 == | 
ipv6.addr | 15 | IPv6 address | Source or Destination Address | ipv6.addr == 2001:0db8:86a3:08d3:1319:8a2e:0370:7344 | 
ipv6.src | 16 | IPv6 address | Source Address | ipv6.src == 2001:0db8:86a3:08d3:1319:8a2e:0370:7344 | 
ipv6.dst | 17 | IPv6 address | Destination Address | ipv6.dst == 2001:0db8:86a3:08d3:1319:8a2e:0370:7344 | 
ipv6.nxt | 18 | Unsigned integer, 1 byte | Next Header | | 
icmp | 104 | | is ICMP | icmp == | v5.5
icmp.type | 105 | Unsigned integer, 1 byte | ICMP Type | icmp.type == 8 | v5.5
icmp.code | 106 | Unsigned integer, 1 byte | ICMP Code | icmp.code == 0 | v5.5
tcp | 19 | | is TCP | tcp == | 
tcp.port | 20 | Unsigned integer, 2 bytes | Source or Destination Port | tcp.port == 443 | 
tcp.srcport | 21 | Unsigned integer, 2 bytes | Source Port | tcp.srcport == 443 | 
tcp.dstport | 22 | Unsigned integer, 2 bytes | Destination Port | tcp.dstport == 443 | 
tcp.flags.syn | 23 | 0 or 1 | Syn | tcp.flags.syn == 1 | 
tcp.flags.ack | 24 | 0 or 1 | Ack | tcp.flags.ack == 1 | 
tcp.flags.fin | 25 | 0 or 1 | Fin | tcp.flags.fin == 1 | 
tcp.flags.reset | 26 | 0 or 1 | Reset | tcp.flags.rst == 1 | 
udp | 27 | | is UDP | udp == | 
udp.port | 28 | Unsigned integer, 2 bytes | Source or Destination Port | udp.port == 53 | 
udp.srcport | 29 | Unsigned integer, 2 bytes | Source Port | udp.srcport == 53 | 
udp.dstport | 30 | Unsigned integer, 2 bytes | Destination Port | udp.dstport == 53 | 
sctp | 31 | | is SCTP | sctp == | 
sctp.port | 32 | Unsigned integer, 2 bytes | Source or Destination Port | sctp.port == 2906 | 
sctp.srcport | 33 | Unsigned integer, 2 bytes | Source Port | sctp.srcport == 2906 | 
sctp.dstport | 34 | Unsigned integer, 2 bytes | Destination Port | sctp.dstport == 2906 | 
5-tuple | 35 | 5 Tuple, - means don't care | Source IP Address, Destination IP Address, Protocol, Source Port, Destination Port | 5-tuple == - 192.168.1.203 - - 443 | 
gtp.cp | 36 | | | | 
gtp.data | 37 | | | | 
ip.addr.related.gtp.imsi | 38 | | | ip.addr.related.gtp.imsi == 466100000001007 | 
gtp.teid | 39 | | | | 
gre | 40 | | is GRE | gre == | 
vxlan | 99 | | is VXLAN | vxlan == | v5.2
vxlan.vni | 100 | Unsigned integer, 3 bytes | VXLAN VNI | vxlan.vni == 1 | v5.2
erspan.spanid | 41 | | ERSPAN id | erspan.spanid == 1 | 
voip | 42 | | is SIP or RTP | voip == | 
voip.account | 43 | | | voip.account == 212@o.gentrice.net | 
voip.from | 44 | | | voip.from == 212@o.gentrice.net | 
voip.to | 45 | | | voip.to == 212@o.gentrice.net | 
dns.a | 46 | IPv4 address | DNS type A ip addresses | dns.a == 216.239.32.10 | 
dns.flags.response | 47 | 0 or 1 | DNS Response | dns.flags.response == 1 | 
dns.count.add_rr | 83 | int | DNS additional records count | dns.count.add_rr == 1 | 
dns.qry.type | 84 | int | DNS query type | dns.qry.type == 1 | 
dns.qry.name | 48 | Character string | DNS query name | dns.qry.name == google.com | 
dns.qry.name_public_suffix | 85 | Character string | DNS query name public suffix | dns.qry.name_public_suffix == *.googlevideo.com | 
dns.qry.name.resp.ip.addr | 49 | Character string | DNS query name response ip addr | dns.qry.name.resp.ip.addr == googlevideo.com | 
http | 50 | | is HTTP | http == | 
http.request | 51 | | is HTTP request | http.request == | 
http.request.method | 52 | GET,HEAD,POST,etc. | HTTP request method | http.request.method == GET | 
http.request.url | 53 | url | HTTP request url | http.request.url == www.whitehollowtransport.com/current-elliott-c-89.html | 
http.request.uri | 97 | Character string | HTTP request uri | http.request.uri == /index.html | v5.3
http.host | 98 | Character string | HTTP host | http.host == yahoo.com | v5.3
ssl | 54 | | is SSL | ssl == | 
ssl.server_name | 80 | Character string | SSL server_name | ssl.server_name == facebook.com | 
ssl.server_name_public_suffix | 81 | Character string | SSL server_name public suffix | ssl.server_name_public_suffix == *.googlevideo.com | 
ssl.handshake.type | 55 | 0 or 1 | SSL handshake type | ssl.handshake.type == 1 | 
ssl.ja3_digest | 56 | | SSL JA3 digest | ssl.ja3_digest == 39e62db039deed96a9daf75dacdbd207 | 
ssl.ja3s_digest | 101 | | SSL JA3S digest | ssl.ja3s_digest == 15af977ce25de452b96affa2addb1036 | v5.3
arp | 75 | | is ARP | arp == | 
arp.request | 76 | | is ARP request | arp.request == | 
arp.reply | 77 | | is ARP reply | arp.reply == | 
arp.request.target.ip | 78 | IPv4 address | ARP target ip Address | arp.request.target.ip == 192.168.1.10 | 
arp.request.sender.ip | 93 | IPv4 address | ARP sender ip Address | arp.request.sender.ip == 192.168.1.10 | v4.8
ftp | 86 | | is FTP | ftp == | 
regex | 64 | | Regular Expression | regex == {s}\/.*Host: nlpqflkbvkdde.eu | 
country.iso_code | 79 | Country ISO code (Alpha-2 code) | is Country flow | country.iso_code == TW | Needs the dbip database enabled
grism.srcport | 66 | | packet comes from which port | grism.srcport == P0 | 
grism.port.linkdown | 87 | | grism port link down | grism.port.linkdown == P0 | 
session.packet.nth | 68 | | the nth packet in flow | session.packet.nth == 3 | 
heartbeat.target.miss.nth | 69 | | heartbeat missed from nth target setting | heartbeat.target.miss.nth == 1 | 
heartbeat.target.miss.id | 88 | int | heartbeat missed from target id (recommended) | heartbeat.target.miss.id == 5 | v3.2
flowtable.matched.fid | 67 | | flow matched which filter id | flowtable.matched.fid == F1 | 
flowtable.inport | 70 | | flow comes from which port | flowtable.inport == P0 | 
dstmac.in.l2gre.mapping.table | 102 | | is dstmac in l2gre mapping table | | v5.4
dstmac.in.vxlan.mapping.table | 103 | | is dstmac in vxlan mapping table | | v5.4
dstip.in.dns.response.ip.table | 107 | | is dstip in dns response ip table | | v5.6
packet.len | 92 | int | packet length | packet.len >= 500 | v3.9
1 | 82 | Unsigned integer, 4 bytes | true or false | 1 != 1 | 

Example

The two filters below are equivalent: the first uses the full tag and attribute names, the second the short tag <f> with the alternative attribute names n, r and c. The id attribute is optional, so the short form omits it.

<filter id="1">
  <or>
    <find id="1" name="ip.addr" relation="==" content="8.8.8.8" />
    <find id="2" name="ip.addr" relation="==" content="2.2.2.2" />
  </or>
</filter>
<filter id="1">
  <or>
    <f n="ip.addr" r="==" c="8.8.8.8" />
    <f n="ip.addr" r="==" c="2.2.2.2" />
  </or>
</filter>
