Kaspersky Anti Targeted Attack Platform

Preconfigured network packet search rules

You can search captured traffic using preconfigured rules written as BPF (Berkeley Packet Filter) expressions, regular expressions, or a combination of both.

To search network packets using a preconfigured rule:

  1. Select the Network map section in the application web interface window.
  2. Go to the Network sessions tab.
  3. Click Search in packets.

    This opens the window with network packet search settings.

  4. In the Period of traffic to download field, set the bounds within which you want to search network packets.
  5. From the list of preconfigured rules below, copy the expression for the Filtering using BPF field, the Filtering using regular expressions field, or both (some rules specify both), replace the placeholders in angle brackets with actual values, and paste the result into the corresponding field of the network packet search window.
  6. Click Search.

The table displays the network packets that match the filtering criteria.

The preconfigured rules are listed below.

Preconfigured network packet search rules

Each rule gives the expression for the Filtering using BPF field, the Filtering using regular expressions field, or both, followed by an explanation of the placeholders and, where applicable, an example with the placeholders filled in.

Searching traffic by IP address
  Filtering using BPF: host <address>
  Explanation: <address> is an IPv4 address
  Example: host 10.10.0.1

Searching traffic between two hosts
  Filtering using BPF: host <address1> and host <address2>
  Explanation: <address1> and <address2> are IPv4 addresses
  Example: host 10.10.0.1 and host 10.10.0.2

Searching for traffic of an individual TCP session
  Filtering using BPF: tcp port <port1> and host <address1> and tcp port <port2> and host <address2>
  Explanation:
    • <address1> and <address2> are the IPv4 addresses of the two endpoints of the session
    • <port1> and <port2> are the TCP ports of the two endpoints
  Example: tcp port 80 and tcp port 53567 and host 10.10.0.1 and host 10.10.0.2

Searching for traffic by multiple IP addresses
  Filtering using BPF: host <address1> or host <address2> or ... host <addressN>
  Explanation: <address1> to <addressN> are IPv4 addresses. The addresses must be joined with or: a single packet carries only a source and a destination address, so joining three or more with and matches nothing.
  Example: host 10.10.0.1 or host 10.10.0.2 or host 10.10.0.3

Finding all DNS queries from a group of hosts
  Filtering using BPF: udp and dst port 53 and ( src host <address1> or src host <address2> or ... src host <addressN> )
  Explanation: <address1> to <addressN> are IPv4 addresses. Matches UDP queries to port 53 only; queries sent over TCP are not matched.
  Example: udp and dst port 53 and ( src host 10.10.0.1 or src host 10.10.0.2 )

Searching for HTTP traffic
  Filtering using regular expressions: " HTTP/"
  Explanation: Enter the pattern without the quotes; they only make the leading space visible, and the space is part of the pattern. A space followed by HTTP/ matches the protocol version at the end of an HTTP request line (for example GET / HTTP/1.1).

Searching for DNS traffic
  Filtering using BPF: udp dst port 53 or tcp dst port 53
  Explanation: Standard DNS on port 53 only; DNS over TLS or HTTPS is not matched. Because the filter selects destination port 53, it matches queries; responses are sent from source port 53 and are not included.

Searching for HTTP traffic with a GET request to a certain domain
  Filtering using BPF: tcp port 80 or tcp port 8000 or tcp port 8080 or tcp port 8888
  Filtering using regular expressions: GET.{1,1000}<domain>
  Explanation: <domain> is the domain to be found. The BPF expression limits the search to common HTTP ports; the regular expression matches a GET request in which the domain appears within 1000 characters after GET.

Searching for ICMP traffic of a specific host
  Filtering using BPF: icmp and host <address>
  Explanation: <address> is an IPv4 address
  Example: icmp and host 10.10.10.1

Searching for authentication data transmitted as plain text
  Filtering using BPF: tcp port 80 or tcp port 8000 or tcp port 8080 or tcp port 8888 or port ftp or port smtp or port imap or port pop3 or port telnet
  Filtering using regular expressions: "pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|Username:|Password:|login:|pass |user|VXNlcm5hbWU6|UGFzc3dvcmQ6|LOGIN |USER|PASS "
  Explanation: Enter the pattern without the quotes; they only make the trailing space of the last alternative visible. The alternatives cover form fields and prompts in HTTP and Telnet, the USER and PASS commands of FTP and POP3, the LOGIN command of IMAP, and the strings VXNlcm5hbWU6 and UGFzc3dvcmQ6, which are the base64 encodings of Username: and Password: that an SMTP server sends during AUTH LOGIN. Short alternatives such as user also match ordinary text (a request path such as /users/, for example), so the hits need manual review.

Searching for TCP sessions in which the host acts as a client
  Filtering using BPF: tcp[tcpflags] = tcp-syn and src host <address>
  Explanation: <address> is an IPv4 address. A packet in which only the SYN flag is set is the first packet of a TCP handshake and is sent by the client, so src host restricts the match to sessions that <address> initiates. With host instead of src host, handshakes initiated towards <address>, where it acts as a server, would also match.
  Example: tcp[tcpflags] = tcp-syn and src host 10.10.10.1

Searching for HTTP traffic in a given subnet
  Filtering using BPF: net xx.xx.xx.xx/yy and ( port 8080 or port 80 )
  Explanation: xx.xx.xx.xx/yy is an IPv4 subnet in CIDR notation, written without a space before the slash
  Example: net 10.10.10.0/24 and ( port 8080 or port 80 )

Searching for local interaction traffic
  Filtering using BPF: ip and src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16)
  Explanation: IPv4 traffic in which both the source and the destination belong to a private address range (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16); net 10 is shorthand for 10.0.0.0/8.

Searching for traffic of interaction with objects on the internet
  Filtering using BPF: ip and not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16)) and not multicast and not broadcast and not net 169.254/16
  Explanation: IPv4 traffic in which at least one side is outside the private address ranges, excluding multicast, broadcast and link-local (169.254.0.0/16) traffic.

Searching for traffic by the UserAgent field in HTTP traffic
  Filtering using regular expressions: User-Agent:
  Explanation: Matches the User-Agent header of HTTP requests.
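The regular-expression rules above (Searching for HTTP traffic, Searching for HTTP traffic with a GET request to a certain domain, and Searching for authentication data transmitted as plain text) can be tried offline before they are entered in the web interface. The following Python script is an added example and is not part of the Kaspersky documentation or product: it applies the page's patterns to constructed payloads. The HTTP, SMTP, FTP and binary samples, the domain intranet.example and all function names are assumptions made for this example. It shows two things the rules alone do not: whether GET.{1,1000}<domain> reaches a domain that only appears in the Host header on the line after the request line depends on whether the engine lets . match a line break (the dotall parameter emulates both behaviours; the page does not state which one the product uses), and the short alternative user of the credential rule also fires on ordinary request paths such as /users/. The example escapes the domain with re.escape() so that its dots are matched literally, which the page's pattern, written with the domain verbatim, does not do.

```python
import re

# Regular-expression rules exactly as listed above (quotes removed).
HTTP_REQUEST_RE = re.compile(r" HTTP/")
PLAINTEXT_AUTH_RE = re.compile(
    r"pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|"
    r"pass:|user:|username:|password:|Username:|Password:|login:|pass |user|"
    r"VXNlcm5hbWU6|UGFzc3dvcmQ6|LOGIN |USER|PASS "
)


def decode_payload(payload: bytes) -> str:
    # latin-1 maps every byte to exactly one character, so binary payloads never raise.
    return payload.decode("latin-1")


def matches_http_request(payload: bytes) -> bool:
    """Rule "Searching for HTTP traffic": the " HTTP/" version token of a request line."""
    return HTTP_REQUEST_RE.search(decode_payload(payload)) is not None


def match_get_domain(payload: bytes, domain: str, dotall: bool = True) -> bool:
    """Rule "Searching for HTTP traffic with a GET request to a certain domain".

    dotall=True emulates an engine in which '.' crosses the line break between the
    request line and the Host header, dotall=False one in which it does not.
    re.escape() is an addition to the page's pattern: it matches the dots literally.
    """
    flags = re.DOTALL if dotall else 0
    pattern = re.compile(r"GET.{1,1000}" + re.escape(domain), flags)
    return pattern.search(decode_payload(payload)) is not None


def find_plaintext_auth(payload: bytes) -> list:
    """Rule "Searching for authentication data transmitted as plain text".

    Returns every alternative that matched, in payload order (empty list: no hit).
    """
    return PLAINTEXT_AUTH_RE.findall(decode_payload(payload))


def search_packets(payloads, domain: str) -> dict:
    """Apply the three rules to each payload; returns {index: [names of rules that hit]}."""
    hits = {}
    for i, payload in enumerate(payloads):
        matched = []
        if matches_http_request(payload):
            matched.append("http")
        if match_get_domain(payload, domain):
            matched.append("get " + domain)
        if find_plaintext_auth(payload):
            matched.append("plaintext auth")
        if matched:
            hits[i] = matched
    return hits


# Constructed sample payloads (hypothetical, not captured traffic).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: curl/8.0\r\n\r\n"
HTTP_GET_PROXY = b"GET http://intranet.example/ HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
HTTP_GET_USERS = b"GET /users/42 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
HTTP_LOGIN_POST = b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nusername=alice&password=hunter2"
SMTP_AUTH_PROMPT = b"334 VXNlcm5hbWU6\r\n"  # SMTP AUTH LOGIN: base64("Username:")
SMTP_AUTH_REPLY = b"YWxpY2U=\r\n"           # base64("alice"): the rule has no alternative for it
FTP_USER = b"USER alice\r\n"
FTP_PASS = b"PASS hunter2\r\n"
BINARY = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"  # non-text bytes: no rule matches

SAMPLES = [HTTP_GET, HTTP_GET_PROXY, HTTP_GET_USERS, HTTP_RESPONSE, HTTP_LOGIN_POST,
           SMTP_AUTH_PROMPT, SMTP_AUTH_REPLY, FTP_USER, FTP_PASS, BINARY]

if __name__ == "__main__":
    for index, rules in search_packets(SAMPLES, "intranet.example").items():
        print(index, SAMPLES[index][:24], rules)
```

Running the script prints, for every sample that matched, its index, the first bytes of the payload and the names of the rules that hit; the response payload, the base64 AUTH LOGIN reply and the binary sample produce no line, while the request for /users/42 is reported as a plaintext-authentication hit only because of the bare user alternative.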