Filter rules are based on the following format:
field[filter]
Complex expressions can be created using parentheses and and/or/not:
Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.0])
Samples:
SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]
Valid fields are:
IP
Port
SourceIP
SourcePort
DestinationIP
DestinationPort
Protocol (values: TCP, UDP, ICMP, OSPFIGP or any number)
ToS
Additional Sniffer Fields:
MAC
SourceMAC
DestinationMAC
EtherType (values: IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX or any number)
Additional NetFlow v5 / jFlow fields:
Interface
ASI
InboundInterface
OutboundInterface
SourceASI
DestinationASI
Additional NetFlow v9 fields:
Interface
ASI
InboundInterface
OutboundInterface
SourceASI
DestinationASI
MAC
SourceMAC
DestinationMAC
Mask
SourceMask
DestinationMask
Note: 'Masks' represent subnet masks in the form of a single number ('number of contiguous bits')
NextHop (IP address)
VLAN
SourceVLAN
DestinationVLAN
Note: 'VLANs' represent a VLAN identifier
Additional sFlow fields:
Interface
InboundInterface
OutboundInterface
MAC
SourceMAC
DestinationMAC
Data Formats:
IP fields support wildcards (*), range (10-20) and hostmask (/10, /255.255.0.0) syntax.
Number fields support range (80-88) syntax.
Protocol and EtherType fields support numbers and a list of predefined constants.
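A small evaluator for the rule syntax documented above, added here as an example in Python; it is not the product's own parser, and it covers only the IP, port and protocol fields. Assumptions: `and` binds tighter than `or`, a bare `IP` or `Port` matches when either direction matches, the protocol constants map to their IANA numbers, and the `FLOW` record is constructed sample data.

```python
import ipaddress
import re

# Assumed IANA numbers for the protocol constants named on the page.
PROTOCOLS = {"TCP": 6, "UDP": 17, "ICMP": 1, "OSPFIGP": 89}
TOKEN = re.compile(r"\s*(?:([()])|(and|or|not)\b|(\w+)\[([^\]]*)\]|(\S))", re.I)
FLOW = {"SourceIP": "10.1.2.3", "DestinationIP": "10.0.0.125", "SourcePort": 51000,
        "DestinationPort": 80, "Protocol": 6}  # constructed sample record

def in_range(spec, n):  # number syntax: "80" or "80-88"
    lo, _, hi = spec.partition("-")
    return int(lo) <= n <= int(hi or lo)

def ip_match(spec, addr):
    if "/" in spec:  # hostmask syntax: /10 or /255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    pairs = zip(spec.split("."), addr.split("."))  # wildcard or range per octet
    return all(w == "*" or in_range(w, int(h)) for w, h in pairs)

def leaf(field, spec, flow):
    if field == "Protocol":  # constant name or plain number
        spec = str(PROTOCOLS.get(spec.upper(), spec))
    # Assumption: bare IP / Port match when either direction matches.
    keys = ["Source" + field, "Destination" + field] if field in ("IP", "Port") else [field]
    test = ip_match if field.endswith("IP") else in_range
    return any(test(spec, flow[k]) for k in keys)

def matches(rule, flow):
    # Any stray character becomes its own token and is rejected by the parser.
    toks = [p or op.lower() or bad or (f, s) for p, op, f, s, bad in TOKEN.findall(rule)]
    def parse(level):  # 0 = or, 1 = and, 2 = not / atom
        if level < 2:
            value, op = parse(level + 1), ("or", "and")[level]
            while toks and toks[0] == op:
                toks.pop(0)
                rhs = parse(level + 1)  # always parse both sides, then combine
                value = (value or rhs) if op == "or" else (value and rhs)
            return value
        tok = toks.pop(0) if toks else None
        if tok == "not":
            return not parse(2)
        if isinstance(tok, tuple):
            return leaf(*tok, flow)
        value = parse(0) if tok == "(" else None
        if tok != "(" or not toks or toks.pop(0) != ")":
            raise ValueError("unbalanced parenthesis or misplaced token")
        return value
    result = parse(0)
    if toks:
        raise ValueError("unexpected trailing token")
    return result
```

A rule with a missing closing parenthesis or stray text raises `ValueError` instead of silently matching, which is the behaviour to want when a rule decides which traffic is counted.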