1) Filtering DNS packets according to their "return code" (rcode):
(dns.flags.rcode == x) //Filter dns packets whose rcode is equal to "x".
!(dns.flags.rcode == x) //Filter dns packets whose rcode is NOT equal to "x".
See common "return codes" and their description in the table below:

Return Message | RCODE | Description
---------------|-------|-------------------------------------------
NOERROR        | 0     | DNS Query completed successfully
FORMERR        | 1     | DNS Query Format Error
SERVFAIL       | 2     | Server failed to complete the DNS request
NXDOMAIN       | 3     | Domain name does not exist
NOTIMP         | 4     | Function not implemented
REFUSED        | 5     | The server refused to answer the query
YXDOMAIN       | 6     | Name that should not exist, does exist
YXRRSET        | 7     | RRset that should not exist, does exist
NOTAUTH        | 8     | Server not authoritative for the zone
NOTZONE        | 9     | Name not in zone
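As an added example (not part of the original list), the check behind filter 1 implemented in Python over raw DNS payloads: it reads the 4-bit RCODE from the flags word of the 12-byte header, keeps only responses (QR bit set, since queries carry no meaningful RCODE), and applies the "equal" / "NOT equal" selection to a small constructed set of packets. Function names and the sample packets are assumptions made for this example.

```python
import struct

# RCODE values from the table above (RFC 1035 / RFC 2136)
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NOTAUTH", 9: "NOTZONE",
}

# Fixed DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order)
DNS_HEADER = struct.Struct("!HHHHHH")


def dns_rcode(payload: bytes) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a raw DNS message."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    _, flags, *_ = DNS_HEADER.unpack_from(payload)
    return flags & 0x000F


def is_response(payload: bytes) -> bool:
    """QR bit (bit 15 of the flags word) set means the message is a response."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    _, flags, *_ = DNS_HEADER.unpack_from(payload)
    return bool(flags & 0x8000)


def filter_rcode(packets, rcode, negate=False):
    """Equivalent of (dns.flags.rcode == rcode), or !(...) when negate=True, over responses."""
    return [p for p in packets if is_response(p) and ((dns_rcode(p) == rcode) != negate)]


def build_response(txid: int, rcode: int, qname: str = "example.com") -> bytes:
    """Constructed sample: minimal response with one A/IN question and the given RCODE."""
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, then RCODE
    header = DNS_HEADER.pack(txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed sample capture: NOERROR, NXDOMAIN and SERVFAIL responses plus one query (QR=0)
SAMPLE = [
    build_response(0x1A2B, 0),
    build_response(0x1A2C, 3, "nonexistent.example"),
    build_response(0x1A2D, 2),
    DNS_HEADER.pack(0x1A2E, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01",
]

if __name__ == "__main__":
    for p in filter_rcode(SAMPLE, 3):  # same selection as (dns.flags.rcode == 3)
        print("%s response, txid=0x%04x" % (RCODE_NAMES[dns_rcode(p)], struct.unpack("!H", p[:2])[0]))
```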
2) Filtering packets based on Source and Destination IP Addresses:
(ip.src == 31.13.64.11) && (ip.dst == 10.210.0.10) //Filter packets whose source IP is "31.13.64.11" AND destination IP is "10.210.0.10".
3) Filtering M3UA packets based on Originating Point Code (OPC):
(m3ua.protocol_data_opc == 12345) //Filter M3UA packets whose OPC is equal to "12345".
4) Filtering M3UA packets based on Destination Point Code (DPC):
(m3ua.protocol_data_dpc == 34567) //Filter M3UA packets whose DPC is equal to "34567".
5) Filtering M3UA packets based on OPC or DPC:
(m3ua.protocol_data_opc == 12345) || (m3ua.protocol_data_dpc == 34567) //Filter M3UA packets whose OPC is equal to "12345" OR DPC is equal to "34567".
(m3ua.protocol_data_opc == 12345) && (m3ua.protocol_data_dpc == 34567) //Filter M3UA packets whose OPC is equal to "12345" AND DPC is equal to "34567".
6) Filtering GSM MAP packets based on TBCD (Telephony Binary-Coded Decimal) digits:
(gsm_map.tbcd_digits == "1234567") //Filter GSM MAP packets whose TBCD is equal to "1234567".
7) Filtering TCP/UDP packets based on port number:
(tcp.port == 8080) //Filter TCP packets whose source or destination port number is equal to "8080".
(tcp.srcport == 80) //Filter TCP packets whose source port number is equal to "80".
(tcp.dstport == 443) //Filter TCP packets whose destination port number is equal to "443".
(udp.port == 53) //Filter UDP packets whose source or destination port number is equal to "53".
(udp.srcport == 53) //Filter UDP packets whose source port number is equal to "53".
(udp.dstport == 53) //Filter UDP packets whose destination port number is equal to "53".
8) Filtering TCAP (Transaction Capabilities Application Part) packets based on OTID (Orig. Transaction Id)/DTID (Dest. Transaction Id):
(tcap.otid == 1a:00:6a:15) //Filter TCAP packets whose otid is equal to "1a:00:6a:15".
(tcap.dtid == 1a:00:6a:15) //Filter TCAP packets whose dtid is equal to "1a:00:6a:15".
9) Filtering Voice packets based on E.164 international telephone numbering plan:
(e164.calling_party_number.digits == "256723039294") //Filter voice packets whose calling party (A) is equal to "256723039294".
(e164.called_party_number.digits == "254782243131") //Filter voice packets whose called party (B) is equal to "254782243131".
10) Filtering S1AP (Signalling between eNodeB & MME):
(s1ap.ENB_UE_S1AP_ID == 101) //During LTE Attach & Default EPS Bearer Establishment, the eNodeB allocates 101 as the ENB-UE-S1AP-ID for the new session.
(s1ap.MME_UE_S1AP_ID == 211) //During LTE Attach & Default EPS Bearer Establishment, the MME allocates 211 as the MME-UE-S1AP-ID for the session.
11) Filtering GTP (GPRS Tunneling Protocol) packets:
(gtp.ptmsi == 0xc6eb8017) //Filter GTP packets whose P-TMSI(Packet Temporary Mobile Subscriber Identity) is equal to "0xc6eb8017".