# arp htype 1
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "==",
"right": 1
}
}
]
# arp htype != 1
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "!=",
"right": 1
}
}
]
# arp htype 22
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "==",
"right": 22
}
}
]
# arp htype != 233
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "!=",
"right": 233
}
}
]
# arp htype 33-45
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# arp htype != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# arp htype { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# arp htype != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# arp htype { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# arp htype != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# arp ptype 0x0800
[
{
"match": {
"left": {
"payload": {
"field": "ptype",
"protocol": "arp"
}
},
"op": "==",
"right": "0x0800"
}
}
]
# arp hlen 22
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "==",
"right": 22
}
}
]
# arp hlen != 233
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "!=",
"right": 233
}
}
]
# arp hlen 33-45
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# arp hlen != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# arp hlen { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# arp hlen != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# arp hlen { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# arp hlen != { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# arp plen 22
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "==",
"right": 22
}
}
]
# arp plen != 233
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "!=",
"right": 233
}
}
]
# arp plen 33-45
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "==",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# arp plen != 33-45
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"range": [ 33, 45 ]
}
}
}
]
# arp plen { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "==",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# arp plen != { 33, 55, 67, 88}
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"set": [
33,
55,
67,
88
]
}
}
}
]
# arp plen { 33-55}
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "==",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# arp plen != {33-55}
[
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"set": [
{ "range": [ 33, 55 ] }
]
}
}
}
]
# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": {
"set": [
"nak",
"inreply",
"inrequest",
"rreply",
"rrequest",
"reply",
"request"
]
}
}
}
]
# arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": {
"set": [
"nak",
"inreply",
"inrequest",
"rreply",
"rrequest",
"reply",
"request"
]
}
}
}
]
# arp operation 1-2
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": {
"range": [
"request",
"reply"
]
}
}
}
]
# arp operation request
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "request"
}
}
]
# arp operation reply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "reply"
}
}
]
# arp operation rrequest
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "rrequest"
}
}
]
# arp operation rreply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "rreply"
}
}
]
# arp operation inrequest
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "inrequest"
}
}
]
# arp operation inreply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "inreply"
}
}
]
# arp operation nak
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "nak"
}
}
]
# arp operation reply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "==",
"right": "reply"
}
}
]
# arp operation != request
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "request"
}
}
]
# arp operation != reply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "reply"
}
}
]
# arp operation != rrequest
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "rrequest"
}
}
]
# arp operation != rreply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "rreply"
}
}
]
# arp operation != inrequest
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "inrequest"
}
}
]
# arp operation != inreply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "inreply"
}
}
]
# arp operation != nak
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "nak"
}
}
]
# arp operation != reply
[
{
"match": {
"left": {
"payload": {
"field": "operation",
"protocol": "arp"
}
},
"op": "!=",
"right": "reply"
}
}
]
# arp saddr ip 1.2.3.4
[
{
"match": {
"left": {
"payload": {
"field": "saddr ip",
"protocol": "arp"
}
},
"op": "==",
"right": "1.2.3.4"
}
}
]
# arp daddr ip 4.3.2.1
[
{
"match": {
"left": {
"payload": {
"field": "daddr ip",
"protocol": "arp"
}
},
"op": "==",
"right": "4.3.2.1"
}
}
]
# arp saddr ether aa:bb:cc:aa:bb:cc
[
{
"match": {
"left": {
"payload": {
"field": "saddr ether",
"protocol": "arp"
}
},
"op": "==",
"right": "aa:bb:cc:aa:bb:cc"
}
}
]
# arp daddr ether aa:bb:cc:aa:bb:cc
[
{
"match": {
"left": {
"payload": {
"field": "daddr ether",
"protocol": "arp"
}
},
"op": "==",
"right": "aa:bb:cc:aa:bb:cc"
}
}
]
# arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee
[
{
"match": {
"left": {
"payload": {
"field": "saddr ip",
"protocol": "arp"
}
},
"op": "==",
"right": "192.168.1.1"
}
},
{
"match": {
"left": {
"payload": {
"field": "daddr ether",
"protocol": "arp"
}
},
"op": "==",
"right": "fe:ed:00:c0:ff:ee"
}
}
]
# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1
[
{
"match": {
"left": {
"payload": {
"field": "daddr ether",
"protocol": "arp"
}
},
"op": "==",
"right": "fe:ed:00:c0:ff:ee"
}
},
{
"match": {
"left": {
"payload": {
"field": "saddr ip",
"protocol": "arp"
}
},
"op": "==",
"right": "192.168.1.1"
}
}
]
# meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
[
{
"match": {
"left": {
"meta": { "key": "iifname" }
},
"op": "==",
"right": "invalid"
}
},
{
"match": {
"left": {
"payload": {
"field": "ptype",
"protocol": "arp"
}
},
"op": "==",
"right": "0x0800"
}
},
{
"match": {
"left": {
"payload": {
"field": "htype",
"protocol": "arp"
}
},
"op": "==",
"right": 1
}
},
{
"match": {
"left": {
"payload": {
"field": "hlen",
"protocol": "arp"
}
},
"op": "==",
"right": 6
}
},
{
"match": {
"left": {
"payload": {
"field": "plen",
"protocol": "arp"
}
},
"op": "==",
"right": 4
}
},
{
"match": {
"left": {
"payload": {
"base": "nh",
"len": 32,
"offset": 192
}
},
"op": "==",
"right": "0xc0a88f10"
}
},
{
"mangle": {
"key": {
"payload": {
"base": "nh",
"len": 48,
"offset": 144
}
},
"value": "0x112233445566"
}
}
]