" CAPTURE FILTERS" HEADER " " "ARP" HEADER " ARP" ether proto 0806 " ARP" ether proto \arp " ARP" arp "MAC FILTERS" HEADER " Ether Host" ether host 00:11:95:2f:cc:cc " Mac Address" ether host 00:11:95:2f:cc:cc " Ethernet Source First 3 Bytes" ether.src [6 :3] == 00:11:95 " LLDP (802.1AB)" ether dst 01:80:c2:00:cc:0e " MAC This PC" ether host 00:16:35:ee:ee:eb " MAC 2" ether host 00:16:35:ee:ee:eb "IP FILTERS" HEADER " Destination Host" dst host 10.10.1.1 " IP" h " IP#2" host 192.168.20.32 " Host " host 10.10.1.1 " Host by Name" host www.gearbit.com " Source Host" srd host 10.10.1.1 " IP Address & Port ??" host 10.10.10.1 && port 80 " IP Address & Not Port ??" host 192.168.1.100 && not port 80 " IP Address or IP Address" host 192.168.1.100 or host 192.168.1.101 "BROADCAST & MULTICAST FILTERS" HEADER " IP Multicast" ip multicast " Ethernet Multicast" ether multicast " Broadcast" ether broadcast " Broadcast" xxx.xxx.xxx.255 || xxx.xxx.xxx.0 " Broadcast" (ip[19]=0xff) || (ip[19]=0x00) "DNS" HEADER " DNS Zone Transfer" tcp && dst port 53 "ICMP" HEADER " All ICMP Except Ping" icmp && icmp[0] != 8 && icmp[0] != 0 " Fragmentation Needed But DF Flag Set" (icmp[0] = 3) && (icmp[1] = 4) " Fragmented ICMP" icmp && (ip[6:1] & 0x20 != 0) " In Out Going Smurf Attack" icmp && (ip[19:1] = 255) " In Out Going Fragmentation Attack" icmp && ip[6:2] & 16383 != 0 " Loki Filter" ((icmp[0] = 0) || (icmp[0] = 8)) && ((icmp[6:2] = 0xf001) || (icmp[6:2] = 0x01f0) " ICMP Address Mask Requests" icmp[0] = 17 " Frag required but DF set" ((icmp[0] = 3) && (icmp[1] = 4)) " Source Route Failed" (icmp[0] = 3) && (icmp[1] = 5) " Source Quench" icmp[0] = 4 " Redirect" icmp[0] = 5 " Router Advertisement" icmp[0] = 9 " Router Solicitation" icmp[0] = 10 " Parameter Problem" icmp[0] = 12 " Timestamp Request" icmp[0] = 13 " Timestamp Reply" icmp[0] = 14 " Information Request" icmp[0] = 15 " Information reply" icmp[0] = 16 " Address Mask Request" icmp[0] = 17 " Address Mask Reply" icmp[0] = 18 " ICMP" ip 
proto \ icmp "SPECIFIC ETHER TYPE" HEADER " Reverse ARP" ip proto rarp " DHCP & BOOTP" udp port 67 or udp port 68 " CDP, VTP, other Cisco" Ether dst 01:00:0c:cc:cc:cc " RARP" ether proto 8035 " Apple Talk" atlak " IP" ether proto 0800 " IP Ver 6" ip6 " Dec Net" dec-net " LAT" ether proto 6004 " Netbeui" netbeui "PROTOCOL & PORTS" HEADER " ICMP" proto \icmp " IGMP and DVMRP" proto 2 " IPX Ethernet_II" ether proto 0x8137 "HTTP" HEADER " HTTP Port 80" port 80 " HTTP Source Port 80 " src port 80 " HTTP Destination Port 80" dst port 80 " Incoming HTTP Requests" (tcp[13:1]&18 = 2) && (port 80) && (ip dst 192.168.1.40) " TCP" ip proto tcp " Port 80" tcp[0:2] = 80 "FTP" HEADER " FTP" ftp " FTP" tcp[0:2] = 21 || tcp[2:2] == 21 " FTP" tcp port 20 or tcp port 21 " LLDP (802.1AB)" ether dst 01:80:c2:00:00:0e "UDP" HEADER " UDP" udp " IP" ether proto \ip " TFTP" udp port 69 "TELNET" HEADER " TELNET" tcp[2:2] = 23 " TELNET" (tcp[(tcp[12]>>2):2] > 0xfffa) && (tcp[(tcp[12]>>2):2] < 0xffff) "TCP" HEADER " TCP all" tcp " TCP Port" port 80 " TCP Port" port http " Time To Live" tcp=1" ip[8] " SYN" tcp[13] & 0x02=2 " Time To Live" ip[8] " TCP Basic Filter" tcp[13] = 2 /* " TCP Source Port" tcp[0:2] " TCP Destination Port" tcp[2:2] " TCP FINAL" tcp[13] & 0x01 = 0x01 " TCP SYN 1" tcp[13] & 0x02 = 0x02 " TCP SYN 2" tcp.flags.syn == 1 " TCP SYN 3" tcp.flags == 0x02 " TCP RST" tcp[13] & 0x04 = 0x04 " TCP All Flags" tcp[13] & 0x07 != 0 " TCP PUSH" tcp-push " TCP URGENT" tcp-urg " TCP Zero Window Size WITHOUT a reset" tcp.window_size==0 && !(tcp.flags==0x14) && !(tcp.flags==0x04)tcp.window_size==0 && !(tcp.flags.reset == 1) " TCP All External to 192.168.1.0/24" tcp and not (src net 192.168.1 && dst net 192.168.1) "ROUTING PROTOCOLS" HEADER " OSPF" ip proto 89 " PVST+" ether dst 01:00:0c:cc:cc:cd " RIP" udp port 520 and dst net 255.255.255.255 " RIPv2" udp port 520 and dst net 224.0.0.9 "NETWORK & HOST TO HOST" HEADER " Network Address" net 192.168 " Source Network Address" src net 192.168 " 
Destination Network Address" dst net 192.168 " Host to Host" host 10.10.10.1 and host 10.10.10.2 "SMTP" HEADER " SMTP All" port 25 and (tcp[12] & 0xf0>0x50 or tcp[20:4] = 0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4] = 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659 or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] = 0x51554954 or tcp [20:4] = 0x5455524E) " SNMP" udp port 161 or udp port 162 "Special Filters" HEADER " All Traffic no Broadcast or Multicast" not broadcast and not multicast " Blaster Worm" dst port 135 and tcp port 135 and ip[2:2]==48 " Welchia Worm" icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA "Spanning Tree" HEADER " Spanning Tree" ether dst 01:80:c2:00:00:00 " Spanning Tree and PVST+" ether dst 01:80:c2:00:00:00 or ether dst 01:00:0c:cc:cc:cd " Topology protocol(1)" ether dst 01:00:81:00:01:01 or ether dst 01:00:81:00:02:01 or ether dst 01:00:81:00:01:00 or ether dst 01:00:81:00:02:00 " Traffic to or from IP (2)" host x.x.x.x " Traffic to or from MAC" ether host xx:xx:xx:xx:xx:xx "Microsoft Protocols" HEADER " TCP PORT 139" tcp port 139 " UDP PORT 137" udp port 137 " UDP PORT 138" udp port 138 " UDP PORT 445" udp port 445 " SMB" dst port 139 && tcp[13:1] & 18 = 2 " DNS" port 53 " DNS servers that allow recursive queries" udp port 53 and (udp[10] & 1 == 1) and src net not 10.0.0.0/8 and src net not 10.0.0.0/8 "Other Useful Filters" HEADER " Ethernet address 00:08:15:00:08:15" ether host 00:08:15:00:08:15 " Ethernet type 0x0806 (ARP)" ether proto 0x0806 " No broadcast and no Multicast" not broadcast and not multicast " No ARP" not arp " No ARP and no DNS" not arp and port not 53 " Non-HTTP and non-SNMP to/from wireshark.org" not port 80 and not port 25 and host www.wireshark.org "UDP" HEADER " UDP All" udp " Teardrop Attack" udp && (ip[6:1] & 0x20 != 0) " Catch Anything UDP to port 500 UDP" 
-n -vv udp && dst port 500 " UDP Packets with impossible UDP lengths" (udp[4:2] < 0) || (udp[4:2] > 1500) " Back Orifice" -n -vv udp && dst port 31337 " UNIX Traceroute Dest Ports between 33000 and 33999" (udp[2:2] >= 33000) && (udp[2:2] <= 33999) " Or Alternatively" udp[2:2] >= 33000 && udp[2:2] < 34000 && ip[8] = 1 " UDP Port Scan" udp && src port = dst port "Routing Protocols" HEADER " RIP info" -s 1024 port routed "VoIP" HEADER " RTP" rtp " SIP TCP" tcp port sip " SIP UDP" udp port sip " SIP TCP & UDP" port sip "VLAN" HEADER " VLAN 802.1Q" [vlan_id] " VLAN & HOST" vlan and host x.x.x.x"