# ip protocol tcp tcp dport 22
[
    {
        "match": {
            "left": {
                "payload": {
                    "field": "protocol",
                    "name": "ip"
                }
            },
            "right": "tcp"
        }
    },
    {
        "match": {
            "left": {
                "payload": {
                    "field": "dport",
                    "name": "tcp"
                }
            },
            "right": 22
        }
    }
]

# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
[
    {
        "match": {
            "left": {
                "payload": {
                    "field": "protocol",
                    "name": "ip"
                }
            },
            "right": "tcp"
        }
    },
    {
        "match": {
            "left": {
                "payload": {
                    "field": "saddr",
                    "name": "ip"
                }
            },
            "right": "1.2.3.4"
        }
    },
    {
        "match": {
            "left": {
                "payload": {
                    "field": "dport",
                    "name": "tcp"
                }
            },
            "right": 22
        }
    }
]

# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
[
    {
        "match": {
            "left": {
                "payload": {
                    "field": "protocol",
                    "name": "ip"
                }
            },
            "right": "tcp"
        }
    },
    {
        "counter": null
    },
    {
        "match": {
            "left": {
                "payload": {
                    "field": "saddr",
                    "name": "ip"
                }
            },
            "right": "1.2.3.4"
        }
    },
    {
        "match": {
            "left": {
                "payload": {
                    "field": "dport",
                    "name": "tcp"
                }
            },
            "right": 22
        }
    }
]

# ip protocol tcp counter tcp dport 22
[
    {
        "match": {
            "left": {
                "payload": {
                    "field": "protocol",
                    "name": "ip"
                }
            },
            "right": "tcp"
        }
    },
    {
        "counter": null
    },
    {
        "match": {
            "left": {
                "payload": {
                    "field": "dport",
                    "name": "tcp"
                }
            },
            "right": 22
        }
    }
]

# ether type ip tcp dport 22
[
    {
        "match": {
            "left": {
                "payload": {
                    "field": "type",
                    "name": "ether"
                }
            },
            "right": "ip"
        }
    },
    {
        "match": {
            "left": {
                "payload": {
                    "field": "dport",
                    "name": "tcp"
                }
            },
            "right": 22
        }
    }
]