# arp htype 1 [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "==", "right": 1 } } ] # arp htype != 1 [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "!=", "right": 1 } } ] # arp htype 22 [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "==", "right": 22 } } ] # arp htype != 233 [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "!=", "right": 233 } } ] # arp htype 33-45 [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "==", "right": { "range": [ 33, 45 ] } } } ] # arp htype != 33-45 [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "!=", "right": { "range": [ 33, 45 ] } } } ] # arp htype { 33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "==", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # arp htype != { 33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "!=", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # arp ptype 0x0800 [ { "match": { "left": { "payload": { "field": "ptype", "protocol": "arp" } }, "op": "==", "right": "0x0800" } } ] # arp hlen 22 [ { "match": { "left": { "payload": { "field": "hlen", "protocol": "arp" } }, "op": "==", "right": 22 } } ] # arp hlen != 233 [ { "match": { "left": { "payload": { "field": "hlen", "protocol": "arp" } }, "op": "!=", "right": 233 } } ] # arp hlen 33-45 [ { "match": { "left": { "payload": { "field": "hlen", "protocol": "arp" } }, "op": "==", "right": { "range": [ 33, 45 ] } } } ] # arp hlen != 33-45 [ { "match": { "left": { "payload": { "field": "hlen", "protocol": "arp" } }, "op": "!=", "right": { "range": [ 33, 45 ] } } } ] # arp hlen { 33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "hlen", "protocol": "arp" } }, "op": "==", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # arp hlen != { 33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "hlen", "protocol": "arp" } }, "op": "!=", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # arp plen 22 [ { "match": { "left": { "payload": { "field": "plen", "protocol": "arp" } }, "op": "==", "right": 22 } } ] # arp plen != 233 [ { "match": { "left": { "payload": { "field": "plen", "protocol": "arp" } }, "op": "!=", "right": 233 } } ] # arp plen 33-45 [ { "match": { "left": { "payload": { "field": "plen", "protocol": "arp" } }, "op": "==", "right": { "range": [ 33, 45 ] } } } ] # arp plen != 33-45 [ { "match": { "left": { "payload": { "field": "plen", "protocol": "arp" } }, "op": "!=", "right": { "range": [ 33, 45 ] } } } ] # arp plen { 33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "plen", "protocol": "arp" } }, "op": "==", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # arp plen != { 33, 55, 67, 88} [ { "match": { "left": { "payload": { "field": "plen", "protocol": "arp" } }, "op": "!=", "right": { "set": [ 33, 55, 67, 88 ] } } } ] # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request} [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": { "set": [ "nak", "inreply", "inrequest", "rreply", "rrequest", "reply", "request" ] } } } ] # arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request} [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": { "set": [ "nak", "inreply", "inrequest", "rreply", "rrequest", "reply", "request" ] } } } ] # arp operation 1-2 [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": { "range": [ "request", "reply" ] } } } ] # arp operation request [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": "request" } } ] # arp operation reply [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": "reply" } } ] # arp operation rrequest [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": "rrequest" } } ] # arp operation rreply [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": "rreply" } } ] # arp operation inrequest [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": "inrequest" } } ] # arp operation inreply [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": "inreply" } } ] # arp operation nak [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "==", "right": "nak" } } ] # arp operation != request [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": "request" } } ] # arp operation != reply [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": "reply" } } ] # arp operation != rrequest [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": "rrequest" } } ] # arp operation != rreply [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": "rreply" } } ] # arp operation != inrequest [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": "inrequest" } } ] # arp operation != inreply [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": "inreply" } } ] # arp operation != nak [ { "match": { "left": { "payload": { "field": "operation", "protocol": "arp" } }, "op": "!=", "right": "nak" } } ] # arp saddr ip 1.2.3.4 [ { "match": { "left": { "payload": { "field": "saddr ip", "protocol": "arp" } }, "op": "==", "right": "1.2.3.4" } } ] # arp daddr ip 4.3.2.1 [ { "match": { "left": { "payload": { "field": "daddr ip", "protocol": "arp" } }, "op": "==", "right": "4.3.2.1" } } ] # arp saddr ether aa:bb:cc:aa:bb:cc [ { "match": { "left": { "payload": { "field": "saddr ether", "protocol": "arp" } }, "op": "==", "right": "aa:bb:cc:aa:bb:cc" } } ] # arp daddr ether aa:bb:cc:aa:bb:cc [ { "match": { "left": { "payload": { "field": "daddr ether", "protocol": "arp" } }, "op": "==", "right": "aa:bb:cc:aa:bb:cc" } } ] # arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee [ { "match": { "left": { "payload": { "field": "saddr ip", "protocol": "arp" } }, "op": "==", "right": "192.168.1.1" } }, { "match": { "left": { "payload": { "field": "daddr ether", "protocol": "arp" } }, "op": "==", "right": "fe:ed:00:c0:ff:ee" } } ] # arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1 [ { "match": { "left": { "payload": { "field": "daddr ether", "protocol": "arp" } }, "op": "==", "right": "fe:ed:00:c0:ff:ee" } }, { "match": { "left": { "payload": { "field": "saddr ip", "protocol": "arp" } }, "op": "==", "right": "192.168.1.1" } } ] # meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 [ { "match": { "left": { "meta": { "key": "iifname" } }, "op": "==", "right": "invalid" } }, { "match": { "left": { "payload": { "field": "ptype", "protocol": "arp" } }, "op": "==", "right": "0x0800" } }, { "match": { "left": { "payload": { "field": "htype", "protocol": "arp" } }, "op": "==", "right": 1 } }, { "match": { "left": { "payload": { "field": "hlen", "protocol": "arp" } }, "op": "==", "right": 6 } }, { "match": { "left": { "payload": { "field": "plen", "protocol": "arp" } }, "op": "==", "right": 4 } }, { "match": { "left": { "payload": { "base": "nh", "len": 32, "offset": 192 } }, "op": "==", "right": "0xc0a88f10" } }, { "mangle": { "key": { "payload": { "base": "nh", "len": 48, "offset": 144 } }, "value": "0x112233445566" } } ]