Packet Reply
ARP reply, DNS response, HTTP response
ARP reply
<run>
<!-- Purpose: answer ARP requests for 192.168.1.10 that arrive on P6, and pass all other traffic between P6 and P7. -->
<!-- Filter 1: selects ARP requests whose target IP is 192.168.1.10. -->
<!-- NOTE(review): relation is empty here and the attributes are spelled name/relation/content, while the DNS example on this page uses n/r/c with r="==". Confirm which spelling the device accepts and that an empty relation is treated as equality. -->
<filter id="1" sessionBase="no">
<or>
<find name="arp.request.target.ip" relation="" content="192.168.1.10" />
</or>
</filter>
<!-- Output 1: emits the generated ARP reply on P6, the same port the chain below reads requests from. -->
<!-- arp_reply_default_mac presumably makes the device answer with its own default MAC address; confirm against the product documentation. -->
<output id="1">
<port>P6</port>
<arp_reply_default_mac/>
</output>
<!-- Chain P6 to P7: packets entering P6 are tested against F1 (presumably filter id 1). A match is handed to O1 (presumably output id 1); anything that does not match is forwarded to P7. -->
<!-- NOTE(review): a matching request is sent to O1 only, so the host that really owns 192.168.1.10 behind P7 presumably never sees it. Hosts on the P6 side will then map that IP to the device's MAC; confirm this is intended and expect ARP inspection or duplicate-address monitoring on that segment to report it. -->
<chain>
<in>P6</in>
<fid>F1</fid>
<out>O1</out>
<next type="notmatch">
<out>P7</out>
</next>
</chain>
<!-- Return path: packets entering P7 are forwarded to P6 with no filter applied. -->
<chain>
<in>P7</in>
<out>P6</out>
</chain>
</run>
DNS response
<run>
<!-- Purpose: answer DNS queries for a fixed list of names arriving on P6 with the address 192.168.1.201, and pass all other traffic between P6 and P7. -->
<!-- Filter 1: matches when the queried name equals any one of the listed names. The comparison is r="==", so names that are not listed (other subdomains, for example) are presumably not matched. -->
<filter id="1" sessionBase="no">
<or>
<find n="dns.qry.name" r="==" c="google.com" />
<find n="dns.qry.name" r="==" c="www.google.com" />
<find n="dns.qry.name" r="==" c="ssl.gstatic.com" />
<find n="dns.qry.name" r="==" c="www.gstatic.com" />
<find n="dns.qry.name" r="==" c="apis.google.com" />
</or>
</filter>
<!-- Filter 2: intended to select queries of type 1 (A, IPv4) that carry no additional records (no EDNS OPT record). -->
<!-- NOTE(review): the two conditions sit inside an "or" group, so as written either one alone satisfies the filter: a non-A query without additional records, or an A query that does carry EDNS, would both match and receive an IPv4 answer. If both conditions are required, they need to be combined with AND semantics; confirm how the device expresses that. -->
<filter id="2" sessionBase="no">
<or>
<find n="dns.qry.type" r="==" c="1" />
<find n="dns.count.add_rr" r="==" c="0" />
</or>
</filter>
<!-- Output 1: emits the generated DNS response on P6, answering with the IPv4 address 192.168.1.201. -->
<output id="1">
<port>P6</port>
<dns_response_ipv4>192.168.1.201</dns_response_ipv4>
</output>
<!-- Chain P6 to P7: fid type="and" requires both F1 and F2 (presumably filter ids 1 and 2) to match before the packet is handed to O1; anything else is forwarded to P7, so only the listed names are answered locally. -->
<!-- NOTE(review): a matching query is sent to O1 only, so it presumably never reaches the resolver behind P7; confirm. -->
<chain>
<in>P6</in>
<fid type="and">F1,F2</fid>
<out>O1</out>
<next type="notmatch">
<out>P7</out>
</next>
</chain>
<!-- Return path: packets entering P7 are forwarded to P6 with no filter applied. -->
<chain>
<in>P7</in>
<out>P6</out>
</chain>
</run>