# Element \ ## Attribute
AttributeAlternativeDescriptionTypeDefault (* must have)
idSpecifies a unique id for an elementInterger
namenrefer to wireshark filter function, but less itemString*
relationrEqual or Not equal

==/!=

>=/<= (v3.9)

*
contentccontent of name, could be emptyString*
### Attribute -name
nametypeDescriptionExampleSupport
eth.addrMAC addressSource or Destination MAC addresseth.addr == 12:34:56:78:9a:bc
eth.srcMAC addressSource MAC addresseth.src == 12:34:56:78:9a:bc
eth.dstMAC addressDestination MAC addresseth.dst == 12:34:56:78:9a:bc
eth.typeUnsigned integer, 2 bytesEtherTypeeth.type == 2048 (IPv4 0x0800)
vlan.idUnsigned integer, 2 bytesvlan idvlan.id == 5
vlan.l2.idUnsigned integer, 2 bytesvlan layer 2 idvlan.l2.id == 1
vlan.priorityUnsigned integer, 2 bytesPriorityvlan.priority == 5
ipis IPv4ip ==
ip.addrIPv4 addressSource or Destination Addressip.addr == 8.8.8.8
ip.srcIPv4 addressSource Addressip.src == 8.8.8.8
ip.dstIPv4 addressDestination Addressip.dst == 8.8.8.8
ip.protoUnsigned integer, 1 byteProtocolip.proto == 6 (TCP)
ip.fragmentis IPv4 Fragmentip.fragment ==
ip.flags.dfUnsigned integer, 1 byteis IP don't fragmentip.flags.df == 1v3.9
ip.flags.mfUnsigned integer, 1 byteis IP more fragmentip.flags.mf == 1v3.9
ip.dsfieldUnsigned integer, 1 byteDifferentiated Services Fieldip.dsfield == 1
ipv6is IPv6ipv6 ==
ipv6.addrIPv6 addressSource or Destination Addressipv6.addr == 2001:0db8:86a3:08d3:1319:8a2e:0370:7344
ipv6.srcIPv6 addressSource Addressipv6.src == 2001:0db8:86a3:08d3:1319:8a2e:0370:7344
ipv6.dstIPv6 addressDestination Addressipv6.dst == 2001:0db8:86a3:08d3:1319:8a2e:0370:7344
ipv6.nxtUnsigned integer, 1 byteNext Header
tcpis TCPtcp ==
tcp.portUnsigned integer, 2 bytesSource or Destination Porttcp.port == 443
tcp.srcportUnsigned integer, 2 bytesSource Porttcp.srcport == 443
tcp.dstportUnsigned integer, 2 bytesDestination Porttcp.dstport == 443
tcp.flags.syn0 or 1Syntcp.flags.syn == 1
tcp.flags.ack0 or 1Acktcp.flags.ack == 1
tcp.flags.fin0 or 1Fintcp.flags.fin == 1
tcp.flags.reset0 or 1Resettcp.flags.rst == 1
udpis UDPudp ==
udp.portUnsigned integer, 2 bytesSource or Destination Portudp.port == 53
udp.srcportUnsigned integer, 2 bytesSource Portudp.srcport == 53
udp.dstportUnsigned integer, 2 bytesDestination Portudp.dstport == 53
sctpis SCTPsctp ==
sctp.portUnsigned integer, 2 bytesSource or Destination Portsctp.port == 2906
sctp.srcportUnsigned integer, 2 bytesSource Portsctp.srcport == 2906
sctp.dstportUnsigned integer, 2 bytesDestination Portsctp.dstport == 2906
5-tuple5 Tuple, - means don't careSource IP Address, Destination IP Address, Protocol, Source Port, Destination Port5-tuple == - 192.168.1.203 - - 443
gtp.cp
gtp.data
gtp.imsi
gtp.teid
ip.addr.related.gtp.imsiip.addr.related.gtp.imsi == 466100000001007
greis GREgre ==
vxlanis VXLANvxlan ==v5.2
vxlan.vniUnsigned integer, 3 bytesVXLAN vnivxlan.vni == 1v5.2
erspan.spanidERSPAN iderspan.spanid == 1
voipis SIP or RTPvoip ==
voip.accountvoip.account == 212@o.gentrice.net
voip.fromvoip.from == 212@o.gentrice.net
voip.tovoip.to == 212@o.gentrice.net
dns.aIPv4 addressDNS type A ip addressesdns.a == 216.239.32.10
dns.flags.response0 or 1DNS Responsedns.flags.response == 1
dns.count.add_rrintDNS additional records countdns.count.add_rr == 1
dns.qry.typeintDNS query typedns.qry.type == 1
dns.qry.nameCharacter stringDNS query namedns.qry.name == google.com
dns.qry.name_public_suffixCharacter stringDNS query name public suffixdns.qry.name_public_suffix == *.googlevideo.com
dns.qry.name.resp.ip.addrCharacter stringDNS query name response ip addrdns.qry.name.resp.ip.addr == googlevideo.com
httpis HTTPhttp ==
http.requestis HTTP requesthttp.request ==
http.hostCharacter stringHTTP hosthttp.host == yahoo.comv5.3
http.request.uriCharacter stringHTTP request urihttp.request.uri == /index.htmlv5.3
http.request.methodGET,HEAD,POST,etc.HTTP request methodhttp.request.method == GET
http.request.urlurlHTTP request urlhttp.request.url == www.whitehollowtransport.com/current-elliott-c-89.html
sslis SSLssl ==
ssl.server_nameCharacter stringSSL server_namessl.server_name == facebook.com
ssl.server_name_public_suffixCharacter stringSSL server_name public suffixssl.server_name_public_suffix == *.googlevideo.com
ssl.handshake.type0 or 1SSL handshake typessl.handshake.type == 1
ssl.ja3_digestSSL ja3 digestssl.ja3_digest == 39e62db039deed96a9daf75dacdbd207
ssl.ja3s_digestSSL ja3s digestssl.ja3s_digest == 15af977ce25de452b96affa2addb1036v5.3
arpis ARParp ==
arp.requestis ARP requestarp.request ==
arp.replyis ARP replyarp.reply ==
arp.request.target.ipIPv4 addressARP target ip Addressarp.request.target.ip == 192.168.1.10
arp.request.sender.ipIPv4 addressARP sender ip Addressarp.request.sender.ip == 192.168.1.10v4.8
ftpis FTPftp ==
regexRegular Expressionregex == {s}\/.*Host: nlpqflkbvkdde.eu
country.iso_codeCountry ISO code (Alpha-2 code)is Country flowcountry.iso_code == TWNeed upload dbip database
grism.srcportpacket comes from which portgrism.srcport == P0
grism.port.linkdowngrism port link downgrism.port.linkdown == P0
session.packet.nththe nth packet in flowsession.packet.nth == 3
heartbeat.target.miss.nthheartbeat missed from nth target settingheartbeat.target.miss.nth == 1
heartbeat.target.miss.idintheartbeat missed from target id (recommend)heartbeat.target.miss.id == 5v3.2
flowtable.matched.fidflow matched which filter idflowtable.matched.fid == F1
flowtable.inportflow comes from which portflowtable.inport == P0
1Unsigned integer, 4 bytetrue or false1 != 1
packet.lenintpacket lengthpacket.len >= 500v3.9
## Example ```xml ``` ```xml ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://arraynetworks.gitbook.io/array-xml/readme/filter/find.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.