Traffic Filter Examples
This section provides practical examples of applying traffic filters to refine search results. These examples demonstrate how to use specific query parameters to filter traffic data based on time, protocol, IP addresses, and other attributes, helping to streamline analysis and improve network visibility.
The following examples demonstrate how to use the search function in the Traffic tab.
Each example includes setting the Start Date and End Date (with a quick filter option for the last day or hour) and entering a query string in the search textbox.
Detailed explanations of these examples are provided in the following sections.
AND Example:
The AND operator narrows search results by requiring that every condition be met. For example, to show traffic from an internal source whose destination is not in the same address range (the asterisks are placeholders for the actual octets):
SrcIP:"192.168.***.***" AND NOT DestIP:"192.168.***.***"
Suppose there is a need to display only UDP traffic originating from a specific source IP address. Combining the two conditions with AND ensures that only records meeting both are included:
Protocol:"UDP" AND SrcIP:"192.168.***.**"
- Protocol:"UDP" - Includes only UDP packets or flows.
- AND - Requires both conditions to be true for a record to appear in the results.
- SrcIP:"192.168.***.**" - Limits the search to traffic originating from the specified source IP address.
OR Example:
The OR filter is used to broaden search results by including multiple conditions, where at least one must be met. This filter is particularly useful when analyzing traffic that may match different criteria but still falls under a relevant category.
Suppose network administrators need to investigate traffic originating from two specific source IP addresses suspected of unusual activity. By using the OR filter, the search results will include traffic from either of these IPs, enabling a broader yet focused analysis.
SrcIP:"192.168.200.18" OR SrcIP:"192.168.200.36"
This query retrieves all network traffic where the source IP matches either 192.168.200.18 or 192.168.200.36, making it easier to analyze communication patterns from both addresses.
Composed Example:
A composed filter combines multiple conditions using both AND and OR operators, allowing for more advanced and precise traffic filtering. This approach is particularly useful when monitoring multiple communication paths between specific source and destination IP addresses.
Suppose a security analyst needs to monitor traffic between two specific source and destination IP pairs. The objective is to capture traffic where:
(SrcIP:"192.168.200.18" AND DestIP:"192.168.200.36") OR (SrcIP:"192.168.200.36" AND DestIP:"192.168.200.18")
Simple Filter Example:
A simple filter can be used to isolate specific types of traffic based on a single condition.
To identify traffic that has been detected as proxy traffic, apply the following filter:
_OS7.isProxyTraffic:true
NOT Example:
The NOT filter is used to exclude specific types of traffic from the search results.
Suppose the objective is to analyze all network traffic except proxy-related traffic. This can be achieved by applying the following filter:
NOT _OS7.isProxyTraffic:true
- This query excludes any traffic identified as proxy-related from the results.
- It allows a focused investigation of non-proxy traffic, helping to identify direct communications and other network activities.
Note: You can filter on any of the properties/attributes listed in the Traffic View panel on the right (some are shown in parentheses).
Filter by protocol type
The protocol type filter allows traffic to be filtered based on the communication protocol used.
Suppose the objective is to display only TCP traffic while excluding other protocols like UDP or ICMP. This can be achieved by applying the following filter:
Protocol:"TCP"
Filter by UDP protocol, destination port and source IP address
This filter enables the extraction of specific UDP traffic based on both the destination port and source IP address, allowing for a more precise analysis of network activity.
Suppose there is a need to investigate DNS traffic originating from a specific source IP address and targeting port 53 (which is commonly used for DNS queries). The following filter can be applied:
Protocol:"UDP" AND DestPort:"53" AND SrcIP:"192.168.200.18"
- Protocol:"UDP" - Includes only UDP packets, excluding TCP and other protocols.
- DestPort:"53" - Refines the search to traffic sent to port 53, the standard DNS port.
- SrcIP:"192.168.200.18" - Restricts the results to packets originating from this source IP address.
Note that DNS also uses TCP port 53 (for zone transfers and for responses too large for UDP), so drop the Protocol clause if you want to see both transports.
Filter by TCP protocol, destination port and source IP address
This filter allows for precise traffic analysis by extracting TCP packets based on both the destination port and source IP address. It helps in monitoring and investigating network activity related to specific services or potential security threats.
Suppose there is a need to analyze HTTPS traffic originating from a particular source IP address and targeting port 443 (which is commonly used for secure web traffic). The following filter can be applied:
Protocol:"TCP" AND DestPort:"443" AND SrcIP:"192.168.200.36"
- Protocol:"TCP" - Includes only TCP traffic, excluding all other protocols such as UDP and ICMP.
- DestPort:"443" - Limits the search to packets sent to port 443, the conventional HTTPS port.
- SrcIP:"192.168.200.36" - Restricts the results to traffic originating from this source IP address.
The filter matches on the port number only; TLS on a non-standard port, or non-TLS traffic sent to port 443, is not distinguished by this query.
Filter by ICMP protocol and source IP address
Filtering traffic based on the ICMP protocol and a specific source IP address allows for monitoring network diagnostics, detecting potential scanning activities, and identifying unusual ICMP traffic patterns.
Suppose you need to analyze ICMP traffic (such as ping requests or responses) originating from a particular source IP address. The following filter can be applied:
Protocol:"ICMP" AND SrcIP:"192.168.200.71"
- Protocol:"ICMP" - Includes only ICMP traffic, excluding other protocols such as TCP or UDP.
- SrcIP:"192.168.200.71" - Restricts the search to traffic originating from the specified source IP address.
Filter by external traffic
Filtering by external traffic and the TCP protocol helps in isolating traffic that is coming from outside the internal network and is using the TCP protocol. This can be particularly useful for monitoring inbound and outbound connections from external sources, identifying potential security threats, or troubleshooting connectivity issues.
Suppose you need to examine external traffic (traffic from outside the internal network) that is utilizing the TCP protocol. The filter can be applied as follows:
_OS7.isExternalTraffic:"true" AND Protocol:"TCP"
- _OS7.isExternalTraffic:"true" - Includes only external traffic, meaning the data originates from sources outside the internal network or perimeter.
- Protocol:"TCP" - Limits the results to traffic that uses TCP, the connection-oriented, reliable transport used by protocols such as HTTP, FTP and SSH.
Filter by direction
Filtering by traffic direction allows a more granular analysis of how data flows between network zones. The filter _OS7.direction:"external to internal communication" isolates traffic that originates from external sources and is directed toward the internal network.
This filter is useful when monitoring incoming traffic from external sources to detect potential security threats or unauthorized access attempts, or simply to analyze communication patterns.
_OS7.direction:"external to internal communication"
- _OS7.direction:"external to internal communication" - Matches traffic that originates outside the network and is directed toward internal systems.
Filter by current running TCP connections
Monitoring active TCP connections is essential for real-time network analysis, troubleshooting, and security monitoring. This filter helps identify currently running TCP sessions where the connection is established and ongoing.
This filter is useful when investigating live TCP sessions to detect ongoing data exchanges, monitor long-lived connections, or identify potentially suspicious persistent connections.
status:"running" AND connectionStatus:"ESTABLISHED"
- status:"running" - Includes only active connections that have not been closed or terminated.
- connectionStatus:"ESTABLISHED" - Includes only TCP connections that have completed the three-way handshake and have not yet been torn down; an established connection may be idle rather than actively transmitting data.
Filter by connections that time out at the beginning of flow
When monitoring network traffic, it is crucial to identify connections that fail to establish properly due to timeouts. This filter is specifically intended to capture TCP connections that never complete the handshake process and time out while in the "CONNECTING" state.
This filter is useful for detecting failed connection attempts, which may indicate:
- Network misconfigurations preventing proper communication.
- Blocked or unreachable destinations due to firewall rules or server downtime.
- Potential reconnaissance activities, where an attacker probes for open ports but does not receive a response.
status:"timeout" AND connectionStatus:"CONNECTING"
- status:"timeout" - Selects connections that were not completed successfully and ended because of a timeout.
- connectionStatus:"CONNECTING" - Ensures that only connections that were attempted but never fully established are included.
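The three causes listed above look identical in the filtered results until the half-open timeouts are grouped per source. The following is an added example, not code from the product: it takes records that already match status:"timeout" AND connectionStatus:"CONNECTING", groups them by source, and separates a client retrying one dead service (misconfiguration or downtime) from a source fanning out across many ports (port scan) or many hosts (host sweep). The flow records and the fan-out thresholds are constructed for illustration and are not values from the page.

```python
"""Triage of half-open TCP timeouts (added example, not part of the product).
Input records are assumed to be flat dicts using the field names shown on this
page (SrcIP, DestIP, DestPort, status, connectionStatus). Thresholds are assumptions."""
from collections import defaultdict

PORT_FANOUT = 8   # distinct ports probed on one host before calling it a port scan (assumed)
HOST_FANOUT = 5   # distinct hosts probed on one port before calling it a host sweep (assumed)


def half_open(src, dst, port):
    """Build one record shaped like a result of status:"timeout" AND connectionStatus:"CONNECTING"."""
    return {"SrcIP": src, "DestIP": dst, "DestPort": port,
            "status": "timeout", "connectionStatus": "CONNECTING"}


# Constructed sample (not real capture data): one client retrying a down SSH service,
# one host probing ten ports on a single target, one host sweeping SMB across the subnet.
TIMED_OUT = (
    [half_open("192.168.200.36", "192.168.200.18", 22) for _ in range(6)]
    + [half_open("192.168.200.71", "192.168.200.18", p)
       for p in (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389)]
    + [half_open("192.168.200.90", f"192.168.200.{h}", 445) for h in range(20, 30)]
)


def triage(flows, port_fanout=PORT_FANOUT, host_fanout=HOST_FANOUT):
    """Return {SrcIP: (verdict, distinct_hosts, max_ports_on_one_host)}.

    Only records in the timeout/CONNECTING state are counted, so the function is
    safe to run on an unfiltered export as well as on the query's results.
    """
    targets = defaultdict(lambda: defaultdict(set))   # src -> dst -> {ports}
    for f in flows:
        if f.get("status") != "timeout" or f.get("connectionStatus") != "CONNECTING":
            continue
        targets[f["SrcIP"]][f["DestIP"]].add(f["DestPort"])

    result = {}
    for src, per_dst in targets.items():
        hosts = len(per_dst)
        max_ports = max(len(ports) for ports in per_dst.values())
        if max_ports >= port_fanout:
            verdict = "port scan"
        elif hosts >= host_fanout:
            verdict = "host sweep"
        else:
            verdict = "unreachable destination"
        result[src] = (verdict, hosts, max_ports)
    return result


if __name__ == "__main__":
    for src, (verdict, hosts, ports) in sorted(triage(TIMED_OUT).items()):
        print(f"{src:16} {verdict:24} hosts={hosts:<3} max_ports_per_host={ports}")
```

Repeated attempts against the same host and port never raise either fan-out count, so a broken client keeps the "unreachable destination" verdict however many times it retries; the thresholds are the only tunables and should be set from what is normal on the monitored network.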
Filter by connections that timed out during data transfer
This filter retrieves TCP connections that were successfully established but later timed out while transmitting data. Such occurrences could signal network congestion, server unresponsiveness, or connection interruptions caused by external factors like firewall restrictions or packet loss.
Consider a situation where certain users report incomplete file downloads or interrupted streaming sessions. Applying this filter helps network administrators identify connections that experienced timeouts during active data exchange, allowing them to troubleshoot potential bottlenecks or stability issues in the network.
status:"timeout" AND connectionStatus:"ESTABLISHED"
Filter by OS
This filter retrieves network traffic where the source device's operating system has been detected. The _exists_ operator matches only records in which the _OS7.SrcOS field is present, while filtering by an OS name narrows the results to a specific platform, such as Windows, Linux, or macOS.
A network administrator investigating potential security risks may want to identify all traffic originating from devices running a specific OS. For example, filtering for Windows can help locate outdated systems that may be vulnerable to known exploits, enabling proactive security measures. The OS is inferred from traffic characteristics, so treat the value as a hint to be confirmed against the asset inventory rather than as an authoritative record.
_exists_:_OS7.SrcOS
Or filter by the detected operating system name directly, for example:
_OS7.SrcOS:"g:win:Windows:NT kernel"
Filter by connections that are losing packets
This filter identifies TCP connections in which packet loss occurred during data transmission. The _tcpFlow.sloss and _tcpFlow.dloss fields hold the number of lost packets in the source-to-destination and destination-to-source directions, respectively. Negating the value "0" with NOT for either field captures every flow in which at least one lost packet was recorded in either direction, and DetectedTrafficTag:"TCP_FLow" restricts the results to TCP flows. The parentheses are required so that the OR is evaluated before the AND.
Packet loss can indicate network congestion, poor link quality, or potential security threats like network attacks or misconfigurations. Network administrators can use this filter to monitor and troubleshoot degraded connections, ensuring optimal network performance and identifying issues that may require intervention.
(NOT _tcpFlow.sloss:"0" OR NOT _tcpFlow.dloss:"0") AND DetectedTrafficTag:"TCP_FLow"
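All of the queries on this page share one small grammar: field:"value" terms, bare field:value terms, _exists_:field, the operators AND, OR and NOT, and parentheses. The following is an added example, not code from the product, that parses that grammar and evaluates it against constructed flow records so the composed, NOT and packet-loss queries above can be checked offline. It assumes the usual boolean precedence (NOT binds tightest, then AND, then OR), treats an asterisk in a value as a wildcard so the redacted addresses in the AND example are matchable, and compares values as strings (booleans as true/false). The precedence is an assumption, not something this page documents, which is exactly why the page's own queries write the parentheses out; the last assertion in the usage shows what the packet-loss query would return without them.

```python
"""Evaluator for the Traffic tab query syntax (added example, not the product's code).
Assumptions: NOT > AND > OR precedence, '*' is a wildcard, values compare as strings,
booleans compare as true/false. Records are flat dicts keyed by field name."""
import re
from fnmatch import fnmatchcase

# One token per match: ( ) AND OR NOT _exists_:field field:"quoted value" field:bare
TOKEN_RE = re.compile(
    r'\s*(?:(\()|(\))|(AND|OR|NOT)\b|(_exists_):([\w.]+)|([\w.]+):(?:"([^"]*)"|([^\s()]+)))'
)


def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query) and query[pos:].strip():
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize near: {query[pos:]!r}")
        pos = m.end()
        lp, rp, kw, ex, ex_field, field, quoted, bare = m.groups()
        if lp or rp:
            tokens.append((lp or rp, None))
        elif kw:
            tokens.append((kw, None))
        elif ex:
            tokens.append(("EXISTS", ex_field))
        else:
            tokens.append(("TERM", (field, quoted if quoted is not None else bare)))
    return tokens


class _Parser:
    """Recursive descent: expr -> conj (OR conj)*, conj -> neg (AND neg)*, neg -> NOT neg | atom."""
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0
    def peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None
    def take(self):
        if self.i >= len(self.tokens):
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.tokens[self.i - 1]
    def expr(self):
        node = self.conj()
        while self.peek() == "OR":
            self.take(); node = ("OR", node, self.conj())
        return node
    def conj(self):
        node = self.neg()
        while self.peek() == "AND":
            self.take(); node = ("AND", node, self.neg())
        return node
    def neg(self):
        if self.peek() == "NOT":
            self.take(); return ("NOT", self.neg())
        return self.atom()
    def atom(self):
        kind, val = self.take()
        if kind == "(":
            node = self.expr()
            if self.take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if kind in ("TERM", "EXISTS"):
            return (kind, val)
        raise ValueError(f"unexpected token {kind!r}")


def evaluate(node, record):
    kind = node[0]
    if kind == "AND":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "OR":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if kind == "NOT":
        return not evaluate(node[1], record)
    if kind == "EXISTS":
        return record.get(node[1]) is not None
    value = record.get(node[1][0])          # TERM: missing field never matches
    if value is None:
        return False
    if isinstance(value, bool):
        value = "true" if value else "false"
    return fnmatchcase(str(value), node[1][1])


def search(query, records):
    """Return the ids of the records matched by query, in input order."""
    parser = _Parser(tokenize(query))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError("unexpected trailing token")
    return [r["id"] for r in records if evaluate(tree, r)]


# Constructed sample flows (not data from the product); field names follow this page.
FLOWS = [
    {"id": 1, "SrcIP": "192.168.200.18", "DestIP": "192.168.200.36", "Protocol": "TCP", "DestPort": 443, "status": "running", "connectionStatus": "ESTABLISHED", "_OS7.isProxyTraffic": False, "_OS7.isExternalTraffic": False, "_OS7.SrcOS": "g:win:Windows:NT kernel", "_tcpFlow.sloss": 0, "_tcpFlow.dloss": 3, "DetectedTrafficTag": "TCP_FLow"},
    {"id": 2, "SrcIP": "192.168.200.36", "DestIP": "192.168.200.18", "Protocol": "TCP", "DestPort": 22, "status": "timeout", "connectionStatus": "CONNECTING", "_OS7.isProxyTraffic": False, "_OS7.isExternalTraffic": False, "_tcpFlow.sloss": 0, "_tcpFlow.dloss": 0, "DetectedTrafficTag": "TCP_FLow"},
    {"id": 3, "SrcIP": "192.168.200.18", "DestIP": "198.51.100.53", "Protocol": "UDP", "DestPort": 53, "status": "running", "_OS7.isProxyTraffic": False, "_OS7.isExternalTraffic": True},
    {"id": 4, "SrcIP": "203.0.113.5", "DestIP": "192.168.200.36", "Protocol": "TCP", "DestPort": 443, "status": "running", "connectionStatus": "ESTABLISHED", "_OS7.isProxyTraffic": True, "_OS7.isExternalTraffic": True, "_OS7.direction": "external to internal communication", "_tcpFlow.sloss": 2, "_tcpFlow.dloss": 0, "DetectedTrafficTag": "TCP_FLow"},
    {"id": 5, "SrcIP": "192.168.200.71", "DestIP": "192.168.200.18", "Protocol": "ICMP", "status": "running", "_OS7.isProxyTraffic": False, "_OS7.isExternalTraffic": False, "_OS7.SrcOS": "g:unix:Linux:2.6.x"},
]

if __name__ == "__main__":
    for q in ('(NOT _tcpFlow.sloss:"0" OR NOT _tcpFlow.dloss:"0") AND DetectedTrafficTag:"TCP_FLow"',
              'NOT _tcpFlow.sloss:"0" OR NOT _tcpFlow.dloss:"0" AND DetectedTrafficTag:"TCP_FLow"'):
        print(search(q, FLOWS), q)
```

Run stand-alone, the two printed lines show the packet-loss query returning flows 1 and 4 with its parentheses, and flows 1, 3, 4 and 5 without them: once the OR no longer encloses both NOT terms, NOT _tcpFlow.sloss:"0" alone is true for every record that has no _tcpFlow.sloss field at all (the UDP and ICMP flows), and the tag check only applies to the right-hand branch. Whatever precedence the real search engine applies, writing the parentheses as the page does removes the ambiguity.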
Next, we proceed to viewing and searching the alerts generated from the traffic data.