@phaag
Last active April 17, 2026 16:27
nfdump Filter Syntax Cheatsheet

The nfdump filter syntax is similar to tcpdump, but it is adapted and extended for NetFlow and IPFIX records.
This cheatsheet provides both a learning-friendly introduction and a complete reference for filter usage in nfdump.


🧭 Getting Started with Filters

A filter defines which flow records should be matched or displayed.
You can apply a filter directly on the command line or load it from a file using -f.

```sh
# Example: Show all TCP traffic to destination port 80
nfdump -r /data 'proto tcp and dst port 80'

# Using a filter file
nfdump -r /data -f myfilter.txt
```

⚠️ Note: Filters with parentheses () or special characters should be quoted to avoid shell interpretation.

💡 Tip: Combine direction qualifiers (src, dst, prev, next) for more precise filtering.

1. Filter Syntax Fundamentals

The filter consists of one or more filter elements logically chained together. Each element applies to a single field in a NetFlow record such as protocol, IP address, or port.

| Rule | Description | Example |
|---|---|---|
| Logic | `and`, `or`, `not` (`!`). `and` has higher precedence than `or`. `not` applies to the element on its right. | `not proto tcp and dst port 80` |
| Grouping | Use parentheses `()` for complex logic. Must be quoted or escaped in the shell. | `'( net 10.0.0.0/8 or net 192.168.0.0/16 )'` |
| Case | All keywords are case-insensitive. | `PROTO TCP` is the same as `proto tcp` |
| Numeric Values | Supports decimal and hex (`0x22`) values as well as quantifiers (K, M, G, T). | `bytes > 1G` |
| External Filters | Use `@include file` to include the content of another file (only when using `-f`). The `@include` statement is replaced with the content of the file. The final filter must be valid. | `@include networks.txt` |

Notes:

  • A filter on the command line must always be the last argument.
  • Quoting is optional unless the syntax could interfere with the shell; in that case the filter must be quoted: `nfdump -r flows 'proto tcp and bytes > 1k'`

2. Filter Elements

A filter element may include an optional direction qualifier such as src, dst, prev, or next.
If omitted, the filter applies to both source and destination fields.

For example, ip 192.168.20.1 applies to both source and destination IP addresses.
If the value is numeric, it can be compared using relational operators such as <, >, >=, etc.

2.1. Addressing and Routing Primitives

| Primitive Keyword(s) | Direction Qualifier | Description | Example |
|---|---|---|---|
| `inet`, `ipv4` | (N/A) | Matches only IPv4 traffic. | `ipv4 and port 80` |
| `inet6`, `ipv6` | (N/A) | Matches only IPv6 traffic. | `ipv6 and proto udp` |
| `ip`, `host` | optional `src`, `dst` | Matches an IPv4 or IPv6 address. `host` is an alias for `ip`. | `ip 192.168.1.1`<br>`src ip 192.168.20.1` |
| `ip in [iplist]` | optional `src`, `dst` | Match an IP address in `iplist`, a ',' or space separated list of IP addresses and/or net blocks in CIDR notation. Use this form to match an IP address against a list of known IPs; for large lists it is more efficient than `(ip 1.1.1.1 or ip 2.2.2.2 or ip 3.3.3.3 ...)`. | `ip in [ 192.169.20.1 172.16.0.0/16]` |
| `net` | optional `src`, `dst` | Matches an entire IP subnet using CIDR notation. | `dst net 10.0.0.0/8` |
| `router ip` | (N/A) | IP address of the NetFlow exporting router. | `router ip 172.16.0.1` |
| `next ip` | (N/A) | The next hop IP address for the flow. | `next ip 10.10.10.254` |
| `bgp next ip` | (N/A) | BGP next hop IP address. | `bgp next ip 1.2.3.4` |
| `tun ip` | optional `src`, `dst` | Match tunnel IP address (for GRE, IPIP, IPv6 etc. tunnels). | `src tun ip 192.168.200.1` |
| `as` | optional `src`, `dst` | Autonomous System number. | `as 64512` |
| `as in [aslist]` | optional `src`, `dst` | Match AS number in `aslist`, a ',' or space separated list of AS numbers. | `src as in [ 1033 2011 65122, 3030]` |
| `as` | required `prev`, `next` | Next or previous Autonomous System number. | `prev as 64512` |
| `as in [aslist]` | required `prev`, `next` | Match next or previous AS number in `aslist`, a ',' or space separated list of AS numbers. | `next as in [ 2033 2051 51226, 7030]` |
| `mask` | optional `src`, `dst` | IP address mask field as network prefix. | `src mask 27` |
| `geo` | optional `src`, `dst` | Geo location country code (if compiled in). | `src geo CH` |
| `tor` | optional `src`, `dst` | Tor exit node IP (if compiled in). | `tor ip 1.1.1.1` |

2.2. Metric and Quantitative Primitives

These require a relational operator (=, !=, >, <, >=, <=) or (eq, ne, gt, lt, ge, le). If no operator is given, = applies.

| Primitive Keyword(s) | Value Type | Optional Quantifiers | Description | Example |
|---|---|---|---|---|
| `packets` | Integer | K, M, G, T | Total number of packets. | `packets < 100` |
| `bytes` | Integer | K, M, G, T | Total number of bytes. | `bytes > 50M` |
| `duration` | Float | (N/A) | Duration of the flow in seconds. | `duration >= 30` |
| `bps` | Integer | K, M, G, T | Bits per second (rate). | `bps > 10M` |
| `pps` | Integer | K, M, G, T | Packets per second (rate). | `pps > 500` |
| `bpp` | Integer | (N/A) | Bytes per packet. | `bpp < 100` |
| `count` | Integer | K, M, G, T | Comparison with the consecutive record number, to skip a number of records. | `count > 100` |

2.3. Protocol and Interface Primitives

| Primitive Keyword(s) | Optional Direction Qualifier | Description | Example |
|---|---|---|---|
| `proto` | (N/A) | IP protocol number or keyword (`tcp`, `udp`, `icmp`, `icmp6`). | `proto tcp` |
| `port` | `src`, `dst` | TCP/UDP port number. | `port < 1024` |
| `icmp type` | (N/A) | ICMP type number. | `icmp type 3` |
| `icmp code` | (N/A) | ICMP code number. | `icmp code 3` |
| `if` | `in`, `out` | SNMP interface index number. | `in if 5` |
| `vlan` | (N/A) | VLAN ID. | `vlan 100` |
| `dir` | (N/A) | Flow direction (0 or 1). | `dir 1` |

2.4. Extended Metadata and Flags

| Primitive Keyword(s) | Value Type | Description | Example |
|---|---|---|---|
| `flags` | String (S, A, F, R, P, U, E, C) | TCP flags filter. | `flags S and not flags A` |
| `flags` | Integer (0-127) | TCP flags as integer mask. | `flags 6` (identical to `flags S and flags R`) |
| `tos` | Integer (0-255) | IP Type of Service / DSCP value. | `tos 40` |
| `fwd status` | Integer (0-255) | Forwarding status field. | `fwd status 1` |
| `sampler id` | Integer (0-255) | NetFlow V9/IPFIX Sampler ID. | `sampler id 5` |

2.5. Payload filter primitives

All payload filters start with the keyword payload followed by the content decoding type and specific arguments.

| Content decoding argument(s) | Description | Example |
|---|---|---|
| `payload content 'string'` | Case sensitive string to be matched in payload data. The string must be quoted. | `payload content 'GET'` |
| `payload regex 'regex'` | Match the regex in the payload data. The regex string must be quoted. The regex engine understands the following reduced syntax:<br>`(..)` subexpression<br>`\|` 'or' operator<br>`^` begin of line anchor<br>`$` end of line anchor<br>`[...]` character class<br>`[^...]` inverse character class (not)<br>`?, *, +` simple quantifiers<br>`*?, +?, ??` lazy quantifiers<br>`{}, {, }` complex quantifiers<br>`\d` numeric character<br>`\w` alphanumeric character<br>`\r` carriage return<br>`\n` newline | `payload regex 'GET /.+HTTP/1.1'` |
| `payload regex 'regex'flags` | Match the regex in the payload as above, with the flag options:<br>`m` multiline<br>`i` case insensitive match<br>`s` dot '.' includes newline | `payload regex 'password'i` |
| `payload dns defined` | Match payload with valid DNS queries/answers. | `payload dns defined` |
| `payload dns name 'dnsname'` | Match payload DNS queries which contain the string `dnsname`. It may be the full name or a substring. | `payload dns name 'cloud'` |
| `payload dns address 'ipaddr'` | Match payload DNS answers or additional records which contain `ipaddr`. It may be the full or a partial IP address (string match). | `payload dns address '192.168'` |
| `payload ssl defined` | Match payload with a valid SSL/TLS handshake. | `payload ssl defined` |
| `payload ssl version version` | Match payload with a valid SSL handshake whose SSL version matches `version`. Valid versions are 1.0, 2.0, 3.0. | `payload ssl version 3.0` |
| `payload tls version version` | Match payload with a valid TLS handshake whose TLS version matches `version`. Valid versions are 1.0, 1.1, 1.2, 1.3. | `payload tls version 1.2` |
| `payload tls sni 'sniname'` | Match payload with a valid TLS handshake whose TLS SNI name contains the string `sniname`. | `payload tls sni 'google'` |
| `payload ja3 defined` | Match payload with a valid TLS handshake for which a valid JA3 value can be calculated. | `payload ja3 defined` |
| `payload ja3 md5sum` | Match payload with a valid TLS handshake whose JA3 value matches `md5sum`. | `payload ja3 2253c82f03b621c5144709b393fde2c9` |
| `payload ja4 defined` | Match payload with a valid TLS handshake for which a valid JA4 value can be calculated. | `payload ja4 defined` |
| `payload ja4 ja4Hash` | Match payload with a valid TLS handshake whose JA4 value matches the given `ja4Hash`. | `payload ja4 t12d640600_9197985d2161_36aea2269ab5` |
| `payload ja4s ja4sHash` | Match payload with a valid TLS handshake whose JA4S value matches the given `ja4sHash`. | `payload ja4s t130400_c030_1b122d51bd39` |

2.6. Latency Primitives (nprobe / IPFIX)

Latency is specified in milliseconds.

| Primitive Keyword(s) | Value Type | Description | Example |
|---|---|---|---|
| `client latency` | Integer | Client latency field. | `client latency > 100` |
| `server latency` | Integer | Server latency field. | `server latency < 50` |
| `application latency` | Integer | Application latency field. | `application latency > 200` |

2.7. CISCO ASA (NSEL/NEL) Specific Filters

| Primitive Keyword(s) | Value Type | Description | Example |
|---|---|---|---|
| `asa event` | Keyword or Integer | NSEL event type: `create`, `term`, `delete`, `deny`, `ignore`. | `asa event deny` |
| `asa event denied` | Keyword | Denied reason: `ingress`, `egress`, `interface`, `nosyn`. | `asa event denied nosyn` |
| `asa xevent` | Integer | Extended event field number (for denied events). | `asa xevent 10` |
| `nat event` | Integer | NAT event number (for NEL records). | `nat event 1` |
| `nat ip` | `src`, `dst` | NAT-translated IP address (NEL). | `src nat ip 1.1.1.1` |
| `nat port` | `src`, `dst` | NAT-translated port (NEL). | `dst nat port 8080` |

2.8. OpenBSD pflog Implemented Elements

| Primitive Keyword(s) | Value Type | Description | Example |
|---|---|---|---|
| `pf action` | Keyword | pflog action: `pass`, `block`, `scrub`, `nat`, etc. | `pf action block` |
| `pf reason` | Keyword | pflog reason: `match`, `fragment`, `bad-offset`, etc. | `pf reason state-limit` |
| `pf rule` | Integer | pflog rule number. | `pf rule 45` |
| `pf dir` | `in` or `out` | pflog rule direction. | `pf dir out` |
| `pf interface` | String | pflog interface name. | `pf interface em0` |

3. Practical Examples 🧑‍💻

| Goal | Filter Expression |
|---|---|
| Traffic to/from the 10.0.0.0/8 network, excluding a specific host. | `'net 10.0.0.0/8 and not host 10.0.0.1'` |
| All short-lived UDP floods (> 500 pps, < 1s duration). | `'proto udp and pps > 500 and duration < 1'` |
| Find flows with only the SYN flag set (initial connection attempt). | `'proto tcp and flags S and not flags A and not flags F and not flags R'` |
| All internal-to-DMZ traffic (example subnets). | `'( src net 10.0.0.0/8 and dst net 172.16.0.0/16 ) or ( src net 172.16.0.0/16 and dst net 10.0.0.0/8 )'` |
| High-volume TCP flows over 1 GB to/from a specific AS. | `'proto tcp and bytes > 1G and as 64512'` |
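As an added example (not part of this gist or of nfdump itself), the following Python evaluator implements the subset of the filter grammar described in sections 1 and 2: `and`/`or`/`not` precedence, parentheses, case-insensitive keywords, decimal and hex values with K/M/G/T quantifiers, the `src`/`dst` direction qualifiers, and the `ip`/`host`, `net`, `proto`, `port`, `bytes` and `flags` (letter form) primitives, and runs filters like the practical examples above against constructed flow records. The 1024-based quantifier scaling, the record field names and the sample flows are assumptions of this example, not taken from nfdump; the single quotes shown in the table are shell quoting and are not part of the filter string.

```python
import operator, re
from ipaddress import ip_address as IP, ip_network
# Constructed sample flow records, not real traffic (TCP flags given as nfdump letters).
FLOWS = [
    dict(sip="10.1.2.3", dip="192.168.1.10", sport=51234, dport=80, proto=6, bytes=3 * 2**30, flags="SAPF"),
    dict(sip="10.0.0.1", dip="172.16.5.5", sport=40000, dport=53, proto=17, bytes=120, flags=""),
    dict(sip="203.0.113.9", dip="10.9.9.9", sport=44444, dport=22, proto=6, bytes=60, flags="S"),
]
PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "icmp6": 58}
QUANT = {"k": 1024, "m": 1024**2, "g": 1024**3, "t": 1024**4}  # assumption: 1024-based K/M/G/T scaling
_OP = [operator.eq, operator.ne, operator.gt, operator.lt, operator.ge, operator.le]
OPS = {**dict(zip("= != > < >= <=".split(), _OP)), **dict(zip("eq ne gt lt ge le".split(), _OP))}
class Filter:
    def __init__(self, text):
        # Keywords are case-insensitive; parentheses and relational operators are separate tokens.
        self.tok, self.i = re.findall(r"\(|\)|[<>=!]=?|[^\s()<>=!]+", text.lower()), 0
        self.match = self._expr()
        if self.i != len(self.tok): raise SyntaxError("unexpected token: " + self.tok[self.i])
    def _peek(self): return self.tok[self.i] if self.i < len(self.tok) else None
    def _next(self): self.i += 1; return self.tok[self.i - 1]
    def _chain(self, sub, word, combine):  # left-to-right chain of `sub` elements joined by `word`
        fns = [sub()]
        while self._peek() == word: self._next(); fns.append(sub())
        return lambda f: combine(fn(f) for fn in fns)
    def _expr(self): return self._chain(self._term, "or", any)    # 'or' has the lowest precedence
    def _term(self): return self._chain(self._factor, "and", all)  # 'and' binds tighter than 'or'
    def _factor(self):
        t = self._next()
        if t in ("not", "!"): fn = self._factor(); return lambda f: not fn(f)  # negates only the next element
        if t == "(": fn = self._expr(); assert self._next() == ")", "missing ')'"; return fn
        self.i -= 1; return self._primitive()
    def _primitive(self):
        sides = (self._next(),) if self._peek() in ("src", "dst") else ("src", "dst")  # no qualifier: either side
        kw = self._next()
        op = OPS[self._next()] if self._peek() in OPS else operator.eq  # relational operator defaults to '='
        val = self._next()
        if kw in ("ip", "host"): return lambda f: any(IP(f[s[0] + "ip"]) == IP(val) for s in sides)
        if kw == "net": return lambda f: any(IP(f[s[0] + "ip"]) in ip_network(val, strict=False) for s in sides)
        if kw == "proto": p = PROTO.get(val) or int(val); return lambda f: f["proto"] == p
        if kw == "flags": return lambda f: set(val.upper()) <= set(f["flags"])  # all listed flags are set
        num = re.fullmatch(r"(0x[0-9a-f]+|\d+)([kmgt]?)", val)  # decimal or hex, optional K/M/G/T quantifier
        if kw not in ("port", "bytes") or not num: raise SyntaxError("unsupported element: %s %s" % (kw, val))
        n = int(num[1], 0) * QUANT.get(num[2], 1)
        if kw == "port": return lambda f: any(op(f[s[0] + "port"], n) for s in sides)
        return lambda f: op(f["bytes"], n)

def select(text, flows=FLOWS):  # indexes of the flows matched by an nfdump-style filter string
    match = Filter(text).match
    return [i for i, f in enumerate(flows) if match(f)]
```

Compare `select("not proto tcp and dst port 80")` with `select("not ( proto tcp and dst port 80 )")` to see the precedence rule from section 1 in action.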

Version 1.0 20251009

📚 Resources:
