flow

The flow option is used to check session properties of a given packet. There are four main property categories that one can check with this option:

  • The direction of the packet, specifically whether it's from a client to a server or from a server to a client
  • Whether the packet is part of an established TCP connection or not
  • Whether the packet is a reassembled packet or not
  • Whether the packet is a rebuilt frag packet or not

Each of these property categories has a few different arguments that can be specified in a flow option, but only one argument from each category can be included in a single option. All possible arguments are listed and described in the table below. To specify multiple properties, separate them with commas; the order is not important.

Argument          Description
to_client         Match on server responses
to_server         Match on client requests
from_client       Match on client requests
from_server       Match on server responses
established       Match only on established TCP connections
not_established   Match only when no TCP connection is established
stateless         Match regardless of stream state
no_stream         Match only on non-reassembled packets
only_stream       Match only on reassembled packets
no_frag           Match only on fragmented packets
only_frag         Match only on de-fragmented packets

Format:

flow:[{established|not_established|stateless}] \
     [,{to_client|to_server|from_client|from_server}] \
     [,{no_stream|only_stream}] \
     [,{no_frag|only_frag}];

Examples:

flow:to_server,established;
flow:to_client,established;
flow:stateless;
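The following is an added example, not code from Snort or from this documentation page. It models the rules stated above in Python: a parser that accepts the documented format, rejects unknown arguments and rejects two arguments from the same category, and a matcher that evaluates a parsed option against constructed session properties (the FlowSpec, SessionProps and REQUIREMENTS names, and the sample packets, are assumptions made for this example). It also makes explicit something the table only implies: to_client and from_server (and to_server and from_client) describe the same direction, so combining them is a category conflict, not a stricter match.

```python
"""Parse and evaluate the Snort `flow` rule option (added example, not Snort code)."""
from dataclasses import dataclass
from typing import Optional

# Each argument belongs to exactly one category; a single flow option may
# carry at most one argument per category (see the table above).
CATEGORIES = {
    "established": "state", "not_established": "state", "stateless": "state",
    "to_client": "direction", "to_server": "direction",
    "from_client": "direction", "from_server": "direction",
    "no_stream": "stream", "only_stream": "stream",
    "no_frag": "frag", "only_frag": "frag",
}

# from_server is the same direction as to_client; from_client the same as to_server.
_DIRECTION_ALIAS = {"from_server": "to_client", "from_client": "to_server"}


@dataclass(frozen=True)
class FlowSpec:
    """One parsed flow option; None means the category was not specified."""
    state: Optional[str] = None
    direction: Optional[str] = None   # normalised to "to_client" / "to_server"
    stream: Optional[str] = None
    frag: Optional[str] = None


def parse_flow(option: str) -> FlowSpec:
    """Parse text of the form 'flow:<arg>[,<arg>...];' into a FlowSpec.

    Raises ValueError on bad framing, unknown arguments, or two arguments
    from the same category. Argument order is not significant.
    """
    text = option.strip()
    if not text.startswith("flow:") or not text.endswith(";"):
        raise ValueError("expected the form flow:<args>;")
    body = text[len("flow:"):-1].strip()
    if not body:
        raise ValueError("flow option needs at least one argument")
    seen: dict = {}
    for arg in (a.strip() for a in body.split(",")):
        category = CATEGORIES.get(arg)
        if category is None:
            raise ValueError(f"unknown flow argument: {arg!r}")
        if category in seen:
            raise ValueError(
                f"only one {category} argument allowed, got {seen[category]!r} and {arg!r}")
        seen[category] = _DIRECTION_ALIAS.get(arg, arg)
    return FlowSpec(**seen)


def is_valid(option: str) -> bool:
    """True when the option parses under the rules above."""
    try:
        parse_flow(option)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class SessionProps:
    """Constructed session properties of one packet, used for matching."""
    to_server: bool      # True: client -> server; False: server -> client
    established: bool    # part of an established TCP connection
    reassembled: bool    # a stream-reassembled packet
    rebuilt_frag: bool   # a rebuilt (de-fragmented) packet


# What each argument requires of the packet; stateless imposes nothing.
REQUIREMENTS = {
    "to_server": lambda p: p.to_server,
    "to_client": lambda p: not p.to_server,
    "established": lambda p: p.established,
    "not_established": lambda p: not p.established,
    "stateless": lambda p: True,
    "only_stream": lambda p: p.reassembled,
    "no_stream": lambda p: not p.reassembled,
    "only_frag": lambda p: p.rebuilt_frag,
    "no_frag": lambda p: not p.rebuilt_frag,
}


def matches(spec: FlowSpec, packet: SessionProps) -> bool:
    """True when every category present in the spec agrees with the packet."""
    present = (spec.state, spec.direction, spec.stream, spec.frag)
    return all(REQUIREMENTS[arg](packet) for arg in present if arg is not None)


if __name__ == "__main__":
    # Constructed packets: a client request and a reassembled server response.
    request = SessionProps(to_server=True, established=True, reassembled=False, rebuilt_frag=False)
    response = SessionProps(to_server=False, established=True, reassembled=True, rebuilt_frag=False)
    for text in ("flow:to_server,established;", "flow:to_client,established;", "flow:stateless;"):
        spec = parse_flow(text)
        print(f"{text:32} request={matches(spec, request)} response={matches(spec, response)}")
    print("flow:to_server,from_client; valid?", is_valid("flow:to_server,from_client;"))
```

Running the script evaluates the three documented examples against both constructed packets; the last line shows that to_server and from_client are rejected together, because they are two arguments from the direction category.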