flow
The flow option is used to check session properties of a given packet. There are four main property categories that one can check with this option:
- The direction of the packet, specifically whether it's from a client to a server or from a server to a client
- Whether the packet is part of an established TCP connection or not
- Whether the packet is a reassembled packet or not
- Whether the packet is a rebuilt frag packet or not
Each of these property categories has a few different arguments that can be given to the flow option, but only one argument from each category can appear in a single option. All possible arguments are listed and described in the table below. Multiple arguments are separated by commas; their order is not significant.
| Argument | Description |
|---|---|
| to_client | Match on server responses |
| to_server | Match on client requests |
| from_client | Match on client requests |
| from_server | Match on server responses |
| established | Match only on established TCP connections |
| not_established | Match only when no TCP connection is established |
| stateless | Match regardless of stream state |
| no_stream | Match only on non-reassembled packets |
| only_stream | Match only on reassembled packets |
| no_frag | Match only on fragmented packets |
| only_frag | Match only on de-fragmented packets |
Format:

```
flow:[{established|not_established|stateless}] \
    [,{to_client|to_server|from_client|from_server}] \
    [,{no_stream|only_stream}] \
    [,{no_frag|only_frag}];
```
Examples:

```
flow:to_server,established;
flow:to_client,established;
flow:stateless;
```
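As an added example that is not part of the Snort documentation or code, the following Python checker applies the grammar above to a rule's flow option: it maps every argument to its category, accepts them in any order, and rejects unknown arguments or two arguments from the same category (so `flow:to_client,from_server;` is refused even though both describe a server response). The function names and the rejection of an empty argument list are this example's own choices.

```python
# Added example: validate a Snort 'flow:...;' option against the four
# categories described in the table. Not Snort's own parser.

FLOW_CATEGORIES = {
    "state": {"established", "not_established", "stateless"},
    "direction": {"to_client", "to_server", "from_client", "from_server"},
    "stream": {"no_stream", "only_stream"},
    "frag": {"no_frag", "only_frag"},
}
# Reverse lookup: argument name -> category it belongs to.
_ARG_TO_CATEGORY = {arg: cat for cat, args in FLOW_CATEGORIES.items() for arg in args}


def parse_flow_option(option: str) -> dict:
    """Parse 'flow:<arg>[,<arg>...];' into {category: argument}.

    Raises ValueError for a malformed option, an unknown argument, or a
    second argument from a category that is already present.
    """
    text = option.strip()
    if not text.startswith("flow:") or not text.endswith(";"):
        raise ValueError(f"not a flow option: {option!r}")
    body = text[len("flow:"):-1]
    chosen = {}
    for raw in body.split(","):
        arg = raw.strip()
        if not arg:
            # Covers 'flow:;' and stray commas such as 'flow:to_server,;'
            # (rejecting an empty list is this checker's choice).
            raise ValueError(f"empty argument in {option!r}")
        cat = _ARG_TO_CATEGORY.get(arg)
        if cat is None:
            raise ValueError(f"unknown flow argument {arg!r}")
        if cat in chosen:
            raise ValueError(f"{cat} given twice: {chosen[cat]!r} and {arg!r}")
        chosen[cat] = arg
    return chosen


def is_valid_flow_option(option: str) -> bool:
    """True when the option parses under the rules above, False otherwise."""
    try:
        parse_flow_option(option)
    except ValueError:
        return False
    return True
```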