"TCP Errors" tcp.analysis.flags && !tcp.analysis.duplicate_ack
"TCP Retrans" tcp.analysis.retransmission || tcp.analysis.fast_retransmission
"TCP RST" tcp.flags.reset == 1
"TCP SYN only" tcp.flags == 0x002
"TCP Zero Window" tcp.analysis.zero_window
"Low TTL" ip.ttl < 5
"Bad Checksum" ip.checksum.status == 2 || tcp.checksum.status == 2 || udp.checksum.status == 2
"ICMP Errors" icmp.type >= 3
"DNS NXDOMAIN" dns.flags.rcode == 3
"DNS Errors" dns.flags.rcode != 0
"DHCP" bootp
"DHCP Discover/Offer" bootp.option.dhcp == 1 || bootp.option.dhcp == 2
"DHCP NAK" bootp.option.dhcp == 6
"ARP requests" arp.opcode == 1
"ARP responses" arp.opcode == 2
"SIP" sip
"RTP" rtp
"HTTP 4xx 5xx" http.response.code >= 400
"FTP" ftp
"Port Scan heuristic" tcp.flags.syn == 1 && tcp.flags.ack == 0
"Fragmented IP" ip.flags.mf == 1 || ip.frag_offset > 0
"Malformed" _ws.malformed
"Large packets (> 1400)" frame.len > 1400
"No retrans no dup" not tcp.analysis.retransmission and not tcp.analysis.duplicate_ack
