1 "Ethernet address 00:00:5e:00:53:00" eth.addr == 00:00:5e:00:53:00
2 "Ethernet type 0x0806 (ARP)" eth.type == 0x0806
3 "Ethernet broadcast" eth.addr == ff:ff:ff:ff:ff:ff
6 "IPv4 address 192.0.2.1" ip.addr == 192.0.2.1
7 "IPv4 address isn't 192.0.2.1 (don't use != for this!)" !(ip.addr == 192.0.2.1)
9 "IPv6 address 2001:db8::1" ipv6.addr == 2001:db8::1
12 "Non-DNS" !(udp.port == 53 || tcp.port == 53)
13 "TCP or UDP port is 80 (HTTP)" tcp.port == 80 || udp.port == 80
15 "No ARP and no DNS" not arp and !(udp.port == 53)
16 "Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}