🔍 Interpreting Manual Filters
Parameters
any
» Everything, same as 0.0.0.0/0 and ::/0.
src
» Source.
dst
» Destination.
proto
» Communication protocol (TCP, UDP, ICMP, ICMP6, GRE, etc.).
ttl
» Time-to-Live (TTL) value of the packet, indicating how many hops it can still make before being discarded.
port
» Port number.
port in
» List of ports.
src port
» Source port.
dst port
» Destination port.
src port in [range]
» List of source ports.
dst port in [range]
» List of destination ports.
For fields marked [range], you can supply more than one value: [ value-1 value-2 value-3 ]
net
» Network prefix.
src net
» Source network prefix.
dst net
» Destination network prefix.
ip
» IP address.
ip in [range]
» List of IPs.
src ip
» Source IP address.
dst ip
» Destination IP address.
dst ip in [range]
» List of destination IPs.
src ip in [range]
» List of source IPs.
as
» AS (Autonomous System).
as in [range]
» List of ASes.
src as
» Source AS.
dst as
» Destination AS.
src as in [range]
» List of source ASes.
dst as in [range]
» List of destination ASes.
bgpnext ip
» Next BGP IP. The next IP address in the BGP path.
next ip
» Next IP. The next IP address in the route path.
if number
» Interface. Identifies a specific interface by its SNMP number.
in if number
» Input interface.
out if number
» Output interface.
nat ip
» Shared IP address.
src nat ip
» Shared source IP address.
dst nat ip
» Shared destination IP address.
src nat port
» Shared source port.
dst nat port
» Shared destination port.
src nat port in [range]
» List of shared source ports.
dst nat port in [range]
» List of shared destination ports.
nat net
» Shared network prefix.
src nat net
» Shared source network prefix.
dst nat net
» Shared destination network prefix.
Operators
Operators are used to combine or modify filters to refine the data search:
AND
» Logical AND operator.
NOT
» Logical NOT operator.
OR
» Logical OR operator.
Examples
IP
ip 10.0.168.9
Filters traffic by the specified IP, both source and destination.
dst ip 10.0.168.9
Filters traffic with the specified destination IP.
dst ip 2001:db8:bebe:cafe::9
Filters traffic with the specified IPv6 destination address.
dst ip 10.0.168.9 OR dst ip 2001:db8:bebe:cafe::9
Filters traffic with either of the specified destination IPs.
dst ip in [10.0.168.9 2001:db8:bebe:cafe::9]
Filters traffic with any of the IPs in the specified list as destination.
dst ip 10.0.168.9 AND dst port 443
Filters traffic to IP 10.0.168.9 on destination port 443.
dst ip 10.0.168.9 AND port 443
Filters traffic to IP 10.0.168.9 on port 443, regardless of source or destination port.
dst ip 10.0.168.9 AND (dst port 443 OR dst port 8080)
Filters traffic to IP 10.0.168.9 on destination ports 443 or 8080.
(dst ip 10.0.168.9 OR dst ip 2001:db8:bebe:cafe::9) AND (dst port 443 OR dst port 8080)
Filters traffic to IPs 10.0.168.9 or 2001:db8:bebe:cafe::9 on destination ports 443 or 8080.
dst ip 10.0.168.9 AND dst port in [443 8080]
Filters traffic to IP 10.0.168.9 on destination ports 443 or 8080.
dst ip 10.0.168.9 AND dst port in [443 8080 25]
Filters traffic to IP 10.0.168.9 on destination ports 443, 8080, or 25.
dst ip 10.0.168.9 AND dst port <= 1024
Filters traffic to IP 10.0.168.9 on destination ports less than or equal to 1024.
dst ip 10.0.168.9 AND dst port >= 0 AND dst port <= 1024
Filters traffic to IP 10.0.168.9 in a destination port range from 0 to 1024.
dst ip 10.0.168.18 AND dst port >= 8000 AND dst port <= 9000
Filters traffic to IP 10.0.168.18 in a destination port range from 8000 to 9000.
dst ip 10.0.168.2 AND proto UDP
Filters traffic to IP 10.0.168.2 using the UDP protocol.
dst ip 10.0.168.2 AND proto TCP
Filters traffic to IP 10.0.168.2 using the TCP protocol.
dst ip 10.0.168.2 AND dst port >= 0 AND dst port <= 1024 AND proto UDP
Filters traffic to IP 10.0.168.2 on destination ports 0 to 1024 using UDP protocol.
dst ip 10.0.168.27 AND proto ICMP
Filters traffic to IP 10.0.168.27 using the ICMP protocol.
NET
net 10.0.170.0/24
Filters traffic associated with the network 10.0.170.0/24.
dst net 10.0.170.0/24
Filters traffic destined to the network 10.0.170.0/24.
src net 10.0.170.0/24
Filters traffic originating from the network 10.0.170.0/24.
(net 10.0.170.0/24 OR net 10.0.171.0/24)
Filters traffic associated with networks 10.0.170.0/24 or 10.0.171.0/24.
dst net 10.0.170.0/24 AND proto ICMP
Filters traffic destined to network 10.0.170.0/24 using the ICMP protocol.
dst net 10.0.170.0/24 AND proto GRE
Filters traffic destined to network 10.0.170.0/24 using the GRE protocol.
dst net 10.0.168.0/21 AND proto UDP
Filters traffic destined to network 10.0.168.0/21 using the UDP protocol.
dst net 10.0.168.0/21 AND proto UDP AND not src port in [443]
Filters traffic destined to network 10.0.168.0/21 using UDP protocol, excluding traffic from source port 443.
dst ip 10.0.168.9 AND dst port 8080 AND proto TCP
Filters traffic to IP 10.0.168.9 on port 8080 using the TCP protocol.
dst net 10.0.168.0/21 AND proto TCP AND not src port in [443 80]
Filters traffic destined to network 10.0.168.0/21 using TCP protocol, excluding traffic from source ports 443 and 80.
dst net 10.0.170.0/24 AND proto ICMP
Filters traffic destined to network 10.0.170.0/24 using the ICMP protocol.
ICMP
dst net 10.0.170.0/24 AND proto ICMP AND icmp-type 8 AND icmp-code 0
Echo Request (ICMP type 8, code 0)
dst net 10.0.170.0/24 AND proto ICMP AND icmp-type 11
Time Exceeded (ICMP type 11)
ICMP Types
0: Echo Reply – Reply to an echo request (ping).
3: Destination Unreachable – Destination is unreachable, with codes from 0 to 15 detailing the reason.
4: Source Quench – Request to reduce message sending speed (obsolete).
5: Redirect – Instructs route change, with codes from 0 to 3.
8: Echo Request – Used to check host accessibility (ping).
9 and 10: Router Advertisement and Router Solicitation – For automatic router discovery.
11: Time Exceeded – Packet TTL expired, codes 0 and 1.
12: Parameter Problem – Parameter problem, codes 0 to 2.
13 and 14: Timestamp and Timestamp Reply – For time synchronization.
ICMP Codes
0: Network unreachable.
1: Host unreachable.
2: Protocol unreachable.
3: Port unreachable.
4: Fragmentation needed and DF set.
5: Source routing failed.
Connection Duration
Duration values are expressed in milliseconds. Below are some example duration conversions:
50000: 5 seconds
100000: 10 seconds
150000: 15 seconds
300000: 30 seconds
600000: 1 minute
1200000: 2 minutes
3000000: 5 minutes
To filter connections based on their duration, you can use the duration parameter. For example:
duration >= 60000
Filter connections lasting at least 1 minute.
dst ip 10.0.168.9 AND dst port 8080 AND proto TCP AND duration >= 60000
Filter traffic to IP 10.0.168.9 on port 8080 using TCP that lasts at least 1 minute.
ASN (Autonomous System)
Examples of ASN-based filters:
as 15169
Filters traffic associated with ASN 15169 (Google).
src as 15169
Filters traffic originating from ASN 15169.
dst as 15169 OR dst as 36040 OR dst as 396982
Filters traffic destined to any of the specified ASNs.
dst as in [15169 36040 396982]
Filters traffic destined to a list of ASNs.
dst as >= 13335 AND dst as <= 15169
Filters traffic destined to ASNs within a specific range.
Bytes (Data Transfers)
Examples of filters to identify significant data transfers:
proto TCP AND dst port 80 AND bytes > 1M
proto TCP AND dst port 80 AND bytes > 1048576
TCP traffic to port 80 with transfers greater than 1MB.
proto TCP AND dst port 80 AND bytes > 10M
proto TCP AND dst port 80 AND bytes > 10485760
TCP traffic to port 80 with transfers greater than 10MB.
proto TCP AND dst port 80 AND bytes > 100M
proto TCP AND dst port 80 AND bytes > 104857600
TCP traffic to port 80 with transfers greater than 100MB.
proto TCP AND dst port in [80 443] AND bytes > 100M
proto TCP AND dst port in [80 443] AND bytes > 104857600
TCP traffic to ports 80 and 443 with transfers greater than 100MB.
proto TCP AND dst port in [80 443] AND bytes > 500M
proto TCP AND dst port in [80 443] AND bytes > 524288000
TCP traffic to ports 80 and 443 with transfers greater than 500MB.
proto TCP AND dst port in [80 443] AND bytes > 1G
proto TCP AND dst port in [80 443] AND bytes > 1073741824
TCP traffic to ports 80 and 443 with transfers greater than 1GB.
Identification of large data transfers from your network:
src net 10.0.168.0/21 AND proto TCP AND bytes > 500M AND duration > 50000
Large data transfers (> 500MB) from the network 10.0.168.0/21 lasting longer than 50 seconds.
(src net 10.0.168.0/21 OR src net 10.5.220.0/22 OR src net 10.186.204.0/22 OR src net 2001:db8::/32) AND proto TCP AND bytes > 524288000 AND duration > 50000
Large data transfers (> 500MB) from multiple networks lasting longer than 50 seconds.
src net 10.0.168.0/21 AND proto UDP AND not dst port in [53 123 161] AND bytes < 200
UDP traffic leaving the network 10.0.168.0/21 to uncommon ports with small payloads, possibly indicating malicious activity or reconnaissance.
TCP Flags
TCP flags are used to control the state of a connection and are critical for analyzing network behavior:
S (SYN): Initiates a TCP connection.
A (ACK): Acknowledges receipt of data.
F (FIN): Indicates the end of data transmission.
R (RST): Abruptly resets the TCP connection.
P (PSH): Requests immediate data delivery.
U (URG): Indicates urgent data in the packet.
X: All flags set (used for diagnostics or testing).
flags S
Start of a TCP connection.
flags SA
Establishment of a TCP connection.
flags PA
Data transmission in an established connection.
flags FA
Termination of an established connection.
flags S AND not flags AFRPU
Syntax to get flows with only the SYN flag set.
flags S AND not flags AFRPU AND dst port 22
Detection of SYN scan on SSH port.
flags S AND not flags AFRPU AND dst port 22 AND dst net 10.0.170.0/24
Filter for SYN scan on SSH for network 10.0.170.0/24.
flags S AND not flags AFRPU AND dst port in [22 23 80 443] AND dst net 10.0.170.0/24
Detection of SYN scans on ports 22, 23, 80, 443 on network 10.0.170.0/24.
flags S AND not flags AFRPU AND dst port in [22 23 80 443] AND dst net 10.0.170.0/24 AND bytes > 98304
Detection of SYN flag traffic on certain ports with over 96KB of data.
flags RA AND dst net 10.0.168.0/21
Identification of abrupt connection terminations on network 10.0.168.0/21.
xip 249.0.0.200 and src xport >= 1000 and src xport <= 2000
Identifying a shared IP with port range between 1000 and 2000.
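The SYN-only filters above select candidate flows; deciding that a source is scanning also needs the fan-out per source. The following Python is an added example, not the product's code: it re-implements `flags S AND not flags AFRPU AND dst port in [22 23 80 443] AND dst net 10.0.170.0/24` over constructed flow records, assuming hypothetical field names, the flag semantics this page describes, and an arbitrary threshold of three distinct targets.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records; field names are hypothetical, not the product's schema.
# "flags" is the union of TCP flags seen during the flow, as flow exporters report it.
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.170.10", "dport": 22,  "proto": "TCP", "flags": "S"},
    {"src": "198.51.100.7", "dst": "10.0.170.11", "dport": 22,  "proto": "TCP", "flags": "S"},
    {"src": "198.51.100.7", "dst": "10.0.170.12", "dport": 23,  "proto": "TCP", "flags": "S"},
    {"src": "198.51.100.7", "dst": "10.0.170.13", "dport": 80,  "proto": "TCP", "flags": "S"},
    {"src": "198.51.100.7", "dst": "10.0.171.5",  "dport": 22,  "proto": "TCP", "flags": "S"},     # other network
    {"src": "203.0.113.5",  "dst": "10.0.170.20", "dport": 443, "proto": "TCP", "flags": "SAPF"},  # full session
    {"src": "203.0.113.9",  "dst": "10.0.170.20", "dport": 443, "proto": "TCP", "flags": "S"},     # one unanswered SYN
    {"src": "203.0.113.9",  "dst": "10.0.170.20", "dport": 443, "proto": "TCP", "flags": "S"},     # retry, same target
]

def flags_set(flow, wanted):
    """`flags SA`: every listed flag is present; flags not listed are don't-care."""
    return set(wanted) <= set(flow["flags"])

def flags_absent(flow, unwanted):
    """`not flags AFRPU` as the page uses it: none of the listed flags is present."""
    return not (set(unwanted) & set(flow["flags"]))

def syn_only(flow):
    """`flags S AND not flags AFRPU`: SYN seen, and nothing else."""
    return flow["proto"] == "TCP" and flags_set(flow, "S") and flags_absent(flow, "AFRPU")

def matches_page_filter(flow, net="10.0.170.0/24", ports=(22, 23, 80, 443)):
    """flags S AND not flags AFRPU AND dst port in [22 23 80 443] AND dst net 10.0.170.0/24"""
    return (syn_only(flow)
            and flow["dport"] in ports
            and ip_address(flow["dst"]) in ip_network(net))

def scan_candidates(flows, min_targets=3):
    """Group matching flows by source and keep sources that touched at least
    min_targets distinct (dst ip, dst port) pairs. min_targets is an assumed threshold."""
    targets = defaultdict(set)
    for flow in flows:
        if matches_page_filter(flow):
            targets[flow["src"]].add((flow["dst"], flow["dport"]))
    return {src: len(seen) for src, seen in targets.items() if len(seen) >= min_targets}

if __name__ == "__main__":
    for src, count in scan_candidates(FLOWS).items():
        print(f"{src}: SYN-only flows to {count} distinct targets")
```

The single retried SYN from 203.0.113.9 matches the filter but stays below the threshold, which is why a per-source count is worth adding on top of the raw filter before alerting.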
Others
Here are some more examples, well suited for configuring in data_traffic_analysis.json and creating triggers.
proto UDP and (port 80 or port 443)
QUIC+DoH Traffic
proto UDP and (port 80 or port 443) and not (ip 8.8.8.8 or ip 8.8.4.4 or ip 1.1.1.1 or ip 1.0.0.1 or ip 9.9.9.9 or ip 149.112.112.112 or ip 208.67.222.222 or ip 208.67.220.220 or ip 94.140.14.14 or ip 94.140.15.15 or ip 185.228.168.9 or ip 185.228.169.9 or ip 76.76.19.19 or ip 76.223.122.150 or ip 8.26.56.26 or ip 8.20.247.20 or ip 77.88.8.8 or ip 77.88.8.1 or ip 64.6.64.6 or ip 64.6.65.6 or ip 84.200.69.80 or ip 84.200.70.40 or ip 195.46.39.39 or ip 195.46.39.40 or ip 91.239.100.100 or ip 89.233.43.71 or ip 76.76.2.0 or ip 76.76.10.0 or ip 1.1.1.2 or ip 1.0.0.2 or ip 1.1.1.3 or ip 1.0.0.3 or ip 208.67.222.123 or ip 208.67.220.123 or ip 185.228.168.168 or ip 185.228.169.168 or ip 2001:4860:4860::8888 or ip 2001:4860:4860::8844 or ip 2606:4700:4700::1111 or ip 2606:4700:4700::1001 or ip 2620:fe::fe or ip 2620:fe::9 or ip 2620:119:35::35 or ip 2620:119:53::53 or ip 2a10:50c0::1:ff or ip 2a10:50c0::2:ff or ip 2a0d:2a00:1::2 or ip 2a0d:2a00:2::2 or ip 2602:fcbc::ad or ip 2602:fcbc::ad1 or ip 2a02:6b8::feed:0ff or ip 2a02:6b8:0:1::feed:0ff or ip 2620:74:1b::1:1 or ip 2620:74:1c::2:2 or ip 2001:1608:10:25::1c04:b12f or ip 2001:1608:10:25::9249:d69b or ip 2001:67c:28a4:: or ip 2a01:3a0:53:53:: or ip 2606:4700:4700::1112 or ip 2606:4700:4700::1002 or ip 2606:4700:4700::1113 or ip 2606:4700:4700::1003 or ip 2a0d:2a00:1::168 or ip 2a0d:2a00:2::168)
QUIC Traffic (UDP Web without DNS)
proto UDP and (port 80 or port 443) and (ip 8.8.8.8 or ip 8.8.4.4 or ip 1.1.1.1 or ip 1.0.0.1 or ip 9.9.9.9 or ip 149.112.112.112 or ip 208.67.222.222 or ip 208.67.220.220 or ip 94.140.14.14 or ip 94.140.15.15 or ip 185.228.168.9 or ip 185.228.169.9 or ip 76.76.19.19 or ip 76.223.122.150 or ip 8.26.56.26 or ip 8.20.247.20 or ip 77.88.8.8 or ip 77.88.8.1 or ip 64.6.64.6 or ip 64.6.65.6 or ip 84.200.69.80 or ip 84.200.70.40 or ip 195.46.39.39 or ip 195.46.39.40 or ip 91.239.100.100 or ip 89.233.43.71 or ip 76.76.2.0 or ip 76.76.10.0 or ip 1.1.1.2 or ip 1.0.0.2 or ip 1.1.1.3 or ip 1.0.0.3 or ip 208.67.222.123 or ip 208.67.220.123 or ip 185.228.168.168 or ip 185.228.169.168 or ip 2001:4860:4860::8888 or ip 2001:4860:4860::8844 or ip 2606:4700:4700::1111 or ip 2606:4700:4700::1001 or ip 2620:fe::fe or ip 2620:fe::9 or ip 2620:119:35::35 or ip 2620:119:53::53 or ip 2a10:50c0::1:ff or ip 2a10:50c0::2:ff or ip 2a0d:2a00:1::2 or ip 2a0d:2a00:2::2 or ip 2602:fcbc::ad or ip 2602:fcbc::ad1 or ip 2a02:6b8::feed:0ff or ip 2a02:6b8:0:1::feed:0ff or ip 2620:74:1b::1:1 or ip 2620:74:1c::2:2 or ip 2001:1608:10:25::1c04:b12f or ip 2001:1608:10:25::9249:d69b or ip 2001:67c:28a4:: or ip 2a01:3a0:53:53:: or ip 2606:4700:4700::1112 or ip 2606:4700:4700::1002 or ip 2606:4700:4700::1113 or ip 2606:4700:4700::1003 or ip 2a0d:2a00:1::168 or ip 2a0d:2a00:2::168)
DoH Traffic (Public DNS over HTTPS)
proto TCP
TCP traffic
proto UDP
UDP traffic
flags S
SYN traffic
flags S and not flags A
TCP SYN traffic without ACK response
flags A and flags S
TCP SYN+ACK traffic
flags R
TCP Reset (RST) packets traffic
flags A and not flags S
TCP ACK traffic of active sessions
proto UDP and not (port 80 or port 443)
General UDP traffic (excluding Web)
port 53
DNS traffic
(proto TCP and port 0) or (proto UDP and port 0)
Anomalous traffic on port 0 (TCP/UDP)
proto GRE or proto L2TP or proto ESP or proto AH
Tunnel traffic
proto ESP or proto AH
IPsec traffic
proto ICMP or proto ICMP6
ICMP traffic
proto TCP and port 80
HTTP traffic
proto TCP and port 443
HTTPS traffic
proto TCP and (port 25 or port 110 or port 143 or port 465 or port 585 or port 587 or port 993 or port 995)
Email traffic
proto TCP and (port 80 or port 443)
Web traffic (HTTP/HTTPS)
proto TCP and port 22
SSH traffic
port 5060
VoIP SIP traffic
proto UDP and port 123
Network Time Protocol (NTP) traffic
proto UDP and (port 161 or port 162)
SNMP monitoring traffic
port 3389
Remote Desktop Protocol (RDP) traffic
proto UDP and port 1900
UPnP (SSDP) traffic
proto TCP and port 139
File sharing traffic (NetBIOS)
proto UDP and port 11211 and bytes > 1400
Memcached amplification traffic
port 19
Chargen amplification traffic
proto TCP and port 389
LDAP authentication
proto UDP and port 389
LDAP queries (UDP)
in if 87 and not flags S and not flags AFRPU and (proto tcp or proto udp) and not port in [80 443]
not flags S and not flags AFRPU and (proto tcp or proto udp) and not port in [80 443]
TCP/UDP traffic filter excluding ports 80 and 443, without SYN packets and control flags, focused on identifying possible attacks outside web traffic.
dst ip in [1.1.1.1 8.8.8.8 8.8.4.4 1.0.0.1] AND dst port 53 AND proto UDP
Filters traffic destined to Google’s DNS servers (8.8.8.8, 8.8.4.4) and Cloudflare’s (1.1.1.1, 1.0.0.1) on UDP port 53.
dst as in [13335 15169] AND dst port 53 AND proto UDP
Filters traffic destined to ASNs 13335 (Cloudflare) and 15169 (Google) on UDP port 53.
dst net 10.0.170.0/24 AND dst port 0
Identifies traffic destined to the network 10.0.170.0/24 on port 0, which is unusual for regular communication.
dst net 10.0.170.0/24 AND dst port 0 AND not proto GRE
Filters traffic destined to the network 10.0.170.0/24 on port 0, excluding the GRE protocol.
dst net 10.0.168.0/21 AND dst port 0 AND not proto GRE AND not proto ICMP
Filters traffic destined to the network 10.0.168.0/21 on port 0, excluding GRE and ICMP protocols, indicating potentially suspicious or non-conventional activity.
Reserved ASNs
ASN | Desc. | RFC |
---|---|---|
0 | RESERVED BY | RFC7607 |
23456 | AS_TRANS | RFC6793 |
64496-64511 | FOR DOCUMENTATION AND SAMPLE CODE | RFC5398 |
64512-65534 | FOR PRIVATE USE | RFC6996 |
65535 | RESERVED | RFC7300 |
65536-65551 | FOR DOCUMENTATION AND SAMPLE CODE | RFC5398 |
4200000000-4294967294 | FOR PRIVATE USE | RFC6996 |
4294967295 | RESERVED | RFC7300 |
65552-157371 | IANA RESERVED ASNS | - |
Protocols
Nº | Keyword | Protocol |
---|---|---|
0 | HOPOPT | IPv6 Hop-by-Hop Option |
1 | ICMP | Internet Control Message Protocol |
2 | IGMP | Internet Group Management Protocol |
3 | GGP | Gateway-to-Gateway Protocol |
4 | IP-in-IP | IP in IP (encapsulation) |
5 | ST | Internet Stream Protocol |
6 | TCP | Transmission Control Protocol |
7 | CBT | Core-based trees |
8 | EGP | Exterior Gateway Protocol |
9 | IGP | Interior gateway protocol (any private interior gateway, for example Cisco’s IGRP) |
10 | BBN-RCC-MON | BBN RCC Monitoring |
11 | NVP-II | Network Voice Protocol |
12 | PUP | Xerox PUP |
13 | ARGUS | ARGUS |
14 | EMCON | EMCON |
15 | XNET | Cross Net Debugger |
16 | CHAOS | Chaos |
17 | UDP | User Datagram Protocol |
18 | MUX | Multiplexing |
19 | DCN-MEAS | DCN Measurement Subsystems |
20 | HMP | Host Monitoring Protocol |
21 | PRM | Packet Radio Measurement |
22 | XNS-IDP | XEROX NS IDP |
23 | TRUNK-1 | Trunk-1 |
24 | TRUNK-2 | Trunk-2 |
25 | LEAF-1 | Leaf-1 |
26 | LEAF-2 | Leaf-2 |
27 | RDP | Reliable Data Protocol |
28 | IRTP | Internet Reliable Transaction Protocol |
29 | ISO-TP4 | ISO Transport Protocol Class 4 |
30 | NETBLT | Bulk Data Transfer Protocol |
31 | MFE-NSP | MFE Network Services Protocol |
32 | MERIT-INP | MERIT Internodal Protocol |
33 | DCCP | Datagram Congestion Control Protocol |
34 | 3PC | Third Party Connect Protocol |
35 | IDPR | Inter-Domain Policy Routing Protocol |
36 | XTP | Xpress Transport Protocol |
37 | DDP | Datagram Delivery Protocol |
38 | IDPR-CMTP | IDPR Control Message Transport Protocol |
39 | TP++ | TP++ Transport Protocol |
40 | IL | IL Transport Protocol |
41 | IPv6 | IPv6 Encapsulation (6to4 and 6in4) |
42 | SDRP | Source Demand Routing Protocol |
43 | IPv6-Route | Routing Header for IPv6 |
44 | IPv6-Frag | Fragment Header for IPv6 |
45 | IDRP | Inter-Domain Routing Protocol |
46 | RSVP | Resource Reservation Protocol |
47 | GRE | Generic Routing Encapsulation |
48 | DSR | Dynamic Source Routing Protocol |
49 | BNA | Burroughs Network Architecture |
50 | ESP | Encapsulating Security Payload |
51 | AH | Authentication Header |
52 | I-NLSP | Integrated Net Layer Security Protocol |
53 | SwIPe | SwIPe |
54 | NARP | NBMA Address Resolution Protocol |
55 | MOBILE | IP Mobility (Min Encap) |
56 | TLSP | Transport Layer Security Protocol (using Kryptonet key management) |
57 | SKIP | Simple Key-Management for Internet Protocol |
58 | IPv6-ICMP | ICMP for IPv6 |
59 | IPv6-NoNxt | No Next Header for IPv6 |
60 | IPv6-Opts | Destination Options for IPv6 |
61 | | Any host internal protocol |
62 | CFTP | CFTP |
63 | | Any local network |
64 | SAT-EXPAK | SATNET and Backroom EXPAK |
65 | KRYPTOLAN | Kryptolan |
66 | RVD | MIT Remote Virtual Disk Protocol |
67 | IPPC | Internet Pluribus Packet Core |
68 | | Any distributed file system |
69 | SAT-MON | SATNET Monitoring |
70 | VISA | VISA Protocol |
71 | IPCU | Internet Packet Core Utility |
72 | CPNX | Computer Protocol Network Executive |
73 | CPHB | Computer Protocol Heart Beat |
74 | WSN | Wang Span Network |
75 | PVP | Packet Video Protocol |
76 | BR-SAT-MON | Backroom SATNET Monitoring |
77 | SUN-ND | SUN ND PROTOCOL-Temporary |
78 | WB-MON | WIDEBAND Monitoring |
79 | WB-EXPAK | WIDEBAND EXPAK |
80 | ISO-IP | International Organization for Standardization Internet Protocol |
81 | VMTP | Versatile Message Transaction Protocol |
82 | SECURE-VMTP | Secure Versatile Message Transaction Protocol |
83 | VINES | VINES |
84 | TTP | TTP (Transaction Transport Protocol) (obsoleted March 2023) |
84 | IPTM | Internet Protocol Traffic Manager |
85 | NSFNET-IGP | NSFNET-IGP |
86 | DGP | Dissimilar Gateway Protocol |
87 | TCF | TCF |
88 | EIGRP | EIGRP |
89 | OSPF | Open Shortest Path First |
90 | Sprite-RPC | Sprite RPC Protocol |
91 | LARP | Locus Address Resolution Protocol |
92 | MTP | Multicast Transport Protocol |
93 | AX.25 | AX.25 |
94 | OS | KA9Q NOS compatible IP over IP tunneling |
95 | MICP | Mobile Internetworking Control Protocol |
96 | SCC-SP | Semaphore Communications Sec. Pro |
97 | ETHERIP | Ethernet-within-IP Encapsulation |
98 | ENCAP | Encapsulation Header |
99 | | Any private encryption scheme |
100 | GMTP | GMTP |
101 | IFMP | Ipsilon Flow Management Protocol |
102 | PNNI | PNNI over IP |
103 | PIM | Protocol Independent Multicast |
104 | ARIS | IBM’s ARIS (Aggregate Route IP Switching) Protocol |
105 | SCPS | SCPS (Space Communications Protocol Standards) |
106 | QNX | QNX |
107 | A/N | Active Networks |
108 | IPComp | IP Payload Compression Protocol |
109 | SNP | Sitara Networks Protocol |
110 | Compaq-Peer | Compaq Peer Protocol |
111 | IPX-in-IP | IPX in IP |
112 | VRRP | Virtual Router Redundancy Protocol, Common Address Redundancy Protocol (not IANA assigned) |
113 | PGM | PGM Reliable Transport Protocol |
114 | | Any 0-hop protocol |
115 | L2TP | Layer Two Tunneling Protocol Version 3 |
116 | DDX | D-II Data Exchange (DDX) |
117 | IATP | Interactive Agent Transfer Protocol |
118 | STP | Schedule Transfer Protocol |
119 | SRP | SpectraLink Radio Protocol |
120 | UTI | Universal Transport Interface Protocol |
121 | SMP | Simple Message Protocol |
122 | SM | Simple Multicast Protocol |
123 | PTP | Performance Transparency Protocol |
124 | IS-IS over IPv4 | Intermediate System to Intermediate System (IS-IS) Protocol over IPv4 |
125 | FIRE | Flexible Intra-AS Routing Environment |
126 | CRTP | Combat Radio Transport Protocol |
127 | CRUDP | Combat Radio User Datagram |
128 | SSCOPMCE | Service-Specific Connection-Oriented Protocol in a Multilink and Connectionless Environment |
129 | IPLT | |
130 | SPS | Secure Packet Shield |
131 | PIPE | Private IP Encapsulation within IP |
132 | SCTP | Stream Control Transmission Protocol |
133 | FC | Fibre Channel |
134 | RSVP-E2E-IGNORE | Reservation Protocol (RSVP) End-to-End Ignore |
135 | Mobility Header | Mobility Extension Header for IPv6 |
136 | UDPLite | Lightweight User Datagram Protocol |
137 | MPLS-in-IP | Multiprotocol Label Switching Encapsulated in IP |
138 | manet | MANET Protocols |
139 | HIP | Host Identity Protocol |
140 | Shim6 | Site Multihoming by IPv6 Intermediation |
141 | WESP | Wrapped Encapsulating Security Payload |
142 | ROHC | Robust Header Compression |
143 | Ethernet | Segment Routing over IPv6 |
144 | AGGFRAG | AGGFRAG Encapsulation Payload for ESP |
145 | NSH | Network Service Header |