[Bro] pcap syntax (Re: BPF?)

Vern Paxson vern at icir.org
Thu Jan 16 21:06:37 PST 2014

> I think you meant to do
> (not src port 443 and not dst port 443)

(A nit: that's equivalent to "not port 443".  Nit #2: more correct would
be "not tcp port 443".  The above will weed out UDP traffic that happens
to use 443.)

More information about the Bro mailing list