Magic Firewall fields
cf.colo.name String 
The data center that is handling this traffic.
Example value: sfo06
cf.colo.region String 
Region of the data center that is handling this traffic.
Example value: WNAM
icmp String 
The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
icmp.type Number 
The ICMP type. Only applies to ICMP packets.
Example value: 8
icmp.code Number 
The ICMP code. Only applies to ICMP packets.
Example value: 2
ip String 
The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
ip.dst IP address 
The destination address as specified in the IP packet.
Example value: 192.0.2.2
ip.dst.country String 
Represents the 2-letter country code associated with the server IP address in ISO 3166-1 Alpha 2 format.
Example value: GB
For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.
For Magic Firewall, the ip.geoip.country field (which is deprecated) will match on either source or destination address. The ip.geoip.country field is still available for new and existing rules, but you should use the ip.src.country and/or ip.dst.country fields instead.
ip.hdr_len Number 
The length of the IPv4 header in bytes.
Example value: 5
ip.len Number 
The length of the packet including the header.
Example value: 60
ip.opt.type Number 
The first byte of the IP options field, if the options field is set.
Example value: 25
ip.proto String 
The transport layer for the packet, if it can be determined.
Example values: icmp, tcp
ip.src IP address 
The source address as specified in the IP packet.
ip.src.country String 
Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 format.
Example value: GB
For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.
ip.ttl Number 
The time-to-live of the IP packet.
Example value: 54
sip Boolean 
Determines whether the packet is a valid L7 SIP message. Only operates on UDP packets.
Use a guard clause such as the following to ensure the packet is UDP before evaluating sip (wirefilter):
ip.proto == "udp"
tcp String 
The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
tcp.flags Number 
The numeric value of the TCP flags byte.
tcp.flags.ack Boolean 
TCP acknowledgment flag.
tcp.flags.cwr Boolean 
TCP congestion window reduced flag.
tcp.flags.ecn Boolean 
TCP ECN-Echo flag.
tcp.flags.fin Boolean 
TCP flag indicating this is the last packet from sender.
tcp.flags.push Boolean 
TCP push flag.
tcp.flags.reset Boolean 
TCP reset flag.
tcp.flags.syn Boolean 
TCP synchronize flag.
tcp.flags.urg Boolean 
TCP urgent flag.
tcp.srcport Number 
Source port number of the IP packet. Only applies to TCP packets.
tcp.dstport Number 
Destination port number of the IP packet. Only applies to TCP packets.
udp String 
The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
udp.dstport Number 
Destination port number of the IP packet. Only applies to UDP packets.
udp.srcport Number 
Source port number of the IP packet. Only applies to UDP packets.
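To make the field definitions above concrete, the following added example (not part of this reference, and not Cloudflare's implementation) decodes a raw IPv4 packet into the ip.*, tcp.*, udp.* and icmp.* values listed here, then evaluates two rules in Python form: the ip.proto == "udp" guard clause recommended before sip, and a TCP SYN-without-ACK check built from the tcp.flags.* booleans. Packet layout follows the IPv4 and TCP header formats; the sample packets are constructed here, and ip.hdr_len is reported as the IHL value to match the example value 5 given on this page.

```python
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Bit positions of each flag within the low byte of the TCP offset/flags word.
TCP_FLAG_BITS = (("fin", 0), ("syn", 1), ("reset", 2), ("push", 3),
                 ("ack", 4), ("urg", 5), ("ecn", 6), ("cwr", 7))

def magic_firewall_fields(pkt: bytes) -> dict:
    """Derive the page's ip.*, tcp.*, udp.* and icmp.* fields from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    f = {"ip.hdr_len": ihl,                       # IHL, matching the example value 5
         "ip.len": total_len, "ip.ttl": ttl,
         "ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)),
         "ip.proto": PROTO_NAMES.get(proto)}      # None when it cannot be determined
    if ihl > 5:
        f["ip.opt.type"] = pkt[20]                # first byte of the options field
    payload = pkt[ihl * 4:total_len]
    if f["ip.proto"] == "tcp" and len(payload) >= 20:
        f["tcp.srcport"], f["tcp.dstport"], _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        f["tcp.flags"] = off_flags & 0xFF         # the flags byte as a number
        for name, bit in TCP_FLAG_BITS:
            f[f"tcp.flags.{name}"] = bool(off_flags >> bit & 1)
    elif f["ip.proto"] == "udp" and len(payload) >= 8:
        f["udp.srcport"], f["udp.dstport"] = struct.unpack("!HH", payload[:4])
    elif f["ip.proto"] == "icmp" and len(payload) >= 4:
        f["icmp.type"], f["icmp.code"] = payload[0], payload[1]
    return f

def passes_udp_guard(f: dict) -> bool:
    """Python form of the guard the page recommends before sip: ip.proto == "udp"."""
    return f["ip.proto"] == "udp"

def matches_syn_only(f: dict) -> bool:
    """Python form of: ip.proto == "tcp" and tcp.flags.syn and not tcp.flags.ack.
    The ip.proto test is the guard clause: it short-circuits before any tcp.* key is read."""
    return f["ip.proto"] == "tcp" and f["tcp.flags.syn"] and not f["tcp.flags.ack"]

def build_ipv4(proto: int, payload: bytes, ttl: int = 54) -> bytes:
    """Constructed test packet: 192.0.2.1 -> 192.0.2.2, no options, zero checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

# Constructed samples: a TCP SYN to port 443, a UDP datagram to 5060, an ICMP echo request.
TCP_SYN = build_ipv4(6, struct.pack("!HHIIHHHH", 40000, 443, 0, 0, 0x5002, 65535, 0, 0))
UDP_5060 = build_ipv4(17, struct.pack("!HHHH", 5060, 5060, 8, 0))
ICMP_ECHO = build_ipv4(1, bytes([8, 0, 0, 0]))
```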
GeoIP is the registered trademark of MaxMind, Inc.