This post explains the use of the @filter@ function.
filter: called for each flow
Here we tell the framework whether we are interested in reassembling the new flow. In this case we are only interested in Port-22 (ssh). Your filter is just a "hint" to the Trisul framework to build an optimal reassembly plan for each flow, because other scripts may ask for other flows. The code @flowkey:id():match('p-0016')@ is a quick way to check whether the flow key (a special string in Trisul) contains "p-0016", which is the special key for Port 22.
<pre class="language-lua">
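-- Field of the script's handler table (hence the trailing comma).
-- Return true to ask for reassembly of this flow.
filter = function(engine, timestamp, flowkey)
  -- "p-0016" is the key for port 22 (0x16 = 22)
  return flowkey:id():match("p-0016") ~= nil
end,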
</pre>
Alternatively, you can check the destination port (typically port-Z) for port 22.
<pre class="language-lua">
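filter = function(engine, timestamp, flowkey)
  -- portz_readable() is called on the flowkey object itself;
  -- id() returns a plain string, which has no such method
  return flowkey:portz_readable() == "22"
end,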
</pre>
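The flow-key check generalised to a set of ports, as an added example that is not from the original post or from Trisul. It uses a plain-text search because "-" is a magic character in Lua patterns. Assumptions: @port_key@, @make_port_filter@ and @fake_flowkey@ are hypothetical helpers, the sample flow keys are constructed, and every port is assumed to appear in the key as "p-" plus four uppercase hex digits, as "p-0016" does for port 22.

```lua
-- Added example, not Trisul code.
-- Assumption: a port appears in the flow key as "p-" + 4 uppercase hex digits.
local function port_key(port)
  assert(port >= 0 and port <= 65535, "port out of range")
  return string.format("p-%04X", port)
end

-- Build a function with the same signature as the filter shown above.
-- It returns true when either endpoint of the flow uses one of the ports.
local function make_port_filter(ports)
  local keys = {}
  for _, p in ipairs(ports) do
    keys[#keys + 1] = port_key(p)
  end
  return function(engine, timestamp, flowkey)
    local id = flowkey:id()
    for _, k in ipairs(keys) do
      -- 4th argument true = plain search, no pattern matching.
      if id:find(k, 1, true) then
        return true
      end
    end
    return false
  end
end

-- Constructed stand-in for the flowkey object; only id() is modelled.
local function fake_flowkey(s)
  return { id = function(self) return s end }
end

local filter = make_port_filter({ 22, 2222 })

-- Constructed sample keys (layout assumed for illustration only).
local ssh     = fake_flowkey("06A:C0.A8.01.0A:p-C350_0A.00.00.05:p-0016")
local alt_ssh = fake_flowkey("06A:C0.A8.01.0A:p-C351_0A.00.00.05:p-08AE")
local https   = fake_flowkey("06A:C0.A8.01.0A:p-C352_0A.00.00.05:p-01BB")

assert(port_key(22) == "p-0016")
assert(filter(nil, 0, ssh) == true)
assert(filter(nil, 0, alt_ssh) == true)
assert(filter(nil, 0, https) == false)

-- Why plain search: as a Lua pattern, "p-0016" means "zero or more p, then
-- 0016", so it also matches a bare "0016" that has no "p-" in front of it.
assert(("x:0016"):match("p-0016") == "0016")
assert(("x:0016"):find("p-0016", 1, true) == nil)
```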