Original Thread: Searching for a specific packet size
I have a use case to monitor DNS payloads for irregularities.
Is it possible and appropriate to use the following app rule syntax to find any DNS packet/session where the payload is over 100 bytes? (Per IETF, the max DNS payload per protocol is 512 bytes.)
service = '53' && payload = 100-u
I see the info above in the thread about using tag = l-10000 for less than 10k, but I'm not sure of the format for greater than.
Thanks for your help!
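The following is an added illustration, not part of the thread and not NetWitness product code. It models the rule in the question, service = 53 && payload = 100-u, in plain Python so the size threshold can be tried against DNS messages before it goes into an app rule. It assumes, from the thread's l-10000 example, that "l" means the lowest value and "u" means unbounded, and it treats the bounds as inclusive; both are assumptions to confirm against the product documentation. The DNS messages and session list are constructed samples, not captured traffic.

```python
import struct

# Assumed semantics of the range syntax: "lo-hi", where "l" stands for the
# lowest value and "u" for unbounded (inferred from the thread's "l-10000").
# Bounds are treated as inclusive here; that boundary behaviour is an assumption.
def parse_range(expr):
    lo_s, hi_s = expr.strip().split("-", 1)
    lo = 0 if lo_s == "l" else int(lo_s)
    hi = None if hi_s == "u" else int(hi_s)
    return lo, hi

def in_range(value, expr):
    lo, hi = parse_range(expr)
    return value >= lo and (hi is None or value <= hi)

def matches_rule(service, payload_len, rule_service=53, rule_range="100-u"):
    """Mirror 'service = 53 && payload = 100-u' in plain Python."""
    return service == rule_service and in_range(payload_len, rule_range)

def build_dns_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query message (RFC 1035 wire format) with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question

# Constructed sample sessions (service, query name), not real traffic:
# a normal lookup, an unusually long name, and a long name on a non-DNS service.
LONG_NAME = "a" * 60 + "." + "b" * 60 + ".example.com"
SAMPLE_SESSIONS = [
    (53, "www.example.com"),
    (53, LONG_NAME),
    (80, LONG_NAME),  # large, but not service 53, so the rule must not match
]

def flag_sessions(sessions, rule_range="100-u"):
    """Return (qname, payload_len) for the sessions the rule would flag."""
    flagged = []
    for service, qname in sessions:
        payload = build_dns_query(qname)
        if matches_rule(service, len(payload), rule_range=rule_range):
            flagged.append((qname, len(payload)))
    return flagged

if __name__ == "__main__":
    for qname, size in flag_sessions(SAMPLE_SESSIONS):
        print(f"flagged: {size} bytes  {qname}")
```

The ordinary query comes to 33 bytes and is ignored; the long-label query is 151 bytes and is flagged, while the same message on service 80 is not. Whether the product counts "payload" as the DNS message alone or includes transport headers changes where the 100-byte line falls, so check that definition before relying on the threshold.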
Answer with an example for you ...