rainbow/config/builtin/tcpdump.cfg
[filters]
# IPv4 address+port:
reset-all-after: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,5}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
magenta-before: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
blue-after: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.
reset-after: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
# MAC address:
yellow: ([0-9a-f]{2}\:){5}[0-9a-f]{2}
# TCP/UDP flags:
# 1. TCP Flags
# 2. UDP indicator
# 3. UDP indicator with checksum indicator
# Note: Bare "[udp sum ok]" is highlighted because tcpdump will
# sometimes omit the "UDP"
cyan: (?<=Flags )\[[SP\.RFU]+\]
(?<=\: )UDP
(?<=\: )\[udp sum ok\]( UDP)?
# error conditions (UDP, TCP, IPv4):
red: (?<=\: )\[bad udp cksum.*?\]
cksum \S+ \(incorrect.*?\)
bad cksum .*?!
# Network-layer Description (e.g. "IP")
# 1. With -e flag
# 2. With -e flag where no link layer addresses exist (e.g. VPN interface)
# 3. Without -e flag
bold: (?<=ethertype )\S+ \S+(?=,)
(?<=^\d{2}\:\d{2}\:\d{2}\.\d{6} AF )[^\s\:]+\s
(?<=^\d{2}\:\d{2}\:\d{2}\.\d{6} )[^\s\:]+\s
# Time stamp:
faint: \d{2}\:\d{2}\:\d{2}\.\d{6}