1 | initial version |
No, that is currently not possible, because it would require that the filter engine compares fields in multiple packets. Right now it can only look for filter matches at one packet at any given time, so any correlation between packets needs to have been hard coded and checked during reading them (e.g. like echo request/echo reply for ICMP ping packet).