A network interface and storage medium that, in an embodiment, filter packets received from a network based on rules. The filtering discards a subset of the packets based on the rules and keeps a remaining subset of the packets. The remaining subset is copied to a destination. The rules are created offline in a lower priority process from the filtering and copying by detecting whether symptoms exist in a sample of the remaining subset. In an embodiment, the order that the symptoms are detected is changed based on the frequency of the existence of the symptoms in the sample. In various embodiments, the symptoms may include receiving a threshold number of ping packets within a time period, receiving a threshold number of broadcast packets within a time period, receiving a packet with an invalid source address, and receiving a packet with an invalid header flag.