Well, after several tries I found a working solution:
In the above example I used “payload(0,5) 3c3f786d6c” to identify XMPP traffic by its xml payload, where
3c3f786d6c = <?xml
Unfortunatly some XMPP clients send “<? xml” <-- With space between ? and x !
However, I managed to find another position in the payload which seems to be identical with every client:
^^ This does do the trick and identifies XMPP.
Cheers