Filter elements

Packet capture supports capture filters and display filters. You can use expressions to match packets to capture or display.

A capture or display filter contains a keyword string or multiple keyword strings that are connected by operators.

Keywords include the following types:

Qualifiers—Fixed keyword strings. For example, you must use the ip qualifier to specify the IPv4 protocol.
Variables—Values supplied by users in the required format. For example, you can set an IP address to 2.2.2.2 or any other valid values.

A variable must be modified by one or multiple qualifiers. For example, to capture any packets sent from the host at 2.2.2.2, use the filter src host 2.2.2.2.

Operators include the following types:

Logical operators—Perform logical operations, such as the AND operation.
Arithmetic operators—Perform arithmetic operations, such as the ADD operation.
Relational operators—Indicate the relation between keyword strings. For example, the = operator indicates equality.

This document provides basic information about these elements. For more information about capture and display filters, go to the following websites:

Capture filter keywords

Table 32 and Table 33 describe the qualifiers and variables for capture filters, respectively.

Table 32: Qualifiers for capture filters

Category	Description	Examples
Protocol	Matches a protocol. If you do not specify a protocol qualifier, the filter matches any supported protocols.	arp—Matches ARP. icmp—Matches ICMP. ip—Matches IPv4. ip6—Matches IPv6. tcp—Matches TCP. udp—Matches UDP.
Direction	Matches packets based on its source or destination location (an IP address or port number). If you do not specify a direction qualifier, the src or dst qualifier applies.	src—Matches the source IP address field. dst—Matches the destination IP address field. src or dst—Matches the source or destination IP address field. NOTE: The src or dst qualifier applies if you do not specify a direction qualifier. For example, port 23 is equivalent to src or dst port 23.
Type	Specifies the direction type.	host—Matches the IP address of a host. net—Matches an IP subnet. port—Matches a service port number. portrange—Matches a service port range. NOTE: The host qualifier applies if you do not specify any type qualifier. For example, src 2.2.2.2 is equivalent to src host 2.2.2.2. To specify an IPv6 subnet, you must specify the net qualifier.
Others	Any other qualifiers than the previously described qualifiers.	broadcast—Matches broadcast packets. multicast—Matches multicast and broadcast packets. less—Matches packets that are less than or equal to a specific size. greater—Matches packets that are greater than or equal to a specific size. len—Matches the packet length. vlan—Matches VLAN packets.

NOTE:

The broadcast, multicast, and all protocol qualifiers cannot modify variables.

Table 33: Variable types for capture filters

Variable type	Description		Examples
Integer	Represented in binary, octal, decimal, or hexadecimal notation.		The port 23 expression matches traffic sent to or from port number 23.
Integer range	Represented by hyphenated integers.		The portrange 100-200 expression matches traffic sent to or from any ports in the range of 100 to 200.
IPv4 address	Represented in dotted decimal notation.		The src 1.1.1.1 expression matches traffic sent from the IPv4 host at 1.1.1.1.
IPv6 address	Represented in colon hexadecimal notation.		The dst host 1::1 expression matches traffic sent to the IPv6 host at 1::1.
IPv4 subnet	Represented by an IPv4 network ID or an IPv4 address with a mask.		Both of the following expressions match traffic sent to or from the IPv4 subnet 1.1.1.0/24: src 1.1.1. src net 1.1.1.0/24.
IPv6 network segment		Represented by an IPv6 address with a prefix length.	The dst net 1::/64 expression matches traffic sent to the IPv6 network 1::/64.

Capture filter operators

Capture filters support logical operators (Table 34), arithmetic operators (Table 35), and relational operators (Table 36). Logical operators can use both alphanumeric and nonalphanumeric symbols. The arithmetic and relational operators can use only nonalphanumeric symbols.

Logical operators are left associative. They group from left to right. The not operator has the highest priority. The and and or operators have the same priority.

Table 34: Logical operators for capture filters

Nonalphanumeric symbol	Alphanumeric symbol	Description
!	not	Reverses the result of a condition. Use this operator to capture traffic that matches the opposite value of a condition. For example, to capture non-HTTP traffic, use not port 80.
&&	and	Joins two conditions. Use this operator to capture traffic that matches both conditions. For example, to capture non-HTTP traffic that is sent to or from 1.1.1.1, use host 1.1.1.1 and not port 80.
\|\|	or	Joins two conditions. Use this operator to capture traffic that matches either of the conditions. For example, to capture traffic that is sent to or from 1.1.1.1 or 2.2.2.2, use host 1.1.1.1 or host 2.2.2.2.

Nonalphanumeric symbol

Alphanumeric symbol

Description

not

Reverses the result of a condition.

Use this operator to capture traffic that matches the opposite value of a condition.

For example, to capture non-HTTP traffic, use not port 80.

and

Joins two conditions.

Use this operator to capture traffic that matches both conditions.

For example, to capture non-HTTP traffic that is sent to or from 1.1.1.1, use host 1.1.1.1 and not port 80.

Joins two conditions.

Use this operator to capture traffic that matches either of the conditions.

For example, to capture traffic that is sent to or from 1.1.1.1 or 2.2.2.2, use host 1.1.1.1 or host 2.2.2.2.

Table 35: Arithmetic operators for capture filters

Nonalphanumeric symbol	Description
+	Adds two values.
-	Subtracts one value from another.
*	Multiplies one value by another.
/	Divides one value by another.
&	Returns the result of the bitwise AND operation on two integral values in binary form.
\|	Returns the result of the bitwise OR operation on two integral values in binary form.
<<	Performs the bitwise left shift operation on the operand to the left of the operator. The right-hand operand specifies the number of bits to shift.
>>	Performs the bitwise right shift operation on the operand to the left of the operator. The right-hand operand specifies the number of bits to shift.
[ ]	Specifies a byte offset relative to a protocol layer. This offset indicates the byte where the matching begins. You must enclose the offset value in the brackets and specify a protocol qualifier. For example, ip[6] matches the seventh byte of payload in IPv4 packets (the byte that is six bytes away from the beginning of the IPv4 payload).

Table 36: Relational operators for capture filters

Nonalphanumeric symbol	Description
=	Equal to. For example, ip[6]=0x1c matches an IPv4 packet if its seventh byte of payload is equal to 0x1c.
!=	Not equal to. For example, len!=60 matches a packet if its length is not equal to 60 bytes.
>	Greater than. For example, len>100 matches a packet if its length is greater than 100 bytes.
<	Less than. For example, len<100 matches a packet if its length is less than 100 bytes.
>=	Greater than or equal to. For example, len>=100 matches a packet if its length is greater than or equal to 100 bytes.
<=	Less than or equal to. For example, len<=100 matches a packet if its length is less than or equal to 100 bytes.

Display filter keywords

Table 37 and Table 38 describe the qualifiers and variables for display filters, respectively.

Table 37: Qualifiers for display filters

Category	Description	Examples
Protocol	Matches a protocol.	eth—Matches Ethernet. ftp—Matches FTP. http—Matches HTTP. icmp—Matches ICMP. ip—Matches IPv4. ipv6—Matches IPv6. tcp—Matches TCP. telnet—Matches Telnet. udp—Matches UDP.
Packet field	Matches a field in packets by using a dotted string in the protocol.field[.level1-subfield]…[.leveln-subfield] format.	tcp.flags.syn—Matches the SYN bit in the flags field of TCP. tcp.port—Matches the source or destination port field.

NOTE:

The protocol qualifiers cannot modify variables.

Table 38: Variable types for display filters

Variable type	Description
Integer	Represented in binary, octal, decimal, or hexadecimal notation. For example, to display IP packets that are less than or equal to 1500 bytes, use one of the following expressions: ip.len le 1500. ip.len le 02734. ip.len le 0x436.
Boolean	This variable type has two values: true or false. This variable type applies if you use a packet field string alone to identify the presence of a field in a packet. If the field is present, the match result is true. The filter displays the packet. If the field is not present, the match result is false. The filter does not display the packet. For example, to display TCP packets that contain the SYN field, use tcp.flags.syn.
MAC address (six bytes)	Uses colons (:), dots (.), or hyphens (-) to break up the MAC address into two or four segments. For example, to display packets that contain a destination MAC address of ffff.ffff.ffff, use one of the following expressions: eth.dst==ff:ff:ff:ff:ff:ff. eth.dst==ff-ff-ff-ff-ff-ff. eth.dst ==ffff.ffff.ffff.
IPv4 address	Represented in dotted decimal notation. For example: To display IPv4 packets that are sent to or from 192.168.0.1, use ip.addr==192.168.0.1. To display IPv4 packets that are sent to or from 129.111.0.0/16, use ip.addr==129.111.0.0/16.
IPv6 address	Represented in colon hexadecimal notation. For example: To display IPv6 packets that are sent to or from 1::1, use ipv6.addr==1::1. To display IPv6 packets that are sent to or from 1::/64, use ipv6.addr==1::/64.
String	Character string. For example, to display HTTP packets that contain the string HTTP/1.1 for the request version field, use http.request version=="HTTP/1.1".

Display filter operators

Display filters support logical operators (Table 39) and relational operators (Table 40). Both operator types can use alphanumeric and nonalphanumeric symbols.

Logical operators are left associative. They group from left to right. Table 39 displays logical operators by priority, from the highest to the lowest. The and and or operators have the same priority.

Table 39: Logical operators for display filters

Nonalphanumeric symbol	Alphanumeric symbol	Description
[ ]	No alphanumeric symbol is available.	Used with protocol qualifiers. For more information, see "The proto[…] expression."
!	not	Displays packets that do not match the condition connected to this operator.
&&	and	Joins two conditions. Use this operator to display traffic that matches both conditions.
\|\|	or	Joins two conditions. Use this operator to display traffic that matches either of the conditions.

Table 40: Relational operators for display filters

Nonalphanumeric symbol	Alphanumeric symbol	Description
==	eq	Equal to. For example, ip.src==10.0.0.5 displays packets with the source IP address as 10.0.0.5.
!=	ne	Not equal to. For example, ip.src!=10.0.0.5 displays packets whose source IP address is not 10.0.0.5.
>	gt	Greater than. For example, frame.len>100 displays frames with a length greater than 100 bytes.
<	lt	Less than. For example, frame.len<100 displays frames with a length less than 100 bytes.
>=	ge	Greater than or equal to. For example, frame.len ge 0x100 displays frames with a length greater than or equal to 256 bytes.
<=	le	Less than or equal to. For example, frame.len le 0x100 displays frames with a length less than or equal to 256 bytes.

prev	up	next
Packet capture modes	home	Building a capture filter