Filtering captured packets

You can configure filtering for packet capture so that only packets that satisfy the conditions of filters are written to the file. This may be necessary, for example, to make the network dump file smaller. No filters are configured by default, you need to create the filters that you want to use.

You can view information about existing filters by running the following command:

show pcapdump filters

Example output

To create or modify a filter:

On the command line, run the following command to go to the filter settings menu:
pcapdump filters
Open a filter for editing:
name <name>

where <name> is one of the following:
- Name of an existing filter that you want to edit.
- Unique name for a new filter if you want to create one. A filter name can be up to 128 characters long.

Add a text query with filter parameters in the following format:

value 'mask <mask parameters> match <values of mask parameters>'

where:

<mask parameters> is a combination of the name of the interface for which you want to filter packets and one or more parameters by which you want to filter the captured packets. All parameters must be separated by spaces. You can specify one or more of such combinations. For possible parameters and examples of filters, see the expandable section below.
<values of mask parameters> is a combination of the name of the interface for which you want to filter packets and one or more parameter-value pairs. You must specify a value for each parameter that you specify after mask.

Filter mask parameters

If you want to exit the active menu, run the following command:
exit

Interface	Parameter
`l2`	`src`
`dst`
`proto`
`tag1`
`tag2`
`ignore-tag1`
`ignore-tag2`
`cos1`
`cos2`
`dot1q`
`dot1ad`
`l3 ip4`	`version`
`hdr_length`
`src[/width]`
`dst[/width]`
`tos`
`length`
`fragment_id`
`ttl`
`protocol`
`checksum`
`l4`	`src_port`
`dst_port`

The filter is created or modified, and you can use it to filter the captured traffic.

Page top