NOTE: The `broadcast`, `multicast`, and all protocol qualifiers cannot modify variables.
Table 29 Variable types for capture filters

| Variable type | Description | Examples |
|---|---|---|
| Integer | Represented in binary, octal, decimal, or hexadecimal notation. | The `port 23` expression matches traffic sent to or from port number 23. |
| Integer range | Represented by hyphenated integers. | The `portrange 100-200` expression matches traffic sent to or from any ports in the range of 100 to 200. |
| IPv4 address | Represented in dotted decimal notation. | The `src 1.1.1.1` expression matches traffic sent from the IPv4 host at 1.1.1.1. |
| IPv6 address | Represented in colon hexadecimal notation. | The `dst host 1::1` expression matches traffic sent to the IPv6 host at 1::1. |
| IPv4 subnet | Represented by an IPv4 network ID or an IPv4 address with a mask. | Both of the following expressions match traffic sent to or from the IPv4 subnet 1.1.1.0/24: `src 1.1.1` and `src net 1.1.1.0/24`. |
| IPv6 network segment | Represented by an IPv6 address with a prefix length. | The `dst net 1::/64` expression matches traffic sent to the IPv6 network 1::/64. |

Capture filter operators
Capture filters support logical operators ( ), and relational operators ( ). Logical operators can use both alphanumeric and nonalphanumeric symbols. The arithmetic and relational operators can use only nonalphanumeric symbols.

Logical operators are left associative. They group from left to right. The `not` operator has the highest priority. The `and` and `or` operators have the same priority.

Table 30 Logical operators for capture filters

| Nonalphanumeric symbol | Alphanumeric symbol | Description |
|---|---|---|
| `!` | `not` | Reverses the result of a condition. Use this operator to capture traffic that matches the opposite value of a condition. For example, to capture non-HTTP traffic, use `not port 80`. |
| `&&` | `and` | Joins two conditions. Use this operator to capture traffic that matches both conditions. For example, to capture non-HTTP traffic that is sent to or from 1.1.1.1, use `host 1.1.1.1 and not port 80`. |
| `\|\|` | `or` | Joins two conditions. Use this operator to capture traffic that matches either of the conditions. For example, to capture traffic that is sent to or from 1.1.1.1 or 2.2.2.2, use `host 1.1.1.1 or host 2.2.2.2`. |
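
The grouping rules stated above (`not` first, then `and` and `or` at the same priority from left to right) are modelled below as an added example; it is not part of the original manual and is not the device's own parser. The function names, the restriction to the `host` and `port` qualifiers, and the sample packets are assumptions made for illustration.

```python
import re
# Table 30: nonalphanumeric symbols and their alphanumeric equivalents.
SYMBOLS = {"!": "not", "&&": "and", "||": "or"}

def tokenize(expr):
    return [SYMBOLS.get(t, t) for t in re.findall(r"&&|\|\||!|[^\s!&|]+", expr)]

def parse_unary(tokens):
    # "not" has the highest priority: it applies to the next condition only.
    if tokens[0] == "not":
        tokens.pop(0)
        return ("not", parse_unary(tokens))
    # A condition is a qualifier plus its variable, e.g. "host 1.1.1.1".
    return (tokens.pop(0), tokens.pop(0))

def parse(tokens):
    # "and" and "or" share one priority level and group from left to right.
    node = parse_unary(tokens)
    while tokens:
        op = tokens.pop(0)
        if op not in ("and", "or"):
            raise ValueError(f"expected and/or, got {op!r}")
        node = (op, node, parse_unary(tokens))
    return node

def matches(node, pkt):
    op = node[0]
    if op == "not":
        return not matches(node[1], pkt)
    if op in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if op == "and" else (left or right)
    if op == "host":  # sent to or from the address
        return node[1] in (pkt["src"], pkt["dst"])
    if op == "port":  # sent to or from the port (decimal notation only here)
        return int(node[1]) in (pkt["sport"], pkt["dport"])
    raise ValueError(f"unsupported qualifier: {op}")

def capture(expr, packets):
    tree = parse(tokenize(expr))
    return [p["id"] for p in packets if matches(tree, p)]

# Constructed sample packets (not from the original page).
KEYS = ("id", "src", "dst", "sport", "dport")
PACKETS = [dict(zip(KEYS, row)) for row in (
    (1, "1.1.1.1", "3.3.3.3", 40000, 80),
    (2, "1.1.1.1", "3.3.3.3", 40001, 22),
    (3, "3.3.3.3", "2.2.2.2", 40002, 443),
    (4, "4.4.4.4", "3.3.3.3", 40003, 53),
)]
```

Under these rules `host 1.1.1.1 or host 2.2.2.2 and not port 80` groups as `(host 1.1.1.1 or host 2.2.2.2) and not port 80`, so port 80 traffic from both hosts is left out of the capture. Writing the same conditions as `host 2.2.2.2 and not port 80 or host 1.1.1.1` keeps all traffic of 1.1.1.1, which matters when a capture is meant to preserve evidence for one host in full.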