Filter bar syntax
This section defines and describes the operators, filter types, and argument names used in creating Omnipeek and Capture Engine filter bar filters.
• syntax: exp [op exp]*
Examples: SMB, smb | netbios, pspec(http) & (!pspec('802.3'))
where:
• op is an operator, one of: & (and), | (or)
• exp is an expression, one of: (!exp), (exp), or keyword[(arglist)]
• keyword is either a filter type or a named filter from the filter list
• arglist is a list of arguments: arg [, arg]*
• arg is an argument: [arg-name ':'] arg-value. The arg-name part is optional for filters that assume a default arg-name.
• arg-value is a value or a comma-separated value list for the arg-name, written as value or 'value' (see the Filter expression table). If the value contains reserved characters (single quote, space, comma) it must be quoted.
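The grammar above is small enough to parse directly. The following is an added example, not Omnipeek or Capture Engine code: a tokenizer and recursive-descent parser that turns a filter bar string into a nested tuple tree, with the quoting rule (reserved characters only inside single quotes) and the optional `arg-name:` prefix handled as described. Two points go beyond the grammar as written and are assumptions: a full `exp [op exp]*` chain is accepted inside parentheses, and keyword matching against the built-in filter types is treated as case-insensitive.

```python
"""Parser for the Omnipeek filter bar grammar (added example, not vendor code)."""
import re

# One token per match: a quoted value, a single punctuation character, or a bare word.
# Unquoted words stop at the reserved characters and at any punctuation the grammar uses.
_TOKEN_RE = re.compile(r"""\s*(?:
      (?P<quoted>'[^']*')          # 'value' (reserved characters allowed inside)
    | (?P<punct>[&|!(),:])         # operators, grouping, argument separators
    | (?P<word>[^&|!(),:'\s]+)     # keyword, arg-name, or unquoted arg-value
)""", re.VERBOSE)

# Built-in filter types from the table; anything else must be a named (saved) filter.
FILTER_TYPES = {"addr", "app", "channel", "country", "filter", "ip", "length", "mpls",
                "pattern", "plugin", "port", "protocol", "pspec", "tcpdump", "value",
                "vlan", "wan", "wireless"}


def tokenize(text):
    """Return a list of (kind, text) pairs; kind is 'word', 'value' or the punctuation itself."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        if m.group("quoted") is not None:
            tokens.append(("value", m.group("quoted")[1:-1]))   # strip the quotes
        elif m.group("punct") is not None:
            tokens.append((m.group("punct"), m.group("punct")))
        else:
            tokens.append(("word", m.group("word")))
    return tokens


class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        got, val = self.peek()
        if got is None or (kind is not None and got != kind):
            raise ValueError(f"expected {kind!r} but found {got!r} at token {self.i}")
        self.i += 1
        return val

    def parse_expression(self):
        # syntax: exp [op exp]*  (the grammar states no precedence, so chain left to right)
        node = self.parse_exp()
        while self.peek()[0] in ("&", "|"):
            op = self.take()
            node = (op, node, self.parse_exp())
        return node

    def parse_exp(self):
        # exp: (!exp) | (exp) | keyword[(arglist)]
        if self.peek()[0] == "(":
            self.take("(")
            if self.peek()[0] == "!":
                self.take("!")
                node = ("not", self.parse_exp())
            else:
                node = self.parse_expression()   # assumption: full chain allowed in parens
            self.take(")")
            return node
        keyword, args = self.take("word"), []
        if self.peek()[0] == "(":
            self.take("(")
            args = [self.parse_arg()]
            while self.peek()[0] == ",":          # arglist: arg [, arg]*
                self.take(",")
                args.append(self.parse_arg())
            self.take(")")
        return ("call", keyword, args)

    def parse_arg(self):
        # arg: [arg-name ':'] arg-value  -> (name or None, value)
        name = None
        if self.peek()[0] == "word" and self.i + 1 < len(self.toks) and self.toks[self.i + 1][0] == ":":
            name = self.take("word")
            self.take(":")
        if self.peek()[0] not in ("word", "value"):
            raise ValueError(f"expected an argument value at token {self.i}")
        return (name, self.take())


def parse(text):
    """Parse a whole filter bar string; trailing garbage is an error, not silently ignored."""
    p = Parser(tokenize(text))
    node = p.parse_expression()
    if p.peek()[0] is not None:
        raise ValueError(f"trailing input at token {p.i}")
    return node


def named_filters(node):
    """Keywords in the tree that are not built-in filter types (assumed case-insensitive)."""
    if node[0] == "call":
        return set() if node[1].lower() in FILTER_TYPES else {node[1]}
    if node[0] == "not":
        return named_filters(node[1])
    return named_filters(node[1]) | named_filters(node[2])
```

`named_filters` is the check a practitioner wants before saving a filter: every keyword it returns must exist in the filter list, or the expression will not resolve.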
Filter expression table
NOTE: For filter expressions and arg-names, [] indicates an optional argument.

| Filter Expression | Description | Arguments | Argument Description | Examples |
|---|---|---|---|---|
| addr | Filter by address | `type: address type, addr1: address [, addr2: address] [, dir: direction]` or `address type: address` | address type = ip, ipv6, ethernet, wireless<br>direction = 1to2, 2to1, or both (default) | `addr(ip:'10.4.3.*')`<br>`addr(ethernet:'3com:*.*.*')`<br>`addr(type: ip, addr1: 10.4.3.1, addr2: 10.5.1.1, dir: 1to2)` |
| app | Filter by application (by name) | application name (no named arguments) | application name is case insensitive (e.g., 'ebay' and 'EBAY' both work) | `app('eBay')`<br>`app('instagram')` |
| channel | Filter by channel number (wired only) | `num: number` (default) | | `channel(2)` |
| country | Filter by country | 1 or 2 country codes or names `[, dir: direction]` | country code as specified by ISO 3166-1 alpha-2, or country name from "countrynames.txt"<br>direction = 1to2, 2to1, or both (default) | `country('US')`<br>`country('United States', 'China')`<br>`country('US', 'RU', dir: 1to2)` |
| filter | Filter using an existing filter | filter name (no named arguments) | the `filter` keyword is optional | `filter('SMB')`<br>`SMB` |
| ip | Filter by IP address | ip address specifier list (no named arguments) | | `ip(10.4.3.6)`<br>`ip('10.4.3.*')`<br>`ip('10.4.3.*', '192.168.*.*')`<br>`ip('www.liveaction.com')` |
| length | Filter on the size of the packet | `min: min length`<br>`max: max length`<br>(only one is required) | Either min or max is required, or a single numeric value for an exact length match | `length(64)`<br>`length(min: 128)`<br>`length(max: 256)`<br>`length(min:128, max:256)` |
| mpls | Filter by MPLS label | `mpls(label1 [, label2, ... labelx])` | label is a number (0-1048575) or a label range | `mpls(10)`<br>`mpls(10, 20-50)` |
| pattern | Filter by pattern | `search type: 'search string'`<br>`[case: boolean value]`<br>`[start: integer value]`<br>`[end: integer value]`<br>`[layer: string value]` | search type = ASCII (default), Unicode, Hex, RegEx, EBCDIC, UTF-8<br>boolean value = yes, no, true, false, on, off, 1, 0<br>case on means a case-sensitive match<br>start, end are the offsets within the packet at which to start or end the search<br>layer is the name of the protocol at which the search should start (optionally suffixed with 'header' or 'payload') | `pattern(ascii: 'smb', case: off)`<br>`pattern('SMB')`<br>`pattern(hex: FF464D50)`<br>`pattern('GET', layer: 'tcp payload')` |
| plugin | Filter by plugin | plug-in name (no named arguments) | | `plugin('FTP Analysis')` |
| port | Filter by port | `[type: port type]`<br>`[port1: port]`<br>`[port2: port]`<br>`[dir: direction]` | port type = tcpudp (default), netware, atalk<br>port = number or name table port specifier (port1 is the default)<br>direction = 1to2, 2to1, or both (default) | `port(80)`<br>`port(80, 8080)`<br>`port(tcpudp: 80)`<br>`port(port1: 80, port2: 1523, dir:1to2)` |
| protocol | Filter by protocol | `protocol type: protocol` | protocol type = protospec, Ethernet.Protocol, LSAP, SNAP, LAP, DDP, WAN.PPP, WAN.Frame.Relay | `protocol(protospec: http)`<br>`protocol(protospec:1418)`<br>see also pspec |
| pspec | Filter by protospec | protocol list (no named arguments) | | `pspec(http)`<br>`pspec(HTTP)`<br>`pspec(HTTP, 'NB Sess Init')`<br>`pspec(1418, 6018)` |
| tcpdump | Filter using tcpdump filter syntax | See tcpdump syntax online | See tcpdump syntax online | `tcpdump('tcp src port 80')` |
| value | Filter on a value in the packet | `'([s/u][n/b]off[8/16/32/64](offset) & mask) operator value'`<br>`[layer: string value]`<br>accessors: off8, off16, off32, off64; soff8, soff16, soff32, soff64; snoff8, snoff16, snoff32, snoff64; sboff8, sboff16, sboff32, sboff64; uoff8, uoff16, uoff32, uoff64; unoff8, unoff16, unoff32, unoff64; uboff8, uboff16, uboff32, uboff64 | s = signed compare<br>u = unsigned compare (default)<br>n = network byte order<br>b = big endian order<br>8, 16, 32, 64 = bit size of the value in the packet<br>offset = offset into the packet<br>mask = value mask (e.g. 0xff, 0b11111111, 255)<br>operator = comparison operator: < <= > >= ==<br>value = value to compare against (same format as mask)<br>layer = name of the protocol to which the offset is relative (optionally suffixed with 'header' or 'payload') | `value('off8(20) == 0x10')` compares the 8 bits 20 bytes into the packet against the value 0x10 (16)<br>`value('unoff16(0) == 0', layer:'tcp payload')` compares the 16 bits (in network byte order, treated as unsigned) at offset 0 relative to the TCP payload against 0 |
| vlan | Filter by VLAN identifier | `vlan(id1 [, id2, ... idx])` | id is a number (0-4095) or an id range | `vlan(100)`<br>`vlan(100, 200-210)` |
| wan | Filter by WAN attribute | `dir: direction` | direction = dte, dce | `wan(dir: dte)` |
| wireless | Filter by wireless attribute | (only one is required)<br>`media: media type`<br>`channelband: band type`<br>`channelnum: numeric value`<br>`datarate: numeric value`<br>`minsignal: numeric value`<br>`maxsignal: numeric value`<br>`mindbmsignal: numeric value`<br>`maxdbmsignal: numeric value`<br>`minnoise: numeric value`<br>`maxnoise: numeric value`<br>`mindbmnoise: numeric value`<br>`maxdbmnoise: numeric value`<br>`encrypted: boolean value`<br>`decrypterr: boolean value`<br>`bssid: bssid value`<br>`sourceap: ip address`<br>`flagsn: bit mask specifying 802.11n flags` | media type = 802.11b, 802.11a, 802.11 (default)<br>band type = a, b, bg, n, at (a turbo), gt (g turbo), sg (super g), s1 (licensed A 1MHz), s5 (licensed A 5MHz), s10 (licensed A 10MHz), s15 (licensed A 15MHz), s20 (licensed A 20MHz)<br>boolean value = yes, no, true, false, on, off, 1, 0 | `wireless(media:'802.11b', channelnum: 1, encrypted: 1)` |
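The `value` row is the one most easily misread, because the accessor name packs sign, byte order and width into one token and the `layer` argument shifts where the offset starts. The following is an added example, not Omnipeek or Capture Engine code: it parses the inner `'accessor(offset) [& mask] operator value'` string and evaluates it against a constructed Ethernet/IPv4/TCP packet, with a constructed table of layer offsets standing in for the engine's protocol decoder. Assumptions: an unmarked accessor such as `off16` is read big-endian (the table only says `n` and `b` mean network and big-endian order), mask and value accept the `0xff` / `0b11111111` / `255` forms the table lists, and a field that runs past the end of the packet simply does not match.

```python
"""Evaluator for Omnipeek value() filter expressions (added example, not vendor code)."""
import re

# '([s/u][n/b]off[8/16/32/64](offset) & mask) operator value', parentheses and mask optional.
_VALUE_RE = re.compile(r"""
    ^\s*\(?\s*
    (?P<sign>[su]?)(?P<order>[nb]?)off(?P<bits>8|16|32|64)   # accessor, e.g. unoff16
    \s*\(\s*(?P<offset>\d+)\s*\)                              # (offset)
    (?:\s*&\s*(?P<mask>[^\s)]+))?                              # optional & mask
    \s*\)?\s*
    (?P<op>==|<=|>=|<|>)                                       # comparison operator
    \s*(?P<value>\S+)\s*$
""", re.VERBOSE)

_OPS = {"==": lambda a, b: a == b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

# Constructed sample packet: Ethernet (14 bytes) + IPv4 (20) + TCP (20) + "GET / HTTP/1.1".
PACKET = (bytes.fromhex("001122334455 66778899aabb 0800")                      # eth dst, src, type
          + bytes.fromhex("4500 0036 0001 4000 4006 0000 0a040306 c0a80101")   # IPv4 10.4.3.6 -> 192.168.1.1
          + bytes.fromhex("c000 0050 00000000 00000000 5018 ffff 0000 0000")   # TCP 49152 -> 80, PSH/ACK
          + b"GET / HTTP/1.1")

# Constructed layer table: where each layer begins in PACKET (the engine's decoder supplies this).
LAYERS = {"ethernet header": 0, "ip header": 14, "tcp header": 34, "tcp payload": 54}


def parse_number(text):
    """Mask/value formats from the table: 0xff, 0b11111111, 255 (int with base 0 handles all three)."""
    return int(text, 0)


def evaluate_value_filter(expr, packet, layer=None, layers=LAYERS):
    """Return True if the value() expression matches the packet; offsets are relative to `layer`."""
    m = _VALUE_RE.match(expr)
    if not m:
        raise ValueError(f"cannot parse value expression: {expr!r}")
    width = int(m.group("bits")) // 8
    start = layers[layer] if layer else 0            # no layer: offset is from packet start
    start += int(m.group("offset"))
    field = packet[start:start + width]
    if len(field) < width:
        return False                                  # field lies beyond the packet: no match
    # 'n' (network) and 'b' (big endian) both read big-endian; unmarked is assumed the same.
    number = int.from_bytes(field, "big", signed=(m.group("sign") == "s"))
    if m.group("mask"):
        number &= parse_number(m.group("mask"))
    return _OPS[m.group("op")](number, parse_number(m.group("value")))


if __name__ == "__main__":
    for expr, layer in [("off8(20) == 0x10", None), ("unoff16(0) == 0", "tcp payload"),
                        ("unoff16(2) == 80", "tcp header"), ("soff8(0) < 0", "tcp header")]:
        print(f"{expr!r:28} layer={layer!r:14} -> {evaluate_value_filter(expr, PACKET, layer)}")
```

Byte 20 of the sample packet is the IPv4 flags byte (0x40, DF set), so the table's own `off8(20) == 0x10` does not match here while `(off8(20) & 0xe0) == 0x40` does; `soff8(0)` on the TCP header reads 0xc0 as -64, which is why the signed and unsigned forms of the same test give different answers.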