Traffic capture expressions are used to narrow down the types of traffic
that are captured. This feature supports true tcpdump expressions. For more
information about expression usage, refer to external tcpdump and libpcap
documentation.
To capture only TCP traffic enter the following expression in the
Expression field:
tcp
The following example captures IPv4 HTTP packets that are transmitting
to and from port 80 and only includes packets that contain data. SYN, FIN, and
ACK packets are excluded.
tcp port 80 and (((ip[2:2] - ((ip[0]&&0xf)<<2)) -
((tcp[12]&&0xf0)>>2)) != 0)
| Parameter | Description |
| ip | IPv4 traffic. By default, only IPv4 traffic is captured. |
| ipv6 | IPv6 traffic. |
| proto | Designates the protocol of captured traffic. Can be an explicit number or tcp, udp, or icmp. |
| src | Specifies the source of the traffic. This parameter can be applied to both host and port. |
| dst | Specifies the destination of the traffic. This parameter can be applied to both host and port. |
| host | Designates a host IP address. IPv4 and IPv6 addresses are supported, as is CIDR format. |
| port | Designates the port; you must also specify a port number. |
| Examples: | |
host 172.31.255.254
|
Captures all traffic to and from 172.31.255.254. |
src 172.31.255.254
|
Captures all traffic from 172.31.255.254. |
dst 172.31.255.254
|
Captures all traffic to 172.31.255.254. |
src 172.31.255.254 & dst 10.10.10.10
|
Captures all traffic from 172.31.255.254 to 10.10.10.10. |
ip proto tcp
|
Captures only TCP traffic. |
ip proto tcp & src port 63
|
Captures only TCP traffic on port 63. |