Capture Filter
A monitoring session may have a special filter, called capture filter, configured. This filter is applied at the earliest point of time, before the monitored packet ever sent for data processing, including Data Recording. It allows the user to effectively filter unneeded packets out before sending them to expensive processing. Capture filter uses currently loaded protocol definitions.
Capture filter is specified in the Session Configuration Window.
You may select one of the pre-defined filters in the Capture Filter combobox, or press the Edit button to open the Capture Filter Configuration Window:
Use this window to select a display filter from a list, or enter the filter string manually, give it a name and save.
It is allowed to add, change and remove the capture filter of a running session.
Limitations
Serial Bridge and Remote data sources do not support capture filters.
Capture Filter Syntax
Capture filter expression is an expression that can reference fields of a bound protocol. It should evaluate to a boolean value. If the result of the expression is true, a packet is allowed to “pass”, otherwise it is silently discarded. A result of the expression is automatically cast to boolean according to the following rules:
| Expression Type | Conversion Rules |
|---|---|
boolean | Used as is |
integer | Zero is converted to false, any other value converted to true |
string | Empty string is converted to false, any other string is converted to true |
Reference | An invalid reference (a reference to non-existing field) is converted to false, otherwise it is true |
Filter expression supports special kinds of immediates in addition to standard ones:
| Immediate | Sample |
|---|---|
| IPv4 address | 127.0.0.1 |
| IPv6 address | fe80::a4e0:281f:768b:ca30 |
| MAC address | 56:15:FB:B7:EF:99 |
When the user types new filter expression, available fields are automatically suggested using the auto-completion engine. However, this engine is limited in its functionality and the user is advised to consult the source code of used protocols.
Examples
Serial Monitoring
The following filter passes only Serial Input/Output Control packets (IOCTL). This expression evaluates to true if and only if there is a sub-field io in the bound serial field:
serial.io
Then following filter passes only Write packets:
serial.Type == 4
The following filter passes only packets that has non-empty payload:
(serial.Direction == "Up" && serial.Type == 3) || (serial.Direction == "Down" && serial.Type == 4)
USB Monitoring
The following filter passes only URB packets (discards PnP packets, for example):
usb.urb
Network Monitoring
The following filter passes only IP traffic:
ipv4 || ipv6
The following filter passes only packets sent to or received from 192.168.0.1:
ipv4.SourceAddress == 192.168.0.1 || ipv4.DestinationAddress == 192.168.0.1