Filtering IP Network Traces
You can filter Syslog and debug recording messages for IP network traces, by configuring the 'Filter Type' parameter to IP Trace in the Logging Filters table. IP traces record any IP stream, according to destination and/or source IP address, or port and Layer-4 protocol (UDP, TCP or any other IP type as defined by http://www.iana.com). Network traces are typically used to record HTTP.
When the IP Trace option is selected, only the ‘Value’ parameter is applicable ('Syslog' and 'Capture Type' parameters are not applicable). The 'Value' parameter configures the Wireshark-like filtering expressions for your IP trace. The following Wireshark-like expressions are supported:
Supported Wireshark-like Expressions for 'Value' Parameter
|
Expression |
Description |
|---|---|
|
ip.src |
Defines the source IPv4 address. |
|
ipv6.src |
Defines the source IPv6 address. |
|
ip.dst |
Defines the destination IPv4 address. |
|
ipv6.dst |
Defines the destination IPv6 address. |
|
ip.addr |
Defines IPv4 addresses (up to two). |
|
ipv6.addr |
Defines IPv6 addresses (up to two). |
|
ip.proto |
Defines the IP protocol type (PDU), entered as an enumeration value (e.g., 1 is ICMP, 6 is TCP, 17 is UDP). |
|
udp, tcp, icmp, sip, ldap, http, https |
Defines single expressions for the protocol type. |
|
udp.port, tcp.port |
Defines the transport layer. |
|
udp.srcport, tcp.srcport |
Defines the transport layer for the source port. |
|
udp.dstport, tcp.dstport |
Defines the transport layer for the destination port. |
|
and, &&, ==, <, > |
Comparison operators used between expressions. |
Below are examples of configured expressions for the 'Value' parameter:
| ■ | udp && ip.addr==10.8.6.55 |
| ■ | ip.src==10.8.6.55 && udp.port>=5000 and udp.port<6000 |
| ■ | ip.dst==10.8.0.1/16 |
| ■ | ip.addr==10.8.6.40 |
| ■ | ipv6.addr==2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
| ■ | ipv6.src==2001:db8:abcd:0012::0/64 |
For conditions requiring the "or" / "||" expression, add multiple rows in the Logging Filters table. For example, the Wireshark condition "(ip.src == 1.1.1.1 or ip.src == 2.2.2.2)" and "ip.dst == 3.3.3.3" can be done by adding two rows in the table, where the 'Value' parameter of each row has the following value:
| ■ | Index #0: 'Value' parameter is configured to (without quotation marks) "ip.src == 1.1.1.1 and ip.dst == 3.3.3.3" |
| ■ | Index #1: 'Value' parameter is configured to (without quotation marks) "ip.src == 2.2.2.2 and ip.dst == 3.3.3.3" |
| ● | If you leave the 'Value' parameter empty, the device records all IP traffic types. |
| ● | You cannot configure the 'Value' parameter with IPv4 addresses together with IPv6 addresses. |
| ● | You cannot configure the 'Value' parameter with ip.addr or udp/tcp.port together with ip.src/dst or udp/tcp.srcport/dstport. For example, "ip.addr==1.1.1.1 and ip.src==2.2.2.2" (without quotation marks) is an invalid configuration value. |
| ● | You cannot configure the 'Value' parameter with ipv6.addr or udp/tcp.port together with ipv6.src/dst or udp/tcp.srcport/dstport. For example, "ipv6.addr==2001:0db8:85a3:0000:0000:8a2e:0370:7334 and ipv6.src==2001:db8:abcd:0012::0/64" (without quotation marks) is an invalid configuration value. |