pktcap-uw Options for Filtering Packets

Narrow the range of packets that you monitor by using the pktcap-uw utility to apply filtering options for source and destination address, VLAN, VXLAN, and next level protocol consuming the packet payload.

Filter Options

The filter options for pktcap-uw are valid when you capture and trace packets. For information about the command syntax of the pktcap-uw utility, see pktcap-uw Command Syntax for Capturing Packets and pktcap-uw Command Syntax for Tracing Packets.

Table 1. Filter Options of the pktcap-uw Utility
Option	Description
`--srcmac mac_address`	Capture or trace packets that have a specific source MAC address. Use colons to separate the octets in it.
`--dstmac mac_address`	Capture or trace packets that have a specific destination MAC address. Use colons to separate the octets in it.
`--mac mac_address`	Capture or trace packets that have a specific source or destination MAC address. Use colons to separate the octets in it.
`--ethtype 0xEthertype`	Capture or trace packets at Layer 2 according to the next level protocol that consumes the packet payload. `EtherType` corresponds to the EtherType field in Ethernet frames. It represents the type of next level protocol that consumes the payload of the frame. For example, to monitor traffic for the Link Layer Discovery Protocol (LLDP) protocol, type `--ethtype 0x88CC`.
`--vlan VLAN_ID`	Capture or trace packets that belong to a VLAN.
`--srcip IP_addess\|IP_address/subnet_range`	Capture or trace packets that have a specific source IPv4 address or subnet.
`--dstip IP_addess\|IP_address/subnet_range`	Capture or trace packets that have a specific destination IPv4 address or subnet.
`--ip IP_addess`	Capture or trace packets that have a specific source or destination IPv4 address.
`--proto 0xIP_protocol_number`	Capture or trace packets at Layer 3 according to the next level protocol that consumes the payload. For example, to monitor traffic for the UDP protocol, type `--proto 0x11`.
`--srcport source_port`	Capture or trace packets according to their source TCP port.
`--dstport destination_port`	Capture or trace packets according to their destination TCP port.
`--tcpport TCP_port`	Capture or trace packets according to their source or destination TCP port.
`--vxlan VXLAN_ID`	Capture or trace packets that belong to a VXLAN.
`--rcf pcap_filter_expression`	Capture or trace packets using the rich common filter expression. For example, to capture all ingress and egress packets whose IP content length is larger than 1000 bytes, use the filter expression `--rcf "ip[2:2]>1000"`. To select a specific source host address and port number, use the filter expression `--rcf "src host 12.0.0.1 and port 5000"`. This example filters traffic for the host address 12.0.0.1 using port 5000. To learn more about filtering network traffic with the `--rcf` option, refer to the documentation for pcap filter expressions using command-line packet analyzers such as tcpdump. See pcap-filter - packet filter syntax. Note: When using the `--rcf` option, obey the following limitations. Do not filter VLAN packets using the `--rcf` option. To trace VLAN or VXLAN use the pktcap-uw --vlan or --vxlan options. Do not filter an IP broadcast address. Do not use `--rcf` on ENS ports.
`--rcf-tcp-data tcp_packet_data_filter`	Capture or trace TCP data packets using the rich common filter expression. For example, to capture all HTTP/1.0 response packets with 200 OK, use the filter expression `--rcf-tcp-data "HTTP/1.0 200 OK"`. To filter on HTTP GET requests returning an index.html file, use the filter expression `--rcf-tcp-data "GET /index.html"`.

The vertical bars | represent alternative values.