Blue Coat Systems SG Appliance Manual De Usuario

Chapter 4:  Diagnostics

53

To add a filter to the CLI, use the command:

SGOS# pcap filter expr parameters

To remove a filter, use the command: 

SGOS# pcap filter <enter>

Use the following procedures to configure packet capturing. If a download of the 
captured packets is requested, packet capturing is implicitly stopped. In addition to 
starting and stopping packet capture, a filter expression can be configured to control 
which packets are captured. For information on configuring a PCAP filter, see 

Some qualifiers must be escaped with a backslash because their identifiers are also 

keywords within the filter expression parser.

❐

ip proto protocol

where protocol is a number or name (icmp, udp, tcp).

❐

ether proto protocol

where protocol can be a number or name (ip, arp, rarp).

Table 4-1.  PCAP Filter Expressions 

ip host 10.25.36.47

Captures packets from a specific host with IP address 
10.25.36.47

.

not ip host 10.25.36.47

Captures packets from all IP addresses except 
10.25.36.47

.

ip host 10.25.36.47 and ip 

host 10.25.36.48

Captures packets sent between two IP addresses: 
10.25.36.47

 and 10.25.36.48.

Packets sent from one of these addresses to other IP 
addresses are not filtered.

ether host 00:e0:81:01:f8:fc

Captures packets to or from MAC address 
00:e0:81:01:f8:fc:

.

port 80

Captures packets to or from port 80.

ip sr www.bluecoat.com and 

ether broadcast

Captures packets that have IP source of 
www.bluecoat.com and ethernet broadcast 
destination.

Define

 CLI filter

 expr

 parameters with double-quotes to avoid 

confusion with special characters. For example, a space is interpreted by the CLI as 
an additional parameter, but the CLI accepts only one parameter for the filter 
expression. Enclosing the entire filter expression in quotations allows multiple 
spaces in the filter expression.