Blue Coat Systems SG Appliance User Manual
Chapter 4: Diagnostics
Using Filter Expressions in the CLI
To add a filter to the CLI, use the command:
SGOS# pcap filter expr parameters
To remove a filter, use the command:
SGOS# pcap filter <enter>
Configuring Packet Capturing
Use the following procedures to configure packet capturing. If a download of the
captured packets is requested, packet capturing is implicitly stopped. In addition to
starting and stopping packet capture, a filter expression can be configured to control
which packets are captured. For information on configuring a PCAP filter, see
Note: Some qualifiers must be escaped with a backslash because their identifiers are also
keywords within the filter expression parser.
❐ ip proto protocol
   where protocol is a number or name (icmp, udp, tcp).
❐ ether proto protocol
   where protocol can be a number or name (ip, arp, rarp).
Table 4-1. PCAP Filter Expressions

Filter Expression                              Packets Captured
ip host 10.25.36.47                            Captures packets from a specific host with IP address 10.25.36.47.
not ip host 10.25.36.47                        Captures packets from all IP addresses except 10.25.36.47.
ip host 10.25.36.47 and ip host 10.25.36.48    Captures packets sent between two IP addresses: 10.25.36.47 and 10.25.36.48. Packets sent from one of these addresses to other IP addresses are not filtered.
ether host 00:e0:81:01:f8:fc                   Captures packets to or from MAC address 00:e0:81:01:f8:fc.
port 80                                        Captures packets to or from port 80.
ip src www.bluecoat.com and ether broadcast    Captures packets that have IP source of www.bluecoat.com and ethernet broadcast destination.
Important: Define CLI filter expr parameters with double-quotes to avoid
confusion with special characters. For example, a space is interpreted by the CLI as
an additional parameter, but the CLI accepts only one parameter for the filter
expression. Enclosing the entire filter expression in quotations allows multiple
spaces in the filter expression.
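The Note on backslash escaping and the Important note on quoting combine into one rule for building the CLI line. The following is an added example, not part of the manual: the function names are hypothetical, and it assumes that the names needing a backslash are the ones listed for ip proto and ether proto, and that the CLI passes a backslash inside double quotes through unchanged.

```python
# Protocol names listed in the manual for each "proto" qualifier. They are
# also filter keywords, so they take a leading backslash when used as a value.
# (Assumption: these are the qualifiers the manual's Note refers to.)
KEYWORD_PROTOCOLS = {
    "ip": {"icmp", "udp", "tcp"},
    "ether": {"ip", "arp", "rarp"},
}


def escape_proto_keywords(expr: str) -> str:
    """Backslash-escape protocol names that follow 'ip proto' or 'ether proto'."""
    tokens = expr.split()
    out = []
    for i, tok in enumerate(tokens):
        # Numbers and already-escaped names (\tcp) are not in the set, so
        # they pass through untouched and the function is idempotent.
        if (i >= 2 and tokens[i - 1] == "proto"
                and tok in KEYWORD_PROTOCOLS.get(tokens[i - 2], ())):
            tok = "\\" + tok
        out.append(tok)
    return " ".join(out)


def build_pcap_filter_command(expr: str) -> str:
    """Return the CLI line that installs expr as the capture filter."""
    if not expr.strip():
        # 'pcap filter' with no expression removes the filter instead.
        raise ValueError("empty filter expression")
    if '"' in expr or "\n" in expr or "\r" in expr:
        # A stray quote or line break would split the single CLI parameter.
        raise ValueError("expression must not contain quotes or line breaks")
    # The whole expression goes inside one pair of double quotes so the CLI
    # sees exactly one parameter, spaces included.
    return f'pcap filter expr "{escape_proto_keywords(expr)}"'


if __name__ == "__main__":
    # Constructed sample inputs; the first is a row from Table 4-1.
    for sample in ("ip host 10.25.36.47 and ip host 10.25.36.48",
                   "ip proto tcp and port 80",
                   "ether proto arp"):
        print("SGOS#", build_pcap_filter_command(sample))
```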