All data retrieval commands accept an optional filter string. The filter string is used to select which sessions to include in the retrieval.

Filter strings consist of statements, such as SRVIP==123.45.67.89 ("server IP address is 123.45.67.89") and CLNPKTS>=100 ("number of client-transmitted packets is at least 100"), which may be combined using logical operators.

You can combine statements using the following logical operators:

For example: SRVIP==123.45.67.89 && CLNIP==89.67.45.123

Tip

You can build compound statements and specify precedence by using parentheses. For example, you might use:

(SRVPORT==22 && SRVIP==123.45.67.89) || (SRVIP==89.67.45.123)

to specify all sessions which are either connections on port 22 to 123.45.67.89, or connections on ANY port to 89.67.45.123.

Statements are formed by combining a field name (such as SRVIP) with a comparator (such as ==) and a value to compare against. The following table lists the available field names and the comparators each one accepts.

Table 11.6. Filter String Fields

| Field | Description | Valid Comparators |
|---|---|---|
| SRVIP | server IP (or CIDR), IPv4: 123.45.67.89/32, or IPv6: fed9::c0:ffee/128 | ==, != |
| CLNIP | client IP (or CIDR), same as SRVIP | ==, != |
| ADDR | IP or CIDR block | ==, != |
| SRVPORT | server port, integer number | ==, !=, >=, <=, >, < |
| CLNPORT | client port, integer number | ==, !=, >=, <=, >, < |
| PORT | port, integer number | ==, !=, >=, <=, >, < |
| PROTO | protocol, one of TCP/UDP/ICMP, or integer number | ==, !=, >=, <=, >, < |
| CLNPKTS | number of client transmitted packets, integer number | ==, !=, >=, <=, >, < |
| SRVPKTS | number of server transmitted packets, integer number | ==, !=, >=, <=, >, < |
| PACKETS | match either of the packet fields (server or client), integer number | ==, !=, >=, <=, >, < |
| TOTPKTS | total packets (server plus client), integer number | ==, !=, >=, <=, >, < |
| CLNBYTS | number of client transmitted bytes, integer number | ==, !=, >=, <=, >, < |
| SRVBYTS | number of server transmitted bytes, integer number | ==, !=, >=, <=, >, < |
| BYTES | match either of the bytes fields (server or client), integer number | ==, !=, >=, <=, >, < |
| TOTBYTS | total bytes (server plus client), integer number | ==, !=, >=, <=, >, < |
| TTIME | total time of session, floating point, in seconds: 2.5 | ==, !=, >=, <=, >, < |
| TOS | ToS, QoS, DiffServ, integer number 0-256 | ==, !=, >=, <=, >, < |
| CLNCC | client country code, two characters: 'US', 'NL' | ==, != |
| SRVCC | server country code, same as client country code | ==, != |
| INIF | inbound interface, integer number 0-65536 | ==, !=, >=, <=, >, < |
| OUTIF | outbound interface, integer number 0-65536 | ==, !=, >=, <=, >, < |
| IFACE | match either of the interface fields (inbound or outbound), integer number 0-65536 | ==, !=, >=, <=, >, < |
| INVLAN | inbound VLAN, integer number 0-4096 | ==, !=, >=, <=, >, < |
| OUTVLAN | outbound VLAN, integer number 0-4096 | ==, !=, >=, <=, >, < |
| VLAN | match either of the VLAN fields (inbound or outbound), integer number 0-4096 | ==, !=, >=, <=, >, < |
| CLNAS | client autonomous system number, integer number | ==, !=, >=, <=, >, < |
| SRVAS | server autonomous system number, integer number | ==, !=, >=, <=, >, < |
| ASN | match either of the autonomous system number fields (server or client), integer number | ==, !=, >=, <=, >, < |
| ASAEVT | ASA event code, integer number | ==, !=, >=, <=, >, < |
| ASAEXTEVT | ASA extended event code, integer number | ==, !=, >=, <=, >, < |
| FLAGS | TCP flags in session, one of: 'FSYN' (syn), 'FACK' (ack), 'FRST' (reset), 'FFIN' (fin), 'FPSH' (push), 'FECN' (ECN-echo), 'FCWR' (congestion window reduced), 'FURG' (urgent) | ==, != |
| EXPIP | IP of the device that exported the record | ==, != |
| EXPV | flow version, use: 1, 5, 7, 9 (NetFlow v1/5/7/9), 18, 20, 21 (sFlow v2/4/5) | ==, != |
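
A minimal validator for the filter grammar described above, as an added example rather than the product's own parser: it checks each statement's field name and comparator against Table 11.6 before a filter string is passed to a retrieval command. It assumes only the && and || operators shown on this page, rejects unparenthesized mixes of the two because the page does not state their precedence, and does not type-check values; the function names are hypothetical.

```python
import re

# Fields the table lists with only == and != ; all other fields also take >=, <=, >, <.
EQ_ONLY = {"SRVIP", "CLNIP", "ADDR", "CLNCC", "SRVCC", "FLAGS", "EXPIP", "EXPV"}
ORDERED = set(("SRVPORT CLNPORT PORT PROTO CLNPKTS SRVPKTS PACKETS TOTPKTS CLNBYTS "
               "SRVBYTS BYTES TOTBYTS TTIME TOS INIF OUTIF IFACE INVLAN OUTVLAN VLAN "
               "CLNAS SRVAS ASN ASAEVT ASAEXTEVT").split())
EQ, ORD = ("==", "!="), ("==", "!=", ">=", "<=", ">", "<")
TOKEN = re.compile(r"\s*(&&|\|\||[()]|==|!=|>=|<=|>|<|[^\s()&|=!<>]+)")

def tokenize(text):
    toks = TOKEN.findall(text)
    if "".join(toks) != "".join(text.split()):  # some character matched no token
        raise ValueError("unexpected character in filter string")
    return toks

def parse(text):  # returns a nested-tuple AST, or raises ValueError on the first problem
    tree, rest = _expr(tokenize(text))
    if rest:
        raise ValueError(f"unexpected token {rest[0]!r}")
    return tree

def _expr(toks):
    node, toks = _term(toks)
    op = None
    while toks and toks[0] in ("&&", "||"):
        if op and toks[0] != op:  # precedence is not stated on the page: demand parentheses
            raise ValueError("mixing && and || requires parentheses")
        op = toks[0]
        right, toks = _term(toks[1:])
        node = (op, node, right)
    return node, toks

def _term(toks):
    if toks and toks[0] == "(":
        node, toks = _expr(toks[1:])
        if not toks or toks[0] != ")":
            raise ValueError("missing ')'")
        return node, toks[1:]
    if len(toks) < 3:
        raise ValueError("incomplete statement")
    field, cmp_, value = toks[:3]
    if field not in EQ_ONLY | ORDERED:
        raise ValueError(f"unknown field {field!r}")
    if cmp_ not in (EQ if field in EQ_ONLY else ORD):
        raise ValueError(f"{field} does not accept {cmp_!r}")
    if value in ORD + ("&&", "||", "(", ")"):
        raise ValueError(f"missing value after {field}{cmp_}")
    return (cmp_, field, value), toks[3:]
```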