All data retrieval commands accept an optional filter string. The filter string is used to select which sessions to include in the retrieval.
Filter strings consist of statements, such as SRVIP==123.45.67.89 ("server IP address is 123.45.67.89") and CLNPKTS>=100 ("number of client-transmitted packets is at least 100"), which may be combined using logical operators.
You can combine statements using the following logical operators:
- && : logical 'AND'
- || : logical 'OR'
- ^| : logical 'XOR' (exclusive-OR)
- ! : logical 'NOT'
For example, SRVIP==123.45.67.89 && CLNIP==89.67.45.123 selects only the sessions whose server is 123.45.67.89 and whose client is 89.67.45.123.
Tip: You can build compound statements and specify precedence by using parentheses. For example, (SRVPORT==22 && SRVIP==123.45.67.89) || (SRVIP==89.67.45.123) specifies all sessions which are either connections on port 22 to 123.45.67.89, or connections on ANY port to 89.67.45.123. Parenthesize every time you mix different operators rather than relying on an implicit precedence.
Statements are formed by combining field names (such as SRVIP) with comparators (such as ==) and values to compare them to. The following lists the available comparators and field names.
Comparators
- == : equals
- != : does not equal
- >= : greater than or equal to
- <= : less than or equal to
- > : greater than
- < : less than
Table 13.6. Filter String Fields
Field | Description | Valid Comparators |
---|---|---|
SRVIP | server IP (or CIDR); IPv4: 123.45.67.89/32, or IPv6: fed9::c0:ffee/128 | ==, != |
CLNIP | client IP (or CIDR), same format as SRVIP | ==, != |
ADDR | IP or CIDR block | ==, != |
SRVPORT | server port, integer number | ==, !=, >=, <=, >, < |
CLNPORT | client port, integer number | ==, !=, >=, <=, >, < |
PORT | port, integer number | ==, !=, >=, <=, >, < |
PROTO | protocol, one of TCP/UDP/ICMP, or integer number | ==, !=, >=, <=, >, < |
CLNPKTS | number of client-transmitted packets, integer number | ==, !=, >=, <=, >, < |
SRVPKTS | number of server-transmitted packets, integer number | ==, !=, >=, <=, >, < |
PACKETS | match either of the packet fields (server or client), integer number | ==, !=, >=, <=, >, < |
TOTPKTS | total packets (server plus client), integer number | ==, !=, >=, <=, >, < |
CLNBYTS | number of client-transmitted bytes, integer number | ==, !=, >=, <=, >, < |
SRVBYTS | number of server-transmitted bytes, integer number | ==, !=, >=, <=, >, < |
BYTES | match either of the byte fields (server or client), integer number | ==, !=, >=, <=, >, < |
TOTBYTS | total bytes (server plus client), integer number | ==, !=, >=, <=, >, < |
TTIME | total time of session, floating point, in seconds: 2.5 | ==, !=, >=, <=, >, < |
TOS | ToS/QoS/DiffServ byte, integer number 0-255 | ==, !=, >=, <=, >, < |
CLNCC | client country code, two characters: 'US', 'NL' | ==, != |
SRVCC | server country code, same format as client country code | ==, != |
INIF | inbound interface index, integer number 0-65535 | ==, !=, >=, <=, >, < |
OUTIF | outbound interface index, integer number 0-65535 | ==, !=, >=, <=, >, < |
IFACE | match either of the interface fields (inbound or outbound), integer number 0-65535 | ==, !=, >=, <=, >, < |
INVLAN | inbound VLAN, integer number 0-4095 | ==, !=, >=, <=, >, < |
OUTVLAN | outbound VLAN, integer number 0-4095 | ==, !=, >=, <=, >, < |
VLAN | match either of the VLAN fields (inbound or outbound), integer number 0-4095 | ==, !=, >=, <=, >, < |
CLNAS | client autonomous system number, integer number | ==, !=, >=, <=, >, < |
SRVAS | server autonomous system number, integer number | ==, !=, >=, <=, >, < |
ASN | match either of the autonomous system number fields (server or client), integer number | ==, !=, >=, <=, >, < |
ASAEVT | ASA event code, integer number | ==, !=, >=, <=, >, < |
ASAEXTEVT | ASA extended event code, integer number | ==, !=, >=, <=, >, < |
FLAGS | TCP flags in session, one of: 'FSYN' (SYN), 'FACK' (ACK), 'FRST' (RST), 'FFIN' (FIN), 'FPSH' (PSH), 'FECN' (ECN-echo), 'FCWR' (congestion window reduced), 'FURG' (URG) | ==, != |
EXPIP | IP of the device that exported the record | ==, != |
EXPV | flow version: 1, 5, 7, 9 (NetFlow v1/5/7/9), 18, 20, 21 (sFlow v2/4/5) | ==, != |
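The following is an added example, not the tool's own parser, that implements the grammar described above (the logical operators and parentheses from the first part of this section, and the field and comparator rules from Table 13.6). It tokenizes statements, enforces the Valid Comparators column, matches the IP fields by CIDR membership so that a bare address behaves as a /32 or /128, and combines statements with &&, ||, ^|, ! and parentheses. Several things are assumptions made for the example and are not stated on this page: the session record is a Python dict keyed by field name with FLAGS held as a set of flag names; precedence is ! tightest, then &&, then ^|, then || (the page only promises parentheses); and on the "either" fields (ADDR, PORT, PACKETS, BYTES, IFACE, VLAN, ASN) a statement holds when it holds for at least one of the two underlying fields, with != as the negation of ==. The sample sessions are constructed for the demo, not captured traffic.

```python
# Evaluator for the filter language above: an added example, not the tool's own code. Field names,
# comparators and operators follow the table; everything marked "assumption" is mine, not the page's.
import ipaddress
import re

IP_FIELDS = {"SRVIP", "CLNIP", "EXPIP"}                            # IP or CIDR: membership test
EITHER_FIELDS = {"ADDR": ("SRVIP", "CLNIP"), "PORT": ("SRVPORT", "CLNPORT"), "ASN": ("SRVAS", "CLNAS"),
                 "PACKETS": ("SRVPKTS", "CLNPKTS"), "BYTES": ("SRVBYTS", "CLNBYTS"),
                 "IFACE": ("INIF", "OUTIF"), "VLAN": ("INVLAN", "OUTVLAN")}  # "match either of" fields
EQ_ONLY = IP_FIELDS | {"ADDR", "CLNCC", "SRVCC", "FLAGS", "EXPV"}   # Valid Comparators column
PROTO_NAMES = {"TCP": 6, "UDP": 17, "ICMP": 1}                      # IANA protocol numbers
CONVERT = {"TTIME": float, "CLNCC": str, "SRVCC": str}              # value type per field, default int
COMPARATORS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b,
               "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}
# One token per match: an operator/parenthesis, a whole FIELD<cmp>VALUE statement, or a bad character.
TOKEN_RE = re.compile(r"\s*(?:(?P<op>\(|\)|&&|\|\||\^\||!)|(?P<field>[A-Z]+)(?P<cmp>==|!=|>=|<=|>|<)"
                      r"(?P<val>'[^']*'|[^\s()&|^!']+)|(?P<bad>\S))")

def tokenize(text):
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m["bad"]:
            raise ValueError(f"bad filter syntax at offset {m.start('bad')}: {text[m.start('bad'):]!r}")
        tokens.append(("op", m["op"]) if m["op"] else ("stmt", (m["field"], m["cmp"], m["val"].strip("'"))))
    return tokens

def compile_statement(field, cmp, raw):
    """Turn one FIELD<cmp>VALUE statement into a predicate over a session dict."""
    if field in EQ_ONLY and cmp not in ("==", "!="):
        raise ValueError(f"{field} only supports == and !=")
    keys = EITHER_FIELDS.get(field, (field,))
    if field == "FLAGS":                       # assumption: session["FLAGS"] is a set of flag names
        return lambda s: (raw in s["FLAGS"]) == (cmp == "==")
    if field in IP_FIELDS or field == "ADDR":
        value = ipaddress.ip_network(raw, strict=False)          # bare address -> /32 or /128
        op = lambda have, net: ipaddress.ip_address(have) in net
    else:
        op = COMPARATORS["==" if cmp == "!=" else cmp]
        value = CONVERT.get(field, int)(PROTO_NAMES.get(raw.upper(), raw) if field == "PROTO" else raw)
    # Assumption: an "either" field matches if at least one underlying field matches, and != negates ==.
    return lambda s: any(op(s[k], value) for k in keys) == (cmp != "!=")

class Parser:
    """Recursive descent. Assumed precedence, tightest first: !, &&, ^|, ||; parenthesize when mixing."""
    LEVELS = (("||", lambda a, b: a or b), ("^|", lambda a, b: a != b), ("&&", lambda a, b: a and b))
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def take(self, want=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else None
        if tok is None or (want and tok != ("op", want)):
            raise ValueError(f"expected {want or 'a statement'} at token {self.i}")
        self.i += 1
        return tok
    def parse(self):
        pred = self.expr()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected {self.toks[self.i][1]!r} at token {self.i}")
        return pred
    def expr(self, level=0):                   # binary operators, lowest precedence first
        if level == len(self.LEVELS):
            return self.unary()
        sym, combine = self.LEVELS[level]
        left = self.expr(level + 1)
        while self.i < len(self.toks) and self.toks[self.i] == ("op", sym):
            self.i += 1
            left = (lambda l, r: lambda s: combine(l(s), r(s)))(left, self.expr(level + 1))
        return left
    def unary(self):                           # '!' unary | '(' expr ')' | statement
        tok = self.take()
        if tok == ("op", "!"):
            return (lambda inner: lambda s: not inner(s))(self.unary())
        if tok == ("op", "("):
            inner = self.expr()
            self.take(")")
            return inner
        if tok[0] == "stmt":
            return compile_statement(*tok[1])
        raise ValueError(f"unexpected {tok[1]!r} at token {self.i - 1}")

SESSIONS = {  # constructed sample sessions (not real traffic), keyed by label; only the fields used below
    "ssh":   {"SRVIP": "123.45.67.89", "CLNIP": "10.0.0.5", "SRVPORT": 22, "CLNPORT": 51000, "PROTO": 6,
              "CLNPKTS": 120, "TTIME": 2.5, "CLNCC": "US", "FLAGS": {"FSYN", "FACK", "FFIN"}, "EXPV": 9},
    "https": {"SRVIP": "89.67.45.123", "CLNIP": "10.0.0.7", "SRVPORT": 443, "CLNPORT": 52000, "PROTO": 6,
              "CLNPKTS": 40, "TTIME": 12.0, "CLNCC": "US", "FLAGS": {"FSYN", "FACK", "FRST"}, "EXPV": 5},
    "dns6":  {"SRVIP": "fed9::c0:ffee", "CLNIP": "2001:db8::1", "SRVPORT": 53, "CLNPORT": 40000,
              "PROTO": 17, "CLNPKTS": 2, "TTIME": 0.01, "CLNCC": "NL", "FLAGS": set(), "EXPV": 20},
}

def select(filter_text, sessions=SESSIONS):
    """Labels of the sessions that filter_text selects, in insertion order."""
    pred = Parser(filter_text).parse()
    return [label for label, s in sessions.items() if pred(s)]

def filter_error(filter_text):
    """None if the filter parses, else the reason; reject untrusted input here, before running a query."""
    try:
        Parser(filter_text).parse()
    except ValueError as e:
        return str(e)
```

With the constructed sessions, select("(SRVPORT==22 && SRVIP==123.45.67.89) || (SRVIP==89.67.45.123)") returns the ssh and https sessions, select("ADDR==10.0.0.0/24") matches on the client side of both IPv4 sessions, and select("SRVPORT==22 ^| CLNCC=='US'") returns only the https session because XOR rejects the session where both statements hold. Because the parser turns the string into a predicate rather than passing it through, it is also the right place to refuse filters that arrive from an untrusted source such as a web front end: filter_error() reports a bad comparator for an equality-only field, a dangling operator, an unbalanced parenthesis or an unparsable address without running anything.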