Device Monitoring Studio - TODO

Capture Filter

A monitoring session may have a special filter, called a capture filter, configured. This filter is applied at the earliest possible point, before the monitored packet is sent for any data processing, including Data Recording. It allows the user to filter unneeded packets out before they reach expensive processing. The capture filter uses the currently loaded protocol definitions.

The capture filter is specified in the Session Configuration Window.

You may select one of the pre-defined filters in the Capture Filter combobox, or press the Edit button to open the Capture Filter Configuration Window:

Capture Filter Configuration Window

Use this window to select a display filter from a list, or to enter the filter string manually, give it a name and save it.

You may add, change and remove the capture filter of a running session.

Limitations

Serial Bridge and Remote data sources do not support capture filters.

Capture Filter Syntax

A capture filter expression is an expression that can reference fields of a bound protocol. It should evaluate to a boolean value. If the result of the expression is true, the packet is allowed to “pass”; otherwise it is silently discarded. The result of the expression is automatically cast to boolean according to the following rules:

Expression Type    Conversion Rules
boolean            Used as is
integer            Zero is converted to false, any other value converted to true
string             Empty string is converted to false, any other string is converted to true
Reference          An invalid reference (a reference to non-existing field) is converted to false, otherwise it is true
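
The cast rules above, modeled as an added Python example (not Device Monitoring Studio code and not part of the original documentation). The nested-dictionary packet layout, the names Ref, resolve, cast and captured, and the misspelled reference serial.oi are assumptions made for illustration; serial.io and usb.urb are taken from the Examples section.

```python
# Model of the capture filter's cast-to-boolean rules (illustrative only;
# not Device Monitoring Studio code). Packets are constructed nested dicts.

MISSING = object()  # marks a reference to a non-existing field


class Ref:
    """A field reference such as serial.io."""
    def __init__(self, path):
        self.path = path


def resolve(packet, path):
    """Walk a dotted path through the packet; MISSING if any part is absent."""
    node = packet
    for name in path.split("."):
        if not isinstance(node, dict) or name not in node:
            return MISSING
        node = node[name]
    return node


def cast(packet, result):
    """Convert an expression result to the pass/discard decision."""
    if isinstance(result, Ref):   # reference: valid -> true, invalid -> false
        return resolve(packet, result.path) is not MISSING
    if isinstance(result, bool):  # boolean: used as is (checked before int)
        return result
    if isinstance(result, int):   # integer: zero -> false
        return result != 0
    if isinstance(result, str):   # string: empty -> false
        return result != ""
    raise TypeError(f"unsupported result type: {type(result).__name__}")


def captured(packets, result):
    """Packets that pass; everything else is silently discarded."""
    return [p for p in packets if cast(p, result)]


# Constructed sample packets (field layout is an assumption).
PACKETS = [
    {"serial": {"io": {}}},                        # IOCTL packet
    {"serial": {"Direction": "Down", "Type": 4}},  # Write packet
    {"usb": {"urb": {}}},                          # URB packet
]

if __name__ == "__main__":
    print(len(captured(PACKETS, Ref("serial.io"))))  # only the IOCTL packet passes
    print(len(captured(PACKETS, Ref("serial.oi"))))  # misspelled: nothing passes
```

Because a discarded packet never reaches Data Recording, an empty capture can mean a mistyped field name rather than an idle device.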

A filter expression supports special kinds of immediates in addition to the standard ones:

Immediate       Sample
IPv4 address    127.0.0.1
IPv6 address    fe80::a4e0:281f:768b:ca30
MAC address     56:15:FB:B7:EF:99

When the user types a new filter expression, available fields are automatically suggested by the auto-completion engine. However, this engine is limited in its functionality, and the user is advised to consult the source code of the protocols in use.

Examples

Serial Monitoring

The following filter passes only Serial Input/Output Control packets (IOCTL). This expression evaluates to true if and only if there is a sub-field io in the bound serial field:

serial.io

The following filter passes only Write packets:

serial.Type == 4

The following filter passes only packets that have a non-empty payload:

(serial.Direction == "Up" && serial.Type == 3) || (serial.Direction == "Down" && serial.Type == 4)

USB Monitoring

The following filter passes only URB packets (discards PnP packets, for example):

usb.urb

Network Monitoring

The following filter passes only IP traffic:

ipv4 || ipv6

The following filter passes only packets sent to or received from 192.168.0.1:

ipv4.SourceAddress == 192.168.0.1 || ipv4.DestinationAddress == 192.168.0.1