This section contains information on using JavaScript to construct custom filters, which allows very specific filtering.
Section 11.1, “Basic use of filters” describes the basic use of filters. To use a filter, an expression is entered into the filter bar, which specifies what to filter on. The filter expression is actually interpreted in JavaScript, which allows the full power of JavaScript to be used to create a filter. The expression can take the form of a series of JavaScript statements, eg
statement-1; statement-2; ... statement-n
Each of these statements is evaluated for each network traffic
datapoint
found. The result used by the filter is the result of the
final statement,
statement-n
,
which must be a boolean. If the result is
true
,
then the datapoint is passed by the filter, and added to
the chart. If the result is
false
,
then that datapoint is discarded. If the final expression
is not a boolean, then an error is indicated. Note that the
statements prior to the final one may have side effects,
that affect the result of the final statement.
The terms that can be referenced from the filter are listed in Section 11.3, “Terms available for use in filters”. Any valid JavaScript boolean operator or function can be used to evaluate a term. This includes regular expressions, which allow more complex pattern matching than equality.
A common requirement, but one difficult to formulate in a filter,
is testing if an IP address is a member of a specific subnet. To
make this easier, a function is provided for this purpose:
inSubnet(address, subnet, maskBits)
.
This will return true
if address
is a member of subnet
with a mask of length
maskBits
. address
can be any address
field, or in fact any string representing an IP address.
For example, to create a filter to retain only traffic from subnet 10.1.2.0/24, use this filter:
inSubnet(ipSource, "10.1.2.0", 24)
More complex filters can be constructed; for example, if you wanted all traffic from the above subnet going to another subnet 192.168.0.0/16, then you could use:
inSubnet(ipSource, "10.1.2.0", 24) && inSubnet(ipDestination, "192.168.0.0", 16)
Similarly to inSubnet
, an address can be tested for falling
within a range of IP addresses, but where the range may not form a valid subnet.
For this, use the function inIPRange(address, rangeStart, rangeEnd)
.
This will return true
if address
is greater
than or equal to rangeStart
and less than or equal to
rangeEnd
. rangeStart
and rangeEnd
can be
either IPv4 or IPv6 addresses (both must be of the same version).
For example, to create a filter to retain only traffic sourced from 10.1.2.1 to 10.1.2.10, use the filter:
inIPRange(ipSource, "10.1.2.1", "10.1.2.10")