Post-filtering via command line
Post-filtering via command line can save you time if you are comfortable building a filter using text.
Prerequisite(s):  
You have enabled command-line filtering.
 
As an alternative to setting up filters in the traditional way, you can post-filter your packet captures via the command line.
Note: Command-line filtering must be enabled before continuing. See Enabling command-line filtering.
Some benefits of creating a command-line filter include:
Ability to create custom filters without losing focus of your capture window
Ability to automatically convert to a traditional filter that is...
persistent, exportable, and shareable using OMS or the network
suitable for more complex rules or later reconfiguration
Familiarity with command-line interfaces may save you time
You can either type the text manually or use text building blocks to aid your syntax. To use this tool most efficiently, we highly recommend using saved packet captures.
This filtering process also works with an unsaved, real-time packet capture, but be aware that the data shown after the filter is applied is a static snapshot. Your packet capture is still running, but new packets are not shown in the filtered view. Re-run your query from the active packet capture window to refresh your filtered data.
To post-filter via command line:
1. Click the File tab, and click Open > Local Packet Captures > Load and Analyze.
2. Navigate to the capture file you want to load, and select it.
3. Click Open. The capture file loads into Observer and you arrive at the Decode and Analysis tool.
4. Click the Type Script Filter button.
If you do not see the Type Script Filter button, verify you have enabled command-line filtering.
5. Build your filter, using the building blocks list as your guide.
Descriptions of each building block, including example usage, can be found in Table 15.
 
Figure 27: Use building blocks as your guide
 
6. Click Apply when finished.
The packet capture is filtered according to the rules. If you encounter an error, or provide improper syntax, Observer alerts you that the filter must be fixed.
7. To automatically convert your command-line filter to a traditional Observer filter, which can be kept forever, click Save Filter.
 
 
 
Table 15. Building blocks

Building block: -ip=
Examples:
  -ip=10.0.36.139
  -ip=74.125.224.72
Description: IPv4 Address—use this to filter for a single IP address (IPv4).

Building block: -ip_pair=
Examples:
  -ip_pair=10.0.36.139/10.0.36.154
  -ip_pair=10.0.36.139/74.125.224.72
Description: IPv4 Pair—use this to filter for two IP addresses (IPv4) that have conversed with each other.

Building block: -ip_range=
Examples:
  -ip_range=10.0.36.1/10.0.36.255
  -ip_range=192.168.0.20/192.168.0.100
Description: IPv4 Range—use this to filter for any IP address (IPv4) within a set range. The IP addresses that form the beginning and the end of the range are included in the filter.

Building block: -ipv6=
Examples:
  -ipv6=FE80::F544:9E0:9C81:9FB1
  -ipv6=ff00::7f00:1
Description: IPv6 Address—use this to filter for a single IP address (IPv6).

Building block: -ipv6_pair=
Examples:
  -ipv6_pair=FE80::F544:9E0:9C81:9FB1/2002::4A7D:E048
Description: IPv6 Pair—use this to filter for two IP addresses (IPv6) that have conversed with each other.

Building block: -ipv6_range=
Examples:
  -ipv6_range=FE80::A00:2401/FE80::A00:24FF
Description: IPv6 Range—use this to filter for any IP address (IPv6) within a set range. The IP addresses that form the beginning and the end of the range are included in the filter.

Building block: -mac=
Examples:
  -mac=00:0C:85:BD:08:80
  -mac=00:50:56:2E:AB:A0
Description: MAC Address—use this to filter for a single MAC (hardware) address.

Building block: -mac_pair=
Examples:
  -mac_pair=00:50:56:2E:AB:A0/00:0C:85:BD:08:80
Description: MAC Address Pair—use this to filter for two MAC addresses that have conversed with each other.

Building block: -mac_range=
Examples:
  -mac_range=01:00:5E:00:00:00/01:00:5E:7F:FF:FF
Description: MAC Address Range—use this to filter for any MAC address within a set range. The MAC addresses that form the beginning and the end of the range are included in the filter.

Building block: -regex=

Building block: -tcp=
Examples:
  -tcp=22
  -tcp=80
  -tcp=25901 -and -tcp=25903
  -tcp=63268
Description: TCP Port—use this to filter for a single TCP port number. As with other building blocks, you can add more using an -and building block.

Building block: -tcp_pair=
Examples:
  -tcp_pair=63268/25901
  -tcp_pair=25901/25903
  -tcp_pair=3389/3391
Description: TCP Port Pair—use this to filter for any pair of TCP ports that have conversed with each other. Direction does not matter for this building block; the filter looks for the pair of ports regardless of source or destination.

Building block: -tcp_range=
Examples:
  -tcp_range=0/5000
  -tcp_range=35/1023
  -tcp_range=60000/63500
Description: TCP Port Range—use this to filter for communication on any TCP port within the specified range. The port numbers that form the beginning and the end of the range are included in the filter. Direction does not matter for this building block; the filter matches a port in the range regardless of source or destination.

Building block: -udp=
Examples:
  -udp=53
  -udp=88
  -udp=26000 -and -udp=61001
Description: UDP Port—use this to filter for a single UDP port number. As with other building blocks, you can add more using an -and building block.

Building block: -udp_pair=
Examples:
  -udp_pair=63240/27015
  -udp_pair=49501/42
Description: UDP Port Pair—use this to filter for any pair of UDP ports that have conversed with each other. Direction does not matter for this building block; the filter looks for the pair of ports regardless of source or destination.

Building block: -udp_range=
Examples:
  -udp_range=27901/27910
  -udp_range=27030/27000
  -udp_range=0/1023
Description: UDP Port Range—use this to filter for communication on any UDP port within the specified range. The port numbers that form the beginning and the end of the range are included in the filter. Direction does not matter for this building block; the filter matches a port in the range regardless of source or destination.

Building block: -vlan=
Examples:
  -vlan=101
  -vlan=101 -and -vlan=102
Description: VLAN ID—use this to filter for a single VLAN ID. As with other building blocks, you can add more using an -and building block.

Building block: (space character)
Examples:
  -tcp=80 -tcp=8080
  (TCP port 80 -OR- TCP port 8080)
Description: Use this to denote a logical OR. It includes more items and broadens the scope of your filter.

Building block: / (forward slash)
Examples:
  -ip_range=10.0.36.1/10.0.36.255
  (Any IPv4 address between 10.0.36.1 and 10.0.36.255)
Description: Use this to separate the two values of a range or a pair. Do not add a leading or trailing space character around the forward slash.
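The following is an added example, not Observer's own code: a small Python evaluator for the building-block syntax in Table 15, applied to constructed packet records, so you can see how a space (OR), -and, and the forward slash combine before running a filter in Observer. It assumes, since the page does not say, that -and binds tighter than the space, so a filter is an OR of AND-groups, and it covers the IPv4, TCP, UDP and VLAN blocks only.

```python
# Added example (not Observer's own code): evaluator for the Table 15 syntax over
# constructed packet records. Assumed: -and binds tighter than the space (OR).
import ipaddress

PACKETS = [  # constructed sample records, one per captured packet
    {"src": "10.0.36.139", "dst": "74.125.224.72", "proto": "tcp", "ports": (63268, 80), "vlan": 101},
    {"src": "10.0.36.154", "dst": "10.0.36.139", "proto": "tcp", "ports": (25903, 25901), "vlan": 101},
    {"src": "192.168.0.25", "dst": "8.8.8.8", "proto": "udp", "ports": (49501, 53), "vlan": 102},
]

def parse(text):  # -> list of AND-groups, each a list of (kind, value) tuples
    groups, group, joining = [], [], False
    for tok in text.split():
        if tok == "-and":  # joins the next block to the current group
            joining = True
            continue
        kind, eq, value = tok[1:].partition("=")
        if not (tok.startswith("-") and eq and value):
            raise ValueError(f"improper syntax: {tok!r}")
        if group and not joining:  # a bare space starts a new OR alternative
            groups.append(group)
            group = []
        group.append((kind, value))
        joining = False
    if joining or not group:
        raise ValueError("filter is empty or ends with -and")
    return groups + [group]

def match_block(pkt, kind, value):  # direction is ignored, as in Observer
    proto, _, form = kind.partition("_")
    fields = {"ip": ((pkt["src"], pkt["dst"]), ipaddress.ip_address), "vlan": ((pkt["vlan"],), int),
              "tcp": (pkt["ports"], int), "udp": (pkt["ports"], int)}
    if proto not in fields or form not in ("", "pair", "range"):
        raise ValueError(f"unsupported building block: -{kind}=")
    if proto in ("tcp", "udp") and pkt["proto"] != proto:
        return False  # packet uses the other transport protocol
    have, conv = fields[proto]
    want, have = [conv(v) for v in value.split("/")], [conv(h) for h in have]
    if len(want) != (1 if form == "" else 2):
        raise ValueError(f"bad value for -{kind}=: {value!r}")
    if form == "":  # single value on either end
        return want[0] in have
    if form == "pair":  # both ends present, either direction
        return set(want) == set(have)
    lo, hi = sorted(want)  # range: both bounds are included
    return any(lo <= h <= hi for h in have)

def apply_filter(text, packets=PACKETS):  # packets for which some AND-group is satisfied
    groups = parse(text)
    return [p for p in packets if any(all(match_block(p, k, v) for k, v in g) for g in groups)]
```

A ValueError from parse or match_block corresponds to the point at which Observer would alert you that the filter must be fixed.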