

The TCPDUMP filter is similar to the tcpdump utility provided by the operating system.

Filter pattern

The limit for TCPDUMP filter is 4096 characters. Make sure that your filter pattern does not exceed that number of characters.

To filter a capture, use:

packet_count [destination] [filter_expression] [interfaces] max_file_size



packet_count
The maximum packet count to save. Specifying 0 as the packet count causes packets to be saved (sent to the specified address) until a stop is requested using tcpdump stop, or until the maximum file size is reached.

destination
A string giving either the absolute path to the destination file or a colon-separated IP address and port number to which the dump data is sent over UDP.

filter_expression
Optional filtering expression enclosed in double quotes. See the standard tcpdump man page for help on filter expressions.

Note that due to a known tcpdump issue with expression syntax, you need to construct your logical expressions so that the logical order of arguments does not affect packet saving.

interfaces
Optional list of interfaces to be supplied after the filtering expression. The list must be enclosed in double quotes (for example, "eth0 eth1").

max_file_size
Optional maximum output file size, to be specified after the list of interfaces. The value should be specified in bytes.

For example:


host and port 80

host or host

(host or host and port 80

host and host

host and host and port 80

For more information on TCPDUMP filtering, visit www.tcpdump.org

The filters displayed on the Capture packets screen (part of Smart Packet Capture) are generated automatically. To change them, use the tcpdump expression syntax.

Error messages

The following error messages indicate a syntax error in your filter. For syntax help, see BPF Syntax below.

Unknown error
Usually indicates a syntax error that does not fit any of the above descriptions.

Filter is too complex for NAM Probe
On the NAM Probe, a TCP filter can have no more than 5 logical ANDs or ORs. Typical solution: edit the filter expression to include no more than 5 logical ANDs and ORs.

There is no filter with specified ID
Usually indicates an issue on the NAM Probe or NAM Server.

Syntax error in filter expression or expression rejects all packets

Error occurred during capture file opening
Usually indicates an issue with the NAM Probe.

Internal server error
Usually indicates an issue with the NAM Probe.

Value cannot be empty
You must provide a valid filter expression.

Unknown error occurred
Usually indicates a NAM Probe error other than those described above.
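
A pre-submission check for the limits this page states (4096 characters, at most 5 logical ANDs and ORs, a non-empty expression), as an added example that is not part of the NAM documentation or product code. The function name check_filter, the rule that each and/or keyword (or &&, ||) counts once, the choice to measure the expression's own length, and the extra parenthesis-balance check are assumptions made for this illustration.

```python
import re

MAX_FILTER_CHARS = 4096   # limit stated on this page
MAX_LOGICAL_OPS = 5       # "no more than 5 logical ANDs or ORs"

# Parentheses, operators, and everything else as whole words, so that
# "and" inside a host name such as "and.example.com" is not counted and
# the bitwise "&" in "tcp[tcpflags] & tcp-ack" is kept apart from "&&".
_TOKEN = re.compile(r"\(|\)|&&|\|\||&|\||[^\s()&|]+")
_LOGICAL = {"and", "or", "&&", "||"}


def check_filter(expr):
    """Return a list of problems; an empty list means the pre-check passed."""
    if not expr.strip():
        return ["Value cannot be empty"]
    problems = []
    # Assumption: the 4096-character limit applies to the expression text.
    if len(expr) > MAX_FILTER_CHARS:
        problems.append(
            f"Filter is {len(expr)} characters; the limit is {MAX_FILTER_CHARS}")
    tokens = _TOKEN.findall(expr)
    # Assumption: the probe counts each logical operator once.
    ops = sum(1 for t in tokens if t in _LOGICAL)
    if ops > MAX_LOGICAL_OPS:
        problems.append(
            f"Filter is too complex for NAM Probe ({ops} logical operators)")
    # Extra check (not a limit from the page): parentheses must balance.
    depth = 0
    for t in tokens:
        depth += (t == "(") - (t == ")")
        if depth < 0:      # a ")" appeared before its "("
            break
    if depth != 0:
        problems.append(
            "Syntax error in filter expression (unbalanced parentheses)")
    return problems


if __name__ == "__main__":
    samples = [  # constructed sample filters
        "src host hostnameA and dst host hostnameB",
        "(tcp[tcpflags] & tcp-ack) != 0",
        "(host hostA or host hostB and port 80",
        " or ".join(f"host h{i}" for i in range(7)),
    ]
    for s in samples:
        print(s, "->", check_filter(s) or "ok")
```
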

BPF syntax

The filter syntax is standard BPF format as specified in libpcap and used in packet analyzers such as Wireshark and tcpdump. Use the examples below to help you get started, but see the BPF documentation for a complete description of the available commands and syntax.


Match only packets coming from or going to host hostnameA:

 host hostnameA


Match only packets coming from (src=source) host hostnameA:

 src host hostnameA


Match only packets going to (dst=destination) host hostnameB:

 dst host hostnameB


Match only packets that match both of the previous two filters: coming from host hostnameA and going to host hostnameB:

 src host hostnameA and dst host hostnameB


Match only packets that do not match both of the previous two filters, that is, exclude packets that are both coming from host hostnameA and going to host hostnameB:

 not (src host hostnameA and dst host hostnameB)


Match only packets coming from host hostnameA or coming from host hostnameB:

 src host hostnameA or src host hostnameB


Use parentheses to force (or clarify) the order in which the filter compiler resolves your filter expressions.

 ((host hostA) or (host hostB)) and (not (host hostC) and not (host hostD))


Match only ACK packets:

 (tcp[tcpflags] & tcp-ack) != 0

Match only non-ACK packets:

 (tcp[tcpflags] & tcp-ack) = 0

Broadcast and multicast

Match only broadcast/multicast packets (dependent on the subnet mask, which here is

 ip[18] <= 3

Packet length

Match only IP packets with length greater than or equal to 606 bytes:

 ip[2:2] >= 606


Match only outgoing TCP packets coming from <hostname> on any port with a port number in the 2000 to 3000 range:

 src host <hostname> and portrange 2000-3000 and tcp