You can create complex, explicit filters using Berkeley Packet Filter (BPF) expressions to specify what to include or what to exclude in SSL Visibility packet captures.
BPF uses the following operators:
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. If an identifier is given without a keyword, the most recent keyword is assumed. For example: not port 80 and 443 is short for (not port 80) and (port 443) (excludes port 80, includes port 443), which should not be confused with not (port 80 and 443) (excludes both port 80 and 443).
Note: Filters containing net and mask are not valid for IPv6 addresses.
For additional information on using BPF, including all available parameters and syntax, see biot.com/capstats/bpf.html. The table below provides examples of expressions you can use in the Filter Expression field when defining packet capture settings.