Summary: BPF/tcpdump filter syntax reference for the Meraki dashboard packet capture tool, covering host, protocol, port, VLAN, MAC, and combination filters.
The Meraki dashboard packet capture tool (Network → Packet Capture) accepts standard BPF (Berkeley Packet Filter) syntax — the same filter language used by tcpdump. Filters are case-sensitive. Logical operators can be written as words (and, or, not) or symbols (&&, ||, !).
Captures can be scoped to a specific device and interface before applying a filter. On MX appliances, the WAN and LAN interfaces are selectable; on MS switches, individual ports or uplinks can be targeted.
¶ Host and Network
| Filter | What It Captures |
| --- | --- |
| host 10.1.1.50 | All traffic to or from this IP |
| src host 10.1.1.50 | Traffic sourced from this IP only |
| dst host 10.1.1.50 | Traffic destined for this IP only |
| net 10.1.1.0/24 | All traffic to or from this subnet |
| src net 10.1.1.0/24 | Traffic sourced from this subnet |
| dst net 10.1.1.0/24 | Traffic destined for this subnet |
| not host 10.1.1.1 | Exclude a specific host (useful to filter gateway noise) |

| Filter | What It Captures |
| --- | --- |
| tcp | All TCP traffic |
| udp | All UDP traffic |
| icmp | All ICMP (ping, unreachable, TTL exceeded) |
| arp | ARP requests and replies |
| ip | All IPv4 traffic |
| ip6 | All IPv6 traffic |
| not arp | Suppress ARP from a busy capture |

| Filter | What It Captures |
| --- | --- |
| port 443 | TCP or UDP on port 443 (either direction) |
| tcp port 443 | TCP port 443 only |
| udp port 53 | DNS queries and responses |
| src port 68 | DHCP client (source port 68) |
| dst port 67 | DHCP server (destination port 67) |
| port 67 or port 68 | Full DHCP exchange |
| tcp portrange 1024-65535 | Ephemeral port range |
| not port 22 | Exclude SSH (suppress management traffic) |

| Filter | What It Captures |
| --- | --- |
| ether host aa:bb:cc:dd:ee:ff | All frames to or from this MAC |
| ether src aa:bb:cc:dd:ee:ff | Frames sourced from this MAC |
| ether dst aa:bb:cc:dd:ee:ff | Frames destined for this MAC |
| ether broadcast | Broadcast frames only |
| ether multicast | Multicast frames only |

⚠️ MAC Filters on MX
MAC-level filters work on Layer 2 interfaces (MS switch ports, MR wireless). On MX WAN-facing interfaces, packets may arrive without the original client MAC — use IP filters for WAN-side captures.

| Filter | What It Captures |
| --- | --- |
| vlan 100 | Traffic tagged with VLAN 100 |
| vlan 100 and host 10.1.100.5 | Tagged VLAN 100 frames to/from a specific host |
| vlan | Any 802.1Q-tagged frame (regardless of VLAN ID) |

⚠️ VLAN Tag Visibility
VLAN tags are visible in captures taken on trunk ports or uplink interfaces. On access ports, frames arrive untagged — use IP or MAC filters instead.

| Filter | What It Captures |
| --- | --- |
| greater 1400 | Packets larger than 1400 bytes (MTU/fragmentation investigation) |
| less 100 | Small packets — useful for finding ACK storms or keepalives |
| len == 1500 | Packets at exactly 1500 bytes (potential fragmentation boundary) |

Useful for diagnosing connection establishment, resets, or retransmissions.

| Filter | What It Captures |
| --- | --- |
| tcp[tcpflags] & tcp-syn != 0 | Any packet with the SYN flag set |
| tcp[tcpflags] & tcp-rst != 0 | Any TCP RST (connection resets) |
| tcp[tcpflags] & tcp-fin != 0 | Any TCP FIN (session teardown) |
| tcp[tcpflags] == tcp-syn | SYN-only (new connection attempts, no SYN-ACK) |
| tcp[tcpflags] == (tcp-syn\|tcp-ack) | SYN-ACK only (server responses to new connections) |
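
The difference between the mask tests (`& ... != 0`) and the equality tests (`==`) in the TCP flag filters, as an added example that is not part of the original page: this Python sketch applies the five flag filters to constructed 20-byte TCP headers. The helper names, port numbers, and sample packets are assumptions made for illustration; the ECN-setup case shows that `tcp[tcpflags] == tcp-syn` skips a SYN that also carries the ECE and CWR bits.

```python
import struct

# Flag bits in byte 13 of the TCP header (the byte tcp[tcpflags] reads).
FIN, SYN, RST, ACK, ECE, CWR = 0x01, 0x02, 0x04, 0x10, 0x40, 0x80

# The five flag filters, re-expressed as predicates on that byte.
FILTERS = {
    "tcp[tcpflags] & tcp-syn != 0": lambda f: (f & SYN) != 0,
    "tcp[tcpflags] & tcp-rst != 0": lambda f: (f & RST) != 0,
    "tcp[tcpflags] & tcp-fin != 0": lambda f: (f & FIN) != 0,
    "tcp[tcpflags] == tcp-syn": lambda f: f == SYN,
    "tcp[tcpflags] == (tcp-syn|tcp-ack)": lambda f: f == (SYN | ACK),
}

def build_tcp_header(flags, sport=50000, dport=443):
    """Constructed 20-byte TCP header: no options, checksum left at zero."""
    data_offset = 5 << 4  # header length of 5 32-bit words in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                       data_offset, flags, 65535, 0, 0)

def matching_filters(header):
    """Return the flag filters that would capture this TCP header."""
    flags = header[13]
    return [expr for expr, pred in FILTERS.items() if pred(flags)]

# Constructed sample packets (hypothetical, not taken from a real capture).
SAMPLES = {
    "SYN": SYN,
    "SYN-ACK": SYN | ACK,
    "ACK": ACK,
    "FIN-ACK": FIN | ACK,
    "RST-ACK": RST | ACK,
    "SYN with ECE+CWR (ECN setup)": SYN | ECE | CWR,
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        hits = matching_filters(build_tcp_header(flags))
        print(f"{name:30} flags=0x{flags:02x}")
        for expr in hits or ["(no flag filter matches)"]:
            print(f"    {expr}")
```
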
port 67 or port 68
icmp and host 10.1.1.50
¶ HTTP and HTTPS traffic to a web server
host 203.0.113.10 and (port 80 or port 443)
udp port 53
host 10.1.1.10 and host 10.1.1.20
host 10.1.1.100 and not port 22
tcp[tcpflags] & tcp-rst != 0 and host 10.1.1.100
tcp[tcpflags] == tcp-syn
host 10.1.1.50 and greater 1400
vlan 100 and host 10.1.100.50
¶ Exclude noisy multicast and broadcast
not ether multicast and not ether broadcast
- The Meraki dashboard caps captures at 25 MB or 30 seconds by default — use precise filters rather than capturing everything and filtering in Wireshark.
- Captured packets download as a .pcap file, openable in Wireshark.
- Wrap complex expressions in parentheses to ensure operator precedence: (tcp or udp) and port 443, not tcp or udp and port 443.
- On MS switches, capturing on an uplink port while filtering by a client IP is the most efficient way to trace east-west traffic.
- Meraki MX captures on the wan1 or wan2 interface show post-NAT traffic (public IPs). Capture on lan or a VLAN interface to see private-side addresses.