Capture Filters
Use capture filters to select what traffic to include in flow logs or VTAPs.
You can create two types of capture filters: Flow log capture filters and VTAP capture filters. Both types use rules to include or exclude packets. Flow log capture filters also let you to specify a sampling rate.
Capture filters can be used by many VTAPs or flow logs. When you change the configuration for a capture filter, then all the resources that use that capture filter are impacted. You can only use capture filters of the appropriate type with a resource. For example, you can't use a VTAP capture filter with a flow log.
For more information, see VCN Flow Logs and Virtual Test Access Points.
Sampling Rate
When you create a flow log capture filter, you can specify a sampling rate. The capture filter sampling rate controls the percentage of network flows you want the flow log to capture. Then, rules are applied by the capture filter to include or exclude packets in the flow from logging.
Rules
A capture filter must have at least one rule, and can have up to 10 rules. Capture filter rules are examined in the sequence order you define. When a match is found, that rule is applied. If no match is found on a particular rule, the next rule in the sequence is evaluated and run if matched. Reordering the rules can change the capture filter behavior. A capture filter can take an action (either include or exclude a packet) based on the following types of criteria:
- The packet is part of ingress or egress traffic
- The packet is bound for or coming from a specific source or destination IPv4 CIDR block or IPv6 prefix
- The packet uses a specific IP protocol parameter (TCP or UDP port range, ICMP , ICMPv6) used by the traffic, or any protocols (using the default, All)
If a rule doesn't specify a CIDR block or prefix or IP protocol, all IP addresses or IP protocols are accepted for that rule.
Here's a working example of how you might structure a set of rules. The intent is that all traffic from 10.1.0.0/16 is included except 10.1.1.1, which is excluded:
- Source CIDR: 10.1.1.1/32, Exclude
- Source CIDR: 10.1.0.0/16, Include
- Source CIDR: 10.1.1.0/24, Include
The capture filter evaluates each packet in the traffic against the rules in the defined sequence order. A packet from 10.1.1.1 matches the first rule and is excluded from the mirrored traffic. The packet is not compared against the other rules in the set. The rule set works as intended.
If the first rule is moved to be third in the sequence order, the set of rules no longer works as intended:
- Source CIDR: 10.1.0.0/16, Include
- Source CIDR: 10.1.1.0/24, Include
- Source CIDR: 10.1.1.1/32, Exclude
Because the capture filter rules evaluate each packet in the traffic in the defined sequence order, a packet from 10.1.1.1 now matches the first rule and is included in the mirrored traffic. Further rule evaluations are skipped. This example uses CIDR blocks, but rules are evaluated the same way no matter which source type you choose.
If a packet doesn't match any rule, then it's ignored and it isn't included in the log. If you want packets that aren't otherwise specified in a rule to be included in a log, you can create an Include rule for the source CIDR of 0.0.0.0/0. This captures any 'leftover' packets in a log that aren't captured in a previous rule.
Here's an example: The intent is that all traffic from 10.1.1.1 is excluded, and everything else is included.
- Source CIDR: 10.1.1.1/32, Exclude
- Source CIDR: 0.0.0.0/0, Include
Using 0.0.0.0/0 to log packets can produce a large amount of log data.