The basic layer 3 filters are:

• ip or ip6: To capture IP or IPv6 packets.
• host <host>: To get a hostname or address.
• dst host <host>: To get a destination hostname or address.
• src host <host>: To get a source hostname or address.

• gateway <Host name or address>: Captures traffic to or from the hardware address but not to the IP address of the host. This filter captures traffic going through the specified router. This filter requires a hostname that can be found by the local system's name resolution process (for example, DNS).
• net <net>: All packets to or from the specified IPv4/IPv6 network.
• dst net <net>: All packets to the specified IPv4/IPv6 destination network.
• src net <net>: All packets to the specified IPv4/IPv6 destination network.
• net <net> mask <netmask>: All packets to/from the specific network and mask. This syntax is not valid for the IPv6 network.
• dst net <net> mask <netmask>: All packets to/from the specific network and mask. This syntax is not valid for the IPv6 network.
• src net <net> mask <netmask>: All packets to/from the specific network and mask. This syntax is not valid for the IPv6 network.
• net <net>/<len>: All packets to/from the net network with len length in bits.
• dst net <net>/<len>: All packets to/from the net network with len length in bits.
• dst net <net>/<len>: All packets to/from the net network with len length in bits.
• broadcast: All broadcast packets.
• multicast: All multicast packets.
• ip proto <protocol code>: Captures packets while the IP protocol field equals the protocol identifier. There can be various protocols, such as TCP (code 6), UDP (code 17), ICMP (code 1), and so on.

• ip6 proto <protocol>: Captures IPv6 packets with the protocol indicated in the type field. Note that this primitive does not follow the IPv6 extension headers chain.

• icmp[icmptype]==<identifier>: Captures ICMP packets while the identifier is an ICMP code, such as icmp-echo and icmp-request.