CoreScope packet filters

Where the filter lives

Open CoreScope and go to the Packets view. The long box at the top is the filter — type an expression and the table narrows as you go. Five ways to drive it:

Type it. Autocomplete pops as you go — ↑/↓ to move, Tab or Enter to accept, Esc to dismiss.
ⓘ Help opens the built-in syntax card (fields, operators, examples).
Right-click any cell in the packet table → “Filter by this value” adds a matching clause (joined with &&).
★ Saved holds the built-in starters plus anything you save.
Share a view by appending ?filter=… to the page URL — the whole expression travels in the link.

Next to the expression box are two quick fields that don’t use this language: Hash (matches a hex hash prefix) and Node name (sender or anywhere in the path). Handy for a fast lookup; everything else below is the expression box.

// syntax

The shape of a filter

A filter is field · operator · value, chained with boolean logic.

field        operator     value
snr          >            5
type         ==           ADVERT
payload.name contains     "Gilroy"
age          <            1h

# chain them
type == ADVERT && snr > 5          && = and
type == ACK || type == TRACE        || = or
!type == ACK                       ! = not
( type==ADVERT || type==ACK ) && snr>0   ( ) group
transport                            bare field = "has a value"

Combine clauses with && (and), || (or), ! (not), and ( ) to group. The words and / or / not are not recognized — use the symbols.
&& binds tighter than ||, so a && b || c means (a && b) || c. Add parentheses when in doubt.
A bare field with no operator is a “has a value” test — transport or payload.flags.hasLocation.
Strings are case-insensitive. !type == ADVERT reads as not (type == ADVERT).

// operators

Operators

Type the operator exactly as shown — symbols and lowercase words.

Operator	Use	Type it like
==	Equal (case-insensitive for text; alias-aware for `type`/`route`)	`type == ADVERT`
!=	Not equal	`type != ACK`
>	Greater than (numbers)	`snr > 5`
<	Less than (numbers)	`rssi < -90`
>=	Greater or equal	`hops >= 2`
<=	Less or equal	`size <= 100`
contains	Substring anywhere (case-insensitive)	`payload.name contains "Gilroy"`
starts_with	Text prefix	`hash starts_with "8a91"`
ends_with	Text suffix	`hash ends_with "ff"`
after	Datetime / epoch after	`time after "2026-01-01"`
before	Datetime / epoch before	`time before "2026-12-31"`
between	Two values, space-separated — dates or numbers	`snr between 4 9`
in	Any of a parenthesized, comma-separated list	`iata in ("MSN","ORD")`

No wildcards or regex. For partial text use contains / starts_with / ends_with.

// fields

Fields

Everything you can filter on, straight from the parser.

Field	What it is	Example
type	Payload type (see values below)	`type == ADVERT`
route	Route type (see values below)	`route == DIRECT`
transport	True if route is TRANSPORT_FLOOD / TRANSPORT_DIRECT	`transport`
hash	Packet hash (hex)	`hash starts_with "8a91"`
raw	Full raw packet hex	`raw contains "ffff"`
size	Total packet size in bytes	`size > 100`
snr	Signal-to-noise ratio (dB)	`snr > 5`
rssi	Received signal strength (dBm)	`rssi > -90`
hops	Number of hops in the path	`hops >= 2`
observer	Observer station name	`observer == "Lake Edge"`
observer_id	Observer pubkey / id	`observer_id starts_with "a1"`
observer_iata · iata	Observer IATA region code (`iata` is an alias)	`iata == "MSN"`
observations	How many times this packet was seen	`observations > 3`
path	Hop path, arrow-joined	`path contains "Gilroy"`
payload_bytes	Payload size in bytes (size − 2 header)	`payload_bytes > 20`
payload_hex	Payload bytes as hex (raw without header)	`payload_hex starts_with "10"`
time · timestamp	Packet timestamp (epoch ms)	`time after "2026-01-01"`
age	Seconds since seen — pair with a duration	`age < 1h`
code1 · code2	Transport route codes (hex) — on TRANSPORT_FLOOD/DIRECT	`code1 == "AABB"`
payload.name	Decoded node name (adverts)	`payload.name contains "Repeater"`
payload.lat · payload.lon	Decoded coordinates	`payload.lat > 43`
payload.text	Decoded message text (channel / DM)	`payload.text contains "weather"`
payload.channel	Decoded channel name	`payload.channel == "General"`
payload.channelHash	Decoded channel hash	`payload.channelHash == "1a"`
payload.sender	Decoded sender name	`payload.sender contains "KJ6"`
payload.flags.repeater	Advert flag — repeater role	`payload.flags.repeater == true`
payload.flags.room	Advert flag — room server	`payload.flags.room`
payload.flags.hasLocation	Advert carries a location	`payload.flags.hasLocation`
payload.<key>	Any decoded field by dot path	`payload.battery < 20`

// values

type values

Use a canonical name, or one of the friendly aliases — both work with == and !=.

# canonical (type == <one of>)
REQ   RESPONSE   TXT_MSG   ACK   ADVERT   GRP_TXT   GRP_DATA
ANON_REQ   PATH   TRACE   MULTIPART   CONTROL   RAW_CUSTOM

Type these aliases…	…and you get
request	`REQ`
response	`RESPONSE`
dm · direct msg	`TXT_MSG`
ack	`ACK`
advert	`ADVERT`
channel · channel msg	`GRP_TXT`
group data	`GRP_DATA`
anon req	`ANON_REQ`
path	`PATH`
trace	`TRACE`
multipart	`MULTIPART`
control	`CONTROL`
raw · custom	`RAW_CUSTOM`

Aliases with a space need quotes: type == "direct msg". Single words don’t: type == advert.

// values

route values

# route == <one of>
FLOOD   DIRECT   TRANSPORT_FLOOD   TRANSPORT_DIRECT

# shorthand aliases
t_flood   →  TRANSPORT_FLOOD
t_direct  →  TRANSPORT_DIRECT

Or skip the names: transport is true for both transport routes (TRANSPORT_FLOOD and TRANSPORT_DIRECT).

// time

Durations & datetimes

Durations attach a unit to a number — use them with age and the numeric operators (< > <= >=):

s seconds   m minutes   h hours   d days   w weeks

age < 30m            # seen in the last half hour
age > 2h             # older than two hours
age > 5m && age < 1h  # a window (chain two clauses)

Datetimes go with after / before / between on the time field — an ISO date in quotes, or raw epoch milliseconds:

time after "2026-01-01"
time before "2026-06-01T12:00"
time between "2026-01-01" "2026-02-01"

// rules

Quoting & gotchas

Quote anything with a space or lowercase letters: observer == "Lake Edge", payload.text contains "good morning".
Numbers and ALL-CAPS names can skip quotes: snr > 5, type == ADVERT. Both "ADVERT" and ADVERT work.
Negatives and decimals are fine: rssi < -90, snr >= 5.5.
A missing field fails every comparison — including !=. A packet with no snr won’t match snr != 0.
contains & friends are string ops — their value is always quoted.
Errors are silent-safe: a half-typed or invalid expression simply shows everything until it parses.

// starters

Built-in saved filters

Already in the ★ Saved dropdown — good templates to tweak.

Name	Expression
Adverts only	`type == ADVERT`
Channel traffic	`type == GRP_TXT`
Direct messages	`type == TXT_MSG`
Strong signal	`snr > 5`
Multi-hop	`hops > 1`
Repeater adverts	`type == ADVERT && payload.flags.repeater == true`
Recent (last 5 min)	`age < 5m`

// cookbook

Copy-paste recipes

Real filters for real questions. Swap the names and numbers.

You want…	Filter
Repeater adverts only	`type == ADVERT && payload.flags.repeater`
Room-server adverts	`type == ADVERT && payload.flags.room`
Adverts with a location fix	`type == ADVERT && payload.flags.hasLocation`
One node by name	`payload.name contains "Lake Edge"`
Chatter on one channel	`type == GRP_TXT && payload.channel == "General"`
Strong & close	`snr > 6 && rssi > -85`
Direct (non-flooded) traffic	`route == DIRECT`
Transport-routed only	`transport`
Long hauls (3+ hops)	`hops >= 3`
Seen by one region	`iata == "MSN"`
Seen by any of several regions	`iata in ("MSN","ORD","MKE")`
Last 10 minutes	`age < 10m`
Big packets	`size > 100`
One observer’s adverts	`observer == "Lake Edge" && type == ADVERT`
A hash prefix	`hash starts_with "8a91"`
Everything except ACKs	`type != ACK`
Adverts or traces, decent signal	`(type == ADVERT \|\| type == TRACE) && snr > 0`
A transport code	`code1 == "AABB"`

Built a good one? Hit ★ Save to keep it, or copy the URL (it carries ?filter=…) to share it.

// sources & links

Go deeper

Open CoreScopethe live instance we host CoreScope on GitHubopen source · Kpa-clawbot MeshCorewhat the packets actually are IDs & collisionsmaking sense of hashes & paths

Where the filter lives

Found a sharp filter?