Tutorials

Writing ExaQL Queries: From Wireshark to AI

Nov 29, 2025

Writing ExaQL Queries: From Wireshark Filters to Natural Language

ExaQL is the single language that controls an entire ExaScale deployment—from 800 Gbps+ capture to 100 EB+ storage, indexing, security, and distributed processing.

Think of it as SQL + Wireshark + Kubernetes—but for packets.

If you've ever written a Wireshark display filter, you already know ExaQL's foundation. Every valid Wireshark filter is a valid ExaQL expression. But ExaQL goes much further: capture control, view creation, security policies, macro definitions, and orchestration across global federations.

Let's dive in.

Core Principles

ExaQL is built on five principles:

Principle	What It Means
One Language	Capture, store, index, secure, query, export—all in ExaQL
Wireshark Compatibility	Every display filter you know works verbatim
Natural When Possible	`show flows where customer-traffic`
Powerful When Needed	Full aggregation, views, macros, orchestration
Exascale Under the Hood	Automatic sharding, indexing, parallel execution

The Basics: Wireshark Compatibility

ExaQL is 100% compatible with Wireshark display filter syntax. Every filter you know works exactly as expected.

Filter by protocol:

Filter by IP address:

Filter by port:

Combine with operators:

Use comparison operators:

If you've written these filters in Wireshark, they work identically in ExaQL. Copy and paste. No translation needed.

First-Class Citizens

ExaQL treats five data types as first-class citizens—you can query, filter, and export any of them:

Citizen	Keyword	What It Represents
Packets	`packets`	Raw frames
Flows	`flows`	5-tuple sessions
Streams	`streams`	Reassembled TCP/QUIC/SCTP
Application	`app PROTOCOL`	Fully decoded L7 (e.g., `app http`)
Content	`content`	Payload search (raw or decoded)

Query packets:

show packets where tcp.port == 443

Query flows:

show flows where ip.src == 10.0.0.50 during last 24h

Query reassembled streams:

show streams where http.request.uri contains "/api/"

Query application-layer data:

show app http where http.response.code >= 500

The Show Command

show (or find) is your primary query command. It supports filtering, time ranges, sources, and output options.

Basic syntax:

show TARGET where EXPRESSION from SOURCE during TIMERANGE OPTIONS

Examples:

show packets where tcp.port == 443 from /captures/global-2025

show flows where ip.src == 192.168.1.0/24 during last 7 days

show packets where dns.qry.name contains "malware" from cluster "us-east-prod" during last 1h

With options:

show packets where tcp.port == 443 from /captures/global-2025 slice headers only

show streams where http reassembled decrypt with "acme-tls-key"

Time Ranges

Use during to specify time bounds—critical for performance at exascale.

Relative time:

during last 30 seconds
during last 15 minutes
during last 24 hours
during last 7 days
during last 4 weeks

Absolute time:

during "2025-11-01" to "2025-11-15"

Always include time ranges when possible. A bounded query on petabytes is fast. An unbounded query is not.

Macros: Reusable Expressions

Macros let you define complex filters once and reuse them everywhere. This is where ExaQL becomes powerful for enterprise deployments.

Define a macro:

define macro customer-traffic as 
    (ip.src == 10.0.0.0/8 or ip.dst == 10.0.0.0/8) 
    and not ip.src == 10.99.0.0/16

define macro fraud-pattern as 
    meta.stats.requests > 50 
    and meta.stats.duration < 30s 
    and http.status == 200

define macro booking-flow as 
    http.host contains "acme.com" 
    and http.request.uri contains "/book/"

Use the macro:

show flows where fraud-pattern during last 24h

show packets where customer-traffic and tcp.port == 443

Macros are stored in ExaScale and available across your entire deployment. Define them once, use them everywhere.

Capture Control

ExaQL controls live packet capture—start, stop, configure, and monitor.

Basic capture:

capture on port0,port1 store as "capture-2025"

Filtered capture:

capture on port0,port1 where tcp.port == 443 store as "tls-traffic-2025"

With options:

capture on port0,port1 
    where gtpv2.imsi == "311480123456789" 
    live 
    shard by time[minute] 
    decap gtp 
    reassembled

Enterprise capture with security:

capture all traffic 
    on clusters "us-east-prod","eu-west-prod","apac-syd-prod"
    store as "acme-global-2025"
    encrypt level 12
    index with six interval 1_000_000
    obfuscate pii level 10

Sharding Strategies

ExaScale automatically shards data for parallel processing. You can control the strategy with shard by:

Strategy	Syntax	Use Case
Time	`shard by time[hour]`	Time-series analysis
Offset	`shard by offset[TB]`	Large sequential scans
Index	`shard by index`	Random access queries
Flow	`shard by flow`	Session-based analysis
Field	`shard by field:ip.src`	Group by specific field
Fanout	`shard by fanout=16`	Parallel processing

Example:

create projection "hourly-dns" 
    from /captures/global-2025 
    where dns 
    shard by time[hour]

Creating Projections and Views

Projections are virtual subsets of your capture data. Views add transformations.

Create a projection:

create projection "IMSI 311480123456789" 
    from /captures/global-2025 
    where gtpv2.imsi == "311480123456789" 
    shard by time[minute], field:gtpv2.imsi 
    security level 15

Create a lean view (99% size reduction):

create view "lean-customer-journeys" as
    from storage "acme-global-2025"
    where customer-traffic
    reassembled tcp
    strip tunnel
    slice payload 128
    headers only
    encrypt level 12

Create a synthetic view from template:

create view "synth-fraud-test" as
    from template "real-booking-attack.pcapng"
    scale to 10PB
    apply traffic-mix { fraud-pattern: 5%, customer-traffic: 95% }

Views don't copy data. They're computed on-demand. A 16MB template can project to 100+ exabytes.

Export with Security

Export data securely with format and security level controls.

Basic export:

export packets where tcp.port == 22 to "/exports/ssh-traffic.pcapng"

With security:

export packets 
    where dns.qry.name length > 200 
    to s3://soc-export/dns-exfil.pcapng 
    format pcapng 
    security level 18 
    obfuscate imsi

Scheduled export:

schedule daily at 03:00
    report "gdpr-exposure" 
    where meta.tuple contains "IMSI|IMEI|passport"
    export to "s3://acme-compliance/gdpr-{{date}}.csv"

Key Management

Attach decryption keys for TLS and IPsec traffic.

Attach a TLS key:

attach key "acme-tls-2025" type tls "/keys/acme-tls-2025.pem" to all

Query with decryption:

show streams where http decrypt with "acme-tls-2025"

Keys are stored securely and access is controlled by security levels.

Security Levels

ExaScale implements 20 configurable security levels (0-20). ExaQL respects these automatically.

Encrypt data at a level:

capture all traffic encrypt level 12

Export with security:

export packets to "/secure/evidence.pcapng" security level 18

Auto-escalate on sensitive data:

on packet where meta.tuple contains "creditcard|ssn|passport"
    do encrypt level 18
    and notify soc@acme.corp

Users only see data at or below their clearance level. Queries automatically filter. Audit logs capture all access.

Metadata Queries

ExaQL exposes metadata through the meta. prefix:

show flows where meta.stats.duration > 10s

show flows where meta.stats.bytes > 10MB

show flows where meta.stats.requests > 50 and meta.stats.duration < 30s

show packets where meta.tuple contains "IMSI|IMEI"

System Commands

Manage your ExaScale deployment with system commands.

Indexing:

index /captures/global-2025 six

Security:

secure /captures/sensitive level 18 obfuscate imsi,msisdn

Monitoring:

show nodes where cpu > 80% during last 1h

show storage usage by cluster

show licenses

Multi-Cluster Queries

Query across regions and clusters seamlessly.

Query specific clusters:

show flows where fraud-pattern 
    from cluster "us-east-prod","eu-west-prod"
    during last 24h

Query entire federation:

show packets where dns.qry.name contains "malware"
    from all
    during last 7 days

Data stays where it lives. Queries are distributed. Results are aggregated. You write one query—ExaScale handles the rest.

Common Query Patterns

Threat hunting: Find port scans

show flows where 
    tcp.flags.syn == 1 and tcp.flags.ack == 0
    group by ip.src
    having count(distinct tcp.dstport) > 100
    during last 1h

Fraud detection: Rapid automated requests

find flows where fraud-pattern
    during last 24h
    group by meta.tuple
    order by count(*) desc
    limit 100

Performance: Slow transactions

show flows where 
    booking-flow 
    and meta.stats.duration > 10s
    during last 7 days
    limit 1000

Security: DNS exfiltration

show dns where 
    meta.stats.bytes > 10MB 
    or dns.qry.name length > 100
    during last 30 days

Compliance: PII exposure

show packets where meta.tuple contains "creditcard|ssn|passport"
    during last 24h
    security level 15

Natural Language (AI Prefix)

Prefix any query with AI: to use natural language:

AI: Show me all failed SSH login attempts from last week

AI: Find DNS queries to newly registered domains

AI: Which internal hosts talked to known C2 servers

The AI translates to ExaQL and executes. You can view the generated query to learn the syntax.

Performance Tips

Always use time bounds:

-- Fast: bounded
show packets where ip.dst == 10.0.0.50 during last 24h

-- Slow: unbounded
show packets where ip.dst == 10.0.0.50

Use macros for complex filters:

-- Clean and fast
show flows where customer-traffic and fraud-pattern

-- Harder to optimize
show flows where (ip.src == 10.0.0.0/8 or ip.dst == 10.0.0.0/8) and meta.stats.requests > 50.

Leverage indexes: ExaScale maintains SIX (sparse) and MSPIB (dense) indexes. Time, IP addresses, and ports are indexed by default.

Limit exploration queries:

show packets where http.response.code >= 500 limit 1000

Next Steps

ExaQL is the single language for your entire packet infrastructure. Start with Wireshark filters you know. Define macros for your environment. Build views for your analysts. Scale to global federation.

Same syntax from laptop to 3,900-node deployment.

Ready to try it? Request a demo and bring your toughest query. We'll show you how ExaScale handles it.

Mark Bednarczyk is the founder and CEO of Sly Technologies, with 30+ years of experience in network architecture and security.

‹ Why the Smartest Visibility Vendors in the World Are About to Partner with Sly Technologies

Introducing ExaScale: The Operating System for Packets ›