Writing HTTPQL Queries
With HTTPQL, you can include or exclude traffic proxied through Caido from traffic tables and operations.
HTTPQL query statements filter either requests (req), responses (resp), or specific table rows (id). The filtering is further refined by specifying an available field, operator, and comparison value, using dot notation.
<namespace>.<field>.<operator>:"<value>"NOTE
These statements will serve as a starting point for your HTTPL queries. View the full HTTPQL reference to customize your query statements to achieve the intended results.
Filtering Requests by Host
To filter requests made to example.com, use the host field.
req.host.eq:"www.example.com"
req.host.regex:"^example.com$"req.host.ne:"www.example.com"
req.host.nregex:"^example.com$"req.host.cont:".example.com"
req.host.like:"%.example.com"req.host.ncont:".example.com"
req.host.nlike:"%.example.com"Filtering Requests by Time
To filter requests by date/time, use the created_at field.
req.created_at.lt:"2025-12-05"req.created_at.gt:"2025-12-05"req.created_at.lt:"2025-12-05T08:30:00+00:00"req.created_at.gt:"2025-12-05T08:30:00+00:00"Filtering Responses by Status Code
To filter responses by status code, use the code field.
resp.code.eq:200resp.code.ne:200To specify a range of status codes, use the gt, lt, gte, or lte operators.
Filter Requests by ID
To filter traffic by the numerical table row value, use the id field.
row.id.eq:50row.id.ne:50row.id.gt:50row.id.lt:50To include the specific request ID, use the gte or lte operators.
Filter by Request/Response Content
To match against a value in a full request or response, use the raw field.
req.raw.cont:"application/json"resp.raw.cont:"\"isAdmin\":true"