Using Filters
 
Distinct Network Monitor allows you to create and set powerful filters. You may set a filter for the capture itself to actually save only the filtered packets to a file. You may also apply a filter to a previously saved capture file to view only the filtered packets from that file. Whichever method of filtering you use, you must first create your packet filters. The Distinct Network Monitor is shipped with some Filter examples as well as built-in templates for most filtering needs. Filter configuration management is done through the Filters tab, which you select from the Configure menu.

 

Creating a Filter with the built-in Templates

The built-in templates allow you to build efficient filters without getting involved with logical expressions. They are very easy to use and cover most basic filtering needs. With these templates you can quickly create filters that will capture the traffic sent from or to specific IP addresses or systems, sent to or from a specific port, containing a particular protocol such as HTTP, or most combinations of these. To build a filter using the built-in templates:
  1. Choose the built-in templates option, then click the Create button.

  2. You will see a tree that lists the main filter topics. Open the tree of interest to you. In the example above, we have opened the tree to create a filter that will capture only IP-type packets that are sent from or received by specific IP addresses.
  3. When you have selected your template, you will see a green check mark next to the option, click the Next button to build the filter.
  4. Enter the Filter name as you wish it to appear in the list of filters and a brief description, then click Next.
  5. Enter the IP addresses whose traffic you wish to monitor one at a time, clicking Add after each address.

  6. When you have added all your entries, click Finish. Your filter is now created and will appear in the Existing Filters list. You may now apply this filter to your next captures by setting it as the filter to use in the Capture configuration tab or you can use it on an existing capture file by opening the capture file and then selecting the filter from the filter pull down in the toolbar.

Note: If you wish to set the capture filter, you must do this before starting a capture. A capture filter is applied through the Settings command in the Capture menu.
 

Creating a Basic Filter Using Advanced Expressions

To create a new filter:
  1. Select Filters in the Configure menu.
  2. Select Advanced Expressions and then click on Create. Give your filter a descriptive name. For example, if you are going to write a filter for the email protocols you may want to call your filter Email Filter.
  3. In the description field write a short description that will later remind you why you created this filter.
  4. You may choose to restrict the capture to certain systems that you are having a problem with. For example, if you are trying to diagnose a problem between Jim's system and the email server, check the Filter by IP address option, and select the Between IP address radio button. Then add the IP addresses of Jim's system and of the mail server and click the Add button. This will filter unneeded packets from your capture making it easier to read and faster to diagnose the problem.
  5. Next you need to select the protocols to filter. In our example of the email protocols you would probably select POP3, IMAP and SMTP. These need to be added one at a time by selecting the protocol and clicking the Add button.
  6. When you have selected all the protocols and any other restrictions that should be part of the filter click OK to create the filter.

Note: If you wish to set the capture filter, you must do this before starting a capture. A capture filter is applied through the Settings command in the Capture menu.
 

Creating Advanced Filters with Advanced Expressions

The Advanced Expressions Option allows for the creation of highly sophisticated filters. Not only are you able to filter by protocol but by an offset within the protocol having a specific value or by giving a value to predefined fields in the packet such as the source hardware address for ARP packets. If the value is a hexadecimal number you need to precede the number by 0x. For example 000186A0 should be entered as 0x000186A0. It is also possible to build filters using logical AND and logical OR.

When filtering by offset, note that the offset is starting from the particular protocol that is currently chosen. If you wish to have the offset from the start of the packet, then you will need to use Ethernet or Token Ring as the protocol. Note that this may give you unexpected results as the packet may also include optional fields that you were not expecting to be in the packet.

Filters may also be created by excluding certain protocols instead of including them. So for example you could create a filter that includes all RPC packets but excludes UDP, which means that the filter selects only RPC packets carried over TCP.

 

Filtering by Offset

You can create very useful filters using the packet offset. Below we give an example of how to create a filter that will show only the RPC Portmapper request packets.
  1. Select Filters in the Configure menu.
  2. Select advanced expressions and then click on Create. Give your filter a descriptive name. For example, Filter Portmapper packets.
  3. In the description field write a short description that will later remind you why you created this filter.
  4. Next you need to select the protocols to filter. Choose RPC - ONC.

  5. Now select the Filter by offset radio button. Add the offset 12, which is the offset of the program number. Set this to Double word and enter the program number of the portmapper application, 100,000, in hexadecimal format (0x000186A0). Note that the hexadecimal number must be preceded by 0x. Click the Add button. Next add the offset 16, which is the offset of the version number. Set this to Double word and enter the value 2, which is the portmapper version. Click the Add button.
  6. Click Ok to create the filter.
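To show what the two offset rules above actually test, here is an added example (not code from Distinct Network Monitor) that builds ONC RPC CALL messages and applies the same "offset 12 double word == 100,000 AND offset 16 double word == 2" check. It also illustrates the earlier caveat about offsets being relative to the selected protocol: the same bytes inside a constructed Ethernet/IPv4/UDP frame only match once the offsets are shifted by the assumed 14 + 20 + 8 byte headers.

```python
import struct

# Values the page's Portmapper filter checks, at RPC-relative offsets 12 and 16.
PORTMAPPER_PROG = 100000   # entered in the tool as hex 0x000186A0
PORTMAPPER_VERS = 2
RPC_MSG_CALL = 0

# Bytes that precede the RPC message when offsets are taken from the start of
# the frame instead of from the RPC protocol. Assumed sizes: 14-byte Ethernet
# header, 20-byte IPv4 header without options, 8-byte UDP header.
ETH_IPV4_UDP_HEADER_LEN = 14 + 20 + 8

def build_rpc_call(xid, prog, vers, proc):
    """Construct the fixed part of an ONC RPC CALL message (RFC 5531 layout):
    xid@0, msg_type@4, rpcvers@8, prog@12, vers@16, proc@20, then AUTH_NONE
    credentials and verifier (flavor 0, length 0 each)."""
    rpcvers = 2
    auth_none = struct.pack(">II", 0, 0)
    header = struct.pack(">IIIIII", xid, RPC_MSG_CALL, rpcvers, prog, vers, proc)
    return header + auth_none * 2

def dword_at(data, offset):
    """Read a big-endian double word at offset, or None if out of range."""
    if offset + 4 > len(data):
        return None
    return struct.unpack(">I", data[offset:offset + 4])[0]

def matches_offset_rules(data, rules, base=0):
    """AND together rules of the form (offset, expected double word).
    base is where the selected protocol starts inside data."""
    return all(dword_at(data, base + off) == val for off, val in rules)

PORTMAPPER_RULES = [(12, PORTMAPPER_PROG), (16, PORTMAPPER_VERS)]

def is_portmapper_request(rpc_message):
    return matches_offset_rules(rpc_message, PORTMAPPER_RULES)

def demo():
    # Constructed sample messages: a portmapper GETPORT call and an NFSv3 call.
    pm = build_rpc_call(0x1234, PORTMAPPER_PROG, PORTMAPPER_VERS, 3)
    nfs = build_rpc_call(0x1235, 100003, 3, 1)
    # Same portmapper bytes behind constructed (zeroed) Ethernet/IP/UDP headers.
    frame = bytes(ETH_IPV4_UDP_HEADER_LEN) + pm
    return {
        "pm": is_portmapper_request(pm),
        "nfs": is_portmapper_request(nfs),
        "frame_rpc_offsets": is_portmapper_request(frame),
        "frame_frame_offsets": matches_offset_rules(
            frame, PORTMAPPER_RULES, base=ETH_IPV4_UDP_HEADER_LEN),
    }
```

Note that RPC over TCP carries a 4-byte record mark before the message, so frame-relative offsets differ again there, which is why selecting RPC as the protocol is the safer choice.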
 

Filtering by Field

Some of the protocol filters have predefined fields that you can select to filter. As an example of how to do this we will create a filter that will show only TCP and UDP packets coming in and out of port 443.
  1. Select Filters in the Configure menu.
  2. Select advanced expressions, then click on Create. Give your filter a descriptive name. For example, Filter for Port 443.
  3. In the description field write a short description that will later remind you why you created this filter.
  4. Next you need to select the protocol to filter. Select TCP.

  5. Select the Filter by Field radio button and choose Source Port from the pull down list box. Enter 443 as the value. Click the Add button to add this rule to your filter.
  6. Now choose Destination port from the pull down list box. Enter 443 as the value. Click the Add button to add this rule to your filter.
  7. Repeat steps 4 to 6 for the UDP protocol.
  8. Your rules are now complete. Click Ok to create this filter.
 

Building Filters with Mixed Operands

As of version 4, it is possible to build filters with mixed operands. So, for example if you wished to build a filter that filters the SMTP protocol from one system AND all HTTP traffic, this is what you would do:
  1. Select Filters in the Configure menu.
  2. Select advanced expressions, then click on Create. Give your filter a descriptive name.
  3. In the description field write a short description that will later remind you why you created this filter.
  4. Choose the from or to IP address option and enter the IP address of the mail server. Now choose SMTP, POP3 and HTTP from the protocol list and Add them one at a time.

  5. Next you need to build the filter statement. Right click the mouse under the column showing an open parenthesis "[" right at the start of the statement and select Add Open Parenthesis. Move to the close parenthesis column on the SMTP line, right click the mouse and choose Add closing parenthesis. Now move to the last line, which contains the HTTP statement, right click on the AND operand, and select Use OR operation. The statement is now complete.
04/26/2024