Capture filters

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A capture filter functions like a database query that you can use to specify the types of network information you want to monitor. For example, to see only a specific subset of computers or protocols, you can create an address database, use the database to add addresses to your filter, and then save the filter to a file. By filtering frames, you save both buffer resources and time. Later, if necessary, you can load the capture filter file and use the filter again.

Designing a capture filter

To design a capture filter, specify decision statements in the Capture Filter dialog box. This dialog box displays the filter's decision tree, which is a graphical representation of a filter's logic. When you include or exclude information from your capture specifications, the decision tree reflects these specifications.

Filtering by protocol

To capture frames sent using a specific protocol, specify the protocol on the SAP/ETYPE= line of the capture filter. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all of the protocols that Network Monitor supports are enabled. Only protocols that are identified by an ETYPE or a SAP can be specified on this line.

Filtering by address

To capture frames sent from a specific computer on your network to your computer or sent from your computer to a specific computer on your network, specify one or more address pairs in a capture filter. You can monitor up to four address pairs simultaneously.

An address pair consists of:

  • The addresses of the two computers you want to monitor traffic between.

  • Arrows that specify the traffic direction you want to monitor.

  • The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter's specifications.

Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, in a filter that contains both EXCLUDE and INCLUDE statements, a frame that meets the criteria of an EXCLUDE statement is discarded immediately; Network Monitor does not go on to test that frame against the INCLUDE statements.

For example, to capture all the traffic from Joe's computer except the traffic from Joe to Anne, use the following capture filter address section:

Addresses

include Joe <----> Any

exclude Joe <----> Anne

If there are no INCLUDE lines, YourComputer <----> Any is used implicitly.

Filtering by data pattern

By specifying a pattern match in a capture filter, you can:

  • Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data.

  • Specify how many bytes (offsets) of the frame must be ignored before the search begins.

When you filter based on a pattern match, you must specify where in the frame the search for the pattern should begin. This setting specifies, in bytes, the distance from either the beginning of the frame or the end of the topology header to the point at which the pattern might occur. If the media access control header on your network medium can vary in length, as it can on Ethernet or token ring, specify that the offset be counted from the end of the topology header, so that the same offset reaches the same field in every frame.
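As an added illustration (not Network Monitor's own code), the following Python models the filter rules this page describes: the SAP/ETYPE= protocol line, address pairs with EXCLUDE evaluated before INCLUDE and the implicit YourComputer <----> Any, and a pattern match at an offset counted either from the start of the frame or from the end of the topology header. The frame layouts, the Joe/Anne/YourComputer addresses and the 0x600 ETYPE-versus-length split are assumptions made here, and the two frames show why counting from the end of a variable-length header matters.

```python
from dataclasses import dataclass

ANY = "Any"
# Constructed locally administered MAC addresses for the page's Joe/Anne example.
JOE, ANNE, ME = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x03"

def parse(frame):
    # Returns (dst, src, kind, value, header_len); kind is "ETYPE" or "SAP".
    dst, src, tl = frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    if tl >= 0x600:                        # assumption: DIX Ethernet II, 14-byte header
        return dst, src, "ETYPE", tl, 14
    return dst, src, "SAP", frame[14], 17  # 802.3 length + 3-byte LLC: DSAP at byte 14

@dataclass
class AddrPair:
    include: bool           # True for INCLUDE, False for EXCLUDE
    a: object               # address bytes, or ANY
    b: object
    both_ways: bool = True  # "<---->"; False means only a -> b

    def matches(self, src, dst):
        fwd = self.a in (ANY, src) and self.b in (ANY, dst)
        rev = self.a in (ANY, dst) and self.b in (ANY, src)
        return fwd or (self.both_ways and rev)

def address_ok(pairs, src, dst):
    # EXCLUDE statements are tested first, whatever order they were written in.
    if any(p.matches(src, dst) for p in pairs if not p.include):
        return False
    # With no INCLUDE line, YourComputer <----> Any is used implicitly.
    includes = [p for p in pairs if p.include] or [AddrPair(True, ME, ANY)]
    return any(p.matches(src, dst) for p in includes)

def capture(frame, etypes, saps, pairs, pattern=None, offset=0, from_header_end=True):
    dst, src, kind, value, hlen = parse(frame)
    if value not in (etypes if kind == "ETYPE" else saps):
        return False                       # protocol not enabled on the SAP/ETYPE= line
    if not address_ok(pairs, src, dst):
        return False
    if pattern is None:
        return True
    start = (hlen if from_header_end else 0) + offset
    return frame[start:start + len(pattern)] == pattern

# Constructed frames Joe -> YourComputer: 20-byte IP header then "GET /", as DIX (ETYPE 0x800) and 802.3/LLC (SAP 0x06).
IP_PAYLOAD = bytes([0x45]) + bytes(19) + b"GET /"
LLC_HDR = b"\x06\x06\x03"
DIX = ME + JOE + (0x0800).to_bytes(2, "big") + IP_PAYLOAD
LLC = ME + JOE + len(LLC_HDR + IP_PAYLOAD).to_bytes(2, "big") + LLC_HDR + IP_PAYLOAD
FILTER = [AddrPair(True, JOE, ANY), AddrPair(False, JOE, ANNE)]  # the page's address section
```

With an offset of 20 from the end of the topology header, "GET /" is found in both framings; the same pattern at a fixed offset of 34 from the start of the frame matches only the DIX frame.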