Filtering data

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Like a capture filter, a display filter helps you isolate specific types of information. Unlike a capture filter, however, a display filter operates on data that has already been captured. You can use a display filter to control how much of the captured data appears in the Frame Viewer window, or you can use it to save data to a capture file.

Use display filters to determine which frames to display. You can filter a frame by:

  • Its source or destination address.

  • The protocols it contains.

  • The properties and values that it contains. The properties of a protocol collectively indicate the purpose of the protocol.

The structure of the display-filter decision tree is flexible. You can define a simple, rather flat structure, or you can make it complex, as your needs dictate.

Protocols Used

When you display captured data, all available information about the captured frames appears in the Frame Viewer window. You can display only the frames that contain a specific protocol by editing the Protocol == line in the Display Filter dialog box.

Network Monitor processes the filter you have designed and applies it to the contents of the Frame Viewer window.

Protocol Properties

You can use a display filter to isolate frames that contain specific protocol properties. Protocol properties consist of the elements of information that define the purpose of a protocol. Because the purposes of protocols vary, properties differ from one protocol to another.

As an example, you might capture a large number of frames with SMB protocol but want to examine only those frames in which the SMB protocol was used to create a directory on a remote computer. In this situation, you could isolate frames that include the Make Directory SMB command property.

Network Monitor identifies the protocols used to send a frame on the network by using a protocol parser. Each protocol that Network Monitor supports has a corresponding parser.

Computer Addresses

When you display captured data, by default the Frame Viewer window shows frames for all addresses from which you captured information. You can display only those frames that originate from or are sent to a specific computer by editing the ANY <--> ANY line in the Edit Display Filter dialog box.
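
The three criteria described above (protocol, protocol property, and address pair) combine into a decision tree of AND, OR, and NOT branches. The following Python model is an added example, not Network Monitor code or its filter syntax; the frame records, addresses, and property labels such as ("SMB", "Command") are constructed for illustration.

```python
from dataclasses import dataclass, field

ANY = "ANY"  # wildcard used on either side of an address pair

@dataclass
class Frame:
    src: str
    dst: str
    protocols: tuple                                # parsed protocol stack
    properties: dict = field(default_factory=dict)  # {(protocol, property): value}

# Leaf nodes: each returns a predicate Frame -> bool.
def address_pair(a, b):
    """Match frames between a and b in either direction (a <--> b)."""
    hit = lambda want, got: want == ANY or want == got
    return lambda f: (hit(a, f.src) and hit(b, f.dst)) or (hit(a, f.dst) and hit(b, f.src))

def protocol(name):
    return lambda f: name in f.protocols

def prop(proto, name, value):
    return lambda f: f.properties.get((proto, name)) == value

# Branch nodes of the decision tree.
def AND(*nodes): return lambda f: all(n(f) for n in nodes)
def OR(*nodes):  return lambda f: any(n(f) for n in nodes)
def NOT(node):   return lambda f: not node(f)

def apply_filter(tree, frames):
    """Return the 1-based numbers of the frames the filter would display."""
    return [i for i, f in enumerate(frames, start=1) if tree(f)]

SMB_STACK = ("ETHERNET", "IP", "TCP", "NBT", "SMB")
MKDIR = {("SMB", "Command"): "make directory"}
# Constructed sample capture (addresses and values are illustrative).
CAPTURE = [
    Frame("10.0.0.5", "10.0.0.9", SMB_STACK, MKDIR),
    Frame("10.0.0.9", "10.0.0.5", SMB_STACK, MKDIR),
    Frame("10.0.0.7", "10.0.0.9", SMB_STACK, {("SMB", "Command"): "delete file"}),
    Frame("10.0.0.5", "10.0.0.1", ("ETHERNET", "IP", "UDP", "DNS")),
    Frame("10.0.0.7", "10.0.0.9", SMB_STACK, MKDIR),
]

# Flat filter: directory creation over SMB involving one host.
MKDIR_ON_HOST = AND(address_pair("10.0.0.5", ANY), protocol("SMB"),
                    prop("SMB", "Command", "make directory"))
# Deeper tree: all DNS, plus SMB traffic that does not involve that host.
DNS_OR_OTHER_SMB = OR(protocol("DNS"),
                      AND(protocol("SMB"), NOT(address_pair("10.0.0.5", ANY))))
```

The flat filter shows both directions of the conversation with 10.0.0.5 because the address pair is bidirectional, which is why frame 2 is displayed even though 10.0.0.5 is its destination.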

Filtering and address databases

Often, you need to capture only those frames that originate with or are sent to specific computers. To do this, you must know the addresses of the computers on your network.

You can use the ping command to find the IP address of a computer if you know its computer name. For more information, see the section "Testing connections by using ping" in Command-line utilities.
