https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/
https://social.technet.microsoft.com/wiki/contents/articles/1130.network-monitor-ipv4-filtering.aspx
https://blogs.technet.microsoft.com/messageanalyzer/
Challenges of Filtering
One of the biggest changes between NM2.x and NM3.0 is the way you do filtering. Old NM2.x hands may be challenged by the loss of the UI wizard for building filters. On the other hand, Ethereal users will be pleased, and further encouraged by the built-in IntelliSense. Hopefully I'll be able to ease the transition and provide some tips and tricks for filtering with NM3.0.
What exactly does filtering do?
When you type in a filter and hit Apply, each frame is evaluated against the filter. If the result of the filter is TRUE, then the frame is displayed (or captured, in the case of a capture filter). To start simple, if you want to see every frame where the TCP source port is 80, you could type:
tcp.srcport == 80
In this example, the parser engine looks at each frame and evaluates this expression. If the current frame's source port is set to 80, then that frame is included in your view.
Where do I start?
IntelliSense is a technology in many MS products that shows you a list of the possibilities given some starting place. In the context of filtering, it lists the available data items for a given protocol or structure. So if you type "tcp." in any of the filter windows, you'll see a list of the available data fields. If you further type in "tcp.flags." you'll see a list of the names of each of the TCP flags. Unfortunately, in the Beta2 version of NM3.0 we only show you two levels deep, so when you type "tcp.flags." you won't actually see anything more. In the released version of NM3.0, we should have this implemented fully.
One little-known trick is that you can start off with a "." (period) and you'll see IntelliSense for all of the top-level items.
In this list you can see things like Protocol, which will show you a list of all the protocols underneath. If you're not sure where to start, this is as good a place as any.
Built-in Filters (Standard Filters)
We've actually included a bunch of built-in filters with the product. These are common filters that do mostly general things, like target a specific protocol, or narrow traffic down to a specific machine. Once you choose a filter, the text box is populated with the filter, and you can then apply it. You'll often have to edit some part of the filter, as they frequently reference placeholders for IP addresses or ports. These filters provide a bunch of examples that can help you understand how filters work.
You can also save your own filters and bring them up in other sessions. This lets you access your most-used filters easily.
Applying a filter
In order to apply a filter in NM3.0, you can either press the button (paper with a pin on it), or you can hit Ctrl+Enter. One advantage of using the keystroke, Ctrl+Enter, is that it always applies the current filter. When you use the button, you may have to turn off the current filter if you already have one applied. This UI glitch is probably something we'll address in the future. Note that we use Ctrl+Enter because our filters can span multiple lines. Having multiple lines helps readability and allows you to add comments as well.
What do I want to filter on?
I suppose it depends on what you're looking for: some problem you are investigating, or perhaps you simply want to get rid of all the uninteresting traffic. Filters let you narrow down the traffic and see only the data you want to focus on. You'll often start with something and then further narrow down what you're looking for by adding expressions joined with ORs and ANDs.
Filters can reference anything in the NPL. This includes protocol data fields like we mentioned above. But it also includes properties, which are derived by NPL and usually based on the data.
For example, the real TCP window size is a combination of the window scale and the TCP window size field. So we can create a property to hold the real window size. Each column, with a few exceptions, is also just a property value. This means you can search any column's data in a filter as well. We'll show some examples of this.
Show me all frames where X exists ...
Let's start with a simple filter to find all the ARP packets.
arp
OK, almost too easy. A simple principle to remember is that by simply typing a protocol, structure or property, you filter for its existence. If you type arp, you are looking for any frame which parses as the ARP protocol. Similarly, if you want to get rid of all ARP frames, you just say
not arp
Also, if you like C terminology, you can type
!arp
Now let's apply this same principle to a structure. Say we want to find all TCP traffic where SACKs (selective acknowledgments) are used. You don't care about the values of the SACKs; you just want to show only those frames where they exist. So your filter would be:
tcp.TCPOptions.Option.SACK
And finally, let's apply this to a property. In TCP we have a property called "TcpRetransmit" that gets set whenever a retransmit is found. By the way, this requires that conversations are enabled, which isn't the default in NM3. So to find all retransmit frames, just type:
property.tcpretransmit
Actually the property portion is only needed if the term is also defined as something other than a property. Preceding it with the property prefix makes sure you are referencing it correctly in case it's defined as a structure or protocol too. It never hurts to begin your terms with property, struct, or protocol as called for.
Using equivalence and comparative operators
Another type of filtering that's often required is to look for a specific value in a trace, or a value within a certain range. For example, say you wanted to look for traffic on a certain port. You would type a filter like:
tcp.port == 5555
This would return any frame where a port (either source or destination) is 5555. What's interesting here is that Port is defined as a "pair". This simply means we pair up the source and destination ports so you don't have to. If you were to explicitly type this out using the source and destination ports, you would have to type:
tcp.srcport == 5555 OR tcp.dstport == 5555
But the Port 'pair' property takes care of this. This makes creating filters with paired properties much easier. Since NPL defines these pairs, this can be established for any pair of terms that act this way. Pairs have also been created for Ethernet and IP addresses. So to filter on frames that involve at least one IP address equal to 192.168.1.1, you would type:
ipv4.address == 192.168.1.1
and similarly for Ethernet addresses:
ethernet.address == 0x1185ae4e95
It's also important to note that the expansion is different if you use this in the negative case, != (not equals).
tcp.port != 5555
expands to:
tcp.srcport != 5555 AND tcp.dstport != 5555
This should be no surprise to the Boolean math heads among you, but to the commoner this may seem incorrect at first. The typical reaction is to use OR instead of AND. But that would show you every frame where at least one of the two ports is something other than 5555, which is nearly every frame in the trace, including the ones that do use port 5555 on the other side.
You can also use all the comparative operators: <, >, >=, <=. So if you wanted to search for instances where the window size started getting small, you could do something like:
tcp.window < 1200
Now, as I mentioned before, if window scaling is enabled, this may not be the real size. So a better way to do this in NM3.0 is to use the property that calculates the real window size. That filter would be:
property.windowsize < 100
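Both the pair expansion just described and the real-window-size property can be checked against a handful of frames. The Python below is an added example written for this page, not Network Monitor code: it models the correct expansion of tcp.port and its negation, the tempting OR form of the negation, and a windowsize property computed from the raw window field and the window-scale shift. The TcpFrame class, the sample frames and the port numbers are all constructed for the demonstration.

```python
"""Model of two Network Monitor filter features: 'pair' properties
(tcp.port) and derived properties (windowsize). Constructed sample
frames; this is illustrative code, not Network Monitor's own."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TcpFrame:
    """Minimal stand-in for a parsed TCP segment (constructed example)."""
    srcport: int
    dstport: int
    window: int              # raw 16-bit tcp.window field
    wscale: Optional[int]    # window-scale shift for this flow, or None


def windowsize(f: TcpFrame) -> int:
    """Derived property: the real receive window. With window scaling the
    16-bit field is multiplied by 2**shift, so the raw tcp.window field
    under-reports the window once scaling is in effect."""
    return f.window << (f.wscale or 0)


def port_eq(f: TcpFrame, port: int) -> bool:
    """tcp.port == port  expands to  srcport == port OR dstport == port."""
    return f.srcport == port or f.dstport == port


def port_ne(f: TcpFrame, port: int) -> bool:
    """tcp.port != port  expands to  srcport != port AND dstport != port
    (De Morgan: NOT (a OR b) is (NOT a) AND (NOT b))."""
    return f.srcport != port and f.dstport != port


def port_ne_naive(f: TcpFrame, port: int) -> bool:
    """The tempting but wrong expansion: srcport != port OR dstport != port.
    TRUE for almost every frame, including ones that do use the port."""
    return f.srcport != port or f.dstport != port


def apply_filter(frames, pred):
    """Keep the frames for which the predicate is TRUE, as the display
    filter does."""
    return [f for f in frames if pred(f)]


# Constructed sample capture: a client on 5555 talking to a server on 80,
# plus an unrelated DNS-over-TCP exchange.
FRAMES = [
    TcpFrame(5555, 80, 64240, None),
    TcpFrame(80, 5555, 1000, 7),     # raw 1000, scale 7 -> real 128000
    TcpFrame(49152, 53, 900, None),  # genuinely small window, no scaling
    TcpFrame(53, 49152, 65535, 0),
]


def demo():
    """Run the filters over FRAMES and return how many frames each keeps."""
    on_port = apply_filter(FRAMES, lambda f: port_eq(f, 5555))
    not_on_port = apply_filter(FRAMES, lambda f: port_ne(f, 5555))
    naive = apply_filter(FRAMES, lambda f: port_ne_naive(f, 5555))
    # The correct == and != expansions partition the capture exactly.
    assert len(on_port) + len(not_on_port) == len(FRAMES)
    # Raw-field check versus the derived property.
    raw_small = apply_filter(FRAMES, lambda f: f.window < 1200)
    real_small = apply_filter(FRAMES, lambda f: windowsize(f) < 1200)
    return {
        "port_eq": len(on_port),
        "port_ne": len(not_on_port),
        "port_ne_naive": len(naive),
        "raw_small": len(raw_small),
        "real_small": len(real_small),
    }


if __name__ == "__main__":
    print(demo())
```

On these four frames the naive OR negation keeps all four, including the two that carry port 5555, while the AND form keeps only the two DNS frames; the raw tcp.window check flags the scaled frame as "small" even though its real window is 128000 bytes.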
Using Contains to search strings
A common task is being able to search ASCII and Unicode strings. You can use the Contains plug-in. It searches the associated string and ignores case. It can be used in two different ways, with the same results. Use whichever method you feel more comfortable with.
Contains(property.Description, "error")
You can also use it as an operator on a string object.
property.Description.Contains("error")
As I mentioned before, you can search all properties. And remember that most columns are just properties. The exceptions are FrameNumber, TimeOffset, TimeDelta, TimeOfDay, and ConvId. But the rest are fair game. So in this case we can search the Description property text using the Contains plug-in. Note that using this to search for binary data doesn't work. This is something that will probably be addressed in future versions, as it is useful to search binary data.
Generating compound statements by using ANDs and ORs:
When narrowing down frames, you'll often start by using one expression to filter the frames down and then you'll want to add AND expressions to further restrict your search. So let's say I wanted to look for all frames on port 5555 that also have a window size less than 100 bytes.
tcp.port == 5555 AND property.windowsize < 100
You can also use the C-like shorthand:
tcp.port == 5555 && property.windowsize < 100
Or to search for traffic between two machines, you could type
ipv4.address == 192.168.1.1 && ipv4.address == 10.0.0.1
You have to be careful when using ANDs and ORs. The English language tends to be more ambiguous when using these terms. Asking a car dealer to see all the red and green cars makes sense to both you and him, but the same query to NM3.0 would result in a potentially ugly car that maybe only Santa would appreciate.
Here's another example, for filtering on subnets.
(ipv4.address >= 10.53.0.0) && (ipv4.address <= 10.53.255.255)
In this example, it's important to understand that the address is really just bits of data. So checking whether an address is between the lower and upper bounds of the network's range is the same thing as checking whether it's in that subnet, as long as the range is a whole subnet (one CIDR block) rather than an arbitrary span of addresses.
Using Math operators in filters
It's also possible to use math operators, like +, -, *, /, &, and |, in filters. The last two are "bitwise AND" (&) and "bitwise OR" (|). As an example, we can use this to filter on a subnet, but this time using the bitwise AND. This simulates what a subnet mask does.
((ipv4.SourceAddress & 255.255.0.0) == 10.53.0.0)
||
((ipv4.DestinationAddress & 255.255.0.0) == 10.53.0.0)
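The range form from the previous section and the bitwise form here agree because 10.53.0.0 to 10.53.255.255 is exactly one subnet. The Python below is an added example, not Network Monitor code: it evaluates both forms over constructed (source, destination) address pairs, expands ipv4.address to either endpoint the way the pair property does, and includes a range_as_mask helper (part of this example, not an NPL function) that tells you whether a given range can be written as a single mask at all.

```python
"""Two ways to express 'address is in 10.53.0.0/16' as a filter, modelled
in Python: the range form
    (ipv4.address >= 10.53.0.0) && (ipv4.address <= 10.53.255.255)
and the bitwise form
    (ipv4.SourceAddress & 255.255.0.0) == 10.53.0.0 || (same for the destination).
Constructed sample frames; illustrative code, not Network Monitor's own."""

import ipaddress

IPv4 = ipaddress.IPv4Address


def in_range(addr: str, lo: str, hi: str) -> bool:
    """Range form: compare addresses as 32-bit unsigned integers."""
    return int(IPv4(lo)) <= int(IPv4(addr)) <= int(IPv4(hi))


def masked_match(addr: str, mask: str, network: str) -> bool:
    """Bitwise form: (addr & mask) == network, what a subnet mask does."""
    return int(IPv4(addr)) & int(IPv4(mask)) == int(IPv4(network))


def pair_match(src: str, dst: str, pred) -> bool:
    """ipv4.address is a pair: TRUE if either endpoint satisfies pred."""
    return pred(src) or pred(dst)


def range_as_mask(lo: str, hi: str):
    """Return (network, mask) if [lo, hi] is exactly one CIDR block, else None.
    A range is a CIDR block only when its size is a power of two and lo is
    aligned to that size; only then are the two filter forms equivalent."""
    lo_i, hi_i = int(IPv4(lo)), int(IPv4(hi))
    size = hi_i - lo_i + 1
    if size <= 0 or size & (size - 1) or lo_i % size:
        return None
    mask = 0xFFFFFFFF ^ (size - 1)
    return str(IPv4(lo_i)), str(IPv4(mask))


# Constructed sample frames as (source, destination) pairs.
FRAMES = [
    ("10.53.1.7", "8.8.8.8"),          # source inside 10.53/16
    ("192.168.1.1", "10.53.255.255"),  # destination at the top of the range
    ("10.54.0.1", "10.52.255.255"),    # both just outside
    ("10.53.0.0", "10.53.200.1"),      # both inside
]


def compare_forms(lo="10.53.0.0", hi="10.53.255.255",
                  mask="255.255.0.0", net="10.53.0.0"):
    """Evaluate both filter forms over FRAMES and report whether they agree."""
    rng = [pair_match(s, d, lambda a: in_range(a, lo, hi)) for s, d in FRAMES]
    bit = [pair_match(s, d, lambda a: masked_match(a, mask, net)) for s, d in FRAMES]
    return rng, bit, rng == bit


if __name__ == "__main__":
    print(compare_forms())
    print(range_as_mask("10.53.0.0", "10.53.255.255"))   # a /16: one mask works
    print(range_as_mask("10.53.10.0", "10.53.20.255"))   # not a CIDR block
```

If range_as_mask returns None for the span you care about, the range form is still correct but there is no single bitwise-AND filter that reproduces it; you would need to OR together the masks of the CIDR blocks that cover the span.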
Comments in the filter window
It's also possible to add comments in the filter window. This is helpful if you want to document how a filter works. It also allows you to comment out sections temporarily so you don't have to remove that portion of the filter completely. Comments can be written with either // for a single-line comment, or /* */ if you want to comment out more than one line.
Extra: modifying NPL to filter on a new property, IpTtl
We talked before about searching on properties. There may be special cases where you want to create a property yourself so you can search on it. For this example, we'll create an IpTtl property that can reference both the IPv4 TTL and the IPv6 hop limit values.
The first step is to modify both IPV4.NPL and IPV6.NPL to add our property. For IPv4, we'll add the property to the TimeToLive data field, and for IPv6 to the HopLimit data field. In NPL, properties are placed in square brackets "[]" before the data field definition. The bracket section can contain multiple items separated by commas, but we won't have to worry about this for our example.
In IPV4.NPL, we see the TTL field is defined as follows (the lines before it are elided):
...
};
UINT8 TimeToLive;
[NextProtocol]
UINT8 NextProtocol = FormatString("%s, %d (%#x)",
    ProtocolTypeTable(this), this, this);
So we add IpTtl as follows:
[IpTtl]
UINT8 TimeToLive;
The property automatically attaches itself to the data field that follows it. Now let's modify the IPv6 parser. Here's how it looks in its original form.
[NextHeader]
UINT8 NextProtocol = FormatString("%s, %d (%#x)",
    ProtocolTypeTable(this), this, this);
UINT8 HopLimit;
So we'll make the same change here:
[IpTtl]
UINT8 HopLimit;
The properties are named exactly the same, so we can now reference the same property name for both. If IPv4 exists it references TimeToLive, and if IPv6 exists it references HopLimit.
You must now reload the parsers. This is similar to a recompile, done once so that time is saved each time you run NM3.0. This can be done from the Parsers tab: hit the button on the toolbar, select Tools, Reload Parsers, or type Ctrl+Alt+B.
Once the parsers are reloaded, you can then use this in a filter as follows:
property.ipttl == 0
This would return all frames where the TimeToLive or HopLimit is set to zero.
And that's your filtering introduction
While it takes a while to get good at filtering, the discussion above should give you a good primer. Hopefully this will help you understand the basics of how to use filtering to find the data you want with Network Monitor 3.0.
Intro to Filtering with Network Monitor 3.0