gaqlord.blogg.se

Wireshark capture filter only http
Editor's Note: This article is taken from Laura Chappell's book, Packet Filtering: Capturing the Cool Packets, which is available at.

A filter is a set of criteria that a packet must match to be accepted in the trace buffer or displayed in a protocol analyzer. For example, a filter based on all packets to 0xFF-FF-FF-FF-FF-FF is a standard broadcast filter.

As a protocol analyst, you must create a set of filters that match the traffic you are interested in viewing. Don't count on your protocol analyzer having a complete set of prebuilt filters. The vendors have been noticeably lax on supplying strong filters out of the box.

You need to know two things to build really great filters:

- The offset indicating where you are looking in the packet
- The value that you are looking for at that offset

When the packets come in off the wire, the protocol analyzer's card does some basic error checking on the packet. At this point, the packet is examined as a series of bytes with varying values. The filters you build consist of an offset location and a value. If the incoming packet contains data that matches your filter in content and offset, the packet is said to match the filter. If a single bit does not match the filter value or offset, however, the packet is said to not match the filter.

Filters can be based on a number of packet characteristics, such as the source or destination hardware address (the media access control, or MAC, address), a single-bit setting in a flag field, or a specific ASCII character sequence in the data portion of the packet. As you would expect, however, the capabilities of protocol analyzers vary. They may not offer all of the options and filter types.

CAPTURE FILTERS VERSUS DISPLAY FILTERS

There are two types of filters: capture filters and display filters (also referred to as pre-filters and post-filters respectively). Capture filters are placed on incoming traffic to reduce the amount of traffic that flows into the trace buffer. Display filters are placed on traffic in the trace buffer so that you can view specific types of packets as a subset of the trace buffer. (The original trace buffer contents are not erased.)

When do you use capture filters, and when do you use display filters? I use capture filters when I know the type of traffic I am looking for straight off the wire.
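The offset-and-value matching described above, as an added example that is not from the book or from Wireshark: it runs a broadcast filter, a TCP-port-80 filter and a single-bit SYN-flag filter over constructed Ethernet/IPv4/TCP frames. It assumes a 20-byte IPv4 header (no options) and leaves checksums at zero; the frame builder and sample frames are constructed for the demo.

```python
import struct

# Added example (not from the book or Wireshark): an offset/value packet filter
# of the kind the article describes, run over constructed Ethernet/IPv4/TCP frames.
# Assumptions: no IPv4 options (20-byte IP header), checksums left at zero.

ETH_HDR_LEN, IP_HDR_LEN = 14, 20

def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, tcp_flags):
    """Construct a minimal Ethernet II + IPv4 + TCP frame (sample input only)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, tcp_flags,
                      8192, 0, 0)
    return eth + ip + tcp

def matches(packet, offset, value, mask=None):
    """True if the bytes at `offset` equal `value`; a mask narrows the test to
    selected bits (e.g. one flag bit). Any byte or bit that differs is a miss."""
    window = packet[offset:offset + len(value)]
    if len(window) < len(value):
        return False  # frame too short to contain the field at that offset
    if mask is None:
        return window == value
    return all((w & m) == (v & m) for w, v, m in zip(window, value, mask))

# Filters as (offset, value, mask): the two things the article says you need.
# In Wireshark the port-80 case is the capture filter "tcp port 80"; "http" is a display filter.
BROADCAST = (0, b"\xff" * 6, None)                              # dst MAC ff:ff:ff:ff:ff:ff
HTTP_PORT = (ETH_HDR_LEN + IP_HDR_LEN + 2, b"\x00\x50", None)   # TCP dst port 80
TCP_SYN   = (ETH_HDR_LEN + IP_HDR_LEN + 13, b"\x02", b"\x02")   # single SYN bit in flags

def capture(frames, filt):
    """Capture filter: keep only frames that match, before they reach the trace buffer."""
    return [f for f in frames if matches(f, *filt)]

# Constructed sample frames (not real traffic)
FRAMES = [
    build_frame("ffffffffffff", "020000000001", "10.0.0.1", "10.0.0.255", 40000, 80, 0x02),
    build_frame("020000000002", "020000000001", "10.0.0.1", "10.0.0.2", 40001, 443, 0x18),
    build_frame("020000000002", "020000000001", "10.0.0.1", "10.0.0.2", 40002, 80, 0x10),
]

if __name__ == "__main__":
    for name, filt in (("broadcast", BROADCAST), ("http", HTTP_PORT), ("syn", TCP_SYN)):
        print(name, [FRAMES.index(f) for f in capture(FRAMES, filt)])
```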