Microsoft Network Monitor 3.1 Filter Expression Manual

This document supports a publicly available release of a software program that bears the name Microsoft Network Monitor 3.1.



Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, except for single copies for personal use, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006-2007 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Overview

General Usage

Filter Expression Syntax

Examples

Advanced Usage

Pairs

Filtering on Conversations

Casting

Negation

Overview

This is a brief user manual to help you get started on writing filter expressions in Capture and Display filter windows.

General Usage

You can filter on any protocol, protocol element, or property.

If you have already captured some frames, right click on a cell in the Frame Summary window and select "Add Cell To Display Filter". This will create a filter for that cell value and append it to the existing Display filter using the OR operator. Similarly, you can right click on a protocol element in the Frame Details window and select "Add Selected Value to Display Filter" to filter on that element. Right-click filtering is a great way to learn the filtering syntax!

Network Monitor 3.1 has a limited version of intellisense. You can start by typing the protocol name (e.g. tcp or http) and then a period "." to see the elements available for that protocol.

If you don't know the protocol name you are looking for, start by placing the cursor in the Display Filter window and type ".Protocol." The first period starts the intellisense. You will then see Protocol show up. The second period shows all the Protocols available.

Intellisense can also show you what fields are filterable in a protocol header, such as a TCP header. If you type tcp followed by a period (.), a drop-down list of filterable protocol elements will appear and you can select any element. For example, if you choose tcp.flags and press a period (.) again, you will see a list of TCP flags and you can select the SYN flag to form a filter expression such as: "tcp.flags.syn == 1".

Standard cut & paste operations work in the filter window. Use ctrl-c to copy and ctrl-v to paste filters.

"//" is a comment. You can add comments to filters, or add and remove them quickly to change the filter.

There are many sample filters available in the Capture and Display Filter window toolbar. Just click the folder icon. You will see a menu called "Standard Filters". Select any item to have the filter imported into the window.

There is a verify filter button which checks the validity of the filter expression that you entered in the capture or display filter windows. This allows you to confirm a filter will work, but will not apply the filter.

When you first use Network Monitor 3.1, a user directory tree is created under your Documents folder. The top-level folder is Network Monitor 3, which includes a subdirectory for storing user-created filter files (.nmf).

Filter Expression Syntax

A filter in Network Monitor 3.1 looks like an equation, usually separated by ANDs and ORs. You can also use the C representation, || and &&. Basic operators include ==, != and !, meaning Equals, Not Equals and Not respectively. You can also use more advanced operators such as < and >. For instance, the following filter is perfectly valid, though perhaps not very useful.

Smb.Command > 10 && Smb.command < 0xA1

Use parentheses to further scope things so that the order of operations is correct.

Examples

// Filter on source IPv4 address
IPv4.SourceAddress == 192.168.0.1

// Filter on destination IPv4 address
IPv4.DestinationAddress == 192.168.0.1

// Filter on IPv4 address (source or dest)
IPv4.Address == 192.168.0.1

// Filter on IPv6 address (source or dest). If you have IPv6 installed
// on your machine you can use the "colon" syntax. Otherwise, you will need
// to use the actual hex value of the address.
IPv6.Address == 3ffe:2900:d005:f282:b8df:3ec8:8a61:a06b

// View IPv4 traffic between a source and a destination node
IPv4.Address==10.0.0.1 and IPv4.Address==10.0.0.222

// Traffic To or From the capturing computer IPv4 address:
// Local <-> Any
// If you have more than one network adapter, this becomes
// an array, indexed starting from zero.
IPv4.Address == IpConfig.LocalIpv4Address

// Do not show Broadcast frames
// There are several ways to do this
// Ethernet.DestinationAddress != 0xFFFFFFFFFFFF
// Ethernet.DestinationAddress!=FF-FF-FF-FF-FF-FF
Ethernet.DestinationAddress!= BROADCAST

// Ethernet source or destination address
Ethernet.Address == 0x010203040506
// or
Ethernet.Address == 01-02-03-04-05-06

// Do not show RAS frames
NOT EAPOL and NOT EAP and NOT GRE and NOT PPTP and NOT PPP

// or you could use
!EAPOL and !EAP and !GRE and !PPTP and !PPP

// Do not show Terminal Service or Citrix frames
!(Tcp.port == 3389) and !(Tcp.port == 1494) and !(Tcp.port == 1503)

// Shows all ARPs, and any frame with TCP.FLAGS.SYN element turned on
Arp or Tcp.Flags.Syn

// Show all DNS Name Resolution requests
Dns.QuestionCount

// Find a web page string (known as a URI or URL)
Contains(Http.Request.URI,"msn.com")

// Show only LDAP frames
Tcp.Port == 389 or Udp.Port == 389

// NetBIOS Name Service query for a hostname
Contains(NbtNs.NbtNsQuestionSectionData.QuestionName.Name,"ComputerName")

// SMB Client Request & Server Response
SMBRequestNTCreateAndX or SMBResponseNTCreateAndX

// Show only the create file traffic to track file usage.
Smb.Command==0xa2

// Capture all SMB traffic except for browser traffic.
Smb and NOT Browser

// A way to filter AOL Instant Messenger data packets (no acks)
Tcp.Port == 5190 and Tcp.flags.push

// Searches TCP Payload for Ascii or Unicode data.
// This does not work with binary data.
property.TCPPayload.contains("BORDER-BOTTOM")

// Find a byte at 8 bytes from the beginning of a frame.
UINT8(FrameData, 7)==0x11

// You can use the filter expression window like a typical code editor. Here is an
// example of using comments "//" to remove parts of the filter expression. If your
// initial filter looks like this:
IPv4.address==10.1.1.1 ||
IPv4.address==10.1.1.2 ||
IPv4.address==10.1.1.3

// you can put comments on the middle section to prevent it from being evaluated,
// yet still keep all the code.

IPv4.address==10.1.1.1 ||
//IPv4.address==10.1.1.2 ||
IPv4.address==10.1.1.3

// The key to this technique is placement of the || (OR operator) and using a
// separate line for each evaluation.

Advanced Usage

Pairs

If you need to see all frames that use port 0x1234, and are also from a specific client (such as 10.0.0.1) you would type:

Tcp.Port==0x1234 AND IPv4.Address==10.0.0.1

Notice that you don't have to specify the source and destination port and source and destination address. This is because Network Monitor has a concept called PAIRs. This allows you to associate two pieces of information (Ports or Addresses) as a pair. So for instance, the two following examples are the same.
Tcp.Port==0x1234
Is the same as
Tcp.SrcPort==0x1234 || Tcp.DstPort==0x1234

Note that if you say Tcp.port!=0x1234, this does expand to:
Tcp.SrcPort!=0x1234 && Tcp.DstPort!=0x1234.

You can still use the Source and Destination parts separately, for instance if you wanted to see one way traffic.
IPv4.SourceAddress==10.0.0.1

Filtering on Conversations

Given a TCP conversation with ID equal to 9, you can filter on that conversation in two ways. In this first example, we will show all frames where the conversation ID exists. This includes frames where TCP is not the highest level protocol.

Conversation.TCP.Id == 9

In this second example, we will only show frames that match this conversation ID and that don't have any protocols on top of TCP. So this will only display TCP traffic, and no frames where TCP is not the highest level.

convid == 9

These filters require conversations to be enabled. To enable conversations, go to the start page, and check the box that says "Enable Conversations".  You will then have to close and reopen the capture.

Casting

Casting allows you to look at data at a specific offset in the frame. The syntax for this is as follows:

DATA_TYPE(FrameData, offset, length)

where DATA_TYPE refers to the type of data you are looking for (e.g., UINT8 for a byte); FrameData corresponds to the network frame; offset is the starting position (BigEndian) of the data in the frame; and length is an optional parameter that specifies how many bytes to look at. Often the length is implied by the data type.

So to find one byte at offset 2 you'd do the following
UINT8(FrameData,1)==0x50

Or to find a 16 bit value at offset 7 (BigEndian) you could do
UINT16(FrameData, 6)==0x00d0

To find a string of 10 bytes at offset 4, you would use
AsciiString(FrameData, 3, 10)=="1234567890"
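The following Python model is an added example, not Network Monitor's own code, of how the DATA_TYPE(FrameData, offset, length) casting syntax resolves against raw frame bytes: zero-based offsets, big-endian integers, an implied length for the fixed-width types, and an explicit length for AsciiString. The frame bytes, the `cast` and `evaluate` helpers, and the rule that a cast reaching past the end of the frame never matches (for either == or !=) are assumptions of this example, not behaviour documented on this page.

```python
"""Model of Network Monitor 3.1 casting filters over a constructed frame."""
import re
from typing import Optional, Union

# Implied lengths for fixed-width types; AsciiString always needs an explicit length.
IMPLIED_LENGTH = {"UINT8": 1, "UINT16": 2, "UINT32": 4}

# Constructed 18-byte frame (not real traffic): byte 1 is 0x50, bytes 6-7 are
# 0x00 0xd0, and bytes 8-17 hold the ASCII string "1234567890".
FRAME = bytes.fromhex("00 50 00 00 00 00 00 d0") + b"1234567890"

# One comparison in the manual's syntax: TYPE(FrameData, offset[, length]) == value
CAST_RE = re.compile(
    r'^(\w+)\(\s*FrameData\s*,\s*(\d+)\s*(?:,\s*(\d+)\s*)?\)\s*(==|!=)\s*(.+?)\s*$')


def cast(frame: bytes, data_type: str, offset: int,
         length: Optional[int] = None) -> Union[int, str, None]:
    """Return the value of DATA_TYPE(FrameData, offset, length).

    Offsets are zero-based; multi-byte integers are read big-endian as the manual
    states. Returns None (assumed 'no match') when the bytes run past the frame.
    """
    if length is None:
        if data_type not in IMPLIED_LENGTH:
            raise ValueError(f"{data_type} requires an explicit length")
        length = IMPLIED_LENGTH[data_type]
    chunk = frame[offset:offset + length]
    if len(chunk) < length:
        return None
    if data_type in IMPLIED_LENGTH:
        return int.from_bytes(chunk, "big")
    if data_type == "AsciiString":
        return chunk.decode("ascii", errors="replace")
    raise ValueError(f"unsupported data type {data_type}")


def evaluate(frame: bytes, expression: str) -> bool:
    """Evaluate a single casting comparison written in the manual's syntax."""
    match = CAST_RE.match(expression)
    if not match:
        raise ValueError(f"not a casting comparison: {expression!r}")
    data_type, offset, length, op, literal = match.groups()
    # A double-quoted literal is a string; anything else is parsed as an integer
    # in decimal or 0x hexadecimal, as the manual's examples use both.
    expected: Union[int, str]
    if literal.startswith('"') and literal.endswith('"'):
        expected = literal[1:-1]
    else:
        expected = int(literal, 0)
    actual = cast(frame, data_type, int(offset), int(length) if length else None)
    if actual is None:
        return False  # bytes beyond the frame never match (assumption of this model)
    return actual == expected if op == "==" else actual != expected


if __name__ == "__main__":
    for expr in ("UINT8(FrameData,1)==0x50",
                 "UINT16(FrameData, 6)==0x00d0",
                 "UINT16(FrameData, 6)==0xd000",      # little-endian reading: no match
                 'AsciiString(FrameData, 8, 10)=="1234567890"',
                 "UINT32(FrameData, 16)!=0"):          # runs past the frame: no match
        print(f"{expr:45} -> {evaluate(FRAME, expr)}")
```

The 0xd000 case is the one worth remembering when writing offset-based detection filters: the same two bytes give a different number depending on byte order, and the manual specifies big-endian.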

Negation

The filter 'Ipv4.Address != 157.59.9.73' will return a different set of frames from '!(Ipv4.Address == 157.59.9.73)'. The first filter will return only IP frames which do not match the IP address 157.59.9.73. However, the latter filter will return IP frames which do not match the IP address 157.59.9.73, as well as non-IP frames (e.g., ARP).

Generally "Protocol.Property != value" is not the same as "!(Protocol.Property == value)".
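The following Python model is an added example, not Network Monitor's own code, covering both the Pairs section above and this Negation section: it expands the PAIR properties Tcp.Port and IPv4.Address into their source/destination elements and then runs 'Property != value' and '!(Property == value)' over the same constructed capture so the difference in returned frames is visible. The Frame class, the five sample frames and the rule that a property comparison on a frame lacking that protocol simply does not match (modelled here as None) are assumptions of this example; the manual describes the outcome but not the engine's internals.

```python
"""Model of PAIR expansion and negation semantics in Network Monitor 3.1 filters."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Frame:
    """One captured frame. A protocol section is None when that protocol is absent."""
    number: int
    ipv4: Optional[dict] = None   # keys: SourceAddress, DestinationAddress
    tcp: Optional[dict] = None    # keys: SrcPort, DstPort
    arp: bool = False


# Constructed sample capture (not real traffic).
FRAMES = [
    Frame(1, ipv4={"SourceAddress": "10.0.0.1", "DestinationAddress": "10.0.0.2"},
          tcp={"SrcPort": 0x1234, "DstPort": 80}),
    Frame(2, ipv4={"SourceAddress": "10.0.0.5", "DestinationAddress": "10.0.0.1"},
          tcp={"SrcPort": 443, "DstPort": 0x1234}),
    Frame(3, ipv4={"SourceAddress": "10.0.0.7", "DestinationAddress": "10.0.0.8"},
          tcp={"SrcPort": 443, "DstPort": 22}),
    Frame(4, arp=True),                                   # ARP: no IPv4, no TCP
    Frame(5, ipv4={"SourceAddress": "10.0.0.1",
                   "DestinationAddress": "10.0.0.9"}),    # IPv4 without TCP
]

# PAIR properties and the (source, destination) elements they stand for.
PAIRS = {("ipv4", "Address"): ("SourceAddress", "DestinationAddress"),
         ("tcp", "Port"): ("SrcPort", "DstPort")}


def prop_eq(frame: Frame, proto: str, name: str, value) -> Optional[bool]:
    """'Proto.Name == value'. None when the protocol is not in the frame, which
    the filter treats as 'does not match' (assumption of this model)."""
    section = getattr(frame, proto)
    if section is None:
        return None
    if (proto, name) in PAIRS:
        # Pair expansion: Tcp.Port == v  ->  Tcp.SrcPort == v || Tcp.DstPort == v
        src, dst = PAIRS[(proto, name)]
        return section[src] == value or section[dst] == value
    return section.get(name) == value


def prop_ne(frame: Frame, proto: str, name: str, value) -> Optional[bool]:
    """'Proto.Name != value'. For a pair this is Src != v && Dst != v. A frame
    without the protocol still yields None, so '!=' never reaches non-IP frames."""
    eq = prop_eq(frame, proto, name, value)
    return None if eq is None else not eq


def negate(result: Optional[bool]) -> bool:
    """The '!' operator inverts the whole expression: a non-matching (None)
    result becomes True, so '!(Ipv4.Address == x)' also admits ARP frames."""
    return not bool(result)


def select(predicate: Callable[[Frame], Optional[bool]]) -> List[int]:
    """Frame numbers for which the filter evaluates to True."""
    return [f.number for f in FRAMES if bool(predicate(f))]


def matches_equal(proto: str, name: str, value) -> List[int]:
    """Frames matching 'Proto.Name == value' (pair expansion applied)."""
    return select(lambda f: prop_eq(f, proto, name, value))


def matches_not_equal(proto: str, name: str, value) -> List[int]:
    """Frames matching 'Proto.Name != value'."""
    return select(lambda f: prop_ne(f, proto, name, value))


def matches_negated_equal(proto: str, name: str, value) -> List[int]:
    """Frames matching '!(Proto.Name == value)'."""
    return select(lambda f: negate(prop_eq(f, proto, name, value)))


def port_and_host(port: int, host: str) -> List[int]:
    """'Tcp.Port==port AND IPv4.Address==host' from the Pairs section."""
    return select(lambda f: bool(prop_eq(f, "tcp", "Port", port))
                  and bool(prop_eq(f, "ipv4", "Address", host)))


if __name__ == "__main__":
    print("Tcp.Port==0x1234 AND IPv4.Address==10.0.0.1 ->", port_and_host(0x1234, "10.0.0.1"))
    print("Tcp.Port != 0x1234                           ->", matches_not_equal("tcp", "Port", 0x1234))
    print("!(Tcp.Port == 0x1234)                        ->", matches_negated_equal("tcp", "Port", 0x1234))
    print("Ipv4.Address != 10.0.0.1                     ->", matches_not_equal("ipv4", "Address", "10.0.0.1"))
    print("!(Ipv4.Address == 10.0.0.1)                  ->", matches_negated_equal("ipv4", "Address", "10.0.0.1"))
```

For a monitoring filter the practical consequence is the opposite of what the names suggest: 'Ipv4.Address != x' is the narrower filter (IP frames only), while '!(Ipv4.Address == x)' is the broader one that also keeps ARP and every other non-IP frame.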

