Microsoft Network Monitor 3.1 Filter Expression Manual
This document supports a publicly available release of a software program that bears the name Microsoft Network Monitor 3.1.
Information in this document, including URL and other Internet Web s 14114d319o ite references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, except for single copies for personal use, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
2006-2007 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS,
Windows, Windows Server, Windows Vista, are
either registered trademarks or trademarks of Microsoft Corporation in the
All other trademarks are property of their respective owners.
This is a brief user manual to help you get started on writing filter expressions in Capture and Display filter windows.
You can filter on any protocol, protocol element, or property.
If you have already captured some frames, right click on a cell in the Frame Summary window and select "Add Cell To Display Filter". This will create a filter for that cell value and append it to the existing Display filter using the OR operator. Similarly, you can right click on a protocol element in the Frame Details window and select "Add Selected Value to Display Filter" to filter on that element. Right-click filtering is a great way to learn the filtering syntax!
Network Monitor 3.1 has a limited version of intellisense. You can start by typing the protocol name (e.g. tcp or http) and then a period "." to see the elements available for that protocol.
If you don't know the protocol name you are looking for, start by placing the cursor in the Display Filter window and type ".Protocol." The first period starts the intellisense. You will then see Protocol show up. The second period shows all the Protocols available.
Intellisense can also show you what fields are filterable in a protocol header, such as a TCP header. If you type tcp followed by a period(.) , a drop down list of filterable protocol elements will appear and you can select any element. For example if you chose tcp.flags and press a period (.) again, you will see a list of TCP Flags and you can select the SYN flag to form a filter expression such as: "tcp.flags.syn == 1".
Standard cut & paste operations work in the filter window. Use ctrl-c to copy and ctrl-v to paste filters.
"//" is a comment. You can add comments to filters, or add and remove them quickly to change the filter.
There are many sample filters available in the Capture and Display Filter window toolbar. Just click the folder icon. You will see a menu called "Standard Filters". Select any item to have the filter imported into the window.
There is a verify filter button which checks the validity of the filter expression that you entered in the capture or display filter windows. This allows you to confirm a filter will work, but will not apply the filter.
When you first use Network Monitor 3.1, a user directory tree is created under your Documents folder. The top level folder is Network Monitor 3 which includes a subdirectory for storing user-created filters files (.nmf).
A filter in Network Monitor 3.1 looks like an equation, usually separated by AND's and OR's. You can also use the C representation of || and &&. Basic operators include: ==, != , !, respectively meaning: Equals, Not Equals, Not. You can also use more advanced operators such as < and >. For instance, the following filter is perfectly valid, though perhaps not very useful.
Smb.Command > 10 && Smb.command < 0xA1
Use parenthesis to further scope things so that the order of operations is correct.
// Filter on source IPv4
address
IPv4.SourceAddress == 192.168.0.1
// Filter on destination
IPv4 address
IPv4.DestinationAddress == 192.168.0.1
// Filter on IPv4 address
(source or dest)
IPv4.Address == 192.168.0.1
// Filter on IPv6 address
(source or dest). If you have IPv6 installed
//on your machine you can use the "colon" syntax. Otherwise, you will need
//to use the actual hex value of the address.
IPv6.Address == 3ffe:2900:d005:f282: b8df:3ec8:8a61:a06b
// View IPv4 traffic
between a source and a destination node
IPv4.Address==10.0.0.1 and IPv4.Address==10.0.0.222
// Traffic To or From the capturing computer IPv4 address:
// Local <-> Any
// If you have more than one network adapter, this becomes
// an array, indexed starting from zero.
IPv4.Address == IpConfig.LocalIpv4Address
// Do not show Broadcast
frames
// There are several ways to do this
// Ethernet.DestinationAddress != 0xFFFFFFFFFFFF
// Ethernet.DestinationAddress!=FF-FF-FF-FF-FF-FF
Ethernet.DestinationAddress!= BROADCAST
// Ethernet source or
destination address
Ethernet.Address == 0x010203040506
// or
Ethernet.Address == 01-02-03-04-05-06
// Do not show RAS frames
NOT EAPOL and NOT EAP and NOT
GRE and NOT PPTP and NOT
PPP
// or you could use
!EAPOL and !EAP and !GRE and !PPTP and !PPP
// Do not show Terminal
Service or Citrix frames
!(Tcp.port == 3389) and !(Tcp.port == 1494) and !(Tcp.port == 1503)
// Shows all ARPs, and
any frame with TCP.FLAGS.SYN element turned on
Arp or Tcp.Flags.Syn
// Show all DNS Name
Resolution requests
Dns.QuestionCount
// Find a web page string
(known as a URI or URL)
Contains(Http.Request.URI,"msn.com")
// Show only LDAP frames
Tcp.Port == 389 or Udp.Port == 389
// NetBIOS Name Service
query for a hostname
Contains(NbtNs. NbtNsQuestionSectionData. QuestionName.Name,"ComputerName")
// SMB Client Request
& Server Response
SMBRequestNTCreateAndX or SMBResponseNTCreateAndX
// Show only the create file
traffic to track file usage.
Smb.Command==0xa2
// Capture all SMB
traffic except for browser traffic.
Smb and NOT Browser
// A way to filter AOL
Instant Messenger data packets (no acks)
Tcp.Port == 5190 and Tcp.flags.push
// Searches TCP Payload for Ascii or Unicode data.
// This does not work with binary data.
property. TCPPayload.contains ("BORDER-BOTTOM")
// Find a byte at 8 bytes from the beginning of a frame.
UINT8(FrameData, 7)==0x11
// You can use the filter
expression window like a typical code editor. Here is an // example of using comments "//" to remove parts of the filter
expression. If your // initial filter looks like this:
IPv4.address==10.1.1.1 ||
IPv4.address==10.1.1.2 ||
IPv4.address==10.1.1.3
// you can put comments
on the middle section to prevent it from being evaluated,
// yet still keep all the code.
IPv4.address==10.1.1.1
||
//IPv4.address==10.1.1.2 ||
IPv4.address==10.1.1.3
// The key to this
technique is placement of the || (OR operator) and using a
//separate line for each evaluation.
If you need to see all frames that use port 0x1234, and are also from a specific client (such as 10.0.0.1) you would type:
Tcp.Port==0x1234 AND IPv4.Address==10.0.0.1
Notice that you don't
have to specify the source and destination port and source and destination
address. This is because Network Monitor has a concept called PAIRs. This
allows you to associate two pieces of information (Ports or Addresses) as a
pair. So for instance, the two following examples are the same.
Tcp.Port==0x1234
Is the same as
Tcp.SrcPort==0x1234 || Tcp.DstPort==0x1234
Note that if you say
Tcp.port!=0x1234, this does expand to:
Tcp.SrcPort!=0x1234 && Tcp.DstPort!=0x1234.
You can still use the
Source and Destination parts separately, for instance if you wanted to see one
way traffic.
IPv4.SourceAddress==10.0.0.1
Given a TCP conversation with ID equal to 9, you can filter on
that conversation in two ways. In this
first example, we will show all frames where the conversation ID exists. This includes frames where TCP is not the
highest level protocol.
Conversation.TCP.Id ==
9
This second example we will only show frames that match this conversation ID and that don't have any protocols on top of TCP. So this will only display TCP traffic, and no frames where TCP is not the highest level.
convid == 9
These filters require conversations to be enabled. To enable conversations, go to the start page, and check the box that says "Enable Conversations". You will then have to close and reopen the capture.
Casting allows you to
look at data at a specific offset in the frame. The syntax for this is as follows:
DATA_TYPE(FrameData, offset, length)
where DATA_TYPE refers to the type of data you are looking for (e.g., UINT8 for
a byte); FrameData corresponds to the
network frame; offset is the starting position (BigEndian) of the data in the
frame; and length is an optional parameter that specifies how many bytes to
look at. Often the length is implied by the data type.
So to find one byte at
offset 2 you'd do the following
UINT8(FrameData,1)==0x50
Or to find a 16 bit value
at offset 7 (BigEndian) you could do
UINT16(FrameData, 6)==0x00d0
To find a string of 10
bytes at offset 4, you would use
AsciiString(FrameData, 3,
10)=="1234567890"
'Ipv4.Address != 157.59.9.73' filter will return a different set of frames from '! (Ipv4.Address == 157.59.9.73)'. The first filter will return only IP frames which do not match the IP Address 157.59.9.73. However, the latter filter will return IP frames which do not match the IP Address 157.59.9.73, as well as non-IP frames (e.g., ARP).
Generally "Protocol.Property != value" is not the same as "!(Protocol.Property == value)".
|
