TamoSoft: Network Analysis Tools & Security Software
CommTraffic Help Documentation


Advanced Rules


Overview

This is the most powerful and flexible way to create complex traffic monitoring filters using Boolean logic. Using the rules requires a basic understanding of mathematics and logic, but the rules syntax is rather easy to understand.


The Advanced Rules page contains certain automatically created rules that appear if you add entries to the Local Networks, Ignore Networks, or Local Proxies pages. Such rules have the word Auto for their name. You can evaluate them; however, you cannot edit or delete them.

To add a new rule, click on the Add button. A dialog window will appear. Enter an arbitrary name in the Rule name field, select the direction (Incoming or Outgoing) from the drop-down menu, select the action to take (Count or Ignore), and enter a Formula using the syntax described below.

The Formula field has a context menu that allows you to create your traffic rules quickly and easily. Right-click on the Formula field and the following menu will pop up:

Insert – allows you to insert a keyword or an operator from the list of available keywords and operators, or insert an IP address, MAC or port number alias stored in the program.

Create Alias – allows you to create an alias for the IP address, MAC address, or port number present in the formula.

Undo – undo the latest operation.

Redo – redo the last operation that was undone.

Cut – copy the selected text to the clipboard and remove it from the field.

Copy – copy the selected text to the clipboard.

Paste – paste the text from the clipboard.

Delete – delete the selected text.

Select All – select the entire text in the Formula field.

Your new rule will be added to the list. Dragging the column header to the desired place will change the sequence of columns. You can hide certain columns by right-clicking on the header of a column and unchecking the entries that you need to hide. You can also sort the entries by clicking on the header of the corresponding column.


You can add as many rules as you wish, but only those rules that have a checked box next to the rule name are currently active. You can activate/deactivate rules by checking/unchecking the corresponding boxes or completely delete selected rules using the Delete button. You can evaluate the resulting combined rule by clicking on the Evaluate button. Please note that multiple active rules are combined using the logical OR operator, e.g. if you have three active rules, RULE1, RULE2, and RULE3, the resulting rule is RULE1 OR RULE2 OR RULE3. Please click on the Apply button to activate the new rules or apply the changes to the existing rules.

Please note, there are separate rules for incoming and outgoing traffic, so you should design your rules carefully and select the appropriate direction for them; otherwise, CommTraffic will produce incorrect statistics results.

The Traffic Rules window has a context menu that is also duplicated in the Action => Traffic Rules item in the main menu.

Add - launches a dialog window for adding a new rule.

Modify - allows you to modify the selected rule.

Enable – activates the selected deactivated rule.

Disable – deactivates the selected active rule.

Duplicate - duplicates the selected entry.

Rename - allows you to rename the selected entry.

Delete - deletes the selected entry.

Undelete - restores the previously deleted entry.

Evaluate – allows you to evaluate the results of all active rules combined.

Create Alias – allows you to create an alias for an IP address, MAC address, or port number that is present in the selected rule.

Copy - copies the selected line, its part, or all entries to the clipboard.

Open - allows you to open a rules file from the disk. You can also drop a CommTraffic traffic rules file (.ctrul) to the Advanced Rules page to open it.

Save - saves the listed traffic rules entries to the disk in CommTraffic format (.ctrul), as well as in HTML, XML, RTF, XLS and text file formats.

Print – opens the printing dialog window.

Options – opens a dialog window where you can change the appearance of the Advanced Rules page.


Syntax Description

etherproto – Ethernet protocol, the 13th and 14th bytes of the packet. Acceptable values are numbers (e.g. etherproto=0x0800 for IP) or common aliases (e.g. etherproto=ARP, which is equivalent to 0x0806).

ipproto – IP protocol. Acceptable values are numbers (e.g. ipproto!=0x06 for TCP) or commonly used aliases (e.g. ipproto=UDP, which is equivalent to 0x11).

smac – Source MAC address. Acceptable values are MAC addresses in hex notation (e.g. smac=00:00:21:0A:13:0F) or user-defined aliases.

dmac – Destination MAC address.

sip – Source IP address. Acceptable values are IP addresses in dotted notation (e.g. sip=192.168.0.1), IP addresses with wildcards (e.g. sip!=*.*.*.255), network addresses with subnet masks (e.g. sip=192.168.0.4/255.255.255.240 or sip=192.168.0.5/28), IP ranges (e.g. sip from 192.168.0.15 to 192.168.0.18 or sip in 192.168.0.15 .. 192.168.0.18), or user-defined aliases.

dip – Destination IP address.

sport – Source port for TCP and UDP packets. Acceptable values are numbers (e.g. sport=80 for HTTP) or ranges (e.g. sport from 20 to 50 or sport in 20..50 for any port number between 20 and 50).

dport – Destination port for TCP and UDP packets.

str – Packet contents. Use this function to indicate that the packet must contain a certain string. This function has three arguments: string, position, and case sensitivity. The first argument is a string, e.g. 'GET'. The second argument is a number that indicates the string position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. If the offset is not important, use -1. The third argument indicates the case-sensitivity and can be either false (case-insensitive) or true (case-sensitive). The second and third arguments are optional; if omitted, the offset defaults to -1 and the case-sensitivity defaults to false. Usage examples: str('GET',-1,false), str('GET',-1), str ('GET').

hex – Packet contents. Use this function to indicate that the packet must contain a certain hexadecimal byte pattern. This function has two arguments: hex pattern and position. The first argument is a hex value, e.g. 0x4500. The second argument is a number that indicates the pattern position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. If the offset is not important, use -1. The second argument is optional; if omitted, the offset defaults to -1. Usage examples: hex(0x04500, 14), hex(0x4500, 0x0E), hex (0x010101).

The keywords described above can be used with the following operators:

and – Boolean conjunction.
or – Boolean disjunction.
not – Boolean negation.
= – arithmetic equality.
!= – arithmetic inequality.
<> – same as above.
> – arithmetic greater-than.
< – arithmetic less-than.
( ) – parentheses, control operator precedence rules.

All numbers can be in decimal or hexadecimal notation. If you want to use hexadecimal notation, the number must be preceded by 0x, i.e. you can use either 15 or 0x0F.

Examples

Below, you will find a number of examples illustrating the rules syntax. Each rule is followed by our comments about what the rule does. The rules are shown in red. The comments are separated from the actual rule by two slashes.

Example 1
·(dip = 192.168.1.0/255.255.255.0) and (sip <> 192.168.1.0/255.255.255.0) // The rule is inclusive for the Incoming traffic direction.  
·(sip = 192.168.1.0/255.255.255.0) and (dip <> 192.168.1.0/255.255.255.0) // The rule is inclusive for the Outgoing traffic direction.  
The above-mentioned set of rules indicates that the IP addresses in the 192.168.1.0/255.255.255.0 range are assigned to the local network hosts.  
 
Example 2
·(sip = 192.168.5.17) and (sport = 3128) // The rule is inclusive for the Incoming traffic direction.  
·(dip = 192.168.5.17) and (dport = 3128) // The rule is inclusive for the Outgoing traffic direction.  
 
The rules above determine that the computer with the IP address 192.168.5.17 is acting as a proxy on port 3128 and its traffic should not be considered local for the rest of the hosts on the LAN.  

Example 3
·(sip = 192.168.1.0/255.255.255.0) // The rule is exclusive for the Incoming traffic direction.  
·(dip = 192.168.1.0/255.255.255.0) // The rule is exclusive for the Outgoing traffic direction.  
 
This rule set makes the program completely ignore the traffic of the network range of 192.168.1.0/255.255.255.0.
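The syntax description and the three examples above can be checked against concrete packets with a small evaluator. The following is an added example written for this page, not CommTraffic's own code: it parses a formula in the syntax above (field keywords, and/or/not, the comparison operators, parentheses, the from/to and in/.. range forms, network masks and prefixes, and the str() and hex() content functions) into a predicate and evaluates it against a packet record. The packet dictionary layout, the constructed SAMPLE frame and the ALIASES table are assumptions, since CommTraffic's internal representation is not documented here; MAC-address values, IP wildcards and user-defined aliases are left out. The one interpretation worth noting is hex(): the pattern is treated as a numeric value, so hex(0x04500, 14) looks for the bytes 45 00 at offset 14, which is what the page's example implies.

```python
"""Evaluator for the CommTraffic Advanced Rules formula syntax described on this page. This is an added
example, not CommTraffic code: the packet dict layout, SAMPLE and ALIASES are assumptions, and MAC-address
values, IP wildcards and user-defined aliases are not implemented."""
import ipaddress
import re

FIELDS = ("etherproto", "ipproto", "sip", "dip", "sport", "dport")
ALIASES = {"IP": 0x0800, "ARP": 0x0806, "TCP": 0x06, "UDP": 0x11, "ICMP": 0x01}  # assumed alias table
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<>": lambda a, b: a != b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<ip>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,3}(?:\.\d{1,3}){3}|/\d{1,2})?)
  | (?P<num>0x[0-9A-Fa-f]+|-?\d+)
  | (?P<str>'[^']*')
  | (?P<op><>|!=|\.\.|[=<>(),])
  | (?P<word>[A-Za-z_]\w*)
  | (?P<err>\S))""", re.X)

def ip_value(spec):
    """Plain address -> int; 'addr/mask' or 'addr/prefix' -> (low, high) int range of that network."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    return int(ipaddress.ip_address(spec))

class Parser:
    """Recursive descent: expr := conj ('or' conj)*; conj := neg ('and' neg)*; neg := 'not' neg |
    '(' expr ')' | field comparison | str(...) | hex(...).  Every method returns a packet predicate."""
    def __init__(self, formula):
        text = formula.replace("\u2013", "-")                   # the page prints -1 with an en dash
        self.toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(text)]
        self.i, bad = 0, [t for k, t in self.toks if k == "err"]
        if bad:
            raise SyntaxError(f"unexpected character {bad[0]!r}")
    def take(self, kind=None, val=None, optional=False):       # consume the next token if it matches
        k, v = self.toks[self.i] if self.i < len(self.toks) else (None, "")
        if k and kind in (None, k) and val in (None, v.lower()):
            self.i += 1
            return k, v
        if not optional:
            raise SyntaxError(f"expected {val or kind or 'a token'} at token {self.i}")
    def chain(self, word, sub, combine):                        # left-associative 'or' / 'and' chains
        left = sub()
        while self.take("word", word, True):
            left = combine(left, sub())
        return left
    def expr(self):
        return self.chain("or", self.conj, lambda l, r: lambda p: l(p) or r(p))
    def conj(self):
        return self.chain("and", self.neg, lambda l, r: lambda p: l(p) and r(p))
    def neg(self):
        if self.take("word", "not", True):
            return (lambda inner: lambda p: not inner(p))(self.neg())
        if self.take("op", "(", True):
            inner, _ = self.expr(), self.take("op", ")")
            return inner
        name = self.take("word")[1].lower()
        return self.content(name) if name in ("str", "hex") else self.compare(name)
    def compare(self, field):
        if field not in FIELDS:
            raise SyntaxError(f"unknown keyword {field!r}")
        kw = self.take("word", "from", True) or self.take("word", "in", True)
        if kw:                                                  # 'from X to Y' or 'in X .. Y'
            lo = self.value(field)
            self.take("word", "to") if kw[1].lower() == "from" else self.take("op", "..")
            hi = self.value(field)
            return lambda p: lo <= p[field] <= hi
        op, val = self.take("op")[1], self.value(field)
        if op not in OPS or (isinstance(val, tuple) and op not in ("=", "!=", "<>")):
            raise SyntaxError(f"operator {op!r} is not valid here")
        if isinstance(val, tuple):                              # network: membership test, possibly negated
            return lambda p: (val[0] <= p[field] <= val[1]) == (op == "=")
        return lambda p: OPS[op](p[field], val)
    def value(self, field):
        kind, tok = self.take()
        if kind == "num": return int(tok, 0)
        if kind == "ip": return ip_value(tok)
        if kind == "word" and tok.upper() in ALIASES: return ALIASES[tok.upper()]
        raise SyntaxError(f"bad value {tok!r} for {field}")
    def content(self, name):
        """str('text'[, offset[, case]]) / hex(0xNN[, offset]); offset -1 (the default) means anywhere."""
        self.take("op", "(")
        tok = self.take("str" if name == "str" else "num")[1]
        v = int(tok, 0) if name == "hex" else 0                 # hex(): value as big-endian bytes, 0x04500 == 45 00
        pat = tok[1:-1].encode() if name == "str" else v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        offset = int(self.take("num")[1], 0) if self.take("op", ",", True) else -1
        case = self.take("word")[1].lower() == "true" if name == "str" and self.take("op", ",", True) else False
        self.take("op", ")")
        fold = name == "str" and not case                       # str() is case-insensitive by default
        pat, src = (pat.lower(), lambda p: p["raw"].lower()) if fold else (pat, lambda p: p["raw"])
        return lambda p: pat in src(p) if offset < 0 else src(p)[offset:offset + len(pat)] == pat

def matches(formula, packet):
    """Compile one formula and evaluate it against a packet dict laid out like SAMPLE."""
    parser = Parser(formula)
    pred = parser.expr()
    if parser.i < len(parser.toks):
        raise SyntaxError(f"unexpected {parser.toks[parser.i][1]!r}")
    return pred(packet)

# Constructed sample frame (not a capture): 14-byte Ethernet header, 45 00 at offset 14, padding, payload at 34.
SAMPLE = {"etherproto": 0x0800, "ipproto": 0x06, "sport": 51000, "dport": 80,
          "sip": int(ipaddress.ip_address("192.168.1.10")), "dip": int(ipaddress.ip_address("203.0.113.7")),
          "raw": b"\x00" * 12 + b"\x08\x00" + b"\x45\x00" + b"\x00" * 18 + b"GET / HTTP/1.1\r\n"}
```

Run against SAMPLE, the Outgoing rule of Example 1 matches and the Incoming one does not, which is the behaviour the example describes for a frame leaving the 192.168.1.0/255.255.255.0 network. Because the page states that active rules for one direction are combined with OR, the combined result for a list of formulas is `any(matches(f, pkt) for f in formulas)`. Malformed formulas (an unknown keyword, a missing operand, trailing text) are rejected with a SyntaxError at parse time rather than silently counting nothing, which is the failure mode to design against when a rule decides what gets counted or ignored.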