This tab allows you to set rules for capturing packets. If one or more rules are set, the program filters packets based on these rules and displays only the packets that comply with them. Note that CommView is not a firewall: rules affect only what CommView displays and logs, and the operating system still processes every packet as usual. If a rule is set, the name of the corresponding tab is displayed in bold font. You can save your rules configuration(s) to a file and load them later by using the Rules command of the program's menu.

Since LAN traffic can often generate a high number of packets, it is recommended that you use rules to filter out unnecessary packets. This can considerably reduce the amount of system resources consumed by the program.

If you want to enable or disable a rule, select the appropriate branch on the left side of the window (e.g. IP Addresses or Ports), and check or uncheck the box describing the rule (Enable IP Address rules or Enable port rules).

There are eight types of rules that can be used:

Protocols & Direction

Allows you to ignore or capture packets based on Ethernet (Layer 2) and IP (Layer 3) protocols, as well as on packet direction.

This example shows how to make the program capture only inbound and outbound ICMP and UDP packets. All other packets in the IP family will be ignored; all pass-through packets will be ignored as well.

MAC Addresses

Allows you to ignore or capture packets based on MAC (hardware) addresses. Enter a MAC address in the Add Record frame, select the direction (From, To, or Both), and click Add MAC Address. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click the MAC Aliases button to get the list of aliases; double-click the alias you would like to add, and the corresponding MAC address will appear in the input box.

This example shows how to make the program ignore packets that come from 0A:DE:34:0F:23:3E. All packets that come from other MAC addresses will be captured.

IP Addresses

Allows you to ignore or capture packets based on IP addresses. Enter an IP or IPv6 address in the Add Record frame, select the direction (From, To, or Both), and click Add IP Address. You can use wildcards to specify blocks of IP addresses. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click the IP Aliases button to access the list of aliases; double-click the alias you would like to add, and the corresponding IP address will appear in the input box.

This example shows how to make the program capture the packets that go to 63.34.55.66, go to and come from 207.25.16.11, and come from all addresses between 194.154.0.0 and 194.154.255.255. All packets that come from or go to other addresses will be ignored. Since IP addresses exist only in the IP protocol, such a configuration will automatically make the program ignore all non-IP packets. Usage of IPv6 addresses requires Windows XP or higher with the IPv6 stack installed.

Ports

Allows you to ignore or capture packets based on ports. Enter a port number in the Add Record frame, select the direction (From, To, or Both), and click Add Port. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click the Port Reference button to get a list of all known ports; double-click the port you would like to add and its number will appear in the input box. Ports can also be entered as text; for example, you can type http or pop3, and the program will convert the port name to its numeric value.

This example shows how to make the program ignore packets that come from port 80 and packets that go to or come from port 137. This rule will prevent CommView from displaying inbound HTTP traffic, as well as inbound and outbound NetBIOS Name Service traffic. All packets coming to and from other ports will be captured.

TCP Flags

Allows you to ignore or capture packets based on TCP flags. Check a flag or a combination of flags in the Add Record frame, and click Add Flags. The new rule will be displayed. Now you can select the action to be taken when a new packet with the entered TCP flags is processed: the packet can be either captured or ignored.

This example shows how to make the program ignore TCP packets with the PSH ACK flag combination. All packets with other TCP flags will be captured.

Text

Allows you to capture packets that contain certain text. Enter a text string in the Add Record frame, select the type of entered information (As String or As Hex), and click Add Text. The new rule will be displayed. You can enter text either as a string (self-explanatory) or as a hexadecimal value. The latter method should be used when you want to enter non-printable characters: just type hexadecimal byte values separated by spaces, as in the example below. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored.

This example shows how to make the program capture only the packets that contain either "GET" or the hex data 01 02 03 04. Check the Case sensitive box if you want string rules to be case sensitive. All other packets, which do not contain the text mentioned above, will be ignored.

Process

Allows you to capture packets based on the process name. Enter a process name in the Add Record frame and click Add Process Name. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can enter partial process names, e.g. netscp or net; any process name that contains such a substring will match the rule. Process names are not case-sensitive.

This example shows how to make the program capture only the packets that were sent or received by netscp.exe. Packets sent by other processes will be ignored.

Advanced

Advanced rules are the most powerful and flexible rules; they allow you to create complex filters using Boolean logic. For detailed help on using advanced rules, please refer to the Advanced Rules chapter.
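The rule tabs above (IP Addresses, Ports, TCP Flags, Text, Process) share one evaluation model: each tab holds a list of entries with a From/To/Both direction where that applies, the tab's action is either capture or ignore, an empty tab filters nothing, and a packet is shown only if every enabled tab lets it through. The Python below is an added model of those semantics written for this page; it is not CommView's code. It combines the page's own examples (capture to 63.34.55.66, both 207.25.16.11, from 194.154.x.x; ignore from port 80 and both port 137; ignore PSH+ACK; capture "GET" or 01 02 03 04; capture netscp) into one configuration and runs constructed packets through it. Two details are assumptions, since the page does not spell them out: wildcards are written in dotted form as 194.154.*.*, and a TCP-flags entry matches when a packet carries exactly that combination. The MAC Addresses tab would use the same From/To/Both helper as the IP tab and is left out only to keep the example short.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Constructed packet record holding only the fields the rule tabs inspect."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: frozenset
    payload: bytes
    process: str


@dataclass
class RuleFamily:
    """One rule tab: entries plus the action taken when an entry matches.
    'capture' keeps only matching packets; 'ignore' drops matching packets."""
    action: str
    entries: list = field(default_factory=list)

    def passes(self, matched):
        # A tab with no entries is disabled and never filters anything.
        if not self.entries:
            return True
        return matched if self.action == "capture" else not matched


def endpoint_match(direction, rule_value, src, dst, same):
    """Apply a From/To/Both rule to the source and destination fields."""
    if direction == "from":
        return same(rule_value, src)
    if direction == "to":
        return same(rule_value, dst)
    return same(rule_value, src) or same(rule_value, dst)  # both


def ip_match(pattern, addr):
    # Assumed wildcard syntax: 194.154.*.* covers 194.154.0.0 - 194.154.255.255.
    return fnmatch.fnmatchcase(addr, pattern)


def text_match(entry, payload):
    """String rules honour the Case sensitive box; hex rules compare raw bytes."""
    needle, case_sensitive = entry
    if isinstance(needle, bytes):
        return needle in payload
    if case_sensitive:
        return needle.encode() in payload
    return needle.lower().encode() in payload.lower()


def hex_rule(text):
    """'01 02 03 04' as typed in the Add Record frame -> b'\\x01\\x02\\x03\\x04'."""
    return bytes.fromhex(text)


def evaluate(pkt, rules):
    """A packet is captured only if every enabled tab lets it through."""
    same_port = lambda a, b: a == b
    checks = [
        rules["ip"].passes(any(endpoint_match(d, v, pkt.src_ip, pkt.dst_ip, ip_match)
                               for d, v in rules["ip"].entries)),
        rules["ports"].passes(any(endpoint_match(d, v, pkt.src_port, pkt.dst_port, same_port)
                                  for d, v in rules["ports"].entries)),
        # Assumed: a flags entry matches when the packet carries exactly that combination.
        rules["flags"].passes(any(frozenset(f) == pkt.tcp_flags for f in rules["flags"].entries)),
        rules["text"].passes(any(text_match(e, pkt.payload) for e in rules["text"].entries)),
        rules["process"].passes(any(p.lower() in pkt.process.lower() for p in rules["process"].entries)),
    ]
    return all(checks)


def page_ruleset():
    """The IP, port, TCP-flag, text and process examples from the page, combined."""
    return {
        "ip": RuleFamily("capture", [("to", "63.34.55.66"), ("both", "207.25.16.11"), ("from", "194.154.*.*")]),
        "ports": RuleFamily("ignore", [("from", 80), ("both", 137)]),
        "flags": RuleFamily("ignore", [("PSH", "ACK")]),
        "text": RuleFamily("capture", [("GET", False), (hex_rule("01 02 03 04"), False)]),
        "process": RuleFamily("capture", ["netscp"]),
    }


def demo():
    """Constructed packets run through the combined ruleset; returns which are captured."""
    base = dict(src_ip="194.154.10.5", dst_ip="10.0.0.2", src_port=8080, dst_port=51000,
                tcp_flags=frozenset({"ACK"}), payload=b"GET / HTTP/1.1\r\n", process="netscp.exe")
    rules = page_ruleset()
    return {
        "in_range_get": evaluate(Packet(**base), rules),
        "from_port_80": evaluate(Packet(**{**base, "src_port": 80}), rules),
        "psh_ack": evaluate(Packet(**{**base, "tcp_flags": frozenset({"PSH", "ACK"})}), rules),
        "other_process": evaluate(Packet(**{**base, "process": "chrome.exe"}), rules),
        "hex_to_host": evaluate(Packet(**{**base, "src_ip": "10.0.0.9", "dst_ip": "63.34.55.66",
                                          "payload": b"\x00\x01\x02\x03\x04\xff"}), rules),
        "unrelated_ip": evaluate(Packet(**{**base, "src_ip": "10.0.0.9"}), rules),
    }


if __name__ == "__main__":
    for name, captured in demo().items():
        print(f"{name:14s} -> {'captured' if captured else 'ignored'}")
```

The point the model makes explicit is that tabs combine with AND while entries within a tab combine with OR: the first constructed packet is shown only because it satisfies the IP, Text and Process capture tabs and trips neither the Ports nor the TCP Flags ignore tab, and changing any one of those fields is enough to drop it.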