This tab allows you to set rules for capturing packets. If one or more rules are set, the program filters packets based on these rules and displays only the packets that comply with them. Note that CommView is not a firewall: rules only determine what CommView captures, displays and logs, and the packets themselves are still processed by the operating system as usual. Keep in mind that a packet ignored by a rule is not captured at all and cannot be recovered later, so if the capture may later serve as evidence, keep the rules narrow so that nothing you might need is discarded. If a rule is set, the name of the corresponding tab is displayed in bold font.

You can save your rules configuration(s) to a file and load them by using the Rules command of the program's menu.
Since LAN traffic can often generate a high number of packets, it is recommended that you use rules to filter out unnecessary packets. This can considerably reduce the amount of system resources consumed by the program. To enable or disable a rule type, select the appropriate branch on the left side of the window (e.g. IP Addresses or Ports) and check or uncheck the box describing the rule (Enable IP Address rules or Enable port rules). There are eight types of rules that can be used:
Protocols & Direction
Allows you to ignore or capture packets based on Ethernet (Layer 2) and IP (Layer 3) protocols, as well as on packet direction. This example shows how to make the program capture only inbound and outbound ICMP and UDP packets. All other packets in the IP family will be ignored, and all pass-through packets will be ignored as well.
MAC Addresses
Allows you to ignore or capture packets based on MAC (hardware) addresses. Enter a MAC address in the Add Record frame, select the direction (From, To, or Both), and click Add MAC Address. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the MAC Aliases button to get the list of aliases; double-click on the alias you would like to add, and the corresponding MAC address will appear in the input box.

This example shows how to make the program ignore packets that come from 0A:DE:34:0F:23:3E. All packets that come from other MAC addresses will be captured.
IP Addresses
Allows you to ignore or capture packets based on IP addresses. Enter an IPv4 or IPv6 address in the Add Record frame, select the direction (From, To, or Both), and click Add IP Address. You can use wildcards to specify blocks of IP addresses. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the IP Aliases button to access the list of aliases; double-click on the alias you would like to add, and the corresponding IP address will appear in the input box.

This example shows how to make the program capture the packets that go to 63.34.55.66, go to and come from 207.25.16.11, and come from all addresses between 194.154.0.0 and 194.154.255.255. All packets that come from or go to other addresses will be ignored. Because IP addresses exist only in the IP protocol, a capture rule of this kind automatically makes the program ignore all non-IP packets (for example ARP frames). Usage of IPv6 addresses requires Windows XP or higher and that the IPv6 stack be installed.
Ports
Allows you to ignore or capture packets based on ports. Enter a port number in the Add Record frame, select the direction (From, To, or Both), and click Add Port. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the Port Reference button to get a list of all known ports; double-click on the port you would like to add and its number will appear in the input box. Ports can also be entered as text; for example, you can type in http or pop3, and the program will convert the port name to the numeric value.

This example shows how to make the program ignore packets that come from port 80 and packets that go to or come from port 137. This rule will prevent CommView from displaying inbound HTTP traffic (replies with source port 80), as well as inbound and outbound NetBIOS Name Service traffic. All packets coming to and from other ports will be captured.
TCP Flags
Allows you to ignore or capture packets based on TCP flags. Check a flag or a combination of flags in the Add Record frame, and click Add Flags. The new rule will be displayed. Now you can select the action to be taken when a new packet with the entered TCP flags is processed: the packet can be either captured or ignored.

This example shows how to make the program ignore TCP packets with the PSH and ACK flags set. All packets with other TCP flag combinations will be captured.
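The IP Addresses, Ports and TCP Flags examples above each describe one rule type in isolation. The following Python model, added here as an illustration and not part of CommView or its documentation, shows how capture and ignore rules with a direction are evaluated and how several enabled rule types combine. Everything below the page does not state is an assumption made for the example: the wildcard syntax is "*" per IPv4 octet, the enabled rule types combine with AND (a packet must pass every one), and a TCP Flags rule matches a packet whose flag set equals the checked combination. The sample packets are constructed.

```python
# Added example (not CommView's code): a model of capture/ignore rules with
# directions, and of how enabled rule types combine. See the lead-in for the
# assumptions (per-octet "*" wildcard, AND across rule types, exact flag match).
from dataclasses import dataclass
from typing import Callable, Optional

# TCP flag bits as laid out in the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; None means the layer is absent (ARP has no IP header)."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[int] = None   # None for non-TCP packets


@dataclass(frozen=True)
class Entry:
    value: str       # address or port as typed in the Add Record frame
    direction: str   # "from", "to" or "both"


def ip_matches(addr: Optional[str], pattern: str) -> bool:
    """Dotted-quad comparison with an assumed '*' wildcard per octet."""
    if addr is None:
        return False
    a, p = addr.split("."), pattern.split(".")
    return len(a) == len(p) == 4 and all(x == "*" or x == y for x, y in zip(p, a))


def port_matches(port: Optional[int], pattern: str) -> bool:
    return port is not None and port == int(pattern)


def entry_hits(entry: Entry, src, dst, match: Callable) -> bool:
    """From checks the source field, To the destination field, Both either side."""
    return ((entry.direction in ("from", "both") and match(src, entry.value))
            or (entry.direction in ("to", "both") and match(dst, entry.value)))


def rule_passes(action: str, hit: bool) -> bool:
    """A 'capture' rule keeps only matching packets; an 'ignore' rule drops them."""
    return hit if action == "capture" else not hit


def flags(*names: str) -> int:
    """Combine flag names into the header bit mask, e.g. flags('PSH', 'ACK') == 0x18."""
    return sum(TCP_FLAGS[n] for n in names)


def is_captured(pkt: Packet, ip_rule=None, port_rule=None, flags_rule=None) -> bool:
    """Every enabled rule type must let the packet through (assumed AND across tabs)."""
    if ip_rule is not None:
        action, entries = ip_rule
        hit = any(entry_hits(e, pkt.src_ip, pkt.dst_ip, ip_matches) for e in entries)
        if not rule_passes(action, hit):
            return False
    if port_rule is not None:
        action, entries = port_rule
        hit = any(entry_hits(e, pkt.src_port, pkt.dst_port, port_matches) for e in entries)
        if not rule_passes(action, hit):
            return False
    if flags_rule is not None:
        action, combos = flags_rule
        hit = pkt.tcp_flags is not None and pkt.tcp_flags in combos
        if not rule_passes(action, hit):
            return False
    return True


# The three rule sets described in the text.
IP_RULE = ("capture", [Entry("63.34.55.66", "to"),
                       Entry("207.25.16.11", "both"),
                       Entry("194.154.*.*", "from")])
PORT_RULE = ("ignore", [Entry("80", "from"), Entry("137", "both")])
FLAGS_RULE = ("ignore", [flags("PSH", "ACK")])

# Constructed sample packets.
TO_WEB = Packet("10.0.0.5", "63.34.55.66", 40000, 443, flags("SYN"))
FROM_WEB = Packet("63.34.55.66", "10.0.0.5", 443, 40000, flags("SYN", "ACK"))
FROM_BLOCK = Packet("194.154.7.8", "10.0.0.5", 80, 51000, flags("PSH", "ACK"))
NBNS = Packet("10.0.0.5", "10.0.0.255", 137, 137)   # UDP, so no TCP flags
ARP = Packet()                                       # no IP header at all


def demo_rules() -> dict:
    """Which samples survive which rule combinations."""
    return {
        "to_web/all": is_captured(TO_WEB, IP_RULE, PORT_RULE, FLAGS_RULE),      # True
        "from_web/all": is_captured(FROM_WEB, IP_RULE, PORT_RULE, FLAGS_RULE),  # False: 'To' does not match the source
        "from_block/ip": is_captured(FROM_BLOCK, IP_RULE),                       # True: wildcard block matches
        "from_block/ip+port": is_captured(FROM_BLOCK, IP_RULE, PORT_RULE),       # False: source port 80 is ignored
        "from_block/flags": is_captured(FROM_BLOCK, flags_rule=FLAGS_RULE),      # False: PSH+ACK is ignored
        "to_web/flags": is_captured(TO_WEB, flags_rule=FLAGS_RULE),              # True: SYN alone is not PSH+ACK
        "nbns/port": is_captured(NBNS, port_rule=PORT_RULE),                     # False: port 137 either way
        "arp/ip": is_captured(ARP, IP_RULE),                                     # False: capture rule drops non-IP
        "arp/port": is_captured(ARP, port_rule=PORT_RULE),                       # True: an ignore rule lets it through
    }
```

The last two results are the practical caveat: a capture rule on any IP-layer field silently discards every non-IP frame, while an ignore rule on the same tab does not, so the choice of action changes what disappears from the capture, not just what is shown.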
Text
Allows you to ignore or capture packets that contain certain text. Enter a text string in the Add Record frame and click Add Text. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored.

This example shows how to make the program capture only the packets that contain "GET". All other packets that do not contain this text will be ignored. Check the Case sensitive box if you want the rule to be case sensitive. Check the UTF8 or UTF16 box if you want the rule to also match the text encoded in the respective encoding. If you would like to create a rule based on a hex byte sequence, for example when the bytes are not printable (e.g. 0x010203), use the Advanced Rules.
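The effect of the Case sensitive, UTF8 and UTF16 options is easiest to see on real payload bytes. The Python below is an added illustration, not CommView's code or documentation, and assumes what the page leaves unstated: the default match is a byte-for-byte search for the single-byte (Latin-1/ASCII) form of the text, UTF16 means little-endian UTF-16, and case-insensitive comparison folds ASCII letters only. The payloads are constructed.

```python
# Added example (not CommView's code): what a Text rule matches under the
# Case sensitive, UTF8 and UTF16 options. Assumptions: plain match searches the
# single-byte form, UTF16 is little-endian, case folding is ASCII-only.
from typing import List


def text_needles(text: str, utf8: bool, utf16: bool) -> List[bytes]:
    """Byte patterns to search for: the single-byte form plus any enabled encodings."""
    needles = [text.encode("latin-1", errors="replace")]
    if utf8:
        needles.append(text.encode("utf-8"))
    if utf16:
        needles.append(text.encode("utf-16-le"))
    return needles


def text_rule_hits(payload: bytes, text: str, case_sensitive: bool = True,
                   utf8: bool = False, utf16: bool = False) -> bool:
    """True if the payload contains the text in any enabled encoding."""
    hay = payload if case_sensitive else payload.lower()   # bytes.lower() folds ASCII only
    for needle in text_needles(text, utf8, utf16):
        if not case_sensitive:
            needle = needle.lower()
        if needle in hay:
            return True
    return False


def apply_text_rule(payloads: List[bytes], text: str, action: str = "capture", **opts) -> List[bytes]:
    """'capture' keeps payloads containing the text; 'ignore' drops them."""
    return [p for p in payloads if text_rule_hits(p, text, **opts) == (action == "capture")]


# Constructed payloads.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_POST = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=a"
LOWER_GET = b"get /index.html HTTP/1.1\r\n"
WIDE_GET = "GET /wide".encode("utf-16-le")           # b'G\x00E\x00T\x00 ...'
BINARY = bytes.fromhex("0102037f") + b"GET"          # non-printable prefix, then text
ALL = [HTTP_GET, HTTP_POST, LOWER_GET, WIDE_GET, BINARY]


def demo_text() -> dict:
    return {
        "get_plain": text_rule_hits(HTTP_GET, "GET"),                                # True
        "post_plain": text_rule_hits(HTTP_POST, "GET"),                              # False: a capture rule on GET drops POST
        "lower_case_sensitive": text_rule_hits(LOWER_GET, "GET"),                    # False
        "lower_case_insensitive": text_rule_hits(LOWER_GET, "GET", case_sensitive=False),  # True
        "wide_without_utf16": text_rule_hits(WIDE_GET, "GET"),                       # False: interleaved NUL bytes
        "wide_with_utf16": text_rule_hits(WIDE_GET, "GET", utf16=True),              # True
        "binary_prefix": text_rule_hits(BINARY, "GET"),                              # True: the printable part matches
        "hex_bytes_present": bytes.fromhex("010203") in BINARY,                      # True, but only an Advanced rule can express this
        "captured_count": len(apply_text_rule(ALL, "GET")),                          # 2: HTTP_GET and BINARY
    }
```

Two points worth noting from the results: a capture rule on "GET" keeps only GET requests, so other methods disappear from the capture rather than merely from the display, and UTF-16 text is invisible to a plain text rule because every character is followed by a NUL byte.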
Process
Allows you to ignore or capture packets based on the process name. Enter a process name in the Add Record frame and click Add Process Name. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can enter partial process names, e.g. netscp or net; any process whose name contains such a substring will match the rule, so a short substring like net can match more processes than you intend. Process names are not case-sensitive.

This example shows how to make the program capture only the packets that were sent or received by netscp.exe. Packets sent or received by other processes will be ignored.
Advanced
Advanced rules are the most powerful and flexible rules; they allow you to create complex filters using Boolean logic. For detailed help on using advanced rules, please refer to the Advanced Rules chapter.