Advanced rules are the most powerful and flexible rules that allow you to create complex filters using Boolean logic. Using advanced rules requires a basic understanding of mathematics and logic, but the rules syntax is rather easy to understand.
Overview
To add a new rule, enter an arbitrary name in the Name field, select the action (Capture/Ignore), enter a Formula using the syntax described below, and click Add/Edit. Your new rule will be added to the list and become active immediately. You can add as many rules as you wish, but only those rules that have a checked box next to the rule name are currently active. You can activate/deactivate rules by checking/unchecking the corresponding boxes, or completely delete selected rules using the Delete button. If more than one rule is active, you can evaluate the resulting combined rule by clicking Evaluate.
Please note that multiple active rules are combined using the logical OR operator, e.g. if you have three active rules, RULE1, RULE2, and RULE3, the resulting rule is RULE1 OR RULE2 OR RULE3.
You can use advanced rules in conjunction with the basic rules described in the previous chapter; however, if you feel comfortable with Boolean logic, it's a good idea to use advanced rules only, as they offer much more flexibility. Basic rules are combined with advanced rules using the logical AND operator.
Syntax Description
dir – Packet direction. Possible values are in (inbound), out (outbound), and pass (pass-through).
etherproto – Ethernet protocol, the 13th and 14th bytes of the packet. Acceptable values are numbers (e.g. etherproto=0x0800 for IP) or common aliases (e.g. etherproto=ARP, which is equivalent to 0x0806).
ipproto – IP protocol. Acceptable values are numbers (e.g. ipproto!=0x06 for TCP) or commonly used aliases (e.g. ipproto=UDP, which is equivalent to 0x11).
smac – Source MAC address. Acceptable values are MAC addresses in hex notation (e.g. smac=00:00:21:0A:13:0F) or user-defined aliases.
dmac – Destination MAC address.
sip – Source IP or IPv6 address. Acceptable values are IP addresses in dotted notation (e.g. sip=192.168.0.1 or sip=fe80::02c0:26ff:fe2d:edb5), IP addresses with wildcards (e.g. sip!=*.*.*.255; not available for IPv6 addresses), network addresses with subnet masks (e.g. sip=192.168.0.4/255.255.255.240 or sip=192.168.0.5/28), IP ranges (e.g. sip from 192.168.0.15 to 192.168.0.18 or sip in 192.168.0.15 .. 192.168.0.18), or user-defined aliases. Use of IPv6 addresses requires Windows XP or higher and that the IPv6 stack be installed.
dip – Destination IP address.
sport – Source port for TCP and UDP packets. Acceptable values are numbers (e.g. sport=80 for HTTP), ranges (e.g. sport from 20 to 50 or sport in 20..50 for any port number between 20 and 50), or the aliases defined by your operating system (e.g. sport=ftp, which is equivalent to 21). For the list of aliases supported by your OS, click View => Port Reference.
dport – Destination port for TCP and UDP packets.
flag – TCP flag. Acceptable values are numbers (e.g. 0x18 for PSH ACK), one or several of the following characters: F (FIN), S (SYN), R (RST), P (PSH), A (ACK), and U (URG), or the has keyword, which means that the flag contains a certain value. Usage examples: flag=0x18, flag=SA, flag has F.
size – Packet size. Acceptable values are numbers (e.g. size=1514) or ranges (e.g. size from 64 to 84 or size in 64..84 for any size between 64 and 84).
str – Packet contents. Use this function to indicate that the packet must contain a certain string. This function has three arguments: string, position, and case sensitivity. The first argument is a string, e.g. 'GET'. The second argument is a number that indicates the string position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. If the offset is not important, use -1. The third argument indicates the case sensitivity and can be either false (case-insensitive) or true (case-sensitive). The second and third arguments are optional; if omitted, the offset defaults to -1 and the case sensitivity defaults to false. Usage examples: str('GET',-1,false), str('GET',-1), str('GET').
hex – Packet contents. Use this function to indicate that the packet must contain a certain hexadecimal byte pattern. This function has two arguments: hex pattern and position. The first argument is a hex value, e.g. 0x4500. The second argument is a number that indicates the pattern position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. If the offset is not important, use -1. The second argument is optional; if omitted, the offset defaults to -1. Usage examples: hex(0x04500, 14), hex(0x4500, 0x0E), hex(0x010101).
bit – Packet contents. Use this function to determine if the specified bit at the specified offset is set to 1, in which case the function returns true. If the specified bit is set to 0 or the specified byte is beyond the packet boundary, the function returns false. This function has two arguments: bit index and byte position. The first argument is the bit index in the byte; the allowed values are 0-7. The index is zero-based, i.e. if you're looking for the eighth bit in the byte, the index value must be 7. The second argument is a number that indicates the byte position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. Both arguments are mandatory. Usage examples: bit(0, 14), bit(5, 1).
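To make the offset and default conventions of str(), hex() and bit() concrete, here is an added example (not CommView's own code) that models the three functions in Python over a constructed frame. The bit ordering inside a byte is an assumption: the description does not say whether index 0 is the least- or most-significant bit, and this model takes it to be the least-significant one, so check it against your own captures.

```python
# Added example (not CommView's own code): the str(), hex() and bit() content
# functions modelled on a constructed byte string, including the edge cases the
# description gives. Assumption: bit index 0 is the least-significant bit of
# the byte; the description does not say which end it counts from.

# Constructed frame: Ethernet (14 bytes, EtherType 0x0800) + IPv4 header (20)
# + TCP header (20, flags byte 0x18 = PSH ACK at offset 47) + payload at 54.
ETH = bytes.fromhex("00112233445566778899aabb0800")
IP = bytes.fromhex("4500002c000040004006000ac0a80003c0a8000f")
TCP = bytes.fromhex("c05000500000000100000002501802000abcd0000"[:40])
PACKET = ETH + IP + TCP + b"GET /index.html HTTP/1.0\r\n"

def str_(pkt, text, offset=-1, case_sensitive=False):
    """str(string, position, case): the string must occur in the packet."""
    needle, hay = text.encode(), pkt
    if not case_sensitive:              # default: case-insensitive
        needle, hay = needle.lower(), hay.lower()
    if offset == -1:                    # position not important: anywhere
        return needle in hay
    return hay[offset:offset + len(needle)] == needle  # zero-based offset

def hex_(pkt, value, offset=-1):
    """hex(pattern, position): the pattern's big-endian bytes must occur."""
    # 0x04500 and 0x4500 are the same number, so both mean the bytes 45 00;
    # a numeric pattern cannot start with a zero byte (0x0045 is just 0x45).
    needle = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if offset == -1:
        return needle in pkt
    return pkt[offset:offset + len(needle)] == needle

def bit_(pkt, index, offset):
    """bit(index, position): true if bit `index` (0-7) of byte `offset` is 1."""
    if not 0 <= index <= 7:
        raise ValueError("bit index must be 0-7")
    if offset >= len(pkt):              # byte beyond the packet boundary
        return False
    return ((pkt[offset] >> index) & 1) == 1
```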
The keywords described above can be used with the following operators:
and – Boolean conjunction.
or – Boolean disjunction.
not – Boolean negation.
= – Arithmetic equality.
!= – Arithmetic inequality.
<> – Same as above.
> – Arithmetic greater-than.
< – Arithmetic less-than.
( ) – Parentheses; control operator precedence.
All numbers can be in decimal or hexadecimal notation. If you want to use hexadecimal notation, the number must be preceded by 0x, i.e. you can use either 15 or 0x0F.
Examples
Below you will find a number of examples illustrating the rules syntax. Each rule is followed by our comments about what the rule does. The rules are shown in red. The comments are separated from the actual rule by two slashes.
·dir!=pass // Captures only inbound and outbound packets. Pass-through packets being sent between other workstations on the LAN are ignored.
·(smac=00:00:21:0A:13:0E or smac=00:00:21:0A:13:0F) and etherproto=arp // Captures ARP packets sent by two computers, 00:00:21:0A:13:0E and 00:00:21:0A:13:0F.
·ipproto=udp and dport=137 // Captures UDP/IP packets sent to port number 137.
·dport=25 and str('RCPT TO:', -1, true) // Captures TCP/IP or UDP/IP packets that contain "RCPT TO:" and where the destination port is 25.
·not (sport>110) // Captures everything except the packets where the source port is greater than 110.
·(sip=192.168.0.3 and dip=192.168.0.15) or (sip=192.168.0.15 and dip=192.168.0.3) // Captures only the IP packets being sent between two machines, 192.168.0.3 and 192.168.0.15. All other packets are discarded.
·((sip from 192.168.0.3 to 192.168.0.7) and (dip = 192.168.1.0/28)) and (flag=PA) and (size in 200..600) // Captures TCP packets whose size is between 200 and 600 bytes, coming from the IP addresses in the 192.168.0.3 - 192.168.0.7 range, where the destination IP address is in the 192.168.1.0/255.255.255.240 segment, and where the TCP flag is PSH ACK.
·Hex(0x0203, 89) and (dir<>in) // Captures the packets that contain 0x0203 at offset 89, where the packet direction is not inbound.