CommView allows you to set two types of rules. The first type (wireless rules) allows you to filter packets based on the wireless packet type: Data, Management, and Control packets. To turn capturing of these packet types on or off, use the Rules command of the program's menu, or the corresponding toolbar buttons. Additionally, the Ignore Beacons menu command allows you to switch capturing of beacon packets on and off.
The second type (conventional rules) allows you to filter packets based on many criteria, such as port number or MAC address. To use this type of rule, switch to the Rules tab of the program's main window. If one or more rules are set, the program filters packets based on the set rules and displays only the packets that comply with these rules. If a rule is set, the name of the corresponding page is displayed in bold font.
The program's status bar shows the number of conventional rules that are currently active. It does not show the number of active wireless rules, as the state of the toolbar buttons (up or down) clearly indicates whether each of the wireless rules is on or off. Also note that wireless rules have precedence over conventional rules: any captured packet must first pass the wireless rules before any further processing takes place. If, for example, none of the three wireless rules toolbar buttons is pressed, the program will not display any packets, regardless of the conventional rules that are set.
You can save your rules configuration(s) to a file and load them by using the Rules command of the program's menu.
Since WLAN traffic can often generate a high number of packets, it is recommended that you use rules to filter out unnecessary packets. This can considerably reduce the amount of system resources consumed by the program. If you want to enable or disable a rule, select the appropriate branch on the left side of the window (e.g. IP Addresses or Ports), and check or uncheck the box describing the rule (Enable IP Address rules or Enable port rules). There are seven types of rules that can be used:
Protocols
Allows you to ignore or capture packets based on Ethernet (Layer 2) and IP (Layer 3) protocols. This example shows how to make the program capture only ICMP and UDP packets. All other packets in the IP family will be ignored.
MAC Addresses
Allows you to ignore or capture packets based on MAC (hardware) addresses. Enter a MAC address in the Add Record frame, select the direction (From, To, or Both), and click Add MAC Address. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the MAC Aliases button to get the list of aliases; double-click on the alias you would like to add, and the corresponding MAC address will appear in the input box. This example shows how to make the program ignore packets that come from 0A:DE:34:0F:23:3E. All packets that come from other MAC addresses will be captured.
IP Addresses
Allows you to ignore or capture packets based on IP addresses. Enter an IP or IPv6 address in the Add Record frame, select the direction (From, To, or Both), and click Add IP Address. You can use wildcards to specify blocks of IP addresses. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the IP Aliases button to access the list of aliases; double-click on the alias you would like to add, and the corresponding IP address will appear in the input box. This example shows how to make the program capture the packets that go to 63.34.55.66, go to and come from 207.25.16.11, and come from all addresses between 194.154.0.0 and 194.154.255.255. All packets that come from other addresses or go to other addresses will be ignored. Since IP addresses are used in the IP protocol, such a configuration will automatically make the program ignore all non-IP packets. Usage of IPv6 addresses requires Windows XP or higher and that the IPv6 stack be installed.
Ports
Allows you to ignore or capture packets based on ports. Enter a port number in the Add Record frame, select the direction (From, To, or Both), and click Add Port. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the Port Reference button to get a list of all known ports; double-click on the port you would like to add and its number will appear in the input box. Ports can also be entered as text; for example, you can type in http or pop3, and the program will convert the port name to the numeric value. This example shows how to make the program ignore packets that come from port 80 and packets that go to or come from port 137. This rule will prevent CommView from displaying inbound HTTP traffic (responses whose source port is 80; requests going to port 80 are still captured), as well as inbound and outbound NetBIOS Name Service traffic. All packets coming to and from other ports will be captured.
TCP Flags
Allows you to ignore or capture packets based on TCP flags. Check a flag or a combination of flags in the Add Record frame, and click Add Flags. The new rule will be displayed. Now you can select the action to be taken when a new packet with the entered TCP flags is processed: the packet can be either captured or ignored. This example shows how to make the program ignore TCP packets that have both the PSH and ACK flags set. All packets with other TCP flag combinations will be captured.
Text
Allows you to capture or ignore packets that contain certain text. Enter a text string in the Add Record frame and click Add Text. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. Check the Case sensitive box if you want the rule to be case sensitive. Check the UTF8 or UTF16 box if you want the rule to also match the text when it is encoded in the respective encoding. This example shows how to make the program capture only the packets that contain "GET"; all other packets, which do not contain this text, will be ignored. If you would like to create a rule based on a sequence of bytes that is not printable text (e.g. 0x010203), use the Advanced Rules.
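The evaluation order described on this page (wireless rules first, then each enabled rule page with its capture or ignore action) together with the worked examples given for the individual rule types, modelled in Python as an added example. This is not CommView's code: the constructed frames, the `Wireless`, `Category`, `frame` and `apply_rules` names, the small port-name table and the way rule pages are combined (ANDed) are assumptions made for illustration and are marked as such in the comments.

```python
# Added example, not CommView's own code: a model of the rule evaluation order this page
# describes, run over constructed frames. Assumed, because the page does not say: enabled rule
# pages are ANDed; a "capture" page passes a frame only if an entry matches and an "ignore" page
# drops it if one does; a TCP-flags entry matches the exact flag set; frames without an IP header
# (ARP, management, control) match no IP, port or flag entry.
from dataclasses import dataclass, field

MGMT, CTRL, DATA = 0, 1, 2  # 802.11 frame-control type values
BEACON = 8                  # management subtype 8 = beacon
PORT_NAMES = {"http": 80, "pop3": 110}  # constructed subset of the Port Reference list

def ip_matches(pattern, addr):  # dotted-quad match; '*' in an octet position matches anything
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) == 4 and all(x in ("*", y) for x, y in zip(p, a))

@dataclass
class Wireless:  # the three toolbar buttons plus the Ignore Beacons command
    data: bool = True
    mgmt: bool = True
    ctrl: bool = True
    ignore_beacons: bool = False
    def passes(self, pkt):
        if pkt["wlan_type"] == MGMT:
            return self.mgmt and not (self.ignore_beacons and pkt.get("wlan_subtype") == BEACON)
        return self.ctrl if pkt["wlan_type"] == CTRL else self.data

@dataclass
class Category:  # one page of the Rules tab: its entries plus the capture/ignore action
    kind: str    # "proto", "mac", "ip", "port", "tcpflags" or "text"
    action: str  # "capture" or "ignore"
    entries: list = field(default_factory=list)  # (direction, value) tuples for mac/ip/port
    case_sensitive: bool = False
    utf8: bool = True
    utf16: bool = False

    def entry_matches(self, entry, pkt):
        if self.kind == "proto":
            return entry in (pkt.get("ether"), pkt.get("ip_proto"))
        if self.kind == "tcpflags":
            return pkt.get("ip_proto") == "TCP" and set(entry) == set(pkt.get("flags", ()))
        if self.kind == "text":
            hay = pkt.get("payload", b"")
            needles = [entry.encode(e) for e, on in (("utf-8", self.utf8), ("utf-16-le", self.utf16)) if on]
            if not self.case_sensitive:  # bytes.lower() folds ASCII only, enough for both encodings here
                hay, needles = hay.lower(), [n.lower() for n in needles]
            return any(n in hay for n in needles)
        direction, value = entry
        if self.kind == "port":
            value = PORT_NAMES.get(value, value)  # a name such as 'http' becomes its number
            src, dst, same = pkt.get("sport"), pkt.get("dport"), lambda x: x == value
        elif self.kind == "mac":
            src, dst, same = pkt.get("src_mac", ""), pkt.get("dst_mac", ""), lambda x: x.lower() == value.lower()
        else:  # ip
            src, dst, same = pkt.get("src_ip"), pkt.get("dst_ip"), lambda x: bool(x) and ip_matches(value, x)
        if direction == "from":
            return same(src)
        return same(dst) if direction == "to" else same(src) or same(dst)

    def passes(self, pkt):
        hit = any(self.entry_matches(e, pkt) for e in self.entries)
        return hit if self.action == "capture" else not hit

def apply_rules(wireless, categories, packets):
    """Wireless rules run first; a frame they reject never reaches the conventional rules."""
    return [p["id"] for p in packets if wireless.passes(p) and all(c.passes(p) for c in categories)]

def frame(fid, **fields):  # constructed data frame carrying only the fields the rules inspect
    return {"id": fid, "wlan_type": DATA, "src_mac": "00:aa:bb:cc:dd:01", "ether": "IP", **fields}

PACKETS = [
    {"id": "beacon", "wlan_type": MGMT, "wlan_subtype": BEACON, "src_mac": "00:11:22:33:44:55"},
    {"id": "ack", "wlan_type": CTRL},
    frame("http-resp", src_mac="0A:DE:34:0F:23:3E", ip_proto="TCP", src_ip="207.25.16.11",
          dst_ip="192.168.1.5", sport=80, dport=51000, flags=("PSH", "ACK"), payload=b"HTTP/1.1 200 OK\r\n"),
    frame("http-req", ip_proto="TCP", src_ip="192.168.1.5", dst_ip="63.34.55.66", sport=51001,
          dport=80, flags=("PSH", "ACK"), payload=b"GET / HTTP/1.1\r\n"),
    frame("nbns", ip_proto="UDP", src_ip="192.168.1.5", dst_ip="192.168.1.255", sport=137, dport=137),
    frame("ping", ip_proto="ICMP", src_ip="194.154.7.9", dst_ip="192.168.1.5"),
    frame("arp", ether="ARP"),
    frame("smb", ip_proto="TCP", src_ip="192.168.1.5", dst_ip="10.0.0.3", sport=51002, dport=445,
          flags=("ACK",), payload="get".encode("utf-16-le")),
]

def page_examples():
    """The page's worked examples as rule sets applied to PACKETS; returns {name: captured frame ids}."""
    w = Wireless()
    return {
        "no wireless button pressed": apply_rules(Wireless(False, False, False), [], PACKETS),
        "control off, beacons ignored": apply_rules(Wireless(ctrl=False, ignore_beacons=True), [], PACKETS),
        "capture only ICMP and UDP": apply_rules(w, [Category("proto", "capture", ["ICMP", "UDP"])], PACKETS),
        "ignore from 0A:DE:34:0F:23:3E": apply_rules(w, [Category("mac", "ignore", [("from", "0A:DE:34:0F:23:3E")])], PACKETS),
        "capture three IP entries": apply_rules(w, [Category("ip", "capture", [("to", "63.34.55.66"),
                                                 ("both", "207.25.16.11"), ("from", "194.154.*.*")])], PACKETS),
        "ignore from http, both 137": apply_rules(w, [Category("port", "ignore", [("from", "http"), ("both", 137)])], PACKETS),
        "ignore PSH ACK": apply_rules(w, [Category("tcpflags", "ignore", [("PSH", "ACK")])], PACKETS),
        "capture GET, any case, utf8+utf16": apply_rules(w, [Category("text", "capture", ["GET"], utf16=True)], PACKETS),
        "capture GET, case-sensitive": apply_rules(w, [Category("text", "capture", ["GET"], case_sensitive=True)], PACKETS),
    }
```

Two things the model makes visible that the prose only states: with all three wireless buttons up, no conventional rule can bring a frame back, and a capture-style IP, port or flag page silently drops every frame that has no IP header (the beacon, control and ARP frames disappear from those results), which is why an ignore-style page is usually the safer choice when you still want to see management traffic. The UTF16 option is also worth noting: the "GET" rule only finds the UTF-16 payload in the `smb` frame when that box is checked, and a case-sensitive rule misses it again because the bytes carry lowercase text.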
Advanced
Advanced rules are the most powerful and flexible rules that allow you to create complex filters using Boolean logic. For detailed help on using advanced rules, please refer to the Advanced Rules chapter.