Advanced rules are the most powerful and flexible rules that allow you to create complex filters using Boolean logic. Using advanced rules requires a basic understanding of mathematics and logic, but the rule syntax is rather easy to understand.

Overview

To add a new rule, enter an arbitrary name in the Name field, select the action (Capture/Ignore), enter a Formula using the syntax described below, and click Add/Edit. Your new rule will be added to the list and become active immediately. You can add as many rules as you wish, but only the rules that have a checked box next to the rule name are currently active. You can activate/deactivate rules by checking/unchecking the corresponding boxes, or completely delete selected rules using the Delete button. If more than one rule is active, you can evaluate the resulting combined rule by clicking Evaluate. Please note that multiple active rules are combined using the logical OR operator, e.g. if you have three active rules, RULE1, RULE2, and RULE3, the resulting rule is RULE1 OR RULE2 OR RULE3.

You can use advanced rules in conjunction with the basic rules described in the previous chapter. However, if you feel comfortable with Boolean logic, it's a good idea to use advanced rules only, as they offer much more flexibility. Basic rules are combined with advanced rules using the logical AND operator.

Syntax Description

dir - packet direction. Possible values are in (inbound), out (outbound), and pass (pass-through). This keyword is for compatibility with the standard, non-wireless edition of CommView only. In CommView for WiFi, there are no inbound or outbound packets, because your adapter does not participate in data exchange and only passively monitors pass-through packets.

etherproto - Ethernet protocol, the 13th and 14th bytes of the packet. Acceptable values are numbers (e.g. etherproto=0x0800 for IP) or common aliases (e.g. etherproto=ARP, which is equivalent to 0x0806).

ipproto - IP protocol. Acceptable values are numbers (e.g. ipproto!=0x06 for TCP) or commonly used aliases (e.g. ipproto=UDP, which is equivalent to 0x11).

smac - source MAC address. Acceptable values are MAC addresses in hex notation (e.g. smac=00:00:21:0A:13:0F) or user-defined aliases.

dmac - destination MAC address.

sip - source IP or IPv6 address. Acceptable values are IP addresses in dotted notation (e.g. sip=192.168.0.1), IP addresses with wildcards (e.g. sip!=*.*.*.255; wildcards are not available for IPv6 addresses), network addresses with subnet masks (e.g. sip=192.168.0.4/255.255.255.240 or sip=192.168.0.5/28), IP ranges (e.g. sip from 192.168.0.15 to 192.168.0.18 or sip in 192.168.0.15 .. 192.168.0.18), or user-defined aliases. Use of IPv6 addresses requires Windows XP or higher with the IPv6 stack installed.

dip - destination IP address.

sport - source port for TCP and UDP packets. Acceptable values are numbers (e.g. sport=80 for HTTP), ranges (e.g. sport from 20 to 50 or sport in 20..50 for any port number between 20 and 50), or the aliases defined by your operating system (e.g. sport=ftp, which is equivalent to 21). For the list of aliases supported by your OS, click View => Port Reference.

dport - destination port for TCP and UDP packets.

flag - TCP flags. Acceptable values are numbers (e.g. 0x18 for PSH ACK), one or several of the following characters: F (FIN), S (SYN), R (RST), P (PSH), A (ACK), and U (URG), or the has keyword, which means that the flags field contains a certain value. Usage examples: flag=0x18, flag=SA, flag has F.

size - packet size. Acceptable values are numbers (e.g. size=1514) or ranges (e.g. size from 64 to 84 or size in 64..84 for any size between 64 and 84).

str - packet contents. Use this function to indicate that the packet must contain a certain string. This function has three arguments: string, position, and case sensitivity. The first argument is a string, e.g. 'GET'. The second argument is a number that indicates the string position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. If the offset is not important, use -1. The third argument indicates the case sensitivity and can be either false (case-insensitive) or true (case-sensitive). The second and third arguments are optional; if omitted, the offset defaults to -1 and the case sensitivity defaults to false. Usage examples: str('GET',-1,false), str('GET',-1), str('GET').

hex - packet contents. Use this function to indicate that the packet must contain a certain hexadecimal byte pattern. This function has two arguments: hex pattern and position. The first argument is a hex value, e.g. 0x4500. The second argument is a number that indicates the pattern position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. If the offset is not important, use -1. The second argument is optional; if omitted, the offset defaults to -1. Usage examples: hex(0x04500, 14), hex(0x4500, 0x0E), hex(0x010101).

bit - packet contents. Use this function to determine whether the specified bit at the specified offset is set to 1, in which case the function returns true. If the specified bit is set to 0 or the specified byte is beyond the packet boundary, the function returns false. This function has two arguments: bit index and byte position. The first argument is the bit index in the byte; the allowed values are 0-7. The index is zero-based, i.e. if you're looking for the eighth bit in the byte, the index value must be 7. The second argument is a number that indicates the byte position (offset) in the packet. The offset is zero-based, i.e. if you're looking for the first byte in the packet, the offset value must be 0. Both arguments are mandatory. Usage examples: bit(0, 14), bit(5, 1).

ToDS, FromDS, MoreFrag, Retry, Power, MoreData, WEP, Order, Ftype, FsubType, Duration, FragNum, SeqNum - allow you to use 802.11 packet header fields in advanced rules. The names of these operators correspond exactly to the packet header fields described in the 802.11 standard specification. The acceptable values for ToDS, FromDS, MoreFrag, Retry, Power, MoreData, WEP, and Order are 0 or 1. For the Ftype, FsubType, Duration, FragNum, and SeqNum operators, other numeric values are acceptable. Please refer to the 802.11 standard specification for detailed information about 802.11 packet header fields and their acceptable values.

The keywords described above can be used with the following operators:

and - Boolean conjunction.
or - Boolean disjunction.
not - Boolean negation.
= - arithmetic equality.
!= - arithmetic inequality.
<> - same as above.
> - arithmetic greater-than.
< - arithmetic less-than.
( ) - parentheses; control operator precedence.

All numbers can be in decimal or hexadecimal notation. If you want to use hexadecimal notation, the number must be preceded by 0x, i.e. you can use either 15 or 0x0F.

Examples

Below you will find a number of examples illustrating the rule syntax. Each rule is followed by our comments about what the rule does. The rules are shown in red. The comments are separated from the actual rule by two slashes.
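As an added worked example that is not part of the original page's example list and is not CommView code, the following Python script implements a small evaluator for the rule syntax described in the Syntax Description and Overview sections above: the etherproto, ipproto, sport, dport, flag and size keywords, the str/hex/bit functions, the has keyword, from..to and in..ranges, protocol and port aliases, and the and/or/not/=/!=/<>/>/< operators with parentheses. It runs rules against a constructed Ethernet II / IPv4 / TCP frame and assumes that layout (no IP options, so the TCP header starts at byte offset 34 and its flags byte at offset 47); the sip/dip/smac/dmac/dir keywords and the 802.11 header fields are not modelled. All names (RuleParser, evaluate, match_any, build_sample_frame, ALIASES) are this example's own.

```python
import operator
import re

# Added example, not CommView's own code: evaluates this page's advanced-rule syntax over an Ethernet II /
# IPv4 / TCP frame. Assumed layout: no IP options, so the TCP header starts at offset 34 and its flags at 47.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALIASES = {"ip": 0x0800, "arp": 0x0806, "tcp": 0x06, "udp": 0x11, "http": 80, "ftp": 21}
CMP = {"=": operator.eq, "!=": operator.ne, "<>": operator.ne, ">": operator.gt, "<": operator.lt}
TOKEN_RE = re.compile(r"[\s,]*(?:(0x[0-9A-Fa-f]+|-?\d+)|('[^']*')|([A-Za-z_]\w*)|(!=|<>|\.\.|[=<>()]))")

def _int(pkt, off, n):  # big-endian n-byte field, or -1 when the packet is too short
    return int.from_bytes(pkt[off:off + n], "big") if len(pkt) >= off + n else -1
# keyword -> extractor; etherproto is the 13th and 14th byte (index 12-13), as the page states
FIELDS = {"etherproto": lambda p: _int(p, 12, 2), "ipproto": lambda p: _int(p, 23, 1), "size": len,
          "sport": lambda p: _int(p, 34, 2), "dport": lambda p: _int(p, 36, 2), "flag": lambda p: _int(p, 47, 1)}

def tokenize(text):  # tokens: number (decimal or 0x hex), 'string', keyword/alias, operator; commas are skipped
    if not re.fullmatch(rf"(?:{TOKEN_RE.pattern})*[\s,]*", text):
        raise SyntaxError(f"cannot tokenize {text!r}")
    return [("num", int(num, 0)) if num else ("str", s[1:-1]) if s else ("id", ident) if ident else ("op", op)
            for num, s, ident, op in TOKEN_RE.findall(text)]

class RuleParser:  # recursive descent: 'or' binds loosest, then 'and', then 'not'; parentheses override
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self, kind=None, val=None):  # does the next token match kind and (lower-cased) value?
        k, v = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        return k is not None and kind in (None, k) and (val is None or str(v).lower() == val)
    def accept(self, kind, val):  # consume the next token if it matches
        ok = self.peek(kind, val)
        self.i += ok
        return ok
    def take(self, kind=None, val=None):  # consume the next token, which must match
        if not self.accept(kind, val):
            raise SyntaxError(f"expected {val or kind or 'a value'} at token {self.i}")
        return self.toks[self.i - 1][1]
    def chain(self, word, sub, combine):  # left-associative 'or' / 'and' chain
        left = sub()
        while self.accept("id", word):
            left = (lambda l, r: lambda p: combine(l(p), r(p)))(left, sub())
        return left
    def expr(self):
        return self.chain("or", self.term, lambda a, b: a or b)
    def term(self):
        return self.chain("and", self.factor, lambda a, b: a and b)
    def factor(self):
        if self.accept("id", "not"):
            return (lambda f: lambda p: not f(p))(self.factor())
        if self.accept("op", "("):
            inner = self.expr()
            self.take("op", ")")
            return inner
        name = self.take("id").lower()
        if name in ("str", "hex", "bit"):
            return self.func(name)
        get = FIELDS[name]  # KeyError for keywords this example does not model (sip, dmac, ...)
        if self.accept("id", "has"):  # flag has F: every listed flag bit must be set
            mask = self.value(name)
            return lambda p: get(p) >= 0 and (get(p) & mask) == mask
        if self.accept("id", "from") or self.accept("id", "in"):  # x from a to b / x in a..b
            lo = self.value(name)
            self.accept("id", "to") or self.take("op", "..")
            hi = self.value(name)
            return lambda p: lo <= get(p) <= hi
        cmp, val = CMP[self.take("op")], self.value(name)
        return lambda p: cmp(get(p), val)
    def value(self, field):  # number, protocol/port alias, or flag letters such as SA
        tok = self.take()
        if isinstance(tok, int):
            return tok
        return sum(FLAG_BITS[c] for c in tok.upper()) if field == "flag" else ALIASES[tok.lower()]
    def func(self, name):  # str(s, off, case) / hex(pattern, off) / bit(index, off)
        self.take("op", "(")
        args = []
        while not self.accept("op", ")"):
            args.append(self.take())
        off = args[1] if len(args) > 1 else -1  # -1 (the default) means anywhere in the packet
        if name == "str":
            cs = len(args) > 2 and str(args[2]).lower() == "true"  # third argument, default false
            return lambda p: _contains(p if cs else p.lower(), (args[0] if cs else args[0].lower()).encode(), off)
        if name == "hex":
            return lambda p: _contains(p, args[0].to_bytes((args[0].bit_length() + 7) // 8 or 1, "big"), off)
        return lambda p: len(p) > off and (p[off] >> args[0]) & 1 == 1  # bit: False past the packet end

def _contains(pkt, pat, off):
    return pat in pkt if off == -1 else pkt[off:off + len(pat)] == pat

def evaluate(rule, pkt):
    return RuleParser(rule).expr()(pkt)

def match_any(rules, pkt):  # several active advanced rules are combined with OR, as the page states
    return any(evaluate(r, pkt) for r in rules)

def build_sample_frame():  # constructed: 192.168.0.1:40000 -> 10.0.0.2:80, TCP PSH+ACK, 'GET / HTTP/1.1'
    eth = bytes.fromhex("001122334455 0000210a130f 0800")  # dst MAC, src MAC, etherproto IP
    ip = bytes.fromhex("4500 0038 0000 4000 40 06 0000") + bytes([192, 168, 0, 1, 10, 0, 0, 2])  # len 56, TCP
    tcp = bytes.fromhex("9c40 0050") + bytes(8) + bytes.fromhex("5018 ffff") + bytes(4)  # ports, PSH+ACK
    return eth + ip + tcp + b"GET / HTTP/1.1\r\n"  # 70 bytes; the payload starts at offset 54
```

Against the constructed frame, evaluate("etherproto=0x0800 and ipproto=TCP and dport=80", frame) and evaluate("flag=PA", frame) return True, evaluate("flag has F", frame) returns False, and str('get', 54) matches while str('get', 54, true) does not, which illustrates the case-sensitivity default. A rule that cannot be tokenized raises SyntaxError rather than silently matching nothing, which is the behaviour you want from a filter whose false negatives are invisible.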