This tab allows you to set rules for capturing packets. If one or
more rules are set, the program filters packets based on these
rules and displays only the packets that comply with the rules.
Note that CommView is not a firewall, and when you set rules,
packets are still processed by the operating system; they are not
just displayed and logged by CommView. If a rule is set, the name
of the corresponding tab is displayed in bold font.
You can save your rules configuration(s) to a file and load them by using the Rules command of the program's menu.
Since LAN traffic can often generate a high number of packets, it is recommended that you use rules to filter out unnecessary packets. This can considerably reduce the amount of system resources consumed by the program. If you want to enable/disable a rule, select the appropriate branch on the left side of the window (e.g. IP Addresses or Ports), and check or uncheck the box describing the rule (Enable IP Address rules or Enable port rules).
There are eight types of rules that can be used:
Protocols & Direction
Allows you to ignore or capture packets based on Ethernet (Layer 2)
and IP (Layer 3) protocols, as well as on packet direction.
This example shows how to make the program capture only inbound and outbound ICMP and UDP packets. All other packets in the IP family will be ignored; all pass-through packets will be ignored also.
MAC Addresses
Allows you to ignore or capture packets based on MAC (hardware) addresses. Enter a MAC address in the Add Record frame, select the direction (From, To, or Both), and click Add MAC Address. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the MAC Aliases button to get the list of aliases; double-click on the alias you would like to add, and the corresponding MAC address will appear in the input box.
This example shows how to make the program ignore packets that come
from 0A:DE:34:0F:23:3E. All packets that come from other MAC
addresses will be captured.
IP Addresses
Allows you to ignore or capture packets based on IP addresses. Enter an IP or IPv6 address in the Add Record frame, select the direction (From, To, or Both), and click Add IP Address. You can use wildcards to specify blocks of IP addresses. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the IP Aliases button to access the list of aliases; double-click on the alias you would like to add, and the corresponding IP address will appear in the input box.
This example shows how to make the program capture the packets that
go to 63.34.55.66, go to and come from 207.25.16.11 and come from
all addresses between 194.154.0.0 and 194.154.255.255. All packets
that come from other addresses or go to other addresses will be
ignored. Since IP addresses are used in the IP protocol, such
configuration will automatically make the program ignore all non-IP
packets.
Usage of IPv6 addresses requires Windows XP or higher and that the
IPv6 stack be installed.
Ports
Allows you to ignore or capture packets based on ports. Enter a port number in the Add Record frame, select the direction (From, To, or Both), and click Add Port. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the Port Reference button to get a list of all known ports; double-click on the port you would like to add and its number will appear in the input box. Ports can also be entered as text; for example, you can type in http or pop3, and the program will convert the port name to the numeric value.
This example shows how to make the program ignore packets that come
from port 80 and go to and come from port 137. This rule will
prevent CommView from displaying inbound HTTP traffic, as well as
inbound and outbound NetBIOS Name Service traffic. All packets
coming to and from other ports will be captured.
TCP Flags
Allows you to ignore or capture packets based on TCP flags. Check a flag or a combination of flags in the Add Record frame, and click Add Flags. The new rule will be displayed. Now you can select the action to be taken when a new packet with the entered TCP flags is processed: the packet can be either captured or ignored.
This example shows how to make the program ignore TCP packets with
the PSH ACK flag. All packets with other TCP flags will be
captured.
Text
Allows you to capture packets that contain certain text. Enter a text string in the Add Record frame and click Add Text. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored.
This example shows how to make the program capture only the packets that contain "GET". Check the Case sensitive box if you want the rules to be case sensitive. Check the UTF8 or UTF16 box if you want the rule to match the text encoded using the respective encodings. All other packets that do not contain the text mentioned above will be ignored. If you would like to create a rule based on hex byte sequences, when the text is not printable (e.g. 0x010203), use the Advanced Rules.
Process
Allows you to capture packets based on the process name. Enter a process name in the Add Record frame and click Add Process Name. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can enter partial process names, e.g. netscp or net; any process name that contains such a substring will match the rule. Process names are not case-sensitive.
This example shows how to make the program capture only the packets that were sent or received by netscp.exe. Packets sent by other processes will be ignored.
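The rule types above share one evaluation model: each rule names a value and a direction (From, To, or Both), each rule type carries a single capture-or-ignore action, and a packet is displayed only if it gets through every enabled rule type. The following Python model, added here as an illustration and not CommView's own code, reproduces that behaviour for the MAC, IP, port, TCP flag, text and process examples given on this page (the Protocols & Direction and Advanced rule types are left out). The packet layout, the service-name table standing in for the Port Reference list, the little-endian UTF-16 encoding, and the exact-combination semantics of TCP flag rules are assumptions made for the example; the sample packets are constructed, not real captures.

```python
# Constructed model of capture/ignore rule evaluation; this is not CommView's code.
from dataclasses import dataclass
from typing import Iterable

# Stands in for the program's Port Reference list (constructed subset, an assumption).
SERVICE_PORTS = {"http": 80, "pop3": 110, "netbios-ns": 137}

@dataclass(frozen=True)
class Packet:  # minimal packet view, constructed for this example
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: frozenset
    payload: bytes
    process: str

@dataclass(frozen=True)
class Rule:
    kind: str                # "mac", "ip", "port", "flags", "text" or "process"
    value: object            # address, port number or name, flag tuple, text, process substring
    direction: str = "Both"  # From / To / Both, as chosen in the Add Record frame

@dataclass(frozen=True)
class RuleGroup:
    action: str                   # "capture": keep only matching packets; "ignore": drop them
    rules: tuple
    case_sensitive: bool = False  # Text rules only
    utf16: bool = False           # Text rules only: also match the UTF-16 encoding

def ip_matches(pattern: str, addr: str) -> bool:
    """Wildcard match: '194.154.*.*' covers 194.154.0.0 through 194.154.255.255."""
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) and all(x in ("*", y) for x, y in zip(p, a))

def port_number(value) -> int:
    """Accept a numeric port or a service name such as 'http' or 'pop3'."""
    return value if isinstance(value, int) else SERVICE_PORTS[value.lower()]

def _directional(rule: Rule, src, dst, eq) -> bool:
    """Apply From/To/Both to the packet's source and destination fields."""
    if rule.direction == "From":
        return eq(rule.value, src)
    if rule.direction == "To":
        return eq(rule.value, dst)
    return eq(rule.value, src) or eq(rule.value, dst)

def rule_matches(rule: Rule, pkt: Packet, group: RuleGroup) -> bool:
    if rule.kind == "mac":
        return _directional(rule, pkt.src_mac, pkt.dst_mac, lambda v, x: v.upper() == x.upper())
    if rule.kind == "ip":
        return _directional(rule, pkt.src_ip, pkt.dst_ip, ip_matches)
    if rule.kind == "port":
        return _directional(rule, pkt.src_port, pkt.dst_port, lambda v, x: port_number(v) == x)
    if rule.kind == "flags":  # exact flag combination (assumption about the UI's semantics)
        return frozenset(rule.value) == pkt.tcp_flags
    if rule.kind == "text":
        needles = [rule.value.encode("utf-8")]
        if group.utf16:
            needles.append(rule.value.encode("utf-16-le"))  # little-endian assumed
        hay = pkt.payload if group.case_sensitive else pkt.payload.lower()
        return any((n if group.case_sensitive else n.lower()) in hay for n in needles)
    if rule.kind == "process":  # substring match, not case-sensitive, as the page states
        return rule.value.lower() in pkt.process.lower()
    raise ValueError(f"unknown rule kind {rule.kind!r}")

def group_passes(group: RuleGroup, pkt: Packet) -> bool:
    matched = any(rule_matches(r, pkt, group) for r in group.rules)
    return matched if group.action == "capture" else not matched

def is_captured(pkt: Packet, groups: Iterable[RuleGroup]) -> bool:
    """A packet is shown only if every enabled rule group lets it through."""
    return all(group_passes(g, pkt) for g in groups)

# The page's own rule examples, expressed in this model.
MAC_IGNORE = RuleGroup("ignore", (Rule("mac", "0A:DE:34:0F:23:3E", "From"),))
IP_CAPTURE = RuleGroup("capture", (Rule("ip", "63.34.55.66", "To"),
                                   Rule("ip", "207.25.16.11", "Both"),
                                   Rule("ip", "194.154.*.*", "From")))
PORT_IGNORE = RuleGroup("ignore", (Rule("port", "http", "From"), Rule("port", 137, "Both")))
FLAGS_IGNORE = RuleGroup("ignore", (Rule("flags", ("PSH", "ACK")),))
TEXT_CAPTURE = RuleGroup("capture", (Rule("text", "GET"),), utf16=True)
PROCESS_CAPTURE = RuleGroup("capture", (Rule("process", "netscp"),))

# Constructed sample packets (not real captures).
HTTP_REPLY = Packet("0A:DE:34:0F:23:3E", "00:11:22:33:44:55", "194.154.10.9", "10.0.0.5",
                    80, 51000, frozenset({"PSH", "ACK"}), b"HTTP/1.1 200 OK\r\n", "chrome.exe")
HTTP_GET = Packet("00:11:22:33:44:55", "00:AA:BB:CC:DD:EE", "10.0.0.5", "207.25.16.11",
                  51000, 80, frozenset({"PSH", "ACK"}), b"GET / HTTP/1.1\r\n", "netscp.exe")
NBNS_QUERY = Packet("00:11:22:33:44:55", "FF:FF:FF:FF:FF:FF", "10.0.0.5", "10.0.0.255",
                    137, 137, frozenset(), b"\x00\x01\x00\x00", "System")

if __name__ == "__main__":
    for name, pkt in [("HTTP_REPLY", HTTP_REPLY), ("HTTP_GET", HTTP_GET), ("NBNS_QUERY", NBNS_QUERY)]:
        print(name, "captured:", is_captured(pkt, [MAC_IGNORE, IP_CAPTURE, PORT_IGNORE]))
```

Running the script shows only HTTP_GET surviving the combined MAC, IP and port rules: HTTP_REPLY is dropped by the MAC rule (it comes from 0A:DE:34:0F:23:3E) and NBNS_QUERY by the IP rule (neither address is in the capture list). The model also makes the interaction between rule types explicit: a packet the Text rule would capture is still discarded if, say, the TCP Flags rule ignores its flag combination, which is why a restrictive set of rules can leave the packet list empty.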
Advanced
Advanced rules are the most powerful and flexible rules that allow
you to create complex filters using Boolean logic. For the detailed
help on using advanced rules, please refer to the Advanced
Rules chapter.