CommView allows you to set two types of rules:
1. The first type (wireless rules) allows you to filter packets based on the wireless packet type: Data, Management, and Control packets. To turn capturing of these packet types on or off, use the Rules command of the program's menu, or the corresponding toolbar buttons. Additionally, the Ignore Beacons menu command allows you to switch capturing of beacon packets on and off.
2. The second type (conventional rules) allows you to filter packets based on many criteria, such as port number or MAC address. To use this type of rule, switch to the Rules tab of the program's main window. If one or more rules are set, the program filters packets based on the set rules and displays only the packets that comply with these rules. If a rule is set, the name of the corresponding page is displayed in bold font.
The program's status bar shows the number of conventional rules that are currently active. Note that it does not show the number of active wireless rules, as the state of the toolbar buttons (up or down) clearly indicates whether each of the wireless rules is on or off. Also, note that wireless rules have precedence over conventional rules: any captured packet must first pass the wireless rules before any further processing takes place. If, for example, none of the three wireless rules toolbar buttons is pressed, the program will not display any packets.
You can save your rules configuration(s) to a file and load them by using the Rules command of the program's menu.
Since WLAN traffic can often generate a high number of packets, it is recommended that you use rules to filter out unnecessary packets. This can considerably reduce the amount of system resources consumed by the program. If you want to enable/disable a rule, select the appropriate branch on the left side of the window (e.g. IP Addresses or Ports), and check or uncheck the box describing the rule (Enable IP Address rules or Enable port rules).
The available rule types are described below.
Protocols
Allows you to ignore or capture packets based on Ethernet (Layer 2) and IP (Layer 3) protocols.
This example shows how to make the program capture only ICMP and UDP packets. All other packets in the IP family will be ignored.
MAC Addresses
Allows you to ignore or capture packets based on MAC (hardware) addresses. Enter a MAC address in the Add Record frame, select the direction (From, To, or Both), and click Add MAC Address. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the MAC Aliases button to get the list of aliases; double-click on the alias you would like to add, and the corresponding MAC address will appear in the input box.
This example shows how to make the program ignore packets that come from 0A:DE:34:0F:23:3E. All packets that come from other MAC addresses will be captured.
IP Addresses
Allows you to ignore or capture packets based on IP addresses. Enter an IPv4 or IPv6 address in the Add Record frame, select the direction (From, To, or Both), and click Add IP Address. You can use wildcards to specify blocks of IP addresses. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the IP Aliases button to access the list of aliases; double-click on the alias you would like to add, and the corresponding IP address will appear in the input box.
This example shows how to make the program capture the packets that go to 63.34.55.66, go to and come from 207.25.16.11, and come from all addresses between 194.154.0.0 and 194.154.255.255. All packets that come from other addresses or go to other addresses will be ignored. Since IP addresses are used only in the IP protocol, such a configuration will automatically make the program ignore all non-IP packets.
Using IPv6 addresses requires Windows XP or higher with the IPv6 stack installed.
Ports
Allows you to ignore or capture packets based on ports. Enter a port number in the Add Record frame, select the direction (From, To, or Both), and click Add Port. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored. You can also click on the Port Reference button to get a list of all known ports; double-click on the port you would like to add and its number will appear in the input box. Ports can also be entered as text; for example, you can type in http or pop3, and the program will convert the port name to the numeric value.
This example shows how to make the program ignore packets that come from port 80 and go to and come from port 137. This rule will prevent CommView from displaying inbound HTTP traffic, as well as inbound and outbound NetBIOS Name Service traffic. All packets coming to and from other ports will be captured.
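The evaluation order described above (wireless rules gate every packet first, then each conventional rule category applies its capture/ignore action) is easy to get wrong when combining rules, so here is an added model of it, not CommView's own code. The Packet and RuleSet types, the (value, direction) record layout and the use of fnmatch for address wildcards are assumptions made for this example; it reproduces the IP Addresses and Ports examples from this page.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Packet:
    kind: str            # wireless frame type: "Data", "Management" or "Control"
    src_ip: str = ""     # empty for non-IP frames
    dst_ip: str = ""
    src_port: int = 0    # 0 when the packet carries no TCP/UDP port
    dst_port: int = 0

@dataclass
class RuleSet:
    # Wireless rules: the frame types whose toolbar button is "pressed".
    wireless: set = field(default_factory=lambda: {"Data", "Management", "Control"})
    # Conventional rules per category: (value, direction) records plus one
    # action for the whole category, "capture" or "ignore".
    ip_rules: list = field(default_factory=list)
    ip_action: str = "capture"
    port_rules: list = field(default_factory=list)
    port_action: str = "capture"

def _matches(rules, src, dst, match):
    """True if any (value, direction) record matches the source or destination."""
    for value, direction in rules:
        if direction in ("From", "Both") and match(src, value):
            return True
        if direction in ("To", "Both") and match(dst, value):
            return True
    return False

def passes(pkt: Packet, rs: RuleSet) -> bool:
    """Evaluation order from the page: wireless rules first, then conventional."""
    # 1. Wireless rules have precedence; an unchecked frame type is dropped outright.
    if pkt.kind not in rs.wireless:
        return False
    # 2. IP rules; wildcards such as "194.154.*.*" cover address blocks. A non-IP
    #    packet has no address, so under a "capture" action it is ignored.
    if rs.ip_rules:
        hit = _matches(rs.ip_rules, pkt.src_ip, pkt.dst_ip,
                       lambda addr, pat: bool(addr) and fnmatch(addr, pat))
        if (rs.ip_action == "capture") != hit:
            return False
    # 3. Port rules: exact numeric match, e.g. (80, "From") or (137, "Both").
    if rs.port_rules:
        hit = _matches(rs.port_rules, pkt.src_port, pkt.dst_port, lambda p, v: p == v)
        if (rs.port_action == "capture") != hit:
            return False
    return True
```

With no wireless button pressed, passes() returns False for every packet, which is the "program will not display any packets" case noted earlier.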
TCP Flags
Allows you to ignore or capture packets based on TCP flags. Check a flag or a combination of flags in the Add Record frame, and click Add Flags. The new rule will be displayed. Now you can select the action to be taken when a new packet with the entered TCP flags is processed: the packet can be either captured or ignored.
This example shows how to make the program ignore TCP packets with the PSH ACK flag combination. All packets with other TCP flags will be captured.
Text
Allows you to capture packets that contain certain text. Enter a text string in the Add Record frame and click Add Text. The new rule will be displayed. Now you can select the action to be taken when a new packet is processed: the packet can be either captured or ignored.
This example shows how to make the program capture only the packets that contain "GET". Check the Case sensitive box if you want the rule to be case sensitive. Check the UTF8 or UTF16 box if you want the rule to match the text encoded in the respective encoding. All other packets that do not contain the text mentioned above will be ignored. If you would like to create a rule based on hex byte sequences, for text that is not printable (e.g. 0x010203), use the Advanced Rules.
Advanced
Advanced rules are the most powerful and flexible rules; they allow you to create complex filters using Boolean logic. For detailed help on using advanced rules, please refer to the Advanced Rules chapter.