Rule Type | Usage |
---|---|
Address - IP Range/IP | Specify a hardware or IP address or range of addresses for source and destination. You can also limit the rule to apply only to packets from particular source or destination ports. For IPv4 packets, you can specify a subnet mask for inclusion/exclusion. |
Packets with Comments | Filter for packets that have been commented by an Observer user and saved with a capture file. Comments are useful for annotating packets when two analysts are working on a problem together, perhaps sending each other captures from remote sites on a corporate network. There are no setup options. Available for post-filter only. |
Error | Specify the categories of errors you want to filter for: CRC, Alignment, packet too small, and packet too large are available for all network types. You can also filter for Wireless WEP errors if you are analyzing a wireless network. If you are analyzing a WAN link, you can filter for WAN abort and RBIT errors. Observer also lets you filter for Token Ring error notifications when analyzing Token Ring networks. |
Ethernet Physical Port | Allows you to filter on the physical port or link of the Ethernet capture card. When choosing to filter by link, you can also choose the direction (DCE or DTE). |
Expert Packets | This rule lets you filter for Observer-generated Expert packets. These packets are generated only if the Include Expert Load information packets box has been checked in Mode Commands Setup for Packet Capture. There are no setup options. Available for post-filter only. |
Full Duplex Ethernet Port | Lets you filter for direction (DCE or DTE) on a selected full-duplex port. |
Length (Bytes) | Specify a packet length, and whether you want to filter for packets that are less than, equal to, or greater than that length. You can also filter for packets that fall within a range of length values. |
MPLS | The MPLS filter allows you to filter on any level of the Multiprotocol Label Switching protocol. |
Numeric Value | This rule is useful when you need to filter for a numeric value (or range of values) that is embedded within a byte, word or double word. |
Packet Time | Allows you to create a capture file with packets only before, after, or during a specific time. This filter is only available for pre- and post-filtering. |
Partial Packet Payload for TCP/UDP | Allows you to capture (or not capture) specific payload data based on how the rule is configured. This is especially useful if you need to share packet captures. See Sharing packet captures with third-parties. |
Pattern | Use this rule to filter for an ASCII, Regular Expression, hexadecimal, or binary string starting at a specified offset or within a specified range. Hexadecimal and binary strings allow you to filter for values embedded within a particular byte, word, or double word if you know the offset, either from the beginning of the packet or from the beginning of a particular protocol header. If you want to filter for a numeric value or range of values within a byte or word, consider using the Numeric Value filter. Regular Expression filters allow you to use Unix/Perl-style regular expressions, which let you wildcard for single characters, groups of characters, ranges of characters and numeric values, and more. |
Port | Specify a port or range of ports for inclusion or exclusion. |
Protocol | Select a protocol and field to filter on. For example, you can filter for ICMP Destination unreachable messages, or the presence of a VLAN tag. |
VLAN 802.1Q or VLAN 802.1ad (QinQ) | The 802.1Q protocol allows you to filter on the outermost or innermost Virtual Local Area Network (VLAN) packet. The 802.1ad, or QinQ, protocol allows you to filter on any or all of the multiple VLANs in a packet. See Tell me more about choosing a VLAN protocol to learn how to use VLAN filtering. |
VLAN ISL | VLAN ISL (Cisco proprietary VLAN). Beyond the VLAN ID, you can filter by user-defined bits. Fields: Source address (MAC); CDP and BPDU indicator; High bits of source address; Port index; Reserved field. |
VNTag | Allows you to define the direction, loop, DVIF, and SVIF for tags created by the vNIC in your virtual network. |
WAN - DLCI Address | Specify a WAN DLCI by number. |
WAN Port | Specify a WAN Port by number. |
WAN Conditions | Lets you filter for direction (DCE or DTE or both), and logically chain tests for forward congestion packets, backward congestion packets, and discard eligibility. |
Wireless Access Point | Enter or select a hardware address that corresponds to the wireless access point you want to capture traffic from. |
Wireless Data Rate | Select a wireless data rate, and whether you want to filter for packets traveling at, under, or over that rate. |
Wireless Channel | Select a wireless channel, and whether you want to filter for packets received from channels less than, greater than, or equal to that channel. |
Wireless Channel Strength | Select a wireless signal strength, and whether you want to filter for packets received at, under, or over that signal strength. |