How to chain filter rules using logical operators
Sometimes you need more sophisticated rules to capture packets from several addresses that meet complex criteria.
For these kinds of situations, you can chain multiple rules together into a single filter using the logical operators AND, OR, and BRANCH. The filter rule editor arranges the rules according to where they fall logically in the decision tree that you are building when you use multiple rules. Each rule is represented by a rectangle; ANDs are represented by horizontal connecting lines, while ORs and BRANCHes are represented by vertical lines.
AND and OR mean exactly what you would expect. For example, the following filter would cause Observer to include only CRC error packets that originate from the IP address given in the address rule (in other words, both the address rule AND the error rule must match for the packet to be captured).
Figure 24: AND filter example
If you want to capture all traffic from that address along with any error packets regardless of originating station, you would chain the rules with OR:
Figure 25: OR filter example
BRANCH is similar to OR, with one difference: once a packet matches the first rule in a branch, it is evaluated only against the rules that follow on that branch, rather than being passed on to the other alternatives in the filter.
When you chain multiple rules in a filter, packets are processed on a first-match-wins basis: if a packet matches an exclude rule, further processing through that particular string (the horizontal AND chain containing the exclude) stops. However, the packet is still processed through any subsequent OR or BRANCH rules in the filter, so an exclude in one string does not prevent a later string from including the packet.
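To make the AND, OR, BRANCH and first-match-wins behaviour described above concrete, the following is an added, constructed model of such a filter decision tree. It is not Observer's own filter engine and does not reproduce its exact evaluation order; it simply encodes the semantics stated on this page so that you can trace them against sample packets. The packet fields, the host address `10.0.0.5` (the page's figures use an address that is not reproduced here), the rule names and the treatment of a non-matching exclude rule as a pass-through are all assumptions made for the example.

```python
"""Constructed model of a chained packet-filter decision tree.

Not Observer's code: it encodes the AND / OR / BRANCH and
first-match-wins semantics described in the text so that they can be
traced on sample packets. Fields and rule names are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

Packet = Dict[str, object]
HOST = "10.0.0.5"  # assumed station address for the example


@dataclass
class Rule:
    """One rectangle in the rule editor: a predicate plus include/exclude."""
    name: str
    match: Callable[[Packet], bool]
    exclude: bool = False


@dataclass
class Chain:
    """A horizontal AND string, evaluated left to right."""
    rules: List[Rule]

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Return 'include', 'exclude', or None if the string does not match."""
        for rule in self.rules:
            hit = rule.match(pkt)
            if rule.exclude:
                if hit:
                    return "exclude"   # first match wins: stop this string here
                continue               # assumption: a non-matching exclude falls through
            if not hit:
                return None            # AND: a non-matching include rule ends the string
        return "include"


@dataclass
class Branch:
    """BRANCH: if the gate matches, only the chains inside the branch decide."""
    gate: Rule
    chains: List[Chain]


@dataclass
class Filter:
    """A vertical OR list of chains and branches."""
    alternatives: List[Union[Chain, Branch]]

    def capture(self, pkt: Packet) -> bool:
        for alt in self.alternatives:
            if isinstance(alt, Branch):
                if alt.gate.match(pkt):
                    # Packet is judged only by the rules that follow on this branch.
                    return any(c.evaluate(pkt) == "include" for c in alt.chains)
                continue
            # An 'exclude' result stops this string only; later OR strings still run.
            if alt.evaluate(pkt) == "include":
                return True
        return False


# Rules used by the sample filters.
FROM_HOST = Rule("from host", lambda p: p["src"] == HOST)
CRC_ERROR = Rule("CRC error", lambda p: bool(p["crc_error"]))
IS_TCP = Rule("TCP", lambda p: p["proto"] == "tcp")
NOT_TCP = Rule("exclude TCP", lambda p: p["proto"] == "tcp", exclude=True)

# Figure 24 style: from host AND CRC error.
AND_FILTER = Filter([Chain([FROM_HOST, CRC_ERROR])])
# Figure 25 style: from host OR any CRC error.
OR_FILTER = Filter([Chain([FROM_HOST]), Chain([CRC_ERROR])])
# BRANCH on the host: host traffic is captured only if TCP; everyone else only on CRC error.
BRANCH_FILTER = Filter([Branch(FROM_HOST, [Chain([IS_TCP])]), Chain([CRC_ERROR])])
# The same rules joined with OR instead, for contrast.
OR_EQUIVALENT = Filter([Chain([FROM_HOST, IS_TCP]), Chain([CRC_ERROR])])
# Exclude inside one string, include in another (first match wins per string).
EXCLUDE_FILTER = Filter([Chain([FROM_HOST, NOT_TCP]), Chain([CRC_ERROR])])

# Constructed sample packets.
P_HOST_TCP_CRC: Packet = {"src": HOST, "proto": "tcp", "crc_error": True}
P_HOST_TCP_OK: Packet = {"src": HOST, "proto": "tcp", "crc_error": False}
P_HOST_UDP_OK: Packet = {"src": HOST, "proto": "udp", "crc_error": False}
P_HOST_UDP_CRC: Packet = {"src": HOST, "proto": "udp", "crc_error": True}
P_OTHER_TCP_CRC: Packet = {"src": "10.0.0.9", "proto": "tcp", "crc_error": True}
P_OTHER_UDP_OK: Packet = {"src": "10.0.0.9", "proto": "udp", "crc_error": False}


if __name__ == "__main__":
    for name, flt in [("AND", AND_FILTER), ("OR", OR_FILTER),
                      ("BRANCH", BRANCH_FILTER), ("OR-equivalent", OR_EQUIVALENT),
                      ("EXCLUDE", EXCLUDE_FILTER)]:
        print(name, flt.capture(P_HOST_UDP_CRC), flt.capture(P_HOST_TCP_CRC))
```

The BRANCH and OR-equivalent filters differ on a UDP CRC-error packet from the host: the branch claims the packet at its gate and its only inner rule (TCP) fails, so the packet is dropped, whereas the OR form falls through to the CRC-error string and captures it. The exclude filter shows the first-match-wins rule: a TCP CRC-error packet from the host hits the exclude in the first string, which ends that string, but the second string still includes it.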