Observer Analyzer : Observer Analyzer : Filtering : Pre-filtering your packet captures
Pre-filtering your packet captures
By filtering your packet captures, you can extract and examine only network packets that meet certain criteria. You can introduce such a filter either before (pre-filter) or after (post-filter) you perform a packet capture.
When you pre-filter your packet captures, you have two choices. You can choose to use a software pre-filter or a hardware pre-filter.
Some countries or locales have laws regarding data privacy and strictly regulate what information may be captured. Failure to abide by these laws could result in fines or jail time. This means that if you are troubleshooting an issue for a specific user you may not be able to create a generic filter. Instead, you must create a filter that captures only traffic for that individual. If you need to be very specific about what you capture, we recommend a hardware filter with a pattern filter.
Caution: Failing to click OK in step 8 causes Observer to discard any and all changes made since the Active Filters window first appeared in step 1, including all filters you may have created during that period of time.
This section describes pre-filters only; these filters affect what your future packet captures record. If you have an existing capture file and would like to post-filter it instead, see Post-filtering your packet captures.
To create and apply a pre-filter, complete the following steps:
1. Choose one of the following to create your filter.
On the Home tab, in the Probe group, click Filters > Configure Software Filter.
On the Home tab, in the Probe group, click Filters > Configure Hardware Filter.
2. Click New Filter.
The New Filter dialog appears.
3. Type a name for your new filter, and click OK.
The Edit Filter window appears.
4. Use the editor to create a filter.
The maximum number of elements a filter expression may have is 256.
See Tell me more about modifiers for a list of rules, types, and their usage.
5. Click OK to confirm your changes.
Your new filter appears in the Active Filters window.
6. To exclude, negate, or do the inverse of what you just defined, select the rule, right-click and choose Toggle Include/Exclude on rule.
When you exclude a rule, a diagonal red line crosses through it.
7. Activate your new filter by enabling it from the list.
8. Click OK to save your changes.
 
Your newly created filter is available to use when capturing packets.