Post-filtering your packet captures
 
Page Contents
Enabling command-line filtering
Post-filtering via command line
Revised: 2016-03-17
By filtering your packet captures, you can extract and examine only network packets that meet certain criteria. You can introduce such a filter either before (pre-filter) or after (post-filter) you perform a packet capture.
This section describes post-filters only; these filters affect what you see in a loaded capture file. If you have an existing capture file and would like to pre-filter it instead, see Pre-filtering your packet captures.
To apply a post-filter, complete the following steps:
1. Click the File tab, and click Options > Fallback Instance.
2. Choose the probe instance with the settings you want to use to decode the buffer file. For more details about why this is important, see Opening files from unknown locations.
3. Click the File tab, and click Open > Local Packet Captures > PreFilter and Analyze.
4. Navigate to the capture file you want to load, and select it.
5. Click Open. The Pre-Filtering window appears.
6. Enable the filters you want to apply to the capture file.
If you do not see any pre-installed filters worth using, create your own. The maximum number of elements a filter expression may have is 256.
7. Click OK. The capture file loads into Observer and you arrive at the Decode tab.
 
The Decode tab of the Decode and Analysis window displays each captured packet stored in the file that matches the filter criteria. See Using the Decode pane for more details.
 
Enabling command-line filtering
Command-line filtering lets you post-filter a packet capture by typing a filter expression as text instead of building it in the traditional filter editor.
To enable command-line filtering:
1. On the Home tab, in the Capture group, click Configuration > Packet Capture.
2. Click the Start button to begin your packet capture.
3. Click the Decode button.
4. Ensure the Decode tab is selected, and then click Settings.
5. Select Enable type script filters in the General tab.
Figure 24: Enable type script filters
 
After command-line filtering is enabled, you can post-filter via command line as described in Post-filtering via command line.
 
Post-filtering via command line
Post-filtering via command line can save you time if you are comfortable writing a filter as text. It is an alternative to the traditional filter set-up.
Note: Command-line filtering must be enabled before continuing. See Enabling command-line filtering.
Some benefits of creating a command-line filter include:
- You can create a custom filter without losing focus of your capture window.
- The filter can be converted automatically to a traditional filter, which is:
    - persistent, exportable, and shareable using OMS or the network
    - suited to more complex rules or later reconfiguration
- If you are already familiar with command-line interfaces, it may save you time.
You can either type the text manually or use text building blocks to aid your syntax. To use this tool most efficiently, we highly recommend using saved packet captures.
This filtering process also works with an unsaved, real-time packet capture, but note that the data shown after the filter is applied is a static snapshot. Your packet capture is still running, but new packets are not added to the filtered view. Re-run your query from the active packet capture window to refresh the filtered data.
To post-filter via command line:
1. Click the File tab, and click Open > Local Packet Captures > Load and Analyze.
2. Navigate to the capture file you want to load, and select it.
3. Click Open. The capture file loads into Observer and you arrive at the Decode and Analysis tool.
4. Click the Type Script Filter button.
If you do not see the Type Script Filter button, verify you have enabled command-line filtering.
5. Build your filter, using the building blocks list as your guide.
Descriptions of each building block, including example usage, can be found in Table 12.
Figure 25: Use building blocks as your guide
6. Click Apply when finished.
The packet capture is filtered according to the rules. If you encounter an error, or provide improper syntax, Observer alerts you that the filter must be fixed.
7. (Optional) To convert your command-line filter automatically to a traditional Observer filter, which persists and can be saved, exported and shared, click Save Filter.
 
 
 
Table 12. Building blocks
Each entry lists the building block, example usage, and a description.

-ip=
    Examples:
        -ip=10.0.36.139
        -ip=74.125.224.72
    IPv4 Address: use this to filter for a single IPv4 address.

-ip_pair=
    Examples:
        -ip_pair=10.0.36.139/10.0.36.154
        -ip_pair=10.0.36.139/74.125.224.72
    IPv4 Pair: use this to filter for two IPv4 addresses that have conversed with each other.

-ip_range=
    Examples:
        -ip_range=10.0.36.1/10.0.36.255
        -ip_range=192.168.0.20/192.168.0.100
    IPv4 Range: use this to filter for any IPv4 address within a set range. The addresses at the beginning and the end of the range are included.

-ipv6=
    Examples:
        -ipv6=FE80::F544:9E0:9C81:9FB1
        -ipv6=ff00::7f00:1
    IPv6 Address: use this to filter for a single IPv6 address.

-ipv6_pair=
    Example:
        -ipv6_pair=FE80::F544:9E0:9C81:9FB1/2002::4A7D:E048
    IPv6 Pair: use this to filter for two IPv6 addresses that have conversed with each other.

-ipv6_range=
    Example:
        -ipv6_range=FE80::A00:2401/FE80::A00:24FF
    IPv6 Range: use this to filter for any IPv6 address within a set range. The addresses at the beginning and the end of the range are included.

-mac=
    Examples:
        -mac=00:0C:85:BD:08:80
        -mac=00:50:56:2E:AB:A0
    MAC Address: use this to filter for a single MAC (hardware) address.

-mac_pair=
    Example:
        -mac_pair=00:50:56:2E:AB:A0/00:0C:85:BD:08:80
    MAC Address Pair: use this to filter for two MAC addresses that have conversed with each other.

-mac_range=
    Example:
        -mac_range=01:00:5E:00:00:00/01:00:5E:7F:FF:FF
    MAC Address Range: use this to filter for any MAC address within a set range. The MAC addresses at the beginning and the end of the range are included.

-regex=

-tcp=
    Examples:
        -tcp=22
        -tcp=80
        -tcp=25901 -and -tcp=25903
        -tcp=63268
    TCP Port: use this to filter for a single TCP port number. As with other building blocks, you can combine several using the -and building block.

-tcp_pair=
    Examples:
        -tcp_pair=63268/25901
        -tcp_pair=25901/25903
        -tcp_pair=3389/3391
    TCP Port Pair: use this to filter for a pair of TCP ports that have conversed with each other. Direction is a non-factor: the filter looks for the pair regardless of which port is the source and which the destination.

-tcp_range=
    Examples:
        -tcp_range=0/5000
        -tcp_range=35/1023
        -tcp_range=60000/63500
    TCP Port Range: use this to filter for communication on any TCP port within the specified range. The port numbers at the beginning and the end of the range are included. Direction is a non-factor: a port in the range matches whether it is the source or the destination port.

-udp=
    Examples:
        -udp=53
        -udp=88
        -udp=26000 -and -udp=61001
    UDP Port: use this to filter for a single UDP port number. As with other building blocks, you can combine several using the -and building block.

-udp_pair=
    Examples:
        -udp_pair=63240/27015
        -udp_pair=49501/42
    UDP Port Pair: use this to filter for a pair of UDP ports that have conversed with each other. Direction is a non-factor: the filter looks for the pair regardless of which port is the source and which the destination.

-udp_range=
    Examples:
        -udp_range=27901/27910
        -udp_range=27030/27000
        -udp_range=0/1023
    UDP Port Range: use this to filter for communication on any UDP port within the specified range. The port numbers at the beginning and the end of the range are included. Direction is a non-factor: a port in the range matches whether it is the source or the destination port.

-vlan=
    Examples:
        -vlan=101
        -vlan=101 -and -vlan=102
    VLAN ID: use this to filter for a single VLAN ID. As with other building blocks, you can combine several using the -and building block.

(space character)
    Example:
        -tcp=80 -tcp=8080   (TCP port 80 OR TCP port 8080)
    Logical OR: a space between two building blocks matches packets that satisfy either one, broadening the scope of your filter.

/ (forward slash)
    Example:
        -ip_range=10.0.36.1/10.0.36.255   (any IPv4 address between 10.0.36.1 and 10.0.36.255)
    Pair and range separator: put it between the two values of a pair or a range. Do not add a space before or after the slash.
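The building blocks in Table 12 amount to a small grammar, and its stated semantics (inclusive ranges, pairs that ignore direction, -and between blocks, a bare space as OR, the 256-element limit from step 6 of the first procedure, and a syntax error raised instead of a match) are easiest to check against concrete packets. The Python below is an added example written for this page; it is not Observer code and does not describe how Observer implements its filters. It evaluates filter strings in this syntax against a constructed list of packet records. Where the page is silent it assumes that -and binds tighter than the space operator, that a range may be written with either end first, and that an "element" is one building block; the packet field names (src_ip, dst_port and so on), the helper names and the sample packets are all hypothetical.

```python
"""Evaluate Observer-style type-script filter strings against packet records.
Added illustration for this page, not Observer code; the packets are constructed
sample data. Assumed grammar, read off the building-block table: whitespace
between blocks is OR, "-and" is AND (assumed to bind tighter than OR), and "a/b"
is an undirected pair (*_pair) or an inclusive range (*_range, either end first).
"""
import ipaddress
import re

MAX_ELEMENTS = 256   # documented ceiling on elements in one filter expression
# block -> ((source field, destination field), value converter, required L4 proto)
_BLOCKS = {
    "ip":   (("src_ip", "dst_ip"), lambda s: int(ipaddress.IPv4Address(s)), None),
    "ipv6": (("src_ip", "dst_ip"), lambda s: int(ipaddress.IPv6Address(s)), None),
    "mac":  (("src_mac", "dst_mac"), lambda s: int(s.replace(":", ""), 16), None),
    "tcp":  (("src_port", "dst_port"), int, "tcp"),
    "udp":  (("src_port", "dst_port"), int, "udp"),
    "vlan": (("vlan", "vlan"), int, None),
}
_TOKEN = re.compile(r"-(ip|ipv6|mac|tcp|udp|vlan)(?:_(pair|range))?=(\S+)")

def _predicate(token):
    """Compile one building block into a function packet -> bool."""
    m = _TOKEN.fullmatch(token)
    if not m:
        raise ValueError(f"unrecognised building block: {token!r}")
    block, kind, value = m.groups()
    if block == "vlan" and kind:
        raise ValueError("-vlan= has no pair or range form")
    (src_f, dst_f), conv, proto = _BLOCKS[block]
    parts = [p for p in value.split("/") if p]       # tolerate a stray trailing "/"
    if kind is None and len(parts) == 1:
        want = conv(parts[0])
        cond = lambda f: want in f                    # source or destination
    elif kind == "pair" and len(parts) == 2:          # direction is a non-factor
        pair = {conv(parts[0]), conv(parts[1])}
        cond = lambda f: set(f) == pair
    elif kind == "range" and len(parts) == 2:
        lo, hi = sorted(conv(p) for p in parts)       # inclusive at both ends
        cond = lambda f: any(lo <= x <= hi for x in f)
    else:
        raise ValueError(f"{token!r}: wrong number of '/'-separated values")
    def test(pkt):
        # Wrong L4 protocol, wrong IP version (converter raises) or missing field: no match
        if proto and pkt.get("proto") != proto:
            return False
        try:
            return cond((conv(pkt[src_f]), conv(pkt[dst_f])))
        except (KeyError, ValueError):
            return False
    return test

def parse_filter(expr):
    """Compile a whole expression; ValueError is the 'filter must be fixed' case."""
    groups = [[]]                      # OR across groups, AND inside a group
    expect_block = True
    for tok in expr.split():
        if tok == "-and":
            if expect_block:
                raise ValueError("'-and' must sit between two building blocks")
            expect_block = True
            continue
        if not expect_block:           # plain space between blocks: new OR group
            groups.append([])
        groups[-1].append(tok)
        expect_block = False
    if expect_block:
        raise ValueError("filter is empty or ends with '-and'")
    if sum(map(len, groups)) > MAX_ELEMENTS:   # assumes an element is one block
        raise ValueError(f"more than {MAX_ELEMENTS} elements")
    compiled = [[_predicate(t) for t in g] for g in groups]
    return lambda pkt: any(all(p(pkt) for p in g) for g in compiled)

def syntax_error(expr):
    """The complaint raised for expr, or None if it compiles cleanly."""
    try:
        parse_filter(expr)
    except ValueError as e:
        return str(e)
    return None

def apply_filter(expr, packets):
    """Ids of the packets that match expr, i.e. the post-filtered view."""
    match = parse_filter(expr)
    return [p["id"] for p in packets if match(p)]

def _pkt(pid, proto, vlan, sip, sport, dip, dport, smac, dmac):
    return dict(id=pid, proto=proto, vlan=vlan, src_ip=sip, src_port=sport,
                dst_ip=dip, dst_port=dport, src_mac=smac, dst_mac=dmac)

# Constructed sample capture: HTTP request/reply, DNS query, RDP, SSH over IPv6, mDNS.
SAMPLE_PACKETS = [
    _pkt(1, "tcp", 101, "10.0.36.139", 63268, "74.125.224.72", 80, "00:50:56:2E:AB:A0", "00:0C:85:BD:08:80"),
    _pkt(2, "tcp", 101, "74.125.224.72", 80, "10.0.36.139", 63268, "00:0C:85:BD:08:80", "00:50:56:2E:AB:A0"),
    _pkt(3, "udp", 102, "10.0.36.154", 49501, "10.0.36.1", 53, "00:11:22:33:44:55", "00:0C:29:AA:BB:CC"),
    _pkt(4, "tcp", 102, "192.168.0.20", 3391, "10.0.36.139", 3389, "00:11:22:33:44:66", "00:50:56:2E:AB:A0"),
    _pkt(5, "tcp", 101, "FE80::F544:9E0:9C81:9FB1", 51000, "FE80::A00:2450", 22, "00:11:22:33:44:77", "00:0C:29:AA:BB:DD"),
    _pkt(6, "udp", 102, "10.0.36.154", 5353, "224.0.0.251", 5353, "00:11:22:33:44:55", "01:00:5E:00:00:FB"),
]
```

With the sample capture above, apply_filter("-tcp=80 -tcp=8080", SAMPLE_PACKETS) returns [1, 2] (both directions of the HTTP exchange), "-tcp_pair=3389/3391" returns [4] even though 3391 is the source port, and "-udp_range=1023/0" still returns [3] because the range is normalised. Feeding "-tcp=80 -and" or "-tcp=80/443" to syntax_error gives a complaint rather than an empty result, which is the behaviour step 6 of the command-line procedure describes.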