Advanced filters

When creating a filter, you can choose to create a simple filter or an advanced filter. The Advanced Filter tab appears as below.

The filter rules are arranged in a filter relation map. The map shows the logical relations among the rules from adapter to an analysis project. You can double-click the rule to edit it.

Toolbar

The toolbar contains the following items:

• And: The rules connected by "and" are in logical and relationship.
• Or: The rules connected by "or" are in logical or relationship.
• Not: Only packets unmatched the condition will be captured. The Not rules are marked as red ones.
• : Edits the selected rule.
• : Deletes the selected rule.
• : Shows the icon for each rule.
• : Shows the details of the rules.
• : Shows the logical relationships of the rules.

For advanced filters, there are six kinds of rules, including Address, Port, Protocol, Size, Value and Pattern. The Address, Port and Protocol rules are the same to those in simple filters (See Simple filters for details).

Defining size rule

Size rule is for defining the rule on packet size. Only packets of the size satisfying the rule will be captured.

To define a size rule, click And or Or on the toolbar and select Size to open the Size Rule dialog box which appears as below.

You can choose < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to), = (equal to), != (not equal to), Between (size range) to define the size rule.

Defining value rule

Value rule is for defining the rule on the value of decoded field of a packet.

To define a value rule, click And or Or on the toolbar and select Value to open the Value Rule dialog box which appears as below.

• Length: Specifies the length of the mask, and the length of the value for the rule. It could be 1 byte, 2 bytes and 4 bytes.
• From: Specifies where to offset in a packet. It could be Raw data, IP Header, ARP Header, TCP Header, and UDP Header.
• Offset: Specifies the bytes to be offset. The unit is byte.
• Mask: The hexadecimal mask of the value.
• Byte order: The order of the bytes. It could be network byte order and host byte order.
• Operator: It could be = (equal to), != (not equal to), < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to).
• Type: The type of the value. It could be binary, octal, unsigned decimal and hex.
• Value: The value for the rule.

When a value rule is enabled, do logical AND operation between the specified bytes in a packet and the mask, and compare the operation result with the value for the rule. If the compare result is consonant, the packet will be captured; or else, the packet will be filtered out.

Defining pattern rule

Content rule is for defining the rule on the content of a packet.

To define a content rule, click And or Or on the toolbar, select Pattern to open the Pattern Rule dialog box which appears as below, select the type for the content, type the content, set the offset options, and click OK.

The unit for offset is byte.

Advanced filters can also be converted into simple filters, but some filter rules will be lost because advanced filters have more filter conditions than simple filters.