Menu
Resources
  • Wireless Drivers
  • Product Tips & Tricks
  • Video How-To's
  • Free Utilities
  • LiveAction Blog

    • A Few Basic Filters Can Be Better Than One Big Filter

    By Jeff Trawick, WildPackets Professional Services

    When building filters in the OmniPeek Network Analyzer, there is often a temptation to build complex filters containing multiple conditions connected by several AND/OR/NOT operators. When building some filters, such as signature filters for viruses or worms, complex filters are necessary since most forms of malware have very unique characteristics that require filter conditions that you are unlikely to reuse.

    Yet even our more common filters often consist of several conditions when we are trying to isolate a combination of rather common characteristics, like node address or address range, protocol, port, wireless channel, and so forth. For example, we might build a filter to watch for all HTTP traffic from a particular client on a particular wireless channel. For this purpose, we could construct a single filter with three or four conditions in it, but the next time we needed a similar filter for another node, protocol, or channel, we would need to rebuild the entire filter for that unique scenario.

    A better way might be to build individual filters for each of the elementary filter conditions, and then combine those conditions as needed using the power of the Filter Bar. Don’t remember anything about the Filter Bar? Then, this Tip is a great place to start!

    For our example, let’s say that we want to isolate traffic for a subnet 192.168.0.0/24. We want to focus on this subnet’s HTTP traffic, but only on WLAN Channel 11. Instead of building one filter with all of these conditions, let’s build three individual filters. The first filter is just an address filter for 192.168.0.*, where the asterisk is a wildcard that lets us capture all traffic for the subnet. The second filter is a simple protocol filter for HTTP. The last filter looks for WLAN traffic on Channel 11. Since the first two filters are so easy, we won’t illustrate them here, but the third filter looks like this:


    Now that we have the three filters, let’s combine them in the filter bar during a capture or while looking at a trace file.

    The Filter Bar provides the flexibility of combining existing filters using AND, OR, or NOT conditions. That’s something we can’t do in the traditional Filter views. By having basic component filters for common nodes, networks, protocols, channels, or other fundamental items, we can easily build more complex filters on the fly! Unlike a more complex multi-condition filter, we can reuse these component filters in many different situations. So let those simple filters work together to give you the precise view that you need. Use the Filter Bar and have fun!