Network Instruments Observer User Manual


Packet Capture

© 2002 Network Instruments, LLC


Observer filters allow you to capture packets coming from one hardware address to another, from one IP address to another, from a hardware address to an IP address, or from an IP address to a hardware address, in one or both directions: all incoming packets to a particular address from any source, all outgoing packets from a particular address to any destination, or all the traffic on the network, subject to the protocol subfilter. In addition, Observer allows “exclude” directional settings, which specifically exclude traffic from one address to another, in either direction. The exclude arrows are the opposite of include arrows. Additionally, you can capture only error packets by selecting the “Error” filter.

Exclude filters take precedence over include filters. If a packet is
marked for inclusion by one filter and for exclusion by another, it will be
excluded.

1. To create or edit a filter entry, right-click on the desired filter in the Configured Address Filter column.

2. Click on the Create New Filter Entry or Edit Selected Filter Entry button to display the Add/Edit Address Filter Entry dialog.

3. Select a Network Address Type by selecting the Ethernet, Token Ring, or FDDI option button or the Frame Relay option button.

4. Select a filter address type by selecting the Hardware Address option button or the IP Address option button from Address 1 Type and Address 2 Type. You can select a hardware filter or IP filter independently for source or destination.

5. Right-click on the “Address 1” or “Address 2” textboxes to display a popup list of available addresses. Click on the address you want to capture or exclude. You may also type in an address you wish to capture or exclude.

The “Address 1” and “Address 2” list boxes show the addresses (and aliases) that you may want to monitor. You can create as many entries as you have on your LAN. However, you can only set a filter to monitor up to five addresses at a time.

The format of an address entry is either the six numbers of the Ethernet address separated by colons or dots or the Token Ring address. An alias is a name that Observer will substitute for an address when showing the headers of incoming packets (if you tell Observer to use aliases). This can make packets easier to recognize and analyze (e.g., 00:02:8A:49:B2:48 David Jones).
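
The address formats and the include/exclude rules described above can be modelled in a few lines of Python. This is an added example, not part of the manual and not Network Instruments' code; it shows why an exclude entry silences one direction of a conversation that an include entry would otherwise capture. The `Entry` class, the `->`/`<-`/`<->` direction strings, the packet dictionary layout and the default for packets that match no include entry are assumptions, and only Ethernet-style hardware addresses and IP addresses are handled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

def norm(addr):
    """Canonical form of an IP address or a six-byte hardware address (colons or dots)."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        parts = re.split(r"[:.]", addr.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not an IP or hardware address: {addr!r}")
    return ":".join(f"{int(p, 16):02X}" for p in parts)

@dataclass(frozen=True)
class Entry:
    addr1: Optional[str]   # None means "any address"
    addr2: Optional[str]
    direction: str         # "->", "<-" or "<->" (notation assumed here)
    exclude: bool = False

    def matches(self, src, dst):
        def hit(a, ids):
            return a is None or norm(a) in ids
        fwd = hit(self.addr1, src) and hit(self.addr2, dst)
        rev = hit(self.addr2, src) and hit(self.addr1, dst)
        return {"->": fwd, "<-": rev, "<->": fwd or rev}[self.direction]

def captured(pkt, entries):
    """True if the packet passes the address filter; exclude beats include."""
    # Each side has a hardware and an IP identity, so an entry may mix address types.
    src = {norm(pkt["src_mac"]), norm(pkt["src_ip"])}
    dst = {norm(pkt["dst_mac"]), norm(pkt["dst_ip"])}
    matched = [e for e in entries if e.matches(src, dst)]
    if any(e.exclude for e in matched):
        return False
    # Assumption: a packet matched by no include entry is not captured.
    return any(not e.exclude for e in matched)

# Constructed sample data: the manual's example station and documentation-range IPs.
FILTER = [
    Entry("00:02:8A:49:B2:48", None, "<->"),
    Entry("00.02.8A.49.B2.48", "192.0.2.10", "->", exclude=True),
]
OUT = {"src_mac": "00:02:8a:49:b2:48", "src_ip": "192.0.2.5",
       "dst_mac": "00:11:22:33:44:55", "dst_ip": "192.0.2.10"}
BACK = {"src_mac": OUT["dst_mac"], "src_ip": OUT["dst_ip"],
        "dst_mac": OUT["src_mac"], "dst_ip": OUT["src_ip"]}
```

With `FILTER`, `captured(OUT, FILTER)` is false because the exclude entry matches the outbound packet, while `captured(BACK, FILTER)` is true because only the bidirectional include entry matches the reply. When a capture seems to be missing one side of a conversation, a directional exclude entry is the first thing to check.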
