Workbench 0.18 User Guide

Feature Pack Tools - Network Engineering

Filter

Introduction

The Filter tool can filter a file, a file set, a directory set or several individual files.

Filter tool icon

It supports pcap and pcapng files, and will use any available transformers to filter other file types.

Initiating a Filter Task

The filter is applied to any files that are placed on the workpad.

 Screenshot showing good filter selection

Above we see that there are two files on the workpad.  The Filter tool is then dragged onto the workpad, and we see the border of the workpad turn green indicating that all is well.

It’s not possible to drag Filter onto an individual data object; if we try, the workpad border turns red.  Always drag the Filter icon from the Toolbox to an area not occupied by a data object and then drop the tool.

Conversation filter options

Filter automatically scans all files to identify the transport level conversations and the total time span of the files (note the dates and times at each end of the slider).

Filtering in General

Any combination of the following filter selection criteria can be used to extract the data needed.  Filtering doesn’t start until we click on the Filter button in the bottom right corner of the Filter main pane.

Filtering by Time Range

If we start with a large amount of trace data, it’s often useful to be able to reduce the number of trace entries to just those that occurred in a certain time frame.  This is also useful when we have an accurate indication of when a problem occurred, such as when we have markers in the trace data.

 Using the time range slider

The Filter tool includes a slider mechanism to select a desired time range.  Adjust the left slider so that the date and time on the left is set approximately to the start of the desired time range.  The slider on the right should be adjusted so that the date and time on the right is set approximately to the end of the desired time range.

Conversation Filter

The Conversation Filter facility has many capabilities.

Check Entries in the List

If one or more entries in the Conversation List are checked, the Filter will select these conversations only.

Selecting conversations

Scrolling down through the list and checking more entries adds to the list of conversations selected, i.e. a checked conversation that scrolls out of view will still be selected.

Ordering by Column Value

Click any column header label to order the conversations by the values in that column.  Click once for ascending order, and a second time for descending order.

Complex Selections

A more powerful selection mechanism is available by clicking on the small filter symbol in the column header.  This causes a filter dialogue to appear that allows:

  • Select All – selects all conversations but allows individual conversations to be deselected
  • Show rows with value that – allows entry of match criteria and match conditions; e.g. starts with 192.

Complex selection dialogue.

Clicking on the Filter button reduces the list of conversations in the Conversation List to just those that meet the criteria.

Details

Clicking on the Details tab in the Filter pane presents a very simple set of filter criteria based on the TCP/IP protocol 5-tuple.

Filter details dialogue.

The reference to A and B refers to the host at each end of a conversation.  The parameters are:

Parameter – Possible Values

  • IPv4 Address A and B – Any valid IP version 4 address.  If both an A and a B address are entered, both addresses must be present in the IP header for the packet to be selected.  An asterisk in the A or B address field means that the field matches any value.
  • Port – Any valid TCP or UDP port number.  If both an A and a B port are entered, both port numbers must be present in the TCP or UDP header for the packet to be selected.  An asterisk in the A or B port field means that the field matches any value.
  • IP Protocol – Any matches packets with any (or no) transport protocol; TCP matches packets carrying a TCP header; UDP matches packets carrying a UDP header.
  • A -> B – Select only traffic flowing from host A to host B
  • A <- B – Select only traffic flowing from host B to host A
  • A <> B – Select traffic flowing in either direction

The relationship between the criteria is a logical AND.

Example of filtering by detail.

In the example above, only TCP packets flowing from 192.168.12.5 to 10.100.20.18, and destined for port 80 will be selected by this filter.

Expression

Clicking on the Expression tab allows us to define a filter based on a Wireshark display filter expression.

Filter by expression dialogue.

When in this dialogue, any filter expression present in the Wireshark Filter Expression field can be applied.

The possible ways to use this dialogue are:

Filter Operation Possible Values

Recall a filter

  • Click on the Filters dropdown and select a saved filter

Create a new filter

  • Enter a Wireshark display filter expression into Wireshark Filter Expression
  • Click the Create Filter button
  • Enter a name for the saved expression
  • Click OK

Update a filter

  • Click on the Filters dropdown and select a saved filter
  • Modify the filter expression
  • Click on the Update Filter button

Remove a filter

  • Click on the Filters dropdown and select a saved filter
  • Click on the Delete Filter button

Workbench will apply any filter that is present in Wireshark Filter Expression when the Filter button is clicked.
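
The Details criteria described earlier (A/B address, A/B port, IP protocol, direction, asterisk wildcards, logical AND) can also be written as a Wireshark display filter and pasted into the Wireshark Filter Expression field. The sketch below is an added example, not Workbench code; the function names are hypothetical, and it assumes that A's port is the source port when traffic flows from A to B. Addresses and ports are validated so that nothing other than a valid value reaches the expression.

```python
import ipaddress

# Added illustration; function names are hypothetical, not part of Workbench.

def _addr(value):
    """'*' is the wildcard; anything else must be a valid IPv4 address."""
    return None if value == "*" else str(ipaddress.IPv4Address(value))

def _port(value):
    """'*' is the wildcard; anything else must be a port in 0..65535."""
    if value == "*":
        return None
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port: {value!r}")
    return port

def _one_way(src, dst, sport, dport, proto):
    """AND together every criterion that is set, for one traffic direction."""
    terms = [proto] if proto != "any" else []  # bare "tcp"/"udp": header present
    if src is not None:
        terms.append(f"ip.src == {src}")
    if dst is not None:
        terms.append(f"ip.dst == {dst}")
    for field, port in (("srcport", sport), ("dstport", dport)):
        if port is None:
            continue
        if proto == "any":  # a port criterion implies a TCP or UDP header
            terms.append(f"(tcp.{field} == {port} || udp.{field} == {port})")
        else:
            terms.append(f"{proto}.{field} == {port}")
    return " && ".join(terms)

def details_to_display_filter(a="*", b="*", a_port="*", b_port="*",
                              protocol="any", direction="A <> B"):
    """Return a Wireshark display filter; '' means no restriction."""
    if protocol not in ("any", "tcp", "udp"):
        raise ValueError(f"unknown protocol: {protocol!r}")
    a, b, a_port, b_port = _addr(a), _addr(b), _port(a_port), _port(b_port)
    a_to_b = _one_way(a, b, a_port, b_port, protocol)
    b_to_a = _one_way(b, a, b_port, a_port, protocol)
    if direction == "A -> B":
        return a_to_b
    if direction == "A <- B":
        return b_to_a
    if direction != "A <> B":
        raise ValueError(f"unknown direction: {direction!r}")
    if a_to_b == b_to_a:  # nothing distinguishes the two directions
        return a_to_b
    return f"({a_to_b}) || ({b_to_a})"
```

For the Details example on this page (TCP, 192.168.12.5 to 10.100.20.18, destination port 80, A -> B) the function returns tcp && ip.src == 192.168.12.5 && ip.dst == 10.100.20.18 && tcp.dstport == 80.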

Apply Filter

Click on the Filter button in the bottom right corner of the Filter main pane to start the filtering process.