Address Filter
Address filters let you reduce the number of packets stored in the document (capture filter) or displayed in views (view filter), depending on the source or destination addresses of the packets. Use the Address Filter pages of the Settings dialog to enable and modify the different address filters.
Each packet has at least a MAC source and a MAC destination address. These are layer 2 addresses that are visible only within the current LAN. Most packets also contain network layer addresses (e.g. IP addresses), which are needed to exchange network data between LANs. If packets have been sent to or received from outside the LAN, their layer 3 addresses may belong to different systems than their MAC addresses. If, for example, a packet is received from an outside web server, the IP source address belongs to the web server, while the MAC source address belongs to the gateway of your LAN that handles the traffic to and from this web server.
This gives some hints on which filters to use for which purpose:
To observe the network traffic to and from specific systems in your LAN use a MAC address filter containing the addresses of these systems.
To observe the traffic leaving the LAN and entering it from outside, use a MAC address filter as well, but use the gateway's address.
To observe traffic to and from systems outside the LAN (e.g. a specific web server) use the layer 3 address filters.
You can also use the layer 3 filters to filter traffic inside your LAN. To get only the packets for a single system, however, you may need more than one filter. This is because the layer 3 filters do not interact with each other, so an IP address filter passes any non-IP packet, such as IPX or CLNP. If you are not interested in these other protocols, you can use the protocol filter to remove the corresponding packets.
Note: If the computer on which the Network Analyzer is running is connected to the LAN via a switch, it will only collect packets sent from or to this computer and packets sent to multicast MAC addresses (first address byte is odd), because the switch won't forward other packets to this computer. To collect other packets, you have the following options: Some switches offer a service connector to which all data is sent. Otherwise, use a hub instead of the switch, or install and run the Network Analyzer on all systems you need to observe.
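The following Python sketch is an added example, not part of the Network Analyzer or its documentation. It models the filter behaviour described above on four constructed Ethernet frames: the gateway's MAC address on traffic from an outside web server, an IP address filter passing a non-IP (IPX) frame, and the odd first byte of a multicast MAC address. All function names, addresses and frames are assumptions made for illustration.

```python
import ipaddress
import struct

def mac(s):  # 'aa:bb:cc:dd:ee:ff' -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst_mac, src_mac, ethertype, src_ip=None, dst_ip=None):
    """Build a constructed Ethernet II frame; IPv4 header is minimal (no checksum)."""
    payload = b"\x00" * 20
    if ethertype == 0x0800:
        payload = (b"\x45\x00\x00\x14" + b"\x00" * 4 + b"\x40\x06\x00\x00"
                   + ipaddress.IPv4Address(src_ip).packed
                   + ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload

def parse(frame):
    """Return (dst_mac, src_mac, src_ip, dst_ip); IPs are None for non-IPv4 frames."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800 or len(frame) < 34:
        return dst, src, None, None
    return (dst, src, str(ipaddress.IPv4Address(frame[26:30])),
            str(ipaddress.IPv4Address(frame[30:34])))

def is_multicast(mac_bytes):
    """Multicast MAC: lowest bit of the first byte is set (first byte is odd)."""
    return bool(mac_bytes[0] & 1)

def mac_filter(frame, macs):
    dst, src, _, _ = parse(frame)
    return dst in macs or src in macs

def ip_filter(frame, ips):
    """IP address filter as described above: it only judges IP frames, others pass."""
    _, _, sip, dip = parse(frame)
    return sip is None or sip in ips or dip in ips

# Constructed sample values (documentation IP range, locally administered MACs).
GATEWAY, HOST, PEER = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"
WEB_SERVER = "203.0.113.80"
FRAMES = {
    "web_reply": build_frame(HOST, GATEWAY, 0x0800, WEB_SERVER, "192.168.1.10"),
    "lan_ip":    build_frame(PEER, HOST, 0x0800, "192.168.1.10", "192.168.1.20"),
    "ipx":       build_frame(PEER, HOST, 0x8137),
    "multicast": build_frame("01:00:5e:00:00:fb", PEER, 0x0800, "192.168.1.20", "224.0.0.251"),
}

def matching(filter_fn, values):
    return sorted(name for name, f in FRAMES.items() if filter_fn(f, values))
```

Calling matching(ip_filter, {WEB_SERVER}) returns the IPX frame along with the web server's reply, which is why the protocol filter is needed in addition when only IP traffic is of interest.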