Upravit

Sdílet prostřednictvím


Writing ADDRESSTABLE Filter Portion

The address filter notifies the Network Monitor driver to accept frames that have one of a variety of specified MAC address types (Ethernet, Token Ring, and FDDI). You can specify a maximum of eight address pairs. An address pair can specify a source, a destination, both, or neither.

The address portion of the filter consists of two structures: ADDRESSTABLE and ADDRESSPAIR.

If you specify NO addresses, then ALL frames will pass the address filter. However, if you specify any addresses, only those frames that pass the given address filter will pass.

Building the address filter involves allocating an ADDRESSTABLE structure and filling in members of the ADDRESSPAIR structure.

To build the address portion of a capture filter

  1. Use the CAPTUREFILTER_FLAGS_LOCAL_ONLY flag of the CAPTUREFILTER structure to restrict the capture to traffic to and from your local computer.

    Setting this flag will not set the NIC to promiscuous mode; the capture file will capture only local traffic.

  2. Use the following example code to define the ADDRESSTABLE structure:

    typedef struct _ADDRESSTABLE
    {
        DWORD           nAddressPairs;
        DWORD           nNonMacAddressPairs;
        ADDRESSPAIR     AddressPair[MAX_ADDRESS_PAIRS];
    } ADDRESSTABLE;
    
    typedef ADDRESSTABLE *LPADDRESSTABLE;
    
    typedef struct _ADDRESSPAIR
    {
        WORD        AddressFlags;
        WORD        NalReserved;
        ADDRESS     DstAddress;
        ADDRESS     SrcAddress;
    } ADDRESSPAIR;
    
    typedef ADDRESSPAIR *LPADDRESSPAIR;
    
  3. Use the information, listed in the following table, to select an ADDRESSPAIR flag type.

    Flag Meaning
    ADDRESS_FLAGS_MATCH_DST Matches a destination address.
    ADDRESS_FLAGS_MATCH_SRC Matches a source address
    ADDRESS_FLAGS_EXCLUDE Excludes the frame if this address is found (either a defined source or destination).
    ADDRESS_FLAGS_DST_GROUP_ADDR Matches group bit (of the destination address) only for broadcast-type messages.
    ADDRESS_FLAGS_MATCH_BOTH Matches both the destination and source addresses.

     

  4. Fill in a destination address, which is evaluated against the ADDRESSPAIR flag that you select.

  5. Fill in a source address, which is evaluated against the ADDRESSPAIR flag that you select.

  6. Populate the ADDRESSTABLE structure with an array of ADDRESSPAIR structures, which includes the address pairs that the driver evaluates. All address pairs are evaluated as a logical OR statement (ADDRESSPAIR 1 || ADDRESSPAIR 2). You can include a maximum of eight address pairs in a capture filter.