Network Monitor Fields and Properties for Filtering
The links below list common data fields and properties that can be used for filtering with Network Monitor 3.x. They are categorized by protocol. This list is helpful for understanding some of the more common data fields and properties with descriptions of what they do. Please help us extend the list by editing the wiki with fields you've found useful.
Data Fields represent real data that is on the wire. Each piece of the raw data will most likely have a field associated with it.
Properties represent meta data. There are many uses for Properties in the protocol parsing code, but a few useful ones from a user perspective are:
- Calculation or summary of multiple data fields - For Instance, there is no field that represents the TCP length, but there is a property that does.
- Represents a data field with different root paths- For instance and SMB file name can appear in many different structures and locations with in and SMB and SMB2 packet. It's difficult to filter on each of these separately because you'd have to know all the possible paths. In some instances, a property decorates the data fields in each location it appears in the parser code. Using these properties to filter makes it easier to find any instance of a value regardless where it appears in the protocol parser.
- Pairs- Pairs are special properties and in the tables below are listed under the fields section as they are associated with a protocol. Pair properties represent two pieces of data at the same time so, for instance, that they can be evaluated as a source/destination pair. When you filter with a pair, the
Click on each protocol below to see a list of data fields, properties and examples.
| [[Network Monitor Conversation Filtering | Conversation]] | The conversation scope provides state information properties at different levels. At the root it contains process information. And for each protocol, state information based on the current conversation. |
| [[Network Monitor Ethernet Filtering | Ethernet]] | This protocol contains the low level machine addresses and protocol type. Most traffic has an Ethernet header, though there are exceptions like wireless and Tunneled traffic. Look at Ethernet on Wikipedia. |
| [[Network Monitor FrameVariable Filtering | FrameVariable]] | FrameVariable is a special scope which contains frame level information like frame length and time related fields. |
| [[Network Monitor HTTP Filtering | HTTP]] | HTTP is the main protocol used to describe web pages for your browser to render. Look at HTTP on Wikipedia. |
| [[Network Monitor IPv4 Filtering | IPv4]] | IPv4 is the Internet layer protocol which provides general network layer addressing. Look at IPv4 on Wikipedia. |
| [[Network Monitor IPv6 Filtering | IPv6]] | IPv6 is the update to IPv4 to provide more networking addresses. Look at IPv6 on Wikipedia. |
| [[Network Monitor Property Filtering | Property]] | The property scope represents a set of properties which exist for the current frame. Some of these are mentioned with regards to other protocols as they are defined in multiple places. The property value you see is the last one that is set after the frame is completely parsed. |
| [[Network Monitor SMB Filtering | SMB]] | Server Message Block (SMB) is a common protocol for file and sharing type communication. The SMB protocol documentation is available here. |
| [[Network Monitor SMB2 Filtering | SMB2]] | This is an update to SMB which is used in Vista moving forward. The SMB2 protocol documentation is available here. |
| [[Network Monitor TCP Filtering | TCP]] | TCP is the transport layer which handles sequencing and deliver of packets on the network. Look at TCP on Wikipedia. |
| [[Network Monitor Wireless Filtering | WiFi]] | WiFi is the hardware layer for Wireless traffic. Our driver adds a wireless header which contains information like signal strength, channel and data rate. |
Go to Network Monitor Blog