Network Monitor FrameVariable Filtering
Data Fields:
We will consider FrameVariable's members as properties because data fields represent data on the wire for a frame.
Properties:
To avoid [[Network Monitor Name Collisions | name collisions]], each field should be prefaced by "FrameVariable.". To save space, we've left this out in the Field column.
Field | Description | Example |
FrameNumber | The 0-based index of the frame in the capture file. This means frame 1 is 0 when using FrameNumber while filtering. | FrameVariable.FrameNumber == 0 |
TimeOfDay | Unfortunately, you can't filter on a date string. However, you can convert it to a long value using the right-click "add as filter" feature when clicking the Time of Day column in the UI. This value is the 64-bit representation of a time value. | FrameVariable.TimeOfDay == 129222852861360590 |
TimeDateLocalAdjusted | The time and date stamp of the captured frame, adjusted to your local time zone. Unfortunately, you can't filter on a date string. However, you can convert it to a long value using the right-click "add as filter" feature when clicking the Time of Day column in the UI. This value is the 64-bit representation of a time value. | FrameVariable.TimeDateLocalAdjusted == 129222852861360590 |
TimeDelta | When displayed as a column in the UI, this is the delta from the last displayed frame. However, when used as a filter, this is the time delta from the last physical frame in the capture. You can always save a filtered trace if you need to filter time data based on a subset of the total traffic. The example shows frames where the response from the last frame is greater than 1 second. | FrameVariable.TimeDelta > 10000000 |
TimeOffset | Time offset of the frame relative to the time stamp of the capture file. This is usually when the capture was started. For instance, the time stamp of the first frame could be greater than zero if it's a circular capture and the oldest frames have been overwritten. This example shows all frames greater than 1 second into the trace. | FrameVariable.TimeOffset > 10000000 |
CommentTitle | This represents a comment title if a frame comment has been added to your trace. You can add it as a column in the UI or use it in a filter to find frames. One application of this would be to mark frames with certain attributes and then filter to find frames that match. | FrameVariable.CommentTitle.Contains("test") |
MediaType | As the Network Capture Format can hold frames from multiple interfaces, each frame can have a different media type. The example looks for frames that are Ethernet. | FrameVariable.MediaType==1 |
FrameData | Represents all the data in a frame. A main scenario is searching all frame data using ContainsBin as the example shows. | ContainsBin(FrameData, HEX, "12 A9") |
ConvID | Represents all the data in a frame. A main scenario is searching all frame data using ContainsBin as the example shows. | FrameVariable.ConvID.Contains("12") |
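
Because the time fields cannot be filtered with a date string, a small helper can turn a timestamp from an alert or log into the long value and build the filter text. This is an added example, not part of Network Monitor or the original page; it assumes the 64-bit value is a count of 100-nanosecond ticks since 1601-01-01 UTC (consistent with 10000000 meaning 1 second above) and that TimeOfDay is in UTC, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the 64-bit time value is a Windows FILETIME-style count of
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # matches "10000000 = 1 second" in the table


def datetime_to_ticks(dt):
    """Convert a timezone-aware datetime to 100 ns ticks since 1601 (UTC)."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid zone mistakes")
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def ticks_to_datetime(ticks):
    """Convert ticks back to a UTC datetime (sub-microsecond part is dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def time_window_filter(start, end, field="TimeOfDay"):
    """Build a filter matching frames stamped between start and end."""
    lo, hi = datetime_to_ticks(start), datetime_to_ticks(end)
    if lo > hi:
        raise ValueError("start must not be after end")
    name = f"FrameVariable.{field}"
    return f"{name} >= {lo} AND {name} <= {hi}"


def min_gap_filter(seconds):
    """Build a TimeDelta filter for gaps longer than the given seconds."""
    return f"FrameVariable.TimeDelta > {round(seconds * TICKS_PER_SECOND)}"


if __name__ == "__main__":
    # Constructed sample window: one minute of interest from an alert timeline.
    start = datetime(2010, 6, 29, 11, 41, 0, tzinfo=timezone.utc)
    print(time_window_filter(start, start + timedelta(minutes=1)))
    print(min_gap_filter(1))
    print(ticks_to_datetime(129222852861360590).isoformat())
```

For TimeDateLocalAdjusted, pass `field="TimeDateLocalAdjusted"` and a datetime whose wall-clock fields are already in the capture machine's local time.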