Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Creating a capture filter that works with Network Monitor is a five-step process:
- Setting the Etype or SAP Filter
- Writing ADDRESSTABLE Filter
- Writing the PATTERNMATCH Filter
- Clipping a Frame
- Implementing the Capture Filter Code
A capture filter is a series of additions to the NPP BLOB that selects which frames are passed back to the monitor. If a monitor does not alter the NPP BLOB, then the NPP will go into promiscuous mode and send all network traffic to the monitor. The NPP is most efficient if it can reduce the data handed up to a driver, so a monitor should create a capture filter. A monitor sets its capture filter by writing to the NPP BLOB in the call to the DoConfigure function. The MCSVC then calls the NPP with the NPP BLOB. See Capture Filters for more details on the capture filter, Network Packet Providers on NPPs, and Network Monitor Blobs on BLOB functions.