Live filtering of tables
General
Multiple measurement statistics list all entries in tables with separate columns for all measured values, each of which can be sorted individually.
Since there are often a lot of entries, the Allegro Network Multimeter allows filtering those tables to quickly find the relevant information.
Each search text area shows a hint about what kind of information the table can be filtered by. Once a filter is entered, the table is updated immediately while the measured values for the visible entries continue to update.
This live filtering allows for viewing live data only for the entries that are currently important for the investigation of a network problem.
Single word matching
It is always possible to enter a single word for filtering.
In this case the Allegro Network Multimeter will match any possible field for the given text.
For instance, in the IP statistics, the IP will be matched if a number representation is entered, with an optional subnet mask length (1.2.3.4/8).
The known alternative names are also matched, so it is possible to enter a host name and the list will show only those entries which contain the string in the DHCP name, DNS name, HTTP name, or any other name field.
Complex filter expressions
Some tables allow for using more complex expressions for flexible live filtering.
Support for filter expressions is indicated by the hint text in the search area, which states that the entered string must start with an open parenthesis "(".
In this mode it is possible to enter expressions in the form of keyword == value.
The keyword depends on the actual context of the search field; often name, ip, or packets are possible.
The web interface will give hints about all possible keywords in the current context which usually directly correlate with the available columns.
The comparison operator can be == or != for an equal or unequal comparison; for numbers, <, >=, etc. can be used too.
Multiple expressions can be combined with the boolean operators "and" or "or" (or the equivalent && / ||). Parentheses can also be used to build even more complex expressions.
Examples
- Show all IPs with at least 100 packets, that have been active within the last minute:
(packets > 100 and lasttime < 60)
- Show all IPs that showed up not more than 24 hours ago and have an associated name of alice or bob:
(firsttime < 86400 and (name == alice or name == bob))
- 86400 is the number of seconds in 24 hours (24 * 60 * 60)
Notes
- It is possible to enter values in quotes if they contain reserved characters used for the expressions (<, =, &, (, etc.).
- Under the search text area, the interface will show all valid values for the last element entered in the expression.
- A green check mark indicates if the entered expression has been successfully parsed.
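The expression mode described above can be modelled with a small recursive-descent parser that accepts keyword/operator/value comparisons, and/or (or && / ||), parentheses and quoted values, and raises ValueError where an expression does not parse. This is an added example, not Allegro's implementation: the operator precedence, the case-insensitive text comparison, the handling of several names per host and the sample rows are assumptions made for illustration.

```python
import operator
import re

TOKEN = re.compile(r'"([^"]*)"|(==|!=|<=|>=|<|>|&&|\|\||\(|\))|([^\s()<>=!&|"]+)|(\S)')
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def tokenize(text):
    tokens = []
    for m in TOKEN.finditer(text):
        quoted, symbol, word, stray = m.groups()
        if stray:
            raise ValueError(f"unexpected character {stray!r} at offset {m.start()}")
        symbol = {"and": "&&", "or": "||"}.get(word, symbol)  # word operators
        tokens.append(("sym", symbol) if symbol else ("val", quoted if word is None else word))
    return tokens + [("end", "")]

def compare(have, op, want):  # assumption: numeric if both sides are numbers, else text
    def one(value):
        try:
            return op(float(value), float(want))
        except ValueError:
            return op(str(value).lower(), want.lower())
    hits = [one(v) for v in (have if isinstance(have, list) else [have])]
    return all(hits) if op is operator.ne else any(hits)  # a host may have many names

def compile_filter(text, keywords):  # returns row -> bool, ValueError if invalid
    tokens, pos = tokenize(text), 0
    def take(kind, value=None):
        nonlocal pos
        if tokens[pos][0] != kind or value not in (None, tokens[pos][1]):
            raise ValueError(f"unexpected {tokens[pos][1] or 'end of input'!r}")
        pos += 1
        return tokens[pos - 1][1]
    def comparison():
        if tokens[pos] == ("sym", "("):
            take("sym")
            inner = either()
            take("sym", ")")
            return inner
        key, op, want = take("val"), take("sym"), take("val")
        if key not in keywords or op not in OPS:
            raise ValueError(f"invalid comparison: {key} {op} {want}")
        return lambda row: compare(row[key], OPS[op], want)
    def chain(operand, symbol, combine):
        parts = [operand()]
        while tokens[pos] == ("sym", symbol):
            take("sym")
            parts.append(operand())
        return lambda row: combine(p(row) for p in parts)
    def either():  # assumption: "and" binds tighter than "or"
        return chain(lambda: chain(comparison, "&&", all), "||", any)
    predicate = either()
    take("end")
    return predicate

# Constructed sample rows; firsttime/lasttime are seconds since first/last activity.
ROWS = [{"ip": "10.0.0.5", "name": ["alice", "alice-pc.example"], "packets": 2500, "firsttime": 3600, "lasttime": 12},
        {"ip": "10.0.0.9", "name": ["bob"], "packets": 40, "firsttime": 7200, "lasttime": 300},
        {"ip": "10.0.0.7", "name": ["printer<2>"], "packets": 900, "firsttime": 900000, "lasttime": 5}]

def select(text):  # IPs of the sample rows that the expression keeps
    return [r["ip"] for r in filter(compile_filter(text, set(ROWS[0])), ROWS)]
```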
Available keywords
The available keywords vary depending on the web interface section.
The web interface will always show the available keywords in the specific context. The following table contains all keywords:
Keyword | Description |
---|---|
name | any name information (DNS, DHCP, SSL, HTTP, custom names, etc) |
name.dns | DNS name information only for IPs and IP connections |
category | the category of a custom name |
ip | the IP address of the client or server side |
ipgroup | the name(s) of the matching IP groups if configured |
clientip | the IP address of the client |
serverip | the IP address of the server |
packets | the number of packets (received and transmitted combined) |
rxpackets | the number of received packets |
txpackets | the number of transmitted packets |
clientpackets | the number of packets sent by the client |
serverpackets | the number of packets sent by the server |
bytes | the number of bytes (received and transmitted combined) |
rxbytes | the number of received bytes |
txbytes | the number of transmitted bytes |
clientbytes | the number of bytes sent by the client |
serverbytes | the number of bytes sent by the server |
pps | the packets per second value |
rxpps | the received packets per second value |
txpps | the transmitted packets per second value |
bps | the bits per second value |
rxbps | the received bits per second value |
txbps | the transmitted bits per second value |
firsttime | the time of the first activity |
lasttime | the time of the last activity |
tcppackets | the number of TCP packets (received and transmitted combined) |
udppackets | the number of UDP packets (received and transmitted combined) |
tcppayload | the amount of bytes processed as TCP payload |
tcpRetrans | the amount of payload bytes retransmitted |
tcpRetransRx | the amount of received payload bytes retransmitted |
tcpRetransTx | the amount of transmitted payload bytes retransmitted |
tcpRetransClient | the amount of client payload bytes retransmitted |
tcpRetransServer | the amount of server payload bytes retransmitted |
mac | the MAC address of the client or server |
port | the layer 4 port of the client or server (a number or range) |
clientport | the layer 4 port of the client (a number or range) |
serverport | the layer 4 port of the server (a number or range) |
l4protocol | the layer 4 protocol name (tcp, udp, icmp, etc) |
l7protocol | the layer 7 protocol name (http, dns, etc) |
tcpend | the ending reason of a TCP connection (open, fin, rst, timeout) |
tcpstate | the state of a TCP connection (valid, invalid, unknown) |
tcpclienthandshake | the TCP handshake time in milliseconds for the client (time to answer the server's syn packet) |
tcpserverhandshake | the TCP handshake time in milliseconds for the server (time to answer the client's syn packet) |
tcpdataresponseavg | the average TCP data response time in milliseconds of the connection |
tcpdataresponsemax | the max TCP data response time in milliseconds of the connection (any direction) |
httpresponse | the HTTP response time for a request |
httpstatus | the HTTP status code of the response |
sslhandshake | the SSL handshake time (time for the server to answer the SSL setup) |
packetratio | the client/server packet ratio as a floating point number |
vlan | the VLAN tag (a tag or 'none'), both outer and inner VLAN will be considered |
outervlan | the outer VLAN tag (a tag or 'none') |
innervlan | the inner VLAN tag (a tag or 'none') |
interface | the interface ID (a number or a range) |
validconnections | the number of valid TCP connections |
invalidconnections | the number of invalid TCP connections |
profinetFrameId | the number of a Profinet frame ID |
minCallerJitter | the minimum jitter of the caller as a floating point number |
avgCallerJitter | the average jitter of the caller as a floating point number |
maxCallerJitter | the maximum jitter of the caller as a floating point number |
minCalleeJitter | the minimum jitter of the callee as a floating point number |
avgCalleeJitter | the average jitter of the callee as a floating point number |
maxCalleeJitter | the maximum jitter of the callee as a floating point number |
minJitter | the minimum jitter of the caller or callee as a floating point number |
avgJitter | the average jitter of the caller or callee as a floating point number |
maxJitter | the maximum jitter of the caller or callee as a floating point number |
minCallerMos | the minimum MOS of the caller as a floating point number |
avgCallerMos | the average MOS of the caller as a floating point number |
maxCallerMos | the maximum MOS of the caller as a floating point number |
minCalleeMos | the minimum MOS of the callee as a floating point number |
avgCalleeMos | the average MOS of the callee as a floating point number |
maxCalleeMos | the maximum MOS of the callee as a floating point number |
minMos | the minimum MOS of the caller or callee as a floating point number |
avgMos | the average MOS of the caller or callee as a floating point number |
maxMos | the maximum MOS of the caller or callee as a floating point number |
minClientJitter | the minimum jitter of the client as a floating point number |
maxClientJitter | the maximum jitter of the client as a floating point number |
avgClientJitter | the average jitter of the client as a floating point number |
minServerJitter | the minimum jitter of the server as a floating point number |
maxServerJitter | the maximum jitter of the server as a floating point number |
avgServerJitter | the average jitter of the server as a floating point number |
statusCode | the number of a status code |
mpls | the MPLS label (a label or 'none'), both outer and inner MPLS label will be considered |
outermpls | the outer MPLS label (a label or 'none') |
innermpls | the inner MPLS label (a label or 'none') |
qos | Filter for presence or absence of QoS. May be 'any' or 'none'. |
qosIpDscp | the DSCP value in the IP header |
qosMplsTc | the traffic class value in the outermost MPLS label stack entry |
qosVlanPcp | the priority code point in the outermost VLAN tag |
usedCipherSuite | the negotiated SSL/TLS cipher suite name |
usedTlsVersion | the negotiated SSL/TLS version |
pppoeSessionId | the PPPoE session ID (in hexadecimal or decimal representation) |
mtu | the MTU value in bytes |
rxMtu | the MTU value of the RX direction in bytes |
txMtu | the MTU value of the TX direction in bytes |
clientMtu | the MTU value of the sent direction of the client in bytes |
serverMtu | the MTU value of the sent direction of the server in bytes |
callId | the string value of a SIP call ID or similar identifier (e.g. P-Palladion-ID) |
dnsresponse | the DNS response time (for DNS connections) |
dnsstatus | matches the DNS response status (either a DNS reply code, e.g. 0 for success, or noanswer for unanswered DNS connections) |
dnsname | the requested DNS name |
callerRtpPacketLoss | the amount of lost packets of the RTP flow of the caller |
calleeRtpPacketLoss | the amount of lost packets of the RTP flow of the callee |
rtpPacketLoss | the amount of lost packets of the RTP flow of the caller or callee |
clientRtpPacketLoss | the amount of lost packets of the RTP flow of the client |
serverRtpPacketLoss | the amount of lost packets of the RTP flow of the server |
callerRtpJitterBufferExceeded | the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the caller |
calleeRtpJitterBufferExceeded | the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the callee |
rtpJitterBufferExceeded | the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the caller or callee |
clientRtpJitterBufferExceeded | the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the client |
serverRtpJitterBufferExceeded | the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the server |
callerRtpPayloadType | the payload type of the RTP flow of the caller as a string, will match also parts of the name e.g. G.711 |
calleeRtpPayloadType | the payload type of the RTP flow of the callee as a string, will match also parts of the name e.g. G.711 |
rtpPayloadType | the payload type of the RTP flow of the caller or callee as a string, will match also parts of the name e.g. G.711 |
duration, sipDuration | the duration of a connection or a SIP call in seconds |
callerDuration | the duration of a SIP call of the caller in seconds |
calleeDuration | the duration of a SIP call of the callee in seconds |
diffRtpSipDuration | the difference between the duration of a SIP call and its RTP connection in seconds |
sipQos | Filter for presence or absence of QoS in SIP calls. May be 'any' or 'none'. |
sipQosIpDscp | the DSCP value in the IP header of SIP packets |
sipQosMplsTc | the traffic class value in the outermost MPLS label stack entry of SIP packets |
sipQosVlanPcp | the priority code point in the outermost VLAN tag of SIP packets |
rtpQos | Filter for presence or absence of QoS in RTP streams. May be 'any' or 'none'. |
rtpQosIpDscp | the DSCP value in the IP header of RTP packets |
rtpQosMplsTc | the traffic class value in the outermost MPLS label stack entry of RTP packets |
rtpQosVlanPcp | the priority code point in the outermost VLAN tag of RTP packets |
tcpZeroWindow | the number of TCP zero window packets |
tcpZeroWindowRx | the number of TCP zero window packets in RX direction |
tcpZeroWindowTx | the number of TCP zero window packets in TX direction |
tcpZeroWindowClient | the number of TCP zero window packets of the client |
tcpZeroWindowServer | the number of TCP zero window packets of the server |
tcpWindowSize | the value of the announced TCP window size in bytes |
tcpWindowSizeClient | the value of the announced TCP window size of the client in bytes |
tcpWindowSizeServer | the value of the announced TCP window size of the server in bytes |
tcpSmallestWindowSize | the smallest announced TCP window in bytes |
tcpSmallestWindowSizeClient | the smallest announced TCP window of the client in bytes |
tcpSmallestWindowSizeServer | the smallest announced TCP window of the server in bytes |
tcpWindowScale | the value of the announced TCP window scale |
tcpWindowScaleClient | the value of the announced TCP window scale of the client |
tcpWindowScaleServer | the value of the announced TCP window scale of the server |
tcpUsedWindowSize | the value of the actual used TCP window in bytes |
tcpUsedWindowSizeClient | the value of the actual used TCP window of the client in bytes |
tcpUsedWindowSizeServer | the value of the actual used TCP window of the server in bytes |
tcpSyn | the number of TCP SYN packets |
tcpSynClient | the number of TCP SYN packets of the client |
tcpSynServer | the number of TCP SYN packets of the server |
tcpSynRx | the number of received TCP SYN packets of an IP |
tcpSynTx | the number of transmitted TCP SYN packets of an IP |
tcpSynAck | the number of TCP SYN-ACK packets |
tcpSynAckClient | the number of TCP SYN-ACK packets of the client |
tcpSynAckServer | the number of TCP SYN-ACK packets of the server |
tcpSynAckRx | the number of received TCP SYN-ACK packets of an IP |
tcpSynAckTx | the number of transmitted TCP SYN-ACK packets of an IP |
tcpRst | the number of TCP RST packets |
tcpRstClient | the number of TCP RST packets of the client |
tcpRstServer | the number of TCP RST packets of the server |
tcpRstRx | the number of received TCP RST packets of an IP |
tcpRstTx | the number of transmitted TCP RST packets of an IP |
tcpFin | the number of TCP FIN packets |
tcpFinClient | the number of TCP FIN packets of the client |
tcpFinServer | the number of TCP FIN packets of the server |
tcpFinRx | the number of received TCP FIN packets of an IP |
tcpFinTx | the number of transmitted TCP FIN packets of an IP |
tcpDupAck | the number of TCP DUP ACK packets |
tcpDupAckClient | the number of TCP DUP ACK packets of the client |
tcpDupAckServer | the number of TCP DUP ACK packets of the server |
tcpDupAckRx | the number of received TCP DUP ACK packets of an IP |
tcpDupAckTx | the number of transmitted TCP DUP ACK packets of an IP |
tcpMissedData | the estimated amount of TCP bytes not seen |
traceroute | the IP or host name of a traceroute network hop |
tracerouteHostname | the host name of a traceroute network hop |
tracerouteIp | the IP of a traceroute network hop |
tlsAlert | the description of TLS alert messages (see RFC8446 section 6 for a full list) |
tlsAlertLevel | the TLS alert level (can be warning, fatal or unknown) |
supportedTlsVersion | the announced TLS version |
supportedCipherSuite | the announced SSL/TLS cipher suite name |
spi | IPSec SPI (security parameter index), a number in hexadecimal or decimal representation |
number | The phone number of the caller or callee of a SIP call. Extracted from 'From', 'To', 'Contact', 'P-Asserted-Identity', or 'P-Preferred-Identity' field or request URI. |
callerNumber | The phone number of the caller of a SIP call. Extracted from 'From' field. |
calleeNumber | The phone number of the callee of a SIP call. Extracted from 'To' field. |
packetTimeDelta min/avg/max | The RTP packet time delta in milliseconds (min, average or max). This is the delta of arrival time between two subsequent packets. |
callerPacketTimeDelta min/avg/max | The RTP packet time delta in milliseconds (min, average or max) of the caller. This is the delta of arrival time between two subsequent packets. |
calleePacketTimeDelta min/avg/max | The RTP packet time delta in milliseconds (min, average or max) of the callee. This is the delta of arrival time between two subsequent packets. |
clientPacketTimeDelta min/avg/max | The RTP packet time delta in milliseconds (min, average or max) of the client. This is the delta of arrival time between two subsequent packets. |
serverPacketTimeDelta min/avg/max | The RTP packet time delta in milliseconds (min, average or max) of the server. This is the delta of arrival time between two subsequent packets. |
serverMaxPacketLossBurst | The longest RTP packet loss in a row of the server. |
clientMaxPacketLossBurst | The longest RTP packet loss in a row of the client. |
callerMaxPacketLossBurst | The longest RTP packet loss in a row of the caller. |
calleeMaxPacketLossBurst | The longest RTP packet loss in a row of the callee. |
maxPacketLossBurst | The longest RTP packet loss in a row of either client/server or caller/callee. |
peerRole | The peer role. Could be either client or server. |
ssrc | The RTP synchronization source value of either client or server. It can also be used in hexadecimal notation. |
clientSsrc | The RTP synchronization source value of the client. It can also be used in hexadecimal notation. |
serverSsrc | The RTP synchronization source value of the server. It can also be used in hexadecimal notation. |
callerSsrc | The RTP synchronization source value of the caller. It can also be used in hexadecimal notation. |
calleeSsrc | The RTP synchronization source value of the callee. It can also be used in hexadecimal notation. |
peers | The amount of peers of an IP address. |
sipCallerIp | The IP address of the SIP caller, usually the sender of SIP Invite packet. |
sipCalleeIp | The IP address of the SIP callee, usually the receiver of SIP Invite packet. |
minTtl | The min value of TTL for IPv4 or hop limit for IPv6. |
maxTtl | The max value of TTL for IPv4 or hop limit for IPv6. |
avgTtl | The avg value of TTL for IPv4 or hop limit for IPv6. |
There are some additional keywords that support a limited set of Wireshark-compatible filter expressions:
Keyword | Description | Available in firmware version |
---|---|---|
ip.addr | the IPv4 address (either source or destination) | 3.4 |
ip.src | the IPv4 source address | 3.4 |
ip.dst | the IPv4 destination address | 3.4 |
ipv6.addr | the IPv6 address (either source or destination) | 3.4 |
ipv6.src | the IPv6 source address | 3.4 |
ipv6.dst | the IPv6 destination address | 3.4 |
tcp.port | the source or destination port of a TCP connection | 3.4 |
tcp.srcport | the source port of a TCP connection | 3.4 |
tcp.dstport | the destination port of a TCP connection | 3.4 |
udp.port | the source or destination port of a UDP connection | 3.4 |
udp.srcport | the source port of a UDP connection | 3.4 |
udp.dstport | the destination port of a UDP connection | 3.4 |
smb.shareName | the name of the SMB share | 4.1 |
smb.connectionEncrypted | if the connection between a client and a server is encrypted (possible values are: "encrypted" and "unencrypted") | 4.1 |
smb.negotiationState | the negotiation state of a connection | 4.1 |
smb.successfulConnects / smb.failedConnects | number of successful/failed connects to an SMB share | 4.1 |
smb.successfulDisconnects / smb.failedDisconnects | number of successful/failed disconnects from an SMB share | 4.1 |
smb.dialect | the used dialects of an SMB server | 4.1 |
smb.dialectReq | the dialects requested by a client | 4.1 |
smb.dialectUsed | the dialects used by a client | 4.1 |
smb.failedOpens / smb.successfulOpens | the number of successful/failed opens of a file by a client | 4.1 |
smb.failedCloses / smb.successfulCloses | the number of successful/failed closes of a file by a client | 4.1 |
smb.failedDeletes / smb.successfulDeletes | the number of successful/failed deletes of a file by a client | 4.1 |
smb.firstOpen / smb.lastOpen | time since the first/last open | 4.1 |
smb.lastClose | time since the file got closed the last time | 4.1 |
smb.lastDelete | time since the file got deleted the last time | 4.1 |
smb.bytesWritten / smb.bytesRead | the number of bytes written to/read from the file | 4.1 |
icmp.pingLatencyMin | the ping latency (min) in ms for ICMP ping request/replies tuples of one connection | 4.2 |
icmp.pingLatencyAvg | the ping latency (average) in ms for ICMP ping request/replies tuples of one connection | 4.2 |
icmp.pingLatencyMax | the ping latency (max) in ms for ICMP ping request/replies tuples of one connection | 4.2 |
icmp.requests | the number of ICMP ping requests of one connection | 4.2 |
icmp.replies | the number of ICMP ping replies of one connection | 4.2 |
ip.ttl.min / max / avg | the min / max / avg TTL value of an IPv4 | 4.2 |
ipv6.hlim.min / max / avg | the min / max / avg hop limit value of an IPv6 | 4.2 |
tds.loginack.tdsversion | the used TDS version as negotiated during the login process | 4.3 |
Wireshark filter syntax
Wireshark uses a filter syntax that is not directly compatible with the filter syntax in the Allegro Network Multimeter, as it is more strict regarding the expression and also supports many packet-header-related fields.
However, Wireshark conversation filters for IPv4, IPv6, TCP, and UDP can be used directly:
- Example: The filter "(ip.addr eq 1.2.3.4 and ip.addr eq 2.3.4.5) and (tcp.port eq 80 and tcp.port eq 1234)" is a valid filter expression. The corresponding native expression is: "ip == 1.2.3.4 and ip == 2.3.4.5 and port == 80 and port == 1234 and l4protocol == TCP" (the last part about the l4protocol can be left out since most of the time there is only one connection matching the port portion).