Live filtering of tables

From Allegro Network Multimeter Manual

General

Many measurement statistics show their entries in tables with separate columns for the measured values, each of which can be sorted individually.

Since there are often many entries, the Allegro Network Multimeter allows filtering those tables to quickly find the relevant information.

All search text areas show a hint about what kind of information the table can be filtered by. Once a filter is entered, the table is updated immediately, while the measured values for the visible entries continue to update.

This live filtering allows for viewing live data only for the entries that are currently important for the investigation of a network problem.

Single word matching

It is always possible to enter a single word for filtering.

In this case the Allegro Network Multimeter will match any possible field for the given text.

For instance, in the IP statistics, the IP will be matched if a numeric representation is entered, with an optional subnet mask length (for example 1.2.3.4/8).

The known alternative names are also matched, so it is possible to enter a host name and the list will show only those entries which contain the string in the DHCP name, DNS name, HTTP name, or any other name field.

Complex filter expressions

Some tables allow for using more complex expressions for flexible live filtering.

Support for filter expressions is indicated by the hint text in the search area, which states that the entered string must start with an opening parenthesis: (

In this mode it is possible to enter expressions in the form of keyword == value.

The keyword depends on the actual context of the search field; often name, ip, or packets are possible.

The web interface will give hints about all possible keywords in the current context which usually directly correlate with the available columns.

The comparison operator can be == or != to test for equality or inequality; for numbers, <, >=, etc. can be used as well.

Multiple expressions can be combined with the boolean operators and / or (or the equivalent && / ||). Parentheses can be used to build even more complex expressions.

Examples

  1. Show all IPs with more than 100 packets that have been active within the last minute:
    (packets > 100 and lasttime < 60)
  2. Show all IPs that first showed up not more than 24 hours ago and have an associated name of alice or bob:
    (firsttime < 86400 and (name == alice or name == bob))
    86400 is the number of seconds in 24 hours (24 * 60 * 60)

Notes

  • It is possible to enter values in quotes if they contain reserved characters used for the expressions (<,=,&,(, etc).
  • Under the search text area, the interface will show all valid values for the last element entered in the expression.
  • A green check mark indicates if the entered expression has been successfully parsed.
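
To make the semantics of the expression syntax above concrete, the following Python evaluator applies such filters to a small table. It is an added illustration, not Allegro's parser: the sample rows, the precedence of and over or, case-insensitive text comparison, and the reading of firsttime/lasttime as seconds since the activity are assumptions.

```python
import re
from operator import and_, eq, ge, gt, le, lt, ne, or_

# Assumed token set and constructed rows (times = seconds ago); not the product's parser.
TOKEN = re.compile(r'\s*(\(|\)|==|!=|<=|>=|<|>|&&|\|\||"[^"]*"|[^\s()=!<>&|"]+)')
OPS = {"==": eq, "!=": ne, "<": lt, "<=": le, ">": gt, ">=": ge}
ROWS = [
    {"ip": "192.0.2.5", "name": "alice", "packets": 250, "firsttime": 3600, "lasttime": 12},
    {"ip": "192.0.2.6", "name": "bob", "packets": 40, "firsttime": 90000, "lasttime": 30},
    {"ip": "192.0.2.8", "name": "r&d-host", "packets": 120, "firsttime": 500, "lasttime": 5},
]

def tokenize(text):
    text, pos, toks = text.strip(), 0, []
    while pos < len(text):
        if not (m := TOKEN.match(text, pos)):   # e.g. an unquoted reserved character
            raise ValueError(f"unexpected character at offset {pos}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

def compare(field, op, value):
    if isinstance(field, (int, float)):         # numeric column: every operator applies
        return OPS[op](field, float(value))
    if op in ("==", "!="):                      # text column: case-insensitive (assumed)
        return OPS[op](str(field).lower(), value.lower())
    raise ValueError("ordering operators need a numeric column")

def select(expr, rows=ROWS):
    toks = tokenize(expr)
    if toks[:1] != ["("]:                       # the page requires a leading '('
        raise ValueError("expression must start with '('")
    def take():
        if not toks:
            raise ValueError("unexpected end of expression (unbalanced parentheses?)")
        return toks.pop(0)
    def chain(sub, words, join):                # left-associative run of one operator
        left = sub()
        while toks and toks[0] in words:
            take()
            left = lambda row, a=left, b=sub(): join(a(row), b(row))
        return left
    def parse_atom():
        if toks[:1] == ["("]:
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        key, op, raw = take(), take(), take()   # keyword, operator, value
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        return lambda row: compare(row[key], op, raw.strip('"'))
    parse_and = lambda: chain(parse_atom, ("and", "&&"), and_)  # binds tighter (assumed)
    parse_or = lambda: chain(parse_and, ("or", "||"), or_)
    matches = parse_or()
    if toks:
        raise ValueError("unexpected trailing input")
    return [row["ip"] for row in rows if matches(row)]
```

Because the page does not state how and and or rank against each other, parenthesise any expression that mixes them rather than relying on the precedence assumed here.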

Available keywords

The available keywords vary depending on the web interface section.

The web interface will always show the available keywords in the specific context. The following table contains all keywords:

Keyword Description
name any name information (DNS, DHCP, SSL, HTTP, custom names, etc)
name.dns DNS name information only for IPs and IP connections
category the category of a custom name
ip the IP address of the client or server side
ipgroup the name(s) of the matching IP groups if configured
clientip the IP address of the client
serverip the IP address of the server
packets the number of packets (received and transmitted combined)
rxpackets the number of received packets
txpackets the number of transmitted packets
clientpackets the number of packets sent by the client
serverpackets the number of packets sent by the server
bytes the number of bytes (received and transmitted combined)
rxbytes the number of received bytes
txbytes the number of transmitted bytes
clientbytes the number of bytes sent by the client
serverbytes the number of bytes sent by the server
pps the packets per second value
rxpps the received packets per second value
txpps the transmitted packets per second value
bps the bits per second value
rxbps the received bits per second value
txbps the transmitted bits per second value
firsttime the time of the first activity
lasttime the time of the last activity
tcppackets the number of TCP packets (received and transmitted combined)
udppackets the number of UDP packets (received and transmitted combined)
tcppayload the amount of bytes processed as TCP payload
tcpRetrans the amount of payload bytes retransmitted
tcpRetransRx the amount of received payload bytes retransmitted
tcpRetransTx the amount of transmitted payload bytes retransmitted
tcpRetransClient the amount of client payload bytes retransmitted
tcpRetransServer the amount of server payload bytes retransmitted
mac the MAC address of the client or server
port the layer 4 port of the client or server (a number or range)
clientport the layer 4 port of the client
serverport the layer 4 port of the server
l4protocol the layer 4 protocol name (tcp, udp, icmp, etc)
l7protocol the layer 7 protocol name (http, dns, etc)
tcpend the ending reason of a TCP connection (open, fin, rst, timeout)
tcpstate the state of a TCP connection (valid, invalid, unknown)
tcpclienthandshake the TCP handshake time in milliseconds for the client (time to answer the server's syn packet)
tcpserverhandshake the TCP handshake time in milliseconds for the server (time to answer the client's syn packet)
tcpdataresponseavg the average TCP data response time in milliseconds of the connection
tcpdataresponsemax the max TCP data response time in milliseconds of the connection (any direction)
httpresponse the HTTP response time for a request
httpstatus the HTTP status code of the response
sslhandshake the SSL handshake time (time for the server to answer the SSL setup)
packetratio the client/server packet ratio as a floating point number
vlan the VLAN tag (a tag or 'none'), both outer and inner VLAN will be considered
outervlan the outer VLAN tag (a tag or 'none')
innervlan the inner VLAN tag (a tag or 'none')
interface the interface ID (a number or a range)
validconnections the number of valid TCP connections
invalidconnections the number of invalid TCP connections
profinetFrameId the number of a Profinet frame ID
minCallerJitter the minimum jitter of the caller as a floating point number
avgCallerJitter the average jitter of the caller as a floating point number
maxCallerJitter the maximum jitter of the caller as a floating point number
minCalleeJitter the minimum jitter of the callee as a floating point number
avgCalleeJitter the average jitter of the callee as a floating point number
maxCalleeJitter the maximum jitter of the callee as a floating point number
minJitter the minimum jitter of the caller or callee as a floating point number
avgJitter the average jitter of the caller or callee as a floating point number
maxJitter the maximum jitter of the caller or callee as a floating point number
minCallerMos the minimum MOS of the caller as a floating point number
avgCallerMos the average MOS of the caller as a floating point number
maxCallerMos the maximum MOS of the caller as a floating point number
minCalleeMos the minimum MOS of the callee as a floating point number
avgCalleeMos the average MOS of the callee as a floating point number
maxCalleeMos the maximum MOS of the callee as a floating point number
minMos the minimum MOS of the caller or callee as a floating point number
avgMos the average MOS of the caller or callee as a floating point number
maxMos the maximum MOS of the caller or callee as a floating point number
minClientJitter the minimum jitter of the client as a floating point number
maxClientJitter the maximum jitter of the client as a floating point number
avgClientJitter the average jitter of the client as a floating point number
minServerJitter the minimum jitter of the server as a floating point number
maxServerJitter the maximum jitter of the server as a floating point number
avgServerJitter the average jitter of the server as a floating point number
statusCode the number of a status code
mpls the MPLS label (a label or 'none'), both outer and inner MPLS label will be considered
outermpls the outer MPLS label (a label or 'none')
innermpls the inner MPLS label (a label or 'none')
qos Filter for presence or absence of QoS. May be 'any' or 'none'.
qosIpDscp the DSCP value in the IP header
qosMplsTc the traffic class value in the outermost MPLS label stack entry
qosVlanPcp the priority code point in the outermost VLAN tag
usedCipherSuite the negotiated SSL/TLS cipher suite name
usedTlsVersion the negotiated SSL/TLS version
pppoeSessionId the PPPoE session ID (in hexadecimal or decimal representation)
mtu the MTU value in bytes
rxMtu the MTU value of the RX direction in bytes
txMtu the MTU value of the TX direction in bytes
clientMtu the MTU value of the sent direction of the client in bytes
serverMtu the MTU value of the sent direction of the server in bytes
callId the string value of a SIP call ID or similar identifier (e.g. P-Palladion-ID)
dnsresponse the DNS response time (for DNS connections)
dnsstatus matches DNS response status (either a DNS reply code, e.g. 0 for success, or noanswer for unanswered DNS connections)
dnsname the requested DNS name
callerRtpPacketLoss the amount of lost packets of the RTP flow of the caller
calleeRtpPacketLoss the amount of lost packets of the RTP flow of the callee
rtpPacketLoss the amount of lost packets of the RTP flow of the caller or callee
clientRtpPacketLoss the amount of lost packets of the RTP flow of the client
serverRtpPacketLoss the amount of lost packets of the RTP flow of the server
callerRtpJitterBufferExceeded the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the caller
calleeRtpJitterBufferExceeded the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the callee
rtpJitterBufferExceeded the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the caller or callee
clientRtpJitterBufferExceeded the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the client
serverRtpJitterBufferExceeded the amount of packets with jitter above configured max jitter buffer threshold (default 50ms) of the RTP flow of the server
callerRtpPayloadType the payload type of the RTP flow of the caller as a string, will match also parts of the name e.g. G.711
calleeRtpPayloadType the payload type of the RTP flow of the callee as a string, will match also parts of the name e.g. G.711
rtpPayloadType the payload type of the RTP flow of the caller or callee as a string, will match also parts of the name e.g. G.711
duration, sipDuration the duration of a connection or a SIP call, amount of seconds
callerDuration the duration of a SIP call of the caller, amount of seconds
calleeDuration the duration of a SIP call of the callee, amount of seconds
diffRtpSipDuration the difference between the duration of a SIP call and its RTP connection, amount of seconds
sipQos Filter for presence or absence of QoS in SIP calls. May be 'any' or 'none'.
sipQosIpDscp the DSCP value in the IP header of SIP packets
sipQosMplsTc the traffic class value in the outermost MPLS label stack entry of SIP packets
sipQosVlanPcp the priority code point in the outermost VLAN tag of SIP packets
rtpQos Filter for presence or absence of QoS in RTP streams. May be 'any' or 'none'.
rtpQosIpDscp the DSCP value in the IP header of RTP packets
rtpQosMplsTc the traffic class value in the outermost MPLS label stack entry of RTP packets
rtpQosVlanPcp the priority code point in the outermost VLAN tag of RTP packets
tcpZeroWindow the number of TCP zero window packets
tcpZeroWindowRx the number of TCP zero window packets in RX direction
tcpZeroWindowTx the number of TCP zero window packets in TX direction
tcpZeroWindowClient the number of TCP zero window packets of the client
tcpZeroWindowServer the number of TCP zero window packets of the server
tcpWindowSize the value of the announced TCP window size in bytes
tcpWindowSizeClient the value of the announced TCP window size of the client in bytes
tcpWindowSizeServer the value of the announced TCP window size of the server in bytes
tcpSmallestWindowSize the smallest announced TCP window in bytes
tcpSmallestWindowSizeClient the smallest announced TCP window of the client in bytes
tcpSmallestWindowSizeServer the smallest announced TCP window of the server in bytes
tcpWindowScale the value of the announced TCP window scale
tcpWindowScaleClient the value of the announced TCP window scale of the client
tcpWindowScaleServer the value of the announced TCP window scale of the server
tcpUsedWindowSize the value of the actual used TCP window in bytes
tcpUsedWindowSizeClient the value of the actual used TCP window of the client in bytes
tcpUsedWindowSizeServer the value of the actual used TCP window of the server in bytes
tcpSyn the number of TCP SYN packets
tcpSynClient the number of TCP SYN packets of the client
tcpSynServer the number of TCP SYN packets of the server
tcpSynAck the number of TCP SYN-ACK packets
tcpSynAckClient the number of TCP SYN-ACK packets of the client
tcpSynAckServer the number of TCP SYN-ACK packets of the server
tcpRst the number of TCP RST packets
tcpRstClient the number of TCP RST packets of the client
tcpRstServer the number of TCP RST packets of the server
tcpFin the number of TCP FIN packets
tcpFinClient the number of TCP FIN packets of the client
tcpFinServer the number of TCP FIN packets of the server
tcpMissedData the estimated amount of TCP bytes that were not seen
traceroute the IP or host name of a traceroute network hop
tracerouteHostname the host name of a traceroute network hop
tracerouteIp the IP of a traceroute network hop
tlsAlert the description of TLS alert messages (see RFC8446 section 6 for a full list)
tlsAlertLevel the TLS alert level (can be warning, fatal or unknown)
supportedTlsVersion the announced TLS version
supportedCipherSuite the announced SSL/TLS cipher suite name
spi IPSec SPI (security parameter index), a number in hexadecimal or decimal representation
number The phone number of the caller or callee of a SIP call. Extracted from 'From', 'To', 'Contact', 'P-Asserted-Identity', or 'P-Preferred-Identity' field or request URI.
callerNumber The phone number of the caller of a SIP call. Extracted from 'From' field.
calleeNumber The phone number of the callee of a SIP call. Extracted from 'To' field.
packetTimeDelta min/avg/max The RTP packet time delta in milliseconds (min, average or max). This is the delta of arrival time between two subsequent packets.
callerPacketTimeDelta min/avg/max The RTP packet time delta in milliseconds (min, average or max) of the caller. This is the delta of arrival time between two subsequent packets.
calleePacketTimeDelta min/avg/max The RTP packet time delta in milliseconds (min, average or max) of the callee. This is the delta of arrival time between two subsequent packets.
clientPacketTimeDelta min/avg/max The RTP packet time delta in milliseconds (min, average or max) of the client. This is the delta of arrival time between two subsequent packets.
serverPacketTimeDelta min/avg/max The RTP packet time delta in milliseconds (min, average or max) of the server. This is the delta of arrival time between two subsequent packets.
serverMaxPacketLossBurst The longest RTP packet loss in a row of the server.
clientMaxPacketLossBurst The longest RTP packet loss in a row of the client.
callerMaxPacketLossBurst The longest RTP packet loss in a row of the caller.
calleeMaxPacketLossBurst The longest RTP packet loss in a row of the callee.
maxPacketLossBurst The longest RTP packet loss in a row of either client/server or caller/callee.
peerRole The peer role. Could be either client or server.
ssrc The RTP synchronization source value of either client or server. It can also be used in hexadecimal notation.
clientSsrc The RTP synchronization source value of the client. It can also be used in hexadecimal notation.
serverSsrc The RTP synchronization source value of the server. It can also be used in hexadecimal notation.
callerSsrc The RTP synchronization source value of the caller. It can also be used in hexadecimal notation.
calleeSsrc The RTP synchronization source value of the callee. It can also be used in hexadecimal notation.
peers The amount of peers of an IP address.
sipCallerIp The IP address of the SIP caller, usually the sender of SIP Invite packet.
sipCalleeIp The IP address of the SIP callee, usually the receiver of SIP Invite packet.
minTtl The min value of TTL for IPv4 or hop limit for IPv6.
maxTtl The max value of TTL for IPv4 or hop limit for IPv6.
avgTtl The avg value of TTL for IPv4 or hop limit for IPv6.

There are some additional keywords that support a limited set of Wireshark-compatible filter expressions:

Keyword Description Available in firmware version
ip.addr the IPv4 address (either source or destination) 3.4
ip.src the IPv4 source address 3.4
ip.dst the IPv4 destination address 3.4
ipv6.addr the IPv6 address (either source or destination) 3.4
ipv6.src the IPv6 source address 3.4
ipv6.dst the IPv6 destination address 3.4
tcp.port the source or destination port of a TCP connection 3.4
tcp.srcport the source port of a TCP connection 3.4
tcp.dstport the destination port of a TCP connection 3.4
udp.port the source or destination port of a UDP connection 3.4
udp.srcport the source port of a UDP connection 3.4
udp.dstport the destination port of a UDP connection 3.4
smb.shareName the name of the SMB share 4.1
smb.connectionEncrypted if the connection between a client and a server is encrypted (possible values are: "encrypted" and "unencrypted") 4.1
smb.negotiationState the negotiation state of a connection 4.1
smb.successfulConnects / smb.failedConnects number of successful/failed connects to a smb share 4.1
smb.successfulDisconnects / smb.failedDisconnects number of successful/failed disconnects to a smb share 4.1
smb.dialect the used dialects of a smb server 4.1
smb.dialectReq the dialects requested by a client 4.1
smb.dialectUsed the dialects used by a client 4.1
smb.failedOpens / smb.successfulOpens the number of successful/failed opens of a file by a client 4.1
smb.failedCloses / smb.successfulCloses the number of successful/failed closes of a file by a client 4.1
smb.failedDeletes / smb.successfulDeletes the number of successful/failed deletes of a file by a client 4.1
smb.firstOpen / smb.lastOpen time since the first/last open 4.1
smb.lastClose time since the file got closed the last time 4.1
smb.lastDelete time since the file got deleted the last time 4.1
smb.bytesWritten / smb.bytesRead the number of bytes written to/read from the file 4.1
icmp.pingLatencyMin the ping latency (min) in ms for ICMP ping request/replies tuples of one connection 4.2
icmp.pingLatencyAvg the ping latency (average) in ms for ICMP ping request/replies tuples of one connection 4.2
icmp.pingLatencyMax the ping latency (max) in ms for ICMP ping request/replies tuples of one connection 4.2
icmp.requests the number of ICMP ping requests of one connection 4.2
icmp.replies the number of ICMP ping replies of one connection 4.2
ip.ttl.min / max / avg the min / max / avg TTL value of an IPv4 4.2
ipv6.hlim.min / max / avg the min / max / avg hop limit value of an IPv6 4.2

Wireshark filter syntax

Wireshark uses a filter syntax that is not directly compatible with the filter syntax of the Allegro Network Multimeter, as it is stricter regarding the expression and also supports many packet-header-related fields.

However, Wireshark conversation filters for IPv4, IPv6, TCP, and UDP can be used directly:

  • Example: The filter "(ip.addr eq 1.2.3.4 and ip.addr eq 2.3.4.5) and (tcp.port eq 80 and tcp.port eq 1234)" is a valid filter expression. The corresponding native expression is: "ip == 1.2.3.4 and ip == 2.3.4.5 and port == 80 and port == 1234 and l4protocol == TCP" (the last part about the l4protocol can be left out since most of the time there is only one connection matching the port portion).