IpConfig/CaptureFilter Registry Key
Network traffic can be filtered before it reaches the capture buffer. This can
extend the period over which traffic can be collected by limiting the
content to only those connections or communications of interest. The syntax
used to define a capture filter uses logical operators such as NOT,
AND, OR and XOR. The filter can include references to MAC addresses,
IP addresses (IPv4), and TCP/IP or UDP port numbers. Operator precedence
can be controlled with parenthesized groups. By default
the network capture is not filtered.
The NETSTAT -F command should be used to set the incoming filter. This
command first verifies the filter syntax and, if no errors are found,
then sets the Registry key. This is the preferred method because it includes
the syntax check.
The filter setting takes effect immediately and does not require a reboot.
An incoming capture filter is non-volatile and will remain in use. To remove
the filter, you must either remove the Registry key or issue the NETSTAT -F
command without further arguments.
In a similar fashion, packets can be selected from the network capture buffer
when creating the PCAPNG file /temp/network.pcapng. The filter syntax is the
same. You can therefore use the NETSTAT -C command to prototype and test a
packet filter before using it to define the incoming filter.
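Added example (not part of the original documentation or the product's own code): a small Python model of a filter built from NOT, AND, OR, XOR and parenthesized groups, showing how grouping changes which packets are kept and how a filter with a syntax error is rejected before it is applied. The term form field=value, the field names mac, ip and port, and the precedence order are assumptions made for illustration; the product's actual term syntax is not shown in this topic.

```python
import operator

# Constructed packets; field names and precedence (NOT > AND > XOR > OR) are assumptions.
PACKETS = [
    {"mac": "00:11:22:33:44:55", "ip": "192.0.2.10", "port": 80},
    {"mac": "00:11:22:33:44:55", "ip": "192.0.2.10", "port": 22},
    {"mac": "66:77:88:99:aa:bb", "ip": "192.0.2.20", "port": 80},
    {"mac": "66:77:88:99:aa:bb", "ip": "192.0.2.20", "port": 53},
]
BINARY = [("OR", operator.or_), ("XOR", operator.xor), ("AND", operator.and_)]  # loosest first

def combine(op, left, right):
    return lambda pkt: op(left(pkt), right(pkt))

def compile_filter(text):
    toks = text.replace("(", " ( ").replace(")", " ) ").split()
    def binary(level=0):
        if level == len(BINARY):
            return unary()
        name, op = BINARY[level]
        left = binary(level + 1)
        while toks and toks[0].upper() == name:
            toks.pop(0)
            left = combine(op, left, binary(level + 1))
        return left
    def unary():
        if not toks:
            raise ValueError("filter ends where a term was expected")
        tok = toks.pop(0)
        if tok.upper() == "NOT":
            inner = unary()
            return lambda pkt: not inner(pkt)
        if tok == "(":
            inner = binary()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        field, _, value = tok.partition("=")
        if field not in ("mac", "ip", "port") or not value:
            raise ValueError(f"bad term: {tok!r}")
        return lambda pkt: str(pkt[field]).lower() == value.lower()
    pred = binary()  # the whole filter is parsed before anything is returned
    if toks:
        raise ValueError(f"unexpected token: {toks[0]!r}")
    return pred

def matches(text):
    pred = compile_filter(text)
    return [n for n, pkt in enumerate(PACKETS) if pred(pkt)]
```

Without parentheses, "ip=192.0.2.10 OR ip=192.0.2.20 AND port=80" keeps every packet from the first host under the assumed precedence; grouping the OR first restricts both hosts to port 80.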
HELP Topics: FILTERING