Networks exchange huge volumes of data. Fast Ethernet can theoretically transmit 100 million bits per second. A few seconds of data on a busy network can overwhelm a troubleshooter with details. Network monitor has a filtering capabilities to help sort out the data. Filtering can be done at two stages in protocol analysis.

• The Capture filter selectively captures data into the capture buffer
• The Display filter selectively displays data already in the capture buffer

As the frames appear on a high speed LAN, the capture filter must make a quick decision to capture it. Because of these real-time constraints, the capture filter options are rather basic and low level. The capture filter can select frames based on

• Ethernet Type field or IEEE SAP field
• Source and Destination address combinations
• Byte patterns in the frame

Depending on the volume of traffic and the speed of your computer, Network Monitor may not be able to keep up with capturing all of the data. There is a capture statistic labeled # Frames Dropped which indicates frames that could not be captured. Using the Capture filter to capture only what you need will help to reduce the number of dropped frames. You can also run Network Monitor in a dedicated capture mode where the running statistics are not displayed thereby reducing the overhead. The following dialog shows the minimal display in the dedicated capture mode.

Another optimization technique appears in the capture buffers settings dialog. The default is to capture the Full frame, however most troubleshooting is done with the header information. You can specify a limited frame size where the end of the frame is not captured thereby reducing the system overhead.

The following dialog is the Capture Filter dialog.

The following dialogs show how Ethertypes, SAPs and byte patterns are specified.

Display filters filter can display frames based on

• Source and Destination address combinations
• Protocol types
• Properties of any header field
  • e.g. Protocol field = 6 indicates TCP

In the following Display Filter dialog, note that complex logical expressions can be created.

The following dialog shows how combinations of protocols can be specified.

The following dialog shows how field properties can be specified. Not that the options for may fields can be selected from a list. The following example specifies the Protocol field = 06 indicating TCP.

Addresses are selected from a known list. Note that you can indicate whether the address is the source or the destination and whether to include or exclude those frames.