TrafMeter Web Online Help

Rule Editor

Here you can fill in the following rule parameters:

Rule description

A description of the rule (maximum 100 characters). This field may be left blank.

IP protocol

Defines the name or the number of an IP protocol for the rule. See the IP protocol number article in TrafMeter Knowledge Base.

Source and Destination

These fields define a method of checking the IP addresses of the captured packets. If the captured packet is TCP or UDP, you can set the conditions to check the TCP or UDP port number.

Direction

Two options are available here:

  • "Also match packets with the exact opposite source and destination addresses". If this option is disabled, the captured packet must match the source and destination addresses exactly. This case is called a "Direct Match". On a Direct Match, the sent bytes counter of the current filter is updated. If this option is enabled, the rule also matches captured packets with the exact opposite source and destination addresses. The option can then produce two types of match: "Direct Match" (exact match) and "Mirrored Match" (opposite match). On a Direct Match, the sent bytes counter is updated. On a Mirrored Match, the received bytes counter is updated.

  • "Stateful Inspection" (available only when the "Also match packets..." option is selected). This creates so-called "dynamic rules" for Mirrored Matches. A packet is checked for a Mirrored Match only when the current rule has directly matched a previous packet with the same source and destination IP addresses and ports.

The following example illustrates the description above. Imagine that you create this rule:

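Filter 1. Traffic from My computer to any web server.

| Rule | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|------|---------------------|----------------|-------------|---------------------|------------------|-----------------|-------------------|----------------------|
| 1 | TCP | My computer | Any | Any | 80 | ? | Count | |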

The rule processes the packets as follows:

Example of processing packets with different Direction options

| Rule 1 | TCP packet (1): Src: My computer; Dst: 192.168.0.10; Src port: Any; Dst port: 1389 | TCP packet (2): Src: 192.168.0.10; Dst: My computer; Src port: 80; Dst port: 1389 | TCP packet (3): Src: 192.168.0.10; Dst: My computer; Src port: 80; Dst port: 1390 |
|--------|------|------|------|
| "Also match packets..." is disabled | Direct Match | - | - |
| "Also match packets..." is enabled, "Stateful Inspection" is disabled | Direct Match | Mirrored Match | Mirrored Match |
| "Also match packets..." is enabled, "Stateful Inspection" is enabled | Direct Match | Mirrored Match* | - |

* Mirrored Match will only occur when Packet (2) is captured after Packet (1).

Attention! The "Direction" option is enabled by default. Unless you are sure of what you are doing, leave it unchanged.
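The matching logic described above can be modelled in a few lines. This is an added example, not TrafMeter's own code: the Rule and Packet classes are hypothetical, and the constructed packets assume that packet (1) goes from client port 1389 to server port 80, so that packets (2) and (3) are its exact and inexact mirrors. State expiry is not modelled.

```python
from dataclasses import dataclass, field

ANY = None  # wildcard for an address or port field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    src: object = ANY
    sport: object = ANY
    dst: object = ANY
    dport: object = ANY
    both_directions: bool = True   # "Also match packets with the exact opposite ..."
    stateful: bool = False         # "Stateful Inspection"
    seen: set = field(default_factory=set)  # flows that produced a Direct Match

    def _fits(self, src, sport, dst, dport):
        want = (self.src, self.sport, self.dst, self.dport)
        return all(w is ANY or w == g for w, g in zip(want, (src, sport, dst, dport)))

    def match(self, p: Packet) -> str:
        if self._fits(p.src, p.sport, p.dst, p.dport):
            self.seen.add((p.src, p.sport, p.dst, p.dport))
            return "Direct Match"        # sent bytes counter is updated
        if self.both_directions and self._fits(p.dst, p.dport, p.src, p.sport):
            # Stateful: a reverse packet matches only if its flow was seen directly first.
            if not self.stateful or (p.dst, p.dport, p.src, p.sport) in self.seen:
                return "Mirrored Match"  # received bytes counter is updated
        return "-"

def run(both_directions, stateful, packets):
    """Apply a fresh copy of Rule 1 (TCP, My computer -> any host, port 80) to the packets."""
    rule = Rule(src="My computer", dport=80,
                both_directions=both_directions, stateful=stateful)
    return [rule.match(p) for p in packets]

# Constructed packets (assumed ports, see the lead-in).
PACKETS = [
    Packet("My computer", 1389, "192.168.0.10", 80),   # packet (1)
    Packet("192.168.0.10", 80, "My computer", 1389),   # packet (2)
    Packet("192.168.0.10", 80, "My computer", 1390),   # packet (3)
]
```

With Stateful Inspection enabled, a packet from port 80 that does not answer a flow opened by My computer is not matched, so unsolicited traffic does not inflate the received bytes counter.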

TCP options (only for TCP protocol)

Two options are available here:

  • "SYN". This catches only the first packet of a new TCP connection (according to the TCP specification, this is the packet with the SYN flag set and the ACK flag not set). The option is useful for creating firewall rules that block, for example, incoming TCP connections. This option works in one direction only, so the "Direction" flag is disabled automatically.
  • "FTP". This allows counting data transferred over the FTP-data connection. To use this option, create a rule for counting the traffic of the FTP-control connection (in other words, a rule that counts traffic by TCP port number 21). If this option is enabled, TrafMeter analyzes each packet of the FTP-control connection and looks for the port number of the FTP-data connection. TrafMeter then creates a dynamic rule to count the traffic of the FTP-data connection. See details about FTP.

ICMP options (only for ICMP protocol)

This enables checking the type of each captured ICMP packet. If the captured packet is an ICMP Echo Request, a match occurs (provided the other conditions are also met). This option is useful for creating firewall rules as well.

Action

The "Action" property defines what TrafMeter should do with the captured packet in case of Rule Match.

  • Count - the filter counter will be updated and the captured packet will be processed by the next filter
  • Pass (not count) - the filter counter will not be updated and the captured packet will not be processed by the next filter
  • Count and Pass - the filter counter will be updated and the captured packet will not be processed by the next filter
  • Deny - the filter counter will not be updated and the captured packet will be denied by the firewall (available only in the Active Capture mode)

These actions are summarized in the following table:

| Action | The counters will be updated | The captured packet will be processed by the next filter | The captured packet will be denied by firewall |
|--------|------|------|------|
| Count | Yes | Yes | No |
| Pass (not count) | No | No | No |
| Count and Pass | Yes | No | No |
| Block | No | No | Yes |
| No rule match | No | Yes | No |

Options "The packet must be"

This defines whether the packet must have been counted in the previous filter(s), must not have been counted in the previous filter(s), or whether this condition is ignored. It is useful for preventing the same packet from being counted twice.
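The Action table and the "The packet must be" option can be seen working together in a small model of the filter chain. This is an added example, not TrafMeter's own code: it assumes one rule per filter, treats an unmet "The packet must be" condition as "no rule match", and uses hypothetical filter names and constructed packets.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# (update counter, hand packet to next filter, deny) per action, as in the table above
ACTIONS = {
    "Count":            (True,  True,  False),
    "Pass (not count)": (False, False, False),
    "Count and Pass":   (True,  False, False),
    "Deny":             (False, False, True),
}

@dataclass
class Filter:
    name: str
    matches: Callable[[dict], bool]          # stands in for the protocol/address checks
    action: str
    must_be_counted: Optional[bool] = None   # "The packet must be": True, False, None = ignore
    counter: int = 0                         # bytes counted by this filter

def process(filters, packet):
    """Run one packet through the filters; return (verdict, filters that counted it)."""
    counted_by = []
    for f in filters:
        # Assumption: an unmet "The packet must be" condition means no rule match.
        if f.must_be_counted is not None and f.must_be_counted != bool(counted_by):
            continue
        if not f.matches(packet):
            continue                         # no rule match: the next filter sees the packet
        count, go_on, deny = ACTIONS[f.action]
        if count:
            f.counter += packet["size"]
            counted_by.append(f.name)
        if deny:
            return "denied", counted_by
        if not go_on:
            break
    return "passed", counted_by

def demo():
    filters = [
        Filter("Block telnet", lambda p: p["dport"] == 23, "Deny"),
        Filter("Web", lambda p: p["dport"] == 80, "Count"),
        Filter("Other", lambda p: True, "Count and Pass", must_be_counted=False),
    ]
    # Constructed packets: destination port and size in bytes.
    packets = [{"dport": 80, "size": 1500}, {"dport": 53, "size": 80}, {"dport": 23, "size": 60}]
    verdicts = [process(filters, p) for p in packets]
    return verdicts, {f.name: f.counter for f in filters}
```

The catch-all "Other" filter skips the web packet because "Web" already counted it, which is how the option prevents counting the same packet twice.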

Option "Via network adapter"

You can select the network adapter whose traffic will be processed by this rule. To use this option, you should assign an alias to the network adapter(s).

Traffic counters condition

This allows setting the traffic limits for the filters (available only in Active Capture Mode). See configuration example 6.

Time-based counters conditions

This defines the time during which the current rule is valid.

 


You can invoke Rule Editor from Filter Editor.

 
