
I found something called Microsoft Network Monitor 3.1

When I went looking for how to write filters, it turned out that the Filter Expression Manual ships in the installation folder as a .doc file. It doesn't seem to be available on the Web, so I'm quoting from it at random.

IPv4.SourceAddress == 10.0.0.1  // (source ipv4 address matches 10.0.0.1)
TCP.Port == 389 or UDP.Port == 389 // Show only LDAP frames
!EAPOL and !EAP and !GRE and !PPTP and !PPP // Filter out RAS (Remote Access Service) frames
UINT8(FrameData, 7)==0x11 // Find a byte at 8 bytes from the beginning of a frame.
property.TCPPayload.contains("BORDER-BOTTOM") // Search TCP Payload for Ascii or Unicode data (does not work with binary data).
tcp.flags.syn == 1
Smb.Command > 10 && Smb.command < 0xA1
// Filter on source IPv4 address
IPv4.SourceAddress == 192.168.0.1
// Filter on destination IPv4 address
IPv4.DestinationAddress == 192.168.0.1
// Filter on IPv4 address (source or dest)
IPv4.Address == 192.168.0.1
// Filter on IPv6 address (source or dest). If you have IPv6 installed
//on your machine you can use the “colon” syntax. Otherwise, you will need
//to use the actual hex value of the address.
IPv6.Address == 3ffe:2900:d005:f282:b8df:3ec8:8a61:a06b
// View IPv4 traffic between a source and a destination node
IPv4.Address==10.0.0.1 and IPv4.Address==10.0.0.222 
// Traffic To or From the capturing computer IPv4 address:
// Local <-> Any
// If you have more than one network adapter, this becomes
// an array, indexed starting from zero.
IPv4.Address == IpConfig.LocalIpv4Address
// Do not show Broadcast frames
// There are several ways to do this
//  Ethernet.DestinationAddress != 0xFFFFFFFFFFFF
//  Ethernet.DestinationAddress!=FF-FF-FF-FF-FF-FF
Ethernet.DestinationAddress!= BROADCAST 
// Ethernet source or destination address
Ethernet.Address == 0x010203040506
// or
Ethernet.Address == 01-02-03-04-05-06
// Do not show RAS frames
NOT EAPOL  and  NOT EAP  and  NOT GRE  and  NOT PPTP  and  NOT PPP
//    or you could use 
!EAPOL  and  !EAP  and  !GRE  and  !PPTP  and  !PPP
// Do not show Terminal Service or Citrix frames
!(Tcp.port == 3389) and !(Tcp.port == 1494) and !(Tcp.port == 1503)
// Shows all ARPs, and any frame with TCP.FLAGS.SYN element turned on
Arp or Tcp.Flags.Syn
// Show all DNS Name Resolution requests
Dns.QuestionCount
// Find a web page string (known as a URI or URL)
Contains(Http.Request.URI,"msn.com")
// Show only LDAP frames
Tcp.Port == 389 or Udp.Port == 389
// NetBIOS Name Service query for a hostname
Contains(NbtNs.NbtNsQuestionSectionData.QuestionName.Name,"ComputerName")
// SMB Client Request & Server Response
SMBRequestNTCreateAndX or SMBResponseNTCreateAndX
// Show only the create file traffic to track file usage.
Smb.Command==0xa2
// Capture all SMB traffic except for browser traffic.
Smb and NOT Browser
// A way to filter AOL Instant Messenger data packets (no acks)
Tcp.Port == 5190 and Tcp.flags.push
// Searches TCP Payload for Ascii or Unicode data.
// This does not work with binary data.
property.TCPPayload.contains("BORDER-BOTTOM")
// Find a byte at 8 bytes from the beginning of a frame.
UINT8(FrameData, 7)==0x11
// You can use the filter expression window like a typical code editor.  Here is an 
// example of using comments “//” to remove parts of the filter expression.  If your
// initial filter looks like this:
IPv4.address==10.1.1.1 ||
IPv4.address==10.1.1.2 ||
IPv4.address==10.1.1.3
// you can put comments on the middle section to prevent it from being evaluated,
// yet still keep all the code…
IPv4.address==10.1.1.1 ||
//IPv4.address==10.1.1.2 ||
IPv4.address==10.1.1.3
// The key to this technique is placement of the || (OR operator) and using a 
//separate line for each evaluation.
Tcp.Port==0x1234 AND IPv4.Address==10.0.0.1
Tcp.Port==0x1234
Tcp.SrcPort==0x1234 || Tcp.DstPort==0x1234
// You can also filter on the raw frame contents
//So to find one byte at offset 2 you’d do the following
UINT8(FrameData,1)==0x50
//Or to find a 16 bit value at offset 7 (BigEndian) you could do
UINT16(FrameData, 6)==0x00d0
//To find a string of 10 bytes at offset 4, you would use
AsciiString(FrameData, 3, 10)=="1234567890"
//Generally “Protocol.Property != value” is not the same as “!(Protocol.Property == value)”.
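The offset functions and that last remark about `!=` versus `!(... == ...)` are easier to see with a small model. The Python below is an added example, not code from Network Monitor or its manual: it reimplements UINT8 / UINT16 / AsciiString as zero-based accessors over a constructed frame (big-endian for UINT16, as the manual says), and models the usual reason the two negations differ, which I take to be that `Protocol.Property != value` only matches frames that actually carry that property, while `!(Protocol.Property == value)` also matches frames where the protocol is absent. The frame bytes, the decoded-frame dicts and the helper names are all constructed for this example.

```python
"""Model of a few Network Monitor filter primitives.

Constructed example; it is not Network Monitor's code. The frame bytes and
"decoded frames" below are made up to exercise the accessors.
"""
from typing import Any, Callable, Dict, List, Optional


def uint8(frame: bytes, offset: int) -> Optional[int]:
    """UINT8(FrameData, offset): one byte at a zero-based offset.

    Returns None when the frame is too short, i.e. the property is absent.
    """
    if offset < 0 or offset + 1 > len(frame):
        return None
    return frame[offset]


def uint16(frame: bytes, offset: int) -> Optional[int]:
    """UINT16(FrameData, offset): two bytes read big-endian (network order)."""
    if offset < 0 or offset + 2 > len(frame):
        return None
    return int.from_bytes(frame[offset:offset + 2], "big")


def ascii_string(frame: bytes, offset: int, length: int) -> Optional[str]:
    """AsciiString(FrameData, offset, length): `length` bytes decoded as ASCII."""
    if offset < 0 or length < 0 or offset + length > len(frame):
        return None
    return frame[offset:offset + length].decode("ascii", errors="replace")


# "Protocol.Property != value": false when the property does not exist.
def prop_ne(actual: Any, expected: Any) -> bool:
    return actual is not None and actual != expected


# "!(Protocol.Property == value)": true when the property does not exist.
def not_prop_eq(actual: Any, expected: Any) -> bool:
    return not (actual is not None and actual == expected)


# Constructed frames. FRAME_A has 0x50 at offset 1 and 0x00d0 at offsets 6-7;
# FRAME_B carries the ten ASCII digits starting at offset 3.
FRAME_A = bytes.fromhex("00500000000000d0aabb")
FRAME_B = b"\x00\x00\x00" + b"1234567890" + b"\x00"

# Constructed "decoded frames": the properties each parser exposed.
# Frame 3 has no TCP layer at all, so Tcp.Port is absent there.
DECODED_FRAMES: List[Dict[str, Any]] = [
    {"id": 1, "Tcp.Port": 80},
    {"id": 2, "Tcp.Port": 443},
    {"id": 3, "Udp.Port": 53},
]


def frames_matching(filter_fn: Callable[[Any, Any], bool],
                    prop: str = "Tcp.Port", value: Any = 80) -> List[int]:
    """Return the ids of frames for which filter_fn(property, value) holds."""
    return [f["id"] for f in DECODED_FRAMES if filter_fn(f.get(prop), value)]


if __name__ == "__main__":
    print("UINT8(FrameData,1)==0x50:", uint8(FRAME_A, 1) == 0x50)
    print("UINT16(FrameData,6)==0x00d0:", uint16(FRAME_A, 6) == 0x00D0)
    print('AsciiString(FrameData,3,10)=="1234567890":',
          ascii_string(FRAME_B, 3, 10) == "1234567890")
    print("Tcp.Port != 80 matches:", frames_matching(prop_ne))
    print("!(Tcp.Port == 80) matches:", frames_matching(not_prop_eq))
```

Run it and the two negations return different frame sets: only frame 2 for `Tcp.Port != 80`, but frames 2 and 3 for `!(Tcp.Port == 80)`, because the UDP-only frame has no `Tcp.Port` to compare. An accessor whose offset runs past the end of the frame returns None for the same reason, so a short frame fails `UINT16(FrameData, 6)==0x00d0` rather than raising.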

Speaking of captures, these days it's all about Wireshark/Ethereal filters, but there are two kinds of them and no matter how many times I use them I forget which is which, so
http://www.space-peace.com/ethereal/ethereal_4_2.htm
may come in handy.