TMeter :: Rule editor

Rule Editor

You can fill here the following rule parameters parameters:

Rule description

The description of the rule (maximum 100 symbols). This field can stay blank.

IP protocol

Defines the name or the number of an IP protocol for the rule. See the IP protocol number article in TMeter Knowledge Base.

Source and Destination

These fields define a method of checking the IP addresses of the captured packets. If the captured packet is TCP or UDP, you can set the conditions to check the TCP or UDP port number.

Direction

There two options are available here:

"Also match packets with the exact opposite source and destination addresses". If it is disabled, the captured packet must be matching the source and destination addresses exactly. This case is called "Direct Match". If "Direct Match" appears, the sent bytes counter of the current filter will be updated. If this option is enabled, the rule will also match the captured packets with the exact opposite source and destination addresses. This option can fire two types of matching: "Direct Match" (or exact match) and "Mirrored Match" (or opposite match). If "Direct Match" appears, the sent bytes counter will be updated. If "Mirrored Match" appears, the received bytes counter will be updated.
"Stateful Inspection" (available only when "Also match packets..." options is selected). This allows to create so-called "dynamic rules" for Mirrored Matches. The packet will be checked for Mirrored Match only when the current rule directly matches previous packet with the same source and destination IP addresses and ports.

The above description can be supported by the following example. Imagine, that you create rule:

Filter 1. Traffic from My computer to any web server.
Rule	Type of IP protocol	Source address	Source port	Destination address	Destination port	Both directions	Action for packet	Additional condition
1	TCP	My computer	Any	Any	80	?	Count

The packets will be processed in the Rule as the follows:

Example of processing packet with different Direction option
Rule 1	TCP packet (1): Src: My computer Dst: 192.168.0.10 Src port: Any Dst port: 1389	TCP packet (2): Src: 192.168.0.10 Dst: My computer Src port: 80 Dst port: 1389	TCP packet (3): Src: 192.168.0.10 Dst: My computer Src port: 80 Dst port: 1390
"Also match packets..." is disabled	Direct Match	-	-
"Also match packets..." is enabled "Stateful Inspection" is disabled	Direct Match	Mirrored Match	Mirrored Match
"Also match packets..." is enabled "Stateful Inspection" is enabled	Direct Match	Mirrored Match*	-

* Mirrored Match will only occur when Packet (2) is captured after Packet (1).

Attention! The "Direction" option is enabled by default. Unless you surely know what you are doing, leave this untouched.

TCP options (only for TCP protocol)

There two options are available here:

"SYN". This allows to catch only the first packet of new TCP connection (according the TCP specification, it is the packet with SYN flag and without ACK flag). The option is useful for creating firewall rules which will block, for example, incoming TCP connections. This option is available only in one direction, the "Direction" flag will be disabled automatically.
"FTP". This allows counting data transferred over FTP-data connection. To use this options, you should create the rule for counting traffic of FTP-control connection (in other words, you should create rule for counting traffic by TCP port number 21). If this options is enabled, TMeter will analyze each packet of FTP-control connection and look for port number of FTP-data connection. Then TMeter will create dynamic rule to count the traffic for FTP-data connection. See details about FTP.

ICMP options (only for ICMP protocol)

This enables checking a type of each captured ICMP packet. If captured packet is ICMP Echo Request, the match will be appeared (if other condition are valid also). This option is useful for creating firewall fules as well.

Action

The "Action" property defines what TMeter should do with the captured packet in case of Rule Match.

Count - the filter counter will be updated and the captured packet will be processed by the next filter
Pass (not count) - the filter counter will be not updated and the captured packet will not be processed by the next filter
Count and Pass - the filter counter will be updated and the captured packet will not be processed by the next filter
Deny - the filter counter will be not updated and the captured packet will be denied by the firewall (available only in the Active Capture mode)

These actions can be expressed in the next table as well:

Action	The counters will be updated	The captured packet will be processed by the next filter	The captured packet will be denied by firewall
Count	Yes	Yes	No
Pass (not count)	No	No	No
Count and pass	Yes	No	No
Block	No	No	Yes
No rule match	No	Yes	No

Options "The packet must be"

This defines whether the packet must be counted in the previous filter(s), not counted in the previous filter(s) or ignore this option. It is useful to prevent counting the same packet twice.

Option "Via network adapter"

You can select the network adapter whose the traffic will be processed in this rule. To use this option,you should assign the alias for the network adapter(s).

Traffic counters condition

This allows setting the traffic limits for the filters (available only in Active Capture Mode). See configuration example 6.

Time-based counters conditions

This allows to define a time when the current rule will be valid.

You can invoke Rule Editor from Filter Editor.