Protocol Filters the Easy Way

Previous page
Table of content
Next page

When you start to write a master list of all the protocols that you should have filters for, you begin to wonder when you'll have time for life. There are so many filters to build! Fortunately, the analyzers we have today have some pre-built protocol filters - just select the protocol and you're done.

Figure 19 shows the pre-built filter list for the Sniffer.

click to expand
Figure 19: Just click on a protocol to build a protocol filter.

Geez… that's easy, eh? We'll let's look at a sample list of filters that are included in one analyzer (Sniffer) under the IP heading. Ready? Here we go:

  • IP

  • EGP

  • GGP

  • Hello

  • ICMP

  • IGMP

  • IGRP/EIGRP

  • IP-VINES

  • ISO-TP4

  • OSPF

  • TCP

  • DNS (TCP)

  • FTP

  • GOPHER

  • HTTP

  • HTTPS

  • LDAP

  • NETBIOS (TCP)

  • NNTP

  • POP

  • PRINTER

  • REXEC

  • RLOGIN

  • RSH

  • ...and many more...

These pre-built protocol filters are based on standards and specifications - if the specification says that FTP commands use port 21, then the pre-built FTP filter will look for the number 21 in the port number fields. What if someone brings up an FTP server using port 80 for all FTP commands? What happens to our pre-built filters then? In that case, our filters won't work, eh? While we look for all traffic to and from port 21, FTP traffic cruises by using port 80. Yipes… This is why you really need to be careful when you rely solely on the pre-built filters.

Chapter 4 covers ways to go higher than the PID fields to identify packets.

Figure 20 shows how EtherPeek protocol filters are built using the pre-defined PID values.

click to expand
Figure 20: EtherPeek's protocol filter list.

See… it's not that tough! Take a moment and make a solid set of protocol filters for your network. You might want to start by learning what protocols are crossing the wire. To do this either protocol analyzer, view the protocol distribution windows. Figure 21 shows the Sniffer protocol distribution window.

click to expand
Figure 21: The Sniffer protocol distribution window.

Figure 22 shows the EtherPeek protocol distribution window.

click to expand
Figure 22: The EtherPeek protocol distribution window.

In Figures 21 and 22, we're looking at the protocol distribution windows for Sniffer and EtherPeek. As you can see, these networks have several IP-based protocols running on the network. If I were setting up the analyzer for this network, I'd build the following filter set:

  • all IP traffic (you've got to have that)

  • broadcast traffic

  • NCP over IP (based on port 524)

  • ICMP (based on protocol 1 in the IP header)

  • RIP (based on port 520)

  • SLP (based on port 527)

  • NetBIOS Name Service (based on port 137)

  • NetBIOS Datagram Services (based on port 138)

  • DHCP (pretty sure they aren't using BOOTP - based on ports 67 and 68)

  • SNMP (based on ports 161 and 162)

You may wonder why I would create a filter on IP. Well… I like to know when non-IP traffic comes across the network. By looking at the rate of packets seen v. packets captured on an IP filter, I can figure out how much 'non-IP' traffic is crossing the wire. Another way to do this is to build a 'NOT' filter using the pattern filtering (covered in the next chapter).


Previous page
Table of content
Next page
Packet Filtering. Catching the Cool Packets.
Packet Filtering: Catching the Cool Packets
ISBN: 1893939383
EAN: 2147483647
Year: 2000
Pages: 65
Authors: Laura A. Chappell
BUY ON AMAZON
Java I/O
Systematic Software Testing (Artech House Computer Library)
Cisco CallManager Fundamentals (2nd Edition)
Competency-Based Human Resource Management
101 Microsoft Visual Basic .NET Applications
Ruby Cookbook (Cookbooks (OReilly))
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy