Data Formats

As you work with the various analyzers, you’ll notice that there are various formats that you can define for your patterns. You already know that you have a choice between starting your filter at the beginning of the packet or the beginning of the network protocol layer, right? If not, go back and review Chapter One, “Packet Filtering and Offsets.”

The following list defines the most commonly used filter data types:

• Hexadecimal

• Binary

• ASCII (also referred to as String)

• EBCDIC

• Decimal

Let’s look at when you’d use each of these data formats.

Hexadecimal Data Format

Use this format when you’re looking for data that is typically defined in hexadecimal format. For example, NetWare IPX addresses are in hex format. Data Link addresses are in hexadecimal format, as well.

Binary Data Format

Use this format to look for a binary-level pattern. For example, if you’re looking all traffic to and from devices on a single subnet that is assigned a Variable Length Subnet Mask, you may want to filter on the value in just the first few bits of an address. We’ll show an example of this in the section titled, “Filtering on a Variable Length Subnet Address.” Another example of when you need to do a binary filter is when you are looking for a single bit value inside a packet.

ASCII Data Format

Many commands cross the network in plain ASCII text. For example, FTP uses the following ASCII commands inside the packet immediately following the TCP header:

• USER

• PASS

• PORT

• LIST

• NLST

• RETR

• STOR

When you want to capture packets based on these commands, or any other plain-text value, you can set up an ASCII filter.

For an example of this filtering style, see the sections entitled, “Filtering on FTP Commands” later in this chapter.

EBCDIC Data Format

You might find EBCDIC traffic crossing an SNA network. To build an EBCDIC filter, you need to know the sequence of EBCDIC characters you are interested in. Next, of course, you need to know the offset. Apply an EBCDIC filter in the same way that you catch an ASCII filter.

Decimal Data Format

A decimal filter should be used whenever you are interested in filtering on data based on the decimal value. For example, if you know the decimal value of a port number, you’d want to build a decimal filter. Read the section entitled, “Filtering on Source/Destination Ports” for an example of how we can do decimal filtering on the EtherPeek analyzer.^[1]

Before we get into the filter examples too far, however, I want to go over the basics of boolean operands^[2]. We use these operands to define specific items we’re interested in as groups or options or negatives. Read on for more details...

^[1]Ok... what’s the deal with Sniffer, eh? There isn’t any “decimal” option on the Sniffer (at least not in the 4.5 version). When you build the port filter, you’ll see that we need to convert the decimal value to hexadecimal -- then you’ll build a hexadecimal filter.

^[2]Don’t remember your high school math? Don’t worry - these things are pretty basic.