Boolean Operands


Boolean logic was developed by George Boole[3], an English math teacher, in the mid-1800s. The logic is used to describe the relationship between terms -- in this case, those terms are packet patterns.

There are three basic boolean operands:

  • OR

  • AND

  • NOT

Which operand you choose depends on what you are looking for. In this next section, we’ll look at the operands and I’ll give you examples of when you would use each one. Later in this chapter, I’ll show you how to make each of these filters listed in this section.

Using the OR Operand

The OR operand is used when you are interested in packets that match more than one filter. For example, if you are looking for packets to a specific port OR packets from a specific port, you need to build an OR filter with two patterns. The first pattern would be all packets to a specific port. The second pattern would be all traffic from a specific port.

Using the AND Operand

The AND operand is used when you are looking for a packet that matches two or more patterns. For example, let’s say you are looking for all packets from a specific IP address that contain the ASCII pattern GET in the data portion of the packet. Using the AND operand, you can identify packets that match a whole series of different patterns.

Using the NOT Operand

The NOT operand indicates the packets that should NOT be captured. For example, perhaps you are looking for all the packets that contain FTP commands but do NOT have the default port 21 value in the destination or source port fields.

These boolean operands enable you to be creative in adding and subtracting patterns from your filter. You can really spend hours and hours making your pattern filters do more in a single shot. [4]
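As an added illustration (not code from the book or from Sniffer/EtherPeek), here are the three filters described above expressed as offset/value patterns combined with AND, OR and NOT. The offsets assume a raw IPv4 packet with no Ethernet header and no IP or TCP options; the addresses, ports, FTP commands and the sample packets are all constructed for the example.

```python
import struct
from typing import Callable, List

Filter = Callable[[bytes], bool]

def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))

def port(number: int) -> bytes:
    return struct.pack("!H", number)

def pattern(offset: int, value: bytes) -> Filter:
    """One pattern filter: `value` must appear at byte `offset` of the packet."""
    return lambda pkt: pkt[offset:offset + len(value)] == value

# The three boolean operands; each combines pattern filters into a new filter
def AND(*filters: Filter) -> Filter: return lambda pkt: all(f(pkt) for f in filters)
def OR(*filters: Filter) -> Filter: return lambda pkt: any(f(pkt) for f in filters)
def NOT(f: Filter) -> Filter: return lambda pkt: not f(pkt)

# Offsets assume a raw IPv4 packet (no Ethernet header) with 20-byte IP and TCP headers
IP_SRC, IP_DST, TCP_SPORT, TCP_DPORT, TCP_DATA = 12, 16, 20, 22, 40

def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + data

# OR: packets to port 80 or packets from port 80
TO_OR_FROM_80 = OR(pattern(TCP_DPORT, port(80)), pattern(TCP_SPORT, port(80)))
# AND: packets from one host whose data starts with "GET"
GET_FROM_HOST = AND(pattern(IP_SRC, ip_bytes("10.1.1.5")), pattern(TCP_DATA, b"GET"))
# NOT: FTP command packets (USER/PASS used as the commands) with port 21 in neither port field
FTP_NOT_21 = AND(OR(pattern(TCP_DATA, b"USER "), pattern(TCP_DATA, b"PASS ")),
                 NOT(OR(pattern(TCP_DPORT, port(21)), pattern(TCP_SPORT, port(21)))))

SAMPLE = [  # constructed packets, indexed 0..4
    build_packet("10.1.1.5", "10.1.1.80", 1025, 80, b"GET / HTTP/1.0\r\n"),
    build_packet("10.1.1.80", "10.1.1.5", 80, 1025, b"HTTP/1.0 200 OK\r\n"),
    build_packet("10.1.1.5", "10.1.1.21", 1026, 21, b"USER anonymous\r\n"),
    build_packet("10.1.1.5", "10.1.1.99", 1027, 2121, b"USER bob\r\n"),
    build_packet("10.1.1.7", "10.1.1.80", 1028, 80, b"GET /x HTTP/1.0\r\n"),
]

def matching(filt: Filter, packets: List[bytes] = SAMPLE) -> List[int]:
    """Indexes of the packets the filter would capture; e.g. matching(TO_OR_FROM_80) -> [0, 1, 4]."""
    return [i for i, pkt in enumerate(packets) if filt(pkt)]
```

Packet 2 carries an FTP command but is dropped by the NOT clause because its destination port is 21, which is exactly the case the text describes.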

Although most of the graphics will show the Sniffer view of building filters, the EtherPeek boolean process is similar. At this time, these are the two analyzers that I use most often.[5]

Keep in mind, however, that it is just as important to know why you are applying a specific pattern filter and the offsets and values for that filter as it is to know how to set one up on your specific analyzer -- that’s the easy part!

In this next section, we’ll focus on the following filters:

  • Filtering on Source/Destination Ports

  • Filtering on ICMP Packet Types

  • Filtering on TCP Flags

  • Filtering on the TCP Handshake Process

  • Filtering on FTP Commands

  • Filtering on IP Fragment Fields

  • Filtering on a Variable Length Subnet Address

  • Filtering on Stinkin’ Peer-to-Peer Application Commands

Gawd, I love this stuff!

Each of these examples is based on actual tasks that I had to perform at customer sites -- I included a bit of dirt on why I built the filters and the various results that you can achieve with them.

[3]This guy Boole is really an interesting figure in mathematics history. He was primarily self-educated, became a teaching assistant when he turned 16 and opened his own school just four years later. Whew! For more information on George Boole, check out www.digitalcentury.com/encyclo/update/boole.html (no hyphen).

[4]I warn you - these pattern filters are addictive!

[5]Once you are familiar with Sniffer’s method of defining advanced filters using patterns, check out EtherPeek’s advanced filtering - it’s much easier.




Packet Filtering: Catching the Cool Packets
ISBN: 1893939383
Year: 2000
Pages: 65