JANOS Help System: [Commands] [Topics] [Tech Support] [Printable Manual] [Search]
Network Filtering Reference DESCRIPTION The content of a network capture can be filtered either on the incoming or outgoing side. Using the same filter syntax the remote clients allowed to interact with the JNIOR can be controlled. These filters can be quite simple or, if needed, much more sophisticated. The IpConfig/CaptureFilter Registry key may optionally define a filter which is applied to incoming packet data prior to capture. There is limited storage for captured information and by filtering you can extend the capture period and the amount of pertinent information collected. A filter may also be used in generating the /temp/network.pcap capture file from the capture buffer content using the NETSTAT -C command. Here the filter allows you to extract only pertinent information in order to keep the file size at a manageable level. The resulting file can be downloaded and opened directly using Wireshark https://wireshark.org . The IpConfig/Allow Registry key may optionally define a filter which is applied to incoming connections. In this case the referenced IP addresses refer to the incoming source IP addresses, those of remote clients. Referenced port numbers refer only to destination ports, those available on the JNIOR. SYNTAX IP Addresses To filter packets referencing a specific IP address you need only include the IP address in the format “nnn.nnn.nnn.nnn” in the filter string. Any packet that references this IP address either as the source or the destination address will be selected for inclusion. All other packets will be excluded unless covered by some other part of the filter. When filtering remote client connections this specifies a specific IP address to allow. Note that this is a dangerously limiting restriction on remote clients. To exclude packets referencing a certain IP address you can prepend a ‘!’ exclamation point to the address like this “!nnn.nnn.nnn.nnn”. All packets that do reference the IP address as either a source or destination address will NOT be selected for inclusion. This can also be written as “NOT nnn.nnn.nnn.nnn”. This may be especially helpful to filter your IP address while debugging communications with other devices. In filtering remote client connections, the NOT syntax is ideal for blocking the client based upon IP address. Note that an IP address is identified by its format, four decimal values between 0 and 255 separated by the ‘.’ period. The domain syntax allows you to define a range of IP addresses as would be associated with a netmask. The format is “nnn.nnn.nnn.nnn/mm” where ‘mm’ specifies the number of high order bits that would be in the netmask. For example, “10.0.0.0/24” specifies any IP address in the domain that contains IP addresses 10.0.0.1 through 10.0.0.255 and uses a netmask of “255.255.255.0”.  This is useful in selecting only local traffic for instance. It would also be perfect for allowing only clients from a specific network to connect to the unit. MAC Addresses Although less often required you can filter on a specific MAC address. The MAC address is included in the filter string in the format “hh:hh:hh:hh:hh:hh”. This is six hexadecimal values (0-9 a-f) not case-sensitive separated by the ‘:’ colon. For instance most INTEG Series 4 JNIORs have MAC address formatted as “9C:8D:1A:hh:hh:hh” where the lower three bytes are assigned uniquely in some sequence. As with IP addressing, packets with MAC addresses may be excluded by writing the filter as “!hh:hh:hh:hh:hh:hh” or “NOT hh:hh:hh:hh:hh:hh”.  Again a MAC address is identified by its format. A MAC address would rarely be appropriate in filtering a remote client however. Ports A port is specified in the filter string as a decimal value between 1 and 65535 inclusive. No punctuation is required. The capture filter does not distinguish between a TCP or UDP port number. A port may be excluded using the negation “!nnn” or “NOT nnn”. When filtering remote client connections the filter logic can use this to block the client from accessing a specific function by port. There are standard ports assigned for various functions. The capture filter knows some of them by name. Some may be reconfigured through the Registry. As a convenience the port may be specified using its protocol name. The capture will be filtered on the port as configured at the time the filter is compiled (at boot or upon NETSTAT command). JANOS recognizes these port names where the default values are shown in parentheses: SMTP (25), NTP (123), JNIOR (9200), JMP (9220), FTP (21), HTTP (80), HTTPS (443), TELNET (23), and BEACON (4444). These ports may be excluded using the same negation syntax as previously shown. Boolean Constants The capture filter will also recognize the terms TRUE and FALSE. TRUE indicates that the packet is to be included and FALSE otherwise. Logical Operations To filter on a single IP address, MAC address or port (or to exclude a single item) the filter need only specify the address or port in the proper format. The following would select the communications involved in an email transfer. If this is used as an incoming filter, only email transactions would be captured. If this is used with NETSTAT -C in generating the PCAPNG file, the file would only include email communications. NETSTAT -C SMTP netstat -c 25 Note that filters (and also commands) are not case-sensitive. The forms above will create a PCAPNG file with just outgoing email communications. This assumes that you have not reconfigured the SMTP port. If you have set Email/Port to another port (587 for instance) then the first line will extract your email communications and the second will not. Although the second filter might show an application trying to use the incorrect port. Filters often need to be slightly more complex in order to include the collection of communications needed. The syntax allows you to specify any number of addresses or ports in any combination using AND, OR and XOR logic. As an alternative you may use the notation && and || for AND or OR respectively. As an example perhaps you want to filter only email communications with the SERVER whose IP address is 10.0.0.4 netstat -c "10.0.0.4 && smtp" If you want to also include BEACON communications you might write the filter as: netstat -c "10.0.0.4 AND smtp OR beacon" Here you might question the order of precedence of the logical operations. The capture filters do not support an order of precedence but perform the operations from left to right. So this would be calculated as follows: netstat -c "(10.0.0.4 && SMTP) || BEACON" And this would have done what we had said. If there is some question you can use the parentheses in the filter as shown. The following will create the same subset of packets but would not if we were to exclude the parentheses: netstat -c "BEACON || (10.0.0.4 && SMTP)" A parentheses grouping can be negated as you would expect. The following will create a capture of all activity EXCEPT email communications with the SERVER. netstat -c "!(10.0.0.4 && smtp)" Finally if we had wanted to mask these email communications from the overall capture buffer we can install this filter using the command: netstat -f "!(10.0.0.4 && smtp)" This would result in the following Registry setting and would filter out matching communications until such time as the filter is removed. IpConfig/CaptureFilter = "!(10.0.0.4 && smtp)" NOTES Filters containing space characters and logical AND and OR operators need to be surrounded by quotes. This is to insure that the entire filter string is properly processed as a single parameter to the NETSTAT command. This same Filter syntax is used by the IpConfig/Allow Registry key the purpose of which is to limit access to the JNIOR. Care needs to be exercised in setting this key as you may end up preventing your own access to the JNIOR. If this occurs you must reset the filter through the COM RS-232 serial port. SEE ALSO HELP Topics: NETSTAT, SAFEMODE [/flash/manpages/reference.hlp:324]