Network Filtering Reference
DESCRIPTION
The content of a network capture can be filtered either on the incoming or
outgoing side. Using the same filter syntax the remote clients allowed to
interact with the JNIOR can be controlled. These filters can be quite simple
or, if needed, much more sophisticated.
The IpConfig/CaptureFilter Registry key may optionally define a filter
which is applied to incoming packet data prior to capture. There is limited
storage for captured information and by filtering you can extend the capture
period and the amount of pertinent information collected.
A filter may also be used in generating the /temp/network.pcap capture file
from the capture buffer content using the NETSTAT -C command. Here the filter
allows you to extract only pertinent information in order to keep the file
size at a manageable level. The resulting file can be downloaded and opened
directly using Wireshark (https://wireshark.org).
The IpConfig/Allow Registry key may optionally define a filter which is
applied to incoming connections. In this case the referenced IP addresses
refer to the incoming source IP addresses, those of remote clients.
Referenced port numbers refer only to destination ports, those available on
the JNIOR.
SYNTAX
IP Addresses
To filter packets referencing a specific IP address you need only include
the IP address in the format “nnn.nnn.nnn.nnn” in the filter string. Any
packet that references this IP address either as the source or the
destination address will be selected for inclusion. All other packets
will be excluded unless covered by some other part of the filter. When
filtering remote client connections this specifies a specific IP address
to allow. Note that this is a dangerously limiting restriction on remote
clients.
To exclude packets referencing a certain IP address you can prepend a ‘!’
exclamation point to the address like this “!nnn.nnn.nnn.nnn”. All
packets that do reference the IP address as either a source or
destination address will NOT be selected for inclusion. This can also be
written as “NOT nnn.nnn.nnn.nnn”. This may be especially helpful to
filter your IP address while debugging communications with other devices.
In filtering remote client connections, the NOT syntax is ideal for
blocking the client based upon IP address.
Note that an IP address is identified by its format, four decimal values
between 0 and 255 separated by the ‘.’ period.
The domain syntax allows you to define a range of IP addresses as would
be associated with a netmask. The format is “nnn.nnn.nnn.nnn/mm” where
‘mm’ specifies the number of high order bits that would be in the netmask.
For example, “10.0.0.0/24” specifies any IP address in the domain that
contains IP addresses 10.0.0.1 through 10.0.0.255 and uses a netmask of
“255.255.255.0”. This is useful in selecting only local traffic for
instance. It would also be perfect for allowing only clients from a
specific network to connect to the unit.
MAC Addresses
Although less often required you can filter on a specific MAC address.
The MAC address is included in the filter string in the format
“hh:hh:hh:hh:hh:hh”. This is six two-digit hexadecimal values (0-9, a-f),
not case-sensitive, separated by the ‘:’ colon. For instance most INTEG
Series 4 JNIORs have MAC address formatted as “9C:8D:1A:hh:hh:hh” where
the lower three bytes are assigned uniquely in some sequence.
As with IP addressing, packets with MAC addresses may be excluded by
writing the filter as “!hh:hh:hh:hh:hh:hh” or “NOT hh:hh:hh:hh:hh:hh”.
Again a MAC address is identified by its format. A MAC address would
rarely be appropriate in filtering a remote client however.
Ports
A port is specified in the filter string as a decimal value between 1
and 65535 inclusive. No punctuation is required. The capture filter does
not distinguish between a TCP or UDP port number. A port may be excluded
using the negation “!nnn” or “NOT nnn”. When filtering remote client
connections the filter logic can use this to block the client from
accessing a specific function by port.
There are standard ports assigned for various functions. The capture
filter knows some of them by name. Some may be reconfigured through the
Registry. As a convenience the port may be specified using its protocol
name. The capture will be filtered on the port as configured at the time
the filter is compiled (at boot or upon NETSTAT command). JANOS
recognizes these port names where the default values are shown in
parentheses: SMTP (25), NTP (123), JNIOR (9200), JMP (9220), FTP (21),
HTTP (80), HTTPS (443), TELNET (23), and BEACON (4444). These ports may
be excluded using the same negation syntax as previously shown.
Boolean Constants
The capture filter will also recognize the terms TRUE and FALSE. TRUE
indicates that the packet is to be included and FALSE otherwise.
Logical Operations
To filter on a single IP address, MAC address or port (or to exclude a
single item) the filter need only specify the address or port in the
proper format. The following would select the communications involved
in an email transfer. If this is used as an incoming filter, only email
transactions would be captured. If this is used with NETSTAT -C in
generating the PCAPNG file, the file would only include email
communications.
NETSTAT -C SMTP
netstat -c 25
Note that filters (and also commands) are not case-sensitive. The forms
above will create a PCAPNG file with just outgoing email communications.
This assumes that you have not reconfigured the SMTP port. If you have
set Email/Port to another port (587 for instance) then the first line
will extract your email communications and the second will not, although
the second filter might still reveal an application trying to use the
incorrect port.
Filters often need to be slightly more complex in order to include the
collection of communications needed. The syntax allows you to specify
any number of addresses or ports in any combination using AND, OR and
XOR logic. As an alternative you may use the notation && and || for
AND or OR respectively.
As an example, perhaps you want to filter only email communications with
the SERVER whose IP address is 10.0.0.4:
netstat -c "10.0.0.4 && smtp"
If you want to also include BEACON communications you might write the
filter as:
netstat -c "10.0.0.4 AND smtp OR beacon"
Here you might question the order of precedence of the logical operations.
The capture filters do not support an order of precedence but perform the
operations strictly from left to right. So the filter above is evaluated
as follows:
netstat -c "(10.0.0.4 && SMTP) || BEACON"
which is what we intended. If there is any doubt you can use parentheses
in the filter as shown. The following will create the same subset of
packets but would not if we were to omit the parentheses:
netstat -c "BEACON || (10.0.0.4 && SMTP)"
A parenthesized grouping can be negated as you would expect. The following
will create a capture of all activity EXCEPT email communications with
the SERVER.
netstat -c "!(10.0.0.4 && smtp)"
Finally if we had wanted to mask these email communications from the
overall capture buffer we can install this filter using the command:
netstat -f "!(10.0.0.4 && smtp)"
This would result in the following Registry setting and would filter
out matching communications until such time as the filter is removed.
IpConfig/CaptureFilter = "!(10.0.0.4 && smtp)"
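As an added worked example (this is not INTEG's code and is not taken from this page), the following Python evaluator implements the filter syntax described under SYNTAX and Logical Operations: IP addresses and nnn.nnn.nnn.nnn/mm ranges, MAC addresses, numeric and named ports, negation with ! or NOT, AND/OR/XOR with the && and || alternatives, strict left-to-right evaluation, and parentheses. It runs the filters shown above over three constructed packets. The SAMPLE_PACKETS, the packet() and select() helpers, the "capture" and "allow" modes and the fixed PORT_NAMES table are assumptions of this example; on a real unit the named ports are resolved from the Registry when the filter is compiled. The "allow" mode applies the IpConfig/Allow interpretation from the DESCRIPTION: the IP is the remote client's source address and the port is a destination port on the JNIOR.

```python
# Added example, not INTEG's own code (the JNIOR's filter compiler is not on this
# page): an evaluator for the filter syntax described above, run over constructed
# packets. Port names are fixed to the page's defaults rather than read from the
# Registry. mode="capture" matches an address or port at either end of a packet;
# mode="allow" matches the client's source IP and the JNIOR's destination port only.
import ipaddress
import re

PORT_NAMES = {"SMTP": 25, "NTP": 123, "JNIOR": 9200, "JMP": 9220, "FTP": 21,
              "HTTP": 80, "HTTPS": 443, "TELNET": 23, "BEACON": 4444}
TOKEN_RE = re.compile(r"\s*(\(|\)|!|&&|\|\||[A-Za-z0-9.:/]+)")
CIDR_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")  # IP or IP/mm
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")

def tokenize(text):
    """Split a filter into '(', ')', '!', '&&', '||' and bare words."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Filter:
    def __init__(self, text, mode="capture"):
        self.tokens, self.mode, self.pos = tokenize(text), mode, 0

    def matches(self, pkt):
        self.pos = 0
        value = self._expr(pkt)
        if self.pos != len(self.tokens):
            raise ValueError("unbalanced parentheses")
        return value

    def _peek(self):  # upper-cased current token, None once exhausted
        return self.tokens[self.pos].upper() if self.pos < len(self.tokens) else None

    def _expr(self, pkt):
        # No operator precedence: fold AND/OR/XOR strictly from left to right.
        value = self._term(pkt)
        while self._peek() in ("AND", "&&", "OR", "||", "XOR"):
            op = self._peek()
            self.pos += 1
            rhs = self._term(pkt)
            if op in ("AND", "&&"):
                value = value and rhs
            elif op in ("OR", "||"):
                value = value or rhs
            else:
                value = value != rhs
        return value

    def _term(self, pkt):
        tok = self._peek()
        if tok in (None, ")"):
            raise ValueError("expected an address, port or constant")
        self.pos += 1
        if tok in ("!", "NOT"):  # '!x' and 'NOT x' both negate the next term
            return not self._term(pkt)
        if tok == "(":
            value = self._expr(pkt)
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return value
        return self._atom(self.tokens[self.pos - 1], pkt)

    def _atom(self, tok, pkt):
        up = tok.upper()
        if up in ("TRUE", "FALSE"):
            return up == "TRUE"
        if MAC_RE.fullmatch(tok):  # MAC compared case-insensitively at either end
            return tok.lower() in (pkt["src_mac"].lower(), pkt["dst_mac"].lower())
        if CIDR_RE.fullmatch(tok):  # a plain IP is treated as a /32 network
            net = ipaddress.ip_network(tok, strict=False)
            ends = [pkt["src_ip"]] + ([pkt["dst_ip"]] if self.mode == "capture" else [])
            return any(ipaddress.ip_address(ip) in net for ip in ends)
        if up in PORT_NAMES or (tok.isdigit() and 1 <= int(tok) <= 65535):
            port = PORT_NAMES[up] if up in PORT_NAMES else int(tok)
            ends = [pkt["dst_port"]] + ([pkt["src_port"]] if self.mode == "capture" else [])
            return port in ends
        raise ValueError(f"unrecognized filter term {tok!r}")

def packet(src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac):
    return locals()  # a packet record with exactly these six fields

# Constructed sample traffic at a JNIOR 10.0.0.9 (MAC 9c:8d:1a:00:00:01).
SAMPLE_PACKETS = {
    "smtp": packet("10.0.0.9", "10.0.0.4", 50123, 25, "9c:8d:1a:00:00:01", "00:11:22:33:44:55"),
    "beacon": packet("10.0.0.7", "10.0.0.9", 4444, 4444, "aa:bb:cc:dd:ee:ff", "9c:8d:1a:00:00:01"),
    "web": packet("192.168.5.20", "10.0.0.9", 40000, 80, "aa:bb:cc:00:00:02", "9c:8d:1a:00:00:01"),
}

def select(text, mode="capture"):
    """Names of the sample packets the filter selects, in dictionary order."""
    f = Filter(text, mode)
    return [name for name, pkt in SAMPLE_PACKETS.items() if f.matches(pkt)]
```

With these packets, select("BEACON || 10.0.0.4 && SMTP") returns only the SMTP packet, because left-to-right evaluation folds it as (BEACON || 10.0.0.4) && SMTP, while select("BEACON || (10.0.0.4 && SMTP)") returns both the SMTP and the BEACON packet, and select("!(10.0.0.4 && smtp)") returns everything except the SMTP packet. The same syntax in allow mode, select("10.0.0.0/24 AND NOT TELNET", "allow"), admits only the two local clients and would still refuse any of them on the TELNET port.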
NOTES
Filters containing space characters and logical AND and OR operators need to
be surrounded by quotes. This is to ensure that the entire filter string is
properly processed as a single parameter to the NETSTAT command.
This same filter syntax is used by the IpConfig/Allow Registry key, the
purpose of which is to limit access to the JNIOR. Care needs to be
exercised in setting this key as you may end up preventing your own
access to the JNIOR. If this occurs you must reset the filter through
the COM RS-232 serial port.
SEE ALSO
HELP Topics:
NETSTAT,
SAFEMODE
[/flash/manpages/reference.hlp:324]