Packet Filtering: Catching the Cool Packets
The UDP header is simplistic by comparison to the TCP header, as shown in Figure 9. It's only 8 bytes long - that's it! The main fields we filter on in the UDP header are the source and destination port numbers.
Most analyzers have application filters pre-built based on the source and destination port number field value. For example, if you select the FTP filter in Sniffer, you will have a filter built on the value 0x15 (21d). What happens if someone is sneaking through data using port 33d for their FTP commands? The pre- built filter just won't work then, eh?
That's why you must be able to build filters based on the source and destination port field. Again, Chapter 4 has lots of examples of building filters based on the source and destination port field values. In that chapter, you’ll build a filter for ‘hidden’ FTP commands crossing your network.
Note | If you’re not sure if your ‘content filtering’ firewall is stopping these types of packets, build an FTP command filter and test it! -- Laura |