Packet Filtering: Catching the Cool Packets
Throughout this book I show the filters that I most often build to use on networks. Here is one quick list of the filters that you should have ready to go whenever needed.
Depending on your analyzer, some of these filters may be pre- built - you may consider, however, whether the filter is going to work for you. For example, Sniffer has an option to select FTP data as an application filter. This filter is based on port 21 usage for command sequences.
Unfortunately, however, most FTP communications negotiate a dynamic port number for exchange of data - you won't catch this traffic with the default Sniffer port filter. In Chapter 4, we’ll look at other ways to catch FTP traffic without a dependency on port values.
Filters Ya Gotta Have
-
broadcast
-
multicast
-
peer-to-peer applications
-
nimda
-
ARP
-
BPDU (spanning tree)
-
CDP (Cisco Discovery Protocol)
-
IP
-
TCP
-
UDP
-
IPX
-
SPX
-
DHCP
-
FTP
-
Telnet
-
SNMP (query and trap)
-
DNS (query and zone transfer)
-
Fred (you know who that is)
-
TCP handshake
-
IP fragments
-
ICMP (all types and codes)
-
NCP 1111 (Get Connection)
-
NCP 2222 (Request)
-
NCP 3333 (Response)
-
NCP 5555 (Destroy)
-
NCP 9999 (Server Delay)
-
NetBIOS
-
... and so many more...
In Appendix C and D, you’ll follow some step-by-step instructions to import my sample filter set into EtherPeek or Sniffer. I’ve included several of these filters in the set.
So there you have it. It's time now to start building all types of filters to use on your network. I have confidence in you that you can build every filter listed in this book. Once you start building filters, you'll find that it's addictive!