Packet Filtering: Catching the Cool Packets
If you know the IPX address of a device and you only want to focus on IPX-based communications, build IPX-based address filters. Just as shown in the MAC address filter section and IP address filter section, you can set up filters for IPX traffic to the broadcast or multicast addresses or filter for IPX traffic to and from unicast addresses.
IPX addressing is kinda weird. IPX addresses include the MAC address in the network-layer address or, in the case of traffic coming from the NCP layer of the server, an identifiable host address value (0x000000000001).
We also find that there are times when devices don't know what IPX network they are on. For example, when a NetWare client boots up, it broadcasts SAP packets onto the network. During this communication, the NetWare client uses the source IPX network address of 0x00000000 because it has not discovered the network address yet. Once the SAP response is received, the client can start using the actual IPX network address in further transmissions.
So what can you do with this basic information about the way IPX communications work? Well… consider the following:
- You can filter on all packets coming from an IPX address that has the host portion value 0x000000000001.
- When you capture some IPX traffic, you can look into the IPX header to get the sender/receiver's hardware address (except in the case of packets sent to and from NCP).
- You can build a filter for all traffic from the IPX network portion value set at 0x00000000.
Consider the filter shown in Figure 17.
Most analyzers have a pretty simple way to do address filtering. In some cases, you may even be able to click and drag the address from an address table. Regardless, consider building a strong set of general address filters as defined in this section.
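The three address checks listed above can also be applied to raw captured bytes. The following is an added example, not taken from the original article or from any analyzer: it decodes the standard 30-byte IPX header and tests the source address fields. The function names, filter labels, sample addresses and socket numbers are constructed for illustration.

```python
import struct

# IPX header layout: checksum, length, transport control, packet type, then
# destination and source addresses (4-byte network, 6-byte node, 2-byte socket).
IPX_HEADER = struct.Struct("!HHBB4s6sH4s6sH")          # 30 bytes, no padding
SERVER_INTERNAL_NODE = bytes.fromhex("000000000001")   # host value named in the text
UNKNOWN_NETWORK = bytes(4)                             # 0x00000000

def parse_ipx(packet):
    """Decode the address fields; `packet` must start at the IPX header."""
    if len(packet) < IPX_HEADER.size:
        raise ValueError("truncated IPX header")
    _ck, _len, _tc, _type, dnet, dnode, dsock, snet, snode, ssock = \
        IPX_HEADER.unpack_from(packet)
    return {"dst_net": dnet, "dst_node": dnode, "dst_sock": dsock,
            "src_net": snet, "src_node": snode, "src_sock": ssock}

def match_filters(packet):
    """Return the labels (hypothetical names) of the source filters this packet hits."""
    h = parse_ipx(packet)
    hits = []
    if h["src_node"] == SERVER_INTERNAL_NODE:
        hits.append("src-host-000000000001")
    if h["src_net"] == UNKNOWN_NETWORK:
        hits.append("src-network-00000000")
    return hits

def sender_hardware_address(packet):
    """Sender's MAC from the IPX node field, or None when the node is the
    server's internal host value rather than a hardware address."""
    node = parse_ipx(packet)["src_node"]
    return None if node == SERVER_INTERNAL_NODE else node.hex(":")

def build_header(dnet, dnode, dsock, snet, snode, ssock):
    """Helper for the constructed samples below (header only, no payload)."""
    return IPX_HEADER.pack(0xFFFF, IPX_HEADER.size, 0, 0,
                           bytes.fromhex(dnet), bytes.fromhex(dnode), dsock,
                           bytes.fromhex(snet), bytes.fromhex(snode), ssock)

# Constructed samples: a booting client's SAP broadcast and a server NCP reply.
CLIENT_BOOT = build_header("00000000", "ffffffffffff", 0x0452,
                           "00000000", "00a0c9112233", 0x4003)
SERVER_NCP_REPLY = build_header("0000beef", "00a0c9112233", 0x4003,
                                "0000cafe", "000000000001", 0x0451)

if __name__ == "__main__":
    for name, pkt in (("client boot", CLIENT_BOOT), ("server reply", SERVER_NCP_REPLY)):
        print(name, match_filters(pkt), sender_hardware_address(pkt))
```

The input must begin at the IPX header, so strip the data-link framing (Ethernet II, 802.2, SNAP or raw 802.3) before calling `parse_ipx`.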