Packet Filtering: Catching the Cool Packets
When you start to write a master list of all the protocols that you should have filters for, you begin to wonder when you'll have time for life. There are so many filters to build! Fortunately, the analyzers we have today have some pre-built protocol filters - just select the protocol and you're done.
Figure 19 shows the pre-built filter list for the Sniffer.
Geez… that's easy, eh? Well, let's look at a sample list of filters that are included in one analyzer (Sniffer) under the IP heading. Ready? Here we go:
- IP
- EGP
- GGP
- Hello
- ICMP
- IGMP
- IGRP/EIGRP
- IP-VINES
- ISO-TP4
- OSPF
- TCP
- DNS (TCP)
- FTP
- GOPHER
- HTTP
- HTTPS
- LDAP
- NETBIOS (TCP)
- NNTP
- POP
- PRINTER
- REXEC
- RLOGIN
- RSH
- ...and many more...
These pre-built protocol filters are based on standards and specifications - if the specification says that FTP commands use port 21, then the pre-built FTP filter will look for the number 21 in the port number fields. What if someone brings up an FTP server using port 80 for all FTP commands? What happens to our pre-built filters then? In that case, our filters won't work, eh? While we look for all traffic to and from port 21, FTP traffic cruises by using port 80. Yipes… This is why you really need to be careful when you rely solely on the pre-built filters.
Chapter 4 covers ways to go higher than the PID fields to identify packets.
Figure 20 shows how EtherPeek protocol filters are built using the pre-defined PID values.
See… it's not that tough! Take a moment and make a solid set of protocol filters for your network. You might want to start by learning what protocols are crossing the wire. To do this in either protocol analyzer, view the protocol distribution window. Figure 21 shows the Sniffer protocol distribution window.
Figure 22 shows the EtherPeek protocol distribution window.
In Figures 21 and 22, we're looking at the protocol distribution windows for Sniffer and EtherPeek. As you can see, these networks have several IP-based protocols running on the network. If I were setting up the analyzer for this network, I'd build the following filter set:
- all IP traffic (you've got to have that)
- broadcast traffic
- NCP over IP (based on port 524)
- ICMP (based on protocol 1 in the IP header)
- RIP (based on port 520)
- SLP (based on port 527)
- NetBIOS Name Service (based on port 137)
- NetBIOS Datagram Services (based on port 138)
- DHCP (pretty sure they aren't using BOOTP - based on ports 67 and 68)
- SNMP (based on ports 161 and 162)
You may wonder why I would create a filter on IP. Well… I like to know when non-IP traffic comes across the network. By comparing the number of packets seen vs. the number of packets captured by an IP filter, I can figure out how much 'non-IP' traffic is crossing the wire. Another way to do this is to build a 'NOT' filter using pattern filtering (covered in the next chapter).
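To make the two points above concrete (the pre-built filters keying on well-known port numbers and missing FTP that has been moved to port 80, and the filter set built from the protocol distribution window including the "packets seen vs. packets captured by the IP filter" trick), here is an added example written for this chapter. It is not Sniffer or EtherPeek code and not the book's own; it dissects standard Ethernet/IPv4/TCP/UDP headers, applies the chapter's filter list (port numbers as listed above), and shows a content-based check that catches the port-80 FTP session. All frames are constructed inline, and the helper names (`build_frame`, `dissect`, `port_filter`, `apply_filters`, `non_ip_count`, `looks_like_ftp`) are this example's own.

```python
import struct

ETH_IP = 0x0800
ETH_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def build_frame(ethertype, proto=None, sport=0, dport=0, payload=b"",
                dst_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed test frame: Ethernet header plus a minimal IPv4/TCP, IPv4/UDP
    or IPv4/other packet. Non-IP frames get a dummy body. Checksums stay zero
    because only the headers a protocol filter keys on are inspected."""
    eth = dst_mac + b"\x00\xaa\xbb\xcc\xdd\xee" + struct.pack("!H", ethertype)
    if ethertype != ETH_IP:
        return eth + b"\x00" * 28
    if proto == 6:    # TCP: 20-byte header, data offset 5, PSH+ACK
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                                8192, 0, 0) + payload
    elif proto == 17:  # UDP: 8-byte header
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:              # ICMP etc.: opaque body
        transport = payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64,
                     proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + transport


def dissect(frame):
    """Pull out the fields a pre-built protocol filter looks at: EtherType,
    IP protocol number, transport ports, and the application payload."""
    f = {"dst_mac": frame[:6], "ethertype": struct.unpack("!H", frame[12:14])[0],
         "proto": None, "sport": None, "dport": None, "payload": b""}
    if f["ethertype"] != ETH_IP:
        return f
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    f["proto"] = ip[9]                # protocol field (1 = ICMP, 6 = TCP, 17 = UDP)
    transport = ip[ihl:]
    if f["proto"] in (6, 17):
        f["sport"], f["dport"] = struct.unpack("!HH", transport[:4])
        hdr = (transport[12] >> 4) * 4 if f["proto"] == 6 else 8
        f["payload"] = transport[hdr:]
    return f


def port_filter(name, ports, proto=None):
    """A pre-built-style filter: match when either port is in the list."""
    def match(f):
        if f["proto"] not in (6, 17) or (proto is not None and f["proto"] != proto):
            return False
        return f["sport"] in ports or f["dport"] in ports
    return name, match


# The chapter's filter set, keyed on the fields a specification-based filter uses.
FILTERS = [
    ("IP", lambda f: f["ethertype"] == ETH_IP),
    ("Broadcast", lambda f: f["dst_mac"] == BROADCAST_MAC),
    ("ICMP", lambda f: f["proto"] == 1),
    port_filter("NCP over IP", (524,)),
    port_filter("RIP", (520,), 17),
    port_filter("SLP", (527,)),
    port_filter("NetBIOS Name Service", (137,), 17),
    port_filter("NetBIOS Datagram Service", (138,), 17),
    port_filter("DHCP", (67, 68), 17),
    port_filter("SNMP", (161, 162), 17),
    port_filter("FTP (port 21)", (21,), 6),
]


def looks_like_ftp(f):
    """Content-based check that goes higher than the port fields: an FTP control
    session carries USER/PASS commands no matter which port it runs on."""
    return f["proto"] == 6 and f["payload"][:5] in (b"USER ", b"PASS ")


def apply_filters(frames, filters=FILTERS):
    """Count how many frames each filter would capture."""
    counts = {name: 0 for name, _ in filters}
    for frame in frames:
        f = dissect(frame)
        for name, pred in filters:
            if pred(f):
                counts[name] += 1
    return counts


def non_ip_count(frames):
    """(packets seen, packets captured by the IP filter); the gap is non-IP traffic."""
    captured = sum(1 for fr in frames if dissect(fr)["ethertype"] == ETH_IP)
    return len(frames), captured


# Constructed sample capture: RIP broadcast, ICMP echo, DHCP discover,
# FTP on port 21, the same FTP login moved to port 80, and one ARP frame.
SAMPLE = [
    build_frame(ETH_IP, 17, 520, 520, b"\x02\x02" + b"\x00" * 22, dst_mac=BROADCAST_MAC),
    build_frame(ETH_IP, 1, payload=b"\x08\x00\x00\x00"),
    build_frame(ETH_IP, 17, 68, 67, b"\x01" * 240, dst_mac=BROADCAST_MAC),
    build_frame(ETH_IP, 6, 1037, 21, b"USER anonymous\r\n"),
    build_frame(ETH_IP, 6, 1038, 80, b"USER anonymous\r\n"),
    build_frame(ETH_ARP),
]

if __name__ == "__main__":
    for name, n in apply_filters(SAMPLE).items():
        print(f"{name:26s} {n}")
    seen, captured = non_ip_count(SAMPLE)
    print(f"non-IP packets: {seen - captured} of {seen}")
    print("port-80 FTP caught by payload check:", looks_like_ftp(dissect(SAMPLE[4])))
```

Run as a script it prints the per-filter counts: the port-21 FTP filter captures one frame and silently misses the port-80 login, while `looks_like_ftp` catches both, and the seen-vs-captured gap on the IP filter reports the single ARP frame as non-IP traffic.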