|
|
This chapter describes how you develop custom filters using the TrafficDirector Filter Editor application.
The following topics are described in this chapter:
A filter is a screening device that helps you isolate and retrieve only the data you need from a SwitchProbe or Network Analysis Module agent so it can be passed and stored for processing in TrafficDirector applications, or incorporated into a generic domain definition.
The filter defines a specific bit pattern you want the SwitchProbe device or Network Analysis Module to look for. By using filters, you can configure the device to look for specific types of packets on a network segment. The SwitchProbe device or Network Analysis Module compares every packet it sees on the selected interface to the specified bit pattern.
Before you start a data capture session or create a custom domain, you must determine how much data is actually required for evaluation. To do this, you can select an existing filter or design a new one using Filter Editor to narrow the scope of incoming data.
The Filter Editor includes several predefined filter formats for the most commonly used protocols that should handle most data capture requirements. You can use these formats to construct a filter for a data capture session or add to a generic domain definition. You can also edit the filter definition and retain it in the filter list for later use.
To build a filter definition, you apply a filter format that uniquely describes the specific characteristics of the packets you want to evaluate. Filter formats are based on the detailed structure of the seven-layer OSI model protocol stack that defines a transmission frame.
To collect selected data, you can construct the filter definitions to capture data that is:
All packets that pass the filter form a logical data and event stream or channel within the SwitchProbe device. You can monitor these channels and their associated traffic flow using TrafficDirector applications.
You can use the filters you create using Filter Editor to construct generic domains. When you define a custom generic domain, you are also identifying one or more filters that are downloaded to the SwitchProbe agent when the generic domain is installed. SwitchProbe devices can support a total of 32 filters simultaneously (and not more than 8 per generic domain), across all generic domains installed at the device. This means that if four generic domains have four associated filters, two more domains could have as many as eight each.
The filters you create with Filter Editor are displayed in a list in the New Generic Domain window of the Domain Editor. For related information, see Chapter 5, "Working with Domains."
You can use the filters you create using Filter Editor to perform data capture requests. You can associate multiple filters with a data capture request; at least one filter must match the search criteria for the data to be included in the capture.
You can also use a custom filter in a post-capture filtering request, when the data retrieved from a data capture is saved in a file, then evaluated using the Protocol Decode application.You may need to further isolate the data, to eliminate extra detail that may otherwise obscure the information you are looking for.
The filters you create in the Filter Editor are displayed in a pulldown list in the Data Capture window of the Data Capture application. The same filters are also displayed in a Custom Filters list in the Post Capture Filters window of the Protocol Decode application. For information about using the Data Capture or Protocol Decode applications, see Chapter 28, "Capturing Data Packets," and Chapter 29, "Decoding Packets."
To speed the filter definition process, the Filter Editor includes many predefined filter formats for the most common protocol stacks, such as IP and UDP. After you select a filter format, the corresponding fields are displayed as a template that you can customize as needed.
Except for the filter name (which is required), the remaining fields are all optional; you define only those fields needed. The fields may require a single-byte value, or in some cases, multiple bytes. You can also create filters at the bit level, if required, by making the necessary changes to a single-byte representation.
You can choose from two filter types: physical or logical. The filter type depends upon the filter format you select.
A physical filter is topology-specific. The filter criteria you define must be used with a specific media type, and is applied to packets at fixed positions. The predefined physical filters are listed in Table 8-1.
| This Filter Type... | Is For Use Only On |
|---|---|
SMT | FDDI networks |
TRMAC | Token Ring networks for MAC packets |
TRNONMAC | Token Ring networks for non-MAC packets |
You can use a logical filter on any network. The software applies the criteria you specify at the appropriate position in a packet, regardless of the topology. The TrafficDirector software logically calculates the offset so that the comparison between the filter and packet begins at the Destination MAC Address bits. This allows you to use the same filter format across several topologies.
Logical filters are also useful because they save you time and effort in setting up the proper configurations, because filters can apply in more than one instance. For example, if you need to apply an IP filter on both a Token Ring network and an Ethernet network, you can define one filter that works on both.
When you define filters, you can use different numeric styles for values:
The numeric style you use to specify values depends on whether the field is single-byte, multibyte, or single bit, and whether the field is tied to a certain type, such as MAC address, which accepts only a hex value.
To find out whether a field is single byte or multiple byte, you can open any predefined filter format file contained in the $NSHOME/usr directory. For example, if you want to find out how many bytes are required in the Time to Live field in an IP filter format, you would issue the following command from your $NSHOME/usr directory:
The filter format file (ip.ff) is displayed, showing the fields defined for the IP filter type, number of bytes required for each field, and any specific value type associated with a field (such as MACADDR, the MAC address type).
You can specify the numeric types shown in Table 8-2 in single-byte fields, but note any restrictions.
| Data Type | Description |
|---|---|
Hex | These values must contain characters from the hexadecimal numeric set, 0 to 9 or a to f. However, if you specify a hex value that contains all numerics, the TrafficDirector application translates it as a decimal number. For example, if you want to specify time to live as 128 seconds, and you enter the hex value 80, the TrafficDirector application translates it as 80 seconds, instead of 128. |
Decimal | These values must contain all numbers and no dots. For example, if you want to specify time to live as 128 seconds, enter 128, not 128.00. If you do enter 128.00, the TrafficDirector application translates your entry as a two-byte value and displays an error message advising you that time to live is a single-byte field. |
Binary | These values are only 0s and 1s, and must begin with the capital letter B. |
Wildcard | There are two acceptable wildcards when you only want to specify part of a numeric value. For hex or decimal numbers, you can specify an uppercase X as a wildcard. The X is a placeholder for one byte of information for decimal values, or four bits for hex values. For binary numbers, you must use a lowercase x as a wildcard and as a placeholder for one bit of information. |
Binary and | You can use a combination of binary and hexadecimal values in any multibyte field. This is especially useful when you want to capture multicast packets on different network topologies. |
In multiple-byte fields, you can specify the numeric types shown in Table 8-3, but note any restrictions.
| Data Type | Description |
|---|---|
Hex | These values must contain characters from the hexadecimal numeric set, 0 to 9 or a to f. However, if you specify a hex value that contains all numerics, the TrafficDirector application translates it as a decimal number. |
Decimal | These values in multiple-byte fields can contain numbers and dots. However, the TrafficDirector application reads each side of a dot as a separate number. For example, if you specify a number as 255.255.255.75, the TrafficDirector application reads four values: 255, 255, 255, and 75. |
Binary | These values are only 0s and 1s, and must begin with the capital letter B. |
Wildcard | There are two acceptable wildcards when you only want to specify part of a numeric value. For hex or decimal numbers, you can specify an uppercase X as a wildcard. The X is a placeholder for one byte of information for decimal values, or four bits for hex values. For binary numbers, you must use a lowercase x as a wildcard and as a placeholder for one bit of information. |
To create a filter based on the individual bits of a field, you must manually edit the appropriate file in the $NSHOME/usr directory to capture the values for individual bits.
The bits must be represented as part of a byte in binary form. An entire byte representation must start with the capital letter B, have all eight bits entered, and have each bit represented by a 0 or a 1. Use a lowercase x character to represent a bit wildcard.
For example, B01xxxxxx, where the source address entry in a new filter definition file would appear as:
#Field NameSizeTypeMatch Value "Source Address"6MACADDR00-00-0c-B00xxxxxx-XX-XX
You can add new filter definitions, edit existing ones, or delete filter definitions from the Filter Editor list as described in the following sections:
To add a new filter, follow these steps:
Step 1 Click the Filter Editor icon in the TrafficDirector main window.
The Filter Editor window opens (Figure 8-1).
Step 2 Click New.
The New Filter window opens (Figure 8-2). Most fields are blank, allowing you to designate details for a specified filter format.
Step 3 Enter a name for the new filter in the Filter Name field.
Specify up to 8 letters, numbers, dashes, or underscores. The name must begin with a letter.
Step 4 Select a format from the Filter list box.
Step 5 Click Select Format.
The Add Filter window displays all field names applicable for the filter format you selected. Depending on your selection, you may see only three fields or two pages of fields.
For example, if you selected the TCP filter format, the Add Filter window displays names for all fields shown in the window, and the PgDn button is enabled. You can click PgDn to see the remaining fields, then click PgUp to toggle back to the first page.
Step 6 Enter information as needed.
(Some fields already contain data.)
Step 7 Click OK to add the filter and display it in the filter list.
To edit an existing filter definition, follow this procedure:
Step 1 Click on the Filter Editor icon in the TrafficDirector main window.
The Filter Editor window opens (Figure 8-1).
Step 2 Select the filter you want to edit from the filter list.
Step 3 Click Edit.
The Edit Filter window (Figure 8-3) is displayed. Existing fields are already filled in with the values you last specified.
Step 4 Change the fields you want to edit.
Step 5 Click OK to create the new filter, or click Cancel to quit.
When you no longer need a filter, you can delete the filter definition to conserve system resources. To delete a filter definition from the filter list, use the following procedure.
Step 1 Click the Filter Editor icon in the TrafficDirector main window.
The Filter Editor window is displayed.
Step 2 Select the filter you want to delete from the filter list.
Step 3 Click Delete.
A cautionary window asks you to confirm that you really want to delete the filter definition.
Step 4 Click OK to delete the filter definition, or click Cancel to quit without deleting the filter definition.
Posted: Mon Feb 8 15:17:38 PST 1999
Copyright 1989-1999©Cisco Systems Inc.