Director xStream Pro


Creating Filters and Using DPI
Director xStream Pro features extensive packet filtering capabilities that inspect every bit in every packet, including header fields and payload, down to the last byte. Header field constraints may include equality, inequality and exact range checks. Payload pattern search may include anchored and non-anchored strings, with wildcards, located anywhere in the packet. Filters can be applied on the eight ProPorts whether they are being used as inputs or outputs, enabling, for example, specification of traffic to be load balanced, and full flexibility for aggregating or regeneration. Filters can be applied to traffic originating at or leaving standard ports by routing the traffic through a ProPort (port 9-24 → filter → port 1-8 or port 1-8 → filter → port 9-24). In addition to the complex filters that allow sophisticated specification of packet profiles, “simple” filters can be used to filter on IP addresses (including wildcards and CIDR masks); this facilitates easy entry of multiple IP addresses. Each ProPort supports 16 complex rules and 10 simple rules.

Complex Filters
Each complex filter is divided into three sections. The top section is a control section—this section provides controls for activating/deactivating filters, selecting the action (drop, pass, balance), setting the name of the filter, choosing from filter types, and snapshot packet capture. The middle section contains fields specific to each filter template and is used to enter criteria such as IP addresses and payload patterns. The bottom section reports status as well as error messages and also displays the amount of traffic matching the specified filter. A typical filter is shown in the following figure and a detailed description follows.

Figure 37: Filter Overview (screenshot). Callouts: Filter Activate/Deactivate, Filter Name, Filter Type, Action: Count, Pass, Drop, or Balance, Snapshot Packet Capture Trigger, Expand/Collapse. Regions: Filter Control (Yellow), Filter Specification (Teal), Stats and Counters (Gray). Sample field values visible in the screenshot: aa:bb:cc:dd:ee:ff, 11:22:33:44:55:66, 410, 192.168.9.1, 192.168.9.5, 105, 80, 80.

Expand / Collapse Expands or collapses the filter. When collapsed, only the filter controls are shown. If the filter is expanded, the filter specification and status lines are shown. If an error occurs, filters with errors are automatically expanded.

ELEXO - Téléphone : 01 41 22 10 00 - Fax : 01 41 22 10 01 - [email protected] SA AU CAPITAL DE 381 123 EUROS – TVA : FR 00 722 063 534 - R.C.S. NANTERRE B 722 063 534 - SIRET 72206353400043 - CODE APE 516 J


Filter Activate / Deactivate
Activates or deactivates the filter. A check box indicates the filter is active. Since modification of active filters is not allowed, editing a filter specification or control will automatically deactivate the filter. Click the activate box to reactivate.

Tip! When you activate a filter, it is saved in the hardware. If you want to define a filter and save it in the hardware without activating it, click the Save button at the top of the complex filter screen.

Filter Name
An identifier for the filter: alphanumeric characters and “_”, “-” only, maximum length of 24 characters. Spaces are permitted.

Filter Type
Use this menu to select the type of filter specification to use. Each type presents a different set of configurable filter parameters; choose the filter type that best meets your needs. For payload pattern matching, the beginning of the payload varies depending on the filter type; see Appendix B for details.

Note: When you change the filter type, any values you may have entered in the filter fields are cleared.

Drop, Pass, and Balance
By default, all traffic received on an input port is copied (mirrored) to the ports designated as its outputs (as configured on the topology page). Similarly, if a port is configured as an output and no filters are set, all traffic will leave the device. Setting an action (DROP, PASS or BALANCE) enables control over which packets are transmitted or received. The DROP action causes all packets that match the specified criteria to be dropped.

The PASS action does the opposite: packets matching the filter criteria are passed by the filter. PASS has higher priority than DROP—it is “stronger.” This fact enables creation of filters that pass only the desired traffic. For example, a filter that drops all TCP traffic can be combined with a filter that passes all TCP traffic with source port 80 and “Net Optics” in the payload, enabling a monitoring tool attached to an output to receive only TCP traffic with source port 80 and “Net Optics” anywhere in the payload. A PASS filter by itself does nothing because all traffic is passed by default. To pass only traffic specified with a PASS filter, couple it with a DROP filter that drops all packets (use a STRING MATCH filter type with ? for the payload).

Selecting the BALANCE action causes packets that match the specified filter to be load balanced among the ports configured on the topology page. The type of traffic to be load balanced can be filtered by setting additional drop and pass filters on the input port. In addition, ProPorts can be used as output ports to provide filtering on packet egress, enabling flexible management of load balanced traffic.

Snapshot Packet Capture Trigger
Click SNAP to activate snapshot capture of packets matching the filter specification. Click Snapshot in the top command menu bar to see the captured pcap files.



Filter Input Conventions
Director xStream Pro comes with a set of filter templates that cover a broad set of networking protocols and applications. The following sections explain the basics of how to specify filters and walk through some examples.

Entering Values: CIDR Masks, Port Ranges
Most filters contain fields that support entry of CIDR masks and port ranges. CIDR masks for IP addresses are specified using the standard “/” notation. Port ranges for TCP or UDP ports are specified using a colon (:) between the ports. Examples of these are shown below.

Example 1: IPv4 address CIDR
To Specify                                        | Enter
192.168.0.0 with anything in the last octet       | 192.168.0.0/24

Example 2: IPv6 address CIDR
To Specify                                                              | Enter
aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222 with anything in the last 32 bits | aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222/96

Example 3: Port range
To Specify             | Enter
Range from 80 to 8080  | 80:8080
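The field syntax above (CIDR masks and lo:hi port ranges) and the PASS-over-DROP precedence described under Drop, Pass, and Balance, put together in an added Python model. This is illustrative code written for this page, not the product's own filter engine: the Packet and Rule classes, decide(), the sample packets and the treatment of BALANCE (applied only to packets that are not dropped) are assumptions, and the payload constraint is a plain substring test rather than the full payload pattern notation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_cidr(text: str):
    """'192.168.0.0/24', 'aaaa:...:2222/96' or a bare address (a /32 or /128).

    strict=False lets the user type a host address with a mask, as the
    IPv6 example on the page does; host bits are simply masked off."""
    return ipaddress.ip_network(text.strip(), strict=False)


def parse_port_range(text: str) -> Tuple[int, int]:
    """'80:8080' -> (80, 8080); a single port '80' -> (80, 80)."""
    lo, _, hi = text.strip().partition(":")
    lo_n = int(lo)
    hi_n = int(hi) if hi else lo_n
    if not 0 <= lo_n <= hi_n <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return lo_n, hi_n


@dataclass
class Packet:                      # hypothetical, decoded-header view of a packet
    src: str
    dst: str
    proto: str                     # "TCP" or "UDP"
    sport: int
    dport: int
    payload: bytes = b""


@dataclass
class Rule:                        # hypothetical model of one complex filter
    name: str
    action: str                    # "DROP", "PASS" or "BALANCE"
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR, e.g. "192.168.0.0/24"
    dst: Optional[str] = None
    sport: Optional[str] = None    # port range, e.g. "80:8080"
    dport: Optional[str] = None
    payload: Optional[bytes] = None  # substring searched anywhere in the payload

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in parse_cidr(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in parse_cidr(self.dst):
            return False
        for spec, value in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if spec is not None:
                lo, hi = parse_port_range(spec)
                if not lo <= value <= hi:
                    return False
        if self.payload is not None and self.payload not in pkt.payload:
            return False
        return True


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Outcome for one packet: PASS beats DROP, nothing matching means the
    default mirror (PASS). BALANCE is assumed to apply to surviving packets."""
    hit = {r.action for r in rules if r.matches(pkt)}
    if "DROP" in hit and "PASS" not in hit:
        return "DROP"
    return "BALANCE" if "BALANCE" in hit else "PASS"


# Constructed sample traffic (not captured from any real network).
WEB_REPLY = Packet("10.0.0.1", "10.0.0.2", "TCP", 80, 51515,
                   b"HTTP/1.1 200 OK\r\nServer: Net Optics\r\n\r\n")
OTHER_WEB = Packet("10.0.0.1", "10.0.0.2", "TCP", 80, 51517,
                   b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n")
TLS_REPLY = Packet("10.0.0.1", "10.0.0.2", "TCP", 443, 51516, b"\x16\x03\x03")
DNS_REPLY = Packet("10.0.0.53", "10.0.0.2", "UDP", 53, 40000, b"\x12\x34\x81\x80")

# The page's example: drop all TCP, then pass back TCP from source port 80 carrying "Net Optics".
WEB_ONLY_RULES = [
    Rule("drop_tcp", "DROP", proto="TCP"),
    Rule("pass_netoptics_web", "PASS", proto="TCP", sport="80", payload=b"Net Optics"),
]
# Adding a catch-all DROP (the STRING MATCH "?" trick) leaves only the PASS traffic on the output.
STRICT_RULES = [Rule("drop_all", "DROP")] + WEB_ONLY_RULES
# BALANCE example: web traffic into a /24 is spread over the load-balanced output group.
LB_RULES = [Rule("lb_web", "BALANCE", proto="TCP", dst="192.168.0.0/24", dport="80:8080")]
LB_HIT = Packet("10.0.0.2", "192.168.0.77", "TCP", 51518, 8080)
LB_MISS = Packet("10.0.0.2", "192.168.1.5", "TCP", 51519, 80)

if __name__ == "__main__":
    for pkt in (WEB_REPLY, OTHER_WEB, TLS_REPLY, DNS_REPLY):
        print(f"{pkt.proto} sport={pkt.sport}: web_only={decide(WEB_ONLY_RULES, pkt)} strict={decide(STRICT_RULES, pkt)}")
```

Note that with WEB_ONLY_RULES the UDP packet still reaches the output, because nothing drops it; that is exactly why the page pairs a PASS filter with a catch-all DROP when only the passed traffic is wanted.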

Entering Values: Payload Patterns
The payload specification enables creation of complex filters based on payload inspection anywhere in the packet. Payload pattern searches can be case sensitive or insensitive, anchored or floating, and contain wildcards. The payload field options are listed in the following table.

Option      | Function
SKIP WORDS  | Used to specify an offset, in 16-bit words, from which to begin the search (floating search) or the specific location to search (anchored search)
ANCHORED    | Selects between anchored and floating searches
IGNORECASE  | Selects case-insensitive searching for text strings
PAYLOAD     | A combination of ASCII or hexadecimal characters with wildcards

The following conventions are used to enter payload strings:
• Strings in hexadecimal representation are enclosed between vertical bars, e.g., |01 AB 09|
• Each pair of hexadecimal characters in between vertical bars | | is an octet value; for example, ABCD is equivalent to |41|B|43 44|
• The '.' (dot) represents a “don’t-care” byte. It is supported in both ASCII and HEX notations.
• When using ASCII notation, the non-alphanumeric characters, including all special characters, need to be escaped (or alternatively, specified in HEX notation) using the backslash (\) character
• White space is ignored (unless escaped)
• Search strings are specified in words (an even number of bytes); if the length of the specific search is odd, a don’t-care '.' is automatically appended to the string


Some examples of payload specification are:
• Hex notation: |6e 65 74 77 6f 72 6b 73| is equivalent to ASCII notation: “networks”
• Mixed notation: “Net|20|Optics|20 6e 65 74 77 6f 72 6b 73|” is equivalent to ASCII notation: “Net Optics networks” and to HEX notation: |4e 65 74 20 4f 70 74 69 63 73 20 6e 65 74 77 6f 72 6b 73|

A dot (.) designates a don’t-care byte; for example, in "Net.Optics" any character (byte) can occupy the position between the two words. The dot can also be used in HEX notation, e.g. |6e . 74 77 6f 72 6b 73| is equivalent to “n” followed by any character then “tworks”.

Complex Filter Examples
This example shows how to create a filter to drop selected traffic. To create a filter to drop TCP traffic:

1. Go to the filters page and select the port with the traffic you want to filter.
2. Click Complex under the port name.
3. Select the VLAN:IP:(TCP OR UDP) filter type.
4. Enter a name for the rule.
5. Select the DROP action.
6. Select TCP as protocol.
7. Click the activate check box in the upper left corner of the filter form.

The status line at the bottom of the filter form indicates the filter is active. The right side of the status line shows the amount of TCP traffic (that is, packets matching the filter specification) on this port; these counters are also included on the current, statistics, and cumulative reports for this port.

The next example shows how to create a filter to drop traffic that contains a specified string. To create a filter to drop packets containing the string "Net Optics":

1. Go to the filters page and select the port with the traffic you want to filter.
2. Click Complex under the port name.
3. Select the STRING MATCH filter type.
4. Enter a name for the rule.
5. Select the DROP action.
6. Enter the payload Net|20|Optics in the payload field.

Note: |20| is the hexadecimal representation of a space.

7. Click the activate check box in the upper left corner of the filter form.


The status line at the bottom of the filter form indicates the filter is active. The right side of the status line shows the amount of traffic containing the specified string on this port; these counters are also included on the current, statistics, and cumulative reports for this port.

Snapshot Packet Capture
The snapshot packet capture feature enables selective remote capturing of packets to pcap files. Packets are selected and captured on the filters page, then viewed on the snapshot page. To capture a snapshot of traffic matching a filter:

1. On the filters page, define or choose a filter that matches the packets to be captured.
2. Click the SNAP box at the right side of the filter control bar.

The status line indicates that packet capture is in progress, approximately eight seconds.

3. Go to the snapshots page to view the pcap file containing the captured traffic.

On the snapshots page, a list of packet captures is shown for each port, sorted by time. If no packets were captured, the number of packets for that entry will be zero. Click on the link to download and view the pcap file (for example using Wireshark or other protocol analysis software). To delete a capture, click ‘x’ at the beginning of the line. A maximum of ten pcap files are saved per port. Successive captures automatically delete older pcap files (oldest file first). Note that pcap files are not retained when the Director xStream Pro is power cycled.

Figure 38: Snapshot packet capture page (Port 1 “Switch A572-3” - Snapshots)

    Time                      | Size    | # Packets
  x Tue Jun 8 21:39:24 2010   | 2068560 | 2021
  x Tue Jun 8 21:37:31 2010   | 1688392 | 1009
  x Tue Jun 8 21:33:08 2010   | 3489798 | 2042
  x Tue Jun 8 21:26:52 2010   | 3611992 | 2047
  x Fri Jun 4 10:00:51 2010   | 45301   | 35
  x Fri Jun 4 9:57:22 2010    | 79766   | 51
  x Fri Jun 4 9:54:21 2010    | 78211   | 48
  x Fri Jun 4 9:49:44 2010    | 1843556 | 1833
  x Fri Jun 4 9:10:40 2010    | 1358787 | 1234
  x Fri Jun 4 8:45:37 2010    | 1981872 | 1992

Note: Snapshot packet capture is not like a traffic recorder. It does not capture every packet on the wire; it only captures a sample of packets matching the profile. When a packet is captured, it is written to the pcap file, and only then can another packet be captured; in the meanwhile, some packets matching the profile may have gone by without being captured. The maximum size of a pcap file is 2 megabytes. At most 10 pcap files can be created per port, after which the oldest file is deleted when a new file is created. The pcap files are kept in volatile storage and are lost whenever power is removed from the unit.
