Protocol Filtering: Creating Cool Filters
Novell Cool Solutions: Feature
By Laura Chappell
Posted: 8 Apr 2002
Novell Connection Magazine is featuring another great piece from protocol pro, Laura Chappell. This article details how to get the most out of your favorite protocol analyzer by creating protocol filters that are germane to your environment.
Here's how to get to the full article: http://www.novell.com/connectionmagazine/2002/04/protocol42.pdf
Here's an excerpt:
I have two filters that are my absolute favorites: the broadcast filter and the ICMP filter. You can create a filter that captures all broadcast traffic by building an address filter. To create this filter, you define a filter that captures all broadcast traffic that is going to and from the MAC address, 0xFF-FF-FF-FF-FF-FF. (See Figure 6) (For more information about creating address filters, see Packet Filtering: Catching the Cool Packets! at www.podbooks.com.)
Because excessive broadcast traffic impacts the performance of individual devices (they all have to process broadcasts), I need to know how much traffic these devices are processing. In some cases, misconfigured devices may also continually broadcast queries on the network.
You can create a filter that captures ICMP traffic by making a simple protocol selection in most analyzer products. Why do I care so much about the ICMP filter? When I go onsite, I usually capture all of the packets (no filters applied) and then look specifically for the ICMP traffic crossing the wire. Here are some examples of what you can learn using an ICMP filter:
- If you find a lot of ICMP echo requests/replies on the network, you can look at the source to determine whether an automated process is sending out all these packets (pinging). Or, perhaps an application is using ICMP as a "keepalive" process. You should also look at where the ICMP packets are coming from. If the packets are coming from an outside system (outside the firewall), you should be curious about the sender and his or her intentions.
- If you capture a lot of ICMP redirects, you should check out what is being redirected to where. For example, maybe a set of hosts is using the least efficient default gateway setting, or maybe a redirection attack is underway.
- If you capture a lot of ICMP destination unreachable packets, you should look into who is sending and receiving those packets to determine what each destination unreachable packet is saying. For example, perhaps the host was unreachable or the destination port number was unreachable. Either way, you should determine why these packets are crossing the wire.
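The two filters described in the excerpt, applied in code as an added example that is not part of the article or of any analyzer product: a broadcast address filter on the destination MAC ff:ff:ff:ff:ff:ff, and an ICMP protocol filter that tallies ICMP type and code per source address so that ping bursts, redirects and destination unreachables stand out. The frames, the addresses (RFC 5737 documentation ranges) and the `frame` builder are all constructed for the example; checksums are left zero because the filters never look at them.

```python
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 5: "redirect", 8: "echo-request"}

def frame(dst_mac, ethertype, src_ip="0.0.0.0", dst_ip="0.0.0.0", icmp_type=0, code=0):
    """Constructed sample frame: Ethernet II header, then (for 0x0800) a minimal
    IPv4 header carrying an 8-byte ICMP header with the given type/code."""
    eth = dst_mac + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ethertype)
    if ethertype != 0x0800:
        return eth + b"\x00" * 28          # e.g. an ARP body; contents irrelevant here
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + icmp

def apply_filters(frames):
    """Broadcast filter: count frames addressed to ff:ff:ff:ff:ff:ff.
    ICMP filter: tally (source IP, ICMP name, code) for every IPv4/ICMP frame."""
    broadcasts, icmp_seen = 0, Counter()
    for f in frames:
        if len(f) < 14:                    # too short to hold an Ethernet header
            continue
        if f[:6] == BROADCAST_MAC:
            broadcasts += 1
        if struct.unpack("!H", f[12:14])[0] != 0x0800 or len(f) < 34:
            continue                       # not IPv4, or truncated IPv4 header
        ihl = (f[14] & 0x0F) * 4           # IPv4 header length, options included
        if f[23] != 1 or len(f) < 14 + ihl + 2:   # protocol 1 = ICMP
            continue
        src_ip = ".".join(str(b) for b in f[26:30])
        t, c = f[14 + ihl], f[15 + ihl]    # ICMP type and code follow the IP header
        icmp_seen[(src_ip, ICMP_NAMES.get(t, f"type-{t}"), c)] += 1
    return broadcasts, icmp_seen

def sample_capture():
    """Constructed capture: ARP broadcasts, an echo-request burst from an outside
    address, one redirect from the gateway, two port-unreachables (type 3, code 3)."""
    frames = [frame(BROADCAST_MAC, 0x0806)] * 3
    frames += [frame(b"\xaa" * 6, 0x0800, "203.0.113.9", "192.0.2.10", 8)] * 5
    frames += [frame(b"\xaa" * 6, 0x0800, "192.0.2.1", "192.0.2.10", 5)]
    frames += [frame(b"\xaa" * 6, 0x0800, "192.0.2.10", "192.0.2.20", 3, 3)] * 2
    return frames

if __name__ == "__main__":
    bcast, icmp_seen = apply_filters(sample_capture())
    print(f"broadcast frames: {bcast}")
    for (src, name, code), n in icmp_seen.most_common():
        print(f"{n:4d}  {name:<17} code {code}  from {src}")
```

The per-source tally is the point: the outside address 203.0.113.9 sourcing every echo request is exactly the case the excerpt says should make you curious about the sender.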
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com