Creating and Using Packet Filters | 3Com 2200 instruction

12-4 CHAPTER 12: CREATING AND USING PACKET FILTERS

Concepts for Writing Before writing a packet ﬁlter, you should understand thsee basic concepts:

a Filter

■How the packet ﬁlter language works

■The basic elements of a packet ﬁlter

■How to implement sequential tests in a packet ﬁlter

■The pre-processed and run-time storage requirements

How the Packet Filter Language Works

You deﬁne packet ﬁlters using a simple, stack-orientedlanguage. Stack- oriented means that the language uses a LIFO (last in, ﬁrst out) queue when the packet ﬁlter is running. The program places values (called operands) on the stack and tests them with various logical expressions (called operators), such as and, or, equal, and not equal (see Table 12-3 and Table 12-4). These expressions typically test the values of various ﬁelds in the received packet, which include MAC addresses, type ﬁelds, IP addresses, and Service Access Points (SAPs).

A program in the packet ﬁlter language consists of a series of one or more instructions that results in the top of the stack containing a byte value after execution of the last instruction in the program. This byte value determines whether to forward or discard the packet.

In this stack-oriented language, instructions:

■push operands onto the stack

■pop the operands from the stack for comparison purposes

■push the results back onto the stack

Therefore, with the exception of the push instructions, instructions (such as logical operators) locate their operands implicitly and do not require additional operand speciﬁers in the instruction stream.

Opcodes are the variables used to identify the type of operands and operators you are specifying in the packet ﬁlter instructions.

Image 141

3Com 2200 manual Creating and Using Packet Filters

Contents

Superstack II Switch Administration Console User Guide 3Com Corporation 5400 Bayfront Plaza Santa Clara, California Contents Remote Access Parameters Administration Console Interface ParametersSetting Up an IP Interface for Management Online Help Rebooting the System Setting PasswordsAbout Setting Baselines Setting Baselines Setting lerAlarm Setting lerCutoff Setting tmaxLowerBoundSetting the Aging Time Starting Port Monitoring 10-7 Setting the Bridge Priority10-8 10-9 13-3 Using Groups in Packet Filters Listing GroupsOpcodes A-1 Destination Address Filter A-9 Support from 3Com Access by ModemWorld Wide Web Site 3ComForum on CompuServe Returning Products for Repair Introduction About this GuideFamiliarity with communications protocols that are used on Interconnected LANs How to Use Switch 2200. The parts of the guide are described in TableThis Guide This guide Conventions Switch DocumentationDocuments, contact your sales representative for assistance Comments Introduction Administration Overview About Switch AdministrationConﬁguration Tasks Adjust the console screen height for your terminal General System Commands Task Quick Command For Details, See Change the factory default baud rate of the Console port To the system, or reset nonvolatile data to defaults System Management Setup Commands Task Quick Command Bridging Commands Task Quick Command For Details, SeeConfigurations, and spanning tree configurations 12-1 and following Administer bridge port addressesDisplay bridge port information Set the multicast packet firewall threshold Ethernet Commands Task Quick Command For Details, See A summarized or detailed format9-2 to 8-3 Fddi Commands Task Quick Command Initial User Access HOW to USEAccess Levels of User Select access level read, write, administer Password Using Menus to Perform Tasks System-level Functions Menu Hierarchy for Administer Access Bridge Menu Fddi Menu IP Menu Bridging Menu Hierarchy for Administer Access Analyzer Menu Snmp Menu Menu options are not case sensitive Most abbreviated version of the same command string is Entering Values Adjusting Console InterfaceParameters Disabling Reboot Abort Keys System consoleLock Running Scripts Administration Console Tasks Setting Timeout Interval for Remote SessionsEnter the telnet timeout interval 30 minutes to 60 minutes HOW to USE the Administration Console Running Scripts of Administration Console Tasks Getting HelpConsole To exit from the Administration Console Exiting returns you to the password promptExiting There, by pressing the ESC key SYSTEM-LEVEL Functions Page Access to the System AboutManagement Setting Up Console Serial Port IP Interface for Setting Up an Broadcast Address Directed all 1s in the host field Cost Ports AllBroadcast address Ip interface modify Removing an Interface Gateway IP Address Timing outTimed out Defining a Static Route Default route is immediately removed from the routing table Administering the ARP Cache Setting the RIP Mode You could receive one of the following responses Enter the IP address of the station you want to ping Displaying IP Statistics IP statistics you can view are described in TableStatistics are displayed, as shown in this example Setting Up Snmp on Your System Displaying Snmp SettingsCommunity string settings are displayed as shown here Community string length Administering Snmp Trap Reporting Enter an IP address of the Snmp manager destination address Conﬁguring Trap Reporting Trap address invalid or unreachable This example shows a trap conﬁguration You receive the following prompt Remote SMT events. On all other Switch 2200s in your network Snmp trap smtProxyTraps Example of a Switch 2200 system conﬁguration display EnvironmentDisplaying System Conﬁguration Initial passwords Setting Passwords Setting the System Name Changing the Date and TimeYou are prompted for the name of the system Rebooting You must disable the baseline About SettingBaselines Displaying the Current Baseline Baselining is automatically enabled when a baseline is set Setting BaselinesEnabling or Disabling Baselines Message similar to the following appears SAVING, RESTORING, and Resetting Nonvolatile Data Working withNonvolatile Data Saving NV Data NV Data RestoringSaving the NV data Restoration rules described here System nvData restore You are returned to the NV data menu options Examining a Saved NV Data File You see the following prompt Resetting NV Data to Defaults Ethernet and Fddi Parameters IIIPage Displaying PortsEthernet Port Information RxDiscards Describes the information provided about an Ethernet port Layer to receive them or because the port was disabled Default is enabledLong and are not configurable Disabled Successfully Second long and are not configurableTransmitted successfully TxPeakByteRate There is no buffer space available Frame is in error TxFrames Frames delivered to this port TxDiscards TxQOverflows Labeling a Port Setting the Port State Administering ResourcesFddi Stations Can be Thru, Isolated, WrapA, and WrapB Describes these statisticsConnectPolicy This value can be user-defined Description of Fields for Fddi Station Attributes TNotify Defaults for connecting to a Port MFrames NIF. This value can be user-defined TraceMaxExp Normal tree connection With defaults for connecting to a Port MTopology Node may not go to Thru state in CFM Enabling Disabling Status Reporting Setting Neighbor Notiﬁcation Timer Fddi Paths RingLatency Description of Fields for Fddi Path Attributes MaxTReqTmaxLowBound TraceStatus Current Trace status of the path TvxLowBound Station, which appears in brackets To set tvxLowerBound Fddi MACs Displaying MAC Information Administering Fddi MACs Describes the information provided for the Fddi MAC Description of Fields for Fddi MAC Attributes OldDownstream Error during receptionNeighbor OldUpstream There is no buffer space available Frame is in error Receive Frame Network Shows the order in which the discard tests are made Setting the Frame Error Threshold Enter the new threshold value. See the following example Setting the Not Copied Threshold Setting MAC Paths Enabling Disabling LLC Service Displaying Port Information Administering Fddi Ports Describes the type of information provided for an Fddi port Setting lerCutoff Setting Port Labels Fddi port path Roving Analysis About RovingAnalysis Roving Analysis On a speciﬁc systemReceive Adding an Analyzer Port Removing an Analyzer Port Monitoring Starting PortYou can start monitoring port activity See the example below for starting port monitoring Stopping Port Monitoring Bridging Parameters Information about the bridge is displayed Displaying Bridge Information Each item in the bridge parameter list is described in Table Following example shows a display of bridge information Learning states. The default value is 15 seconds BridgeFwdDelayRoot. The default value is 2 seconds ForwardDelay Bridge Attributes Parameter Description MaxAge Default value is disabledIs determined by the root bridge Mode Disabling IP EnablingFragmentation Disabling IPX Address SettingThreshold Aging Time Enter enabled or disabled at the prompt STP BridgeEnabling and Disabling STP on a Bridge To conﬁgure the STP bridge priority Setting the Bridge Maximum Age To conﬁgure the forward delay value Forward delay The recommended value is 15 seconds Setting the STP Group Address Bridge Port Following example shows a bridge port detail display Following example shows a bridge port summary display Port is attached RxErrorDiscsDesignatedCost BPDUs from the designated bridge for that LAN Management frames Bridge Port Attributes Parameter Description RxFramesRxMcastExcDiscs Exceeded Disabled The port has been disabled by management Disabled in which the port is currently operatingBridge Port Attributes Parameter Description State Blocking The bridge continues to run the Spanning Tree Shows the order in which the discard decisions are made Multicast Limit You are prompted for port typeMulticast packet ﬁrewall, see Bridging Extensions Enabling STP Bridge PortDisabling STP On a Port Bridge port stpCost Bridge port stpPriority Listing Addresses Administering Port Addresses You are prompted for the port number From the top level of the Administration Console, enterEnter the number of the port You are prompted for one or more addresses to add Flushing All Addresses You are prompted for the port numbers Packet Filtering Packet Filters Listing Packet Filters Displaying Packet Filters Creating and Using Packet Filters Describes the instructions and stacks of a packet ﬁlter Ethernet and Fddi Packet Fields Basic Elements of a Packet Filter PushField Packet Filter Operands Description Opcode Packet fieldSize of the field can be 1, 2, 4, or 6 bytes Want the filter to examine a 48-bit address Constant Accept and Reject Instructions Creating Packet Filters 12-9 Preprocessed and Run-time Storage Opcode.size operand... # comment 12-11 Creating and Using Packet Filters # XNS Filtering Section Pseudocode translates into the following packet ﬁlter Enter executable instruction #2 Enter executable instruction #1 Enter executable instruction #4 Enter executable instruction #3Enter executable instruction #5 Enter executable instruction #6 Only IP pkts w/in socket range This combination looks like this Add a not statement to discard any matching packets Maximum length of a packet ﬁlter deﬁnition is 4096 bytes Being edited Command are discardedDelete Previous Ctrl+h Character One position Delete Current Ctrl+d Editing, Checking Deleting Packet FiltersSaving Packet Filters At the Replace existing filter? prompt Bridge packetFilter load Loading Packet Filters Fddi Unassigning Packet Filters from Ports Using Groups Configuring Address Port Groups to USE Packet FiltersUser-deﬁned Packet Filtering in the SuperStack II Switch Address and port groups in packet ﬁlters To list the currently deﬁned groups, enter this command OR, for port groups, enter the following command Displaying Groups Enter this command Creating New Groups Address 08-32-45-e3-32-21 Enter the ports in this syntax Port Ethernet Adding AddressesPorts to Groups Address 08-37-21-65-78-c4 To remove an address from a group, enter Removing Addresses or Ports from a GroupOR, to remove a port from a group, enter Enter the ports in the syntax Address 08-42-21-84-78-f1 Loading Groups 13-11 Configuring Address and Port Groups to USE in Packet Filters Appendixes Opcodes Packet Filter OpcodesOpcodes are described in this section Name name Bytes PushLiteral.size value PushField.size offset Byte PushSAGM PushTopByte PushDAGM Byte PushSPGM Byte PushDPGMByte Eq equal Ne not equal Byte Lt less thanByte Le less than or equal to Gt greater than Byte Ge greater than or equal toByte Bit-wise Byte Xor bit-wise exclusive-OR Or bit-wise orByte Not Byte Accept Reject Byte Shiftl shift leftByte Shiftr shift right Packet Filter ExamplesPacket ﬁlter concepts Address XNS To make a copy of the type ﬁeldPage Common Syntax Errors Number with a leading 0x or 0X is treated as Characters of the numberHexadecimal Number with a leading 0 is treated as octal Variety of services. This appendix describes these services ServicesOnline Technical Through the following online systems Press Return to see the 3ComForum main menu Access by Isdn Support from Maintenance, application training, and support servicesYour Network Supplier To ﬁnd your authorized service provider U.S. and Canada, call 800 876-3266 for customer service3Com Support contracts are available from 3Com Index Address Resolution Protocol. See ARP address threshold3ComFacts B-3 3ComForum B-2 Abort ARP cache ﬂushing 3-12 removing entry Multicast limit, setting 11-7 Spanning Tree Enabling Statistics, displaying 10-1bridge portCost PortState Station MAC addresses 11-11Ethernet address SRFs 8-2 Connection policies, settingFddi path deﬁned Fddi port Enabling Le opcode A-5 Removing from -9, 3-10 status On-line technical services B-1opcode Name opcode A-1 Naming the Switch 2200 4-3ne opcode A-5Password conﬁguring Multicast frames Packet ﬁlters 12-1multicast limit Broadcast address 3-4default mode 3-12displaying state RloginFddi ports 8-19ping IP station SMT event Snmp agent Accessing through IP 3-1deﬁned Snmp trapSnifﬁng. See roving analysis and analyzer Port LER Condition Port Path Change Deﬁned 8-7 setting SwitchTOpr Technical support B-1telnet Packet ﬁlter 12-12, 12-14, A-11 xor opcode A-7