User manual CACE TECHNOLOGIES CACE PILOT FILTERS 2010

[. . . ] Filters Manual CACE Pilot Filters Manual Page 1 PUBLISHED BY CACE Technologies, Inc. 1949 5th Street, Suite 103 Davis, CA 95616 Copyright © 2010 CACE Technologies, Inc. No part of the contents of this manuscript may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Wireshark and the Wireshark icon are registered trademarks of Wireshark Foundation, Inc. [. . . ] Each extractor makes a specific set of fields available for filter comparisons. Extractors available for Pilot filters include the following: Extractor dns generic Description Type of DNS packets, Transaction ID, Response Time etc. . . Repository of fields to count bytes, packets, packets length, absolute packet number or to identify IP protocol, TCP port or UDP port converted into a traffic type string (e. g. 'Email' or 'Web') Type of web traffic (http, https. . . ), HTTP request type (GET, POST, etc. ), number of HTTP requests etc. . . Fields to work with ieee802. 11 wireless packets such as channels, type of encryption used, etc. . . For resolution of internet domain and country of the domain Source and destination MAC address, vendor prefix, etc. . . PPI 802. 11 Common / Radiotap - Channel Frequency, Channel Numbers, Types. . . VoIP traffic, callers and telephone numbers Selection of TCP ports, TCP byte count, TCP packet count etc. . . TCP round trip time, number of requests to the server, TCP error type, etc. . . Selection of IP source and destination, UDP packet/byte/bit count, etc http ieee80211 ipres mac pseudo voip tcp tcp_state udp Fields Examples of filter use are shown later. Relational and Boolean operators Operator Name OP_EQ OP_LT OP_GT Symbol = < > Page 9 CACE Pilot Filters Manual OP_IN OP_NE OP_LE OP_GE contains != <= >= ex: ip::source_ip. str="192. 168. 77. 250" Operator Name OP_OR OP_AND OP_NOT Symbol | & ! Ex: (ip::source_ip. str= "192. 168. 246. 128" ) & (ip::destination_ip. str= "192. 168. 246. 2" ) Value format Values used for comparison must be of a specific format, and inside the " " to avoid errors while the filter is applied. Filter examples Here we present a short catalog of the most useful filters. Generic generic::application. str This expression depends on a set of customizable parameters better described in a section called proto-groups. The idea is to associate a list of port/protocols to a common name as 'Web' or 'Email' for frequently used filters. Thus, the language becomes more flexible and expression becomes more compact. Ex: (generic::application. str="Email") 802. 11 pseudo::80211_common. channel. str This expression allows you to filter on packets using 802. 11 channel representation strings such as BG 001, BG 002 . . . Allowed values: <BG | A | N | Nhigh | NLow> space <3 digits channel number> Ex: (pseudo::80211_common. channel. str="BG 002") pseudo::80211_common. channel. freq This expression allows you to filter on packets using 802. 11 channel frequency in MHz (2412, 2417, . . . ) CACE Pilot Filters Manual Page 10 Ex: (pseudo::80211_common. channel. freq="2447") ieee80211::bssid. essid. str This expression allows you to filter on packets using the Extended Service Set IDentifier (ESSID) string. Ex: (ieee80211::bssid. essid. str="CACE_WIFI") ieee80211::frame_control. source_type. str (::frame_control. destination_type. str) This expression allows you to filter on source (destination) wireless nodes according to their function as access points (AP) or stations (STA). Allowed values: (AP, STA) Ex: (ieee80211::frame_control. source_type. str="AP") pseudo::80211_common. channel. type. designator_per_station. str This expression allows you to filter on the string of the channel type designator. Allowed values: For PPI valid values are (A, B, G, N), for Radiotap valid values are (A, B, G) Ex: (pseudo::80211_common. channel. type. designator_per_station. str="B") ieee80211::frame_control. protection_type_simple. str This filter allows to select the type of encryption used based on the AP to which the client is associated. Allowed value: (Unknown, WEP, WPA [TKIP], WPA2 [CCMP], None) Ex: (ieee80211::frame_control. protection_type_simple. str="WPA [TKIP]") ieee80211::frame_control. type. str This expression allows you to filter on the string of the frame type. ::mac. vendor_with_mac. str selects the packets if either the source or the destination matches the value. Replace the field ::mac. str with the expressions in parenthesis if you are interested only in packets coming from a specific source or going to a specific destination address. Ex: (mac::source_mac. vendor_with_mac. str="Cisco-Link_0c:08:78") mac::local. str="Local" (::mac::local. str="Non Local") The expression Local is based on the setting of subnet mask and works only for the local traffic (it does not work for probes). [. . . ] Ex: (http::uri contains "1A8928AF6E4E4255BBECE04056B00DA038/TC2. pdb") CACE Pilot Filters Manual Page 15 http::host This expression allows you to filter on the Host name in the http header. Ex: (http::host contains "youtube") http::resource This expression allows you to filter on the HTTP resource path and name Ex: (http::resource contains "/books?id=Vi05") http::method This expression allows you to filter on the HTTP request type Allowed values: (GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, CONNECT) Ex: (http::method="GET") http::content. type This expression allows you to filter on the HTTP content type Allowed values: any of the http mime types, see http://www. iana. org/assignments/media-types Ex: (http::content. type contain "image") http::status. code This expression allows you to filter on the http://en. wikipedia. org/wiki/List_of_HTTP_status_codes Ex: (http::status. code="200") status code, as listed in VoIP voip::call. user. number. str (:call. caller. number. str, ::call. receiver. number. str) This expression allows filtering on the phone number of the caller or the receiver of the VoIP call. ::call. user. number. str is used to filter if either the caller OR the receiver matches the specified phone number. Use the expression in parenthesis to select the caller and the receiver separately. [. . . ]