|
Because Packet Sniffers are mainly for use as passive monitoring agents,
they are usually created within their own Service Group. For example,
a new group can be created for this purpose by right-clicking
the Process in the tree view of the Policy Studio, selecting the
Add Service Group menu
option, and the entering "Packet Sniffer Group" on the
Add Service Group dialog.
We can then add a Relative Path Service to this Group by right-clicking
on the "Packet Sniffer Group" and selecting the
Add Relative Path menu option. Enter a path in the field
provided and select the policy that you want to dispatch messages to when
the Packet Sniffer detects a request for this path (after it assembles
the packets). So, for example, if the Relative Path is configured as
"/a", and the Packet Sniffer assembles packets into a request for this
path, the request will be dispatched to the policy selected in the
Relative Path Service.
Finally, we can add the Packet Sniffer itself by right-clicking on the
"Packet Sniffer Group" node, selecting
Packet Sniffer, and then the Add
menu option. Complete the following fields on the
Packet Sniffer dialog:
Device to Monitor:
Enter the name or identifier of the network interface that the Packet
Sniffer will monitor. The default entry here is "any", but it is
important to note that this is only valid on Linux. On UNIX-based
systems, network interfaces are usually identified using names like
"eth0", "eth1", and so on. On Windows, these names are more complicated,
for example, "\Device\NPF_{00B756E0-518A-4144 ... }.
Filter:
The Packet Sniffer can be configured to only intercept certain types of
packets. For example, it can ignore all UDP packets, only intercept
packets destined for port 80 on the network interface, ignore packets
from a certain IP address, listen for all packets on the network, and so
on.
The Packet Sniffer uses the libpcap library filter
language to achieve this. This language has a complicated but powerful
syntax that allows you to filter what packets are
intercepted and what packets are ignored. As a general rule, the syntax
consists of one or more expressions combined with conjunctions, such
as "and", "or", and "not". The following table lists a few examples of
common filters and explains what they actually filter:
| Filter Expression |
What does it filter? |
| port 80 |
Capture only traffic for the HTTP Port (i.e. 80). |
| host 192.168.0.1 |
Capture traffic to and from IP address 192.168.0.1. |
| tcp |
Capture only TCP traffic. |
| host 192.168.0.1 and port 80 |
Capture traffic to and from port 80 on IP address 192.168.0.1.
|
| tcp portrange 8080-8090 |
Capture all TCP traffic destined for ports from 8080 through
to 8090.
|
| tcp port 8080 and not src host 192.168.0.1 |
Capture all TCP traffic destined for port 8080 but not from
IP address 192.168.0.1.
|
The default filter of "tcp" simply captures all TCP packets arriving
on the network interface. For more information on how to configure
filter expressions like these, please refer to the man pages of
tcpdump man page, which can be found
here.
Promiscuous Mode:
When listening in "promiscuous mode", the Packet Sniffer will capture all
packets on the same Ethernet network, regardless of whether or not the
packets are addressed to the network interface that the Sniffer is
monitoring.
|