Filter

From Allegro Packets Product Wiki
Revision as of 14:14, 6 July 2020 by Martin.fesser (talk | contribs)

Web interface

[Image: NIC filter.png]


The filter page allows setting a processing filter for live traffic. The traffic may be filtered before it is processed. Filters can be applied for:

  • IP addresses (with possible subnet mask).
  • pairs of IP addresses (with possible subnet mask).
  • MAC addresses.
  • VLAN tags (or none for no VLAN tag).
  • specific TCP/UDP ports.
  • physical interface IDs (as listed in Interface statistics).
  • duplicate packets.

They can all be set to either blacklist or whitelist mode. The filters are evaluated for every packet in tab order, and the more restrictive result wins: for instance, if no IP address is denied but a specific MAC address is on the blacklist, no traffic for that MAC address will be processed. The processing filter is applied to live traffic only; when replaying a pcap or using the remote traffic capture feature, filtering is not used.

IP filters

The IP filter page allows importing an IP list in the format:

#A line with a comment
1.2.3.1
1.2.3.2
1.2.3.3

Clicking Import list opens a dialogue box in which you can choose either to download such a list from a given URL or to select a file from your system. The imported IP addresses are added to the existing ones, up to a maximum of 10000 addresses.

The Export list button allows for exporting the IP filter list in the same format as the import.

The Delete all button allows for deleting all IP addresses from the filter list.
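The list format above is simple enough to handle with a few lines of code. The following parser and exporter is an added example, not Allegro Packets' code: the 10000-address cap comes from this page, while the function names, the merge semantics (existing addresses are kept, duplicates dropped, surplus addresses reported rather than silently lost) and the exported comment line are assumptions.

```python
"""Parse, merge and export IP filter lists in the one-address-per-line format.

Added example, not Allegro Packets' code. The address cap is the one stated on
the page; function names and merge behaviour are assumptions.
"""
import ipaddress

MAX_ADDRESSES = 10000  # maximum filter-list size stated on the page


def parse_ip_list(text):
    """Return the addresses in a list file, skipping comments and blank lines.

    Raises ValueError naming the line number for anything that is not an IP
    address, so a bad import is rejected instead of partially applied.
    """
    addresses = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addresses.append(ipaddress.ip_address(line))
        except ValueError:
            raise ValueError(f"line {lineno}: {line!r} is not an IP address") from None
    return addresses


def merge_ip_lists(existing, imported, limit=MAX_ADDRESSES):
    """Add imported addresses to the existing list without exceeding the limit.

    Returns (merged, skipped): merged keeps the original order with duplicates
    removed; skipped lists the imported addresses that did not fit.
    """
    merged = list(dict.fromkeys(existing))
    seen, skipped = set(merged), []
    for addr in imported:
        if addr in seen:
            continue
        if len(merged) >= limit:
            skipped.append(addr)
            continue
        merged.append(addr)
        seen.add(addr)
    return merged, skipped


def export_ip_list(addresses, comment="Exported IP filter list"):
    """Serialise addresses in the same format the importer reads."""
    return "\n".join([f"#{comment}", *map(str, addresses)]) + "\n"


# Constructed sample in the page's format.
SAMPLE = """#A line with a comment
1.2.3.1
1.2.3.2
1.2.3.3
"""

if __name__ == "__main__":
    imported = parse_ip_list(SAMPLE)
    merged, skipped = merge_ip_lists([ipaddress.ip_address("10.0.0.1")], imported, limit=3)
    print("merged:", [str(a) for a in merged], "skipped:", [str(a) for a in skipped])
    print(export_ip_list(merged), end="")
```

Running the module imports the sample, merges it into an existing one-entry list with a deliberately small limit to show the surplus being reported, and prints the list back out in the export format.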

Packet deduplication

Packet deduplication provides the ability to filter packets from live traffic which have already been seen. The feature computes a hash over the significant parts of each packet and stores that hash for a certain amount of time and within the configured memory limit. If a second (or any further) packet produces the same hash value, that packet is discarded and will not be analyzed by the system. Several options control which parts of a packet are regarded as significant for duplicate detection. It is also possible to capture the packets that were detected as duplicates, but since they are excluded from further processing as well as from the packet ring buffer, only a live capture of them can be created.

Statistics

The top graph and counter show how many packets have been discarded as duplicates.

The Memory used graph shows how much of the memory which has been configured for use by the packet deduplication is actually consumed. If the value is very high it is possible that the configured amount of memory is not sufficient for the actual traffic.

The Oldest packet age graph shows how old the oldest packet known to the packet deduplication is. If this value is significantly lower than the configured Packet timeout value, the configured amount of memory may not be sufficient for the actual traffic.

Settings

Enabled: Turns the packet deduplication filter on and off.

Reserved memory (MB): Controls how much memory in megabytes is reserved for packet deduplication. This memory cannot then be used for other statistics. Changes to this value require a restart of the processing to take effect.

Packet timeout (ms): The time in milliseconds after which a packet hash is removed from the packet deduplication. If the time between identical packets is longer than this value, the packets will not be detected as duplicates.

Compare starting at layer: Here it is possible to choose where the packet deduplication will start to analyze the packet. If e.g. 'Layer 3' is chosen it is possible for two packets to have different MAC addresses and still be detected as duplicates.

Layer 7 length limit for compare (bytes): This value controls how many bytes of the application payload are actually used for the hash calculation. A very high value may affect performance, while a very low value may increase the risk of false positives.

Ignore VLAN: The VLAN tag will not be used by the packet deduplication so that two packets from different VLANs can still be detected as duplicates.

Ignore IP TOS and traffic class: The IP 'type of service' and 'traffic class' fields will not be used by the packet deduplication so that two packets with different values in these fields can still be detected as duplicates.

Ignore IP TTL and HOP: The IP 'time to live' and 'hop counter' fields will not be used by the packet deduplication so that two packets with different values in these fields can still be detected as duplicates.

Ignore TCP SEQ and ACK numbers: The TCP sequence and acknowledgement numbers will not be used by the packet deduplication so that two packets with different TCP sequence and acknowledgement numbers can still be detected as duplicates.

Ignore TCP options: TCP options will not be used by the packet deduplication, so that two packets with different TCP options can still be detected as duplicates.
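The mechanism described under Packet deduplication and the settings listed above can be demonstrated end to end on constructed frames. The following is an added example, not Allegro Packets' code: it builds Ethernet/IPv4 frames by hand, hashes the bytes that remain after the chosen start layer, payload limit and ignore options are applied, and keeps the hashes in a table bounded by a timeout and an entry limit (standing in for the reserved memory). Every name, the eviction policy and the handling of non-IPv4 frames are assumptions; the point it makes that the page does not spell out is that the IP, TCP and UDP checksums must be blanked too, because they would otherwise reflect the very fields being ignored.

```python
"""Hash-based packet deduplication with the options described on the page.

Added example, not Allegro Packets' code. Frames are constructed IPv4 packets;
all names, the eviction policy and the non-IPv4 handling are assumptions.
"""
import hashlib
import struct
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class DedupSettings:
    packet_timeout_ms: int = 1000   # hashes older than this are forgotten
    max_entries: int = 10000        # stands in for "Reserved memory (MB)"
    start_layer: int = 2            # 2 = hash the Ethernet header too, 3 = IP onwards
    l7_limit: int = 64              # "Layer 7 length limit": payload bytes hashed
    ignore_vlan: bool = False
    ignore_tos: bool = False
    ignore_ttl: bool = False
    ignore_tcp_seq_ack: bool = False
    ignore_tcp_options: bool = False


def significant_bytes(frame, s):
    """Select the bytes that feed the hash, blanking every ignored field."""
    ethertype, pos, tci = struct.unpack_from("!H", frame, 12)[0], 14, b""
    if ethertype == 0x8100:                      # 802.1Q tag present: remember the TCI
        tci, ethertype, pos = frame[14:16], struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != 0x0800:                      # non-IPv4 (assumption): hash the whole frame
        return frame
    ihl = (frame[pos] & 0x0F) * 4
    ip, rest = bytearray(frame[pos:pos + ihl]), frame[pos + ihl:]
    if s.ignore_tos:
        ip[1] = 0
    if s.ignore_ttl:
        ip[8] = 0
    ip[10:12] = b"\x00\x00"                      # IP checksum would betray TTL/TOS changes
    if ip[9] == 6:                               # TCP
        data_off = (rest[12] >> 4) * 4
        l4, payload = bytearray(rest[:data_off]), rest[data_off:]
        if s.ignore_tcp_seq_ack:
            l4[4:12] = bytes(8)
        if s.ignore_tcp_options:
            l4 = l4[:20]
        l4[16:18] = b"\x00\x00"                  # TCP checksum covers seq/ack and options
    elif ip[9] == 17:                            # UDP
        l4, payload = bytearray(rest[:8]), rest[8:]
        l4[6:8] = b"\x00\x00"                    # UDP checksum covers payload past l7_limit
    else:
        l4, payload = bytearray(), rest
    # Layer 2 (MACs and, unless ignored, the VLAN tag) only counts when starting at layer 2.
    l2 = [frame[:12], b"" if s.ignore_vlan else tci] if s.start_layer <= 2 else []
    return b"".join(l2 + [bytes(ip), bytes(l4), payload[:s.l7_limit]])


class Deduplicator:
    def __init__(self, settings):
        self.s, self.seen, self.duplicates = settings, OrderedDict(), 0

    def is_duplicate(self, frame, now_ms):
        """True (and the packet is dropped) if its hash was seen within the timeout."""
        while self.seen and now_ms - next(iter(self.seen.values())) > self.s.packet_timeout_ms:
            self.seen.popitem(last=False)        # "Packet timeout" expiry, oldest first
        digest = hashlib.blake2b(significant_bytes(frame, self.s), digest_size=16).digest()
        if digest in self.seen:
            self.duplicates += 1
            return True
        if len(self.seen) >= self.s.max_entries:  # memory full: evict the oldest hash early
            self.seen.popitem(last=False)
        self.seen[digest] = now_ms
        return False

    def oldest_packet_age_ms(self, now_ms):
        """The "Oldest packet age" statistic; far below the timeout means memory pressure."""
        return now_ms - next(iter(self.seen.values())) if self.seen else 0


def build_frame(dst_mac, src_mac, vlan, src_ip, dst_ip, ttl, tos, proto, l4, payload):
    """Constructed Ethernet/IPv4 frame; checksums are left zero since they get blanked."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4) + len(payload), 1, 0x4000,
                     ttl, proto, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + tag + b"\x08\x00" + ip + l4 + payload


def demo():
    """Constructed scenarios: a routed copy, the timeout window and a TCP retransmission."""
    a, b, c = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))
    udp = struct.pack("!HHHH", 40000, 53, 8 + 5, 0)
    p1 = build_frame(b, a, None, "10.0.0.1", "10.0.0.2", 64, 0, 17, udp, b"hello")
    p2 = build_frame(c, b, None, "10.0.0.1", "10.0.0.2", 63, 0, 17, udp, b"hello")  # same packet, one hop later
    tcp = lambda seq: struct.pack("!HHIIBBHHH", 40000, 80, seq, 5000, 5 << 4, 0x18, 65535, 0, 0)
    t1 = build_frame(b, a, None, "10.0.0.1", "10.0.0.2", 64, 0, 6, tcp(1000), b"GET")
    t2 = build_frame(b, a, None, "10.0.0.1", "10.0.0.2", 64, 0, 6, tcp(1001), b"GET")
    strict = Deduplicator(DedupSettings(start_layer=2))
    lenient = Deduplicator(DedupSettings(start_layer=3, ignore_ttl=True))
    timed = Deduplicator(DedupSettings(start_layer=3, ignore_ttl=True, packet_timeout_ms=1000))
    seqfree = Deduplicator(DedupSettings(ignore_tcp_seq_ack=True))
    return {
        "strict": [strict.is_duplicate(p1, 0), strict.is_duplicate(p2, 1)],
        "lenient": [lenient.is_duplicate(p1, 0), lenient.is_duplicate(p2, 1)],
        "timeout": [timed.is_duplicate(p1, 0), timed.is_duplicate(p1, 2000), timed.is_duplicate(p1, 2500)],
        "oldest_age_ms": timed.oldest_packet_age_ms(2500),
        "tcp_seq_ignored": [seqfree.is_duplicate(t1, 0), seqfree.is_duplicate(t2, 1)],
    }
```

In the demo the strict configuration (start at layer 2, nothing ignored) treats the routed copy of a packet as new because its MAC addresses and TTL differ; starting at layer 3 with Ignore IP TTL set, the same copy is dropped as a duplicate. The timeout scenario shows a hash being forgotten after the timeout and re-learned, and the last scenario shows that Ignore TCP SEQ and ACK numbers makes two segments that differ only in their sequence number collide, which is exactly why that option should be enabled with care.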