March 12, 2005

Filtering ASCII text on a Sniffer Distributed s6040

The Sniffer Distributed s6040 is a powerful chassis-based analyzer that's designed for core networks. One of the more advanced features of the s6040 is its ability to filter on specific data patterns during capture, regardless of the data's offset. This capture-in-hardware capability adds a new level of filtering, especially on networks with high utilizations.

At its most basic level, this greatly expands the options for filtering. For example, it's now possible to capture any frame containing the word 'google,' regardless of where the word is contained in the frame!

The pattern matching options on an s6040 also allow for masks of the filtered data. Using this masking, the filter can be altered to look for any occurrence of 'google,' even if a letter is uppercase.

Here's a screen shot of what this would look like:

[Screenshot: 6040srch.png, the s6040 pattern filter dialog]

To understand how this works, we need to examine each letter in its binary form:

A = 01000001
a = 01100001

See the difference between uppercase and lowercase? The third bit from the left (the 0x20 bit) is the only one that changes. If we wanted to create a mask that compared only the other seven bits, the mask would be

11011111

or (do your hex conversions, everyone!) 0xDF. Changing the mask from 0xFF to 0xDF will now filter on both uppercase and lowercase letters simultaneously!

Now, your ASCII filtering can be twice as powerful (or half as difficult)!
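To see the mask math in action, here is an added software model of the offset-independent masked pattern filter described above (this is example code written for this post, not the s6040's firmware or any Sniffer tool). The frame bytes are constructed, and the 0xDF mask is applied only to letter positions; on a non-letter byte the same mask would also make '@' (0x40) match '`' (0x60), so those positions keep 0xFF.

```python
# Added example: offset-independent masked pattern matching, as the post describes.
# Mask byte 0xFF = compare the byte exactly; 0xDF = ignore the 0x20 (ASCII case) bit.

def masked_match_offsets(frame: bytes, pattern: bytes, mask: bytes) -> list[int]:
    """Return every offset i where (frame[i+k] & mask[k]) == (pattern[k] & mask[k]) for all k."""
    if len(pattern) != len(mask):
        raise ValueError("pattern and mask must be the same length")
    want = bytes(p & m for p, m in zip(pattern, mask))
    hits = []
    for i in range(len(frame) - len(pattern) + 1):
        window = frame[i:i + len(pattern)]
        if bytes(b & m for b, m in zip(window, mask)) == want:
            hits.append(i)
    return hits


def case_insensitive_mask(pattern: bytes) -> bytes:
    """Per-byte mask: 0xDF on ASCII letters only, 0xFF elsewhere.
    Clearing bit 0x20 on a non-letter would fold unrelated bytes together
    (e.g. '@' 0x40 and '`' 0x60, '[' 0x5B and '{' 0x7B), widening the filter."""
    return bytes(0xDF if bytes([b]).isalpha() else 0xFF for b in pattern)


# Constructed sample frame (not a real capture): a fake 14-byte Ethernet header
# followed by an HTTP request containing 'GOOGLE' and 'Google' at two offsets.
FRAME = (b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"
         b"GET /search?q=GOOGLE HTTP/1.1\r\nHost: www.Google.com\r\n\r\n")

if __name__ == "__main__":
    exact = masked_match_offsets(FRAME, b"google", b"\xff" * 6)
    folded = masked_match_offsets(FRAME, b"google", case_insensitive_mask(b"google"))
    print("0xFF mask (exact case):", exact)     # []
    print("0xDF mask (any case):  ", folded)    # [28, 55]
```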

Posted by james_messer at March 12, 2005 06:57 PM