GB2331605A - Packet filter compiler program - Google Patents


Info

Publication number: GB2331605A
Authority: GB (United Kingdom)
Prior art keywords: packet filter, user interface, implemented method, graphical user, computer implemented
Legal status: Withdrawn
Application number: GB9821777A
Other versions: GB2331605A9 (en), GB9821777D0 (en)
Inventors: Jing Xiang, Darryl Black
Current Assignee: 3Com Corp
Original Assignee: 3Com Corp
Events: Priority to US94632397A; application filed by 3Com Corp; publication of GB9821777D0; publication of GB2331605A9; publication of GB2331605A; application status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/30 Creation or generation of source code
    • G06F 8/34 Graphical or visual programming

Abstract

Disclosed is a computer program, driven by a graphical user interface (GUI), for building packet filters for use in a networked environment. The graphical user interface is adapted to assist a user in the construction and design of a packet filter such that the user is able to build a packet filter without being extensively trained in all of the numerous parameters involved in packet filter construction: this may be through the use of a wizard (1100) for inexperienced users or via a calculator-type interface (1200) for more experienced users. In one embodiment, the program receives expression-based statements from the user. These expression-based statements indicate the design characteristics of the packet filter which the user wishes to build. The program compiles the expression-based statements into a language which is suitable for the formation of the packet filter. Finally, the packet filter builder creates the packet filter desired by the user by combining a sequence of compiler statements.

Description

2331605 A METHOD OF BUILDING A PACKET FILTER

TECHNICAL FIELD

The present invention relates to the field of network management software. More specifically, the present invention relates to packet filters utilized in network systems.

BACKGROUND ART

User-defined Packet Filters are a very powerful feature of networking switches. Unfortunately, conventional packet filter building methods are often difficult to perform and implement, and also error prone. For example, conventional packet filter building methods require the network manager or other individual building the packet filters to be intimately familiar with the basic elements (e.g. fields, operators, constants, and the like) used in packet filters. Such packet filter building knowledge is extensive. In addition, conventional packet filter building methods require the network manager or packet filter builder to have low-level programming language knowledge and skills because packet filters have to be constructed in complex design languages, such as a Reverse Polish stack-oriented language. Thus the average network manager cannot effectively build user-defined Packet Filters using conventional packet filter building processes.

User-defined Packet Filters can be used to improve network performance and increase network security. This enables network managers to maximize the return on investment of very expensive switches. However, due to the aforementioned complexity associated with conventional packet filter building, many network managers lack the ability and programming expertise to construct the desired packet filters. Thus it is wasteful to leave such a powerful feature as user-defined Packet Filters under-utilized, or worse, to compromise network performance and security.

Accordingly, what is needed is a system and method for building User-Defined Packet Filters that is easy and intuitive to use and maintain, is not solely constructed using a complex design language, does not require extensive networking knowledge, and can be used effectively by average network managers.

DISCLOSURE OF THE INVENTION

A method and computer system are described herein for packet filter building wherein the packet filter is not constructed solely using complex design languages. The present invention further provides a packet filter building system and method which is not error-prone. Furthermore, the present invention provides a packet filter building system and method which does not require a highly trained programmer for the implementation thereof, and a packet filter building system and method which can be effectively and efficiently utilized by a typical network manager.

Specifically, two embodiments of the invention are presented to assist users in the construction of a packet filter such that the user is able to build a packet filter without being extensively trained in all of the numerous parameters involved in packet filter construction.

In one embodiment, a wizard-type interface guides the users through the formation of a packet filter on a step-by-step basis. That is, in such an embodiment, the present invention displays tutorial information to the user and prompts the user for various information or tells the user how to proceed. Then a packet filter is automatically generated at the end. Thus, by employing such a wizard-type approach, the present embodiment is able to assist even the most novice network manager or other packet filter builder in the creation of desired packet filters.

In another embodiment, the present invention provides a "calculator-type" interface for the formation of a packet filter by a more advanced network manager or other packet filter builder. In this embodiment, the user can enter expression-based statements either by typing them or by clicking/double-clicking desired fields, operators, constants, or pre-built filters. The expression-based statements indicate the characteristics of the packet filter which the user wishes to build. The present embodiment then converts the expression-based statements to the final packet filter in traditional filter builder language. Thus, even in this more advanced embodiment, the present invention allows a network manager or other packet filter builder to construct a packet filter without being extensively trained in or cognizant of all of the various parameters in packet filter construction.

These and other advantages of the present invention will no doubt become obvious to those of ordinary skill in the art after having read the following detailed description of the preferred embodiments which are illustrated in the various drawing figures.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention:

FIGURE 1 is a schematic diagram of an exemplary computer system used to perform steps of the packet filter builder (PFB) method in accordance with one embodiment of the present invention.

FIGURE 2 is a flow chart of steps performed in accordance with one embodiment of the present claimed PFB invention.

FIGURE 3 is an illustration of one embodiment of a graphical user interface provided in accordance with one embodiment of the present claimed PFB invention.

FIGURES 4-7 are tables of information used during the building of a packet filter including the basic elements (e.g. fields, operators, constants, and the like) used in the building of packet filters.

FIGURES 8A-8J are frames of information used during the building of a packet filter.

FIGURE 9 is an illustration of one embodiment of a wizard-type graphical user interface provided in accordance with one embodiment of the present claimed PFB invention for less-advanced packet filter builders.

FIGURE 10 is an illustration of one embodiment of a calculator-type graphical user interface provided in accordance with one embodiment of the present claimed PFB invention for more advanced packet filter builders.

FIGURE 11 is a schematic diagram of the architecture of the implementation of Filter Parsing and Conversion utilized in accordance with the present claimed invention.

FIGURE 12 is a schematic diagram of the main classes and methods used in Filter Parsing employed in accordance with the present claimed invention.

FIGURES 13A-13C are flowcharts of the Operator Precedence Parsing Algorithm used in the present claimed invention.

FIGURE 14 is an example of pseudocode demonstrating Predictive Parsing Method utilized in accordance with the present claimed invention.

FIGURE 15 is the Expression-based Language Syntax Definition in BNF utilized in accordance with the present claimed invention.

The drawings referred to in this description should be understood as not being drawn to scale except if specifically noted.

BEST MODE FOR CARRYING OUT THE INVENTION

Reference will now be made in detail to the preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. While the invention will be described in conjunction with the preferred embodiments, it will be understood that they are not intended to limit the invention to these embodiments. On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the invention as defined by the appended claims. Furthermore, in the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be obvious to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the present invention.

Some portions of the detailed descriptions which follow are presented in terms of procedures, logic blocks, processing, and other symbolic representations of operations on data bits within a computer memory. These descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. In the present application, a procedure, logic block, process, etc., is conceived to be a self-consistent sequence of steps or instructions leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated in a computer system. It has proved convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussions, it is appreciated that throughout the present invention, discussions utilizing terms such as "determining", "assisting", "loading", "storing" or the like, refer to the actions and processes of a computer system, or similar electronic computing device. The computer system or similar electronic computing device manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission, or display devices. The present invention is also well suited to the use of other computer systems such as, for example, optical and mechanical computers.

COMPUTER SYSTEM ENVIRONMENT OF THE PRESENT PACKET FILTER BUILDER INVENTION

With reference now to Figure 1, portions of the present automatic packet filter builder (PFB) method are comprised of computer-readable and computer-executable instructions which reside, for example, in computer-usable media of a computer system. Figure 1 illustrates an exemplary computer system 100 used to perform the PFB method in accordance with one embodiment of the present invention. It is appreciated that system 100 of Figure 1 is exemplary only and that the present invention can operate within a number of different computer systems including general purpose networked computer systems, embedded computer systems, and stand-alone computer systems specially adapted for packet filter building.

System 100 of Figure 1 includes an address/data bus 102 for communicating information, and a central processor unit 104 coupled to bus 102 for processing information and instructions. System 100 also includes data storage features such as a computer usable volatile memory 106, e.g. random access memory (RAM), coupled to bus 102 for storing information and instructions for central processor unit 104, computer usable non-volatile memory 108, e.g. read only memory (ROM), coupled to bus 102 for storing static information and instructions for the central processor unit 104, and a data storage unit 110 (e.g., a magnetic or optical disk and disk drive) coupled to bus 102 for storing information and instructions. An input/output signal unit 112 (e.g. a modem) coupled to bus 102 is also included in system 100 of Figure 1. System 100 of the present invention also includes an optional alphanumeric input device 114, including alphanumeric and function keys, coupled to bus 102 for communicating information and command selections to central processor unit 104. System 100 also optionally includes a cursor control device 116 coupled to bus 102 for communicating user input information and command selections to central processor unit 104. System 100 of the present embodiment also includes an optional display device 118 coupled to bus 102 for displaying information.

Optional display device 118 of Figure 1, utilized with the present PFB method, may be a liquid crystal device, cathode ray tube, or other display device suitable for creating graphic images and alphanumeric characters recognizable to a user. Optional cursor control device 116 allows the computer user to dynamically signal the two-dimensional movement of a visible symbol (cursor) on a display screen of display device 118. Many implementations of cursor control device 116 are known in the art, including a trackball, mouse, touch pad, joystick or special keys on alphanumeric input device 114 capable of signaling movement in a given direction or manner of displacement. Alternatively, it will be appreciated that a cursor can be directed and/or activated via input from alphanumeric input device 114 using special keys and key sequence commands. The present invention is also well suited to directing a cursor by other means such as, for example, voice commands. A more detailed discussion of the present PFB method is found below.

GENERAL DESCRIPTION OF THE PRESENT PACKET FILTER BUILDER METHOD

With reference next to Figure 2, a flow chart 200 of exemplary steps used by the present PFB method is shown. Flow chart 200 includes processes of the present invention which, in one embodiment, are carried out by a processor under the control of computer-readable and computer-executable instructions. The computer-readable and computer-executable instructions reside, for example, in data storage features such as computer usable volatile memory 106 and/or computer usable non-volatile memory 108 of Figure 1. The computer-readable and computer-executable instructions are used to control, for example, the operation and functioning of central processing unit 104 of Figure 1. Although specific steps are disclosed in the flow chart of Figure 2, such steps are exemplary. That is, the present invention is well suited to performing various other steps or variations of the steps recited in Figure 2. The steps of Figure 2 will be described in conjunction with Figures 3-15.

With reference again to Figure 2, in step 202, a user of the present invention determines the initial design of the packet filter to be built. For example, the network manager or other designer of the packet filter writes down the features or functions of the desired packet filter. Although the present embodiment specifically recites writing down the features or functions of the packet filter to be built, it will be understood that the present invention is well suited to a user who does not first write down the features or functions of the packet filter to be built.

In step 204 of Figure 2, the user of the present invention initiates the present PFB invention. In the present embodiment, the user initiates the present PFB invention by, for example, using cursor control device 116 to select a PFB icon displayed on optional display device 118. It will be understood, however, that the present invention is well suited to using various other methods to initiate the present PFB invention. The present PFB invention provides a graphical user interface which guides the user through the creation of the desired packet filter. In one embodiment, designed for a more experienced or more highly trained network manager, the present invention provides a "calculator-type" interface. The calculator-type interface provided by the present PFB invention will be described and illustrated below in detail. In another embodiment, the present invention provides a "wizard-type" interface which guides the user through the formation of a packet filter on a step-by-step basis. The wizard-type interface provided in one embodiment of the present PFB invention will be described and illustrated below in detail.

Referring next to Figure 3, an illustration of the present embodiment of a graphical user interface 300 provided by the present PFB invention is shown.

Thus, in step 204 of the present invention, when the user initiates the present PFB, GUI 300 appears, for example, on optional display device 118 of Figure 1. The present PFB invention utilizes a user-friendly, expression-based language to define packet filters. More specifically, each packet filter can be defined as a series of if-then statements. In each statement an expression is tested, and then a specified action (i.e. a "reject" or an "accept") takes place. For example, if the user wants to define a filter to discard all Appletalk packets (Phase I and Phase II) using the expression-based language, such a packet filter will be defined by the present PFB invention in the following manner:

if (appletalkI or appletalkII) then reject, or: if (appletalkI) then reject; if (appletalkII) then reject.

The present PFB invention translates the user-friendly if/then statement into the complex filter building language such that the user's expression-based if/then statements are converted into the requisite complex filter building language. As an example, the present PFB invention translates the above listed if/then statements into the following filter:

    pushField.w 12
    pushLiteral.w 0x809b
    eq
    reject
    pushField.w 12
    pushLiteral.w 1500
    gt
    accept
    pushField.a 16
    pushLiteral.a 0x03080007809b
    ne

With conventional filter building methods, the above script has to be typed exactly as it is. As you can see, it requires extensive networking and programming knowledge and skill, and it is easy to make mistakes. However, in the present PFB invention, such a filter script is invisible to the user. In so doing, the present PFB invention allows a user to build a desired packet filter using only intuitive if/then statements. Numerous additional examples of such packet filters constructed using user-submitted if/then statements are given below in conjunction with step 212.
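As an added illustration of the translation step described above (example code written for this page, not the patent's program), the following Python compiles a few of the expression-based statement forms shown on this page into the stack-oriented filter language. The field table, the constant names (ip, ipx, appletalk), the field name snap for the 6-byte SNAP ctl+OUI+type, and the rule that a closing reject is emitted as the inverted comparison are assumptions chosen to reproduce the translations listed on this page.

```python
"""Toy compiler from the patent's expression-based statements to the
stack-oriented packet filter language (added example; not the patent's code).
The statement grammar, field table and literal names are assumptions chosen
to reproduce the translations listed on this page."""
import re

# Assumed field table: name -> (pushField size suffix, byte offset). Offsets follow
# the Ethernet layout used by the listed filters: dst at 0, src at 6,
# type/length at 12, and the 6-byte SNAP ctl+OUI+type at 16.
FIELDS = {
    "daddr": ("a", 0), "saddr": ("a", 6), "type": ("w", 12),
    "length": ("w", 12), "snap": ("a", 16),   # "snap" is an assumed field name
}
CONSTANTS = {"ip": 0x0800, "ipx": 0x8137, "appletalk": 0x809b}   # assumed aliases
OPS = {"=": "eq", "!=": "ne", "<": "lt", "<=": "le", ">": "gt", ">=": "ge"}
INVERSE = {"eq": "ne", "ne": "eq", "lt": "ge", "ge": "lt", "gt": "le", "le": "gt"}

COMPARE = re.compile(
    r"^\s*if\s*\(\s*(\w+)\s*(!=|<=|>=|=|<|>)\s*(\w+)\s*\)\s*then\s+(accept|reject)\s*$", re.I)
GROUP = re.compile(
    r"^\s*(accept|reject)\s+(source|destination)\s+(port|address)\s+group\s+([\d,\s]+)$", re.I)

def group_mask(groups):
    """Group n occupies bit n-1 of the 32-bit group mask, so groups 3 and 8 -> 0x0084."""
    mask = 0
    for g in groups:
        if not 1 <= g <= 32:
            raise ValueError("group number out of range: %d" % g)
        mask |= 1 << (g - 1)
    return mask

def compile_statement(text):
    """Return (prefix instructions, comparison that is true when the condition
    holds, action) for one statement."""
    m = COMPARE.match(text)
    if m:
        field, op, lit, action = m.group(1).lower(), m.group(2), m.group(3), m.group(4).lower()
        if field not in FIELDS:
            raise ValueError("unknown field: " + field)
        size, offset = FIELDS[field]
        key = lit.lower()
        literal = ("0x%04x" % CONSTANTS[key]) if key in CONSTANTS else lit
        int(literal, 0)                          # rejects non-numeric literals early
        return (["pushField.%s %d" % (size, offset), "pushLiteral.%s %s" % (size, literal)],
                OPS[op], action)
    m = GROUP.match(text)
    if m:
        action, side, kind, nums = (x.lower() for x in m.groups())
        register = "push%s%sGM" % (side[0].upper(), kind[0].upper())   # pushSPGM, pushDAGM, ...
        mask = group_mask(int(n) for n in nums.replace(",", " ").split())
        # (frame's group mask AND selected groups) != 0  <=>  frame is in a selected group
        return [register, "pushLiteral.l 0x%04x" % mask, "and", "pushLiteral.l 0"], "ne", action
    raise ValueError("cannot parse statement: %r" % text)

def compile_filter(text):
    """Compile ';'-separated statements into script lines. Assumed semantics,
    read off the listed examples: 'accept'/'reject' fire when the top of stack is
    true, and the truth of the final comparison means 'forward', so a closing
    reject is emitted as the inverted comparison."""
    stmts = [s for s in text.split(";") if s.strip()]
    if not stmts:
        raise ValueError("empty filter")
    script = []
    for i, stmt in enumerate(stmts):
        prefix, cmp, action = compile_statement(stmt)
        script += prefix
        if i == len(stmts) - 1:
            script.append(cmp if action == "accept" else INVERSE[cmp])
        else:
            script += [cmp, action]
    return script

if __name__ == "__main__":
    # The three-statement form of the Appletalk filter shown above.
    print("\n".join(compile_filter(
        "if (type = appletalk) then reject; if (type > 1500) then accept; "
        "if (snap = 0x03080007809b) then reject")))
```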

With reference next to Figures 4-7, tables 400-700 of information used during the building of a packet filter are shown. More specifically, tables 400-700 recite the basic elements (e.g. fields, operators, constants, and the like) used in the building of packet filters. In conventional packet filter building, the network manager, or person building the packet filter, would have to be intimately familiar with the information displayed in each of tables 400-700 of Figures 4-7, respectively. However, the present PFB invention eliminates the need for the network manager or other packet filter builder to be well-versed in such information in order to design and build packet filters. That is, the present PFB invention lowers the "network knowledge threshold" required to effectively design and build packet filters. In so doing, the present PFB invention enables the average network manager to build packet filters with the expertise and efficiency of a highly trained network programmer.

Additionally, with reference now to Figures 8A-8J, frames 802-820 of information used during the building of a packet filter are shown. As mentioned above in connection with Figures 4-7, in conventional packet filter building, the network manager, or person building the packet filter, would have to be intimately familiar with the information displayed in each of frames 802-820 of Figures 8A-8J, respectively. Thus, as mentioned above, the present PFB invention lowers the "network knowledge threshold" required to effectively design and build packet filters. In so doing, the present PFB invention enables the average network manager to build packet filters with the expertise and efficiency of a highly trained network programmer.

Referring again to Figure 3, the GUI of the present PFB invention allows the user to readily view Filters, Port Groups, and Address Groups, or use the menu to create new Filters, Port Groups, and/or Address Groups. As shown in GUI 300 of Figure 3, a user of the present PFB invention is able to readily access packet filter building information, and initiate the packet filter building process. As an example, in the present embodiment of GUI 300, the following information can be retrieved by selecting the File, View, Create, or Help menus:

View: Find Filters..., Tool bars, Change Script Directory, Status Bar, Start Telnet Session...
Create: Filter by wizard..., Filter Advanced..., Address Group..., Port Group
Help: Help Info

It will be understood, however, that the present PFB invention is well suited to providing various additional and/or other information in GUI 300.

With reference next to step 206, the user of the present invention must determine whether the packet filter to be built involves address/port groups. If the packet filter to be built does not involve such address/port groups, the present PFB invention proceeds to step 212. If the packet filter to be built does involve address/port groups, the present invention proceeds to step 208.

In step 208, the user of the present PFB invention must determine the necessary mask number(s). The mask number is the bit number in the address group mask with which the user would like to associate a particular group. Each group takes up one bit of the 32 bits provided for address group administration in the present embodiment of the PFB invention. Although 32 bits are provided for address group administration in this embodiment, the present invention is well suited to providing a different number of bits such as, for example, 64 bits for address group administration. In this embodiment of the PFB invention, this number is limited to the mask bits which have not been assigned on the selected slots. Furthermore, in the present embodiment, if an address group is loaded on multiple slots, the same bit in the address group mask will be used on each of the slots. Also, in this embodiment of the PFB invention, MAC addresses can be entered in either canonical, FDDI format, or hexadecimal, which will be converted and displayed in canonical format.

Referring now to step 210, the present PFB invention then requires the user to define the address and port groups.

Referring now to step 212, the user of the present PFB invention defines the packet filters to be built. As mentioned above, the present invention allows the user to define the packet filters to be built using expression-based if/then statements. The present PFB invention translates the user-friendly if/then statements into a complex filter building language such that the user's expression-based if/then statements are converted into the requisite complex filter building language. However, in the present PFB invention, such conversion is invisible to and/or hidden from the user. The following exemplary list recites several frequently requested packet filter types, and illustrates how the user's expression-based if/then statements are converted into the requisite complex filter building language.

Predefined Packet Filters Provided by the Present PFB Invention

A. PHYSICAL PORT FILTERING

1. Different Port Groups (Reject): To discard packets of different port groups.
[User Enters] if ((SPGM & DPGM) = 0) then reject
[Variables] reject/accept
[Packet Filter Language]
    name "Filter different address group"
    pushSPGM
    pushDPGM
    and
    pushLiteral.l 0
    ne

2. Source/Destination Port Groups: To reject packets from port groups 3 and 8.
[User Enters] reject source port group 3, 8
[Variables] Source/Destination accept/reject group(s)
[Packet Filter Language]
    pushSPGM
    pushLiteral.l 0x0084
    and
    pushLiteral.l 0
    eq

B. MAC LAYER FILTERING

1. Different Address Groups (Reject): To discard packets of different address groups.
[User Enters] if ((SAGM & DAGM) = 0) then reject
[Variables] accept/reject
[Packet Filter Language]
    name "Filter different port group"
    pushSAGM
    pushDAGM
    and
    pushLiteral.l 0
    ne

2. Source/Destination Address Groups: To reject packets from address groups 3 and 8.
[User Enters] reject source address group 3, 8
[Variables] Source/Destination reject/accept address group(s)
[Packet Filter Language]
    name "reject source address group 3,8"
    pushSAGM
    pushLiteral.l 0x0084
    and
    pushLiteral.l 0
    eq

3. Source Address Filter: This filter operates on the source address field of a frame. It rejects packets from station 00-DE-AD-00-00-02.
[User Enters] if (saddr = 0x00DEAD000002) then reject
[Variables] MAC address reject/accept
[Packet Filter Language]
    name "srcAddr-00DEAD000002-reject"
    pushField.a 6                   # Get the source address
    pushLiteral.a 0x00DEAD000002    # Load desired address
    ne                              # Check for a match

4. Destination Address Filter: This filter operates on the destination address field of a frame. It rejects packets to station 00-DE-AD-00-00-02.
[User Enters] if (daddr = 0x00DEAD000002) then reject
[Variables] MAC address reject/accept
[Packet Filter Language]
    name "destAddr-00DEAD000002-reject"
    pushField.a 0                   # Get the destination address
    pushLiteral.a 0x00DEAD000002    # Load desired address
    ne                              # Check for a match

5. Source OUI: This filter operates on the source network address field of a frame. It rejects packets from stations with an OUI of 00-DE-AD.
[User Enters] if (SOUI = 00-DE-AD) then reject
[Variables] SOUI reject/accept
[Packet Filter Language]
    name "srcAddr-OUI=00DEAD-reject"
    pushField.l 0                   # Get the first 4 bytes of the source address
    pushLiteral.l 0xffffff00        # Setup mask to isolate first 3 bytes
    and                             # Top of stack now has OUI
    pushLiteral.l 0x00DEAD00        # Load desired OUI value
    ne                              # Check for a match

6. Destination OUI: This filter operates on the destination network address field of a frame. It rejects packets to be forwarded to stations with an OUI of 00-DE-AD.
[User Enters] if (DOUI = 00-DE-AD) then reject
[Variables] SOUI reject/accept
[Packet Filter Language]
    name "dstAddr-OUI=00DEAD-reject"
    pushField.l 0                   # Get first 4 bytes of destination address
    pushLiteral.l 0xffffff00        # Setup mask to isolate first 3 bytes
    and                             # Top of stack now has OUI
    pushLiteral.l 0x00dead00        # Load desired OUI value
    ne                              # Check for a match

7. Multicast Filter: This filter operates on the destination address field of a frame. It rejects all multicast packets.
[User Enters] if ((daddr and 0x01) = 0x01) then accept
[Variables] Accept/reject source/destination
[Packet Filter Language]
    name "dstAddrMulticast-reject"
    pushField.b 0                   # Get the first byte of the destination address
    pushLiteral.b 0x01              # Setup multicast mask
    and                             # Isolate the multicast bit
    pushLiteral.b 0x01              # Setup multicast bit
    ne                              # Check for a multicast frame

8. Broadcast Filter: This filter operates on the destination address field of a frame. It forwards all broadcast packets.
[User Enters] if (daddr = 0xffffffffffff) then accept
[Variables] accept/reject source/destination
[Packet Filter Language]
    name "dstAddrBroadcast-forward"
    pushField.a 0                   # Get the destination address
    pushLiteral.a 0xffffffffffff    # Setup broadcast value
    eq                              # Check for a non-broadcast frame

9. Ethernet IP: This filter operates on the type field of a frame. It allows packets to be forwarded that are IP frames. To customize this filter to another type value, change the literal value loaded in the pushLiteral.w instruction.
[User Enters] if (type = ip) then accept
[Variables] Accept/reject
[Packet Filter Language]
    name "EthernetIPaccept"
    pushField.w 12                  # Get the type field
    pushLiteral.w 0x0800            # Load IP type value
    eq                              # Check for a match

10. "RAW" IEEE 802.3:
[User Enters] if (length ≤ 1500) then accept
[Variables] accept/reject
[Packet Filter Language]
    name "raw IEEE802.3"
    pushField.w 12
    pushLiteral.w 1500
    ge

11. Ethernet II IPX: This filter operates on the type field of a frame. It allows packets to be forwarded that are IPX frames. To customize this filter to another type value, change the literal value loaded in the pushLiteral.w instruction.
[User Enters] if (type = IPX) then reject
[Variables] Accept/reject
[Packet Filter Language]
    name "EthernetII IPX reject"
    pushField.w 12                  # Get the type field
    pushLiteral.w 0x8137            # Load IPX type value
    ne                              # Check for a match

12. IEEE 802.2 IPX: This filter rejects IPX 802.2 frames.
[User Enters] if IPX802.2 then reject, or: if (sap = 0xe0e0) and (ctl = 0x03) then reject
[Variable] Accept/reject
[Packet Filter Language]
    name "IEEE802.2-reject"
    pushField.l 14                  # Get the dsap, ssap, ctrl field
    pushLiteral.l 0xffffff00
    and
    pushLiteral.l 0xe0e00300        # Load value
    ne                              # Check for a match

13. IEEE 802.3: This filter rejects IEEE 802.3 frames.
[User Enters] if 802.3 then reject, or: if (sap = 0xaaaa) and (ctl = 0x03) then reject
[Variables] Accept/reject
[Packet Filter Language]
    name "IEEE802.3-reject"
    pushField.l 14                  # Get the dsap, ssap, ctrl field
    pushLiteral.l 0xffffff00
    and
    pushLiteral.l 0xaaaa0300        # Load IEEE802.3 value
    ne                              # Check for a match

14. IPX 802.3: This filter filters IPX 802.3 SNAP frames.
[User Enters] if 802.3 and netprot = IPX then reject
[Variables] Accept/reject
[Packet Filter Language]
    name "IEEE802.3-reject"
    pushField.l 14                  # Get the dsap, ssap, ctrl field
    pushLiteral.l 0xffffff00
    and
    pushLiteral.l 0xaaaa0300        # Load IEEE802.3 value
    ne
    accept
    pushField.w 20                  # Get the protocol type
    pushLiteral.w 0x8137            # Load IPX type
    ne

15. Appletalk I Filter: This filter operates on the type field of a frame. It allows packets to be forwarded that are Appletalk frames. To customize this filter to another type value, change the literal value loaded in the pushLiteral.w instruction.
[User Enters] if (type = appletalk) then reject
[Variable] Accept/reject
[Packet Filter Language]
    name "AppletalkI-reject"
    pushField.w 12                  # Get the type field
    pushLiteral.w 0x809b            # Load Appletalk type value
    ne                              # Check for a match

16. Appletalk II (Appletalk 802.3 SNAP) Filter: This filter rejects AppletalkII frames.
[User Enters] if appletalkII then reject
[Variables] Accept/reject
[Packet Filter Language]
    name "appletalkII"
    pushField.w 14                  # Get the type field
    pushLiteral.w 0xaaaa            # 802.3
    eq
    accept
    pushField.a 16
    pushLiteral.a 0x03080007809b
    ne                              # Check for a match

17. Maximum Length Filter: This filter operates on the length field of a frame. It allows packets to be forwarded that are less than 400 bytes in length. To customize this filter to another length value, change the literal value loaded in the pushLiteral.w instruction.
[User Enters] if (length ≤ 400) then accept
[Variables] length accept/reject
[Packet Filter Language]
    name "Forward ≤ 400"
    pushField.w 12                  # Get length field
    pushLiteral.w 400               # Load length limit
    le

18. Minimum Length Filter: This filter operates on the length field of a frame. It allows packets to be forwarded that are greater than 900 bytes in length. To customize this filter to another length value, change the literal value loaded in the pushLiteral.w instruction.
[User Enters] if (length ≥ 900) then accept
[Variables] length accept/reject
[Packet Filter Language]
    name "Forward ≥ 900"
    pushField.w 12                  # Get length field
    pushLiteral.w 900               # Load length limit
    ge

19. FDDI 802.3: This filter rejects FDDI IEEE 802.3 frames.
[User Enters] if FDDI-802.3 then reject, or: if (FDDI-sap = 0xaaaa) and (FDDI-ctl = 0x03) then reject
[Variables] Accept/reject
[Packet Filter Language]
    name "FDDI-802.3-reject"
    pushField.l 12                  # Get the dsap, ssap, ctrl field
    pushLiteral.l 0xffffff00
    and
    pushLiteral.l 0xaaaa0300        # Load IEEE802.3 value
    ne

20. FDDI IP: This filter rejects FDDI IEEE 802.3 SNAP frames.
[User Enters] if FDDI-802.3 and netprot = IP then reject
[Variable] Accept/reject
[Packet Filter Language]
    name "FDDI-IP-reject"
    pushField.l 12                  # Get the dsap, ssap, ctrl field
    pushLiteral.l 0xffffff00
    and
    pushLiteral.l 0xaaaa0300        # Load IEEE802.3 value
    ne
    accept
    pushField.w 18
    pushLiteral.w 0x0800
    ne

21. FDDI IPX 802.2: This filter rejects FDDI IPX 802.2 frames.
[User Enters] if FDDI-IPX802.2 then reject, or: if (sap = 0xe0e0) and (ctl = 0x03) then reject
[Variables] Accept/reject
[Packet Filter Language]
    name "FDDI-802.2-reject"
    pushField.l 12                  # Get the dsap, ssap, ctrl field
    pushLiteral.l 0xffffff00
    and
    pushLiteral.l 0xe0e00300        # Load value
    ne                              # Check for a match

22. FDDI IPX 802.3: This filter rejects FDDI IPX 802.3 SNAP frames.
[User Enters] if FDDI-802.3 and FDDI-netprot = IPX then reject
[Variables] Accept/reject
[Packet Filter Language]
    name "FDDI-802.3-IPX-reject"
    pushField.l 12                  # Get the dsap, ssap, ctrl field
    pushLiteral.l 0xffffff00
    and
    pushLiteral.l 0xaaaa0300        # Load value
    ne
    accept
    pushField.w 18
    pushLiteral.w 0x8137
    ne

23. FDDI Appletalk:

This filter rejects FDDI appletalk frames. [User Enters] if FDDI-802.3 and FDDInetprot = appletalk then reject [Variables 45 Accept/reject [Packet Filter Language] name 7DDI - appletalk-reject" push-Field.1 12

24 # Get the dsap, ssap, ctrl field pushLiteral.1 OxfflEEF00 and pushLiteral.l OxaaaaO3OO ne accept pushField. w pushLiteral.w ne is 0x809b # Load value C. NETWORK LAYER FILTERING 1. TCP Filter: This filter discards all TCP packets. [User Enters] 15 i-tnetprot = 1? and tranprot = TCP) then reject [Variables] Accept/reject [Packet Filter Language] name pushField.w 12 pushLiteral.w 0x0800 ne, accept pushField.b pushLiteral.b ne, 23 0x06 llethIP - TcpOrUdp-reject.pW # Get the type field # Load'P type value # Get the protocol type in IF header # Load TCP protocol type # Nfismatch, accept 2. UDP Filter: This filter discards all UDP packets. [User Enters] Wnetprot = 1P and tanprot = UDP) then reject [Variables] Accept/reject [Packet Filter Language] name pushField.w 12 pushLiteral.w OX0800 ne accept pushField.b pushLiteral.b ne OX11 "ethIP-TcpOrUdp-reject.pfl" # Get the type field # Load IP type value # Get the proto col type in 19 header # Load UDP protocol type # N1ismatch, accept 3. Subnet Directed Broadcast Filter (reject): This filter operates on the destination IP address of an IP frame. It discards IP (class B with 8 bit subnet) subnet broadcast packets (x.x.x.255). [User Enters] if (IF and field.b.33 = Oxif) then reject [Variables] Accept/reject [Packet Filter Language] name TthIP subnefficast - reject.pfl" pushField.w 12 # Get the type field pushI!teral.w 0x0800 # Load IP type value ne accept pushField.b 33 # Get last byte of Dest IP address pushLiteral.b OxfF # Load broadcast byte 255 ne # Nfismatch, then forward 4. Filter 6 bytes at byte 56 (forward): This filter operates on the 56th byte of a frame. Filters within the first 20 bytes are handled differently than the rest of the packet. 
RJser Enters] if field.a:56 = 0x0Occcccccccc then accept [Packet Filter Language] name pushField.a pushLiteral.a 30 eq "Filt6BytesAtByte56_forward" 56 OX00cccccccccc Hence, the present PFB invention allows the user to enter expression- based statements an construct complex packet filters without requiring that the user be well-versed in complex and error prone programming languages. Additionally, the present PFB invention does not require that the user be extensively trained in or cognizant of all of the various parameters in packet filter construction. Furthermore, although the above-cited examples explicitly recite that the user enter an expression-based statement, the present invention is also well suited to having the user select such statements through various other methods. For example, the present invention is also well suited to having the user select statements Via pLi-II-down windows, double-clicking on the desired filter type, and

26 the like. Although such packet filter types are specifically recited above, it will be understood that the above-listed packet filter types are exemplary, and that the present invention is well suited to having various other packet filter types. It will also be understood that the present PFB irivention allows the user to build a plurality of packet filters if desired.
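The listings above are programs for a small stack machine: pushField reads a field of a given width at a byte offset, pushLiteral pushes a constant, and the comparison operators leave a truth value. The interpreter below is an added example, not code from the patent or from 3Com; it executes three of the listings (the TCP reject filter, the IEEE 802.3 IPX reject filter and the maximum length filter) over constructed Ethernet II and IEEE 802.3 SNAP frames. The page does not spell out how the accept instruction and the value left on the stack are interpreted, so those rules, documented in run(), are assumptions, as is the fail-closed handling of a frame too short to contain the requested field. The MAC and IP addresses are constructed sample values.

```python
"""Interpreter for the stack-oriented packet filter language the patent's
compiler emits.  Added example: the listings are the page's own, the
execution semantics (documented in run) are assumptions."""

WIDTHS = {"b": 1, "w": 2, "l": 4, "a": 6}    # byte, word, long, 6-byte address

TCP_REJECT = """
name "ethIP-TcpOrUdp-reject.pfl"
pushField.w 12            # Get the type field
pushLiteral.w 0x0800      # Load IP type value
ne
accept                    # Mismatch, accept
pushField.b 23            # Get the protocol type in IP header
pushLiteral.b 0x06        # Load TCP protocol type
ne
"""

IPX_SNAP_REJECT = """
name "IEEE802.3-reject"
pushField.l 14            # Get the dsap, ssap, ctrl field
pushLiteral.l 0xffffff00
and
pushLiteral.l 0xaaaa0300  # Load IEEE802.3 value
ne
accept
pushField.w 20            # Get the protocol type
pushLiteral.w 0x8137      # Load IPX type
ne
"""

MAX_LENGTH = """
name "Forward <= 400"
pushField.w 12            # Get length field
pushLiteral.w 400         # Load length limit
le
"""


def parse(listing):
    """Return (filter name, [(opcode, width, operand)]) for one listing."""
    name, prog = None, []
    for raw in listing.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        head, _, rest = line.partition(" ")
        if head == "name":
            name = rest.strip().strip('"')
            continue
        op, _, size = head.partition(".")
        if op in ("pushField", "pushLiteral"):
            prog.append((op, WIDTHS[size], int(rest, 0)))
        elif op in ("and", "eq", "ne", "le", "ge", "accept"):
            prog.append((op, None, None))
        else:
            raise ValueError("unknown instruction: " + line)
    return name, prog


def run(prog, frame):
    """Execute a parsed program over one frame; True = forward, False = discard.

    Assumed semantics: pushField.X n pushes the big-endian field of width X at
    byte offset n; comparisons pop two values and push a boolean; 'and' is a
    bit mask; 'accept' pops a boolean and forwards at once when it is true;
    the value left on the stack at the end decides the outcome.  A field that
    lies past the end of the frame discards the frame (fail closed)."""
    stack = []
    for op, width, arg in prog:
        if op == "pushField":
            if arg + width > len(frame):
                return False
            stack.append(int.from_bytes(frame[arg:arg + width], "big"))
        elif op == "pushLiteral":
            stack.append(arg)
        elif op == "accept":
            if stack.pop():
                return True
        else:
            rhs, lhs = stack.pop(), stack.pop()
            stack.append({"and": lhs & rhs, "eq": lhs == rhs, "ne": lhs != rhs,
                          "le": lhs <= rhs, "ge": lhs >= rhs}[op])
    return bool(stack.pop()) if stack else False


def forwarded(listing, frame):
    return run(parse(listing)[1], frame)


# Constructed sample frames (not captured traffic).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


def ethernet_ii_ipv4(proto, dst_ip):
    """Ethernet II frame with a minimal 20-byte IPv4 header (protocol at 23)."""
    ip = (bytes([0x45, 0]) + (40).to_bytes(2, "big") + bytes(4) + bytes([64, proto])
          + bytes(2) + bytes([10, 0, 0, 1]) + bytes(dst_ip))
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + bytes(20)


def ieee_8023_snap(length, ether_type):
    """IEEE 802.3 frame: length at 12, LLC/SNAP at 14, protocol type at 20."""
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x00" + ether_type.to_bytes(2, "big")
    return DST_MAC + SRC_MAC + length.to_bytes(2, "big") + llc_snap + bytes(length - 8)


if __name__ == "__main__":
    for label, listing, frame in [
        ("TCP segment", TCP_REJECT, ethernet_ii_ipv4(6, (10, 1, 2, 3))),
        ("UDP datagram", TCP_REJECT, ethernet_ii_ipv4(17, (10, 1, 2, 3))),
        ("IPX over 802.3 SNAP", IPX_SNAP_REJECT, ieee_8023_snap(300, 0x8137)),
        ("500-byte 802.3 frame", MAX_LENGTH, ieee_8023_snap(500, 0x8137)),
    ]:
        verdict = "forward" if forwarded(listing, frame) else "discard"
        print(f"{parse(listing)[0]:28} {label:22} -> {verdict}")
```

Running the module prints one verdict per sample frame. Note how the 802.3 listing only reaches the protocol type check after the dsap/ssap/ctrl mask matched; an Ethernet II IP frame fails that first comparison and is forwarded by the accept instruction without the second comparison ever running, which is why the FDDI and IEEE 802.3 listings all place the mask test first.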

Referring next to step 214, the present PFB invention then prompts the user to load the stored packet filter. Although such an approach is employed in the present embodiment, the present invention is also well suited to automatically loading the constructed packet filter for the user. In such an embodiment, the particulars of the loading of the packet filter are defined, for example, by user-entered information.

With reference next to Figure 9, another GUI 1100 is shown in accordance with the present claimed invention. In this embodiment, the present invention provides a "wizard-type" interface which guides the user through the formation of a packet filter on a step-by-step basis. In such an embodiment, the present PFB invention guides the user through the packet filter building method in a step-by-step process. That is, in such an embodiment, the present invention displays tutorial information to the user as shown in GUI 1100. Next, the present embodiment of the PFB invention prompts the user for various information or tells the user how to proceed. Thus, by employing such a wizard-type approach, the present PFB invention is able to assist even the most novice network manager or other packet filter builder in the creation of desired packet filters.

With reference next to Figure 10, another GUI 1200 is shown in accordance with the present claimed invention. In this embodiment, the present invention provides a "calculator-type" interface for the formation of a packet filter by a more advanced network manager or other packet filter builder. In the embodiment of Figure 10, the user can select fields, operators, constants or pre-built filters by either double clicking on the item in the list box 1202 or using the operator buttons 1204. The corresponding text will appear in the editable box 1206, and the user can then fill in variables. In the present embodiment of the PFB invention, the user can also directly enter (e.g. type) the filter in editable box 1206. Furthermore, in the embodiment of Figure 10, the filter name may be any sequence of ASCII characters other than quotation marks. The filter name is limited to 32 characters in the present embodiment. However, the present invention is also well suited to allowing the filter name to be restricted to fewer or greater than 32 characters. Also, the Verify button 1208 is used for syntax checking of the filter. In the present embodiment of the PFB invention, if errors are found the cursor is moved to the place where the error is found. Furthermore, in the present embodiment, when the user clicks the OK button 1210, validation of the filters is performed. Thus, even in the more advanced embodiment, the present PFB invention allows a network manager or other packet filter builder to construct a packet filter without being extensively trained in or cognizant of all of the various parameters in packet filter construction.

With reference to Figure 11, a schematic diagram of the architecture of the implementation of Filter Parsing and Conversion utilized in accordance with the present claimed invention is shown.

With reference to Figure 12, a schematic diagram of the main classes and methods used in Filter Parsing employed in accordance with the present claimed invention is shown.

With reference now to Figures 13A-13C, flowcharts of the Operator Precedence Parsing Algorithm used in accordance with the present invention are shown. These algorithms are used for expressions containing operators except logical AND and logical OR. The main advantage of this algorithm is its simplicity and efficiency; there is no need to use a recursive-descent method.

Referring now to Figure 14, an example of pseudocode utilized in accordance with the present claimed invention is shown. The pseudocode demonstrates the predictive parsing method. A predictive parser is a program consisting of a procedure for every nonterminal. Each procedure does two things: (i) it decides which production to use by looking at the lookahead symbol, and (ii) it uses a production by mimicking the right side. A nonterminal results in a call to the procedure for that nonterminal, and a token matching the lookahead symbol results in the next input token being read. If at some point the token in the production does not match the lookahead symbol, an error is declared.
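The following predictive parser is an added example, not the pseudocode of Figure 14 or any 3Com code. It parses the expression-based statements that appear in the listings above ("if (netprot = IP and tranprot = TCP) then reject", "if (length <= 400) then accept", bare frame types such as FDDI-802.3) against a grammar that is an assumption standing in for the BNF of Figure 15. Each nonterminal is a procedure that inspects the lookahead token to choose a production and calls match() for every token on the production's right side; a mismatch raises an error carrying the input offset, which is what the Verify button described above needs in order to move the cursor to the error.

```python
"""Predictive (recursive-descent) parser for the PFB expression statements.
Added example; the grammar is an assumption, not the patent's Figure 15."""
import re

# Assumed grammar:
#   statement := 'if' expr 'then' ('accept' | 'reject')
#   expr      := term { 'or' term }
#   term      := factor { 'and' factor }
#   factor    := '(' expr ')' | 'not' factor | NAME [ ('=' | '!=' | '<=' | '>=') NAME ]
TOKEN_RE = re.compile(
    r"(?P<ws>\s+)|(?P<lparen>\()|(?P<rparen>\))|(?P<op><=|>=|!=|=)"
    r"|(?P<name>[A-Za-z0-9_.:\-]+)|(?P<bad>.)")
KEYWORDS = {"if", "then", "and", "or", "not", "accept", "reject"}


class ParseError(Exception):
    """Carries the input offset so a GUI can place the cursor on the error."""
    def __init__(self, message, offset):
        super().__init__(f"{message} (offset {offset})")
        self.offset = offset


def tokenize(text):
    """Return (kind, value, offset) triples ending with an 'eof' token."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind, value = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "bad":
            raise ParseError(f"unexpected character {value!r}", m.start())
        if kind == "name" and value.lower() in KEYWORDS:
            kind = value.lower()                 # keywords get their own kind
        tokens.append((kind, value, m.start()))
    tokens.append(("eof", "", len(text)))
    return tokens


class Parser:
    """One procedure per nonterminal; each looks at the lookahead token to pick
    a production and calls match() to consume the tokens on its right side."""

    def __init__(self, text):
        self.tokens, self.i = tokenize(text), 0

    def lookahead(self):
        return self.tokens[self.i][0]

    def match(self, kind):
        actual, value, offset = self.tokens[self.i]
        if actual != kind:
            raise ParseError(f"expected {kind}, found {value or 'end of input'}", offset)
        self.i += 1
        return value

    def statement(self):
        self.match("if")
        cond = self.expr()
        self.match("then")
        action = self.lookahead()
        if action not in ("accept", "reject"):
            self.match("accept")                 # raises with the offending offset
        self.i += 1
        self.match("eof")                        # no trailing text allowed
        return ("if", cond, action)

    def expr(self):
        node = self.term()
        while self.lookahead() == "or":
            self.i += 1
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.lookahead() == "and":
            self.i += 1
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind = self.lookahead()
        if kind == "lparen":
            self.i += 1
            node = self.expr()
            self.match("rparen")
            return node
        if kind == "not":
            self.i += 1
            return ("not", self.factor())
        field = self.match("name")
        if self.lookahead() == "op":             # comparison such as netprot = IP
            op = self.match("op")
            return (op, field, self.match("name"))
        return ("flag", field)                   # bare frame type such as 802.3


def parse_statement(text):
    """Parse one statement into a nested tuple tree."""
    return Parser(text).statement()


def verify(text):
    """Syntax check as the Verify button does: -1 if valid, else the error offset."""
    try:
        parse_statement(text)
        return -1
    except ParseError as err:
        return err.offset
```

The tree that parse_statement() returns is the input the later conversion stage would walk to emit pushField/pushLiteral sequences; the and/or structure is handled here by the term/expr procedures, which is the part the text says the operator precedence parser of Figures 13A-13C leaves to a separate mechanism.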

With reference next to Figure 15, an Expression-based Language Syntax Definition in BNF utilized in accordance with the present claimed invention is shown.

The present PFB invention is also well suited to automatically validating the syntax of the user-defined packet filters. That is, the present PFB invention checks the constructed filters against a syntax diagram to ensure that the packet filters are valid.

Similarly, the present PFB invention is also adapted to optimize the user-defined packet filters. That is, some packet filters can be written/built in many different ways. The present PFB invention is, however, adapted to analyze the constructed packet filters and optimize the structure thereof.

Thus, the present invention provides a method and computer system for packet filter building wherein the packet filter is not constructed solely using complex design languages. The present invention further provides a packet filter building system and method which is not error-prone. Furthermore, the present invention provides a packet filter building system and method which does not require a highly trained programmer for the implementation thereof, and a packet filter building system and method which can be effectively and efficiently utilized by a typical network manager.

The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order best to explain the principles of the invention and its practical application, to thereby enable others skilled in the art best to utilize the invention and various embodiments with various modifications suited to the particular use contemplated. It is intended that the scope of the invention be defined by the Claims appended hereto and their equivalents.

Claims (23)

What is Claimed is:
1. A computer implemented method of building a packet filter for a networked system, said computer implemented method comprising the step of: a) generating a graphical user interface, said graphical user interface adapted to assist a user in the construction of a packet filter such that said user is able to build a packet filter without being extensively trained in numerous parameters involved in packet filter construction.
2. The computer implemented method as recited in Claim 1 further comprising the steps of: b) receiving from said user expression-based statements indicating characteristics of said packet filter; c) converting said expression-based statements to a language suitable for the formation of said packet filter; and d) creating said packet filter.
3. The computer implemented method as recited in Claim 1 further comprising the step of: exporting said packet filter to a file.
4. The computer implemented method as recited in Claim 1 further comprising the step of: loading said packet filter onto said networked system.
5. The computer implemented method as recited in Claim 1 wherein said graphical user interface is comprised of a wizard-type graphical user interface.
6. The computer implemented method as recited in Claim 1 wherein said graphical user interface is comprised of a calculator-type graphical user interface.
7. A computer implemented method of building a packet filter for a networked system, said computer implemented method comprising the steps of: a) generating a graphical user interface, said graphical user interface adapted to assist a user in the construction of a packet filter; said graphical user interface adapted to assist said user in the following packet filter formation steps:
i) determining whether said packet filter involves first parameters; ii) determining whether said packet filter involves second parameters; and iii) constructing said packet filter.
8. The computer implemented method as described in step i) of Claim 7 wherein said graphical user interface assists said user in determining whether said packet filter involves address groups.
9. The computer implemented method as described in step ii) of Claim 7 wherein said graphical user interface assists said user in determining whether said packet filter involves port groups.
10. The computer implemented method as recited in Claim 8 wherein said graphical user interface assists said user in defining an address group for said packet filter when said packet filter involves address groups.
11. The computer implemented method as recited in Claim 9 wherein said graphical user interface assists said user in defining a port group for said packet filter when said packet filter involves port groups.
12. The computer implemented method as described in step iii) of Claim 7 wherein said graphical user interface assists said user in constructing said packet filter using an expression-based statement.
13. The computer implemented method as recited in Claim 7 wherein said graphical user interface is comprised of a wizard-type graphical user interface.
14. The computer implemented method as recited in Claim 7 wherein said graphical user interface is comprised of a calculator-type graphical user interface.
15. The computer implemented method as recited in Claim 7 wherein said graphical user interface is further adapted to assist said user in exporting said packet filter to a file.
16. The computer implemented method as recited in Claim 7 wherein said graphical user interface is further adapted to assist said user in loading said packet filter onto said networked system.
17. In a computer system having a processor coupled to a bus, a computer readable medium coupled to said bus and having stored therein a computer program that when executed by said processor causes said computer system to implement a method of assisting a user in the building of a packet filter for a networked system, said method comprising the step of:
a) generating a graphical user interface, said graphical user interface adapted to assist a user in the construction of a packet filter such that said user is able to build a packet filter without being extensively trained in or cognizant of all of numerous parameters involved in packet filter construction.
18. A computer readable memory unit as described in Claim 17 wherein said computer implemented method stored on said computer readable medium further comprises the steps of:
b) receiving from said user expression-based statements indicating characteristics of said packet filter; c) converting said expression-based statements to a language suitable for the formation of said packet filter; and d) creating said packet filter.
19. The computer readable memory unit as described in Claim 17 wherein said computer implemented method stored on said computer readable medium further comprises the step of:
exporting said packet filter to a file.
20. The computer readable memory unit as described in Claim 17 wherein said computer implemented method stored on said computer readable medium further comprises the step of:
loading said packet filter onto said networked system.
21. The computer readable memory unit as described in Claim 17 wherein said computer implemented method stored on said computer readable medium further comprises the step of: generating a wizard-type graphical user interface to assist said user in the construction of said packet filter.
22. The computer readable memory unit as described in Claim 17 wherein said computer implemented method stored on said computer readable medium further comprises the step of:
generating a calculator-type graphical user interface to assist said user in the construction of said packet filter.
23. A method of building a packet filter, substantially as described herein, with reference to and as illustrated in the accompanying drawings.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US94632397A true 1997-10-07 1997-10-07

Publications (3)

Publication Number Publication Date
GB2331605A9 GB2331605A9 (en)
GB9821777D0 GB9821777D0 (en) 1998-12-02
GB2331605A true GB2331605A (en) 1999-05-26

Family

ID=25484314

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9821777A Withdrawn GB2331605A (en) 1997-10-07 1998-10-06 Packet filter compiler program

Country Status (3)

Country Link
CA (1) CA2249673A1 (en)
GB (1) GB2331605A (en)
IL (1) IL126465D0 (en)

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Anasil review at www.softseek.com and at www.lfnetworks. com, 30 June 1998 *
NetSense ProAnalyst review at www.softseek.com and at www.net3group.com, 8 July 1997 *
Picking out packets for perusal, Review of EtherPeek at www.zdnet.com, 6 January 1997 *
Review of Eagle 3.1 at www.zdnet.com, taken from ZD Internet Magazine February 1997 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2350911A (en) * 1999-06-10 2000-12-13 Ibm Form data files generator
GB2350911B (en) * 1999-06-10 2004-06-09 Ibm Form data files generator
US7069538B1 (en) 1999-06-10 2006-06-27 International Business Machines Corporation Form data files generator
GB2362288A (en) * 2000-05-09 2001-11-14 3Com Corp Generating events in network management systems using filters
GB2362288B (en) * 2000-05-09 2002-05-01 3Com Corp Apparatus and method for use in generating events in network management systems
US20100333077A1 (en) * 2001-11-20 2010-12-30 Yuval Shachar Apparatus, Method, and Software for Analyzing Network Traffic in a Service Aware Network
US9038035B2 (en) * 2001-11-20 2015-05-19 Cisco Systems Israel, Inc. Apparatus, method, and software for analyzing network traffic in a service aware network

Also Published As

Publication number Publication date
GB2331605A9 (en)
CA2249673A1 (en) 1999-04-07
IL126465D0 (en) 1999-08-17
GB9821777D0 (en) 1998-12-02

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)