Chapter 7. Filters

Filters are used to control the information displayed by all facilities. You may want to view statistics only on particular traffic so you must restrict the information displayed. The filters also apply to logging activity.

The IPTraf-ng filter management system is accessible through the Filters... submenu.

Figure 7-1. The Filters submenu

7.1. IP Filters

The Filters/IP... menu option allows you to define a set of rules that determine what IP traffic to pass to the monitors. Selecting this option pops up another menu with the tasks used to define and apply custom IP filters.

Figure 7-2. The IP filter menu

7.1.1. Defining a New Filter

A freshly installed program will have no filters defined, so before anything else, you will have to define a filter. You can do this by selecting the Define new filter... option.

Selecting this option displays a box asking you to enter a short description of the filter you are going to define. Just enter any text that clearly identifies the nature of the filter.

Figure 7-3. The IP filter name dialog

Press Enter when you're done with that box. As an alternative, you can also press Ctrl+X to cancel the operation.

7.1.1.1. The Filter Rule Selection Screen

After you enter the filter's description, you will be taken to a blank rule selection box. At this screen you manage the various rules you define for this filter. You can opt to insert, append, edit, or delete rules.

Figure 7-4. The filter rule selection screen. Selecting an entry displays that set for editing

Any rules defined will appear here. You will see the source and destination addresses, masks and ports (long addresses and masks may be truncated) and whether this rule includes or excludes matching packets.

Between the source and destination parameters is an arrow that indicates whether the rule matches packets only exactly as specified (single-headed) or also packets flowing in the opposite direction (double-headed).

At this screen, press I to insert at the current position of the selection bar, A to append a rule to the end of the list, Enter to edit the highlighted rule and D to delete the selected rule. With an empty list, A or I can be used to add the first rule.

To add the first rule, press A or I. You will then be presented with a dialog box that allows you to enter the rule's parameters.

7.1.1.2. Entering Filter Rules

You can enter addresses of individual hosts, networks, or a catch-all address. The nature of the address will be determined by the wildcard mask.

You'll notice two sets of fields, marked Source and Destination. You fill these out with the information about your source and targets.

Fill out the host name or IP address of the host or network in the first field, marked Host name/IP Address. Enter it in standard dotted-decimal notation. When done, press Tab to move to the Wildcard mask field. The wildcard mask is similar to, but not exactly identical with, the standard IP subnet mask: it determines which bits of the address the filter compares and which it ignores. In most cases it behaves much like a subnet mask. Place ones (1) under the bits you want the filter to recognize, and zeros (0) under the bits you want the filter to ignore. For example:

To recognize the host 207.0.115.44:

    IP address       207.0.115.44
    Wildcard mask    255.255.255.255

To recognize all hosts belonging to network 202.47.132.x:

    IP address       202.47.132.0
    Wildcard mask    255.255.255.0

To recognize all hosts with any address:

    IP address       0.0.0.0
    Wildcard mask    0.0.0.0

The IP address/wildcard mask mechanism of the display filter does not recognize IP address classes. It uses a simple bit-pattern matching algorithm.

The wildcard mask also does not have to end on a byte boundary; you may mask right into a byte itself. For example, 255.255.255.224 masks 27 bits (255 is 11111111, 224 is 11100000 in binary).

IPTraf-ng also accepts host names in place of the IP addresses. IPTraf-ng will resolve the host name when the filter is loaded. When the filter is interpreted, the wildcard mask will also be applied. This can be useful in cases where a single host name may resolve to several IP addresses.

Tip

See the Linux Network Administrator's Guide if you need more information on IP addresses and subnet masking.

Tip

IPTraf-ng allows you to specify the wildcard mask in Classless Interdomain Routing (CIDR) format. This format allows you to specify the number of 1-bits that mask the address. CIDR notation is the form address/bits where the address is the IP address or host name and bits is the number of 1-bits in the mask. For example, if you want to mask 10.1.1.0 with 255.255.255.0, note that 255.255.255.0 has 24 1-bits, so instead of specifying 255.255.255.0 in the wildcard mask field, you can just enter 10.1.1.0/24 in the address field. IPTraf-ng will translate the mask bits into an appropriate wildcard mask and fill in the mask field the next time you edit the filter rule.

If you specify the mask in CIDR notation, leave the wildcard mask fields blank. If you fill them in, the wildcard mask fields take precedence.
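The bit-pattern test and the CIDR translation described above, as an added illustration that is not IPTraf-ng's own code; the function names and the sample addresses (taken from the manual's examples) are assumptions of this example.

```c
/* Added illustration, not IPTraf-ng's own code: the bit-pattern test the
 * wildcard mask describes, and the CIDR prefix -> wildcard mask translation. */
#include <arpa/inet.h>
#include <stdint.h>

/* Parse dotted-decimal text into a host-order 32-bit value; returns 0 on bad input. */
static int parse_ipv4(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* 1-bits in the mask must agree, 0-bits are ignored; address class is never consulted. */
static int wildcard_match(uint32_t pkt, uint32_t rule, uint32_t mask)
{
    return (pkt & mask) == (rule & mask);
}

/* CIDR prefix length -> equivalent wildcard mask, e.g. 24 -> 255.255.255.0, 27 -> 255.255.255.224. */
static uint32_t cidr_to_mask(int bits)
{
    if (bits <= 0) return 0;
    if (bits >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - bits);
}

/* Convenience wrapper on text: 1 = match, 0 = no match, -1 = unparsable input. */
static int addr_matches(const char *pkt_s, const char *rule_s, const char *mask_s)
{
    uint32_t pkt, rule, mask;
    if (!parse_ipv4(pkt_s, &pkt) || !parse_ipv4(rule_s, &rule) || !parse_ipv4(mask_s, &mask))
        return -1;
    return wildcard_match(pkt, rule, mask);
}

/* Same test driven by an "address/bits" CIDR entry instead of a separate mask. */
static int cidr_matches(const char *pkt_s, const char *rule_s, int bits)
{
    uint32_t pkt, rule;
    if (!parse_ipv4(pkt_s, &pkt) || !parse_ipv4(rule_s, &rule)) return -1;
    return wildcard_match(pkt, rule, cidr_to_mask(bits));
}
```

The 255.255.255.224 case shows a mask that stops inside a byte: 207.0.115.63 shares the top three bits of its last byte with 207.0.115.44, so it matches, while 207.0.115.64 does not.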

The Port fields should contain a port number or range of any TCP or UDP service you may be interested in. If you want to match only a single port number, fill in the first field, while leaving the second blank or set to zero. Fill in the second field if you want to match a range of ports (e.g. 80 to 90). Leave the first field blank or set to zero to let the filter ignore the ports altogether. You will most likely be interested in target ports rather than source ports (which are usually unpredictable anyway, perhaps with the exception of FTP data).

These fields are used only when filtering TCP or UDP packets; packets of other protocols are not affected by them.

Fill out the second set of fields with the parameters of the opposite end of the connection.

Tip

Any address or mask fields left blank default to 0.0.0.0 while blank Port fields default to 0. This makes it easy to define filter rules if you're interested only in either the source or destination, but not the other. For example, you may be interested in traffic originating from network 61.9.88.0, in which case you just enter the source address, mask and port in the Source fields, while leaving the Destination fields blank.

The next fields let you specify which IP-type protocols this filter rule should match. A packet whose protocol's corresponding field is marked with a Y is matched against the rule's IP addresses and ports; any other packet does not pass through this filter rule.

If you want to evaluate all IP packets just mark with Y the All IP field.

For example, if you want to see only all TCP traffic, mark the TCP field with Y.

The long field marked Additional protocols allows you to specify other protocols by their IANA number. (You can look up the common IP protocol numbers in the /etc/protocols file.) You can specify a list of protocol numbers or ranges separated by commas. A range is written as its beginning and ending protocol numbers separated by a hyphen.

For example, to see RSVP (46), IP Mobility (55), and protocols 101 to 104, you use an entry that looks like this:

    46, 55, 101-104

It's certainly possible to specify any of the protocols listed above in this field. Entering 1-255 is functionally identical to marking All IP with a Y.

The next field is marked Include/Exclude. This field allows you to decide whether to include or filter out matching packets. Setting this field to I causes the filter to pass matching packets, while setting it to E causes the filter to drop them. This field is set to I by default.

The last field in the dialog is labeled Match opposite. When set to Y, the filter will match packets flowing in the opposite direction. Previous versions of IPTraf-ng used to match TCP packets flowing in either direction, so the source and destination address/mask/port combinations were actually interchangeable. Starting with IPTraf 3.0, when filters extended to more than just the IP traffic monitor, this behavior is no longer the default throughout IPTraf-ng except in the IP traffic monitor's TCP window.

Note

For TCP packets, this field is used in all facilities except the IP traffic monitor. Because the IP traffic monitor must capture TCP packets in both directions to properly determine a closed connection, the filter automatically matches packets in the opposite direction, regardless of this field's setting. However, in all other facilities, automatic matching of the reverse packets is not performed unless you set this field to Y.

Filters for UDP and other IP protocols do not automatically match packets in the opposite direction unless you set the field to Y, even in the IP traffic monitor.

Press Enter to accept all parameters when done. The parameters will be accepted and you'll be taken back to the rule selection box. You can then add more rules by pressing A, or insert new rules at any point by pressing I. Should you make a mistake, you can press Enter to edit the selected rule. You may enter as many sets of parameters as you wish. Press Ctrl+X when done.

Note

Because of the major changes in the filtering system since IPTraf 2.7, old filters will no longer work and will have to be redefined.

Figure 7-5. The IP filter parameters dialog

7.1.1.3. Examples

To see all traffic to/from host 202.47.132.1 from/to 207.0.115.44, regardless of TCP port:

                        Source            Destination
Host name/IP Address    202.47.132.2      207.0.115.44
Wildcard mask           255.255.255.255   255.255.255.255
Port                    0                 0
Protocols               TCP: Y
Include/Exclude         I
Match opposite          Y

To see all traffic from host 207.0.115.44 to all hosts on network 202.47.132.x:

                        Source            Destination
Host name/IP Address    207.0.115.44      202.47.132.0
Wildcard mask           255.255.255.255   255.255.255.0
Port                    0                 0
Protocols               All IP: Y
Include/Exclude         I
Match opposite          N

To see all Web traffic (to and from port 80) regardless of source or destination:

                        Source            Destination
Host name/IP Address    0.0.0.0           0.0.0.0
Wildcard mask           0.0.0.0           0.0.0.0
Port                    80                0
Protocols               TCP: Y
Include/Exclude         I
Match opposite          Y

To see all IRC traffic on ports 6666 to 6669:

                        Source            Destination
Host name/IP Address    0.0.0.0           0.0.0.0
Wildcard mask           0.0.0.0           0.0.0.0
Port                    0                 6666 to 6669
Protocols               TCP: Y
Include/Exclude         I
Match opposite          Y

To see all DNS traffic (TCP and UDP, destination port 53) regardless of source or destination:

                        Source            Destination
Host name/IP Address    0.0.0.0           0.0.0.0
Wildcard mask           0.0.0.0           0.0.0.0
Port                    0                 53
Protocols               TCP: Y  UDP: Y
Include/Exclude         I
Match opposite          Y

To see all mail (SMTP) traffic to a single host (202.47.132.2) from anywhere:

                        Source            Destination
Host name/IP Address    0.0.0.0           202.47.132.2
Wildcard mask           0.0.0.0           255.255.255.255
Port                    0                 25
Protocols               TCP: Y
Include/Exclude         I
Match opposite          N

To see traffic to/from host sunsite.unc.edu from/to cebu.mozcom.com:

                        Source            Destination
Host name/IP Address    sunsite.unc.edu   cebu.mozcom.com
Wildcard mask           255.255.255.255   255.255.255.255
Port                    0                 0
Protocols               All IP: Y
Include/Exclude         I
Match opposite          Y

To omit display of traffic to/from 140.66.5.x from/to anywhere:

                        Source            Destination
Host name/IP Address    140.66.5.0        0.0.0.0
Wildcard mask           255.255.255.0     0.0.0.0
Port                    0                 0
Protocols               All IP: Y
Include/Exclude         E
Match opposite          Y

You can enter as many rules as you wish. They are evaluated in order until the first match is found.

7.1.1.4. Excluding Certain Sites

Filters follow an implicit "no-match" policy: only packets matching a defined rule are passed, and everything else is filtered out. This is similar to the access-list policy "whatever is not explicitly permitted is denied". If you want to show all traffic to/from everywhere except certain places, specify the sites you wish to exclude, mark them with E in the Include/Exclude field, and define a general catch-all entry with source address 0.0.0.0, mask 0.0.0.0, port 0 and destination 0.0.0.0, mask 0.0.0.0, port 0, tagged with an I in the Include/Exclude field, as the last entry.

For example:

To see all traffic except all SMTP (both directions), Web (both directions), and traffic (only) from 207.0.115.44:

                        Source            Destination
Host name/IP address    0.0.0.0           0.0.0.0
Wildcard mask           0.0.0.0           0.0.0.0
Port                    25                0
Protocols               TCP: Y
Include/Exclude         E
Match opposite          Y

Host name/IP address    0.0.0.0           0.0.0.0
Wildcard mask           0.0.0.0           0.0.0.0
Port                    80                0
Protocols               TCP: Y
Include/Exclude         E
Match opposite          Y

Host name/IP address    207.0.115.44      0.0.0.0
Wildcard mask           255.255.255.255   0.0.0.0
Port                    0                 0
Protocols               All IP: Y
Include/Exclude         E
Match opposite          N

Host name/IP address    0.0.0.0           0.0.0.0
Wildcard mask           0.0.0.0           0.0.0.0
Port                    0                 0
Protocols               All IP: Y
Include/Exclude         I
Match opposite          N

Tip

To filter out all TCP, define a filter with a single entry, with a source of 0.0.0.0 mask 0.0.0.0 port 0, and a destination of 0.0.0.0 mask 0.0.0.0 port 0, with the Include/Exclude field marked E (exclude). Then apply this filter.

7.1.2. Applying a Filter

The above steps only add the filter to a defined list. To actually apply the filter, you must select Apply filter... from the menu. You will be presented with a list of filters you already defined. Select the one you want to apply, and press Enter.

The applied filter stays in effect over exits and restarts of the IPTraf-ng program until it is detached.

7.1.3. Editing a Defined Filter

Select Edit filter... to modify an existing filter. Once you select this option, you will be presented with the list of defined filters. Select the filter you want to edit by moving the selection bar and press Enter.

Edit the description if you wish. Pressing Ctrl+X at this point will abort the operation, and the filter will remain unmodified. Press Enter to accept any changes to the filter description.

After pressing Enter, you will see the filter's rules. To edit an existing filter rule, move the selection bar to the desired entry and press Enter. A prefilled dialog box will appear. Edit its contents as desired. Press Enter to accept the changes or Ctrl+X to discard.

You can add a new filter rule by pressing I to insert at the selection bar's current position. When you press I, you will be presented with a dialog box asking you to enter the new rule data. Pressing A results in a similar operation, except the rule will be appended as the last entry in the rule list.

Pressing D deletes the entry currently under the selection bar.

Press X or Ctrl+X to end the edit and save the changes.

Note

If you're editing the currently applied filter, you will need to re-apply the filter for the changes to take effect.

Note

Be aware that the filter processes the rules in order. In other words, if a packet matches more than one rule, only the first matching rule is followed.

7.1.4. Deleting a Defined Filter

Select Delete filter... from the menu to remove a filter from the list. Just move the selection bar to the filter you want to delete, and press Enter.

7.1.5. Detaching a Filter

The Detach filter option deactivates the filter currently in use. Selecting this option causes all TCP traffic to be passed to the monitors.

When you're done with the menu, just select the Exit menu option.