Flow-Tap Filter Operation
This section includes the following topics:
- Identifying and Capturing Target Packets using Dynamic Filtering
- Sample LEA Filter Configuration
- Sample DTCP Parameter File
Identifying and Capturing Target Packets using Dynamic Filtering
These are the steps used by dynamic filtering in flow-tap for identifying and capturing target packets:
- If one of the filter terms matches an incoming packet, a copy of the packet is made and sent to the services PIC.
- The services PIC receives the packet and runs it through all LEA filters again. Then it sends a copy of the packet to each matching LEA, after adding a corresponding IP/UDP header. The ISP can tunnel these packets using an IPSec tunnel to the mediation device.
- The mediation device receives the packet and stores it or forwards it to each LEA, in a format specified by the receiving LEA.
Sample LEA Filter Configuration
The following is an example LEA filter configuration as it would be on the router. However, the LEA filter configuration is not visible in the router configuration. It is dynamically generated by the router and no user configuration is required.
Sample DTCP Parameter File
Table 1 describes each line of a sample DTCP parameter file that would be sent from the mediation device to the router. The parameters program the router to capture packets sent to the router, then send the packet with a new LEA header of source address = 10.209.75.199, destination address = 192.168.3.2, source port = 65534 and destination port = 1814.
It is assumed that the destination is a packet analyzer device whose functionality is separate from that of the mediation device.
Note: Ensure that the parameters selected will not cause the captured data to overwhelm the packet analyzer device beyond its processing capacity.
Table 1: Lines of Sample DTCP Parameter File
| Line | Command | Description |
|---|---|---|
| 1. | ADD DTCP/0.6 | This indicates the DTCP version to be used. DTCP/0.6 should be used for all versions of Junos OS up to and including Junos OS 8.5. DTCP/0.7 should be used for Junos OS 9.0 and later. However, Junos OS 9.5R2 and later also accept previous versions of DTCP. If any unsupported parameters are received for a particular DTCP version, the request is rejected. |
| 2. | Csource-ID: verint | This line specifies the user name of the owner of the filter (verint in this example). This should be the same user name specified under the system login. |
| 3. | Cdest-ID: cd1 | This line identifies the mediation device (cd1 in this example). This is only for administrator reference. |
| 4. | Source-Address: | Lines 4 through 8 identify the desired target flow to be captured. The identifiers can be wildcards or absolute IP addresses or port numbers. |
| 5. | Dest-Address: | |
| 6. | Source-Port: | |
| 7. | Dest-Port: | |
| 8. | Protocol: 6 | |
| 9. | Flags: STATIC | |
| 10. | X-JTap-Cdest-Dest-Address: 192.168.3.2 | Lines 10 through 14 define the LEA IP header fields. A captured target packet is appended with a header with these values before it is sent to the content destination. The source address is the operational IP address. |
| 11. | X-JTap-Cdest-Dest-Port: 1814 | |
| 12. | X-JTap-Cdest-Source-Address: 10.209.75.199 | |
| 13. | X-JTap-Cdest-Source-Port: 65534 | |
| 14. | X-JTap-Cdest-TTL: 255 | |
| 15. | Seq:10 | The sequence number identifies the “version” of flow-tap parameters being used. It is incremented each time the LEA reprograms the parameters and is tracked by the router. The router looks for a newer sequence number before accepting and implementing new parameters. Any configuration attempt with an older sequence number is rejected by the DFC process. |
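The following is an added example, not Juniper code and not part of the original page: a pre-flight check that a mediation-device operator could run over a parameter file shaped like Table 1 before sending it. It verifies the request line, the content-destination header fields, that the target flow is not entirely wildcards (the concern raised in the note above), and that the sequence number is newer than the last one used. The function names, the target address 198.51.100.7, and the treatment of an empty value or `*` as a wildcard are assumptions of this example.

```python
import ipaddress

# Field names come from Table 1; the checks are this example's assumptions.
FLOW = ("Source-Address", "Dest-Address", "Source-Port", "Dest-Port")
CDEST_ADDRS = ("X-JTap-Cdest-Dest-Address", "X-JTap-Cdest-Source-Address")
CDEST_PORTS = ("X-JTap-Cdest-Dest-Port", "X-JTap-Cdest-Source-Port")

# Constructed sample: Table 1's lines plus a documentation-range target address.
SAMPLE = """ADD DTCP/0.6
Csource-ID: verint
Cdest-ID: cd1
Source-Address: 198.51.100.7
Dest-Address: *
Source-Port: *
Dest-Port: *
Protocol: 6
Flags: STATIC
X-JTap-Cdest-Dest-Address: 192.168.3.2
X-JTap-Cdest-Dest-Port: 1814
X-JTap-Cdest-Source-Address: 10.209.75.199
X-JTap-Cdest-Source-Port: 65534
X-JTap-Cdest-TTL: 255
Seq:10"""

def parse_dtcp(text):
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    command, version = lines[0].split()  # first line: "<command> <version>"
    pairs = (ln.partition(":") for ln in lines[1:])  # rest: "Name: value"
    return command, version, {k.strip(): v.strip() for k, _, v in pairs}

def is_addr(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def check_request(text, last_seq):
    # Returns a list of problems; an empty list means the request passes.
    command, version, f = parse_dtcp(text)
    problems = []
    if command != "ADD" or version not in ("DTCP/0.6", "DTCP/0.7"):
        problems.append("unexpected request line")
    problems += [n + ": not an IP address" for n in CDEST_ADDRS if not is_addr(f.get(n, ""))]
    problems += [n + ": not a port" for n in CDEST_PORTS
                 if not (f.get(n, "").isdigit() and 0 < int(f[n]) <= 65535)]
    if all(f.get(n, "") in ("", "*") for n in FLOW):  # assumed wildcard forms
        problems.append("target flow is all wildcards")
    if not f.get("Seq", "").isdigit() or int(f["Seq"]) <= last_seq:
        problems.append("Seq is not newer than the last accepted value")
    return problems
```

`check_request(SAMPLE, last_seq=9)` returns an empty list, while reusing sequence number 10 or replacing the target address with a wildcard each yields one reported problem.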
