Hi Peter,
right, a generic filter is needed because the built-in IP filter only
looks at (src|dst) addresses and ports, not the packet length.
A UDP packet is embedded in an IP packet, i.e. the IP header comes
first, then the UDP header, then the UDP data if any. The filter has to
check 2 values:
a) from the IP header, it checks if the packet is an UDP packet
b) from the UDP header it checks the length field
So we chain 2 filters (More=Yes in the first filter).
OK let's go. The 10th byte in the IP header contains the protocol type
ID byte which for UDP must be 17 dec = 0x11.
Filters
Name=filter-name
Input filters...
In filter 01
Generic...
Forward=No
Offset=9
Length=1
Mask=FF 00 00 00 00 00 00 00
Value=11 00 00 00 00 00 00 00
Compare=Equals
More=Yes
Now the UDP part. The header is 8 bytes long, byte 5+6 contain the
length of the UDP packet in bytes _including_ the header. So the minimum
length is 8 dec=0x8.
In filter 02
Generic...
Forward=No
Offset=24
Length=2
Mask=FF FF 00 00 00 00 00 00
Value=00 08 00 00 00 00 00 00
Compare=Equals
More=No
And at last the ususal forward all...
In filter 03
Generic...
Forward=Yes
Offset=0
Length=0
Mask=00 00 00 00 00 00 00 00
Value=00 08 00 00 00 00 00 00
Compare=Equals
More=No
Comments:
1. For all offsets I assume that the ASCEND filters deal with IP
packets. IP packets carry an Ethernet header of 14 bytes length which I
did not take into account. I am too dumb to find this piece of
information in the ASCEND docs.
2. The IP header length _usually_ is 20 bytes but can be longer. Bits
5-8 of the IP header contain the number of bytes of the IP header and
are assumed to be 0x5 here. AFAIK we cannot read this value to use it as
an offset in a filter. Workaround: test this value and branch if not
equal to 0x5.
Do not mention fragmentation which may occur with UDP packets.
3. And yes, while writing this, the length of the IP datagram is also
contained in the IP header itself (byte 3+4). We could test this for a
value of 28 dec=0x1C. Again, if the IP header contains options the
header itself will be longer than this and the filter will fail.
Advantage: less CPU load. By sheer coincidence ASCEND allows to test for
8 byte values and the two fields span 8 bytes exactly:
In filter 01
Generic...
Forward=No
Offset=2
Length=8
Mask=FF FF 00 00 00 00 00 FF
Value=00 1C 00 00 00 00 00 11
Compare=Equals
More=No
followed by the forward-all filter as above.
4. Decide for Input or Output filter yourself depending on which
interface you apply it to.
5. All information from the excellent "TCP/IP Illustrated, Vol. 1" by W.
Richard Stevens, Addison-Wesley, pages 34 and 144.
Best regards,
Wolfgang
Peter Lalor wrote:
> I need to write a filter to drop zero-length UDP packets. I believe
> this can be done with a generic filter, but I haven't played with
> those for awhile.
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
B · E · N · E · I · C · K · E
EDV-Beratung
________________________________________________________________________
Netzwerk-Design
Remote Access und WAN-Lösungen
Storage-Lösungen (RAID, libraries, NAS/SAN)
COMPAQ Server und PC
Windows NT Implementation und Administration
Dr. Wolfgang Beneicke fon +49-6223-97 07 20
Fasanenstrasse 16, D-69251 Gaiberg (Heidelberg) fax +49-6223-97 07 21
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request at bungi.com
Archives: http://www.nexial.com/mailinglists/