Background: Know: FilterEntry definition, Prerequisites - Ethernet frame length, CRC checks, alignment checks, Recognize:


Filter masks


  • A filter is a tool to observe traffic on a network. There are 2 types of filter:
1. Data filter: allows the monitor to screen a packet based on its content. In this type of filter, a portion of the packet is compared to a sequence stored in the filter. If the result is "matched", the packet is eliminated; if not, it passes through the filter.
There are two important fields in a data filter:

filterPktDataOffset is the distance from the beginning of a packet to the bit where the test begins. For example, if filterPktDataOffset = 0, the filter begins examining the packet from its first bit.

filterPktData contains the checking sequence; the packet stream is compared to this sequence. The specific positions are defined in filterPktDataMask and FilterDataNotMask.

2. Status filter: its operation is based on the protocol processing of a packet.

For a status filter, the status of a packet is stored in a bitmap called filterPktStatus, which contains 3 bits as follows:

Bit #   Error
0       Packet length is longer than 1518 octets
1       Packet length is shorter than 64 octets
2       Packet has CRC or alignment error

For example, if a packet is longer than 1518 octets and it has a CRC error, filterPktStatus has the value 5 (101 in binary: bits 0 and 2 are set).
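The status bitmap described above can be computed directly from a received frame. The following is an added example, not code from the original page or from any RMON implementation; the function names, the extra_bits parameter and the sample frames are assumptions constructed for illustration.

```python
import struct
import zlib

# Bit positions taken from the status table above.
TOO_LONG, TOO_SHORT, CRC_ALIGN = 1 << 0, 1 << 1, 1 << 2
ERRORS = {
    TOO_LONG: "longer than 1518 octets",
    TOO_SHORT: "shorter than 64 octets",
    CRC_ALIGN: "CRC or alignment error",
}

def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame body, least significant octet first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def pkt_status(frame: bytes, extra_bits: int = 0) -> int:
    """Return the status bitmap for one frame (length includes the FCS).

    extra_bits (hypothetical parameter) models a frame that did not end on
    an octet boundary, which a bytes object cannot represent by itself.
    """
    status = 0
    if len(frame) > 1518:
        status |= TOO_LONG
    if len(frame) < 64:
        status |= TOO_SHORT
    if extra_bits % 8 or len(frame) < 4 or fcs(frame[:-4]) != frame[-4:]:
        status |= CRC_ALIGN
    return status

def decode(status: int) -> list:
    """List the error description for every bit set in the bitmap."""
    return [text for bit, text in ERRORS.items() if status & bit]

def make_frame(body_len: int) -> bytes:
    """Build a constructed frame: filler octets followed by a valid FCS."""
    body = bytes(i % 251 for i in range(body_len))
    return body + fcs(body)

# Constructed sample frames (filler payload, not captured traffic).
GOOD = make_frame(60)             # 64 octets, valid FCS
RUNT = make_frame(20)             # 24 octets, valid FCS
_damaged = bytearray(make_frame(1600))
_damaged[100] ^= 0x01             # flip one bit so the FCS no longer matches
LONG_BAD = bytes(_damaged)        # 1604 octets, bad FCS

if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("RUNT", RUNT), ("LONG_BAD", LONG_BAD)):
        s = pkt_status(frame)
        print(f"{name}: {len(frame)} octets, status={s} ({s:03b}) {decode(s)}")
```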

  • Channel:

A channel is defined by a set of filters. When a packet passes both the data filter and the status filter of a filter, it is accepted for the channel. This process can be illustrated by the following diagram:

Figure 1: Channel (from figure 9.5, William Stallings: SNMP, SNMPv2, SNMPv3 and RMON 1 and 2)

Channels are defined in a table called channelTable. Each row of the channelTable defines a unique channel.

ChannelIndex is an integer that identifies a row in the channelTable. In other words, channelIndex is a number that refers to a unique channel.

Figure 2: ChannelTable (from figure 9.7, William Stallings: SNMP, SNMPv2, SNMPv3 and RMON 1 and 2)