Packet filter is one of the essential concepts in passive measurement. An active measurement tool pushes a predetermined data stream into the network, so the traffic to be measured is always known. In passive measurement, on the other hand, existing traffic is measured, so filters are needed to define what part, in particular, of the total traffic is the interesting one to be taken into the measurement.
In passive measurement, existing traffic in the network is being measured. By default, when tapping into a network interface, all the traffic traveling there is shown. Sometimes that is what is desired. However, often you may wish to examine only a specific part of the total traffic.
Consider the figure below, which depicts two measurement points through which several independent traffic streams flow, originating from different applications/services. If we were, for example, interested only in the QoS of a particular single flow between these two measurement points, we would need to filter out all the other flows during measurement. This enables us to measure the QoS solely from the perspective of that interesting traffic flow. Similarly, we could be interested in multiple flows of a specific kind, which would require another kind of filter. This is what filtering in the context of passive QoS measurements is all about.
Qosium has some automation in filtering. For example, in an end-to-end measurement scenario, Qosium will, by default, assume that all traffic between the two points is included in the measurement and generate an automatic filter accordingly. In many measurement cases, that is enough. If, however, you are interested only in a specific part of the total traffic, tell that to Qosium by defining a manual filter. All Qosium measurement controllers allow defining a filter.
Defining a filter in Qosium follows the well-known Pcap syntax. A typical end-to-end filter could look like this:
ip and host 192.168.0.10 and host 192.168.0.101
This instructs Qosium to measure all IPv4 based traffic between hosts 192.168.0.10 and 192.168.0.101. If, for example, the interesting part would be a VoIP-stream traveling between these two machines, we need to focus the filter. Let us assume that the VoIP software uses UDP port 7000 on one end and UDP port 7001 on the other. Now we can define the filter as
ip and host 192.168.0.10 and host 192.168.0.101 and udp and port 7000 and port 7001
This is now a so-called strict filter, as there can be only one two-way stream that fits the filter. The previous filter was an example of a loose filter as many potential streams can be caught with that.
Writing filters in Qosium is mostly straightforward. An up-to-date full instruction of the Pcap syntax is given here. See our article on Pcap syntax instructions, which includes keywords, functionalities, and examples typically needed when using Qosium.
There are some things to notice as Pcap libraries perform packet filtering in a particular order. For example, if there is a VLANVirtual LAN
A LAN seqment which has no physical hardware, but instead is carried over network. tag in the Ethernet header of a packet, at least some versions of Pcap won’t go inside the packet at all if not especially told to do so. Thus, the packet content cannot be reached by usual filtering. Instead, insert
vlan and … in front of the manual packet filter, and the filter works again as expected.
In some special two-point measurement setups, there can be VLAN tag in one end of the measurement, while not in the other. In this case, you cannot set a simple filter, but instead, the case with and without VLAN must be dealt with separately (with
or statement) in the filter. For example, if you wish to measure all IP traffic, the filter would become:
ip or (vlan and ip)
It is important to notice here that in Pcap (at least in most of the Pcap versions), the order of the
vlan statement in the filter matters! More specifically, the non-VLAN tagged part of the filter must be informed before the VLAN-tagged part. Otherwise, you will see only the VLAN-tagged part regardless of what comes next in the filter. Thus, if we write our previous example filter in the format:
(vlan and ip) or ip
which is logically the same as above, it will not work.
There is a good article related to this topic given here.
If the two measurement points have different VLAN-setup, i.e., the other has a VLAN tag the other does not, you can also use auto-filtering. Just set the filter for the Primary Probe end and then select suitable autofilter mode. Notice: the autofiltering modes are currently quite simple, so if you have a complex filter, this won’t work.
A LAN seqment which has no physical hardware, but instead is carried over network.