Migration
In the Green Bay 2 release, it was possible to match a string up to 32 bytes long. The ByteStr32 data type is not supported for 4GA SmartNICs in the Link™ Capture Software 11.6 release, where the pattern matcher only has 4 extractors. Since a single extractor can only extract 32 bits, a maximum of 16 bytes can be extracted from a frame. The 4 extractors can be combined in NTPL to emulate matching on a 12-byte string. This section illustrates how a pattern match NTPL example from Green Bay 2 matching on a 12-byte string can be converted to a Link™ Capture Software 11.6 NTPL example with the equivalent functionality.
Green Bay 2
This is the NTPL example from Green Bay 2.
DefineMacro("myTcpSrcPort", "Data[DynOffset = DynOffTcpFrame; DataType = ByteStr2]") DefineMacro("myHttpHeader", "Data[DynOffset = DynOffTcpData; DataType = ByteStr32]") Assign[StreamId=0] = myTcpSrcPort == 80 and myHttpHeader == {[0xFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000] : "HTTP/1.1 200xxxxxxxxxxxxxxxxxxxx"}
Link™ Capture Software 11.6
This is the converted Link™ Capture Software 11.6 NTPL example.
DefineMacro("myTcpSrcPort", "Data[DynOffset = DynOffTcpFrame; DataType = ByteStr2]") Assign[StreamId=0] = myTcpSrcPort == 80 AND Data[DynOffset = DynOffTcpData; Offset = 0; DataType = ByteStr4] == 0x48545450 AND Data[DynOffset = DynOffTcpData; Offset = 4; DataType = ByteStr4] == 0x2f312e31 AND Data[DynOffset = DynOffTcpData; Offset = 8; DataType = ByteStr4] == 0x20323030
- The 12-byte string is split into 3 parts of 4 bytes each. Each part is tested individually and the tests are AND'ed together.
- Since the NTPL parser for 4GA SmartNICs in Link™ Capture Software 11.6 does not accept ASCII characters, the individual characters must be written in hexadecimal form.
- Since there are only 4 extractors for 4GA SmartNICs in Link™ Capture Software 11.6, only a 12-byte string can be matched because one extractor is used for the port number and 3 extractors are used for the three 4-byte strings.
- When these NTPL expressions are executed, all extractors are used up. This means that no more pattern match filters can be set up unless they use the same fields.