Protocol Filter

SmartNIC Filtering with Link-Capture™ Software
Platform
Napatech SmartNIC
Content Type
User Guide
Capture Software Version
Link™ Capture Software 12.13

Frames can be filtered based on various protocol information.

Supported protocols

Napatech SmartNICs with Link-Capture™ Software decode every received frame and classify according to the various protocol layers as follows.
  • Encapsulation: ISL, CFP, VLAN, or MPLS
  • Broadcast, Multicast, Unicast
  • Layer 2: Ether II, LLC, SNAP, Raw, PPPoEDiscovery, PPPoESession
  • Layer 3: IP, IPv4, IPv6,
  • Layer 4: UDP, TCP, ICMP, SCTP
  • Tunneling: GREv0, GREv1, GTPv0-U, GTPv1-U, GTPv1-C, GTPv2-C, GTPv1v2-C, GTPv1-U-GPDU, GTPv1-U-Signal, IPinIP, EtherIP, VXLAN, NVGRE, EoMPLS
  • Inner encapsulation: VLAN, MPLS
  • Inner layer 2: EtherII
  • Inner layer 3: IP, IPv4, IPv6,
  • Inner layer 4: UDP, TCP, ICMP, SCTP
For tunneled traffic, both outer and inner layer protocols are decoded.

NTPL examples

This example configures the SmartNIC to capture IPv4 frames containing the UDP protocol.
Assign[streamid=0] = (Layer3Protocol==IPv4) AND (Layer4Protocol==UDP)
The following example shows how to filter tunneled IPv4 traffic which contains the IPv4 or IPv6 protocol in the inner layer. 
// Define a macro for IPv4 frames containing inner IPv4.
Define isIPv4_containing_IPv4 = Macro("Layer3Protocol==IPv4 AND InnerLayer3Protocol==IPv4")

// Define a macro for IPv4 frames containing inner IPv6.
Define isIPv4_containing_IPv6 = Macro("Layer3Protocol==IPv4 AND InnerLayer3Protocol==IPv6")

Assign[streamid=1] = isIPv4_containing_IPv4
Assign[streamid=2] = isIPv4_containing_IPv6
This following example sets filters for:
  • Delivering GTP-C traffic to stream 0.
  • Filtering UDP traffic inside the GTPv1 tunnel and distributing based on the inner 5-tuple hash mode.
// Define a filter for GTP-U traffic.
Define isGTP-U = Filter(TunnelType==GTPv1-U AND InnerLayer3Protocol==IPv4 AND \\
InnerLayer4Protocol==UDP)

// Define a filter for GTP-C traffic.
Define isGTP-C = Filter(TunnelType==GTPv2-C)

// Distribute traffic based on inner UDP sessions.
HashMode=HashInner5TupleSorted

// Stream 0: GTPv2-C traffic.
Assign[StreamId=0] = isGTP-C

// Stream 1 to 16: GTPv2 traffic hashed using HashInner5TupleSorted.
Assign[StreamId=(1..16)] = isGTP-U
MPLS and VLAN encapsulated frames can be filtered as follows.
Assign[streamid=3] = (Encapsulation==MPLS)
Assign[streamid=4] = (Encapsulation==VLAN)
Note: The TPID values, 0x8100 (33024) and 0x88a8 (34984), are always valid for VLAN tags in the SmartNIC. An additional TPID value for VLAN tags is configurable in the /opt/napatech3/config/ntservice.ini file. For example: 
AltTPID = 0x9100
The following NTPL example configures the SmartNIC to filter VXLAN encapsulated frames.
Assign[StreamId=5] = TunnelType==VxLan
Note: Alternative UDP port numbers for VXLAN are configurable in the /opt/napatech3/config/ntservice.ini file.
VXLANAltDestinationPorts = 8472, 8473
A maximum of two alternative UDP port numbers are supported. The standard UDP port, 4789, is always matched regardless of this configuration.

Classification conditions for protocols

For classifying a frame by protocol, the specific protocol header must be present in the frame. For example, a frame can only be identified as UDP if it contains the UDP header. Consequently, fragmented IP traffic without the UDP header will not be classified as UDP traffic, even if the IPv4 header's protocol field indicates 0x11 for UDP.

The following NTPL example can be applied to filter UDP traffic.
Assign[streamid=0] = (Layer3Protocol=IPv4) AND (Layer4Protocol=UDP)
IP fragments missing the UDP header will not match using this NTPL expression.
To capture IP fragments that do not contain the UDP header, the following NTPL example can be used.
Assign[streamid=0] = (Layer3Protocol==IPv4) AND (IpProtocol==17)
For detailed information on classification conditions for protocols, see Frame Classification in DN-1128.