This section specifies the syntax and semantics for the length tests.
The syntax for the length tests is shown below.
<LengthTest> ::= 'Length' [ '[' <LengthTestOptionSpec> ']' ] ( ( <CompareOperator> <FrameLengthValue> ) | ( <EqualNotEqualTest> <LengthValueRangeSpec> ) ) <LengthTestOptionSpec> ::= <LengthTestOption> [';' <LengthTestOptionSpec>] <LengthTestOption> ::= ( ( 'Begin' '=' <ProtocolLocation15> ) | ( 'Begin' '=' <ProtocolOffset> ) | ( 'End' '=' <ProtocolLocation15> ) | ( 'End' '=' <ProtocolOffset> ) ) <LengthValueRangeSpec> ::= '(' <FrameLengthValue> '..' <FrameLengthValue> ')'
Using a frame length test it is possible to set up a filter, filtering frames of a specific size. The length can be specified as:
- Equal to or not equal to a range of values.
Note: Ranges of values might use more than one hardware filter.
- Equal to, not equal to, less than, less than or equal to, greater than, or greater than or equal to a specific value.
The precision of the frame length test is 1 byte.
For a given range specification (<LengthValueRangeSpec>), all values are considered to be of the same size (equal to the largest number of bytes), that is either 1 or 2 bytes. Example: (0xF .. 0x1FF) is interpreted as (0x000F .. 0x01FF).
The 'Begin' and 'End' options can be used to limit the length test to a subset of the frame. The test will then compare against the length "Offset(End) - Offset(Begin). If Offset(Begin) is greater than Offset(End), the test result will be undefined. If an option is not given, 'Begin' defaults to 'StartOfFrame' and 'End' defaults to 'EndOfFrame'.
This section describes examples of filters for length testing.
This example illustrates how to set up a filter that captures all frames that are larger than or equal to 1000 bytes and smaller than or equal to 1200 bytes.
The filter NTPL example is shown below.
Assign[StreamId = 1] = (Length >= 1000 AND Length <= 1200)
This example makes use of dynamic offset options to limit the length test to the payload of a tunneled packet:
Assign[StreamId = 1] = TunnelType == GTPv1-U and Length[Begin=InnerLayer4Payload;End=EndOfFrame] > 1000
The NTPL above will assign a filter that captures all GTPv1-U where the tunneled layer 4 payload is larger than 1000 bytes. The "End" option could be omitted in this case since it defaults to end of frame.
Static offsets are also supported. The above NTPL can also be rephrased:
Assign[StreamId = 1] = TunnelType == GTPv1-U and Length[Begin=InnerLayer4Payload;End=EndOfFrame[-100]] > 900