32-Byte Strings

From Green Bay 2 to Link™ Capture Software 12.3

Napatech SmartNIC
Migration Document


In the Green Bay 2 release, it was possible to match a string up to 32 bytes long. The ByteStr32 data type is not supported for 4GA SmartNICs in the Link™ Capture Software 12.3 release, where the pattern matcher only has 4 extractors. Since a single extractor can only extract 32 bits (4 bytes), the 4 extractors together can extract a maximum of 16 bytes from a frame. The 4 extractors can be combined in NTPL to emulate matching on a 12-byte string. This section illustrates how a pattern match NTPL example from Green Bay 2 matching on a 12-byte string can be converted to a Link™ Capture Software 12.3 NTPL example with the equivalent functionality.

Green Bay 2

This is the NTPL example from Green Bay 2.

DefineMacro("myTcpSrcPort", "Data[DynOffset = DynOffTcpFrame; DataType = ByteStr2]")
DefineMacro("myHttpHeader", "Data[DynOffset = DynOffTcpData; DataType = ByteStr32]")
Assign[StreamId=0] = myTcpSrcPort == 80 and myHttpHeader == 
 {[0xFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000] :
 "HTTP/1.1 200xxxxxxxxxxxxxxxxxxxx"}

Link™ Capture Software 12.3

This is the converted Link™ Capture Software 12.3 NTPL example.

DefineMacro("myTcpSrcPort", "Data[DynOffset = DynOffTcpFrame; DataType = ByteStr2]")
Assign[StreamId=0] = myTcpSrcPort == 80 AND 
 Data[DynOffset = DynOffTcpData; Offset = 0; DataType = ByteStr4] == 0x48545450 AND 
 Data[DynOffset = DynOffTcpData; Offset = 4; DataType = ByteStr4] == 0x2f312e31 AND 
 Data[DynOffset = DynOffTcpData; Offset = 8; DataType = ByteStr4] == 0x20323030

Note that:
  • The 12-byte string is split into 3 parts of 4 bytes each. Each part is tested individually and the tests are AND'ed together.
  • Since the NTPL parser for 4GA SmartNICs in Link™ Capture Software 12.3 does not accept ASCII characters, the individual characters must be written in hexadecimal form.
  • Since there are only 4 extractors for 4GA SmartNICs in Link™ Capture Software 12.3, only a 12-byte string can be matched because one extractor is used for the port number and 3 extractors are used for the three 4-byte strings.
  • When these NTPL expressions are executed, all extractors are used up. This means that no more pattern match filters can be set up unless they use the same fields.
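
The conversion described in the notes above can be scripted. The following Python helper is an added example, not Napatech code: it splits an ASCII prefix into 4-byte hexadecimal tests and refuses a filter that would need more than the 4 extractors. The function names are hypothetical, and it assumes every additional test (such as the port macro) uses one extractor.

```python
"""Added example: build the 12.3-style NTPL filter from an ASCII prefix."""

EXTRACTORS_TOTAL = 4      # per the page: the 4GA pattern matcher has 4 extractors
BYTES_PER_EXTRACTOR = 4   # per the page: one extractor extracts 32 bits


def chunk_terms(pattern: bytes, dyn_offset: str = "DynOffTcpData"):
    """Return one 'Data[...] == 0x...' test per 4-byte chunk of pattern."""
    if not pattern or len(pattern) % BYTES_PER_EXTRACTOR:
        raise ValueError("pattern length must be a non-zero multiple of 4 bytes")
    terms = []
    for off in range(0, len(pattern), BYTES_PER_EXTRACTOR):
        # The 12.3 parser does not accept ASCII, so each chunk is hex-encoded.
        value = pattern[off:off + BYTES_PER_EXTRACTOR].hex()
        terms.append(
            f"Data[DynOffset = {dyn_offset}; Offset = {off}; "
            f"DataType = ByteStr4] == 0x{value}"
        )
    return terms


def build_assign(pattern: bytes, other_terms=(), stream_id: int = 0) -> str:
    """Build the Assign statement.

    other_terms are extra tests, e.g. "myTcpSrcPort == 80"; any macro they
    name must be defined separately with DefineMacro. Assumption: each one
    uses exactly one extractor, as the port test does on the page.
    """
    terms = list(other_terms) + chunk_terms(pattern)
    if len(terms) > EXTRACTORS_TOTAL:
        raise ValueError(
            f"filter needs {len(terms)} extractors, only "
            f"{EXTRACTORS_TOTAL} are available"
        )
    return f"Assign[StreamId={stream_id}] = " + " AND\n ".join(terms)


if __name__ == "__main__":
    # The 12-byte prefix from the Green Bay 2 example on this page.
    print(build_assign(b"HTTP/1.1 200", other_terms=["myTcpSrcPort == 80"]))
```
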