This document describes how to make filters and extraction files for the Profiler module. The Profiler module uses 2 different files for the purposes of collection: filters and extracts. The Filter files describe the type of traffic to collect while the extraction files describe the bytes of interest in the packet. For example, you could write a filter to catch TCP/IP traffic and then write an extract to extract the 4 bytes after the IP header. This would give you the source and destination ports for the TCP stream. To create filters, it is helpful, but not necessary to be familiar with tcpdump or ethereal. Both of these programs use the same Berkeley Packet Filter (BPF) style of describing traffic that the Profiler modules expects. Basically, BPF is a way of describing traffic that is easily readable. For example, to write a filter that describes TCP/IP traffic, you would have: ip proto \tcp This states that you want IP packets that have TCP payloads For a filter that matches HTTP: ip proto \tcp and port 80 Again, IP packets, protocol TCP and the port (either source or destination) is 80. Since text is good for people, but not so fast for computers, the Profiler module expects compiled BPF filters. Profiler also limits what it collects to a certain network address range based on netmask. So to turn the above HTTP filter into something usable by the Profiler module, you need the following in a text file: filter:ip proto \tcp and port 80 netmask:255.255.0.0 This specifies the same filter constraints and says to match IPs for a class B network (same as the interface network). If you save the above in a file named "httpFilt.txt", then to compile it for the Profiler you would do the following: ./bpfcompiler -i httpFilt.txt -o httpFilt.bin The -i option specifies the input file containing the filter and the -o option specifies the output file that the compiled filter is written into. To make an extraction, you must specify the number of bytes to extract. You also need to specify the offset into the packet (from the start of the IP header) to where the data you want to extract is. So, an extraction file to get the TCP ports from a packet would look like: 4 20 This says to extract 4 bytes at offset 20 (so skip over the 20 bytes of IP header). This is compiled in similar fashion to the filters: ./xtrctcomp tcpPort-extr.txt tcpPort-extr.bin The commandline above will take the text file containing the extraction rule and compile it and write out the binary as tcpPort-extr.bin. Once you have a binary filter and a binary extraction you can upload them to the Profiler module. ###### Decrypting the profiler collection ####### Once you collect the profiler data from target you can convert it to a pcap file using the script xtractpleasing located in the FW/Tools directory. Sample: ./xtractpleasing --i --o --s --t --p