IP Condition

Checks if the client or server IP addresses belong to a range or a subnet.

Description

This condition checks if the client or server IP addresses belong to a range or a subnet.

Please note:
Unwanted traffic should be isolated as early as possible, because the stage at which it is isolated affects the performance of Microolap EtherSensor and the runtime environment.
1. It is recommended to isolate all traffic from a certain IP address or a range of addresses in the EtherSensor EtherCAP service IP filter.
2. It is recommended to isolate certain HTTP traffic from a specific IP address or a range of addresses (if it is possible to specify such criteria) in an HTTP prefilter, but not at the message analysis stage.
3. It is recommended to filter certain messages from a specific IP address in the message filter.

Format

<c name="ip" address="<address type>" value="<ip-range>" />

The "name" attribute:

The name attribute specifies the name of the condition - name="ip".

The "address" attribute:

The address="..." attribute specifies the address type to check. Possible values:

src or client

Check the source address

dst or server

Check the destination address

The "value" attribute:

The value="..." provides a value for the comparison. Possible values:

ipaddress

Checks if the IP address is equal to this value. For example: value="192.168.0.10"

ip1-ip2

Checks if the IP address is within this range. For example: value="192.168.0.1-192.168.0.10"

ip/netmask

Checks if the IP address belongs to the specified subnet. For example: value="192.168.0.1/255.255.255.0"

ip/netmaskbits

Checks if the IP address belongs to the specified subnet. For example: value="192.168.0.1/24"

Example

Drop all messages from 192.168.0.15.

<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
 <comment>HTTP filter.</comment>
 
 <table name="main">
 
   <rule enabled="1">
     <comment>
       Discard messages from 192.168.0.15.
     </comment>
     <match>
       <c name="ip" address="client" value="192.168.0.15" />
     </match>
     <action name="drop" />
   </rule>
 
   <rule enabled="1">
     <action name="accept" />
   </rule>
 
 </table>
</filter>
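
The following Python check is an added example, not EtherSensor code: it evaluates a <c name="ip" ... /> element against a connection's addresses, covering the four value forms listed above, so a rule's value can be tested before it is deployed. It assumes IPv4 only, that ip1-ip2 ranges include both ends, and that src/client both mean the requesting side; parse_value and condition_matches are hypothetical names.

```python
import ipaddress
import xml.etree.ElementTree as ET


def parse_value(value):
    """Return inclusive (low, high) IPv4 bounds for one of the four value forms."""
    value = value.strip()
    if "/" in value:
        # ip/netmask or ip/netmaskbits. strict=False because the page's own
        # examples (192.168.0.1/24) keep host bits set in the address part.
        net = ipaddress.IPv4Network(value, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in value:
        # ip1-ip2; both ends are treated as inside the range (assumption).
        low, high = (ipaddress.IPv4Address(p.strip()) for p in value.split("-", 1))
        if low > high:
            raise ValueError(f"range start is above range end: {value}")
        return low, high
    addr = ipaddress.IPv4Address(value)  # single ipaddress form
    return addr, addr


def condition_matches(cond_xml, client_ip, server_ip):
    """Evaluate one <c name="ip" .../> element against a connection's addresses."""
    c = ET.fromstring(cond_xml)
    if c.tag != "c" or c.get("name") != "ip":
        raise ValueError("not an ip condition")
    side = c.get("address")
    # Assumption: for an HTTP request, src/client is the requesting host
    # and dst/server is the host that receives the request.
    if side in ("src", "client"):
        ip = client_ip
    elif side in ("dst", "server"):
        ip = server_ip
    else:
        raise ValueError(f"unknown address type: {side!r}")
    low, high = parse_value(c.get("value", ""))
    return low <= ipaddress.IPv4Address(ip) <= high


if __name__ == "__main__":
    # Constructed connection: client 192.168.0.15 talking to server 10.0.0.5.
    for value in ("192.168.0.15", "192.168.0.1-192.168.0.10",
                  "192.168.0.1/255.255.255.0", "192.168.0.1/24"):
        cond = f'<c name="ip" address="client" value="{value}" />'
        print(value, "->", condition_matches(cond, "192.168.0.15", "10.0.0.5"))
```

Running it against the addresses a rule is meant to catch, and one just outside, shows whether a range or mask is wider or narrower than intended.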