Perle Knowledgebase

P Series router: Creating a pattern filter to block Netbios request packets

Issue:
P Series router: How to prevent NETBIOS request packets from getting through to the WAN from the LAN.

Solution:

To determine which computer is sending Netbios request packets on the LAN, you need to take a look at the Activation log in the router. Select the following router menu options: Network Events / Show Activation Log

This is an example of a screen shot from an Activation Log.

#1 2001-12-08 17:01:43 IP Address Connect event to (IP)
#2 2002-12-08 17:01:43 Dst 1.8.111.111 Src 10.1.199.166
#3 2002-12-08 17:01:43 Length = 48 - 45 00 00 30 1f 01 40 00 7f 06 91
+ 0a 01 c7 a6 0a 08 6f 6f 04 09 00 8b 00 72 38 05 00
+ 01 01 00 00 01 00 00 00 00 00 00 09 70 6c 61 74 72
+ 00 00 00 70 02 20 00 da f5 00 00 02 04 05 b4 01 01
+ 04 02

The octet locations for Ethernet Frames can be found in the PSeries Router Installation & Applications Guide.

We want the source address and the Destination Port starting octet locations from the activation log. The starting ethernet octet location for the source address is 12. The source address takes up octets 12 - 15. According to the activation log example, the source address is 0a 01c7a6. The source address is in hexadecimal and equates to IP address 10.1.199.166 in decimal notation which will be the IP address of the computer we are going to block.

The starting octet location for the Destination Port is 22. The Destination port takes up octets 22 and 23. The Destination port in this case is 008b in hexadecimal which equates to 139 in decimal. 139 happen to be the standard service port number for NetBios requests.

Based on the above information we can create a pattern filter in the following format:

12-0a01c7a6&22-008b

Now that we have our pattern filter, enter it into the router as follows. From the Main menu of the PSeries router, select the following menu options.

Configuration / Packet Service Set-up / Filter set-up / IP Router Pattern filters / Add Pattern

(For the following prompts, enter what you see in bold)

Enter :

global, lan, Remote site id or alias

> global

Enter:

pattern filter (up to 80 characters)

> 12-0a01c7a6&22-008b

Enter :

pattern ID number (from 1 to 64)

> 1 (assuming this is the first pattern filter configured in router)

Done. Lastly, select the "Show pattern" option and verify that your pattern filter exists and is correctly entered,

Article ID:	209
Published:	2/5/2003 5:33:28 PM
Last Modified:	9/8/2003 9:37:39 AM
Keywords:	IOLINK, P850, P840, P1705, P1730, P2600,
Issue Type:	Configuration