Some services can be further classified with specific criteria, enabling deeper classification within the service type.
The applications listed below can be further classified by attributes that are specific to the application.
If N/A appears in the matching rule's Criterion field, application-specific criteria are not available for the selected service. For special considerations, see Specifying Multiple Criteria.
Citrix-ICA (Independent Computer Architecture) can be further classified in three ways: by published application, by client name, or by priority.
Citrix-ICA can be subclassified by published application. The application classes can be created either automatically or manually.
Automatic Creation of Published Application Classes
When traffic discovery is enabled, PacketWise will automatically discover Citrix published applications and create classes for them. For instance, when PacketWise detects Citrix traffic, a Citrix class will be created, and class discovery will be enabled on that class. Because class discovery is on, PacketWise will also create a Citrix/Default class and Citrix child classes for any published applications.
If your traffic tree already has a Citrix class, you can manually enable class discovery, whereupon the application-named classes will be automatically created as child classes of Citrix.
Manual Creation of Published Application Classes
To manually create a class for a Citrix-ICA published application, create a class for the Citrix-ICA service, and select published application from the Criterion drop-down list. You then must supply a specific name (up to 99 characters). The published application name you enter must exactly match the name configured on the Citrix server and client.
For example, you could create a class for Citrix-ICA traffic that carries the published application PeopleSoft. To create a PeopleSoft class as a child class of the Citrix class, you would specify the following attributes:
Note: The entry in this second Criterion field must match the name for the published application defined in the Citrix Program Neighborhood.
To classify by a Citrix-ICA client name, specify Citrix-ICA as the service,
and select client name from the Criterion drop-down list.
You then must supply a specific name (up to 99 characters). The client name
you enter must exactly match the name configured on the Windows client.
Citrix-ICA has the ability to assign different priority levels to virtual
channels within a single ICA flow, and PacketWise can classify the traffic according
to these priority levels. With Citrix-ICA specified as the service, select priority
from the Criterion drop-down list
and supply a value from 0 to 3 (with 0 being the highest priority). You may
want to create Citrix child classes for each priority level.
Note: The Citrix priority numbers are used for classification purposes only. Once the traffic is categorized by Citrix priority, you can use PacketWise policies to manage bandwidth on the class.
DICOM (Digital Imaging and Communications in Medicine) is the global industry
standard for transfer of radiological images such as MRI, CT, PET, ultrasound,
and mammography. You can create classes for specific DICOM client or server
applications using the Server Title or Client Title criteria.
With DICOM selected as the service, select either Server Title or Client
Title from the Criterion drop-down list field
and enter the name of the server or client. (You can use the class
criteria commands in the CLI to determine what value to enter for the criterion.)
Note: PacketWise can automatically discover DICOM client or server applications when DICOM has traffic discovery enabled within the class.
To classify FTP downloads by file extension or filename, select FTP-Data-Clear
as the service and use the File Name criterion.
You can specify an exact filename or use wildcards (* and ?). For example, to
classify FTP downloads of MP3 files, you can specify *.mp3 as the File
Name criterion.
When HTTP or SOAP-HTTP is listed as the service in a matching rule, the following
attributes can be specified in the Criterion field
to qualify the HTTP service type:
If you select Host DNS Name or IP Address as your web criterion, you can specify the DNS name or IP address of a website in order to control access to the site. The wildcard characters (* for a group of characters and ? for single characters) are supported.
To classify traffic for a specific web page, select URL from the Criterion drop-down list in the matching rule and specify a URL according to the syntax rules shown below.
Note: PacketWise examines only the first 128 bytes of the URL in a flow.
Content types describe specific types of web objects, such as JPEG images or HTML text. To identify content types, use the command-line interface:
1. Access the CLI.
2. Use the class criteria track command to identify the type of web objects traversing the link. For example:
class criteria track /inbound/http web content-type
3. Generate some web traffic.
4. Use the class criteria recent command to show recent values for a class. For example:
class criteria recent /inbound/http
Traffic Class: /Inbound/HTTP
Application: Web
Attribute: content-type (Content type)
Recent Attribute Values (most recent first)
-------------------------------------------------------------------
1. text/html
2. image/gif
3. text/plain
4. image/jpeg
5. Turn off tracking when you are done collecting data. For example:
class criteria track /inbound/http off
When specifying the Content Type criterion, enter the content type as listed in the class criteria recent command output (see step 4 above).
When classifying HTTP traffic by content type, if the content type's value is also a service, the traffic will be classified as the service, not as HTTP. For example, the HTTP content type video/mpeg is automatically classified as the service MPEG-Video, even if there is a manually created HTTP class with the criterion web:content-type:video/mpeg.
The user agent is a string that identifies what web client software is being used. The content of this field is at the discretion of the browser developer.
To identify user agents, use the command-line interface:
1. Access the CLI.
2. Use the class criteria track command to identify the web clients being used on the link. For example:
class criteria track /inbound/http web user-agent
3. Generate some web traffic.
4. Use the class criteria recent command to show the recent user-agent values for a class. For example:
class criteria recent /inbound/http
Traffic Class: /Inbound/HTTP
Application: Web
Attribute: user-agent (Web browser or user agent)
Recent Attribute Values (most recent first)
----------------------------------------------------------------------
1. Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
(ax)
2. Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
3. Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0
5. Turn off tracking when you are done collecting data. For example:
class criteria track /inbound/http off
In this example, all browsers use Mozilla as an attribute value. To differentiate between these browsers, you would need to use something more specific than Mozilla as the User Agent criterion. For Microsoft Internet Explorer, you could use MSIE as the criterion and for Netscape you could use Netscape/7.1.
Note: Web user agent strings often contain spaces. Be certain to enclose the string in quotes so that the entire string is matched. PacketWise will stop parsing the user agent string when it encounters a space not contained within quotes.
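The user-agent tracking procedure and the quoting note above, as an added example (not PacketWise code and not part of the original guide): a Python helper that parses class criteria recent output, rejoins wrapped values, lists the tokens that occur in only one user agent, and quotes criteria that contain spaces. Case-sensitive substring matching and the rejection of embedded quotes are assumptions; the guide documents neither.

```python
import re
# Output copied from the user-agent example above, including its wrapped lines.
SAMPLE = """\
Traffic Class: /Inbound/HTTP
Application: Web
Attribute: user-agent (Web browser or user agent)
Recent Attribute Values (most recent first)
----------------------------------------------------------------------
1. Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
(ax)
2. Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
3. Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107
Firefox/1.0
"""

def parse_recent(text):
    """Return (attribute_name, values); wrapped lines are rejoined to their entry."""
    attribute, values, in_values = None, [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Attribute:"):
            attribute = line.split(":", 1)[1].split("(")[0].strip()
        elif set(line) == {"-"}:
            in_values = True                      # dashed rule precedes the values
        elif in_values and line:
            m = re.match(r"(\d+)\.\s+(.*)", line)
            if m:
                values.append(m.group(2))
            elif values:
                values[-1] += " " + line          # continuation of a wrapped value
    return attribute, values

def quote_criterion(value):
    """Quote a criterion that contains spaces, per the note on user-agent strings."""
    if '"' in value:                              # assumption: no escaping rule is documented
        raise ValueError("embedded double quote: escaping is not documented")
    return f'"{value}"' if " " in value else value

def distinguishing_tokens(values):
    """Per value, tokens found in no other value (assumed case-sensitive substring match)."""
    result = {}
    for i, value in enumerate(values):
        others = values[:i] + values[i + 1:]
        tokens = [t for t in re.split(r"[\s;()]+", value) if t]
        result[value] = [t for t in tokens if not any(t in o for o in others)]
    return result

if __name__ == "__main__":
    for value, tokens in distinguishing_tokens(parse_recent(SAMPLE)[1]).items():
        print(quote_criterion(value), "->", tokens)
```

Mozilla/5.0 is absent from every candidate list because two of the three recorded clients share it, while MSIE and Netscape/7.1 each appear for a single client.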
The nature of web traffic dictates how specific web criteria are classified, as noted in the following list:
Traffic that is sent through an HTTP tunnel via an HTTP proxy server on the Internet is classified as HTTP-Tunnel. HTTP-Tunnel traffic can be further classified by host or by port number.
To classify by a particular HTTP proxy server, create a class for the HTTP-Tunnel service, select Host DNS Name or IP Address for the Criterion, and enter the host's DNS name or IP address in the text field. Or, to classify by a specific port number that is using HTTP-Tunnel, create a class for the HTTP-Tunnel service, select Port for the Criterion, and enter the port number in the text field.
ICMP traffic can be broken down into nine subtypes, based on the ICMP message type field. These criterion identifiers include:
To classify by ICMP, create a class for the ICMP service, make sure ICMP
Type appears in the Criterion field,
and type one of the above messages in the empty text fields. For example, the
UNIX ping command generates ICMP echo request packets and listens for the subsequent
ICMP echo response packets. To identify ping traffic passing through the unit,
create an ICMP class and enter echo into the Criterion text box
of the matching rule.
Network News Transfer Protocol (NNTP) traffic can be further classified by
newsgroup name. For example, you can create a class for the Microsoft computer
games newsgroup (comp.games.microsoft). To classify by newsgroup name, create
a class for the NNTP-Clear service, make sure Group Name appears in the
Criterion field,
and type the newsgroup name in the empty text field. You can specify an exact
name or use the asterisk wildcard. For example, to classify newsgroup names
that have "linux" in the name, you can specify *linux* as the
Group Name criterion.
Oracle-netv2 traffic can be further classified by database name. PacketWise looks at the database name that the client requests when it connects to the Oracle listener. This means that you can classify by database name only if you are connecting to the database by name, rather than by requesting the "default database." The database classes can be created either automatically or manually.
When traffic discovery is enabled, PacketWise will automatically discover Oracle database names and create classes for them. For instance, when PacketWise detects Oracle traffic, an Oracle class will be created, and class discovery will be enabled on that class. Because class discovery is on, PacketWise will also create an Oracle/Default class and Oracle child classes for any Oracle databases.
If your traffic tree already has an Oracle class, you can manually enable class discovery, whereupon the database-named classes will be automatically created as child classes of Oracle.
To manually create an Oracle database class, create a class for the Oracle-netv2
service, make sure Database Name appears in the Criterion field,
and type the database name in the empty text field.
The PostgreSQL freeware SQL database application can be subclassified by database name. The database classes can be created either automatically or manually.
When traffic discovery is enabled, PacketWise will automatically discover PostgreSQL database names and create classes for them. For instance, when PacketWise detects PostgreSQL traffic, a PostgreSQL class will be created, and class discovery will be enabled on that class. Because class discovery is on, PacketWise will also create a PostgreSQL/Default class and PostgreSQL child classes for any PostgreSQL databases.
If your traffic tree already has a PostgreSQL class, you can manually enable class discovery, whereupon the database-named classes will be automatically created as child classes of PostgreSQL.
To manually create a PostgreSQL database class, create a class for the PostgreSQL service, make sure Database Name appears in the Criterion field, and type the database name in the empty text field.
Real-time control protocol (interactive) can be further classified by the following criteria. Using these criteria, you can differentiate between different audio and video streams. Or, you could set the encoding name to a value such as GSM or PCMA so that you can manage streams differently based on how they are encoded.
| Attribute | Examples of Values |
|---|---|
| Encoding Name | G729, GSM, JPEG, PCMA, PCMU. Note: PCMA and PCMU are both specified in CCITT/ITU-T recommendation G.711. To specify G.711 encoding, enter either PCMA (Pulse Code Modulation a-law) or PCMU (Pulse Code Modulation mu-law) for the Encoding Name. PacketWise can automatically discover encoding names when the RTCP class has traffic discovery enabled within the class. |
| Media Type | "a" for audio, "v" for video |
| Clock Rate | Supported values include: 8000, 16000, 44100, 90000 |
To classify by RTCP, create a class for the RTCP-I service and select one of
the options from the Criterion drop-down list.
If you selected Encoding Name for the criterion, specify the encoding
name in the empty text field. (For a list of encoding names, go to ietf.org
and look up RFC 1890.) If you selected Media Type, type a for
audio or v for video in the text field. If you selected Clock Rate,
type 8000, 16000, 44100, or 90000.
This real-time protocol for media streaming can be further classified by the following criteria, based on the RTP standard. In addition to the criteria available for RTCP-I, RTP-I also includes criteria for SIP-based RTP traffic so that you can classify by caller, callee, user-agent, source IP address of the call setup (SIP) flow, or destination IP address of the flow. For example, you can classify all VoIP traffic going through a SIP Gateway by creating an RTP class with criteria that identifies the source or destination IP address of the SIP Gateway.
| Attribute | Examples of Values |
|---|---|
| Encoding Name | G729, GSM, JPEG, PCMA, PCMU. Note: PCMA and PCMU are both specified in CCITT/ITU-T recommendation G.711. To specify G.711 encoding, enter either PCMA (Pulse Code Modulation a-law) or PCMU (Pulse Code Modulation mu-law) for the Encoding Name. PacketWise can automatically discover encoding names when the RTP class has traffic discovery enabled within the class. |
| Media Type | a for audio, v for video |
| Clock Rate | Supported values include: 8000, 16000, 44100, 90000 |
| SIP Callee Identifier | +12125551212@server.phone2net.com, 17476004249@10.10.254.56 |
| SIP Caller Identifier | agb@bell-telephone.com, 17476004230@172.21.1.41 |
| SIP User-Agent | Motorola VT1000, X-Lite |
| SIP srcIP Address | 207.78.98.18 |
| SIP destIP Address | 207.78.98.18 |
To classify by real-time protocol, create a class for the RTP-I service and
select one of the options from the Criterion drop-down list.
In the empty text field, enter the text string you want to match.
For SIP attributes, you can enter a substring of the attribute. For example,
to match all Motorola models, you can enter Motorola for the SIP User-Agent
criterion.
Simple Mail Transport Protocol (SMTP) can be sub-classified by the sender's email address in the SMTP message header. You can classify for a specific sender's email address or use wildcards to classify all email senders from a specific domain.
To classify by email sender's name, create a class for the SMTP-Clear service, make sure Sender Email is selected for Criterion, and enter the sender's email address in the empty text field. The * wildcard may be used to classify email for a specific domain. For example, *@test.com would match any email sender from the test.com domain.
Some peer-to-peer (P2P) applications allow users to transfer files via SSL on port 443 (https). To limit or block this type of traffic, you can create an SSL class that is based on a particular SSL certificate common name (such as my.loudpc.com or www.redhat.com). To identify common names, use the command-line interface:
1. Access the CLI.
2. Use the class criteria track command to identify the certificate common names used in the SSL traffic. For example:
class criteria track /inbound/ssl SSL commonName
3. Allow a period of time for SSL traffic to be generated.
4. Use the class criteria recent command to show recent values for a class. For example:
class criteria recent /inbound/ssl
Traffic Class: /Inbound/SSL
Application: SSL
Attribute: commonName (Common Name)
Recent Attribute Values (most recent first)
------------------------------------------------------------------------------
1. my.loud.pc
2. www.redhat.com
3. optionslink.etrade.com
4. trades1.optionslink.com
5. onlineca.bankofamerica.com
6. onlineid.bankofamerica.com
5. Turn off tracking when you are done. For example:
class criteria track /inbound/ssl off
Once you have determined the certificate common name, you can create a class
for this type of SSL traffic. Create a class based on the SSL service, choose
Common Name in the Criterion field, and enter the certificate
common name exactly as it appeared in the output of the class criteria recent
command.
A matching rule can contain only one application-specific criterion. To combine multiple criteria, use two traffic classes, a parent and a child. For example, to match HTTP traffic to a URL and a content type of audio/8track, first create a class that matches the URL, then create a child class under this URL class and specify the content type of audio/8track.
PacketGuide™ for PacketWise® 7.4