> In my /etc/flow-tools/cfg/filter.cfg
>
> filter-primitive Dump-SNMP
>   type ip-port
>   deny 161
>   deny 162
>   default permit
>
> filter-primitive background-noise
>   type ip-address-mask
>   deny 192.168.0.0 255.255.252.0
>   deny 224.0.0.0 240.0.0.0
>   default permit
>
> filter-definition noise
>   match background-noise
>   match Dump-SNMP
>
> and I started flow-capture with:
>
> flow-capture -w /data/flows -F noise -N 2 0/0/9800
>
> And I get nothing stored to the files.
I'm not sure it'll fix your issue, but I think you want an 'or' between the match statements in the filter-definition; otherwise you're matching on

  (ip=192.168.0.0/23 || ip=224.0.0.0/6) && (port=161 || port=162)

I think you want to eliminate all flows having to do with:

  ip=192.168.0.0/23 or ip=multicast or port=snmp or port=snmptrap

So try:

  filter-definition noise
    match background-noise
    or
    match Dump-SNMP

I'm still not sure if that's what's causing you to not get any flows when the filter is engaged.

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
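To see what each form of the definition actually keeps before engaging it on a collector, the evaluator below is an added example (not from this thread or from flow-tools) that models the two permit/deny primitives quoted above and the grouping of match lines with and without `or` as flow-nfilter(1) documents it. It assumes the matches apply to destination address and destination port, since the quoted match lines name no field.

```python
import ipaddress

# Primitives copied from the quoted filter.cfg: each is a deny list with
# "default permit", so it permits everything except the listed values.
SNMP_PORTS = {161, 162}
NOISE_NETS = [ipaddress.ip_network("192.168.0.0/255.255.252.0"),
              ipaddress.ip_network("224.0.0.0/240.0.0.0")]

def dump_snmp(port):
    """filter-primitive Dump-SNMP (type ip-port): deny 161/162, default permit."""
    return port not in SNMP_PORTS

def background_noise(addr):
    """filter-primitive background-noise (type ip-address-mask): deny the
    two masked ranges, default permit."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NOISE_NETS)

# Assumption: the two match lines are read as ip-destination-address and
# ip-destination-port, because the quoted definition names no field.
def noise_without_or(flow):
    """Two match lines with nothing between them: both must permit."""
    return background_noise(flow["dst"]) and dump_snmp(flow["dport"])

def noise_with_or(flow):
    """The same two matches separated by 'or': either permit keeps the flow."""
    return background_noise(flow["dst"]) or dump_snmp(flow["dport"])

# Constructed sample flows, one per combination of the two primitives.
FLOWS = [
    {"name": "web",       "dst": "10.1.2.3",        "dport": 443},   # both permit
    {"name": "multicast", "dst": "239.255.255.250", "dport": 1900},  # address denied
    {"name": "snmp-poll", "dst": "10.0.0.5",        "dport": 161},   # port denied
    {"name": "snmp-lan",  "dst": "192.168.1.10",    "dport": 162},   # both denied
]

def kept_by(definition):
    """Names of the sample flows the definition permits, i.e. would be stored."""
    return [f["name"] for f in FLOWS if definition(f)]

if __name__ == "__main__":
    print("without or:", kept_by(noise_without_or))
    print("with or:   ", kept_by(noise_with_or))
```

Under those semantics the definition without `or` keeps only the `web` flow, while the `or` form keeps every flow that is not both in a denied range and on an SNMP port; flow-nfilter run against an already stored file with each definition is the quickest way to confirm which behaviour the installed version gives.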
