> 
> You have the idea of what I was trying to get, and the "or" directive
> makes sense, I would want that in there. However, you are also right,
> that did not alter the effect I am seeing.
> 
> When I start the flow-capture, with the "-F noise" in the arguments, I get
> an 88 Bytes tmp-xxxxx and in 20 mins it never grows.
> 
> When I leave that filter off, that tmp file grows about every 30 secs and
> turns into an ft-.. file every 15 mins like it should.
> 
> Now, I get a BUNCH of traffic, I would expect to see it grow a little. :)
> 
> I'll leave it running this time for an hour, and see what I get.
> 
> Otherwise, it does look like I figured out how to filter properly?
> 

Hmmmm...well, I can't say I've actually used a capture filter. I always
let flow-capture run wide open and have it dump out five minute files.
Then I have a cron job that filters the ft* files. I can see where it 
would be nice to not even bother to save certain flows to disk though.
Have you tried to use this filter with flow-nfilter and flow-print...

flow-cat ft* | flow-nfilter -f filters.txt -F noise | flow-print

...does that work? It would be really weird if filters would function 
differently between flow-nfilter versus flow-capture.


_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
