Greg,
I was using 0.67 at that time.
I am ready to try building 0.68 from the tarball instead of the Gentoo
Portage package, and see if that fixes my flow-report issue as well.
Nick
--
Nick Ellson
CCDA, CCNP, CCSP, CCAI,
MCSE 2000, Security+, Network+
Network Hobbyist.
On Mon, 23 May 2005, Mark Fullmer wrote:
What version of flow-tools. Using your original example I get the expected
output.
% flow-nfilter -fnfilter.cfg -Fnoise
flow-nfilter: nfilter.cfg line 14: Expecting match primitive.
flow-nfilter: ftfil_load(): failed
--
mark
On May 9, 2005, at 4:17 PM, Nick Ellson wrote:
Ok, found my oversight..
In my filter file I did not notice I needed a "match" type before listing
the primitive.
The odd thing, it never complained until I moved my primitives and
definitions to a file of their own.
So this does work the way I needed it to.
filter-primitive snmpdump
type ip-port
deny 161
deny 162
default permit
filter-primitive backnoise
type ip-address-mask
deny 192.168.0.0 255.255.252.0
deny 224.0.0.0 240.0.0.0
default permit
filter-definition noise
match ip-source-address backnoise
match ip-destination-address backnoise
or
match ip-destination-port snmpdump
Thanks Greg!
Nick
--
Nick Ellson
CCDA, CCNP, CCSP, CCAI, MCSE 2000, Security+, Network+
Network Hobbyist.
On Mon, 9 May 2005 [EMAIL PROTECTED] wrote:
> >
> > You have the idea of what I was trying to get, and the "or" directive
> > makes sense, I would want that in there. However, you are
> > also right,
> > that did not alter the effect I am seeing.
> >
> > When I start the flow-capture, with the "-F noise" in the
> > arguments. I get
> > a 88 Bytes tmp-xxxxx and in 20 mins it never grows.
> >
> > When I leave that filter off, that tmp file grows about every
> > 30 secs and
> > turns into an ft-.. file every 15 mins like it should.
> >
> > Now, I get a BUNCH of traffic, I would expect to see it grow
> > a little. :)
> >
> > I'll leave it running this time for an hour, and see what I get.
> >
> > Otherwise, it does look like I figured out how to filter properly?
> >
>
> Hmmmm...well, I can't say I've actually used a capture filter. I always
> let flow-capture run wide open and have it dump out five minute files.
> Then I have a cron job that filters the ft* files. I can see where it
> would be nice to not even bother to save certain flows to disk tho.
> Have you tried to use this filter with flow-nfilter and flow-print...
>
> flow-cat ft* | flow-nfilter -f filters.txt -F noise | flow-print
>
> ...does that work? It would be really weird if filters would function
> differently between flow-nfilter versus flow-capture.
>
>
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
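Added example, not code from the thread or from flow-tools itself: a small Python evaluator for just the subset of the flow-nfilter filter language Nick posted (ip-port and ip-address-mask primitives, filter-definition with match and or). It assumes the semantics documented in flow-nfilter(1), namely that match lines within a definition are AND'd and the "or" keyword starts a new list that is OR'd with the previous one; the flow records, field-to-key mapping and FilterError class are constructed for the example. It also reproduces the "Expecting match primitive" complaint when the match keyword is left off, and makes visible what the "or" does to this particular filter: a flow from 192.168.1.10 to port 443 fails the address group but passes the port group, so it is kept.

```python
import ipaddress

# Constructed copy of the filter file posted in the thread (blank lines and
# indentation are ignored by the parser, as in the real config format).
FILTER_TEXT = """
filter-primitive snmpdump
  type ip-port
  deny 161
  deny 162
  default permit

filter-primitive backnoise
  type ip-address-mask
  deny 192.168.0.0 255.255.252.0
  deny 224.0.0.0 240.0.0.0
  default permit

filter-definition noise
  match ip-source-address backnoise
  match ip-destination-address backnoise
  or
  match ip-destination-port snmpdump
"""

# Match fields used in the thread, mapped onto the keys of the toy flow records.
FIELD_MAP = {
    "ip-source-address": "srcaddr",
    "ip-destination-address": "dstaddr",
    "ip-source-port": "srcport",
    "ip-destination-port": "dstport",
}


class FilterError(Exception):
    """Raised for a line the parser cannot accept (the toy analogue of ftfil_load() failing)."""


def parse_filters(text):
    """Return (primitives, definitions).

    A primitive holds its type, an ordered list of (action, spec) rules and a
    default action. A definition is a list of groups: every match in a group
    must permit (AND), and the definition permits if any group does (OR), which
    is how the 'or' keyword is documented in flow-nfilter(1) (assumption).
    """
    primitives, definitions, cur = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # '#' starts a comment
        if not words:
            continue
        key = words[0]
        if key == "filter-primitive":
            cur = ("primitive", words[1])
            primitives[words[1]] = {"type": None, "rules": [], "default": "permit"}
        elif key == "filter-definition":
            cur = ("definition", words[1])
            definitions[words[1]] = [[]]
        elif cur is None:
            raise FilterError(f"line {lineno}: statement outside a block")
        elif cur[0] == "primitive":
            prim = primitives[cur[1]]
            if key == "type":
                prim["type"] = words[1]
            elif key == "default":
                prim["default"] = words[1]
            elif key in ("permit", "deny"):
                if prim["type"] == "ip-port":
                    spec = int(words[1])
                elif prim["type"] == "ip-address-mask":
                    spec = (int(ipaddress.IPv4Address(words[1])),
                            int(ipaddress.IPv4Address(words[2])))
                else:
                    raise FilterError(f"line {lineno}: unsupported primitive type")
                prim["rules"].append((key, spec))
            else:
                raise FilterError(f"line {lineno}: unknown primitive keyword {key}")
        else:  # inside a filter-definition
            if key == "or":
                definitions[cur[1]].append([])
            elif key == "match" and len(words) == 3 and words[1] in FIELD_MAP:
                definitions[cur[1]][-1].append((words[1], words[2]))
            else:
                # Same complaint flow-nfilter printed when a primitive was listed
                # without the 'match' keyword in front of it.
                raise FilterError(f"line {lineno}: Expecting match primitive.")
    return primitives, definitions


def primitive_permits(prim, value):
    """First rule that hits decides; otherwise the primitive's default applies."""
    for action, spec in prim["rules"]:
        if prim["type"] == "ip-port":
            hit = value == spec
        else:  # ip-address-mask hits when (addr & mask) == network
            net, mask = spec
            hit = (int(ipaddress.IPv4Address(value)) & mask) == net
        if hit:
            return action == "permit"
    return prim["default"] == "permit"


def flow_passes(primitives, groups, flow):
    return any(all(primitive_permits(primitives[p], flow[FIELD_MAP[f]]) for f, p in g)
               for g in groups)


def apply_filter(text, name, flows):
    """Return the flows the named filter-definition lets through."""
    primitives, definitions = parse_filters(text)
    return [fl for fl in flows if flow_passes(primitives, definitions[name], fl)]


# Constructed sample flows, not real captures.
FLOWS = [
    {"id": 1, "srcaddr": "10.1.1.5", "dstaddr": "203.0.113.7", "dstport": 443},
    {"id": 2, "srcaddr": "192.168.1.10", "dstaddr": "203.0.113.7", "dstport": 443},
    {"id": 3, "srcaddr": "192.168.1.10", "dstaddr": "224.0.0.9", "dstport": 161},
    {"id": 4, "srcaddr": "203.0.113.7", "dstaddr": "198.51.100.2", "dstport": 162},
]


def kept_ids(flows=FLOWS):
    return [fl["id"] for fl in apply_filter(FILTER_TEXT, "noise", flows)]


def missing_match_error():
    """Reproduce the parse failure with one 'match' keyword left out."""
    try:
        parse_filters(FILTER_TEXT.replace("match ip-destination-port", "ip-destination-port"))
    except FilterError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("kept flow ids:", kept_ids())
    print("without 'match':", missing_match_error())
```

Flow 3 (internal source to a multicast address on port 161) is the only one dropped; flow 2 survives on the strength of the port group alone, which is worth checking against what you actually want a capture-time filter to discard.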