On Tue, Aug 30, 2005 at 10:14:33AM +0200, Lautenschlaeger, Eric wrote:
> Hello all,
>
> I have tried to write a filter to match TCP-Flags. I have tried to filter out
> TCP-SYN packets:
>
> <snip>
> filter-primitive ip-tcp-flags
>   type ip-tcp-flags
>   mask 0xFF
>   permit 0x02
>   default deny
>
> But there isn't a match in my report (and there should be tons)
> <snip>
>
> I am using flow-tools 0.68 and an Enterasys SSR 8000 with 10.0.0.4. Do I need
> a newer version of SSR or flow-tools?

I would assume that the Netflow pkts you are receiving do not have the flags set correctly. Using the same config as above (permit 0x02) I got 'tons' of flows with TCP flag 0x02 (about one sixth in every flow-tools data file).

Try capturing your Netflow pkts via tcpdump and then read them in ethereal (it is usually necessary to manually decode them as Netflow pkts via Analyze -> Decode As -> CFLOW) and you will see what flags are set.

v.

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
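The filter in the thread matches a record when the record's tcp_flags, ANDed with `mask`, equals a `permit` value. The following added example (not code from the thread or from flow-tools) emulates that match rule in Python and runs it over a few constructed NetFlow-style records, including one whose exporter left tcp_flags at zero, which is the failure the reply suspects. It also contrasts `mask 0xFF` (flags must be exactly SYN) with `mask 0x02` (SYN bit set, other bits ignored); the record layout and the sample addresses are assumptions for the example. Note that NetFlow v5 reports the OR of all flags seen during a flow, so under `mask 0xFF` a completed connection (SYN|ACK|PSH|FIN) does not match `permit 0x02`; only flows that never progressed past a lone SYN do.

```python
"""Added example (not part of the thread): emulate how a flow-tools
ip-tcp-flags filter-primitive matches, i.e. (tcp_flags & mask) == permit,
over constructed NetFlow-style records.  Assumed: the mask is ANDed with
the record's tcp_flags before the comparison, as flow-nfilter does."""

FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
              0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def describe_flags(flags):
    """Render a tcp_flags byte as e.g. 'SYN,ACK'; '-' when nothing is set."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    return ",".join(names) if names else "-"


def make_tcp_flags_primitive(mask, permit, default_deny=True):
    """Build a predicate equivalent to

        filter-primitive <name>
          type ip-tcp-flags
          mask <mask>
          permit <permit>      (one value or a list of values)
          default deny

    A record matches when its masked flags equal any permitted value;
    otherwise the default action applies.
    """
    permitted = set(permit) if isinstance(permit, (list, tuple, set)) else {permit}

    def matches(tcp_flags):
        if (tcp_flags & mask) in permitted:
            return True
        return not default_deny
    return matches


# Constructed sample records (hypothetical addresses).  NetFlow v5 carries the
# OR of all flags seen in the flow, so a full session shows SYN|ACK|PSH|FIN.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "tcp_flags": 0x02},  # lone SYN, never answered
    {"src": "192.0.2.11", "dst": "198.51.100.5", "tcp_flags": 0x1b},  # SYN|ACK|PSH|FIN: full session
    {"src": "192.0.2.12", "dst": "198.51.100.5", "tcp_flags": 0x12},  # SYN|ACK only
    {"src": "192.0.2.13", "dst": "198.51.100.5", "tcp_flags": 0x14},  # RST|ACK
    {"src": "192.0.2.14", "dst": "198.51.100.5", "tcp_flags": 0x00},  # exporter left the field empty
]


def count_matches(flows, primitive):
    """Number of records the primitive permits."""
    return sum(1 for f in flows if primitive(f["tcp_flags"]))


def all_flags_zero(flows):
    """True when no record carries any TCP flag: the symptom of an exporter
    that does not fill tcp_flags, which makes every flags filter miss."""
    return all(f["tcp_flags"] == 0 for f in flows)


if __name__ == "__main__":
    exact_syn = make_tcp_flags_primitive(0xFF, 0x02)  # the filter from the thread
    any_syn = make_tcp_flags_primitive(0x02, 0x02)    # SYN bit set, other bits ignored
    for f in SAMPLE_FLOWS:
        print(f"{f['src']:>12} -> {f['dst']:<14} {describe_flags(f['tcp_flags']):<16}"
              f"exact-SYN={exact_syn(f['tcp_flags'])!s:<6}any-SYN={any_syn(f['tcp_flags'])}")
    print("exact-SYN matches:", count_matches(SAMPLE_FLOWS, exact_syn))
    print("any-SYN matches:  ", count_matches(SAMPLE_FLOWS, any_syn))
    print("all flags zero?   ", all_flags_zero(SAMPLE_FLOWS))
```

Running the script shows the thread's filter matching only the lone-SYN record, while `mask 0x02` also catches the SYN|ACK and full-session records. If a real data set yields zero matches for both variants, `all_flags_zero` is the first thing to check before looking at the filter: it is the programmatic form of the reply's advice to inspect the exported packets and see which flags the exporter actually sets.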
