Hi,

One of our customers wants to locate file-sharers which share files. Not those who just download. One method of doing that is to locate only the flows which are initialized from the outside to some given ports.

I can see from the documentation of nfsen:

"The ordering of the flags is not relevant. Flags not mentioned are treated as don't care. In order to get those flows with only the SYN flag set, use the syntax 'flags S and not flags AFRPU'."

This gives us this filter which will result in *possible* flows containing bittorrent traffic initialized from the outside:

    proto tcp and dst net <dst-net-address> and dst port > 6000 and dst port < 7000 and flags S and not flags AFRPU

Yes, I'm aware that bittorrent also uses other ports, but let's not discuss that.

I'm wondering if this is going to work? Wouldn't all successful flows (a full tcp connection) include a SYN-flag? The whole flow includes every packet of the flow, and I guess this is based on an or-statement including all the packets in one flow? I.e. every flow whether it is initialized from the outside or not will include only a SYN-flag in one of the packets, and we can't decide whether one flow is initialized from the outside or not?

Regards,
Rune Sydskjør, UNINETT

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
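
Added example (not part of the original message, and not nfdump code): a Python sketch of how a flow record's TCP flags accumulate as the OR of every packet's flags, run over constructed packets. The addresses, the `INSIDE` network and the `inbound_initiated` pairing heuristic are assumptions for illustration; the heuristic needs both directions exported with start timestamps.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")
INSIDE = ip_network("192.0.2.0/24")  # assumed stand-in for <dst-net-address>

def handshake(t, cli, cport, srv, sport, complete=True):
    """Constructed packets: a SYN, optionally followed by a full TCP session."""
    pkts = [Pkt(t, cli, cport, srv, sport, SYN)]
    if complete:
        pkts += [Pkt(t + 0.01, srv, sport, cli, cport, SYN | ACK),
                 Pkt(t + 0.02, cli, cport, srv, sport, ACK),
                 Pkt(t + 0.03, cli, cport, srv, sport, PSH | ACK),
                 Pkt(t + 0.04, srv, sport, cli, cport, PSH | ACK),
                 Pkt(t + 0.05, cli, cport, srv, sport, FIN | ACK),
                 Pkt(t + 0.06, srv, sport, cli, cport, FIN | ACK)]
    return pkts

def to_flows(pkts):
    """Unidirectional flows: flags are OR-ed over every packet, start = first packet."""
    flows = {}
    for p in sorted(pkts):
        key = (p.src, p.sport, p.dst, p.dport)
        start, flags = flows.get(key, (p.ts, 0))
        flows[key] = (start, flags | p.flags)
    return flows

def syn_only_filter(flows):
    """The message's filter: dst net, 6000 < dst port < 7000, flags S and not flags AFRPU."""
    return [k for k, (_, fl) in flows.items()
            if ip_address(k[2]) in INSIDE and 6000 < k[3] < 7000
            and fl & SYN and not fl & (ACK | FIN | RST | PSH | URG)]

def inbound_initiated(flows):
    """Assumed heuristic: pair both directions; the flow that starts first opened the connection."""
    hits = []
    for (src, sp, dst, dp), (start, fl) in flows.items():
        rev = flows.get((dst, dp, src, sp))
        if (ip_address(dst) in INSIDE and 6000 < dp < 7000 and fl & SYN
                and rev is not None and rev[1] & SYN and start < rev[0]):
            hits.append((src, sp, dst, dp))
    return hits

# Constructed sample traffic (documentation address ranges).
PACKETS = (handshake(0.0, "198.51.100.7", 51000, "192.0.2.10", 6881)   # outside opens, completes
           + handshake(1.0, "192.0.2.10", 6500, "203.0.113.9", 6881)   # inside opens, completes
           + handshake(2.0, "198.51.100.8", 52000, "192.0.2.11", 6881, complete=False))  # unanswered SYN
FLOWS = to_flows(PACKETS)
```

With this data the message's filter matches only the unanswered SYN, because every completed connection carries S together with A, P and F in both directions. Pairing the two directions by start time picks out the one connection that was opened from outside.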
