Hi,
I do not know if it's a good idea or not, nor if it is feasible.
Could it be possible to use the "protolist" definition of the nf_common.c file
not only for protocol name display but also to accept the same list of protocol
names in nfdump proto filters?
Trying to find unusual protocols flowing through my network, I started to
exclude known protocols and dig further to eliminate all the "normal"
traffic.
The "proto" filter statement is allowing several protocol names to ease the
filter usage like:
"not proto TCP and not proto UDP and not proto ICMP and not proto ESP and not
proto PIM and not proto VRRP"
In the nfdump output, the protocol decoding seems to use the
"protolist[NumProtos][6]" definition of nf_common.c to display the protocol name
instead of its IANA number:
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes Flows
2008-04-07 18:57:00.623     0.000 IPv6       x.x.x.140:0       ->      y.y.y.1:0         ......   0        1      223     1
If it's not too heavy to implement, it would be nice if we could re-use this
protocol list to allow the usage of all the protocol names for the "proto"
filters.
I.e. the displayed IPv6 protocol above cannot be used in a filter like "not
proto IPv6" today; the filter must be "not proto 41".
Nils
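As an added illustration of the idea in the message above (this is not nfdump's code, and the table contents, `resolve_proto` and `is_unusual` are assumptions), a C resolver that reuses a protolist-style display table for filter parsing, so any name nfdump prints, or a raw IANA number, is accepted in a "not proto X and not proto Y" exclusion:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed table in the spirit of nfdump's protolist: display name indexed by
 * IANA protocol number. Only a subset is filled in for this example. */
#define NUM_PROTOS 256
static const char *proto_names[NUM_PROTOS] = {
    [1] = "ICMP", [2] = "IGMP", [6] = "TCP", [17] = "UDP", [41] = "IPv6",
    [47] = "GRE", [50] = "ESP", [51] = "AH", [103] = "PIM", [112] = "VRRP",
};

/* ASCII case-insensitive string equality, so "ipv6" and "IPv6" both match. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Resolve a filter token such as "IPv6", "esp" or "41" to its IANA protocol
 * number by reverse lookup in the display table. Returns -1 if unknown. */
int resolve_proto(const char *token)
{
    char *end;
    long n = strtol(token, &end, 10);
    if (*token && *end == '\0')              /* purely numeric token */
        return (n >= 0 && n < NUM_PROTOS) ? (int)n : -1;
    for (int i = 0; i < NUM_PROTOS; i++)
        if (proto_names[i] && ieq(proto_names[i], token))
            return i;
    return -1;
}

/* Evaluate "not proto A and not proto B ..." for one flow record.
 * Returns 1 when the flow's protocol is outside the excluded list (i.e. it is
 * "unusual" traffic worth a look), 0 when excluded, -1 on an unknown name. */
int is_unusual(int flow_proto, const char *const *excluded, size_t n_excluded)
{
    for (size_t i = 0; i < n_excluded; i++) {
        int p = resolve_proto(excluded[i]);
        if (p < 0)
            return -1;                       /* reject a filter with a bad name */
        if (p == flow_proto)
            return 0;
    }
    return 1;
}
```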
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss