On 05.08.15 16:02, diphen wrote: > Did you try putting dst net parameters in brackets? > > src as 1234 and (dst net 1.2.3.4/24 or dst net 2.3.4.5/24 or dst net > 3.4.5.6/25)
If you have only a coupple of nets, do it like this. If the number of networks to test is bigger than - say 50 or so, the list is more efficient. I check to integrate that. - Peter > > On Sun, Aug 2, 2015 at 10:47 PM, Royke <[email protected]> wrote: > >> Not like that, >> >> The case : >> >> I want to check traffic from specific AS to each specified network. >> >> Filter 1 : >> src as 1234 and dst net 1.2.3.4/24 or dst net 3.4.5.6/24 or dst net >> 4.5.6.7/24 . >> >> This will work but not as intended >> Because the filter statement from : >> >> or dst net 3.4.5.6/24 or dst net 4.5.6.7/24 will accept any src as >> beside as 1234 >> >> So I should write the filter like this : >> >> Filter 2 : >> src as 1234 and dst net 1.2.3.4/24 or src as 1234 and dst net 3.4.5.6/24 >> or src as 1234 and dst net 4.5.6.7/24 >> >> It would be more simple if I can write the filter like : >> >> Filter 3 : >> src as 1234 and dst net in [ 1.2.3.4/24 3.4.5.6/24 4.5.6.7/24 ] >> >> That sintaks only applied to ip addresses. >> >> See that ? >> >> So right now I'm using the filter like Filter 2. It works but very long >> sintaks if you have 10 network or more. >> >> regards >> >> On 07/31/2015 08:42 PM, Saverio Proto wrote: >>> What about >>> >>> (net in net.wo.rk.a/24) or (net in net.wo.rk.b/24) or (net in >> net.wo.rk.c/24) >>> >>> this works for you ? :) >>> >>> Saverio >>> >>> 2015-07-30 8:45 GMT+02:00 Royke <[email protected]>: >>>> Hi Peter / All >>>> >>>> I want to create filter with network address as a list so I create >>>> filter like this : >>>> >>>> net in [ net.wo.rk.a/24 net.wo.rk.b/24 net.wo.rk.c/24 ], but not work. >>>> And based on the documentation is not possible. >>>> I cannot "supernet/summarize" the network to /23 or /22 since they are >>>> very different networks. >>>> >>>> Could you consider this as a feature request ? >>>> Or is it possible but not well documented ? >>>> >>>> Thank you and Best regards >>>> Royke >>>> >>>> >> ------------------------------------------------------------------------------ >>>> _______________________________________________ >>>> Nfsen-discuss mailing list >>>> [email protected] >>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss >> >> >> >> ------------------------------------------------------------------------------ >> _______________________________________________ >> Nfsen-discuss mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss >> > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > Nfsen-discuss mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss > -- Be nice to your netflow data. Use NfSen and nfdump :) ------------------------------------------------------------------------------ _______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
