Richard Stupek wrote:
Which of the 2 scan commands should we use to scan a message? Does sending the IP address help improve scanning?

<snf><xci><scanner><scan file='filepath'/></scanner></xci></snf>
OR
<snf><xci><scanner><scan file='filepath' xhdr='no' log='no' ip='12.34.56.78'/></scanner></xci></snf>

That depends on your needs.

If you want SNF + GBUdb to learn IPs by reading through the Received headers then you would NOT include the ip= attribute.

If you want to tell SNF + GBUdb what the source IP was for the message explicitly then you DO include the ip= attribute.

See:

http://www.armresearch.com/support/articles/software/snfServer/xci/scanner.jsp

"The ip='12.34.56.78' attribute is optional and indicates that the source IP for the message has already been determined as 12.34.56.78. If this option is used then GBUdb training directives may not function as expected. This option is best used when the calling application has already determined the correct source IP for the message and wishes to force the source IP value rather than have SNF+GBUdb discover it from Received headers in the message.

Note: It is often best to let SNF + GBUdb determine the source IP for a given message based on the Received headers. If the connecting IP is not already represented in the top Received header for the message then the calling application should create one in the top of the temporary file SNF is going to scan."

Hope this helps,

_M
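
An added example, not part of the original message and not code from SNF or ARM Research: one way a calling application could follow the quoted advice by writing a top Received header for the connecting IP into the temporary scan file, then building either form of the scan request. The function names, the host name and the exact Received header layout are assumptions; the request strings mirror the two forms in the question.

```python
import ipaddress
import os
import re
import tempfile
from email.utils import formatdate

_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")
_UNSAFE_ATTR = re.compile(r"['\"<>&\x00-\x1f]")


def prepend_received(raw_message, connecting_ip, by_host):
    """Return the message bytes with a Received header for the connecting IP on top."""
    ip = ipaddress.IPv4Address(connecting_ip)   # ValueError on anything but an IPv4 literal
    if not _HOST_RE.fullmatch(by_host):         # rejects CR/LF, so no header injection
        raise ValueError("unsafe host name")
    # Assumed layout: a conventional "from [ip] by host; date" trace line.
    line = f"Received: from [{ip}] by {by_host}; {formatdate(usegmt=True)}\r\n"
    return line.encode("ascii") + raw_message


def write_scan_file(raw_message, connecting_ip, by_host, directory=None):
    """Write the temporary file to be scanned; the caller deletes it afterwards."""
    data = prepend_received(raw_message, connecting_ip, by_host)  # validate first
    fd, path = tempfile.mkstemp(suffix=".msg", dir=directory)     # created mode 0600
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def build_scan_request(path, forced_ip=None):
    """Build the XCI scan request; pass forced_ip only to override header discovery."""
    # Refuse rather than escape: how the receiving parser treats entities is not
    # stated on the page, and a quote in the path could smuggle in an ip= attribute.
    if _UNSAFE_ATTR.search(path):
        raise ValueError("path cannot be placed safely in file='...'")
    attrs = f"file='{path}'"
    if forced_ip is not None:
        attrs += f" ip='{ipaddress.IPv4Address(forced_ip)}'"
    return f"<snf><xci><scanner><scan {attrs}/></scanner></xci></snf>"
```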

