I am having difficulty getting a filter to work with flow-capture so that I can weed out background noise that is filling up my capture files with stuff I don't want to see.
In my /etc/flow-tools/cfg/filter.cfg:

    filter-primitive Dump-SNMP
      type ip-port
      deny 161
      deny 162
      default permit

    filter-primitive background-noise
      type ip-address-mask
      deny 192.168.0.0 255.255.252.0
      deny 224.0.0.0 240.0.0.0
      default permit

    filter-definition noise
      match background-noise
      match Dump-SNMP
and I started flow-capture with:

    flow-capture -w /data/flows -F noise -N 2 0/0/9800
And I get nothing stored to the files.
If I remove the -F noise switch, I get flooded with 2.8 megs of flow data every 15 minutes, and it's only 8 am.
Most of the noise comes from or to the subnets listed in "background-noise".
Am I getting this filter right?
Nick
--
Nick Ellson
CCDA, CCNP, CCSP, CCAI, MCSE 2000, Security+, Network+
Network Hobbyist.
_______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
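A filter.cfg that names the flow field on every match line, as an added example that is not part of Nick's post; it assumes flow-filter's documented filter-definition syntax (match <field> <primitive>) and keeps the two primitives exactly as posted:

```cfg
# Added example, not the original post's configuration: the primitives are
# unchanged, only the filter-definition says which flow field each one tests.
filter-primitive Dump-SNMP
  type ip-port
  deny 161
  deny 162
  default permit

filter-primitive background-noise
  type ip-address-mask
  deny 192.168.0.0 255.255.252.0
  deny 224.0.0.0 240.0.0.0
  default permit

# A flow is kept only when every match line passes, so testing both the
# source and destination side drops SNMP and the noisy subnets in either
# direction. (Field names assumed from the flow-filter documentation.)
filter-definition noise
  match ip-source-port Dump-SNMP
  match ip-destination-port Dump-SNMP
  match ip-source-address background-noise
  match ip-destination-address background-noise
```

To check the definition offline, capture briefly without -F, then pipe the saved files through flow-filter -f /etc/flow-tools/cfg/filter.cfg -F noise | flow-print and see whether any records survive.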
