Greg,
You have the idea of what I was trying to get, and the "or" directive makes sense, I would want that in there. However, you are also right, that did not alter the effect I am seeing.
When I start flow-capture with "-F noise" in the arguments, I get an 88-byte tmp-xxxxx file, and in 20 mins it never grows.
When I leave that filter off, that tmp file grows about every 30 secs and turns into an ft-.. file every 15 mins like it should.
Now, I get a BUNCH of traffic, I would expect to see it grow a little. :)
I'll leave it running this time for an hour, and see what I get.
Otherwise, it does look like I figured out how to filter properly?
Nick
--
Nick Ellson
CCDA, CCNP, CCSP, CCAI, MCSE 2000, Security+, Network+
Network Hobbyist.
On Mon, 9 May 2005 [EMAIL PROTECTED] wrote:
In my /etc/flow-tools/cfg/filter.cfg
filter-primitive Dump-SNMP
  type ip-port
  deny 161
  deny 162
  default permit

filter-primitive background-noise
  type ip-address-mask
  deny 192.168.0.0 255.255.252.0
  deny 224.0.0.0 240.0.0.0
  default permit

filter-definition noise
  match background-noise
  match Dump-SNMP
and I started flow-capture with:
flow-capture -w /data/flows -F noise -N 2 0/0/9800
And I get nothing stored to the files.
I'm not sure it'll fix your issue, but I think you want an 'or' between the match statements in the filter-definition; otherwise you're matching on (ip=192.168.0.0/23 || ip=224.0.0.0/6) && (port=161 || port=162)
I think you want to eliminate all flows having to do with: ip=192.168.0.0/23 or ip=multicast or port=snmp or port=snmptrap
So try:
filter-definition noise
  match background-noise
  or
  match Dump-SNMP
I'm still not sure if that's what's causing you to not get any flows when the filter is engaged.
_______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
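The thread turns on how match lines in a flow-tools filter-definition combine. The following is an added example, not code from the thread or from flow-tools itself: a small Python model that transcribes the two primitives from the posted filter.cfg and evaluates a few constructed flows under both forms of the definition (the posted one and the one with "or"). It assumes the semantics described in the flow-tools filter documentation: match lines inside one group are ANDed, an "or" line starts a new group and groups are ORed, a primitive answers permit or deny per value and falls back to its default, and flow-capture -F stores the flows the definition permits. The choice of which flow field each primitive is matched against (destination address, destination port) is also an assumption; the posted config names no field, whereas a real match line names one such as ip-destination-address.

```python
import ipaddress

# Added example modelling flow-tools filter evaluation (assumed semantics, see lead-in).


def ip_port_primitive(rules, default="permit"):
    """Model of 'type ip-port': rules maps port -> 'permit' | 'deny'."""
    def check(port):
        return rules.get(port, default)
    return check


def ip_address_mask_primitive(rules, default="permit"):
    """Model of 'type ip-address-mask': rules is a list of (address, mask, action)."""
    nets = [(ipaddress.ip_network(f"{addr}/{mask}", strict=False), action)
            for addr, mask, action in rules]

    def check(address):
        a = ipaddress.ip_address(address)
        for net, action in nets:
            if a in net:
                return action
        return default
    return check


# The two primitives from the thread's filter.cfg, transcribed as data.
DUMP_SNMP = ip_port_primitive({161: "deny", 162: "deny"})
BACKGROUND_NOISE = ip_address_mask_primitive([
    ("192.168.0.0", "255.255.252.0", "deny"),
    ("224.0.0.0", "240.0.0.0", "deny"),
])

# A definition is a list of groups; each group is a list of (flow field, primitive).
# The field names are assumptions (the posted config omits them).
AS_POSTED = [  # match background-noise / match Dump-SNMP: one group, ANDed
    [("dst_ip", BACKGROUND_NOISE), ("dst_port", DUMP_SNMP)],
]
WITH_OR = [    # match background-noise / or / match Dump-SNMP: two groups, ORed
    [("dst_ip", BACKGROUND_NOISE)],
    [("dst_port", DUMP_SNMP)],
]


def definition_permits(definition, flow):
    """True when at least one group has every match line permit the flow."""
    return any(all(prim(flow[field]) == "permit" for field, prim in group)
               for group in definition)


def kept_flows(definition, flows):
    """Indices of the flows that would be stored under this definition."""
    return [i for i, flow in enumerate(flows) if definition_permits(definition, flow)]


# Constructed sample flows, not captured data.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.1.5", "dst_ip": "10.2.2.9",     "dst_port": 80},    # 0 ordinary web
    {"src_ip": "10.1.1.5", "dst_ip": "192.168.1.20", "dst_port": 80},    # 1 noise subnet
    {"src_ip": "10.1.1.5", "dst_ip": "10.2.2.9",     "dst_port": 161},   # 2 SNMP
    {"src_ip": "10.1.1.5", "dst_ip": "224.0.0.251",  "dst_port": 5353},  # 3 multicast
    {"src_ip": "10.1.1.5", "dst_ip": "192.168.2.1",  "dst_port": 162},   # 4 noise subnet and SNMP trap
]

if __name__ == "__main__":
    print("as posted (AND):", kept_flows(AS_POSTED, SAMPLE_FLOWS))
    print("with or (OR):   ", kept_flows(WITH_OR, SAMPLE_FLOWS))
```

Running it lists which sample flows survive each form of the definition. Under the ANDed form a flow is stored only when every match line permits it, so any flow touching the noise subnets, multicast, or the SNMP ports is dropped; under the "or" form one permitting group is enough, so only flows that both primitives deny are dropped. Swapping in a packet-level trace of the real filter is the way to confirm which of these the installed flow-tools build actually applies.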
