Every couple of months I get bad netflow packets thrown at my flow-capture process which put my data totals through the roof - e.g.:

    Start              End                Sif SrcIPaddress   SrcP  DIf DstIPaddress  DstP  P  Fl Pkts Octets
    0425.00:00:16.1389 0414.08:47:58.1018 239 217.73.99.162  60667 255 203.28.113.2  27020 6  3  153  1145004070
    0414.11:13:21.796  0414.11:13:24.888  240 217.73.19.225  47327 255 203.28.113.2  80    17 0  153  1410591446

I thought it might be possible to get rid of these junk flows by looking for flows with an extremely high packet rate, but I can't work out the filter-primitive syntax needed - I tried:

    filter-primitive allowable-packet-rate
      type counter
      permit lt 10000

    filter-definition mycustomer-in
      match ip-destination-address CUSTOMER-HOSTS
      match pps allowable-packet-rate

i.e. limit output to flows which have a packet-per-second rate of less than 10000. But my guess at the config syntax is invalid:

    flow-nfilter: Primitive "pps" incompatible with match in filter-definition "mycustomer-in".
    flow-nfilter: resolve_primitives(): failed

The flow-nfilter docs list 'double' as the accepted filter-primitive for the 'pps' match type, but that doesn't make sense to me (a double isn't listed as a filter primitive).

Can anyone suggest a config that will do what I need?

Best regards,
Chris
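
Added example, not part of the original post and not flow-tools code: a Python sanity check over flow-print style text that flags records whose timestamps, packet rate or octets-per-packet ratio cannot be real. It assumes the 12-column layout shown above; the year, the function names and the third sample record are constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_IP_DATAGRAM = 65535   # largest possible IPv4 packet, in bytes
PPS_LIMIT = 10000         # the rate threshold proposed in the post
YEAR = 2001               # assumption: the output carries no year; any non-leap year works

# First two records are the ones quoted in the post; the third is constructed.
SAMPLE = """\
0425.00:00:16.1389 0414.08:47:58.1018 239 217.73.99.162 60667 255 203.28.113.2 27020 6 3 153 1145004070
0414.11:13:21.796 0414.11:13:24.888 240 217.73.19.225 47327 255 203.28.113.2 80 17 0 153 1410591446
0414.11:13:21.796 0414.11:13:24.888 240 192.0.2.10 40000 255 203.28.113.2 80 6 3 10 5200
"""

def parse_ts(text):
    """Parse MMDD.HH:MM:SS.msec; the msec field may exceed 999 in junk records."""
    mmdd, hms, msec = text.split(".")
    base = datetime.strptime(f"{YEAR}{mmdd} {hms}", "%Y%m%d %H:%M:%S")
    return base + timedelta(milliseconds=int(msec))

def check_flow(line):
    """Return the reasons a record is implausible (empty list if it looks sane)."""
    f = line.split()
    if len(f) != 12:
        return ["malformed record"]
    try:
        start, end = parse_ts(f[0]), parse_ts(f[1])
        pkts, octets = int(f[10]), int(f[11])
    except ValueError:
        return ["malformed record"]
    reasons = []
    duration = (end - start).total_seconds()
    if duration < 0:
        reasons.append("end before start")
    elif duration > 0 and pkts / duration >= PPS_LIMIT:
        reasons.append("packet rate over limit")
    # Zero packets, or more bytes per packet than IPv4 allows, cannot be a real flow.
    if pkts == 0 or octets / pkts > MAX_IP_DATAGRAM:
        reasons.append("octets per packet impossible")
    return reasons

def scan(text):
    """Map each record's line number to the reasons it was flagged."""
    return {n: check_flow(l) for n, l in enumerate(text.splitlines(), 1) if l.strip()}

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE).items():
        print(n, "DROP" if reasons else "keep", "; ".join(reasons))
```

On the two records quoted in the post, the computed packet rate stays far below 10000; the octets-per-packet ratio and the reversed timestamps are what mark them as junk.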
