I am trying to filter out known, good traffic so I can see traffic that I am not expecting or considering. I have a list of "rules" that match good traffic and have converted those to nfdump filters. My next step was to negate them which is not producing what I expected. Here are a couple of the simple filters I have tried:
// this works great and gives the expected result nfdump -qBr file 'not dst port 443' // This works as expected nfdump -qBr file 'dst port 443 or dst port 389' Now for the inverse filters: // this does not work, it removes 443 traffic, but not 389 nfdump -qBr file 'not dst port 443 and not dst port 389' // this also does not work, it removes 443 traffic, but not 389 nfdump -qBr file 'not ((dst port 443) or (dst port 389))' Am I doing this incorrectly? Thank you for your time ------------------------------------------------------------------------------ This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev _______________________________________________ Nfdump-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
