Hi Peter, 

I can't understand where I can find this option "-o raw". 

Are you talking about nprobe? Nfsen? 


I've tried on nfsen but still I don't see anything filtering with different TOS 
values: 

nprobe -n 10.0.x.x:2055 -u 0 -Q 1 -o raw --zmq tcp://*:5556 -i eth3
nprobe -n 10.0.x.x:2060 -u 0 -Q 1 -o raw --zmq tcp://*:5556 -i eth2

thanks

-----Original Message-----
From: Peter Haag [mailto:ph...@users.sourceforge.net] 
Sent: lunedì 20 ottobre 2014 07:07
To: Oliver Lagni; nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN

Hi Oliver,
Have you ever listed the flows in -o raw format? There you see all the info 
available in a flow, incl. TOS, if you captured it.

        - Peter


On 15/10/14 14:53, Oliver Lagni wrote:
> Hi guys,
> 
> anyone else on this? 
> 
> Original issue is: 
> 
> I can't graph any TOS value on NFSEN, even though I see it when I capture 
> traffic on the segment I'm monitoring. 
> Only TOS 0 works. 
> 
> Thanks
> 
> 
> -----Original Message-----
> From: nfsen-discuss-requ...@lists.sourceforge.net 
> [mailto:nfsen-discuss-requ...@lists.sourceforge.net]
> Sent: martedì 7 ottobre 2014 14:32
> To: nfsen-discuss@lists.sourceforge.net
> Subject: Nfsen-discuss Digest, Vol 100, Issue 2
> 
> 
> Today's Topics:
> 
>    1. Re: Filter TOS with NFSEN (Giles Coochey)
>    2. Re: Filter TOS with NFSEN (Giles Coochey)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 07 Oct 2014 13:29:28 +0100
> From: Giles Coochey <gi...@coochey.net>
> Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN
> To: nfsen-discuss@lists.sourceforge.net
> Message-ID: <5433dca8.6050...@coochey.net>
> Content-Type: text/plain; charset="windows-1252"
> 
> On 07/10/2014 13:14, Oliver Lagni wrote:
>>
>> Hello all,
>>
>> I'm setting the DSCP on some traffic going out and getting in on my 
>> firewall.
>>
>> With NFSEN I collect traffic from both segments, LAN and WAN Firewall 
>> sides.
>>
>> On my firewall I set DSCP to 101110 for real-time traffic and I 
>> clearly see it on Nprobe server on both segments, as soon as I filter 
>> with TCPDump:
>>
>> tcpdump -i eth2 -vvv -n ip and ip[1]=0xb8
>>
>> 0xb8 is 184 in HEX.. and I see this on eth2 (WAN) and eth3 (LAN):
>>
>> 14:21:23.236494 IP (*tos 0xb8*, ttl 126, id 4388, offset 0, flags 
>> [DF], proto TCP (6), length 450)
>>
>>     217.xx.xx.xx.47460 > 64.xx.xx.xx.https: Flags [P.], cksum 0x5af4 
>> (correct), seq 949:1359, ack 84, win 256, length 410
>>
>> But as soon as I filter on NFSEN with syntax Tos 184 or tos 0xb8 I 
>> don't see anything.
>>
>> Is there any reason? Can someone help me a bit on this?
>>
>>
> I am not sure, but I think the tos value you filter with is the 3 most 
> significant bits, so a value between 0-7
> 
> 0 = 000xxxxxx
> 1 = 001xxxxxx
> 2 = 010xxxxxx
> 3 = 011xxxxxx
> 4 = 100xxxxxx
> 5 = 101xxxxxx
> 6 = 110xxxxxx
> 7 = 111xxxxxx
> 
> So "tos 1" filter matches your priority packets?
> 
> --
> Regards,
> 
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Tue, 07 Oct 2014 13:31:55 +0100
> From: Giles Coochey <gi...@coochey.net>
> Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN
> To: nfsen-discuss@lists.sourceforge.net
> Message-ID: <5433dd3b.8090...@coochey.net>
> Content-Type: text/plain; charset="windows-1252"
> 
> On 07/10/2014 13:29, Giles Coochey wrote:
>> On 07/10/2014 13:14, Oliver Lagni wrote:
>>>
>>> On my firewall I set DSCP to 101110 for real-time traffic and I 
>>> clearly see it on Nprobe server on both segments, as soon as I 
>>> filter with TCPDump:
>>>
>>>
>> I am not sure, but I think the tos value you filter with is the 3 
>> most significant bits, so a value between 0-7
>>
>> 0 = 000xxxxxx
>> 1 = 001xxxxxx
>> 2 = 010xxxxxx
>> 3 = 011xxxxxx
>> 4 = 100xxxxxx
>> 5 = 101xxxxxx
>> 6 = 110xxxxxx
>> 7 = 111xxxxxx
>>
>> So "tos 1" filter matches your priority packets?
> 
> Argh... binary, 0xb8 should be "tos 5"
> 
>> --
>> Regards,
>>
>> Giles Coochey, CCNP, CCNA, CCNAS
>> NetSecSpec Ltd
>> +44 (0) 8444 780677
>> +44 (0) 7584 634135
>> http://www.coochey.net
>> http://www.netsecspec.co.uk
>> gi...@coochey.net
> 
> 
> --
> Regards,
> 
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
> 
> 
> ------------------------------
> 
> ------------------------------
> 
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
> 
> 
> End of Nfsen-discuss Digest, Vol 100, Issue 2
> *********************************************
> 
> 
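
The ToS byte from the tcpdump capture in this thread, split into the readings the messages refer to (full byte, DSCP, 3-bit precedence), as an added example that is not part of the original messages. The sample header is constructed from the values in the capture line with documentation-range addresses, and the function names are assumptions made for this illustration.

```python
import struct

# Named DSCP code points: class selectors and EF, plus AFxy = 8*x + 2*y.
DSCP_NAMES = {0: "CS0", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
              40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}
DSCP_NAMES.update({8 * x + 2 * y: f"AF{x}{y}"
                   for x in range(1, 5) for y in range(1, 4)})


def tos_from_ipv4_header(header: bytes) -> int:
    """Return the ToS/DS byte, the same byte the tcpdump filter ip[1] tests."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def decode_tos(tos: int) -> dict:
    """Split the 8-bit ToS byte into the readings used in the thread."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte (0-255)")
    dscp = tos >> 2  # upper six bits
    return {
        "tos_dec": tos,
        "tos_hex": f"0x{tos:02x}",
        "bits": f"{tos:08b}",
        "precedence": tos >> 5,  # upper three bits
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, "unnamed"),
        "ecn": tos & 0x03,  # lower two bits
    }


# Constructed sample: tos 0xb8, length 450, id 4388, DF, ttl 126, proto TCP.
# Checksum is left as 0 and the addresses are documentation ranges.
SAMPLE_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0xB8, 450, 4388, 0x4000, 126, 6, 0,
    bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

if __name__ == "__main__":
    for key, value in decode_tos(tos_from_ipv4_header(SAMPLE_HEADER)).items():
        print(f"{key:>10}: {value}")
```

Comparing these readings with the TOS field of a flow listed in raw format shows which representation the collector stored.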
