Hi Oliver,

On 21/10/14 14:30, Oliver Lagni wrote:
> Hi Peter,
>
> I can't understand where I can find this option "-o raw".
>
> Are you talking about nprobe? Nfsen?

nfdump -o raw ...

If it does not help you may ask Lucca, about nprobe and TOS values.
nfdump only displays those values it finds in the netflow stream.

- Peter

>
> I've tried on nfsen but still I don't see anything filtering with different
> TOS values:
>
> nprobe -n 10.0.x.x:2055 -u 0 -Q 1 -o raw --zmq tcp://*:5556 -i eth3
> nprobe -n 10.0.x.x:2060 -u 0 -Q 1 -o raw --zmq tcp://*:5556 -i eth2
>
> thanks
>
> -----Original Message-----
> From: Peter Haag [mailto:ph...@users.sourceforge.net]
> Sent: Monday, 20 October 2014 07:07
> To: Oliver Lagni; nfsen-discuss@lists.sourceforge.net
> Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN
>
> Hi Oliver,
> Have you ever listed the flows in -o raw format? There you see all infos
> available in a flow incl. TOS, if you captured them.
>
> - Peter
>
>
> On 15/10/14 14:53, Oliver Lagni wrote:
>> Hi guys,
>>
>> anyone else on this?
>>
>> Original issue is:
>>
>> I can't graph any tos value on NFSEN, despite I see it when I capture
>> traffic on the segment I'm monitoring.
>> Only TOS 0 works.
>>
>> Thanks
>>
>>
>> -----Original Message-----
>> From: nfsen-discuss-requ...@lists.sourceforge.net
>> [mailto:nfsen-discuss-requ...@lists.sourceforge.net]
>> Sent: Tuesday, 7 October 2014 14:32
>> To: nfsen-discuss@lists.sourceforge.net
>> Subject: Nfsen-discuss Digest, Vol 100, Issue 2
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 07 Oct 2014 13:29:28 +0100
>> From: Giles Coochey <gi...@coochey.net>
>> Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN
>> To: nfsen-discuss@lists.sourceforge.net
>> Message-ID: <5433dca8.6050...@coochey.net>
>> Content-Type: text/plain; charset="windows-1252"
>>
>> On 07/10/2014 13:14, Oliver Lagni wrote:
>>>
>>> Hello all,
>>>
>>> I'm setting the DSCP on some traffic going out and getting in on my
>>> firewall.
>>>
>>> With NFSEN I collect traffic from both segments, LAN and WAN Firewall
>>> sides.
>>>
>>> On my firewall I set DSCP to 101110 for real-time traffic and I
>>> clearly see it on Nprobe server on both segments, as soon as I filter
>>> with TCPDump:
>>>
>>> tcpdump -i eth2 -vvv -n ip and ip[1]=0xb8
>>>
>>> 0xb8 is 184 in HEX.. and I see this on eth2 (WAN) and eth3 (LAN):
>>>
>>> 14:21:23.236494 IP (*tos 0xb8*, ttl 126, id 4388, offset 0, flags
>>> [DF], proto TCP (6), length 450)
>>>
>>> 217.xx.xx.xx.47460 > 64.xx.xx.xx.https: Flags [P.], cksum 0x5af4
>>> (correct), seq 949:1359, ack 84, win 256, length 410
>>>
>>> But as soon as I filter on NFSEN with syntax Tos 184 or tos 0xb8 I
>>> don't see anything.
>>>
>>> Is there any reason? Can someone help me a bit on this?
>>>
>>>
>> I am not sure, but I think the tos value you filter with is the 3 most
>> significant bits, so a value between 0-7
>>
>> 0 = 000xxxxxx
>> 1 = 001xxxxxx
>> 2 = 010xxxxxx
>> 3 = 011xxxxxx
>> 4 = 100xxxxxx
>> 5 = 101xxxxxx
>> 6 = 110xxxxxx
>> 7 = 111xxxxxx
>>
>> So "tos 1" filter matches your priority packets?
>>
>> --
>> Regards,
>>
>> Giles Coochey, CCNP, CCNA, CCNAS
>> NetSecSpec Ltd
>> +44 (0) 8444 780677
>> +44 (0) 7584 634135
>> http://www.coochey.net
>> http://www.netsecspec.co.uk
>> gi...@coochey.net
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Tue, 07 Oct 2014 13:31:55 +0100
>> From: Giles Coochey <gi...@coochey.net>
>> Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN
>> To: nfsen-discuss@lists.sourceforge.net
>> Message-ID: <5433dd3b.8090...@coochey.net>
>> Content-Type: text/plain; charset="windows-1252"
>>
>> On 07/10/2014 13:29, Giles Coochey wrote:
>>> On 07/10/2014 13:14, Oliver Lagni wrote:
>>>>
>>>> On my firewall I set DSCP to 101110 for real-time traffic and I
>>>> clearly see it on Nprobe server on both segments, as soon as I
>>>> filter with TCPDump:
>>>>
>>>>
>>> I am not sure, but I think the tos value you filter with is the 3
>>> most significant bits, so a value between 0-7
>>>
>>> 0 = 000xxxxxx
>>> 1 = 001xxxxxx
>>> 2 = 010xxxxxx
>>> 3 = 011xxxxxx
>>> 4 = 100xxxxxx
>>> 5 = 101xxxxxx
>>> 6 = 110xxxxxx
>>> 7 = 111xxxxxx
>>>
>>> So "tos 1" filter matches your priority packets?
>>
>> Argh... binary, 0xb8 should be "tos 5"
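
The values that come up in this thread (DSCP 101110, tos 0xb8 / 184, and "tos 5") are three readings of the same IPv4 header byte. The following is an added example, not part of the original thread and not nfdump or nprobe code: it decodes that byte into each reading and lists the byte values an exact-match filter would have to cover once ECN bits are set. The function names and the sample header are constructed for illustration.

```python
import struct


def tos_from_ipv4_header(header: bytes) -> int:
    """Return the TOS/DS byte (offset 1, the byte tcpdump's ip[1] reads)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def decode_tos(tos: int) -> dict:
    """Split the byte into the fields discussed in the thread."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS is a single byte")
    return {
        "tos": tos,              # whole byte, e.g. 0xb8 = 184
        "dscp": tos >> 2,        # upper 6 bits (RFC 2474)
        "ecn": tos & 0x03,       # lower 2 bits (RFC 3168)
        "precedence": tos >> 5,  # upper 3 bits (legacy IP precedence)
    }


def tos_values_for_dscp(dscp: int) -> list:
    """All TOS byte values that carry this DSCP, one per ECN codepoint."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value")
    return [(dscp << 2) | ecn for ecn in range(4)]


def pcap_filter_for_dscp(dscp: int) -> str:
    """tcpdump expression that matches the DSCP regardless of the ECN bits."""
    return "ip and (ip[1] & 0xfc) = 0x%02x" % tos_values_for_dscp(dscp)[0]


# Constructed sample header mirroring the tcpdump line quoted in the thread
# (tos 0xb8, ttl 126, id 4388, DF, TCP, length 450). The addresses are
# documentation ranges and the checksum is left at 0.
SAMPLE_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 450, 4388, 0x4000,
                            126, 6, 0, bytes([192, 0, 2, 1]),
                            bytes([198, 51, 100, 1]))

if __name__ == "__main__":
    fields = decode_tos(tos_from_ipv4_header(SAMPLE_HEADER))
    print(fields)
    print(tos_values_for_dscp(fields["dscp"]))
    print(pcap_filter_for_dscp(fields["dscp"]))
```

An exact match on 184 only covers packets whose ECN bits are zero; the masked expression covers all four byte values that carry the same DSCP.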