Hi,

OK, it was an error on my part.

The filter syntax expects the addresses to be specified in hex format and compared with the specific octets of the IP packet that define the source IP and the destination IP.

So for the previous example where I want to have:

  labelA: 192.168.0.1 - 192.168.0.100
  labelB: 192.168.0.101 - 192.168.0.200

The relevant entries in the pre_tag_map are:

  set_label=LabelA filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))'
  set_label=LabelB filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))'

where:
 - ip[12:4] is the source IP
 - ip[16:4] is the dest IP

So far it seems to be working, so I'm just putting it here for future reference. ;-)

Best,
Georgios

Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667

On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote:
> Dear Paolo,
>
> Thanks for the fast reply.
>
> My main issue is that some of the ranges we have do not fit into subnets.
>
> For example:
>
> labelA: 192.168.0.1 - 192.168.0.100
> labelB: 192.168.0.101 - 192.168.0.200
>
> That is why I was trying to play around with the less than / greater
> than operators, combined with "and".
>
> Would something like that be possible too?
>
> Best,
> Georgios
>
>
> On 11/10/2017 04:57 PM, Paolo Lucente wrote:
>>
>> Hi Georgios,
>>
>> The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter
>> syntax - what you would find working as a filter in tcpdump, should work
>> here too. To express IP ranges, you should use IP subnets, for example:
>>
>> set_label=labelA filter='net 192.168.0.0/17'
>> set_label=labelB filter='net 192.168.128.0/17'
>>
>> Paolo
>>
>> On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote:
>>> Hello,
>>>
>>> On nfacctd, I'm trying to apply labels on IP ranges that can't always
>>> be defined by subnets.
>>>
>>> For example I want:
>>> - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA"
>>> - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA"
>>>
>>>
>>> In the Pre-Tagging map example, it says that the filter key expects the
>>> expression in libpcap syntax.
>>>
>>> So I tried the following:
>>>
>>> set_label=labelA filter='(ip >= 192.168.0.1) and (ip <= 192.168.127.254)'
>>> set_label=labelB filter='(ip >= 192.168.128.1) and (ip <= 192.168.255.254)'
>>>
>>> And it didn't work, and neither did the following, where I'm using the
>>> int / hex representation of the IP.
>>>
>>> set_label=labelA filter='(ip >= 3232235521) and (ip <= 3232268286)'
>>> set_label=labelB filter='(ip >= 3232268289) and (ip <= 3232301054)'
>>>
>>> set_label=labelA filter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)'
>>> set_label=labelB filter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)'
>>>
>>> I'm always getting "malformed filter: syntax error"
>>>
>>> So any suggestions on how to solve this?
>>>
>>> Is it really a syntax error, or can the range not be defined this way?
>>>
>>> Thank you for your time.
>>>
>>> Best Regards,
>>> Georgios Kaklamanos
>>>
>>>
>>> --
>>> ------------------------------------------------------------------
>>> Georgios Kaklamanos
>>> Research Assistant, e-Science Group, GWDG
>>> mailto: [email protected]
>>> Phone: 0551 201-26803
>>> ------------------------------------------------------------------
>>> GWDG - Gesellschaft für wissenschaftliche
>>> Datenverarbeitung mbH Göttingen
>>> Am Faßberg 11, 37077 Göttingen, Germany
>>>
>>> WWW: www.gwdg.de mailto: [email protected]
>>> Phone: +49 (0) 551 201-1510
>>> Fax: +49 (0) 551 201-2150
>>> ------------------------------------------------------------------
>>> Managing Director: Prof. Dr. Ramin Yahyapour
>>> Chairman of the Supervisory Board: Prof. Dr. Christian Griesinger
>>> Registered office: Göttingen
>>> Court of registration: Göttingen
>>> Commercial register no. B 598
>>> ------------------------------------------------------------------
>>> Certified according to ISO 9001
>>> ------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> pmacct-discussion mailing list
>>> http://www.pmacct.net/#mailinglists
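Added example (not part of the original thread and not pmacct code): a Python helper that generates the ip[12:4] / ip[16:4] hex comparison for any inclusive IPv4 range, as used in the working pre_tag_map entries at the top of the thread, and checks which label a constructed IPv4 header would receive. The names range_to_filter, pre_tag_lines, ipv4_header, label_for and RANGES are hypothetical, and the first-match order in label_for is an assumption about how the map is evaluated.

```python
import ipaddress
import struct

def range_to_filter(first: str, last: str) -> str:
    """Build a libpcap expression matching packets whose source or
    destination IPv4 address lies in [first, last] (inclusive)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is above range end {last}")
    clauses = [
        f"((ip[{off}:4] >= 0x{lo:08X}) and (ip[{off}:4] <= 0x{hi:08X}))"
        for off in (12, 16)  # 12 = source address, 16 = destination address
    ]
    return " or ".join(clauses)

def pre_tag_lines(ranges: dict) -> list:
    """Render one pre_tag_map entry per label, in the thread's format."""
    return [f"set_label={label} filter='{range_to_filter(a, b)}'"
            for label, (a, b) in ranges.items()]

def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0) for testing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def label_for(header: bytes, ranges: dict):
    """Apply the same byte-offset comparison the filter performs.
    Assumption: entries are tried in order and the first match wins."""
    src, dst = struct.unpack("!II", header[12:20])
    for label, (a, b) in ranges.items():
        lo, hi = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
        if lo <= src <= hi or lo <= dst <= hi:
            return label
    return None

# The two ranges from the thread.
RANGES = {"LabelA": ("192.168.0.1", "192.168.0.100"),
          "LabelB": ("192.168.0.101", "192.168.0.200")}

if __name__ == "__main__":
    print("\n".join(pre_tag_lines(RANGES)))
    print(label_for(ipv4_header("10.0.0.5", "192.168.0.150"), RANGES))
```

Because each filter matches on source or destination, a flow from a LabelA address to a LabelB address satisfies both entries, so the order of the entries decides which label it gets. The ip[...] accessor only matches IPv4 packets.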
