Hi Paolo,

Glad I could help.

Just a note though. To my understanding, if this mapping is global, then
a packet with source IP in the first range, and destination IP in the
second, will only get the first label, after the first rule matches.

So if one aggregates based on dst_host / src_host, and also uses
the label, then there should be two different mapping files, one for
inbound and one for outbound, with mappings only for destination /
source IP accordingly.

Any thoughts on this?

Best,
George

On 11/11/2017 01:48 PM, Paolo Lucente wrote:
> 
> Hi Georgios,
> 
> Very cool, thanks for sharing this. I think there is also good material
> for me for extra documentation here. 
> 
> Paolo 
> 
> On Fri, Nov 10, 2017 at 06:40:56PM +0100, Georgios Kaklamanos wrote:
>> Hi,
>>
>> Ok, it was an error on my part.
>>
>> The filter syntax expects the addresses to be specified in hex format and
>> compared with the specific octets of the IP packet that define the
>> source IP and the destination IP.
>>
>> So for the previous example where I want to have:
>>
>> labelA: 192.168.0.1 - 192.168.0.100
>> labelB: 192.168.0.101 - 192.168.0.200
>>
>> The relevant entries in the pre_tag_map are:
>>
>> set_label=LabelA   filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))'
>>
>> set_label=LabelB   filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))'
>>
>> where the:
>> - ip[12:4] is the source ip
>> - ip[16:4] is the dest ip
>>
>> So far it seems to be working, so I'm just putting it here for future
>> reference. ;-)
>>
>> Best,
>> Georgios
>>
>> Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667
>>
>> On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote:
>>> Dear Paolo,
>>>
>>> Thanks for the fast reply.
>>>
>>> My main issue is that some of the ranges we have do not fit into subnets.
>>>
>>> For example:
>>>
>>> labelA: 192.168.0.1 - 192.168.0.100
>>> labelB: 192.168.0.101 - 192.168.0.200
>>>
>>> That is why I was trying to play around with the less than / greater
>>> than operators, combined with "and".
>>>
>>> Would something like that be possible too?
>>>
>>> Best,
>>> Georgios
>>>
>>>
>>> On 11/10/2017 04:57 PM, Paolo Lucente wrote:
>>>>
>>>> Hi Georgios,
>>>>
>>>> The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter
>>>> syntax - what you would find working as a filter in tcpdump, should work
>>>> here too. To express IP ranges, you should use IP subnets, for example:
>>>>
>>>> set_label=labelA   filter='net 192.168.0.0/17'
>>>> set_label=labelB   filter='net 192.168.128.0/17'
>>>>
>>>> Paolo
>>>>
>>>> On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote:
>>>>> Hello,
>>>>>
>>>>> On nfacctd, I'm trying to apply labels on IP ranges, that can't always
>>>>> be defined by subnets.
>>>>>
>>>>> For example I want:
>>>>>  - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA"
>>>>>  - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA"
>>>>>
>>>>>
>>>>> In the Pre-Tagging map example, it says that the filter key expects the
>>>>> expression in libpcap syntax.
>>>>>
>>>>> So I tried the following:
>>>>>
>>>>>  set_label=labelA    filter='(ip >= 192.168.0.1) and (ip <= 192.168.127.254)'
>>>>>  set_label=labelB    filter='(ip >= 192.168.128.1) and (ip <= 192.168.255.254)'
>>>>>
>>>>> And it didn't work, and neither did the following, where I'm using the
>>>>> int / hex representation of the IP.
>>>>>
>>>>>  set_label=labelA    filter='(ip >= 3232235521) and (ip <= 3232268286)'
>>>>>  set_label=labelB    filter='(ip >= 3232268289) and (ip <= 3232301054)'
>>>>>
>>>>>  set_label=labelA    filter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)'
>>>>>  set_label=labelB    filter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)'
>>>>>
>>>>> I'm always getting "malformed filter: syntax error"
>>>>>
>>>>> So any suggestions on how to solve this?
>>>>>
>>>>> Is it really a syntax error, or can the range not be defined this way?
>>>>>
>>>>> Thank you for your time.
>>>>>
>>>>> Best Regards,
>>>>> Georgios Kaklamanos
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> pmacct-discussion mailing list
>>>>> http://www.pmacct.net/#mailinglists

-- 
------------------------------------------------------------------
Georgios Kaklamanos
Research Assistant, e-Science Group, GWDG
mailto: georgios.kaklama...@gwdg.de
Telephone: 0551 201-26803
------------------------------------------------------------------
GWDG - Gesellschaft für wissenschaftliche
Datenverarbeitung mbH Göttingen
Am Faßberg 11, 37077 Göttingen, Germany

WWW: www.gwdg.de    mailto: g...@gwdg.de
Phone: +49 (0) 551 201-1510
Fax:   +49 (0) 551 201-2150
------------------------------------------------------------------
Managing Director: Prof. Dr. Ramin Yahyapour
Chairman of the Supervisory Board: Prof. Dr. Christian Griesinger
Registered office: Göttingen
Court of registration: Göttingen
Commercial register no. B 598
------------------------------------------------------------------
Certified according to ISO 9001
------------------------------------------------------------------
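
Added example, not part of the original thread and not pmacct code: a Python helper that generates the hex-offset pre_tag_map entries shown in the thread for arbitrary IPv4 ranges, and models the first-match behaviour George describes to show how source-only and destination-only maps label the same flow differently. The function names and the first-match model are assumptions made for illustration.

```python
import ipaddress

# Byte offsets into the IPv4 header, as used in the thread's filters.
SRC, DST = "ip[12:4]", "ip[16:4]"

# Constructed sample: the two ranges from the thread.
RANGES = [("LabelA", "192.168.0.1", "192.168.0.100"),
          ("LabelB", "192.168.0.101", "192.168.0.200")]

def bounds(first, last):
    """Return the range as two integers, rejecting inverted ranges."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"{first} is above {last}")
    return lo, hi

def map_entry(label, first, last, fields=(SRC, DST)):
    """Build one pre_tag_map line comparing the chosen address field(s)."""
    lo, hi = bounds(first, last)
    expr = " or ".join(
        f"(({f} >= 0x{lo:08X}) and ({f} <= 0x{hi:08X}))" for f in fields)
    return f"set_label={label}   filter='{expr}'"

def first_match(ranges, src, dst, fields=(SRC, DST)):
    """Model of first-match evaluation (assumed, per the note in the thread)."""
    addr = {SRC: int(ipaddress.IPv4Address(src)),
            DST: int(ipaddress.IPv4Address(dst))}
    for label, first, last in ranges:
        lo, hi = bounds(first, last)
        if any(lo <= addr[f] <= hi for f in fields):
            return label
    return None

if __name__ == "__main__":
    for name, fields in (("combined", (SRC, DST)),
                         ("outbound (source only)", (SRC,)),
                         ("inbound (destination only)", (DST,))):
        print(f"# {name} map")
        for label, first, last in RANGES:
            print(map_entry(label, first, last, fields))
        # Constructed flow from the LabelA range to the LabelB range.
        print("# label:", first_match(RANGES, "192.168.0.5", "192.168.0.150", fields))
```

The `ip[12:4]` and `ip[16:4]` offsets index the IPv4 header only, so entries generated this way do not match IPv6 flows.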
