Hi Georgios,

Very cool, thanks for sharing this. I think there is also good material
for me for extra documentation here. 

Paolo 

On Fri, Nov 10, 2017 at 06:40:56PM +0100, Georgios Kaklamanos wrote:
> Hi,
> 
> Ok, it was an error on my part.
> 
> The filter syntax expects the addresses to be specified in hex format and
> compared with the specific octets of the IP packet that define the
> source IP and the destination IP.
> 
> So for the previous example where I want to have:
> 
> labelA: 192.168.0.1 - 192.168.0.100
> labelB: 192.168.0.101 - 192.168.0.200
> 
> The relevant entries in the pre_tag_map are:
> 
> set_label=LabelA   filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))'
> 
> set_label=LabelB   filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))'
> 
> where the:
> - ip[12:4] is the source ip
> - ip[16:4] is the dest ip
> 
> So far it seems to be working, so I'm just putting it here for future
> reference. ;-)
> 
> Best,
> Georgios
> 
> Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667
> 
> On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote:
> > Dear Paolo,
> > 
> > Thanks for the fast reply.
> > 
> > My main issue is that some of the ranges we have do not fit into subnets.
> > 
> > For example:
> > 
> > labelA: 192.168.0.1 - 192.168.0.100
> > labelB: 192.168.0.101 - 192.168.0.200
> > 
> > That is why I was trying to play around with the less than / greater
> > than operators, combined with "and".
> > 
> > Would something like that be possible too?
> > 
> > Best,
> > Georgios
> > 
> > 
> > On 11/10/2017 04:57 PM, Paolo Lucente wrote:
> >>
> >> Hi Georgios,
> >>
> >> The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter
> >> syntax - what you would find working as a filter in tcpdump, should work
> >> here too. To express IP ranges, you should use IP subnets, for example:
> >>
> >> set_label=labelA   filter='net 192.168.0.0/17'
> >> set_label=labelB   filter='net 192.168.128.0/17'
> >>
> >> Paolo
> >>
> >> On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote:
> >>> Hello,
> >>>
> >>> On nfacctd, I'm trying to apply labels on IP ranges, that can't always
> >>> be defined by subnets.
> >>>
> >>> For example I want:
> >>>  - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA"
> >>>  - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA"
> >>>
> >>>
> >>> In the Pre-Tagging map example, it says that the filter key expects the
> >>> expression in libpcap syntax.
> >>>
> >>> So I tried the following:
> >>>
> >>>  set_label=labelA    filter='(ip >= 192.168.0.1) and (ip <= 192.168.127.254)'
> >>>  set_label=labelB    filter='(ip >= 192.168.128.1) and (ip <= 192.168.255.254)'
> >>>
> >>> And it didn't work, and neither did the following, where I'm using the
> >>> int / hex representation of the IP.
> >>>
> >>>  set_label=labelA    filter='(ip >= 3232235521) and (ip <= 3232268286)'
> >>>  set_label=labelB    filter='(ip >= 3232268289) and (ip <= 3232301054)'
> >>>
> >>>  set_label=labelA    filter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)'
> >>>  set_label=labelB    filter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)'
> >>>
> >>> I'm always getting "malformed filter: syntax error"
> >>>
> >>> So any suggestions on how to solve this?
> >>>
> >>> Is it really a syntax error, or the range cannot be defined this way?
> >>>
> >>> Thank you for your time.
> >>>
> >>> Best Regards,
> >>> Georgios Kaklamanos
> >>>
> >>>
> >>> -- 
> >>> ------------------------------------------------------------------
> >>> Georgios Kaklamanos
> >>> Research Assistant, e-Science Group, GWDG
> >>> mailto: georgios.kaklama...@gwdg.de
> >>> Phone: 0551 201-26803
> >>> ------------------------------------------------------------------
> >>> GWDG - Gesellschaft für wissenschaftliche
> >>> Datenverarbeitung mbH Göttingen
> >>> Am Faßberg 11, 37077 Göttingen, Germany
> >>>
> >>> WWW: www.gwdg.de    mailto: g...@gwdg.de
> >>> Phone: +49 (0) 551 201-1510
> >>> Fax:   +49 (0) 551 201-2150
> >>> ------------------------------------------------------------------
> >>> Managing Director: Prof. Dr. Ramin Yahyapour
> >>> Chairman of the Supervisory Board: Prof. Dr. Christian Griesinger
> >>> Registered office: Göttingen
> >>> Court of registration: Göttingen
> >>> Commercial register no. B 598
> >>> ------------------------------------------------------------------
> >>> Certified according to ISO 9001
> >>> ------------------------------------------------------------------
> >>>
> >>
> >>
> >>
> >>> _______________________________________________
> >>> pmacct-discussion mailing list
> >>> http://www.pmacct.net/#mailinglists


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
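
Added example, not part of the thread and not pmacct code: a Python sketch that builds the byte-offset filter described above from an inclusive IPv4 range and checks the range boundaries against constructed IPv4 headers. The function names, the `RANGES` table and the first-match labelling in `label_for` are assumptions of this sketch.

```python
import ipaddress
import struct

# Ranges from the thread: (label, first address, last address), inclusive.
RANGES = [("LabelA", "192.168.0.1", "192.168.0.100"),
          ("LabelB", "192.168.0.101", "192.168.0.200")]

def _bounds(first, last):
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    return lo, hi

def range_filter(first, last):
    """libpcap expression matching source OR destination inside the range."""
    lo, hi = _bounds(first, last)
    # ip[12:4] = 4 bytes at offset 12 (source), ip[16:4] = offset 16 (destination).
    # The ip[...] accessor only applies to IPv4 packets.
    src = f"(ip[12:4] >= 0x{lo:08X}) and (ip[12:4] <= 0x{hi:08X})"
    dst = f"(ip[16:4] >= 0x{lo:08X}) and (ip[16:4] <= 0x{hi:08X})"
    return f"({src}) or ({dst})"

def pre_tag_line(label, first, last):
    """One pre_tag_map entry in the form used in the thread."""
    return f"set_label={label}   filter='{range_filter(first, last)}'"

def ipv4_header(src, dst):
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def label_for(header, ranges=RANGES):
    """Apply the same comparisons to raw header bytes; first match wins (assumed)."""
    src = int.from_bytes(header[12:16], "big")
    dst = int.from_bytes(header[16:20], "big")
    for label, first, last in ranges:
        lo, hi = _bounds(first, last)
        if lo <= src <= hi or lo <= dst <= hi:
            return label
    return None

if __name__ == "__main__":
    for entry in RANGES:
        print(pre_tag_line(*entry))
```
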
