Re: [pmacct-discussion] Apply label to IPs, based on IP range (not subnets).
Hi Georgios, You can make the mapping specific to a plugin no problem, ie.: plugins: print[inbound], print[outbound] ! pre_tag_map[inbound]: /path/to/pretag-inbound.map ! [.. ] ! pre_tag_map[outbound]: /path/to/pretag-outbound.map ! [ .. ] ! Paolo On Mon, Nov 13, 2017 at 10:49:59AM +0100, Georgios Kaklamanos wrote: > Hi Paolo, > > Glad I could help. > > Just a note though. To my understanding, if this mapping is global, then > a packet with source IP in the first range, and destination IP in the > second, will only get the first label, after the first rule matches. > > So if one does aggregates based on dst_host / src_host, and also uses > the label, then there should be two different mapping files, one for > inbound and one for outbound, with mappings only for destination / > source IP accordingly. > > Any thoughts on this? > > Best, > George > > On 11/11/2017 01:48 PM, Paolo Lucente wrote: > > > > Hi Georgios, > > > > Very cool, thanks for sharing this. I think there is also good material > > for me for extra documentation here. > > > > Paolo > > > > On Fri, Nov 10, 2017 at 06:40:56PM +0100, Georgios Kaklamanos wrote: > >> Hi, > >> > >> Ok, it was an error from my part. > >> > >> The filter syntax expects to specify the addresses in hex format and > >> compare it with the specific octets of the IP packet that define the > >> source IP and the destination IP. > >> > >> So for the previous example where I want to have: > >> > >> labelA: 192.168.0.1 - 192.168.0.100 > >> labelB: 192.168.0.101 - 192.168.0.200 > >> > >> The relevant entries in the pre_tag_map are: > >> > >> set_label=LabelA filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= > >> 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))' > >> > >> set_label=LabelB filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= > >> 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))' > >> > >> where the: > >> - ip[12:4] is the source ip > >> - ip[16:4] is the dest ip > >> > >> So far it seems to be working, so I'm just putting here for future > >> reference. ;-) > >> > >> Best, > >> Georgios > >> > >> Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667 > >> > >> On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote: > >>> Dear Paolo, > >>> > >>> Thanks for the fast reply. > >>> > >>> My main issue is that some of the ranges we have, do not fit into subnets. > >>> > >>> For example: > >>> > >>> labelA: 192.168.0.1 - 192.168.0.100 > >>> labelB: 192.168.0.101 - 192.168.0.200 > >>> > >>> That is why I was trying to play around with the less than / greater > >>> than operators, combined with "and". > >>> > >>> Would something like that be possible too? > >>> > >>> Best, > >>> Georgios > >>> > >>> > >>> On 11/10/2017 04:57 PM, Paolo Lucente wrote: > > Hi Georgios, > > The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter > syntax - what you would find working as a filter in tcpdump, should work > here too. To express IP ranges, you should use IP subnets, for example: > > set_label=labelA filter='net 192.168.0.0/17' > set_label=labelB filter='net 192.168.128.0/17' > > Paolo > > On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote: > > Hello, > > > > On nfacctd, I'm trying to apply labels on IP ranges, that can't always > > be defined by subnets. > > > > For example I want: > > - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA" > > - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA" > > > > > > At the Pre-Tagging map example, it says that the filter key, expects the > > expression on libpcap syntax. > > > > So I tried the following: > > > > set_label=labelAfilter='(ip >= 192.168.0.1) and (ip <= > > 192.168.127.254)' > > set_label=labelBfilter='(ip >= 192.168.128.1) and (ip <= > > 192.168.255.254)' > > > > And it didn't work, and neither did the following, where I'm using the > > int / hex representation of the IP. > > > > set_label=labelAfilter='(ip >= 3232235521) and (ip <= 3232268286)' > > set_label=labelBfilter='(ip >= 3232268289) and (ip <= 3232301054)' > > > > set_label=labelAfilter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)' > > set_label=labelBfilter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)' > > > > I'm always getting "malformed filter: syntax error" > > > > So any suggestions on how to solve this? > > > > Is it really a syntax error, or the range cannot be defined this way? > > > > Thank you for your time. > > > > Best Regards, > > Georgios Kaklamanos > > > > > > -- > > -- > > Georgios Kaklamanos > > Research Assistant, e-Science Group, GWDG > > mailto: georgios.kaklama...@gwdg.de > > Telefon:
Re: [pmacct-discussion] Apply label to IPs, based on IP range (not subnets).
Hi Paolo, Glad I could help. Just a note though. To my understanding, if this mapping is global, then a packet with source IP in the first range, and destination IP in the second, will only get the first label, after the first rule matches. So if one does aggregates based on dst_host / src_host, and also uses the label, then there should be two different mapping files, one for inbound and one for outbound, with mappings only for destination / source IP accordingly. Any thoughts on this? Best, George On 11/11/2017 01:48 PM, Paolo Lucente wrote: > > Hi Georgios, > > Very cool, thanks for sharing this. I think there is also good material > for me for extra documentation here. > > Paolo > > On Fri, Nov 10, 2017 at 06:40:56PM +0100, Georgios Kaklamanos wrote: >> Hi, >> >> Ok, it was an error from my part. >> >> The filter syntax expects to specify the addresses in hex format and >> compare it with the specific octets of the IP packet that define the >> source IP and the destination IP. >> >> So for the previous example where I want to have: >> >> labelA: 192.168.0.1 - 192.168.0.100 >> labelB: 192.168.0.101 - 192.168.0.200 >> >> The relevant entries in the pre_tag_map are: >> >> set_label=LabelA filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= >> 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))' >> >> set_label=LabelB filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= >> 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))' >> >> where the: >> - ip[12:4] is the source ip >> - ip[16:4] is the dest ip >> >> So far it seems to be working, so I'm just putting here for future >> reference. ;-) >> >> Best, >> Georgios >> >> Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667 >> >> On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote: >>> Dear Paolo, >>> >>> Thanks for the fast reply. >>> >>> My main issue is that some of the ranges we have, do not fit into subnets. >>> >>> For example: >>> >>> labelA: 192.168.0.1 - 192.168.0.100 >>> labelB: 192.168.0.101 - 192.168.0.200 >>> >>> That is why I was trying to play around with the less than / greater >>> than operators, combined with "and". >>> >>> Would something like that be possible too? >>> >>> Best, >>> Georgios >>> >>> >>> On 11/10/2017 04:57 PM, Paolo Lucente wrote: Hi Georgios, The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter syntax - what you would find working as a filter in tcpdump, should work here too. To express IP ranges, you should use IP subnets, for example: set_label=labelA filter='net 192.168.0.0/17' set_label=labelB filter='net 192.168.128.0/17' Paolo On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote: > Hello, > > On nfacctd, I'm trying to apply labels on IP ranges, that can't always > be defined by subnets. > > For example I want: > - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA" > - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA" > > > At the Pre-Tagging map example, it says that the filter key, expects the > expression on libpcap syntax. > > So I tried the following: > > set_label=labelAfilter='(ip >= 192.168.0.1) and (ip <= > 192.168.127.254)' > set_label=labelBfilter='(ip >= 192.168.128.1) and (ip <= > 192.168.255.254)' > > And it didn't work, and neither did the following, where I'm using the > int / hex representation of the IP. > > set_label=labelAfilter='(ip >= 3232235521) and (ip <= 3232268286)' > set_label=labelBfilter='(ip >= 3232268289) and (ip <= 3232301054)' > > set_label=labelAfilter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)' > set_label=labelBfilter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)' > > I'm always getting "malformed filter: syntax error" > > So any suggestions on how to solve this? > > Is it really a syntax error, or the range cannot be defined this way? > > Thank you for your time. > > Best Regards, > Georgios Kaklamanos > > > -- > -- > Georgios Kaklamanos > Research Assistant, e-Science Group, GWDG > mailto: georgios.kaklama...@gwdg.de > Telefon: 0551 201-26803 > -- > GWDG - Gesellschaft für wissenschaftliche > Datenverarbeitung mbH Göttingen > Am Faßberg 11, 37077 Göttingen, Germany > > WWW: www.gwdg.demailto: g...@gwdg.de > Phone: +49 (0) 551 201-1510 > Fax: +49 (0) 551 201-2150 > -- > Geschäftsführer: Prof. Dr. Ramin Yahyapour > Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger > Sitz der Gesellschaft: Göttingen > Registergericht: Göttingen >
Re: [pmacct-discussion] Apply label to IPs, based on IP range (not subnets).
Hi Georgios, Very cool, thanks for sharing this. I think there is also good material for me for extra documentation here. Paolo On Fri, Nov 10, 2017 at 06:40:56PM +0100, Georgios Kaklamanos wrote: > Hi, > > Ok, it was an error from my part. > > The filter syntax expects to specify the addresses in hex format and > compare it with the specific octets of the IP packet that define the > source IP and the destination IP. > > So for the previous example where I want to have: > > labelA: 192.168.0.1 - 192.168.0.100 > labelB: 192.168.0.101 - 192.168.0.200 > > The relevant entries in the pre_tag_map are: > > set_label=LabelA filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= > 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))' > > set_label=LabelB filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= > 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))' > > where the: > - ip[12:4] is the source ip > - ip[16:4] is the dest ip > > So far it seems to be working, so I'm just putting here for future > reference. ;-) > > Best, > Georgios > > Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667 > > On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote: > > Dear Paolo, > > > > Thanks for the fast reply. > > > > My main issue is that some of the ranges we have, do not fit into subnets. > > > > For example: > > > > labelA: 192.168.0.1 - 192.168.0.100 > > labelB: 192.168.0.101 - 192.168.0.200 > > > > That is why I was trying to play around with the less than / greater > > than operators, combined with "and". > > > > Would something like that be possible too? > > > > Best, > > Georgios > > > > > > On 11/10/2017 04:57 PM, Paolo Lucente wrote: > >> > >> Hi Georgios, > >> > >> The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter > >> syntax - what you would find working as a filter in tcpdump, should work > >> here too. To express IP ranges, you should use IP subnets, for example: > >> > >> set_label=labelA filter='net 192.168.0.0/17' > >> set_label=labelB filter='net 192.168.128.0/17' > >> > >> Paolo > >> > >> On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote: > >>> Hello, > >>> > >>> On nfacctd, I'm trying to apply labels on IP ranges, that can't always > >>> be defined by subnets. > >>> > >>> For example I want: > >>> - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA" > >>> - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA" > >>> > >>> > >>> At the Pre-Tagging map example, it says that the filter key, expects the > >>> expression on libpcap syntax. > >>> > >>> So I tried the following: > >>> > >>> set_label=labelAfilter='(ip >= 192.168.0.1) and (ip <= > >>> 192.168.127.254)' > >>> set_label=labelBfilter='(ip >= 192.168.128.1) and (ip <= > >>> 192.168.255.254)' > >>> > >>> And it didn't work, and neither did the following, where I'm using the > >>> int / hex representation of the IP. > >>> > >>> set_label=labelAfilter='(ip >= 3232235521) and (ip <= 3232268286)' > >>> set_label=labelBfilter='(ip >= 3232268289) and (ip <= 3232301054)' > >>> > >>> set_label=labelAfilter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)' > >>> set_label=labelBfilter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)' > >>> > >>> I'm always getting "malformed filter: syntax error" > >>> > >>> So any suggestions on how to solve this? > >>> > >>> Is it really a syntax error, or the range cannot be defined this way? > >>> > >>> Thank you for your time. > >>> > >>> Best Regards, > >>> Georgios Kaklamanos > >>> > >>> > >>> -- > >>> -- > >>> Georgios Kaklamanos > >>> Research Assistant, e-Science Group, GWDG > >>> mailto: georgios.kaklama...@gwdg.de > >>> Telefon: 0551 201-26803 > >>> -- > >>> GWDG - Gesellschaft für wissenschaftliche > >>> Datenverarbeitung mbH Göttingen > >>> Am Faßberg 11, 37077 Göttingen, Germany > >>> > >>> WWW: www.gwdg.demailto: g...@gwdg.de > >>> Phone: +49 (0) 551 201-1510 > >>> Fax: +49 (0) 551 201-2150 > >>> -- > >>> Geschäftsführer: Prof. Dr. Ramin Yahyapour > >>> Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger > >>> Sitz der Gesellschaft: Göttingen > >>> Registergericht: Göttingen > >>> Handelsregister-Nr. B 598 > >>> -- > >>> Zertifiziert nach ISO 9001 > >>> -- > >>> > >> > >> > >> > >>> ___ > >>> pmacct-discussion mailing list > >>> http://www.pmacct.net/#mailinglists > >> > >> > >> ___ > >> pmacct-discussion mailing list > >> http://www.pmacct.net/#mailinglists > >> > > > > > > > > ___ > > pmacct-disc
Re: [pmacct-discussion] Apply label to IPs, based on IP range (not subnets).
Hi, Ok, it was an error from my part. The filter syntax expects to specify the addresses in hex format and compare it with the specific octets of the IP packet that define the source IP and the destination IP. So for the previous example where I want to have: labelA: 192.168.0.1 - 192.168.0.100 labelB: 192.168.0.101 - 192.168.0.200 The relevant entries in the pre_tag_map are: set_label=LabelA filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))' set_label=LabelB filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))' where the: - ip[12:4] is the source ip - ip[16:4] is the dest ip So far it seems to be working, so I'm just putting here for future reference. ;-) Best, Georgios Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667 On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote: > Dear Paolo, > > Thanks for the fast reply. > > My main issue is that some of the ranges we have, do not fit into subnets. > > For example: > > labelA: 192.168.0.1 - 192.168.0.100 > labelB: 192.168.0.101 - 192.168.0.200 > > That is why I was trying to play around with the less than / greater > than operators, combined with "and". > > Would something like that be possible too? > > Best, > Georgios > > > On 11/10/2017 04:57 PM, Paolo Lucente wrote: >> >> Hi Georgios, >> >> The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter >> syntax - what you would find working as a filter in tcpdump, should work >> here too. To express IP ranges, you should use IP subnets, for example: >> >> set_label=labelA filter='net 192.168.0.0/17' >> set_label=labelB filter='net 192.168.128.0/17' >> >> Paolo >> >> On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote: >>> Hello, >>> >>> On nfacctd, I'm trying to apply labels on IP ranges, that can't always >>> be defined by subnets. >>> >>> For example I want: >>> - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA" >>> - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA" >>> >>> >>> At the Pre-Tagging map example, it says that the filter key, expects the >>> expression on libpcap syntax. >>> >>> So I tried the following: >>> >>> set_label=labelAfilter='(ip >= 192.168.0.1) and (ip <= >>> 192.168.127.254)' >>> set_label=labelBfilter='(ip >= 192.168.128.1) and (ip <= >>> 192.168.255.254)' >>> >>> And it didn't work, and neither did the following, where I'm using the >>> int / hex representation of the IP. >>> >>> set_label=labelAfilter='(ip >= 3232235521) and (ip <= 3232268286)' >>> set_label=labelBfilter='(ip >= 3232268289) and (ip <= 3232301054)' >>> >>> set_label=labelAfilter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)' >>> set_label=labelBfilter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)' >>> >>> I'm always getting "malformed filter: syntax error" >>> >>> So any suggestions on how to solve this? >>> >>> Is it really a syntax error, or the range cannot be defined this way? >>> >>> Thank you for your time. >>> >>> Best Regards, >>> Georgios Kaklamanos >>> >>> >>> -- >>> -- >>> Georgios Kaklamanos >>> Research Assistant, e-Science Group, GWDG >>> mailto: georgios.kaklama...@gwdg.de >>> Telefon: 0551 201-26803 >>> -- >>> GWDG - Gesellschaft für wissenschaftliche >>> Datenverarbeitung mbH Göttingen >>> Am Faßberg 11, 37077 Göttingen, Germany >>> >>> WWW: www.gwdg.demailto: g...@gwdg.de >>> Phone: +49 (0) 551 201-1510 >>> Fax: +49 (0) 551 201-2150 >>> -- >>> Geschäftsführer: Prof. Dr. Ramin Yahyapour >>> Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger >>> Sitz der Gesellschaft: Göttingen >>> Registergericht: Göttingen >>> Handelsregister-Nr. B 598 >>> -- >>> Zertifiziert nach ISO 9001 >>> -- >>> >> >> >> >>> ___ >>> pmacct-discussion mailing list >>> http://www.pmacct.net/#mailinglists >> >> >> ___ >> pmacct-discussion mailing list >> http://www.pmacct.net/#mailinglists >> > > > > ___ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists > -- -- Georgios Kaklamanos Research Assistant, e-Science Group, GWDG mailto: georgios.kaklama...@gwdg.de Telefon: 0551 201-26803 -- GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen, Germany WWW: www.gwdg.demailto: g...@gwdg.de Phone: +49 (0) 551 20
Re: [pmacct-discussion] Apply label to IPs, based on IP range (not subnets).
Dear Paolo, Thanks for the fast reply. My main issue is that some of the ranges we have, do not fit into subnets. For example: labelA: 192.168.0.1 - 192.168.0.100 labelB: 192.168.0.101 - 192.168.0.200 That is why I was trying to play around with the less than / greater than operators, combined with "and". Would something like that be possible too? Best, Georgios On 11/10/2017 04:57 PM, Paolo Lucente wrote: > > Hi Georgios, > > The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter > syntax - what you would find working as a filter in tcpdump, should work > here too. To express IP ranges, you should use IP subnets, for example: > > set_label=labelA filter='net 192.168.0.0/17' > set_label=labelB filter='net 192.168.128.0/17' > > Paolo > > On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote: >> Hello, >> >> On nfacctd, I'm trying to apply labels on IP ranges, that can't always >> be defined by subnets. >> >> For example I want: >> - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA" >> - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA" >> >> >> At the Pre-Tagging map example, it says that the filter key, expects the >> expression on libpcap syntax. >> >> So I tried the following: >> >> set_label=labelAfilter='(ip >= 192.168.0.1) and (ip <= >> 192.168.127.254)' >> set_label=labelBfilter='(ip >= 192.168.128.1) and (ip <= >> 192.168.255.254)' >> >> And it didn't work, and neither did the following, where I'm using the >> int / hex representation of the IP. >> >> set_label=labelAfilter='(ip >= 3232235521) and (ip <= 3232268286)' >> set_label=labelBfilter='(ip >= 3232268289) and (ip <= 3232301054)' >> >> set_label=labelAfilter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)' >> set_label=labelBfilter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)' >> >> I'm always getting "malformed filter: syntax error" >> >> So any suggestions on how to solve this? >> >> Is it really a syntax error, or the range cannot be defined this way? >> >> Thank you for your time. >> >> Best Regards, >> Georgios Kaklamanos >> >> >> -- >> -- >> Georgios Kaklamanos >> Research Assistant, e-Science Group, GWDG >> mailto: georgios.kaklama...@gwdg.de >> Telefon: 0551 201-26803 >> -- >> GWDG - Gesellschaft für wissenschaftliche >> Datenverarbeitung mbH Göttingen >> Am Faßberg 11, 37077 Göttingen, Germany >> >> WWW: www.gwdg.demailto: g...@gwdg.de >> Phone: +49 (0) 551 201-1510 >> Fax: +49 (0) 551 201-2150 >> -- >> Geschäftsführer: Prof. Dr. Ramin Yahyapour >> Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger >> Sitz der Gesellschaft: Göttingen >> Registergericht: Göttingen >> Handelsregister-Nr. B 598 >> -- >> Zertifiziert nach ISO 9001 >> -- >> > > > >> ___ >> pmacct-discussion mailing list >> http://www.pmacct.net/#mailinglists > > > ___ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists > -- -- Georgios Kaklamanos Research Assistant, e-Science Group, GWDG mailto: georgios.kaklama...@gwdg.de Telefon: 0551 201-26803 -- GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen, Germany WWW: www.gwdg.demailto: g...@gwdg.de Phone: +49 (0) 551 201-1510 Fax: +49 (0) 551 201-2150 -- Geschäftsführer: Prof. Dr. Ramin Yahyapour Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: Göttingen Registergericht: Göttingen Handelsregister-Nr. B 598 -- Zertifiziert nach ISO 9001 -- smime.p7s Description: S/MIME Cryptographic Signature ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] Apply label to IPs, based on IP range (not subnets).
Hi Georgios, The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter syntax - what you would find working as a filter in tcpdump, should work here too. To express IP ranges, you should use IP subnets, for example: set_label=labelAfilter='net 192.168.0.0/17' set_label=labelBfilter='net 192.168.128.0/17' Paolo On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote: > Hello, > > On nfacctd, I'm trying to apply labels on IP ranges, that can't always > be defined by subnets. > > For example I want: > - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA" > - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA" > > > At the Pre-Tagging map example, it says that the filter key, expects the > expression on libpcap syntax. > > So I tried the following: > > set_label=labelAfilter='(ip >= 192.168.0.1) and (ip <= > 192.168.127.254)' > set_label=labelBfilter='(ip >= 192.168.128.1) and (ip <= > 192.168.255.254)' > > And it didn't work, and neither did the following, where I'm using the > int / hex representation of the IP. > > set_label=labelAfilter='(ip >= 3232235521) and (ip <= 3232268286)' > set_label=labelBfilter='(ip >= 3232268289) and (ip <= 3232301054)' > > set_label=labelAfilter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)' > set_label=labelBfilter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)' > > I'm always getting "malformed filter: syntax error" > > So any suggestions on how to solve this? > > Is it really a syntax error, or the range cannot be defined this way? > > Thank you for your time. > > Best Regards, > Georgios Kaklamanos > > > -- > -- > Georgios Kaklamanos > Research Assistant, e-Science Group, GWDG > mailto: georgios.kaklama...@gwdg.de > Telefon: 0551 201-26803 > -- > GWDG - Gesellschaft für wissenschaftliche > Datenverarbeitung mbH Göttingen > Am Faßberg 11, 37077 Göttingen, Germany > > WWW: www.gwdg.demailto: g...@gwdg.de > Phone: +49 (0) 551 201-1510 > Fax: +49 (0) 551 201-2150 > -- > Geschäftsführer: Prof. Dr. Ramin Yahyapour > Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger > Sitz der Gesellschaft: Göttingen > Registergericht: Göttingen > Handelsregister-Nr. B 598 > -- > Zertifiziert nach ISO 9001 > -- > > ___ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
[pmacct-discussion] Apply label to IPs, based on IP range (not subnets).
Hello, On nfacctd, I'm trying to apply labels on IP ranges, that can't always be defined by subnets. For example I want: - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA" - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA" At the Pre-Tagging map example, it says that the filter key, expects the expression on libpcap syntax. So I tried the following: set_label=labelAfilter='(ip >= 192.168.0.1) and (ip <= 192.168.127.254)' set_label=labelBfilter='(ip >= 192.168.128.1) and (ip <= 192.168.255.254)' And it didn't work, and neither did the following, where I'm using the int / hex representation of the IP. set_label=labelAfilter='(ip >= 3232235521) and (ip <= 3232268286)' set_label=labelBfilter='(ip >= 3232268289) and (ip <= 3232301054)' set_label=labelAfilter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)' set_label=labelBfilter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)' I'm always getting "malformed filter: syntax error" So any suggestions on how to solve this? Is it really a syntax error, or the range cannot be defined this way? Thank you for your time. Best Regards, Georgios Kaklamanos -- -- Georgios Kaklamanos Research Assistant, e-Science Group, GWDG mailto: georgios.kaklama...@gwdg.de Telefon: 0551 201-26803 -- GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen, Germany WWW: www.gwdg.demailto: g...@gwdg.de Phone: +49 (0) 551 201-1510 Fax: +49 (0) 551 201-2150 -- Geschäftsführer: Prof. Dr. Ramin Yahyapour Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: Göttingen Registergericht: Göttingen Handelsregister-Nr. B 598 -- Zertifiziert nach ISO 9001 -- smime.p7s Description: S/MIME Cryptographic Signature ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists