Difference between revisions of "Forensic Data Using The Direct Filter"
From Observer GigaFlow Support | VIAVI Solutions Inc.
Kevin Wilkie (Talk | contribs) (Created page with "Field Operators Description Example srcadd =, != IP Address that the traffic came from srcadd=172.21.40.2 dstadd =, != IP Address that the traffic went to dstadd=172.21.40.3 i...") |
Kevin Wilkie (Talk | contribs) |
||
| (4 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | Field Operators Description Example | + | |
| − | srcadd =, != IP Address that the traffic came from srcadd=172.21.40.2 | + | {| class="wikitable" border="1" |
| − | dstadd =, != IP Address that the traffic went to dstadd=172.21.40.3 | + | |- |
| − | inif <, =, >, != IFIndex of the interface that the traffic came into the router on inif=23 | + | ! Field |
| − | outif <, =, >, != IFIndex of the interface that the traffic left the router on | + | ! Operators |
| − | pkts <, =, >, != Number of packets seen in the flow pkts>100 | + | ! Description |
| − | bytes <, =, >, != Number of bytes seen in the flow bytes<10000 | + | ! Example |
| − | duration <, =, >, != Duration of flow in milliseconds duration>100 | + | |- |
| − | srcport <, =, >, != Source IP port of flow srcport>1024 | + | | srcadd |
| − | dstport <, =, >, != Destination IP port of flow dstport=5900 | + | | =, != |
| − | flags <, =, >, != TCP Flags of flow flags=2 i.e. syn only. Flags=CEUAPRSF | + | | IP Address that the traffic came from |
| − | proto <, =, >, != IP Protocol Number/Type proto=16 | + | | srcadd=172.21.40.2 |
| − | tos <, =, >, != TOS Marking tos=104 //Flash | + | |- |
| − | srcas <, =, >, != Source AS Number srcas!=5124 | + | | dstadd |
| − | dstas <, =, >, != Destination AS Number dstas!=5124 | + | | =, != |
| − | fwextcode =, != Forwarding Extended Code fwextcode='out-of-memory' | + | | IP Address that the traffic went to |
| − | fwevent =, != Forwarding Event fwevent!='Flow Deleted' | + | | dstadd=172.21.40.3 |
| − | tgsource =, | + | |- |
| − | tgdest =, <> Traffic Group Destination tgdest<>'Other' | + | | inif |
| + | | <, =, >, != | ||
| + | | IFIndex of the interface that the traffic came into the router on | ||
| + | | inif=23 | ||
| + | |- | ||
| + | | outif | ||
| + | | <, =, >, != | ||
| + | | IFIndex of the interface that the traffic left the router on | ||
| + | | outif=25 | ||
| + | |- | ||
| + | | pkts | ||
| + | | <, =, >, != | ||
| + | | Number of packets seen in the flow | ||
| + | | pkts>100 | ||
| + | |- | ||
| + | | bytes | ||
| + | | <, =, >, != | ||
| + | | Number of bytes seen in the flow | ||
| + | | bytes<10000 | ||
| + | |- | ||
| + | | duration | ||
| + | | <, =, >, != | ||
| + | | Duration of flow in milliseconds | ||
| + | | duration>100 | ||
| + | |- | ||
| + | | srcport | ||
| + | | <, =, >, != | ||
| + | | Source IP port of flow | ||
| + | | srcport>1024 | ||
| + | |- | ||
| + | | dstport | ||
| + | | <, =, >, != | ||
| + | | Destination IP port of flow | ||
| + | | dstport=5900 | ||
| + | |- | ||
| + | | flags | ||
| + | | <, =, >, != | ||
| + | | TCP Flags of flow | ||
| + | | flags=2 i.e. syn only. Flags=CEUAPRSF | ||
| + | |- | ||
| + | | proto | ||
| + | | <, =, >, != | ||
| + | | IP Protocol Number/Type | ||
| + | | proto=16 | ||
| + | |- | ||
| + | | tos | ||
| + | | <, =, >, != | ||
| + | | TOS Marking | ||
| + | | tos=104 //Flash | ||
| + | |- | ||
| + | | srcas | ||
| + | | <, =, >, != | ||
| + | | Source AS Number | ||
| + | | srcas!=5124 | ||
| + | |- | ||
| + | | dstas | ||
| + | | <, =, >, != | ||
| + | | Destination AS Number | ||
| + | | dstas!=5124 | ||
| + | |- | ||
| + | | fwextcode | ||
| + | | =, != | ||
| + | | Forwarding Extended Code | ||
| + | | fwextcode='out-of-memory' | ||
| + | |- | ||
| + | | fwevent | ||
| + | | =, != | ||
| + | | Forwarding Event | ||
| + | | fwevent!='Flow Deleted' | ||
| + | |- | ||
| + | | tgsource | ||
| + | | <, =, >, != | ||
| + | | Traffic Group Source | ||
| + | | fwextcode<>'My network 1' | ||
| + | |- | ||
| + | | tgdest | ||
| + | | =, <> | ||
| + | | Traffic Group Destination | ||
| + | | tgdest<>'Other' | ||
| + | |} | ||
| + | |||
| + | |||
Ranges are also supported for IP address, port and AS fields. i.e. "dstport in (22,23,80,443) will match any flow where the dstport is either of the specified ports. | Ranges are also supported for IP address, port and AS fields. i.e. "dstport in (22,23,80,443) will match any flow where the dstport is either of the specified ports. | ||
Logical operators "and", "or", "not" as well as parentheses can also be used. i.e. "dstport not in(23,2055,443) and srcport not in (8585,23) and (fpr >0 or pkts <100)" | Logical operators "and", "or", "not" as well as parentheses can also be used. i.e. "dstport not in(23,2055,443) and srcport not in (8585,23) and (fpr >0 or pkts <100)" | ||
It is possible to check the bit value of a field using the bitand function i.e. "(flags bitand 4)=4" would filter for flows with the Reset flag set. | It is possible to check the bit value of a field using the bitand function i.e. "(flags bitand 4)=4" would filter for flows with the Reset flag set. | ||
Latest revision as of 11:49, 14 January 2020
| Field | Operators | Description | Example |
|---|---|---|---|
| srcadd | =, != | IP Address that the traffic came from | srcadd=172.21.40.2 |
| dstadd | =, != | IP Address that the traffic went to | dstadd=172.21.40.3 |
| inif | <, =, >, != | IFIndex of the interface that the traffic came into the router on | inif=23 |
| outif | <, =, >, != | IFIndex of the interface that the traffic left the router on | outif=25 |
| pkts | <, =, >, != | Number of packets seen in the flow | pkts>100 |
| bytes | <, =, >, != | Number of bytes seen in the flow | bytes<10000 |
| duration | <, =, >, != | Duration of flow in milliseconds | duration>100 |
| srcport | <, =, >, != | Source IP port of flow | srcport>1024 |
| dstport | <, =, >, != | Destination IP port of flow | dstport=5900 |
| flags | <, =, >, != | TCP Flags of flow | flags=2 i.e. syn only. Flags=CEUAPRSF |
| proto | <, =, >, != | IP Protocol Number/Type | proto=16 |
| tos | <, =, >, != | TOS Marking | tos=104 //Flash |
| srcas | <, =, >, != | Source AS Number | srcas!=5124 |
| dstas | <, =, >, != | Destination AS Number | dstas!=5124 |
| fwextcode | =, != | Forwarding Extended Code | fwextcode='out-of-memory' |
| fwevent | =, != | Forwarding Event | fwevent!='Flow Deleted' |
| tgsource | <, =, >, != | Traffic Group Source | fwextcode<>'My network 1' |
| tgdest | =, <> | Traffic Group Destination | tgdest<>'Other' |
Ranges are also supported for IP address, port and AS fields. i.e. "dstport in (22,23,80,443) will match any flow where the dstport is either of the specified ports.
Logical operators "and", "or", "not" as well as parentheses can also be used. i.e. "dstport not in(23,2055,443) and srcport not in (8585,23) and (fpr >0 or pkts <100)"
It is possible to check the bit value of a field using the bitand function i.e. "(flags bitand 4)=4" would filter for flows with the Reset flag set.
