Forensic Data Using The Direct Filter

From Observer GigaFlow Support | VIAVI Solutions Inc.
Revision as of 10:42, 14 January 2020 by Kevin Wilkie


Fields available in the direct filter, the operators each supports, and an example filter:

| Field | Operators | Description | Example |
|---|---|---|---|
| srcadd | =, != | IP address that the traffic came from | srcadd=172.21.40.2 |
| dstadd | =, != | IP address that the traffic went to | dstadd=172.21.40.3 |
| inif | <, =, >, != | ifIndex of the interface that the traffic came into the router on | inif=23 |
| outif | <, =, >, != | ifIndex of the interface that the traffic left the router on | outif=25 |
| pkts | <, =, >, != | Number of packets seen in the flow | pkts>100 |
| bytes | <, =, >, != | Number of bytes seen in the flow | bytes<10000 |
| duration | <, =, >, != | Duration of the flow in milliseconds | duration>100 |
| srcport | <, =, >, != | Source IP port of the flow | srcport>1024 |
| dstport | <, =, >, != | Destination IP port of the flow | dstport=5900 |
| flags | <, =, >, != | TCP flags of the flow; bit order is CEUAPRSF | flags=2 (SYN only) |
| proto | <, =, >, != | IP protocol number/type | proto=16 |
| tos | <, =, >, != | TOS marking | tos=104 (Flash) |
| srcas | <, =, >, != | Source AS number | srcas!=5124 |
| dstas | <, =, >, != | Destination AS number | dstas!=5124 |
| fwextcode | =, != | Forwarding extended code | fwextcode='out-of-memory' |
| fwevent | =, != | Forwarding event | fwevent!='Flow Deleted' |
| tgsource | =, <> | Traffic group source | tgsource<>'My network 1' |
| tgdest | =, <> | Traffic group destination | tgdest<>'Other' |

Ranges (lists of values) are also supported for IP address, port and AS fields, e.g. "dstport in (22,23,80,443)" matches any flow whose dstport is one of the listed ports. The logical operators "and", "or" and "not", together with parentheses, can also be used, e.g. "dstport not in (23,2055,443) and srcport not in (8585,23) and (fpr >0 or pkts <100)". The bit value of a field can be tested with the bitand function, e.g. "(flags bitand 4)=4" filters for flows with the Reset (RST) flag set.
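The filter syntax described above, worked through as an added example that is not GigaFlow's own code: a small tokenizer and recursive-descent evaluator that applies direct-filter expressions (comparisons, in-lists, and/or/not with parentheses, and bitand) to constructed flow records. Field names follow the table; the TCP-flag bit values (CEUAPRSF, FIN as bit 0), the record layout and the use of bytes in place of the unexplained fpr field are assumptions.

```python
import operator, re
KEYWORDS = {"and", "or", "not", "in", "bitand"}
OPS = {"=": operator.eq, "!=": operator.ne, "<>": operator.ne, "<": operator.lt, ">": operator.gt}
def tokenize(text):
    toks = re.findall(r"'[^']*'|\d+\.\d+\.\d+\.\d+|\d+|[a-z_]\w*|!=|<>|[<>=(),]", text, re.I)
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", text): raise ValueError("unexpected characters in filter")
    return [t if t[0] == "'" else t.lower() for t in toks]   # keywords and field names are case-insensitive
class Filter:
    """Recursive-descent evaluator; precedence lowest to highest: or, and, not, comparison / [not] in, bitand."""
    def __init__(self, text): self.toks, self.i = tokenize(text), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expect=None):
        if expect is not None and self.peek() != expect: raise ValueError(f"expected {expect!r}, got {self.peek()!r}")
        self.i += 1; return self.toks[self.i - 1] if self.i <= len(self.toks) else None
    def matches(self, flow):
        self.i = 0; v = self.expr(flow)
        if self.peek() is not None: raise ValueError(f"trailing token {self.peek()!r}")
        return bool(v)
    def expr(self, f): return self.chain("or", self.term, f, lambda a, b: a or b)
    def term(self, f): return self.chain("and", self.factor, f, lambda a, b: a and b)
    def bitexpr(self, f): return self.chain("bitand", self.primary, f, operator.and_)
    def chain(self, kw, sub, f, combine):   # left-assoc binary level; both sides always evaluated, so syntax is fully checked
        v = sub(f)
        while self.peek() == kw: self.take(); v = combine(v, sub(f))
        return v
    def factor(self, f):   # unary 'not'
        return not self.factor(f) if self.peek() == "not" and self.take() else self.comparison(f)
    def comparison(self, f):
        lhs, tok = self.bitexpr(f), self.peek()
        if tok in ("not", "in"):   # field [not] in (v1, v2, ...)
            negate = self.take() == "not"
            if negate: self.take("in")
            self.take("("); vals = [self.bitexpr(f)]
            while self.peek() == ",": self.take(); vals.append(self.bitexpr(f))
            self.take(")"); return (lhs in vals) != negate
        return OPS[self.take()](lhs, self.bitexpr(f)) if tok in OPS else lhs   # bare value, e.g. inside "(flags bitand 4)"
    def primary(self, f):
        tok = self.take()
        if tok == "(": v = self.expr(f); self.take(")"); return v
        if tok and (tok[0].isdigit() or tok[0] == "'"): return int(tok) if tok.isdigit() else tok.strip("'")
        if tok and tok[0].isalpha() and tok not in KEYWORDS: return f[tok]   # KeyError for an unknown field
        raise ValueError(f"unexpected token {tok!r}")
def flag_bits(s): return sum(1 << "FSRPAUEC".index(c) for c in s)   # CEUAPRSF bit order, FIN = bit 0 (assumed)
FLOWS = [   # constructed sample flow records, not real traffic
    dict(srcadd="172.21.40.2", dstadd="172.21.40.3", srcport=51234, dstport=22, pkts=40, bytes=5200, flags=flag_bits("SAPF")),
    dict(srcadd="10.0.0.7", dstadd="172.21.40.3", srcport=44000, dstport=5900, pkts=1, bytes=60, flags=flag_bits("S")),
    dict(srcadd="172.21.40.9", dstadd="10.0.0.7", srcport=33000, dstport=443, pkts=3, bytes=180, flags=flag_bits("RA")),
]
def filter_flows(text, flows=FLOWS):   # indexes of the flows that match a direct-filter expression
    flt = Filter(text); return [i for i, f in enumerate(flows) if flt.matches(f)]
```

Unknown characters and trailing tokens are rejected rather than ignored, so a mistyped filter fails loudly instead of silently matching more (or fewer) flows than intended.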