Difference between revisions of "Forensic Data Using The Direct Filter"
From Observer GigaFlow Support | VIAVI Solutions Inc.
Kevin Wilkie (Talk | contribs) |
Kevin Wilkie (Talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
| Line 43: | Line 27: | ||
| outif=25 | | outif=25 | ||
|- | |- | ||
| − | | | + | | pkts |
| − | | | + | | <, =, >, != |
| − | | | + | | Number of packets seen in the flow |
| − | | | + | | pkts>100 |
|- | |- | ||
| − | | | + | | bytes |
| − | | | + | | <, =, >, != |
| − | | | + | | Number of bytes seen in the flow |
| − | | | + | | bytes<10000 |
|- | |- | ||
| − | | | + | | duration |
| − | | | + | | <, =, >, != |
| − | | | + | | Duration of flow in milliseconds |
| − | | | + | | duration>100 |
|- | |- | ||
| − | | | + | | srcport |
| − | | | + | | <, =, >, != |
| − | | | + | | Source IP port of flow |
| − | | | + | | srcport>1024 |
|- | |- | ||
| − | | | + | | dstport |
| − | | | + | | <, =, >, != |
| − | | | + | | Destination IP port of flow |
| − | | | + | | dstport=5900 |
|- | |- | ||
| − | | | + | | flags |
| − | | | + | | <, =, >, != |
| − | | | + | | TCP Flags of flow |
| − | | | + | | flags=2 i.e. syn only. Flags=CEUAPRSF |
|- | |- | ||
| − | | | + | | proto |
| − | | | + | | <, =, >, != |
| − | | | + | | IP Protocol Number/Type |
| − | | | + | | proto=16 |
|- | |- | ||
| − | | | + | | tos |
| − | | | + | | <, =, >, != |
| − | | | + | | TOS Marking |
| − | | | + | | tos=104 //Flash |
|- | |- | ||
| − | | | + | | srcas |
| − | | | + | | <, =, >, != |
| − | | | + | | Source AS Number |
| − | | | + | | srcas!=5124 |
|- | |- | ||
| − | | | + | | dstas |
| − | | | + | | <, =, >, != |
| − | | | + | | Destination AS Number |
| − | | | + | | dstas!=5124 |
|- | |- | ||
| − | | | + | | fwextcode |
| − | | | + | | =, != |
| − | | | + | | Forwarding Extended Code |
| − | | | + | | fwextcode='out-of-memory' |
|- | |- | ||
| − | | | + | | fwevent |
| − | | | + | | =, != |
| − | | | + | | Forwarding Event |
| − | | | + | | fwevent!='Flow Deleted' |
|- | |- | ||
| − | | | + | | tgsource |
| − | | | + | | <, =, >, != |
| − | | | + | | Traffic Group Source |
| − | | | + | | fwextcode<>'My network 1' |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
|- | |- | ||
| − | | | + | | tgdest |
| − | | | + | | =, <> |
| − | | | + | | Traffic Group Destination |
| − | | | + | | tgdest<>'Other' |
|} | |} | ||
Latest revision as of 11:49, 14 January 2020
| Field | Operators | Description | Example |
|---|---|---|---|
| srcadd | =, != | IP Address that the traffic came from | srcadd=172.21.40.2 |
| dstadd | =, != | IP Address that the traffic went to | dstadd=172.21.40.3 |
| inif | <, =, >, != | IFIndex of the interface that the traffic came into the router on | inif=23 |
| outif | <, =, >, != | IFIndex of the interface that the traffic left the router on | outif=25 |
| pkts | <, =, >, != | Number of packets seen in the flow | pkts>100 |
| bytes | <, =, >, != | Number of bytes seen in the flow | bytes<10000 |
| duration | <, =, >, != | Duration of flow in milliseconds | duration>100 |
| srcport | <, =, >, != | Source IP port of flow | srcport>1024 |
| dstport | <, =, >, != | Destination IP port of flow | dstport=5900 |
| flags | <, =, >, != | TCP Flags of flow | flags=2 i.e. syn only. Flags=CEUAPRSF |
| proto | <, =, >, != | IP Protocol Number/Type | proto=16 |
| tos | <, =, >, != | TOS Marking | tos=104 //Flash |
| srcas | <, =, >, != | Source AS Number | srcas!=5124 |
| dstas | <, =, >, != | Destination AS Number | dstas!=5124 |
| fwextcode | =, != | Forwarding Extended Code | fwextcode='out-of-memory' |
| fwevent | =, != | Forwarding Event | fwevent!='Flow Deleted' |
| tgsource | <, =, >, != | Traffic Group Source | fwextcode<>'My network 1' |
| tgdest | =, <> | Traffic Group Destination | tgdest<>'Other' |
Ranges are also supported for IP address, port and AS fields. i.e. "dstport in (22,23,80,443) will match any flow where the dstport is either of the specified ports.
Logical operators "and", "or", "not" as well as parentheses can also be used. i.e. "dstport not in(23,2055,443) and srcport not in (8585,23) and (fpr >0 or pkts <100)"
It is possible to check the bit value of a field using the bitand function i.e. "(flags bitand 4)=4" would filter for flows with the Reset flag set.
