[netsa-tools-discuss] Using rwfilter --flags-initial to filter server and client addresses

Mark Thomas mthomas at cert.org
Mon Oct 26 10:05:05 EDT 2015


asad-

The "initialFlags" field of the SiLK flow record (which is the field
checked by the --flags-initial switch on rwfilter) is only populated
when the flow record was converted from an IPFIX record generated by
YAF.

Unless you are using YAF as your flow generator, the initialFlags
field is always empty.

-Mark
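The following is an added illustration and not code from this thread or from the SiLK project: it re-implements the HIGH_FLAGS/MASK test that rwfilter applies for --flags-initial and --flags-all (a spec of S/SA means "of the SYN and ACK bits, exactly SYN is set") and runs it over constructed records shaped like rwcut output. The records, addresses and ports are made up for the example; the point is that when initialFlags is empty, as it is for flow data not generated by YAF, an S/SA test against it can never pass, which is why the query above reports Pass 0, whereas the same records carry populated cumulative flags.

```python
# Added example, not from the netsa-tools-discuss thread or the SiLK project.
# Emulates rwfilter's HIGH_FLAGS/MASK flag test on constructed rwcut-style rows.
import csv
import io

# TCP flag letters in the order SiLK displays them (FSRPAUEC) and their bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def parse_flags(text):
    """Convert a SiLK flag string such as 'FSPA' or 'S A' into a bitmask."""
    bits = 0
    for ch in text.strip().upper():
        if ch in FLAG_BITS:
            bits |= FLAG_BITS[ch]
        elif ch != " ":
            raise ValueError(f"unknown TCP flag letter {ch!r}")
    return bits


def flag_match(field_text, spec):
    """Emulate the HIGH/MASK comparison behind --flags-initial / --flags-all.

    'S/SA' means: looking only at the bits in the mask (S and A), exactly
    the HIGH bits (S) must be set, i.e. SYN on and ACK off.  A spec with no
    '/' uses the HIGH flags as the mask.  An empty field has no bits set,
    so it can only pass a spec whose HIGH part is empty.
    """
    high_txt, _, mask_txt = spec.partition("/")
    high = parse_flags(high_txt)
    mask = parse_flags(mask_txt) if mask_txt else high
    if high & ~mask:
        raise ValueError("HIGH flags must be a subset of MASK")
    return (parse_flags(field_text) & mask) == high


# Constructed rows in the shape of
#   rwcut --fields=sIP,dIP,sPort,dPort,flags,initialFlags --delimited=,
# as produced from router (NetFlow v9) data: initialFlags is never filled in.
NETFLOW_RECORDS = """\
sIP,dIP,sPort,dPort,flags,initialFlags
10.1.1.10,10.1.2.20,51512,443,FSPA,
10.1.2.20,10.1.1.10,443,51512,FSPA,
10.1.1.11,10.1.2.20,51600,22,S,
"""

# The same constructed traffic as YAF would record it: initialFlags holds
# the flags of the first packet, so the client side shows S and the server
# side shows SA.
YAF_RECORDS = """\
sIP,dIP,sPort,dPort,flags,initialFlags
10.1.1.10,10.1.2.20,51512,443,FSPA,S
10.1.2.20,10.1.1.10,443,51512,FSPA,SA
10.1.1.11,10.1.2.20,51600,22,S,S
"""


def filter_records(text, field, spec):
    """Return the sIP of every row whose `field` passes the HIGH/MASK spec."""
    rows = csv.DictReader(io.StringIO(text))
    return [row["sIP"] for row in rows if flag_match(row[field], spec)]


def pass_count(text, field, spec):
    """Number of rows that pass, mirroring the 'Pass' figure of --print-statistics."""
    return len(filter_records(text, field, spec))


if __name__ == "__main__":
    # Router data: initialFlags empty, so S/SA on it passes nothing.
    print("netflow initialFlags S/SA:", pass_count(NETFLOW_RECORDS, "initialFlags", "S/SA"))
    # YAF data: the two client-side flows pass.
    print("yaf initialFlags S/SA:", filter_records(YAF_RECORDS, "initialFlags", "S/SA"))
    # Cumulative flags are populated on router data, but both sides of a
    # completed connection carry S and A, so S/SA only picks out the
    # SYN-only flow; it does not separate client from server by itself.
    print("netflow flags S/SA:", filter_records(NETFLOW_RECORDS, "flags", "S/SA"))
    print("netflow flags SA/SA:", filter_records(NETFLOW_RECORDS, "flags", "SA/SA"))
```

To check your own data the same way, pipe the rwfilter output through rwcut with the two flag fields selected (for example `rwfilter ... --pass=stdout | rwcut --fields=sIP,dIP,sPort,dPort,flags,initialFlags`); an initialFlags column that is blank on every row confirms that the records did not come from YAF.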


-----Original Message-----
From: asad <a.alii85 at gmail.com>
Date: Mon, 26 Oct 2015 13:43:15 +0500
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Using rwfilter --flags-initial to filter server and client addresses

Hello,

I'm processing Nexus 7k logs, and on one VLAN I have tried to filter
all those IP addresses that are responsible for the initial query
(handshake). My command and results look like:

rwfilter --sensor=S1 --type=int2int --start-date=2015/10/15 \
    --end-date=2015/10/23 --flags-initial=S/SA --print-statistics \
    --pass=query.rw
Files   216.  Read      35403.  Pass          0. Fail       35403.

If the filter is correct, does it mean I don't have a client in my VLAN,
that all are servers? Can this query be converted to identify a list of
source IP addresses which requested connections to the servers in a
specific VLAN?

Thanks.

