FILTERS.CONF(5) FILTERS.CONF(5)
NAME
filters.conf - filter definitions file
DESCRIPTION
This file contains filter definitions for netrafd writers.
It is divided into sections. Each section is delimited by
an opening [[filter name]] line and a closing [[]] line, and
consists of OPTION = "value"; definitions.
Each section defines a filter, which contains a list of
optional parameters specifying criteria for packet
filtering.
Comment lines begin with a # sign.
FILTER SECTION
DMAC Process only packets destined for the given MAC
address.
SMAC Process only packets sent from the given MAC
address.
DIP Process only packets destined for the given IP
address.
SIP Process only packets sent from the given IP
address.
DPORT Process only packets destined for the given port.
SPORT Process only packets sent from the given port.
INTERFACE
Process only packets that came through the given
interface.
PCRE Process only packets that match the given regular
expression.
*) On slower machines, a complicated match expression
may cause netrafd to drop some packets.
EXAMPLES
To process only packets that came from a particular
MAC address, we could define a filter matching packets whose
source address header value equals the desired MAC.
[[filter one]]
SMAC = "AA:BB:CC:DD:EE:FF";
[[]]
---
To count only packets with queries to our local HTTP
server, we should check packets destined for our port 80.
[[filter two]]
DIP = "172.10.20.30";
DPORT = "80";
[[]]
---
To gather information about traffic going through
a particular interface...
[[interface 1]]
INTERFACE = "eth1";
[[]]
---
To check who connected to our VNC server, we could match
packets by regular expression, so that only the beginning of
the connection will be captured...
[[filter three]]
DPORT = "5900" ;
DIP = "172.10.20.1" ;
PCRE = "rfb 00[1-9].00[0-9]" ;
[[]]
---
...or we could check who is logging in to our FTP server
with the plain-text login method :)
[[filter three]]
DPORT = "21";
DIP = "10.15.14.13";
PCRE = "USER|PASS";
[[]]
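---
The following checker is an added example, not part of netrafd or of the original manual page. It parses the [[filter name]] ... [[]] section syntax described in DESCRIPTION and reports unclosed sections, repeated section names (the examples above use "filter three" twice), unknown options and out-of-range ports. The name check_filters, the port-range rule and the sample input are assumptions of this example; how netrafd itself treats these cases is not stated here.

```python
import re

# Option names listed under FILTER SECTION on this page.
KNOWN = {"DMAC", "SMAC", "DIP", "SIP", "DPORT", "SPORT", "INTERFACE", "PCRE"}
SECTION = re.compile(r'^\[\[(.*)\]\]$')            # [[filter name]] or [[]]
OPTION = re.compile(r'^([A-Z]+)\s*=\s*"(.*)"\s*;$')  # OPTION = "value";

def check_filters(text):
    """Parse filters.conf text; return (filters, problems) with line numbers."""
    filters, problems, name, opts = [], [], None, {}
    def close(lineno, msg=None):      # end the open section, optionally noting a problem
        nonlocal name
        if msg:
            problems.append((lineno, msg))
        if name is not None:
            filters.append((name, opts))
        name = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank or comment line
            continue
        sec, opt = SECTION.match(line), OPTION.match(line)
        if sec and not sec.group(1).strip():       # closing [[]] line
            close(lineno, None if name is not None else "[[]] with no open section")
        elif sec:                                  # opening [[filter name]] line
            if name is not None:
                close(lineno, f"section '{name}' is missing its closing [[]]")
            title = sec.group(1).strip()
            if any(n == title for n, _ in filters):
                problems.append((lineno, f"section name '{title}' is used twice"))
            name, opts = title, {}
        elif not opt or name is None:
            problems.append((lineno, f'expected OPTION = "value"; inside a section: {line}'))
        else:
            key, value = opt.groups()
            if key not in KNOWN:
                problems.append((lineno, f"unknown option {key}"))
            # Assumption of this example: ports are decimal, 1..65535.
            elif key in ("DPORT", "SPORT") and not (value.isdigit() and 0 < int(value) < 65536):
                problems.append((lineno, f"{key} value {value!r} is not a port number"))
            opts[key] = value
    if name is not None:
        close(lineno, f"section '{name}' is missing its closing [[]]")
    return filters, problems

# Constructed sample input with deliberate mistakes, not a real netrafd configuration.
SAMPLE = ('[[vnc]]\nDPORT = "5900" ;\n[[]]\n'
          '[[vnc]]\nDPROT = "21";\nSPORT = "99999";\n'
          '[[ftp]]\nPCRE = "USER|PASS";\n')
```

Calling check_filters(SAMPLE) returns the three parsed sections and one problem each for lines 4 through 8 of the sample.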
SEE ALSO
netrafd.conf(5)
AUTHORS
M.K. M.S. T.J.
09.06.2005 FILTERS.CONF(5)