[flow-tools] Local Traffic filter...
Michael Bellears
michael.bellears@staff.datafx.com.au
Fri, 17 May 2002 14:50:37 +1000
Mark,
Champion!!
Seems my piping b/w the two flow-stats was causing the problem.
The following worked perfectly:
./flow-cat -a /netflow/oar/krc3.v5/2002/2002-04/2002-04-26 | ./flow-filter -f test.acl -Sbar -Dfoo|./flow-stat -f17
test.acl:
ip access-list standard foo permit host xxx.xxx.xxx.xxx
ip access-list standard foo deny any
ip access-list standard bar deny yyy.yyy.yyy.0 0.0.0.255
ip access-list standard bar permit any
Regards,
MB
> -----Original Message-----
> From: Mark Fullmer [mailto:maf@splintered.net]
> Sent: Friday, 17 May 2002 2:00 PM
> To: Michael Bellears
> Cc: 'Cougar'; 'flow-tools@splintered.net'
> Subject: Re: [flow-tools] Local Traffic filter...
>
> What you're doing should work. You can save a data copy by using
> -S and -D at the same time, ie
>
> flow.acl:
> ip access-list standard foo permit 10.0.0.0 0.255.255.255
> ip access-list standard bar permit 128.146.0.0 0.0.255.255
>
> flow-cat <data> | flow-filter -f flow.acl -Sfoo -Dbar | flow-stat -f17
>
> Subnets can be matched by using Cisco's don't care bit ACL syntax. The
> above would permit traffic from 10/8 to 128.146/16.
>
> flow-tag with flow-stat may be a better solution for customer billing.
> Some pieces are still missing, ie the ability for flow-filter to filter
> on tags but that should be in 0.58.
>
> mark
>
> On Thu, May 16, 2002 at 04:59:48PM +1000, Michael Bellears wrote:
> > Ahh Yes! - That will teach me to copy+paste!
> >
> > I still get zero output though:
> >
> > ./flow-cat -a /netflow/oar/krc3.v5/2002/2002-04/2002-04-30 | ./flow-filter -f client.acl -D foo|./flow-filter -f local.acl -S bar|./flow-stat -f17 |more
> > # --- ---- ---- Report Information --- --- ---
> > #
> > # Fields: Total
> > # Symbols: Disabled
> > # Sorting: None
> > # Name: Input interface
> > #
> > # Args: ./flow-stat -f17
> > #
> > #
> > # interface flows octets packets
> > #
> > vagabond:~/flow-tools-0.57/src#
> >
> > Regards,
> > MB
> >
> > > -----Original Message-----
> > > From: Cougar [mailto:cougar@random.ee]
> > > Sent: Thursday, 16 May 2002 4:46 PM
> > > To: Michael Bellears
> > > Cc: 'flow-tools@splintered.net'
> > > Subject: RE: [flow-tools] Local Traffic filter...
> > >
> > >
> > > On Thu, 16 May 2002, Michael Bellears wrote:
> > >
> > > > Now, if I have the following:
> > > > local.acl
> > > > ip access-list standard bar deny host yyy.yyy.yyy.yyy
> > > > ip access-list standard bar deny any
> > >
> > > Are you sure it should be "deny any" instead of "permit any" ? ;-)
> > >
> > > ---
> > > Cougar
> > >
> > >
> > > _______________________________________________
> > > flow-tools@splintered.net
> > > http://www.splintered.net/sw/flow-tools
> >
> > _______________________________________________
> > flow-tools@splintered.net
> > http://www.splintered.net/sw/flow-tools
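
Added example, not part of the thread and not flow-tools code: a small Python model of how the standard ACLs above are evaluated with don't-care masks, and of -S/-D as a source check and a destination check that must both permit. It shows why a list made of "deny host ..." followed by "deny any" passes no flows at all. Assumptions: Cisco semantics (first match wins, no match is a deny) are taken to apply to flow-filter, the function names are hypothetical, and the addresses standing in for xxx/yyy are constructed.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse 'ip access-list standard NAME permit|deny SPEC' lines into
    {name: [(action, address, wildcard), ...]}, keeping rule order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] != ["ip", "access-list", "standard"] or len(tok) < 6:
            continue
        name, action, spec = tok[3], tok[4], tok[5:]
        if spec[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif spec[0] == "host":
            addr, wild = spec[1], "0.0.0.0"
        else:  # address followed by an optional don't-care mask
            addr, wild = spec[0], (spec[1] if len(spec) > 1 else "0.0.0.0")
        acls.setdefault(name, []).append((action, _u32(addr), _u32(wild)))
    return acls

def permits(rules, ip):
    """First matching rule decides; no match means deny (assumed Cisco semantics)."""
    for action, addr, wild in rules:
        # Bits set in the wildcard are "don't care"; all other bits must match.
        if ((_u32(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def passes(acls, src, dst, S=None, D=None):
    """Model of flow-filter -S<acl> -D<acl>: every check given must permit."""
    return ((S is None or permits(acls[S], src)) and
            (D is None or permits(acls[D], dst)))

# Constructed stand-ins for the masked addresses in the thread.
TEST_ACL = parse_acl("""
ip access-list standard foo permit host 192.0.2.10
ip access-list standard foo deny any
ip access-list standard bar deny 198.51.100.0 0.0.0.255
ip access-list standard bar permit any
""")
BROKEN_ACL = parse_acl("""
ip access-list standard bar deny host 198.51.100.7
ip access-list standard bar deny any
""")
FLOW_ACL = parse_acl("""
ip access-list standard foo permit 10.0.0.0 0.255.255.255
ip access-list standard bar permit 128.146.0.0 0.0.255.255
""")
```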