SiLK, FlowViewer 4.6
I'm wondering if there is support for "Any" in two areas.
First, I'd like to be able to search across all my IPFIX devices as a Netflow Source (i.e. remove --sensor from the rwfilter command).
Second, just like there is a set of fields for Sources and Destinations, we'd like to see a set of fields for "Anys" so that if the source or destination IP is 1.1.1.1, it matches (i.e. use --any-cidr). If the source or destination port is 80, it matches, etc. (i.e. use --aport).
Alternatively, if there is a way to do this (other than the "Other Switches" field) that I'm missing, any guidance would be appreciated.
Thanks!
Sorry ... I've been swamped lately ....
To query from all devices, please try the 'Site' (as a device) option. Should be some discussion in the User's Guide.
I'm thinking the 'any' (sounds like 'source_port = 80, OR dest_port = 80', etc.) option may have to be a future enhancement. (But a worthy one).
Thanks for the Reply Joe. I'm not sure what the behavior change is supposed to be with the Site directive but I'm not seeing any. Here is my config. Setting ipfix_default_device to "Site"; seems to have no effect. It behaves the same as setting it to ""; I have to manually pick a device to get the UI to add the SiLK elements.
$version = "4.6";
$no_devices_or_exporters = "Y";
@devices = (); # for flow-tools
@ipfix_devices = ("router1","router2","router3");
#@ipfix_devices = ();
@ipfix_storage = ();
$ipfix_default_device = "Site";
@exporters = ();
Hi Eacheach,
You'll need to add a device called 'Site';
I.e., @ipfix_devices = ("Site");
Try that please ... if it doesn't work please reply with a DEBUG_VIEWER or DEBUG_GRAPHER text file and we'll see what it is trying to do.
Thanks,
Joe
Last edit: Joe Loiacono 2015-04-06
Haha, I guess adding a pound before a line makes it jumbo as the empty ipfix_devices line above was actually commented out. I have replaced my list with "Site" and it is behaving as expected. Thanks for the help.
Hah! Was a little puzzled why it was Jumbo! Glad it's working ... I've updated the documentation.
Joe
<DELETED>
Last edit: Eacheach 2015-03-18