Re: [Sguil-users] Zeroes for source IP/port, dest IP/port, and protocol
From: Chris M. <chr...@da...> - 2009-10-22 20:13:09
Thanks all for your responses and suggestions.

We've identified the cause of our zero value records. It was due to our SANCP configuration logging non-IP(v4) traffic. This resulted in SANCP creating sessions for data where no IP information or point of reference was available, hence all the zero value records being logged under source packets and source bytes.

The sessions with a large number of source packets/bytes were IPv6, STP, Loop and CDP. Sessions for these types of traffic were being created over a 24-hour period, which is the time interval between SANCP being restarted each night.

So with the appropriate SANCP configuration or BPF filters we can now filter these types of traffic out.

Many Thanks

--
Chris Martin CCNA
Infrastructure Analyst
Dataline Software Ltd
Clarence House, 30-31 North Street, Brighton, BN1 1EB, UK
Tel: +44 (0)1273 324939
Fax: +44 (0)1273 205576
www: http://www.dataline.co.uk
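An added example, not part of the original message: a small frame classifier showing why the traffic types named above (IPv6, STP, Loop, CDP) offer no IPv4 source/destination/port/protocol to log, and which frames an IPv4-only capture filter would keep. The frames are constructed, the function names are hypothetical, and using the BPF expression `ip` is an assumption about the filter chosen.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_LOOP, ETH_VLAN = 0x0800, 0x86DD, 0x9000, 0x8100

def classify(frame: bytes) -> str:
    """Name the layer-2 payload of an Ethernet frame."""
    if len(frame) < 14:
        return "runt"
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if etype == ETH_VLAN and len(frame) >= 18:   # skip one 802.1Q tag
        (etype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if etype >= 0x0600:                          # Ethernet II: field is an EtherType
        return {ETH_IPV4: "ipv4", ETH_IPV6: "ipv6",
                ETH_LOOP: "loop"}.get(etype, "other")
    # Below 0x0600 the field is an 802.3 length; the payload starts with LLC.
    llc = frame[off:off + 8]
    if llc[:2] == b"\x42\x42":                   # DSAP/SSAP 0x42 = spanning tree
        return "stp"
    if llc[:3] == b"\xaa\xaa\x03" and llc[3:8] == b"\x00\x00\x0c\x20\x00":
        return "cdp"                             # SNAP, Cisco OUI, protocol id 0x2000
    return "other"

def has_ipv4_tuple(frame: bytes) -> bool:
    """Same decision as the BPF expression `ip` (`vlan and ip` for one tag)."""
    return classify(frame) == "ipv4"

def _frame(dst_hex: str, type_or_len: int, payload: bytes) -> bytes:
    # Source MAC is left as zeroes; only the type/length field matters here.
    return bytes.fromhex(dst_hex) + bytes(6) + struct.pack("!H", type_or_len) + payload

SAMPLES = {  # constructed frames, not captured traffic
    "ipv4": _frame("ffffffffffff", 0x0800, b"\x45" + bytes(19)),
    "ipv6": _frame("333300000001", 0x86DD, b"\x60" + bytes(39)),
    "loop": _frame("cf0000000000", 0x9000, bytes(46)),
    "stp":  _frame("0180c2000000", 38, b"\x42\x42\x03" + bytes(35)),
    "cdp":  _frame("01000ccccccc", 60, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + bytes(52)),
}

def dropped_by_ip_filter(frames: dict) -> list:
    """Names of the frames an IPv4-only filter would exclude from session logging."""
    return sorted(name for name, f in frames.items() if not has_ipv4_tuple(f))

if __name__ == "__main__":
    print(dropped_by_ip_filter(SAMPLES))
```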