[netflow-tools] Flowd Filter Question
Damien Miller
djm at mindrot.org
Wed Mar 15 07:39:02 EST 2006
On Tue, 14 Mar 2006, Nathan Einwechter wrote:
> I just installed flowd as part of a security management system I'm
> trying to pull together and am trying to refine the collection of
> NetFlow logs to reduce the amount of space eaten by the logs. As such, I
> am trying to filter out those entries I'm not interested in.
> Specifically, I am trying to filter out (discard) anything non-UDP or
> TCP and any connection which was not established (obviously for TCP
> only, we'll keep all UDP).
>
> How can this be done? I've been fiddling with the filters for a couple
> days now and just can't seem to get it.
You should be able to do something like:
discard all
accept proto udp
accept proto tcp tcp_flags mask 0x12 equals 0x12
# ACK = 0x10, SYN = 0x02
-d
More information about the netflow-tools
mailing list