From mworld at twbc.net Wed Jan 4 15:00:41 2012
From: mworld at twbc.net (Otto)
Date: Wed, 04 Jan 2012 14:00:41 +1000
Subject: [netflow-tools] ipv6 filtering - unwanted addresses showing up
Message-ID: <4F03CEE9.1060101@twbc.net>

Hi. I've been setting up some IPv6 filters with some unwanted results.
I get link local and multicast addresses showing up.

e.g. (real ips removed)

discard src 2001:xxxx:xxxx:xxxx::/56
accept dst 2001:xxxx:xxxx:xxxx::/56
discard before date 20120101000000
discard after date 20120101235959
discard inet

Output:

1325347355,0,2157541701,127.0.0.1,2,146,2157232389,2157232289,0,0,fe80::456f:397d:4c49:b9f3,ff02::1:3,(null),0,0,64852,5355,17,0,0,0,0,0,0
1325347355,0,2157541701,127.0.0.1,2,146,2157234962,2157234862,0,0,fe80::456f:397d:4c49:b9f3,ff02::1:3,(null),0,0,62415,5355,17,0,0,0,0,0,0
1325347373,0,2157558941,127.0.0.1,22,1584,2157547205,2157252221,0,0,fe80::456f:397d:4c49:b9f3,ff02::1:ff54:e8c8,(null),0,0,0,0,58,0,0,0,0,0,0

Regards,
Otto.

From mworld at twbc.net Fri Jan 6 18:45:41 2012
From: mworld at twbc.net (Otto)
Date: Fri, 06 Jan 2012 17:45:41 +1000
Subject: [netflow-tools] bz2 flowd file reading working in c/c++
In-Reply-To: <20111219100302.02d42c1b@beans.lunch.za.net>
References: <4EEEA363.2090704@twbc.net> <20111219100302.02d42c1b@beans.lunch.za.net>
Message-ID: <4F06A6A5.3010606@twbc.net>

Hi guys. I took another look at reading bzip2 compressed flowd log files and have managed to get it working. The only reason I would want to do this is for threading. I know I could just use bzcat if I were using flowd-reader, but I'm writing a threaded app.

I'm not sure who the maintainer is for flowd, but they may be interested in the code.

All I do is compress the files after rolling them over (every 5 minutes). The roll over script takes care of creating the directory structure (like flow-capture) e.g. 2012/2012-01/2012-01-06, send flowd -SIGHUP and then renames the main log file that flowd is writing to, to {datedir}/flowd-2012-01-06-hhmmss, finally compressing it.

Regards,
Otto.

On 19/12/2011 6:03 PM, Andrew McGill wrote:
> On Mon, 19 Dec 2011 12:37:23 +1000
> Otto wrote:
>
>> Hi. This community seems rather quite ?
> Quite true. Report a bug. Write flow-split-by-ip-list netflow splitter and save me the trouble. Happy Christmas!
>
> &:-)

From mworld at twbc.net Thu Jan 12 20:20:41 2012
From: mworld at twbc.net (Otto)
Date: Thu, 12 Jan 2012 19:20:41 +1000
Subject: [netflow-tools] ipv6 filtering - unwanted addresses showing up - SOLVED
In-Reply-To: <4F03CEE9.1060101@twbc.net>
References: <4F03CEE9.1060101@twbc.net>
Message-ID: <4F0EA5E9.8060401@twbc.net>

I figured this filtering system out. I think the docs need better examples.

If I want all destination addresses to match a local subnet or 2 from 2012-01-12 18:00:00 to 2012-01-12 19:00:00 is:

discard quick before date 20120112180000
discard quick after date 20120112190000
accept quick dst 2001:xxxx:xxxx:xxxx::/56
accept quick dst 192.168.0.0/19
discard all

Regards,
Otto.

On 4/01/2012 2:00 PM, Otto wrote:
> Hi. I've been setting up some IPv6 filters with some unwanted results.
> I get link local and multicast addresses showing up.
>
> e.g. (real ips removed)
>
> discard src 2001:xxxx:xxxx:xxxx::/56
> accept dst 2001:xxxx:xxxx:xxxx::/56
> discard before date 20120101000000
> discard after date 20120101235959
> discard inet
>
> Output:
>
> 1325347355,0,2157541701,127.0.0.1,2,146,2157232389,2157232289,0,0,fe80::456f:397d:4c49:b9f3,ff02::1:3,(null),0,0,64852,5355,17,0,0,0,0,0,0
>
> 1325347355,0,2157541701,127.0.0.1,2,146,2157234962,2157234862,0,0,fe80::456f:397d:4c49:b9f3,ff02::1:3,(null),0,0,62415,5355,17,0,0,0,0,0,0
>
> 1325347373,0,2157558941,127.0.0.1,22,1584,2157547205,2157252221,0,0,fe80::456f:397d:4c49:b9f3,ff02::1:ff54:e8c8,(null),0,0,0,0,58,0,0,0,0,0,0
>
>
>
> Regards,
> Otto.
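
Added example, not part of the original thread and not flowd's own code: a small Python model of the rule evaluation, showing why the first rule set lets the fe80:: to ff02:: flows through while the SOLVED one does not. It assumes PF-style semantics (the last matching rule decides, `quick` stops at the first match, a flow matching no rule is accepted); `2001:db8:1200::/56` stands in for the redacted prefix, the flow time stamp is constructed, and the hypothetical `parse_rule`/`decide` helpers handle only the keywords used in the thread.

```python
import ipaddress

# Assumed semantics (PF-style, not stated in the thread): the last matching rule
# decides, "quick" stops at the first match, no match at all means accept.
def parse_rule(line):
    tok = line.split()
    rule = {"action": tok[0], "quick": False, "conds": []}
    i = 1
    while i < len(tok):
        if tok[i] == "quick":
            rule["quick"] = True
            i += 1
        elif tok[i] in ("src", "dst"):
            rule["conds"].append((tok[i], ipaddress.ip_network(tok[i + 1])))
            i += 2
        elif tok[i] in ("before", "after"):   # "<before|after> date <stamp>"
            rule["conds"].append((tok[i], int(tok[i + 2])))
            i += 3
        elif tok[i] in ("inet", "inet6"):     # address-family match
            rule["conds"].append(("af", 4 if tok[i] == "inet" else 6))
            i += 1
        else:                                 # "all" adds no condition
            i += 1
    return rule

def matches(cond, flow):
    kind, val = cond
    if kind in ("src", "dst"):                # v4 address vs v6 network is False
        return ipaddress.ip_address(flow[kind]) in val
    if kind == "before":
        return flow["time"] < val
    if kind == "after":
        return flow["time"] > val
    return ipaddress.ip_address(flow["src"]).version == val

def decide(ruleset, flow):
    verdict = "accept"                        # assumed default when nothing matches
    for rule in (parse_rule(r) for r in ruleset.split(";")):
        if all(matches(c, flow) for c in rule["conds"]):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

NET = "2001:db8:1200::/56"   # constructed stand-in for the redacted prefix
FIRST = (f"discard src {NET}; accept dst {NET}; discard before date 20120101000000;"
         " discard after date 20120101235959; discard inet")
SOLVED = ("discard quick before date 20120112180000; discard quick after date 20120112190000;"
          f" accept quick dst {NET}; accept quick dst 192.168.0.0/19; discard all")
# Link-local to multicast flow as in the posted output; the time stamp is constructed.
LEAK = {"src": "fe80::456f:397d:4c49:b9f3", "dst": "ff02::1:3", "time": 20120101020235}
```

Under these assumptions `decide(FIRST, LEAK)` returns `accept` because no rule matches an in-window IPv6 flow outside the /56 (`discard inet` only covers IPv4), while the SOLVED set ends in `discard all`, so anything not explicitly accepted is dropped.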