On 06/12/2016 15:39, James A. Klun wrote:
> this does not work:
>
> $ cat filters/temp.txt
> not ( dst port 53 and proto UDP ) and
> not ( dst port 53 and proto TCP ) and
> not ( dst port 161 and proto UDP )
>
> $ nfdump -B -r nfcapd.201612050004 -f ./filters/temp.txt -o "fmt: %sa %da %dp %pr" | grep " 53 " | more
>
> produces output of form below - no filtering
>
> x.x.x.x y.y.y.y 53 UDP
> x.x.x.x y.y.y.y 53 UDP
> < continues >

I've tried your filter, and it works for me.

I think your problem is with the -B flag which may swap source and
destination ports around - that is, if it sees source port < 1024 with
dest port > 1024 then it swaps the flows around before making them
bidirectional.

If that is the problem, it implies that the filtering is taking place
*before* the -B port swapping.

Regards,

Brian.
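
The ordering described in the reply above, modelled as an added example (not nfdump's code and not from either poster): the swap rule is taken as worded in the reply, and the flow records and function names are constructed assumptions. It also goes one step further by including a direction-agnostic filter variant for comparison.

```python
# Model of the behaviour described in the reply; not nfdump source code.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto")

# Constructed sample records (documentation and private addresses).
FLOWS = [
    Flow("10.0.0.5", "192.0.2.53", 40000, 53, "UDP"),     # DNS query
    Flow("192.0.2.53", "10.0.0.5", 53, 40000, "UDP"),     # DNS reply
    Flow("10.0.0.9", "10.0.0.1", 50000, 161, "UDP"),      # SNMP poll
    Flow("198.51.100.7", "10.0.0.5", 443, 51000, "TCP"),  # HTTPS reply
]

# (port, proto) pairs excluded by filters/temp.txt
EXCLUDED = {(53, "UDP"), (53, "TCP"), (161, "UDP")}

def dst_filter(f):
    """The filter from temp.txt: drop flows whose destination port matches."""
    return (f.dport, f.proto) not in EXCLUDED

def any_port_filter(f):
    """Hypothetical variant: drop flows with the port on either side."""
    return dst_filter(f) and (f.sport, f.proto) not in EXCLUDED

def swap_like_B(f):
    """Swap rule as stated in the reply: src port < 1024 and dst port > 1024."""
    if f.sport < 1024 and f.dport > 1024:
        return Flow(f.dst, f.src, f.dport, f.sport, f.proto)
    return f

def filter_then_swap(flows, keep):
    """Filter sees the original direction; output shows the swapped one."""
    return [swap_like_B(f) for f in flows if keep(f)]

def swap_then_filter(flows, keep):
    """Filter sees the same direction that is finally displayed."""
    return [g for g in map(swap_like_B, flows) if keep(g)]

def shown_dports(flows):
    """Destination ports as they would appear in the %dp output column."""
    return sorted(f.dport for f in flows)

if __name__ == "__main__":
    for name, rows in [
        ("filter, then swap", filter_then_swap(FLOWS, dst_filter)),
        ("swap, then filter", swap_then_filter(FLOWS, dst_filter)),
        ("either-port filter, then swap", filter_then_swap(FLOWS, any_port_filter)),
    ]:
        print(f"{name}: {shown_dports(rows)}")
```

In this model the DNS reply (source port 53) passes the `dst port 53` filter and only afterwards has its ports swapped, which is how port 53 ends up in the destination column of the output.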
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss