IPFIXCOL2-FILTER-INTER(7) IPFIXcol collector IPFIXCOL2-FILTER-INTER(7)

ipfixcol2-filter-inter - Filter (intermediate plugin)

The plugin filters flow records based on a filter expression. Flow records that do not match the specified filtering criteria are discarded.

  • Comparison operators ==, <, >, <=, >=, !=. If the comparison operator is omitted, the default comparison is ==.
  • The contains operator for substring comparison, e.g. DNSName contains "example".
  • Arithmetic operations +, -, *, /, %.
  • Bitwise operations not ~, or |, and &, xor ^.
  • The in operator for list comparison, e.g. port in [80, 443].
  • The logical and, or, not operators.



  • Numbers can be integer or floating point. Integer numbers can also be written in their hexadecimal or binary form using the 0x or 0b prefix. Floating point numbers also support the exponential notation such as 1.2345e+2. A number can be explicitly unsigned using the u suffix. Numbers also support size suffixes B, k, M, G, T, and time suffixes ns, us, ms, s, m, d.
  • Strings are values enclosed in a pair of double quotes ". Supported escape sequences are \n, \r, \t and \". The escape sequences to write characters using their octal or hexadecimal value are also supported, e.g. \x22 or \042.
  • IP addresses are written in their usual format, e.g. 127.0.0.1 or 1234:5678:9abc:def1:2345:6789:abcd:ef12. The shortened IPv6 version is also supported, e.g. ::ff. IP addresses can also contain a suffix specifying their prefix length, e.g. 10.0.0.0/16.
  • MAC addresses are written in their usual format, e.g. 12:34:56:78:9a:bc.
  • Timestamps use the ISO timestamp format, e.g. 2020-04-05T24:00Z.



IPFIX fields can be identified using their name specified in the IPFIX information elements table or their alias defined in the aliases.xml file. If the IPFIX name is used and it refers to the default iana table, the iana: prefix can be omitted. Note that one alias can point to multiple IPFIX information elements. The default location of the aliases file is /etc/libfds/system/aliases.xml.

Commonly used values can be mapped to a name using the mappings.xml file, for example the name http when used in an expression port http can refer to the value 80. These names can have different meanings depending on the IPFIX field they're being compared with. The default location of the mappings file is /etc/libfds/system/mappings.xml.

    <intermediate>
        <name>Filter</name>
        <plugin>filter</plugin>
        <params>
            <expr>ip 10.0.0.0/16 and port in [80, 8080]</expr>
        </params>
    </intermediate>


The most common use case would be filtering based on a list of allowed IP address ranges. In such case, it is recommended to use the following construct for optimal performance:

    <intermediate>
        <name>Filter</name>
        <plugin>filter</plugin>
        <params>
            <expr>srcip in [1.0.0.0/8, 2.2.0.0/16, 3.3.3.0/24] or dstip in [4.4.4.0/24]</expr>
        </params>
    </intermediate>
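
Added example (not part of the ipfixcol2 documentation): a Python helper that validates an allowlist, builds the recommended "srcip in [...] or dstip in [...]" expression, and emits the <intermediate> block with XML-special operators such as < escaped. The function names, the strict CIDR check and the offline would_keep preview (which assumes that "in" matches any address inside a listed prefix) are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET


def parse_nets(ranges):
    # strict=True rejects host bits (e.g. 10.0.0.1/16), a common allowlist
    # typo. This strictness is this example's choice, not plugin behaviour.
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def allowlist_expr(src_ranges, dst_ranges):
    """Build 'srcip in [...] or dstip in [...]' from validated CIDR lists."""
    parts = []
    for field, ranges in (("srcip", src_ranges), ("dstip", dst_ranges)):
        nets = parse_nets(ranges)
        if nets:
            parts.append(f"{field} in [{', '.join(map(str, nets))}]")
    if not parts:
        raise ValueError("refusing to build a filter from an empty allowlist")
    return " or ".join(parts)


def intermediate_xml(expr, name="Filter"):
    """Wrap an expression in the <intermediate> block used on this page."""
    root = ET.Element("intermediate")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "plugin").text = "filter"
    params = ET.SubElement(root, "params")
    # ElementTree escapes <, > and &, so comparison and bitwise operators
    # in the expression cannot break the configuration XML.
    ET.SubElement(params, "expr").text = expr
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def would_keep(src, dst, src_ranges, dst_ranges):
    """Offline preview: would a record with these addresses pass the filter?
    Assumes 'in' matches an address inside any listed prefix."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in parse_nets(src_ranges))
            or any(d in n for n in parse_nets(dst_ranges)))


if __name__ == "__main__":
    SRC, DST = ["1.0.0.0/8", "2.2.0.0/16", "3.3.3.0/24"], ["4.4.4.0/24"]  # from the page
    print(intermediate_xml(allowlist_expr(SRC, DST)))
    # Constructed sample flows: only the first matches the allowlist.
    for src, dst in [("2.2.9.9", "8.8.8.8"), ("9.9.9.9", "8.8.8.8")]:
        print(src, dst, "keep" if would_keep(src, dst, SRC, DST) else "discard")
```

Because records that do not match are discarded, running the preview over a few known-good flows before deploying a new allowlist catches ranges that would silently drop wanted traffic.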


expr: The filter expression.

Michal Sedlák (xsedla0v@stud.fit.vutbr.cz)

Copyright © 2020 CESNET, z.s.p.o.

2020-08-24 1.0
