On Tue, 14 Mar 2006, Nathan Einwechter wrote:
> I just installed flowd as part of a security management system I'm
> trying to pull together and am trying to refine the collection of
> NetFlow logs to reduce the amount of space eaten by the logs. As such, I
> am trying to filter out those entries I'm not interested in.
> Specifically, I am trying to filter out (discard) anything non-UDP or
> TCP and any connection which was not established (obviously for TCP
> only, we'll keep all UDP).
>
> How can this be done? I've been fiddling with the filters for a couple
> days now and just can't seem to get it.
You should be able to do something like:
discard all
accept proto udp
accept proto tcp tcp_flags mask 0x12 equals 0x12
# ACK = 0x10, SYN = 0x02
-d
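An added example, not part of this thread or of the flowd distribution: a small Python model of the filter posted above, run over a few constructed flow records, to show what `tcp_flags mask 0x12 equals 0x12` actually selects and why the `mask` is needed. It assumes pf-style evaluation in which the last matching rule decides (the ordering `discard all` first, then the `accept` rules, relies on that); the `Flow`/`Rule` classes, the sample addresses and the default action when nothing matches are assumptions made for the illustration.

```python
"""Model of the posted flowd filter, applied to constructed NetFlow records."""
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers as carried in the NetFlow 'proto' field.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# TCP flag bits. The tcp_flags field of a NetFlow record is the OR of all
# flags seen on the flow, so an established session usually carries more
# than just SYN|ACK (0x12); that is why the rule masks before comparing.
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    tcp_flags: int = 0  # only meaningful when proto == PROTO_TCP


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "discard"
    proto: Optional[int] = None          # None matches any protocol ("all")
    flags_mask: Optional[int] = None     # tcp_flags mask <m>
    flags_equals: Optional[int] = None   # tcp_flags ... equals <v>

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.flags_equals is not None:
            # "tcp_flags mask M equals V" means (flags & M) == V.
            # With no mask given, every flag bit takes part in the comparison.
            mask = self.flags_mask if self.flags_mask is not None else 0xFF
            if (flow.tcp_flags & mask) != self.flags_equals:
                return False
        return True


def decide(rules: List[Rule], flow: Flow) -> str:
    """Return the action for one flow: the last matching rule wins
    (assumed pf-style semantics, no 'quick')."""
    action = "accept"  # assumed default; irrelevant once 'discard all' leads the list
    for rule in rules:
        if rule.matches(flow):
            action = rule.action
    return action


def apply_filter(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Keep only the flows the rule set accepts."""
    return [f for f in flows if decide(rules, f) == "accept"]


# The three lines from the reply, in order.
POSTED_FILTER = [
    Rule("discard"),                                                        # discard all
    Rule("accept", proto=PROTO_UDP),                                        # accept proto udp
    Rule("accept", proto=PROTO_TCP, flags_mask=0x12, flags_equals=0x12),    # SYN and ACK both seen
]

# Constructed records; addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.53", PROTO_UDP),                                   # DNS query
    Flow("10.0.0.5", "192.0.2.10", PROTO_TCP, TH_SYN | TH_ACK | TH_PSH | TH_FIN),  # completed session
    Flow("198.51.100.7", "10.0.0.5", PROTO_TCP, TH_SYN),                        # SYN that got no reply
    Flow("198.51.100.7", "10.0.0.5", PROTO_TCP, TH_RST),                        # bare RST
    Flow("10.0.0.5", "10.0.0.1", PROTO_ICMP),                                   # ping
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{decide(POSTED_FILTER, f):7s} {f.src} -> {f.dst} "
              f"proto={f.proto} flags=0x{f.tcp_flags:02x}")
```

Running it keeps only the DNS flow and the completed TCP session. The `mask` matters: a rule written as `tcp_flags equals 0x12` with no mask would compare all eight bits and reject that same session, because its flags word is 0x1b (SYN|ACK|PSH|FIN) rather than exactly 0x12.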