Nagios Support Forum

Hi,

One of our network guys has asked if its possible to filter on a per interface direction?

This is what he's messaged me

"netflow records contain an input and output interface, in other netflow tools I've used you can filter on a per-interface direction, can we do this in Nagios Network Analyzer?"

http://www.cisco.com/en/US/technologies ... a3db9.html
Table 6. NetFlow Version 9 Field Type Definitions

Is this possible in NA?

You can filter on any valid tcpdump/pcap/ngrep style filter (http://www.tcpdump.org/manpages/pcap-filter.7.html). So you can make good use of the "net" directive to determine which way packets are flowing (internal network is inbound, anything else is outbound).

Edit: changed "dir" to "net", though the "dir" directive may apply as well.

Well said, eloyd. OP, let us know if that gets you on track....

Thanks

Pardon my ignorance, but how do I use that filter in nagos na?

No worries, I think eloyd was talking about using those tcpdump style filters in conjunction with custom queries (from the NNA UI). This doc provides some useful examples to get started https://assets.nagios.com/downloads/nag ... alyzer.pdf

Yes, I was. Sorry. I was actually thinking you could take that information back to your networking person, since I thought it was them asking for it!

Thanks,

I've had a play and got some results. Unsure if its correct so will check with him tomorrow.

Thanks for your help. I got the info from here, as listed in the manual

http://manpages.ubuntu.com/manpages/pre ... ump.1.html

eloyd wrote:Yes, I was. Sorry. I was actually thinking you could take that information back to your networking person, since I thought it was them asking for it!

No worries, I thought I would double check before I go back to him and he asks how to do that, plus I love to learn new things

Cool, keep us posted as to whether or not that's what the admin/network guy was looking for....

You can also set up a "filter" using views. In the screenshot above that you gave, there is a button that says "create" up top. This creates a "view" which is essentially another source inside a source that will ONLY save anything that you have determined to be in there. It uses a regular nfdump query like the ones you run in the Query page in order to determine what is saved in that view. Once you've created it, every 5 minutes when the netflow data is reaped it will also save a copy of the filtered data in the views section. Then, you can use the dropdown to select a view to see inside a source - which will end up being a filter list of values.