# 2005, Thu 17 Feb 00
#
# nifty ruleset, in SRL (v6 version)
#
# Nevil Brownlee, ITSS Technology Development, The University of Auckland
#
# Purpose: classify metered packets into flows and tag each flow with a
# FlowKind value -- a plot symbol (1 = DIAMOND, 2 = PLUS, 3 = SQUARE) or a
# single letter naming the application suggested by the destination port.
#
# NOTE(review): the application letters are derived from port numbers only.
# A service on a non-standard port, or unrelated traffic on a well-known
# port, gets a misleading FlowKind; treat it as a hint, not as proof of the
# application, when the flow data is used for monitoring.
#

# --- Peer (network-layer) type ---------------------------------------------
if SourcePeerType == IPv4 || SourcePeerType == IPv6 save;
      # Fall through to IP handling below
else if SourcePeerType == other save, {
      # ethertype/LSAP in src/dest peer
   store FlowKind := 3;  # Plot as SQUARE
   save SourcePeerAddress;
   save DestPeerAddress;
   count;
   }
else if SourcePeerType == dummy ignore;  # dummy packets are not counted in any flow
else {
      # Any other peer type: keep only the type, no addresses
   save SourcePeerType;
   store FlowKind := 3;  # Plot as SQUARE
   count;
   }

# --- Multicast --------------------------------------------------------------
# nomatch abandons this attempt; the comments below rely on the meter then
# retrying the packet with source and destination swapped.
# NOTE(review): only the IPv4 range 224.0/4 is tested here; IPv6 multicast is
# not singled out -- confirm whether that is intended for the v6 version.
if DestPeerAddress == 224.0/4  # Multicast
   nomatch;  # We want the multicast address as Source
else if SourcePeerAddress == 224.0/4 {  # Multicast
   save SourcePeerAddress;
   save DestPeerAddress;
   if SourceTransType == (tcp, udp) save, {
      save SourceTransAddress;  # Don't try to classify the ports
      save DestTransAddress;
      }
   store FlowKind := 1;  # Plot as DIAMOND
   count;
   }

# --- Transport-layer classification ----------------------------------------
if SourceTransType == (tcp, udp) save, {
      # Look at well-known ports
   if SourceTransAddress == (
         domain, ftp, ftpdata, gopher, nntp, ntp, smtp, snmp, telnet, www,
         79, 110, 143, 513, 515,  # finger, pop, imap, login, printer
         137, 138, 139,  # NETBIOS name service, datagram, session
         2049,  # NFS
         1080, 8080,  # UA socks gateway, www proxy
         3128, 3130,  # Squid cache, cache control
         6000  # X-Windows
         )
      nomatch;  # We want the well-known port as Dest

   # Label the flow by destination port. Ports that are in the list above
   # but have no branch here (gopher, ntp, 79, 513, 515, 2049) fall through
   # to the generic udp/tcp kinds at the end of the chain.
   if DestTransAddress == (137, 138, 139)  # NETBIOS
      save, store FlowKind := 'B';
   else if DestTransAddress == 3128  # Squid data
      save, store FlowKind := 'C';
   else if DestTransAddress == 3130  # Squid control
      save, store FlowKind := 'c';
   else if DestTransAddress == domain
      save, store FlowKind := 'D';
   else if DestTransAddress == (ftp, ftpdata)
      save, store FlowKind := 'F';
   else if DestTransAddress == 143  # imap
      save, store FlowKind := 'I';
   else if DestTransAddress == nntp
      save, store FlowKind := 'N';
   else if DestTransAddress == 110  # pop
      save, store FlowKind := 'P';
   else if DestTransAddress == smtp
      save, store FlowKind := 'M';
   else if DestTransAddress == 1080  # UA socks gateway
      save, store FlowKind := 'S';
   else if DestTransAddress == snmp
      save, store FlowKind := 's';
   else if DestTransAddress == telnet
      save, store FlowKind := 'T';
   else if DestTransAddress == (www, 8080)  # UA WWW proxy
      save, store FlowKind := 'W';
   else if DestTransAddress == 6000  # xwin
      save, store FlowKind := 'X';
   else if SourceTransType == udp
      store FlowKind := 2;  # Plot as PLUS
   else if SourceTransType == tcp
      store FlowKind := 1;  # Plot as DIAMOND
   else
      # NOTE(review): appears unreachable -- the enclosing test already
      # restricts SourceTransType to tcp or udp.
      store FlowKind := 3;  # Plot as SQUARE
   }
else {  # Not tcp or udp
   store FlowKind := 3;  # Plot as SQUARE
   save SourceTransType;
   }

# --- Default: keep both address pairs and count the packet -----------------
save SourcePeerAddress;  # Default width is PEER_ADDR_LEN
save DestPeerAddress;
save SourceTransAddress;
save DestTransAddress;
# ASN/prefix attributes are left disabled, as in the commented-out format below
# save SourceASN; save SourcePrefix;
# save DestASN; save DestPrefix;
count;
#
# SET 7; # NeMaC command
#
# format FlowRuleSet FlowIndex FirstTime " " SourcePeerType " " SourcePeerAddress DestPeerAddress " "
# SourceASN "/" SourcePrefix DestASN "/" DestPrefix " " SourceTransAddress DestTransAddress " " ToPDUs ToOctets " " FromPDUs FromOctets;