# 1705, Wed 8 Jul 98
#
# nifty ruleset, modified to combine sub-sessions on well-known ports
#
# Nevil Brownlee, ITSS Technology Development, The University of Auckland
#
# Purpose: classify each packet into a flow and tag it with a FlowKind
# (a plot symbol or a service letter). TCP/UDP flows whose destination
# port is one of the labelled well-known ports are keyed on the two peer
# addresses plus that destination port only; every other flow is keyed
# on both peer addresses and both transport addresses.
#
# NOTE(review): services are recognised by port number alone; nothing
# here looks at payload. A FlowKind letter therefore means "traffic to
# that port", not a confirmed protocol, and a service run on a port not
# listed below is only recorded as generic tcp/udp.
#
# NOTE(review): for labelled well-known-port flows the source (client)
# port is never saved, so separate sessions between the same two hosts
# and the same service port share one flow record. That is the stated
# intent ("combine sub-sessions"), but it means those sessions cannot be
# told apart later from the meter data alone.
#

# --- Peer (network-layer) type ---
if SourcePeerType == IP save;  # Fall through to IP handling below
else if SourcePeerType == other {  # ethertype/LSAP in source/dest peer
   store FlowKind := 3;  # Plot as SQUARE
   save SourcePeerAddress/16;
   save DestPeerAddress/16;
   count;
   }
else if SourcePeerType == dummy ignore;
else {
   # Any remaining peer type: counted with a SQUARE symbol; no peer
   # addresses are saved in this branch.
   store FlowKind := 3;  # Plot as SQUARE
   count;
   }

# --- Transport type (reached for IP packets) ---
if SourceTransType == (tcp, udp) save, {
   # Look at well-known ports
   # If the *source* port is in this list, fail the match for this
   # direction so the well-known port ends up on the Dest side.
   # (In SRL, nomatch is expected to make the meter retry with source
   # and destination swapped -- confirm against the meter documentation.)
   if SourceTransAddress == (
         domain, ftp, ftpdata, gopher, nntp, ntp, smtp, snmp, telnet, www,
         79, 110, 143, 513, 515,  # finger, pop, imap, login, printer
         137, 138, 139,  # NETBIOS name service, datagram, session
         2049,  # NFS
         1080, 8080,  # UA socks gateway, www proxy
         3128, 3130,  # Squid cache, cache control
         6000  # X-Windows
         )
      nomatch;  # We want the well-known port as Dest

   # '@' is a sentinel meaning "no labelled well-known Dest port yet";
   # it is overwritten by the first matching test in the chain below.
   # NOTE(review): gopher, ntp, 79, 513, 515 and 2049 appear in the
   # source-port list above but have no entry in this chain, so flows to
   # those ports keep '@' and are handled as ordinary tcp/udp flows.
   store FlowKind := '@';
   if DestTransAddress == (137, 138, 139)  # NETBIOS
      save, store FlowKind := 'B';
   else if DestTransAddress == 3128  # Squid data
      save, store FlowKind := 'C';
   else if DestTransAddress == 3130  # Squid control
      save, store FlowKind := 'c';
   else if DestTransAddress == domain
      save, store FlowKind := 'D';
   else if DestTransAddress == (ftp, ftpdata)
      save, store FlowKind := 'F';
   else if DestTransAddress == 143  # imap
      save, store FlowKind := 'I';
   else if DestTransAddress == nntp
      save, store FlowKind := 'N';
   else if DestTransAddress == 110  # pop
      save, store FlowKind := 'P';
   else if DestTransAddress == smtp
      save, store FlowKind := 'M';
   else if DestTransAddress == 1080  # UA socks gateway
      save, store FlowKind := 'S';
   else if DestTransAddress == snmp
      save, store FlowKind := 's';
   else if DestTransAddress == telnet
      save, store FlowKind := 'T';
   else if DestTransAddress == (www, 8080)  # UA WWW proxy
      save, store FlowKind := 'W';
   else if DestTransAddress == 6000  # xwin
      save, store FlowKind := 'X';

   if FlowKind == '@' {  # Not a well-known port
      # Only a plot symbol is chosen here; the address and port saves
      # and the count happen in the common tail after this block.
      if SourceTransType == udp
         store FlowKind := 2;  # Plot as PLUS
      else if SourceTransType == tcp
         store FlowKind := 1;  # Plot as DIAMOND
      else
         # The enclosing test already restricts SourceTransType to
         # tcp or udp, so this branch looks unreachable from here.
         store FlowKind := 3;  # Plot as SQUARE
      }
   else {
      # Labelled well-known port: key the flow on both hosts and the
      # destination port, then count here, before the common tail that
      # would also save the source port.
      save SourcePeerAddress/32;
      save DestPeerAddress/32;
      save DestTransAddress/16;  # Only save the wkp
      count;
      }
   }
else {  # Not tcp or udp
   store FlowKind := 3;  # Plot as SQUARE
   save SourceTransType;
   }

# --- Common tail: flows not counted above are keyed on both peer
# addresses and both transport addresses ---
save SourcePeerAddress/32;
save DestPeerAddress/32;
save SourceTransAddress/16;
save DestTransAddress/16;
count;
#
# SET 7;  # NeMaC command
#
#