# 1300, Fri 20 Oct 95
#
# Rules to look at IP flows by Class C subnet
#
# Nevil Brownlee, ITSS Technology Development, The University of Auckland
#
# Overview (review notes):
#   - Only IP packets are metered; everything else hits the catch-all
#     Ignore rule, so non-IP traffic is invisible to this rule set.
#   - Peer addresses are masked with 255.255.255.0, so flows are aggregated
#     per /24 ("Class C") network and individual hosts are not distinguished.
#   - TCP/UDP flows are classified purely by port number. A port number is
#     not proof of the application actually in use; several listed ports
#     (2049, 6000) lie outside the privileged range below 1024.
#   - "Null & 0 = 0" has mask 0 and value 0, so it always matches; it is
#     used as the default / fall-through rule of each group.
#   - The "...Act" action variants are understood to jump to the target
#     rule's action without running its test - confirm against the
#     NeTraMet version in use.
#
SET 5
#
RULES
  SourcePeerType & 255 = IP: PushtoAct, IP_pkt;
  Null & 0 = 0: Ignore, 0;    # not IP: packet is not counted at all
#
IP_pkt:
  # Take both peer addresses from the packet, masked to the /24 network.
  SourcePeerAddress & 255.255.255.0 = 0.0.0.0: PushPkttoAct, Next;
  DestPeerAddress & 255.255.255.0 = 0.0.0.0: PushPktto, Next;
#
  # Dispatch on transport protocol. tcp/udp go on to the port tests;
  # icmp/ospf are counted by transport type only.
  SourceTransType & 255 = tcp: Pushto, tcp_udp;
  SourceTransType & 255 = udp: Pushto, tcp_udp;
  SourceTransType & 255 = icmp: PushtoAct, c_trans_only;
  SourceTransType & 255 = ospf: PushtoAct, c_trans_only;
  Null & 0 = 0: GotoAct, c_bad;  # Unknown transport type
#
tcp_udp:
  # Source port is a listed service port: record that port and count.
  SourceTransAddress & 255.255 = domain: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = 79: PushtoAct, c_trans_source;      # finger
  SourceTransAddress & 255.255 = ftp: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = ftpdata: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = gopher: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = 113: PushtoAct, c_trans_source;     # ident/auth
  SourceTransAddress & 255.255 = 513: PushtoAct, c_trans_source;     # rlogin (tcp) / who (udp)
  SourceTransAddress & 255.255 = 138: PushtoAct, c_trans_source;     # NetBIOS datagram
  SourceTransAddress & 255.255 = nntp: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = 2049: PushtoAct, c_trans_source;    # NFS
  SourceTransAddress & 255.255 = ntp: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = 110: PushtoAct, c_trans_source;     # POP3
  SourceTransAddress & 255.255 = 515: PushtoAct, c_trans_source;     # lpd printer
  SourceTransAddress & 255.255 = smtp: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = snmp: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = telnet: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = www: PushtoAct, c_trans_source;
  SourceTransAddress & 255.255 = 6000: PushtoAct, c_trans_source;    # X11
#
  # Destination port is a listed service port: Retry.
  # NOTE(review): Retry presumably abandons this match so the meter can
  # retry with source and destination swapped, letting the source-port
  # rules above classify the flow - confirm against the meter documentation.
  # This list must stay identical to the source-port list above; a port
  # present in only one of them is classified in one direction only.
  DestTransAddress & 255.255 = domain: Retry, 0;
  DestTransAddress & 255.255 = 79: Retry, 0;
  DestTransAddress & 255.255 = ftp: Retry, 0;
  DestTransAddress & 255.255 = ftpdata: Retry, 0;
  DestTransAddress & 255.255 = gopher: Retry, 0;
  DestTransAddress & 255.255 = 113: Retry, 0;
  DestTransAddress & 255.255 = 513: Retry, 0;
  DestTransAddress & 255.255 = 138: Retry, 0;
  DestTransAddress & 255.255 = nntp: Retry, 0;
  DestTransAddress & 255.255 = 2049: Retry, 0;
  DestTransAddress & 255.255 = ntp: Retry, 0;
  DestTransAddress & 255.255 = 110: Retry, 0;
  DestTransAddress & 255.255 = 515: Retry, 0;
  DestTransAddress & 255.255 = smtp: Retry, 0;
  DestTransAddress & 255.255 = snmp: Retry, 0;
  DestTransAddress & 255.255 = telnet: Retry, 0;
  DestTransAddress & 255.255 = www: Retry, 0;
  DestTransAddress & 255.255 = 6000: Retry, 0;
#
  Null & 0 = 0: GotoAct, c_bad;  # 'Unusual' port
c_bad:
  # Neither port is in the list (or the transport type is unknown): record
  # both transport addresses as found in the packet. These are the flows to
  # review for unexpected services. Because every distinct port pair between
  # two /24 networks appears to become its own flow here, traffic that
  # touches many ports will probably inflate the flow table - watch meter
  # memory when this rule set is deployed.
  # NOTE(review): for unknown (non-TCP/UDP) transport types the "port"
  # fields may not hold meaningful values - verify.
  SourceTransAddress & 255.255 = 0: PushPktToAct, Next;
  DestTransAddress & 255.255 = 0: PushPktToAct, Next;
# Both labels below name the same final rule, which counts the packet.
c_trans_source:
c_trans_only:
  SourceTransType & 255 = 0: CountPkt, 0;
#
# Output columns for each flow record: packet and octet counters for both
# directions, then peer type, transport type and the two transport
# addresses, then the two (masked) peer addresses.
#
FORMAT ToPDUs ToOctets " " FromPDUs FromOctets " " SourcePeerType SourceTransType SourceTransAddress DestTransAddress "\t" SourcePeerAddress DestPeerAddress;
#
# end of file