# 1200, Sun 26 May 96
#
# Rules to look at IP packets, pushing all flow attributes
#
# Nevil Brownlee, ITSS Technology Development, The University of Auckland
#
# NeTraMet (RTFM) meter rule set.  The meter runs the RULES section top to
# bottom for every packet; each rule is
#     Attribute & Mask = Value: Action, Target;
# and fires when the masked attribute equals Value.  Actions seen here:
#   Ignore      - drop the packet from accounting
#   Pushto      - keep the masked attribute in the flow key, jump to Target
#   PushtoAct / PushToAct
#               - same, but the rule's Value (not the packet's) is kept
#   PushPkttoAct / PushPktToAct
#               - keep the packet's own (unmasked) attribute value, jump
#   GotoAct     - jump to Target without recording anything
#   Retry       - re-run the rules with source and destination swapped
#   CountPkt    - count the packet against the flow built so far
# "Next" means the rule on the following line; a bare "name:" line is a
# jump label.  FlowKind is a free attribute used here only to choose a
# plotting symbol / a one-letter service tag in the meter's output.
#
# NOTE(review): the file was recovered from a copy with all line breaks
# lost; breaks below were restored at rule boundaries, so check them
# against the original before loading the set into a meter.
#
SET 2
#
RULES
# Dispatch on link-layer peer type.  Anything that is neither IP nor
# "Other" falls through to the generic per-interface count below.
SourcePeerType & 255 = dummy: Ignore, 0;
SourcePeerType & 255 = IP: Pushto, IP_pkt;
SourcePeerType & 255 = Other: PushToAct, other_pkt;
#
Null & 0 = 0: GotoAct, Next;  # Not IP or Other
FlowKind & 255 = 3: PushtoAct, Next;  # Plot as SQUARE
SourceInterface & 255 = 0: PushPkttoAct, Next;
SourcePeerType & 255 = 0: CountPkt, 0;
#
other_pkt:
# We want to know ethertype/LSAP (in source/dest Peer)
# Non-IP frames are keyed only by interface and the two-byte peer
# "addresses", i.e. by protocol type rather than by host.
FlowKind & 255 = 3: PushtoAct, Next;  # Plot as SQUARE
SourceInterface & 255 = 0: PushPkttoAct, Next;
SourcePeerAddress & 255.255 = 0: PushPktToAct, Next;
DestPeerAddress & 255.255 = 0: CountPkt, 0;
#
IP_pkt:
# TCP and UDP get per-port classification; every other IP protocol
# (ICMP, etc.) is keyed by transport type only and counted via count_IP.
SourceTransType & 255 = tcp: Pushto, tcp_udp;
SourceTransType & 255 = udp: Pushto, tcp_udp;
Null & 0 = 0: GotoAct, Next;  # Not TCP or UDP
SourceTransType & 255 = 0: PushPkttoAct, Next;
FlowKind & 255 = 3: PushtoAct, count_IP;  # Plot as SQUARE
#
tcp_udp:
# Pass 1: if the well-known port is on the SOURCE side, Retry swaps
# source and destination so the flow is always recorded with the
# service (well-known) port as the destination.  This is what lets the
# DestTransAddress rules below classify both directions of a session.
SourceTransAddress & 255.255 = domain: Retry, 0;  # Want WKP as dest
SourceTransAddress & 255.255 = 79: Retry, 0;
SourceTransAddress & 255.255 = ftp: Retry, 0;
SourceTransAddress & 255.255 = ftpdata: Retry, 0;
SourceTransAddress & 255.255 = gopher: Retry, 0;
SourceTransAddress & 255.255 = 113: Retry, 0;
SourceTransAddress & 255.255 = 513: Retry, 0;
SourceTransAddress & 255.255 = 138: Retry, 0;
SourceTransAddress & 255.255 = nntp: Retry, 0;
SourceTransAddress & 255.255 = 2049: Retry, 0;
SourceTransAddress & 255.255 = ntp: Retry, 0;
SourceTransAddress & 255.255 = 110: Retry, 0;
SourceTransAddress & 255.255 = 515: Retry, 0;
SourceTransAddress & 255.255 = smtp: Retry, 0;
SourceTransAddress & 255.255 = snmp: Retry, 0;
SourceTransAddress & 255.255 = 1080: Retry, 0;  # UA socks gateway
SourceTransAddress & 255.255 = telnet: Retry, 0;
SourceTransAddress & 255.255 = www: Retry, 0;
SourceTransAddress & 255.255 = 8080: Retry, 0;  # UA WWW proxy
SourceTransAddress & 255.255 = 6000: Retry, 0;
#
# Pass 2: classify by destination (service) port.  Keep this list and
# the Retry list above in step: a port present in only one of them will
# be classified correctly in one direction only.
DestTransAddress & 255.255 = domain: GotoAct, c_domain;
DestTransAddress & 255.255 = 79: GotoAct, c_finger;
DestTransAddress & 255.255 = ftp: GotoAct, c_ftp;
DestTransAddress & 255.255 = ftpdata: GotoAct, c_ftpdata;
DestTransAddress & 255.255 = gopher: GotoAct, c_gopher;
# NOTE(review): 113 is the ident/auth port; IMAP is 143.  The label
# c_imap and its 'I' tag probably mislabel ident traffic - confirm intent.
DestTransAddress & 255.255 = 113: GotoAct, c_imap;
DestTransAddress & 255.255 = 513: GotoAct, c_login;
DestTransAddress & 255.255 = 138: GotoAct, c_netbios;
DestTransAddress & 255.255 = nntp: GotoAct, c_news;
DestTransAddress & 255.255 = 2049: GotoAct, c_nfs;
DestTransAddress & 255.255 = ntp: GotoAct, c_ntp;
DestTransAddress & 255.255 = 110: GotoAct, c_pop;
DestTransAddress & 255.255 = 515: GotoAct, c_printer;
DestTransAddress & 255.255 = smtp: GotoAct, c_smtp;
DestTransAddress & 255.255 = snmp: GotoAct, c_snmp;
DestTransAddress & 255.255 = 1080: GotoAct, c_socks;  # UA socks
DestTransAddress & 255.255 = telnet: GotoAct, c_telnet;
DestTransAddress & 255.255 = www: GotoAct, c_www;
DestTransAddress & 255.255 = 8080: GotoAct, c_www;  # UA WWW proxy
DestTransAddress & 255.255 = 6000: GotoAct, c_xwin;
#
# Any port not listed above - TCP *and* UDP, since both reach tcp_udp -
# is lumped into c_tcp and plotted as a generic DIAMOND flow.
Null & 0 = 0: GotoAct, c_tcp;  # 'Unusual' port
#
# Service tags: each label records a single-letter FlowKind so the
# reporting side can tell the services apart, then hands the packet to
# count_IP which builds the full address/port key.
c_domain:
FlowKind & 255 = 'D': PushtoAct, count_IP;
c_ftp:
c_ftpdata:
FlowKind & 255 = 'F': PushtoAct, count_IP;
c_imap:
FlowKind & 255 = 'I': PushtoAct, count_IP;
c_news:
FlowKind & 255 = 'N': PushtoAct, count_IP;
c_pop:
FlowKind & 255 = 'P': PushtoAct, count_IP;
c_smtp:
FlowKind & 255 = 'M': PushtoAct, count_IP;
c_socks:
FlowKind & 255 = 'S': PushtoAct, count_IP;
c_telnet:
FlowKind & 255 = 'T': PushtoAct, count_IP;
c_www:
FlowKind & 255 = 'W': PushtoAct, count_IP;
# NOTE(review): "c_xwin" has no trailing colon, unlike every other label,
# yet it is a GotoAct target above.  Either an extraction artefact or a
# typo that would leave the 6000/X11 jump unresolved - verify.
c_xwin FlowKind & 255 = 'X': PushtoAct, count_IP;
#
# These services are recognised (and direction-normalised by Retry) but
# get no letter tag: they fall through to c_tcp and are reported as
# plain TCP (FlowKind 1), indistinguishable from 'unusual' ports.
c_finger:
c_gopher:
c_login:
c_netbios:
# NOTE(review): "c_nfs" also lacks its colon; it is the target of the
# 2049 rule above - same check as for c_xwin.
c_nfs
c_ntp:
c_printer:
c_snmp:
#
c_tcp:
Null & 0 = 0: GotoAct, Next;  # TCP
FlowKind & 255 = 1: PushtoAct, count_IP;  # Plot as DIAMOND
#
count_IP:
# Flow key = interface + full source/dest IP addresses + full source/dest
# ports.  Records are therefore per host pair and per session, so the
# meter's output identifies individual users' connections and should be
# stored and shared with the care that implies.
SourceInterface & 255 = 0: PushPkttoAct, Next;
SourcePeerAddress & 255.255.255.255 = 0: PushPkttoAct, Next;
DestPeerAddress & 255.255.255.255 = 0: PushPkttoAct, Next;
SourceTransAddress & 255.255 = 0: PushPkttoAct, Next;
DestTransAddress & 255.255 = 0: CountPkt, 0;
#
#
# Output layout for each flow record: counters for both directions,
# then the rule set / flow index, then the layer-2 and layer-3/4 keys.
FORMAT
FirstTime LastTime ToPDUs ToOctets " " FromPDUs FromOctets " "
FlowRuleSet FlowIndex " | " SourceInterface " | "
SourcePeerType SourcePeerAddress " -> " DestPeerAddress " "
SourceTransType SourceTransAddress " -> " DestTransAddress;
#
#
STATISTICS
#
# end of file