2 Replies Latest reply: Jan 21, 2015 6:03 AM by Jamie Lozan

BPF Syntax inside traffic expression

Jamie Lozan

Can we use BPFs inside a traffic expression?  For example, I'm running a script and want to exclude ICMP or GRE.  Can I do something like this?  Or no?

.....--groupby hpr --trafficexpr "(src hostgroup ByLocationSummary:az and dst hostgroup ByLocation:NDC) or (dst hostgroup ByLocationSummary:az and src hostgroup ByLocation:MDC) and not icmp and not gre" --timefilter="11/5/14 2:00 to 11/5/14 2:02" --columns cli_host_dns,cli_group_name........

 

Runs fine without the "and not" syntax... what am I missing?

Thank you.........Jamie

  • Re: BPF Syntax inside traffic expression
    jchessman

    Hi Jamie-

     

    Unfortunately you cannot use BPF syntax when querying against a NetProfiler.  NetProfiler has its own query syntax (if you have access to a NetProfiler, go to Reports->Traffic->Advanced Tab and look for the "Traffic Expression" tab; under that entry box there is a place where you can get to the help screens, which have detailed information on how to use the query syntax. I also attached a PDF copy to this message) that is used in place of BPF.

    In the example you put above you need to specify identifiers for the icmp and gre.  So:

    "(src hostgroup ByLocationSummary:az and dst hostgroup ByLocation:NDC) or (dst hostgroup ByLocationSummary:az and src hostgroup ByLocation:MDC) and not proto 1 and not proto 47"

     

    Though I think you may want to reconsider using "and not proto 1 and not proto 47" since that may cause evaluation problems - it is unlikely you will have proto 1 and 47 at the same time.  This may work better:

     

    "(src hostgroup ByLocationSummary:az and dst hostgroup ByLocation:NDC) or (dst hostgroup ByLocationSummary:az and src hostgroup ByLocation:MDC) and not (proto 1 or proto 47)"

     

    Josh
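
How grouping affects a protocol exclusion appended to an "or" of two host-group clauses, as an added example that is not part of the thread and is not NetProfiler's parser: a toy evaluator run over constructed flow records. It assumes conventional precedence ("not", then "and", then "or"), which the thread does not confirm for NetProfiler; `compile_expr`, `matches` and the flow records are hypothetical names and data.

```python
import re
# Constructed sample flows (not from the thread): host groups and IP protocol number.
AZ, NDC, MDC = "ByLocationSummary:az", "ByLocation:NDC", "ByLocation:MDC"
FLOWS = [
    {"id": "az->NDC tcp", "src": AZ, "dst": NDC, "proto": 6},
    {"id": "az->NDC icmp", "src": AZ, "dst": NDC, "proto": 1},
    {"id": "MDC->az gre", "src": MDC, "dst": AZ, "proto": 47},
    {"id": "MDC->az udp", "src": MDC, "dst": AZ, "proto": 17},
]

def compile_expr(expr):
    """Toy parser. Assumption: 'not' binds tighter than 'and', 'and' tighter than 'or'."""
    toks = re.findall(r"[()]|[^\s()]+", expr)
    def take():
        if not toks:
            raise ValueError("unexpected end of expression")
        return toks.pop(0)
    def chain(sub, word, combine):
        # Parse sub (word sub)* and join the parts with all() or any().
        terms = [sub()]
        while toks and toks[0] == word:
            take()
            terms.append(sub())
        return lambda f: combine(t(f) for t in terms)
    def unary():
        tok = take()
        if tok == "not":
            inner = unary()
            return lambda f: not inner(f)
        if tok == "(":
            inner = either()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok == "proto":
            number = int(take())
            return lambda f: f["proto"] == number
        if tok in ("src", "dst") and take() == "hostgroup":
            group = take()
            return lambda f: f[tok] == group
        raise ValueError(f"unexpected token {tok!r}")
    both = lambda: chain(unary, "and", all)
    either = lambda: chain(both, "or", any)
    pred = either()
    if toks:  # leftover tokens, e.g. a ')' with no matching '('
        raise ValueError("unbalanced or trailing tokens")
    return pred

def matches(expr):
    return [f["id"] for f in filter(compile_expr(expr), FLOWS)]
```

Under the assumed precedence, an exclusion written after the second clause applies to that clause only, so the constructed ICMP flow in the first clause still matches; wrapping both clauses in one outer pair of parentheses before the "and not" applies the exclusion to both directions.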