Re: MAC address detection

From: Neil McKee <neil.mckee@inmon.com>
Date: 11/28/05
Message-Id: <8B8C0D13-A71E-4776-8C7D-570B073057BF@inmon.com>

Eric,

When filtering on a MAC address, you can use a mask (just as you can
for IP addresses). For example:

sourceAddress=00A000000000/FFFFFF000000

works just like:

sourceAddress=128.141.0.0/255.255.0.0

regards,
neil

On Nov 28, 2005, at 4:29 PM, Mckenney, Stephen E wrote:

> This is something we also need. However we need to be able to perform
> using partial MAC address. Allowing us to find anything made by a
> particular company; example 00A000******.
>
> Thank You
> Eric McKenney
>
> -----Original Message-----
> From: owner-traffic-management@inmon.com
> [mailto:owner-traffic-management@inmon.com] On Behalf Of Neil McKee
> Sent: Saturday, November 26, 2005 11:20 AM
> To: Mike Zanker
> Cc: sflow traffic management ML
> Subject: Re: [traffic-management] MAC address detection
>
> Mike,
>
> ITS version 5 will make this kind of thing quite straightforward,
> because custom-reports can be scheduled to run quite frequently. In the
> meantime, if you need to do this with ITS version 4 I think the
> simplest way to do it is probably with a small script. You can build
> the query URL you want using Query->Other->Interface Traffic, and
> then use it with wget(1). The script can be scheduled with cron(1)
> to run periodically, and it can generate an event just by writing a
> file into the appropriate directory.
>
> Below is a roughly thrown-together example that might serve as a
> starting point. Hope this helps.
>
> regards,
> neil
>
> --------------------------------------------------------------------------
> #!/bin/bash
>
> # example script to look for traffic from a given MAC address.
> # To have this script run every 5 minutes, make it executable using
> # "chmod +x", and submit a cron entry like this:
> #
> # echo "*/5 * * * * /path/to/this/script > /dev/null" | crontab "-"
>
> SEARCHMAC='000480603600';
>
> # query the last 5 minutes using Query->Other->Interface Traffic. Filter
> # with filterProtocol=MAC and set the sourceAddress filter to the one
> # we are looking for. grep the output to see if it appeared.
>
> FOUND=`wget -q -O- "http://demo.inmon.com/its/query/Monitor?filterProtocol=MAC&sourceAddress=$SEARCHMAC&intervals=1&intervalSize=5&resultField=time%2CsourceAddress&resultFormat=csv&resultProtocol=MAC&action=query" | grep -c $SEARCHMAC`;
>
> echo "FOUND=$FOUND";
>
> # post an event into the ITS event directory
> #
> POSTEVENTS="/usr/local/inmon/server/events/testForMAC.$$.up"
> #if [ "$FOUND" = "1" ]; then
> # echo "::inform:status:mac:up::::mac=$SEARCHMAC" > $POSTEVENTS;
> #fi
>
> On Nov 23, 2005, at 12:26 PM, Mike Zanker wrote:
>
>> Hello,
>>
>> is it possible to configure InMon to alert when it sees a specific
>> MAC address?
>>
>> Thanks,
>>
>> Mike.
>
Received on Mon Nov 28 10:19:20 2005
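
Added example (not part of the original thread and not InMon code): a POSIX shell check of the address/mask semantics described in the reply above, applied on the client side to rows returned by a query. The function names and the two-column CSV sample are assumptions constructed for illustration; real ITS output may differ.

```shell
#!/bin/sh
# Added example: client-side check of the sourceAddress address/mask semantics.

# Strip ':', '.' and '-' separators, upper-case, require exactly 12 hex digits.
normalize_mac() {
    m=$(printf '%s' "$1" | tr -d ':.-' | tr 'a-f' 'A-F')
    case $m in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#m}" -eq 12 ] || return 1
    printf '%s\n' "$m"
}

# mac_matches FILTER MAC
# FILTER is "address/mask" as in the sourceAddress filter; a bare address is
# treated as an exact match. Returns 0 on match, 1 on no match, 2 on bad input.
mac_matches() {
    f_addr=$(normalize_mac "${1%%/*}") || return 2
    case $1 in
        */*) f_mask=$(normalize_mac "${1#*/}") || return 2 ;;
        *)   f_mask=FFFFFFFFFFFF ;;
    esac
    f_mac=$(normalize_mac "$2") || return 2
    # Same rule as an IP netmask: compare only the bits the mask selects.
    [ $(( 0x$f_mac & 0x$f_mask )) -eq $(( 0x$f_addr & 0x$f_mask )) ]
}

# count_matches FILTER: read CSV rows "time,sourceAddress" on stdin and print
# how many rows carry a matching MAC. Header and malformed rows are skipped.
count_matches() {
    n=0
    while IFS=, read -r row_time row_mac _; do
        mac_matches "$1" "$row_mac" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample rows (assumed layout, not real ITS output).
SAMPLE_CSV='time,sourceAddress
2005-11-28 10:00,00A000123456
2005-11-28 10:00,00a0:00ff:0001
2005-11-28 10:05,000480603600
2005-11-28 10:05,00A001000000'

printf '%s\n' "$SAMPLE_CSV" | count_matches '00A000000000/FFFFFF000000'
```

Because a masked query returns full addresses, grepping the output for the literal filter string will not count the hits; comparing each returned address under the mask, as above, does.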
