RE: MAC address detection

From: Mckenney, Stephen E <McKenneyStephenE@uams.edu>
Date: 04/17/06
Message-ID: <590F08A18A72AF46917BF721E6476B5C07601987@EXCHANGE2.ad.uams.edu>

I've been trying to find a way to locate devices using traffic sentinel
based on the first 6 of the mac address. Is there a way this can be
done?

Thanks
Eric

-----Original Message-----
From: Neil McKee [mailto:neil.mckee@inmon.com]
Sent: Monday, November 28, 2005 12:16 PM
To: Mckenney, Stephen E
Cc: traffic-management@inmon.com
Subject: Re: [traffic-management] MAC address detection

Eric,

When filtering on a MAC address, you can use a mask (just as you can
for IP addresses). For example:

sourceAddress=00A000000000/FFFFFF000000

works just like:

sourceAddress=128.141.0.0/255.255.0.0

regards,
neil

On Nov 28, 2005, at 4:29 PM, Mckenney, Stephen E wrote:

> This is something we also need. However we need to be able to perform
> using partial MAC address. Allowing us to find anything made by a
> particular company; example 00A000******.
>
> Thank You
> Eric McKenney
>
> -----Original Message-----
> From: owner-traffic-management@inmon.com
> [mailto:owner-traffic-management@inmon.com] On Behalf Of Neil McKee
> Sent: Saturday, November 26, 2005 11:20 AM
> To: Mike Zanker
> Cc: sflow traffic management ML
> Subject: Re: [traffic-management] MAC address detection
>
> Mike,
>
> ITS version 5 will make this kind of thing quite straightforward,
> because custom-reports can be scheduled to run quite frequently. In the
> meantime, if you need to do this with ITS version 4 I think the
> simplest way to do it is probably with a small script. You can build
> the query URL you want using Query->Other->Interface Traffic, and
> then use it with wget(1). The script can be scheduled with cron(1)
> to run periodically, and it can generate an event just by writing a
> file into the appropriate directory.
>
> Below is a roughly thrown-together example that might serve as a
> starting point. Hope this helps.
>
> regards,
> neil
>
> ------------------------------------------------------------------------------
> #!/bin/bash
>
> # example script to look for traffic from a given MAC address.
> # To have this script run every 5 minutes, make it executable using
> # "chmod +x", and submit a cron entry like this:
> #
> # echo "*/5 * * * * /path/to/this/script > /dev/null" | crontab "-"
>
> SEARCHMAC='000480603600';
>
> # query the last 5 minutes using Query->Other->Interface Traffic. Filter
> # with filterProtocol=MAC and set the sourceAddress filter to the one
> # we are looking for. grep the output to see if it appeared.
>
> FOUND=`wget -q -O- "http://demo.inmon.com/its/query/Monitor?filterProtocol=MAC&sourceAddress=$SEARCHMAC&intervals=1&intervalSize=5&resultField=time%2CsourceAddress&resultFormat=csv&resultProtocol=MAC&action=query" | grep -c "$SEARCHMAC"`;
>
> echo "FOUND=$FOUND";
>
> # post an event into the ITS event directory
> POSTEVENTS="/usr/local/inmon/server/events/testForMAC.$$.up"
> #if [ "$FOUND" = "1" ]; then
> # echo "::inform:status:mac:up::::mac=$SEARCHMAC" > $POSTEVENTS;
> #fi
>
> On Nov 23, 2005, at 12:26 PM, Mike Zanker wrote:
>
>> Hello,
>>
>> is it possible to configure InMon to alert when it sees a specific
>> MAC address?
>>
>> Thanks,
>>
>> Mike.
>

================================================================================================

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
================================================================================================
Received on Mon Apr 17 06:16:59 2006
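
The value/mask filter described in the thread (`sourceAddress=00A000000000/FFFFFF000000`), reproduced client-side as an added example; it is not InMon's code and not part of the original messages. The function names, the two-column `time,sourceAddress` CSV layout and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: value/mask matching for MAC addresses, applied to CSV rows.

# Normalise a MAC to 12 upper-case hex digits, or fail. The strict check also
# keeps unvalidated text out of the $(( )) arithmetic below.
norm_mac() {
    m=$(printf '%s' "$1" | tr -d ':.-' | tr 'a-f' 'A-F')
    case "$m" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#m}" -eq 12 ] || return 1
    printf '%s\n' "$m"
}

# mac_matches ADDR VALUE[/MASK]: exit 0 when (ADDR & MASK) == (VALUE & MASK),
# 1 when it does not match, 2 when any field is not a valid MAC.
mac_matches() {
    case "$2" in
        */*) v=${2%%/*}; k=${2#*/} ;;
        *)   v=$2; k=FFFFFFFFFFFF ;;   # no mask given: exact match
    esac
    addr=$(norm_mac "$1") || return 2
    value=$(norm_mac "$v") || return 2
    mask=$(norm_mac "$k") || return 2
    [ "$(( 0x$addr & 0x$mask ))" = "$(( 0x$value & 0x$mask ))" ]
}

# count_matches VALUE[/MASK]: read "time,sourceAddress" rows on stdin and
# print how many carry a matching source MAC. Header and bad rows are skipped.
count_matches() {
    n=0
    while IFS=, read -r _time src _rest; do
        if mac_matches "$src" "$1"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Constructed sample rows, not real ITS output.
sample_rows() {
    cat <<'EOF'
time,sourceAddress
1132947600,00A000123456
1132947600,00:a0:00:ab:cd:ef
1132947600,000480603600
1132947600,not-a-mac
EOF
}

sample_rows | count_matches 00A000000000/FFFFFF000000   # prints 2
```

With a mask of `FFFFFF000000` only the first three bytes (the vendor prefix) are compared, so both `00A000...` rows count regardless of how the address is punctuated.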