From 81358f577310865d4e3f7a9dc770d36d25bab5d1 Mon Sep 17 00:00:00 2001 From: Peter Haag Date: Fri, 10 Jan 2025 12:47:01 +0100 Subject: [PATCH] Update man page nfdump.1 for nat filters. See #589 --- man/nfdump.1 | 96 +++++++++++++++++++--------------------------------- 1 file changed, 34 insertions(+), 62 deletions(-) diff --git a/man/nfdump.1 b/man/nfdump.1 index 9bb90f67..432a0c6c 100755 --- a/man/nfdump.1 +++ b/man/nfdump.1 @@ -964,13 +964,13 @@ the source or destination geo location code may match. Please note: country code .Nm filter language reserved words such as IN, LT etc must be explicitly quoted to be recoginzed as string. .Pp -.It Cm tunip Ar ipaddr -.It Cm src tunip Ar ipaddr -.It Cm dst tunip Ar ipaddr +.It Cm tun ip Ar ipaddr +.It Cm src tun ip Ar ipaddr +.It Cm dst tun ip Ar ipaddr True if the respective tunnel IP field of the record matches .Ar ipaddr . If -.Cm tunip +.Cm tun ip is not specified with .Cm src or @@ -1436,7 +1436,6 @@ True, if the respective latency field in the flow record compares to is specified in msec. .Pp .It CISCO ASA, network security event logging (NSEL) and NAT event logging (NEL) specific filters: -.It NSEL specific filters: .Pp .It Cm asa event Ar event True if the NSEL event type of an event record matches @@ -1459,12 +1458,23 @@ which may be True, if the comparison of the extended event field of the event record matches .Ar num .Pp +.It Cm nat event Cm event +True if the NEL event type of an event record matches +.Ar event. event +may be +.Ar add, delete +.Pp +.It Cm nat event Ar comp number +True if the comparison of the NEL event type of an event records matches +.Ar number +as a number. +.Pp .It Cm nat ip Ar ipaddr .It Cm src nat ip Ar ipaddr .It Cm dst nat ip Ar ipaddr True, if the field of the translated source or destination IP address matches -.Ar ipaddr -if +.Ar ipaddr. +If .Cm nat ip is specified without .Cm src 
@@ -1472,13 +1482,13 @@ or .Cm dst both IP addresses may match. .Pp -.It Cm nat port Ar ipaddr -.It Cm src nat port Ar ipaddr -.It Cm dst nat port Ar ipaddr -True, if the field of the translated source or destination IP address matches -.Ar ipaddr -if -.Cm xport +.It Cm nat port Ar port +.It Cm src nat port Ar port +.It Cm dst nat port Ar port +True, if the field of the translated source or destination port matches +.Ar port. +If +.Cm port is specified without .Cm src or @@ -1501,6 +1511,16 @@ or .Cm dst both IP addresses may match. .Pp +.It Cm pblock start Ar comp number +.It Cm pblock step Ar comp number +.It Cm pblock end Ar comp number +True if the comparison of the start, step or end of the NAT port block in the event record matches +.Ar number +.It Cm port in pblock +.It Cm src port in pblock +.It Cm dst port in pblock +True, if the source or destination port field matches the NAT port block range +.Pp .It Cm ingress ACL Ar comp number .It Cm ingress ACE Ar comp number .It Cm ingress XACE Ar comp number 
@@ -1511,58 +1531,10 @@ True if the comparison of the respective ingress field matches True if the comparison of the egress field matches .Ar number .Pp -.It NEL specific filters: -.It Cm nat event Cm event -True if the NEL event type of an event record matches -.Ar event. event -may be -.Ar add, delete -.Pp -.It Cm nat event Ar comp number -True if the comparison of the NEL event type of an event records matches -.Ar number -as a number. -.Pp -.It Cm nip Ar ipaddr -.It Cm src nip Ar ipaddr -.It Cm dst nip Ar ipaddr -True, if the field of the nat source or destination IP address matches -.Ar ipaddr -if -.Cm nip -is specified without -.Cm src -or -.Cm dst -both IP addresses may match. -.Pp -It Cm nport Ar number -.It Cm src nport Ar number -.It Cm dst nport Ar number -True, if the field of the nat source or destination port matches -.Ar number -if -.Cm nip -is specified without -.Cm src -or -.Cm dst -both ports may match. -.Pp .It Cm ingress vrf Ar number True, if the field of the ingess vrf field of the event record matches .Ar number .Pp -.It Cm pblock start Ar comp number -.It Cm pblock step Ar comp number -.It Cm pblock end Ar comp number -True if the comparison of the start, step or end of the NAT port block in the event record matches -.Ar number -.It Cm port in pblock -.It Cm src port in pblock -.It Cm dst port in pblock -True, if the source or destination port field matches the NAT port block range -.Pp .It Ar comp Many filter elements support the comparison with a number. The following comparators are supported for each of those filters:
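Review bot: In the @@ -964 hunk, the switch from `tunip` to `tun ip` in all three `.It` lines and in the `.Cm` reference gives no hint to readers whose existing filters use the one-word spelling. Add a sentence saying whether `tunip` is still accepted or has been replaced. The unchanged context line just above this entry also reads "recoginzed", which could be corrected to "recognized" in the same pass.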
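Review bot: In the @@ -1436 hunk, the added `.It Cm nat event Cm event` marks the argument as a command keyword, while the parallel entry a few lines up uses `.It Cm asa event Ar event`; this should be `Ar event`. The added `.Ar event. event`, `.Ar add, delete` and `.Ar ipaddr.` also attach punctuation and plain words to the argument, so they render in argument style. mdoc wants the punctuation as its own token, as the `tun ip` entry does with `.Ar ipaddr .`, and the sentence text on a separate line. "of an event records matches" should read "of an event record matches".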
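Review bot: In the @@ -1472 hunk, the rewritten `nat port` entry ends with `If` / `.Cm port` "is specified without", which names a different keyword from the one being documented. The `nat ip` entry directly above it says `.Cm nat ip` at the same point, so this should be `.Cm nat port`. The added `.Ar port.` has the same glued full stop as in the previous hunk and should be `.Ar port .`.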
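Review bot: In the @@ -1501 hunk, there is no `.Pp` between the `pblock start/step/end` description (ending in `.Ar number`) and the following `.It Cm port in pblock` group, although every neighbouring entry in this list is separated by one. Add a `.Pp` after `.Ar number` so the two entries are spaced consistently. The `port in pblock` sentence could also state that the block range is taken from the same event record.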
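Review bot: In the @@ -1511 hunk, the `nip` and `nport` entries are deleted outright, and the page now documents only `nat ip` and `nat port`, with nothing telling users of the short forms what happened to them. If the filter parser still accepts `nip`/`nport`, a one-line note under the `nat ip` and `nat port` entries would preserve that information; if not, the commit message should say the keywords were replaced. The context line kept next to `.It Cm ingress vrf Ar number` reads "ingess vrf" and could be fixed while this block is being reorganised.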