argh! Ports
list Jeff Newman
All,

Quick question. I have tried every permutation I can think of, but basically:

Every PORT example I can find has something similar to:

PORT LOCAL=%[.:]22$ (etc...)
or
PORT LOCAL=%[.:](80|443)

No example I have seen has it where you KNOW the IP and you DON'T know the port, such as:

192.168.22.3:???????????

I need the port string to match an IP with an unknown port number.

If I do:

PORT REMOTE=192.168.22.3:1234

(saying that netstat has a 1234 established) it works fine, but (again pretending on the port #'s) if a netstat had 3 established connections to ports 1234, 1111, 23521 I only get the 1234. I want all of them.

I've tried permutations for 2 hours now, and can't figure it out.

Thanks,
Jeff
list Galen Johnson
Have you tried "REMOTE=%192.168.22.3:.*"? Now, that will most likely get you every port on that IP...which is probably not what you want...it's usually easier to write it for the ports you want...or "EXREMOTE=%192.168.22.3:.*"... =G=
list Jeff Newman
Actually that is what I want (every port on that IP) - It's a second nic on that box that only does one thing (just on a couple different random ports)

I just tried both:

PORT "REMOTE=%192.168.22.3:.*"
and
PORT REMOTE=%192.168.22.3:.* (without the double quotes)

and neither worked.

Again, explicitly stating PORT REMOTE=192.168.22.3:1234 does work, so I know it at least partially works :-)

-jeff
list Galen Johnson
Just tried it using pcretest and it works...there are some threads on the list that suggest wrapping the regex in quotes: REMOTE="%192.168.22.3:.*" Dunno what else to try... =G=
list Jeff Newman
Still didn't work. Henrik: I've just counted 60 different variations I have tried ( ()'s "'s etc.. in various places) and still the only thing that works is PORT REMOTE=192.168.22.3:1234 I cannot get the regex to work. What would be the absolute authoritative way to do this? Is there some sort of log I can look at? BTW server is 4.2, os is redhat as 4 Thanks,
Jeff
list John Glowacki
The following works for me on redhat as 4, Hobbit server 4.2 with allinone patch, pcre version 6.7.

HOST=hobbit1
PORT REMOTE=%::ffff:10.10.196.120:.*
PORT REMOTE=%10.10.128.130:.*

You can run tests in hobbit like this:

# ../bin/bbcmd ../bin/hobbitd_client --test
2007-05-21 11:02:10 Using default environment file /opt/hobbit/server/etc/hobbitserver.cfg
Hostname (.=end, ?=dump, !=reload) []: hobbit1
Hosttype []: linux
Test (cpu, mem, disk, proc, log, port): port
Need to know netstat columns for 'Local address', 'Remote address' and 'State'
Enter columns [4 5 6]: 5
To read 'netstat' data from a file, enter '@FILENAME' at the prompt
netstat line: tcp 0 1408 ::ffff:10.10.128.130:22 ::ffff:10.10.196.120:2575 ESTABLISHED
netstat line:
&green remote=%::ffff:10.10.196.120:.* : (found 1, req. 1 or more)
&red remote=%10.10.128.230:.* : (found 0, req. 1 or more)
Hostname (.=end, ?=dump, !=reload) [hobbit1]: .

John
list Jeff Newman
All,

Thank you for your help. The following is what ended up working:

PORT REMOTE=%192.168.22.3.*

I had to drop the ":" from the output. The netstat returned:

tcp4 0 0 192.168.22.4.40389 192.168.22.3.1261 ESTABLISHED

no colon. Doh.

Thanks again.
-Jeff
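The separator mismatch that resolved this thread, as an added example that is not part of the original posts or of the Hobbit/Xymon code. Python's `re` stands in for PCRE, the address rows are constructed, `strict_spec` is a hypothetical helper, and the pattern after `%` is assumed to be searched unanchored against the remote-address column. It also shows that a pattern with unescaped dots and no separator selects neighbouring hosts such as 192.168.22.30, next to a tighter pattern built on the `[.:]` class from the examples quoted in the first post.

```python
import re

# Constructed "remote address" column values in the shapes seen in the thread
# (sample data, not captured netstat output).
REMOTE_COLUMN = [
    "192.168.22.3.1261",          # dot before the port, as in the tcp4 line
    "192.168.22.3:1234",          # colon before the port
    "::ffff:192.168.22.3:23521",  # IPv4-mapped form, colon before the port
    "192.168.22.30.1111",         # a different host, dot form
    "192.168.22.31:443",          # a different host, colon form
]

def select(spec, column=REMOTE_COLUMN):
    """Rows selected by a '%regex' spec, searched unanchored (assumption)."""
    if not spec.startswith("%"):
        raise ValueError("only '%'-prefixed regex specs are handled here")
    rx = re.compile(spec[1:])
    return [addr for addr in column if rx.search(addr)]

def strict_spec(ip):
    """Hypothetical helper: exactly this IPv4 address, any port, '.' or ':'."""
    return "%(^|:)" + re.escape(ip) + r"[.:]\d+$"

if __name__ == "__main__":
    for spec in ("%192.168.22.3:.*", "%192.168.22.3.*", strict_spec("192.168.22.3")):
        rows = select(spec)
        print(f"{spec}  ->  found {len(rows)}")
        for addr in rows:
            print(f"    {addr}")
```

Checking which separator the client's netstat actually prints, as the `--test` session earlier in the thread does, settles which of these patterns a given host needs.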