Sometimes the customers that start off the most confused end up being the happiest customers. In this blog, I will explain why one of our new customers is absolutely ecstatic with Scrutinizer’s powerful filtering. It is also part of the reason why Jim Frey from Enterprise Management Associates was recently quoted as saying “Scrutinizer is the best pure-play I’ve seen for NetFlow reporting.”

When it comes to reporting, filtering separates NetFlow Analyzers. With Scrutinizer, you can be confident that you get what you pay for. Even the most expensive products on the market can’t filter like this.

First of all, Scrutinizer is currently the only product on the market that lets you filter on any field that is exported in the NetFlow template. If today you decide to export Mac Address or VLAN ID, you can instantly start building reports based on these new fields.

Secondly, there is the concern of how a product can filter. In Scrutinizer, not only can you include or exclude data, there is also the option to AND & OR between filters. This is what I want to specifically focus on today. Let’s take the IP Host filters for example:

Any filter that has a SRC/DST option (hosts, AS, network) can have an AND or an OR in them, depending on how the filter is built.

Take this example:

Src host = 10.1.10.1
Src host = 10.1.10.2
Dst host = 10.1.4.254

The query will look like:

(srcIPAddress = 10.1.10.1 OR srcIPAddress = 10.1.10.2) AND (dstIPAddress = 10.1.4.254)

Next, let’s take adding bi-directional host filters as an example. Let’s say you started off your report with two host filters:

Src host = 10.1.10.2
Dst host = 10.1.4.254

The query will look like:

(srcIPAddress = 10.1.10.2) AND (dstIPAddress = 10.1.4.254)

Now you add a bi-directional filter (source or destination) and the query changes quite significantly. By adding a bi-directional filter you’re adding a subset of data rather than removing a subset of data.

Src/dst host = 10.1.10.1
Src host = 10.1.10.2
Dst host = 10.1.4.254

The query will now look like:

(srcIPAddress = 10.1.10.1 OR srcIPAddress = 10.1.10.2) OR (dstIPAddress = 10.1.4.254 OR dstIPAddress = 10.1.10.1)

The logic on the backend is: If there is a src/dst filter use OR, otherwise use AND.

Here is an example of why it works this way:

Src/dst host = 10.1.10.1

If AND were used here, the query would be so restrictive that you get no results:

(srcIPAddress = 10.1.10.1) AND (dstIPAddress = 10.1.10.1) — A host doesn’t send traffic to itself over the network.

Exclude filters need to be different. Specifically, like fields are ANDed, not ORed. Take this example.

Include:

Src host = 10.1.10.1
Src host = 10.1.10.2
Dst host = 10.1.4.254

The query will look like:

(srcIPAddress = 10.1.10.1 OR srcIPAddress = 10.1.10.2) AND (dstIPAddress = 10.1.4.254)

Exclude (!= means “not equal”):

Src host != 10.1.10.1
Src host != 10.1.10.2
Dst host != 10.1.4.254

The query will look like:

(srcIPAddress != 10.1.10.1 AND srcIPAddress != 10.1.10.2) AND (dstIPAddress != 10.1.4.254)

Now, between different types of filters there is always an AND. For example, I can filter for IP Host = 10.5.5.5 AND exclude ToS = DSCP 0.
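To make the rules above concrete, here is a small Python model of the filter-to-query logic as the post describes it (an added illustration, not Scrutinizer’s code): `HostFilter`, `build_host_query`, `matches`, `count_matching` and the sample flows are mine, and how a bi-directional exclude combines across fields is an assumption the post does not cover.

```python
from dataclasses import dataclass

@dataclass
class HostFilter:
    direction: str        # "src", "dst" or "srcdst" (bi-directional)
    host: str
    include: bool = True  # False builds an exclude (!=) filter

def _groups(filters, sym, join):
    """One parenthesised group per field; like fields joined by `join`."""
    src = [f"srcIPAddress {sym} {f.host}" for f in filters if f.direction != "dst"]
    dst = [f"dstIPAddress {sym} {f.host}" for f in filters if f.direction != "src"]
    return [f"({join.join(g)})" for g in (src, dst) if g]

def build_host_query(filters):
    """Includes: like fields ORed; src/dst groups ANDed unless a bi-directional
    filter is present, then ORed. Excludes: like fields ANDed, groups ANDed
    (bi-directional excludes are my assumption; the post does not cover them).
    Include and exclude clauses are always ANDed together."""
    inc = [f for f in filters if f.include]
    exc = [f for f in filters if not f.include]
    bidir = any(f.direction == "srcdst" for f in inc)
    clauses = []
    if inc:
        clauses.append((" OR " if bidir else " AND ").join(_groups(inc, "=", " OR ")))
    if exc:
        clauses.append(" AND ".join(_groups(exc, "!=", " AND ")))
    return " AND ".join(clauses)

def matches(flow, filters):
    """Apply the same logic to one flow record ({'src': ip, 'dst': ip})."""
    def group(fs, field):  # per-field match list, or None when no filter uses it
        fs = [f for f in fs if f.direction in (field, "srcdst")]
        return [flow[field] == f.host for f in fs] or None
    inc = [f for f in filters if f.include]
    exc = [f for f in filters if not f.include]
    ok = True
    if inc:
        hits = [any(g) for g in (group(inc, "src"), group(inc, "dst")) if g]
        ok = any(hits) if any(f.direction == "srcdst" for f in inc) else all(hits)
    if ok and exc:
        ok = not any(any(g) for g in (group(exc, "src"), group(exc, "dst")) if g)
    return ok

# Constructed sample flows (not real NetFlow export data).
FLOWS = [{"src": "10.1.10.1", "dst": "10.1.4.254"}, {"src": "10.1.4.254", "dst": "10.1.10.1"},
         {"src": "10.1.10.2", "dst": "10.1.4.254"}, {"src": "10.1.10.3", "dst": "10.1.10.9"}]

def count_matching(filters, flows=FLOWS):
    return sum(matches(fl, filters) for fl in flows)
```

Running the three host filters from the post through `build_host_query` reproduces the queries shown above, and `count_matching` shows the bi-directional variant returning more flows than the src/dst-only one.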

We know that those of us who like to dig in for the details appreciate the engineering that went into making Scrutinizer’s filtering behave like this. Let me know if you feel it should behave differently. We are always trying to improve it.

Paul Dube

Paul Dube is the Director of Technical Services at Plixer. He has a passion for enabling individuals and organizations to use highly complex systems to solve business and personal objectives. This passion for problem solving has Paul working with some of the largest enterprises to solve their security and networking challenges and also educating his young daughters on how to enrich their lives with technology. When he's not working, you will find him enjoying time with his family, cooking something delicious on the Big Green Egg, and enjoying the best brews that the locals have to offer.
