Optek Pty Ltd

ScreenOS tools

Netscreen Traffic Log Filter


nstf is a simple PERL script to filter and reformat Netscreen traffic log entries from a syslog file. Simple or complex filtering expressions can be applied to the log fields to display only the entries of interest. Output is displayed in tabular format, and fields can be shown or hidden selectively.

Download it here (.pl) or here (.tar.gz)

The help message is below.

Email: tools a t optekconsulting.com


nstf

NAME

nstf - Netscreen Traffic Log Reformat & Filter


SYNOPSIS

nstf 'dPort eq 2048 && dZone eq PUBLIC' < ScreenOS.syslog
nstf --noDevice 'Device eq nsfw1' < ScreenOS.syslog
nstf --noDevice 'dAddr net 192.168.1.0/24' < ScreenOS.syslog


DESCRIPTION

nstf is a simple tool for reformatting Netscreen syslog traffic logs into columns and showing only entries of interest. Columns can be shown or hidden using command line options, and trivial or complex filters can be specified using a simplified PERL syntax.

nstf reads input from stdin and does NOT accept named files on the command line.


FIELDS

The following fields are selectable from the logs:

        Device vSys sTime PolId
        Svc sZone sAddr dZone dAddr
        Proto sPort dPort Action bSent
        bRecv Elap 
        sXAddr sXPort dXAddr dXPort

By default all except the following fields are shown:

        Svc
        bSent
        bRecv
        sXAddr
        sXPort
        dXAddr
        dXPort

Any field can be shown or hidden using long format options:

        nstf --noDevice --dXAddr --dXPort

This hides Device but shows dXAddr and dXPort.


FILTERS

Filters can be applied to any of the fields, whether they are shown or not. The filter is implemented using PERL eval, so it can be quite complicated. Following are some examples:

        nstf 'sPort eq 2048'
        nstf 'sPort > 2048'
        nstf '( sPort > 2048 && dPort < 1024 ) || dPort > 32000'

Note that it is generally recommended to quote the parameters you pass to nstf, since they are easily confused with shell meta-characters; quoting is not always necessary, however.

One special purpose match function has been defined for matching IP addresses to networks.

        nstf 'sAddr net 172.17.0.0/16'

The net operator matches when the LHS is within the RHS network. For speed, the net test does not do much error checking, so if you specify a network address incorrectly the result will probably be meaningless.


BUGS

The filter parsing is not particularly good and does not do much error checking. If you specify a non-existent field, for instance (e.g. sProt eq 1), the filter will not complain but will never match.

This code is not particularly fast; it is much slower than grep, for instance.
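The filter mechanism from FILTERS and the two silent failures from BUGS, reimplemented as an added Python example (this is not the nstf script or Optek's code): the filter is parsed by a small recursive-descent parser rather than handed to eval, so the expression stays data instead of becoming code, unknown field names and malformed networks raise an error instead of silently never matching, and the field names are the ones listed under FIELDS. The sample log lines are constructed, and their key=value layout is my assumption about the ScreenOS traffic-log format.

```python
import ipaddress
import re

# Constructed ScreenOS-style traffic log lines (sample data, not real captures; layout is an assumption).
SAMPLE_LOGS = [
    'nsfw1: NetScreen device_id=nsfw1 [Root]system-notification-00257(traffic): start_time="2010-01-05 10:00:01" duration=3 '
    'policy_id=12 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=512 rcvd=2048 src=172.17.4.9 dst=10.1.1.80 src_port=40123 dst_port=80',
    'nsfw1: NetScreen device_id=nsfw1 [Root]system-notification-00257(traffic): start_time="2010-01-05 10:00:02" duration=0 '
    'policy_id=3 service=dns proto=17 src zone=Untrust dst zone=PUBLIC action=Deny sent=0 rcvd=0 src=203.0.113.7 dst=192.168.1.53 src_port=5353 dst_port=2048',
]
# ScreenOS key -> nstf field name (the xlated fields are omitted for brevity).
KEYMAP = {'device_id': 'Device', 'start_time': 'sTime', 'policy_id': 'PolId', 'service': 'Svc', 'proto': 'Proto', 'src zone': 'sZone',
          'dst zone': 'dZone', 'action': 'Action', 'sent': 'bSent', 'rcvd': 'bRecv', 'src': 'sAddr', 'dst': 'dAddr', 'src_port': 'sPort', 'dst_port': 'dPort', 'duration': 'Elap'}
# Filter operators. 'net' is strict: a malformed address or network raises instead of silently never matching.
OPS = {'eq': lambda a, b: a == b, 'ne': lambda a, b: a != b, '>': lambda a, b: int(a) > int(b), '<': lambda a, b: int(a) < int(b),
       'net': lambda a, b: ipaddress.ip_address(a) in ipaddress.ip_network(b, strict=True)}
def parse_line(line):
    """Turn one traffic log line into a dict keyed by nstf field names."""
    pairs = re.findall(r'([\w-]+(?: zone)?)=("[^"]*"|\S+)', line)
    return {KEYMAP[k]: v.strip('"') for k, v in pairs if k in KEYMAP}
def compile_filter(expr):
    """Parse an nstf-style filter (FIELD OP VALUE terms, &&, ||, parentheses) into a predicate; the text is never eval'd."""
    toks, pos = re.findall(r'\(|\)|[^\s()]+', expr), 0
    def take(expected=None):
        nonlocal pos
        if pos >= len(toks) or (expected and toks[pos] != expected):
            raise ValueError(f'bad filter near token {pos}: {expr!r}')
        pos += 1
        return toks[pos - 1]
    def atom():
        if pos < len(toks) and toks[pos] == '(':
            take('('); node = or_expr(); take(')')
            return node
        field, op, value = take(), take(), take()
        if field not in KEYMAP.values() or op not in OPS:  # rejects typos such as sProt
            raise ValueError(f'unknown field or operator: {field} {op}')
        return lambda rec: OPS[op](rec[field], value)
    def chain(sub, sep, combine):  # sub-terms joined by sep, combined with all()/any()
        parts = [sub()]
        while pos < len(toks) and toks[pos] == sep:
            take(sep); parts.append(sub())
        return lambda rec: combine(p(rec) for p in parts)
    and_expr = lambda: chain(atom, '&&', all)
    or_expr = lambda: chain(and_expr, '||', any)
    pred = or_expr()
    if pos != len(toks): raise ValueError('unparsed trailing tokens')
    return pred
def filter_logs(lines, expr):
    pred = compile_filter(expr)  # compile once, then test every line
    return [rec for rec in map(parse_line, lines) if pred(rec)]
```

Because the parser only produces field comparisons, a filter string taken from an untrusted source can at worst raise an error, which is the property the eval-based approach cannot give.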


AUTHOR

This tool is provided by Optek Pty Ltd.


COPYRIGHT & DISCLAIMER

This code is copyright by Optek Pty Ltd with all rights reserved.

Any entity ("you") may use this code under the conditions set out in the following paragraph.

The copyright holders and/or other parties provide this file and related files as is, without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and the accuracy of the information contained within it. The entire risk as to the quality and performance of the file and related files is with you. Should the file and/or related files fail to work on your system, you assume the cost of all necessary servicing, repair or correction.


© all rights reserved, Optek Pty Ltd