The inclusion of the src port generates a huge amount of records.

  • Question
  • Updated 5 years ago
How do I remove the src port from the output of this report -

'IP Activity :: Systems ordered by number of network connections created :: Breakdown'?


Andy


Posted 5 years ago


Aisling Brennan, Official Rep

The base syntax looks something like:

Query ip [senid#Sensor#sensor], [proto#Protocol#protocol], [src#Source IP#subnet], [dst#Destination IP#subnet], [sport#Src Port#port], [dport#Dest Port#port], [sum(sent)#Sent#bytecnt], [sum(rcvd)#Received#bytecnt], [sum(sent,rcvd)#Total#bytecnt] sort=-8   where   {end#t#Time#date}    & {senid#senid#Sensor#sensor}    & {src#src#Source IP/Subnet#subnet}    & {dst#dst#Destination IP/Subnet#subnet}    & {src,dst#ip#Client or Server#subnetdl}    & {proto#proto#IP Protocol#protocol}    & {dport#dport#Destination Port#service}
   Link chart.png Flows /netmon/view.cgi?View=1&rid=105&t=$t&proto=$1&sport=$4&dport=$5&src=$2&dst=$3&senid=$0&ip=$ip 9

To update the report to remove the src port column, change the syntax to:

 Query ip [senid#Sensor#sensor], [proto#Protocol#protocol], [src#Source IP#subnet], [dst#Destination IP#subnet], [dport#Dest Port#port], [sum(sent)#Sent#bytecnt], [sum(rcvd)#Received#bytecnt], [sum(sent,rcvd)#Total#bytecnt] sort=-7   where   {end#t#Time#date#}    & {senid#senid#Sensor#sensor#}    & {src#src#Source IP/Subnet#subnet#}    & {dst#dst#Destination IP/Subnet#subnet#}    & {src,dst#ip#Client or Server#subnetdl#}    & {proto#proto#IP Protocol#protocol#}    & {dport#dport#Destination Port#service#}
   Link chart.png Flows /netmon/view.cgi?View=1&rid=105&t=$t&proto=$1&dport=$4&src=$2&dst=$3&senid=$0&ip=$ip 9
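The part of the answer that is easy to get wrong is the renumbering: the column positions are 0-based (sort=-8 in the nine-column query is the Total column, $0 in the Link line is Sensor), so dropping a column shifts sort= and every $N behind it down by one, and a link parameter that pointed at the dropped column itself (sport=$4) has to be removed rather than left pointing at whatever slid into slot 4. The script below is an added example, not part of the original post or of the product; it takes the posted query and Link line, removes a column by its label and renumbers the references. The 0-based indexing is inferred from the sort=-8 / sort=-7 change in the answer and is an assumption.

```python
import re

# Report query and drill-down link exactly as posted in the answer above (the
# version that still carries the Src Port column).
ORIGINAL_QUERY = (
    "Query ip [senid#Sensor#sensor], [proto#Protocol#protocol], "
    "[src#Source IP#subnet], [dst#Destination IP#subnet], [sport#Src Port#port], "
    "[dport#Dest Port#port], [sum(sent)#Sent#bytecnt], [sum(rcvd)#Received#bytecnt], "
    "[sum(sent,rcvd)#Total#bytecnt] sort=-8   where   {end#t#Time#date}    "
    "& {senid#senid#Sensor#sensor}    & {src#src#Source IP/Subnet#subnet}    "
    "& {dst#dst#Destination IP/Subnet#subnet}    & {src,dst#ip#Client or Server#subnetdl}    "
    "& {proto#proto#IP Protocol#protocol}    & {dport#dport#Destination Port#service}"
)
ORIGINAL_LINK = (
    "Link chart.png Flows /netmon/view.cgi?View=1&rid=105&t=$t&proto=$1"
    "&sport=$4&dport=$5&src=$2&dst=$3&senid=$0&ip=$ip 9"
)

COL_RE = re.compile(r"\[([^\]#]+)#([^\]#]+)#([^\]]+)\]")  # [expr#Label#type]
SORT_RE = re.compile(r"\ssort=(-?)(\d+)(?=\s|$)")          # sort=-N, N = column position
COLREF_RE = re.compile(r"^\$(\d+)$")                        # $N in a link parameter


def column_labels(query):
    """Return the column labels of a query in positional order."""
    head = query.split(" where ", 1)[0]
    return [m.group(2) for m in COL_RE.finditer(head)]


def remove_column(query, link, label):
    """Drop the column called `label` and renumber every positional reference.

    Assumption (inferred from the post): positions are 0-based, so in the posted
    nine-column query sort=-8 sorts on the last column (Total) and $0 in the link
    is the first column (Sensor). Removing a column shifts sort= and every $N
    behind it down by one; a link parameter that pointed at the removed column
    itself is dropped.
    """
    head, where = query.split(" where ", 1)
    cols = list(COL_RE.finditer(head))
    idx = [m.group(2) for m in cols].index(label)  # ValueError if no such column

    m_sort = SORT_RE.search(head)
    if m_sort is None:
        raise ValueError("query has no sort= clause")
    sign, sort_idx = m_sort.group(1), int(m_sort.group(2))
    if sort_idx == idx:
        raise ValueError(f"report is sorted on {label!r}; pick another sort column first")
    if sort_idx > idx:
        sort_idx -= 1

    prefix = head[: cols[0].start()]                      # "Query ip "
    kept = [m.group(0) for i, m in enumerate(cols) if i != idx]
    new_head = prefix + ", ".join(kept) + f" sort={sign}{sort_idx}" + head[m_sort.end():]
    return new_head + " where " + where, _renumber_link(link, idx)


def _renumber_link(link, idx):
    """Rewrite $N column references in the Link line after column idx was removed."""
    def fix_url(url):
        base, _, qs = url.partition("?")
        params = []
        for pair in qs.split("&"):
            key, _, val = pair.partition("=")
            m = COLREF_RE.match(val)
            if m:
                n = int(m.group(1))
                if n == idx:
                    continue                # parameter referred to the dropped column
                if n > idx:
                    val = f"${n - 1}"       # columns behind it moved one slot left
            params.append(f"{key}={val}")
        return base + "?" + "&".join(params)

    return " ".join(fix_url(tok) if "?" in tok else tok for tok in link.split())


if __name__ == "__main__":
    new_query, new_link = remove_column(ORIGINAL_QUERY, ORIGINAL_LINK, "Src Port")
    print(new_query)
    print(new_link)
```

Running it on the posted query with "Src Port" produces the eight-column query with sort=-7 from the answer, and a Link line in which sport=$4 is gone and dport has moved to $4. Removing the column the report is sorted on (Total) is refused, since sort=-8 would otherwise point past the end of the column list.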