[hobbit] argh! Ports

Jeff Newman jeffnewman75 at gmail.com
Mon May 21 23:31:25 CEST 2007


All,

Thank you for your help.

The following is what ended up working:

PORT REMOTE=%192.168.22.3.*

I had to drop the ":" from the output. The netstat returned:

tcp4       0      0  192.168.22.4.40389    192.168.22.3.1261     ESTABLISHED

no colon.  Doh.

Thanks again.

-Jeff

On 5/21/07, John Glowacki <johng at idttechnology.com> wrote:
> The following works for me on redhat as 4, Hobbit server 4.2 with
> allinone patch, pcre version 6.7.
>
> HOST=hobbit1
>  PORT REMOTE=%::ffff:10.10.196.120:.*
>  PORT REMOTE=%10.10.128.130:.*
>
> You can run tests in hobbit like this:
>
> #  ../bin/bbcmd ../bin/hobbitd_client --test
> 2007-05-21 11:02:10 Using default environment file /opt/hobbit/server/etc/hobbitserver.cfg
> Hostname (.=end, ?=dump, !=reload) []: hobbit1
> Hosttype []: linux
> Test (cpu, mem, disk, proc, log, port): port
> Need to know netstat columns for 'Local address', 'Remote address' and 'State'
> Enter columns [4 5 6]: 5
> To read 'netstat' data from a file, enter '@FILENAME' at the prompt
> netstat line: tcp        0   1408 ::ffff:10.10.128.130:22 ::ffff:10.10.196.120:2575  ESTABLISHED
> netstat line:
> &green remote=%::ffff:10.10.196.120:.* : (found 1, req. 1 or more)
> &red remote=%10.10.128.230:.* : (found 0, req. 1 or more)
> Hostname (.=end, ?=dump, !=reload) [hobbit1]: .
>
> John
>
> Jeff Newman wrote:
> > Still didn't work.
> >
> > Henrik: I've just counted 60 different variations I have tried ( ()'s
> > "'s etc.. in various places) and still the only thing that works is
> >
> > PORT REMOTE=192.168.22.3:1234
> >
> > I cannot get the regex to work. What would be the absolute
> > authoritative way to do this? Is there some sort of log I can look at?
> > BTW server is 4.2, os is redhat as 4
> >
> > Thanks,
> > Jeff
> >
> >
> > On 5/17/07, Galen Johnson <gjohnson at trantor.org> wrote:
> >> Jeff Newman wrote:
> >> > Actually that is what I want (every port on that IP) - It's a second
> >> > nic on that box that only does one thing (just on a couple different
> >> > random ports)
> >> >
> >> > I just tried both:
> >> > PORT "REMOTE=%192.168.22.3:.*"
> >> > and
> >> > PORT REMOTE=%192.168.22.3:.*
> >> >
> >> > (without the double quotes)
> >> > and neither worked.
> >> >
> >> > Again, explicitly stating PORT REMOTE=192.168.22.3:1234 does work, so
> >> > I know it at least partially works :-)
> >> >
> >> > -jeff
> >> >
> >> >
> >> > On 5/17/07, Galen Johnson <gjohnson at trantor.org> wrote:
> >> >> Jeff Newman wrote:
> >> >> > All,
> >> >> >
> >> >> > Quick question. I have tried every permutation I can think of but
> >> >> > basically:
> >> >> >
> >> >> > Every PORT example I can find has something similar to:
> >> >> >
> >> >> > PORT LOCAL=%[.:]22$  (etc...)
> >> >> > or
> >> >> > PORT LOCAL=%[.:](80|443)
> >> >> >
> >> >> > No example I have seen has it where you KNOW the IP and you DON'T know
> >> >> > the port, such as:
> >> >> >
> >> >> > 192.168.22.3:???????????
> >> >> >
> >> >> > I need the port string to match an IP with an unknown port number.
> >> >> >
> >> >> > If I do:
> >> >> > PORT REMOTE=192.168.22.3:1234 (saying that netstat has a 1234
> >> >> > established)
> >> >> > it works fine, but (again pretending on the port #'s) if a netstat had
> >> >> > 3 established connections to ports 1234,1111,23521 I only get the
> >> >> > 1234. I want all of them.
> >> >> >
> >> >> > I've tried permutations for 2 hours now, and can't figure it out.
> >> >> >
> >> >> > Thanks,
> >> >> > Jeff
> >> >> >
> >> >> > To unsubscribe from the hobbit list, send an e-mail to
> >> >> > hobbit-unsubscribe at hswn.dk
> >> >> >
> >> >> >
> >> >> Have you tried "REMOTE=%192.168.22.3:.*"?  Now, that will most likely
> >> >> get you every port on that IP...which is probably not what you
> >> >> want...it's usually easier to write it for the ports you want...or
> >> >> "EXREMOTE=%192.168.22.3:.*"...
> >> >>
> >> >> =G=
> >> >>
> >> >
> >> Just tried it using pcretest and it works...there are some threads on
> >> the list that suggest wrapping the regex in quotes:
> >> REMOTE="%192.168.22.3:.*"
> >>
> >> Dunno what else to try...
> >>
> >> =G=
> >>
> >
>
>
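
An added example, not part of the original thread: the patterns discussed above run against constructed "Remote address" column values, showing why the colon form misses BSD-style `addr.port` output and that the unescaped working pattern also matches a neighbouring host. It uses Python's `re` as a stand-in for PCRE; the unanchored search on a single column and the `strict` pattern are assumptions of this example, not documented Hobbit behaviour.

```python
import re

# Constructed sample values of netstat's "Remote address" column
# (assumption: the rule is tested against this one column).
REMOTE_COLUMN = [
    "192.168.22.3.1261",         # BSD-style: dot before the port (as in the post)
    "192.168.22.3:1234",         # Linux-style: colon before the port
    "::ffff:192.168.22.3:2575",  # IPv4-mapped IPv6 form, as in the quoted test session
    "192.168.22.30.443",         # a different host whose address shares the prefix
    "192.168.22.4.40389",        # unrelated host
]

PATTERNS = {
    "colon_only": r"192.168.22.3:.*",  # first attempt in the thread
    "working": r"192.168.22.3.*",      # pattern from the final post
    # Added for comparison (hypothetical rule): dots escaped, both separators
    # accepted, anchored so that 192.168.22.30 cannot match.
    "strict": r"^(?:::ffff:)?192\.168\.22\.3[.:]\d+$",
}


def matches(pattern, values=REMOTE_COLUMN):
    """Return the column values the pattern matches, using an unanchored
    search (assumed to mirror how a '%' regex rule is applied)."""
    rx = re.compile(pattern)
    return [v for v in values if rx.search(v)]


def report():
    """Map each pattern name to the list of values it matched."""
    return {name: matches(p) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:10s} {hits}")
```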


