User guide

include-filter {
    proto 6;
}
exclude-filter {
    port 20;
    port 21;
    port 22;
    port 25;
    port 80;
    port 53;
    port 110;
    port 123;
    port 161;
    port 143;
    port 443;
    port 1434;
    port 1863;
    port 5050;
    port 5190;
    port 8200;
}
In this example, the TFM would look for all TCP traffic (IP protocol 6), but would ignore any sessions occurring on the ports listed in the exclude filter.
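The include/exclude logic described above, as an added Python example (not Tenable code and not part of the original guide). It is a simplified model of the policy syntax shown here; the function names are hypothetical, the sample flows are constructed, and it assumes a "port" rule matches either endpoint of a session.

```python
import re

# Filter from the example above, reflowed onto fewer lines.
POLICY = """
include-filter { proto 6; }
exclude-filter {
  port 20; port 21; port 22; port 25; port 80; port 53; port 110; port 123;
  port 161; port 143; port 443; port 1434; port 1863; port 5050; port 5190;
  port 8200;
}
"""

BLOCK_RE = re.compile(r"(include|exclude)-filter\s*\{(.*?)\}", re.S)
RULE_RE = re.compile(r"(proto|port)\s+(\d+)\s*;")


def parse_policy(text):
    """Return {'include': [(keyword, number), ...], 'exclude': [...]}."""
    policy = {"include": [], "exclude": []}
    for kind, body in BLOCK_RE.findall(text):
        policy[kind] += [(k, int(v)) for k, v in RULE_RE.findall(body)]
    return policy


def rule_matches(rule, flow):
    keyword, number = rule
    if keyword == "proto":
        return flow["proto"] == number
    # Assumption: a "port" rule matches either endpoint of the session.
    return number in (flow["sport"], flow["dport"])


def is_monitored(policy, flow):
    """True if some include rule matches and no exclude rule does."""
    included = any(rule_matches(r, flow) for r in policy["include"])
    excluded = any(rule_matches(r, flow) for r in policy["exclude"])
    return included and not excluded


# Constructed sample flows (IP protocol number, source port, destination port).
FLOWS = [
    {"proto": 6, "sport": 49152, "dport": 3389},   # TCP, no listed port
    {"proto": 6, "sport": 49153, "dport": 443},    # TCP, excluded port
    {"proto": 6, "sport": 22, "dport": 50000},     # TCP, excluded source port
    {"proto": 17, "sport": 40000, "dport": 514},   # UDP, not in include filter
]

if __name__ == "__main__":
    policy = parse_policy(POLICY)
    for flow in FLOWS:
        print(flow, "->", "monitored" if is_monitored(policy, flow) else "ignored")
```

Running candidate flows through a model like this before deploying a policy shows which sessions the exclude filter removes from the event stream.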
Tenable NetFlow Monitor Event Types
These are the event types that the Tenable NetFlow Monitor can currently generate:
TFM-TCP_Session_Whole
TFM-TCP_Session_Partial
TFM-UDP_Activity
TFM-TCP_Session_Whole_1MB
TFM-TCP_Session_Whole_10MB
TFM-TCP_Session_Whole_100MB
TFM-TCP_Session_Whole_1000MB
TFM-TCP_Session_Whole_Long
TFM-TCP_Session_Partial_Long
Usage
Once the policy is configured correctly, simply invoke the tfmd binary from the command line.
Traffic from NetFlow version 9 produces records that have a trailing “0”. This is visible on the LCE host when viewing log data from the LCE. An example of these records is shown below:
Tue Jul 18 13:30:27 - TFM-TCP_Session_Partial[46|0]:192.168.1.6:5190 -> 192.168.1.7:2958|1153243797|1153243797|0