Stenographer Reference for DMF Recorder Node
============================================

This appendix provides information about composing Stenographer queries and submitting them through the REST API.
Stenographer Query Syntax
-------------------------

The DANZ Monitoring Fabric (DMF) Recorder Node accepts Stenographer queries using a syntax based on the Berkeley Packet Filter (BPF) syntax. When a malformed BPF string is submitted, the recorder node responds with an error. The entire BPF grammar is not supported, but query strings can be composed using the predicates in the following table.
BPF Predicate | Value | Description
---|---|---
before value | time string | before the specified time
before value m ago | duration | before value minutes ago
before value h ago | duration | before value hours ago
before value d ago | duration | before value days ago
before value w ago | duration | before value weeks ago
after value | time string | after the specified time
after value m ago | duration | after value minutes ago
after value h ago | duration | after value hours ago
vlan value | VLAN ID | match the specified VLAN tag (outer, inner, or inner inner)
outer vlan value | VLAN ID | match the specified outer VLAN tag
inner vlan value | VLAN ID | match the specified inner VLAN tag (or middle tag of triple-tagged packets)
inner inner vlan value | VLAN ID | match the specified innermost VLAN tag of triple-tagged packets
src mac value | MAC address | match the specified source MAC address in the usual colon-delimited form (e.g. 11:22:33:44:55:66)
dst mac value | MAC address | match the specified destination MAC address in the usual colon-delimited form (e.g. 11:22:33:44:55:66)
mpls value | MPLS label | match the specified MPLS label
src host value | IPv4/v6 address | match the specified source address exactly
dst host value | IPv4/v6 address | match the specified destination address exactly
src net value | IPv4/v6 address | match the specified source address with an optional CIDR mask. All octets of the address must be specified, e.g. good → 1.2.3.0/24, bad → 1.2.3/24
src net value mask value | IPv4/v6 address | match the specified source address masked with the specified mask address
dst net value | IPv4/v6 address | match the specified destination address with an optional CIDR mask. All octets of the address must be specified, e.g. good → 1.2.3.0/24, bad → 1.2.3/24
dst net value mask value | IPv4/v6 address | match the specified destination address masked with the specified mask address
ip proto value | protocol number | match the specified IP protocol number
icmp | (none) | match ICMP packets (shortcut for "ip proto 1")
tcp | (none) | match TCP packets (shortcut for "ip proto 6")
udp | (none) | match UDP packets (shortcut for "ip proto 17")
src port value | transport port number | match the specified source transport port number
dst port value | transport port number | match the specified destination transport port number
cid value | Community ID | match the provided Community ID in the standard version:base64 form (e.g. 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=)
policy value | DMF policy name | match the forwarding VLAN(s) of the specified DMF policy. Only supported through the DMF Controller; not supported when using the Recorder Node REST API directly.
filter-interface value | DMF filter interface name | match the forwarding VLAN of the specified filter interface. Only supported through the DMF Controller; not supported when using the Recorder Node REST API directly.
event value | Recorder Node event name | match the time range of the specified event. Only supported through the DMF Controller; not supported when using the Recorder Node REST API directly.
and | (none) | logical "and"
&& | (none) | logical "and"
or | (none) | logical "or"
\|\| | (none) | logical "or"
( | (none) | begin grouping
) | (none) | end grouping
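
The table rules are easy to break when a query is assembled from values copied out of a ticket or a web form: a three-octet network, a five-octet MAC or an unsupported time unit all produce a string the recorder node rejects. The following Python builder is an added example, not code from the DMF documentation or product; it validates each value against the table before emitting a predicate and joins the result with ``and``. Class and method names are the example's own. The ``policy``, ``filter-interface`` and ``event`` predicates are left out because the table notes they are honoured only through the DMF Controller, not by the Recorder Node REST API directly. Rejecting a network with host bits set under the mask (rather than silently widening it) is this example's choice, not a documented recorder rule.

```python
"""Compose DMF Recorder Node Stenographer queries from validated values.

Added example; not from the DMF documentation. Every method checks its
argument against the predicate table before emitting text, so a value
pasted from a ticket cannot yield a malformed query (which the recorder
node rejects) or a silently different one.
"""
import ipaddress
import re
from typing import List

# Six colon-delimited hex octets, e.g. 11:22:33:44:55:66
_MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
# Community ID "version:base64", e.g. 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
_CID_RE = re.compile(r"^\d+:[A-Za-z0-9+/]+={0,2}$")
# Relative-time units the table lists for each keyword.
_UNITS = {"before": "mhdw", "after": "mh"}
_VLAN_POSITIONS = ("", "outer", "inner", "inner inner")


class QueryError(ValueError):
    """Raised for any value the predicate table does not allow."""


def _direction(direction: str) -> str:
    if direction not in ("src", "dst"):
        raise QueryError(f"direction must be src or dst, got {direction!r}")
    return direction


def _ip(addr: str) -> str:
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError as exc:
        raise QueryError(f"not an IPv4/IPv6 address: {addr!r}") from exc


class StenoQuery:
    """Collects validated predicates and joins them with 'and'."""

    def __init__(self) -> None:
        self._terms: List[str] = []

    def _add(self, term: str) -> "StenoQuery":
        self._terms.append(term)
        return self

    def relative(self, keyword: str, amount: int, unit: str) -> "StenoQuery":
        """before/after <amount><unit> ago, with the units listed per keyword."""
        if keyword not in _UNITS or unit not in _UNITS[keyword] or amount <= 0:
            raise QueryError(f"unsupported relative time: {keyword} {amount}{unit} ago")
        return self._add(f"{keyword} {amount}{unit} ago")

    def host(self, direction: str, addr: str) -> "StenoQuery":
        return self._add(f"{_direction(direction)} host {_ip(addr)}")

    def to_or_from(self, addr: str) -> "StenoQuery":
        """Parenthesised group matching either direction of one host."""
        ip = _ip(addr)
        return self._add(f"(src host {ip} or dst host {ip})")

    def net(self, direction: str, cidr: str) -> "StenoQuery":
        """src/dst net with a CIDR mask; all octets must be written out."""
        try:
            # ip_network() rejects shorthand such as 1.2.3/24; strict=True also
            # refuses host bits under the mask instead of widening the match.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            raise QueryError(f"not a fully specified network: {cidr!r}") from exc
        return self._add(f"{_direction(direction)} net {net}")

    def port(self, direction: str, port: int) -> "StenoQuery":
        if not 0 <= port <= 65535:
            raise QueryError(f"port out of range: {port}")
        return self._add(f"{_direction(direction)} port {port}")

    def mac(self, direction: str, mac: str) -> "StenoQuery":
        if not _MAC_RE.match(mac):
            raise QueryError(f"MAC must be six colon-delimited octets: {mac!r}")
        return self._add(f"{_direction(direction)} mac {mac.lower()}")

    def vlan(self, vid: int, position: str = "") -> "StenoQuery":
        """vlan / outer vlan / inner vlan / inner inner vlan."""
        if position not in _VLAN_POSITIONS:
            raise QueryError(f"unknown VLAN position: {position!r}")
        if not 0 <= vid <= 4095:  # 12-bit VLAN ID field
            raise QueryError(f"VLAN ID out of range: {vid}")
        return self._add(f"{position + ' ' if position else ''}vlan {vid}")

    def proto(self, name: str) -> "StenoQuery":
        """The icmp/tcp/udp shortcuts from the table."""
        if name not in ("icmp", "tcp", "udp"):
            raise QueryError(f"unknown protocol shortcut: {name!r}")
        return self._add(name)

    def ip_proto(self, number: int) -> "StenoQuery":
        if not 0 <= number <= 255:
            raise QueryError(f"protocol number out of range: {number}")
        return self._add(f"ip proto {number}")

    def cid(self, community_id: str) -> "StenoQuery":
        if not _CID_RE.match(community_id):
            raise QueryError(f"not a version:base64 Community ID: {community_id!r}")
        return self._add(f"cid {community_id}")

    def build(self) -> str:
        if not self._terms:
            raise QueryError("query has no predicates")
        return " and ".join(self._terms)


# Constructed usage: equivalent to the first query in the examples section.
GOOGLE_DNS_QUERY = (
    StenoQuery().relative("after", 2, "h").relative("before", 1, "h")
    .to_or_from("8.8.8.8").build()
)

if __name__ == "__main__":
    print(GOOGLE_DNS_QUERY)
```

The builder deliberately has no method that appends raw text: anything not covered by a typed method has to be added as a new validated method, which keeps the table the single source of truth for what reaches the recorder node.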
Example Stenographer Queries
----------------------------

After two hours ago but before one hour ago, search for all packets to or from Google DNS (8.8.8.8)::

    (after 2h ago and before 1h ago) and (src host 8.8.8.8 or dst host 8.8.8.8)

Within the last 24 hours, search for all TCP packets with source port 22 destined for IP 10.4.100.200::

    after 24h ago and dst host 10.4.100.200 and tcp and src port 22

Within the last five minutes, search for all packets to or from 10.1.1.100, and, in the five minutes before that, search for all packets to or from 10.1.1.101::

    (after 5m ago and (src host 10.1.1.100 or dst host 10.1.1.100)) or (after 10m ago and before 5m ago and (src host 10.1.1.101 or dst host 10.1.1.101))

Within the timespan of event abc and within the last hour, search for all SSH (TCP port 22) packets destined for IP 1.2.3.4::

    (event abc or after 1h ago) and dst host 1.2.3.4 and tcp and dst port 22

Within the timespan defined by the intersection of events abc and def, search for all packets sent from any IP in subnet 1.2.3.0/24 seen on filter interface xyz::

    (event abc and event def) and filter-interface xyz and src net 1.2.3.0/24

.. note::

   To use the filter-interface predicate, the DMF Controller must be in the push-per-filter Auto
   VLAN mode.

Within the last five minutes, search for all packets sent from IP 1.2.3.4 to the DANZ Monitoring Fabric (DMF) Recorder Node using DMF policy abc::

    after 5m ago and policy abc and src host 1.2.3.4

.. note::

   To use the policy predicate, the DMF Controller must be in the push-per-policy or push-per-filter
   Auto VLAN mode. When in push-per-policy auto-vlan-mode, the policy's forwarding tag is
   queried. When in push-per-filter mode, the forwarding tags of the filter interfaces used in
   the policy are queried.

Within the last five minutes, search for all packets with any VLAN tag 100::

    after 5m ago and vlan 100

Within the last five minutes, search for all packets with an outer VLAN tag 100::

    after 5m ago and outer vlan 100

Within the last five minutes, search for all packets with an inner (or middle) VLAN tag 100::

    after 5m ago and inner vlan 100

Within the last five minutes, search for all triple-tagged packets with innermost VLAN tag 100::

    after 5m ago and inner inner vlan 100

Within the last five minutes, search for packets belonging to the flow with Community ID 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=::

    after 5m ago and cid 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=

This matches packets in each direction of the flow, if applicable.
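
The ``cid`` predicate is the natural pivot from an IDS or Zeek alert to the recorded packets, since those tools label flows with the same Community ID. The following Python function is an added example, not code from the DMF documentation or from Stenographer; it implements the public Community ID v1 flow hash (16-bit seed, endpoints in canonical order, protocol byte, one padding byte, SHA-1, base64, prefixed with ``1:``) and shows why a single ``cid`` value covers both directions of a flow: the endpoints are sorted before hashing, so the forward and reverse 5-tuples hash identically. Assumptions of this example: seed 0 (the spec default), ports are included only for TCP, UDP and SCTP, and the ICMP type/code mapping from the spec is not implemented. The sample flow is constructed.

```python
"""Derive a Community ID v1 for the 'cid' predicate from a flow 5-tuple.

Added example; not from the DMF documentation. Follows the public
Community ID v1 specification. Assumed scope: TCP/UDP/SCTP carry ports,
other protocols are hashed without ports, ICMP type/code mapping omitted.
"""
import base64
import hashlib
import ipaddress
import struct
from typing import Optional

_PORTED = {6, 17, 132}  # TCP, UDP, SCTP carry transport ports


def community_id(saddr: str, daddr: str, proto: int,
                 sport: Optional[int] = None, dport: Optional[int] = None,
                 seed: int = 0) -> str:
    """Return '1:<base64 SHA-1>' for the flow; identical for both directions."""
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    if proto in _PORTED:
        if sport is None or dport is None:
            raise ValueError("TCP/UDP/SCTP flows need both ports")
        sp, dp = sport, dport
    else:
        sp = dp = None  # port-less protocol: ports are not hashed
    # Canonical order: lower address first; on an address tie, lower port first.
    # Swapping when out of order is what makes the ID direction-independent.
    if not (sa < da or (sa == da and (sp or 0) < (dp or 0))):
        sa, da, sp, dp = da, sa, dp, sp
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BB", proto, 0)
    if sp is not None:
        data += struct.pack("!HH", sp, dp)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def cid_predicate(saddr: str, daddr: str, proto: int,
                  sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """The Stenographer predicate text for the flow, e.g. 'cid 1:...='."""
    return f"cid {community_id(saddr, daddr, proto, sport, dport)}"


# Constructed sample: a DNS flow as it might appear in an IDS alert.
SAMPLE = ("10.1.1.100", "8.8.8.8", 17, 51234, 53)

if __name__ == "__main__":
    print("after 5m ago and " + cid_predicate(*SAMPLE))
```

Because the seed is part of the hash, a sensor configured with a non-zero seed produces IDs that will not match those computed with the default; check the seed setting of the tool that emitted the alert before pivoting.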
Within the last five minutes, search for all L2 broadcast packets originating from MAC address 11:22:33:44:55:66::

    after 5m ago and src mac 11:22:33:44:55:66 and dst mac ff:ff:ff:ff:ff:ff