Searching tracked connections

kevin_i_orourke · August 21, 2007, 9:53am

I’ve been looking at the “/ ip firewall connection” list recently and trying to search it based on src-address and dst-address.

The problem is that it seems to require that you specify a port number, so that:

:put [find src-address=192.168.0.112]

returns nothing.

Instead I’d have to print the whole list and specify a port number, for example:

:put [find src-address=192.168.0.112:4510]

which kind of defeats the purpose.

Is there some way of giving a wildcard port number, to get a list of all connections from a specific IP address?

Thanks,
Kevin

mrz · August 21, 2007, 10:10am

I don’t think that there are some kind of wildcards, but you can do this with simple script:

:foreach i in=[/ip firewall connection find ] do={    
    :if ( [:find [/ip firewall connection get $i src-address] 192.168.0.112 ] >= 0 ) do={ 
         :put ( [/ip firewall connection get $i src-address] . " " . [/ip firewall connection get $i dst-address] );
    }
}

kevin_i_orourke · August 21, 2007, 10:21am

mrz:

I don’t think that there are some kind of wildcards, but you can do this with simple script:

:foreach i in=[/ip firewall connection find ] do={    
    :if ( [:find [/ip firewall connection get $i src-address] 192.168.0.112 ] >= 0 ) do={ 
         :put ( [/ip firewall connection get $i src-address] . " " . [/ip firewall connection get $i dst-address] );
    }
}

Thanks, I can modify that to do what I want to do.

But isn’t it a bit ugly that way? It would be much nicer if the ports were separated from the IPs, for example src-port and dst-port.

Oh well, can’t have everything and at least your solution works and is available now.

Thanks again,
Kevin