Observer Matrix : Matrix CLI : Matrix CLI : create rule
   
create rule
The command create rule creates a new rule. Rules can be referenced by layout connections.
 
Usage
create rule <"RuleName"> [value= <"FilterString">] [desc="RuleDesc"] [balance=(enable|disable)][balance-type=(packet|conversation)][conversation-type=(ip|L4port|mac|vlan)] [trailer=(enable|disable)] [trailer-uplink=(enable|disable)] [trim=(enable|disable)] [trimlen=64|128|192|256|384|512] [dedup=(enable|disable)] [create-filter="FilterName","FilterString"[,"FilterDesc"]]
 
 
Parameters
Parameter
Description
RuleName
The case-sensitive name of the rule. Consider the purpose of the rule when creating a name.
If it contains a space character, the entire string must be enclosed in quotes.
desc="RuleDesc"
Rule descriptions are optional and displayed in the Rules list.
value= <"FilterString">
A filter that conforms to the BPF syntax. See help filter for more details about BPF. If it contains a space character, the entire string must be enclosed in quotes.
balance=(enable|disable)
If selected, load balancing changes how traffic is moved from network ports to tool ports.
balance-type=(packet|conversation)
packet: Packets are equally distributed to tool ports using a round-robin method. By dividing the packet volume equally, link utilization is decreased between tool ports and connected tools by a factor of how many tool ports are connected to the rule. Network conversations are severed by using this type, so ensure that any connected tools can operate effectively without intact conversations.
conversation: Packets with identical characteristics, such as an identical IP pair, are forwarded exclusively to one tool port. By keeping these packets together, an intact conversation is likely being forwarded. Other unique conversations might be forwarded to the same or different tool port, creating a balanced distribution of conversations to all tool ports connected to the rule. Load balancing of this type is useful when connected tools need to perform analysis on complete network conversations.
conversation-type=(ip|L4port|mac|vlan)
Sets the conversation behavior to load balance. If choosing multiple conversation types, use a comma separated list with no spaces. For example, ip,L4port,vlan.
Conversations are traffic streams that must be kept together and forwarded intact to a tool port. How the system determines a conversation must be specified. For example, selecting only 'Include IP pair' indicates all connections between a unique IP pair must be kept intact and forwarded to the same tool port.
trailer=(enable|disable)
If selected, an identifying trailer is appended to ingress packets as they arrive. Each trailer contains a timestamp and the Group ID, Box ID, and Port ID identifying where the packet arrived.
trailer-uplink=(enable|disable
If selected, an identifying trailer is appended to ingress packets as they arrive. Each trailer contains a timestamp and the Group ID, Box ID, and Port ID identifying where the packet arrived.
dedup=(enable|disable)
If selected, hardware-accelerated packet deduplication removes duplicate ingress packets in real time.
trim=(enable|disable)
If selected, packets larger than the Trim Length value are truncated to a specified size. Packets smaller than the Trim Length value are unchanged.
trimlen=64|128|192|256|384|512
Only the first N-bytes of each ingress packet are forwarded to tool ports. A new 4-byte CRC value is affixed to each trimmed packet. Valid values are: 64, 128, 192, 256, 384, and 512.
 
 
Examples
matrix_host(layout_name)# create rule rule1 value="portrange 2000-2010 and host 10.0.64.30"
matrix_host(layout_name)# create rule rule2 dedup=enable