AnsweredAssumed Answered

OUI Identifier - LUA parser

Question asked by Joe Gumke on Aug 22, 2017
Latest reply on Aug 22, 2017 by Joe Gumke

Like • Show 0 Likes0
Comment • 6

We have a need to strip out the OUI Identifier out of our DHCP logs, but running into issues with building a LUA passer (see attached). Does anyone have a prebuilt solution they could share? Or look into my LUA log parser? I cannot get the data to send into the findOUI function

-- attached working version, thanks to bill.

Attachments

lua_ouiparser.lua.zip895 bytes

No one else has this question

Outcomes

6 Replies

William Motley Aug 22, 2017 11:25 AM
Mark Correct
Correct Answer
Your log line for the eth.dst match is inside the "if deviceType == 1", so we don't know whether that callback is occurring or not. I suspect either the deviceType callback isn't occurring, or "infobloxnios" isn't actually all lowercase. In deviceType try something like,

if string.lower(dtype) == "infobloxnios" then
nw.logInfo("infobloxnios seen")
deviceType = 1
end

(Don't forget to reset deviceType at session begin.)

A different way to go could be not using two callbacks. Instead, remove deviceType. Replace findOUI with,

function lua_ouiParser:findOUI()
local payload = nw.getPayload()
local message = payload:tostring()
local oui = string.match(message, "^.*dhcpd%[%d+%]: DHCPOFFER on [%d%.]+ to (%x%x:%x%x:%x%x):%x%x:%x%x:%x%x")
if oui then
nw.createMeta(self.keys["usb.eth.oui"], oui)
end
end
Like • Show 0 Likes0
Actions
- Joe Gumke @ William Motley on Aug 22, 2017 11:51 AM
  Mark Correct
  Correct Answer
  thanks bill. Sorry forgot to mention, but yes I did validate that the deviceType function is working, which is why i'm confused about why its not making it into the fundOUI function
  Like • Show 0 Likes0
  Actions
  - William Motley @ Joe Gumke on Aug 22, 2017 11:59 AM
    Mark Correct
    Correct Answer
    Just noticed this: change the eth.dst callback to,
    
    [nwlanguagekey.create("eth.dst", nwtypes.MAC)] = lua_ouiparser.findOUI
    ^^^^^^^^^^^^^
    1 person found this helpful
    Like • Show 0 Likes0
    Actions
    - Joe Gumke @ William Motley on Aug 22, 2017 12:11 PM
      Mark Correct
      Correct Answer
      thanks bill, that got it in the function.
      NOW -- what type of regex does the lua engine support?
      
      This doesnt work for chunking out the first 3 portions of the MAC
      ^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}
      Like • Show 0 Likes0
      Actions
      - William Motley @ Joe Gumke on Aug 22, 2017 12:28 PM
        Mark Correct
        Correct Answer
        Lua doesn't use regex. It implements its own regex-like pattern matching. You can do pretty much anything you can do in regex, just not necessarily in the same way or as easily.
        
        This page details the character classes and modifiers:
        
        https://www.lua.org/pil/20.2.html
        
        While it does support repetition modifiers such as * and +, it doesn't support counts ("{2}"). So something like:
        
        local oui = string.match(ethdst, "^(%x%x:%x%x:%x%x):%x%x:%x%x:%x%x$")
        if oui then
        ...
        
        ^ and $ mean begin and end of line just like regex.
        %x means hexadecimal character.
        The portion within the parentheses will be captured into the "oui" variable. The rest is there just for validation.
        Like • Show 1 Like1
        Actions
        Joe Gumke @ William Motley on Aug 22, 2017 12:52 PM
        Mark Correct
        Correct Answer
        thanks for help bill! thanks works. i'll attach final version here shortly, hopefully it helps other customers as well.
        Like • Show 0 Likes0
        Actions

OUI Identifier - LUA parser

Attachments

Outcomes

Related Content

Recommended Content