This article helps you with providing steps to install CIDR FLow Tagger in Trisul Network Analytics.

Create Automatic flow tags for all the network traffic with CIDR network tags and integrate them into the backend indices.

1. Login as Admin and install the app by selecting 'Flexible CIDR Flow Tagger' from Web Admin > Manage > Apps
2. Restart the Probe node.

Specify the networks that you want to tag. By default CIDR tags the subnets /25,/26,/27,/28.

To do this,

• Create a file named 'trisulnsm_cidr-tagger.lua' in /usr/local/var/lib/trisul-probe/domain0/probe0/context0/config.
• put the lines below in that file

return    {
            -- only tag these subnet networks
            tag_masks={26,27,28},

            -- only tag internalhosts 
            tag_internal_hosts_only = true
          } 
} 

You can search for specific subnetwork flows by adding the tag group called [cidr]. For example,

tag=[cidr]192.17.20.32/27

Once the app is installed the CIDR tags automatically gets added to the flows.