IP only filter?
Carter Bullard
carter at qosient.com
Mon Nov 13 18:06:11 EST 2000
Hey Russell,
Hmmmm. So we have the -I option, that is not finished yet,
which is designed to report these types of states. Guess I had
better finish implementing this one.
Carter
-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Monday, November 13, 2000 5:43 PM
To: 'Argus (E-mail)'
Subject: Re: RE: IP only filter?
On Mon, 13 Nov 2000 17:10:03 -0500 Carter Bullard <carter at qosient.com>
wrote:
> Hey Russell,
> Yes, the 'ip' filter does that very thing. It also
> filters out man records, so if you want the man records
> back, you should go with "ip or man".
Great!
>
> So I run into your -n problem regularly, when
> I have a .rarc file that specifies "don't print names"
> and I use the -n option on the command line out of habit.
> Argus-1.x had it so that if you put -nn on the command
> line, all names would revert to numbers. Having the
> .rarc and a -n on the command line is the equivalent
> of -nn.
>
> Does this sound like your situation?
>
Yup, that's it. I had forgotten about the .rarc file. So everything
is as it should be.
One more question:
Is there a way of flagging streams containing fragments (like the old F
flag in 1.8). I can extract such streams with frag filter but I would
like to be able to distinguish them when they are mixed with other flows.
If there isn't anything already then perhaps something in the status --
pity F and f are both used? Hmmm.. how about appending _F to the
status field when using -z or -Z.
Russell.