Capture Filter Not Working

Peter Van Epp vanepp at sfu.ca
Tue Jul 15 15:06:39 EDT 2003 

	Hmmm, don't have a 2.0.5 copy handy anymore, but I'd suggest try it
from the command line. I just did on FreeBSD 4.7 with 2.0.6.beta.9 and icmp
(no web on the appropiate net unfortunatly). This connection is also on a
switch (and the Century tap is currently on a Linux box on the uplink which
isn't a suitable platform for this) so I pinged this machine from 
142.58.101.25 to create filterable traffic:

r2d2# argus_bpf -w nfargus.out

r2d2# ./ra -r nfargus.out -n

r2d2# ./ra -r nfargus.out -n
15 Jul 03 11:58:21    man version=2.0     probeid=3848370891                STA
15 Jul 03 11:58:28    arp    142.58.2.254     who-has     142.58.2.24       INT
15 Jul 03 11:58:28   icmp   142.58.101.25       <->       142.58.1.10       ECO
15 Jul 03 11:58:21   icmp   142.58.101.25       <->       142.58.1.10       ECO
15 Jul 03 11:58:22    udp    142.58.1.103.60682  ->   239.255.255.253.427   INT
15 Jul 03 11:58:25   icmp   142.58.101.25       <->       142.58.1.10       ECO
15 Jul 03 11:58:25    llc   0:6:29:d3:17:eb.gbl  ->  ff:ff:ff:ff:ff:ff.gbl  INT
15 Jul 03 11:58:25    udp    142.58.1.160.137    ->      142.58.1.255.137   INT

r2d2# ./argus_bpf -w argus.out -- not icmp

r2d2# ./ra -r argus.out -n
15 Jul 03 11:58:57    man version=2.0     probeid=3848370891                STA
15 Jul 03 11:58:57    udp    142.58.1.121.138    ->      142.58.1.255.138   INT
15 Jul 03 11:59:03    llc   0:6:29:d3:17:eb.gbl  ->  ff:ff:ff:ff:ff:ff.gbl  INT
15 Jul 03 11:59:05    llc     0:2:b3:4:d0:4.gbl  ->  ff:ff:ff:ff:ff:ff.gbl  INT
15 Jul 03 11:59:00    udp     142.58.1.19.138    ->      142.58.1.255.138   INT
15 Jul 03 11:58:57    llc   0:6:29:75:8e:69.gbl  ->  ff:ff:ff:ff:ff:ff.gbl  INT
15 Jul 03 11:58:58    udp    142.58.1.175.65019  ->   239.255.255.253.427   INT
15 Jul 03 11:59:02    udp    142.58.1.205.49352  ->   239.255.255.253.427   INT
15 Jul 03 11:58:59    llc   0:1:f4:a1:bb:80.stp  ->      1:80:c2:0:0:0.stp  INT
15 Jul 03 11:59:03    udp    142.58.1.160.137    ->      142.58.1.255.137   INT
15 Jul 03 11:59:02    arp    142.58.1.254     who-has    142.58.1.208       INT

	As expected no icmp showing up in the filtered ra output.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



On Tue, Jul 15, 2003 at 01:27:29PM -0500, Eric wrote:
> On Tue, 2003-07-15 at 13:55:51 -0400, Carter Bullard proclaimed...
> 
> >    You've got the ARGUS_FILTER twice with the last entry
> > as "", so that will probably remove any filters on that
> > interface.  See if removing that doesn't fix things.
> 
> Yea sorry about that - I noticed it after I posted (it was a post
> mistake, not in the actual config).
> 
> Needless to say, it doesn't fix anything.
> 
> - Eric

More information about the argus mailing list