Capture Filter Not Working

Eric eric-list-argus at catastrophe.net
Tue Jul 15 17:43:34 EDT 2003 

On Tue, 2003-07-15 at 12:06:39 -0700, Peter Van Epp proclaimed...

> 	Hmmm, don't have a 2.0.5 copy handy anymore, but I'd suggest try it
> from the command line. I just did on FreeBSD 4.7 with 2.0.6.beta.9 and icmp
> (no web on the appropiate net unfortunatly). This connection is also on a
> switch (and the Century tap is currently on a Linux box on the uplink which
> isn't a suitable platform for this) so I pinged this machine from 
> 142.58.101.25 to create filterable traffic:

Hmmm, ok. So I tried both ARGUS_FILTER="not host 10.6.6.6" and
ARGUS_FILTER="tcp dst port 80" and it doesn't work.

Neither does...

/usr/local/sbin/argus -c -d -n /var/run/argus.pid -I 1 -m -P 561 \
        -i em0 -i em1 -w /var/log/argus.new.out "not tcp port 80"

The following is what argus yields..

15 Jul 03 16:40:18    tcp  10.66.50.112.1571   -> 216.34.209.13.80    RST
15 Jul 03 16:40:18    tcp  10.66.195.47.3357   -> 207.171.179.30.80    RST
15 Jul 03 16:39:54    tcp   63.144.223.53.3733   -> 10.66.5.14.80    TIM
15 Jul 03 16:40:01    tcp   80.236.24.136.80     ?> 10.66.2.18.59615 RST
15 Jul 03 16:40:03    tcp 10.66.131.149.3431   -> 207.46.196.120.80    TIM
15 Jul 03 16:40:01    tcp   10.66.50.55.2276   ?> 80.12.137.56.80    FIN
15 Jul 03 16:40:01    tcp   10.66.50.55.2281   ?> 80.12.137.56.80    FIN
15 Jul 03 16:40:01    tcp   10.66.50.55.2282   ?> 80.12.137.56.80    FIN
15 Jul 03 16:40:02    tcp  10.66.59.212.2060   -> 138.12.4.195.80    RST
15 Jul 03 16:40:18    tcp  10.66.74.158.2438   -> 200.201.192.45.80    RST
15 Jul 03 16:39:52    tcp   10.66.50.55.2220   ?> 205.188.145.185.80    RST
15 Jul 03 16:40:03    tcp   12.207.159.85.5695   ?> 10.66.10.21.80    RST
15 Jul 03 16:40:03    tcp  10.66.50.112.1561   -> 216.34.209.13.80    RST
15 Jul 03 16:39:58    tcp 10.66.171.245.1709   ?> 216.73.84.71.80    RST
15 Jul 03 16:40:02    tcp   80.236.16.137.80     ?> 10.66.2.18.59616 RST
15 Jul 03 16:40:02    tcp  207.68.176.250.80     ?> 10.66.110.126.1263  RST
15 Jul 03 16:40:03    tcp   67.163.44.196.3411   ?> 10.66.220.35.80    RST
15 Jul 03 16:40:03    tcp  10.66.195.47.3349   -> 65.243.133.80.80    RST
15 Jul 03 16:40:03    tcp  10.66.183.83.80     ?> 12.250.222.133.3669  FIN
15 Jul 03 16:40:02    tcp     10.66.1.6.80     ?> 68.74.122.234.2824  FIN
15 Jul 03 16:40:03    tcp     10.66.1.6.80     ?> 66.19.49.178.1155  FIN
15 Jul 03 16:40:04    tcp  209.115.237.79.80     ?> 10.66.195.47.3317  RST
15 Jul 03 16:40:07    tcp    10.66.18.6.51672  -> 195.134.143.177.80    RST

BTW - I'm watching an OC3c with about 100Mbps sustained -- looking
at two intel fiber cards. If I can provide any debugging
information please let me know.

- Eric

p.s. You mentioned you're running 2.0.6; where can I grab a newer release 
     of argus to test this with? I didn't know that 2.0.6x was out.

More information about the argus mailing list