Capture Filter Not Working

Carter Bullard carter at qosient.com
Tue Jul 15 18:18:33 EDT 2003 

Hey Eric,
   Go to ftp://qosient.com/dev/argus-2.0 and pick up
the most recent argus and argus-clients there.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Eric
> Sent: Tuesday, July 15, 2003 5:44 PM
> To: Peter Van Epp
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Capture Filter Not Working
> 
> 
> On Tue, 2003-07-15 at 12:06:39 -0700, Peter Van Epp proclaimed...
> 
> > 	Hmmm, don't have a 2.0.5 copy handy anymore, but I'd 
> suggest try it
> > from the command line. I just did on FreeBSD 4.7 with 
> 2.0.6.beta.9 and icmp
> > (no web on the appropiate net unfortunatly). This 
> connection is also on a
> > switch (and the Century tap is currently on a Linux box on 
> the uplink which
> > isn't a suitable platform for this) so I pinged this machine from 
> > 142.58.101.25 to create filterable traffic:
> 
> Hmmm, ok. So I tried both ARGUS_FILTER="not host 10.6.6.6" and
> ARGUS_FILTER="tcp dst port 80" and it doesn't work.
> 
> Neither does...
> 
> /usr/local/sbin/argus -c -d -n /var/run/argus.pid -I 1 -m -P 561 \
>         -i em0 -i em1 -w /var/log/argus.new.out "not tcp port 80"
> 
> The following is what argus yields..
> 
> 15 Jul 03 16:40:18    tcp  10.66.50.112.1571   -> 
> 216.34.209.13.80    RST
> 15 Jul 03 16:40:18    tcp  10.66.195.47.3357   -> 
> 207.171.179.30.80    RST
> 15 Jul 03 16:39:54    tcp   63.144.223.53.3733   -> 
> 10.66.5.14.80    TIM
> 15 Jul 03 16:40:01    tcp   80.236.24.136.80     ?> 
> 10.66.2.18.59615 RST
> 15 Jul 03 16:40:03    tcp 10.66.131.149.3431   -> 
> 207.46.196.120.80    TIM
> 15 Jul 03 16:40:01    tcp   10.66.50.55.2276   ?> 
> 80.12.137.56.80    FIN
> 15 Jul 03 16:40:01    tcp   10.66.50.55.2281   ?> 
> 80.12.137.56.80    FIN
> 15 Jul 03 16:40:01    tcp   10.66.50.55.2282   ?> 
> 80.12.137.56.80    FIN
> 15 Jul 03 16:40:02    tcp  10.66.59.212.2060   -> 
> 138.12.4.195.80    RST
> 15 Jul 03 16:40:18    tcp  10.66.74.158.2438   -> 
> 200.201.192.45.80    RST
> 15 Jul 03 16:39:52    tcp   10.66.50.55.2220   ?> 
> 205.188.145.185.80    RST
> 15 Jul 03 16:40:03    tcp   12.207.159.85.5695   ?> 
> 10.66.10.21.80    RST
> 15 Jul 03 16:40:03    tcp  10.66.50.112.1561   -> 
> 216.34.209.13.80    RST
> 15 Jul 03 16:39:58    tcp 10.66.171.245.1709   ?> 
> 216.73.84.71.80    RST
> 15 Jul 03 16:40:02    tcp   80.236.16.137.80     ?> 
> 10.66.2.18.59616 RST
> 15 Jul 03 16:40:02    tcp  207.68.176.250.80     ?> 
> 10.66.110.126.1263  RST
> 15 Jul 03 16:40:03    tcp   67.163.44.196.3411   ?> 
> 10.66.220.35.80    RST
> 15 Jul 03 16:40:03    tcp  10.66.195.47.3349   -> 
> 65.243.133.80.80    RST
> 15 Jul 03 16:40:03    tcp  10.66.183.83.80     ?> 
> 12.250.222.133.3669  FIN
> 15 Jul 03 16:40:02    tcp     10.66.1.6.80     ?> 
> 68.74.122.234.2824  FIN
> 15 Jul 03 16:40:03    tcp     10.66.1.6.80     ?> 
> 66.19.49.178.1155  FIN
> 15 Jul 03 16:40:04    tcp  209.115.237.79.80     ?> 
> 10.66.195.47.3317  RST
> 15 Jul 03 16:40:07    tcp    10.66.18.6.51672  -> 
> 195.134.143.177.80    RST
> 
> BTW - I'm watching an OC3c with about 100Mbps sustained -- looking
> at two intel fiber cards. If I can provide any debugging
> information please let me know.
> 
> - Eric
> 
> p.s. You mentioned you're running 2.0.6; where can I grab a 
> newer release 
>      of argus to test this with? I didn't know that 2.0.6x was out.
> 
>

More information about the argus mailing list