Capture Filter Not Working
Carter Bullard
carter at qosient.com
Wed Jul 16 11:56:35 EDT 2003
Hey Eric,
No need to issue a bug report, I've got all the info.
I've got a fix in for the filter problems, ala Peter's
suggestion to do the right thing with FreeBSD and getopt().
I'll have beta.11 up in about 30 minutes, and I'll follow
up with an email. Since I don't have a *BSD machine,
If you guys could give this a test, that would be great!!!
Carter
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Eric
> Sent: Tuesday, July 15, 2003 5:44 PM
> To: Peter Van Epp
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Capture Filter Not Working
>
>
> On Tue, 2003-07-15 at 12:06:39 -0700, Peter Van Epp proclaimed...
>
> > Hmmm, don't have a 2.0.5 copy handy anymore, but I'd suggest trying it
> > from the command line. I just did on FreeBSD 4.7 with 2.0.6.beta.9 and icmp
> > (no web on the appropriate net unfortunately). This connection is also on a
> > switch (and the Century tap is currently on a Linux box on the uplink which
> > isn't a suitable platform for this) so I pinged this machine from
> > 142.58.101.25 to create filterable traffic:
>
> Hmmm, ok. So I tried both ARGUS_FILTER="not host 10.6.6.6" and
> ARGUS_FILTER="tcp dst port 80" and it doesn't work.
>
> Neither does...
>
> /usr/local/sbin/argus -c -d -n /var/run/argus.pid -I 1 -m -P 561 \
> -i em0 -i em1 -w /var/log/argus.new.out "not tcp port 80"
>
> The following is what argus yields..
>
> 15 Jul 03 16:40:18 tcp 10.66.50.112.1571 -> 216.34.209.13.80 RST
> 15 Jul 03 16:40:18 tcp 10.66.195.47.3357 -> 207.171.179.30.80 RST
> 15 Jul 03 16:39:54 tcp 63.144.223.53.3733 -> 10.66.5.14.80 TIM
> 15 Jul 03 16:40:01 tcp 80.236.24.136.80 ?> 10.66.2.18.59615 RST
> 15 Jul 03 16:40:03 tcp 10.66.131.149.3431 -> 207.46.196.120.80 TIM
> 15 Jul 03 16:40:01 tcp 10.66.50.55.2276 ?> 80.12.137.56.80 FIN
> 15 Jul 03 16:40:01 tcp 10.66.50.55.2281 ?> 80.12.137.56.80 FIN
> 15 Jul 03 16:40:01 tcp 10.66.50.55.2282 ?> 80.12.137.56.80 FIN
> 15 Jul 03 16:40:02 tcp 10.66.59.212.2060 -> 138.12.4.195.80 RST
> 15 Jul 03 16:40:18 tcp 10.66.74.158.2438 -> 200.201.192.45.80 RST
> 15 Jul 03 16:39:52 tcp 10.66.50.55.2220 ?> 205.188.145.185.80 RST
> 15 Jul 03 16:40:03 tcp 12.207.159.85.5695 ?> 10.66.10.21.80 RST
> 15 Jul 03 16:40:03 tcp 10.66.50.112.1561 -> 216.34.209.13.80 RST
> 15 Jul 03 16:39:58 tcp 10.66.171.245.1709 ?> 216.73.84.71.80 RST
> 15 Jul 03 16:40:02 tcp 80.236.16.137.80 ?> 10.66.2.18.59616 RST
> 15 Jul 03 16:40:02 tcp 207.68.176.250.80 ?> 10.66.110.126.1263 RST
> 15 Jul 03 16:40:03 tcp 67.163.44.196.3411 ?> 10.66.220.35.80 RST
> 15 Jul 03 16:40:03 tcp 10.66.195.47.3349 -> 65.243.133.80.80 RST
> 15 Jul 03 16:40:03 tcp 10.66.183.83.80 ?> 12.250.222.133.3669 FIN
> 15 Jul 03 16:40:02 tcp 10.66.1.6.80 ?> 68.74.122.234.2824 FIN
> 15 Jul 03 16:40:03 tcp 10.66.1.6.80 ?> 66.19.49.178.1155 FIN
> 15 Jul 03 16:40:04 tcp 209.115.237.79.80 ?> 10.66.195.47.3317 RST
> 15 Jul 03 16:40:07 tcp 10.66.18.6.51672 -> 195.134.143.177.80 RST
>
> BTW - I'm watching an OC3c with about 100Mbps sustained -- looking
> at two intel fiber cards. If I can provide any debugging
> information please let me know.
>
> - Eric
>
> p.s. You mentioned you're running 2.0.6; where can I grab a newer release
> of argus to test this with? I didn't know that 2.0.6x was out.
>
>
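One way to audit whether a configured ARGUS_FILTER is actually being honoured is to parse the records argus writes and look for flows the filter should have excluded. The following is an added Python example, not argus code: the records in SAMPLE_OUTPUT are constructed in the line format quoted above, and the set of direction tokens it accepts is assumed from that output.

```python
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Constructed sample records in the ra-style line format quoted in the thread
# (timestamp, proto, src.port, direction, dst.port, state); not real traffic.
SAMPLE_OUTPUT = """\
15 Jul 03 16:40:18 tcp 10.66.50.112.1571 -> 216.34.209.13.80 RST
15 Jul 03 16:40:01 tcp 80.236.24.136.80 ?> 10.66.2.18.59615 RST
15 Jul 03 16:40:07 udp 10.66.18.6.51672 -> 195.134.143.177.53 INT
15 Jul 03 16:40:09 tcp 10.66.18.6.44000 -> 192.0.2.10.443 CON
this line is not a record and must be skipped
"""

# Direction tokens assumed from argus 2.0 output; longer alternatives first so "<->" is not read as "<-".
RECORD_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+"
    r"(?P<dir><->|<\?>|->|<-|\?>|<\?|\?)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)

Flow = namedtuple("Flow", "ts proto src_ip src_port dst_ip dst_port state")

def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """argus prints 'a.b.c.d.port'; the port is the fifth dotted field, if present."""
    host, _, port = endpoint.rpartition(".")
    if host.count(".") == 3 and port.isdigit():
        return host, int(port)
    return endpoint, None  # e.g. icmp records carry no port

def parse_records(text: str) -> List[Flow]:
    """Parse ra-style lines; lines that do not match the record layout are ignored."""
    flows = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        flows.append(Flow(m["ts"], m["proto"], src_ip, src_port, dst_ip, dst_port, m["state"]))
    return flows

def filter_violations(flows: List[Flow], port: int = 80) -> List[Flow]:
    """Records that the BPF expression 'tcp port <port>' matches; with
    ARGUS_FILTER="not tcp port <port>" honoured, this list must be empty."""
    return [f for f in flows if f.proto == "tcp" and port in (f.src_port, f.dst_port)]
```

Run `filter_violations(parse_records(open("argus.txt").read()))` over real ra output; any record it returns is evidence the filter was not applied, as in the output above.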