another newbie question

Furnish, Trever G TGFurnish at herff-jones.com
Tue Jan 20 11:58:14 EST 2004


I'm back with another hopefully easy question...

Where can I look for details on the filter language?  Is it just vanilla
tcpdump?  If so, then can someone help me understand why the following three
commands don't all produce exactly the same output (given the same input
file)?  The only change between the commands is the 3rd octet of the network
address that makes up the last condition.  ...but the 3rd octet should not
matter at all because the mask is a /16.

So these should all be the same network:
	net 192.168.10.0 mask 255.255.0.0
	net 192.168.0.0 mask 255.255.0.0
	net 192.168.1.0 mask 255.255.0.0

But they produce very different results.  What am I misunderstanding, or is
this a bug?

[root at enterprise u01]# ramon -M Matrix -n -L0 -r /u01/argus.log - dst net 192.168.0.64 mask 255.255.0.192 and ! net 192.168.10.0 mask 255.255.0.0 | wc -l
    341

[root at enterprise u01]# ramon -M Matrix -n -L0 -r /u01/argus.log - dst net 192.168.0.64 mask 255.255.0.192 and ! net 192.168.0.0 mask 255.255.0.0 | wc -l
      0

[root at enterprise u01]# ramon -M Matrix -n -L0 -r /u01/argus.log - dst net 192.168.0.64 mask 255.255.0.192 and ! net 192.168.1.0 mask 255.255.0.0 | wc -l
    341


--
Trever
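The following is an added example, not part of the post above and not argus or ramon code. It shows the two ways a filter engine can evaluate "net A mask M": masking both the packet address and A before comparing (what the poster expects, and what makes the three filters equivalent), versus masking only the packet address and comparing it to A as written. The second variant is a hypothetical implementation choice included for illustration; the post does not show which one ramon uses. Run over a constructed set of destination addresses, the masked variant gives the same count for all three filters, while the unmasked variant gives the match-everything / match-nothing / match-everything pattern of the 341 / 0 / 341 counts in the post. Also shown is the check tcpdump itself performs: it rejects a "net" whose address has bits set outside the mask ("non-network bits set"), which is exactly the case for 192.168.10.0 with a /16 mask.

```python
# Added example (not from the post or the argus project): how "net A mask M"
# behaves when A has bits set outside M, under two evaluation semantics.
import socket
import struct

def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def has_host_bits(net: str, mask: str) -> bool:
    """True if the network address has bits set outside the mask, i.e. it is
    not a proper network address for that mask.  tcpdump refuses such a
    filter with "non-network bits set in ..."."""
    return (ip_to_int(net) & ~ip_to_int(mask) & 0xFFFFFFFF) != 0

def matches_masked_net(addr: str, net: str, mask: str) -> bool:
    """Mask both sides before comparing.  With this semantics the third octet
    of 'net' is irrelevant under a /16 mask, as the poster expects."""
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(net) & m)

def matches_unmasked_net(addr: str, net: str, mask: str) -> bool:
    """HYPOTHETICAL semantics, assumed here for illustration only: mask the
    packet address but compare it to the network literal as written.  A net
    with host bits set then never matches anything."""
    return (ip_to_int(addr) & ip_to_int(mask)) == ip_to_int(net)

def count_matches(records, net, mask, matcher):
    """Count records whose destination satisfies
    'dst net 192.168.0.64 mask 255.255.0.192 and ! net NET mask MASK',
    evaluating the second term with the given matcher."""
    n = 0
    for dst in records:
        first = matches_masked_net(dst, "192.168.0.64", "255.255.0.192")
        second = matcher(dst, net, mask)
        if first and not second:
            n += 1
    return n

# Constructed sample destinations (not from the poster's argus.log).
# 255.255.0.192 keeps the first two octets and the top two bits of the last
# one, so the first condition matches 192.168.x.64 .. 192.168.x.127.
SAMPLE_DSTS = [
    "192.168.5.64", "192.168.5.100", "192.168.200.127",   # satisfy first term
    "192.168.5.1", "10.0.0.64", "192.168.5.200",          # do not
]

# The three "! net" variants from the post, all with a /16 mask.
NETS = ["192.168.10.0", "192.168.0.0", "192.168.1.0"]

def compare_semantics(records=SAMPLE_DSTS, nets=NETS, mask="255.255.0.0"):
    """Return per-variant counts under both semantics plus the host-bits check."""
    return {
        "host_bits_set": [has_host_bits(n, mask) for n in nets],
        "masked": [count_matches(records, n, mask, matches_masked_net) for n in nets],
        "unmasked": [count_matches(records, n, mask, matches_unmasked_net) for n in nets],
    }

if __name__ == "__main__":
    for k, v in compare_semantics().items():
        print(f"{k:14s} {v}")
```

Under the masked semantics every 192.168.x.x destination is excluded by all three "! net" terms, so the count is the same for each variant; under the unmasked semantics only the variant whose net address has no host bits (192.168.0.0) excludes anything, reproducing the post's pattern. Whatever the engine does, writing the network address with its host bits cleared (192.168.0.0 mask 255.255.0.0, or 192.168.0.0/16) avoids the ambiguity entirely.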



More information about the argus mailing list