another newbie question {Scanned by HJMS}

Carter Bullard carter at qosient.com
Tue Jan 27 18:37:29 EST 2004 

Hey Trever,
   When it comes to writing effective filter expression,
either they work or they don't.  ra*() programs do NOT
use the BPF language that tcpdump uses, so the tcpdump
man page is not going to be helpful.  The ra() man page
maybe though.

   I don't think your masks are going to work, but if
you are getting the results you're looking for, then
that is great.  If you're not getting the results you're
looking for, then changing the masks may work.  But if
that eventually fails, then we can change the tools,
if that is necessary.

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Furnish, Trever
G
Sent: Tuesday, January 27, 2004 5:21 PM
To: Argus List (E-mail)
Subject: RE: another newbie question {Scanned by HJMS}

> -----Original Message-----
> From: Kevin C Miller [mailto:kevinm at andrew.cmu.edu]
> Sent: Tuesday, January 20, 2004 12:06 PM
> To: Furnish, Trever G; Argus List (E-mail)
> Subject: Re: another newbie question {Scanned by HJMS}
>
>
> It's just the BPF language that tcpdump and others use.

So it *is* the same as tcpdump?  Odd then that tcpdump has no issue with "!"
(and it's in the tcpdump manual page).  From that page:

Primitives may be combined using:
   A parenthesized group of primitives and operators (parentheses are
special to the Shell and must be escaped).
   Negation (`!' or `not').
   Concatenation (`&&' or `and').
   Alternation (`||' or `or').

But I'll give "not" a try nonetheless - thanks.

> Also, 255.255.0.192 isn't a valid netmask. Do you mean
> 255.255.255.192 ?

I'm surprised at that statement.  By my understanding of netmasks (which
applies quite well to cisco routers), there is no requirement that the 1's
in a mask be contiguous across octet boundaries.  In a mask, the 1's denote
those bits of the address octets which are not allowed to vary.

So for example, the following "pattern" (address+mask):
1.2.3.4 mask 255.255.0.255

...should match each of the following example addresses:
1.2.1.4
1.2.2.4
1.2.3.4
1.2.4.4
...

...because the third octet is all zeros, meaning all eight bits are allowed
to vary.

And by that logic, all of the three expressions I listed in the original
message define the exact same set of addresses.


> -Kevin
>
> --On Tuesday, January 20, 2004 11:58 AM -0500 "Furnish, Trever G"
> <TGFurnish at herff-jones.com> wrote:
>
> > [root at enterprise u01]# ramon -M Matrix -n -L0 -r
> /u01/argus.log - dst net
> > 192.168.0.64 mask 255.255.0.192 and ! net 192.168.1.0 mask
> 255.255.0.0 |
> > wc -l
> >     341
>
>
>
> ---------------------------------------------------
> Kevin C. Miller <kcm at cmu.edu>
> Network Development
> Carnegie Mellon University
>

More information about the argus mailing list