Problem with tcpdump filters

Carter Bullard carter at qosient.com
Wed Jan 5 13:30:38 EST 2005


Hey Alaios,
   Argus passes the filter you provide directly to
libpcap, so if your filter works for tcpdump, it will
work for argus.  The problem is that argus supports
two filters, an input filter and an output filter,
and the output filter is specified as an optional string
after the -w option.  (see the argus man page description
for the "-w outfile [filter]" option)

So, the way around your situation is this:

   argus -dM 1.0 -S 0.01 -I $1 -w my-AF1 - ip[1]==0x28

(probably don't want to generate a management record
100 times a second).

Hope this is useful!!!

Carter
  

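The filter at issue, `ip[1]==0x28`, compares the second byte of the IPv4 header (the TOS field) with 0x28. As an added example, not code from this thread or from the argus project, the following Python models that predicate over constructed raw IPv4 packets: it reproduces the `ip[n]` byte lookup, applies the `ip[1]==0x28` test, and decodes the TOS byte into its DSCP and ECN parts so the selected class is visible. Packet contents, addresses and function names are constructed for illustration.

```python
import struct


def build_ipv4_packet(tos, payload=b"", proto=17, src="10.0.0.1", dst="10.0.0.2"):
    """Return a constructed raw IPv4 packet: 20-byte header without options.

    The checksum is left at zero; the example only inspects header bytes.
    """
    def ip2bytes(addr):
        return bytes(int(octet) for octet in addr.split("."))

    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5 (20 bytes)
        tos,         # byte 1 of the header: Type of Service / DSCP+ECN
        total_len,
        0,           # identification
        0,           # flags + fragment offset
        64,          # TTL
        proto,       # 17 = UDP (constructed value)
        0,           # header checksum (not computed here)
        ip2bytes(src),
        ip2bytes(dst),
    )
    return header + payload


def ip_index(pkt, n):
    """Model of the BPF primitive ip[n]: byte n counted from the start of the IP header.

    Assumes pkt begins at the IP header (link-layer header already stripped).
    Returns None when the packet is not a well-formed IPv4 header, mirroring the
    fact that 'ip[...]' never matches non-IPv4 traffic.
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or n >= len(pkt):
        return None
    return pkt[n]


def matches_tos(pkt, value=0x28):
    """Equivalent of the filter 'ip[1] == 0x28' (value is configurable)."""
    return ip_index(pkt, 1) == value


def decode_tos(tos):
    """Split a TOS byte into (DSCP, ECN): DSCP is the upper 6 bits, ECN the lower 2."""
    return tos >> 2, tos & 0x3


def filter_packets(packets, value=0x28):
    """Return only the packets the 'ip[1] == value' filter would pass."""
    return [p for p in packets if matches_tos(p, value)]


# Constructed sample traffic: two packets marked 0x28 (DSCP 10 = AF11, ECN 0),
# one unmarked packet, one marked 0xb8 (DSCP 46 = EF), and one non-IPv4 blob.
SAMPLE_PACKETS = [
    build_ipv4_packet(0x28),
    build_ipv4_packet(0x00),
    build_ipv4_packet(0x28, b"payload"),
    build_ipv4_packet(0xb8),
    b"\x60" + b"\x00" * 39,   # starts with version nibble 6: not IPv4
]

if __name__ == "__main__":
    kept = filter_packets(SAMPLE_PACKETS)
    print(f"{len(kept)} of {len(SAMPLE_PACKETS)} packets match ip[1]==0x28")
    for pkt in SAMPLE_PACKETS:
        tos = ip_index(pkt, 1)
        if tos is not None:
            dscp, ecn = decode_tos(tos)
            print(f"tos=0x{tos:02x} dscp={dscp} ecn={ecn} match={matches_tos(pkt)}")
```

The same predicate applied by tcpdump and by argus should therefore select the same packets; the difference described above is only where on the argus command line the filter string is placed, not what it matches.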

> From: Alaios <alaios at yahoo.com>
> Date: Wed, 22 Dec 2004 06:24:53 -0800 (PST)
> To: <carter at qosient.com>
> Subject: Re: [ARGUS] Problem with tcpdump filters
> 
> Can u plz help me with the following? I need an
> alternate way to make it work. Thx
> 
> Your problem likely is that argus doesn't support the
> full tcpdump filter syntax, and I don't believe (although Carter
> would be the expert) that the ip[1] is supported.
> 
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 
> On Tue, Dec 21, 2004 at 06:42:18AM -0800, Alaios wrote:
>> Hi... I face a problem with the argus and the filter
>> that I need to apply...
>> The following command
>> tcpdump -i eth4 -vv ip[1]==0x28 with the filter works
>> fine..
>> The problem is that I cannot apply it to argus...
>> argus -d -M 0.01 -S 0.01 -i $1   -w my-AF1 ip[1]==0x28
>> returns no packet...
>> 
>> I think that the problem is argus-oriented.. because
>> the ra give me packets but ends with a no data seen
>> message
>> 
>> e.x
>> ....
>> skipped a bunch of lines
>> 
>> 
>> 
>> 04-12-21 16:41:04.496108        0.200060  man  pkts       604  bytes       629368  drops     0  flows    3         closed       0           CON
>> 04-12-21 16:41:04.696168        0.200053  man  pkts       714  bytes       743988  drops     0  flows    3         closed       0           CON
>> 
>> No data seen.
>> 
>> Plz suggest me something as fast a u can
>> 
> 
> 
> 
> 