Omitting data with dir = <?>
Carter Bullard
carter at qosient.com
Thu Dec 13 15:34:46 EST 2007
Hey Esteban,
Seems like a precedence problem. The lexical parser
is parsing the filter string as:
(not tcp) and (con)
But "con" is a complex keyword that only applies
to TCP traffic (same applies to the "est" keyword),
so you get the error because it will always return
NULL (I think it's cool that the compiler catches this,
but the credit goes to the original tcpdump() group).
This works however:
not \(tcp and con\)
We could make the "con" keyword a bit more generic,
looking for any flow that has bi-directional traffic, but
the concept for "con" really applies to connection-oriented
protocols, so seems like this is the right behavior.
What do you think?
Carter
On Dec 10, 2007, at 4:58 PM, Esteban G wrote:
> On a related question. Sometime ago you provided the following command
> line as an example for splitting out the servers observed by a sensor
> into directories based on IP:
> rasplit -R data -M time 1d -w servers/\$daddr/argus.%Y.%m.%d.%H.%M.%S \
> - \( tcp and syn and synack \) or \( not tcp and con \)
>
> When I do this, the output is really nice. However, I am only seeing
> the tcp traffic and nothing from the "(not tcp and con)" filter. When
> I run ra -n -r <data> - "(not tcp and con)", I get the complaint:
> ArgusFilterCompile: expression rejects all records
>
>
> -Esteban
>
>
> On 12/3/07, Carter Bullard <carter at qosient.com> wrote:
>> Hey Wolfgang,
>> The ? is caused by not seeing the tcp syn or synack, so ...
>>
>> -- (syn or synack) or not tcp
>>
>> Should do the trick.
>>
>> Carter
>>
>>
>> Carter Bullard
>> QoSient LLC
>> 150 E. 57th Street Suite 12D
>> New York, New York 10022
>> +1 212 588-9133 Phone
>> +1 212 588-9134 Fax
>>
>> -----Original Message-----
>> From: wob at swobspace.de (Wolfgang Barth)
>>
>> Date: Fri, 30 Nov 2007 17:45:21
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: [ARGUS] Omitting data with dir = <?>
>>
>>
>> Hi,
>>
>> I want to omit records with unknown direction (dir = <?>). How can
>> I filter
>> out such records with ra?
>>
>> Wolfgang
>> --
>> <wob (at) swobspace de> * http://www.swobspace.de
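Added example, not code from the Argus project or from anyone in this thread: a toy Python parser that applies the precedence Carter describes (not binds tighter than and, which binds tighter than or), renders the grouping it chose, and runs a brute-force version of the "expression rejects all records" check over constructed sample flow records. The keyword set, the record layout and the sample records are assumptions made for the example; the real ArgusFilterCompile is tcpdump-derived and works differently internally, but the precedence and the TCP-only nature of "con"/"est" are the behaviour the thread describes.

```python
import re

# Toy keyword set (assumption for this example). Protocol keywords test the
# protocol; state keywords are TCP-only, which is why "not tcp and con"
# can never match anything.
PROTO_KEYWORDS = {"tcp", "udp", "icmp"}
TCP_STATE_KEYWORDS = {"syn", "synack", "con", "est"}


def tokenize(expr):
    """Split a filter string into parentheses and lowercase keywords."""
    if not re.fullmatch(r"[\sa-z()]*", expr):
        raise ValueError(f"unsupported character in filter: {expr!r}")
    return re.findall(r"\(|\)|[a-z]+", expr)


class Parser:
    """Recursive-descent parser with tcpdump/Argus precedence: not > and > or."""

    def __init__(self, tokens):
        self.tokens = tokens
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        ast = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return ast

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.parse_not())  # "not" applies to the next term only
        if tok == "(":
            inner = self.parse_or()           # parentheses override precedence
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in PROTO_KEYWORDS or tok in TCP_STATE_KEYWORDS:
            return ("kw", tok)
        raise ValueError(f"unknown keyword {tok!r}")


def parse(expr):
    return Parser(tokenize(expr)).parse()


def to_string(ast):
    """Fully parenthesised rendering, so the grouping the parser chose is visible."""
    op = ast[0]
    if op == "kw":
        return ast[1]
    if op == "not":
        return f"(not {to_string(ast[1])})"
    return f"({to_string(ast[1])} {op} {to_string(ast[2])})"


def evaluate(ast, record):
    """Evaluate against a constructed flow record {'proto': str, 'state': set}."""
    op = ast[0]
    if op == "kw":
        kw = ast[1]
        if kw in PROTO_KEYWORDS:
            return record["proto"] == kw
        # TCP-only keywords are simply false for anything that is not TCP.
        return record["proto"] == "tcp" and kw in record["state"]
    if op == "not":
        return not evaluate(ast[1], record)
    if op == "and":
        return evaluate(ast[1], record) and evaluate(ast[2], record)
    return evaluate(ast[1], record) or evaluate(ast[2], record)


def sample_records():
    """Constructed records covering each protocol and every TCP-state subset."""
    records = [{"proto": p, "state": set()} for p in ("udp", "icmp")]
    states = sorted(TCP_STATE_KEYWORDS)
    for bits in range(1 << len(states)):
        chosen = {s for i, s in enumerate(states) if bits >> i & 1}
        records.append({"proto": "tcp", "state": chosen})
    return records


def rejects_all(expr):
    """Brute-force stand-in for the 'expression rejects all records' check."""
    ast = parse(expr)
    return not any(evaluate(ast, r) for r in sample_records())


if __name__ == "__main__":
    for expr in ("not tcp and con", "not (tcp and con)"):
        print(f"{expr!r:22} -> {to_string(parse(expr))}  rejects all: {rejects_all(expr)}")
```

Running it shows "not tcp and con" grouped as "((not tcp) and con)" and rejected outright, while "not (tcp and con)" groups as written and matches non-TCP records. Remember that on a shell command line the parentheses must be escaped or quoted (the `\(` form in the thread), otherwise the shell consumes them before ra ever sees the filter.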