filters specified in config file ignored by rc39
Russell Fulton
r.fulton at auckland.ac.nz
Wed Feb 28 20:20:14 EST 2007
Russell Fulton wrote:
> Hi Folks,
>
> Would someone else test this to make sure I'm not pissing into the wind
> again :)
>
> I recently transferred the filter specs from the command line, first to
> the output file spec and then to the filter variable in the config
> file. Neither seemed to work. Putting the filter back on the command
> line worked as expected.
>
> BTW I assume it is more effective to specify the filter globally rather
> than on the output file if there is just one output file.
>
>
Hmmm... trap for the unwary :) filter "tcp and dst port 80" means
something rather different to ra and argus! It took me about half an
hour to figure out why argus was seeing traffic in just one direction
after I applied this filter. I've got so used to using filters with
ra where the filter applies to *flows* that I simply assumed that argus
filters would behave the same. They don't; they behave just like tcpdump
filters (i.e. they are packet filters).

Carter, am I correct in assuming that the output filters associated with
an output file are flow filters not packet filters?

And this answers my original question about when to use the argus_filter
and when to use the filter option of the output file.

Russell
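
Added example (not part of the original post, and not argus or ra code): a toy Python model of the difference described above, applying "tcp and dst port 80" once per packet before flow aggregation and once per flow record after it. The packets, addresses and function names are constructed for illustration, and the aggregation is a simplified assumption of how a bidirectional flow record is built.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport nbytes")

# Constructed sample: one HTTP connection, client 10.0.0.5 -> server 192.0.2.10:80
PACKETS = [
    Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 60),    # SYN
    Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 60),    # SYN/ACK
    Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 400),   # request
    Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 1500),  # response
    Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 900),   # response
]

def packet_filter(p):
    """'tcp and dst port 80' evaluated per packet, tcpdump style."""
    return p.proto == "tcp" and p.dport == 80

def flow_filter(key):
    """'tcp and dst port 80' evaluated per flow record."""
    proto, _src, _sport, _dst, dport = key
    return proto == "tcp" and dport == 80

def build_flows(packets):
    """Aggregate packets into bidirectional flow records.
    The first packet seen for a connection defines source and destination."""
    flows = {}
    for p in packets:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in flows:
            # Reply traffic is counted on the destination side of the flow
            flows[rev]["dst_pkts"] += 1
            flows[rev]["dst_bytes"] += p.nbytes
        else:
            f = flows.setdefault(fwd, {"src_pkts": 0, "src_bytes": 0,
                                       "dst_pkts": 0, "dst_bytes": 0})
            f["src_pkts"] += 1
            f["src_bytes"] += p.nbytes
    return flows

def filter_packets_then_aggregate(packets):
    """Packet filter in front of the flow builder: replies never arrive."""
    return build_flows([p for p in packets if packet_filter(p)])

def aggregate_then_filter_flows(packets):
    """Flow filter on finished records: both directions are retained."""
    return {k: v for k, v in build_flows(packets).items() if flow_filter(k)}
```

In this model the packet-filtered record has zero destination-side packets, which matches the one-directional traffic described in the post, while the flow-filtered record keeps the server's replies.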