filters specified in config file ignored by rc39

[carter at qosient.com]

Hey Russell,
You are absolutely correct!!!  The input filter for argus is a libpcap filter, and so its a packet filter.  All other filters are flow filters.

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: Russell Fulton <r.fulton at auckland.ac.nz>
Date: Thu, 01 Mar 2007 14:20:14 
To:Russell Fulton <r.fulton at auckland.ac.nz>
Cc:argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] filters specified in config file ignored by rc39



Russell Fulton wrote:
> Hi Folks,
>
> Would someone else test this to make sure I'm not pissing into the wind
> again :)
>
> I recently transferred the filter specs from the command line, first to
> the output file spec and then to the filter variable in the config
> file.  Neither seemed to work.  Putting the filter back on the command
> line worked as expected.
>
> BTW  I assume it is more effective to specify the filter globally rather
> than on the output file if there is just one output file.
>
>   

Hmmm... trap for the unwary :)  filter "tcp and dst port 80"  means
something rather different to ra and argus!  I took me about half an
hour to figure out why argus was seeing traffic in just one direction
after I applied this filter.    I've got so used to using filters with
ra where the filter applies to *flows* that I simply assumed that argus
filters would behave the same.  They don't they behave just like tcpdump
filters ( i.e. they are packet filters).


Carter, am I correct in assuming that the output filters associated with
an output file are flow filters not packet filters?


And this answers my original question about when to use the argus_filter
and when to use the filter option of the output file.

Russell