Filtering with netmasks?

Carter Bullard carter at qosient.com
Wed May 2 16:01:09 EDT 2007 

The syntax changed because we need to input floating point numbers
into the filter, and parsing 10.3 as both a net address and a float 
is/was a bit
confusing for flex/bison.  Hopefully this will not be a major problem.

Carter


Peter Van Epp wrote:
> On Wed, May 02, 2007 at 01:53:12PM -0500, K K wrote:
>   
>> We'd like to be able to generate a "Top 10 users of Internet
>> bandwidth" report for traffic exchanged between internal users and
>> Internet hosts.  Originally I tried this with v2, and I'm now testing
>> with V3.0.0.  In both cases, the host OS is OpenBSD 3.9 (soon to be
>> upgraded to 4.1, released yesterday).
>>
>> We already have the inside-edge Cisco router sending NetFlow to Argus,
>> but not all the traffic crossing this router is Internet traffic, so
>> I'm trying to use filter expressions to report only on the relevant
>> traffic, like this:
>>
>> ra -r /data/argus/argus.2007.05.01.16.50.01.gz -w -
>>  - 'host squidproxy or host socksproxy or not ( src net 205.166.42.
>> or 10. or 172.24. or 172.30.12. or 192.168. ) or not ( dst net
>> 205.166.42. or 10. or 172.24. or 172.30.12. or 192.168. )' | racluster
>> -M rmon -m saddr -w - | rasort -m bytes load -w - | ra -N 10 -s saddr
>> daddr spkts dpkts sbytes dbytes load | tr -s " " | sed -e "s/
>> 0\.0\.0\.0//"
>>
>>     
>
> 	That is likely because filter syntax has changed a bit.
>
> ra3 -r com_argus -n \(src net 142.58.209.\)
>    10:54:58.668335             man               3032      0                    22674      1   766884    40295        22674   3276032916   CON
>    10:54:58.668335             man               3110      0                    22592      1   802514    38178        22592   3325167276   CON
>    10:54:58.668335             man               3364      0                    
>
> 	which now needs to be:
>
> ra3 -r com_argus -n \(src net 142.58.209.0/24\)
>
>    11:59:56.019915  e          tcp      142.58.209.70.1168     <?>      xxx.yy.zzz.aa.80            8        8         9225         1117   CON
>
> 	to get the expected data. Filters of the first form worked in the 
> 2.0 (at least 2.0.6) series but don't on 3.0. 
>
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
>
>

More information about the argus mailing list