Fwd: BPF filter in Argus 2.0.5

Kjell Tore Fossbakk kjelltore at gmail.com
Fri Apr 25 07:01:06 EDT 2008


Hello Mr Rebollo.

There is "and not port X"; shouldn't that give you an exclusion of port X?
(At least that's how I write BPF filters in tcpdump.)

I have not tested with unescaping the brackets. I'll try that!

Thanks,
Kjell Tore Fossbakk

On Fri, Apr 25, 2008 at 12:17 PM, Pablo J. Rebollo-Sosa <
Pablo.Rebollo at ece.uprm.edu> wrote:

> Kjell,
>
> You can try "not port \( 443 or 80 \)".  You can't use "and" because both
> conditions need to be true.
>
> Regards,
>
> Pablo J. Rebollo
>
> Kjell Tore Fossbakk wrote:
>
>> Sent to the wrong address.
>>
>> ---------- Forwarded message ----------
>> From: Kjell Tore Fossbakk <kjelltore at gmail.com>
>> Date: Fri, Apr 25, 2008 at 10:33 AM
>> Subject: Fwd: BPF filter in Argus 2.0.5
>> To: carter at qosient.com
>>
>>
>> Hello again.
>>
>> As of now I'm using tcpdump to write to a FIFO, and using argus with
>> option -r to read from that FIFO. That way I am able to filter out port 80
>> and port 443, but surely there is a better way of doing this?
>>
>> Cheers,
>> Kjell Tore Fossbakk
>>
>>
>> ---------- Forwarded message ----------
>> From: Kjell Tore Fossbakk <kjelltore at gmail.com>
>> Date: Fri, Apr 25, 2008 at 9:49 AM
>> Subject: BPF filter in Argus 2.0.5
>> To: carter at qosient.com
>>
>>
>> Hello Mr Carter.
>>
>> I'm running Argus Version 2.0.5, and I'm trying to exclude port 80 and port
>> 443 from my Argus sessions due to the massive amount of sessions they
>> generate.
>>
>> I start argus by running:
>>
>> argus -i <interface> -w output -c -d ip and !(port 80 or port 443)
>> argus -i <interface> -w output -c -d ip and not port 80 and not port 443
>> argus -i <interface> -w output -c -d - ip and !(port 80 or port 443)
>> argus -i <interface> -w output -c -d - ip and not port 80 and not port 443
>>
>> Neither of the commands above excludes port 80 and/or port 443 from my
>> output file.
>>
>> Do you have any idea why this does not work?
>>
>> Cheers,
>> Kjell Tore Fossbakk
>>
>


-- 

Social Engineering Specialist
- Because there's no patch for Human Stupidity
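Editor's note: the thread leaves two questions open, whether "not port 80 and not port 443" is the same exclusion as "not (port 80 or port 443)", and what the backslashes in "not port \( 443 or 80 \)" are for. The first is a question of filter semantics, the second of shell quoting: an unquoted "(" or "!(" is interpreted by the shell, so the command lines in the original post never deliver the expression to argus intact; escaping the parentheses (or single-quoting the whole filter) passes them through. The following evaluator is an added example, not code from argus, libpcap or anyone in this thread. It implements the small subset of BPF syntax used in the thread (ip, port N, port (N or M), not/!, and, or, parentheses) with libpcap's precedence (not binds tightest, then and, then or), runs each spelling from the thread over a few constructed flow records, and shows which flows each spelling keeps. Backslashes are ignored by the tokenizer to mimic the shell having already removed them.

```python
import re

# Constructed sample flows (proto, source port, destination port); not real
# capture data.  The arp entry is there to show the leading "ip" term working.
FLOWS = [
    ("tcp", 51234, 80),
    ("tcp", 51235, 443),
    ("tcp", 51236, 22),
    ("udp", 51237, 53),
    ("arp", 0, 0),
]

# Backslashes are not matched, so shell-escaped "\(" reaches us as "(".
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z0-9]+")


def tokenize(expr):
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive-descent parser for the thread's filter subset.

    Precedence follows libpcap: "not" binds tightest, then "and", then "or".
    """

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError("trailing token %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        if tok == "ip":
            return ("ip",)
        if tok == "port":
            # "port N" or the libpcap-style "port ( N or M )" used by Pablo.
            if self.peek() == "(":
                self.take()
                nums = [int(self.take())]
                while self.peek() in ("or", "||"):
                    self.take()
                    nums.append(int(self.take()))
                if self.take() != ")":
                    raise SyntaxError("missing ')' after port list")
                return ("port", nums)
            return ("port", [int(self.take())])
        raise SyntaxError("unexpected token %r" % tok)


def evaluate(node, flow):
    proto, sport, dport = flow
    op = node[0]
    if op == "ip":
        return proto in ("tcp", "udp", "icmp")
    if op == "port":
        return sport in node[1] or dport in node[1]
    if op == "not":
        return not evaluate(node[1], flow)
    if op == "and":
        return evaluate(node[1], flow) and evaluate(node[2], flow)
    if op == "or":
        return evaluate(node[1], flow) or evaluate(node[2], flow)
    raise ValueError("unknown node %r" % op)


def apply_filter(expr, flows=FLOWS):
    """Return the (proto, dst port) pairs that the filter would keep."""
    tree = Parser(expr).parse()
    return [(proto, dport) for (proto, sport, dport) in flows
            if evaluate(tree, (proto, sport, dport))]


if __name__ == "__main__":
    for expr in [
        "ip and not port 80 and not port 443",
        "ip and not (port 80 or port 443)",
        "ip and !(port 80 or port 443)",
        r"ip and not port \( 443 or 80 \)",
        "ip and not port 80 or not port 443",   # "or" keeps everything
    ]:
        print("%-40s -> %s" % (expr, apply_filter(expr)))
```

The first four spellings keep only the tcp/22 and udp/53 flows, so "not port 80 and not port 443" and "not (port 80 or port 443)" are the same exclusion (De Morgan). The last spelling, with "or" between the two negated terms, keeps every flow, including the arp record, because "and" binds tighter than "or" and "not port 443" is true for the port 80 flow and vice versa. What remains for the original poster is purely a shell-quoting matter: write the parentheses as "\(" and "\)" or put the whole filter in single quotes.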