Fwd: BPF filter in Argus 2.0.5

Pablo J. Rebollo Pablo.Rebollo at ece.uprm.edu
Fri Apr 25 07:41:03 EDT 2008


Kjell,

If you use the expression "port", remember that the packets have both 
source and destination.  So if you use "port 443 and port 80" both 
conditions need to be true for the same packet to match.  This will 
match packets like this:

 192.168.0.1:80 -> 192.168.0.2:443
 192.168.0.3:443 -> 192.168.0.4:80

This is what I understand. ;)

Best regards,

Pablo J. Rebollo

Kjell Tore Fossbakk wrote:
> Hello Mr Rebollo.
>
> There is "and not port X", should that give you an exclusion of port X?
> (at least that's how I write BPF filters in tcpdump).
>
> I have not tested with unescaping the brackets. I'll try that!
>
> Thanks,
> Kjell Tore Fossbakk
>
> On Fri, Apr 25, 2008 at 12:17 PM, Pablo J. Rebollo-Sosa
> <Pablo.Rebollo at ece.uprm.edu> wrote:
>
>     Kjell,
>
>     You can try "not port \( 443 or 80 \)".  You can't use "and"
>     because both conditions need to be true.
>
>     Regards,
>
>     Pablo J. Rebollo
>
>     Kjell Tore Fossbakk wrote:
>
>         Sent to the wrong address.
>
>         ---------- Forwarded message ----------
>         From: Kjell Tore Fossbakk <kjelltore at gmail.com>
>         Date: Fri, Apr 25, 2008 at 10:33 AM
>         Subject: Fwd: BPF filter in Argus 2.0.5
>         To: carter at qosient.com
>
>
>         Hello again.
>
>         As of now I'm using tcpdump to write to a fifo filepointer, and
>         using argus with option -r to read from that fifo. Then I am
>         able to filter out port 80 and port 443, but surely there is a
>         better way of doing this?
>
>         Cheers,
>         Kjell Tore Fossbakk
>
>
>         ---------- Forwarded message ----------
>         From: Kjell Tore Fossbakk <kjelltore at gmail.com>
>         Date: Fri, Apr 25, 2008 at 9:49 AM
>         Subject: BPF filter in Argus 2.0.5
>         To: carter at qosient.com
>
>
>         Hello Mr Carter.
>
>         I'm running Argus Version 2.0.5, and I'm trying to exclude port
>         80 and port 443 from my Argus sessions due to the massive
>         amounts of sessions they generate.
>
>         I start argus by running:
>
>         argus -i <interface> -w output -c -d ip and !(port 80 or port 443)
>         argus -i <interface> -w output -c -d ip and not port 80 and not port 443
>         argus -i <interface> -w output -c -d - ip and !(port 80 or port 443)
>         argus -i <interface> -w output -c -d - ip and not port 80 and not port 443
>
>         None of the commands above excludes port 80 and/or port 443
>         from my output file.
>
>         Do you have any idea why this does not work?
>
>         Cheers,
>         Kjell Tore Fossbakk
>
>
>
>
> -- 
>
> Social Engineering Specialist
> - Because there's no patch for Human Stupidity 
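
The filter semantics this thread turns on can be checked without a capture interface. The Python below is an added example, not code from argus, tcpdump or anyone in this thread: it implements a small evaluator for the `ip`, `port N`, `not`/`!`, `and`/`&&`, `or`/`||` and parenthesis subset of BPF filter syntax, with BPF's precedence (not over and over or), and runs the thread's expressions over a handful of constructed packet tuples. The Pkt class, its field names, the SAMPLE list and every port number in it are invented for the example, and the `port (80 or 443)` qualifier-sharing shorthand is not handled. It shows that `not port 80 and not port 443` and `!(port 80 or port 443)` select exactly the same packets, and that `port 443 and port 80` only matches a packet carrying both ports, as the reply at the top of the thread describes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary: only what this filter subset looks at."""
    proto: str   # "ip" or anything else (e.g. "arp"); field names are hypothetical
    sport: int
    dport: int


# tcpdump accepts both the word and the symbol forms of the operators.
_TOKEN = re.compile(r"\(|\)|!|&&|\|\||\w+")
_ALIAS = {"!": "not", "&&": "and", "||": "or"}


def tokenize(expr):
    return [_ALIAS.get(t, t) for t in _TOKEN.findall(expr)]


def _and(a, b): return lambda p: a(p) and b(p)
def _or(a, b): return lambda p: a(p) or b(p)
def _not(a): return lambda p: not a(p)


class _Parser:
    """Recursive descent with BPF precedence: not > and > or.
    Every node compiles to a predicate Pkt -> bool."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = _or(node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "and":
            self.take()
            node = _and(node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            return _not(self.not_expr())
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            self.take(")")
            return node
        if tok == "ip":
            return lambda p: p.proto == "ip"
        if tok == "port":
            num = self.take()
            if not num.isdigit():
                raise SyntaxError(f"port needs a number, got {num!r}")
            n = int(num)
            # 'port N' is true for source OR destination port, which is why
            # 'port 443 and port 80' only matches a packet carrying both.
            return lambda p: p.sport == n or p.dport == n
        raise SyntaxError(f"unsupported primitive {tok!r}")


def compile_filter(expr):
    return _Parser(tokenize(expr)).parse()


def select(expr, pkts):
    """Return the packets that expr would let through."""
    f = compile_filter(expr)
    return [p for p in pkts if f(p)]


def equivalent(expr_a, expr_b, pkts):
    """True when both filters select the same packets from pkts."""
    return select(expr_a, pkts) == select(expr_b, pkts)


# Constructed traffic: protocols and ports invented for the example.
SAMPLE = [
    Pkt("ip", 51000, 80),    # client -> web server
    Pkt("ip", 443, 52000),   # TLS server -> client
    Pkt("ip", 80, 443),      # the odd case from the reply: both ports on one packet
    Pkt("ip", 51001, 22),    # SSH: the only IP packet that should survive exclusion
    Pkt("arp", 0, 0),        # non-IP, removed by the leading 'ip'
]

if __name__ == "__main__":
    for expr in ("ip and not port 80 and not port 443",
                 "ip and !(port 80 or port 443)",
                 "port 443 and port 80"):
        print(f"{expr:40} -> {select(expr, SAMPLE)}")
```

One practical caveat when these expressions are typed at a shell prompt rather than fed to this evaluator: unquoted parentheses are shell syntax, so a filter containing `(` should be passed to the program as a single quoted argument (or the parentheses escaped, as in the reply above) to be sure the program sees the expression intact.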
