How to find multipath flows

Carter Bullard carter at qosient.com
Tue Feb 12 22:07:16 EST 2008 

Hey Kevin,
Hmmmm, I probably haven't put it back into argus() yet.
What this will do is provide an indication in the flow record that the
mac addresses did change.  It will come up as a 'M' in the flgs field,
and multipath as a keyword will work, however, I'm not sure that any
of this support in back in argus.  I'll look at it tonight.

Carter

On Feb 12, 2008, at 4:01 PM, Kevin & Leah Branch wrote:

>
> According to this line in the ra man page:
>       "Support for selecting flows that used multiple pairs of MAC  
> addresses during their lifetime.  multipath"
> it appears possible to find flows where the src/dst ip pair of a  
> given flow may have more than a single src and dst mac address  
> involved.
>
> For the life of me, I can't figure out how to use that keyword  
> successfully.
>
> #ra -r /argus/tru - multipath
> ra[12908]: 15:52:52.724448 multipath filter syntax error
>
> # ra -r /argus/tru - ip and multipath
> ra[12910]: 15:53:03.768240 ip and multipath filter syntax error
>
> #ra -r /argus/tru - ipv4 and multipath
> ra[12912]: 15:53:07.135261 ipv4 and multipath filter syntax error
>
> Any hints on this one?
>
> More than once I've run into weirdly behaving devices on my network  
> that have responded to flooded unicast packets (as in my switches  
> didn't have the target mac in their forwarding tables)  not  
> addressed to them(neither by dest IP nor by dest mac)  by "routing"  
> them back out onto the same network (decremented TTL and src mac  
> replaced by that of wierd device).   I'd love to be able to better  
> isolate this behavior in the future.  So far, I can only catch this  
> if there is another anomaly at the flow level that gets my attention  
> and leads me to dig further into my verbatim tcpdump recordings.
>
> Kevin Branch
>
> Need to know the score, the latest news, or you need your Hotmail®- 
> get your "fix". Check it out.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080212/2662ccec/attachment.html>

More information about the argus mailing list