How to find multipath flows

Carter Bullard carter at qosient.com
Wed Feb 13 00:31:46 EST 2008 

Hey Kevin,
I just upload a new argus-3.0.0 and argus-clients-3.0.0.rc.69 that
have multipath support.  You'll see a 'M' in the encapsulation column
of the flgs field and [src | dst] multipath work as filter expressions  
on
the client side.

Give it a try to see if it works for you!!

Carter


On Feb 12, 2008, at 4:01 PM, Kevin & Leah Branch wrote:

>
> According to this line in the ra man page:
>       "Support for selecting flows that used multiple pairs of MAC  
> addresses during their lifetime.  multipath"
> it appears possible to find flows where the src/dst ip pair of a  
> given flow may have more than a single src and dst mac address  
> involved.
>
> For the life of me, I can't figure out how to use that keyword  
> successfully.
>
> #ra -r /argus/tru - multipath
> ra[12908]: 15:52:52.724448 multipath filter syntax error
>
> # ra -r /argus/tru - ip and multipath
> ra[12910]: 15:53:03.768240 ip and multipath filter syntax error
>
> #ra -r /argus/tru - ipv4 and multipath
> ra[12912]: 15:53:07.135261 ipv4 and multipath filter syntax error
>
> Any hints on this one?
>
> More than once I've run into weirdly behaving devices on my network  
> that have responded to flooded unicast packets (as in my switches  
> didn't have the target mac in their forwarding tables)  not  
> addressed to them(neither by dest IP nor by dest mac)  by "routing"  
> them back out onto the same network (decremented TTL and src mac  
> replaced by that of wierd device).   I'd love to be able to better  
> isolate this behavior in the future.  So far, I can only catch this  
> if there is another anomaly at the flow level that gets my attention  
> and leads me to dig further into my verbatim tcpdump recordings.
>
> Kevin Branch
>
> Need to know the score, the latest news, or you need your Hotmail®- 
> get your "fix". Check it out.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080213/2f4189c8/attachment.html>

More information about the argus mailing list