Argus 3.0 and Fedora 9
Mike Iglesias
iglesias at uci.edu
Tue Mar 3 02:51:39 EST 2009
Carter Bullard wrote:
> That is odd, as we just pass that string directly to the pcap
> filter compiler, and if it compiles, we use it.
>
> If you give argus a "-b" option, you should get the dump of
> the pcap compiled filter. Is there any output with the (ip and not icmp)
> filter?
Here's the output:
# /usr/local/argus/sbin/argus -b - \( ip and not icmp \)
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 7
(002) ldh [12]
(003) jeq #0x800 jt 4 jf 6
(004) ldb [23]
(005) jeq #0x1 jt 7 jf 6
(006) ret #96
(007) ret #0
The Fedora 9 libpcap version from the RPM name is 0.9.8-2.fc9.
--
Mike Iglesias Email: iglesias at uci.edu
University of California, Irvine phone: 949-824-6926
Network & Academic Computing Services FAX: 949-824-2270
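To make the dumped filter above concrete, here is a small BPF interpreter that executes that exact program against constructed Ethernet frames. This is an added example, not code from the original post, from argus or from libpcap; the program table is a transcription of the `argus -b` output above, the frames are constructed inline, and the only assumptions are the standard BPF conventions: `bpf_dump` prints jump targets as absolute instruction indices, an out-of-bounds load rejects the packet, and the value returned by `ret` is the number of bytes to keep (so `ret #96` is the 96-byte snaplen and `ret #0` drops the packet).

```python
import struct

# The filter program exactly as printed by `argus -b - \( ip and not icmp \)`
# on the page, transcribed as (opcode, operand, jt, jf). bpf_dump prints
# jump targets as absolute instruction numbers, which is how they are used here.
PROGRAM = [
    ("ldh", 12, None, None),     # (000) A = 16-bit Ethernet type at offset 12
    ("jeq", 0x800, 2, 7),        # (001) IPv4? -> 002, else -> 007 (reject)
    ("ldh", 12, None, None),     # (002) reload the Ethernet type
    ("jeq", 0x800, 4, 6),        # (003) IPv4? -> 004, else -> 006 (accept)
    ("ldb", 23, None, None),     # (004) A = IP protocol byte (14 + 9)
    ("jeq", 0x1, 7, 6),          # (005) ICMP? -> 007 (reject), else -> 006
    ("ret", 96, None, None),     # (006) accept, keep 96 bytes (the snaplen)
    ("ret", 0, None, None),      # (007) reject
]


def run_bpf(program, packet):
    """Execute a BPF program on a raw frame; return the byte count to keep (0 = drop)."""
    acc = 0
    pc = 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ldh":
            # A load past the end of the packet rejects it, as the kernel does.
            if k + 2 > len(packet):
                return 0
            acc = struct.unpack_from("!H", packet, k)[0]
            pc += 1
        elif op == "ldb":
            if k + 1 > len(packet):
                return 0
            acc = packet[k]
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode %r" % op)


def ethernet_frame(ethertype, payload):
    """Constructed 14-byte Ethernet header (zero MACs) followed by payload."""
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


def ipv4_header(protocol):
    """Constructed minimal 20-byte IPv4 header carrying the given protocol number."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, protocol, 0,
        b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
    )


def filter_results():
    """Run the page's filter over constructed sample frames and return the verdicts."""
    samples = {
        "ipv4_tcp": ethernet_frame(0x0800, ipv4_header(6)),   # ip and not icmp
        "ipv4_icmp": ethernet_frame(0x0800, ipv4_header(1)),  # ip but icmp
        "arp": ethernet_frame(0x0806, b"\x00" * 28),          # not ip at all
        "truncated_ip": ethernet_frame(0x0800, b""),          # no IP header to read
    }
    return {name: run_bpf(PROGRAM, frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, verdict in filter_results().items():
        print("%-13s -> %s" % (name, "keep %d bytes" % verdict if verdict else "drop"))
```

Only the TCP-over-IPv4 frame reaches instruction 006 and is kept; ICMP lands on the `jeq #0x1` true branch and is dropped, a non-IP Ethernet type fails the first test, and a frame too short to carry byte 23 is rejected by the bounds check rather than read past its end.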