Argus 3.0 and Fedora 9
carter at qosient.com
Tue Mar 3 07:08:42 EST 2009
Hey Mike,
So the test for IP is the 16-bit test for 0x0800 in the Ethernet next hdr, but the 1 maybe
------Original Message------
From: Mike Iglesias
To: Carter Bullard
Cc: Argus
Subject: Re: [ARGUS] Argus 3.0 and Fedora 9
Sent: Mar 3, 2009 2:51 AM
Carter Bullard wrote:
> That is odd, as we just pass that string directly to the pcap
> filter compiler, and if it compiles, we use it.
>
> If you give argus a "-b" option, you should get the dump of
> the pcap compiled filter. Is there any output with the (ip and not icmp)
> filter?
Here's the output:
# /usr/local/argus/sbin/argus -b - \( ip and not icmp \)
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 7
(002) ldh [12]
(003) jeq #0x800 jt 4 jf 6
(004) ldb [23]
(005) jeq #0x1 jt 7 jf 6
(006) ret #96
(007) ret #0
The Fedora 9 libpcap version from the RPM name is 0.9.8-2.fc9.
--
Mike Iglesias Email: iglesias at uci.edu
University of California, Irvine phone: 949-824-6926
Network & Academic Computing Services FAX: 949-824-2270
Sent from my Verizon Wireless BlackBerry
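To make the filter dump above concrete, here is an added example, not part of the original thread or of the argus/libpcap code: a small Python interpreter for the four classic-BPF instructions that appear in the dump (ldh, ldb, jeq, ret). It parses the "argus -b" output exactly as printed, then runs it over three constructed Ethernet frames (IPv4/TCP, IPv4/ICMP, ARP) and a truncated frame. The parsing regex, the frame builders and the absolute-target jump handling are my assumptions about the printed format; real BPF encodes jump targets relative to the next instruction, but the dump prints them as absolute instruction numbers, so the interpreter follows the dump.

```python
import re
from typing import List, Optional, Tuple

# The filter program as printed by "argus -b" for "(ip and not icmp)",
# copied verbatim from the message above.
ARGUS_DUMP = """\
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 7
(002) ldh [12]
(003) jeq #0x800 jt 4 jf 6
(004) ldb [23]
(005) jeq #0x1 jt 7 jf 6
(006) ret #96
(007) ret #0
"""

Instr = Tuple[str, int, Optional[int], Optional[int]]  # (op, k, jt, jf)

# Assumed line shape: "(nnn) op [offset]" or "(nnn) op #imm [jt N jf M]".
DUMP_LINE = re.compile(
    r"\(\d+\)\s+(\w+)\s+(?:\[(\d+)\]|#(0x[0-9a-fA-F]+|\d+))"
    r"(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?$"
)


def parse_bpf_dump(text: str) -> List[Instr]:
    """Turn the printed BPF listing into (op, k, jt, jf) tuples."""
    program: List[Instr] = []
    for line in text.strip().splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        op, mem, imm, jt, jf = m.groups()
        k = int(mem) if mem is not None else int(imm, 0)  # int(...,0) accepts 0x prefixes
        program.append((op, k, int(jt) if jt else None, int(jf) if jf else None))
    return program


def run_bpf(program: List[Instr], frame: bytes) -> int:
    """Execute the program on one frame; returns the ret value (0 = drop).

    Only ldh/ldb (absolute loads), jeq and ret are supported, which is all
    the dump uses. A load past the end of the frame rejects the packet,
    matching how the kernel BPF machine treats out-of-bounds reads.
    """
    acc = 0
    pc = 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ldh":                      # 16-bit big-endian load
            if k + 2 > len(frame):
                return 0
            acc = int.from_bytes(frame[k:k + 2], "big")
            pc += 1
        elif op == "ldb":                    # 8-bit load
            if k + 1 > len(frame):
                return 0
            acc = frame[k]
            pc += 1
        elif op == "jeq":                    # targets are absolute, as printed
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError(f"unsupported opcode {op}")


# Constructed sample frames (addresses and header contents are made up).
def ethernet_frame(ethertype: int, payload: bytes) -> bytes:
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200000000aa")
    return dst + src + ethertype.to_bytes(2, "big") + payload


def ipv4_header(protocol: int) -> bytes:
    # Minimal 20-byte IPv4 header; only the protocol byte at offset 9
    # (frame offset 14 + 9 = 23, the "ldb [23]" in the dump) matters here.
    hdr = bytearray(20)
    hdr[0] = 0x45
    hdr[9] = protocol
    return bytes(hdr)


def classify(frame: bytes) -> str:
    program = parse_bpf_dump(ARGUS_DUMP)
    return "accept" if run_bpf(program, frame) else "drop"


if __name__ == "__main__":
    for name, frame in [
        ("IPv4/TCP", ethernet_frame(0x0800, ipv4_header(6))),
        ("IPv4/ICMP", ethernet_frame(0x0800, ipv4_header(1))),
        ("ARP", ethernet_frame(0x0806, b"\x00" * 28)),
        ("truncated", ethernet_frame(0x0800, b"")[:12]),
    ]:
        print(f"{name:10s} -> {classify(frame)}")
```

Reading the dump with the interpreter in hand: instructions 0 and 1 are the EtherType == 0x0800 check that "ip" compiles to; instructions 2 and 3 repeat that check for the "not icmp" half (pcap's optimizer normally folds the duplicate, which is one thing to compare against a newer libpcap than 0.9.8); instructions 4 and 5 read the IP protocol byte and send ICMP (1) to "ret #0". A "ret #96" accepts the first 96 bytes of the frame, so a non-ICMP IPv4 packet is kept and everything else is dropped.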