Argus 3.0 and Fedora 9
carter at qosient.com
Tue Mar 3 07:17:01 EST 2009
Sorry, my phone sent my mail before I was done ;o)
So the filter doesn't look bad at first glance, but not sure about ICMP being a 1?
What about other simple filters like "tcp" ?
Are they working?
Carter
------Original Message------
From: Carter Bullard
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
To: Mike Iglesias
Cc: Argus
ReplyTo: Carter Bullard
Subject: Re: [ARGUS] Argus 3.0 and Fedora 9
Sent: Mar 3, 2009 7:08 AM
Hey Mike,
So the test for IP is the 16-bit test for 0x0800 in the ethernet next hdr, but the 1 maybe
------Original Message------
From: Mike Iglesias
To: Carter Bullard
Cc: Argus
Subject: Re: [ARGUS] Argus 3.0 and Fedora 9
Sent: Mar 3, 2009 2:51 AM
Carter Bullard wrote:
> That is odd, as we just pass that string directly to the pcap
> filter compiler, and if it compiles, we use it.
>
> If you give argus a "-b" option, you should get the dump of
> the pcap compiled filter. Is there any output with the (ip and not icmp)
> filter?
Here's the output:
# /usr/local/argus/sbin/argus -b - \( ip and not icmp \)
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 7
(002) ldh [12]
(003) jeq #0x800 jt 4 jf 6
(004) ldb [23]
(005) jeq #0x1 jt 7 jf 6
(006) ret #96
(007) ret #0
The Fedora 9 libpcap version from the RPM name is 0.9.8-2.fc9.
--
Mike Iglesias Email: iglesias at uci.edu
University of California, Irvine phone: 949-824-6926
Network & Academic Computing Services FAX: 949-824-2270
Sent from my Verizon Wireless BlackBerry
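Added example, not code from the thread or from argus: a small Python interpreter for the eight BPF instructions Mike posted, run over constructed Ethernet frames. Offset 23 is the IPv4 protocol byte (14-byte Ethernet header + 9) and protocol number 1 is ICMP, so the program returns the 96-byte snaplen for IP-but-not-ICMP frames and 0 otherwise; the frame builder and the opcode tuple layout are this example's own.

```python
# Added example (not from the original thread): interpret the BPF program that
# "argus -b" printed for "(ip and not icmp)" over constructed Ethernet frames.
import struct

# The program exactly as dumped above, as (opcode, operand, jt, jf).
PROGRAM = [
    ("ldh", 12, 0, 0),     # A = 16-bit EtherType at frame offset 12
    ("jeq", 0x800, 2, 7),  # IPv4? yes -> 2, no -> 7 (reject)
    ("ldh", 12, 0, 0),     # redundant re-test of the EtherType
    ("jeq", 0x800, 4, 6),
    ("ldb", 23, 0, 0),     # A = IPv4 protocol byte (14-byte Ethernet hdr + 9)
    ("jeq", 0x1, 7, 6),    # protocol == 1 (ICMP)? yes -> 7 (reject), no -> 6
    ("ret", 96, 0, 0),     # accept: return snaplen 96
    ("ret", 0, 0, 0),      # reject
]

def run_bpf(program, pkt):
    """Execute a BPF program over a packet; returns the accepted byte count."""
    pc, acc = 0, 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ldh":
            if k + 2 > len(pkt):
                return 0            # a load past the end of the packet rejects
            acc = struct.unpack_from("!H", pkt, k)[0]
            pc += 1
        elif op == "ldb":
            if k + 1 > len(pkt):
                return 0
            acc = pkt[k]
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode %r" % op)

def frame(ethertype, ip_proto):
    """Constructed Ethernet header plus a minimal 20-byte IPv4 header."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ipv4 = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, ip_proto]) + b"\x00" * 10
    return eth + ipv4

# 96 means the filter accepts the frame, 0 means it drops it.
RESULTS = {
    "ipv4/tcp":  run_bpf(PROGRAM, frame(0x0800, 6)),   # -> 96
    "ipv4/icmp": run_bpf(PROGRAM, frame(0x0800, 1)),   # -> 0
    "arp":       run_bpf(PROGRAM, frame(0x0806, 0)),   # -> 0
}
```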