simple question

Rodney McKee rmckee at aconex.com
Thu May 7 01:14:48 EDT 2009


Peter, 

No it looks like the filter just does not find a match and happily produces no data, fair enough really. 

I guess another option wold be to have this as a default configuration as it would appear to be quite useful and have some more detailed instruction in the conf file explaining why you have it. 
Would have help an uber-nubie like me heaps :-) 

----- "Peter Van Epp" <vanepp at sfu.ca> wrote: 
> On Wed, May 06, 2009 at 03:52:07PM +1000, Rodney McKee wrote: 
> > Alexander, 
> > 
> > As Peter mentioned, the thing that I was missing was the recording of MAC addresses. 
> > 
> > ARGUS_GENERATE_MAC_DATA=yes 
> > 
> > Make sure this is enabled on the server otherwise its a more complex process. 
> > 
> > 
> 
> Did it toss an error message or warning anywhere when you didn't have 
> MACs enabled? I'd think (but would have to look at the code to be sure) that 
> ra should be able to detect that the MACs aren't in the record (either because 
> the DSR isn't present, or the MACs are 0ed) in which case if there is a MAC 
> based filter present a warning that there is no MAC data to filter on would 
> be a useful enhancement I expect. The devil may be in the details of compiling 
> the BPF filter before actually processing the data to know whether there are 
> MACs present or not though. 
> As well the ra output should tell you that the filter is working 
> correctly as all the source addresses should be from your network IP range 
> and all the offsite ones should be destinations. Its probably worth noting that 
> if you are single arm routing between VLANs argus will be confused as it is 
> selecting on 5 tuples (not VLAN ID which would be a 6 tuple) and thus will 
> aggregate the same packet on the 2 VLANs in to one (because the 5 tuples match). 
> Finally tcpdump/wireshark/sniffer are your friend. If you can capture 
> a pcap file from your network (or alternately let argus write a pcap file which 
> is another .argusrc option although it has performance issues) you can use 
> tcpdump/wireahark/ a sniffer to manually parse the pcap file and compare the 
> results to what ra produces. argus will happily accept a pcap file with the -r 
> option and write an argus file just as if it came in from an interface but 
> with reproducable (we hope anyway :-)) results. Due to the reporting interval 
> the ra output won't be identical, but if you sum them all up (I typically use 
> perl for that) the totals should always match and should match the manually 
> parsed tcpdump output. I've also used tcpreplay to replay a pcap file to the 
> physical interface (and may do so again if I find I need more traffic than I 
> have and can get a suitable capture from SFU or more probably the local Gigapop 
> who have a 10 gig capture applience). 
> 
> Peter Van Epp 
> analysis. 
> 
> 

-- 













Rodney McKee 
Linux systems administrator 
	Aconex 
The easy way to save time and money on your project 

696 Bourke Street, Melbourne 
Tel: +61 3 9240 0200 Fax: +61 3 9240 0299 
Email: rmckee at aconex.com www.aconex.com 
This email and any attachments are intended solely for the addressee. The contents may be privileged, confidential and/or subject to copyright or other applicable law. 
No confidentiality or privilege is lost by an erroneous transmission. If you have received this e-mail in error, please let us know by reply e-mail and delete or destroy 
this mail and all copies. If you are not the intended recipient of this message you must not disseminate, copy or take any action in reliance on it. The sender takes no 
responsibility for the effect of this message upon the recipient's computer system. 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090507/08d20636/attachment.html>


More information about the argus mailing list