using ether filter

Rodney McKee rmckee at aconex.com
Tue May 26 03:14:54 EDT 2009 

Am I doing something wrong? 
Shouldn't the following command only show me those flows with the filtered mac address? 

$ ra -M rmon -nr fw1.23 -N 10 -s +sbytes +dbytes +smac +dmac - ether src 0:14:5e:31:52:38 
StartTime Flgs Proto Host Sport Dir DstAddr Dport TotPkts TotBytes State OutBytes InBytes Mac DstMac 
2009-05-23 00:00:01.041191 e icmp 61.88.237.140.8 <-> 202.130.120.194.31491 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:01.041191 e icmp 202.130.120.194.8 <-> 61.88.237.140.31491 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:01.316196 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:01.316196 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:02.180324 e udp 61.88.237.140.6208 <-> 125.252.200.5.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:02.180324 e udp 125.252.200.5.53 <-> 61.88.237.140.6208 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:02.317448 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:02.317448 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:03.318681 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:03.318681 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:04.242992 e udp 61.88.237.140.60659 <-> 125.56.176.8.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:04.242992 e udp 125.56.176.8.53 <-> 61.88.237.140.60659 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:04.320106 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:04.320106 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:05.321564 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:05.321564 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:05.951303 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:05.951303 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:06.952426 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:06.952426 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 


Rgds 
Rodney 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090526/25bb9ea0/attachment.html>

More information about the argus mailing list