using ether filter

carter at qosient.com carter at qosient.com
Tue May 26 07:52:29 EDT 2009 

Hey Rodney,
Your input filter is working, the "-M rmon" option is then acting on the filtered input and correctly generating the output.

I'm pretty sure you don't want the "-M rmon"

Carter
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Rodney McKee <rmckee at aconex.com>

Date: Tue, 26 May 2009 17:14:54 
To: argus-info<argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] using ether filter


Am I doing something wrong? 
Shouldn't the following command only show me those flows with the filtered mac address? 

$ ra -M rmon -nr fw1.23 -N 10 -s +sbytes +dbytes +smac +dmac - ether src 0:14:5e:31:52:38 
StartTime Flgs Proto Host Sport Dir DstAddr Dport TotPkts TotBytes State OutBytes InBytes Mac DstMac 
2009-05-23 00:00:01.041191 e icmp 61.88.237.140.8 <-> 202.130.120.194.31491 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:01.041191 e icmp 202.130.120.194.8 <-> 61.88.237.140.31491 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:01.316196 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:01.316196 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:02.180324 e udp 61.88.237.140.6208 <-> 125.252.200.5.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:02.180324 e udp 125.252.200.5.53 <-> 61.88.237.140.6208 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:02.317448 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:02.317448 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:03.318681 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:03.318681 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:04.242992 e udp 61.88.237.140.60659 <-> 125.56.176.8.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:04.242992 e udp 125.56.176.8.53 <-> 61.88.237.140.60659 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:04.320106 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:04.320106 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:05.321564 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:05.321564 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:05.951303 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:05.951303 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
2009-05-23 00:00:06.952426 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
2009-05-23 00:00:06.952426 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 


Rgds 
Rodney 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090526/79864f6f/attachment.html>

More information about the argus mailing list