using ether filter

Rodney McKee rmckee at aconex.com
Tue May 26 17:31:39 EDT 2009


Thanks for all the responses. I did not realize that "-M rmon" would act on the output AFTER applying the filter.


----- carter at qosient.com wrote: 
> Hey Rodney, 
> Your input filter is working, the "-M rmon" option is then acting on the filtered input and correctly generating the output. 
> 
> I'm pretty sure you don't want the "-M rmon" 
> 
> Carter 

> From: Rodney McKee
> Date: Tue, 26 May 2009 17:14:54 +1000 (EST)
> To: argus-info <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] using ether filter
>
> Am I doing something wrong? 
> Shouldn't the following command only show me those flows with the filtered mac address? 
> 
> $ ra -M rmon -nr fw1.23 -N 10 -s +sbytes +dbytes +smac +dmac - ether src 0:14:5e:31:52:38 
> StartTime Flgs Proto Host Sport Dir DstAddr Dport TotPkts TotBytes State OutBytes InBytes Mac DstMac 
> 2009-05-23 00:00:01.041191 e icmp 61.88.237.140.8 <-> 202.130.120.194.31491 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:01.041191 e icmp 202.130.120.194.8 <-> 61.88.237.140.31491 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:01.316196 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:01.316196 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:02.180324 e udp 61.88.237.140.6208 <-> 125.252.200.5.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:02.180324 e udp 125.252.200.5.53 <-> 61.88.237.140.6208 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:02.317448 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:02.317448 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:03.318681 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:03.318681 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:04.242992 e udp 61.88.237.140.60659 <-> 125.56.176.8.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:04.242992 e udp 125.56.176.8.53 <-> 61.88.237.140.60659 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:04.320106 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:04.320106 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:05.321564 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:05.321564 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:05.951303 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:05.951303 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:06.952426 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:06.952426 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 
> 
> Rgds 
> Rodney 
> 
> 

-- 
Rodney McKee 
Linux systems administrator 
	Aconex 
The easy way to save time and money on your project 

696 Bourke Street, Melbourne 
Tel: +61 3 9240 0200 Fax: +61 3 9240 0299 
Email: rmckee at aconex.com www.aconex.com 
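The behaviour worked out in this thread, as an added example that is not part of the original messages and is not Argus code: a small Python model in which the `ether src` filter runs first and the "-M rmon" step then emits every surviving flow a second time with its endpoints swapped. The `Flow` class, the function names and the sample records are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    saddr: str
    daddr: str
    sbytes: int
    dbytes: int
    smac: str
    dmac: str


def ether_src(flows, mac):
    """Input filter: keep only flows whose source MAC matches."""
    return [f for f in flows if f.smac == mac]


def rmon_expand(flows):
    """Model of "-M rmon": each flow is reported once per endpoint,
    the second copy with addresses, byte counts and MACs swapped."""
    out = []
    for f in flows:
        out.append(f)
        out.append(Flow(f.daddr, f.saddr, f.dbytes, f.sbytes, f.dmac, f.smac))
    return out


def report(flows, mac, rmon):
    """Filter first, then optionally apply the rmon expansion."""
    kept = ether_src(flows, mac)
    return rmon_expand(kept) if rmon else kept


# Constructed records shaped like the rows quoted in the thread.
HOST = "0:14:5e:31:52:38"
GW = "0:0:c:7:ac:ef"
FLOWS = [
    Flow("61.88.237.140", "125.252.200.5", 82, 98, HOST, GW),
    Flow("192.0.2.7", "61.88.237.140", 60, 40, GW, HOST),  # fails the filter
]

if __name__ == "__main__":
    for rmon in (True, False):
        print("with -M rmon:" if rmon else "without -M rmon:")
        for f in report(FLOWS, HOST, rmon):
            print("  ", f.saddr, "<->", f.daddr, f.sbytes, f.dbytes, f.smac, f.dmac)
```

With the expansion on, the mirrored copy carries the filtered address in the destination-MAC column, which is why the quoted output looks as if the filter had been ignored.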