using ether filter

Rodney McKee rmckee at aconex.com
Tue May 26 23:37:02 EDT 2009 

What I'm looking for is traffic volume coming into the firewall/network, without using rmon I'm not seeing the flows that are initiated from outside the network. 
Am I looking at this the right way? 
eg. 

ra -nr fw1.23 -w - - tcp | ra -nr - -N 100 -s +sbytes +dbytes - ether src 0:14:5e:31:52:38 
... 
2009-05-23 00:00:01.985171 e tcp 61.88.237.140.1154 -> 202.177.201.180.13010 44 7720 FIN 4018 3702 
2009-05-23 00:00:02.003966 e tcp 61.88.237.140.42427 -> 59.151.158.113.80 40 27179 FIN 1659 25520 
2009-05-23 00:00:02.091373 e tcp 61.88.237.140.1156 -> 202.177.201.180.13010 44 7720 FIN 4018 3702 
2009-05-23 00:00:02.092617 e tcp 61.88.237.140.1158 -> 89.187.105.134.13030 43 7835 FIN 4034 3801 
... 

If I use rmon I'm seeing the connections initiated from outside 

ra -nr fw1.23 -w - -M rmon - tcp | ra -nr - -N 200 -s +sbytes +dbytes - ether src 0:14:5e:31:52:38 
... 
2009-05-23 00:00:01.985171 e tcp 61.88.237.140.1154 -> 202.177.201.180.13010 44 7720 FIN 4018 3702 
2009-05-23 00:00:02.003966 e tcp 61.88.237.140.42427 -> 59.151.158.113.80 40 27179 FIN 1659 25520 
2009-05-23 00:00:02.014800 e tcp 61.88.237.140.5667 -> 203.89.192.138.38824 11 1606 FIN 482 1124 
2009-05-23 00:00:02.043536 e tcp 61.88.237.140.5667 -> 203.89.202.184.36008 11 1606 FIN 482 1124 
2009-05-23 00:00:02.075834 e tcp 61.88.237.140.5667 -> 202.177.201.181.43746 11 1606 FIN 482 1124 
2009-05-23 00:00:02.091373 e tcp 61.88.237.140.1156 -> 202.177.201.180.13010 44 7720 FIN 4018 3702 
2009-05-23 00:00:02.092617 e tcp 61.88.237.140.1158 -> 89.187.105.134.13030 43 7835 FIN 4034 3801 
... 

----- carter at qosient.com wrote: 
> Hey Rodney, 
> Your input filter is working, the "-M rmon" option is then acting on the filtered input and correctly generating the output. 
> 
> I'm pretty sure you don't want the "-M rmon" 
> 
> Carter 

Sent from my Verizon Wireless BlackBerry 


>From : Rodney McKee 
> Date : Tue, 26 May 2009 17:14:54 +1000 (EST) 
> To : argus-info<argus-info at lists.andrew.cmu.edu> 
> Subject : [ARGUS] using ether filter 
> 


> Am I doing something wrong? 
> Shouldn't the following command only show me those flows with the filtered mac address? 
> 
> $ ra -M rmon -nr fw1.23 -N 10 -s +sbytes +dbytes +smac +dmac - ether src 0:14:5e:31:52:38 
> StartTime Flgs Proto Host Sport Dir DstAddr Dport TotPkts TotBytes State OutBytes InBytes Mac DstMac 
> 2009-05-23 00:00:01.041191 e icmp 61.88.237.140.8 <-> 202.130.120.194.31491 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:01.041191 e icmp 202.130.120.194.8 <-> 61.88.237.140.31491 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:01.316196 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:01.316196 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:02.180324 e udp 61.88.237.140.6208 <-> 125.252.200.5.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:02.180324 e udp 125.252.200.5.53 <-> 61.88.237.140.6208 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:02.317448 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:02.317448 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:03.318681 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:03.318681 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:04.242992 e udp 61.88.237.140.60659 <-> 125.56.176.8.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:04.242992 e udp 125.56.176.8.53 <-> 61.88.237.140.60659 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:04.320106 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:04.320106 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:05.321564 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:05.321564 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:05.951303 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:05.951303 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 2009-05-23 00:00:06.952426 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef 
> 2009-05-23 00:00:06.952426 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38 
> 
> 
> Rgds 
> Rodney 
> 
> 

-- 













Rodney McKee 
Linux systems administrator 
	Aconex 
The easy way to save time and money on your project 

696 Bourke Street, Melbourne 
Tel: +61 3 9240 0200 Fax: +61 3 9240 0299 
Email: rmckee at aconex.com www.aconex.com 
This email and any attachments are intended solely for the addressee. The contents may be privileged, confidential and/or subject to copyright or other applicable law. 
No confidentiality or privilege is lost by an erroneous transmission. If you have received this e-mail in error, please let us know by reply e-mail and delete or destroy 
this mail and all copies. If you are not the intended recipient of this message you must not disseminate, copy or take any action in reliance on it. The sender takes no 
responsibility for the effect of this message upon the recipient's computer system. 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090527/8cf110d7/attachment.html>

More information about the argus mailing list