using ether filter
Carter Bullard
carter at qosient.com
Tue May 26 23:59:48 EDT 2009
Hey Rodney,
Hmmmmm, the arrows are not right in the "-M rmon" example, they should
all be "<->" not "->". Other than that, everything is working as it
is supposed to.
The concept of "coming into the firewall" is an L2 semantic. The "-M rmon"
option allows you to generate L2 metrics from L3 oriented data.
Good to see the "ether src xx:xx:xx:xx:xx:xx" filter placed correctly.
Carter
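A small model of the point Carter makes above, added here as an illustration and not part of the thread or of argus itself: "-M rmon" turns each L3 flow record into one "<->" record per endpoint, so a flow initiated from outside, whose source MAC is the upstream router rather than the firewall, survives an "ether src" filter on the firewall's MAC and its bytes get counted. The record layout, the split behaviour and the sample flows are assumptions modelled on the output quoted in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rec:
    """One ra record: saddr/smac is the source side; sbytes/dbytes are the
    bytes sent by each side (the OutBytes/InBytes columns in the thread)."""
    proto: str
    saddr: str
    daddr: str
    sbytes: int
    dbytes: int
    smac: str
    dmac: str


def rmon_split(rec):
    """Model of -M rmon (assumed from the quoted output, not argus's code):
    emit one record per endpoint, with MACs and byte counters swapped on the
    mirror, so per-MAC (L2) totals can be summed from L3 flow data."""
    mirror = Rec(rec.proto, rec.daddr, rec.saddr,
                 rec.dbytes, rec.sbytes, rec.dmac, rec.smac)
    return [rec, mirror]


def ether_src(recs, mac):
    """The 'ether src xx:xx:..' filter: keep records whose source MAC is mac."""
    return [r for r in recs if r.smac == mac]


def bytes_into(recs, mac, rmon=False):
    """Bytes received by MAC = dbytes of the records the filter keeps.
    Without rmon, a flow initiated from outside has smac = upstream MAC,
    so 'ether src <firewall>' drops it and its bytes are never counted."""
    if rmon:
        recs = [r for rec in recs for r in rmon_split(rec)]
    return sum(r.dbytes for r in ether_src(recs, mac))


# Constructed sample; MACs and byte counts follow the thread's output.
FW_MAC = "0:14:5e:31:52:38"
UP_MAC = "0:0:c:7:ac:ef"
SAMPLE = [
    Rec("icmp", "61.88.237.140", "202.130.120.194", 98, 98, FW_MAC, UP_MAC),
    Rec("udp", "61.88.237.140", "125.252.200.5", 82, 98, FW_MAC, UP_MAC),
    Rec("tcp", "61.88.237.140", "202.177.201.180", 4018, 3702, FW_MAC, UP_MAC),
    # constructed: a connection initiated from outside, outside host as source
    Rec("tcp", "203.89.192.138", "61.88.237.140", 1124, 482, UP_MAC, FW_MAC),
]

if __name__ == "__main__":
    print("flows kept without rmon:", len(ether_src(SAMPLE, FW_MAC)))
    print("bytes into firewall, no rmon:", bytes_into(SAMPLE, FW_MAC))
    print("bytes into firewall, rmon:", bytes_into(SAMPLE, FW_MAC, rmon=True))
```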
On May 26, 2009, at 11:37 PM, Rodney McKee wrote:
> What I'm looking for is traffic volume coming into the firewall/
> network, without using rmon I'm not seeing the flows that are
> initiated from outside the network.
> Am I looking at this the right way?
> eg.
>
> ra -nr fw1.23 -w - - tcp | ra -nr - -N 100 -s +sbytes +dbytes - ether src 0:14:5e:31:52:38
> ...
> 2009-05-23 00:00:01.985171 e tcp 61.88.237.140.1154 -> 202.177.201.180.13010 44 7720 FIN 4018 3702
> 2009-05-23 00:00:02.003966 e tcp 61.88.237.140.42427 -> 59.151.158.113.80 40 27179 FIN 1659 25520
> 2009-05-23 00:00:02.091373 e tcp 61.88.237.140.1156 -> 202.177.201.180.13010 44 7720 FIN 4018 3702
> 2009-05-23 00:00:02.092617 e tcp 61.88.237.140.1158 -> 89.187.105.134.13030 43 7835 FIN 4034 3801
> ...
>
> If I use rmon I'm seeing the connections initiated from outside
>
> ra -nr fw1.23 -w - -M rmon - tcp | ra -nr - -N 200 -s +sbytes +dbytes - ether src 0:14:5e:31:52:38
> ...
> 2009-05-23 00:00:01.985171 e tcp 61.88.237.140.1154 -> 202.177.201.180.13010 44 7720 FIN 4018 3702
> 2009-05-23 00:00:02.003966 e tcp 61.88.237.140.42427 -> 59.151.158.113.80 40 27179 FIN 1659 25520
> 2009-05-23 00:00:02.014800 e tcp 61.88.237.140.5667 -> 203.89.192.138.38824 11 1606 FIN 482 1124
> 2009-05-23 00:00:02.043536 e tcp 61.88.237.140.5667 -> 203.89.202.184.36008 11 1606 FIN 482 1124
> 2009-05-23 00:00:02.075834 e tcp 61.88.237.140.5667 -> 202.177.201.181.43746 11 1606 FIN 482 1124
> 2009-05-23 00:00:02.091373 e tcp 61.88.237.140.1156 -> 202.177.201.180.13010 44 7720 FIN 4018 3702
> 2009-05-23 00:00:02.092617 e tcp 61.88.237.140.1158 -> 89.187.105.134.13030 43 7835 FIN 4034 3801
> ...
>
> ----- carter at qosient.com wrote:
> > Hey Rodney,
> > Your input filter is working, the "-M rmon" option is then acting on the filtered input and correctly generating the output.
> >
> > I'm pretty sure you don't want the "-M rmon"
> >
> > Carter
> From: Rodney McKee
> > Date: Tue, 26 May 2009 17:14:54 +1000 (EST)
> > To: argus-info<argus-info at lists.andrew.cmu.edu>
> > Subject: [ARGUS] using ether filter
> >
> > Am I doing something wrong?
> > Shouldn't the following command only show me those flows with the filtered mac address?
> >
> > $ ra -M rmon -nr fw1.23 -N 10 -s +sbytes +dbytes +smac +dmac - ether src 0:14:5e:31:52:38
> > StartTime Flgs Proto Host Sport Dir DstAddr Dport TotPkts TotBytes State OutBytes InBytes Mac DstMac
> > 2009-05-23 00:00:01.041191 e icmp 61.88.237.140.8 <-> 202.130.120.194.31491 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:01.041191 e icmp 202.130.120.194.8 <-> 61.88.237.140.31491 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:01.316196 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:01.316196 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:02.180324 e udp 61.88.237.140.6208 <-> 125.252.200.5.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:02.180324 e udp 125.252.200.5.53 <-> 61.88.237.140.6208 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:02.317448 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:02.317448 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:03.318681 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:03.318681 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:04.242992 e udp 61.88.237.140.60659 <-> 125.56.176.8.53 2 180 CON 82 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:04.242992 e udp 125.56.176.8.53 <-> 61.88.237.140.60659 2 180 CON 98 82 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:04.320106 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:04.320106 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:05.321564 e icmp 61.88.237.140.8 <-> 87.80.0.15.34819 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:05.321564 e icmp 87.80.0.15.8 <-> 61.88.237.140.34819 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:05.951303 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:05.951303 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> > 2009-05-23 00:00:06.952426 e icmp 61.88.237.140.8 <-> 213.123.201.106.6165 2 196 ECO 98 98 0:14:5e:31:52:38 0:0:c:7:ac:ef
> > 2009-05-23 00:00:06.952426 e icmp 213.123.201.106.8 <-> 61.88.237.140.6165 2 196 ECO 98 98 0:0:c:7:ac:ef 0:14:5e:31:52:38
> >
> >
> > Rgds
> > Rodney
> >
> --
>
> Rodney McKee
> Linux systems administrator
> Aconex
> The easy way to save time and money on your project
>
> 696 Bourke Street, Melbourne
> Tel: +61 3 9240 0200 Fax: +61 3 9240 0299
> Email: rmckee at aconex.com www.aconex.com