Proto Filter for PPPoE

Carter Bullard carter at qosient.com
Mon Sep 14 09:54:14 EDT 2009 

Hey Barry,
Going from monitoring wireless to PPPoE doesn't require that you  
change anything
with argus() or ra().  argus() parses through all the packet headers  
that it understands
and forms the same types of flows, regardless  of the type of network  
it is monitoring.
So you shouldn't have to make any changes when you use argus() to  
monitor a
PPPoE network.

argus() performs RTP discovery automatically, as it does with several  
protocols, such as
IPv4 or IPv6 over MPLS.  If argus()  thinks the flow contains RTP  
headers, it will report it.
So you don't have to do anything to track RTP flows, its done in the  
argus() sensor.

For argus() and the ra* programs, PPPoE is an encapsulation,  not a  
protocol.  So if  you
want  to look at all the flows that were contained in PPPoE tunnels,  
you use the
'encaps' filter keyword with 'pppoe' as the parameter:

    ra -r argus.file - encaps pppoe

If you're interested in seeing the RTP status flow records, you would  
try this:

    ra -r argus.file - rtp

If you still have questions, please send mail to the list.  No  
problem!!!

Always grab the latest and greatest software, just in case:
    argus-3.0.2 and argus-clients-3.0.2.beta.12

http://qosient.com/argus

Carter

On Sep 13, 2009, at 6:29 PM, Barry Kolts wrote:

> Hi All,
>
> I need a little help understanding the proto filter in ra(). What I  
> want to
> do is see what is encapsulated in PPPoE. We have been using Argus to  
> monitor
> our wireless network, but now are going to use PPPoE. If I  
> understand the
> ra() man page the proto filter will attempt to discover the Realtime
> Transport Protocol. So I think I want something like
> ra -r argus.data -s stime saddr daddr proto sbytes dbytes - proto p ?
> I think from the man page I use 'p' to filter PPPoE but I don't know  
> what
> the second field should be.
> ra() says the 'p' is illegal and the syntax is wrong. It is obvious  
> I am not
> understanding how to use this filter. Can anyone set me straight.
> I am using Argus 3.0.1.beta.3 and Argus-clients 3.0.2.beta.7
>
> Thanks in advance,
> Barry
>
>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090914/b92b25c2/attachment.bin>

More information about the argus mailing list