Argus-info Digest, Vol 49, Issue 13

CS Lee geek00l at gmail.com
Mon Sep 14 10:25:36 EDT 2009


hi Barry,

I suggest you use the latest argus and its client as well because iirc
there's a problem with argus handling pppoe. You will be able to look inside
its ip flow without applying any filter.

And to Carter, I tried to check out the filter encaps pppoe, apparently this
filter shows all the ip flows even though it is generated from the pcap that
does not contain any pppoe traffic.

Cheers ;)

On Mon, Sep 14, 2009 at 10:17 PM,
<argus-info-request at lists.andrew.cmu.edu> wrote:

> Today's Topics:
>
>   1.  Proto Filter for PPPoE (Barry Kolts)
>   2. Re:  Proto Filter for PPPoE (Carter Bullard)
>   3. Re:  Inserting AS Number and Label To DB (Carter Bullard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 13 Sep 2009 17:29:03 -0500
> From: "Barry Kolts" <bhkolts at gotrain.org>
> Subject: [ARGUS] Proto Filter for PPPoE
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <h8jrnc$4ji$1 at ger.gmane.org>
>
> Hi All,
>
> I need a little help understanding the proto filter in ra(). What I want to
> do is see what is encapsulated in PPPoE. We have been using Argus to monitor
> our wireless network, but now are going to use PPPoE. If I understand the
> ra() man page the proto filter will attempt to discover the Realtime
> Transport Protocol. So I think I want something like
> ra -r argus.data -s stime saddr daddr proto sbytes dbytes - proto p ?
> I think from the man page I use 'p' to filter PPPoE but I don't know what
> the second field should be.
> ra() says the 'p' is illegal and the syntax is wrong. It is obvious I am not
> understanding how to use this filter. Can anyone set me straight?
> I am using Argus 3.0.1.beta.3 and Argus-clients 3.0.2.beta.7
>
> Thanks in advance,
> Barry


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net