Proto Filter for PPPoE

Barry Kolts bhkolts at gotrain.org
Mon Sep 14 15:50:07 EDT 2009


Hi Carter,

Thanks for the explanation. I appreciate you taking time to do that. I have 
installed the latest argus and clients and all seems to be working OK.

C.S. Lee, thanks for your input also.

Cheers,
Barry

"Carter Bullard" <carter at qosient.com> wrote in message 
news:6BB8A8A6-5452-415A-8ABF-7EB8FDC2AA1C at qosient.com...
> Hey Barry,
> Going from monitoring wireless to PPPoE doesn't require that you change
> anything with argus() or ra().  argus() parses through all the packet
> headers that it understands and forms the same types of flows, regardless
> of the type of network it is monitoring. So you shouldn't have to make any
> changes when you use argus() to monitor a PPPoE network.
>
> argus() performs RTP discovery automatically, as it does with several
> protocols, such as IPv4 or IPv6 over MPLS.  If argus() thinks the flow
> contains RTP headers, it will report it. So you don't have to do anything
> to track RTP flows, it's done in the argus() sensor.
>
> For argus() and the ra* programs, PPPoE is an encapsulation, not a
> protocol.  So if you want to look at all the flows that were contained in
> PPPoE tunnels, you use the 'encaps' filter keyword with 'pppoe' as the
> parameter:
>
>    ra -r argus.file - encaps pppoe
>
> If you're interested in seeing the RTP status flow records, you would try
> this:
>
>    ra -r argus.file - rtp
>
> If you still have questions, please send mail to the list.  No problem!!!
>
> Always grab the latest and greatest software, just in case:
>    argus-3.0.2 and argus-clients-3.0.2.beta.12
>
> http://qosient.com/argus
>
> Carter
>
> On Sep 13, 2009, at 6:29 PM, Barry Kolts wrote:
>
>> Hi All,
>>
>> I need a little help understanding the proto filter in ra(). What I want to
>> do is see what is encapsulated in PPPoE. We have been using Argus to monitor
>> our wireless network, but now are going to use PPPoE. If I understand the
>> ra() man page the proto filter will attempt to discover the Realtime
>> Transport Protocol. So I think I want something like
>> ra -r argus.data -s stime saddr daddr proto sbytes dbytes - proto p ?
>> I think from the man page I use 'p' to filter PPPoE but I don't know what
>> the second field should be.
>> ra() says the 'p' is illegal and the syntax is wrong. It is obvious I am not
>> understanding how to use this filter. Can anyone set me straight?
>> I am using Argus 3.0.1.beta.3 and Argus-clients 3.0.2.beta.7
>>
>> Thanks in advance,
>> Barry
>>
>>
>>
>>
>
> 
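
An added illustration, not part of the original thread and not argus code: a small Python parser showing the distinction drawn in the quoted reply, where PPPoE is a header layer around the flow rather than the flow's protocol. The frames are constructed samples, and `parse_flow`, `select_encaps` and the `ethernet` label are hypothetical names; only IPv4 inside PPPoE session frames is handled.

```python
import socket
import struct

ETH_IPV4, ETH_PPPOE_SESSION, PPP_IPV4 = 0x0800, 0x8864, 0x0021

def parse_flow(frame):
    """Return (encaps, flow); flow is (saddr, daddr, proto, sport, dport) or None."""
    encaps = ["ethernet"]          # illustrative label, not an argus keyword
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_PPPOE_SESSION:
        encaps.append("pppoe")
        # PPPoE session header (6 bytes) followed by the 2-byte PPP protocol id
        vertype, code, _sid, length, ppp = struct.unpack("!BBHHH", payload[:8])
        if vertype != 0x11 or code != 0x00 or ppp != PPP_IPV4:
            return encaps, None    # not IPv4 session data
        payload = payload[8:6 + length]   # length covers PPP id + IP packet
    elif ethertype != ETH_IPV4:
        return encaps, None
    if len(payload) < 20:
        return encaps, None
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    saddr = socket.inet_ntoa(payload[12:16])
    daddr = socket.inet_ntoa(payload[16:20])
    sport = dport = 0
    if proto in (6, 17) and len(payload) >= ihl + 4:   # TCP or UDP ports
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return encaps, (saddr, daddr, proto, sport, dport)

def select_encaps(frames, name):
    """Keep flows whose header stack contains `name`."""
    parsed = (parse_flow(f) for f in frames)
    return [flow for encaps, flow in parsed if flow and name in encaps]

# Constructed sample: one UDP packet, sent once natively and once inside PPPoE.
def ipv4_udp(saddr, daddr, sport, dport, data=b"constructed"):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       socket.inet_aton(saddr), socket.inet_aton(daddr)) + udp

def ethernet(ethertype, payload):
    return bytes.fromhex("020000000002020000000001") + struct.pack("!H", ethertype) + payload

INNER = ipv4_udp("10.0.0.5", "192.0.2.10", 5004, 5004)
PLAIN = ethernet(ETH_IPV4, INNER)
TUNNELED = ethernet(ETH_PPPOE_SESSION,
                    struct.pack("!BBHHH", 0x11, 0, 1, len(INNER) + 2, PPP_IPV4) + INNER)

if __name__ == "__main__":
    for frame in (PLAIN, TUNNELED):
        print(parse_flow(frame))
```

Both frames yield the same flow tuple with protocol 17 (UDP); only the header stack differs, which is the property the sketch selects on.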