how to filter arp, llc, loop, ospf.

Carter Bullard carter at qosient.com
Tue Feb 9 11:59:27 EST 2010


Hey Pengiran,
When you are having problems, you need to send a complete description of
how you are running the programs, along with a copy of their configuration
files and any command options you are using.

If you want to filter the input to argus(), then you will use a tcpdump() filter.  It is not
the same as the ra* client filter syntax.  Use tcpdump to verify that the filter matches
the packets you are interested in,  and then use the same filter with argus.

If you are using a filter on ra(), you need to make sure that argus is generating
the flows you are interested in, and then apply a filter to ra() that matches those
flows.   If argus is generating flows but the filters don't seem to work, or argus
stops working, try specifying a "local" filter:

   ra -S argus - local proto ospf

This causes the client to do the filtering itself, rather than sending the filter to
argus.  If that works, then argus's compiler may have an issue.

Carter

On Feb 9, 2010, at 10:22 AM, pengiran wrote:

> Hi all,
> 
> I want to record traffic for a period of time. Currently I manage to have 4 sensors and 1 database server. All the traffic has been collected and inserted into the database by rasqlinsert.
> 
> I want to filter the traffic with the proto = arp, llc, loop, ospf.
> 
> I know we can use "- ip proto not icmp" and "argus.out "not icmp"" as filters. When I try to change the protocol to "ospf", argus runs smoothly, but reading it with ra doesn't show any ospf record. But when I try to change to llc, loop, argus simply does not start (checked /var/run and used "ps aux | grep argus"). 
> 
> 
> Please guide me.
> 
> Thanks
> 
> Regards,
> Peng
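The workflow in Carter's reply (check the capture filter with tcpdump first, hand the same filter to argus, and let ra do its own filtering with "local"), written out as an added shell example. This is not code from the thread or from the argus distribution. The interface name, the filter strings, and the trick of feeding tcpdump a zero-packet pcap file so that "tcpdump -d" can compile a filter without opening a live interface (and so without root) are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the argus project or the thread above: verify a
# tcpdump-syntax filter before giving it to argus, then filter the flows in
# ra with the "local" keyword so the client does the matching itself.
# Assumed names: interface eth0 and the filter strings in the usage line.

# Write a 24-byte pcap global header (magic, version 2.4, snaplen 65535,
# link type 1 = Ethernet) followed by no packets.  "tcpdump -r" on this
# file compiles a filter for Ethernet without touching a live interface,
# so the check below needs no root and captures nothing.
write_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Compile FILTER with "tcpdump -d" (dump the BPF program and stop).
# Returns 0 if the compiler accepts it, 1 if it rejects it, 2 if tcpdump
# is not installed, so a caller can tell "bad filter" from "no tool".
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    pcap=$(mktemp) || return 2
    write_empty_pcap "$pcap"
    if tcpdump -r "$pcap" -d "$1" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$pcap"
    return "$rc"
}

# Run argus on IFACE with a verified tcpdump filter and stream its records
# to ra, which applies RAFILTER itself ("local", as in the reply above).
# Usage: capture_flows eth0 'ip proto 89 or arp' 'proto ospf'
#   (89 is the OSPF protocol number; "ip proto ospf" is equivalent where
#   /etc/protocols lists the name.)
capture_flows() {
    iface=$1; capfilter=$2; rafilter=$3
    check_filter "$capfilter" && rc=0 || rc=$?
    case $rc in
        0) ;;
        1) echo "tcpdump rejects filter: $capfilter" >&2; return 1 ;;
        *) echo "tcpdump not found; filter not verified" >&2 ;;
    esac
    # argus -w - writes records to stdout; ra -r - reads them from stdin.
    argus -i "$iface" -w - - "$capfilter" | ra -r - - local "$rafilter"
}
```

A filter that tcpdump rejects in check_filter is the one to fix before expecting argus to accept it, since argus takes tcpdump filter syntax, not the ra* syntax. The "ra -r - - local ..." form is the same client-side filtering as "ra -S argus - local proto ospf" in the reply, only reading from a pipe instead of a remote argus.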


