how to filter arp, llc, loop, ospf.

Carter Bullard carter at qosient.com
Tue Feb 9 20:00:46 EST 2010


Hey Benet,
You are absolutely correct, and the ra manpage is definitely the
place to go (I should have suggested that).  There are a few exceptions,
however, where there is specific keyword support in the compiler for
some common protocols. 

For instance, arp and rarp have specific support:
    
% ra -b - arp
(000) ldb      dsr[1][1]
(001) and      #6
(002) jeq      #0x6             jt 3	jf 4
(003) ret      #96
(004) ret      #0

But, for llc, you'll need the full filter expression:

% ra -b - ether proto llc
(000) ldb      dsr[1][2]
(001) jset     #0x1f            jt 2	jf 3
(002) ret      #0
(003) ret      #96

Argus has specific arp tracking support, so the clients have specific
logic for picking out arp flows.

If there are protocols that should have "shortcuts" just holler and
I'll look into putting them in the compiler.

Carter

On Feb 9, 2010, at 7:50 PM, Benet Leong wrote:

> Hi pengiran,
> 
> To filter traffic such as llc, arp, loop and such... you'll need to refer to the ./includes/ethernames.h file in the argus/ra client source.
> There's a whole bunch of argus pseudo ethertypes listed in that file.
> 
> In a nutshell, you'll need to write your filter expression as 
> 	
> 	- ether proto 2054 
> 
> in the case of ARP for example.
> 
> Please read the "Filter Expression" section in the ra man pages for more info.
> 
> Best regards,
> Benet Leong.
> 
> On Feb 10, 2010, at 12:22 AM, pengiran wrote:
> 
>> Hi all,
>> 
>> I want to record traffic for a period of time. Currently I manage to have 4 sensors and 1 database server. All the traffic has been collected and inserted into the database by rasqlinsert.
>> 
>> I want to filter the traffic with the proto = arp, llc, loop, ospf.
>> 
>> I know we can use "- ip proto not icmp" and "argus.out "not icmp"" as filters. When I try to change the protocol to "ospf", argus runs smoothly, but reading it with ra doesn't show any ospf records. But when I try to change it to llc or loop, argus simply does not start (checked /var/run and using "ps aux | grep argus").
>> 
>> 
>> please guide me.
>> 
>> Thanks
>> 
>> Regards,
>> Peng
> 
> 
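The distinction the compiled filters above expose, worked through as an added example that is not part of this thread or of argus itself: ARP and RARP are Ethernet II ethertypes (2054 is 0x0806, so "ether proto 2054" is one compare on bytes 12-13), LLC has no ethertype and is recognised by an 802.3 length field with the LLC header after it, and OSPF is neither, being IP protocol 89 inside an IPv4 frame, which is why "ip proto" works for it and not for llc or loop. The Python below classifies constructed frames the way such a filter must; the ethertype table, the reading of "loop" as the 0x9000 configuration-test ethertype, the frame layouts and the function names are this example's assumptions, not argus code or its ethernames.h list.

```python
import struct

# Protocol numbers referenced in this thread. Constructed table for the example;
# argus's own names live in ./includes/ethernames.h and are not reproduced here.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806      # 2054 decimal, the value in "ether proto 2054"
ETHERTYPE_RARP = 0x8035
ETHERTYPE_LOOP = 0x9000     # Ethernet configuration-test/loopback; assumed to be what "loop" means
IPPROTO_OSPF = 89           # OSPF is an IP protocol number, not an ethertype
MAX_8023_LENGTH = 1500      # IEEE 802.3: a type/length value <= 1500 is a length; LLC follows


def classify_frame(frame: bytes) -> dict:
    """Return what a 'proto' filter has to look at for one raw Ethernet frame.

    Ethernet II frames carry an ethertype at bytes 12-13 (ARP = 0x0806), so
    "ether proto <n>" is a single compare.  LLC has no ethertype: it is an
    802.3 frame whose bytes 12-13 are a length, with the LLC header after it.
    OSPF is neither: it is IP protocol 89 inside an IPv4 ethertype frame.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    result = {"ethertype": None, "llc": False, "ip_proto": None, "name": "other"}
    if type_or_len <= MAX_8023_LENGTH:
        result["llc"] = True
        result["name"] = "llc"
        return result
    result["ethertype"] = type_or_len
    if type_or_len == ETHERTYPE_ARP:
        result["name"] = "arp"
    elif type_or_len == ETHERTYPE_RARP:
        result["name"] = "rarp"
    elif type_or_len == ETHERTYPE_LOOP:
        result["name"] = "loop"
    elif type_or_len == ETHERTYPE_IPV4:
        if len(frame) < 14 + 20:
            raise ValueError("truncated IPv4 header")
        ip_proto = frame[14 + 9]        # IPv4 protocol field sits at header offset 9
        result["ip_proto"] = ip_proto
        result["name"] = "ospf" if ip_proto == IPPROTO_OSPF else "ip"
    return result


def filter_frames(frames, proto: str):
    """Keep the frames a filter such as 'arp', 'llc', 'loop' or 'ospf' would select."""
    return [f for f in frames if classify_frame(f)["name"] == proto]


# Constructed sample frames (not captured traffic): broadcast dst, made-up src.
_DST = bytes.fromhex("ffffffffffff")
_SRC = bytes.fromhex("0a0b0c0d0e0f")


def _frame(type_or_len: int, payload: bytes) -> bytes:
    return _DST + _SRC + struct.pack("!H", type_or_len) + payload


def _ipv4_header(proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
    return (bytes([0x45, 0x00]) + struct.pack("!H", 20 + payload_len)
            + bytes(4) + bytes([64, proto]) + bytes(2) + bytes(8))


SAMPLE_FRAMES = [
    _frame(ETHERTYPE_ARP, bytes(28)),                                   # ARP-sized payload
    _frame(46, bytes([0x42, 0x42, 0x03]) + bytes(43)),                  # 802.3 length 46 + LLC header
    _frame(ETHERTYPE_LOOP, bytes(46)),                                  # loopback/config-test frame
    _frame(ETHERTYPE_IPV4, _ipv4_header(IPPROTO_OSPF, 24) + bytes(24)),  # OSPF inside IPv4
    _frame(ETHERTYPE_IPV4, _ipv4_header(1, 8) + bytes(8)),              # ICMP inside IPv4
]


if __name__ == "__main__":
    for name in ("arp", "llc", "loop", "ospf"):
        print(name, len(filter_frames(SAMPLE_FRAMES, name)))
```

Running it counts one matching frame for each of arp, llc, loop and ospf; the ICMP frame is an IPv4 frame that no "ospf" filter selects, and "rarp" matches nothing because no RARP frame was constructed.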
