how to filter arp, llc, loop, ospf.

Benet Leong benet at comworth.co.jp
Tue Feb 9 21:02:13 EST 2010 

Hi Carter,

Thanks for the clarification. So far, I've been sticking to using the full filter expression most of the time as that's the best way I can ensure that it'll work each time regardless of the protocols that I'm trying to filter. 
Nevertheless, for those quick moments where you need a filter fast, those keyword support sure comes in handy. 

Best regards,
Benet Leong.

On Feb 10, 2010, at 10:00 AM, Carter Bullard wrote:

> Hey Benet,
> You are absolutely correct, and the ra manpage is definitely the
> place to go (I should have suggested that).  There are a few exceptions,
> however, where there is specific keyword support in the compiler for
> some common protocols. 
> 
> For instance, arp and rarp have specific support:
>     
> % ra -b - arp
> (000) ldb      dsr[1][1]
> (001) and      #6
> (002) jeq      #0x6             jt 3	jf 4
> (003) ret      #96
> (004) ret      #0
> 
> But, for llc, you'll need the full filter expression:
> 
> % ra -b - ether proto llc
> (000) ldb      dsr[1][2]
> (001) jset     #0x1f            jt 2	jf 3
> (002) ret      #0
> (003) ret      #96
> 
> Argus has specific arp tracking support, so the clients have specific
> logic for picking out arp flows.
> 
> If there are protocols that should have "shortcuts" just holler and
> I'll look into putting them in the compiler.
> 
> Carter
> 
> On Feb 9, 2010, at 7:50 PM, Benet Leong wrote:
> 
>> Hi pengiran,
>> 
>> To filter traffic such as llc, arp, loop and such... you'll need to refer to the ./includes/ethernames.h file in the argus/ra client source.
>> There's a whole bunch of argus pseudo ethertypes list in that file.
>> 
>> In a nutshell, you'll need to write your filter expression as 
>> 	
>> 	- ether proto 2054 
>> 
>> in the case of ARP for example.
>> 
>> Please read the "Filter Expression" section in the ra man pages for more info.
>> 
>> Best regards,
>> Benet Leong.
>> 
>> On Feb 10, 2010, at 12:22 AM, pengiran wrote:
>> 
>>> Hi all,
>>> 
>>> i want to record traffic for a period of time. currently i manage to have 4 sensor and 1 database server.all the traffic been collected and inserted into the databse by rasqlinsert.
>>> 
>>> i want to filter the traffic with the proto = arp, llc, loop ,ospf.
>>> 
>>> i know we can use "- ip proto not icmp " and "argus.out "not icmp" as filter. when i try to change the protocol to "ospf", argus run smoothly and read using ra doesnt show any ospf record. but when i try to change to llc, loop. argus simply did not start (check /var/run and using "ps aux | grep argus"). 
>>> 
>>> 
>>> please guide me.
>>> 
>>> Thanks
>>> 
>>> Regards,
>>> Peng
>> 
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100210/6a05b03d/attachment.html>

More information about the argus mailing list