how to filter arp, llc, loop, ospf.

pengiran pengiran.my at gmail.com
Wed Feb 10 20:59:08 EST 2010


Hi Benet and Carter,

Thank you for the guide.
I am only interested in tcp, udp and icmp traffic.

So I add the filter in argus.conf:

ARGUS_FILTER="tcp or udp or icmp"

I also don't want to record traffic for a host XXX.XXX.XXX.XXX.

Is this the right filter to use?

ARGUS_FILTER="tcp or udp or icmp and not host XXX.XXX.XXX.XXX"

Please advise.

Regards,
Peng

On Wed, Feb 10, 2010 at 10:02 AM, Benet Leong <benet at comworth.co.jp> wrote:

> Hi Carter,
>
> Thanks for the clarification. So far, I've been sticking to using the full
> filter expression most of the time as that's the best way I can ensure that
> it'll work each time regardless of the protocols that I'm trying to filter.
> Nevertheless, for those quick moments where you need a filter fast,
> that keyword support sure comes in handy.
>
> Best regards,
> Benet Leong.
>
> On Feb 10, 2010, at 10:00 AM, Carter Bullard wrote:
>
> Hey Benet,
> You are absolutely correct, and the ra manpage is definitely the
> place to go (I should have suggested that).  There are a few exceptions,
> however, where there is specific keyword support in the compiler for
> some common protocols.
>
> For instance, arp and rarp have specific support:
>
> % ra -b - arp
> (000) ldb      dsr[1][1]
> (001) and      #6
> (002) jeq      #0x6             jt 3 jf 4
> (003) ret      #96
> (004) ret      #0
>
> But, for llc, you'll need the full filter expression:
>
> % ra -b - ether proto llc
> (000) ldb      dsr[1][2]
> (001) jset     #0x1f            jt 2 jf 3
> (002) ret      #0
> (003) ret      #96
>
> Argus has specific arp tracking support, so the clients have specific
> logic for picking out arp flows.
>
> If there are protocols that should have "shortcuts" just holler and
> I'll look into putting them in the compiler.
>
> Carter
>
> On Feb 9, 2010, at 7:50 PM, Benet Leong wrote:
>
> Hi pengiran,
>
> To filter traffic such as llc, arp, loop and such... you'll need to refer
> to the ./includes/ethernames.h file in the argus/ra client source.
> There's a whole bunch of argus pseudo ethertypes listed in that file.
>
> In a nutshell, you'll need to write your filter expression as
>
> - ether proto 2054
>
> in the case of ARP for example.
>
> Please read the "Filter Expression" section in the ra man pages for more
> info.
>
> Best regards,
> Benet Leong.
>
> On Feb 10, 2010, at 12:22 AM, pengiran wrote:
>
> Hi all,
>
>
> I want to record traffic for a period of time. Currently I manage to have 4
> sensors and 1 database server. All the traffic has been collected and inserted
> into the database by rasqlinsert.
>
>
> I want to filter the traffic with the proto = arp, llc, loop, ospf.
>
>
> I know we can use "- ip proto not icmp" and "argus.out "not icmp"" as
> filters. When I try to change the protocol to "ospf", argus runs smoothly and
> reading using ra doesn't show any ospf record. But when I try to change to llc
> or loop, argus simply does not start (checked /var/run and using "ps aux | grep
> argus").
>
>
>
> please guide me.
>
>
> Thanks
>
>
> Regards,
>
> Peng
>
>
>
>
>
>
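As an added example (not from the thread and not argus code), here is a tiny evaluator for filter expressions of the shape asked about above, run over constructed flow records. It can parse `and`/`or` either with equal precedence, left to right, as pcap-filter(7) documents (I assume argus's filter compiler, which is derived from libpcap's, reads it the same way), or with the C-style rule that `and` binds tighter, so you can see that only the parenthesised form keeps the same meaning under both readings; the flows and the 192.0.2.10 address are made up.

```python
import re

# Constructed flow records (proto, src, dst); 192.0.2.10 plays the excluded host.
FLOWS = [("tcp", "10.0.0.5", "192.0.2.10"), ("udp", "192.0.2.10", "10.0.0.7"),
         ("icmp", "10.0.0.5", "192.0.2.10"), ("icmp", "10.0.0.5", "10.0.0.9"),
         ("tcp", "10.0.0.5", "10.0.0.9"), ("arp", "10.0.0.5", "10.0.0.9")]

TOKEN = re.compile(r"\(|\)|[^\s()]+")

def compile_filter(expr, equal_precedence=True):
    # equal_precedence=True: 'and'/'or' share one level, left to right (pcap-filter(7)).
    # False: C-style reading where 'and' binds tighter than 'or'.
    prec = {"or": 1, "and": 1 if equal_precedence else 2}
    toks = TOKEN.findall(expr)

    def primary():
        tok = toks.pop(0)
        if tok == "not":                       # negation binds tightest
            inner = primary()
            return lambda f: not inner(f)
        if tok == "(":
            node = binary(0)
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok == "host":                      # matches either endpoint
            addr = toks.pop(0)
            return lambda f: addr in (f[1], f[2])
        return lambda f, proto=tok: f[0] == proto

    def binary(min_prec):                      # precedence climbing
        left = primary()
        while toks and toks[0] in prec and prec[toks[0]] >= min_prec:
            op = toks.pop(0)
            right = binary(prec[op] + 1)       # +1 keeps it left-associative
            if op == "and":
                left = (lambda l, r: lambda f: l(f) and r(f))(left, right)
            else:
                left = (lambda l, r: lambda f: l(f) or r(f))(left, right)
        return left

    return binary(0)

def matched(expr, equal_precedence=True):
    """Indexes of FLOWS the expression keeps."""
    pred = compile_filter(expr, equal_precedence)
    return [i for i, f in enumerate(FLOWS) if pred(f)]
```

With the pcap reading, `tcp or udp or icmp and not host 192.0.2.10` drops every flow touching that host, while the C-style reading only drops the icmp ones; `(tcp or udp or icmp) and not host 192.0.2.10` gives the first result either way.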