Argus SrcID And SrcID filtering
CS Lee
geek00l at gmail.com
Thu Dec 8 18:12:58 EST 2011
hi Carter,
I did try to escape the quote -
./ra -L0 -S url://127.0.0.1 -s srcid saddr sport dir daddr dport - srcid
\"eth0\"
ra[18428]: 15:12:55.910966 remote Filter error
>From argus side, I got this -
argus -mAJZRU 512 -i eth0/\"eth0\" -B 127.0.0.1 -P 561
argus[16475]: 08 Dec 11 08:29:51.336199 started
argus[16475]: 08 Dec 11 08:29:51.371174 ArgusGetInterfaceStatus: interface
eth0 is up
argus[18382]: 08 Dec 11 15:09:05.085784 illegal char '"'
argus[18388]: 08 Dec 11 15:09:52.731229 illegal char '"'
argus[18401]: 08 Dec 11 15:10:17.372676 illegal char '"'
On Fri, Dec 9, 2011 at 3:55 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee,
> You need to escape the double quotes, so that they make it into the
> compiler:
>
> ra -S URI://127.0.0.1:561 -s srcid saddr sport dir daddr dport - srcid
> \"eth0\"
>
> without the quotes, ra will think you are looking for the IP address of
> the host 'eth0',
> which probably is not in your namespace.
>
> So without making a bit of a change in the srcid DSR definition, you only
> get 4 bytes
> for the srcid. This can change in 3.0.8, but right now you're limited to
> only
> 4 chars (32-bits).
>
> Carter
>
> On Dec 8, 2011, at 3:40 AM, CS Lee wrote:
>
> hi Carter,
>
> I would like to assign network interface name as srcid for argus, however
> in most condition 4 bytes looks enough, if I use freebsd and some of intel
> nic, it does have ixgbe as nic name, can it change from 4 bytes to say 8
> bytes instead.
>
> By the way filtering by srcid is not working -
>
> argus -mAJZRU 512 -i eth0/\"eth0\" -B 127.0.0.1 -P 561
> ra -S URI://127.0.0.1:561 -s srcid saddr sport dir daddr dport - srcid
> "eth0"
> ra[13898]: 00:42:09.339847 srcid eth0 unknown
> ra[13897]: 00:42:09.554215 srcid eth0 filter syntax error
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>
>
>
--
Best Regards,
CS Lee<geek00L[at]gmail.com>
http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20111209/f6c9a36d/attachment.html>
More information about the argus
mailing list