Filtering arp records by the "who-has" and "tell" IPs

Carter Bullard carter at qosient.com
Thu Jul 21 13:25:56 EDT 2011


Hey Kevin,
Sorry I can't test this right now, but how does this do?
   ra - arp and src host x.y.z.w

I'll check why your strategy didn't work later today.

Carter

On Jul 21, 2011, at 12:21 PM, The Branches <branchbunch at gmail.com> wrote:

> Could someone please remind me how to filter based on the IPs in arp requests? I know arp packets don't technically have a source and destination IP, but I thought for sure that argus interpreted the "tell" field as the source IP and the "who-has" field as the destination IP.
> 
> I thought the syntax to filter for all the arp requests generated by host 1.2.3.4 was like this:
>    ra -r flowfile - "arp src host 1.2.3.4"
> But this seems to only pick up non-arp traffic for that host.
> 
> I know I can do an "arp and ether src host xx:xx:xx:xx:xx:xx" to get the above to work, but that method won't work when wanting to filter on who is being arped for.
> 
> I know racluster understands the IPs in arp requests as the src/dst IP of the flow, because this works nicely:
>    racluster -r flowfile - "arp" -m saddr daddr
> 
> Anyway, thanks in advance for some pointers on this.
> Kevin
> 
> 
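The field mapping Kevin is relying on (the ARP "tell" address as the record's source IP, the "who-has" address as its destination IP) can be shown directly on raw frames. The following is an added Python example, not code from this thread or from argus: it parses Ethernet-framed ARP requests, exposes the sender and target protocol addresses as saddr/daddr, and applies the equivalent of "arp and src host X" / "arp and dst host Y", plus a saddr/daddr grouping in the spirit of the racluster command quoted above. The sample frames, MAC addresses and IPs are constructed for the example; function names are the example's own.

```python
"""Parse ARP requests and filter them by the 'tell' (sender) and 'who-has'
(target) IP addresses. Added example; sample frames below are constructed."""
import struct
from collections import Counter

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(b, 16) for b in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_request(src_mac: str, tell_ip: str, who_has_ip: str) -> bytes:
    """Build an Ethernet-framed ARP request (constructed sample input)."""
    eth = (_mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(src_mac)
           + struct.pack("!H", ETH_TYPE_ARP))
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += _mac_bytes(src_mac) + _ip_bytes(tell_ip)          # sender ("tell")
    arp += _mac_bytes("00:00:00:00:00:00") + _ip_bytes(who_has_ip)  # target ("who-has")
    return eth + arp


def parse_arp(frame: bytes):
    """Return a record for an Ethernet/IPv4 ARP frame, or None otherwise.

    ARP carries no IP header, so the only addresses a flow record can use
    are the sender protocol address (saddr, the "tell" field) and the
    target protocol address (daddr, the "who-has" field)."""
    if len(frame) < 14 + 28:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha = frame[22:28]
    spa = frame[28:32]
    tpa = frame[38:42]
    return {
        "ether_src": ":".join(f"{b:02x}" for b in sha),
        "saddr": ".".join(str(b) for b in spa),
        "daddr": ".".join(str(b) for b in tpa),
        "oper": oper,
    }


def filter_arp(frames, src_host=None, dst_host=None):
    """Equivalent of 'arp and src host X' and/or 'arp and dst host Y'."""
    out = []
    for frame in frames:
        rec = parse_arp(frame)
        if rec is None:
            continue
        if src_host is not None and rec["saddr"] != src_host:
            continue
        if dst_host is not None and rec["daddr"] != dst_host:
            continue
        out.append(rec)
    return out


def cluster_by_pair(frames):
    """Count ARP records per (saddr, daddr), like 'racluster -m saddr daddr'."""
    return dict(Counter((r["saddr"], r["daddr"]) for r in filter_arp(frames)))


# Constructed sample capture: three ARP requests and one non-ARP frame.
SAMPLE_FRAMES = [
    build_arp_request("00:11:22:33:44:55", "1.2.3.4", "1.2.3.10"),
    build_arp_request("00:11:22:33:44:55", "1.2.3.4", "1.2.3.20"),
    build_arp_request("66:77:88:99:aa:bb", "1.2.3.9", "1.2.3.4"),
    b"\x00" * 14 + b"\x45" + b"\x00" * 27,   # ethertype 0x0000: not ARP
]

if __name__ == "__main__":
    for rec in filter_arp(SAMPLE_FRAMES, src_host="1.2.3.4"):
        print(rec["saddr"], "asks who-has", rec["daddr"])
    print(cluster_by_pair(SAMPLE_FRAMES))
```

Filtering on the ARP target address (dst_host) is what the "ether src host" workaround cannot express, since the Ethernet header of a request only identifies the asking station; the "who-has" side is only available from the ARP payload.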
