Filtering arp records by the "who-has" and "tell" IPs

The Branches branchbunch at gmail.com
Thu Jul 21 13:44:29 EDT 2011


Carter,

In a case where the output of this
     ra -r flowfile - "arp"
clearly shows arps being broadcast by host 1.2.3.4, when I run this
     ra -r flowfile - "arp and src host x.y.z.w"
I get no results.

Interestingly, when I run this
     ra -r flowfile - "arp src host x.y.z.w"
I get the same results as if I used the filter "src host x.y.z.w"

Thanks for taking a peek into this when you get the chance.

Kevin


On 7/21/2011 1:25 PM, Carter Bullard wrote:
> Hey Kevin,
> Sorry I can't test this right now, but how does this do?
>     ra - arp and src host x.y.z.w
>
> I'll check why your strategy didn't work later today.
>
> Carter
>
> On Jul 21, 2011, at 12:21 PM, The Branches<branchbunch at gmail.com>  wrote:
>
>> Could someone please remind me how to filter based on the IPs in arp requests?  I know arp packets don't technically have a source and destination IP but I thought for sure that argus interpreted the "tell" field as source IP and the "who-has" field as the destination IP.
>>
>> I thought the syntax to filter for all the arp requests generated by host 1.2.3.4 was like this
>>     ra -r flowfile - "arp src host 1.2.3.4"
>> But this seems to only pick up non-arp traffic for that host.
>>
>> I know I can do an "arp and ether src host xx:xx:xx:xx:xx:xx" to get the above to work, but that method won't work when wanting to filter on who is being arped for.
>>
>> I know racluster understands the IPs in arp requests as the src/dst IP of the flow  because this works nicely
>>     racluster -r flowfile - "arp" -m saddr daddr
>>
>> Anyway, thanks in advance for some pointers on this.
>> Kevin
>>
>>
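The mapping Kevin describes above (the ARP "tell" address treated as the source IP and the "who-has" address as the destination IP) is easy to check against raw frames. The following is an added example, not argus code and not a statement about the ra filter grammar: it builds a few constructed IPv4-over-Ethernet ARP frames with made-up addresses, parses the ARP header with the standard library, and applies "src host" / "dst host" style matching on the sender and target protocol addresses. Function names, the sample frames and the addresses are all assumptions made here for illustration; it requires Python 3.8 or newer.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address
from typing import Dict, List, Optional

ETH_TYPE_ARP = 0x0806
ETH_TYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2


def build_arp_frame(op: int, sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str) -> bytes:
    """Constructed test data: Ethernet II header + ARP (htype=Ethernet, ptype=IPv4)."""
    dst_mac = b"\xff" * 6 if op == ARP_REQUEST else target_mac  # requests are broadcast
    eth = dst_mac + sender_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_TYPE_IPV4, 6, 4, op)
    arp += sender_mac + IPv4Address(sender_ip).packed          # SHA, SPA ("tell")
    arp += target_mac + IPv4Address(target_ip).packed          # THA, TPA ("who-has")
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != ETH_TYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    body = frame[22:42]
    sha, spa, tha, tpa = body[0:6], body[6:10], body[10:16], body[16:20]
    return {
        "op": op,
        "ether_src": sha.hex(":"),
        "src_ip": str(IPv4Address(spa)),  # sender protocol address: the "tell" IP
        "dst_ip": str(IPv4Address(tpa)),  # target protocol address: the "who-has" IP
    }


def match(rec: Dict[str, object], src_host: Optional[str] = None,
          dst_host: Optional[str] = None, op: Optional[int] = None) -> bool:
    """'src host' matches the tell IP, 'dst host' matches the who-has IP (assumed semantics)."""
    if src_host is not None and rec["src_ip"] != src_host:
        return False
    if dst_host is not None and rec["dst_ip"] != dst_host:
        return False
    if op is not None and rec["op"] != op:
        return False
    return True


def filter_arp(frames: List[bytes], **criteria) -> List[Dict[str, object]]:
    """Keep only ARP frames whose tell/who-has addresses satisfy the criteria."""
    return [rec for rec in map(parse_arp, frames) if rec is not None and match(rec, **criteria)]


def who_has_counts(frames: List[bytes]) -> Counter:
    """How often each IP is being ARPed for (target address of requests only)."""
    return Counter(r["dst_ip"] for r in filter_arp(frames, op=ARP_REQUEST))


# Constructed sample capture (addresses and MACs invented for this example).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000005")
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, MAC_A, "10.0.0.1", b"\x00" * 6, "10.0.0.5"),  # who-has 10.0.0.5 tell 10.0.0.1
    build_arp_frame(ARP_REQUEST, MAC_B, "10.0.0.2", b"\x00" * 6, "10.0.0.9"),  # who-has 10.0.0.9 tell 10.0.0.2
    build_arp_frame(ARP_REPLY, MAC_C, "10.0.0.5", MAC_A, "10.0.0.1"),          # 10.0.0.5 is-at MAC_C
    MAC_A + MAC_B + struct.pack("!H", ETH_TYPE_IPV4) + b"\x45" + b"\x00" * 40,  # non-ARP frame, ignored
]

if __name__ == "__main__":
    for rec in filter_arp(SAMPLE_FRAMES, src_host="10.0.0.1"):
        print(rec)
    print(who_has_counts(SAMPLE_FRAMES))
```

Filtering on `dst_host` answers Kevin's "who is being ARPed for" case directly from the target protocol address, which the Ethernet-level `ether src host` filter cannot reach; note that in a reply the sender and target swap roles, so `src_host` on replies selects the host that answered.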
