Filtering arp records by the "who-has" and "tell" IPs
The Branches
branchbunch at gmail.com
Thu Jul 21 12:21:10 EDT 2011
Could someone please remind me how to filter based on the IPs in arp
requests? I know arp packets don't technically have a source and
destination IP but I thought for sure that argus interpreted the "tell"
field as source IP and the "who-has" field as the destination IP.
I thought the syntax to filter for all the arp requests generated by host
1.2.3.4 was like this:
ra -r flowfile - "arp src host 1.2.3.4"
But this seems to only pick up non-arp traffic for that host.
I know I can do an "arp and ether src host xx:xx:xx:xx:xx:xx" to get the
above to work, but that method won't work when wanting to filter on who
is being arped for.
I know racluster understands the IPs in arp requests as the src/dst IP
of the flow because this works nicely
racluster -r flowfile - "arp" -m saddr daddr
Anyway, thanks in advance for some pointers on this.
Kevin
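The question turns on the fact that an ARP request carries both IPs inside the ARP payload rather than in an IP header: the sender protocol address is the "tell" IP and the target protocol address is the "who-has" IP. The Python below is added here as an illustration and is not code from the original post or from argus. It parses constructed raw Ethernet/ARP frames, maps the sender protocol address to saddr and the target protocol address to daddr (the way the post describes argus presenting them), and then filters on either field. The MAC and IP addresses are made up, and the filter helpers are an analogue of filtering on saddr/daddr, not a reproduction of argus's filter syntax.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Build a raw Ethernet II + ARP frame. Used only to construct sample input."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    ether = eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, oper)
    arp += sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed
    return ether + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return a flow-style record for an ARP-over-IPv4 frame, else None.

    There is no IP header, but the ARP body carries a sender protocol address
    (the "tell" IP) and a target protocol address (the "who-has" IP). They are
    exposed here as saddr and daddr respectively.
    """
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    sha = frame[22:28]
    spa = IPv4Address(frame[28:32])
    tha = frame[32:38]
    tpa = IPv4Address(frame[38:42])
    return {
        "oper": "request" if oper == ARP_REQUEST else "reply" if oper == ARP_REPLY else oper,
        "ether_src": _mac(sha),
        "saddr": str(spa),  # "tell" IP
        "daddr": str(tpa),  # "who-has" IP
    }


def arp_records(frames: List[bytes]) -> List[Dict[str, object]]:
    """Keep only the frames that parse as ARP; everything else is dropped."""
    return [r for r in (parse_arp(f) for f in frames) if r is not None]


def arp_src_host(frames: List[bytes], ip: str) -> List[Dict[str, object]]:
    """ARP records whose "tell" IP is ip (analogue of filtering on saddr)."""
    return [r for r in arp_records(frames) if r["saddr"] == ip]


def arp_dst_host(frames: List[bytes], ip: str) -> List[Dict[str, object]]:
    """ARP records that ask for ip (analogue of filtering on daddr)."""
    return [r for r in arp_records(frames) if r["daddr"] == ip]


# Constructed sample traffic with hypothetical addresses.
HOST_A = bytes.fromhex("0011223344aa")
HOST_B = bytes.fromhex("0011223344bb")
ZERO_MAC = bytes(6)
SAMPLE_FRAMES = [
    # who-has 1.2.3.9 tell 1.2.3.4
    build_arp_frame(ARP_REQUEST, HOST_A, "1.2.3.4", ZERO_MAC, "1.2.3.9"),
    # who-has 1.2.3.4 tell 1.2.3.9
    build_arp_frame(ARP_REQUEST, HOST_B, "1.2.3.9", ZERO_MAC, "1.2.3.4"),
    # 1.2.3.9 is-at HOST_B, sent to 1.2.3.4
    build_arp_frame(ARP_REPLY, HOST_B, "1.2.3.9", HOST_A, "1.2.3.4"),
    # a non-ARP (IPv4) frame from HOST_A, which must not match any ARP filter
    b"\xff" * 6 + HOST_A + struct.pack("!H", ETHERTYPE_IPV4) + bytes(40),
]

if __name__ == "__main__":
    for rec in arp_src_host(SAMPLE_FRAMES, "1.2.3.4"):
        print("tell 1.2.3.4    :", rec)
    for rec in arp_dst_host(SAMPLE_FRAMES, "1.2.3.4"):
        print("who-has 1.2.3.4 :", rec)
```

The non-ARP frame from the same Ethernet source is excluded before any address comparison, which is the behaviour the post expects from combining an `arp` protocol filter with a host filter; filtering on `daddr` is what an "ether src host" workaround cannot express, since the MAC of the host being asked for is not in the request.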