ra and racluster problem when reading flow-tools files
Carter Bullard
carter at qosient.com
Thu Jul 21 19:14:32 EDT 2011
Hey Mike,
Sorry for the delay. Hmmm, I would suggest that you apply a '-' to your command line to indicate the start of the filter.
Run your command with the -b option, to see what the filter compiler generates. This is what I would expect.
# ra -r ft:file -n -b - host 1.2.3.4 or host 2.3.4.5
(000) ldb dsr[1][2]
(001) and #31
(002) jeq #0x1 jt 3 jf 10
(003) ld dsr[1][4]
(004) jeq #0x1020304 jt 9 jf 5
(005) jeq #0x2030405 jt 9 jf 6
(006) ld dsr[1][8]
(007) jeq #0x1020304 jt 9 jf 8
(008) jeq #0x2030405 jt 9 jf 10
(009) ret #96
(010) ret #0
Carter
On Jul 19, 2011, at 5:54 PM, Mike Iglesias wrote:
> When using argus-clients-3.0.5.17 ra or racluster to read flow-tools files
> like this:
>
> ra -n -r ft:ft-v07.2011-07-09.000000-0700 host a.b.c.d or host w.x.y.z
>
> The IP specifications appear to be ignored and I just get all the data in the
> flow-tools output file. I only want output if the flow record source or
> destination IP matches the IPs I specified on the command line.
>
>
> --
> Mike Iglesias Email: iglesias at uci.edu
> University of California, Irvine phone: 949-824-6926
> Office of Information Technology FAX: 949-824-2270
>
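The listing Carter shows is the compiled form of the filter "host 1.2.3.4 or host 2.3.4.5": it loads the address-type field, masks it, and then compares the source and destination address words against both hosts. The following is an added example, not code from the original post or from the argus project, that parses that listing verbatim and runs it as a tiny BPF-style virtual machine over constructed flow records. The record layout it assumes is inferred from the listing alone and is an assumption: the low five bits of the byte at offset 2 of DSR 1 carry the address type (1 meaning IPv4), the 32-bit big-endian source address sits at offset 4 and the destination address at offset 8. The helper names `parse_listing`, `make_record` and `run_filter` are mine.

```python
import re
from ipaddress import IPv4Address

# The filter program exactly as `ra -b` printed it in the message above.
LISTING = """\
(000) ldb dsr[1][2]
(001) and #31
(002) jeq #0x1 jt 3 jf 10
(003) ld dsr[1][4]
(004) jeq #0x1020304 jt 9 jf 5
(005) jeq #0x2030405 jt 9 jf 6
(006) ld dsr[1][8]
(007) jeq #0x1020304 jt 9 jf 8
(008) jeq #0x2030405 jt 9 jf 10
(009) ret #96
(010) ret #0
"""

INSN_RE = re.compile(r"^\((\d+)\)\s+(\w+)\s+(.*)$")
DSR_RE = re.compile(r"^dsr\[(\d+)\]\[(\d+)\]$")


def parse_listing(text):
    """Turn the printed listing into a list of (opcode, operand-tokens)."""
    prog = []
    for line in text.strip().splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised instruction: %r" % line)
        prog.append((m.group(2), m.group(3).split()))
    return prog


def make_record(src, dst, addr_type=1):
    """Build a constructed DSR-1 buffer (assumed layout: type byte at 2,
    source address at 4, destination address at 8, both big-endian)."""
    buf = bytearray(12)
    buf[2] = addr_type
    buf[4:8] = int(IPv4Address(src)).to_bytes(4, "big")
    buf[8:12] = int(IPv4Address(dst)).to_bytes(4, "big")
    return {1: bytes(buf)}  # keyed by DSR index, as dsr[1][off] references it


def _imm(token):
    # Immediates are printed as "#31" or "#0x1020304".
    return int(token.lstrip("#"), 0)


def run_filter(prog, record):
    """Execute the program against one record; returns the `ret` value
    (non-zero means the record passes the filter)."""
    acc, pc = 0, 0
    while True:
        op, args = prog[pc]
        if op in ("ld", "ldb"):
            m = DSR_RE.match(args[0])
            dsr, off = int(m.group(1)), int(m.group(2))
            width = 1 if op == "ldb" else 4
            acc = int.from_bytes(record[dsr][off:off + width], "big")
            pc += 1
        elif op == "and":
            acc &= _imm(args[0])
            pc += 1
        elif op == "jeq":
            # Form: jeq #k jt <true-target> jf <false-target>
            jt, jf = int(args[2]), int(args[4])
            pc = jt if acc == _imm(args[0]) else jf
        elif op == "ret":
            return _imm(args[0])
        else:
            raise ValueError("unsupported opcode: %s" % op)


def matches(prog, record):
    return run_filter(prog, record) != 0


if __name__ == "__main__":
    prog = parse_listing(LISTING)
    # Constructed sample records: src->dst pairs.
    for src, dst in [("1.2.3.4", "10.0.0.1"), ("10.0.0.1", "2.3.4.5"),
                     ("10.0.0.1", "10.0.0.2")]:
        print(src, "->", dst, "pass" if matches(prog, make_record(src, dst)) else "drop")
```

Reading the program this way makes the structure of an `or` of two `host` terms visible: the type check at (002) guards everything, (003)-(005) test the source address against both hosts, (006)-(008) test the destination, and any hit jumps straight to the accepting `ret #96`. A record whose address type is not 1 is rejected at (002) without either address being examined.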