Argus Filter Question

Carter Bullard carter at qosient.com
Mon May 16 18:24:14 EDT 2011


Hey Leif,
Argus passes this filter down to libpcap, so the filter needs to be formulated as if you were using it with tcpdump.
Play with tcpdump() to figure out the right filter.  "not proto gre" is much different than "not ip proto gre", so not sure
if your filter works or not.  Also, not sure if I remember that you're using dags?  If so are you using the native dag driver or
the libpcap interface to the dags?

Carter

On May 16, 2011, at 5:40 PM, Leif Tishendorf wrote:

> Hey Carter or anyone else really,
> 
> I have a question about usage of "ARGUS_FILTER" in argus.conf.  We have a significant amount of GRE traffic on the network that I don't care about and I'm trying to filter it out using "ARGUS_FILTER="not proto gre"", but I'm still seeing it in the Argus records.  Not sure if I'm doing it right.  Any help is much appreciated.
> 
> Thanks,
> 
> --Leif
> 
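One way to follow the advice above and try the configured expression with tcpdump before restarting Argus, as an added example that is not part of the original thread or of the Argus project. The sample configuration text, the function names and the capture path are constructed for illustration, and the parser assumes simple `KEY=value` lines with optional double quotes, as in the line quoted in the question.

```python
import re
import shutil
import subprocess

# Constructed sample argus.conf content (not from a real deployment).
SAMPLE_CONF = '''\
# ARGUS_FILTER="tcp"
ARGUS_INTERFACE=eth0
ARGUS_FILTER="not proto gre"
'''

_LINE = re.compile(r'^\s*ARGUS_FILTER\s*=\s*(.*?)\s*$')

def argus_filters(conf_text):
    """Return every uncommented, non-empty ARGUS_FILTER value, in file order."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # commented-out setting
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group(1)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]  # strip the surrounding double quotes
        if raw:
            found.append(raw)
    return found

def tcpdump_check_cmd(expr, pcap_path):
    """argv that has tcpdump compile expr (-d) for the link type of a saved capture (-r)."""
    return ['tcpdump', '-d', '-r', pcap_path, expr]

def check(expr, pcap_path):
    """Compile expr with tcpdump; return (ok, compiled code or error text)."""
    if shutil.which('tcpdump') is None:
        return False, 'tcpdump not found on PATH'
    p = subprocess.run(tcpdump_check_cmd(expr, pcap_path),
                       capture_output=True, text=True)
    return p.returncode == 0, (p.stdout if p.returncode == 0 else p.stderr).strip()

if __name__ == '__main__':
    # 'sample.pcap' is a placeholder: use a short capture taken on the monitored link.
    for expr in argus_filters(SAMPLE_CONF) + ['not ip proto gre']:
        print(expr, '->', ' '.join(tcpdump_check_cmd(expr, 'sample.pcap')))
```

Running the printed commands against a capture from the monitored link lets you compare the compiled code of the two expressions mentioned in the reply.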
