Argus Filter Question
    Leif Tishendorf 
    ltishend at gmail.com
    Mon May 16 18:52:52 EDT 2011
 > Also, not sure if I remember that you're using dags?  If so are you
 > using the native dag driver or the libpcap interface to the dags?
I'm not sure on that one. Can Argus read the Endace ERF format?  I have 
Argus compiled against the Dag-enabled libpcap, but if it can 
understand ERF that would cut down on some overhead.  I don't see an 
option in the Argus configuration script to point it at the Dag drivers 
at compile time.
-Leif
On 05/16/2011 03:24 PM, Carter Bullard wrote:
> Hey Leif,
> Argus passes this filter down to libpcap, so the filter needs to be formulated as if you were using it with tcpdump.
> Play with tcpdump() to figure out the right filter.  "not proto gre" is much different than "not ip proto gre", so not sure
> if your filter works or not.  Also, not sure if I remember that you're using dags?  If so are you using the native dag driver or
> the libpcap interface to the dags?
>
> Carter
>
> On May 16, 2011, at 5:40 PM, Leif Tishendorf wrote:
>
>> Hey Carter or anyone else really,
>>
>> I have a question about usage of "ARGUS_FILTER" in argus.conf.  We have a significant amount of GRE traffic on the network that I don't care about and I'm trying to filter it out using "ARGUS_FILTER="not proto gre"", but I'm still seeing it in the Argus records.  Not sure if I'm doing it right.  Any help is much appreciated.
>>
>> Thanks,
>>
>> --Leif
>>
>
-- 
--Leif
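An added example, not part of the thread and not Argus or libpcap code: a small Python model of what the `ip proto gre` primitive keys on (IPv4 ethertype 0x0800, then the protocol byte at offset 9 of the IP header, value 47), applied as `not ip proto gre` to three constructed Ethernet frames. It is useful as a mental reference when comparing what Argus should be dropping against what it actually records. The frame builders, MAC and IP addresses, and the sample frames are all constructed here; nothing is captured from a real network.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_GRE = 47  # IANA protocol number for GRE, what "ip proto gre" resolves to


def ethernet_frame(ethertype, payload):
    """Build an Ethernet II frame with constructed (not real) MAC addresses."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_packet(proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (no options) carrying `proto`.

    Checksum is left as 0; a BPF filter does not verify it. Addresses are constructed.
    """
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5 (20 bytes)
        0,           # DSCP/ECN
        total_len,
        0,           # identification
        0,           # flags/fragment offset
        64,          # TTL
        proto,       # protocol byte: this is what "ip proto" examines
        0,           # header checksum (not checked here)
        bytes([10, 0, 0, 1]),
        bytes([10, 0, 0, 2]),
    )
    return header + payload


def ip_proto(frame):
    """Return the IPv4 protocol number of a frame, or None if it is not IPv4.

    Mirrors the "ip proto" primitive: it only ever matches IPv4 frames, so ARP,
    IPv6 and anything else yield None here (and would need e.g. "ip6 proto gre"
    to be matched in a real filter).
    """
    if len(frame) < 14 + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20:
        return None  # malformed header; a filter would not match it as GRE
    return frame[14 + 9]


def passes_not_ip_proto_gre(frame):
    """True if the frame survives the filter "not ip proto gre"."""
    return ip_proto(frame) != IPPROTO_GRE


def apply_filter(named_frames):
    """Return the names of the frames that the filter keeps, in order."""
    return [name for name, frame in named_frames if passes_not_ip_proto_gre(frame)]


# Constructed sample frames: one GRE-in-IPv4, one TCP-in-IPv4, one ARP.
SAMPLE_FRAMES = [
    ("gre", ethernet_frame(ETHERTYPE_IPV4, ipv4_packet(IPPROTO_GRE, b"\x00\x00\x08\x00"))),
    ("tcp", ethernet_frame(ETHERTYPE_IPV4, ipv4_packet(IPPROTO_TCP, b"\x00" * 20))),
    ("arp", ethernet_frame(ETHERTYPE_ARP, b"\x00" * 28)),
]

if __name__ == "__main__":
    print("kept by 'not ip proto gre':", apply_filter(SAMPLE_FRAMES))
```

Only the GRE frame is dropped; the TCP frame and the non-IP ARP frame are kept, which is what the negated filter should do. To see what libpcap itself compiles a candidate filter into before putting it in argus.conf, `tcpdump -d 'not ip proto gre'` dumps the packet-matching code, and `tcpdump -r capture.pcap 'not ip proto gre'` replays a saved capture through the filter so the surviving packets can be compared with the Argus records.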