Argus Filter Question

Carter Bullard carter at qosient.com
Mon May 16 20:20:42 EDT 2011


Not at compile time, but at ./configure time.  Try:
   ./configure --help

You should see with-dag=dir

Provide the path to the dag code distribution.
Carter


On May 16, 2011, at 6:52 PM, Leif Tishendorf <ltishend at gmail.com> wrote:

> > Also, not sure if I remember that you're using dags?  If so are you
> > using the native dag driver or the libpcap interface to the dags?
> 
> I'm not sure on that one. Can Argus read the Endace ERF format?  I have Argus compiled against the Dag enabled libpcap, but if they can understand ERF that would cut down on some overhead.  I don't see an option in the Argus configuration script to point it at the Dag drivers for compile time.
> 
> -Leif
> 
> On 05/16/2011 03:24 PM, Carter Bullard wrote:
>> Hey Leif,
>> Argus passes this filter down to libpcap, so the filter needs to be formulated as if you were using it with tcpdump.
>> Play with tcpdump() to figure out the right filter.  "not proto gre" is much different than "not ip proto gre", so not sure
>> if your filter works or not.  Also, not sure if I remember that you're using dags?  If so are you using the native dag driver or
>> the libpcap interface to the dags?
>> 
>> Carter
>> 
>> On May 16, 2011, at 5:40 PM, Leif Tishendorf wrote:
>> 
>>> Hey Carter or anyone else really,
>>> 
>>> I have a question about usage of "ARGUS_FILTER" in argus.conf.  We have a significant amount of GRE traffic on the network that I don't care about and I'm trying to filter it out using "ARGUS_FILTER="not proto gre"", but I'm still seeing it in the Argus records.  Not sure if I'm doing it right.  Any help is much appreciated.
>>> 
>>> Thanks,
>>> 
>>> --Leif
>>> 
>> 
> 
> -- 
> --Leif
> 
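To illustrate Carter's point that `not proto gre` and `not ip proto gre` are different expressions, here is an added Python model (not from this thread, from Argus, or from libpcap) of the two predicates as pcap-filter(7) describes them: `ip proto gre` matches only IPv4 packets carrying protocol 47, while a bare `proto gre` matches IPv4 or IPv6 carrying protocol 47. The frames are constructed samples; the model ignores VLAN tags and IPv6 extension headers and is a reading aid, not a substitute for testing the string with tcpdump.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_ARP = 0x0800, 0x86DD, 0x0806
IPPROTO_GRE = 47  # "gre" in /etc/protocols


def ipv4_frame(proto: int) -> bytes:
    """Ethernet + minimal 20-byte IPv4 header (constructed sample, not a capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip


def ipv6_frame(next_header: int) -> bytes:
    """Ethernet + 40-byte IPv6 header; next header is at offset 6 (constructed sample)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV6)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                      b"\x00" * 15 + b"\x01", b"\x00" * 15 + b"\x02")
    return eth + ip6


def arp_frame() -> bytes:
    """Non-IP frame, so neither filter can match it (constructed sample)."""
    return b"\x00" * 12 + struct.pack("!H", ETH_ARP) + b"\x00" * 28


def l3_protocol(frame: bytes):
    """Return (ethertype, IP protocol / next-header number); protocol is None for non-IP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        return ethertype, frame[14 + 9]   # IPv4 protocol field
    if ethertype == ETH_IPV6:
        return ethertype, frame[14 + 6]   # IPv6 next-header field
    return ethertype, None


def ip_proto_gre(frame: bytes) -> bool:
    """Model of 'ip proto gre': IPv4 packets with protocol 47 only."""
    ethertype, proto = l3_protocol(frame)
    return ethertype == ETH_IPV4 and proto == IPPROTO_GRE


def proto_gre(frame: bytes) -> bool:
    """Model of bare 'proto gre': IPv4 or IPv6 packets with protocol 47."""
    ethertype, proto = l3_protocol(frame)
    return ethertype in (ETH_IPV4, ETH_IPV6) and proto == IPPROTO_GRE


def apply_not_filter(frames, match):
    """Model ARGUS_FILTER="not <expr>": keep the frames the expression does NOT match."""
    return [name for name, frame in frames if not match(frame)]


# Constructed sample traffic: GRE over IPv4 and IPv6, plus non-GRE and non-IP frames.
SAMPLE = [("v4-gre", ipv4_frame(IPPROTO_GRE)), ("v4-tcp", ipv4_frame(6)),
          ("v6-gre", ipv6_frame(IPPROTO_GRE)), ("v6-udp", ipv6_frame(17)),
          ("arp", arp_frame())]
```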