Argus Filter Question

Leif Tishendorf ltishend at gmail.com
Tue May 17 12:52:34 EDT 2011


With Argus 3.0.5.2 I don't see a dag option in the configuration help. 
So I went ahead and tried to feed it the option anyway and I get:

root@:~/argus-3.0.5.2# ./configure --with-dag=/usr/local/lib/dag
configure: WARNING: unrecognized options: --with-dag

--Leif


On 05/16/2011 05:20 PM, Carter Bullard wrote:
> Not at compile time, but at ./configure time.  Try:
>     ./configure --help
>
> You should see with-dag=dir
>
> Provide the path to the dag code distribution.
> Carter
>
>
> On May 16, 2011, at 6:52 PM, Leif Tishendorf<ltishend at gmail.com>  wrote:
>
>>> Also, not sure if I remember that you're using dags?  If so are you
>>> using the native dag driver or the libpcap interface to the dags?
>>
>> I'm not sure on that one. Can Argus read the Endace ERF format?  I have Argus compiled against the Dag enabled libpcap, but if they can understand ERF that would cut down on some overhead.  I don't see an option in the Argus configuration script to point it at the Dag drivers for compile time.
>>
>> -Leif
>>
>> On 05/16/2011 03:24 PM, Carter Bullard wrote:
>>> Hey Leif,
>>> Argus passes this filter down to libpcap, so the filter needs to be formulated as if you were using it with tcpdump.
>>> Play with tcpdump() to figure out the right filter.  "not proto gre" is much different than "not ip proto gre", so not sure
>>> if your filter works or not.  Also, not sure if I remember that you're using dags?  If so are you using the native dag driver or
>>> the libpcap interface to the dags?
>>>
>>> Carter
>>>
>>> On May 16, 2011, at 5:40 PM, Leif Tishendorf wrote:
>>>
>>>> Hey Carter or anyone else really,
>>>>
>>>> I have a question about usage of "ARGUS_FILTER" in argus.conf.  We have a significant amount of GRE traffic on the network that I don't care about and I'm trying to filter it out using "ARGUS_FILTER="not proto gre"", but I'm still seeing it in the Argus records.  Not sure if I'm doing it right.  Any help is much appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> --Leif
>>>>
>>>
>>
>> --
>> --Leif
>>

-- 
--Leif
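Since the thread turns on what a filter like "ip proto gre" actually tests, here is an added example (not from the thread and not Argus or libpcap code) that classifies constructed Ethernet frames by the byte such a filter inspects: the IPv4 Protocol field or IPv6 Next Header, value 47 for GRE. The frames, helper names and addresses are all constructed for illustration; the classifier does not chase IPv6 extension headers.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
ETH_P_ARP = 0x0806
IPPROTO_GRE = 47  # GRE's IANA protocol number; what "ip proto gre" compares against


def is_gre(frame: bytes) -> bool:
    """True if an Ethernet frame carries GRE directly inside IPv4 or IPv6."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_P_IP:
        # IPv4: Protocol field is byte 9 of the header
        return len(payload) >= 20 and payload[9] == IPPROTO_GRE
    if ethertype == ETH_P_IPV6:
        # IPv6: Next Header is byte 6; extension headers are not followed here
        return len(payload) >= 40 and payload[6] == IPPROTO_GRE
    return False  # ARP and other non-IP frames have no protocol field to test


def build_frame(ethertype: int, l3_header: bytes) -> bytes:
    """Constructed frame: zeroed MAC addresses, given EtherType, given L3 header."""
    return b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ethertype) + l3_header


def ipv4_header(proto: int) -> bytes:
    # Minimal 20-byte IPv4 header (constructed, no options, checksum left zero)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")


def ipv6_header(next_header: int) -> bytes:
    # Minimal 40-byte IPv6 header (constructed, zero addresses)
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       b"\x00" * 16, b"\x00" * 16)


# Constructed sample frames keyed by a descriptive name
SAMPLE_FRAMES = {
    "ipv4-gre": build_frame(ETH_P_IP, ipv4_header(IPPROTO_GRE)),
    "ipv4-tcp": build_frame(ETH_P_IP, ipv4_header(6)),
    "ipv6-gre": build_frame(ETH_P_IPV6, ipv6_header(IPPROTO_GRE)),
    "arp": build_frame(ETH_P_ARP, b"\x00" * 28),
}


def kept_after_gre_filter(frames: dict) -> list:
    """Names of frames that survive a 'not GRE' filter, i.e. what a sensor would still record."""
    return [name for name, frame in frames.items() if not is_gre(frame)]
```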


