Argus Filter Question

Carter Bullard carter at qosient.com
Tue May 17 13:00:38 EDT 2011


So sorry.  My bad, I forgot that I took it out for 3.0.4.  If important I can put it back in for 3.0.5.
Argus has supported DAGs and ERF packet formats for many, many years. Probably took it
out when I cleaned up all the legacy packet formats that no one uses any longer.  snoop, moat, etc....

Nothing to put back in.  If you looked in the code you would see ArgusErfRead(),
ArgusDagPacket(), Arguslookup_dag_callback(), etc....

Would this be important?  Don't remember that you get the filter support when you use native
DAG drivers?

Carter


On May 17, 2011, at 12:52 PM, Leif Tishendorf wrote:

> With Argus 3.0.5.2 I don't see a dag option in the configuration help. So I went ahead and tried to feed it the option anyway and I get:
> 
> root@:~/argus-3.0.5.2# ./configure --with-dag=/usr/local/lib/dag
> configure: WARNING: unrecognized options: --with-dag
> 
> --Leif
> 
> 
> On 05/16/2011 05:20 PM, Carter Bullard wrote:
>> Not at compile time, but at ./configure time.  Try:
>>    ./configure --help
>> 
>> You should see with-dag=dir
>> 
>> Provide the path to the dag code distribution.
>> Carter
>> 
>> 
>> On May 16, 2011, at 6:52 PM, Leif Tishendorf<ltishend at gmail.com>  wrote:
>> 
>>>> Also, not sure if I remember that you're using dags?  If so are you
>>>> using the native dag driver or the libpcap interface to the dags?
>>> 
>>> I'm not sure on that one. Can Argus read the Endace ERF format?  I have Argus compiled against the DAG-enabled libpcap, but if they can understand ERF that would cut down on some overhead.  I don't see an option in the Argus configuration script to point it at the DAG drivers for compile time.
>>> 
>>> -Leif
>>> 
>>> On 05/16/2011 03:24 PM, Carter Bullard wrote:
>>>> Hey Leif,
>>>> Argus passes this filter down to libpcap, so the filter needs to be formulated as if you were using it with tcpdump.
>>>> Play with tcpdump() to figure out the right filter.  "not proto gre" is much different than "not ip proto gre", so not sure
>>>> if your filter works or not.  Also, not sure if I remember that you're using dags?  If so are you using the native dag driver or
>>>> the libpcap interface to the dags?
>>>> 
>>>> Carter
>>>> 
>>>> On May 16, 2011, at 5:40 PM, Leif Tishendorf wrote:
>>>> 
>>>>> Hey Carter or anyone else really,
>>>>> 
>>>>> I have a question about usage of "ARGUS_FILTER" in argus.conf.  We have a significant amount of GRE traffic on the network that I don't care about and I'm trying to filter it out using "ARGUS_FILTER="not proto gre"", but I'm still seeing it in the Argus records.  Not sure if I'm doing it right.  Any help is much appreciated.
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> --Leif
>>>>> 
>>>> 
>>> 
>>> --
>>> --Leif
>>> 
> 
> -- 
> --Leif
> 
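The thread turns on the point that ARGUS_FILTER is handed straight to libpcap, so the filter must be a BPF expression exactly as tcpdump would take it, and that "ip proto gre" tests the protocol number (GRE is IP protocol 47) in the outer IPv4 header. The following is an added example, not Argus code and not something posted in the thread: a small matcher that constructs an Ethernet/IPv4 frame and applies the same checks a compiled "ip proto gre" filter makes, so the semantics of the suggested filter can be examined offline. The frame builder, the MAC and IP addresses and the payload are constructed placeholders. It goes slightly beyond the thread in also handling 802.1Q-tagged frames, to illustrate that a bare "ip" qualifier in BPF only matches untagged frames (ethertype 0x0800 at offset 12) and that tagged traffic needs the "vlan" qualifier in front of it.

```python
"""Constructed example: how a libpcap/BPF-style 'ip proto gre' test looks at a frame.

GRE is IP protocol number 47.  A filter such as 'not ip proto gre' inspects only
the protocol byte of the outer IPv4 header of an untagged Ethernet frame; this
matcher mirrors that so the filter's behaviour can be checked without a capture.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6
IPPROTO_GRE = 47


def build_frame(ip_proto: int, vlan_id=None) -> bytes:
    """Build a minimal Ethernet/IPv4 frame carrying the given IP protocol number.

    MACs, IPs and payload are placeholder values constructed for this example,
    not captured data.  If vlan_id is given an 802.1Q tag is inserted.
    """
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    payload = b"\x00" * 8  # stand-in for a GRE or TCP header; contents do not matter
    version_ihl = 0x45     # IPv4, 20-byte header
    total_len = 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_len, 0, 0, 64, ip_proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    if vlan_id is None:
        eth = dst + src + struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth = dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return eth + ip_hdr + payload


def outer_ip_proto(frame: bytes, expect_vlan: bool = False):
    """Return the outer IPv4 protocol number, or None if the frame would not
    satisfy the 'ip' qualifier the way BPF evaluates it.

    expect_vlan=False mimics plain 'ip proto X': ethertype 0x0800 at offset 12.
    expect_vlan=True mimics 'vlan and ip proto X': 0x8100 at 12, 0x0800 at 16.
    """
    off = 12
    if expect_vlan:
        if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_VLAN:
            return None
        off = 16
    if len(frame) < off + 2 or struct.unpack_from("!H", frame, off)[0] != ETHERTYPE_IPV4:
        return None
    ip_start = off + 2
    if len(frame) < ip_start + 20 or (frame[ip_start] >> 4) != 4:
        return None
    return frame[ip_start + 9]  # protocol byte of the IPv4 header


def not_ip_proto_gre(frame: bytes, expect_vlan: bool = False) -> bool:
    """Equivalent of ARGUS_FILTER="not ip proto gre": True means the packet is kept."""
    return outer_ip_proto(frame, expect_vlan) != IPPROTO_GRE


if __name__ == "__main__":
    for name, frame in (("gre", build_frame(IPPROTO_GRE)),
                        ("tcp", build_frame(IPPROTO_TCP)),
                        ("gre in vlan 100", build_frame(IPPROTO_GRE, vlan_id=100))):
        print(f"{name:16s} kept by 'not ip proto gre': {not_ip_proto_gre(frame)}; "
              f"kept by 'not (vlan and ip proto gre)': {not_ip_proto_gre(frame, expect_vlan=True)}")
```

The same filter text can be checked against real libpcap with tcpdump -d 'not ip proto gre', which prints the compiled BPF program, or by running tcpdump with the expression on the capture interface and confirming the GRE packets disappear before putting it into argus.conf.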
