Filter type 'appbytes' behavior unexpected
Jesse Bowling
jessebowling at gmail.com
Sun Oct 6 23:16:53 EDT 2013
Hello,
I noticed while looking at some data that using the filter type
'appbytes' appears to filter on either sappbytes or dappbytes, but not
on appbytes, which is unexpected to me. From the man page:
    [src | dst] appbytes [gt | gte | lt | lte | eq] number
        True if the application byte count in the Argus record
        (default) equals number.
For instance, I would expect this invocation:
    ra -r test.argus -s sappbytes dappbytes appbytes - appbytes eq 2760
To display output for only flows whose total application bytes
(appbytes) equals 2760. Instead the behavior I see is that I get flows
which have 2760 bytes in either sappbytes or dappbytes.
    SAppBytes  DAppBytes  TotAppByte
          151       2760        2911
          169       2760        2929
         2760        151        2911
          151       2760        2911
I can see the utility of this behavior, but based on the documentation I
would not expect this result. I'm seeing the same results from 3.0.7.9
-> 3.0.7.15.
Is the current behavior the 'correct' behavior or a bug?
Thanks,
Jesse
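As an added illustration (not part of the post above and not Argus project code), the script below models the two readings of `appbytes eq N` over a constructed copy of the `ra -s sappbytes dappbytes appbytes` columns, and shows the usual workaround when a filter does not select on the total: post-filter ra's output on the third column with awk. The sample rows are taken from the post plus one constructed row (1380/1380/2760) whose total actually equals 2760; the header label, the use of a header line, and the helper names are assumptions.

```shell
#!/bin/sh
# Constructed sample of the columns 'ra -s sappbytes dappbytes appbytes' prints:
# the four rows from the post plus one row whose total (not either side) is 2760.
SAMPLE='SAppBytes DAppBytes TotAppBytes
151 2760 2911
169 2760 2929
2760 151 2911
151 2760 2911
1380 1380 2760'

# either_dir N: rows where sappbytes OR dappbytes equals N
# (the behaviour the post observes for 'appbytes eq N').
either_dir() {
  printf '%s\n' "$SAMPLE" | awk -v n="$1" 'NR > 1 && ($1 == n || $2 == n)'
}

# total_eq N: rows where the total application byte count equals N
# (the reading the man page excerpt suggests).
total_eq() {
  printf '%s\n' "$SAMPLE" | awk -v n="$1" 'NR > 1 && $3 == n'
}

# count_rows FUNC ARGS...: number of rows a selector emits
count_rows() { "$@" | wc -l | tr -d ' '; }

# Workaround against real data (assumed command line, header skipped by NR > 1):
#   ra -r test.argus -s sappbytes dappbytes appbytes | awk 'NR > 1 && $3 == 2760'
echo "rows matching either direction == 2760:"
either_dir 2760
echo "rows matching total == 2760:"
total_eq 2760
```

With the observed semantics the first selector returns all four rows from the post, while selecting on the total column returns only the constructed 1380/1380/2760 row. The man page excerpt quoted in the post also lists `src appbytes` and `dst appbytes` for filtering on one direction explicitly.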
More information about the argus
mailing list