ra filter of llc packets

Carter Bullard carter at qosient.com
Wed Jul 23 15:42:04 EDT 2014 

Hey Mike,
Since LLC is a Layer 2 protocol, you should be able to pick
them up with:

   ra — ether proto llc

or reject them with:

   ra - not ether proto llc

With regard to the -N option … What version are you running ???
Could you try argus-clients-3.0.8.tar.gz which is on the dev server
(if you’re not already using it ??).

   http://qosient.com/argus/dev/argus-clients-latest.tar.gz

Carter



On Jul 23, 2014, at 10:36 AM, mike tancsa <mike at sentex.ca> wrote:

> Hi,
> 	I am trying to slim down some historical files by filtering out some L2 proto packets, but cant seem to find the magic filter incantation. Is there a way to get rid of
> 
> packets such as
> 
> 07/11 19:19:30.80*  *           llc  00:04:28:c7:fe:50.170       -> 01:00:0c:cc:cc:cd.170           3        192   REQ
> 07/11 19:19:36.79*  *           llc  00:04:28:c7:fe:50.170       -> 01:00:0c:cc:cc:cd.170           3        192   REQ
> 07/11 19:19:42.83*  *           llc  00:04:28:c7:fe:50.170       -> 01:00:0c:cc:cc:cd.170           3        192   REQ
> 07/11 19:19:48.83*  *           llc  00:04:28:c7:fe:50.170       -> 01:00:0c:cc:cc:cd.170           3        192   REQ
> 
> 
> Another thing I noticed was that this particular file seems to break the -N switch-- at least what I understand how it should work.
> 
> eg.
> 
> # ra -nr mpls-router.arg -s stime,proto | head -20
>            StartTime  Proto
> 07/11 11:31:58.310204    llc
> 07/11 11:32:04.309024    llc
> 07/11 11:32:10.308252    llc
> 07/11 11:32:16.307877    llc
> 07/11 11:32:22.306741    llc
> 07/11 11:32:28.342169    llc
> 07/11 11:32:34.341274    llc
> 07/11 11:32:40.340494    llc
> 07/11 11:32:46.340141    llc
> 07/11 11:32:49.762776    tcp
> 07/11 11:32:52.339053    llc
> 07/11 11:32:55.237412    tcp
> 07/11 11:32:58.338272    llc
> 07/11 11:33:03.847288    tcp
> 07/11 11:33:04.337521    llc
> 07/11 11:33:10.337955    llc
> 07/11 11:33:16.336544    llc
> 07/11 11:33:22.335258    llc
> 07/11 11:33:28.370505    llc
> 
> yet if I do
> 
> # ra -nr mpls-router.arg -s stime,proto -N 20 | head -20
>            StartTime  Proto
> 07/11 11:31:58.310204    llc
> #
> 
> I get one record ?
> 
> 	---Mike
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140723/6217e08c/attachment.sig>

More information about the argus mailing list