ra filter of llc packets

[mike tancsa]

On 7/23/2014 3:42 PM, Carter Bullard wrote:
> Hey Mike,
> Since LLC is a Layer 2 protocol, you should be able to pick
> them up with:
>
>     ra — ether proto llc


>
> or reject them with:
>
>     ra - not ether proto llc


Hi Carter, no luck on the not ether proto  with 3.0.7.23

% ra -sstime,saddr -nr mpls-router.arg - not ether proto llc | head
                  StartTime            SrcAddr
2014/07/11 11:31:58.310204  00:04:28:c7:fe:50
2014/07/11 11:32:04.309024  00:04:28:c7:fe:50
2014/07/11 11:32:10.308252  00:04:28:c7:fe:50
2014/07/11 11:32:16.307877  00:04:28:c7:fe:50
2014/07/11 11:32:22.306741  00:04:28:c7:fe:50
2014/07/11 11:32:28.342169  00:04:28:c7:fe:50
2014/07/11 11:32:34.341274  00:04:28:c7:fe:50
2014/07/11 11:32:40.340494  00:04:28:c7:fe:50
2014/07/11 11:32:46.340141  00:04:28:c7:fe:50


>
> With regard to the -N option … What version are you running ???
> Could you try argus-clients-3.0.8.tar.gz which is on the dev server
> (if you’re not already using it ??).
>
>     http://qosient.com/argus/dev/argus-clients-latest.tar.gz

same deal with the latest

0(cage)# ra -sstime,proto -nr mpls-router.arg -N 10000
          StartTime  Proto
    11:31:58.310204    llc
0(cage)# ra -sstime,proto -nr mpls-router.arg | wc
   224177  448354 5828603
0(cage)#

However, with the the latest clients, the filter does work to get rid of 
the proto llc

0(cage)# ra -sstime,proto -nr mpls-router.arg - not ether proto llc | head
          StartTime  Proto
    11:32:49.762776    tcp
    11:32:55.237412    tcp
    11:33:03.847288    tcp
    11:33:48.139558    tcp
    11:33:55.237928    tcp
    11:34:40.356986    tcp
    11:34:55.238432    tcp
    11:35:29.512015    tcp
    11:35:55.238932    tcp
0(cage)#

	---Mike