ra filter of llc packets

Carter Bullard carter at qosient.com
Wed Jul 23 17:24:26 EDT 2014 

Hey Mike,
Glad to see that 3.0.8 is working on the ‘ether proto llc’.

So very weird on the -N option though, works on all systems here
using argus-clients-3.0.8.

What system are you on, 32-bit ???  64-bit ??? Do you have a .rarc file ???

So can we try some test ???  How do these uses of -N work for you ??

   ra -s +0rank -r file -N 5
   ra -s +0rank -r file -N 0-5
   ra -s +0rank -r file -N 5-10

   ra -s +0rank -r file -N i5
   ra -s +0rank -r file -N o5-10

   ra -s +0rank -r file -N i0-10 -N o5-8

Carter

On Jul 23, 2014, at 4:53 PM, mike tancsa <mike at sentex.ca> wrote:

> On 7/23/2014 3:42 PM, Carter Bullard wrote:
>> Hey Mike,
>> Since LLC is a Layer 2 protocol, you should be able to pick
>> them up with:
>> 
>>    ra — ether proto llc
> 
> 
>> 
>> or reject them with:
>> 
>>    ra - not ether proto llc
> 
> 
> Hi Carter, no luck on the not ether proto  with 3.0.7.23
> 
> % ra -sstime,saddr -nr mpls-router.arg - not ether proto llc | head
>                 StartTime            SrcAddr
> 2014/07/11 11:31:58.310204  00:04:28:c7:fe:50
> 2014/07/11 11:32:04.309024  00:04:28:c7:fe:50
> 2014/07/11 11:32:10.308252  00:04:28:c7:fe:50
> 2014/07/11 11:32:16.307877  00:04:28:c7:fe:50
> 2014/07/11 11:32:22.306741  00:04:28:c7:fe:50
> 2014/07/11 11:32:28.342169  00:04:28:c7:fe:50
> 2014/07/11 11:32:34.341274  00:04:28:c7:fe:50
> 2014/07/11 11:32:40.340494  00:04:28:c7:fe:50
> 2014/07/11 11:32:46.340141  00:04:28:c7:fe:50
> 
> 
>> 
>> With regard to the -N option … What version are you running ???
>> Could you try argus-clients-3.0.8.tar.gz which is on the dev server
>> (if you’re not already using it ??).
>> 
>>    http://qosient.com/argus/dev/argus-clients-latest.tar.gz
> 
> same deal with the latest
> 
> 0(cage)# ra -sstime,proto -nr mpls-router.arg -N 10000
>         StartTime  Proto
>   11:31:58.310204    llc
> 0(cage)# ra -sstime,proto -nr mpls-router.arg | wc
>  224177  448354 5828603
> 0(cage)#
> 
> However, with the the latest clients, the filter does work to get rid of the proto llc
> 
> 0(cage)# ra -sstime,proto -nr mpls-router.arg - not ether proto llc | head
>         StartTime  Proto
>   11:32:49.762776    tcp
>   11:32:55.237412    tcp
>   11:33:03.847288    tcp
>   11:33:48.139558    tcp
>   11:33:55.237928    tcp
>   11:34:40.356986    tcp
>   11:34:55.238432    tcp
>   11:35:29.512015    tcp
>   11:35:55.238932    tcp
> 0(cage)#
> 
> 	---Mike
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140723/a45cf5df/attachment.sig>

More information about the argus mailing list