De-aggregating multiple MAC addresses in flows

Peter Van Epp via Argus-info argus-info at lists.andrew.cmu.edu
Thu Dec 31 17:31:23 EST 2015


On Thu, Dec 31, 2015 at 02:03:34PM -0500, Phillip Deneault via Argus-info wrote:
> Hello all,
> 
> I've been experimenting with using argus to debug firewall traffic
> patterns.  In my scenario, I have passive taps on either side of the
> firewall which have both sets of traffic aggregated into the same physical
> sniffing port.  That port has argus listening to it with MAC address data
> turned on (-m) and is generating flows to a file.  Both src and dst IPs lie
> in VLANs the firewall is moving files between.
> 
	Your scenario isn't odd, it's your capture method that is odd :-).
I expect that the MAC information is indeed lost (although you should wait
for Carter to confirm that) but there is a simple (if possibly not cheap)
solution: add one or two interfaces to your argus box (depending on duplex
and how your aggregator works) and have two argus instances, one reading each
side of the firewall. You can then compare the two argus output streams to
check that your firewall is doing what you expect and desire. You of course
will double the amount of data you are collecting and, depending on your line
rate, may in fact need a second argus box to handle the load, but that should
do what you want.

Peter Van Epp
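The comparison step suggested above, as an added example that is not part of this thread: two per-side argus outputs are assumed to have been exported with `ra` in comma-separated form (the column names used here are an assumption about ra's header labels; the flow records themselves are constructed). Flows are matched on the 5-tuple, which only works where the firewall does not NAT; a NAT device would need the key rewritten before matching.

```python
import csv
import io

# Constructed sample output in the shape "ra -c , -s stime saddr sport daddr dport proto"
# is assumed to print for each side of the firewall (values are made up for this example).
OUTSIDE_CSV = """\
StartTime,SrcAddr,Sport,DstAddr,Dport,Proto
1451586000.1,10.1.1.20,50123,10.2.2.80,80,tcp
1451586001.3,10.1.1.20,50124,10.2.2.80,23,tcp
1451586002.5,10.1.1.21,40000,10.2.2.53,53,udp
"""
INSIDE_CSV = """\
StartTime,SrcAddr,Sport,DstAddr,Dport,Proto
1451586000.2,10.1.1.20,50123,10.2.2.80,80,tcp
1451586002.6,10.1.1.21,40000,10.2.2.53,53,udp
1451586003.0,10.2.2.80,3306,10.2.2.99,3306,tcp
"""


def flow_keys(text):
    """Return the set of 5-tuples (proto, saddr, sport, daddr, dport) found in ra CSV output."""
    keys = set()
    for row in csv.DictReader(io.StringIO(text)):
        keys.add((row["Proto"], row["SrcAddr"], row["Sport"], row["DstAddr"], row["Dport"]))
    return keys


def compare_sides(outside_csv, inside_csv):
    """Diff the two capture points on the 5-tuple.

    passed      - seen on both sides: the firewall forwarded the flow
    dropped     - seen only outside: the firewall (or something else) did not forward it;
                  these are the entries to check against the intended policy
    inside_only - seen only inside: traffic that never reached the outside tap
    """
    outside = flow_keys(outside_csv)
    inside = flow_keys(inside_csv)
    return {
        "passed": sorted(outside & inside),
        "dropped": sorted(outside - inside),
        "inside_only": sorted(inside - outside),
    }


if __name__ == "__main__":
    for kind, flows in compare_sides(OUTSIDE_CSV, INSIDE_CSV).items():
        for key in flows:
            print(kind, *key)
```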


