Very basic query... MAC address
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Aug 30 19:01:09 EDT 2016
Hey Muneer,
You have to turn on Ethernet address capture, either on the command line or in the argus.conf file. Try -m on the command line.
Carter
Carter Bullard • CTO
150 E 57th Street Suite 12D
New York, New York 10022-2795
Phone +1.212.588.9133 • Mobile +1.917.497.9494
> On Aug 30, 2016, at 5:05 PM, Noman Muneer via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> Hi Dave/Carter/Argus list,
>
> Apologies for responding a while after the initial query... It took a while to hook the box to the span port, and thus a while for me to get my hands on the data flow.
>
> Recap: I am trying to pull the source MAC address from the traffic going from our Aruba controller to the internet... I can see the traffic; however, I am not yet able to pull the source MAC address. This is what I have done so far:
>
> argus -X -d -m -i eth0 -P 561
>
> and then : ra -S localhost:561 -s stime daddr saddr smac
>
> The above did not give me the source MAC address... I can see the stime, daddr, and saddr... but no MAC address. I tried ratop -S localhost:561 too... it gives me all the other data but the MAC address.
>
> Please find below the output for ra -S localhost:561 -N 20 -s +smac +dmac -L0
>
> <image.png>
>
> ... any help you are able to offer will be most appreciated. I am currently trying Carter's recommendations and will follow up if I see a different outcome.
>
> Many thanks in advance.
>
> Kind Regards,
> Muneer
>
>
>> On Thu, May 12, 2016 at 6:23 PM, David Edelman <dedelman at iname.com> wrote:
>> This should work unless there is some conflict with the argus.conf file. I suggest that you use this command line
>>
>> argus -X -d -m -i dup:eth0,eth1 -P 561
>>
>> The -X must be the first parameter.
>>
>> I expect that you are using something like ra -S localhost:561 -s stime daddr saddr smac to display the output.
>>
>> Just a side note: you are not capturing NetFlow data but network flow data. NetFlow is a Cisco protocol that would not have any MAC information. The smac and dmac fields are used to show the source and destination interface numbers for the NetFlow-derived flows.
>>
>> If none of this works, please post the output of this command
>>
>> ra -S localhost:561 -N 20 -s +smac +dmac -L0
>>
>>
>> --Dave
>>
>> From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Noman Muneer via Argus-info
>> Sent: Thursday, May 12, 2016 4:37 PM
>> To: Argus <argus-info at lists.andrew.cmu.edu>
>> Subject: Re: [ARGUS] Very basic query... MAC address
>>
>> Hi,
>>
>> A little information on what I am trying to do.
>>
>> My organization has Aruba controllers; however, we do not have the ability to log the traffic. I will be placing a TAP in front of the Aruba controller and running Argus on a box to capture netflow data. I would like to capture the time, dst_ip, src_ip, and MAC address of the src device. I have been able to capture all the data except for the MAC address on a test setup.
>>
>> The command I am using is as follows:
>>
>> argus -d -m -i dup:eth0,eth1 -P 561
>>
>> Am I doing something wrong? Or is my concept out-of-whack, so to speak?
>>
>> Any feedback/guidance will be most appreciated indeed.
>>
>> Thank you.
>>
>> Kind Regards,
>>
>> Noman Muneer
>>
>
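The symptom in this thread is ra output that has stime, saddr and daddr populated but an empty smac column, which is what you get when argus was started without -m. Below is an added example (not Argus project code and not from anyone on the list) that reads delimited ra output, flags that symptom, and builds the per-source-IP MAC list Muneer was after. It assumes ra was run with `-c ,` so the fields are comma-separated and that the header line uses ra's column names (StartTime, SrcAddr, DstAddr, SrcMac, DstMac); the two record sets are constructed, not captured traffic, and the MAC values in them are made up.

```python
"""Check ra(1) output for Ethernet addresses and map source IPs to source MACs.

Added example for this thread; not Argus project code. Assumes the records
were produced by something like

    ra -S localhost:561 -c , -s stime saddr daddr smac dmac

with `-c ,` selecting a comma delimiter and the first line being ra's column
header (assumed names below). All records here are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed: what the thread describes, argus started without -m,
# so SrcMac/DstMac are empty on every record.
RA_OUTPUT_NO_MAC = """\
StartTime,SrcAddr,DstAddr,SrcMac,DstMac
16:58:01.123456,10.1.20.15,93.184.216.34,,
16:58:01.554321,10.1.20.27,151.101.1.69,,
"""

# Constructed: the same flows after restarting argus with -m
# (or the equivalent Ethernet capture setting in argus.conf).
# MAC values are made up.
RA_OUTPUT_WITH_MAC = """\
StartTime,SrcAddr,DstAddr,SrcMac,DstMac
16:58:01.123456,10.1.20.15,93.184.216.34,a4:5e:60:11:22:33,00:0b:86:aa:bb:cc
16:58:01.554321,10.1.20.27,151.101.1.69,3c:22:fb:44:55:66,00:0b:86:aa:bb:cc
16:58:02.000001,10.1.20.15,172.217.14.78,a4:5e:60:11:22:33,00:0b:86:aa:bb:cc
"""


def parse_ra_csv(text):
    """Parse comma-delimited ra output into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def mac_capture_enabled(records):
    """True if at least one record carries a source or destination MAC.

    Empty SrcMac and DstMac on every record is the symptom from the thread:
    argus was not started with -m, so no Ethernet data is in the records.
    """
    return any(r.get("SrcMac") or r.get("DstMac") for r in records)


def source_macs(records):
    """Map each source IP to the set of source MACs seen for it.

    More than one MAC per IP usually means DHCP address reuse, or a router
    or controller MAC sitting in front of the real client; with the sensor
    upstream of a wireless controller, as in the thread, the latter is
    exactly what to check for.
    """
    by_ip = defaultdict(set)
    for r in records:
        if r.get("SrcMac"):
            by_ip[r["SrcAddr"]].add(r["SrcMac"])
    return dict(by_ip)


if __name__ == "__main__":
    for label, text in (("without -m", RA_OUTPUT_NO_MAC),
                        ("with -m", RA_OUTPUT_WITH_MAC)):
        recs = parse_ra_csv(text)
        print(f"{label}: MAC data present = {mac_capture_enabled(recs)}")
        for ip, macs in sorted(source_macs(recs).items()):
            print(f"  {ip} -> {', '.join(sorted(macs))}")
```

Run it as-is to see the two cases side by side; to use it on a live sensor, pipe `ra -S localhost:561 -c , -s stime saddr daddr smac dmac` into `parse_ra_csv`. If `mac_capture_enabled` comes back False on real output, check the argus command line for -m before looking anywhere else.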