Very basic query... MAC address

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Tue Aug 30 21:26:23 EDT 2016


Hey Muneer,
I looked at your email again and realized that you did use the -m in your command.  Sorry for the bogus suggestion.   So ... , a few things to check ... what version of argus and clients are you using, and can you capture some packets to a pcap file, to see if you can replicate the problem.  You can run argus against the pcap file, and generate the data that we can then test.  It is possible that the headers may not be as you expect.

Carter

> On Aug 30, 2016, at 7:01 PM, Carter Bullard via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hey Muneer,
> You have to turn on ethernet address capture, either on the command line or in the argus.conf file.   Try -m on the command line.
> Carter
> 
>> Hi Dave/Carter/Argus list,
>> 
>> Apologies for responding a while after the initial query... It took a while to hook the box to the span port thus a while for me to get my hands on the data flow.
>> 
>> Recap : I am trying to pull the source mac address from the traffic going from our aruba controller to the internet... I can see the traffic however I am not yet able to pull the source mac address. This is what I have done so far:
>> 
>> argus -X -d -m -i eth0 -P 561
>> 
>> and then : ra -S localhost:561 -s stime daddr saddr smac
>> 
>> The above did not give me the source mac address... I can see the stime, daddr, and saddr... but no MAC address. I tried ratop -S localhost:561 too... gives me all the other data but the mac address.
>> 
>> Please find below the output for ra -S localhost:561 -N 20 -s +smac +dmac -L0
>> 
>> <image.png>
>> 
>> ... any help you are able to offer will be most appreciated. I am currently trying Carter's recommendations and will follow up if I see a different outcome.
>> 
>> Many thanks in advance.
>> 
>> Kind Regards,
>> Muneer
>> 
>> 
>>> On Thu, May 12, 2016 at 6:23 PM, David Edelman <dedelman at iname.com> wrote:
>>> This should work unless there is some conflict with the argus.conf file. I suggest that you use this command line
>>> 
>>> argus  -X -d -m -i dup:eth0,eth1 -P 561
>>> 
>>> The -X must be the first parameter.
>>> 
>>> I expect that you are using something like ra -S localhost:561 -s stime daddr saddr smac to display the output.
>>> 
>>> Just a side note, you are not capturing netflow data but network flow data. Netflow is a Cisco protocol that would not have any MAC information. The smac and dmac fields are used to show the source and destination interface numbers for the netflow derived flows.
>>> 
>>> If none of this works, please post the output of this command
>>> 
>>> ra -S localhost:561 -N 20 -s +smac +dmac -L0
>>> 
>>> --Dave
>>> 
>>> From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Noman Muneer via Argus-info
>>> Sent: Thursday, May 12, 2016 4:37 PM
>>> To: Argus <argus-info at lists.andrew.cmu.edu>
>>> Subject: Re: [ARGUS] Very basic query... MAC address
>>> 
>>> Hi,
>>> 
>>> A little information on what I am trying to do.
>>> 
>>> My organization has Aruba controllers however we do not have the ability to log the traffic. I will be placing a TAP in front of the Aruba controller and running Argus on a box to capture netflow data. I would like to capture the time, dst_ip, src_ip, and MAC address of src device. I have been able to capture all the data except for the MAC address on a test setup.
>>> 
>>> The command I am using is as follows:
>>> 
>>> argus -d -m -i dup:eth0,eth1 -P 561
>>> 
>>> Am I doing something wrong? Or is my concept out-of-whack, so to speak?
>>> 
>>> Any feedback/guidance will be most appreciated indeed.
>>> 
>>> Thank you.
>>> 
>>> Kind Regards,
>>> 
>>> Noman Muneer
>>> 
>> 
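Carter's last suggestion in this thread is to capture the span-port traffic to a pcap file and check that the frames actually carry the Ethernet headers argus expects before blaming argus or ra. The script below is an added example, not code from the argus project or from anyone in the thread: it reads a classic libpcap file with only the standard library, reports the link-layer type, and for Ethernet captures lists the source and destination MAC of every frame, stepping over an 802.1Q VLAN tag where present (a span from a controller often delivers tagged frames). A capture whose link type is not Ethernet (for example Linux cooked capture, link type 113) has no MAC addresses at all, which is one plausible reason smac would stay empty. pcapng files, the MAC addresses in the sample and the timestamps are all assumptions of this example; `build_sample_pcap()` constructs an in-memory capture so the script runs offline.

```python
"""Check whether a pcap carries Ethernet (MAC) headers and list the
source/destination MAC per frame, handling 802.1Q VLAN tags.

Added example, not argus project code. Assumes a classic libpcap file
(pcapng is not handled) and only inspects link-layer headers.
"""
import struct

LINKTYPE_ETHERNET = 1      # DLT_EN10MB: frame begins with dst MAC, src MAC, ethertype
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag inserted after the MAC pair
ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4


def parse_pcap(data):
    """Yield (linktype, frame_bytes) for each record of a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"                     # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"                     # same magic, big-endian writer
    else:
        raise ValueError("not a classic pcap file (unexpected magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24                             # end of the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ethernet_addrs(frame):
    """Return (smac, dmac, ethertype, vlan_id) for one Ethernet frame; vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dmac, smac = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = None
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF              # low 12 bits of the TCI are the VLAN id
        ethertype = struct.unpack("!H", frame[16:18])[0]
    return smac, dmac, ethertype, vlan


def summarize(data):
    """One dict per frame; frames from a non-Ethernet capture get smac/dmac = None."""
    out = []
    for linktype, frame in parse_pcap(data):
        if linktype != LINKTYPE_ETHERNET:
            out.append({"linktype": linktype, "smac": None, "dmac": None})
            continue
        smac, dmac, etype, vlan = ethernet_addrs(frame)
        out.append({"linktype": linktype, "smac": smac, "dmac": dmac,
                    "ethertype": etype, "vlan": vlan})
    return out


def build_sample_pcap(linktype=LINKTYPE_ETHERNET):
    """Constructed sample capture (addresses made up for this example):
    two frames to the same gateway MAC, the second tagged for VLAN 100."""
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    dmac = bytes.fromhex("001122334455")
    payload = bytes(20)                  # stands in for an IPv4 header; not parsed here
    frame1 = dmac + bytes.fromhex("aabbccddee01") + struct.pack("!H", ETHERTYPE_IPV4) + payload
    frame2 = (dmac + bytes.fromhex("aabbccddee02")
              + struct.pack("!HH", ETHERTYPE_VLAN, 100)   # TCI: PCP 0, DEI 0, VID 100
              + struct.pack("!H", ETHERTYPE_IPV4) + payload)
    records = b"".join(struct.pack("<IIII", 1472590800 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate((frame1, frame2)))
    return gh + records


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for rec in summarize(data):
        if rec["smac"] is None:
            print(f"linktype {rec['linktype']}: no Ethernet header, argus cannot report smac/dmac")
        else:
            print(f"smac={rec['smac']} dmac={rec['dmac']} ethertype=0x{rec['ethertype']:04x} vlan={rec['vlan']}")
```

Run it with the pcap captured on the span port as the first argument; if every frame shows the same smac (the controller's uplink) the source MAC of the client simply is not on the wire at that tap point, and if the link type is not 1 the capture never had Ethernet headers to begin with.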