FW: Flows not being constructed as expected

Tue Feb 9 18:34:42 EST 2016

Adding the list – For some reason reply to all is not including the list :(

--Dave

From: David Edelman [mailto:dedelman at iname.com] 
Sent: Tuesday, February 9, 2016 6:31 PM
To: 'Matt Brown' <matthewbrown at gmail.com>
Subject: RE: [ARGUS] Flows not being constructed as expected

If you have the packet capture file you can ingest that with argus to produce a flow file so that the experiment is repeatable. I have a standard set of command line parameters that I use for slurping up pcap files:

  argus –X –A –Z –R –J –U 2048 –w theOutputFileName –r the InputFile.pcap 

It’s probably overkill but the leading –X ensures that there is nothing in a configuration file that is eating your lunch (or your ICMP)

I’d then run the output file through ra using a very vanilla set of parameters:

                ra –X –r theOutputFileName – icmp and host x.y.z.q

Post the results and we might be able to help 

--Dave

From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Matt Brown via Argus-info
Sent: Tuesday, February 9, 2016 5:55 PM
To: argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu> 
Subject: [ARGUS] Flows not being constructed as expected

Hello all,

I'm using cisco switches to mirror packets by vlan as follows:

monitor session 2 source vlan 1 , 5 - 8 , 10
monitor session 2 filter packet-type good rx
monitor session 2 destination interface Gi4/21

When comparing output of `tcpdump` with `ra -S 127.0.0.1:561 <http://127.0.0.1:561>   -- icmp and host [my host]`, I do not see flows constructed for pings as expected (or at all :) ).

This is the first time I've ingested vlan encapped data into argus and was wondering if I need to adjust some additional settings that I may have missed?

Thanks,

Matt

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160209/e151b2b9/attachment.html>