Argus: ip proto usage

Carter Bullard carter at qosient.com
Thu Aug 21 10:42:00 EDT 2003


Hey Geoff,
   So what do you want to do with the data?
It may be that we have something close to what you
want already.

   I use ratop for real-time checks.  It basically
is ragator with a curses frontend.  If you have
any suggestions for improving it, just send mail.

   I have to fix a cisco netflow record reading
problem and then we're to release.

Hope all is well, down/up under/over!!

Carter



> -----Original Message-----
> From: Geoff Powell [mailto:geoff at lanrex.net.au]
> Sent: Thursday, August 21, 2003 6:11 AM
> To: argus-info at lists.andrew.cmu.edu
> Cc: carter at qosient.com
> Subject: RE: Argus: ip proto usage
>
>
> Hi Carter
>
> I am looking for a tcpdump formatted file from Argus flow data, I wasn't
> sure if that was possible - taking into consideration that Argus stores
> transaction records as opposed to packets, but I thought no harm in
> asking.
>
> Tcpdump output will allow me to utilize some other funky tools designed
> to parse that format (otherwise I would use ra).
>
> I've also had a look at the ratop utility, never knew it existed. I've
> found it to be quite useful - for example, processing a file containing
> Argus flows for one day's traffic is good for a manual check on the
> high users :-)
>
> The new racount binary is still working great, does this take Argus to
> version 2.0-7?
>
> Regards,
> Geoff
>
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> > info at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
> > Sent: Thursday, August 21, 2003 12:06 AM
> > To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> > Subject: RE: Argus: ip proto usage
> >
> > Hey Geoff,
> >    So, is it that you want to generate a tcpdump formatted
> > file from argus flow data, or do you want argus to generate
> > a tcpdump output file of the packets it receives?
> >
> > Carter
> >
> >
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > > Geoff Powell
> > > Sent: Wednesday, August 20, 2003 7:40 AM
> > > To: argus-info at lists.andrew.cmu.edu
> > > Cc: carter at qosient.com
> > > Subject: RE: Argus: ip proto usage
> > >
> > >
> > > Carter,
> > >
> > > After a few days of processing I haven't seen anything abnormal on my
> > > racount commands' output, I think you have successfully fixed the "ip
> > > proto" filter problem.
> > >
> > > I have another question however, is it possible to get a tcpdump style
> > > output from any Argus utilities?  If not, is the data Argus stores in
> > > its transaction records enough to produce this type of raw output?
> > >
> > > Thanks again
> > >
> > > Geoff
> > >
> > > > -----Original Message-----
> > > > From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> > > > info at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
> > > > Sent: Monday, August 18, 2003 10:08 AM
> > > > To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> > > > Subject: RE: Argus: ip proto usage
> > > >
> > > > Hey Geoff,
> > > >    There could easily be a bug, so we'll have to dig just a
> > > > bit, but first, what does '1.2.3.4/56' mean?  That is not
> > > > a real CIDR address, so I'm not sure what it will do, but
> > > > I'll check later tonight.  Have you tried this with a correct
> > > > CIDR address to see if it changes things?
> > > >
> > > >    The mask bit length should be less than 32.
> > > >
> > > > Carter
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-argus-info at lists.andrew.cmu.edu
> > > > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > > > > Geoff Powell
> > > > > Sent: Saturday, August 16, 2003 9:52 AM
> > > > > To: argus-info at lists.andrew.cmu.edu
> > > > > Subject: Argus: ip proto usage
> > > > >
> > > > >
> > > > > Hi all
> > > > >
> > > > > I've been using Argus server and the ra utilities for a few months, I
> > > > > have found the application to be reasonably stable and useful, it's
> > > > > pretty good so thanks to the authors and maintainers.
> > > > >
> > > > > I have a few questions, hopefully someone has the answers
> > > > >
> > > > > I use racount to grasp traffic usage on different IP protocols and
> > > > > ports. For example, to find the usage for tcp port 80 for host 1.2.3.4
> > > > > I might use the following two commands
> > > > >
> > > > > racount -n -r datafile.out - tcp and src net 1.2.3.4/56 and port 80
> > > > > racount -n -r datafile.out - tcp and dst net 1.2.3.4/56 and port 80
> > > > >
> > > > >
> > > > > However, when I use the same method to get usage for IPSec (udp port
> > > > > 500, also utilizes ip protocols 50 and 51), using the following
> > > > > commands
> > > > >
> > > > > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > > > > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > > > > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > > > > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > > > > racount -n -r datafile.out - udp and port 500 and dst 1.2.3.4/56
> > > > > racount -n -r datafile.out - udp and port 500 and src net 1.2.3.4/56
> > > > > I have noticed that the above filters yield incorrect results. The
> > > > > first command, if piped to a file using ra instead of racount, shows
> > > > > any IP transaction that is not tcp, udp or icmp. So, in my file for
> > > > > that one command I see 47, 50 and 51. Hence, when using racount and
> > > > > the same filter, incorrect byte counts are returned.
> > > > >
> > > > > Moreover, the following two commands produce the same output, which
> > > > > is incorrect.
> > > > >
> > > > > (I have RA_PRINT_SUMMARY=no)
> > > > >
> > > > > # racount -r data.out - ip proto 2987212 and not tcp and not udp and not icmp
> > > > > racount    records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
> > > > >     sum        808      101170     50616     50554     21254862    7194035   14060827
> > > > >
> > > > > # racount -r data.out - ip proto 1 and not tcp and not udp and not icmp
> > > > > racount    records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
> > > > >     sum        808      101170     50616     50554     21254862    7194035   14060827
> > > > >
> > > > > The ra documentation reads as follows:
> > > > >
> > > > > ip proto protocol
> > > > > True if the Argus record is an ip transaction (see ip(4P)) of protocol
> > > > > type protocol.  Protocol can be a number or any of the string values
> > > > > found in /etc/protocols
> > > > >
> > > > > "2987212" is certainly not in my /etc/protocols :-)
> > > > >
> > > > > Am I doing something wrong, or is this a bug in the application?
> > > > >
> > > > > # rpm -q argus
> > > > > argus-2.0-4
> > > > >
> > > > > Linux 2.4.19, Red Hat Linux release 7.3 (Valhalla)
> > > > >
> > > > > Any help much appreciated, I hope what I'm saying makes sense.
> > > > >
> > > > > Thanks in advance
> > > > >
> > > > > Regards,
> > > > > Geoff (geoff at lanrex.net.au)
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> >
>
>
>
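The filter semantics Geoff quotes from the ra documentation, carried through as an added example in Python. This is illustration code written for this page, not part of Argus or its ra clients, and every flow record in it is constructed. It applies "ip proto", "src net" and "port" the way the quoted documentation describes them, sums the columns racount prints, and rejects the two arguments the thread shows causing trouble, "ip proto 2987212" and the mask "1.2.3.4/56", instead of matching an undefined set of records. The non_tcp_udp_icmp function reproduces the record set Geoff saw (protocols 47, 50 and 51) when only the "not tcp and not udp and not icmp" terms take effect.

```python
# Reference evaluator for ra/racount-style filters over Argus-like flow records.
# Illustration code added to this page, not Argus source; FLOWS is constructed data
# and PROTOCOLS is the subset of /etc/protocols the thread mentions.
import ipaddress
from collections import namedtuple

PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# One bidirectional transaction record; ports are 0 when the protocol has none.
Flow = namedtuple("Flow", "proto saddr daddr sport dport spkts dpkts sbytes dbytes")


def parse_proto(value):
    """'ip proto <protocol>': a number 0..255 or a name from /etc/protocols."""
    if value.isdigit():
        if int(value) <= 255:
            return int(value)
        raise ValueError(f"ip proto {value}: IP protocol numbers are 0..255")
    if value.lower() in PROTOCOLS:
        return PROTOCOLS[value.lower()]
    raise ValueError(f"ip proto {value}: not a number and not in /etc/protocols")


def parse_net(value):
    """'net <addr>/<len>': ipaddress refuses an IPv4 prefix longer than 32 bits."""
    return ipaddress.ip_network(value, strict=False)


def rejects(parser, value):
    """True when the parser refuses the argument instead of guessing a meaning."""
    try:
        parser(value)
    except ValueError:
        return True
    return False


# Predicate constructors mirroring the filter keywords.
def ip_proto(value):
    number = parse_proto(value)
    return lambda f: f.proto == number

def src_net(value):
    net = parse_net(value)
    return lambda f: ipaddress.ip_address(f.saddr) in net

def port(number):
    return lambda f: f.proto in (6, 17) and number in (f.sport, f.dport)

def not_(pred):
    return lambda f: not pred(f)

def and_(*preds):
    return lambda f: all(p(f) for p in preds)


def racount(flows, pred):
    """Sum the columns racount prints over the records the filter selects."""
    hit = [f for f in flows if pred(f)]
    spkts, dpkts = sum(f.spkts for f in hit), sum(f.dpkts for f in hit)
    sbytes, dbytes = sum(f.sbytes for f in hit), sum(f.dbytes for f in hit)
    return {"records": len(hit),
            "total_pkts": spkts + dpkts, "src_pkts": spkts, "dst_pkts": dpkts,
            "total_bytes": sbytes + dbytes, "src_bytes": sbytes, "dst_bytes": dbytes}


# Constructed sample: a VPN peer at 1.2.3.4 talking to 10.0.0.9.
FLOWS = [
    Flow(6,  "1.2.3.4",  "10.0.0.9", 40001,  80, 12, 10, 1800, 9000),  # tcp/80
    Flow(17, "1.2.3.4",  "10.0.0.9",   500, 500,  4,  4, 1200, 1200),  # isakmp
    Flow(50, "1.2.3.4",  "10.0.0.9",     0,   0, 30, 28, 4500, 4200),  # esp
    Flow(51, "1.2.3.4",  "10.0.0.9",     0,   0,  3,  3,  300,  300),  # ah
    Flow(47, "10.0.0.9", "1.2.3.4",      0,   0,  5,  5,  600,  600),  # gre, reverse direction
    Flow(1,  "1.2.3.4",  "10.0.0.9",     0,   0,  2,  2,  200,  200),  # icmp
]

NOT_TCP_UDP_ICMP = and_(not_(ip_proto("tcp")), not_(ip_proto("udp")), not_(ip_proto("icmp")))


def esp_from_net(flows, cidr="1.2.3.0/24"):
    """'ip proto 50 and not tcp and not udp and not icmp and src net <cidr>'."""
    return racount(flows, and_(ip_proto("50"), NOT_TCP_UDP_ICMP, src_net(cidr)))


def web_from_net(flows, cidr="1.2.3.0/24"):
    """'tcp and src net <cidr> and port 80'."""
    return racount(flows, and_(ip_proto("tcp"), src_net(cidr), port(80)))


def non_tcp_udp_icmp(flows):
    """Only the 'not tcp and not udp and not icmp' terms: every other protocol."""
    return racount(flows, NOT_TCP_UDP_ICMP)


if __name__ == "__main__":
    for name, result in (("esp", esp_from_net(FLOWS)), ("web", web_from_net(FLOWS)),
                         ("rest", non_tcp_udp_icmp(FLOWS))):
        print(name, result)
    print("ip proto 2987212 rejected:", rejects(parse_proto, "2987212"))
    print("src net 1.2.3.4/56 rejected:", rejects(parse_net, "1.2.3.4/56"))
```

With these records the ESP filter selects exactly one flow (58 packets, 8700 bytes), while the three "not" terms on their own select the GRE, ESP and AH records, which is the 47/50/51 set Geoff reported from ra. A protocol argument outside 0..255 and an IPv4 mask longer than 32 bits are both refused up front, so a typo in the filter fails loudly rather than producing the identical totals shown for "ip proto 2987212" and "ip proto 1".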