[ARGUS] argus-2.0.6 released!!!
Carter Bullard
carter at qosient.com
Wed May 5 23:48:07 EDT 2004
Hey Steve,
I'm cool with all you've suggested. And don't worry, I know
that there is still a lot of work to do on what we have, much
less on what is still to be done.
I would suggest a few changes at first, so that you don't
get tooooo far down the path without a sanity check, although
I'm sure that the effort will be well done.
Carter
-----Original Message-----
From: Steve McInerney [mailto:spm at healthinsite.gov.au]
Sent: Wednesday, May 05, 2004 11:10 PM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] argus-2.0.6 released!!!
My 2c?
Both. ;-)
Certainly not _every_ example, but perhaps the more useful ways in which
argus can be done. Perhaps I've chosen poor examples, but, personally,
I'd love to see more examples. The raw reference is great, but actually
seeing a working command is, for myself anyway, extremely useful.
I personally use man pages in exactly this way - I want to do X; Is
there an example of X or perhaps X' that I can modify.
There are also some non obvious gotcha's etc to new users about the
"best" way of driving the tools.
Hence, I'd be very keen to leave the reference to ragator somewhere
obvious in the ra man page. Mainly as it makes such a HUGE difference to
the speed of multiple queries.
We tend to use argus here for troubleshooting with occaisional usage for
auditing; so the end query is typically refined over multiple iterations
to single down to the "funky" stuff.
There is another issue here as well: too much docco is prune-able :-)
I just had another look at the faq and agree it does need a bit of work
(No criticism intended! :-) ). How about I do some changes to that over
the next few days or so and see how we go from there?
Would you prefer a dribble of little changes (a day's worth or so) or a
monster single one after a week or so?
We could probably also expand the HOWTO a bit as well.
I'm positive that there is crossover between all three documents; some
duplication is probably going to be a Good Thing(tm).
????
- Steve
Carter Bullard wrote:
> Hey Steve,
> Should these be in the man page or in the FAQ, or both?
> I'm for brevity, so some examples in the man page to get
> one started, but if we put every example in the man page
> then it gets too huge (need to have every example?).
> That's my opinion, but I do bend to the crowd, so opinions,
> attitude, flames, suggestions, reactions, reflections are
> all welcome here!!!!!
>
> I'll hold off adding this to the man page until we get
> some responses.
>
> The FAQ needs work, so why don't we do something with it?
>
> Carter
>
>
>
> -----Original Message-----
> From: Steve McInerney [mailto:spm at healthinsite.gov.au]
> Sent: Wednesday, May 05, 2004 7:30 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] argus-2.0.6 released!!!
>
> Man pages eh?
>
> The below patch is one I've just written up from my recent Q about
> finding non-returning TCP connections.
>
> I've also added a quick line at the top in the Description about how
> using ragator might be a "Good Thing(tm)".
> FWIW, I'm a strong believer in copious examples; so I'd like to dig out
> some of the common and not so common regular "queries" we run internally
> for submission and add those - if agreeable?
>
> All errors are now Carter's problem ;-)
>
>
> HTH?
>
>
> - Steve
>
> applied against: argus-clients-2.0.6/man/man1/ra.1
>
> 13c13
> < .TH RA 1 "12 November 2000" "ra 2.0"
> ---
> > .TH RA 1 "06 May 2004" "ra 2.0.6"
> 17c17
> < Copyright (c) 2000-2003 QoSient. All rights reserved.
> ---
> > Copyright (c) 2000-2004 QoSient. All rights reserved.
> 35a36,41
> > It is frequently useful to first parse an \fIargus-file\fP through
> > .BR ragator(8)
> > to speed up later ra queries.
> > .BR ragator(8)
> > combines all the records about a given flow into a single record.
> > .LP
> 527a534,549
> > .LP
> > To report all TCP HTTP transactions from and to host 'narly.wave.com',
> > reading transaction data from \fIargus-file\fP argus.data:
> > .RS
> > .nf
> > \fBra -r argus.data - tcp and port http and host narly.wave.com\fP
> > .fi
> > .RE
> > .LP
> > To report all TCP HTTP transactions to host 'narly.wave.com' that did
not
> > receive any returned data, reading transaction data from
> \fIargus-file\fP argus.data:
> > .RS
> > .nf
> > \fBra -r argus.data - tcp and port http and syn and not synack and
> host narly.wave.com\fP
> > .fi
> > .RE
>
>
>
>
> Carter Bullard wrote:
>
>>Ok, finally 2.0.6 is released, and I have to thank everyone
>>that helped to fix the problems, and of course thanks to
>>everyone for there amazing patience. Web site is updated,
>>which means that a billion bugs have just been spontaneously
>>generated and will emerge from the rocks, but that is of
>>course the nature of this beast.
>>
>>Next step is to work on the clients. Please take a look at the
>>argus-clients-2.0.6.tar.gz so we can beef it up a bit, including
>>man pages (I know, ....., even the documentation) and the like.
>>
>>Hope all is well, and that argus continues to be helpful!!!!
>>
>>Carter
>>
>>
>>
>
>
>
>
More information about the argus
mailing list