[ARGUS] RE:

Glenn MacGregor gtm at highstreetnetworks.com
Thu May 13 16:35:21 EDT 2004 

Carter,

Not sure if it is giving incorrect data, just trying to interpert the 
XML data I have. I run the following command:

ramon -M hostsvc -unnnr argus.out -w - | raxml -unnnr - > services.xml
ramon -M matrix -unnnr argus.out -w - | raxml -unnnr - > talkers.xml
ramon -M topn -unnnr argus.out -w - | raxml -unnnr - > hosts.xml

This produces 3 xml files which I process. I want to look at the 
hosts.xml for instance and get the host producing the most traffic then 
go to the talkers.xml and see who that host is talking to, then go the 
services.xml and see what they are talking about. I know this seems like 
a lot of work, why not just do it all with the output or ra. I thought 
this would produce 3 'tables' which would be much smaller than the 1 ra 
'table'.

But anyway when I am looking at the hosts.xml I see source address (no 
ports, ro dest address, which is expected). So on a record that has a 
source address of 192.168.0.100 what is the source bytes column, bytes 
going into the source or leaving the source?

    Glenn

Carter Bullard wrote:
> Hey Glen,
> No, even argus will generate only one record for the
> complete bi-directional conversation, assuming that
> it's a pretty normal http request.
> 
>     192.168.0.100.35067 -> www.goole.com.80
> 
> if you're getting (192.168.55, 80), are you sure
> that this host isn't acting as a web server for someone?
> 
> if you think that ramon is giving you erroneous data,
> try to find out if the original argus data doesn't
> explain the output.
> 
> use ra to find a record that has this address,port pair
> as a part of the data:
> 
>    ra -r file - \(src host 192.168.0.100 and src port 80\) or
>                 \(dst host 192.168.0.100 and dst port 80\)
> 
> that should find something if ramon is reporting the address
> and that port as a pair.
> 
> Carter
> 
> 
> 
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
> Sent: Thursday, May 13, 2004 6:49 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject:
> 
> Hi All,
> 
> I am using ramon -M hostsvc to figure out what services are running on my
> network. I thought this would be what I wanted but it seems the info I get
> is
> actually the client ip and destination port. So I see 192.168.0.55 80, this
> tells me that 192.168.0.55 is going to port 80 somewhere. Is there an ramon
> (or
> someother ra*) command that will tell me the destination address and
> destination
> port. I want this so I can see all the services in my network, and what
> servers
> provide those services.
> 
> Also ragator, I have read the amn page but am still unclear on the purpose.
> How
> does it merge records? If I hit a website:
> 
> SrcIP            DstIP            SPort   DPort
> 192.168.0.100    www.google.com   35067   80
> 
> and it responds:
> 
> SrcIP            DstIP           SPort   DPort
> www.google.com   192.168.0.100   80(?)   35067
> 
> With ra I will see 2 records, correct? Will ragator merge these two records
> into
> one?
> 
>    Thanks
> 
>      Glenn
> 
> Glenn MacGregor
> HighStreet Networks
> 
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> 
> 
>

More information about the argus mailing list