oddities with ramon

Harry Hoffman hhoffman at ip-solutions.net
Tue Apr 5 09:26:32 EDT 2005 

Hi Russell,

Yep, I am running ramon in both cases. Hmm, it was late last night and I 
didn't include any system info...

System:  FreeBSD my.box.com 4.11-STABLE FreeBSD 4.11-STABLE #0: Thu Mar 
24 13:16:19 EST 2005     root at my.box.com:/usr/obj/usr/src/sys/ANYA  i386
Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/sbin/tcpdump 
/usr/bin/make /usr/local/bin/gmake /usr/bin/gcc /usr/bin/cc

ARGUS:   Argus Version 2.0.6.fixes.1
RA:      Ra Version 2.0.6.fixes.1
TCPDUMP: tcpdump version 3.7.2 libpcap version 0.7

GCC:     Using builtin specs.
gcc version 2.95.4 20020320 [FreeBSD]

LIBC:
-r--r--r--  1 root  wheel  1231856 Mar 24 13:46 /usr/lib/libc.a
lrwxr-xr-x  1 root  wheel  9 Mar 24 13:46 /usr/lib/libc.so -> libc.so.4
lrwxr-xr-x  1 root  wheel  7 Mar 31  2004 /usr/lib/libc.so.3 -> libc.so
-r--r--r--  1 root  wheel  583024 Mar 24 13:46 /usr/lib/libc.so.4


IP's changed to protect the innocent (well, given the amount of traffic 
they are probably guilty ;-)

Me thinks I'm missing something I just don't know what... here's the 
output though:

bash-2.05b# ramon -M TopN -N 10 -nnnr /dump/argus/argus.out
05 Apr 05 08:59:16   xxx.xxx.xxx.202 697494   800239    47192963 
74158743
05 Apr 05 08:59:28    xxx.xxx.xxx.23 645393   832223    43135650 
839286414
05 Apr 05 08:59:23     xxx.xxx.xxx.186 761083   429429    1143514968 
24351282
05 Apr 05 08:59:24   xxx.xxx.xxx.166 430529   679135    29125354 
915442554
05 Apr 05 08:59:31   xxx.xxx.xxx.108 602246   455999    651121284 
67908834
05 Apr 05 08:59:30    xxx.xxx.xxx.38 352273   648674    19359493 
953116776
05 Apr 05 08:59:30     xxx.xxx.xxx.187 304883   545311    16655804 
785976593
05 Apr 05 08:59:36       xxx.xxx.xxx.5 393457   393341    317489534 
23830340
05 Apr 05 08:59:32    xxx.xxx.xxx.248 422890   275186    317417565 
77615887
05 Apr 05 08:59:18   xxx.xxx.xxx.106 251800   396484    17040022 
378388307


bash-2.05b# ramon -M TopN -N 10 -nnnr 
/dump/argus/archive/2005/04/05/argus.2005.04.05.09.00.00.gz

05 Apr 05 08:10:56    xxx.xxx.xxx.180 1        1         54           62
05 Apr 05 08:10:23    xxx.xxx.xxx.103 3        1         170          62
05 Apr 05 08:10:23    xxx.xxx.xxx.161 3        1         170          62
05 Apr 05 08:10:23    xxx.xxx.xxx.89 2        0         124          0
05 Apr 05 08:10:23    xxx.xxx.xxx.114 4        2         230          260
05 Apr 05 08:10:23    xxx.xxx.xxx.15 4        5         752          571
05 Apr 05 08:10:23    xxx.xxx.xxx.35 2        0         124          0
05 Apr 05 08:10:23    xxx.xxx.xxx.95 3        1         170          62
05 Apr 05 08:10:23    xxx.xxx.xxx.197 2        0         124          0
05 Apr 05 08:10:23    xxx.xxx.xxx.34 2        0         124          0
05 Apr 05 08:10:23    xxx.xxx.xxx.96 2        5         260          284
05 Apr 05 08:10:23    xxx.xxx.xxx.196 2        0         124          0
05 Apr 05 08:10:23    xxx.xxx.xxx.33 2        0         124          0
05 Apr 05 08:10:23    xxx.xxx.xxx.32 2        0         124          0
05 Apr 05 08:10:23    xxx.xxx.xxx.172 2        5         260          284
05 Apr 05 08:10:23    xxx.xxx.xxx.150 5        4         630          805
05 Apr 05 08:10:23   xxx.xxx.xxx.130 11       10        3931         1061
...

Cheers,
Harry

Russell Fulton wrote:
> Hi Harry,
...
> 
> so you are saying that 
> ramon -M TopN -N 10 -nnnr /dump/argus/YEAR/MONTH/DAY/FILENAME
> 
> does something different?
> 
> Are you sure you aren't running ra instead of ramon? I've done things
> like that in the past!
> 
>>Also, I feel like I'm barely touching the tip of the iceberg with my use 
>>of Argus. Are there any good write-ups of what others are doing?
Ah! very nice... I knew that membership to usenix would pay off :-)
> 
> 
> Peter van Epp did a good write up for USENIX a few years back...
> 
> Russell.

More information about the argus mailing list