Argus-info Digest, Vol 14, Issue 3

CS Lee geek00l at gmail.com
Wed Oct 4 12:26:32 EDT 2006


Hi Peter,

Thanks, I can't find it in the man page either, and that's why I didn't know
it was implemented. Thanks again. :)

On 10/5/06, argus-info-request at lists.andrew.cmu.edu <
argus-info-request at lists.andrew.cmu.edu> wrote:
>
> Today's Topics:
>
>    1.  Connection Bytes (CS Lee)
>    2. Re:  Connection Bytes (Peter Van Epp)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 4 Oct 2006 13:58:29 +0800
> From: "CS Lee" <geek00l at gmail.com>
> Subject: [ARGUS] Connection Bytes
> To: argus-info at lists.andrew.cmu.edu
> Message-ID:
>         <1bb5dd90610032258t47258b24sbcca64e8fac018c at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all,
>
> Normally when we perform analysis using argus, we will have entry like
> this
>
> 17:19:46.623049 6 222.64.79.60.3493 -> 1.2.3.4.80 4 3 *536 780* CON
> 17:19:53.598808 6 222.64.79.60.3493 -> 1.2.3.4.80 2 1 *420 668* CON
>
> The bold numbers are the sbytes and dbytes, which actually include the
> header, and I consider them frame bytes. Is it possible to show only the
> payload (application bytes) instead of the whole frame bytes?
>
> By the way, I vote for libpcap base too :)
>
> Cheers
>
>
>
>
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 4 Oct 2006 07:56:34 -0700
> From: Peter Van Epp <vanepp at sfu.ca>
> Subject: Re: [ARGUS] Connection Bytes
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <20061004145634.GA29895 at sfu.ca>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Oct 04, 2006 at 01:58:29PM +0800, CS Lee wrote:
> > Hi all,
> >
> > Normally when we perform analysis using argus, we will have entry like
> this
> >
> > 17:19:46.623049 6 222.64.79.60.3493 -> 1.2.3.4.80 4 3 *536 780* CON
> > 17:19:53.598808 6 222.64.79.60.3493 -> 1.2.3.4.80 2 1 *420 668* CON
> >
> > The bold numbers are the sbytes and dbytes, which actually include the
> > header, and I consider them frame bytes. Is it possible to show only the
> > payload (application bytes) instead of the whole frame bytes?
> >
> > By the way, I vote for libpcap base too :)
> >
> > Cheers
> >
> >
> >
> >
> >
> > --
> > Best Regards,
> >
> > CS Lee<geekooL[at]gmail.com>
>
>          Yep, if you add -s +sappbytes +dappbytes to the ra command you
> will get the payload-only counts (in a quick look I didn't see this in the
> ra man page though it may be there and I'm blind :-)). Adding -s -sbytes -s
> -dbytes will suppress the payload counts. Comparing the application and
> payload count ratios is a good way to find hosts with high error rate
> connections (a good connection will be 5% or 10% different, I've seen ones
> with 50% difference because of something screwball in the machine's stack,
> and that leaps out at you).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 14, Issue 3
> *****************************************
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
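As an added illustration of the ratio check Peter describes above (example code written for this page, not part of Argus and not the posters' own tooling): the script below parses ra records that carry both the total byte counts (sbytes, dbytes) and the application byte counts (sappbytes, dappbytes), computes the non-payload fraction of each direction, and lists the flows that exceed a cutoff. The column order (as if selected with `ra -s stime proto saddr dir daddr spkts dpkts sbytes dbytes sappbytes dappbytes state`), the 50% cutoff (taken from the difference Peter says he has seen) and the sample records are all assumptions of this example; the records are constructed, not captured traffic.

```python
"""Flag flows whose byte counts are mostly header overhead.

Added example for this page: reads ra-style records that carry both the
total byte counts (sbytes, dbytes) and the application byte counts
(sappbytes, dappbytes), computes the non-payload fraction of each
direction, and lists the flows that exceed a cutoff.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample records (not real traffic), laid out as if produced by
#   ra -r argus.out -s stime proto saddr dir daddr spkts dpkts sbytes dbytes sappbytes dappbytes state
# The column order is this example's assumption; match it to your own -s list.
# The first line mimics a column header, which the parser must skip.
SAMPLE = """\
StartTime Proto SrcAddr Dir DstAddr SrcPkts DstPkts SrcBytes DstBytes SAppBytes DAppBytes State
17:19:46.623049 6 192.0.2.10.3493 -> 198.51.100.4.80 4 3 536 780 320 618 CON
17:20:01.112233 6 192.0.2.11.44102 -> 198.51.100.4.80 40 38 6400 57000 4240 54948 CON
17:20:05.445566 6 192.0.2.12.51999 -> 198.51.100.4.80 120 60 7680 4440 1200 1200 CON
17:20:09.000000 17 192.0.2.13.5353 -> 224.0.0.251.5353 3 0 300 0 174 0 INT
"""


@dataclass
class Flow:
    stime: str
    proto: str
    saddr: str
    direction: str
    daddr: str
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int
    sappbytes: int
    dappbytes: int
    state: str

    def overhead(self, side: str) -> float:
        """Fraction of bytes sent by one side that is not application payload."""
        if side == "src":
            total, app = self.sbytes, self.sappbytes
        else:
            total, app = self.dbytes, self.dappbytes
        if total == 0:  # one-directional flow: nothing to measure on this side
            return 0.0
        return (total - app) / total


def parse_ra(text: str) -> List[Flow]:
    """Parse whitespace-separated ra records; skip header and malformed lines."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 12:
            continue
        try:
            counts = [int(x) for x in fields[5:11]]  # spkts .. dappbytes
        except ValueError:  # column header or non-numeric junk
            continue
        flows.append(Flow(fields[0], fields[1], fields[2], fields[3], fields[4],
                          *counts, fields[11]))
    return flows


def flag_high_overhead(flows: List[Flow], cutoff: float = 0.5) -> List[Tuple[Flow, float, float]]:
    """Return (flow, src_overhead, dst_overhead) for flows over the cutoff on either side.

    The 0.5 default is a hypothetical cutoff based on the 50% difference
    mentioned in the thread; tune it against your own baseline.
    """
    out = []
    for fl in flows:
        s, d = fl.overhead("src"), fl.overhead("dst")
        if s >= cutoff or d >= cutoff:
            out.append((fl, s, d))
    return out


if __name__ == "__main__":
    for fl, s, d in flag_high_overhead(parse_ra(SAMPLE)):
        print(f"{fl.stime} {fl.saddr} {fl.direction} {fl.daddr} "
              f"src overhead {s:.0%} ({fl.spkts} pkts, {fl.sappbytes}/{fl.sbytes} B payload) "
              f"dst overhead {d:.0%} ({fl.dpkts} pkts, {fl.dappbytes}/{fl.dbytes} B payload)")
```

One caveat when applying this: a flow made of a handful of small packets (a SYN retry, a keepalive, a short request) has a high non-payload fraction by nature, so a fixed cutoff picks up short chatty flows as well as the broken stacks Peter mentions. Comparing the fraction per host against that host's own typical flows, or adding a minimum packet count, keeps the list to the ones that actually "leap out".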

