Per-connection info
Carter Bullard
carter at qosient.com
Fri Dec 14 10:37:25 EST 2007
Hey David,
Did you fix your problem? You should be using racluster() from the
new distribution.
You should not need any parameters to generate the output you're
interested in.
ragator -r file -w file.rag
racluster -r file -w file.clu
If your data source is a stream, then you will have some issues when
trying to figure out when to flush the records. racluster() provides
support for this, but I'm not a fan of this type of flow flushing.
Carter
On Nov 26, 2007, at 6:51 AM, David wrote:
> I have just started using Argus and I'd like to get per-connection/
> stream info out using ra.
>
> The fields I am interested in can be provided, it seems, by the
> Argus data. I would like start time, duration (or end time), end-
> points (IP and port or IP and ICMP message-type), packet totals and
> byte totals.
>
> However, I do not want 1 line per Argus record (e.g. SYN/FIN/etc).
> I would like 1 line per connection (for TCP flows), UDP stream or
> ICMP message with the total counts per stream.
>
> What I am after is similar to tshark -z conv,tcp but with the dates,
> which Wireshark cannot do and UDP/ICMP messages.
>
> I have tried ragator but possibly I passed the wrong option, as
> further ra runs do not appear to do what I am after.
>
> Other tools such as rahosts have saved me lots of time so far, thanks!
>
> David
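To make concrete what racluster does with the records David describes (several Argus records per connection, one summary line wanted per TCP connection, UDP stream or ICMP message type), here is an added illustration in Python; it is not code from Carter, from Argus, or from this thread, and it works on constructed records laid out in the shape of ra fields rather than real Argus output. It also shows the streaming case Carter mentions: an optional idle timeout decides when an open flow is flushed.

```python
from collections import OrderedDict

# Constructed sample records (not real Argus output), one tuple per record:
# (stime, ltime, proto, saddr, sport, daddr, dport, pkts, bytes).
# For ICMP the "sport" slot carries the message type, since David wants
# ICMP keyed on IP plus message type rather than on ports.
RECORDS = [
    (1000.0, 1000.5, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, 2, 140),    # handshake
    (1000.5, 1002.0, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, 10, 8000),  # data
    (1001.0, 1001.1, "udp", "10.0.0.1", 53000, "10.0.0.3", 53, 2, 180),    # DNS
    (1002.0, 1003.0, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, 3, 200),    # FIN
    (1005.0, 1005.0, "icmp", "10.0.0.1", 8, "10.0.0.2", 0, 1, 84),         # echo req
    (1200.0, 1200.0, "udp", "10.0.0.1", 53000, "10.0.0.3", 53, 1, 70),     # same 5-tuple, 199s later
]

def flow_key(rec):
    """Conversation key: TCP/UDP use a direction-normalised 5-tuple so both
    sides of a connection land in one row; ICMP uses src, dst and type."""
    _, _, proto, saddr, sport, daddr, dport, _, _ = rec
    if proto == "icmp":
        return (proto, saddr, daddr, sport)
    a, b = (saddr, sport), (daddr, dport)
    return (proto,) + (a + b if a <= b else b + a)

def cluster(records, idle_timeout=None):
    """Merge records into per-connection summaries. When idle_timeout is set
    (the streaming case), a flow whose last record ended more than that many
    seconds before a new record starts is flushed as finished and a fresh
    flow is opened; with no timeout everything with the same key merges."""
    active, done = OrderedDict(), []
    for rec in sorted(records):  # process in start-time order
        stime, ltime, proto, saddr, sport, daddr, dport, pkts, nbytes = rec
        key = flow_key(rec)
        cur = active.get(key)
        if cur and idle_timeout is not None and stime - cur["end"] > idle_timeout:
            done.append(active.pop(key))  # idle gap: flush the old flow
            cur = None
        if cur is None:  # first record of this conversation
            cur = active[key] = {"proto": proto, "src": (saddr, sport),
                                 "dst": (daddr, dport), "start": stime,
                                 "end": ltime, "pkts": 0, "bytes": 0}
        cur["end"] = max(cur["end"], ltime)
        cur["pkts"] += pkts
        cur["bytes"] += nbytes
    done.extend(active.values())  # end of input: flush whatever is still open
    for f in done:
        f["dur"] = round(f["end"] - f["start"], 3)
    return done
```

Without a timeout the two DNS records 199 seconds apart collapse into one row, which is why Carter is wary of stream flushing: the right gap is a policy choice, not something the records themselves tell you.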