Argus-info Digest, Vol 29, Issue 25

CS Lee geek00l at gmail.com
Fri Jan 25 11:39:17 EST 2008 

Hi Tbh,

For your argus query for topN for port, make sure you have -m proto sport,
the reason why you don't have port showing is because the protocol mix
up(udp, tcp and icmp) so you have to define it in racluster -M rmon -m proto
sport so it understand it based on protocol(either tcp, udp or icmp) and
generate the ports for you.

It should work, cheers ;]

Message: 1
Date: Thu, 24 Jan 2008 12:40:23 -0600
From: tbh <tbh1000 at gmail.com>
Subject: Re: [ARGUS] raxml help
To: "Carter Bullard" <carter at qosient.com>
Cc: argus-info at lists.andrew.cmu.edu
Message-ID:
       <af331c0c0801241040m718d3d40s1a4452ffc5a9335c at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Carter,
Thanks for the feedback. Taking a look at the TopN suggestions, I'm
running into a problem getting the ports to display.

racluster -r /usr/local/argus/argus-eth1.2008.01.24.10.00.00.gz -M
rmon -m sport -w - -- ip | rasort -m bytes -w - | ra -nn -N 5 -s sport
bytes:20

Gives me the following:
                  16533767
                  16131223
                  14024461
                  13655259
                  13393841

As you can see, the sport value is missing.

To make sure I understand the commands correctly, the racluster
command is reading the argus zipped file, consolidating the data by
sport and writing the result to stdout. rasort is reading the output
from racluster and sorting the data by bytes...writing the results to
stdout. ra is reading the output from rasort, not performing host or
port resolution, and printing the top 5 results including only the
sport field and the bytes field (out to 20 characters), right?

If I replace the -m sport with -m saddr, ra prints the saddr and
bytes. If I remove the -m sport from racluster, ra prints the port
numbers ( although it obviously is not consolidating the data based on
sport). What am I missing?

Thanks!
tbh

-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080126/d21f1fbf/attachment.html>

More information about the argus mailing list