Argus-info Digest, Vol 29, Issue 25

tbh tbh1000 at gmail.com
Fri Jan 25 12:26:39 EST 2008


Thanks Carter and CS...that seemed to fix it!

I appreciate the help!!

On 1/25/08, CS Lee <geek00l at gmail.com> wrote:
> Hi Tbh,
>
> For your argus query for topN for port, make sure you have -m proto sport,
> the reason why you don't have port showing is because of the protocol mix
> up (udp, tcp and icmp), so you have to define it in racluster -M rmon -m proto
> sport so it understands it based on protocol (either tcp, udp or icmp) and
> generates the ports for you.
>
> It should work, cheers ;]
>
> Message: 1
> Date: Thu, 24 Jan 2008 12:40:23 -0600
> From: tbh <tbh1000 at gmail.com>
> Subject: Re: [ARGUS] raxml help
> To: "Carter Bullard" <carter at qosient.com>
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <af331c0c0801241040m718d3d40s1a4452ffc5a9335c at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Carter,
> Thanks for the feedback. Taking a look at the TopN suggestions, I'm
> running into a problem getting the ports to display.
>
> racluster -r /usr/local/argus/argus-eth1.2008.01.24.10.00.00.gz -M
> rmon -m sport -w - -- ip | rasort -m bytes -w - | ra -nn -N 5 -s sport
> bytes:20
>
> Gives me the following:
>                   16533767
>                   16131223
>                   14024461
>                   13655259
>                   13393841
>
> As you can see, the sport value is missing.
>
> To make sure I understand the commands correctly, the racluster
> command is reading the argus zipped file, consolidating the data by
> sport and writing the result to stdout. rasort is reading the output
> from racluster and sorting the data by bytes...writing the results to
> stdout. ra is reading the output from rasort, not performing host or
> port resolution, and printing the top 5 results including only the
> sport field and the bytes field (out to 20 characters), right?
>
> If I replace the -m sport with -m saddr, ra prints the saddr and
> bytes. If I remove the -m sport from racluster, ra prints the port
> numbers ( although it obviously is not consolidating the data based on
> sport). What am I missing?
>
> Thanks!
> tbh
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
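A small Python model of the pipeline discussed in the thread, added here as an illustration and not code from the list participants or the argus project. How racluster merges records whose protocols differ and how ra renders the port of such a cluster are assumptions of the model, chosen to reproduce the blank sport column, not documented argus behaviour; the flow records are constructed.

```python
from collections import defaultdict

# Constructed sample flows (not argus output): one bidirectional record each.
# Port 80 carries both TCP and UDP here; ICMP records have no ports at all.
FLOWS = [
    {"proto": "tcp",  "sport": 80,   "dport": 51234, "bytes": 9_400_000},
    {"proto": "udp",  "sport": 80,   "dport": 1025,  "bytes": 7_300_000},
    {"proto": "tcp",  "sport": 443,  "dport": 51235, "bytes": 5_200_000},
    {"proto": "icmp", "sport": None, "dport": None,  "bytes": 200_000},
    {"proto": "udp",  "sport": 53,   "dport": 1026,  "bytes": 1_050_000},
]

def rmon_split(flows):
    """Model of -M rmon: every flow is emitted twice, once per endpoint, so
    that each endpoint's port lands in the sport field of some record."""
    for f in flows:
        yield {"proto": f["proto"], "sport": f["sport"], "bytes": f["bytes"]}
        yield {"proto": f["proto"], "sport": f["dport"], "bytes": f["bytes"]}

def cluster(records, keys):
    """Model of -m <keys>: records sharing the key fields are merged.
    A non-key field survives only if all members agree on it; a cluster
    mixing protocols therefore ends up with proto unset (assumption)."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[k] for k in keys)].append(r)
    merged = []
    for members in groups.values():
        row = {"bytes": sum(m["bytes"] for m in members)}
        for field in ("proto", "sport"):
            values = {m[field] for m in members}
            row[field] = values.pop() if len(values) == 1 else None
        merged.append(row)
    return merged

def top_n(flows, keys, n=5):
    """rasort -m bytes | ra -N n -s proto sport bytes, as tuples.
    A port is only meaningful for TCP/UDP, so a mixed-protocol cluster
    prints no port: the blank column from the thread (assumption)."""
    rows = sorted(cluster(rmon_split(flows), keys),
                  key=lambda r: r["bytes"], reverse=True)
    return [(r["proto"], r["sport"] if r["proto"] in ("tcp", "udp") else None,
             r["bytes"]) for r in rows[:n]]

if __name__ == "__main__":
    for keys in (("sport",), ("proto", "sport")):
        print("-m", " ".join(keys))
        for proto, sport, nbytes in top_n(FLOWS, keys):
            print(f"  {proto or '':5} {'' if sport is None else sport:>6} {nbytes:>10}")
```

In this small sample only port 80, which carries both TCP and UDP, loses its port under -m sport; on a busy link, where most port numbers see several protocols, the whole column goes blank as in the quoted output, while -m proto sport keeps one row per protocol and port.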
