racount

CS Lee geek00l at gmail.com
Mon Jan 28 16:46:26 EST 2008


Hi Matthew,

Yeah that's my blog, thanks for reading it. For your question, if you want
to get statistics for the major protocols (tcp, udp, icmp as well as arp), you
can do this, which does something very similar to what you see in racount version
2; try -

racluster -m proto -r whatever.arg3 -s trans bytes spkts dpkts bytes sbytes dbytes

This should give you the result you are looking for with racount -ar

Cheers ;]

On Jan 29, 2008 4:00 AM, Mathew Brown <mathewbrown at fastmail.fm> wrote:

> Hi CS,
>
>  Nothing in particular.  As I mentioned in a previous post, I'm still
>  new at Argus (compiled it for the first time yesterday) so I just
>  compared it with argus 2.x which I also started using 2 days ago or
>  so.  By the way, if you're the author of http://geek00l.blogspot.com/
>  I love your blog :)  Finally, as most information and tutorials on the
>  net cover Argus 2.x, there aren't many examples of Argus 3.x.  It
>  would be great if a "Argus 3.x Recipes section" could be added to the
>  main page of http://qosient.com/argus/ with examples of different
>  scenarios and depending on the scenario and objective, you would run
>  various ra* commands.  Experienced users can then provide newbies like
>  myself with direction on how to approach different scenarios and the
>  power of using argus and the ra* commands in comparison with any other
>  alternative.  Thanks again.
>
> On Tue, 29 Jan 2008 03:49:46 +0800, "CS Lee" <geek00l at gmail.com> said:
> > Hi Matthew,
> >
> > Can you tell me in more detail what kind of information you want, as far
> > as I know you can craft them out with racluster especially to generate
> > statistics.
> >
> > Cheers ;]
> >
> > On Jan 29, 2008 3:46 AM, Mathew Brown <mathewbrown at fastmail.fm> wrote:
> >
> > > Hi CS,
> > >
> > >  Thanks.  However, it seems strange that the -a option was removed, so
> > >  you only get a one-line summary and not the details that you could get
> > >  from argus v2.x.  I think the 2.x version of racount provided more
> > >  information than the current 3.x version.
> > >
> > > On Tue, 29 Jan 2008 01:11:19 +0800, "CS Lee" <geek00l at gmail.com> said:
> > > > Hi Matthew,
> > > >
> > > > There's no -a option, simply use -
> > > >
> > > > racount -r whatever.argus3
> > > >
> > > > This will produce result you need.
> > > >
> > > > Date: Sun, 27 Jan 2008 10:52:59 -0800
> > > > From: "Mathew Brown" <mathewbrown at fastmail.fm>
> > > > Subject: [ARGUS] racount and other commands won't run under
> > > >        argus-clients-3.0.0.rc.68
> > > > To: argus-info at lists.andrew.cmu.edu
> > > > Message-ID: <1201459980.14910.1233537409 at webmail.messagingengine.com>
> > > > Content-Type: text/plain; charset="iso-8859-1"
> > > >
> > > > Hi,
> > > >
> > > >  I'm new to Argus and just recently compiled and installed argus and
> > > >  argus-clients on a Debian machine.  I'm able to run argus
> > > >  successfully:
> > > >
> > > >  argus -r capture.cap -w capture.cap.argus
> > > >
> > > >  works fine.  However, when I try to run any of the r-commands such as
> > > >  rahosts or racount, it gives me the following error such as:
> > > >
> > > >   racount -ar capture.cap.argus
> > > >   racount[27189]: 20:51:15.185652 /etc/ra.conf: syntax error line 199
> > > >   racount   records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
> > > >    sum      0         0            0          0          0             0           0
> > > >
> > > >  Looking into /etc/ra.conf on line 199, I see the following:
> > > >
> > > >  RA_PRINT_HOSTNAMES=no
> > > >
> > > >  Any ideas?  Thanks for your help.
> > > >
> > > > PS.  I'm currently using argus-3.0.0 and
> > > > argus-clients-3.0.0.rc.68.tar.gz
> > > > --
> > > >  Mathew Brown
> > > >  mathewbrown at fastmail.fm
> > > >
> > > >
> > > > --
> > > > Best Regards,
> > > >
> > > > CS Lee<geek00L[at]gmail.com>
> > > >
> > > > http://geek00l.blogspot.com
> > > --
> > >  Mathew Brown
> > >  mathewbrown at fastmail.fm
> > >
> > > --
> > > http://www.fastmail.fm - Same, same, but different…
> > >
> > >
> >
> >
> > --
> > Best Regards,
> >
> > CS Lee<geek00L[at]gmail.com>
> >
> > http://geek00l.blogspot.com
> --
>  Mathew Brown
>  mathewbrown at fastmail.fm
>
> --
> http://www.fastmail.fm - Same, same, but different…
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
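As an added example (not from this thread and not part of the argus project), the script below rebuilds the per-protocol table that racount 2.x printed with -a, working from the flow records themselves rather than from racluster. It assumes the records were exported with ra's comma separator and the field list `-s proto spkts dpkts sbytes dbytes` (an assumed invocation: `ra -r capture.cap.argus -c , -s proto spkts dpkts sbytes dbytes`); the column order in the code must match that list, and the embedded CSV is constructed sample data, not real capture output.

```python
"""Per-protocol flow totals in the style of racount, computed from ra(1)
CSV output.

Assumed export (not shown in the thread):
    ra -r capture.cap.argus -c , -s proto spkts dpkts sbytes dbytes
The counter columns below must be in the same order as that -s list.
SAMPLE_CSV is constructed sample data, not real capture output.
"""

# Counter columns in the order of the assumed -s list (after proto).
COUNTERS = ("spkts", "dpkts", "sbytes", "dbytes")
# Output columns, matching what racount labels records / total / src / dst.
COLUMNS = ("records", "pkts", "spkts", "dpkts", "bytes", "sbytes", "dbytes")

# Constructed sample, including a header line like ra prints by default.
SAMPLE_CSV = """Proto,SrcPkts,DstPkts,SrcBytes,DstBytes
tcp,10,8,1500,12000
tcp,3,2,240,180
udp,1,1,78,214
icmp,2,0,196,0
arp,1,1,42,42
"""


def parse_ra_csv(text):
    """Yield (proto, [spkts, dpkts, sbytes, dbytes]) for each flow record.

    The header line, and any damaged line whose counters are not integers,
    is skipped instead of aborting the whole run.
    """
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 1 + len(COUNTERS):
            continue
        try:
            values = [int(p) for p in parts[1:]]
        except ValueError:
            continue  # header or malformed line
        yield parts[0].lower(), values


def racount_by_proto(text):
    """Return {proto: {column: int}} plus a "sum" row, as racount does."""
    stats = {}
    for proto, values in parse_ra_csv(text):
        # Every record is added to its own protocol row and to the sum row.
        for key in (proto, "sum"):
            row = stats.setdefault(key, dict.fromkeys(COLUMNS, 0))
            row["records"] += 1
            for name, value in zip(COUNTERS, values):
                row[name] += value
    # Derived totals, computed once all records are in.
    for row in stats.values():
        row["pkts"] = row["spkts"] + row["dpkts"]
        row["bytes"] = row["sbytes"] + row["dbytes"]
    return stats


def format_table(stats):
    """Render one line per protocol followed by the sum line."""
    header = ("proto",) + COLUMNS
    lines = ["%-8s" % header[0] + "".join("%12s" % h for h in header[1:])]
    order = [p for p in stats if p != "sum"]
    if "sum" in stats:
        order.append("sum")
    for proto in order:
        row = stats[proto]
        lines.append("%-8s" % proto + "".join("%12d" % row[c] for c in COLUMNS))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys

    # Pipe ra's CSV in on stdin; with no pipe the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    print(format_table(racount_by_proto(data)))
```

Run it as `ra -r capture.cap.argus -c , -s proto spkts dpkts sbytes dbytes | python3 racount_by_proto.py` (file name assumed) to get the per-protocol breakdown; the positional parsing means the header text ra prints does not matter, only the column order.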