Cheat sheet premiere

Nick Diel ndiel at engr.colostate.edu
Tue Mar 11 17:24:23 EDT 2008


How about:
racluster -m proto -s loss -r argus.arg - tcp

This should merge all records based on protocol (in this case only tcp 
because of the filter) and then print the loss column of all merged records.

Nick

Stewart Gray wrote:
> Awesome, that's a really good start. I've already been playing with a 
> few of the options I hadn't toyed with before :)
>  
> Is there an easy way to generate a raw count of packets 
> loss/retransmitted rather than having it graphed?
>  
> I figure we start with:
>  
> racluster -s loss -r argus.arg -w -
>  
> How are the figures totaled? Do we pipe it to rasort or ra?
>  
> Thanks,
>  
> Stewart
>
> ------------------------------------------------------------------------
> *From:* Stéphane Peters [mailto:stephane.peters at forem.be]
> *Sent:* Saturday, 8 March 2008 11:06 a.m.
> *To:* Carter Bullard
> *Cc:* Stewart Gray; Argus
> *Subject:* Re: Re: [ARGUS] Cheat sheet premiere
>
> Hi Carter,
>
> I would love to see such a sheet in the distribution,
> and I also was hoping that you could check,
> if those examples made sense or were appropriate.
> So please go on !
>
>
> Some cosmetic work could be done too;
> for example to use everywhere some "standard" parameters like this one :
>     file=argus-eth1.out
>     ra -r $file
> so it is easy to paste the line "as is".
> without forgetting the shell escapes ( \$srcid) like in:
>     rasplit -S $argushost  -M 1d -w /path/argus-\$srcid.%Y.%m.%d.log
>
> By the way, as another example given to the list, here are 3 scripts I 
> use.
> The PATH vars permit to have a nicer ps(1) output.
>
> start-argus
>> #!/bin/sh
>> interf=eth1
>> PATH=/sbin ifconfig $interf | grep UP || PATH=/sbin ifconfig $interf up
>> PATH=/usr/local/sbin argus -d -i $interf -e `hostname` -P 561 -U128 \
>>     -mRS 30 -w argus-eth1.out
>
> rotate:
>> #!/bin/sh
>>
>> # Rotates server log files, without affecting users who may be
>> # connected to the server.
>>
>> # This can be run as a cron script
>>
>> DATE=`date +%Y-%m%d-%H%M`
>> LOGS='argus-eth1.out'
>>
>>  for i in $LOGS; do
>>    if [ -f $i ]; then
>>      mv $i $i.$DATE
>>      gzip -9 $i.$DATE
>>    fi
>>  done
>
> rotate-daily
>> #!/bin/sh
>> ./rotate
>> sleep 60 # sometimes the preceding command finishes too early
>> echo ./rotate-daily | at 0000 > /tmp/rotate-daily.log
>
> I use at(1) instead of cron(8) to cut the files closer to midnight,
> but rastream(1)'s extended "-w" option seems promising.
> A better solution could be to use argus(8) to preprocess the flows,
> and rastream(1) to write, "rotate" and compress the files.
> Another thread, perhaps.
>
> Carter Bullard wrote :
>> Hey Stephane,
>> This is great!!!!  I'll put this in the distribution, if you don't 
>> mind!!!!
>> And I'll also go through it to make sure that any changes in the
>> code actually don't break this, and I can add some of the ones
>> that I do.
>>
>> So Russell is asking for a wiki, and we already have one at:
>>
>> http://www.vorant.com/nsmwiki/index.php?title=Argus
>>
>>
>> Carter
>>
>> On Mar 7, 2008, at 2:24 PM, Stéphane Peters wrote:
>>
>>> Hi Stewart,
>>>
>>> I also think that a cheat sheet would be nice !
>>> Here is a good occasion to show mine...
>>>
>>> Please note, most of the stuff has been collected right from this 
>>> argus list,
>>> so hopefully, you shouldn't browse all the (numerous) past messages.
>>>
>>> Any suggestions ?
>>>
>>> ------------------------------------------------------------------------
>>> flow filtering on certain port range:
>>>    ra -r file - dst port \( gt 1024 and lt 2048 \)
>>> (...)
>>> ------------------------------------------------------------------------
>>>
>>>
>>> Stewart Gray wrote:
>>>> awesome, that's more like what I was after :) Thanks for your help
>>>> again. 
>>>>
>>>> As I mentioned earlier, I reckon it'd be neat to have some sort of cheat
>>>> sheet for doing common tasks. I bet there's lot's of stuff you know that
>>>> others don't, having written the application yourself. I don't know what
>>>> I don't know!
>>>>   
>>>
>>> Regards,
>>> -- 
>>> Stephane.Peters at forem.be, Postmaster at forem.be
>>
>
> Regards,
> -- 
> Stephane.Peters at forem.be
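The "rotate" script quoted above renames and gzips the argus output file with unquoted variables and no guard against two runs landing in the same minute. The following is an added example, not a script from the list or from the argus distribution: the same rotation written as a POSIX sh function with quoted paths, a skip for files that do not exist yet, and a counter suffix when a rotated name already exists. The directory and file names passed to it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the argus list thread): a quoted POSIX-sh version of
# the "rotate" script. Directory and file names given to it are hypothetical.

# rotate_logs DIR FILE...
#   Renames each existing DIR/FILE to DIR/FILE.<YYYY-mmdd-HHMM> and compresses
#   it with gzip -9 when gzip is available. Files that do not exist are skipped.
#   Returns 0 when every existing file was handled, 1 on the first mv/gzip error.
rotate_logs() {
    dir=$1
    shift
    stamp=$(date +%Y-%m%d-%H%M)          # same timestamp layout as the list's script
    for name in "$@"; do
        src="$dir/$name"
        [ -f "$src" ] || continue         # nothing to rotate yet (e.g. argus not started)
        dst="$src.$stamp"
        if [ -e "$dst" ] || [ -e "$dst.gz" ]; then
            # A second run inside the same minute must not overwrite the first.
            n=1
            while [ -e "$dst.$n" ] || [ -e "$dst.$n.gz" ]; do
                n=$((n + 1))
            done
            dst="$dst.$n"
        fi
        mv -- "$src" "$dst" || return 1
        if command -v gzip >/dev/null 2>&1; then
            gzip -9 "$dst" || return 1
        fi
    done
    return 0
}

# Usage (constructed): rotate the argus output in /var/log/argus, as the
# original script does for the current directory.
# rotate_logs /var/log/argus argus-eth1.out
```

Quoting `"$src"` and `"$dst"` keeps the function correct for names with spaces, and `mv --` stops a file name beginning with `-` from being read as an option. Renaming the file argus has open is still the same trick as the quoted script; whether the collector reopens the path afterwards is a separate question that the thread defers to rastream(1).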
