flow model and argus irc channel

carter at qosient.com
Wed Apr 22 06:04:52 EDT 2009


Hey Oguz,
Try argus with the default options, and for all ra* programs the "- filter" must be at the end of the command line.


racluster -L0 -nr http.arg3 -s proto saddr sport dir daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts dpkts sloss dloss - tcp and port 80 > http.txt

Carter


-----Original Message-----
From: Oguz Yarimtepe <comp.ogz at gmail.com>

Date: Wed, 22 Apr 2009 09:52:29 
To: CS Lee<geek00l at gmail.com>
Cc: Argus<argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] flow model and argus irc channel


On Wed, 2009-04-22 at 00:11 +0800, CS Lee wrote:
> 
> I would like to see an argus file if you can send me one.

Here[1] is a sample HTTP pcap file that I used to check the result again.
When I checked the packets inside the file I could see the usual HTTP
connection messages, both from client to server and from server to client.

I converted the pcap file to an arg3 file via

argus -mAJZR -r 55b43299cd167ee1c78e34b2097d52dc.pcap -w http.arg3

Then I used racluster to see the unified flows:

racluster -L0 -nr http.arg3 - tcp and port 80 -s proto saddr sport dir daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts dpkts sloss dloss > http.txt

When I checked the http.txt file, I saw only unidirectional flows.

I also checked the arg3 file with ra -nr; again there was no
bidirectional flow.

Maybe you can explain the reason for that, so I can understand the
meaning of directionality more clearly.

[1]
http://www.pcapr.net/view/bwilkerson/2008/10/3/14/55b43299cd167ee1c78e34b2097d52dc.pcap.html
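As an added example (not code from this thread or from the Argus project), the following Python script covers the two points raised above: it checks that a ra*/racluster command line keeps the "- filter" after every other option, as Carter's reply requires, and it parses the -s field output Oguz describes so that flows which really carried packets in both directions can be told apart from one-way records. The sample records are constructed, not real racluster output. Assumptions: -n was used, the field list is the one from the thread, a -L0 header line begins with "Proto", and the dir column prints "->" or "<-" for one-way flows and "<->" for two-way flows.

```python
import shlex

# Field list exactly as passed to racluster -s in the thread.
FIELDS = ("proto saddr sport dir daddr dport stime ltime dur "
          "sbytes sappbytes dappbytes dbytes spkts dpkts sloss dloss").split()

INT_FIELDS = ("sbytes", "sappbytes", "dappbytes", "dbytes",
              "spkts", "dpkts", "sloss", "dloss")

# Constructed sample (not real racluster output): three TCP/80 flows.
# Assumption: -n and the field list above, one record per line, times
# printed as HH:MM:SS.ffffff so every line splits cleanly on whitespace.
SAMPLE = """\
tcp 192.0.2.10 51234 -> 198.51.100.5 80 09:52:01.000000 09:52:01.500000 0.500000 600 320 0 0 5 0 0 0
tcp 192.0.2.10 51235 <-> 198.51.100.5 80 09:52:02.000000 09:52:03.250000 1.250000 900 400 2800 3100 8 7 0 0
tcp 198.51.100.5 80 -> 192.0.2.11 51236 09:52:04.000000 09:52:04.100000 0.100000 120 0 0 0 2 0 0 0
"""


def parse_records(text, fields=FIELDS):
    """Parse whitespace-separated ra/racluster output into dicts keyed by field name."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and the -L0 header (assumed to start with "Proto").
        if not parts or parts[0].lower() == "proto":
            continue
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(parts)}: {line!r}")
        rec = dict(zip(fields, parts))
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        rec["dur"] = float(rec["dur"])
        records.append(rec)
    return records


def is_bidirectional(rec):
    """True when the flow carried traffic both ways.

    The dir column is the primary indicator; dpkts > 0 is cross-checked so a
    record whose destination side sent packets is never counted as one-way.
    """
    return rec["dir"] == "<->" or rec["dpkts"] > 0


def summarize(records):
    """Count one-way versus two-way flows in a parsed record list."""
    counts = {"bidirectional": 0, "unidirectional": 0}
    for rec in records:
        counts["bidirectional" if is_bidirectional(rec) else "unidirectional"] += 1
    return counts


def filter_is_last(cmdline):
    """Apply the ra* rule from the thread: everything after a bare '-' is the
    packet filter, so '-' must come after every other option.

    Accepts a command string (split with shlex) or an argv list. A trailing
    shell redirection such as '> http.txt' is dropped, since it never reaches
    the program.
    """
    argv = shlex.split(cmdline) if isinstance(cmdline, str) else list(cmdline)
    if ">" in argv:
        argv = argv[:argv.index(">")]
    if "-" not in argv:
        return True  # no filter at all, nothing to misplace
    tail = argv[argv.index("-") + 1:]
    # A misplaced option (e.g. -s) would show up as a '-' token inside the filter.
    return bool(tail) and not any(tok.startswith("-") for tok in tail)


if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
    print(filter_is_last("racluster -L0 -nr http.arg3 - tcp and port 80 -s proto saddr"))
```

If the summary reports only unidirectional records although the pcap clearly shows both directions, the first thing to verify is the command line itself: run it through filter_is_last (or simply move "- tcp and port 80" to the end, as in Carter's reply) before looking for a problem in the data.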