best way to collect traffic

Nick Diel nick at engineerity.com
Fri Apr 24 10:14:42 EDT 2009


I am not sure if you saw an earlier email from Carter in reply to earlier
questions, but you need to put the filter as your very last argument.

Change:
racluster -L0 -nr testdump.arg3 - tcp and port 22 -s proto saddr sport
dir daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts
dpkts sloss dloss > testdump.txt

To:
racluster -L0 -nr testdump.arg3 -s proto saddr sport
dir daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts
dpkts sloss dloss *- tcp and port 22* > testdump.txt

Nick

On Fri, Apr 24, 2009 at 1:07 AM, Oguz Yarimtepe <comp.ogz at gmail.com> wrote:

> On Fri, 2009-04-24 at 08:44 +0300, Oguz Yarimtepe wrote:
> > What is a good way to collect traffic for analyzing via argus?
>
> Here is the tcpdump file, I collected via
>
> tcpdump -i eth0 -n -w testdump
>
> http://www.loopbacking.info/dosya/testdump
>
> and the converted arg3 file
> http://www.loopbacking.info/dosya/testdump.arg3
>
> argus -mAJZR -r testdump -w testdump.arg3
>
> When I check with ra as
>
> ra -nr testdump.arg3
>
> I see some <?>
>
> Using racluster caused a 0-byte file
>
> racluster -L0 -nr testdump.arg3 - tcp and port 22 -s proto saddr sport
> dir daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts
> dpkts sloss dloss > testdump.txt
>
> --
> Oguz Yarimtepe
> http://www.loopbacking.info
>
>
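An added example, not from this thread or the argus project: a small POSIX sh helper that rebuilds an argus-client command line so the filter (everything after the bare `-`) lands at the very end, applied to the exact command Oguz posted. It assumes argus clients treat every token after the bare `-` as filter text, so the `-s ...` field list placed after it gets swallowed into the filter rather than parsed as an option.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption, not stated on the list:
# argus clients take every token after the bare "-" as the filter expression,
# so options written after it (here "-s ...") are no longer parsed as options.
# This helper moves the "- <filter>" group to the end, as Nick recommends.

# filter_last CMD ARGS...
# Tokens after a bare "-" up to the next token starting with "-" form the
# filter expression; everything else keeps its order and the filter goes last.
filter_last() {
    opts=""; filt=""; in_filter=0
    for tok in "$@"; do
        if [ "$tok" = "-" ]; then
            in_filter=1; filt="-"
        elif [ "$in_filter" -eq 1 ] && [ "${tok#-}" = "$tok" ]; then
            filt="$filt $tok"            # still inside the filter expression
        else
            in_filter=0                  # an option ends the filter group
            opts="$opts $tok"
        fi
    done
    out="${opts# }"
    [ -n "$filt" ] && out="$out $filt"   # filter, if any, becomes the last argument
    printf '%s\n' "$out"
}

# The command from the thread that produced an empty testdump.txt.
broken='racluster -L0 -nr testdump.arg3 - tcp and port 22 -s proto saddr sport dir daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts dpkts sloss dloss'

# Word-splitting $broken on purpose so each token becomes one argument.
# shellcheck disable=SC2086
filter_last $broken
```

Pipe the printed line into `sh` (or copy it) to run the corrected command; if the output file is still empty, the problem is not argument order.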