best way to collect traffic
Carter Bullard
carter at qosient.com
Fri Apr 24 11:18:38 EDT 2009
The "<?>" dir field indicates that argus didn't see the connection establishment phase of the TCP connection, so argus doesn't know who originated the TCP.

There are always ongoing TCP connections on the wire when you first start tcpdump(), and argus() will report that it didn't see the SYN -> SYN_ACK volley for those flows.
Carter
On Apr 24, 2009, at 3:07 AM, Oguz Yarimtepe wrote:
> On Fri, 2009-04-24 at 08:44 +0300, Oguz Yarimtepe wrote:
>> What is the good way to collect a traffic for analyzing via argus?
>
> Here is the tcpdump file I collected via
>
> tcpdump -i eth0 -n -w testdump
>
> http://www.loopbacking.info/dosya/testdump
>
> and the converted arg3 file
> http://www.loopbacking.info/dosya/testdump.arg3
>
> argus -mAJZR -r testdump -w testdump.arg3
>
> When I check with ra as
>
> ra -nr testdump.arg3
>
> I see some <?>
>
> Using racluster caused a 0-byte file
>
> racluster -L0 -nr testdump.arg3 - tcp and port 22 -s proto saddr sport dir daddr dport stime ltime dur sbytes sappbytes dappbytes dbytes spkts dpkts sloss dloss > testdump.txt
>
> --
> Oguz Yarimtepe
> http://www.loopbacking.info
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
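To make the "<?>" explanation concrete, here is a small added example (not argus source code, and not from either poster) that mimics the rule argus applies: a TCP flow's originator is only known if the capture contains the SYN or the SYN/ACK of its handshake. The packet records are constructed; a session already in progress when the capture starts shows only ACK/data packets, so the record is printed with the first-seen source on the left and an unknown direction, exactly the situation the thread describes.

```python
# Added example (not argus code): why a flow gets "<?>" in the dir field.
# argus can only name the originator of a TCP flow if it saw the SYN -> SYN/ACK
# handshake; a connection already in progress when capture starts has no SYN
# in the trace, so the originator is unknown.  The packet records below are
# constructed; the inference rule is a simplification of what argus does.
from collections import OrderedDict

SYN = 0x02
ACK = 0x10


def endpoints(pkt):
    return (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])


def flow_key(pkt):
    """Bidirectional 5-tuple key: same key for both directions of a connection."""
    a, b = endpoints(pkt)
    return (pkt["proto"],) + (a + b if a <= b else b + a)


def infer_flows(packets):
    """Aggregate packets into flows and decide the direction field.

    Returns an ordered list of (src, dst, dir, pkts) tuples where src is the
    originator when the handshake was seen (dir "->"), otherwise the source of
    the first packet observed (dir "<?>")."""
    flows = OrderedDict()
    for p in packets:
        k = flow_key(p)
        a, b = endpoints(p)
        f = flows.setdefault(k, {"src": a, "dst": b, "dir": "<?>", "pkts": 0})
        f["pkts"] += 1
        if f["dir"] != "<?>":
            continue  # originator already established
        flags = p["flags"]
        if flags & SYN and not flags & ACK:
            # A pure SYN: its sender is the originator.
            f["src"], f["dst"], f["dir"] = a, b, "->"
        elif flags & SYN and flags & ACK:
            # A SYN/ACK: its *receiver* is the originator.
            f["src"], f["dst"], f["dir"] = b, a, "->"
        # Any other packet (plain ACK, data, FIN) says nothing about who started it.
    return [(f["src"], f["dst"], f["dir"], f["pkts"]) for f in flows.values()]


def count_unknown_direction(flows):
    """Number of flows whose originator could not be determined."""
    return sum(1 for _, _, d, _ in flows if d == "<?>")


# Constructed trace: capture starts mid-stream for an SSH session, so only
# ACK/data packets are seen; a second session starts with a full handshake.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 22, "dst": "192.168.1.10", "dport": 40001, "flags": ACK},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 40001, "dst": "10.0.0.5", "dport": 22, "flags": ACK},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 40002, "dst": "10.0.0.5", "dport": 22, "flags": SYN},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 22, "dst": "192.168.1.10", "dport": 40002, "flags": SYN | ACK},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 40002, "dst": "10.0.0.5", "dport": 22, "flags": ACK},
]

if __name__ == "__main__":
    for src, dst, d, n in infer_flows(PACKETS):
        print("%s:%d %s %s:%d pkts=%d" % (src[0], src[1], d, dst[0], dst[1], n))
```

Run as-is, the first record comes out as `10.0.0.5:22 <?> 192.168.1.10:40001`: the server side is printed on the left because it happened to send the first packet the capture saw, and nothing in the trace can correct that. When such records matter for analysis (for example, deciding which host initiated an SSH session), the practical fix is on the collection side: start the capture before the sessions of interest, or treat "<?>" records as direction-unknown rather than trusting the printed src/dst order.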